Followup alt provider changes

peterdettman · peterdettman · commit 8d0ff575fcfe · 2025-05-12T13:54:12.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java
@@ -113,7 +113,8 @@ protected JcaTlsCrypto(JcaJceHelper helper, SecureRandom entropySource, SecureRa
      * @param entropySource      primary entropy source, used for key generation.
      * @param nonceEntropySource secondary entropy source, used for nonce and IV generation.
      */
-    protected JcaTlsCrypto(JcaJceHelper helper, JcaJceHelper altHelper, SecureRandom entropySource, SecureRandom nonceEntropySource)
+    protected JcaTlsCrypto(JcaJceHelper helper, JcaJceHelper altHelper, SecureRandom entropySource,
+        SecureRandom nonceEntropySource)
     {
         this.helper = helper;
         this.altHelper = altHelper;
@@ -572,7 +573,7 @@ public boolean hasCryptoSignatureAlgorithm(int cryptoSignatureAlgorithm)
         case CryptoSignatureAlgorithm.gostr34102012_256:
         case CryptoSignatureAlgorithm.gostr34102012_512:
 
-            // TODO[RFC 8998]
+        // TODO[RFC 8998]
         case CryptoSignatureAlgorithm.sm2:
 
         default:
@@ -754,7 +755,7 @@ public boolean hasSignatureAlgorithm(short signatureAlgorithm)
         case SignatureAlgorithm.gostr34102012_256:
         case SignatureAlgorithm.gostr34102012_512:
 
-            // TODO[RFC 8998]
+        // TODO[RFC 8998]
 //        case SignatureAlgorithm.sm2:
 
         default:
@@ -783,7 +784,7 @@ public boolean hasSignatureScheme(int signatureScheme)
         switch (signatureScheme)
         {
         case SignatureScheme.sm2sig_sm3:
-            // TODO[tls] Implement before adding
+        // TODO[tls] Implement before adding
         case SignatureScheme.DRAFT_mldsa44:
         case SignatureScheme.DRAFT_mldsa65:
         case SignatureScheme.DRAFT_mldsa87:
@@ -902,8 +903,7 @@ protected TlsAEADCipherImpl createAEADCipher(String cipherName, String algorithm
      * @throws GeneralSecurityException in case of failure.
      */
     protected TlsBlockCipherImpl createBlockCipher(String cipherName, String algorithm, int keySize,
-                                                   boolean isEncrypting)
-        throws GeneralSecurityException
+        boolean isEncrypting) throws GeneralSecurityException
     {
         return new JceBlockCipherImpl(this, helper.createCipher(cipherName), algorithm, keySize, isEncrypting);
     }
@@ -919,8 +919,7 @@ protected TlsBlockCipherImpl createBlockCipher(String cipherName, String algorit
      * @throws GeneralSecurityException in case of failure.
      */
     protected TlsBlockCipherImpl createBlockCipherWithCBCImplicitIV(String cipherName, String algorithm, int keySize,
-                                                                    boolean isEncrypting)
-        throws GeneralSecurityException
+        boolean isEncrypting) throws GeneralSecurityException
     {
         return new JceBlockCipherWithCBCImplicitIVImpl(this, helper.createCipher(cipherName), algorithm, isEncrypting);
     }
@@ -954,17 +953,15 @@ protected TlsNullCipher createNullCipher(TlsCryptoParameters cryptoParams, int m
     }
 
     protected TlsStreamSigner createStreamSigner(SignatureAndHashAlgorithm algorithm, PrivateKey privateKey,
-                                                 boolean needsRandom)
-        throws IOException
+        boolean needsRandom) throws IOException
     {
         String algorithmName = JcaUtils.getJcaAlgorithmName(algorithm);
 
         return createStreamSigner(algorithmName, null, privateKey, needsRandom);
     }
 
     protected TlsStreamSigner createStreamSigner(String algorithmName, AlgorithmParameterSpec parameter,
-                                                 PrivateKey privateKey, boolean needsRandom)
-        throws IOException
+        PrivateKey privateKey, boolean needsRandom) throws IOException
     {
         SecureRandom random = needsRandom ? getSecureRandom() : null;
 
