Martin Balao 4a75fd462c 8301553: Support Password-Based Cryptography in SunPKCS11
Co-authored-by: Francisco Ferrari Bihurriet <fferrari@redhat.com>
Co-authored-by: Martin Balao <mbalao@openjdk.org>
Reviewed-by: valeriep
2023-06-06 19:39:34 +00:00

205 lines
8.2 KiB
Java

/*
* Copyright (c) 2023, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.interfaces.PBEKey;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
/*
* @test
* @bug 8301553
* @summary test password based authentication on SunPKCS11's Mac service
* @library /test/lib ..
* @run main/othervm/timeout=30 PBAMac
*/
public final class PBAMac extends PKCS11Test {
private static final char[] password = "123456".toCharArray();
private static final byte[] salt = "abcdefgh".getBytes(
StandardCharsets.UTF_8);
private static final int iterations = 1000;
private static final String plainText = "This is a known plain text!";
private static final String sep = "======================================" +
"===================================";
private enum Configuration {
// Pass salt and iterations to a Mac through a PBEParameterSpec.
PBEParameterSpec,
// Derive a key using SunPKCS11's SecretKeyFactory (wrapping password,
// salt and iterations in a PBEKeySpec), and pass it to a Mac.
SecretKeyFactoryDerivedKey,
// Pass password, salt and iterations and iterations to
// a Mac through an anonymous class implementing the
// javax.crypto.interfaces.PBEKey interface.
AnonymousPBEKey,
}
private static Provider sunJCE = Security.getProvider("SunJCE");
private record AssertionData(String pbeHmacAlgo, String hmacAlgo,
BigInteger expectedMac) {}
private static AssertionData macAssertionData(String pbeHmacAlgo,
String hmacAlgo, String staticExpectedMacString) {
BigInteger staticExpectedMac = new BigInteger(staticExpectedMacString,
16);
BigInteger expectedMac = null;
if (sunJCE != null) {
try {
expectedMac = computeMac(sunJCE, pbeHmacAlgo,
pbeHmacAlgo, Configuration.PBEParameterSpec);
checkAssertionValues(expectedMac, staticExpectedMac);
} catch (GeneralSecurityException e) {
// Move to staticExpectedMac as it's unlikely
// that any of the algorithms are available.
sunJCE = null;
}
}
if (expectedMac == null) {
expectedMac = staticExpectedMac;
}
return new AssertionData(pbeHmacAlgo, hmacAlgo, expectedMac);
}
private static void checkAssertionValues(BigInteger expectedValue,
BigInteger staticExpectedValue) {
if (!expectedValue.equals(staticExpectedValue)) {
printHex("SunJCE value", expectedValue);
printHex("Static value", staticExpectedValue);
throw new Error("Static and SunJCE values do not match.");
}
}
// Generated with SunJCE.
private static final AssertionData[] assertionData = new AssertionData[]{
macAssertionData("HmacPBESHA1", "HmacSHA1",
"707606929395e4297adc63d520ac7d22f3f5fa66"),
macAssertionData("HmacPBESHA224", "HmacSHA224",
"4ffb5ad4974a7a9fca5a36ebe3e34dd443c07fb68c392f8b611657e6"),
macAssertionData("HmacPBESHA256", "HmacSHA256",
"9e8c102c212d2fd1334dc497acb4e002b04e84713b7eda5a63807af2" +
"989d3e50"),
macAssertionData("HmacPBESHA384", "HmacSHA384",
"77f31a785d4f2220251143a4ba80f5610d9d0aeaebb4a278b8a7535c" +
"8cea8e8211809ba450458e351c5b66d691839c23"),
macAssertionData("HmacPBESHA512", "HmacSHA512",
"a53f942a844b234a69c1f92cba20ef272c4394a3cf4024dc16d9dbac" +
"1969870b1c2b28b897149a1a3b9ad80a7ca8c547dfabf3ed5f144c6b" +
"593900b62e120c45"),
};
public void main(Provider sunPKCS11) throws Exception {
System.out.println("SunPKCS11: " + sunPKCS11.getName());
for (Configuration conf : Configuration.values()) {
for (AssertionData data : assertionData) {
testWith(sunPKCS11, data, true, conf);
if (conf != Configuration.PBEParameterSpec) {
testWith(sunPKCS11, data, false, conf);
}
}
}
System.out.println("TEST PASS - OK");
}
private static void testWith(Provider sunPKCS11, AssertionData data,
boolean testPBEService, Configuration conf) throws Exception {
String svcAlgo = testPBEService ? data.pbeHmacAlgo : data.hmacAlgo;
System.out.println(sep + System.lineSeparator() + svcAlgo
+ " (with " + conf.name() + ")");
BigInteger mac = computeMac(sunPKCS11, svcAlgo, data.pbeHmacAlgo, conf);
printHex("HMAC", mac);
if (!mac.equals(data.expectedMac)) {
printHex("Expected HMAC", data.expectedMac);
throw new Exception("Expected HMAC did not match");
}
}
private static BigInteger computeMac(Provider p, String svcAlgo,
String keyAlgo, Configuration conf)
throws GeneralSecurityException {
Mac mac = Mac.getInstance(svcAlgo, p);
switch (conf) {
case PBEParameterSpec -> {
SecretKey key = getPasswordOnlyPBEKey();
mac.init(key, new PBEParameterSpec(salt, iterations));
}
case SecretKeyFactoryDerivedKey -> {
SecretKey key = getDerivedSecretKey(p, keyAlgo);
mac.init(key);
}
case AnonymousPBEKey -> {
SecretKey key = getAnonymousPBEKey(keyAlgo);
mac.init(key);
}
}
return new BigInteger(1, mac.doFinal(
plainText.getBytes(StandardCharsets.UTF_8)));
}
private static SecretKey getPasswordOnlyPBEKey()
throws GeneralSecurityException {
return SecretKeyFactory.getInstance("PBE")
.generateSecret(new PBEKeySpec(password));
}
private static SecretKey getDerivedSecretKey(Provider sunPKCS11,
String algorithm) throws GeneralSecurityException {
return SecretKeyFactory.getInstance(algorithm, sunPKCS11)
.generateSecret(new PBEKeySpec(password, salt, iterations));
}
private static SecretKey getAnonymousPBEKey(String algorithm) {
return new PBEKey() {
public byte[] getSalt() { return salt.clone(); }
public int getIterationCount() { return iterations; }
public String getAlgorithm() { return algorithm; }
public String getFormat() { return "RAW"; }
public char[] getPassword() { return password.clone(); }
public byte[] getEncoded() { return null; }
};
}
private static void printHex(String title, BigInteger b) {
String repr = (b == null) ? "buffer is null" : b.toString(16);
System.out.println(title + ": " + repr + System.lineSeparator());
}
public static void main(String[] args) throws Exception {
main(new PBAMac());
}
}