added support for PKCS#11 alt provider for EC TLS 1.3

dghgit · dghgit · commit 7626743f7c19 · 2025-05-08T23:49:01.000+10:00
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java
@@ -1262,6 +1262,11 @@ public JcaJceHelper getHelper()
         return helper;
     }
 
+    public JcaJceHelper getAltHelper()
+    {
+        return altHelper;
+    }
+
     protected TlsBlockCipherImpl createCBCBlockCipherImpl(TlsCryptoParameters cryptoParams, String algorithm,
                                                           int cipherKeySize, boolean forEncryption)
         throws GeneralSecurityException
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsECDSA13Signer.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsECDSA13Signer.java
@@ -2,6 +2,7 @@
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
 import java.security.PrivateKey;
 import java.security.Signature;
 
@@ -57,6 +58,21 @@ public byte[] generateRawSignature(SignatureAndHashAlgorithm algorithm, byte[] h
             signer.update(hash, 0, hash.length);
             return signer.sign();
         }
+        catch (InvalidKeyException e)
+        {
+            // try with PKCS#11 (usually) alternative provider
+            try
+            {
+                Signature signer = crypto.getAltHelper().createSignature("NoneWithECDSA");
+                signer.initSign(privateKey, crypto.getSecureRandom());
+                signer.update(hash, 0, hash.length);
+                return signer.sign();
+            }
+            catch (GeneralSecurityException ex)
+            {
+                throw new TlsFatalAlert(AlertDescription.internal_error, ex);
+            }
+        }
         catch (GeneralSecurityException e)
         {
             throw new TlsFatalAlert(AlertDescription.internal_error, e);