@@ -976,14 +973,13 @@ protected TlsStreamSigner createStreamSigner(String algorithmName, AlgorithmPara
             }
             catch (InvalidKeyException e)
             {
-                if (altHelper != null)
-                {
-                    return createStreamSigner(altHelper, algorithmName, parameter, privateKey, random);
-                }
-                else
+                JcaJceHelper altHelper = getAltHelper();
+                if (altHelper == null)
                 {
                     throw e;
                 }
+
+                return createStreamSigner(altHelper, algorithmName, parameter, privateKey, random);
             }
         }
         catch (GeneralSecurityException e)
@@ -992,38 +988,36 @@ protected TlsStreamSigner createStreamSigner(String algorithmName, AlgorithmPara
         }
     }
 
-    private TlsStreamSigner createStreamSigner(JcaJceHelper helper, String algorithmName, AlgorithmParameterSpec parameter,
-                                               PrivateKey privateKey, SecureRandom random)
-        throws GeneralSecurityException
+    protected TlsStreamSigner createStreamSigner(JcaJceHelper helper, String algorithmName,
+        AlgorithmParameterSpec parameter, PrivateKey privateKey, SecureRandom random) throws GeneralSecurityException
     {
         try
         {
             if (null != parameter)
             {
+                Signature dummySigner;                
                 try
                 {
-                    Signature dummySigner = helper.createSignature(algorithmName);
-                    dummySigner.initSign(privateKey, random);
-                    helper = new ProviderJcaJceHelper(dummySigner.getProvider());
+                    dummySigner = helper.createSignature(algorithmName);
                 }
                 catch (NoSuchAlgorithmException e)
                 {
                     // more PKCS#11 mischief
                     String upperAlg = Strings.toUpperCase(algorithmName);
-                    if (upperAlg.endsWith("MGF1"))
+                    if (upperAlg.endsWith("ANDMGF1"))
                     {
                         // ANDMGF1 has vanished from the Sun PKCS11 provider.
                         algorithmName = upperAlg.replace("ANDMGF1", "SSA-PSS");
-                        Signature dummySigner = helper.createSignature(algorithmName);
-
-                        dummySigner.initSign(privateKey, random);
-                        helper = new ProviderJcaJceHelper(dummySigner.getProvider());
+                        dummySigner = helper.createSignature(algorithmName);
                     }
                     else
                     {
                         throw e;
                     }
                 }
+
+                dummySigner.initSign(privateKey, random);
+                helper = new ProviderJcaJceHelper(dummySigner.getProvider());
             }
 
             Signature signer = helper.createSignature(algorithmName);
@@ -1037,7 +1031,7 @@ private TlsStreamSigner createStreamSigner(JcaJceHelper helper, String algorithm
         catch (InvalidKeyException e)
         {
             String upperAlg = Strings.toUpperCase(algorithmName);
-            if (upperAlg.endsWith("MGF1"))
+            if (upperAlg.endsWith("ANDMGF1"))
             {
                 // ANDMGF1 has vanished from the Sun PKCS11 provider.
                 algorithmName = upperAlg.replace("ANDMGF1", "SSA-PSS");
@@ -1059,8 +1053,7 @@ protected TlsStreamVerifier createStreamVerifier(DigitallySigned digitallySigned
     }
 
     protected TlsStreamVerifier createStreamVerifier(String algorithmName, AlgorithmParameterSpec parameter,
-                                                     byte[] signature, PublicKey publicKey)
-        throws IOException
+        byte[] signature, PublicKey publicKey) throws IOException
     {
         try
         {
@@ -1087,8 +1080,7 @@ protected TlsStreamVerifier createStreamVerifier(String algorithmName, Algorithm
     }
 
     protected Tls13Verifier createTls13Verifier(String algorithmName, AlgorithmParameterSpec parameter,
-                                                PublicKey publicKey)
-        throws IOException
+        PublicKey publicKey) throws IOException
     {
         try
         {
@@ -1268,8 +1260,7 @@ public JcaJceHelper getAltHelper()
     }
 
     protected TlsBlockCipherImpl createCBCBlockCipherImpl(TlsCryptoParameters cryptoParams, String algorithm,
-                                                          int cipherKeySize, boolean forEncryption)
-        throws GeneralSecurityException
+        int cipherKeySize, boolean forEncryption) throws GeneralSecurityException
     {
         String cipherName = algorithm + "/CBC/NoPadding";
 
