8297519: Improve expressions and modernise code in PKCS
Reviewed-by: weijun
This commit is contained in:
parent
1722f9cce3
commit
e9d501e442
@ -479,15 +479,12 @@ final class Config {
|
|||||||
}
|
}
|
||||||
case "nssDbMode"-> {
|
case "nssDbMode"-> {
|
||||||
String mode = parseStringEntry(st.sval);
|
String mode = parseStringEntry(st.sval);
|
||||||
if (mode.equals("readWrite")) {
|
nssDbMode = switch (mode) {
|
||||||
nssDbMode = Secmod.DbMode.READ_WRITE;
|
case "readWrite" -> Secmod.DbMode.READ_WRITE;
|
||||||
} else if (mode.equals("readOnly")) {
|
case "readOnly" -> Secmod.DbMode.READ_ONLY;
|
||||||
nssDbMode = Secmod.DbMode.READ_ONLY;
|
case "noDb" -> Secmod.DbMode.NO_DB;
|
||||||
} else if (mode.equals("noDb")) {
|
default -> throw excToken("nssDbMode must be one of readWrite, readOnly, and noDb:");
|
||||||
nssDbMode = Secmod.DbMode.NO_DB;
|
};
|
||||||
} else {
|
|
||||||
throw excToken("nssDbMode must be one of readWrite, readOnly, and noDb:");
|
|
||||||
}
|
|
||||||
nssUseSecmod = true;
|
nssUseSecmod = true;
|
||||||
}
|
}
|
||||||
case "nssNetscapeDbWorkaround"-> {
|
case "nssNetscapeDbWorkaround"-> {
|
||||||
@ -516,7 +513,7 @@ final class Config {
|
|||||||
if (name == null) {
|
if (name == null) {
|
||||||
throw new ConfigurationException("name must be specified");
|
throw new ConfigurationException("name must be specified");
|
||||||
}
|
}
|
||||||
if (nssUseSecmod == false) {
|
if (!nssUseSecmod) {
|
||||||
if (library == null) {
|
if (library == null) {
|
||||||
throw new ConfigurationException("library must be specified");
|
throw new ConfigurationException("library must be specified");
|
||||||
}
|
}
|
||||||
@ -533,7 +530,7 @@ final class Config {
|
|||||||
throw new ConfigurationException
|
throw new ConfigurationException
|
||||||
("nssArgs must not be specified in NSS mode");
|
("nssArgs must not be specified in NSS mode");
|
||||||
}
|
}
|
||||||
if (nssUseSecmodTrust != false) {
|
if (nssUseSecmodTrust) {
|
||||||
throw new ConfigurationException("nssUseSecmodTrust is an "
|
throw new ConfigurationException("nssUseSecmodTrust is an "
|
||||||
+ "internal option and must not be specified in NSS mode");
|
+ "internal option and must not be specified in NSS mode");
|
||||||
}
|
}
|
||||||
@ -623,14 +620,11 @@ final class Config {
|
|||||||
|
|
||||||
private boolean parseBoolean() throws IOException {
|
private boolean parseBoolean() throws IOException {
|
||||||
String val = parseWord();
|
String val = parseWord();
|
||||||
switch (val) {
|
return switch (val) {
|
||||||
case "true":
|
case "true" -> true;
|
||||||
return true;
|
case "false" -> false;
|
||||||
case "false":
|
default -> throw excToken("Expected boolean value, read:");
|
||||||
return false;
|
};
|
||||||
default:
|
|
||||||
throw excToken("Expected boolean value, read:");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private String parseLine() throws IOException {
|
private String parseLine() throws IOException {
|
||||||
@ -688,7 +682,7 @@ final class Config {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private byte[] decodeByteArray(String str) throws IOException {
|
private byte[] decodeByteArray(String str) throws IOException {
|
||||||
if (str.startsWith("0h") == false) {
|
if (!str.startsWith("0h")) {
|
||||||
throw excToken("Expected byte array value, read");
|
throw excToken("Expected byte array value, read");
|
||||||
}
|
}
|
||||||
str = str.substring(2);
|
str = str.substring(2);
|
||||||
@ -833,7 +827,7 @@ final class Config {
|
|||||||
int token = nextToken();
|
int token = nextToken();
|
||||||
if (token == '=') {
|
if (token == '=') {
|
||||||
String s = parseWord();
