提交 5f9583ae 编写于 作者: V valeriep

6414899: P11Digest should support cloning

Summary: Enhanced the PKCS11 Digest implementation to support cloning
Reviewed-by: vinnie
上级 33bb7b5d
#
# Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
......@@ -47,8 +47,8 @@ SUNWprivate_1.1 {
Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseSession;
# Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseAllSessions;
Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSessionInfo;
# Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState;
# Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState;
Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState;
Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState;
Java_sun_security_pkcs11_wrapper_PKCS11_C_1Login;
Java_sun_security_pkcs11_wrapper_PKCS11_C_1Logout;
Java_sun_security_pkcs11_wrapper_PKCS11_C_1CreateObject;
......
/*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -49,13 +49,12 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
* @author Andreas Sterbenz
* @since 1.5
*/
final class P11Digest extends MessageDigestSpi {
final class P11Digest extends MessageDigestSpi implements Cloneable {
/* unitialized, fields uninitialized, no session acquired */
/* fields initialized, no session acquired */
private final static int S_BLANK = 1;
// data in buffer, all fields valid, session acquired
// but digest not initialized
/* data in buffer, session acquired, but digest not initialized */
private final static int S_BUFFERED = 2;
/* session initialized for digesting */
......@@ -69,8 +68,8 @@ final class P11Digest extends MessageDigestSpi {
// algorithm name
private final String algorithm;
// mechanism id
private final long mechanism;
// mechanism id object
private final CK_MECHANISM mechanism;
// length of the digest in bytes
private final int digestLength;
......@@ -81,11 +80,8 @@ final class P11Digest extends MessageDigestSpi {
// current state, one of S_* above
private int state;
// one byte buffer for the update(byte) method, initialized on demand
private byte[] oneByte;
// buffer to reduce number of JNI calls
private final byte[] buffer;
private byte[] buffer;
// offset into the buffer
private int bufOfs;
......@@ -94,7 +90,7 @@ final class P11Digest extends MessageDigestSpi {
super();
this.token = token;
this.algorithm = algorithm;
this.mechanism = mechanism;
this.mechanism = new CK_MECHANISM(mechanism);
switch ((int)mechanism) {
case (int)CKM_MD2:
case (int)CKM_MD5:
......@@ -117,7 +113,6 @@ final class P11Digest extends MessageDigestSpi {
}
buffer = new byte[BUFFER_SIZE];
state = S_BLANK;
engineReset();
}
// see JCA spec
......@@ -125,44 +120,31 @@ final class P11Digest extends MessageDigestSpi {
return digestLength;
}
private void cancelOperation() {
token.ensureValid();
if (session == null) {
return;
}
if ((state != S_INIT) || (token.explicitCancel == false)) {
return;
}
// need to explicitly "cancel" active op by finishing it
try {
token.p11.C_DigestFinal(session.id(), buffer, 0, buffer.length);
} catch (PKCS11Exception e) {
throw new ProviderException("cancel() failed", e);
} finally {
state = S_BUFFERED;
}
}
private void fetchSession() {
token.ensureValid();
if (state == S_BLANK) {
engineReset();
try {
session = token.getOpSession();
state = S_BUFFERED;
} catch (PKCS11Exception e) {
throw new ProviderException("No more session available", e);
}
}
}
// see JCA spec
protected void engineReset() {
try {
cancelOperation();
bufOfs = 0;
if (session == null) {
session = token.getOpSession();
token.ensureValid();
if (session != null) {
if (state == S_INIT && token.explicitCancel == true) {
session = token.killSession(session);
} else {
session = token.releaseSession(session);
}
state = S_BUFFERED;
} catch (PKCS11Exception e) {
state = S_BLANK;
throw new ProviderException("reset() failed, ", e);
}
state = S_BLANK;
bufOfs = 0;
}
// see JCA spec
......@@ -180,18 +162,22 @@ final class P11Digest extends MessageDigestSpi {
protected int engineDigest(byte[] digest, int ofs, int len)
throws DigestException {
if (len < digestLength) {
throw new DigestException("Length must be at least " + digestLength);
throw new DigestException("Length must be at least " +
digestLength);
}
fetchSession();
try {
int n;
if (state == S_BUFFERED) {
n = token.p11.C_DigestSingle(session.id(),
new CK_MECHANISM(mechanism),
buffer, 0, bufOfs, digest, ofs, len);
n = token.p11.C_DigestSingle(session.id(), mechanism, buffer, 0,
bufOfs, digest, ofs, len);
bufOfs = 0;
} else {
if (bufOfs != 0) {
doUpdate(buffer, 0, bufOfs);
token.p11.C_DigestUpdate(session.id(), 0, buffer, 0,
bufOfs);
bufOfs = 0;
}
n = token.p11.C_DigestFinal(session.id(), digest, ofs, len);
}
......@@ -202,36 +188,44 @@ final class P11Digest extends MessageDigestSpi {
} catch (PKCS11Exception e) {
throw new ProviderException("digest() failed", e);
} finally {
state = S_BLANK;
bufOfs = 0;
session = token.releaseSession(session);
engineReset();
}
}
// see JCA spec
protected void engineUpdate(byte in) {