@@ -1324,8 +1315,7 @@ private TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoParams
     }
 
     protected TlsCipher createCipher_CBC(TlsCryptoParameters cryptoParams, String algorithm, int cipherKeySize,
-                                         int macAlgorithm)
-        throws GeneralSecurityException, IOException
+        int macAlgorithm) throws GeneralSecurityException, IOException
     {
         TlsBlockCipherImpl encrypt = createCBCBlockCipherImpl(cryptoParams, algorithm, cipherKeySize, true);
         TlsBlockCipherImpl decrypt = createCBCBlockCipherImpl(cryptoParams, algorithm, cipherKeySize, false);
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCryptoProvider.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCryptoProvider.java
@@ -20,7 +20,7 @@ public class JcaTlsCryptoProvider
     implements TlsCryptoProvider
 {
     private JcaJceHelper helper = new DefaultJcaJceHelper();
-    private JcaJceHelper altHelper = helper;
+    private JcaJceHelper altHelper = null;
 
     public JcaTlsCryptoProvider()
     {
@@ -34,7 +34,8 @@ public JcaTlsCryptoProvider()
      */
     public JcaTlsCryptoProvider setProvider(Provider provider)
     {
-        this.helper = this.altHelper = new ProviderJcaJceHelper(provider);
+        this.helper = new ProviderJcaJceHelper(provider);
+        this.altHelper = null;
 
         return this;
     }
@@ -61,7 +62,8 @@ public JcaTlsCryptoProvider setAlternateProvider(Provider provider)
      */
     public JcaTlsCryptoProvider setProvider(String providerName)
     {
-        this.helper = this.altHelper = new NamedJcaJceHelper(providerName);
+        this.helper = new NamedJcaJceHelper(providerName);
+        this.altHelper = null;
 
         return this;
     }
@@ -120,19 +122,19 @@ public JcaTlsCrypto create(SecureRandom random)
      */
     public JcaTlsCrypto create(SecureRandom keyRandom, SecureRandom nonceRandom)
     {
-        if (helper != altHelper)
-        {
-            return new JcaTlsCrypto(getHelper(), altHelper, keyRandom, nonceRandom);
-        }
-
-        return new JcaTlsCrypto(getHelper(), keyRandom, nonceRandom);
+        return new JcaTlsCrypto(getHelper(), getAltHelper(), keyRandom, nonceRandom);
     }
 
     public JcaJceHelper getHelper()
     {
         return helper;
     }
 
+    public JcaJceHelper getAltHelper()
+    {
+        return altHelper;
+    }
+
     @SuppressWarnings("serial")
     private static class NonceEntropySource
        extends SecureRandom
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsECDSA13Signer.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsECDSA13Signer.java
@@ -4,8 +4,10 @@
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.PrivateKey;
+import java.security.SecureRandom;
 import java.security.Signature;
 
+import org.bouncycastle.jcajce.util.JcaJceHelper;
 import org.bouncycastle.tls.AlertDescription;
 import org.bouncycastle.tls.SignatureAndHashAlgorithm;
 import org.bouncycastle.tls.SignatureScheme;
@@ -51,26 +53,24 @@ public byte[] generateRawSignature(SignatureAndHashAlgorithm algorithm, byte[] h
             throw new IllegalStateException("Invalid algorithm: " + algorithm);
         }
 
