CoCalc -- JsseJce.java

GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/sun/security/ssl/JsseJce.java
³⁸⁸³⁰ views
1
/*
2
 * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package sun.security.ssl;
27

28
import java.math.BigInteger;
29
import java.security.*;
30
import java.security.interfaces.RSAPublicKey;
31
import java.security.spec.*;
32
import java.util.*;
33
import javax.crypto.*;
34
import sun.security.jca.ProviderList;
35
import sun.security.jca.Providers;
36
import static sun.security.ssl.SunJSSE.cryptoProvider;
37
import sun.security.util.ECUtil;
38
import static sun.security.util.SecurityConstants.PROVIDER_VER;
39

40
/**
41
 * This class contains a few static methods for interaction with the JCA/JCE
42
 * to obtain implementations, etc.
43
 *
44
 * @author  Andreas Sterbenz
45
 */
46
final class JsseJce {
47
    static final boolean ALLOW_ECC =
48
            Utilities.getBooleanProperty("com.sun.net.ssl.enableECC", true);
49

50
    private static final ProviderList fipsProviderList;
51

52
    // Flag indicating whether Kerberos crypto is available.
53
    // If true, then all the Kerberos-based crypto we need is available.
54
    private final static boolean kerberosAvailable;
55
    static {
56
        boolean temp;
57
        try {
58
            AccessController.doPrivileged(
59
                new PrivilegedExceptionAction<Void>() {
60
                    @Override
61
                    public Void run() throws Exception {
62
                        // Test for Kerberos using the bootstrap class loader
63
                        Class.forName("sun.security.krb5.PrincipalName", true,
64
                                null);
65
                        return null;
66
                    }
67
                });
68
            temp = true;
69

70
        } catch (Exception e) {
71
            temp = false;
72
        }
73
        kerberosAvailable = temp;
74
    }
75

76
    static {
77
        // force FIPS flag initialization
78
        // Because isFIPS() is synchronized and cryptoProvider is not modified
79
        // after it completes, this also eliminates the need for any further
80
        // synchronization when accessing cryptoProvider
81
        if (SunJSSE.isFIPS() == false) {
82
            fipsProviderList = null;
83
        } else {
84
            // Setup a ProviderList that can be used by the trust manager
85
            // during certificate chain validation. All the crypto must be
86
            // from the FIPS provider, but we also allow the required
87
            // certificate related services from the SUN provider.
88
            Provider sun = Security.getProvider("SUN");
89
            if (sun == null) {
90
                throw new RuntimeException
91
                    ("FIPS mode: SUN provider must be installed");
92
            }
93
            Provider sunCerts = new SunCertificates(sun);
94
            fipsProviderList = ProviderList.newList(cryptoProvider, sunCerts);
95
        }
96
    }
97

98
    private static final class SunCertificates extends Provider {
99
        private static final long serialVersionUID = -3284138292032213752L;
100

101
        SunCertificates(final Provider p) {
102
            super("SunCertificates", PROVIDER_VER, "SunJSSE internal");
103
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
104
                @Override
105
                public Object run() {
106
                    // copy certificate related services from the Sun provider
107
                    for (Map.Entry<Object,Object> entry : p.entrySet()) {
108
                        String key = (String)entry.getKey();
109
                        if (key.startsWith("CertPathValidator.")
110
                                || key.startsWith("CertPathBuilder.")
111
                                || key.startsWith("CertStore.")
112
                                || key.startsWith("CertificateFactory.")) {
113
                            put(key, entry.getValue());
114
                        }
115
                    }
116
                    return null;
117
                }
118
            });
119
        }
120
    }
121

122
    /**
123
     * JCE transformation string for RSA with PKCS#1 v1.5 padding.
124
     * Can be used for encryption, decryption, signing, verifying.
125
     */
126
    static final String CIPHER_RSA_PKCS1 = "RSA/ECB/PKCS1Padding";
127

128
    /**
129
     * JCE transformation string for the stream cipher RC4.
130
     */
131
    static final String CIPHER_RC4 = "RC4";
132

133
    /**
134
     * JCE transformation string for DES in CBC mode without padding.
135
     */
136
    static final String CIPHER_DES = "DES/CBC/NoPadding";
137

138
    /**
139
     * JCE transformation string for (3-key) Triple DES in CBC mode
140
     * without padding.
141
     */
142
    static final String CIPHER_3DES = "DESede/CBC/NoPadding";
143

144
    /**
145
     * JCE transformation string for AES in CBC mode
146
     * without padding.
147
     */
148
    static final String CIPHER_AES = "AES/CBC/NoPadding";
149

150
    /**
151
     * JCE transformation string for AES in GCM mode
152
     * without padding.
153
     */
154
    static final String CIPHER_AES_GCM = "AES/GCM/NoPadding";
155

156
    /**
157
     * JCA identifier string for DSA, i.e. a DSA with SHA-1.
158
     */
159
    static final String SIGNATURE_DSA = "DSA";
160

161
    /**
162
     * JCA identifier string for ECDSA, i.e. a ECDSA with SHA-1.
163
     */
164
    static final String SIGNATURE_ECDSA = "SHA1withECDSA";
165

