diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
index 8148fd6a33e..c542ecc33bf 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
@@ -23,6 +23,12 @@
* questions.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
package sun.security.pkcs11;
import java.security.*;
@@ -110,6 +116,8 @@ protected void engineInit(AlgorithmParameterSpec params,
throw new InvalidAlgorithmParameterException("init() failed", e);
}
this.spec = spec;
+ byte[] extendedMasterSecretSessionHash =
+ spec.getExtendedMasterSecretSessionHash();
final boolean isTlsRsaPremasterSecret =
p11Key.getAlgorithm().equals("TlsRsaPremasterSecret");
if (tlsVersion == 0x0300) {
@@ -118,6 +126,9 @@ protected void engineInit(AlgorithmParameterSpec params,
} else if (tlsVersion == 0x0301 || tlsVersion == 0x0302) {
mechanism = isTlsRsaPremasterSecret ?
CKM_TLS_MASTER_KEY_DERIVE : CKM_TLS_MASTER_KEY_DERIVE_DH;
+ } else if (extendedMasterSecretSessionHash.length != 0) {
+ mechanism = isTlsRsaPremasterSecret ?
+ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE : CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH;
} else if (tlsVersion == 0x0303) {
mechanism = isTlsRsaPremasterSecret ?
CKM_TLS12_MASTER_KEY_DERIVE : CKM_TLS12_MASTER_KEY_DERIVE_DH;
@@ -146,6 +157,8 @@ protected SecretKey engineGenerateKey() {
}
byte[] clientRandom = spec.getClientRandom();
byte[] serverRandom = spec.getServerRandom();
+ byte[] extendedMasterSecretSessionHash =
+ spec.getExtendedMasterSecretSessionHash();
CK_SSL3_RANDOM_DATA random =
new CK_SSL3_RANDOM_DATA(clientRandom, serverRandom);
CK_MECHANISM ckMechanism = null;
@@ -153,6 +166,12 @@ protected SecretKey engineGenerateKey() {
CK_SSL3_MASTER_KEY_DERIVE_PARAMS params =
new CK_SSL3_MASTER_KEY_DERIVE_PARAMS(random, ckVersion);
ckMechanism = new CK_MECHANISM(mechanism, params);
+ } else if (extendedMasterSecretSessionHash.length != 0) {
+ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS params =
+ new CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS(
+ Functions.getHashMechId(spec.getPRFHashAlg()),
+ extendedMasterSecretSessionHash, ckVersion);
+ ckMechanism = new CK_MECHANISM(mechanism, params);
} else if (tlsVersion == 0x0303) {
CK_TLS12_MASTER_KEY_DERIVE_PARAMS params =
new CK_TLS12_MASTER_KEY_DERIVE_PARAMS(random, ckVersion,
@@ -163,8 +182,16 @@ protected SecretKey engineGenerateKey() {
long p11KeyID = p11Key.getKeyID();
try {
session = token.getObjSession();
- CK_ATTRIBUTE[] attributes = token.getAttributes(O_GENERATE,
- CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
+ CK_ATTRIBUTE[] attributes;
+ if (extendedMasterSecretSessionHash.length != 0) {
+ attributes = token.getAttributes(O_GENERATE,
+ CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET)});
+ } else {
+ attributes = token.getAttributes(O_GENERATE,
+ CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
+ }
long keyID = token.p11.C_DeriveKey(session.id(),
ckMechanism, p11KeyID, attributes);
int major, minor;
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index f052e980cde..a0093bde967 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -25,7 +25,7 @@
/*
* ===========================================================================
- * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved
+ * (c) Copyright IBM Corp. 2022, 2024 All Rights Reserved
* ===========================================================================
*/
@@ -1125,6 +1125,10 @@ private static void register(Descriptor d) {
m(CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE,
CKM_SSL3_MASTER_KEY_DERIVE_DH,
CKM_TLS_MASTER_KEY_DERIVE_DH));
+ d(KG, "SunTlsExtendedMasterSecret",
+ "sun.security.pkcs11.P11TlsMasterSecretGenerator",
+ m(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH));
d(KG, "SunTls12MasterSecret",
"sun.security.pkcs11.P11TlsMasterSecretGenerator",
m(CKM_TLS12_MASTER_KEY_DERIVE, CKM_TLS12_MASTER_KEY_DERIVE_DH));
@@ -1508,7 +1512,8 @@ public Object newInstance0(Object param) throws
return new P11TlsRsaPremasterSecretGenerator(
token, algorithm, mechanism);
} else if (algorithm == "SunTlsMasterSecret"
- || algorithm == "SunTls12MasterSecret") {
+ || algorithm == "SunTls12MasterSecret"
+ || algorithm == "SunTlsExtendedMasterSecret") {
return new P11TlsMasterSecretGenerator(
token, algorithm, mechanism);
} else if (algorithm == "SunTlsKeyMaterial"
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
index 0c9ebb289c1..2480d77732b 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
@@ -45,6 +45,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
package sun.security.pkcs11.wrapper;
import java.math.BigInteger;
@@ -119,6 +125,10 @@ public CK_MECHANISM(long mechanism, CK_TLS12_MASTER_KEY_DERIVE_PARAMS params) {
init(mechanism, params);
}
+ public CK_MECHANISM(long mechanism, CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS params) {
+ init(mechanism, params);
+ }
+
public CK_MECHANISM(long mechanism, CK_SSL3_KEY_MAT_PARAMS params) {
init(mechanism, params);
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java
new file mode 100644
index 00000000000..3c7d2185387
--- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java
@@ -0,0 +1,105 @@
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * IBM designates this particular file as subject to the "Classpath" exception
+ * as provided by IBM in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, see .