+        SecureRandom random = crypto.getSecureRandom();
+
         try
         {
-            Signature signer = crypto.getHelper().createSignature("NoneWithECDSA");
-            signer.initSign(privateKey, crypto.getSecureRandom());
-            signer.update(hash, 0, hash.length);
-            return signer.sign();
-        }
-        catch (InvalidKeyException e)
-        {
-            // try with PKCS#11 (usually) alternative provider
             try
             {
-                Signature signer = crypto.getAltHelper().createSignature("NoneWithECDSA");
-                signer.initSign(privateKey, crypto.getSecureRandom());
-                signer.update(hash, 0, hash.length);
-                return signer.sign();
+                return implGenerateRawSignature(crypto.getHelper(), privateKey, random, hash);
             }
-            catch (GeneralSecurityException ex)
+            catch (InvalidKeyException e)
             {
-                throw new TlsFatalAlert(AlertDescription.internal_error, ex);
+                // try with PKCS#11 (usually) alternative provider
+                JcaJceHelper altHelper = crypto.getAltHelper();
+                if (altHelper == null)
+                {
+                    throw e;
+                }
+
+                return implGenerateRawSignature(altHelper, privateKey, random, hash);
             }
         }
         catch (GeneralSecurityException e)
@@ -84,4 +84,13 @@ public TlsStreamSigner getStreamSigner(SignatureAndHashAlgorithm algorithm)
     {
         return null;
     }
+
+    private static byte[] implGenerateRawSignature(JcaJceHelper helper, PrivateKey privateKey, SecureRandom random,
+        byte[] hash) throws GeneralSecurityException
+    {
+        Signature signer = helper.createSignature("NoneWithECDSA");
+        signer.initSign(privateKey, random);
+        signer.update(hash, 0, hash.length);
+        return signer.sign();
+    }
 }
diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCrypto.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCrypto.java
@@ -14,6 +14,12 @@ public FipsJcaTlsCrypto(JcaJceHelper helper, SecureRandom entropySource, SecureR
         super(helper, entropySource, nonceEntropySource);
     }
 
