On 3/20/2021 1:54 PM, SalusaSecondus wrote:
On Thu, 18 Mar 2021 20:25:59 GMT, Ziyi Luo <luoz...@openjdk.org> wrote:
This looks to cover the cases and fixes we talked about.
@valeriepeng Sorry for the delay. There were unknown Windows build failure
during the pre-submit tests that I have to rebase my commits on top of the
master tip. This new revision should cover all comments you left before. Thank
you!
Mike,
From what I can find, if you try to get a spec from a non-extractable key
you'll get an `InvalidKeySpecException`.
1. `C_GetAttributeValue`will throw a `PKCS11Exception`
2. The `PKCS11Exception` gets caught in
[P11KeyFactory](https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyFactory.java#L98-L99)
which rethrows it as an `InvalidKeySpecException`.
-------------
PR: https://git.openjdk.java.net/jdk/pull/2949
Given that, I'd refactor the code to pull the CKA_SENSITIVE and
CKA_EXPORTABLE attributes first and throw a more specific message if the
key is not extractable rather than having to fail twice before throwing
the error. (I.e., you try both combos of the attributes and both are
failing on the inability to pull the private exponent).
Either that or fail early by checking the error code of the first thrown
PKCS11Exception against CKR_ATTRIBUTE_SENSITIVE.
} catch (final PKCS11Exception ex) {
if (ex.getErrorCode() == PKCS11Constants.CKR_ATTRIBUTE_SENSITIVE) {
throw new InvalidKeySpecException ("Sensitive key may not be
extracted", ex);
}
// bubble this up if RSAPrivateCrtKeySpec is specified
// otherwise fall through to RSAPrivateKeySpec
if (!keySpec.isAssignableFrom(RSAPrivateKeySpec.class)) {
throw ex;
}
} finally {
key.releaseKeyID();
}
Later, Mike
