From bb770bf414c86ce96be0a4c8cd7153c2502696bd Mon Sep 17 00:00:00 2001 From: Zainab Fatmi Date: Wed, 19 Oct 2022 11:23:03 -0400 Subject: [PATCH] Use the OpenSSL PKCS12 method for PBE and simplify NativeCrypto property checking Signed-off-by: Zainab Fatmi --- .../jdk/crypto/jniprovider/NativeCrypto.java | 111 +++++++++++++++++- .../sun/security/provider/NativeSHA.java | 6 +- .../sun/security/provider/NativeSHA2.java | 8 +- .../sun/security/provider/NativeSHA5.java | 8 +- .../share/native/libjncrypto/NativeCrypto.c | 88 +++++++++++++- .../security/ec/NativeECDHKeyAgreement.java | 13 +- .../com/sun/crypto/provider/CipherCore.java | 68 +---------- .../crypto/provider/PKCS12PBECipherCore.java | 34 ++++++ .../com/sun/crypto/provider/SunJCE.java | 70 +---------- .../sun/security/provider/SunEntries.java | 52 +------- .../classes/sun/security/rsa/RSACore.java | 56 +-------- .../share/classes/sun/security/ec/SunEC.java | 53 +-------- 12 files changed, 261 insertions(+), 306 deletions(-) diff --git a/closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java b/closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java index 7c4216d3596..6c587ba6c8d 100644 --- a/closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java +++ b/closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java 
@@ -33,10 +33,25 @@ import jdk.internal.reflect.Reflection; import jdk.internal.reflect.CallerSensitive; +import sun.security.action.GetPropertyAction; + public class NativeCrypto { + /* Define constants for the native digest algorithm indeces */ + public static final int SHA1 = 0; + public static final int SHA256 = 1; + public static final int SHA224 = 2; + public static final int SHA384 = 3; + public static final int SHA512 = 4; + private static final Cleaner ECKeyCleaner = CleanerFactory.cleaner(); + private static final boolean useNativeCrypto = Boolean.parseBoolean( + GetPropertyAction.privilegedGetProperty("jdk.nativeCrypto", "true")); + + private static final boolean traceEnabled = Boolean.parseBoolean( + GetPropertyAction.privilegedGetProperty("jdk.nativeCryptoTrace", "false")); + //ossl_ver: // -1 : library load failed // 0 : openssl 1.0.x @@ -44,7 +59,6 @@ public class NativeCrypto { private static final int ossl_ver = AccessController.doPrivileged( (PrivilegedAction) () -> { int ossl_ver = -1; - boolean traceEnabled = Boolean.getBoolean("jdk.nativeCryptoTrace"); try { System.loadLibrary("jncrypto"); // check for native library 
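Review bot: `traceEnabled` is now `Boolean.parseBoolean(GetPropertyAction.privilegedGetProperty("jdk.nativeCryptoTrace", "false"))`, so tracing requires the value `true`, whereas the per-class checks this commit removes from CipherCore, SunJCE, SunEntries, RSACore, SunEC and NativeECDHKeyAgreement enabled it whenever the property was defined at all (`nativeCryptTrace != null`). A bare `-Djdk.nativeCryptoTrace` therefore no longer prints the messages that show whether OpenSSL or the Java implementation is in use, and a silent fallback becomes harder to notice. If the stricter form is intended, record it on the field, e.g. `/* Tracing is enabled only by -Djdk.nativeCryptoTrace=true; merely defining the property is not enough. */`. In the same hunk, `indeces` in the constants comment should read `indices`.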
@@ -70,6 +84,91 @@ public static final int getVersion() { return ossl_ver; } + /** + * Check whether native crypto is enabled. Note that, by default, native + * crypto is enabled (the native crypto library implementation is used). + * + * The property 'jdk.nativeCrypto' is used to control enablement of all + * native cryptos (Digest, CBC, GCM, RSA, ChaCha20, EC, and PBE), while + * the given property should be used to control enablement of the given + * native crypto algorithm. + * + * @param property the property used to control enablement of the given + * algorithm + * @param name the name of the class or the algorithm + * @return whether the given native crypto algorithm is enabled + */ + public static final boolean isAlgorithmEnabled(String property, String name) { + return isAlgorithmEnabled(property, name, true, null); + } + + /** + * Check whether native crypto is enabled. Note that, by default, native + * crypto is enabled (the native crypto library implementation is used). + + * The property 'jdk.nativeCrypto' is used to control enablement of all + * native cryptos (Digest, CBC, GCM, RSA, ChaCha20, EC, and PBE), while + * the given property should be used to control enablement of the given + * native crypto algorithm. + * + * This method is used for native cryptos that have additional requirements + * in order to load. 
+ * + * @param property the property used to control enablement of the given + * algorithm + * @param name the name of the class or the algorithm + * @param satisfied whether the additional requirements are met + * @param explanation explanation if the native crypto is not loaded + * due to the additional requirements not being met + * @return whether the given native crypto algorithm is enabled + */ + public static final boolean isAlgorithmEnabled(String property, String name, boolean satisfied, String explanation) { + boolean useNativeAlgorithm = false; + if (useNativeCrypto) { + useNativeAlgorithm = Boolean.parseBoolean( + GetPropertyAction.privilegedGetProperty(property, "true")); + } + if (useNativeAlgorithm) { + /* + * User wants to use the native crypto implementation. Ensure that the + * that the native crypto library is loaded successfully. Otherwise, + * issue a warning message and fall back to the built-in java crypto + * implementation. + */ + if (loaded) { + if (satisfied) { + if (traceEnabled) { + System.err.println(name + " load - using native crypto library."); + } + } else { + useNativeAlgorithm = false; + if (traceEnabled) { + System.err.println(name + " load - " + explanation); + } + } + } else { + useNativeAlgorithm = false; + if (traceEnabled) { + System.err.println("Warning: Native crypto library load failed." + + " Using Java crypto implementation."); + } + } + } else { + if (traceEnabled) { + System.err.println(name + " load - native crypto library disabled."); + } + } + return useNativeAlgorithm; + } + + public static final boolean isEnabled() { + return useNativeCrypto; + } + + public static final boolean isTraceEnabled() { + return traceEnabled; + } + private NativeCrypto() { //empty } 
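Review bot: `isAlgorithmEnabled` is `public static` and hands its caller-supplied `property` straight to `GetPropertyAction.privilegedGetProperty`, so the lookup runs with the JDK's own privileges for whatever name the caller picks. Every call site in this patch passes a `jdk.native*` constant, but if the package is reachable from less-trusted code (not visible here), the method lets that code test arbitrary system properties for the value `true`. Consider rejecting other names up front, `if (!property.startsWith("jdk.native")) { throw new IllegalArgumentException(property); }`, or at least stating in the Javadoc that `property` must be one of the fixed `jdk.native*` names. `isEnabled()` and `isTraceEnabled()` are added without Javadoc, and the block comment inside the method has a doubled "that the".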
@@ -293,4 +392,14 @@ public final native int ECDeriveKey(long publicKey, public final native boolean ECNativeGF2m(); + public final native int PBEDerive(byte[] password, + int passwordLength, + byte[] salt, + int saltLength, + byte[] key, + int iterations, + int n, + int id, + int hashAlgorithm); + } diff --git a/closed/src/java.base/share/classes/sun/security/provider/NativeSHA.java b/closed/src/java.base/share/classes/sun/security/provider/NativeSHA.java index 5bf1ffea36b..f9d3f5cc048 100644 --- a/closed/src/java.base/share/classes/sun/security/provider/NativeSHA.java +++ b/closed/src/java.base/share/classes/sun/security/provider/NativeSHA.java @@ -24,18 +24,20 @@ */ /* * =========================================================================== - * (c) Copyright IBM Corp. 2018, 2018 All Rights Reserved + * (c) Copyright IBM Corp. 2018, 2022 All Rights Reserved * =========================================================================== */ package sun.security.provider; +import jdk.crypto.jniprovider.NativeCrypto; + public final class NativeSHA extends NativeDigest { /** * Creates a new native SHA object. */ public NativeSHA() { - super("SHA-1", 20, 0); + super("SHA-1", 20, NativeCrypto.SHA1); } } diff --git a/closed/src/java.base/share/classes/sun/security/provider/NativeSHA2.java b/closed/src/java.base/share/classes/sun/security/provider/NativeSHA2.java index 5d7a3ce6d04..5844017b793 100644 --- a/closed/src/java.base/share/classes/sun/security/provider/NativeSHA2.java +++ b/closed/src/java.base/share/classes/sun/security/provider/NativeSHA2.java @@ -24,12 +24,14 @@ */ /* * =========================================================================== - * (c) Copyright IBM Corp. 2018, 2018 All Rights Reserved + * (c) Copyright IBM Corp. 2018, 2022 All Rights Reserved * =========================================================================== */ package sun.security.provider; +import jdk.crypto.jniprovider.NativeCrypto; + abstract class NativeSHA2 { /** 
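Review bot: `PBEDerive` is declared `public final native` with no Javadoc, and it takes `passwordLength`, `saltLength` and `n` separately from the arrays they describe; the native function added in NativeCrypto.c forwards those values to OpenSSL without comparing them to the real array lengths. The single caller in this patch passes `passwd.length`, `salt.length` and a `key` of exactly `n` bytes, but nothing enforces that for any other caller, and an `n` larger than `key.length` would make the native code write past the array. Add a Javadoc that states the lengths must not exceed the array sizes, that `password` is expected in the byte form `PKCS12_key_gen_uni` consumes, and that the result is `0` on success and `-1` on failure. On the C side, a guard such as `if ((*env)->GetArrayLength(env, key) < n) return -1;` (and the same for `password` and `salt`) before the arrays are pinned would enforce it.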
@@ -38,7 +40,7 @@ abstract class NativeSHA2 { public static final class SHA224 extends NativeDigest { public SHA224() { - super("SHA-224", 28, 2); + super("SHA-224", 28, NativeCrypto.SHA224); } } @@ -48,7 +50,7 @@ public SHA224() { public static final class SHA256 extends NativeDigest { public SHA256() { - super("SHA-256", 32, 1); + super("SHA-256", 32, NativeCrypto.SHA256); } } } diff --git a/closed/src/java.base/share/classes/sun/security/provider/NativeSHA5.java b/closed/src/java.base/share/classes/sun/security/provider/NativeSHA5.java index 4fe0906e212..4de41c68ad8 100644 --- a/closed/src/java.base/share/classes/sun/security/provider/NativeSHA5.java +++ b/closed/src/java.base/share/classes/sun/security/provider/NativeSHA5.java @@ -24,12 +24,14 @@ */ /* * =========================================================================== - * (c) Copyright IBM Corp. 2018, 2018 All Rights Reserved + * (c) Copyright IBM Corp. 2018, 2022 All Rights Reserved * =========================================================================== */ package sun.security.provider; +import jdk.crypto.jniprovider.NativeCrypto; + abstract class NativeSHA5 { /** @@ -38,7 +40,7 @@ abstract class NativeSHA5 { public static final class SHA512 extends NativeDigest { public SHA512() { - super("SHA-512", 64, 4); + super("SHA-512", 64, NativeCrypto.SHA512); } } @@ -48,7 +50,7 @@ public SHA512() { public static final class SHA384 extends NativeDigest { public SHA384() { - super("SHA-384", 48, 3); + super("SHA-384", 48, NativeCrypto.SHA384); } } } diff --git a/closed/src/java.base/share/native/libjncrypto/NativeCrypto.c b/closed/src/java.base/share/native/libjncrypto/NativeCrypto.c index ff45f613a0b..29d636d95ea 100644 --- a/closed/src/java.base/share/native/libjncrypto/NativeCrypto.c +++ b/closed/src/java.base/share/native/libjncrypto/NativeCrypto.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include 
@@ -134,6 +135,8 @@ typedef int OSSL_EC_KEY_set_public_key_t(EC_KEY *, const EC_POINT *); typedef int OSSL_EC_KEY_check_key_t(const EC_KEY *); typedef int EC_set_public_key_t(EC_KEY *, BIGNUM *, BIGNUM *, int); +typedef int OSSL_PKCS12_key_gen_t(const char *, int, unsigned char *, int, int, int, int, unsigned char *, const EVP_MD *); + typedef int OSSL_CRYPTO_num_locks_t(); typedef void OSSL_CRYPTO_THREADID_set_numeric_t(CRYPTO_THREADID *id, unsigned long val); typedef void* OSSL_OPENSSL_malloc_t(size_t num); @@ -235,6 +238,9 @@ OSSL_EC_KEY_set_public_key_t* OSSL_EC_KEY_set_public_key; OSSL_EC_KEY_check_key_t* OSSL_EC_KEY_check_key; EC_set_public_key_t* EC_set_public_key; +/* Define pointers for OpenSSL functions to handle PBE algorithm. */ +OSSL_PKCS12_key_gen_t* OSSL_PKCS12_key_gen; + /* Structure for OpenSSL Digest context. */ typedef struct OpenSSLMDContext { EVP_MD_CTX *ctx; @@ -461,6 +467,9 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto OSSL_ECGF2M = JNI_TRUE; } + /* Load the functions symbols for OpenSSL PBE algorithm. */ + OSSL_PKCS12_key_gen = (OSSL_PKCS12_key_gen_t*)find_crypto_symbol(crypto_library, "PKCS12_key_gen_uni"); + if ((NULL == OSSL_error_string) || (NULL == OSSL_error_string_n) || (NULL == OSSL_get_error) || @@ -519,6 +528,7 @@ JNIEXPORT jint JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_loadCrypto (NULL == OSSL_BN_CTX_free) || (NULL == OSSL_EC_KEY_set_public_key) || (NULL == OSSL_EC_KEY_check_key) || + (NULL == OSSL_PKCS12_key_gen) || /* Check symbols that are only available in OpenSSL 1.1.x and above */ ((1 == ossl_ver) && ((NULL == OSSL_chacha20) || (NULL == OSSL_chacha20_poly1305))) || /* Check symbols that are only available in OpenSSL 1.0.x and above */ 
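Review bot: The `OSSL_PKCS12_key_gen_t` typedef declares the password as `const char *`, but the symbol resolved for it in the `@@ -461,6 +467,9 @@` hunk is `PKCS12_key_gen_uni`, whose first parameter is `unsigned char *` holding a BMPString rather than a C string. Declaring it as `typedef int OSSL_PKCS12_key_gen_uni_t(unsigned char *, int, unsigned char *, int, int, int, int, unsigned char *, const EVP_MD *);` and naming the pointer `OSSL_PKCS12_key_gen_uni` would keep a later reader from passing an ASCII password through it. Adding the pointer to the mandatory NULL check in the `@@ -519,6 +528,7 @@` hunk also means an OpenSSL build without this symbol fails that whole check, not only PBE; the body of that `if` is outside the hunk, so confirm this is the intended outcome.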
@@ -698,19 +708,19 @@ JNIEXPORT jlong JNICALL Java_jdk_crypto_jniprovider_NativeCrypto_DigestCreateCon OpenSSLMDContext *context = NULL; switch (algoIdx) { - case 0: + case jdk_crypto_jniprovider_NativeCrypto_SHA1: digestAlg = (*OSSL_sha1)(); break; - case 1: + case jdk_crypto_jniprovider_NativeCrypto_SHA256: digestAlg = (*OSSL_sha256)(); break; - case 2: + case jdk_crypto_jniprovider_NativeCrypto_SHA224: digestAlg = (*OSSL_sha224)(); break; - case 3: + case jdk_crypto_jniprovider_NativeCrypto_SHA384: digestAlg = (*OSSL_sha384)(); break; - case 4: + case jdk_crypto_jniprovider_NativeCrypto_SHA512: digestAlg = (*OSSL_sha512)(); break; default: 
@@ -2791,3 +2801,71 @@ setECPublicKey(EC_KEY *key, BIGNUM *x, BIGNUM *y, int field) return ret; } + +/* Password-based encryption algorithm. + * + * Class: jdk_crypto_jniprovider_NativeCrypto + * Method: PBEDerive + * Signature: (J[BI[BI[BIIII)I + */ +JNIEXPORT jint JNICALL +Java_jdk_crypto_jniprovider_NativeCrypto_PBEDerive + (JNIEnv *env, jclass obj, jbyteArray password, jint passwordLength, jbyteArray salt, jint saltLength, jbyteArray key, jint iterations, jint n, jint id, jint hashAlgorithm) +{ + const EVP_MD *digestAlgorithm = NULL; + char *nativePassword = NULL; + unsigned char *nativeSalt = NULL; + unsigned char *nativeKey = NULL; + int ret = 0; + + switch (hashAlgorithm) { + case jdk_crypto_jniprovider_NativeCrypto_SHA1: + digestAlgorithm = (*OSSL_sha1)(); + break; + case jdk_crypto_jniprovider_NativeCrypto_SHA224: + digestAlgorithm = (*OSSL_sha224)(); + break; + case jdk_crypto_jniprovider_NativeCrypto_SHA256: + digestAlgorithm = (*OSSL_sha256)(); + break; + case jdk_crypto_jniprovider_NativeCrypto_SHA384: + digestAlgorithm = (*OSSL_sha384)(); + break; + case jdk_crypto_jniprovider_NativeCrypto_SHA512: + digestAlgorithm = (*OSSL_sha512)(); + break; + default: + return -1; + } + + nativePassword = (char*)((*env)->GetPrimitiveArrayCritical(env, password, 0)); + if (NULL == nativePassword) { + return -1; + } + nativeSalt = (unsigned char*)((*env)->GetPrimitiveArrayCritical(env, salt, 0)); + if (NULL == nativeSalt) { + ret = -1; + goto cleanup; + } + nativeKey = (unsigned char*)((*env)->GetPrimitiveArrayCritical(env, key, 0)); + if (NULL == nativeKey) { + ret = -1; + goto cleanup; + } + + ret = (*OSSL_PKCS12_key_gen)(nativePassword, passwordLength, nativeSalt, saltLength, id, iterations, n, nativeKey, digestAlgorithm); + +cleanup: + (*env)->ReleasePrimitiveArrayCritical(env, password, nativePassword, JNI_ABORT); + if (nativeSalt) { + (*env)->ReleasePrimitiveArrayCritical(env, salt, nativeSalt, JNI_ABORT); + } + if (nativeKey) { + 
(*env)->ReleasePrimitiveArrayCritical(env, key, nativeKey, JNI_ABORT); + } + + if (1 != ret) { + return -1; + } + return 0; +} diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECDHKeyAgreement.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECDHKeyAgreement.java index f6f7c7a9acf..e24895ab112 100644 --- a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECDHKeyAgreement.java +++ b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECDHKeyAgreement.java @@ -55,7 +55,6 @@ import jdk.crypto.jniprovider.NativeCrypto; -import sun.security.action.GetPropertyAction; import sun.security.util.NamedCurve; /** @@ -64,7 +63,7 @@ public final class NativeECDHKeyAgreement extends KeyAgreementSpi { private static final NativeCrypto nativeCrypto = NativeCrypto.getNativeCrypto(); - private static final String nativeCryptTrace = GetPropertyAction.privilegedGetProperty("jdk.nativeCryptoTrace"); + private static final boolean nativeCryptTrace = NativeCrypto.isTraceEnabled(); /* false if OPENSSL_NO_EC2M is defined, true otherwise */ private static final boolean nativeGF2m = nativeCrypto.ECNativeGF2m(); @@ -123,7 +122,7 @@ protected void engineInit(Key key, SecureRandom random) if ((!nativeGF2m) && this.privateKey.isECFieldF2m()) { /* only print the first time a curve is used */ - if ((curveSupported.putIfAbsent("EC2m", Boolean.FALSE) == null) && (nativeCryptTrace != null)) { + if ((curveSupported.putIfAbsent("EC2m", Boolean.FALSE) == null) && nativeCryptTrace) { System.err.println("EC2m is not supported by OpenSSL, using Java crypto implementation."); } this.initializeJavaImplementation(key, random); 
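Review bot: The derived key is released with `JNI_ABORT`, which frees the native buffer without copying it back; whenever `GetPrimitiveArrayCritical` returned a copy rather than a pinned pointer, the Java `key` array stays all zeros while the function still returns 0. The release should commit on success: `(*env)->ReleasePrimitiveArrayCritical(env, key, nativeKey, (1 == ret) ? 0 : JNI_ABORT);`. `JNI_ABORT` is correct for `password` and `salt`, which are only read. The header comment's `Signature: (J[BI[BI[BIIII)I` has a stray leading `J` (the Java declaration has no `long` parameter), and the second parameter is typed `jclass` although the Java method is an instance method.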
@@ -133,7 +132,7 @@ protected void engineInit(Key key, SecureRandom random) this.javaImplementation = null; } } else { - if ((curveSupported.putIfAbsent("ECKeyImpl", Boolean.FALSE) == null) && (nativeCryptTrace != null)) { + if ((curveSupported.putIfAbsent("ECKeyImpl", Boolean.FALSE) == null) && nativeCryptTrace) { System.err.println("Only ECPrivateKeyImpl and ECPublicKeyImpl are supported by the native implementation," + " using Java crypto implementation."); } @@ -181,7 +180,7 @@ protected Key engineDoPhase(Key key, boolean lastPhase) return null; } else { - if ((curveSupported.putIfAbsent("ECKeyImpl", Boolean.FALSE) == null) && (nativeCryptTrace != null)) { + if ((curveSupported.putIfAbsent("ECKeyImpl", Boolean.FALSE) == null) && nativeCryptTrace) { System.err.println("Only ECPrivateKeyImpl and ECPublicKeyImpl are supported by the native implementation," + " using Java crypto implementation."); } @@ -225,7 +224,7 @@ protected int engineGenerateSecret(byte[] sharedSecret, int offset) if (curveSupported.putIfAbsent(this.curve, Boolean.FALSE) != null) { throw new ProviderException("Could not convert keys to native format"); } - if (nativeCryptTrace != null) { + if (nativeCryptTrace) { System.err.println(this.curve + " is not supported by OpenSSL, using Java crypto implementation."); } try { @@ -237,7 +236,7 @@ protected int engineGenerateSecret(byte[] sharedSecret, int offset) } return this.javaImplementation.engineGenerateSecret(sharedSecret, offset); } - if ((curveSupported.putIfAbsent(this.curve, Boolean.TRUE) == null) && (nativeCryptTrace != null)) { + if ((curveSupported.putIfAbsent(this.curve, Boolean.TRUE) == null) && nativeCryptTrace) { System.err.println(this.curve + " is supported by OpenSSL, using native crypto implementation."); } int ret; diff --git a/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java b/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java index b3377a7ff60..0de39c89d1b 100644 
--- a/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java @@ -61,20 +61,11 @@ final class CipherCore { - /* - * Check whether native crypto is disabled with property. - * - * By default, the native crypto is enabled and uses the native - * crypto library implementation. - * - * The property 'jdk.nativeCBC' is used to disable Native CBC alone, - * 'jdk.nativeGCM' is used to disable Native GCM alone and - * 'jdk.nativeCrypto' is used to disable all native cryptos (Digest, - * CBC, GCM, RSA, ChaCha20, and EC). + /* The property 'jdk.nativeCBC' is used to disable native CBC + * and 'jdk.nativeGCM' is used to disable native GCM. */ - private static boolean useNativeCrypto = true; - private static boolean useNativeCBC = true; - private static boolean useNativeGCM = true; + private static final boolean useNativeCBC = NativeCrypto.isAlgorithmEnabled("jdk.nativeCBC", "CipherCore (CBC)"); + private static final boolean useNativeGCM = NativeCrypto.isAlgorithmEnabled("jdk.nativeGCM", "CipherCore (GCM)"); /* * internal buffer 
@@ -1284,55 +1275,4 @@ void updateAAD(byte[] src, int offset, int len) { checkReinit(); cipher.updateAAD(src, offset, len); } - - private static String privilegedGetProperty(final String property) { - return AccessController.doPrivileged(new PrivilegedAction() { - public String run() { - return System.getProperty(property); - } - }); - } - - static { - String nativeCryptTrace = privilegedGetProperty("jdk.nativeCryptoTrace"); - String nativeCryptStr = privilegedGetProperty("jdk.nativeCrypto"); - String nativeCBCStr = privilegedGetProperty("jdk.nativeCBC"); - String nativeGCMStr = privilegedGetProperty("jdk.nativeGCM"); - - useNativeCrypto = (nativeCryptStr == null) || Boolean.parseBoolean(nativeCryptStr); - - if (!useNativeCrypto) { - useNativeCBC = false; - useNativeGCM = false; - } else { - useNativeCBC = (nativeCBCStr == null) || Boolean.parseBoolean(nativeCBCStr); - useNativeGCM = (nativeGCMStr == null) || Boolean.parseBoolean(nativeGCMStr); - } - - if (useNativeCBC || useNativeGCM) { - /* - * User want to use native crypto implementation. - * Make sure the native crypto libraries are loaded successfully. - * Otherwise, throw a warning message and fall back to the in-built - * java crypto implementation. - */ - if (!NativeCrypto.isLoaded()) { - useNativeCBC = false; - useNativeGCM = false; - - if (nativeCryptTrace != null) { - System.err.println("Warning: Native crypto library load failed." + - " Using Java crypto implementation"); - } - } else { - if (nativeCryptTrace != null) { - System.err.println("CipherCore Load - using native crypto library."); - } - } - } else { - if (nativeCryptTrace != null) { - System.err.println("CipherCore Load - native crypto library disabled."); - } - } - } } diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java b/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java index 6aaac223edb..52b0179641c 100644 
--- a/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java @@ -22,6 +22,11 @@ * or visit www.oracle.com if you need additional information or have any * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2022, 2022 All Rights Reserved + * =========================================================================== + */ package com.sun.crypto.provider; @@ -31,6 +36,7 @@ import java.util.Arrays; import javax.crypto.*; import javax.crypto.spec.*; +import jdk.crypto.jniprovider.NativeCrypto; /** * This class implements password-base encryption algorithm with @@ -58,6 +64,10 @@ final class PKCS12PBECipherCore { private static final int DEFAULT_SALT_LENGTH = 20; private static final int DEFAULT_COUNT = 1024; + private static final NativeCrypto nativeCrypto = NativeCrypto.getNativeCrypto(); + private static final boolean nativeCryptTrace = NativeCrypto.isTraceEnabled(); + /* The property 'jdk.nativePBE' is used to disable native PBE. */ + private static final boolean useNativePBE = NativeCrypto.isAlgorithmEnabled("jdk.nativePBE", "PKCS12PBECipherCore"); static final int CIPHER_KEY = 1; static final int CIPHER_IV = 2; 
@@ -90,6 +100,30 @@ static byte[] derive(char[] chars, byte[] salt, int ic, int n, int type, } byte[] key = new byte[n]; + if (useNativePBE) { + int hashIndex = -1; + if (hashAlgo.equals("SHA") || hashAlgo.equals("SHA1") || hashAlgo.equals("SHA-1")) { + hashIndex = NativeCrypto.SHA1; + } else if (hashAlgo.equals("SHA224") || hashAlgo.equals("SHA-224")) { + hashIndex = NativeCrypto.SHA224; + } else if (hashAlgo.equals("SHA256") || hashAlgo.equals("SHA-256")) { + hashIndex = NativeCrypto.SHA256; + } else if (hashAlgo.equals("SHA384") || hashAlgo.equals("SHA-384")) { + hashIndex = NativeCrypto.SHA384; + } else if (hashAlgo.equals("SHA512") || hashAlgo.equals("SHA-512")) { + hashIndex = NativeCrypto.SHA512; + } + if (hashIndex != -1) { + if (nativeCrypto.PBEDerive(passwd, passwd.length, salt, salt.length, key, ic, n, type, hashIndex) != -1) { + return key; + } else if (nativeCryptTrace) { + System.err.println("Native PBE derive failed for algorithm " + hashAlgo + ", using Java implementation."); + } + } else if (nativeCryptTrace) { + System.err.println("The algorithm " + hashAlgo + " is not supported in native code, using Java implementation."); + } + } + try { MessageDigest sha = MessageDigest.getInstance(hashAlgo); diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java index 8541274954a..72c9fc6899a 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java 
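Review bot: The native success path returns `key` immediately and leaves `passwd`, the byte copy of the password built earlier in `derive` (outside the hunk), uncleared on the heap. If the existing `try` block that follows wipes `passwd` in a `finally` (its end is not visible here), this early return skips that too. Clear it on this path: `Arrays.fill(passwd, (byte) 0); return key;`. When `PBEDerive` fails the code falls through to the Java implementation, which still needs `passwd`, so the fill belongs only directly before the `return`.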
@@ -88,73 +88,11 @@ public final class SunJCE extends Provider { - /* - * Check system properties to see whether native crypto should be enabled. - * By default, the native crypto is enabled and uses the native library. - * The property 'jdk.nativeChaCha20' is used to control native ChaCha20 alone - * and 'jdk.nativeCrypto' is used to control all native crypto implementations - * (Digest, CBC, GCM, ChaCha20, and EC). + /* The property 'jdk.nativeChaCha20' is used to disable native ChaCha20. + * ChaCha20 is only supported in OpenSSL 1.1.0 and above. */ - private static final boolean useNativeChaCha20Cipher = nativeChaCha20Init(); - - private static boolean nativeChaCha20Init() { - boolean nativeChaCha20 = true; - String nativeCryptTrace = GetPropertyAction.privilegedGetProperty("jdk.nativeCryptoTrace"); - String nativeCryptStr = GetPropertyAction.privilegedGetProperty("jdk.nativeCrypto"); - - if ((nativeCryptStr != null) && !Boolean.parseBoolean(nativeCryptStr)) { - /* nativeCrypto is explicitly disabled */ - nativeChaCha20 = false; - } else { - String nativeChaCha20Str = GetPropertyAction.privilegedGetProperty("jdk.nativeChaCha20"); - - if ((nativeChaCha20Str != null) && !Boolean.parseBoolean(nativeChaCha20Str)) { - /* nativeChaCha20 is explicitly disabled */ - nativeChaCha20 = false; - } - } - - if (!nativeChaCha20) { - if (nativeCryptTrace != null) { - System.err.println("NativeChaCha20Cipher load - Native crypto library disabled."); - } - } else { - /* - * User wants to use the native crypto implementation. - * Make sure the native crypto library is loaded successfully. - * Otherwise, issue a warning message and fall back to the built-in - * java crypto implementation. - * - * ChaCha20 is only supported in OpenSSL 1.1.0 and above. - */ - if (!NativeCrypto.isLoaded()) { - nativeChaCha20 = false; - - if (nativeCryptTrace != null) { - System.err.println("Warning: Native crypto library load failed." 
+ - " Using Java crypto implementation"); - } - } else { - final int ossl_ver = NativeCrypto.getVersion(); - - if (ossl_ver < 1) { - nativeChaCha20 = false; - - if (nativeCryptTrace != null) { - System.err.println("Warning: Native ChaCha20 load failed." + - " Need OpenSSL 1.1.0 or above for ChaCha20 support." + - " Using Java crypto implementation"); - } - } else { - if (nativeCryptTrace != null) { - System.err.println("NativeChaCha20Cipher load - using Native crypto library."); - } - } - } - } - - return nativeChaCha20; - } + private static final boolean useNativeChaCha20Cipher = NativeCrypto.isAlgorithmEnabled("jdk.nativeChaCha20", + "NativeChaCha20Cipher", NativeCrypto.getVersion() >= 1, "Need OpenSSL 1.1.0 or above for ChaCha20 support."); private static final long serialVersionUID = 6812507587804302833L; diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java index a34f822b5bb..e640a0d2657 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -86,14 +86,8 @@ public final class SunEntries { - /* - * Check whether native crypto is enabled with property. - * By default, the native crypto is enabled and uses native library crypto. - * The property 'jdk.nativeDigest' is used to disable Native digest alone - * and 'jdk.nativeCrypto' is used to disable all native cryptos (Digest, - * CBC, GCM, RSA, ChaCha20, and EC). - */ - private static boolean useNativeDigest = true; + /* The property 'jdk.nativeDigest' is used to disable native digest. */ + private static final boolean useNativeDigest = NativeCrypto.isAlgorithmEnabled("jdk.nativeDigest", "MessageDigest"); // the default algo used by SecureRandom class for new SecureRandom() calls public static final String DEF_SECURE_RANDOM_ALGO; 
@@ -465,46 +459,4 @@ static File getDeviceFile(URL device) throws IOException { return new File(device.getPath()); } } - - static { - - String nativeCryptTrace = GetPropertyAction.privilegedGetProperty("jdk.nativeCryptoTrace"); - String nativeCryptStr = GetPropertyAction.privilegedGetProperty("jdk.nativeCrypto"); - String nativeDigestStr = GetPropertyAction.privilegedGetProperty("jdk.nativeDigest"); - - if (Boolean.parseBoolean(nativeCryptStr) || nativeCryptStr == null) { - /* nativeCrypto is enabled */ - if (!(Boolean.parseBoolean(nativeDigestStr) || nativeDigestStr == null)) { - useNativeDigest = false; - } - } else { - /* nativeCrypto is disabled */ - useNativeDigest = false; - } - - if (useNativeDigest) { - /* - * User want to use native crypto implementation. - * Make sure the native crypto libraries are loaded successfully. - * Otherwise, throw a warning message and fall back to the in-built - * java crypto implementation. - */ - if (!NativeCrypto.isLoaded()) { - useNativeDigest = false; - - if (nativeCryptTrace != null) { - System.err.println("Warning: Native crypto library load failed." + - " Using Java crypto implementation"); - } - } else { - if (nativeCryptTrace != null) { - System.err.println("MessageDigest load - using Native crypto library."); - } - } - } else { - if (nativeCryptTrace != null) { - System.err.println("MessageDigest load - Native crypto library disabled."); - } - } - } } diff --git a/src/java.base/share/classes/sun/security/rsa/RSACore.java b/src/java.base/share/classes/sun/security/rsa/RSACore.java index 4cedb8d94e6..d2064b5883e 100644 --- a/src/java.base/share/classes/sun/security/rsa/RSACore.java +++ b/src/java.base/share/classes/sun/security/rsa/RSACore.java @@ -37,7 +37,6 @@ import java.security.interfaces.*; import javax.crypto.BadPaddingException; -import sun.security.action.GetPropertyAction; import jdk.crypto.jniprovider.NativeCrypto; import sun.security.jca.JCAUtil; 
@@ -57,17 +56,8 @@ */ public final class RSACore { - /* - * Check whether native crypto is enabled with property. - * - * By default, the native crypto is enabled and uses the native - * crypto library implementation. - * - * The property 'jdk.nativeRSA' is used to enable Native RSA alone, - * and 'jdk.nativeCrypto' is used to enable all native cryptos (Digest, - * CBC, GCM, and RSA, and EC). - */ - private static boolean useNativeRsa = true; + /* The property 'jdk.nativeRSA' is used to disable native RSA. */ + private static boolean useNativeRsa = NativeCrypto.isAlgorithmEnabled("jdk.nativeRSA", "RSACore"); // globally enable/disable use of blinding private static final boolean ENABLE_BLINDING = true; 
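Review bot: `useNativeRsa` stays a mutable `private static boolean`, while the equivalent flags this commit touches in CipherCore, SunEntries and SunEC become `private static final`. With the static initializer that assigned it removed in the `@@ -275,48 +265,6 @@` hunk, nothing visible writes to it any more, so it can be `private static final boolean useNativeRsa = NativeCrypto.isAlgorithmEnabled("jdk.nativeRSA", "RSACore");`. A final flag cannot be flipped later by code in the class, which is worth having for a switch that selects the crypto implementation.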
@@ -275,48 +265,6 @@ private static byte[] toByteArray(BigInteger bi, int len) { return t; } - static { - String nativeCryptTrace = GetPropertyAction.privilegedGetProperty("jdk.nativeCryptoTrace"); - String nativeCryptStr = GetPropertyAction.privilegedGetProperty("jdk.nativeCrypto"); - - if ((nativeCryptStr != null) && !Boolean.parseBoolean(nativeCryptStr)) { - /* nativeCrypto is disabled */ - useNativeRsa = false; - } else { - String nativeRsaStr = GetPropertyAction.privilegedGetProperty("jdk.nativeRSA"); - - if ((nativeRsaStr != null) && !Boolean.parseBoolean(nativeRsaStr)) { - /* nativeRSA is disabled */ - useNativeRsa = false; - } - } - - if (useNativeRsa) { - /* - * User wants to use native crypto implementation. - * Make sure the native crypto libraries are loaded successfully. - * Otherwise, throw a warning message and fall back to the in-built - * java crypto implementation. - */ - if (!NativeCrypto.isLoaded()) { - useNativeRsa = false; - - if (nativeCryptTrace != null) { - System.err.println("Warning: Native crypto library load failed." + - " Using Java crypto implementation"); - } - } else { - if (nativeCryptTrace != null) { - System.err.println("RSACore load - using Native crypto library."); - } - } - } else { - if (nativeCryptTrace != null) { - System.err.println("RSACore load - Native crypto library disabled."); - } - } - } - /** * Parameters (u,v) for RSA Blinding. This is described in the RSA * Bulletin#2 (Jan 96) and other places: diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java index 15765bfffef..e9a213533da 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java @@ -41,7 +41,6 @@ import openj9.internal.security.FIPSConfigurator; -import sun.security.action.GetPropertyAction; import jdk.crypto.jniprovider.NativeCrypto; /** 
@@ -68,19 +67,8 @@ public final class SunEC extends Provider { // (when native library is absent then fewer EC algorithms are available) private static boolean useFullImplementation = true; - /* - * Check whether native crypto is disabled with property. - * - * By default, the native crypto is enabled and uses the native - * crypto library implementation. - * - * The property 'jdk.nativeEC' is used to disable Native EC alone and - * 'jdk.nativeCrypto' is used to disable all native cryptos (Digest, - * CBC, GCM, RSA, ChaCha20, and EC). - */ - private static boolean useNativeCrypto; - - private static boolean useNativeEC; + /* The property 'jdk.nativeEC' is used to disable native EC. */ + private static final boolean useNativeEC = NativeCrypto.isAlgorithmEnabled("jdk.nativeEC", "SunEC"); static { try { 
@@ -93,43 +81,6 @@ public Void run() { } catch (UnsatisfiedLinkError e) { useFullImplementation = false; } - - String nativeCryptTrace = GetPropertyAction.privilegedGetProperty("jdk.nativeCryptoTrace"); - String nativeCryptStr = GetPropertyAction.privilegedGetProperty("jdk.nativeCrypto"); - String nativeECStr = GetPropertyAction.privilegedGetProperty("jdk.nativeEC"); - - useNativeCrypto = (nativeCryptStr == null) || Boolean.parseBoolean(nativeCryptStr); - - if (!useNativeCrypto) { - useNativeEC = false; - } else { - useNativeEC = (nativeECStr == null) || Boolean.parseBoolean(nativeECStr); - } - - if (useNativeEC) { - /* - * User wants to use the native crypto implementation. - * Make sure the native crypto library is loaded successfully. - * Otherwise, throw a warning message and fall back to the in-built - * java crypto implementation. - */ - if (!NativeCrypto.isLoaded()) { - useNativeEC = false; - - if (nativeCryptTrace != null) { - System.err.println("Warning: Native crypto library load failed." + - " Using Java crypto implementation"); - } - } else { - if (nativeCryptTrace != null) { - System.err.println("SunEC Load - using native crypto library."); - } - } - } else { - if (nativeCryptTrace != null) { - System.err.println("SunEC Load - native crypto library disabled."); - } - } } private static class ProviderService extends Provider.Service {