+    public FipsJcaTlsCrypto(JcaJceHelper helper, JcaJceHelper altHelper, SecureRandom entropySource,
+        SecureRandom nonceEntropySource)
+    {
+        super(helper, altHelper, entropySource, nonceEntropySource);
+    }
+
     @Override
     public AEADNonceGeneratorFactory getFipsGCMNonceGeneratorFactory()
     {
diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCryptoProvider.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/FipsJcaTlsCryptoProvider.java
@@ -10,6 +10,6 @@ public class FipsJcaTlsCryptoProvider extends JcaTlsCryptoProvider
     @Override
     public JcaTlsCrypto create(SecureRandom keyRandom, SecureRandom nonceRandom)
     {
-        return new FipsJcaTlsCrypto(getHelper(), keyRandom, nonceRandom);
+        return new FipsJcaTlsCrypto(getHelper(), getAltHelper(), keyRandom, nonceRandom);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,8 @@ protected JcaTlsCrypto(JcaJceHelper helper, SecureRandom entropySource, SecureRa`
`113`	`113`	`* @param entropySource primary entropy source, used for key generation.`
`114`	`114`	`* @param nonceEntropySource secondary entropy source, used for nonce and IV generation.`
`115`	`115`	`*/`
`116`		`- protected JcaTlsCrypto(JcaJceHelper helper, JcaJceHelper altHelper, SecureRandom entropySource, SecureRandom nonceEntropySource)`
	`116`	`+ protected JcaTlsCrypto(JcaJceHelper helper, JcaJceHelper altHelper, SecureRandom entropySource,`
	`117`	`+ SecureRandom nonceEntropySource)`
`117`	`118`	`{`
`118`	`119`	`this.helper = helper;`
`119`	`120`	`this.altHelper = altHelper;`
`@@ -572,7 +573,7 @@ public boolean hasCryptoSignatureAlgorithm(int cryptoSignatureAlgorithm)`
`572`	`573`	`case CryptoSignatureAlgorithm.gostr34102012_256:`
`573`	`574`	`case CryptoSignatureAlgorithm.gostr34102012_512:`
`574`	`575`
`575`		`- // TODO[RFC 8998]`
	`576`	`+ // TODO[RFC 8998]`
`576`	`577`	`case CryptoSignatureAlgorithm.sm2:`
`577`	`578`
`578`	`579`	`default:`
`@@ -754,7 +755,7 @@ public boolean hasSignatureAlgorithm(short signatureAlgorithm)`
`754`	`755`	`case SignatureAlgorithm.gostr34102012_256:`
`755`	`756`	`case SignatureAlgorithm.gostr34102012_512:`
`756`	`757`
`757`		`- // TODO[RFC 8998]`
	`758`	`+ // TODO[RFC 8998]`
`758`	`759`	`// case SignatureAlgorithm.sm2:`
`759`	`760`
`760`	`761`	`default:`
`@@ -783,7 +784,7 @@ public boolean hasSignatureScheme(int signatureScheme)`
`783`	`784`	`switch (signatureScheme)`
`784`	`785`	`{`
`785`	`786`	`case SignatureScheme.sm2sig_sm3:`
`786`		`- // TODO[tls] Implement before adding`
	`787`	`+ // TODO[tls] Implement before adding`
`787`	`788`	`case SignatureScheme.DRAFT_mldsa44:`
`788`	`789`	`case SignatureScheme.DRAFT_mldsa65:`
`789`	`790`	`case SignatureScheme.DRAFT_mldsa87:`
`@@ -902,8 +903,7 @@ protected TlsAEADCipherImpl createAEADCipher(String cipherName, String algorithm`
`902`	`903`	`* @throws GeneralSecurityException in case of failure.`
`903`	`904`	`*/`
`904`	`905`	`protected TlsBlockCipherImpl createBlockCipher(String cipherName, String algorithm, int keySize,`
`905`		`- boolean isEncrypting)`
`906`		`- throws GeneralSecurityException`
	`906`	`+ boolean isEncrypting) throws GeneralSecurityException`
`907`	`907`	`{`
`908`	`908`	`return new JceBlockCipherImpl(this, helper.createCipher(cipherName), algorithm, keySize, isEncrypting);`
`909`	`909`	`}`
