6414899: P11Digest should support cloning

Summary: Enhanced the PKCS11 Digest implementation to support cloning
Reviewed-by: vinnie

make/sun/security/pkcs11/mapfile-vers

 #
-# Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -47,8 +47,8 @@ SUNWprivate_1.1 {
 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseSession;
 #		Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseAllSessions;
 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSessionInfo;
-#		Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState;
-#		Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState;
+		Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState;
+		Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState;
 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1Login;
 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1Logout;
 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1CreateObject;

src/share/classes/sun/security/pkcs11/P11Digest.java

 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -49,13 +49,12 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
  * @author  Andreas Sterbenz
  * @since   1.5
  */
-final class P11Digest extends MessageDigestSpi {
+final class P11Digest extends MessageDigestSpi implements Cloneable {
 
-    /* unitialized, fields uninitialized, no session acquired */
+    /* fields initialized, no session acquired */
     private final static int S_BLANK    = 1;
 
-    // data in buffer, all fields valid, session acquired
-    // but digest not initialized
+    /* data in buffer, session acquired, but digest not initialized */
     private final static int S_BUFFERED = 2;
 
     /* session initialized for digesting */
@@ -69,8 +68,8 @@ final class P11Digest extends MessageDigestSpi {
     // algorithm name
     private final String algorithm;
 
-    // mechanism id
-    private final long mechanism;
+    // mechanism id object
+    private final CK_MECHANISM mechanism;
 
     // length of the digest in bytes
     private final int digestLength;
@@ -81,11 +80,8 @@ final class P11Digest extends MessageDigestSpi {
     // current state, one of S_* above
     private int state;
 
-    // one byte buffer for the update(byte) method, initialized on demand
-    private byte[] oneByte;
-
     // buffer to reduce number of JNI calls
-    private final byte[] buffer;
+    private byte[] buffer;
 
     // offset into the buffer
     private int bufOfs;
@@ -94,7 +90,7 @@ final class P11Digest extends MessageDigestSpi {
         super();
         this.token = token;
         this.algorithm = algorithm;
-        this.mechanism = mechanism;
+        this.mechanism = new CK_MECHANISM(mechanism);
         switch ((int)mechanism) {
         case (int)CKM_MD2:
         case (int)CKM_MD5:
@@ -117,7 +113,6 @@ final class P11Digest extends MessageDigestSpi {
         }
         buffer = new byte[BUFFER_SIZE];
         state = S_BLANK;
-        engineReset();
     }
 
     // see JCA spec
@@ -125,44 +120,31 @@ final class P11Digest extends MessageDigestSpi {
         return digestLength;
     }
 
-    private void cancelOperation() {
-        token.ensureValid();
-        if (session == null) {
-            return;
-        }
-        if ((state != S_INIT) || (token.explicitCancel == false)) {
-            return;
-        }
-        // need to explicitly "cancel" active op by finishing it
-        try {
-            token.p11.C_DigestFinal(session.id(), buffer, 0, buffer.length);
-        } catch (PKCS11Exception e) {
-            throw new ProviderException("cancel() failed", e);
-        } finally {
-            state = S_BUFFERED;
-        }
-    }
-
     private void fetchSession() {
         token.ensureValid();
         if (state == S_BLANK) {
-            engineReset();
+            try {
+                session = token.getOpSession();
+                state = S_BUFFERED;
+            } catch (PKCS11Exception e) {
+                throw new ProviderException("No more session available", e);
+            }
         }
     }
 
     // see JCA spec
     protected void engineReset() {
-        try {
-            cancelOperation();
-            bufOfs = 0;
-            if (session == null) {
-                session = token.getOpSession();
+        token.ensureValid();
+
+        if (session != null) {
+            if (state == S_INIT && token.explicitCancel == true) {
+                session = token.killSession(session);
+            } else {
+                session = token.releaseSession(session);
             }
-            state = S_BUFFERED;
-        } catch (PKCS11Exception e) {
-            state = S_BLANK;
-            throw new ProviderException("reset() failed, ", e);
         }
+        state = S_BLANK;
+        bufOfs = 0;
     }
 
