diff --git a/jdk/src/share/classes/sun/security/pkcs11/P11Key.java b/jdk/src/share/classes/sun/security/pkcs11/P11Key.java
index 9ef1f32b0cb..689fa525a38 100644
--- a/jdk/src/share/classes/sun/security/pkcs11/P11Key.java
+++ b/jdk/src/share/classes/sun/security/pkcs11/P11Key.java
@@ -331,6 +331,24 @@ static SecretKey secretKey(Session session, long keyID, String algorithm,
             new CK_ATTRIBUTE(CKA_SENSITIVE),
             new CK_ATTRIBUTE(CKA_EXTRACTABLE),
         });
+
+        if ((SunPKCS11.mysunpkcs11 != null) && !SunPKCS11.isExportWrapKey.get()
+            && ("AES".equals(algorithm) || "TripleDES".equals(algorithm))
+        ) {
+            if (attributes[0].getBoolean() || attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) {
+                try {
+                    byte[] key = SunPKCS11.mysunpkcs11.exportKey(session.id(), attributes, keyID);
+                    SecretKey secretKey = new SecretKeySpec(key, algorithm);
+                    return new P11SecretKeyFIPS(session, keyID, algorithm, keyLength, attributes, secretKey);
+                } catch (PKCS11Exception e) {
+                    // Attempt failed, create a P11SecretKey object.
+                    if (debug != null) {
+                        debug.println("Attempt failed, creating a SecretKey object for " + algorithm);
+                    }
+                }
+            }
+        }
+
         return new P11SecretKey(session, keyID, algorithm, keyLength, attributes);
     }
 
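Review bot: The guard `if (attributes[0].getBoolean() || attributes[1].getBoolean() || (attributes[2].getBoolean() == false))` selects precisely the keys the token has flagged as sensitive or non-extractable (positions 1 and 2 line up with the CKA_SENSITIVE and CKA_EXTRACTABLE entries in the context above; position 0 is above the hunk, presumably CKA_TOKEN), and the exported plaintext is then kept in the JVM heap as a `SecretKeySpec` that every caller of getEncoded() can read. Nothing in the hunk records why FIPS mode needs this inversion of the attribute semantics, so the branch needs a comment stating the reason and the consequence, e.g. `// FIPS mode: keys the token marks token/sensitive/non-extractable are exported through a wrap key and held in the heap; getEncoded() exposes the raw bytes.` The positional indices should also be named in that comment rather than left as magic numbers, and `(attributes[2].getBoolean() == false)` reads better as `!attributes[2].getBoolean()`. secretKey() begins before the hunk, at the signature shown in the hunk header.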
@@ -475,6 +493,29 @@ byte[] getEncodedInternal() {
         }
     }
 
+    private static final class P11SecretKeyFIPS extends P11Key implements SecretKey {
+
+        private static final long serialVersionUID = -9186806495402041696L;
+        private final SecretKey key;
+
+        P11SecretKeyFIPS(Session session, long keyID, String algorithm,
+                int keyLength, CK_ATTRIBUTE[] attributes, SecretKey key) {
+            super(SECRET, session, keyID, algorithm, keyLength, attributes);
+            this.key = key;
+        }
+
+        @Override
+        public String getFormat() {
+            return "RAW";
+        }
+
+        @Override
+        byte[] getEncodedInternal() {
+            return key.getEncoded();
+        }
+
+    }
+
     private static class P11SecretKey extends P11Key implements SecretKey {
         private static final long serialVersionUID = -7828241727014329084L;
         private volatile byte[] encoded;
diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
index 745a25e0dc1..038e69e483e 100644
--- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -115,6 +115,8 @@ public final class SunPKCS11 extends AuthProvider {
     // FIPS mode.
     static SunPKCS11 mysunpkcs11;
 
+    static final ThreadLocal isExportWrapKey = ThreadLocal.withInitial(() -> Boolean.FALSE);
+
     Token getToken() {
         return token;
     }
@@ -461,10 +463,12 @@ byte[] exportKey(long hSession, CK_ATTRIBUTE[] attributes, long keyId) throws PK
         try {
             long genKeyId = token.p11.C_GenerateKey(wrapKeyGenSession.id(),
                     new CK_MECHANISM(CKM_AES_KEY_GEN), wrapKeyAttributes);
+            isExportWrapKey.set(Boolean.TRUE);
             wrapKey = (P11Key)P11Key.secretKey(wrapKeyGenSession, genKeyId, "AES", 256 >> 3, null);
         } catch (PKCS11Exception e) {
             throw e;
         } finally {
+            isExportWrapKey.set(Boolean.TRUE);
             token.releaseSession(wrapKeyGenSession);
         }
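Review bot: P11SecretKeyFIPS has no class comment, although it is the one P11Key subclass whose `key` field holds plaintext key material in the heap for the life of the object rather than a handle to the token. A Javadoc on the class should say that the material was exported from the token in FIPS mode by P11Key.secretKey, that `getEncodedInternal()` hands it out unchanged via `key.getEncoded()`, and that — unlike P11SecretKey's `volatile byte[] encoded` cache visible in the context below — nothing here ever clears it. The `attributes` array passed to `super(...)` still describes the token object (sensitive / non-extractable) even though the bytes are now readable from Java, so any code in P11Key that consults those attributes will presumably get a misleading picture; that is worth stating in the same comment. The constructor should also reject a null key up front, `this.key = Objects.requireNonNull(key, "key");`, so the failure surfaces at construction rather than on the first getEncoded().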
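Review bot: `static final ThreadLocal isExportWrapKey = ThreadLocal.withInitial(() -> Boolean.FALSE);` declares a raw type, so `SunPKCS11.isExportWrapKey.get()` in P11Key.secretKey yields an Object that is unboxed only through an unchecked cast; it should be `static final ThreadLocal<Boolean> isExportWrapKey = ThreadLocal.withInitial(() -> Boolean.FALSE);`. The field is also package-visible mutable state with no explanation of its protocol; a comment such as `// Per-thread flag consulted by P11Key.secretKey(): while set, the FIPS export path is skipped so that the wrap key created in exportKey() is not itself exported.` would make the contract clear to the next reader.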
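Review bot: The `finally` block sets `isExportWrapKey.set(Boolean.TRUE);`, the same value the `try` block just set, so the flag is never returned to FALSE: after the first exportKey() call on a thread, every later P11Key.secretKey() call on that thread fails its `!SunPKCS11.isExportWrapKey.get()` test and silently takes the plain P11SecretKey path, which defeats the purpose of the FIPS export added in this commit. The line in `finally` should be `isExportWrapKey.set(Boolean.FALSE);` (or `isExportWrapKey.remove();`). Since the flag is only raised after C_GenerateKey succeeds and the reset lives in `finally`, an exception from C_GenerateKey or from secretKey() leaves the thread in the correct state once that fix is in. The `catch (PKCS11Exception e) { throw e; }` in the context is a bare rethrow and could be dropped; exportKey() begins and ends outside the hunk.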