|
String s = parseWord();
|
||||||
if (s.equals("compatibility") == false) {
|
if (!s.equals("compatibility")) {
|
||||||
throw excLine("Expected 'compatibility', read " + s);
|
throw excLine("Expected 'compatibility', read " + s);
|
||||||
}
|
}
|
||||||
setCompatibilityAttributes();
|
setCompatibilityAttributes();
|
||||||
@ -964,16 +958,12 @@ final class Config {
|
|||||||
|
|
||||||
private String parseOperation() throws IOException {
|
private String parseOperation() throws IOException {
|
||||||
String op = parseWord();
|
String op = parseWord();
|
||||||
switch (op) {
|
return switch (op) {
|
||||||
case "*":
|
case "*" -> TemplateManager.O_ANY;
|
||||||
return TemplateManager.O_ANY;
|
case "generate" -> TemplateManager.O_GENERATE;
|
||||||
case "generate":
|
case "import" -> TemplateManager.O_IMPORT;
|
||||||
return TemplateManager.O_GENERATE;
|
default -> throw excLine("Unknown operation " + op);
|
||||||
case "import":
|
};
|
||||||
return TemplateManager.O_IMPORT;
|
|
||||||
default:
|
|
||||||
throw excLine("Unknown operation " + op);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private long parseObjectClass() throws IOException {
|
private long parseObjectClass() throws IOException {
|
||||||
@ -1044,15 +1034,12 @@ final class Config {
|
|||||||
checkDup(keyword);
|
checkDup(keyword);
|
||||||
parseEquals();
|
parseEquals();
|
||||||
String val = parseWord();
|
String val = parseWord();
|
||||||
if (val.equals("ignoreAll")) {
|
handleStartupErrors = switch (val) {
|
||||||
handleStartupErrors = ERR_IGNORE_ALL;
|
case "ignoreAll" -> ERR_IGNORE_ALL;
|
||||||
} else if (val.equals("ignoreMissingLibrary")) {
|
case "ignoreMissingLibrary" -> ERR_IGNORE_LIB;
|
||||||
handleStartupErrors = ERR_IGNORE_LIB;
|
case "halt" -> ERR_HALT;
|
||||||
} else if (val.equals("halt")) {
|
default -> throw excToken("Invalid value for handleStartupErrors:");
|
||||||
handleStartupErrors = ERR_HALT;
|
};
|
||||||
} else {
|
|
||||||
throw excToken("Invalid value for handleStartupErrors:");
|
|
||||||
}
|
|
||||||
if (DEBUG) {
|
if (DEBUG) {
|
||||||
System.out.println("handleStartupErrors: " + handleStartupErrors);
|
System.out.println("handleStartupErrors: " + handleStartupErrors);
|
||||||
}
|
}
|
||||||
|
@ -65,7 +65,7 @@ final class KeyCache {
|
|||||||
if (this == o) {
|
if (this == o) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
if (o instanceof IdentityWrapper == false) {
|
if (!(o instanceof IdentityWrapper)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
IdentityWrapper other = (IdentityWrapper)o;
|
IdentityWrapper other = (IdentityWrapper)o;
|
||||||
|
@ -208,7 +208,7 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
String apAlgo;
|
String apAlgo;
|
||||||
AlgorithmParameterSpec spec = null;
|
AlgorithmParameterSpec spec = null;
|
||||||
switch (type) {
|
switch (type) {
|
||||||
case AES_GCM:
|
case AES_GCM -> {
|
||||||
apAlgo = "GCM";
|
apAlgo = "GCM";
|
||||||
if (encrypt && iv == null && tagLen == -1) {
|
if (encrypt && iv == null && tagLen == -1) {
|
||||||
iv = new byte[type.defIvLen];
|
iv = new byte[type.defIvLen];
|
||||||
@ -218,8 +218,8 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
if (iv != null) {
|
if (iv != null) {
|
||||||
spec = new GCMParameterSpec(tagLen << 3, iv);
|
spec = new GCMParameterSpec(tagLen << 3, iv);
|
||||||
}
|
}
|
||||||
break;
|
}
|
||||||
case CHACHA20_POLY1305:
|
case CHACHA20_POLY1305 -> {
|
||||||
if (encrypt && iv == null) {
|
if (encrypt && iv == null) {
|
||||||
iv = new byte[type.defIvLen];
|
iv = new byte[type.defIvLen];
|
||||||
random.nextBytes(iv);
|
random.nextBytes(iv);
|
||||||
