8272385: Enforce ECPrivateKey d value to be in the range [1, n-1] for SunEC provider

Reviewed-by: ascarpino, weijun

src/java.base/share/classes/sun/security/util/ECUtil.java

@@ -33,6 +33,7 @@ import java.security.*;
 import java.security.interfaces.*;
 import java.security.spec.*;
 import java.util.Arrays;
+import java.util.Objects;
 
 public final class ECUtil {
 
@@ -310,5 +311,41 @@ public final class ECUtil {
         }
     }
 
+    /**
+     * Check an ECPrivateKey to make sure the scalar value is within the
+     * range of the order [1, n-1].
+     *
+     * @param prv the private key to be checked.
+     *
+     * @return the private key that was evaluated.
+     *
+     * @throws InvalidKeyException if the key's scalar value is not within
+     *      the range 1 <= x < n where n is the order of the generator.
+     */
+    public static ECPrivateKey checkPrivateKey(ECPrivateKey prv)
+            throws InvalidKeyException {
+        // The private key itself cannot be null, but if the private
+        // key doesn't divulge the parameters or more importantly the S value
+        // (possibly because it lives on a provider that prevents release
+        // of those values, e.g. HSM), then we cannot perform the check and
+        // will allow the operation to proceed.
+        Objects.requireNonNull(prv, "Private key must be non-null");
+        ECParameterSpec spec = prv.getParams();
+        if (spec != null) {
+            BigInteger order = spec.getOrder();
+            BigInteger sVal = prv.getS();
+
+            if (order != null && sVal != null) {
+                if (sVal.compareTo(BigInteger.ZERO) <= 0 ||
+                        sVal.compareTo(order) >= 0) {
+                    throw new InvalidKeyException("The private key must be " +
+                            "within the range [1, n - 1]");
+                }
+            }
+        }
+
+        return prv;
+    }
+
     private ECUtil() {}
 }

src/jdk.crypto.ec/share/classes/sun/security/ec/ECDHKeyAgreement.java

@@ -29,6 +29,7 @@ import sun.security.ec.point.AffinePoint;
 import sun.security.ec.point.Point;
 import sun.security.util.ArrayUtil;
 import sun.security.util.CurveDB;
+import sun.security.util.ECUtil;
 import sun.security.util.NamedCurve;
 import sun.security.util.math.ImmutableIntegerModuloP;
 import sun.security.util.math.IntegerFieldModuloP;
@@ -92,6 +93,7 @@ public final class ECDHKeyAgreement extends KeyAgreementSpi {
                 "Curve not supported: " + (nc != null ? nc.toString() :
                     "unknown"));
         }
+        ECUtil.checkPrivateKey(privateKey);
         privateKeyOps = opsOpt.get();
     }
 

src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -374,6 +374,7 @@ abstract class ECDSASignature extends SignatureSpi {
             throw new InvalidKeyException("Key params does not match signature params");
         }
 
+        ECUtil.checkPrivateKey(key);
         // Should check that the supplied key is appropriate for signature
         // algorithm (e.g. P-256 for SHA256withECDSA)
         this.privateKey = key;

test/jdk/sun/security/ec/ECDSAPrvGreaterThanOrder.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+
+/**
+ * @test
+ * @bug 8272385
+ * @summary Enforce ECPrivateKey d value to be in the range [1, n-1] for SunEC provider
+ * @run main ECDSAPrvGreaterThanOrder
+ */
+
+import javax.crypto.KeyAgreement;
+import java.math.BigInteger;
+import java.security.*;
+import java.security.interfaces.ECPrivateKey;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPrivateKeySpec;
+import java.util.List;
+
+public class ECDSAPrvGreaterThanOrder {
+
+    private static final List<String> CURVE_NAMES =
+            List.of("secp256r1", "secp384r1", "secp521r1");
+
+    public static void main(String[] args) throws Exception {
+        for (String curveName : CURVE_NAMES) {
+            ECPrivateKey ecPrivKey = makePrivateKey(curveName);
+
+            // Check using the private key for creating a digital signature
+            Signature sig = null;
+            KeyAgreement ka = null;
+            try {
+                sig = Signature.getInstance("SHA256withECDSA",
+                        "SunEC");
+                sig.initSign(ecPrivKey);
+                throw new RuntimeException("Expected exception for " +
+                        "ECDSA/" + sig.getAlgorithm() + "/" + curveName +
+                        " not thrown.");
+            } catch (InvalidKeyException ike) {
+                // We are expecting this to be caught
+                System.out.println("Caught expected exception for " +
+                        "ECDSA/" + sig.getAlgorithm() + "/" + curveName +
+                        ": " + ike);
+            }
+
+            // Next, try starting a ECDH operation
+            try {
+                ka = KeyAgreement.getInstance("ECDH", "SunEC");
+                ka.init(ecPrivKey);
+                throw new RuntimeException("Expected exception for ECDH/" +
+                        curveName + " not thrown.");
+            } catch (InvalidKeyException ike) {
+                // We are expecting this to be caught
+                System.out.println("Caught expected exception for ECDH/" +
+                        curveName + ": " + ike);
+            }
+        }
+    }
+
+    private static ECPrivateKey makePrivateKey(String curveName) {
+        try {
+            System.out.println("Creating private key for curve " + curveName);
+
+            AlgorithmParameters params = AlgorithmParameters.getInstance(
+                    "EC", "SunEC");
+            params.init(new ECGenParameterSpec(curveName));
+            ECParameterSpec ecParameters = params.getParameterSpec(
+                    ECParameterSpec.class);
+            BigInteger order = ecParameters.getOrder(); // the N value
+            System.out.println("Order is: " + order);
+
+            // Create a private key value (d) that is outside the range
+            // [1, N-1]
+            BigInteger dVal = order.add(BigInteger.TWO);
+            System.out.println("Modified d Value is: " + dVal);
+
+            // Create the private key
+            KeyFactory kf = KeyFactory.getInstance("EC", "SunEC");
+            return (ECPrivateKey)kf.generatePrivate(
+                    new ECPrivateKeySpec(dVal, ecParameters));
+        } catch (GeneralSecurityException gse) {
+            throw new RuntimeException("Unexpected error creating private key",
+                    gse);
+        }
+    }
+}