     // see JCA spec
@@ -180,18 +162,22 @@ final class P11Digest extends MessageDigestSpi {
     protected int engineDigest(byte[] digest, int ofs, int len)
             throws DigestException {
         if (len < digestLength) {
-            throw new DigestException("Length must be at least " + digestLength);
+            throw new DigestException("Length must be at least " +
+                    digestLength);
         }
+
         fetchSession();
         try {
             int n;
             if (state == S_BUFFERED) {
-                n = token.p11.C_DigestSingle(session.id(),
-                        new CK_MECHANISM(mechanism),
-                        buffer, 0, bufOfs, digest, ofs, len);
+                n = token.p11.C_DigestSingle(session.id(), mechanism, buffer, 0,
+                        bufOfs, digest, ofs, len);
+                bufOfs = 0;
             } else {
                 if (bufOfs != 0) {
-                    doUpdate(buffer, 0, bufOfs);
+                    token.p11.C_DigestUpdate(session.id(), 0, buffer, 0,
+                            bufOfs);
+                    bufOfs = 0;
                 }
                 n = token.p11.C_DigestFinal(session.id(), digest, ofs, len);
             }
@@ -202,36 +188,44 @@ final class P11Digest extends MessageDigestSpi {
         } catch (PKCS11Exception e) {
             throw new ProviderException("digest() failed", e);
         } finally {
-            state = S_BLANK;
-            bufOfs = 0;
-            session = token.releaseSession(session);
+            engineReset();
         }
     }
 
     // see JCA spec
     protected void engineUpdate(byte in) {
-        if (oneByte == null) {
-            oneByte = new byte[1];
-        }
-        oneByte[0] = in;
-        engineUpdate(oneByte, 0, 1);
+        byte[] temp = { in };
+        engineUpdate(temp, 0, 1);
     }
 
     // see JCA spec
     protected void engineUpdate(byte[] in, int ofs, int len) {
-        fetchSession();
         if (len <= 0) {
             return;
         }
-        if ((bufOfs != 0) && (bufOfs + len > buffer.length)) {
-            doUpdate(buffer, 0, bufOfs);
-            bufOfs = 0;
-        }
-        if (bufOfs + len > buffer.length) {
-            doUpdate(in, ofs, len);
-        } else {
-            System.arraycopy(in, ofs, buffer, bufOfs, len);
-            bufOfs += len;
+
+        fetchSession();
+        try {
+            if (state == S_BUFFERED) {
+                token.p11.C_DigestInit(session.id(), mechanism);
+                state = S_INIT;
+            }
+            if ((bufOfs != 0) && (bufOfs + len > buffer.length)) {
+                // process the buffered data
+                token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
+                bufOfs = 0;
+            }
+            if (bufOfs + len > buffer.length) {
+                // process the new data
+                token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len);
+             } else {
+                // buffer the new data
+                System.arraycopy(in, ofs, buffer, bufOfs, len);
+                bufOfs += len;
+            }
+        } catch (PKCS11Exception e) {
+            engineReset();
+            throw new ProviderException("update() failed", e);
         }
     }
 
@@ -239,11 +233,7 @@ final class P11Digest extends MessageDigestSpi {
     // the master secret is sensitive. We may want to consider making this
     // method public in a future release.
     protected void implUpdate(SecretKey key) throws InvalidKeyException {
-        fetchSession();
-        if (bufOfs != 0) {
-            doUpdate(buffer, 0, bufOfs);
-            bufOfs = 0;
-        }
+
         // SunJSSE calls this method only if the key does not have a RAW
         // encoding, i.e. if it is sensitive. Therefore, no point in calling
         // SecretKeyFactory to try to convert it. Just verify it ourselves.
@@ -252,60 +242,77 @@ final class P11Digest extends MessageDigestSpi {
         }
         P11Key p11Key = (P11Key)key;
         if (p11Key.token != token) {
-            throw new InvalidKeyException("Not a P11Key of this provider: " + key);
+            throw new InvalidKeyException("Not a P11Key of this provider: " +
+                    key);
         }
+
+        fetchSession();
         try {
             if (state == S_BUFFERED) {
-                token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
+                token.p11.C_DigestInit(session.id(), mechanism);
                 state = S_INIT;
             }
+
+            if (bufOfs != 0) {
+                token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
+                bufOfs = 0;
+            }
             token.p11.C_DigestKey(session.id(), p11Key.keyID);
         } catch (PKCS11Exception e) {
+            engineReset();
             throw new ProviderException("update(SecretKey) failed", e);
         }
     }
 