@ -228,9 +228,8 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
if (iv != null) {
|
if (iv != null) {
|
||||||
spec = new IvParameterSpec(iv);
|
spec = new IvParameterSpec(iv);
|
||||||
}
|
}
|
||||||
break;
|
}
|
||||||
default:
|
default -> throw new AssertionError("Unsupported type " + type);
|
||||||
throw new AssertionError("Unsupported type " + type);
|
|
||||||
}
|
}
|
||||||
if (spec != null) {
|
if (spec != null) {
|
||||||
try {
|
try {
|
||||||
@ -311,18 +310,10 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
try {
|
try {
|
||||||
AlgorithmParameterSpec paramSpec = null;
|
AlgorithmParameterSpec paramSpec = null;
|
||||||
if (params != null) {
|
if (params != null) {
|
||||||
switch (type) {
|
paramSpec = switch (type) {
|
||||||
case AES_GCM:
|
case AES_GCM -> params.getParameterSpec(GCMParameterSpec.class);
|
||||||
paramSpec =
|
case CHACHA20_POLY1305 -> params.getParameterSpec(IvParameterSpec.class);
|
||||||
params.getParameterSpec(GCMParameterSpec.class);
|
};
|
||||||
break;
|
|
||||||
case CHACHA20_POLY1305:
|
|
||||||
paramSpec =
|
|
||||||
params.getParameterSpec(IvParameterSpec.class);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
throw new AssertionError("Unsupported type " + type);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
engineInit(opmode, key, paramSpec, sr);
|
engineInit(opmode, key, paramSpec, sr);
|
||||||
} catch (InvalidParameterSpecException ex) {
|
} catch (InvalidParameterSpecException ex) {
|
||||||
@ -343,7 +334,7 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
P11Key newKey = P11SecretKeyFactory.convertKey(token, key,
|
P11Key newKey = P11SecretKeyFactory.convertKey(token, key,
|
||||||
type.keyAlgo);
|
type.keyAlgo);
|
||||||
switch (opmode) {
|
switch (opmode) {
|
||||||
case Cipher.ENCRYPT_MODE:
|
case Cipher.ENCRYPT_MODE -> {
|
||||||
encrypt = true;
|
encrypt = true;
|
||||||
requireReinit = Arrays.equals(iv, lastEncIv) &&
|
requireReinit = Arrays.equals(iv, lastEncIv) &&
|
||||||
(newKey == lastEncKey);
|
(newKey == lastEncKey);
|
||||||
@ -351,18 +342,16 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
throw new InvalidAlgorithmParameterException(
|
throw new InvalidAlgorithmParameterException(
|
||||||
"Cannot reuse the same key and iv pair");
|
"Cannot reuse the same key and iv pair");
|
||||||
}
|
}
|
||||||
break;
|
}
|
||||||
case Cipher.DECRYPT_MODE:
|
case Cipher.DECRYPT_MODE -> {
|
||||||
encrypt = false;
|
encrypt = false;
|
||||||
requireReinit = false;
|
requireReinit = false;
|
||||||
break;
|
}
|
||||||
case Cipher.WRAP_MODE:
|
case Cipher.WRAP_MODE, Cipher.UNWRAP_MODE -> throw new UnsupportedOperationException
|
||||||
case Cipher.UNWRAP_MODE:
|
("Unsupported mode: " + opmode);
|
||||||
throw new UnsupportedOperationException
|
default ->
|
||||||
("Unsupported mode: " + opmode);
|
|
||||||
default:
|
|
||||||
// should never happen; checked by Cipher.init()
|
// should never happen; checked by Cipher.init()
|
||||||
throw new AssertionError("Unknown mode: " + opmode);
|
throw new AssertionError("Unknown mode: " + opmode);
|
||||||
}
|
}
|
||||||
|
|
||||||
// decryption without parameters is checked in all engineInit() calls
|
// decryption without parameters is checked in all engineInit() calls
|
||||||
@ -372,20 +361,9 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
|
|
||||||
if (iv == null && tagLen == -1) {
|
if (iv == null && tagLen == -1) {
|
||||||
// generate default values
|
// generate default values
|
||||||
switch (type) {
|
iv = new byte[type.defIvLen];
|
||||||
case AES_GCM:
|
this.random.nextBytes(iv);
|
||||||
iv = new byte[type.defIvLen];
|
tagLen = type.defTagLen;
|
||||||
this.random.nextBytes(iv);
