diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
index a7218def2a2..a7675390c92 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
@@ -23,6 +23,12 @@
* questions.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
package sun.security.pkcs11;
import java.security.*;
@@ -110,6 +116,8 @@ protected void engineInit(AlgorithmParameterSpec params,
throw new InvalidAlgorithmParameterException("init() failed", e);
}
this.spec = spec;
+ byte[] extendedMasterSecretSessionHash =
+ spec.getExtendedMasterSecretSessionHash();
final boolean isTlsRsaPremasterSecret =
p11Key.getAlgorithm().equals("TlsRsaPremasterSecret");
if (tlsVersion == 0x0300) {
@@ -118,6 +126,9 @@ protected void engineInit(AlgorithmParameterSpec params,
} else if (tlsVersion == 0x0301 || tlsVersion == 0x0302) {
mechanism = isTlsRsaPremasterSecret ?
CKM_TLS_MASTER_KEY_DERIVE : CKM_TLS_MASTER_KEY_DERIVE_DH;
+ } else if (extendedMasterSecretSessionHash.length != 0) {
+ mechanism = isTlsRsaPremasterSecret ?
+ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE : CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH;
} else if (tlsVersion == 0x0303) {
mechanism = isTlsRsaPremasterSecret ?
CKM_TLS12_MASTER_KEY_DERIVE : CKM_TLS12_MASTER_KEY_DERIVE_DH;
@@ -146,6 +157,8 @@ protected SecretKey engineGenerateKey() {
}
byte[] clientRandom = spec.getClientRandom();
byte[] serverRandom = spec.getServerRandom();
+ byte[] extendedMasterSecretSessionHash =
+ spec.getExtendedMasterSecretSessionHash();
CK_SSL3_RANDOM_DATA random =
new CK_SSL3_RANDOM_DATA(clientRandom, serverRandom);
CK_MECHANISM ckMechanism = null;
@@ -153,6 +166,12 @@ protected SecretKey engineGenerateKey() {
CK_SSL3_MASTER_KEY_DERIVE_PARAMS params =
new CK_SSL3_MASTER_KEY_DERIVE_PARAMS(random, ckVersion);
ckMechanism = new CK_MECHANISM(mechanism, params);
+ } else if (extendedMasterSecretSessionHash.length != 0) {
+ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS params =
+ new CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS(
+ Functions.getHashMechId(spec.getPRFHashAlg()),
+ extendedMasterSecretSessionHash, ckVersion);
+ ckMechanism = new CK_MECHANISM(mechanism, params);
} else if (tlsVersion == 0x0303) {
CK_TLS12_MASTER_KEY_DERIVE_PARAMS params =
new CK_TLS12_MASTER_KEY_DERIVE_PARAMS(random, ckVersion,
@@ -163,8 +182,16 @@ protected SecretKey engineGenerateKey() {
long p11KeyID = p11Key.getKeyID();
try {
session = token.getObjSession();
- CK_ATTRIBUTE[] attributes = token.getAttributes(O_GENERATE,
- CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
+ CK_ATTRIBUTE[] attributes;
+ if (extendedMasterSecretSessionHash.length != 0) {
+ attributes = token.getAttributes(O_GENERATE,
+ CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET)});
+ } else {
+ attributes = token.getAttributes(O_GENERATE,
+ CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
+ }
long keyID = token.p11.C_DeriveKey(session.id(),
ckMechanism, p11KeyID, attributes);
int major, minor;
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 864461bd29a..3dd985e1cb8 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -25,7 +25,7 @@
/*
* ===========================================================================
- * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
+ * (c) Copyright IBM Corp. 2022, 2024 All Rights Reserved
* ===========================================================================
*/
@@ -1027,6 +1027,10 @@ private static void register(Descriptor d) {
m(CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE,
CKM_SSL3_MASTER_KEY_DERIVE_DH,
CKM_TLS_MASTER_KEY_DERIVE_DH));
+ d(KG, "SunTlsExtendedMasterSecret",
+ "sun.security.pkcs11.P11TlsMasterSecretGenerator",
+ m(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH));
d(KG, "SunTls12MasterSecret",
"sun.security.pkcs11.P11TlsMasterSecretGenerator",
m(CKM_TLS12_MASTER_KEY_DERIVE, CKM_TLS12_MASTER_KEY_DERIVE_DH));
@@ -1407,7 +1411,8 @@ public Object newInstance0(Object param) throws
return new P11TlsRsaPremasterSecretGenerator(
token, algorithm, mechanism);
