--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java 2018-05-22 17:08:43.030346631 -0300 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java 2018-05-22 17:08:42.854346496 -0300 @@ -38,6 +38,8 @@ import static sun.security.pkcs11.TemplateManager.*; import sun.security.pkcs11.wrapper.*; +import sun.security.ssl.ProtocolVersion; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; /** @@ -61,6 +63,8 @@ // mechanism id private long mechanism; + private ProtocolVersion tlsVersion; + // parameter spec @SuppressWarnings("deprecation") private TlsKeyMaterialParameterSpec spec; @@ -96,14 +100,15 @@ } TlsKeyMaterialParameterSpec spec = (TlsKeyMaterialParameterSpec)params; - int version = (spec.getMajorVersion() << 8) | spec.getMinorVersion(); + tlsVersion = ProtocolVersion.valueOf(spec.getMajorVersion(), spec.getMinorVersion()); - if ((version == 0x0300 && !supportSSLv3) || (version < 0x0300) || - (version > 0x0302)) { + if ((tlsVersion.compareTo(ProtocolVersion.SSL30) == 0 && !supportSSLv3) || + (tlsVersion.compareTo(ProtocolVersion.SSL30) < 0) || + (tlsVersion.compareTo(ProtocolVersion.TLS12) > 0)) { throw new InvalidAlgorithmParameterException ("Only" + (supportSSLv3? " SSL 3.0,": "") + - " TLS 1.0, and TLS 1.1 are supported (0x" + - Integer.toHexString(version) + ")"); + " TLS 1.0, TLS 1.1 and TLS 1.2 are supported (" + + tlsVersion + ")"); } try { p11Key = P11SecretKeyFactory.convertKey @@ -112,8 +117,14 @@ throw new InvalidAlgorithmParameterException("init() failed", e); } this.spec = spec; - this.mechanism = (version == 0x0300)? - CKM_SSL3_KEY_AND_MAC_DERIVE : CKM_TLS_KEY_AND_MAC_DERIVE; + if (tlsVersion.compareTo(ProtocolVersion.SSL30) == 0) { + mechanism = CKM_SSL3_KEY_AND_MAC_DERIVE; + } else if (tlsVersion.compareTo(ProtocolVersion.TLS10) == 0 || + tlsVersion.compareTo(ProtocolVersion.TLS11) == 0) { + mechanism = CKM_TLS_KEY_AND_MAC_DERIVE; + } else if (tlsVersion.compareTo(ProtocolVersion.TLS12) == 0) { + mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE; + } } protected void engineInit(int keysize, SecureRandom random) { @@ -141,8 +152,18 @@ CK_SSL3_RANDOM_DATA random = new CK_SSL3_RANDOM_DATA (spec.getClientRandom(), spec.getServerRandom()); - CK_SSL3_KEY_MAT_PARAMS params = new CK_SSL3_KEY_MAT_PARAMS - (macBits, keyBits, ivBits, isExportable, random); + Object params = null; + CK_MECHANISM ckMechanism = null; + if (tlsVersion.compareTo(ProtocolVersion.TLS12) < 0) { + params = new CK_SSL3_KEY_MAT_PARAMS + (macBits, keyBits, ivBits, isExportable, random); + ckMechanism = new CK_MECHANISM(mechanism, (CK_SSL3_KEY_MAT_PARAMS)params); + } else if (tlsVersion.compareTo(ProtocolVersion.TLS12) == 0) { + params = new CK_TLS12_KEY_MAT_PARAMS + (macBits, keyBits, ivBits, isExportable, random, + SunPKCS11.hashAlgorithmToHashMechanismMap.get(spec.getPRFHashAlg())); + ckMechanism = new CK_MECHANISM(mechanism, (CK_TLS12_KEY_MAT_PARAMS)params); + } String cipherAlgorithm = spec.getCipherAlgorithm(); long keyType = P11SecretKeyFactory.getKeyType(cipherAlgorithm); @@ -173,10 +194,16 @@ attributes = token.getAttributes (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); // the returned keyID is a dummy, ignore - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes); + token.p11.C_DeriveKey(session.id(), + ckMechanism, p11Key.keyID, attributes); - CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial; + + CK_SSL3_KEY_MAT_OUT out = null; + if (params instanceof CK_SSL3_KEY_MAT_PARAMS) { + out = ((CK_SSL3_KEY_MAT_PARAMS)params).pReturnedKeyMaterial; + } else if (params instanceof CK_TLS12_KEY_MAT_PARAMS) { + out = ((CK_TLS12_KEY_MAT_PARAMS)params).pReturnedKeyMaterial; + } // Note that the MAC keys do not inherit all attributes from the // template, but they do inherit the sensitive/extractable/token // flags, which is all P11Key cares about.