+ *
+ * ===========================================================================
+ */
+
+package sun.security.pkcs11.wrapper;
+
+/**
+ * This class represents the necessary parameters required by the
+ * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE and
+ * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH mechanisms as defined
+ * in CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS structure.
+ * PKCS#11 structure:
+ *
+ * typedef struct CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS {
+ * CK_MECHANISM_TYPE prfHashMechanism;
+ * CK_BYTE_PTR pSessionHash;
+ * CK_ULONG ulSessionHashLen;
+ * CK_VERSION_PTR pVersion;
+ * } CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS;
+ *
+ *
+ */
+public class CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS {
+
+ /**
+ * PKCS#11:
+ *
+ * CK_MECHANISM_TYPE prfHashMechanism;
+ *
+ */
+ public final long prfHashMechanism;
+
+ /**
+ * PKCS#11:
+ *
+ * CK_BYTE_PTR pSessionHash;
+ *
+ */
+ public final byte[] pSessionHash;
+
+ /**
+ * PKCS#11:
+ *
+ * CK_VERSION_PTR pVersion;
+ *
+ */
+ public final CK_VERSION pVersion;
+
+ public CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS(
+ long prfHashMechanism, byte[] pSessionHash,
+ CK_VERSION pVersion) {
+ this.prfHashMechanism = prfHashMechanism;
+ this.pSessionHash = pSessionHash;
+ this.pVersion = pVersion;
+ }
+
+ /**
+ * Returns the string representation of
+ * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.
+ *
+ * @return the string representation of
+ * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS
+ */
+ @Override
+ public String toString() {
+ StringBuilder buffer = new StringBuilder();
+
+ buffer.append(Constants.INDENT);
+ buffer.append("prfHashMechanism: ");
+ buffer.append(prfHashMechanism);
+ buffer.append(Constants.NEWLINE);
+
+ buffer.append(Constants.INDENT);
+ buffer.append("pSessionHash: ");
+ buffer.append(Functions.toHexString(pSessionHash));
+ buffer.append(Constants.NEWLINE);
+
+ buffer.append(Constants.INDENT);
+ buffer.append("pVersion: ");
+ buffer.append(pVersion);
+
+ return buffer.toString();
+ }
+
+}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java
index 7d8f32a6cce..4af40495ba6 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java
@@ -45,6 +45,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
package sun.security.pkcs11.wrapper;
import java.math.BigInteger;
@@ -1098,6 +1104,10 @@ private static void addMGF(long id, String name) {
addMech(CKM_VENDOR_DEFINED, "CKM_VENDOR_DEFINED");
addMech(CKM_NSS_TLS_PRF_GENERAL, "CKM_NSS_TLS_PRF_GENERAL");
+ addMech(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+ "CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE");
+ addMech(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+ "CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH");
addMech(PCKM_SECURERANDOM, "SecureRandom");
addMech(PCKM_KEYSTORE, "KeyStore");
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
index 0d65ee26805..a2b09782c16 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
@@ -45,6 +45,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
package sun.security.pkcs11.wrapper;
/**
@@ -999,6 +1005,10 @@ public interface PKCS11Constants {
// NSS private
public static final long CKM_NSS_TLS_PRF_GENERAL = 0x80000373L;
+ public static final long CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE
+ /* (CKM_NSS + 25) */ = 0xCE534369L;
+ public static final long CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH
+ /* (CKM_NSS + 26) */ = 0xCE53436AL;
// internal ids for our pseudo mechanisms SecureRandom and KeyStore
public static final long PCKM_SECURERANDOM = 0x7FFFFF20L;
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
index d941b574cc7..f8834a98cd0 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
@@ -45,6 +45,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
/*
* pkcs11wrapper.c
* 18.05.2001
@@ -608,6 +614,73 @@ jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParamPtr(JNIEnv *env,
return NULL;
}
+/*
+ * Converts the Java CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS object to a
+ * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS pointer.
