From 601824928614ae34136a1e0151b04859a443f4d8 Mon Sep 17 00:00:00 2001
From: Tao Liu
Date: Thu, 22 Feb 2024 13:43:16 -0500
Subject: [PATCH] Add ExtendedMasterSecret support in SunPKCS11 provider
This commit is for adding the ExtendedMasterSecret support in SunPKCS11 security provider.
Signed-off-by: Tao Liu
---
 .../pkcs11/P11TlsMasterSecretGenerator.java | 31 +++++-
 .../sun/security/pkcs11/SunPKCS11.java | 9 +-
 .../security/pkcs11/wrapper/CK_MECHANISM.java | 10 ++
 ...TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java | 105 ++++++++++++++++++
 .../security/pkcs11/wrapper/Functions.java | 10 ++
 .../pkcs11/wrapper/PKCS11Constants.java | 10 ++
 .../share/native/libj2pkcs11/p11_convert.c | 78 +++++++++++++
 .../share/native/libj2pkcs11/p11_keymgmt.c | 27 +++++
 .../share/native/libj2pkcs11/p11_util.c | 14 +++
 .../share/native/libj2pkcs11/pkcs11t.h | 16 +++
 .../share/native/libj2pkcs11/pkcs11wrapper.h | 10 ++
 11 files changed, 316 insertions(+), 4 deletions(-)
 create mode 100644 src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
index 8148fd6a33e..c542ecc33bf 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java
@@ -23,6 +23,12 @@ * questions. */
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */ + package sun.security.pkcs11; import java.security.*; 
@@ -110,6 +116,8 @@ protected void engineInit(AlgorithmParameterSpec params, throw new InvalidAlgorithmParameterException("init() failed", e); } this.spec = spec; + byte[] extendedMasterSecretSessionHash = + spec.getExtendedMasterSecretSessionHash(); final boolean isTlsRsaPremasterSecret = p11Key.getAlgorithm().equals("TlsRsaPremasterSecret"); if (tlsVersion == 0x0300) { @@ -118,6 +126,9 @@ protected void engineInit(AlgorithmParameterSpec params, } else if (tlsVersion == 0x0301 || tlsVersion == 0x0302) { mechanism = isTlsRsaPremasterSecret ? CKM_TLS_MASTER_KEY_DERIVE : CKM_TLS_MASTER_KEY_DERIVE_DH; + } else if (extendedMasterSecretSessionHash.length != 0) { + mechanism = isTlsRsaPremasterSecret ? + CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE : CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH; } else if (tlsVersion == 0x0303) { mechanism = isTlsRsaPremasterSecret ? CKM_TLS12_MASTER_KEY_DERIVE : CKM_TLS12_MASTER_KEY_DERIVE_DH; @@ -146,6 +157,8 @@ protected SecretKey engineGenerateKey() { } byte[] clientRandom = spec.getClientRandom(); byte[] serverRandom = spec.getServerRandom(); + byte[] extendedMasterSecretSessionHash = + spec.getExtendedMasterSecretSessionHash(); CK_SSL3_RANDOM_DATA random = new CK_SSL3_RANDOM_DATA(clientRandom, serverRandom); CK_MECHANISM ckMechanism = null; @@ -153,6 +166,12 @@ protected SecretKey engineGenerateKey() { CK_SSL3_MASTER_KEY_DERIVE_PARAMS params = new CK_SSL3_MASTER_KEY_DERIVE_PARAMS(random, ckVersion); ckMechanism = new CK_MECHANISM(mechanism, params); + } else if (extendedMasterSecretSessionHash.length != 0) { + CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS params = + new CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS( + Functions.getHashMechId(spec.getPRFHashAlg()), + extendedMasterSecretSessionHash, ckVersion); + ckMechanism = new CK_MECHANISM(mechanism, params); } else if (tlsVersion == 0x0303) { CK_TLS12_MASTER_KEY_DERIVE_PARAMS params = new CK_TLS12_MASTER_KEY_DERIVE_PARAMS(random, ckVersion, 
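Review bot: In engineInit the new `else if (extendedMasterSecretSessionHash.length != 0)` branch is only reached after the `tlsVersion == 0x0301 || tlsVersion == 0x0302` branch has claimed TLS 1.0/1.1, so a 1.0/1.1 handshake that negotiated RFC 7627 (non-empty session hash) is silently derived with the legacy CKM_TLS_MASTER_KEY_DERIVE(_DH) mechanism, and the peer computing the extended master secret will then fail Finished verification rather than get a diagnosable error. Decide the policy explicitly: if the NSS mechanism is meant for every TLS version (worth confirming against the token), test the session hash before the version checks in both engineInit and engineGenerateKey; otherwise reject it for pre-1.2 versions, e.g. `if (extendedMasterSecretSessionHash.length != 0 && tlsVersion < 0x0303) throw new InvalidAlgorithmParameterException("extended master secret requires TLS 1.2");`. With the current order a non-empty hash combined with an unrecognised tlsVersion also selects the EMS mechanism ahead of whatever follows the `0x0303` branch. Both engineInit and engineGenerateKey start and end outside these hunks, including the first condition of engineGenerateKey's parameter switch, so the version test there should be checked for the same ordering.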
@@ -163,8 +182,16 @@ protected SecretKey engineGenerateKey() { long p11KeyID = p11Key.getKeyID(); try { session = token.getObjSession(); - CK_ATTRIBUTE[] attributes = token.getAttributes(O_GENERATE, - CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); + CK_ATTRIBUTE[] attributes; + if (extendedMasterSecretSessionHash.length != 0) { + attributes = token.getAttributes(O_GENERATE, + CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET)}); + } else { + attributes = token.getAttributes(O_GENERATE, + CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); + } long keyID = token.p11.C_DeriveKey(session.id(), ckMechanism, p11KeyID, attributes); int major, minor; diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java index f052e980cde..a0093bde967 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -25,7 +25,7 @@ /* * =========================================================================== - * (c) Copyright IBM Corp. 2022, 2023 All Rights Reserved + * (c) Copyright IBM Corp. 2022, 2024 All Rights Reserved * =========================================================================== */ @@ -1125,6 +1125,10 @@ private static void register(Descriptor d) { m(CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_MASTER_KEY_DERIVE_DH)); + d(KG, "SunTlsExtendedMasterSecret", + "sun.security.pkcs11.P11TlsMasterSecretGenerator", + m(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, + CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH)); d(KG, "SunTls12MasterSecret", "sun.security.pkcs11.P11TlsMasterSecretGenerator", m(CKM_TLS12_MASTER_KEY_DERIVE, CKM_TLS12_MASTER_KEY_DERIVE_DH)); 
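Review bot: The new EMS branch in engineGenerateKey passes explicit CKA_CLASS/CKA_KEY_TYPE attributes to token.getAttributes even though the same CKO_SECRET_KEY/CKK_GENERIC_SECRET values are already supplied as its type and subtype, while the legacy branch keeps the empty template; nothing says why the extended mechanism needs the explicit template, so a later reader cannot tell whether this is a token requirement or an accident. Add a why-comment above the `if`, e.g. `// CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE(_DH) needs CKA_CLASS and CKA_KEY_TYPE in the derive template; the legacy mechanisms infer them — TODO confirm against the token`. The duplicated call can then collapse to `CK_ATTRIBUTE[] extra = extendedMasterSecretSessionHash.length != 0 ? new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET) } : new CK_ATTRIBUTE[0];` followed by a single `CK_ATTRIBUTE[] attributes = token.getAttributes(O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, extra);`. engineGenerateKey continues outside the hunk.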
@@ -1508,7 +1512,8 @@ public Object newInstance0(Object param) throws return new P11TlsRsaPremasterSecretGenerator( token, algorithm, mechanism); } else if (algorithm == "SunTlsMasterSecret" - || algorithm == "SunTls12MasterSecret") { + || algorithm == "SunTls12MasterSecret" + || algorithm == "SunTlsExtendedMasterSecret") { return new P11TlsMasterSecretGenerator( token, algorithm, mechanism); } else if (algorithm == "SunTlsKeyMaterial" diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java index 0c9ebb289c1..2480d77732b 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java @@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + package sun.security.pkcs11.wrapper; import java.math.BigInteger; @@ -119,6 +125,10 @@ public CK_MECHANISM(long mechanism, CK_TLS12_MASTER_KEY_DERIVE_PARAMS params) { init(mechanism, params); } + public CK_MECHANISM(long mechanism, CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS params) { + init(mechanism, params); + } + public CK_MECHANISM(long mechanism, CK_SSL3_KEY_MAT_PARAMS params) { init(mechanism, params); } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java new file mode 100644 index 00000000000..3c7d2185387 --- /dev/null +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.java 
@@ -0,0 +1,105 @@
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * IBM designates this particular file as subject to the "Classpath" exception
+ * as provided by IBM in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, see .
+ *
+ * ===========================================================================
+ */
+
+package sun.security.pkcs11.wrapper;
+
+/**
+ * This class represents the necessary parameters required by the
+ * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE and
+ * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH mechanisms as defined
+ * in CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS structure.

+ * PKCS#11 structure:
+ *

+ * typedef struct CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS {
+ *     CK_MECHANISM_TYPE prfHashMechanism;
+ *     CK_BYTE_PTR pSessionHash;
+ *     CK_ULONG ulSessionHashLen;
+ *     CK_VERSION_PTR pVersion;
+ * } CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS;
+ * 
+ *
+ */
+public class CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS {
+
+ /**
+ * PKCS#11:
+ *
+     *   CK_MECHANISM_TYPE prfHashMechanism;
+     * 
+ */
+ public final long prfHashMechanism;
+
+ /**
+ * PKCS#11:
+ *
+     *   CK_BYTE_PTR pSessionHash;
+     * 
+ */
+ public final byte[] pSessionHash;
+
+ /**
+ * PKCS#11:
+ *
+     *   CK_VERSION_PTR pVersion;
+     * 
+ */
+ public final CK_VERSION pVersion;
+
+ public CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS(
+ long prfHashMechanism, byte[] pSessionHash,
+ CK_VERSION pVersion) {
+ this.prfHashMechanism = prfHashMechanism;
+ this.pSessionHash = pSessionHash;
+ this.pVersion = pVersion;
+ }
+
+ /**
+ * Returns the string representation of
+ * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.
+ *
+ * @return the string representation of
+ * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS
+ */
+ @Override
+ public String toString() {
+ StringBuilder buffer = new StringBuilder();
+
+ buffer.append(Constants.INDENT);
+ buffer.append("prfHashMechanism: ");
+ buffer.append(prfHashMechanism);
+ buffer.append(Constants.NEWLINE);
+
+ buffer.append(Constants.INDENT);
+ buffer.append("pSessionHash: ");
+ buffer.append(Functions.toHexString(pSessionHash));
+ buffer.append(Constants.NEWLINE);
+
+ buffer.append(Constants.INDENT);
+ buffer.append("pVersion: ");
+ buffer.append(pVersion);
+
+ return buffer.toString();
+ }
+
+}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java
index 7d8f32a6cce..4af40495ba6 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java
@@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */ + package sun.security.pkcs11.wrapper; import java.math.BigInteger; 
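Review bot: The Javadoc of CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS does not explain the two places where the Java class and the native struct it mirrors diverge: `ulSessionHashLen` has no Java field and is derived from `pSessionHash.length` when the object is marshalled, and `pVersion` is an in/out slot whose referenced CK_VERSION object is overwritten with the client version after C_DeriveKey for the CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE (RSA) variant, as the copy-back added in p11_keymgmt.c later in this patch shows. Add to the `pSessionHash` Javadoc `ulSessionHashLen is taken from this array's length when the structure is marshalled natively` and to the `pVersion` Javadoc `In/out: for the RSA mechanism the token's client version is copied back into this object after C_DeriveKey; null for the DH variant`. The constructor also keeps the caller's `pSessionHash` array by reference, matching the sibling CK_* parameter classes; a one-line remark that the array is read at C_DeriveKey time, not at construction, would save the next reader a trip through the native code.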
@@ -1098,6 +1104,10 @@ private static void addMGF(long id, String name) { addMech(CKM_VENDOR_DEFINED, "CKM_VENDOR_DEFINED"); addMech(CKM_NSS_TLS_PRF_GENERAL, "CKM_NSS_TLS_PRF_GENERAL"); + addMech(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, + "CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE"); + addMech(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, + "CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH"); addMech(PCKM_SECURERANDOM, "SecureRandom"); addMech(PCKM_KEYSTORE, "KeyStore"); diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java index 0d65ee26805..a2b09782c16 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java @@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + package sun.security.pkcs11.wrapper; /** @@ -999,6 +1005,10 @@ public interface PKCS11Constants { // NSS private public static final long CKM_NSS_TLS_PRF_GENERAL = 0x80000373L; + public static final long CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE + /* (CKM_NSS + 25) */ = 0xCE534369L; + public static final long CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH + /* (CKM_NSS + 26) */ = 0xCE53436AL; // internal ids for our pseudo mechanisms SecureRandom and KeyStore public static final long PCKM_SECURERANDOM = 0x7FFFFF20L; diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c index d941b574cc7..f8834a98cd0 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c 
@@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + /* * pkcs11wrapper.c * 18.05.2001 
@@ -608,6 +614,73 @@ jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParamPtr(JNIEnv *env,
 return NULL;
 }
+/*
+ * Converts the Java CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS object to a
+ * CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS pointer.
+ *
+ * @param env - used to call JNI functions to get the Java classes and objects
+ * @param jParam - the Java CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS object to convert
+ * @param pLength - length of the allocated memory of the returned pointer
+ * @return pointer to the new CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS structure
+ */
+CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS_PTR
+jTlsExtendedMasterKeyDeriveParamToCKTlsExtendedMasterKeyDeriveParamPtr(JNIEnv *env,
+ jobject jParam, CK_ULONG *pLength)
+{
+ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS_PTR ckParamPtr = NULL;
+ jclass jTlsExtendedMasterKeyDeriveParamsClass = NULL;
+ jfieldID fieldID = NULL;
+ jlong prfHashMechanism = 0L;
+ jobject pSessionHash = NULL;
+ if (NULL != pLength) {
+ *pLength = 0L;
+ }
+
+ // retrieve java values
+ jTlsExtendedMasterKeyDeriveParamsClass =
+ (*env)->FindClass(env, CLASS_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS);
+ if (NULL == jTlsExtendedMasterKeyDeriveParamsClass) {
+ return NULL;
+ }
+ fieldID = (*env)->GetFieldID(env,
+ jTlsExtendedMasterKeyDeriveParamsClass, "prfHashMechanism", "J");
+ if (NULL == fieldID) {
+ return NULL;
+ }
+ prfHashMechanism = (*env)->GetLongField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env,
+ jTlsExtendedMasterKeyDeriveParamsClass, "pSessionHash", "[B");
+ if (NULL == fieldID) {
+ return NULL;
+ }
+ pSessionHash = (*env)->GetObjectField(env, jParam, fieldID);
+
+ // allocate memory for CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS pointer
+ ckParamPtr = calloc(1, sizeof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS));
+ if (NULL == ckParamPtr) {
+ throwOutOfMemoryError(env, 0);
+ return NULL;
+ }
+
+ // populate using java values
+ jByteArrayToCKByteArray(env, pSessionHash, 
&(ckParamPtr->pSessionHash), + &(ckParamPtr->ulSessionHashLen)); + if ((*env)->ExceptionCheck(env)) { + goto cleanup; + } + + ckParamPtr->prfHashMechanism = (CK_MECHANISM_TYPE) prfHashMechanism; + + if (NULL != pLength) { + *pLength = sizeof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS); + } + return ckParamPtr; +cleanup: + free(ckParamPtr->pSessionHash); + free(ckParamPtr); + return NULL; +} + /* * converts the Java CK_TLS_PRF_PARAMS object to a CK_TLS_PRF_PARAMS pointer * @@ -1485,6 +1558,11 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, ckpParamPtr = jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParamPtr(env, jParam, ckpLength); break; + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: + ckpParamPtr = jTlsExtendedMasterKeyDeriveParamToCKTlsExtendedMasterKeyDeriveParamPtr( + env, jParam, ckpLength); + break; case CKM_TLS_PRF: case CKM_NSS_TLS_PRF_GENERAL: ckpParamPtr = jTlsPrfParamsToCKTlsPrfParamPtr(env, jParam, diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c index dea55f5258b..e0ef6020a1b 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c @@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + #include "pkcs11wrapper.h" #include 
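Review bot: jTlsExtendedMasterKeyDeriveParamToCKTlsExtendedMasterKeyDeriveParamPtr reads only `prfHashMechanism` and `pSessionHash` from the Java object and never its `pVersion` field, so `ckParamPtr->pVersion` stays NULL from calloc: the token has nowhere to write the client version for the RSA variant, `tlsEmsCopyBackClientVersion` in p11_keymgmt.c later in this patch copies back from a NULL pointer (a no-op if copyBackClientVersion guards it, otherwise a crash), and the `free(tlsEmkdTmp->pVersion)` added to freeCKMechanismPtr only ever frees NULL. The Java side (CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS.pVersion and the ckVersion engineGenerateKey passes in) clearly expects the field to be marshalled, exactly as the TLS 1.2 converter directly above this hunk does for CK_TLS12_MASTER_KEY_DERIVE_PARAMS. Retrieve the field and convert it with the same helper the TLS 1.2 path uses, and release it on the cleanup path; the names CLASS_VERSION and jVersionToCKVersionPtr below are taken from that sibling converter and should be checked against it.
```c
    jobject jVersion = NULL;
    /* … unchanged: prfHashMechanism and pSessionHash field lookups … */
    fieldID = (*env)->GetFieldID(env,
        jTlsExtendedMasterKeyDeriveParamsClass, "pVersion", "L" CLASS_VERSION ";");
    if (NULL == fieldID) {
        return NULL;
    }
    jVersion = (*env)->GetObjectField(env, jParam, fieldID);
    /* … unchanged: calloc and session-hash copy … */
    /* pVersion is NULL for the DH variant; the helper must accept a null jVersion */
    ckParamPtr->pVersion = jVersionToCKVersionPtr(env, jVersion);
    if ((*env)->ExceptionCheck(env)) {
        goto cleanup;
    }
    ckParamPtr->prfHashMechanism = (CK_MECHANISM_TYPE) prfHashMechanism;
    /* … unchanged: pLength and return … */
cleanup:
    free(ckParamPtr->pSessionHash);
    free(ckParamPtr->pVersion);
    free(ckParamPtr);
    return NULL;
```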
@@ -922,6 +928,9 @@ JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DeriveKey case CKM_TLS12_MASTER_KEY_DERIVE: tls12CopyBackClientVersion(env, ckpMechanism, jMechanism); break; + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: + tlsEmsCopyBackClientVersion(env, ckpMechanism, jMechanism); + break; case CKM_SSL3_KEY_AND_MAC_DERIVE: case CKM_TLS_KEY_AND_MAC_DERIVE: /* we must copy back the unwrapped key info to the jMechanism object */ @@ -1041,6 +1050,24 @@ void tls12CopyBackClientVersion(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism, } } +/* + * Copy back the client version information from the native + * structure to the Java object. This is only used for + * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE mechanism when used + * for deriving a key. + */ +void tlsEmsCopyBackClientVersion(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism, + jobject jMechanism) +{ + CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *ckTLSEmsMasterKeyDeriveParams + = (CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *)ckpMechanism->pParameter; + if (NULL_PTR != ckTLSEmsMasterKeyDeriveParams) { + copyBackClientVersion(env, ckpMechanism, jMechanism, + ckTLSEmsMasterKeyDeriveParams->pVersion, + CLASS_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS); + } +} + static void copyBackKeyMatParams(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism, jobject jMechanism, CK_SSL3_RANDOM_DATA *RandomInfo, CK_SSL3_KEY_MAT_OUT_PTR ckSSL3KeyMatOut, const char *class_key_mat_params) diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c index 520bd52a2cd..c649e188167 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c 
@@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + #include "pkcs11wrapper.h" #include @@ -321,6 +327,7 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) { CK_SSL3_KEY_MAT_PARAMS* sslKmTmp; CK_TLS12_MASTER_KEY_DERIVE_PARAMS *tlsMkdTmp; CK_TLS12_KEY_MAT_PARAMS* tlsKmTmp; + CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *tlsEmkdTmp = NULL; if (mechPtr != NULL) { TRACE2("DEBUG freeCKMechanismPtr: free pMech %p (mech 0x%lX)\n", @@ -387,6 +394,13 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) { free(tlsMkdTmp->RandomInfo.pServerRandom); free(tlsMkdTmp->pVersion); break; + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: + tlsEmkdTmp = tmp; + TRACE0("[ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS ]\n"); + free(tlsEmkdTmp->pSessionHash); + free(tlsEmkdTmp->pVersion); + break; case CKM_TLS12_KEY_AND_MAC_DERIVE: tlsKmTmp = tmp; TRACE0("[ CK_TLS12_KEY_MAT_PARAMS ]\n"); diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h index ab6ef326e8b..db8e04ff9ea 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h @@ -5,6 +5,12 @@ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + /* Latest version of the specification: * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html */ 
@@ -2173,6 +2179,16 @@ typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS { typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR \ CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR; +typedef struct CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfHashMechanism; + CK_BYTE_PTR pSessionHash; + CK_ULONG ulSessionHashLen; + CK_VERSION_PTR pVersion; +} CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS; + +typedef CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS CK_PTR \ + CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS_PTR; + typedef struct CK_TLS12_KEY_MAT_PARAMS { CK_ULONG ulMacSizeInBits; CK_ULONG ulKeySizeInBits; diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h index eb6d01b9e47..cd463df42d2 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h @@ -45,6 +45,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved + * =========================================================================== + */ + /* * pkcs11wrapper.h * 18.05.2001 @@ -75,6 +81,8 @@ #define CKA_NETSCAPE_TRUST_EMAIL_PROTECTION (CKA_NETSCAPE_TRUST_BASE + 11) #define CKA_NETSCAPE_DB 0xD5A0DB00 #define CKM_NSS_TLS_PRF_GENERAL 0x80000373 +#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE (CKA_NETSCAPE_BASE + 25) +#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKA_NETSCAPE_BASE + 26) /* 
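Review bot: pkcs11wrapper.h defines CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE(_DH) as `(CKA_NETSCAPE_BASE + 25)` and `+ 26`, while the Java side (PKCS11Constants earlier in this patch) hard-codes `0xCE534369L` / `0xCE53436AL` with a `(CKM_NSS + 25)` comment; the two agree only if CKA_NETSCAPE_BASE carries the NSS vendor value, which the diff does not show, and a divergence would send the mechanism through the default paths of the switches in jMechParamToCKMechParamPtrSlow and freeCKMechanismPtr, leaving the parameter block unconverted or unfreed. Deriving a mechanism id from an attribute-base macro also reads oddly. Anchor both sides to one documented value, e.g. `#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE 0xCE534369 /* CKM_NSS + 25; must match PKCS11Constants.java */` and the same for `0xCE53436A`, or add that comment next to the existing macros if the base constant is kept.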
@@ -292,6 +300,7 @@ void printDebug(const char *format, ...); // CLASS_SSL3_KEY_MAT_OUT is used by CLASS_SSL3_KEY_MAT_PARAMS and CK_TLS12_KEY_MAT_PARAMS #define CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS" #define CLASS_TLS12_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_TLS12_MASTER_KEY_DERIVE_PARAMS" +#define CLASS_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS" #define CLASS_SSL3_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS" #define CLASS_TLS12_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_TLS12_KEY_MAT_PARAMS" #define CLASS_TLS_PRF_PARAMS "sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS" @@ -394,6 +403,7 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job void copyBackSetUnwrappedKey(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); void ssl3CopyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); void tls12CopyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); +void tlsEmsCopyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); void ssl3CopyBackKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); void tls12CopyBackKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);