8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #2)

Co-authored-by: Francisco Ferrari <[email protected]>
Co-authored-by: Martin Balao <[email protected]>

Author: martinuy

src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java

@@ -25,12 +25,13 @@
 
 package com.sun.crypto.provider;
 
-import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 import javax.crypto.spec.PBEKeySpec;
 import java.security.*;
 import java.security.spec.*;
+import java.util.Arrays;
 
+import jdk.internal.access.SharedSecrets;
 import sun.security.util.PBEUtil;
 
 /**
@@ -108,17 +109,30 @@ public HmacPKCS12PBECore(String algorithm, int bl) throws NoSuchAlgorithmExcepti
      */
     protected void engineInit(Key key, AlgorithmParameterSpec params)
         throws InvalidKeyException, InvalidAlgorithmParameterException {
+        char[] password = null;
+        byte[] derivedKey = null;
+        SecretKeySpec cipherKey = null;
         PBEKeySpec keySpec = PBEUtil.getPBAKeySpec(key, params);
-        byte[] derivedKey;
         try {
+            password = keySpec.getPassword();
             derivedKey = PKCS12PBECipherCore.derive(
-                    keySpec.getPassword(), keySpec.getSalt(),
+                    password, keySpec.getSalt(),
                     keySpec.getIterationCount(), engineGetMacLength(),
                     PKCS12PBECipherCore.MAC_KEY, algorithm, bl);
+            cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1");
+            super.engineInit(cipherKey, null);
         } finally {
+            if (cipherKey != null) {
+                SharedSecrets.getJavaxCryptoSpecAccess()
+                        .clearSecretKeySpec(cipherKey);
+            }
+            if (derivedKey != null) {
+                Arrays.fill(derivedKey, (byte) 0);
+            }
+            if (password != null) {
+                Arrays.fill(password, '\0');
+            }
             keySpec.clearPassword();
         }
-        SecretKey cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1");
-        super.engineInit(cipherKey, null);
     }
 }

src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java

@@ -27,9 +27,11 @@
 
 import java.security.*;
 import java.security.spec.*;
+import java.util.Arrays;
 import javax.crypto.*;
 import javax.crypto.spec.*;
 
+import jdk.internal.access.SharedSecrets;
 import sun.security.util.PBEUtil;
 
 /**
@@ -150,22 +152,32 @@ protected void engineInit(int opmode, Key key,
 
         PBEKeySpec pbeSpec = pbes2Params.getPBEKeySpec(blkSize, keyLength,
                 opmode, key, params, random);
-
-        PBKDF2KeyImpl s;
-
+        PBKDF2KeyImpl s = null;
+        byte[] derivedKey;
         try {
             s = (PBKDF2KeyImpl)kdf.engineGenerateSecret(pbeSpec);
+            derivedKey = s.getEncoded();
         } catch (InvalidKeySpecException ikse) {
             throw new InvalidKeyException("Cannot construct PBE key", ikse);
         } finally {
+            if (s != null) {
+                s.clear();
+            }
             pbeSpec.clearPassword();
         }
-        byte[] derivedKey = s.getEncoded();
-        s.clearPassword();
-        SecretKeySpec cipherKey = new SecretKeySpec(derivedKey, cipherAlgo);
 
-        // initialize the underlying cipher
-        cipher.init(opmode, cipherKey, pbes2Params.getIvSpec(), random);
+        SecretKeySpec cipherKey = null;
+        try {
+            cipherKey = new SecretKeySpec(derivedKey, cipherAlgo);
+            // initialize the underlying cipher
+            cipher.init(opmode, cipherKey, pbes2Params.getIvSpec(), random);
+        } finally {
+            if (cipherKey != null) {
+                SharedSecrets.getJavaxCryptoSpecAccess()
+                        .clearSecretKeySpec(cipherKey);
+            }
+            Arrays.fill(derivedKey, (byte) 0);
+        }
     }
 
     protected void engineInit(int opmode, Key key, AlgorithmParameters params,

src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,7 @@
 package com.sun.crypto.provider;
 
 import java.io.ObjectStreamException;
-import java.lang.ref.Reference;
+import java.lang.ref.Cleaner;
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
 import java.util.Arrays;
@@ -64,9 +64,11 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
     private int iterCount;
     private byte[] key;
 