166
    /**
167
     * JCA identifier string for Raw DSA, i.e. a DSA signature without
168
     * hashing where the application provides the SHA-1 hash of the data.
169
     * Note that the standard name is "NONEwithDSA" but we use "RawDSA"
170
     * for compatibility.
171
     */
172
    static final String SIGNATURE_RAWDSA = "RawDSA";
173

174
    /**
175
     * JCA identifier string for Raw ECDSA, i.e. a DSA signature without
176
     * hashing where the application provides the SHA-1 hash of the data.
177
     */
178
    static final String SIGNATURE_RAWECDSA = "NONEwithECDSA";
179

180
    /**
181
     * JCA identifier string for Raw RSA, i.e. a RSA PKCS#1 v1.5 signature
182
     * without hashing where the application provides the hash of the data.
183
     * Used for RSA client authentication with a 36 byte hash.
184
     */
185
    static final String SIGNATURE_RAWRSA = "NONEwithRSA";
186

187
    /**
188
     * JCA identifier string for the SSL/TLS style RSA Signature. I.e.
189
     * an signature using RSA with PKCS#1 v1.5 padding signing a
190
     * concatenation of an MD5 and SHA-1 digest.
191
     */
192
    static final String SIGNATURE_SSLRSA = "MD5andSHA1withRSA";
193

194
    private JsseJce() {
195
        // no instantiation of this class
196
    }
197

198
    static boolean isEcAvailable() {
199
        return EcAvailability.isAvailable;
200
    }
201

202
    static boolean isKerberosAvailable() {
203
        return kerberosAvailable;
204
    }
205

206
    /**
207
     * Return an JCE cipher implementation for the specified algorithm.
208
     */
209
    static Cipher getCipher(String transformation)
210
            throws NoSuchAlgorithmException {
211
        try {
212
            if (cryptoProvider == null) {
213
                return Cipher.getInstance(transformation);
214
            } else {
215
                return Cipher.getInstance(transformation, cryptoProvider);
216
            }
217
        } catch (NoSuchPaddingException e) {
218
            throw new NoSuchAlgorithmException(e);
219
        }
220
    }
221

222
    /**
223
     * Return an JCA signature implementation for the specified algorithm.
224
     * The algorithm string should be one of the constants defined
225
     * in this class.
226
     */
227
    static Signature getSignature(String algorithm)
228
            throws NoSuchAlgorithmException {
229
        if (cryptoProvider == null) {
230
            return Signature.getInstance(algorithm);
231
        } else {
232
            // reference equality
233
            if (algorithm == SIGNATURE_SSLRSA) {
234
                // The SunPKCS11 provider currently does not support this
235
                // special algorithm. We allow a fallback in this case because
236
                // the SunJSSE implementation does the actual crypto using
237
                // a NONEwithRSA signature obtained from the cryptoProvider.
238
                if (cryptoProvider.getService("Signature", algorithm) == null) {
239
                    // Calling Signature.getInstance() and catching the
240
                    // exception would be cleaner, but exceptions are a little
241
                    // expensive. So we check directly via getService().
242
                    try {
243
                        return Signature.getInstance(algorithm, "SunJSSE");
244
                    } catch (NoSuchProviderException e) {
245
                        throw new NoSuchAlgorithmException(e);
246
                    }
247
                }
248
            }
249
            return Signature.getInstance(algorithm, cryptoProvider);
250
        }
251
    }
252

253
    static KeyGenerator getKeyGenerator(String algorithm)
254
            throws NoSuchAlgorithmException {
255
        if (cryptoProvider == null) {
256
            return KeyGenerator.getInstance(algorithm);
257
        } else {
258
            return KeyGenerator.getInstance(algorithm, cryptoProvider);
259
        }
260
    }
261

262
    static KeyPairGenerator getKeyPairGenerator(String algorithm)
263
            throws NoSuchAlgorithmException {
264
        if (cryptoProvider == null) {
265
            return KeyPairGenerator.getInstance(algorithm);
266
        } else {
267
            return KeyPairGenerator.getInstance(algorithm, cryptoProvider);
268
        }
269
    }
270

271
    static KeyAgreement getKeyAgreement(String algorithm)
272
            throws NoSuchAlgorithmException {
273
        if (cryptoProvider == null) {
274
            return KeyAgreement.getInstance(algorithm);
275
        } else {
276
            return KeyAgreement.getInstance(algorithm, cryptoProvider);
277
        }
278
    }
279

280
    static Mac getMac(String algorithm)
281
            throws NoSuchAlgorithmException {
282
        if (cryptoProvider == null) {
283
            return Mac.getInstance(algorithm);
284
        } else {
285
            return Mac.getInstance(algorithm, cryptoProvider);
286
        }
287
    }
288

289
    static KeyFactory getKeyFactory(String algorithm)
290
            throws NoSuchAlgorithmException {
291
        if (cryptoProvider == null) {
292
            return KeyFactory.getInstance(algorithm);
293
        } else {
294
            return KeyFactory.getInstance(algorithm, cryptoProvider);
295
        }
296
    }
297

