Support exporting plain SecretKey in FIPS mode

Signed-off-by: Jinhang Zhang <Jinhang.Zhang@ibm.com> We support exporting and importing plain RSA/EC private keys and importing secret keys as AES in FIPS mode for now. We also need to support exporting secret keys in FIPS mode. Currently, while user generating an AES secretkey in FIPS mode through KeyGenerator, this AES key's encode is NULL. Therefore, we modify the P11Key.java and SunPKCS11.java files to enable the support for exporting secret keys inclusing AES and TripleDES.
ibmruntimes · Jun 26, 2023 · 58a6007 · 58a6007
1 parent e67ed66
commit 58a6007
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 0 deletions.
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -358,6 +358,24 @@ static SecretKey secretKey(Session session, long keyID, String algorithm,
  new CK_ATTRIBUTE(CKA_SENSITIVE),
  new CK_ATTRIBUTE(CKA_EXTRACTABLE),
  });
+
+ if ((SunPKCS11.mysunpkcs11 != null) && (!SunPKCS11.isExportWrapKey)
+ && ("AES".equals(algorithm) || "TripleDES".equals(algorithm))
+ ) {
+ if (attrs[0].getBoolean() || attrs[1].getBoolean() || (attrs[2].getBoolean() == false)) {
+ try {
+ byte[] key = SunPKCS11.mysunpkcs11.exportKey(session.id(), attrs, keyID);
+ SecretKey aesSecretKey = new SecretKeySpec(key, algorithm);
+ return new P11SecretKeyFIPS(session, keyID, algorithm, keyLength, attrs, aesSecretKey);
+ } catch (PKCS11Exception e) {
+ // Attempt failed, create a P11SecretKey object.
+ if (debug != null) {
+ debug.println("Attempt failed, creating a SecretKey object for " + algorithm);
+ }
+ }
+ }
+ }
+
  return new P11SecretKey(session, keyID, algorithm, keyLength, attrs);
  }
 
@@ -480,6 +498,28 @@ byte[] getEncodedInternal() {
  }
  }
 
+ private static class P11SecretKeyFIPS extends P11Key implements SecretKey {
+ private static final long serialVersionUID = -7828241727014329084L;
+ private final SecretKey key;
+
+ P11SecretKeyFIPS(Session session, long keyID, String algorithm,
+ int keyLength, CK_ATTRIBUTE[] attributes, SecretKey key) {
+ super(SECRET, session, keyID, algorithm, keyLength, attributes);
+ this.key = key;
+ }
+
+ @Override
+ public String getFormat() {
+ return "RAW";
+ }
+
+ @Override
+ synchronized byte[] getEncodedInternal() {
+ return key.getEncoded();
+ }
+
+ }
+
  private static class P11SecretKey extends P11Key implements SecretKey {
  @Serial
  private static final long serialVersionUID = -7828241727014329084L;

diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -128,6 +128,8 @@ public final class SunPKCS11 extends AuthProvider {
  // FIPS mode.
  static SunPKCS11 mysunpkcs11;
 
+ static boolean isExportWrapKey = false;
+
  Token getToken() {
  return token;
  }
@@ -506,7 +508,9 @@ byte[] exportKey(long hSession, CK_ATTRIBUTE[] attributes, long keyId) throws PK
 
  try {
  long genKeyId = token.p11.C_GenerateKey(wrapKeyGenSession.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), wrapKeyAttributes);
+ isExportWrapKey = true;
  wrapKey = (P11Key)P11Key.secretKey(wrapKeyGenSession, genKeyId, "AES", 256 >> 3, null);
+ isExportWrapKey = false;
  } catch (PKCS11Exception e) {
  throw e;
  } finally {