Mercurial > hg > release > icedtea7-forest-2.2 > jdk
view src/share/classes/sun/security/pkcs11/P11KeyAgreement.java @ 5366:66de7885f8dc
8014618: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement
Reviewed-by: xuelei
Contributed-by: Pasi Eronen <pe@iki.fi>
| author | andrew |
|---|---|
| date | Wed, 12 Jun 2013 11:42:41 +0100 |
| parents | ba4dd5c84f45 |
| children | 06ee02f5ca2e |
line wrap: on
line source
/* * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.pkcs11; import java.math.BigInteger; import java.security.*; import java.security.spec.*; import javax.crypto.*; import javax.crypto.interfaces.*; import javax.crypto.spec.*; import static sun.security.pkcs11.TemplateManager.*; import sun.security.pkcs11.wrapper.*; import static sun.security.pkcs11.wrapper.PKCS11Constants.*; import sun.security.util.KeyUtil; /** * KeyAgreement implementation class. This class currently supports * DH. * * @author Andreas Sterbenz * @since 1.5 */ final class P11KeyAgreement extends KeyAgreementSpi { // token instance private final Token token; // algorithm name private final String algorithm; // mechanism id private final long mechanism; // private key, if initialized private P11Key privateKey; // other sides public value ("y"), if doPhase() already called private BigInteger publicValue; // length of the secret to be derived private int secretLen; // KeyAgreement from SunJCE as fallback for > 2 party agreement private KeyAgreement multiPartyAgreement; P11KeyAgreement(Token token, String algorithm, long mechanism) { super(); this.token = token; this.algorithm = algorithm; this.mechanism = mechanism; } // see JCE spec protected void engineInit(Key key, SecureRandom random) throws InvalidKeyException { if (key instanceof PrivateKey == false) { throw new InvalidKeyException ("Key must be instance of PrivateKey"); } privateKey = P11KeyFactory.convertKey(token, key, algorithm); publicValue = null; multiPartyAgreement = null; } // see JCE spec protected void engineInit(Key key, AlgorithmParameterSpec params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException { if (params != null) { throw new InvalidAlgorithmParameterException ("Parameters not supported"); } engineInit(key, random); } // see JCE spec protected Key engineDoPhase(Key key, boolean lastPhase) throws InvalidKeyException, IllegalStateException { if (privateKey == null) { throw new IllegalStateException("Not initialized"); } if (publicValue != null) { throw new IllegalStateException("Phase already executed"); } // PKCS#11 only allows key agreement between 2 parties // JCE allows >= 2 parties. To support that case (for compatibility // and to pass JCK), fall back to SunJCE in this case. // NOTE that we initialize using the P11Key, which will fail if it // is sensitive/unextractable. However, this is not an issue in the // compatibility configuration, which is all we are targeting here. if ((multiPartyAgreement != null) || (lastPhase == false)) { if (multiPartyAgreement == null) { try { multiPartyAgreement = KeyAgreement.getInstance ("DH", P11Util.getSunJceProvider()); multiPartyAgreement.init(privateKey); } catch (NoSuchAlgorithmException e) { throw new InvalidKeyException ("Could not initialize multi party agreement", e); } } return multiPartyAgreement.doPhase(key, lastPhase); } if ((key instanceof PublicKey == false) || (key.getAlgorithm().equals(algorithm) == false)) { throw new InvalidKeyException ("Key must be a PublicKey with algorithm DH"); } BigInteger p, g, y; if (key instanceof DHPublicKey) { DHPublicKey dhKey = (DHPublicKey)key; // validate the Diffie-Hellman public key KeyUtil.validate(dhKey); y = dhKey.getY(); DHParameterSpec params = dhKey.getParams(); p = params.getP(); g = params.getG(); } else { // normally, DH PublicKeys will always implement DHPublicKey // just in case not, attempt conversion P11DHKeyFactory kf = new P11DHKeyFactory(token, "DH"); try { DHPublicKeySpec spec = (DHPublicKeySpec)kf.engineGetKeySpec (key, DHPublicKeySpec.class); // validate the Diffie-Hellman public key KeyUtil.validate(spec); y = spec.getY(); p = spec.getP(); g = spec.getG(); } catch (InvalidKeySpecException e) { throw new InvalidKeyException("Could not obtain key values", e); } } // if parameters of private key are accessible, verify that // they match parameters of public key // XXX p and g should always be readable, even if the key is sensitive if (privateKey instanceof DHPrivateKey) { DHPrivateKey dhKey = (DHPrivateKey)privateKey; DHParameterSpec params = dhKey.getParams(); if ((p.equals(params.getP()) == false) || (g.equals(params.getG()) == false)) { throw new InvalidKeyException ("PublicKey DH parameters must match PrivateKey DH parameters"); } } publicValue = y; // length of the secret is length of key secretLen = (p.bitLength() + 7) >> 3; return null; } // see JCE spec protected