|
|
||||||
tagLen = type.defTagLen;
|
|
||||||
break;
|
|
||||||
case CHACHA20_POLY1305:
|
|
||||||
iv = new byte[type.defIvLen];
|
|
||||||
this.random.nextBytes(iv);
|
|
||||||
tagLen = type.defTagLen;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
throw new AssertionError("Unsupported type " + type);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
this.iv = iv;
|
this.iv = iv;
|
||||||
this.tagLen = tagLen;
|
this.tagLen = tagLen;
|
||||||
@ -463,19 +441,12 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
|
|
||||||
long p11KeyID = p11Key.getKeyID();
|
long p11KeyID = p11Key.getKeyID();
|
||||||
try {
|
try {
|
||||||
CK_MECHANISM mechWithParams;
|
CK_MECHANISM mechWithParams = switch (type) {
|
||||||
switch (type) {
|
case AES_GCM -> new CK_MECHANISM(mechanism,
|
||||||
case AES_GCM:
|
|
||||||
mechWithParams = new CK_MECHANISM(mechanism,
|
|
||||||
new CK_GCM_PARAMS(tagLen << 3, iv, aad));
|
new CK_GCM_PARAMS(tagLen << 3, iv, aad));
|
||||||
break;
|
case CHACHA20_POLY1305 -> new CK_MECHANISM(mechanism,
|
||||||
case CHACHA20_POLY1305:
|
|
||||||
mechWithParams = new CK_MECHANISM(mechanism,
|
|
||||||
new CK_SALSA20_CHACHA20_POLY1305_PARAMS(iv, aad));
|
new CK_SALSA20_CHACHA20_POLY1305_PARAMS(iv, aad));
|
||||||
break;
|
};
|
||||||
default:
|
|
||||||
throw new AssertionError("Unsupported type: " + type);
|
|
||||||
}
|
|
||||||
if (session == null) {
|
if (session == null) {
|
||||||
session = token.getOpSession();
|
session = token.getOpSession();
|
||||||
}
|
}
|
||||||
@ -513,7 +484,7 @@ final class P11AEADCipher extends CipherSpi {
|
|||||||
result -= tagLen;
|
result -= tagLen;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return (result > 0 ? result : 0);
|
return (Math.max(result, 0));
|
||||||
}
|
}
|
||||||
|
|
||||||
// reset the states to the pre-initialized values
|
// reset the states to the pre-initialized values
|
||||||
|
@ -225,21 +225,18 @@ final class P11Cipher extends CipherSpi {
|
|||||||
|
|
||||||
private int parseMode(String mode) throws NoSuchAlgorithmException {
|
private int parseMode(String mode) throws NoSuchAlgorithmException {
|
||||||
mode = mode.toUpperCase(Locale.ENGLISH);
|
mode = mode.toUpperCase(Locale.ENGLISH);
|
||||||
int result;
|
return switch (mode) {
|
||||||
if (mode.equals("ECB")) {
|
case "ECB" -> MODE_ECB;
|
||||||
result = MODE_ECB;
|
case "CBC" -> {
|
||||||
} else if (mode.equals("CBC")) {
|
if (blockSize == 0) {
|
||||||
if (blockSize == 0) {
|
throw new NoSuchAlgorithmException
|
||||||
throw new NoSuchAlgorithmException
|
("CBC mode not supported with stream ciphers");
|
||||||
("CBC mode not supported with stream ciphers");
|
}
|
||||||
|
yield MODE_CBC;
|
||||||
}
|
}
|
||||||
result = MODE_CBC;
|
case "CTR" -> MODE_CTR;
|
||||||
} else if (mode.equals("CTR")) {
|
default -> throw new NoSuchAlgorithmException("Unsupported mode " + mode);
|
||||||
result = MODE_CTR;
|
};
|
||||||
} else {
|
|
||||||
throw new NoSuchAlgorithmException("Unsupported mode " + mode);
|
|
||||||
}
|
|
||||||
return result;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// see JCE spec
|
// see JCE spec
|
||||||
@ -321,7 +318,7 @@ final class P11Cipher extends CipherSpi {
|
|||||||
throws InvalidKeyException, InvalidAlgorithmParameterException {
|
throws InvalidKeyException, InvalidAlgorithmParameterException {
|
||||||
byte[] ivValue;
|
byte[] ivValue;
|
||||||
if (params != null) {
|
if (params != null) {
|
||||||
if (params instanceof IvParameterSpec == false) {
|
if (!(params instanceof IvParameterSpec)) {
|
||||||
throw new InvalidAlgorithmParameterException
|
throw new InvalidAlgorithmParameterException
|
||||||
