--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2018-05-22 17:08:45.010348158 -0300 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2018-05-22 17:08:44.885348061 -0300 @@ -85,6 +85,9 @@ private TokenPoller poller; + static final Map hashAlgorithmToHashMechanismMap = + new HashMap(); + Token getToken() { return token; } @@ -455,6 +458,10 @@ return new int[] {(int)m1, (int)m2, (int)m3, (int)m4}; } + private static int[] m(long m1, long m2, long m3, long m4, long m5) { + return new int[] {(int)m1, (int)m2, (int)m3, (int)m4, (int)m5}; + } + private static void d(String type, String algorithm, String className, int[] m) { register(new Descriptor(type, algorithm, className, null, m)); @@ -518,6 +525,12 @@ String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; String P11Signature = "sun.security.pkcs11.P11Signature"; + hashAlgorithmToHashMechanismMap.put("SHA-1", CKM_SHA_1); + hashAlgorithmToHashMechanismMap.put("SHA-224", CKM_SHA224); + hashAlgorithmToHashMechanismMap.put("SHA-256", CKM_SHA256); + hashAlgorithmToHashMechanismMap.put("SHA-386", CKM_SHA384); + hashAlgorithmToHashMechanismMap.put("SHA-512", CKM_SHA512); + // XXX register all aliases d(MD, "MD2", P11Digest, @@ -744,38 +757,25 @@ s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"), m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - /* - * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the - * PRF calculations. As of 2010, there is no PKCS11-level - * support for TLS 1.2 PRF calculations, and no known OS's have - * an internal variant we could use. Therefore for TLS 1.2, we - * are updating JSSE to request different provider algorithms - * (e.g. "SunTls12Prf"), and currently only SunJCE has these - * TLS 1.2 algorithms. - * - * If we reused the names such as "SunTlsPrf", the PKCS11 - * providers would need be updated to fail correctly when - * presented with the wrong version number (via - * Provider.Service.supportsParameters()), and we would also - * need to add the appropriate supportsParamters() checks into - * KeyGenerators (not currently there). - * - * In the future, if PKCS11 support is added, we will restructure - * this. - */ d(KG, "SunTlsRsaPremasterSecret", "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator", + s("SunTls12RsaPremasterSecret"), m(CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN)); d(KG, "SunTlsMasterSecret", "sun.security.pkcs11.P11TlsMasterSecretGenerator", + s("SunTls12MasterSecret"), m(CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE, + CKM_TLS12_MASTER_KEY_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_MASTER_KEY_DERIVE_DH)); d(KG, "SunTlsKeyMaterial", "sun.security.pkcs11.P11TlsKeyMaterialGenerator", + s("SunTls12KeyMaterial"), m(CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE)); d(KG, "SunTlsPrf", "sun.security.pkcs11.P11TlsPrfGenerator", m(CKM_TLS_PRF, CKM_NSS_TLS_PRF_GENERAL)); + d(KG, "SunTls12Prf", "sun.security.pkcs11.P11TlsPrfGenerator", + m(CKM_TLS_MAC)); } // background thread that periodically checks for token insertion @@ -1048,7 +1048,7 @@ } else if (algorithm == "SunTlsKeyMaterial") { return new P11TlsKeyMaterialGenerator( token, algorithm, mechanism); - } else if (algorithm == "SunTlsPrf") { + } else if (algorithm == "SunTlsPrf" || algorithm == "SunTls12Prf") { return new P11TlsPrfGenerator(token, algorithm, mechanism); } else { return new P11KeyGenerator(token, algorithm, mechanism);