-    @SuppressWarnings("serial") // Type of field is not Serializable;
-                                // see writeReplace method
+    // The following fields are not Serializable. See writeReplace method.
+    @SuppressWarnings("serial")
     private Mac prf;
+    @SuppressWarnings("serial")
+    private Cleaner.Cleanable cleaner;
 
     private static byte[] getPasswordBytes(char[] passwd) {
         CharBuffer cb = CharBuffer.wrap(passwd);
@@ -88,17 +90,9 @@ private static byte[] getPasswordBytes(char[] passwd) {
      */
     PBKDF2KeyImpl(PBEKeySpec keySpec, String prfAlgo)
         throws InvalidKeySpecException {
-        char[] passwd = keySpec.getPassword();
-        if (passwd == null) {
-            // Should allow an empty password.
-            this.passwd = new char[0];
-        } else {
-            this.passwd = passwd.clone();
-        }
+        this.passwd = keySpec.getPassword();
         // Convert the password from char[] to byte[]
         byte[] passwdBytes = getPasswordBytes(this.passwd);
-        // remove local copy
-        if (passwd != null) Arrays.fill(passwd, '\0');
 
         try {
             this.salt = keySpec.getSalt();
@@ -124,16 +118,18 @@ private static byte[] getPasswordBytes(char[] passwd) {
             throw new InvalidKeySpecException(nsae);
         } finally {
             Arrays.fill(passwdBytes, (byte) 0x00);
-
-            // Use the cleaner to zero the key when no longer referenced
-            final byte[] k = this.key;
-            final char[] p = this.passwd;
-            CleanerFactory.cleaner().register(this,
-                    () -> {
-                        Arrays.fill(k, (byte) 0x00);
-                        Arrays.fill(p, '\0');
-                    });
+            if (key == null) {
+                Arrays.fill(passwd, '\0');
+            }
         }
+        // Use the cleaner to zero the key when no longer referenced
+        final byte[] k = this.key;
+        final char[] p = this.passwd;
+        cleaner = CleanerFactory.cleaner().register(this,
+                () -> {
+                    Arrays.fill(k, (byte) 0x00);
+                    Arrays.fill(p, '\0');
+                });
     }
 
     private static byte[] deriveKey(final Mac prf, final byte[] password,
@@ -211,11 +207,7 @@ public boolean equals(Object obj) {
     }
 
     public byte[] getEncoded() {
-        // The key is zeroized by finalize()
-        // The reachability fence ensures finalize() isn't called early
-        byte[] result = key.clone();
-        Reference.reachabilityFence(this);
-        return result;
+        return key.clone();
     }
 
     public String getAlgorithm() {
@@ -226,16 +218,12 @@ public int getIterationCount() {
         return iterCount;
     }
 
-    public void clearPassword() {
-        Arrays.fill(passwd, (char)0);
+    public void clear() {
+        cleaner.clean();
     }
 
     public char[] getPassword() {
-        // The password is zeroized by finalize()
-        // The reachability fence ensures finalize() isn't called early
-        char[] result = passwd.clone();
-        Reference.reachabilityFence(this);
-        return result;
+        return passwd.clone();
     }
 
     public byte[] getSalt() {

src/java.base/share/classes/com/sun/crypto/provider/PBMAC1Core.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
 
 package com.sun.crypto.provider;
 
+import jdk.internal.access.SharedSecrets;
+
 import java.util.Arrays;
 
 import javax.crypto.SecretKey;
@@ -179,23 +181,29 @@ protected void engineInit(Key key, AlgorithmParameterSpec params)
         }
 
         PBKDF2KeyImpl s = null;
-        PBKDF2Core kdf = getKDFImpl(kdfAlgo);
-        byte[] derivedKey;
+        byte[] derivedKey = null;
+        SecretKeySpec cipherKey = null;
         try {
+            PBKDF2Core kdf = getKDFImpl(kdfAlgo);
             s = (PBKDF2KeyImpl)kdf.engineGenerateSecret(pbeSpec);
             derivedKey = s.getEncoded();
+            cipherKey = new SecretKeySpec(derivedKey, kdfAlgo);
+            super.engineInit(cipherKey, null);
         } catch (InvalidKeySpecException ikse) {
             throw new InvalidKeyException("Cannot construct PBE key", ikse);
         } finally {
-            pbeSpec.clearPassword();
+            if (cipherKey != null) {
+                SharedSecrets.getJavaxCryptoSpecAccess()
+                        .clearSecretKeySpec(cipherKey);
+            }
+            if (derivedKey != null) {
+                Arrays.fill(derivedKey, (byte) 0);
+            }
             if (s != null) {
-                s.clearPassword();
+                s.clear();
             }
+            pbeSpec.clearPassword();
         }
-        SecretKey cipherKey = new SecretKeySpec(derivedKey, kdfAlgo);
-        Arrays.fill(derivedKey, (byte)0);
-
-        super.engineInit(cipherKey, null);
     }
 
     public static final class HmacSHA1 extends PBMAC1Core {

src/java.base/share/classes/sun/security/util/PBEUtil.java

@@ -59,7 +59,7 @@ public final class PBEUtil {
      * ::getAlgorithmParameters (as AlgorithmParameters) or ::getIvSpec (as
      * IvParameterSpec).
      */
-    public final static class PBES2Params {
+    public static final class PBES2Params {
         private static final int DEFAULT_SALT_LENGTH = 20;
         private static final int DEFAULT_ITERATIONS = 4096;
 
