8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #4)

Co-authored-by: Francisco Ferrari <[email protected]>
Co-authored-by: Martin Balao <[email protected]>

Author: martinuy

src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java

@@ -65,10 +65,8 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
     private byte[] key;
 
     // The following fields are not Serializable. See writeReplace method.
-    @SuppressWarnings("serial")
-    private Mac prf;
-    @SuppressWarnings("serial")
-    private Cleaner.Cleanable cleaner;
+    private transient Mac prf;
+    private transient Cleaner.Cleanable cleaner;
 
     private static byte[] getPasswordBytes(char[] passwd) {
         CharBuffer cb = CharBuffer.wrap(passwd);

src/java.base/share/classes/sun/security/util/PBEUtil.java

@@ -67,6 +67,51 @@ public static final class PBES2Params {
         private byte[] salt;
         private IvParameterSpec ivSpec;
 
+        /*
+         * Initialize a PBES2Params instance. May generate random salt and
+         * IV if not passed and the operation is encryption. If initialization
+         * fails, values are reset. Used by PBES2Params and P11PBECipher
+         * (SunPKCS11).
+         */
+        public void initialize(int blkSize, int opmode, int iCount, byte[] salt,
+                AlgorithmParameterSpec params, SecureRandom random)
+                throws InvalidAlgorithmParameterException {
+            try {
+                boolean doEncrypt = ((opmode == Cipher.ENCRYPT_MODE) ||
+                        (opmode == Cipher.WRAP_MODE));
+                if (params instanceof PBEParameterSpec pbeParams) {
+                    params = pbeParams.getParameterSpec();
+                }
+                if (params instanceof IvParameterSpec iv) {
+                    this.ivSpec = iv;
+                } else if (params == null && doEncrypt) {
+                    byte[] ivBytes = new byte[blkSize];
+                    random.nextBytes(ivBytes);
+                    this.ivSpec = new IvParameterSpec(ivBytes);
+                } else {
+                    throw new InvalidAlgorithmParameterException("Wrong " +
+                            "parameter type: IvParameterSpec " +
+                            (doEncrypt ? "or null " : "") + "expected");
+                }
+                this.iCount = iCount;
+                if (salt == null) {
+                    if (doEncrypt) {
+                        salt = new byte[DEFAULT_SALT_LENGTH];
+                        random.nextBytes(salt);
+                    } else {
+                        throw new InvalidAlgorithmParameterException("Salt " +
+                                "needed for decryption");
+                    }
+                }
+                this.salt = salt;
+            } catch (InvalidAlgorithmParameterException e) {
+                this.ivSpec = null;
+                this.iCount = 0;
+                this.salt = null;
+                throw e;
+            }
+        }
+
         /*
          * Obtain an IvParameterSpec for Cipher services. This method returns
          * null when the state is not initialized. Used by PBES2Core (SunJCE)
@@ -77,116 +122,84 @@ public IvParameterSpec getIvSpec() {
         }
 
         /*
-         * Obtain AlgorithmParameters for Cipher services. If the state is not
-         * initialized, this method will generate new values randomly or assign
-         * from defaults. If the state is initialized, existing values will be
-         * returned. Used by PBES2Core (SunJCE) and P11PBECipher (SunPKCS11).
+         * Obtain AlgorithmParameters for Cipher services. This method will
+         * initialize PBES2Params if needed, generating new values randomly or
+         * assigning from defaults. If PBES2Params is initialized, existing
+         * values will be returned. Used by PBES2Core (SunJCE) and
+         * P11PBECipher (SunPKCS11).
          */
         public AlgorithmParameters getAlgorithmParameters(int blkSize,
                 String pbeAlgo, Provider algParamsProv, SecureRandom random) {
-            AlgorithmParameters params = null;
-            if (salt == null) {
-                // generate random salt and use default iteration count
-                salt = new byte[DEFAULT_SALT_LENGTH];
-                random.nextBytes(salt);
-                iCount = DEFAULT_ITERATIONS;
-            }
-            if (ivSpec == null) {
-                // generate random IV
-                byte[] ivBytes = new byte[blkSize];
-                random.nextBytes(ivBytes);
-                ivSpec = new IvParameterSpec(ivBytes);
-            }
-            PBEParameterSpec pbeSpec = new PBEParameterSpec(
-                    salt, iCount, ivSpec);
+            AlgorithmParameters params;
             try {
+                if (iCount == 0 && salt == null && ivSpec == null) {
+                    initialize(blkSize, Cipher.ENCRYPT_MODE, DEFAULT_ITERATIONS,
+                            null, null, random);
+                }
                 params = AlgorithmParameters.getInstance(pbeAlgo,
                         algParamsProv);
-                params.init(pbeSpec);
+                params.init(new PBEParameterSpec(salt, iCount, ivSpec));
             } catch (NoSuchAlgorithmException nsae) {
                 // should never happen
                 throw new RuntimeException("AlgorithmParameters for "
                         + pbeAlgo + " not configured");
             } catch (InvalidParameterSpecException ipse) {
                 // should never happen
                 throw new RuntimeException("PBEParameterSpec not supported");
+            } catch (InvalidAlgorithmParameterException iape) {
+                // should never happen
+                throw new RuntimeException("Error initializing PBES2Params");
             }
             return params;
         }
 