("Only IvParameterSpec supported");
|
("Only IvParameterSpec supported");
|
||||||
}
|
}
|
||||||
@ -363,21 +360,15 @@ final class P11Cipher extends CipherSpi {
|
|||||||
key.getEncoded().length) != fixedKeySize) {
|
key.getEncoded().length) != fixedKeySize) {
|
||||||
throw new InvalidKeyException("Key size is invalid");
|
throw new InvalidKeyException("Key size is invalid");
|
||||||
}
|
}
|
||||||
switch (opmode) {
|
encrypt = switch (opmode) {
|
||||||
case Cipher.ENCRYPT_MODE:
|
case Cipher.ENCRYPT_MODE -> true;
|
||||||
encrypt = true;
|
case Cipher.DECRYPT_MODE -> false;
|
||||||
break;
|
case Cipher.WRAP_MODE, Cipher.UNWRAP_MODE -> throw new UnsupportedOperationException
|
||||||
case Cipher.DECRYPT_MODE:
|
("Unsupported mode: " + opmode);
|
||||||
encrypt = false;
|
default ->
|
||||||
break;
|
|
||||||
case Cipher.WRAP_MODE:
|
|
||||||
case Cipher.UNWRAP_MODE:
|
|
||||||
throw new UnsupportedOperationException
|
|
||||||
("Unsupported mode: " + opmode);
|
|
||||||
default:
|
|
||||||
// should never happen; checked by Cipher.init()
|
// should never happen; checked by Cipher.init()
|
||||||
throw new AssertionError("Unknown mode: " + opmode);
|
throw new AssertionError("Unknown mode: " + opmode);
|
||||||
}
|
};
|
||||||
if (blockMode == MODE_ECB) { // ECB or stream cipher
|
if (blockMode == MODE_ECB) { // ECB or stream cipher
|
||||||
if (iv != null) {
|
if (iv != null) {
|
||||||
if (blockSize == 0) {
|
if (blockSize == 0) {
|
||||||
@ -390,7 +381,7 @@ final class P11Cipher extends CipherSpi {
|
|||||||
}
|
}
|
||||||
} else { // MODE_CBC or MODE_CTR
|
} else { // MODE_CBC or MODE_CTR
|
||||||
if (iv == null) {
|
if (iv == null) {
|
||||||
if (encrypt == false) {
|
if (!encrypt) {
|
||||||
String exMsg =
|
String exMsg =
|
||||||
(blockMode == MODE_CBC ?
|
(blockMode == MODE_CBC ?
|
||||||
"IV must be specified for decryption in CBC mode" :
|
"IV must be specified for decryption in CBC mode" :
|
||||||
|
@ -51,8 +51,7 @@ final class P11DHKeyFactory extends P11KeyFactory {
|
|||||||
|
|
||||||
PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
|
PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
|
||||||
try {
|
try {
|
||||||
if (key instanceof DHPublicKey) {
|
if (key instanceof DHPublicKey dhKey) {
|
||||||
DHPublicKey dhKey = (DHPublicKey)key;
|
|
||||||
DHParameterSpec params = dhKey.getParams();
|
DHParameterSpec params = dhKey.getParams();
|
||||||
return generatePublic(
|
return generatePublic(
|
||||||
dhKey.getY(),
|
dhKey.getY(),
|
||||||
@ -80,8 +79,7 @@ final class P11DHKeyFactory extends P11KeyFactory {
|
|||||||
PrivateKey implTranslatePrivateKey(PrivateKey key)
|
PrivateKey implTranslatePrivateKey(PrivateKey key)
|
||||||
throws InvalidKeyException {
|
throws InvalidKeyException {
|
||||||
try {
|
try {
|
||||||
if (key instanceof DHPrivateKey) {
|
if (key instanceof DHPrivateKey dhKey) {
|
||||||
DHPrivateKey dhKey = (DHPrivateKey)key;
|
|
||||||
DHParameterSpec params = dhKey.getParams();
|
DHParameterSpec params = dhKey.getParams();
|
||||||
return generatePrivate(
|
return generatePrivate(
|
||||||
dhKey.getX(),
|
dhKey.getX(),
|
||||||
@ -120,7 +118,7 @@ final class P11DHKeyFactory extends P11KeyFactory {
|
|||||||
("Could not create DH public key", e);
|
("Could not create DH public key", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keySpec instanceof DHPublicKeySpec == false) {
|
if (!(keySpec instanceof DHPublicKeySpec)) {
|
||||||
throw new InvalidKeySpecException("Only DHPublicKeySpec and "
|
throw new InvalidKeySpecException("Only DHPublicKeySpec and "
|
||||||
+ "X509EncodedKeySpec supported for DH public keys");
|
