8296442: EncryptedPrivateKeyInfo can be created with an uninitialized AlgorithmParameters
Reviewed-by: xuelei, kdriver, mullan
This commit is contained in:
parent
37848a9ca2
commit
68d3ed5cee
src/java.base/share/classes
test/jdk
javax/crypto/EncryptedPrivateKeyInfo
sun/security/x509/AlgorithmId
@ -57,17 +57,20 @@ import sun.security.util.DerOutputStream;
|
||||
|
||||
public class EncryptedPrivateKeyInfo {
|
||||
|
||||
// the "encryptionAlgorithm" field
|
||||
// The "encryptionAlgorithm" is stored in either the algid or
|
||||
// the params field. Precisely, if this object is created by
|
||||
// {@link #EncryptedPrivateKeyInfo(AlgorithmParameters, byte[])}
|
||||
// with an uninitialized AlgorithmParameters, the AlgorithmParameters
|
||||
// object is stored in the params field and algid is set to null.
|
||||
// In all other cases, algid is non null and params is null.
|
||||
private final AlgorithmId algid;
|
||||
|
||||
// the algorithm name of the encrypted private key
|
||||
private String keyAlg;
|
||||
private final AlgorithmParameters params;
|
||||
|
||||
// the "encryptedData" field
|
||||
private final byte[] encryptedData;
|
||||
|
||||
// the ASN.1 encoded contents of this class
|
||||
private byte[] encoded;
|
||||
private final byte[] encoded;
|
||||
|
||||
/**
|
||||
* Constructs (i.e., parses) an {@code EncryptedPrivateKeyInfo} from
|
||||
@ -100,6 +103,7 @@ public class EncryptedPrivateKeyInfo {
|
||||
}
|
||||
|
||||
this.algid = AlgorithmId.parse(seq[0]);
|
||||
this.params = null;
|
||||
if (seq[0].data.available() != 0) {
|
||||
throw new IOException("encryptionAlgorithm field overrun");
|
||||
}
|
||||
@ -141,6 +145,7 @@ public class EncryptedPrivateKeyInfo {
|
||||
throw new NullPointerException("the algName parameter " +
|
||||
"must be non-null");
|
||||
this.algid = AlgorithmId.get(algName);
|
||||
this.params = null;
|
||||
|
||||
if (encryptedData == null) {
|
||||
throw new NullPointerException("the encryptedData " +
|
||||
@ -181,7 +186,22 @@ public class EncryptedPrivateKeyInfo {
|
||||
if (algParams == null) {
|
||||
throw new NullPointerException("algParams must be non-null");
|
||||
}
|
||||
this.algid = AlgorithmId.get(algParams);
|
||||
AlgorithmId tmp;
|
||||
try {
|
||||
tmp = AlgorithmId.get(algParams);
|
||||
} catch (IllegalStateException e) {
|
||||
// This exception is thrown when algParams.getEncoded() fails.
|
||||
// While the spec of this constructor requires that
|
||||
// "getEncoded should return...", in reality people might
|
||||
// create with an uninitialized algParams first and only
|
||||
// initialize it before calling getEncoded(). Thus we support
|
||||
// this case as well.
|
||||
tmp = null;
|
||||
}
|
||||
|
||||
// one and only one is non null
|
||||
this.algid = tmp;
|
||||
this.params = this.algid != null ? null : algParams;
|
||||
|
||||
if (encryptedData == null) {
|
||||
throw new NullPointerException("encryptedData must be non-null");
|
||||
@ -197,7 +217,6 @@ public class EncryptedPrivateKeyInfo {
|
||||
this.encoded = null;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Returns the encryption algorithm.
|
||||
* <p>Note: Standard name is returned instead of the specified one
|
||||
@ -209,7 +228,7 @@ public class EncryptedPrivateKeyInfo {
|
||||
* @return the encryption algorithm name.
|
||||
*/
|
||||
public String getAlgName() {
|
||||
return this.algid.getName();
|
||||
return algid == null ? params.getAlgorithm() : algid.getName();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -217,7 +236,7 @@ public class EncryptedPrivateKeyInfo {
|
||||
* @return the algorithm parameters.