@@ -126,20 +126,17 @@ public PBEKeySpec getPBEKeySpec(int blkSize, int keyLength, int opmode,
                 throw new InvalidKeyException("Null key");
             }
 
-            byte[] passwdBytes = key.getEncoded();
             char[] passwdChars = null;
             salt = null;
             iCount = 0;
             ivSpec = null;
-
             PBEKeySpec pbeSpec;
+            byte[] passwdBytes;
+            if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) ||
+                    (passwdBytes = key.getEncoded()) == null) {
+                throw new InvalidKeyException("Missing password");
+            }
             try {
-                if ((passwdBytes == null) ||
-                        !(key.getAlgorithm().regionMatches(true, 0, "PBE", 0,
-                                3))) {
-                    throw new InvalidKeyException("Missing password");
-                }
-
                 boolean doEncrypt = ((opmode == Cipher.ENCRYPT_MODE) ||
                             (opmode == Cipher.WRAP_MODE));
 

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java

@@ -497,7 +497,7 @@ private static abstract class P11PublicKey extends P11Key implements
         }
     }
 
-    private static final class P11PBEKey extends P11SecretKey
+    static final class P11PBEKey extends P11SecretKey
             implements PBEKey {
         private static final long serialVersionUID = 6847576994253634876L;
         private final char[] password;
@@ -507,8 +507,8 @@ private static final class P11PBEKey extends P11SecretKey
                 int keyLength, CK_ATTRIBUTE[] attributes,
                 char[] password, byte[] salt, int iterationCount) {
             super(session, keyID, algorithm, keyLength, attributes);
-            this.password = password;
-            this.salt = salt;
+            this.password = password.clone();
+            this.salt = salt.clone();
             this.iterationCount = iterationCount;
         }
 
@@ -526,6 +526,10 @@ public byte[] getSalt() {
         public int getIterationCount() {
             return iterationCount;
         }
+
+        void clearPassword() {
+            Arrays.fill(password, '\0');
+        }
     }
 
     @SuppressWarnings("deprecation")

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java

@@ -32,6 +32,7 @@
 import java.security.spec.InvalidKeySpecException;
 
 import javax.crypto.MacSpi;
+import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.PBEParameterSpec;
 
 import jdk.internal.access.JavaNioAccess;
@@ -213,11 +214,21 @@ protected void engineInit(Key key, AlgorithmParameterSpec params)
                 // params. Use SunPKCS11 PBE key derivation to obtain a P11Key.
                 // Assign the derived key to p11Key because conversion is never
                 // needed for this case.
+                PBEKeySpec pbeKeySpec = PBEUtil.getPBAKeySpec(key, params);
                 try {
-                    p11Key = P11SecretKeyFactory.derivePBEKey(token,
-                            PBEUtil.getPBAKeySpec(key, params), svcPbeKi);
+                    P11Key.P11PBEKey p11PBEKey =
+                            P11SecretKeyFactory.derivePBEKey(token,
+                            pbeKeySpec, svcPbeKi);
+                    // This Mac service uses the token where the derived key
+                    // lives so there won't be any need to re-derive and use
+                    // the password. The p11Key cannot be accessed out of this
+                    // class.
+                    p11PBEKey.clearPassword();
+                    p11Key = p11PBEKey;
                 } catch (InvalidKeySpecException e) {
                     throw new InvalidKeyException(e);
+                } finally {
+                    pbeKeySpec.clearPassword();
                 }
             }
             if (params instanceof PBEParameterSpec pbeParams) {

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java

@@ -41,7 +41,6 @@
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.PBEParameterSpec;
 
-import com.sun.crypto.provider.SunJCE;
 import sun.security.jca.JCAUtil;
 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
 import sun.security.pkcs11.wrapper.PKCS11Exception;
@@ -146,10 +145,18 @@ protected void engineInit(int opmode, Key key,
             PBEKeySpec pbeSpec = pbes2Params.getPBEKeySpec(
                     blkSize, svcPbeKi.keyLen, opmode, key, params, random);
             try {
-                key = P11SecretKeyFactory.derivePBEKey(
+                P11Key.P11PBEKey p11PBEKey = P11SecretKeyFactory.derivePBEKey(
                         token, pbeSpec, svcPbeKi);
+                // The internal Cipher service uses the token where the
+                // derived key lives so there won't be any need to re-derive
+                // and use the password. The key cannot be accessed out of this
+                // class.
+                p11PBEKey.clearPassword();
+                key = p11PBEKey;
             } catch (InvalidKeySpecException e) {
                 throw new InvalidKeyException(e);
+            } finally {
+                pbeSpec.clearPassword();
             }
             params = pbes2Params.getIvSpec();
         }