提交 65d04a83 编写于 作者: V vinnie

7099228: Use a PKCS11 config attribute to control encoding of an EC point

Reviewed-by: valeriep, mullan
上级 d5cc3e61
......@@ -192,6 +192,11 @@ final class Config {
// works only for NSS providers created via the Secmod API
private boolean nssUseSecmodTrust = false;
// Flag to indicate whether the X9.63 encoding for EC points shall be used
// (true) or whether that encoding shall be wrapped in an ASN.1 OctetString
// (false).
private boolean useEcX963Encoding = false;
private Config(String filename, InputStream in) throws IOException {
if (in == null) {
if (filename.startsWith("--")) {
......@@ -320,6 +325,10 @@ final class Config {
return nssUseSecmodTrust;
}
boolean getUseEcX963Encoding() {
return useEcX963Encoding;
}
private static String expand(final String s) throws IOException {
try {
return PropertyExpander.expand(s);
......@@ -440,6 +449,8 @@ final class Config {
parseNSSArgs(word);
} else if (word.equals("nssUseSecmodTrust")) {
nssUseSecmodTrust = parseBooleanEntry(word);
} else if (word.equals("useEcX963Encoding")) {
useEcX963Encoding = parseBooleanEntry(word);
} else {
throw new ConfigurationException
("Unknown keyword '" + word + "', line " + st.lineno());
......
......@@ -203,14 +203,20 @@ final class P11ECKeyFactory extends P11KeyFactory {
private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
byte[] encodedParams = ECParameters.encodeParameters(params);
byte[] encodedPoint = null;
DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
ECParameters.encodePoint(point, params.getCurve()));
byte[] encodedPoint =
ECParameters.encodePoint(point, params.getCurve());
try {
encodedPoint = pkECPoint.toByteArray();
} catch (IOException e) {
throw new IllegalArgumentException("Could not DER encode point", e);
// Check whether the X9.63 encoding of an EC point shall be wrapped
// in an ASN.1 OCTET STRING
if (!token.config.getUseEcX963Encoding()) {
try {
encodedPoint =
new DerValue(DerValue.tag_OctetString, encodedPoint)
.toByteArray();
} catch (IOException e) {
throw new
IllegalArgumentException("Could not DER encode point", e);
}
}
CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
......
......@@ -1028,28 +1028,21 @@ abstract class P11Key implements Key {
try {
params = P11ECKeyFactory.decodeParameters
(attributes[1].getByteArray());
/*
* An uncompressed EC point may be in either of two formats.
* First try the OCTET STRING encoding:
* 04 <length> 04 <X-coordinate> <Y-coordinate>
*
* Otherwise try the raw encoding:
* 04 <X-coordinate> <Y-coordinate>
*/
byte[] ecKey = attributes[0].getByteArray();
try {
// Check whether the X9.63 encoding of an EC point is wrapped
// in an ASN.1 OCTET STRING
if (!token.config.getUseEcX963Encoding()) {
DerValue wECPoint = new DerValue(ecKey);
if (wECPoint.getTag() != DerValue.tag_OctetString)
throw new IOException("Unexpected tag: " +
wECPoint.getTag());
if (wECPoint.getTag() != DerValue.tag_OctetString) {
throw new IOException("Could not DER decode EC point." +
" Unexpected tag: " + wECPoint.getTag());
}
w = P11ECKeyFactory.decodePoint
(wECPoint.getDataBytes(), params.getCurve());
} catch (IOException e) {
// Failover
} else {
w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve());
}
......
......@@ -11,6 +11,9 @@ library = /usr/lib/$ISA/libpkcs11.so
handleStartupErrors = ignoreAll
# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString).
useEcX963Encoding = true
attributes = compatibility
disabledMechanisms = {
......
......@@ -517,9 +517,6 @@ sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java generic-all
# 7079203 sun/security/tools/keytool/printssl.sh fails on solaris with timeout
sun/security/tools/keytool/printssl.sh solaris-all
# 7054637
sun/security/tools/jarsigner/ec.sh solaris-all
# 7081817
sun/security/provider/certpath/X509CertPath/IllegalCertiticates.java generic-all
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册