|
||||
*/
|
||||
public AlgorithmParameters getAlgParameters() {
|
||||
return this.algid.getParameters();
|
||||
return algid == null ? params : algid.getParameters();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -252,14 +271,13 @@ public class EncryptedPrivateKeyInfo {
|
||||
byte[] encoded;
|
||||
try {
|
||||
encoded = cipher.doFinal(encryptedData);
|
||||
checkPKCS8Encoding(encoded);
|
||||
return pkcs8EncodingToSpec(encoded);
|
||||
} catch (GeneralSecurityException |
|
||||
IOException |
|
||||
IllegalStateException ex) {
|
||||
throw new InvalidKeySpecException(
|
||||
"Cannot retrieve the PKCS8EncodedKeySpec", ex);
|
||||
}
|
||||
return new PKCS8EncodedKeySpec(encoded, keyAlg);
|
||||
}
|
||||
|
||||
private PKCS8EncodedKeySpec getKeySpecImpl(Key decryptKey,
|
||||
@ -270,13 +288,13 @@ public class EncryptedPrivateKeyInfo {
|
||||
try {
|
||||
if (provider == null) {
|
||||
// use the most preferred one
|
||||
c = Cipher.getInstance(algid.getName());
|
||||
c = Cipher.getInstance(getAlgName());
|
||||
} else {
|
||||
c = Cipher.getInstance(algid.getName(), provider);
|
||||
c = Cipher.getInstance(getAlgName(), provider);
|
||||
}
|
||||
c.init(Cipher.DECRYPT_MODE, decryptKey, algid.getParameters());
|
||||
c.init(Cipher.DECRYPT_MODE, decryptKey, getAlgParameters());
|
||||
encoded = c.doFinal(encryptedData);
|
||||
checkPKCS8Encoding(encoded);
|
||||
return pkcs8EncodingToSpec(encoded);
|
||||
} catch (NoSuchAlgorithmException nsae) {
|
||||
// rethrow
|
||||
throw nsae;
|
||||
@ -284,7 +302,6 @@ public class EncryptedPrivateKeyInfo {
|
||||
throw new InvalidKeyException(
|
||||
"Cannot retrieve the PKCS8EncodedKeySpec", ex);
|
||||
}
|
||||
return new PKCS8EncodedKeySpec(encoded, keyAlg);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -388,14 +405,23 @@ public class EncryptedPrivateKeyInfo {
|
||||
DerOutputStream tmp = new DerOutputStream();
|
||||
|
||||
// encode encryption algorithm
|
||||
algid.encode(tmp);
|
||||
if (algid != null) {
|
||||
algid.encode(tmp);
|
||||
} else {
|
||||
try {
|
||||
// Let's hope params has been initialized by now.
|
||||
AlgorithmId.get(params).encode(tmp);
|
||||
} catch (Exception e) {
|
||||
throw new IOException("not initialized", e);
|
||||
}
|
||||
}
|
||||
|
||||
// encode encrypted data
|
||||
tmp.putOctetString(encryptedData);
|
||||
|
||||
// wrap everything into a SEQUENCE
|
||||
out.write(DerValue.tag_Sequence, tmp);
|
||||
this.encoded = out.toByteArray();
|
||||
return out.toByteArray();
|
||||
}
|
||||
return this.encoded.clone();
|
||||
}
|
||||
@ -409,7 +435,7 @@ public class EncryptedPrivateKeyInfo {
|
||||
}
|
||||
|
||||
@SuppressWarnings("fallthrough")
|
||||
private void checkPKCS8Encoding(byte[] encodedKey)
|
||||
private static PKCS8EncodedKeySpec pkcs8EncodingToSpec(byte[] encodedKey)
|
||||
throws IOException {
|
||||
DerInputStream in = new DerInputStream(encodedKey);
|
||||
DerValue[] values = in.getSequence(3);
|
||||
@ -420,9 +446,9 @@ public class EncryptedPrivateKeyInfo {
|
||||
/* fall through */
|
||||
case 3:
|
||||
checkTag(values[0], DerValue.tag_Integer, "version");
|
||||
keyAlg = AlgorithmId.parse(values[1]).getName();
|
||||
String keyAlg = AlgorithmId.parse(values[1]).getName();
|
||||
checkTag(values[2], DerValue.tag_OctetString, "privateKey");
|
||||
break;
|
||||
return new PKCS8EncodedKeySpec(encodedKey, keyAlg);
|
||||
default:
|
||||
throw new IOException("invalid key encoding");
|
||||
}
|
||||