+ "X509EncodedKeySpec supported for DH public keys");
|
||||||
}
|
}
|
||||||
@ -151,7 +149,7 @@ final class P11DHKeyFactory extends P11KeyFactory {
|
|||||||
("Could not create DH private key", e);
|
("Could not create DH private key", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keySpec instanceof DHPrivateKeySpec == false) {
|
if (!(keySpec instanceof DHPrivateKeySpec)) {
|
||||||
throw new InvalidKeySpecException("Only DHPrivateKeySpec and "
|
throw new InvalidKeySpecException("Only DHPrivateKeySpec and "
|
||||||
+ "PKCS8EncodedKeySpec supported for DH private keys");
|
+ "PKCS8EncodedKeySpec supported for DH private keys");
|
||||||
}
|
}
|
||||||
|
@ -49,8 +49,7 @@ final class P11DSAKeyFactory extends P11KeyFactory {
|
|||||||
|
|
||||||
PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
|
PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
|
||||||
try {
|
try {
|
||||||
if (key instanceof DSAPublicKey) {
|
if (key instanceof DSAPublicKey dsaKey) {
|
||||||
DSAPublicKey dsaKey = (DSAPublicKey)key;
|
|
||||||
DSAParams params = dsaKey.getParams();
|
DSAParams params = dsaKey.getParams();
|
||||||
return generatePublic(
|
return generatePublic(
|
||||||
dsaKey.getY(),
|
dsaKey.getY(),
|
||||||
@ -75,8 +74,7 @@ final class P11DSAKeyFactory extends P11KeyFactory {
|
|||||||
PrivateKey implTranslatePrivateKey(PrivateKey key)
|
PrivateKey implTranslatePrivateKey(PrivateKey key)
|
||||||
throws InvalidKeyException {
|
throws InvalidKeyException {
|
||||||
try {
|
try {
|
||||||
if (key instanceof DSAPrivateKey) {
|
if (key instanceof DSAPrivateKey dsaKey) {
|
||||||
DSAPrivateKey dsaKey = (DSAPrivateKey)key;
|
|
||||||
DSAParams params = dsaKey.getParams();
|
DSAParams params = dsaKey.getParams();
|
||||||
return generatePrivate(
|
return generatePrivate(
|
||||||
dsaKey.getX(),
|
dsaKey.getX(),
|
||||||
@ -112,7 +110,7 @@ final class P11DSAKeyFactory extends P11KeyFactory {
|
|||||||
("Could not create DSA public key", e);
|
("Could not create DSA public key", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keySpec instanceof DSAPublicKeySpec == false) {
|
if (!(keySpec instanceof DSAPublicKeySpec)) {
|
||||||
throw new InvalidKeySpecException("Only DSAPublicKeySpec and "
|
throw new InvalidKeySpecException("Only DSAPublicKeySpec and "
|
||||||
+ "X509EncodedKeySpec supported for DSA public keys");
|
+ "X509EncodedKeySpec supported for DSA public keys");
|
||||||
}
|
}
|
||||||
@ -144,7 +142,7 @@ final class P11DSAKeyFactory extends P11KeyFactory {
|
|||||||
("Could not create DSA private key", e);
|
("Could not create DSA private key", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keySpec instanceof DSAPrivateKeySpec == false) {
|
if (!(keySpec instanceof DSAPrivateKeySpec)) {
|
||||||
throw new InvalidKeySpecException("Only DSAPrivateKeySpec and "
|
throw new InvalidKeySpecException("Only DSAPrivateKeySpec and "
|
||||||
+ "PKCS8EncodedKeySpec supported for DSA private keys");
|
+ "PKCS8EncodedKeySpec supported for DSA private keys");
|
||||||
}
|
}
|
||||||
|
@ -95,35 +95,15 @@ final class P11Digest extends MessageDigestSpi implements Cloneable,
|
|||||||
this.token = token;
|
this.token = token;
|
||||||
this.algorithm = algorithm;
|
this.algorithm = algorithm;
|
||||||
this.mechanism = new CK_MECHANISM(mechanism);
|
this.mechanism = new CK_MECHANISM(mechanism);
|
||||||
switch ((int)mechanism) {
|
digestLength = switch ((int) mechanism) {
|
||||||
case (int)CKM_MD2:
|
case (int) CKM_MD2, (int) CKM_MD5 -> 16;
|
||||||
case (int)CKM_MD5:
|
case (int) CKM_SHA_1 -> 20;
|
||||||
digestLength = 16;
|
case (int) CKM_SHA224, (int) CKM_SHA512_224, (int) CKM_SHA3_224 -> 28;
|
||||||
break;
|
