changeset 4402:c17d659cd01a

7054637: Enable PKCS11 to use raw encoding for the EC point in an Elliptic Curve public key Reviewed-by: valeriep
author vinnie
date Thu, 15 Sep 2011 16:39:52 +0100
parents a141f7ccdc5b
children ebef72df4b3e
files src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java src/share/classes/sun/security/pkcs11/wrapper/Functions.java src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java src/share/lib/security/sunpkcs11-solaris.cfg test/ProblemList.txt
diffstat 5 files changed, 35 insertions(+), 5 deletions(-) [+]
--- a/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Wed Sep 07 15:57:12 2011 +0400
+++ b/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Thu Sep 15 16:39:52 2011 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -203,9 +203,11 @@
 
     private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
         byte[] encodedParams = ECParameters.encodeParameters(params);
+        byte[] rawPoint = ECParameters.encodePoint(point, params.getCurve());
         byte[] encodedPoint = null;
-        DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
-            ECParameters.encodePoint(point, params.getCurve()));
+
+        // Wrap the EC point in a DER OCTET STRING
+        DerValue pkECPoint = new DerValue(DerValue.tag_OctetString, rawPoint);
 
         try {
             encodedPoint = pkECPoint.toByteArray();
@@ -221,6 +223,26 @@
         };
         attributes = token.getAttributes
                 (O_IMPORT, CKO_PUBLIC_KEY, CKK_EC, attributes);
+
+        // Check whether DER-encoded EC points are supported by the PKCS11 token
+        // (Some tokens support only the raw encoding for an EC point.)
+        for (int i = 0; i < attributes.length; i++) {
+            if (attributes[i].type == CKA_ENABLE_RAW_EC_POINT &&
+                attributes[i].getBoolean()) {
+                // Must use the raw encoding for the EC point
+                for (int j = 0; j < attributes.length; j++) {
+                    if (attributes[j].type == CKA_EC_POINT) {
+                        attributes[j].pValue = rawPoint;
+                        // Overwrite the CKA_ENABLE_RAW_EC_POINT attribute too
+                        attributes[i].type = CKA_EC_POINT;
+                        attributes[i].pValue = rawPoint;
+                        break;
+                    }
+                }
+                break;
+            }
+        }
+
         Session session = null;
         try {
             session = token.getObjSession();
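Review bot: After the rewrite at L50-L51 the template holds two CKA_EC_POINT entries carrying rawPoint — the original at index j and the converted marker at index i — because the marker is overwritten rather than removed; a duplicated attribute is redundant at best, and a strict token may reject the template as inconsistent. The in-place mutation of attributes[i] and attributes[j] also assumes the CK_ATTRIBUTE objects returned by token.getAttributes are private to this call; if they are shared with a cached config template, the marker would be lost after the first import (verify against TemplateManager). Rebuilding the array without the marker covers both concerns and also strips the marker when no CKA_EC_POINT entry is present, so a vendor-range attribute type never reaches C_CreateObject. generatePublic starts in the previous hunk and its body continues past this one.
```java
        // … unchanged: attributes = token.getAttributes(O_IMPORT, CKO_PUBLIC_KEY, CKK_EC, attributes) …

        // Check whether DER-encoded EC points are supported by the PKCS11 token
        // (Some tokens support only the raw encoding for an EC point.)
        boolean useRawPoint = false;
        int markerCount = 0;
        for (CK_ATTRIBUTE attr : attributes) {
            if (attr.type == CKA_ENABLE_RAW_EC_POINT) {
                markerCount++;
                useRawPoint |= attr.getBoolean();
            }
        }
        if (markerCount > 0) {
            // Rebuild the template without the SunPKCS11-internal marker so that
            // a vendor-range attribute type never reaches the token, substituting
            // the raw encoding for the DER-wrapped point when the marker is set.
            CK_ATTRIBUTE[] rebuilt = new CK_ATTRIBUTE[attributes.length - markerCount];
            int k = 0;
            for (CK_ATTRIBUTE attr : attributes) {
                if (attr.type == CKA_ENABLE_RAW_EC_POINT) {
                    continue;
                }
                if (useRawPoint && attr.type == CKA_EC_POINT) {
                    attr = new CK_ATTRIBUTE(CKA_EC_POINT, rawPoint);
                }
                rebuilt[k++] = attr;
            }
            attributes = rebuilt;
        }

        // … unchanged: session handling and C_CreateObject call …
```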
--- a/src/share/classes/sun/security/pkcs11/wrapper/Functions.java	Wed Sep 07 15:57:12 2011 +0400
+++ b/src/share/classes/sun/security/pkcs11/wrapper/Functions.java	Thu Sep 15 16:39:52 2011 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -885,6 +885,7 @@
         addAttribute(CKA_MODIFIABLE,            "CKA_MODIFIABLE");
         addAttribute(CKA_EC_PARAMS,             "CKA_EC_PARAMS");
         addAttribute(CKA_EC_POINT,              "CKA_EC_POINT");
+        addAttribute(CKA_ENABLE_RAW_EC_POINT,   "CKA_ENABLE_RAW_EC_POINT");
         addAttribute(CKA_SECONDARY_AUTH,        "CKA_SECONDARY_AUTH");
         addAttribute(CKA_AUTH_PIN_FLAGS,        "CKA_AUTH_PIN_FLAGS");
         addAttribute(CKA_HW_FEATURE_TYPE,       "CKA_HW_FEATURE_TYPE");
--- a/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	Wed Sep 07 15:57:12 2011 +0400
+++ b/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	Thu Sep 15 16:39:52 2011 +0100
@@ -413,6 +413,9 @@
 
     public static final long  CKA_VENDOR_DEFINED     = 0x80000000L;
 
+    /* Only the raw encoding for an EC point is supported */
+    public static final long CKA_ENABLE_RAW_EC_POINT = (CKA_VENDOR_DEFINED | 1);
+
     /* the following mechanism types are defined: */
     public static final long  CKM_RSA_PKCS_KEY_PAIR_GEN      = 0x00000000L;
     public static final long  CKM_RSA_PKCS                   = 0x00000001L;
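Review bot: The comment on the new constant at L85 describes the token's behaviour, not what the constant is: it is introduced as a SunPKCS11-internal configuration marker (P11ECKeyFactory consumes it and overwrites it before the template is handed to the token), yet its value 0x80000001 lies in the CKA_VENDOR_DEFINED range that a token is free to assign its own meaning to, so a reader must be told it must never be sent to the token. Suggested replacement: `/* SunPKCS11-internal marker (not a token attribute): when true, pass the EC point to the token raw rather than wrapped in a DER OCTET STRING. Must be stripped from a template before it reaches the token. */`. The declaration also drops the two-space alignment `long  CKA_...` used by the surrounding constants.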
--- a/src/share/lib/security/sunpkcs11-solaris.cfg	Wed Sep 07 15:57:12 2011 +0400
+++ b/src/share/lib/security/sunpkcs11-solaris.cfg	Thu Sep 15 16:39:52 2011 +0100
@@ -13,6 +13,11 @@
 
 attributes = compatibility
 
+# Support only the raw encoding for an EC point
+attributes (*, CKO_PUBLIC_KEY, CKK_EC) = {
+    CKA_ENABLE_RAW_EC_POINT = true
+}
+
 disabledMechanisms = {
 # the following mechanisms are disabled due to lack of digest cloning support
 # need to fix 6414899 first
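Review bot: The comment at L97 reads as if the setting enables raw-point support, whereas the attribute tells SunPKCS11 that this token accepts only the raw encoding and must not be sent the DER-wrapped point; rewording it avoids the ambiguity, e.g. `# This token accepts only the raw (non DER-wrapped) encoding for an EC point`. It would also help to name which library behaviour on Solaris this works around, which I cannot tell from the change.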
--- a/test/ProblemList.txt	Wed Sep 07 15:57:12 2011 +0400
+++ b/test/ProblemList.txt	Thu Sep 15 16:39:52 2011 +0100
@@ -584,7 +584,6 @@
 sun/security/tools/jarsigner/concise_jarsigner.sh		generic-all
 
 # Various failures on Linux Fedora 9 X64, othervm mode
-lib/security/cacerts/VerifyCACerts.java				generic-all
 sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/TestAllSuites.java generic-all
 sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java	generic-all
 sun/security/tools/jarsigner/oldsig.sh				generic-all