if (oneByte == null) {
oneByte = new byte[1];
}
oneByte[0] = in;
engineUpdate(oneByte, 0, 1);
byte[] temp = { in };
engineUpdate(temp, 0, 1);
}
// see JCA spec
protected void engineUpdate(byte[] in, int ofs, int len) {
fetchSession();
if (len <= 0) {
return;
}
if ((bufOfs != 0) && (bufOfs + len > buffer.length)) {
doUpdate(buffer, 0, bufOfs);
bufOfs = 0;
}
if (bufOfs + len > buffer.length) {
doUpdate(in, ofs, len);
} else {
System.arraycopy(in, ofs, buffer, bufOfs, len);
bufOfs += len;
fetchSession();
try {
if (state == S_BUFFERED) {
token.p11.C_DigestInit(session.id(), mechanism);
state = S_INIT;
}
if ((bufOfs != 0) && (bufOfs + len > buffer.length)) {
// process the buffered data
token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
bufOfs = 0;
}
if (bufOfs + len > buffer.length) {
// process the new data
token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len);
} else {
// buffer the new data
System.arraycopy(in, ofs, buffer, bufOfs, len);
bufOfs += len;
}
} catch (PKCS11Exception e) {
engineReset();
throw new ProviderException("update() failed", e);
}
}
......@@ -239,11 +233,7 @@ final class P11Digest extends MessageDigestSpi {
// the master secret is sensitive. We may want to consider making this
// method public in a future release.
protected void implUpdate(SecretKey key) throws InvalidKeyException {
fetchSession();
if (bufOfs != 0) {
doUpdate(buffer, 0, bufOfs);
bufOfs = 0;
}
// SunJSSE calls this method only if the key does not have a RAW
// encoding, i.e. if it is sensitive. Therefore, no point in calling
// SecretKeyFactory to try to convert it. Just verify it ourselves.
......@@ -252,60 +242,77 @@ final class P11Digest extends MessageDigestSpi {
}
P11Key p11Key = (P11Key)key;
if (p11Key.token != token) {
throw new InvalidKeyException("Not a P11Key of this provider: " + key);
throw new InvalidKeyException("Not a P11Key of this provider: " +
key);
}
fetchSession();
try {
if (state == S_BUFFERED) {
token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
token.p11.C_DigestInit(session.id(), mechanism);
state = S_INIT;
}
if (bufOfs != 0) {
token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
bufOfs = 0;
}
token.p11.C_DigestKey(session.id(), p11Key.keyID);
} catch (PKCS11Exception e) {
engineReset();
throw new ProviderException("update(SecretKey) failed", e);
}
}
// see JCA spec
protected void engineUpdate(ByteBuffer byteBuffer) {
fetchSession();
int len = byteBuffer.remaining();
if (len <= 0) {
return;
}
if (byteBuffer instanceof DirectBuffer == false) {
super.engineUpdate(byteBuffer);
return;
}
fetchSession();
long addr = ((DirectBuffer)byteBuffer).address();
int ofs = byteBuffer.position();
try {
if (state == S_BUFFERED) {
token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
token.p11.C_DigestInit(session.id(), mechanism);
state = S_INIT;
if (bufOfs != 0) {
doUpdate(buffer, 0, bufOfs);
bufOfs = 0;
}
}
if (bufOfs != 0) {
token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
bufOfs = 0;
}
token.p11.C_DigestUpdate(session.id(), addr + ofs, null, 0, len);
byteBuffer.position(ofs + len);
} catch (PKCS11Exception e) {
engineReset();
throw new ProviderException("update() failed", e);
}
}
private void doUpdate(byte[] in, int ofs, int len) {
if (len <= 0) {
return;
}
public Object clone() throws CloneNotSupportedException {
P11Digest copy = (P11Digest) super.clone();
copy.buffer = buffer.clone();
try {
if (state == S_BUFFERED) {
token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
state = S_INIT;
if (session != null) {
copy.session = copy.token.getOpSession();
}
if (state == S_INIT) {
byte[] stateValues =
token.p11.C_GetOperationState(session.id());
token.p11.C_SetOperationState(copy.session.id(),
stateValues, 0, 0);
}
token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len);
} catch (PKCS11Exception e) {
throw new ProviderException("update() failed", e);
throw (CloneNotSupportedException)
(new CloneNotSupportedException(algorithm).initCause(e));
}
return copy;
}
}
......@@ -17,23 +17,27 @@ useEcX963Encoding = true
attributes = compatibility
disabledMechanisms = {
# the following mechanisms are disabled due to lack of digest cloning support
# need to fix 6414899 first
CKM_DSA_KEY_PAIR_GEN
# the following mechanisms are disabled due to CKR_SAVED_STATE_INVALID bug
# (Solaris bug 7058108)
CKM_MD2
CKM_MD5
CKM_SHA_1
# the following mechanisms are disabled due to no cloning support
# (Solaris bug 7050617)
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_DSA_KEY_PAIR_GEN
# the following mechanisms are disabled due to performance issues (Solaris bug 6337157)
# the following mechanisms are disabled due to performance issues
# (Solaris bug 6337157)
CKM_DSA_SHA1
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
# the following mechanisms are disabled to ensure backward compatibility (Solaris bug 6545046)
# the following mechanisms are disabled to ensure backward compatibility
# (Solaris bug 6545046)
CKM_DES_CBC_PAD
CKM_DES3_CBC_PAD
CKM_AES_CBC_PAD
......