} else if (algorithm == "SunTlsMasterSecret"
- || algorithm == "SunTls12MasterSecret") {
+ || algorithm == "SunTls12MasterSecret"
+ || algorithm == "SunTlsExtendedMasterSecret") {
return new P11TlsMasterSecretGenerator(
token, algorithm, mechanism);
} else if (algorithm == "SunTlsKeyMaterial"
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
index db5474fa888..e2f33a3cfe8 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
@@ -45,6 +45,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
package sun.security.pkcs11.wrapper;
import java.math.BigInteger;
@@ -119,6 +125,10 @@ public CK_MECHANISM(long mechanism, CK_TLS12_MASTER_KEY_DERIVE_PARAMS params) {
init(mechanism, params);
}
+ public CK_MECHANISM(long mechanism, CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS params) {
+ init(mechanism, params);
+ }
+
public CK_MECHANISM(long mechanism, CK_SSL3_KEY_MAT_PARAMS params) {
init(mechanism, params);
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java
new file mode 100644
index 00000000000..3c7d2185387
--- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java
@@ -0,0 +1,105 @@
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * IBM designates this particular file as subject to the "Classpath" exception
+ * as provided by IBM in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, see
+ * PKCS#11 structure: + *
+ * typedef struct CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS { + * CK_MECHANISM_TYPE prfHashMechanism; + * CK_BYTE_PTR pSessionHash; + * CK_ULONG ulSessionHashLen; + * CK_VERSION_PTR pVersion; + * } CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS; + *+ * + */ +public class CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS { + + /** + * PKCS#11: + *
+ * CK_MECHANISM_TYPE prfHashMechanism; + *+ */ + public final long prfHashMechanism; + + /** + * PKCS#11: + *
+ * CK_BYTE_PTR pSessionHash; + *+ */ + public final byte[] pSessionHash; + + /** + * PKCS#11: + *
+ * CK_VERSION_PTR pVersion; + *+ */ + public final CK_VERSION pVersion; + + public CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS( + long prfHashMechanism, byte[] pSessionHash, + CK_VERSION pVersion) { + this.prfHashMechanism = prfHashMechanism; + this.pSessionHash = pSessionHash; + this.pVersion = pVersion; + } + + /** + * Returns the string representation of + * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS. + * + * @return the string representation of + * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS + */ + @Override + public String toString() { + StringBuilder buffer = new StringBuilder(); + + buffer.append(Constants.INDENT); + buffer.append("prfHashMechanism: "); + buffer.append(prfHashMechanism); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("pSessionHash: "); + buffer.append(Functions.toHexString(pSessionHash)); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("pVersion: "); + buffer.append(pVersion); + + return buffer.toString(); + } + +} diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java index 7d8f32a6cce..4af40495ba6 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java @@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + package sun.security.pkcs11.wrapper; import java.math.BigInteger; @@ -1098,6 +1104,10 @@ private static void addMGF(long id, String name) { addMech(CKM_VENDOR_DEFINED, "CKM_VENDOR_DEFINED"); addMech(CKM_NSS_TLS_PRF_GENERAL, "CKM_NSS_TLS_PRF_GENERAL"); + addMech(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, + "CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE"); + addMech(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, + "CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH"); addMech(PCKM_SECURERANDOM, "SecureRandom"); addMech(PCKM_KEYSTORE, "KeyStore"); diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java index 480c99cd01d..5283db7fc87 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java @@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + package sun.security.pkcs11.wrapper; /** @@ -999,6 +1005,10 @@ public interface PKCS11Constants { // NSS private public static final long CKM_NSS_TLS_PRF_GENERAL = 0x80000373L; + public static final long CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE + /* (CKM_NSS + 25) */ = 0xCE534369L; + public static final long CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH + /* (CKM_NSS + 26) */ = 0xCE53436AL; // internal ids for our pseudo mechanisms SecureRandom and KeyStore public static final long PCKM_SECURERANDOM = 0x7FFFFF20L; diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c index d941b574cc7..f8834a98cd0 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c @@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + /* * pkcs11wrapper.c * 18.05.2001 @@ -608,6 +614,73 @@ jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParamPtr(JNIEnv *env, return NULL; } +/* + * Converts the Java CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS object to a + * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS pointer. + * + * @param env - used to call JNI functions to get the Java classes and objects + * @param jParam - the Java CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS object to convert + * @param pLength - length of the allocated memory of the returned pointer + * @return pointer to the new CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS structure + */ +CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS_PTR +jTlsExtendedMasterKeyDeriveParamToCKTlsExtendedMasterKeyDeriveParamPtr(JNIEnv *env, + jobject jParam, CK_ULONG *pLength) +{ + CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS_PTR ckParamPtr = NULL; + jclass jTlsExtendedMasterKeyDeriveParamsClass = NULL; + jfieldID fieldID = NULL; + jlong prfHashMechanism = 0L; + jobject pSessionHash = NULL; + if (NULL != pLength) { + *pLength = 0L; + } + + // retrieve java values + jTlsExtendedMasterKeyDeriveParamsClass = + (*env)->FindClass(env, CLASS_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS); + if (NULL == jTlsExtendedMasterKeyDeriveParamsClass) { + return NULL; + } + fieldID = (*env)->GetFieldID(env, + jTlsExtendedMasterKeyDeriveParamsClass, "prfHashMechanism", "J"); + if (NULL == fieldID) { + return NULL; + } + prfHashMechanism = (*env)->GetLongField(env, jParam, fieldID); + fieldID = (*env)->GetFieldID(env, + jTlsExtendedMasterKeyDeriveParamsClass, "pSessionHash", "[B"); + if (NULL == fieldID) { + return NULL; + } + pSessionHash = (*env)->GetObjectField(env, jParam, fieldID); + + // allocate memory for CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS pointer + ckParamPtr = calloc(1, sizeof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS)); + if (NULL == ckParamPtr) { + throwOutOfMemoryError(env, 0); + return NULL; + } + + // populate using java values + jByteArrayToCKByteArray(env, pSessionHash, &(ckParamPtr->pSessionHash), + &(ckParamPtr->ulSessionHashLen)); + if ((*env)->ExceptionCheck(env)) { + goto cleanup; + } + + ckParamPtr->prfHashMechanism = (CK_MECHANISM_TYPE) prfHashMechanism; + + if (NULL != pLength) { + *pLength = sizeof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS); + } + return ckParamPtr; +cleanup: + free(ckParamPtr->pSessionHash); + free(ckParamPtr); + return NULL; +} + /* * converts the Java CK_TLS_PRF_PARAMS object to a CK_TLS_PRF_PARAMS pointer * @@ -1485,6 +1558,11 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, ckpParamPtr = jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParamPtr(env, jParam, ckpLength); break; + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: + ckpParamPtr = jTlsExtendedMasterKeyDeriveParamToCKTlsExtendedMasterKeyDeriveParamPtr( + env, jParam, ckpLength); + break; case CKM_TLS_PRF: case CKM_NSS_TLS_PRF_GENERAL: ckpParamPtr = jTlsPrfParamsToCKTlsPrfParamPtr(env, jParam, diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c index dea55f5258b..e0ef6020a1b 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c @@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + #include "pkcs11wrapper.h" #include