         /*
-         * Obtain a PBEKeySpec for Cipher services, after key and parameters
-         * validation, random generation or assignment from defaults. Used by
-         * PBES2Core (SunJCE) and P11PBECipher (SunPKCS11).
+         * Initialize PBES2Params and obtain a PBEKeySpec for Cipher services.
+         * Data from the key, parameters, defaults or random may be used for
+         * initialization. Used by PBES2Core (SunJCE) and P11PBECipher
+         * (SunPKCS11).
          */
         public PBEKeySpec getPBEKeySpec(int blkSize, int keyLength, int opmode,
                 Key key, AlgorithmParameterSpec params, SecureRandom random)
                 throws InvalidKeyException, InvalidAlgorithmParameterException {
             if (key == null) {
                 throw new InvalidKeyException("Null key");
             }
-
-            char[] passwdChars = null;
-            salt = null;
-            iCount = 0;
-            ivSpec = null;
             PBEKeySpec pbeSpec;
             byte[] passwdBytes;
+            char[] passwdChars = null;
             if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) ||
                     (passwdBytes = key.getEncoded()) == null) {
                 throw new InvalidKeyException("Missing password");
             }
             try {
-                boolean doEncrypt = ((opmode == Cipher.ENCRYPT_MODE) ||
-                            (opmode == Cipher.WRAP_MODE));
-
+                int iCountInit;
+                byte[] saltInit;
                 // Extract from the supplied PBE params, if present
                 if (params instanceof PBEParameterSpec pbeParams) {
                     // salt should be non-null per PBEParameterSpec
-                    salt = check(pbeParams.getSalt());
-                    iCount = check(pbeParams.getIterationCount());
-                    AlgorithmParameterSpec ivParams =
-                            pbeParams.getParameterSpec();
-                    if (ivParams instanceof IvParameterSpec iv) {
-                        ivSpec = iv;
-                    } else if (ivParams == null && doEncrypt) {
-                        // generate random IV
-                        byte[] ivBytes = new byte[blkSize];
-                        random.nextBytes(ivBytes);
-                        ivSpec = new IvParameterSpec(ivBytes);
-                    } else {
-                        throw new InvalidAlgorithmParameterException(
-                                "Wrong parameter type: IV expected");
-                    }
-                } else if (params == null && doEncrypt) {
+                    iCountInit = check(pbeParams.getIterationCount());
+                    saltInit = check(pbeParams.getSalt());
+                } else if (params == null) {
                     // Try extracting from the key if present. If unspecified,
-                    // PBEKey returns null and 0 respectively.
+                    // PBEKey returns 0 and null respectively.
                     if (key instanceof javax.crypto.interfaces.PBEKey pbeKey) {
-                        salt = check(pbeKey.getSalt());
-                        iCount = check(pbeKey.getIterationCount());
-                    }
-                    if (salt == null) {
-                        // generate random salt
-                        salt = new byte[DEFAULT_SALT_LENGTH];
-                        random.nextBytes(salt);
-                    }
-                    if (iCount == 0) {
-                        // use default iteration count
-                        iCount = DEFAULT_ITERATIONS;
+                        iCountInit = check(pbeKey.getIterationCount());
+                        saltInit = check(pbeKey.getSalt());
+                    } else {
+                        iCountInit = DEFAULT_ITERATIONS;
+                        saltInit = null;
                     }
-                    // generate random IV
-                    byte[] ivBytes = new byte[blkSize];
-                    random.nextBytes(ivBytes);
-                    ivSpec = new IvParameterSpec(ivBytes);
                 } else {
                     throw new InvalidAlgorithmParameterException(
                             "Wrong parameter type: PBE expected");
                 }
+                initialize(blkSize, opmode, iCountInit, saltInit, params,
+                        random);
                 passwdChars = new char[passwdBytes.length];
                 for (int i = 0; i < passwdChars.length; i++) {
                     passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
                 }
-
                 pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength);
             } finally {
                 // password char[] was cloned in PBEKeySpec constructor,

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java

@@ -500,7 +500,7 @@ private static abstract class P11PublicKey extends P11Key implements
     static final class P11PBEKey extends P11SecretKey
             implements PBEKey {
         private static final long serialVersionUID = 6847576994253634876L;
-        private final char[] password;
+        private char[] password;
         private final byte[] salt;
         private final int iterationCount;
         P11PBEKey(Session session, long keyID, String algorithm,
@@ -514,6 +514,9 @@ static final class P11PBEKey extends P11SecretKey
 