case (int) CKM_SHA256, (int) CKM_SHA512_256, (int) CKM_SHA3_256 -> 32;
|
||||||
case (int)CKM_SHA_1:
|
case (int) CKM_SHA384, (int) CKM_SHA3_384 -> 48;
|
||||||
digestLength = 20;
|
case (int) CKM_SHA512, (int) CKM_SHA3_512 -> 64;
|
||||||
break;
|
default -> throw new ProviderException("Unknown mechanism: " + mechanism);
|
||||||
case (int)CKM_SHA224:
|
};
|
||||||
case (int)CKM_SHA512_224:
|
|
||||||
case (int)CKM_SHA3_224:
|
|
||||||
digestLength = 28;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA256:
|
|
||||||
case (int)CKM_SHA512_256:
|
|
||||||
case (int)CKM_SHA3_256:
|
|
||||||
digestLength = 32;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA384:
|
|
||||||
case (int)CKM_SHA3_384:
|
|
||||||
digestLength = 48;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA512:
|
|
||||||
case (int)CKM_SHA3_512:
|
|
||||||
digestLength = 64;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
throw new ProviderException("Unknown mechanism: " + mechanism);
|
|
||||||
}
|
|
||||||
buffer = new byte[BUFFER_SIZE];
|
buffer = new byte[BUFFER_SIZE];
|
||||||
state = S_BLANK;
|
state = S_BLANK;
|
||||||
}
|
}
|
||||||
@ -150,8 +130,8 @@ final class P11Digest extends MessageDigestSpi implements Cloneable,
|
|||||||
token.ensureValid();
|
token.ensureValid();
|
||||||
|
|
||||||
if (session != null) {
|
if (session != null) {
|
||||||
if (state == S_INIT && token.explicitCancel == true
|
if (state == S_INIT && token.explicitCancel
|
||||||
&& session.hasObjects() == false) {
|
&& !session.hasObjects()) {
|
||||||
session = token.killSession(session);
|
session = token.killSession(session);
|
||||||
} else {
|
} else {
|
||||||
session = token.releaseSession(session);
|
session = token.releaseSession(session);
|
||||||
@ -252,10 +232,9 @@ final class P11Digest extends MessageDigestSpi implements Cloneable,
|
|||||||
// SunJSSE calls this method only if the key does not have a RAW
|
// SunJSSE calls this method only if the key does not have a RAW
|
||||||
// encoding, i.e. if it is sensitive. Therefore, no point in calling
|
// encoding, i.e. if it is sensitive. Therefore, no point in calling
|
||||||
// SecretKeyFactory to try to convert it. Just verify it ourselves.
|
// SecretKeyFactory to try to convert it. Just verify it ourselves.
|
||||||
if (key instanceof P11Key == false) {
|
if (!(key instanceof P11Key p11Key)) {
|
||||||
throw new InvalidKeyException("Not a P11Key: " + key);
|
throw new InvalidKeyException("Not a P11Key: " + key);
|
||||||
}
|
}
|
||||||
P11Key p11Key = (P11Key)key;
|
|
||||||
if (p11Key.token != token) {
|
if (p11Key.token != token) {
|
||||||
throw new InvalidKeyException("Not a P11Key of this provider: " +
|
throw new InvalidKeyException("Not a P11Key of this provider: " +
|
||||||
key);
|
key);
|
||||||
@ -289,7 +268,7 @@ final class P11Digest extends MessageDigestSpi implements Cloneable,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (byteBuffer instanceof DirectBuffer == false) {
|
if (!(byteBuffer instanceof DirectBuffer)) {
|
||||||
super.engineUpdate(byteBuffer);
|
super.engineUpdate(byteBuffer);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -71,7 +71,7 @@ final class P11ECDHKeyAgreement extends KeyAgreementSpi {
|
|||||||
// see JCE spec
|
// see JCE spec
|
||||||
protected void engineInit(Key key, SecureRandom random)
|
protected void engineInit(Key key, SecureRandom random)
|
||||||
throws InvalidKeyException {
|
throws InvalidKeyException {
|
||||||
if (key instanceof PrivateKey == false) {
|
if (!(key instanceof PrivateKey)) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("Key must be instance of PrivateKey");
|