`@@ -919,8 +919,7 @@ protected TlsBlockCipherImpl createBlockCipher(String cipherName, String algorit`
`919`	`919`	`* @throws GeneralSecurityException in case of failure.`
`920`	`920`	`*/`
`921`	`921`	`protected TlsBlockCipherImpl createBlockCipherWithCBCImplicitIV(String cipherName, String algorithm, int keySize,`
`922`		`- boolean isEncrypting)`
`923`		`- throws GeneralSecurityException`
	`922`	`+ boolean isEncrypting) throws GeneralSecurityException`
`924`	`923`	`{`
`925`	`924`	`return new JceBlockCipherWithCBCImplicitIVImpl(this, helper.createCipher(cipherName), algorithm, isEncrypting);`
`926`	`925`	`}`
`@@ -954,17 +953,15 @@ protected TlsNullCipher createNullCipher(TlsCryptoParameters cryptoParams, int m`
`954`	`953`	`}`
`955`	`954`
`956`	`955`	`protected TlsStreamSigner createStreamSigner(SignatureAndHashAlgorithm algorithm, PrivateKey privateKey,`
`957`		`- boolean needsRandom)`
`958`		`- throws IOException`
	`956`	`+ boolean needsRandom) throws IOException`
`959`	`957`	`{`
`960`	`958`	`String algorithmName = JcaUtils.getJcaAlgorithmName(algorithm);`
`961`	`959`
`962`	`960`	`return createStreamSigner(algorithmName, null, privateKey, needsRandom);`
`963`	`961`	`}`
`964`	`962`
`965`	`963`	`protected TlsStreamSigner createStreamSigner(String algorithmName, AlgorithmParameterSpec parameter,`
`966`		`- PrivateKey privateKey, boolean needsRandom)`
`967`		`- throws IOException`
	`964`	`+ PrivateKey privateKey, boolean needsRandom) throws IOException`
`968`	`965`	`{`
`969`	`966`	`SecureRandom random = needsRandom ? getSecureRandom() : null;`
`970`	`967`
`@@ -976,14 +973,13 @@ protected TlsStreamSigner createStreamSigner(String algorithmName, AlgorithmPara`
`976`	`973`	`}`
`977`	`974`	`catch (InvalidKeyException e)`
`978`	`975`	`{`
`979`		`- if (altHelper != null)`
`980`		`- {`
`981`		`- return createStreamSigner(altHelper, algorithmName, parameter, privateKey, random);`
`982`		`- }`
`983`		`- else`
	`976`	`+ JcaJceHelper altHelper = getAltHelper();`
	`977`	`+ if (altHelper == null)`
`984`	`978`	`{`
`985`	`979`	`throw e;`
`986`	`980`	`}`
	`981`	`+`
	`982`	`+ return createStreamSigner(altHelper, algorithmName, parameter, privateKey, random);`
`987`	`983`	`}`
`988`	`984`	`}`
`989`	`985`	`catch (GeneralSecurityException e)`
`@@ -992,38 +988,36 @@ protected TlsStreamSigner createStreamSigner(String algorithmName, AlgorithmPara`
`992`	`988`	`}`
`993`	`989`	`}`
`994`	`990`
`995`		`- private TlsStreamSigner createStreamSigner(JcaJceHelper helper, String algorithmName, AlgorithmParameterSpec parameter,`
`996`		`- PrivateKey privateKey, SecureRandom random)`
`997`		`- throws GeneralSecurityException`
	`991`	`+ protected TlsStreamSigner createStreamSigner(JcaJceHelper helper, String algorithmName,`
	`992`	`+ AlgorithmParameterSpec parameter, PrivateKey privateKey, SecureRandom random) throws GeneralSecurityException`
`998`	`993`	`{`
`999`	`994`	`try`
`1000`	`995`	`{`
`1001`	`996`	`if (null != parameter)`
`1002`	`997`	`{`
	`998`	`+ Signature dummySigner;`
`1003`	`999`	`try`
`1004`	`1000`	`{`
`1005`		`- Signature dummySigner = helper.createSignature(algorithmName);`
`1006`		`- dummySigner.initSign(privateKey, random);`
`1007`		`- helper = new ProviderJcaJceHelper(dummySigner.getProvider());`
	`1001`	`+ dummySigner = helper.createSignature(algorithmName);`
`1008`	`1002`	`}`
`1009`	`1003`	`catch (NoSuchAlgorithmException e)`