         @Override
         public char[] getPassword() {
+            if (password == null) {
+                throw new IllegalStateException("password has been cleared");
+            }
             return password.clone();
         }
 
@@ -529,6 +532,7 @@ public int getIterationCount() {
 
         void clearPassword() {
             Arrays.fill(password, '\0');
+            password = null;
         }
     }
 

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java

@@ -39,7 +39,6 @@
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.ShortBufferException;
 import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.PBEParameterSpec;
 
 import sun.security.jca.JCAUtil;
 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@@ -107,9 +106,8 @@ protected byte[] engineGetIV() {
     // see JCE spec
     @Override
     protected AlgorithmParameters engineGetParameters() {
-        return pbes2Params.getAlgorithmParameters(
-                blkSize, pbeAlg, P11Util.getSunJceProvider(),
-                JCAUtil.getSecureRandom());
+        return pbes2Params.getAlgorithmParameters(blkSize, pbeAlg,
+                P11Util.getSunJceProvider(), JCAUtil.getSecureRandom());
     }
 
     // see JCE spec
@@ -134,10 +132,18 @@ protected void engineInit(int opmode, Key key,
             // because this is a PBE Cipher service. In addition to checking the
             // key, check that params (if passed) are consistent.
             PBEUtil.checkKeyAndParams(key, params, pbeAlg);
-            if (params instanceof PBEParameterSpec pbeParams) {
-                // Reassign params to the underlying service params.
-                params = pbeParams.getParameterSpec();
+            // At this point, we know that the key is a P11PBEKey.
+            P11Key.P11PBEKey p11PBEKey = (P11Key.P11PBEKey) key;
+            // PBE services require a PBE key of the same algorithm and the
+            // underlying service (non-PBE) won't check it.
+            if (!pbeAlg.equals(p11PBEKey.getAlgorithm())) {
+                throw new InvalidKeyException("Cannot use a " +
+                        p11PBEKey.getAlgorithm() + " key for a " + pbeAlg +
+                        " service");
             }
+            pbes2Params.initialize(blkSize, opmode,
+                    p11PBEKey.getIterationCount(), p11PBEKey.getSalt(), params,
+                    random);
         } else {
             // If the key is not a P11Key, a derivation is needed. Data for
             // derivation has to be carried either as part of the key or params.
@@ -158,9 +164,8 @@ protected void engineInit(int opmode, Key key,
             } finally {
                 pbeSpec.clearPassword();
             }
-            params = pbes2Params.getIvSpec();
         }
-        cipher.engineInit(opmode, key, params, random);
+        cipher.engineInit(opmode, key, pbes2Params.getIvSpec(), random);
     }
 
     // see JCE spec
@@ -209,9 +214,11 @@ protected int engineDoFinal(byte[] input, int inputOffset,
 
     // see JCE spec
     @Override
-    protected int engineGetKeySize(Key key)
-            throws InvalidKeyException {
-        return cipher.engineGetKeySize(key);
+    protected int engineGetKeySize(Key key) {
+        // It's guaranteed that when engineInit succeeds, the key length
+        // for the underlying cipher is equal to the PBE service key length.
+        // Otherwise, initialization fails.
+        return svcPbeKi.keyLen;
     }
 
 }

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java

@@ -579,7 +579,7 @@ protected SecretKey engineGenerateSecret(KeySpec keySpec)
             }
         } else if (keySpec instanceof PBEKeySpec pbeKeySpec &&
                 svcPbeKi != null) {
-            return (SecretKey) derivePBEKey(token, pbeKeySpec, svcPbeKi);
+            return derivePBEKey(token, pbeKeySpec, svcPbeKi);
         } else if (algorithm.equalsIgnoreCase("DES")) {
             if (keySpec instanceof DESKeySpec desKeySpec) {
                 return generateDESSecret(desKeySpec.getKey(), "DES");

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java

@@ -31,9 +31,7 @@
 import java.nio.CharBuffer;
 import java.nio.charset.Charset;
 import java.security.*;
-import java.util.Arrays;
 
-import jdk.internal.access.SharedSecrets;
 import sun.security.pkcs11.wrapper.PKCS11Exception;
 import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
 
@@ -90,6 +88,7 @@ static char[] encodePassword(char[] password, Charset cs,
         int i = 0;
         while (passwordBytes.hasRemaining()) {
             encPassword[i] = (char) (passwordBytes.get() & 0xFF);
+            // Erase password bytes as we read during encoding.
             passwordBytes.put(i++, (byte) 0);
         }
         return encPassword;

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.