On 3/19/2021 2:24 PM, Valerie Peng wrote:
some* reason (even if I cannot figure out why).

Well, for `P11RSAKeyFactory`, I think some minor modification may be needed given the additional P11PrivateKey type. I'd expect it to be something like:

```java
// must be either RSAPrivateKeySpec or RSAPrivateCrtKeySpec
if (keySpec.isAssignableFrom(RSAPrivateCrtKeySpec.class)) {
    session[0] = token.getObjSession();
    CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
        new CK_ATTRIBUTE(CKA_MODULUS),
        new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT),
        new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT),
```

If the PKCS11 private key has the CKA_SENSITIVE attribute set to true or CKA_EXPORTABLE set to false, you can't retrieve the above attribute. AIRC, the contract for getting a Key from an unextractable PKCS11 private key is to return a key that implements both PrivateKey and RSAKey, but doesn't implement either of the RSAPrivateKey interfaces. I don't know what the contract is for producing KeySpecs from unextractable keys.

Mike

```java
        new CK_ATTRIBUTE(CKA_PRIME_1),
        new CK_ATTRIBUTE(CKA_PRIME_2),
        new CK_ATTRIBUTE(CKA_EXPONENT_1),
        new CK_ATTRIBUTE(CKA_EXPONENT_2),
        new CK_ATTRIBUTE(CKA_COEFFICIENT),
    };
    long keyID = key.getKeyID();
    try {
        token.p11.C_GetAttributeValue(session[0].id(), keyID, attributes);
        KeySpec spec = new RSAPrivateCrtKeySpec(
            attributes[0].getBigInteger(),
            attributes[1].getBigInteger(),
            attributes[2].getBigInteger(),
            attributes[3].getBigInteger(),
            attributes[4].getBigInteger(),
            attributes[5].getBigInteger(),
            attributes[6].getBigInteger(),
            attributes[7].getBigInteger()
        );
        return keySpec.cast(spec);
    } catch (final PKCS11Exception ex) {
        // bubble this up if RSAPrivateCrtKeySpec is specified
        // otherwise fall through to RSAPrivateKeySpec
        if (!keySpec.isAssignableFrom(RSAPrivateKeySpec.class)) {
            throw ex;
        }
    } finally {
        key.releaseKeyID();
    }

    attributes = new CK_ATTRIBUTE[] {
        new CK_ATTRIBUTE(CKA_MODULUS),
        new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT),
    };
    keyID = key.getKeyID();
    try {
        token.p11.C_GetAttributeValue(session[0].id(), keyID, attributes);
    } finally {
        key.releaseKeyID();
    }

    KeySpec spec = new RSAPrivateKeySpec(
        attributes[0].getBigInteger(),
        attributes[1].getBigInteger()
    );
    return keySpec.cast(spec);
} else { // PKCS#8 handled in superclass
    throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec "
        + "and PKCS8EncodedKeySpec supported for RSA private keys");
}
}
```

-------------
PR: https://git.openjdk.java.net/jdk/pull/2949
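
The key shape described in the reply above (a key that implements PrivateKey and RSAKey but neither RSAPrivateKey interface) can be exercised without a token. This is an added example, not code from the thread or from the JDK: `OpaqueRsaKey`, `classify` and `canExport` are hypothetical names, and the default software RSA `KeyFactory` stands in for a provider, so it shows how calling code can tell the two kinds of key apart, not what SunPKCS11 itself does.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;

public class OpaqueKeyDemo {
    // Constructed stand-in for a token-resident key: it exposes the public
    // modulus (RSAKey) but no private components and no encoding.
    static final class OpaqueRsaKey implements PrivateKey, RSAKey {
        private final BigInteger modulus;
        OpaqueRsaKey(BigInteger modulus) { this.modulus = modulus; }
        public String getAlgorithm() { return "RSA"; }
        public String getFormat() { return null; }   // no encoding available
        public byte[] getEncoded() { return null; }
        public BigInteger getModulus() { return modulus; }
    }

    // Classify a key by the interfaces it exposes, without reading key material.
    static String classify(PrivateKey key) {
        if (key instanceof RSAPrivateCrtKey) return "extractable (CRT)";
        if (key instanceof RSAPrivateKey) return "extractable (modulus/exponent)";
        if (key instanceof RSAKey && key.getEncoded() == null) return "opaque";
        return "unknown";
    }

    // Ask the default RSA KeyFactory for a KeySpec. A key it cannot read is
    // reported as InvalidKeySpecException; callers should treat that as
    // "not exportable" rather than as a fatal error.
    static boolean canExport(PrivateKey key) throws NoSuchAlgorithmException {
        try {
            KeyFactory.getInstance("RSA").getKeySpec(key, RSAPrivateKeySpec.class);
            return true;
        } catch (InvalidKeySpecException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey soft = kpg.generateKeyPair().getPrivate(); // software key
        PrivateKey opaque = new OpaqueRsaKey(((RSAKey) soft).getModulus());

        System.out.println("software: " + classify(soft) + ", export=" + canExport(soft));
        System.out.println("opaque:   " + classify(opaque) + ", export=" + canExport(opaque));
    }
}
```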