changeset 4436:3bf3f68bbe56

7099228: Use a PKCS11 config attribute to control encoding of an EC point Reviewed-by: valeriep, mullan
author vinnie
date Fri, 14 Oct 2011 15:31:14 +0100
parents 02de5cdbef21
children 35a7ac263804
files src/share/classes/sun/security/pkcs11/Config.java src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java src/share/classes/sun/security/pkcs11/P11Key.java src/share/classes/sun/security/pkcs11/wrapper/Functions.java src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java src/share/lib/security/sunpkcs11-solaris.cfg
diffstat 6 files changed, 35 insertions(+), 53 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/pkcs11/Config.java	Wed Sep 07 21:05:24 2011 -0700
+++ b/src/share/classes/sun/security/pkcs11/Config.java	Fri Oct 14 15:31:14 2011 +0100
@@ -192,6 +192,11 @@
     // works only for NSS providers created via the Secmod API
     private boolean nssUseSecmodTrust = false;
 
+    // Flag to indicate whether the X9.63 encoding for EC points shall be used
+    // (true) or whether that encoding shall be wrapped in an ASN.1 OctetString
+    // (false).
+    private boolean useEcX963Encoding = false;
+
     private Config(String filename, InputStream in) throws IOException {
         if (in == null) {
             if (filename.startsWith("--")) {
@@ -320,6 +325,10 @@
         return nssUseSecmodTrust;
     }
 
+    boolean getUseEcX963Encoding() {
+        return useEcX963Encoding;
+    }
+
     private static String expand(final String s) throws IOException {
         try {
             return PropertyExpander.expand(s);
@@ -440,6 +449,8 @@
                 parseNSSArgs(word);
             } else if (word.equals("nssUseSecmodTrust")) {
                 nssUseSecmodTrust = parseBooleanEntry(word);
+            } else if (word.equals("useEcX963Encoding")) {
+                useEcX963Encoding = parseBooleanEntry(word);
             } else {
                 throw new ConfigurationException
                         ("Unknown keyword '" + word + "', line " + st.lineno());
--- a/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Wed Sep 07 21:05:24 2011 -0700
+++ b/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Fri Oct 14 15:31:14 2011 +0100
@@ -203,16 +203,20 @@
 
     private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
         byte[] encodedParams = ECParameters.encodeParameters(params);
-        byte[] rawPoint = ECParameters.encodePoint(point, params.getCurve());
-        byte[] encodedPoint = null;
+        byte[] encodedPoint =
+            ECParameters.encodePoint(point, params.getCurve());
 
-        // Wrap the EC point in a DER OCTET STRING
-        DerValue pkECPoint = new DerValue(DerValue.tag_OctetString, rawPoint);
-
-        try {
-            encodedPoint = pkECPoint.toByteArray();
-        } catch (IOException e) {
-            throw new IllegalArgumentException("Could not DER encode point", e);
+        // Check whether the X9.63 encoding of an EC point shall be wrapped
+        // in an ASN.1 OCTET STRING
+        if (!token.config.getUseEcX963Encoding()) {
+            try {
+                encodedPoint =
+                    new DerValue(DerValue.tag_OctetString, encodedPoint)
+                        .toByteArray();
+            } catch (IOException e) {
+                throw new
+                    IllegalArgumentException("Could not DER encode point", e);
+            }
         }
 
         CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
@@ -223,26 +227,6 @@
         };
         attributes = token.getAttributes
                 (O_IMPORT, CKO_PUBLIC_KEY, CKK_EC, attributes);
-
-        // Check whether DER-encoded EC points are supported by the PKCS11 token
-        // (Some tokens support only the raw encoding for an EC point.)
-        for (int i = 0; i < attributes.length; i++) {
-            if (attributes[i].type == CKA_ENABLE_RAW_EC_POINT &&
-                attributes[i].getBoolean()) {
-                // Must use the raw encoding for the EC point
-                for (int j = 0; j < attributes.length; j++) {
-                    if (attributes[j].type == CKA_EC_POINT) {
-                        attributes[j].pValue = rawPoint;
-                        // Overwrite the CKA_ENABLE_RAW_EC_POINT attribute too
-                        attributes[i].type = CKA_EC_POINT;
-                        attributes[i].pValue = rawPoint;
-                        break;
-                    }
-                }
-                break;
-            }
-        }
-
         Session session = null;
         try {
             session = token.getObjSession();
--- a/src/share/classes/sun/security/pkcs11/P11Key.java	Wed Sep 07 21:05:24 2011 -0700
+++ b/src/share/classes/sun/security/pkcs11/P11Key.java	Fri Oct 14 15:31:14 2011 +0100
@@ -1003,28 +1003,21 @@
             try {
                 params = P11ECKeyFactory.decodeParameters
                             (attributes[1].getByteArray());
-
-                /*
-                 * An uncompressed EC point may be in either of two formats.
-                 * First try the OCTET STRING encoding:
-                 *   04 <length> 04 <X-coordinate> <Y-coordinate>
-                 *
-                 * Otherwise try the raw encoding:
-                 *   04 <X-coordinate> <Y-coordinate>
-                 */
                 byte[] ecKey = attributes[0].getByteArray();
 
