archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 23:34:52 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8286428: AlgorithmId should understand PBES2

Browse source 
Reviewed-by: valeriep
This commit is contained in:
Weijun Wang 2022-05-15 22:31:14 +00:00
parent f4f1dddfef
commit 357f990e32
3 changed files with 133 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

38
src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
View file

@ -316,7 +316,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
byte[] encryptedKey;
AlgorithmParameters algParams;
ObjectIdentifier algOid;
AlgorithmId aid;
try {
// get the encrypted private key
@ -327,8 +327,8 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
// parse Algorithm parameters
DerValue val = new DerValue(encrInfo.getAlgorithm().encode());
DerInputStream in = val.toDerInputStream();
algOid = in.getOID();
algParams = parseAlgParameters(algOid, in);
aid = AlgorithmId.parse(val);
algParams = aid.getParameters();
} catch (IOException ioe) {
UnrecoverableKeyException uke =
@ -360,8 +360,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
key = RetryWithZero.run(pass -> {
// Use JCE
Cipher cipher = Cipher.getInstance(
mapPBEParamsToAlgorithm(algOid, algParams));
Cipher cipher = Cipher.getInstance(aid.getName());
SecretKey skey = getPBEKey(pass);
try {
cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
@ -394,7 +393,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
if (debug != null) {
debug.println("Retrieved a protected private key at alias" +
" '" + alias + "' (" +
mapPBEParamsToAlgorithm(algOid, algParams) +
aid.getName() +
" iterations: " + ic + ")");
}
return tmp;
@ -435,7 +434,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
if (debug != null) {
debug.println("Retrieved a protected secret key at alias " +
"'" + alias + "' (" +
mapPBEParamsToAlgorithm(algOid, algParams) +
aid.getName() +
" iterations: " + ic + ")");
}
return tmp;
@ -979,18 +978,6 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
return AlgorithmId.get(algorithm).getOID();
}
/*
* Map a PBE algorithm parameters onto its algorithm name
*/
private static String mapPBEParamsToAlgorithm(ObjectIdentifier algorithm,
AlgorithmParameters algParams) throws NoSuchAlgorithmException {
// Check for PBES2 algorithms
if (algorithm.equals(pbes2_OID) && algParams != null) {
return algParams.toString();
}
return new AlgorithmId(algorithm).getName();
}
/**
* Assigns the given certificate to the given alias.
*
@ -2112,9 +2099,8 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
byte[] rawData = seq[2].getOctetString();
// parse Algorithm parameters
DerInputStream in = seq[1].toDerInputStream();
ObjectIdentifier algOid = in.getOID();
AlgorithmParameters algParams = parseAlgParameters(algOid, in);
AlgorithmId aid = AlgorithmId.parse(seq[1]);
AlgorithmParameters algParams = aid.getParameters();
PBEParameterSpec pbeSpec;
int ic = 0;
@ -2133,23 +2119,21 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
throw new IOException("cert PBE iteration count too large");
}
certProtectionAlgorithm
= mapPBEParamsToAlgorithm(algOid, algParams);
certProtectionAlgorithm = aid.getName();
certPbeIterationCount = ic;
seeEncBag = true;
}
if (debug != null) {
debug.println("Loading PKCS#7 encryptedData " +
"(" + mapPBEParamsToAlgorithm(algOid, algParams) +
"(" + certProtectionAlgorithm +
" iterations: " + ic + ")");
}
try {
RetryWithZero.run(pass -> {
// Use JCE
Cipher cipher = Cipher.getInstance(
mapPBEParamsToAlgorithm(algOid, algParams));
Cipher cipher = Cipher.getInstance(certProtectionAlgorithm);
SecretKey skey = getPBEKey(pass);
try {
cipher.init(Cipher.DECRYPT_MODE, skey, algParams);

26
src/java.base/share/classes/sun/security/x509/AlgorithmId.java
View file

@ -256,15 +256,25 @@ public class AlgorithmId implements Serializable, DerEncoder {
}
/**
* Returns a name for the algorithm which may be more intelligible
* Returns a name for the algorithm which can be used by getInstance()
* call of a crypto primitive. The name is usually more intelligible
* to humans than the algorithm's OID, but which won't necessarily
* be comprehensible on other systems. For example, this might
* return a name such as "MD5withRSA" for a signature algorithm on
* some systems. It also returns names like "OID.1.2.3.4", when
* no particular name for the algorithm is known.
* some systems. It also returns OID names like "1.2.3.4", when
* no particular name for the algorithm is known. The OID may also be
* recognized by getInstance() calls since an OID is usually defined
* as an alias for an algorithm by the security provider.
*
* Note: for ecdsa-with-SHA2 plus hash algorithm (Ex: SHA-256), this method
* In some special cases where the OID does not include enough info
* to return a Java standard algorithm name, an algorithm name
* that includes info on the params is returned:
*
* 1. For ecdsa-with-SHA2 plus hash algorithm (Ex: SHA-256), this method
* returns the "full" signature algorithm (Ex: SHA256withECDSA) directly.
*
* 2. For PBES2, this method returns the "full" cipher name containing the
* KDF and Enc algorithms (Ex: PBEWithHmacSHA256AndAES_256) directly.
*/
public String getName() {
String oidStr = algid.toString();
@ -281,6 +291,14 @@ public class AlgorithmId implements Serializable, DerEncoder {
// ignore
}
}
} else if (o == KnownOIDs.PBES2) {
if (algParams != null) {
return algParams.toString();
} else {
// when getName() is called in decodeParams(), algParams is
// null, where AlgorithmParameters.getInstance("PBES2") will
// be used to initialize it.
}
}
if (o != null) {
return o.stdName();