     // see JCA spec
     protected void engineUpdate(ByteBuffer byteBuffer) {
-        fetchSession();
         int len = byteBuffer.remaining();
         if (len <= 0) {
             return;
         }
+
         if (byteBuffer instanceof DirectBuffer == false) {
             super.engineUpdate(byteBuffer);
             return;
         }
+
+        fetchSession();
         long addr = ((DirectBuffer)byteBuffer).address();
         int ofs = byteBuffer.position();
         try {
             if (state == S_BUFFERED) {
-                token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
+                token.p11.C_DigestInit(session.id(), mechanism);
                 state = S_INIT;
-                if (bufOfs != 0) {
-                    doUpdate(buffer, 0, bufOfs);
-                    bufOfs = 0;
-                }
+            }
+            if (bufOfs != 0) {
+                token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
+                bufOfs = 0;
             }
             token.p11.C_DigestUpdate(session.id(), addr + ofs, null, 0, len);
             byteBuffer.position(ofs + len);
         } catch (PKCS11Exception e) {
+            engineReset();
             throw new ProviderException("update() failed", e);
         }
     }
 
-    private void doUpdate(byte[] in, int ofs, int len) {
-        if (len <= 0) {
-            return;
-        }
+    public Object clone() throws CloneNotSupportedException {
+        P11Digest copy = (P11Digest) super.clone();
+        copy.buffer = buffer.clone();
         try {
-            if (state == S_BUFFERED) {
-                token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
-                state = S_INIT;
+            if (session != null) {
+                copy.session = copy.token.getOpSession();
+            }
+            if (state == S_INIT) {
+                byte[] stateValues =
+                    token.p11.C_GetOperationState(session.id());
+                token.p11.C_SetOperationState(copy.session.id(),
+                                              stateValues, 0, 0);
             }
-            token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len);
         } catch (PKCS11Exception e) {
-            throw new ProviderException("update() failed", e);
+            throw (CloneNotSupportedException)
+                (new CloneNotSupportedException(algorithm).initCause(e));
         }
+        return copy;
     }
 }

src/share/lib/security/sunpkcs11-solaris.cfg

@@ -17,23 +17,27 @@ useEcX963Encoding = true
 attributes = compatibility
 
 disabledMechanisms = {
-# the following mechanisms are disabled due to lack of digest cloning support
-# need to fix 6414899 first
+  CKM_DSA_KEY_PAIR_GEN
+# the following mechanisms are disabled due to CKR_SAVED_STATE_INVALID bug
+# (Solaris bug 7058108)
   CKM_MD2
   CKM_MD5
   CKM_SHA_1
+# the following mechanisms are disabled due to no cloning support
+# (Solaris bug 7050617)
   CKM_SHA256
   CKM_SHA384
   CKM_SHA512
-  CKM_DSA_KEY_PAIR_GEN
-# the following mechanisms are disabled due to performance issues (Solaris bug 6337157)
+# the following mechanisms are disabled due to performance issues
+# (Solaris bug 6337157)
   CKM_DSA_SHA1
   CKM_MD5_RSA_PKCS
   CKM_SHA1_RSA_PKCS
   CKM_SHA256_RSA_PKCS
   CKM_SHA384_RSA_PKCS
   CKM_SHA512_RSA_PKCS
-# the following mechanisms are disabled to ensure backward compatibility (Solaris bug 6545046)
+# the following mechanisms are disabled to ensure backward compatibility
+# (Solaris bug 6545046)
   CKM_DES_CBC_PAD
   CKM_DES3_CBC_PAD
   CKM_AES_CBC_PAD

src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h

 /*
- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -96,8 +96,8 @@
 #define P11_ENABLE_C_CLOSESESSION
 #undef  P11_ENABLE_C_CLOSEALLSESSIONS
 #define P11_ENABLE_C_GETSESSIONINFO
-#undef  P11_ENABLE_C_GETOPERATIONSTATE
-#undef  P11_ENABLE_C_SETOPERATIONSTATE
+#define P11_ENABLE_C_GETOPERATIONSTATE
+#define P11_ENABLE_C_SETOPERATIONSTATE
 #define P11_ENABLE_C_LOGIN
 #define P11_ENABLE_C_LOGOUT
 #define P11_ENABLE_C_CREATEOBJECT