298
    static AlgorithmParameters getAlgorithmParameters(String algorithm)
299
            throws NoSuchAlgorithmException {
300
        if (cryptoProvider == null) {
301
            return AlgorithmParameters.getInstance(algorithm);
302
        } else {
303
            return AlgorithmParameters.getInstance(algorithm, cryptoProvider);
304
        }
305
    }
306

307
    static SecureRandom getSecureRandom() throws KeyManagementException {
308
        if (cryptoProvider == null) {
309
            return new SecureRandom();
310
        }
311
        // Try "PKCS11" first. If that is not supported, iterate through
312
        // the provider and return the first working implementation.
313
        try {
314
            return SecureRandom.getInstance("PKCS11", cryptoProvider);
315
        } catch (NoSuchAlgorithmException e) {
316
            // ignore
317
        }
318
        for (Provider.Service s : cryptoProvider.getServices()) {
319
            if (s.getType().equals("SecureRandom")) {
320
                try {
321
                    return SecureRandom.getInstance(
322
                            s.getAlgorithm(), cryptoProvider);
323
                } catch (NoSuchAlgorithmException ee) {
324
                    // ignore
325
                }
326
            }
327
        }
328
        throw new KeyManagementException("FIPS mode: no SecureRandom "
329
            + " implementation found in provider " + cryptoProvider.getName());
330
    }
331

332
    static MessageDigest getMD5() {
333
        return getMessageDigest("MD5");
334
    }
335

336
    static MessageDigest getSHA() {
337
        return getMessageDigest("SHA");
338
    }
339

340
    static MessageDigest getMessageDigest(String algorithm) {
341
        try {
342
            if (cryptoProvider == null) {
343
                return MessageDigest.getInstance(algorithm);
344
            } else {
345
                return MessageDigest.getInstance(algorithm, cryptoProvider);
346
            }
347
        } catch (NoSuchAlgorithmException e) {
348
            throw new RuntimeException
349
                        ("Algorithm " + algorithm + " not available", e);
350
        }
351
    }
352

353
    static int getRSAKeyLength(PublicKey key) {
354
        BigInteger modulus;
355
        if (key instanceof RSAPublicKey) {
356
            modulus = ((RSAPublicKey)key).getModulus();
357
        } else {
358
            RSAPublicKeySpec spec = getRSAPublicKeySpec(key);
359
            modulus = spec.getModulus();
360
        }
361
        return modulus.bitLength();
362
    }
363

364
    static RSAPublicKeySpec getRSAPublicKeySpec(PublicKey key) {
365
        if (key instanceof RSAPublicKey) {
366
            RSAPublicKey rsaKey = (RSAPublicKey)key;
367
            return new RSAPublicKeySpec(rsaKey.getModulus(),
368
                                        rsaKey.getPublicExponent());
369
        }
370
        try {
371
            KeyFactory factory = JsseJce.getKeyFactory("RSA");
372
            return factory.getKeySpec(key, RSAPublicKeySpec.class);
373
        } catch (Exception e) {
374
            throw new RuntimeException(e);
375
        }
376
    }
377

378
    static ECParameterSpec getECParameterSpec(String namedCurveOid) {
379
        return ECUtil.getECParameterSpec(cryptoProvider, namedCurveOid);
380
    }
381

382
    static String getNamedCurveOid(ECParameterSpec params) {
383
        return ECUtil.getCurveName(cryptoProvider, params);
384
    }
385

386
    static ECPoint decodePoint(byte[] encoded, EllipticCurve curve)
387
            throws java.io.IOException {
388
        return ECUtil.decodePoint(encoded, curve);
389
    }
390

391
    static byte[] encodePoint(ECPoint point, EllipticCurve curve) {
392
        return ECUtil.encodePoint(point, curve);
393
    }
394

395
    // In FIPS mode, set thread local providers; otherwise a no-op.
396
    // Must be paired with endFipsProvider.
397
    static Object beginFipsProvider() {
398
        if (fipsProviderList == null) {
399
            return null;
400
        } else {
401
            return Providers.beginThreadProviderList(fipsProviderList);
402
        }
403
    }
404

405
    static void endFipsProvider(Object o) {
406
        if (fipsProviderList != null) {
407
            Providers.endThreadProviderList((ProviderList)o);
408
        }
409
    }
410

411

412
    // lazy initialization holder class idiom for static default parameters
413
    //
414
    // See Effective Java Second Edition: Item 71.
415
    private static class EcAvailability {
416
        // Is EC crypto available?
417
        private static final boolean isAvailable;
418

419
        static {
420
            boolean mediator = true;
421
            try {
422
                JsseJce.getSignature(SIGNATURE_ECDSA);
423
                JsseJce.getSignature(SIGNATURE_RAWECDSA);
424
                JsseJce.getKeyAgreement("ECDH");
425
                JsseJce.getKeyFactory("EC");
426
                JsseJce.getKeyPairGenerator("EC");
427
                JsseJce.getAlgorithmParameters("EC");
428
            } catch (Exception e) {
429
                mediator = false;
430
            }
431

432
            isAvailable = mediator;
433
        }
434
    }
435
}
436

437
Product

Resources

Company