`1010`	`1004`	`{`
`1011`	`1005`	`// more PKCS#11 mischief`
`1012`	`1006`	`String upperAlg = Strings.toUpperCase(algorithmName);`
`1013`		`- if (upperAlg.endsWith("MGF1"))`
	`1007`	`+ if (upperAlg.endsWith("ANDMGF1"))`
`1014`	`1008`	`{`
`1015`	`1009`	`// ANDMGF1 has vanished from the Sun PKCS11 provider.`
`1016`	`1010`	`algorithmName = upperAlg.replace("ANDMGF1", "SSA-PSS");`
`1017`		`- Signature dummySigner = helper.createSignature(algorithmName);`
`1018`		`-`
`1019`		`- dummySigner.initSign(privateKey, random);`
`1020`		`- helper = new ProviderJcaJceHelper(dummySigner.getProvider());`
	`1011`	`+ dummySigner = helper.createSignature(algorithmName);`
`1021`	`1012`	`}`
`1022`	`1013`	`else`
`1023`	`1014`	`{`
`1024`	`1015`	`throw e;`
`1025`	`1016`	`}`
`1026`	`1017`	`}`
	`1018`	`+`
	`1019`	`+ dummySigner.initSign(privateKey, random);`
	`1020`	`+ helper = new ProviderJcaJceHelper(dummySigner.getProvider());`
`1027`	`1021`	`}`
`1028`	`1022`
`1029`	`1023`	`Signature signer = helper.createSignature(algorithmName);`
`@@ -1037,7 +1031,7 @@ private TlsStreamSigner createStreamSigner(JcaJceHelper helper, String algorithm`
`1037`	`1031`	`catch (InvalidKeyException e)`
`1038`	`1032`	`{`
`1039`	`1033`	`String upperAlg = Strings.toUpperCase(algorithmName);`
`1040`		`- if (upperAlg.endsWith("MGF1"))`
	`1034`	`+ if (upperAlg.endsWith("ANDMGF1"))`
`1041`	`1035`	`{`
`1042`	`1036`	`// ANDMGF1 has vanished from the Sun PKCS11 provider.`
`1043`	`1037`	`algorithmName = upperAlg.replace("ANDMGF1", "SSA-PSS");`
`@@ -1059,8 +1053,7 @@ protected TlsStreamVerifier createStreamVerifier(DigitallySigned digitallySigned`
`1059`	`1053`	`}`
`1060`	`1054`
`1061`	`1055`	`protected TlsStreamVerifier createStreamVerifier(String algorithmName, AlgorithmParameterSpec parameter,`
`1062`		`- byte[] signature, PublicKey publicKey)`
`1063`		`- throws IOException`
	`1056`	`+ byte[] signature, PublicKey publicKey) throws IOException`
`1064`	`1057`	`{`
`1065`	`1058`	`try`
`1066`	`1059`	`{`
`@@ -1087,8 +1080,7 @@ protected TlsStreamVerifier createStreamVerifier(String algorithmName, Algorithm`
`1087`	`1080`	`}`
`1088`	`1081`
`1089`	`1082`	`protected Tls13Verifier createTls13Verifier(String algorithmName, AlgorithmParameterSpec parameter,`
`1090`		`- PublicKey publicKey)`
`1091`		`- throws IOException`
	`1083`	`+ PublicKey publicKey) throws IOException`
`1092`	`1084`	`{`
`1093`	`1085`	`try`
`1094`	`1086`	`{`
`@@ -1268,8 +1260,7 @@ public JcaJceHelper getAltHelper()`
`1268`	`1260`	`}`
`1269`	`1261`
`1270`	`1262`	`protected TlsBlockCipherImpl createCBCBlockCipherImpl(TlsCryptoParameters cryptoParams, String algorithm,`
`1271`		`- int cipherKeySize, boolean forEncryption)`
`1272`		`- throws GeneralSecurityException`
	`1263`	`+ int cipherKeySize, boolean forEncryption) throws GeneralSecurityException`
`1273`	`1264`	`{`
`1274`	`1265`	`String cipherName = algorithm + "/CBC/NoPadding";`
`1275`	`1266`
`@@ -1324,8 +1315,7 @@ private TlsAEADCipher createCipher_Camellia_GCM(TlsCryptoParameters cryptoParams`
`1324`	`1315`	`}`
`1325`	`1316`
`1326`	`1317`	`protected TlsCipher createCipher_CBC(TlsCryptoParameters cryptoParams, String algorithm, int cipherKeySize,`
`1327`		`- int macAlgorithm)`
`1328`		`- throws GeneralSecurityException, IOException`
	`1318`	`+ int macAlgorithm) throws GeneralSecurityException, IOException`
`1329`	`1319`	`{`
