diff --git a/src/java.base/share/classes/sun/security/ec/ECKeyPairGenerator.java b/src/java.base/share/classes/sun/security/ec/ECKeyPairGenerator.java index 69c57b95bc4..155691d2fda 100644 --- a/src/java.base/share/classes/sun/security/ec/ECKeyPairGenerator.java +++ b/src/java.base/share/classes/sun/security/ec/ECKeyPairGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,7 +29,6 @@ import java.security.*; import java.security.spec.AlgorithmParameterSpec; import java.security.spec.ECGenParameterSpec; import java.security.spec.ECParameterSpec; -import java.security.spec.ECPoint; import java.security.spec.InvalidParameterSpecException; import java.util.Arrays; import java.util.Optional; @@ -37,7 +36,7 @@ import java.util.Optional; import sun.security.jca.JCAUtil; import sun.security.util.ECUtil; import sun.security.util.math.*; -import sun.security.ec.point.*; + import static sun.security.util.SecurityProviderConstants.DEF_EC_KEY_SIZE; import static sun.security.ec.ECOperations.IntermediateValueException; @@ -74,7 +73,7 @@ public final class ECKeyPairGenerator extends KeyPairGeneratorSpi { public void initialize(int keySize, SecureRandom random) { checkKeySize(keySize); - this.params = ECUtil.getECParameterSpec(null, keySize); + this.params = ECUtil.getECParameterSpec(keySize); if (params == null) { throw new InvalidParameterException( "No EC parameters available for key size " + keySize + " bits"); 
@@ -91,14 +90,14 @@ public final class ECKeyPairGenerator extends KeyPairGeneratorSpi { if (params instanceof ECParameterSpec) { ECParameterSpec ecParams = (ECParameterSpec) params; - ecSpec = ECUtil.getECParameterSpec(null, ecParams); + ecSpec = ECUtil.getECParameterSpec(ecParams); if (ecSpec == null) { throw new InvalidAlgorithmParameterException( "Curve not supported: " + params); } } else if (params instanceof ECGenParameterSpec) { String name = ((ECGenParameterSpec) params).getName(); - ecSpec = ECUtil.getECParameterSpec(null, name); + ecSpec = ECUtil.getECParameterSpec(name); if (ecSpec == null) { throw new InvalidAlgorithmParameterException( "Unknown curve name: " + name); @@ -120,7 +119,7 @@ public final class ECKeyPairGenerator extends KeyPairGeneratorSpi { throws InvalidAlgorithmParameterException { // Check if ecSpec is a valid curve - AlgorithmParameters ecParams = ECUtil.getECParameters(null); + AlgorithmParameters ecParams = ECUtil.getECParameters(); try { ecParams.init(ecSpec); } catch (InvalidParameterSpecException ex) { diff --git a/src/java.base/share/classes/sun/security/util/ECUtil.java b/src/java.base/share/classes/sun/security/util/ECUtil.java index 011ab846048..966b13beee2 100644 --- a/src/java.base/share/classes/sun/security/util/ECUtil.java +++ b/src/java.base/share/classes/sun/security/util/ECUtil.java 
@@ -140,21 +140,16 @@ public final class ECUtil { return (ECPrivateKey)keyFactory.generatePrivate(keySpec); } - public static AlgorithmParameters getECParameters(Provider p) { + public static AlgorithmParameters getECParameters() { try { - if (p != null) { - return AlgorithmParameters.getInstance("EC", p); - } - return AlgorithmParameters.getInstance("EC"); } catch (NoSuchAlgorithmException nsae) { throw new RuntimeException(nsae); } } - public static byte[] encodeECParameterSpec(Provider p, - ECParameterSpec spec) { - AlgorithmParameters parameters = getECParameters(p); + public static byte[] encodeECParameterSpec(ECParameterSpec spec) { + AlgorithmParameters parameters = getECParameters(); try { parameters.init(spec); @@ -170,9 +165,8 @@ public final class ECUtil { } } - public static ECParameterSpec getECParameterSpec(Provider p, - ECParameterSpec spec) { - AlgorithmParameters parameters = getECParameters(p); + public static ECParameterSpec getECParameterSpec(ECParameterSpec spec) { + AlgorithmParameters parameters = getECParameters(); try { parameters.init(spec); @@ -182,10 +176,9 @@ public final class ECUtil { } } - public static ECParameterSpec getECParameterSpec(Provider p, - byte[] params) + public static ECParameterSpec getECParameterSpec(byte[] params) throws IOException { - AlgorithmParameters parameters = getECParameters(p); + AlgorithmParameters parameters = getECParameters(); parameters.init(params); @@ -196,8 +189,8 @@ public final class ECUtil { } } - public static ECParameterSpec getECParameterSpec(Provider p, String name) { - AlgorithmParameters parameters = getECParameters(p); + public static ECParameterSpec getECParameterSpec(String name) { + AlgorithmParameters parameters = getECParameters(); try { parameters.init(new ECGenParameterSpec(name)); 
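Review bot: `getECParameters()` in the first ECUtil hunk now always resolves "EC" through `AlgorithmParameters.getInstance("EC")`, that is by provider preference order, and this public helper carries no documentation of that contract. The P11ECKeyFactory wrappers changed later in this commit used to pin SunEC via `getSunECProvider()`, and one of them keeps the comment "convert it to our ECParameterSpec subclass", which only holds if the highest-priority provider returns that subclass. I would add a Javadoc sentence such as `Returns the "EC" AlgorithmParameters of the highest-priority registered provider; callers must not assume a particular implementation class.` and state there that a missing "EC" implementation surfaces as an unchecked `RuntimeException`. The same applies to the `getECParameterSpec`, `encodeECParameterSpec` and `getCurveName` overloads in the following hunks.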
@@ -207,8 +200,8 @@ public final class ECUtil { } } - public static ECParameterSpec getECParameterSpec(Provider p, int keySize) { - AlgorithmParameters parameters = getECParameters(p); + public static ECParameterSpec getECParameterSpec(int keySize) { + AlgorithmParameters parameters = getECParameters(); try { parameters.init(new ECKeySizeParameterSpec(keySize)); @@ -219,9 +212,9 @@ public final class ECUtil { } - public static String getCurveName(Provider p, ECParameterSpec spec) { + public static String getCurveName(ECParameterSpec spec) { ECGenParameterSpec nameSpec; - AlgorithmParameters parameters = getECParameters(p); + AlgorithmParameters parameters = getECParameters(); try { parameters.init(spec); diff --git a/src/java.base/share/classes/sun/security/util/KeyUtil.java b/src/java.base/share/classes/sun/security/util/KeyUtil.java index c38889ed494..6884b9b201a 100644 --- a/src/java.base/share/classes/sun/security/util/KeyUtil.java +++ b/src/java.base/share/classes/sun/security/util/KeyUtil.java @@ -153,7 +153,7 @@ public final class KeyUtil { // Note: the ECGenParameterSpec case should be covered by the // ECParameterSpec case above. - // See ECUtil.getECParameterSpec(Provider, String). + // See ECUtil.getECParameterSpec(String). break; case "DiffieHellman": diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECKeyFactory.java index 9918503c7fd..9896cb738bb 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECKeyFactory.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECKeyFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -64,25 +64,25 @@ final class P11ECKeyFactory extends P11KeyFactory { } static ECParameterSpec getECParameterSpec(String name) { - return ECUtil.getECParameterSpec(getSunECProvider(), name); + return ECUtil.getECParameterSpec(name); } static ECParameterSpec getECParameterSpec(int keySize) { - return ECUtil.getECParameterSpec(getSunECProvider(), keySize); + return ECUtil.getECParameterSpec(keySize); } // Check that spec is a known supported curve and convert it to our // ECParameterSpec subclass. If not possible, return null. static ECParameterSpec getECParameterSpec(ECParameterSpec spec) { - return ECUtil.getECParameterSpec(getSunECProvider(), spec); + return ECUtil.getECParameterSpec(spec); } static ECParameterSpec decodeParameters(byte[] params) throws IOException { - return ECUtil.getECParameterSpec(getSunECProvider(), params); + return ECUtil.getECParameterSpec(params); } static byte[] encodeParameters(ECParameterSpec params) { - return ECUtil.encodeECParameterSpec(getSunECProvider(), params); + return ECUtil.encodeECParameterSpec(params); } static ECPoint decodePoint(byte[] encoded, EllipticCurve curve) throws IOException { @@ -220,7 +220,7 @@ final class P11ECKeyFactory extends P11KeyFactory { private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception { byte[] encodedParams = - ECUtil.encodeECParameterSpec(getSunECProvider(), params); + ECUtil.encodeECParameterSpec(params); byte[] encodedPoint = ECUtil.encodePoint(point, params.getCurve()); @@ -254,7 +254,7 @@ final class P11ECKeyFactory extends P11KeyFactory { private PrivateKey generatePrivate(BigInteger s, ECParameterSpec params) throws PKCS11Exception { byte[] encodedParams = - ECUtil.encodeECParameterSpec(getSunECProvider(), params); + ECUtil.encodeECParameterSpec(params); CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), 
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java index c3383f52190..d1377b807fe 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1378,7 +1378,7 @@ final class P11KeyStore extends KeyStoreSpi { byte[] encodedParams = attrs[0].getByteArray(); try { ECParameterSpec params = - ECUtil.getECParameterSpec(null, encodedParams); + ECUtil.getECParameterSpec(encodedParams); keyLength = params.getCurve().getField().getFieldSize(); } catch (IOException e) { // we do not want to accept key with unsupported parameters @@ -1776,7 +1776,7 @@ final class P11KeyStore extends KeyStoreSpi { } byte[] encodedParams = - ECUtil.encodeECParameterSpec(null, ecKey.getParams()); + ECUtil.encodeECParameterSpec(ecKey.getParams()); attrs = new CK_ATTRIBUTE[] { ATTR_TOKEN_TRUE, ATTR_CLASS_PKEY, diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java index cfe6b01a2e5..77783870df7 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java 
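Review bot: In the `@@ -1378` P11KeyStore hunk the result of `ECUtil.getECParameterSpec(encodedParams)` is dereferenced at once (`params.getCurve()`), and only `IOException` is caught. Callers of the other overloads in ECKeyPairGenerator null-check the result (`if (ecSpec == null)`), so if the byte[] overload can also return null for parameters the provider cannot map (its tail is outside the visible hunks), parameters read from the token attribute would end in a NullPointerException rather than the intended rejection. I would add `if (params == null) { throw new IOException("Unsupported EC parameters"); }` before the dereference so the existing catch handles it. The enclosing method starts and ends outside the hunk.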
@@ -776,7 +776,7 @@ final class P11PSSSignature extends SignatureSpi { protected AlgorithmParameters engineGetParameters() { if (this.sigParams != null) { try { - AlgorithmParameters ap = AlgorithmParameters.getInstance("RSASSA-PSS"); + AlgorithmParameters ap = AlgorithmParameters.getInstance("RSASSA-PSS", token.provider); ap.init(this.sigParams); return ap; } catch (GeneralSecurityException e) { diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java index e8dc0880d22..3e112bfe0ed 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -42,7 +42,9 @@ import javax.security.auth.callback.PasswordCallback; import com.sun.crypto.provider.ChaCha20Poly1305Parameters; +import com.sun.crypto.provider.DHParameters; import jdk.internal.misc.InnocuousThread; +import sun.security.rsa.PSSParameters; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; @@ -707,6 +709,14 @@ public final class SunPKCS11 extends AuthProvider { "com.sun.crypto.provider.ChaCha20Poly1305Parameters", m(CKM_CHACHA20_POLY1305)); + dA(AGP, "RSASSA-PSS", + "sun.security.rsa.PSSParameters", + m(CKM_RSA_PKCS_PSS)); + + dA(AGP, "DiffieHellman", + "com.sun.crypto.provider.DHParameters", + m(CKM_DH_PKCS_DERIVE)); + d(KA, "DH", P11KeyAgreement, dhAlias, m(CKM_DH_PKCS_DERIVE)); 
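Review bot: `engineGetParameters()` now requires the token's own provider to supply "RSASSA-PSS" AlgorithmParameters, but the registration added to SunPKCS11 in this same commit is gated on `m(CKM_RSA_PKCS_PSS)`. If P11PSSSignature can be instantiated for a token that offers only digest-specific PSS mechanisms, then `AlgorithmParameters.getInstance("RSASSA-PSS", token.provider)` would throw where the previous provider-order lookup succeeded; the Signature registrations are not visible here, so this is an assumption to confirm. Either confirm that the mechanism lists match, or document the dependency next to the call with a comment like `// relies on the AGP "RSASSA-PSS" entry registered in SunPKCS11`. The catch block continues outside the hunk, so what the caller sees on failure cannot be checked from here.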
@@ -1496,6 +1506,10 @@ public final class SunPKCS11 extends AuthProvider { return new sun.security.util.GCMParameters(); } else if (algorithm == "ChaCha20-Poly1305") { return new ChaCha20Poly1305Parameters(); // from SunJCE + } else if (algorithm == "RSASSA-PSS") { + return new PSSParameters(); // from SunRsaSign + } else if (algorithm == "DiffieHellman") { + return new DHParameters(); // from SunJCE } else { throw new NoSuchAlgorithmException("Unsupported algorithm: " + algorithm); diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java index b8ea9863327..c15f10aab3e 100644 --- a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ import java.security.interfaces.*; /* * @test - * @bug 8080462 8226651 8242332 + * @bug 8080462 8226651 8242332 8325164 * @summary testing interoperability of PSS signatures of PKCS11 provider * against SunRsaSign provider * @library /test/lib .. @@ -51,9 +51,12 @@ public class SigInteropPSS2 extends PKCS11Test { @Override public void main(Provider p) throws Exception { + Provider sunRsaSign = Security.getProvider("SunRsaSign"); + Security.removeProvider("SunRsaSign"); + Signature sigPkcs11; Signature sigSunRsaSign = - Signature.getInstance("RSASSA-PSS", "SunRsaSign"); + Signature.getInstance("RSASSA-PSS", sunRsaSign); KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p); kpg.initialize(3072); diff --git a/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java b/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java index 1f6886f2d69..e9e4158f20e 100644 
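Review bot: The two added branches test `algorithm == "RSASSA-PSS"` and `algorithm == "DiffieHellman"` with reference equality, which is correct only while the string reaching this method is the same interned literal that was used at registration. The existing ChaCha20-Poly1305 branch does the same, so this looks deliberate, but nothing in the hunk says so. I would either add a comment above the chain, `// algorithm is the interned literal used at registration; == is intentional`, or write the new branches as `"RSASSA-PSS".equals(algorithm)`. The class instantiated here also has to stay in step with the class-name strings given to `dA(AGP, ...)` (`"sun.security.rsa.PSSParameters"`, `"com.sun.crypto.provider.DHParameters"`). The method begins outside the hunk.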
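Review bot: In SigInteropPSS2, `main(Provider p)` removes SunRsaSign with `Security.removeProvider("SunRsaSign")` and the hunk shows nothing that puts it back, so the JVM-wide provider list stays modified after the test. If the test does not run in its own VM (the jtreg run mode is outside the hunk), later tests in that VM would find the provider missing; wrapping the body in `try { ... } finally { Security.addProvider(sunRsaSign); }` re-adds it. `Security.getProvider` returns null when the provider is absent, so a guard such as `if (sunRsaSign == null) throw new RuntimeException("SunRsaSign not available");` gives a clearer failure than the exception from `Signature.getInstance`. A one-line comment saying why the provider is removed, presumably to show that the PKCS11 signature no longer depends on it for PSS parameters, would help the next reader.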
--- a/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java +++ b/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java @@ -23,7 +23,7 @@ /* * @test - * @bug 8029661 + * @bug 8029661 8325164 * @summary Test TLS 1.2 * @modules java.base/sun.security.internal.spec * java.base/sun.security.util @@ -412,6 +412,18 @@ public final class FipsModeTLS12 extends SecmodTest { ssle = sslCtx.createSSLEngine("localhost", 443); ssle.setUseClientMode(client); SSLParameters sslParameters = ssle.getSSLParameters(); + // verify that FFDHE named groups are available + boolean ffdheAvailable = Arrays.stream(sslParameters.getNamedGroups()) + .anyMatch(ng -> ng.startsWith("ffdhe")); + if (!ffdheAvailable) { + throw new RuntimeException("No FFDHE named groups available"); + } + // verify that ECDHE named groups are available + boolean ecdheAvailable = Arrays.stream(sslParameters.getNamedGroups()) + .anyMatch(ng -> ng.startsWith("secp")); + if (!ecdheAvailable) { + throw new RuntimeException("No ECDHE named groups available"); + } ssle.setSSLParameters(sslParameters); return ssle; 
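Review bot: Both added checks call `Arrays.stream(sslParameters.getNamedGroups())` directly, and `SSLParameters.getNamedGroups()` is documented to return null when no named groups have been set, in which case the test fails with a NullPointerException instead of the intended "No FFDHE named groups available" message. Reading the array once, `String[] groups = sslParameters.getNamedGroups();`, and failing explicitly when `groups == null` would keep the diagnostic meaningful and remove the duplicated call. The `secp` prefix check covers only those curve names, so the "No ECDHE named groups available" message is slightly broader than what is tested; a short comment saying that secp curves are presumably what the FIPS token is expected to offer would settle it. The enclosing method starts outside the hunk, and the `java.util.Arrays` import is not visible here.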
@@ -426,28 +438,6 @@ public final class FipsModeTLS12 extends SecmodTest { // 1. SunPKCS11 (with an NSS FIPS mode backend) // 2. SUN (to handle X.509 certificates) // 3. SunJSSE (for a TLS engine) - // - // RSASSA-PSS algorithm is not currently supported in SunPKCS11 - // but in SUN provider. As a result, it can be negotiated by the - // TLS engine. The problem is that SunPKCS11 keys are sensitive - // in FIPS mode and cannot be used in a SUN algorithm (conversion - // fails as plain values cannot be extracted). - // - // To workaround this issue, we disable RSASSA-PSS algorithm for - // TLS connections. Once JDK-8222937 is fixed, this workaround can - // (and should) be removed. - // - // On a final note, the list of disabled TLS algorithms - // (jdk.tls.disabledAlgorithms) has to be updated at this point, - // before it is read in sun.security.ssl.SSLAlgorithmConstraints - // class initialization. - String disabledAlgorithms = - Security.getProperty("jdk.tls.disabledAlgorithms"); - if (disabledAlgorithms.length() > 0) { - disabledAlgorithms += ", "; - } - disabledAlgorithms += "RSASSA-PSS"; - Security.setProperty("jdk.tls.disabledAlgorithms", disabledAlgorithms); if (initSecmod() == false) { return; diff --git a/test/jdk/sun/security/tools/keytool/fakegen/java.base/sun/security/ec/ECKeyPairGenerator.java b/test/jdk/sun/security/tools/keytool/fakegen/java.base/sun/security/ec/ECKeyPairGenerator.java index 50de12acf06..5e7429ee616 100644 --- a/test/jdk/sun/security/tools/keytool/fakegen/java.base/sun/security/ec/ECKeyPairGenerator.java +++ b/test/jdk/sun/security/tools/keytool/fakegen/java.base/sun/security/ec/ECKeyPairGenerator.java 
@@ -74,7 +74,7 @@ public final class ECKeyPairGenerator extends KeyPairGeneratorSpi { " has been patched. Key size " + keySize + " is not supported"); } - ECParameterSpec ecParams = ECUtil.getECParameterSpec(null, keySize); + ECParameterSpec ecParams = ECUtil.getECParameterSpec(keySize); try { return new KeyPair(new ECPublicKeyImpl(new ECPoint(x, y), ecParams), new ECPrivateKeyImpl(s, ecParams));