+ *
+ * @param env - used to call JNI functions to get the Java classes and objects
+ * @param jParam - the Java CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS object to convert
+ * @param pLength - length of the allocated memory of the returned pointer
+ * @return pointer to the new CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS structure
+ */
+CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS_PTR
+jTlsExtendedMasterKeyDeriveParamToCKTlsExtendedMasterKeyDeriveParamPtr(JNIEnv *env,
+ jobject jParam, CK_ULONG *pLength)
+{
+ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS_PTR ckParamPtr = NULL;
+ jclass jTlsExtendedMasterKeyDeriveParamsClass = NULL;
+ jfieldID fieldID = NULL;
+ jlong prfHashMechanism = 0L;
+ jobject pSessionHash = NULL;
+ if (NULL != pLength) {
+ *pLength = 0L;
+ }
+
+ // retrieve java values
+ jTlsExtendedMasterKeyDeriveParamsClass =
+ (*env)->FindClass(env, CLASS_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS);
+ if (NULL == jTlsExtendedMasterKeyDeriveParamsClass) {
+ return NULL;
+ }
+ fieldID = (*env)->GetFieldID(env,
+ jTlsExtendedMasterKeyDeriveParamsClass, "prfHashMechanism", "J");
+ if (NULL == fieldID) {
+ return NULL;
+ }
+ prfHashMechanism = (*env)->GetLongField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env,
+ jTlsExtendedMasterKeyDeriveParamsClass, "pSessionHash", "[B");
+ if (NULL == fieldID) {
+ return NULL;
+ }
+ pSessionHash = (*env)->GetObjectField(env, jParam, fieldID);
+
+ // allocate memory for CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS pointer
+ ckParamPtr = calloc(1, sizeof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS));
+ if (NULL == ckParamPtr) {
+ throwOutOfMemoryError(env, 0);
+ return NULL;
+ }
+
+ // populate using java values
+ jByteArrayToCKByteArray(env, pSessionHash, &(ckParamPtr->pSessionHash),
+ &(ckParamPtr->ulSessionHashLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+
+ ckParamPtr->prfHashMechanism = (CK_MECHANISM_TYPE) prfHashMechanism;
+
+ if (NULL != pLength) {
+ *pLength = sizeof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS);
+ }
+ return ckParamPtr;
+cleanup:
+ free(ckParamPtr->pSessionHash);
+ free(ckParamPtr);
+ return NULL;
+}
+
/*
* converts the Java CK_TLS_PRF_PARAMS object to a CK_TLS_PRF_PARAMS pointer
*
@@ -1485,6 +1558,11 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
ckpParamPtr = jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParamPtr(env, jParam,
ckpLength);
break;
+ case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE:
+ case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH:
+ ckpParamPtr = jTlsExtendedMasterKeyDeriveParamToCKTlsExtendedMasterKeyDeriveParamPtr(
+ env, jParam, ckpLength);
+ break;
case CKM_TLS_PRF:
case CKM_NSS_TLS_PRF_GENERAL:
ckpParamPtr = jTlsPrfParamsToCKTlsPrfParamPtr(env, jParam,
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c
index dea55f5258b..e0ef6020a1b 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c
@@ -45,6 +45,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
#include "pkcs11wrapper.h"
#include
@@ -922,6 +928,9 @@ JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DeriveKey
case CKM_TLS12_MASTER_KEY_DERIVE:
tls12CopyBackClientVersion(env, ckpMechanism, jMechanism);
break;
+ case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE:
+ tlsEmsCopyBackClientVersion(env, ckpMechanism, jMechanism);
+ break;
case CKM_SSL3_KEY_AND_MAC_DERIVE:
case CKM_TLS_KEY_AND_MAC_DERIVE:
/* we must copy back the unwrapped key info to the jMechanism object */
@@ -1041,6 +1050,24 @@ void tls12CopyBackClientVersion(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism,
}
}
+/*
+ * Copy back the client version information from the native
+ * structure to the Java object. This is only used for
+ * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE mechanism when used
+ * for deriving a key.