byte[] engineGenerateSecret() throws IllegalStateException { if (multiPartyAgreement != null) { byte[] val = multiPartyAgreement.generateSecret(); multiPartyAgreement = null; return val; } if ((privateKey == null) || (publicValue == null)) { throw new IllegalStateException("Not initialized correctly"); } Session session = null; try { session = token.getOpSession(); CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET), }; attributes = token.getAttributes (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes); long keyID = token.p11.C_DeriveKey(session.id(), new CK_MECHANISM(mechanism, publicValue), privateKey.keyID, attributes); attributes = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_VALUE) }; token.p11.C_GetAttributeValue(session.id(), keyID, attributes); byte[] secret = attributes[0].getByteArray(); token.p11.C_DestroyObject(session.id(), keyID); // trim leading 0x00 bytes per JCE convention return P11Util.trimZeroes(secret); } catch (PKCS11Exception e) { throw new ProviderException("Could not derive key", e); } finally { publicValue = null; token.releaseSession(session); } } // see JCE spec protected int engineGenerateSecret(byte[] sharedSecret, int offset) throws IllegalStateException, ShortBufferException { if (multiPartyAgreement != null) { int n = multiPartyAgreement.generateSecret(sharedSecret, offset); multiPartyAgreement = null; return n; } if (offset + secretLen > sharedSecret.length) { throw new ShortBufferException("Need " + secretLen + " bytes, only " + (sharedSecret.length - offset) + " available"); } byte[] secret = engineGenerateSecret(); System.arraycopy(secret, 0, sharedSecret, offset, secret.length); return secret.length; } // see JCE spec protected SecretKey engineGenerateSecret(String algorithm) throws IllegalStateException, NoSuchAlgorithmException, InvalidKeyException { if (multiPartyAgreement != null) { SecretKey key = multiPartyAgreement.generateSecret(algorithm); multiPartyAgreement = null; return key; } if (algorithm == null) { throw new NoSuchAlgorithmException("Algorithm must not be null"); } if (algorithm.equals("TlsPremasterSecret")) { // For now, only perform native derivation for TlsPremasterSecret // as that is required for FIPS compliance. // For other algorithms, there are unresolved issues regarding // how this should work in JCE plus a Solaris truncation bug. // (bug not yet filed). return nativeGenerateSecret(algorithm); } byte[] secret = engineGenerateSecret(); // Maintain compatibility for SunJCE: // verify secret length is sensible for algorithm / truncate // return generated key itself if possible int keyLen; if (algorithm.equalsIgnoreCase("DES")) { keyLen = 8; } else if (algorithm.equalsIgnoreCase("DESede")) { keyLen = 24; } else if (algorithm.equalsIgnoreCase("Blowfish")) { keyLen = Math.min(56, secret.length); } else if (algorithm.equalsIgnoreCase("TlsPremasterSecret")) { keyLen = secret.length; } else { throw new NoSuchAlgorithmException ("Unknown algorithm " + algorithm); } if (secret.length < keyLen) { throw new InvalidKeyException("Secret too short"); } if (algorithm.equalsIgnoreCase("DES") || algorithm.equalsIgnoreCase("DESede")) { for (int i = 0; i < keyLen; i+=8) { P11SecretKeyFactory.fixDESParity(secret, i); } } return new SecretKeySpec(secret, 0, keyLen, algorithm); } private SecretKey nativeGenerateSecret(String algorithm) throws IllegalStateException, NoSuchAlgorithmException, InvalidKeyException { if ((privateKey == null) || (publicValue == null)) { throw new IllegalStateException("Not initialized correctly"); } long keyType = CKK_GENERIC_SECRET; Session session = null; try { session = token.getObjSession(); CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), }; attributes = token.getAttributes (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); long keyID = token.p11.C_DeriveKey(session.id(), new CK_MECHANISM(mechanism, publicValue), privateKey.keyID, attributes); CK_ATTRIBUTE[] lenAttributes = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_VALUE_LEN), }; token.p11.C_GetAttributeValue(session.id(), keyID, lenAttributes); int keyLen = (int)lenAttributes[0].getLong(); SecretKey key = P11Key.secretKey (session, keyID, algorithm, keyLen << 3, attributes); if ("RAW".equals(key.getFormat())) { // Workaround for Solaris bug 6318543. // Strip leading zeroes ourselves if possible (key not sensitive). // This should be removed once the Solaris fix is available // as here we always retrieve the CKA_VALUE even for tokens // that do not have that bug. byte[] keyBytes = key.getEncoded(); byte[] newBytes = KeyUtil.trimZeroes(keyBytes); if (keyBytes != newBytes) { key = new SecretKeySpec(newBytes, algorithm); } } return key; } catch (PKCS11Exception e) { throw new InvalidKeyException("Could not derive key", e); } finally { publicValue = null; token.releaseSession(session); } } }