test/sun/security/pkcs11/MessageDigest/TestCloning.java

+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 6414899
+ * @summary Ensure the cloning functionality works.
+ * @author Valerie Peng
+ * @library ..
+ */
+
+import java.util.*;
+
+import java.security.*;
+
+public class TestCloning extends PKCS11Test {
+
+    private static final String[] ALGOS = {
+        "MD2", "MD5", "SHA1", "SHA-256", "SHA-384", "SHA-512"
+    };
+
+    public static void main(String[] args) throws Exception {
+        main(new TestCloning());
+    }
+
+    private static final byte[] data1 = new byte[10];
+    private static final byte[] data2 = new byte[10*1024];
+
+
+    public void main(Provider p) throws Exception {
+        Random r = new Random();
+        byte[] data1 = new byte[10];
+        byte[] data2 = new byte[2*1024];
+        r.nextBytes(data1);
+        r.nextBytes(data2);
+        System.out.println("Testing against provider " + p.getName());
+        for (int i = 0; i < ALGOS.length; i++) {
+            if (p.getService("MessageDigest", ALGOS[i]) == null) {
+                System.out.println(ALGOS[i] + " is not supported, skipping");
+                continue;
+            } else {
+                System.out.println("Testing " + ALGOS[i] + " of " + p.getName());
+                MessageDigest md = MessageDigest.getInstance(ALGOS[i], p);
+                try {
+                    md = testCloning(md, p);
+                    // repeat the test again after generating digest once
+                    for (int j = 0; j < 10; j++) {
+                        md = testCloning(md, p);
+                    }
+                } catch (Exception ex) {
+                    if (ALGOS[i] == "MD2" &&
+                        p.getName().equalsIgnoreCase("SunPKCS11-NSS")) {
+                        // known bug in NSS; ignore for now
+                        System.out.println("Ignore Known bug in MD2 of NSS");
+                        continue;
+                    }
+                    throw ex;
+                }
+            }
+        }
+    }
+
+    private static MessageDigest testCloning(MessageDigest mdObj, Provider p)
+        throws Exception {
+
+        // copy#0: clone at state BLANK w/o any data
+        MessageDigest mdCopy0 = (MessageDigest) mdObj.clone();
+
+        // copy#1: clone again at state BUFFERED w/ very short data
+        mdObj.update(data1);
+        mdCopy0.update(data1);
+        MessageDigest mdCopy1 = (MessageDigest) mdObj.clone();
+
+        // copy#2: clone again after updating it w/ long data to trigger
+        // the state into INIT
+        mdObj.update(data2);
+        mdCopy0.update(data2);
+        mdCopy1.update(data2);
+        MessageDigest mdCopy2 = (MessageDigest) mdObj.clone();
+
+        // copy#3: clone again after updating it w/ very short data
+        mdObj.update(data1);
+        mdCopy0.update(data1);
+        mdCopy1.update(data1);
+        mdCopy2.update(data1);
+        MessageDigest mdCopy3 = (MessageDigest) mdObj.clone();
+
+        // copy#4: clone again after updating it w/ long data
+        mdObj.update(data2);
+        mdCopy0.update(data2);
+        mdCopy1.update(data2);
+        mdCopy2.update(data2);
+        mdCopy3.update(data2);
+        MessageDigest mdCopy4 = (MessageDigest) mdObj.clone();
+
+        // check digest equalities
+        byte[] answer = mdObj.digest();
+        byte[] result0 = mdCopy0.digest();
+        byte[] result1 = mdCopy1.digest();
+        byte[] result2 = mdCopy2.digest();
+        byte[] result3 = mdCopy3.digest();
+        byte[] result4 = mdCopy4.digest();
+
+
+        check(answer, result0, "copy0");
+        check(answer, result1, "copy1");
+        check(answer, result2, "copy2");
+        check(answer, result3, "copy3");
+        check(answer, result4, "copy4");
+
+        return mdCopy3;
+    }
+
+    private static void check(byte[] d1, byte[] d2, String copyName)
+            throws Exception {
+        if (Arrays.equals(d1, d2) == false) {
+            throw new RuntimeException(copyName + " digest mismatch!");
+        }
+    }
+}
+