On 3/19/2021 2:24 PM, Valerie Peng wrote:
some* reason (even if I cannot figure out why).
Well, for `P11RSAKeyFactory`, I think some minor modification may be needed
given the additional P11PrivateKey type.
I'd expect it to be something like:
    // must be either RSAPrivateKeySpec or RSAPrivateCrtKeySpec
    if (keySpec.isAssignableFrom(RSAPrivateCrtKeySpec.class)) {
        session[0] = token.getObjSession();
        CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
            new CK_ATTRIBUTE(CKA_MODULUS),
            new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT),
            new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT),

If the PKCS11 private key has the CKA_SENSITIVE attribute set to true or
CKA_EXPORTABLE set to false, you can't retrieve the above attribute.

AIRC, the contract for getting a Key from an unextractable PKCS11
private key is to return a key that implements both PrivateKey and
RSAKey, but doesn't implement either of the RSAPrivateKey interfaces.

I don't know what the contract is for producing KeySpecs from
unextractable keys.

Mike

            new CK_ATTRIBUTE(CKA_PRIME_1),
            new CK_ATTRIBUTE(CKA_PRIME_2),
            new CK_ATTRIBUTE(CKA_EXPONENT_1),
            new CK_ATTRIBUTE(CKA_EXPONENT_2),
            new CK_ATTRIBUTE(CKA_COEFFICIENT),
        };
        long keyID = key.getKeyID();
        try {
            token.p11.C_GetAttributeValue(session[0].id(), keyID,
                    attributes);
            KeySpec spec = new RSAPrivateCrtKeySpec(
                attributes[0].getBigInteger(),
                attributes[1].getBigInteger(),
                attributes[2].getBigInteger(),
                attributes[3].getBigInteger(),
                attributes[4].getBigInteger(),
                attributes[5].getBigInteger(),
                attributes[6].getBigInteger(),
                attributes[7].getBigInteger()
            );
            return keySpec.cast(spec);
        } catch (final PKCS11Exception ex) {
            // bubble this up if RSAPrivateCrtKeySpec is specified
            // otherwise fall through to RSAPrivateKeySpec
            if (!keySpec.isAssignableFrom(RSAPrivateKeySpec.class)) {
                throw ex;
            }
        } finally {
            key.releaseKeyID();
        }
        attributes = new CK_ATTRIBUTE[] {
            new CK_ATTRIBUTE(CKA_MODULUS),
            new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT),
        };
        keyID = key.getKeyID();
        try {
            token.p11.C_GetAttributeValue(session[0].id(), keyID,
                    attributes);
        } finally {
            key.releaseKeyID();
        }
        KeySpec spec = new RSAPrivateKeySpec(
            attributes[0].getBigInteger(),
            attributes[1].getBigInteger()
        );
        return keySpec.cast(spec);
    } else { // PKCS#8 handled in superclass
        throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec "
                + "and PKCS8EncodedKeySpec supported for RSA private keys");
    }
}
-------------
PR: https://git.openjdk.java.net/jdk/pull/2949
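
An added illustration (not code from this thread or from the JDK sources) of the interface contract Mike recalls above: a caller decides which KeySpec it can build from the interfaces a key implements, and refuses a key that exposes only PrivateKey and RSAKey. `OpaqueRsaKey` and `privateSpecOf` are hypothetical names, and the opaque key is a constructed stand-in for a token-resident key, not the provider's own key class.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;

public class OpaqueKeySpecDemo {
    // Constructed stand-in for an unextractable token key (assumption, not P11Key):
    // PrivateKey + RSAKey only, so no private components and no encoding.
    static final class OpaqueRsaKey implements PrivateKey, RSAKey {
        private final BigInteger modulus;
        OpaqueRsaKey(BigInteger modulus) { this.modulus = modulus; }
        public String getAlgorithm() { return "RSA"; }
        public String getFormat() { return null; }    // key is not encodable
        public byte[] getEncoded() { return null; }
        public BigInteger getModulus() { return modulus; }
    }

    // Builds the richest spec the key's interfaces allow; an opaque key is
    // rejected up front rather than by a failed attribute read on the token.
    static KeySpec privateSpecOf(PrivateKey key) throws InvalidKeySpecException {
        if (key instanceof RSAPrivateCrtKey) {
            RSAPrivateCrtKey k = (RSAPrivateCrtKey) key;
            return new RSAPrivateCrtKeySpec(k.getModulus(), k.getPublicExponent(),
                k.getPrivateExponent(), k.getPrimeP(), k.getPrimeQ(),
                k.getPrimeExponentP(), k.getPrimeExponentQ(), k.getCrtCoefficient());
        }
        if (key instanceof RSAPrivateKey) {
            RSAPrivateKey k = (RSAPrivateKey) key;
            return new RSAPrivateKeySpec(k.getModulus(), k.getPrivateExponent());
        }
        throw new InvalidKeySpecException(
            "key material is not extractable; no RSAPrivate(Crt)KeySpec available");
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey soft = kpg.generateKeyPair().getPrivate();
        System.out.println("software key -> " + privateSpecOf(soft).getClass().getSimpleName());
        PrivateKey opaque = new OpaqueRsaKey(((RSAKey) soft).getModulus());
        System.out.println("modulus bits still visible: "
            + ((RSAKey) opaque).getModulus().bitLength());
        try {
            privateSpecOf(opaque);
        } catch (InvalidKeySpecException e) {
            System.out.println("opaque key   -> " + e.getMessage());
        }
    }
}
```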