changeset 4643:2b27e14a4c82

7099228: Use a PKCS11 config attribute to control encoding of an EC point Reviewed-by: valeriep, mullan
author vinnie
date Thu, 13 Oct 2011 12:00:51 +0100
parents 829c3a8d23fa
children 04ecbd2bcf5a
files src/share/classes/sun/security/pkcs11/Config.java src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java src/share/classes/sun/security/pkcs11/P11Key.java src/share/lib/security/sunpkcs11-solaris.cfg test/ProblemList.txt
diffstat 5 files changed, 35 insertions(+), 25 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/pkcs11/Config.java	Wed Oct 12 12:12:25 2011 -0700
+++ b/src/share/classes/sun/security/pkcs11/Config.java	Thu Oct 13 12:00:51 2011 +0100
@@ -192,6 +192,11 @@
     // works only for NSS providers created via the Secmod API
     private boolean nssUseSecmodTrust = false;
 
+    // Flag to indicate whether the X9.63 encoding for EC points shall be used
+    // (true) or whether that encoding shall be wrapped in an ASN.1 OctetString
+    // (false).
+    private boolean useEcX963Encoding = false;
+
     private Config(String filename, InputStream in) throws IOException {
         if (in == null) {
             if (filename.startsWith("--")) {
@@ -320,6 +325,10 @@
         return nssUseSecmodTrust;
     }
 
+    boolean getUseEcX963Encoding() {
+        return useEcX963Encoding;
+    }
+
     private static String expand(final String s) throws IOException {
         try {
             return PropertyExpander.expand(s);
@@ -440,6 +449,8 @@
                 parseNSSArgs(word);
             } else if (word.equals("nssUseSecmodTrust")) {
                 nssUseSecmodTrust = parseBooleanEntry(word);
+            } else if (word.equals("useEcX963Encoding")) {
+                useEcX963Encoding = parseBooleanEntry(word);
             } else {
                 throw new ConfigurationException
                         ("Unknown keyword '" + word + "', line " + st.lineno());
--- a/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Wed Oct 12 12:12:25 2011 -0700
+++ b/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Thu Oct 13 12:00:51 2011 +0100
@@ -203,14 +203,20 @@
 
     private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
         byte[] encodedParams = ECParameters.encodeParameters(params);
-        byte[] encodedPoint = null;
-        DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
-            ECParameters.encodePoint(point, params.getCurve()));
+        byte[] encodedPoint =
+            ECParameters.encodePoint(point, params.getCurve());
 
-        try {
-            encodedPoint = pkECPoint.toByteArray();
-        } catch (IOException e) {
-            throw new IllegalArgumentException("Could not DER encode point", e);
+        // Check whether the X9.63 encoding of an EC point shall be wrapped
+        // in an ASN.1 OCTET STRING
+        if (!token.config.getUseEcX963Encoding()) {
+            try {
+                encodedPoint =
+                    new DerValue(DerValue.tag_OctetString, encodedPoint)
+                        .toByteArray();
+            } catch (IOException e) {
+                throw new
+                    IllegalArgumentException("Could not DER encode point", e);
+            }
         }
 
         CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
--- a/src/share/classes/sun/security/pkcs11/P11Key.java	Wed Oct 12 12:12:25 2011 -0700
+++ b/src/share/classes/sun/security/pkcs11/P11Key.java	Thu Oct 13 12:00:51 2011 +0100
@@ -1028,28 +1028,21 @@
             try {
                 params = P11ECKeyFactory.decodeParameters
                             (attributes[1].getByteArray());
-
-                /*
-                 * An uncompressed EC point may be in either of two formats.
-                 * First try the OCTET STRING encoding:
-                 *   04 <length> 04 <X-coordinate> <Y-coordinate>
-                 *
-                 * Otherwise try the raw encoding:
-                 *   04 <X-coordinate> <Y-coordinate>
-                 */
                 byte[] ecKey = attributes[0].getByteArray();
 
-                try {
+                // Check whether the X9.63 encoding of an EC point is wrapped
+                // in an ASN.1 OCTET STRING
+                if (!token.config.getUseEcX963Encoding()) {
                     DerValue wECPoint = new DerValue(ecKey);
-                    if (wECPoint.getTag() != DerValue.tag_OctetString)
-                        throw new IOException("Unexpected tag: " +
-                            wECPoint.getTag());
 
+                    if (wECPoint.getTag() != DerValue.tag_OctetString) {
+                        throw new IOException("Could not DER decode EC point." +
+                            " Unexpected tag: " + wECPoint.getTag());
+                    }
                     w = P11ECKeyFactory.decodePoint
                         (wECPoint.getDataBytes(), params.getCurve());
 
-                } catch (IOException e) {
-                    // Failover
+                } else {
                     w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve());
                 }
 
--- a/src/share/lib/security/sunpkcs11-solaris.cfg	Wed Oct 12 12:12:25 2011 -0700
+++ b/src/share/lib/security/sunpkcs11-solaris.cfg	Thu Oct 13 12:00:51 2011 +0100
@@ -11,6 +11,9 @@
 
 handleStartupErrors = ignoreAll
 
+# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString).
+useEcX963Encoding = true
+
 attributes = compatibility
 
 disabledMechanisms = {
--- a/test/ProblemList.txt	Wed Oct 12 12:12:25 2011 -0700
+++ b/test/ProblemList.txt	Thu Oct 13 12:00:51 2011 +0100
@@ -517,9 +517,6 @@
 # 7079203 sun/security/tools/keytool/printssl.sh fails on solaris with timeout
 sun/security/tools/keytool/printssl.sh                          solaris-all
 
-# 7054637
-sun/security/tools/jarsigner/ec.sh                             solaris-all
-
 # 7081817
 sun/security/provider/certpath/X509CertPath/IllegalCertiticates.java    generic-all