|
@ -116,36 +116,6 @@ class MacData {
|
||||
|
||||
}
|
||||
|
||||
MacData(AlgorithmParameters algParams, byte[] digest,
|
||||
byte[] salt, int iterations) throws NoSuchAlgorithmException
|
||||
{
|
||||
if (algParams == null)
|
||||
throw new NullPointerException("the algParams parameter " +
|
||||
"must be non-null");
|
||||
|
||||
AlgorithmId algid = AlgorithmId.get(algParams);
|
||||
this.digestAlgorithmName = algid.getName();
|
||||
this.digestAlgorithmParams = algid.getParameters();
|
||||
|
||||
if (digest == null) {
|
||||
throw new NullPointerException("the digest " +
|
||||
"parameter must be non-null");
|
||||
} else if (digest.length == 0) {
|
||||
throw new IllegalArgumentException("the digest " +
|
||||
"parameter must not be empty");
|
||||
} else {
|
||||
this.digest = digest.clone();
|
||||
}
|
||||
|
||||
this.macSalt = salt;
|
||||
this.iterations = iterations;
|
||||
|
||||
// delay the generation of ASN.1 encoding until
|
||||
// getEncoded() is called
|
||||
this.encoded = null;
|
||||
|
||||
}
|
||||
|
||||
String getDigestAlgName() {
|
||||
return digestAlgorithmName;
|
||||
}
|
||||
|
@ -100,6 +100,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
|
||||
*
|
||||
* @param oid the identifier for the algorithm.
|
||||
* @param algparams the associated algorithm parameters, can be null.
|
||||
* @exception IllegalStateException if algparams is not initialized
|
||||
* or cannot be encoded
|
||||
*/
|
||||
public AlgorithmId(ObjectIdentifier oid, AlgorithmParameters algparams) {
|
||||
algid = oid;
|
||||
@ -108,9 +110,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
|
||||
try {
|
||||
encodedParams = algParams.getEncoded();
|
||||
} catch (IOException ioe) {
|
||||
// Ignore this at the moment. This exception can occur
|
||||
// if AlgorithmParameters was not initialized yet. Will
|
||||
// try to re-getEncoded() again later.
|
||||
throw new IllegalStateException(
|
||||
"AlgorithmParameters not initialized or cannot be decoded",
|
||||
ioe);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -157,17 +159,11 @@ public class AlgorithmId implements Serializable, DerEncoder {
|
||||
* @exception IOException on encoding error.
|
||||
*/
|
||||
@Override
|
||||
public void encode (DerOutputStream out) throws IOException {
|
||||
public void encode(DerOutputStream out) throws IOException {
|
||||
DerOutputStream bytes = new DerOutputStream();
|
||||
|
||||
bytes.putOID(algid);
|
||||
|
||||
// Re-getEncoded() from algParams if it was not initialized
|
||||
if (algParams != null && encodedParams == null) {
|
||||
encodedParams = algParams.getEncoded();
|
||||
// If still not initialized. Let the IOE be thrown.
|
||||
}
|
||||
|
||||
if (encodedParams == null) {
|
||||
// Changes backed out for compatibility with Solaris
|
||||
|
||||
@ -488,6 +484,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
|
||||
*
|
||||
* @param algparams the associated algorithm parameters.
|
||||
* @exception NoSuchAlgorithmException on error.
|
||||
* @exception IllegalStateException if algparams is not initialized
|
||||
* or cannot be encoded
|
||||
*/
|
||||
public static AlgorithmId get(AlgorithmParameters algparams)
|
||||
throws NoSuchAlgorithmException {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -23,16 +23,11 @@
|
||||
|
||||
/**
|
||||
* @test
|
||||
* @bug 4941596
|
||||
* @bug 4941596 8296442
|
||||
* @summary Test the EncryptedPrivateKeyInfo.getAlgName(...) methods.