`1330`	`1320`	`TlsBlockCipherImpl encrypt = createCBCBlockCipherImpl(cryptoParams, algorithm, cipherKeySize, true);`
`1331`	`1321`	`TlsBlockCipherImpl decrypt = createCBCBlockCipherImpl(cryptoParams, algorithm, cipherKeySize, false);`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ public class JcaTlsCryptoProvider`
`20`	`20`	`implements TlsCryptoProvider`
`21`	`21`	`{`
`22`	`22`	`private JcaJceHelper helper = new DefaultJcaJceHelper();`
`23`		`- private JcaJceHelper altHelper = helper;`
	`23`	`+ private JcaJceHelper altHelper = null;`
`24`	`24`
`25`	`25`	`public JcaTlsCryptoProvider()`
`26`	`26`	`{`
`@@ -34,7 +34,8 @@ public JcaTlsCryptoProvider()`
`34`	`34`	`*/`
`35`	`35`	`public JcaTlsCryptoProvider setProvider(Provider provider)`
`36`	`36`	`{`
`37`		`- this.helper = this.altHelper = new ProviderJcaJceHelper(provider);`
	`37`	`+ this.helper = new ProviderJcaJceHelper(provider);`
	`38`	`+ this.altHelper = null;`
`38`	`39`
`39`	`40`	`return this;`
`40`	`41`	`}`
`@@ -61,7 +62,8 @@ public JcaTlsCryptoProvider setAlternateProvider(Provider provider)`
`61`	`62`	`*/`
`62`	`63`	`public JcaTlsCryptoProvider setProvider(String providerName)`
`63`	`64`	`{`
`64`		`- this.helper = this.altHelper = new NamedJcaJceHelper(providerName);`
	`65`	`+ this.helper = new NamedJcaJceHelper(providerName);`
	`66`	`+ this.altHelper = null;`
`65`	`67`
`66`	`68`	`return this;`
`67`	`69`	`}`
`@@ -120,19 +122,19 @@ public JcaTlsCrypto create(SecureRandom random)`
`120`	`122`	`*/`
`121`	`123`	`public JcaTlsCrypto create(SecureRandom keyRandom, SecureRandom nonceRandom)`
`122`	`124`	`{`
`123`		`- if (helper != altHelper)`
`124`		`- {`
`125`		`- return new JcaTlsCrypto(getHelper(), altHelper, keyRandom, nonceRandom);`
`126`		`- }`
`127`		`-`
`128`		`- return new JcaTlsCrypto(getHelper(), keyRandom, nonceRandom);`
	`125`	`+ return new JcaTlsCrypto(getHelper(), getAltHelper(), keyRandom, nonceRandom);`
`129`	`126`	`}`
`130`	`127`
`131`	`128`	`public JcaJceHelper getHelper()`
`132`	`129`	`{`
`133`	`130`	`return helper;`
`134`	`131`	`}`
`135`	`132`
	`133`	`+ public JcaJceHelper getAltHelper()`
	`134`	`+ {`
	`135`	`+ return altHelper;`
	`136`	`+ }`
	`137`	`+`
`136`	`138`	`@SuppressWarnings("serial")`
`137`	`139`	`private static class NonceEntropySource`
`138`	`140`	`extends SecureRandom`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,12 @@ public FipsJcaTlsCrypto(JcaJceHelper helper, SecureRandom entropySource, SecureR`
`14`	`14`	`super(helper, entropySource, nonceEntropySource);`
`15`	`15`	`}`
`16`	`16`
	`17`	`+ public FipsJcaTlsCrypto(JcaJceHelper helper, JcaJceHelper altHelper, SecureRandom entropySource,`
	`18`	`+ SecureRandom nonceEntropySource)`
	`19`	`+ {`
	`20`	`+ super(helper, altHelper, entropySource, nonceEntropySource);`
	`21`	`+ }`
	`22`	`+`
`17`	`23`	`@Override`
`18`	`24`	`public AEADNonceGeneratorFactory getFipsGCMNonceGeneratorFactory()`
`19`	`25`	`{`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,6 @@ public class FipsJcaTlsCryptoProvider extends JcaTlsCryptoProvider`
`10`	`10`	`@Override`
`11`	`11`	`public JcaTlsCrypto create(SecureRandom keyRandom, SecureRandom nonceRandom)`
`12`	`12`	`{`
`13`		`- return new FipsJcaTlsCrypto(getHelper(), keyRandom, nonceRandom);`
	`13`	`+ return new FipsJcaTlsCrypto(getHelper(), getAltHelper(), keyRandom, nonceRandom);`
`14`	`14`	`}`
`15`	`15`	`}`