/*
* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
*/
/* Copyright (c) 2002 Graz University of Technology. All rights reserved.
......@@ -96,8 +96,8 @@
#define P11_ENABLE_C_CLOSESESSION
#undef P11_ENABLE_C_CLOSEALLSESSIONS
#define P11_ENABLE_C_GETSESSIONINFO
#undef P11_ENABLE_C_GETOPERATIONSTATE
#undef P11_ENABLE_C_SETOPERATIONSTATE
#define P11_ENABLE_C_GETOPERATIONSTATE
#define P11_ENABLE_C_SETOPERATIONSTATE
#define P11_ENABLE_C_LOGIN
#define P11_ENABLE_C_LOGOUT
#define P11_ENABLE_C_CREATEOBJECT
......
/*
* Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* @test
* @bug 6414899
* @summary Ensure the cloning functionality works.
* @author Valerie Peng
* @library ..
*/
import java.util.*;
import java.security.*;
public class TestCloning extends PKCS11Test {
private static final String[] ALGOS = {
"MD2", "MD5", "SHA1", "SHA-256", "SHA-384", "SHA-512"
};
public static void main(String[] args) throws Exception {
main(new TestCloning());
}
private static final byte[] data1 = new byte[10];
private static final byte[] data2 = new byte[10*1024];
public void main(Provider p) throws Exception {
Random r = new Random();
byte[] data1 = new byte[10];
byte[] data2 = new byte[2*1024];
r.nextBytes(data1);
r.nextBytes(data2);
System.out.println("Testing against provider " + p.getName());
for (int i = 0; i < ALGOS.length; i++) {
if (p.getService("MessageDigest", ALGOS[i]) == null) {
System.out.println(ALGOS[i] + " is not supported, skipping");
continue;
} else {
System.out.println("Testing " + ALGOS[i] + " of " + p.getName());
MessageDigest md = MessageDigest.getInstance(ALGOS[i], p);
try {
md = testCloning(md, p);
// repeat the test again after generating digest once
for (int j = 0; j < 10; j++) {
md = testCloning(md, p);
}
} catch (Exception ex) {
if (ALGOS[i] == "MD2" &&
p.getName().equalsIgnoreCase("SunPKCS11-NSS")) {
// known bug in NSS; ignore for now
System.out.println("Ignore Known bug in MD2 of NSS");
continue;
}
throw ex;
}
}
}
}
private static MessageDigest testCloning(MessageDigest mdObj, Provider p)
throws Exception {
// copy#0: clone at state BLANK w/o any data
MessageDigest mdCopy0 = (MessageDigest) mdObj.clone();
// copy#1: clone again at state BUFFERED w/ very short data
mdObj.update(data1);
mdCopy0.update(data1);
MessageDigest mdCopy1 = (MessageDigest) mdObj.clone();
// copy#2: clone again after updating it w/ long data to trigger
// the state into INIT
mdObj.update(data2);
mdCopy0.update(data2);
mdCopy1.update(data2);
MessageDigest mdCopy2 = (MessageDigest) mdObj.clone();
// copy#3: clone again after updating it w/ very short data
mdObj.update(data1);
mdCopy0.update(data1);
mdCopy1.update(data1);
mdCopy2.update(data1);
MessageDigest mdCopy3 = (MessageDigest) mdObj.clone();
// copy#4: clone again after updating it w/ long data
mdObj.update(data2);
mdCopy0.update(data2);
mdCopy1.update(data2);
mdCopy2.update(data2);
mdCopy3.update(data2);
MessageDigest mdCopy4 = (MessageDigest) mdObj.clone();
// check digest equalities
byte[] answer = mdObj.digest();
byte[] result0 = mdCopy0.digest();
byte[] result1 = mdCopy1.digest();
byte[] result2 = mdCopy2.digest();
byte[] result3 = mdCopy3.digest();
byte[] result4 = mdCopy4.digest();
check(answer, result0, "copy0");
check(answer, result1, "copy1");
check(answer, result2, "copy2");
check(answer, result3, "copy3");
check(answer, result4, "copy4");
return mdCopy3;
}
private static void check(byte[] d1, byte[] d2, String copyName)
throws Exception {
if (Arrays.equals(d1, d2) == false) {
throw new RuntimeException(copyName + " digest mismatch!");
}
}
}
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册