|
||||
* @author Valerie Peng
|
||||
*/
|
||||
import java.util.*;
|
||||
import java.nio.*;
|
||||
import java.io.*;
|
||||
import java.security.*;
|
||||
import java.util.Arrays;
|
||||
import java.security.spec.*;
|
||||
import javax.crypto.*;
|
||||
import javax.crypto.spec.*;
|
||||
|
||||
@ -61,8 +56,18 @@ public class GetAlgName {
|
||||
AlgorithmParameters ap = c.getParameters();
|
||||
epki = new EncryptedPrivateKeyInfo(ap, BYTES);
|
||||
if (!epki.getAlgName().equalsIgnoreCase(algo)) {
|
||||
System.out.println("...expect: " + algo);
|
||||
System.out.println("...got: " + epki.getAlgName());
|
||||
System.out.println("...expected: " + algo);
|
||||
System.out.println(" ...got: " + epki.getAlgName());
|
||||
status = false;
|
||||
}
|
||||
|
||||
// Make sure EncryptedPrivateKeyInfo can be created with an
|
||||
// uninitialized AlgorithmParameters.
|
||||
AlgorithmParameters ap2 = AlgorithmParameters.getInstance(ap.getAlgorithm());
|
||||
epki = new EncryptedPrivateKeyInfo(ap2, BYTES);
|
||||
if (!epki.getAlgName().equalsIgnoreCase(algo)) {
|
||||
System.out.println("...expected: " + algo);
|
||||
System.out.println(" ...got: " + epki.getAlgName());
|
||||
status = false;
|
||||
}
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2021, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -23,7 +23,7 @@
|
||||
|
||||
/**
|
||||
* @test
|
||||
* @bug 8261779
|
||||
* @bug 8261779 8296442
|
||||
* @summary Check that EncryptedPrivateKeyInfo.getEncoded() calls
|
||||
* AlgorithmParameters.getEncoded() when first called
|
||||
*/
|
||||
@ -56,6 +56,14 @@ public class GetEncoded {
|
||||
AlgorithmParameters ap1 = AlgorithmParameters.getInstance("EC");
|
||||
EncryptedPrivateKeyInfo epki1 =
|
||||
new EncryptedPrivateKeyInfo(ap1, new byte[] {1, 2, 3, 4});
|
||||
|
||||
try {
|
||||
epki1.getEncoded();
|
||||
throw new Exception("Should have thrown IOException");
|
||||
} catch (IOException ioe) {
|
||||
// test passed, expected exception
|
||||
}
|
||||
|
||||
ap1.init(new ECGenParameterSpec("secp256r1"));
|
||||
|
||||
EncryptedPrivateKeyInfo epki2 =
|
||||
|
49
test/jdk/sun/security/x509/AlgorithmId/Uninitialized.java
Normal file
49
test/jdk/sun/security/x509/AlgorithmId/Uninitialized.java
Normal file
@ -0,0 +1,49 @@
|
||||
/*
|
||||
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
* or visit www.oracle.com if you need additional information or have any
|
||||
* questions.
|
||||
*/
|
||||
|
||||
/*
|
||||
* @test
|
||||
* @bug 8296442
|
||||
* @summary EncryptedPrivateKeyInfo can be created with an uninitialized AlgorithmParameters
|
||||
* @modules java.base/sun.security.x509
|
||||
*/
|
||||
|
||||
import sun.security.x509.AlgorithmId;
|
||||
|
||||
import java.security.AlgorithmParameters;
|
||||
|
||||
public class Uninitialized {
|
||||
public static void main(String[] args) throws Exception {
|
||||
AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
|
||||
boolean success;
|
||||
try {
|
||||
AlgorithmId.get(ap);
|
||||
success = true;
|
||||
} catch (Exception e) {
|
||||
success = false;
|
||||
}
|
||||
if (success) {
|
||||
throw new RuntimeException();
|
||||
}
|
||||
}
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user