From adff3e7f6366ca11d691ef8487b93bf13dc4bba4 Mon Sep 17 00:00:00 2001
From: Kostas Tsiounis
Date: Wed, 27 Sep 2023 14:39:37 -0400
Subject: [PATCH] Always revert to Java impl when OpenSSL fails

At the moment, if there is an OpenSSL failure when using NativeECKeyPairGenerator, a flag for that particular curve is set and the Sun Java implementation is used to complete the task. If another instance of NativeECKeyPairGenerator reaches the same failure, a ProviderException is thrown, as the issue with that particular curve should have been discovered during the call to initialize() thus creating and using an instance of ECKeyPairGenerator, and that particular point should never have been reached. However, in the scenario where the second instance of NativeECKeyPairGenerator has been initialized earlier, the flag for the problematic curve will never be discovered. This fix ensures that we always revert to the Sun Java implementation when an OpenSSL failure occurs.
Signed-off by: Kostas Tsiounis
---
.../security/ec/NativeECKeyPairGenerator.java | 28 ++++++-------------
1 file changed, 9 insertions(+), 19 deletions(-)
diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
index df1963b0a25..012192c71f6 100644
--- a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
+++ b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java
@@ -168,17 +168,13 @@ public KeyPair generateKeyPair() { return this.javaImplementation.generateKeyPair(); } - boolean absent; long nativePointer = NativeECUtil.encodeGroup(this.params); if (nativePointer == -1) { - absent = NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); - if (!absent) { - throw new ProviderException("Could not encode group"); - } + NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); if (nativeCryptTrace) { - System.err.println(this.curve + - " is not supported by OpenSSL, using Java crypto implementation."); + System.err.println("Could not encode group for curve " + this.curve + + " in OpenSSL, using Java crypto implementation."); } try { this.initializeJavaImplementation(); @@ -195,13 +191,10 @@ public KeyPair generateKeyPair() { } else if (field instanceof ECFieldF2m) { fieldType = NativeCrypto.ECField_F2m; } else { - absent = NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); - if (!absent) { - throw new ProviderException("Field type not supported"); - } + NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); if (nativeCryptTrace) { - System.err.println(this.curve + - " is not supported by OpenSSL, using Java crypto implementation."); + System.err.println("Field type not supported for curve " + this.curve + + " by OpenSSL, using Java crypto implementation."); } try { this.initializeJavaImplementation(); 
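Review bot: With the `ProviderException` removed, a failed `encodeGroup` now moves this generator to the Java implementation on every occurrence, and the only record of it is the `System.err` line behind `nativeCryptTrace`; the same holds for the field-type branch in the next hunk and the `ret == -1` branch in the third. For a crypto provider, which implementation actually produced a key is something operators may need to establish, so the discarded return value and the deliberate fallback deserve a comment at the call, for example `// Result ignored: another instance may already have flagged this curve; fall back to the Java implementation either way.` If the project has a logging path that does not depend on the trace flag, reporting the first fallback per curve there would make the switch observable; none is visible in this hunk. The enclosing `generateKeyPair()` starts and ends outside the hunk.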
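Review bot: The `else` branch for an unsupported field type repeats the same three steps as the `nativePointer == -1` branch before it and the `ret == -1` branch in the last hunk: flag the curve, print a trace line, then call `initializeJavaImplementation()` inside a `try`. Now that no branch inspects the result of `putCurveIfAbsent`, the sequence could live in one private helper that takes the reason text, so the flagging and the three messages cannot drift apart in a later edit. The `try` block continues outside the hunk, so its handler would have to move into the helper with it.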
@@ -226,13 +219,10 @@ public KeyPair generateKeyPair() { fieldType); if (ret == -1) { - absent = NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); - if (!absent) { - throw new ProviderException("Could not generate key pair"); - } + NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); if (nativeCryptTrace) { - System.err.println(this.curve + - " is not supported by OpenSSL, using Java crypto implementation for key generation."); + System.err.println("Could not generate key pair for curve " + this.curve + + " using OpenSSL, using Java crypto implementation for key generation."); } try { this.initializeJavaImplementation();
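Review bot: A failed native key generation (`ret == -1`) still records the curve as unsupported through `putCurveIfAbsent(this.curve, Boolean.FALSE)`, although this branch is reached only after the group was encoded and the field type accepted, so the failure may be a transient OpenSSL error rather than a property of the curve. Going by the commit message, `initialize()` consults that flag, which would presumably move every later generator for the curve to the Java implementation for the life of the process. If `-1` is all the native call reports, a comment stating that choice would help, e.g. `// Any native failure disables OpenSSL for this curve process-wide, including transient ones.`; otherwise consider falling back for this instance only without setting the flag. The surrounding `try` continues outside the hunk.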