+ */
+void tlsEmsCopyBackClientVersion(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism,
+ jobject jMechanism)
+{
+ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *ckTLSEmsMasterKeyDeriveParams
+ = (CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *)ckpMechanism->pParameter;
+ if (NULL_PTR != ckTLSEmsMasterKeyDeriveParams) {
+ copyBackClientVersion(env, ckpMechanism, jMechanism,
+ ckTLSEmsMasterKeyDeriveParams->pVersion,
+ CLASS_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS);
+ }
+}
+
static void copyBackKeyMatParams(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism,
jobject jMechanism, CK_SSL3_RANDOM_DATA *RandomInfo,
CK_SSL3_KEY_MAT_OUT_PTR ckSSL3KeyMatOut, const char *class_key_mat_params)
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
index 520bd52a2cd..c649e188167 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
@@ -45,6 +45,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
#include "pkcs11wrapper.h"
#include
@@ -321,6 +327,7 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
CK_SSL3_KEY_MAT_PARAMS* sslKmTmp;
CK_TLS12_MASTER_KEY_DERIVE_PARAMS *tlsMkdTmp;
CK_TLS12_KEY_MAT_PARAMS* tlsKmTmp;
+ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *tlsEmkdTmp = NULL;
if (mechPtr != NULL) {
TRACE2("DEBUG freeCKMechanismPtr: free pMech %p (mech 0x%lX)\n",
@@ -387,6 +394,13 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
free(tlsMkdTmp->RandomInfo.pServerRandom);
free(tlsMkdTmp->pVersion);
break;
+ case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE:
+ case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH:
+ tlsEmkdTmp = tmp;
+ TRACE0("[ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS ]\n");
+ free(tlsEmkdTmp->pSessionHash);
+ free(tlsEmkdTmp->pVersion);
+ break;
case CKM_TLS12_KEY_AND_MAC_DERIVE:
tlsKmTmp = tmp;
TRACE0("[ CK_TLS12_KEY_MAT_PARAMS ]\n");
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h
index ab6ef326e8b..db8e04ff9ea 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h
@@ -5,6 +5,12 @@
* PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
/* Latest version of the specification:
* http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
*/
@@ -2173,6 +2179,16 @@ typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS {
typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR \
CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR;
+typedef struct CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS {
+ CK_MECHANISM_TYPE prfHashMechanism;
+ CK_BYTE_PTR pSessionHash;
+ CK_ULONG ulSessionHashLen;
+ CK_VERSION_PTR pVersion;
+} CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS_PTR;
+
typedef struct CK_TLS12_KEY_MAT_PARAMS {
CK_ULONG ulMacSizeInBits;
CK_ULONG ulKeySizeInBits;
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
index eb6d01b9e47..cd463df42d2 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
@@ -45,6 +45,12 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
+
/*
* pkcs11wrapper.h
* 18.05.2001
@@ -75,6 +81,8 @@
#define CKA_NETSCAPE_TRUST_EMAIL_PROTECTION (CKA_NETSCAPE_TRUST_BASE + 11)
#define CKA_NETSCAPE_DB 0xD5A0DB00
#define CKM_NSS_TLS_PRF_GENERAL 0x80000373
+#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE (CKA_NETSCAPE_BASE + 25)
+#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKA_NETSCAPE_BASE + 26)
/*
@@ -292,6 +300,7 @@ void printDebug(const char *format, ...);
// CLASS_SSL3_KEY_MAT_OUT is used by CLASS_SSL3_KEY_MAT_PARAMS and CK_TLS12_KEY_MAT_PARAMS
#define CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS"
#define CLASS_TLS12_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_TLS12_MASTER_KEY_DERIVE_PARAMS"
+#define CLASS_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS"
#define CLASS_SSL3_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS"
#define CLASS_TLS12_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_TLS12_KEY_MAT_PARAMS"
#define CLASS_TLS_PRF_PARAMS "sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS"
@@ -394,6 +403,7 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
void copyBackSetUnwrappedKey(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
void ssl3CopyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
void tls12CopyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
+void tlsEmsCopyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
void ssl3CopyBackKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
void tls12CopyBackKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);