diff --git a/src/java.base/share/classes/sun/security/util/ECUtil.java b/src/java.base/share/classes/sun/security/util/ECUtil.java index 22bc2f71317..23dfaf0b44b 100644 --- a/src/java.base/share/classes/sun/security/util/ECUtil.java +++ b/src/java.base/share/classes/sun/security/util/ECUtil.java @@ -33,6 +33,7 @@ import java.security.*; import java.security.interfaces.*; import java.security.spec.*; import java.util.Arrays; +import java.util.Objects; public final class ECUtil { @@ -310,5 +311,41 @@ public final class ECUtil { } } + /** + * Check an ECPrivateKey to make sure the scalar value is within the + * range of the order [1, n-1]. + * + * @param prv the private key to be checked. + * + * @return the private key that was evaluated. + * + * @throws InvalidKeyException if the key's scalar value is not within + * the range 1 <= x < n where n is the order of the generator. + */ + public static ECPrivateKey checkPrivateKey(ECPrivateKey prv) + throws InvalidKeyException { + // The private key itself cannot be null, but if the private + // key doesn't divulge the parameters or more importantly the S value + // (possibly because it lives on a provider that prevents release + // of those values, e.g. HSM), then we cannot perform the check and + // will allow the operation to proceed. + Objects.requireNonNull(prv, "Private key must be non-null"); + ECParameterSpec spec = prv.getParams(); + if (spec != null) { + BigInteger order = spec.getOrder(); + BigInteger sVal = prv.getS(); + + if (order != null && sVal != null) { + if (sVal.compareTo(BigInteger.ZERO) <= 0 || + sVal.compareTo(order) >= 0) { + throw new InvalidKeyException("The private key must be " + + "within the range [1, n - 1]"); + } + } + } + + return prv; + } + private ECUtil() {} } diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDHKeyAgreement.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDHKeyAgreement.java index 8fe3bea4d3d..8f69da0ac7a 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDHKeyAgreement.java +++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDHKeyAgreement.java @@ -29,6 +29,7 @@ import sun.security.ec.point.AffinePoint; import sun.security.ec.point.Point; import sun.security.util.ArrayUtil; import sun.security.util.CurveDB; +import sun.security.util.ECUtil; import sun.security.util.NamedCurve; import sun.security.util.math.ImmutableIntegerModuloP; import sun.security.util.math.IntegerFieldModuloP; @@ -92,6 +93,7 @@ public final class ECDHKeyAgreement extends KeyAgreementSpi { "Curve not supported: " + (nc != null ? nc.toString() : "unknown")); } + ECUtil.checkPrivateKey(privateKey); privateKeyOps = opsOpt.get(); } diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java index 4bf63d77e74..b76d4e493bb 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java +++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -374,6 +374,7 @@ abstract class ECDSASignature extends SignatureSpi { throw new InvalidKeyException("Key params does not match signature params"); } + ECUtil.checkPrivateKey(key); // Should check that the supplied key is appropriate for signature // algorithm (e.g. P-256 for SHA256withECDSA) this.privateKey = key; diff --git a/test/jdk/sun/security/ec/ECDSAPrvGreaterThanOrder.java b/test/jdk/sun/security/ec/ECDSAPrvGreaterThanOrder.java new file mode 100644 index 00000000000..40f52d534a7 --- /dev/null +++ b/test/jdk/sun/security/ec/ECDSAPrvGreaterThanOrder.java @@ -0,0 +1,107 @@ +/* + * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + +/** + * @test + * @bug 8272385 + * @summary Enforce ECPrivateKey d value to be in the range [1, n-1] for SunEC provider + * @run main ECDSAPrvGreaterThanOrder + */ + +import javax.crypto.KeyAgreement; +import java.math.BigInteger; +import java.security.*; +import java.security.interfaces.ECPrivateKey; +import java.security.spec.ECGenParameterSpec; +import java.security.spec.ECParameterSpec; +import java.security.spec.ECPrivateKeySpec; +import java.util.List; + +public class ECDSAPrvGreaterThanOrder { + + private static final List CURVE_NAMES = + List.of("secp256r1", "secp384r1", "secp521r1"); + + public static void main(String[] args) throws Exception { + for (String curveName : CURVE_NAMES) { + ECPrivateKey ecPrivKey = makePrivateKey(curveName); + + // Check using the private key for creating a digital signature + Signature sig = null; + KeyAgreement ka = null; + try { + sig = Signature.getInstance("SHA256withECDSA", + "SunEC"); + sig.initSign(ecPrivKey); + throw new RuntimeException("Expected exception for " + + "ECDSA/" + sig.getAlgorithm() + "/" + curveName + + " not thrown."); + } catch (InvalidKeyException ike) { + // We are expecting this to be caught + System.out.println("Caught expected exception for " + + "ECDSA/" + sig.getAlgorithm() + "/" + curveName + + ": " + ike); + } + + // Next, try starting a ECDH operation + try { + ka = KeyAgreement.getInstance("ECDH", "SunEC"); + ka.init(ecPrivKey); + throw new RuntimeException("Expected exception for ECDH/" + + curveName + " not thrown."); + } catch (InvalidKeyException ike) { + // We are expecting this to be caught + System.out.println("Caught expected exception for ECDH/" + + curveName + ": " + ike); + } + } + } + + private static ECPrivateKey makePrivateKey(String curveName) { + try { + System.out.println("Creating private key for curve " + curveName); + + AlgorithmParameters params = AlgorithmParameters.getInstance( + "EC", "SunEC"); + params.init(new ECGenParameterSpec(curveName)); + ECParameterSpec ecParameters = params.getParameterSpec( + ECParameterSpec.class); + BigInteger order = ecParameters.getOrder(); // the N value + System.out.println("Order is: " + order); + + // Create a private key value (d) that is outside the range + // [1, N-1] + BigInteger dVal = order.add(BigInteger.TWO); + System.out.println("Modified d Value is: " + dVal); + + // Create the private key + KeyFactory kf = KeyFactory.getInstance("EC", "SunEC"); + return (ECPrivateKey)kf.generatePrivate( + new ECPrivateKeySpec(dVal, ecParameters)); + } catch (GeneralSecurityException gse) { + throw new RuntimeException("Unexpected error creating private key", + gse); + } + } +}