-                try {
+                // Check whether the X9.63 encoding of an EC point is wrapped
+                // in an ASN.1 OCTET STRING
+                if (!token.config.getUseEcX963Encoding()) {
                     DerValue wECPoint = new DerValue(ecKey);
-                    if (wECPoint.getTag() != DerValue.tag_OctetString)
-                        throw new IOException("Unexpected tag: " +
-                            wECPoint.getTag());
 
+                    if (wECPoint.getTag() != DerValue.tag_OctetString) {
+                        throw new IOException("Could not DER decode EC point." +
+                            " Unexpected tag: " + wECPoint.getTag());
+                    }
                     w = P11ECKeyFactory.decodePoint
                         (wECPoint.getDataBytes(), params.getCurve());
 
-                } catch (IOException e) {
-                    // Failover
+                } else {
                     w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve());
                 }
 
--- a/src/share/classes/sun/security/pkcs11/wrapper/Functions.java	Wed Sep 07 21:05:24 2011 -0700
+++ b/src/share/classes/sun/security/pkcs11/wrapper/Functions.java	Fri Oct 14 15:31:14 2011 +0100
@@ -885,7 +885,6 @@
         addAttribute(CKA_MODIFIABLE,            "CKA_MODIFIABLE");
         addAttribute(CKA_EC_PARAMS,             "CKA_EC_PARAMS");
         addAttribute(CKA_EC_POINT,              "CKA_EC_POINT");
-        addAttribute(CKA_ENABLE_RAW_EC_POINT,   "CKA_ENABLE_RAW_EC_POINT");
         addAttribute(CKA_SECONDARY_AUTH,        "CKA_SECONDARY_AUTH");
         addAttribute(CKA_AUTH_PIN_FLAGS,        "CKA_AUTH_PIN_FLAGS");
         addAttribute(CKA_HW_FEATURE_TYPE,       "CKA_HW_FEATURE_TYPE");
--- a/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	Wed Sep 07 21:05:24 2011 -0700
+++ b/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	Fri Oct 14 15:31:14 2011 +0100
@@ -413,9 +413,6 @@
 
     public static final long  CKA_VENDOR_DEFINED     = 0x80000000L;
 
-    /* Only the raw encoding for an EC point is supported */
-    public static final long CKA_ENABLE_RAW_EC_POINT = (CKA_VENDOR_DEFINED | 1);
-
     /* the following mechanism types are defined: */
     public static final long  CKM_RSA_PKCS_KEY_PAIR_GEN      = 0x00000000L;
     public static final long  CKM_RSA_PKCS                   = 0x00000001L;
--- a/src/share/lib/security/sunpkcs11-solaris.cfg	Wed Sep 07 21:05:24 2011 -0700
+++ b/src/share/lib/security/sunpkcs11-solaris.cfg	Fri Oct 14 15:31:14 2011 +0100
@@ -11,13 +11,11 @@
 
 handleStartupErrors = ignoreAll
 
+# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString).
+useEcX963Encoding = true
+
 attributes = compatibility
 
-# Support only the raw encoding for an EC point
-attributes (*, CKO_PUBLIC_KEY, CKK_EC) = {
-    CKA_ENABLE_RAW_EC_POINT = true
-}
-
 disabledMechanisms = {
 # the following mechanisms are disabled due to lack of digest cloning support
 # need to fix 6414899 first