("Key must be instance of PrivateKey");
|
||||||
}
|
}
|
||||||
@ -99,15 +99,14 @@ final class P11ECDHKeyAgreement extends KeyAgreementSpi {
|
|||||||
if (publicValue != null) {
|
if (publicValue != null) {
|
||||||
throw new IllegalStateException("Phase already executed");
|
throw new IllegalStateException("Phase already executed");
|
||||||
}
|
}
|
||||||
if (lastPhase == false) {
|
if (!lastPhase) {
|
||||||
throw new IllegalStateException
|
throw new IllegalStateException
|
||||||
("Only two party agreement supported, lastPhase must be true");
|
("Only two party agreement supported, lastPhase must be true");
|
||||||
}
|
}
|
||||||
if (key instanceof ECPublicKey == false) {
|
if (!(key instanceof ECPublicKey ecKey)) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("Key must be a PublicKey with algorithm EC");
|
("Key must be a PublicKey with algorithm EC");
|
||||||
}
|
}
|
||||||
ECPublicKey ecKey = (ECPublicKey)key;
|
|
||||||
int keyLenBits = ecKey.getParams().getCurve().getField().getFieldSize();
|
int keyLenBits = ecKey.getParams().getCurve().getField().getFieldSize();
|
||||||
secretLen = (keyLenBits + 7) >> 3;
|
secretLen = (keyLenBits + 7) >> 3;
|
||||||
publicValue = P11ECKeyFactory.getEncodedPublicValue(ecKey);
|
publicValue = P11ECKeyFactory.getEncodedPublicValue(ecKey);
|
||||||
@ -169,7 +168,7 @@ final class P11ECDHKeyAgreement extends KeyAgreementSpi {
|
|||||||
if (algorithm == null) {
|
if (algorithm == null) {
|
||||||
throw new NoSuchAlgorithmException("Algorithm must not be null");
|
throw new NoSuchAlgorithmException("Algorithm must not be null");
|
||||||
}
|
}
|
||||||
if (algorithm.equals("TlsPremasterSecret") == false) {
|
if (!algorithm.equals("TlsPremasterSecret")) {
|
||||||
throw new NoSuchAlgorithmException
|
throw new NoSuchAlgorithmException
|
||||||
("Only supported for algorithm TlsPremasterSecret");
|
("Only supported for algorithm TlsPremasterSecret");
|
||||||
}
|
}
|
||||||
|
@ -91,8 +91,7 @@ final class P11ECKeyFactory extends P11KeyFactory {
|
|||||||
|
|
||||||
// Used by ECDH KeyAgreement
|
// Used by ECDH KeyAgreement
|
||||||
static byte[] getEncodedPublicValue(PublicKey key) throws InvalidKeyException {
|
static byte[] getEncodedPublicValue(PublicKey key) throws InvalidKeyException {
|
||||||
if (key instanceof ECPublicKey) {
|
if (key instanceof ECPublicKey ecKey) {
|
||||||
ECPublicKey ecKey = (ECPublicKey)key;
|
|
||||||
ECPoint w = ecKey.getW();
|
ECPoint w = ecKey.getW();
|
||||||
ECParameterSpec params = ecKey.getParams();
|
ECParameterSpec params = ecKey.getParams();
|
||||||
return ECUtil.encodePoint(w, params.getCurve());
|
return ECUtil.encodePoint(w, params.getCurve());
|
||||||
@ -105,8 +104,7 @@ final class P11ECKeyFactory extends P11KeyFactory {
|
|||||||
|
|
||||||
PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
|
PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
|
||||||
try {
|
try {
|
||||||
if (key instanceof ECPublicKey) {
|
if (key instanceof ECPublicKey ecKey) {
|
||||||
ECPublicKey ecKey = (ECPublicKey)key;
|
|
||||||
return generatePublic(
|
return generatePublic(
|
||||||
ecKey.getW(),
|
ecKey.getW(),
|
||||||
ecKey.getParams()
|
ecKey.getParams()
|
||||||
@ -134,8 +132,7 @@ final class P11ECKeyFactory extends P11KeyFactory {
|
|||||||
PrivateKey implTranslatePrivateKey(PrivateKey key)
|
PrivateKey implTranslatePrivateKey(PrivateKey key)
|
||||||
throws InvalidKeyException {
|
throws InvalidKeyException {
|
||||||
try {
|
try {
|
||||||
if (key instanceof ECPrivateKey) {
|
if (key instanceof ECPrivateKey ecKey) {
|
||||||
ECPrivateKey ecKey = (ECPrivateKey)key;
|
|
||||||
return generatePrivate(
|
return generatePrivate(
|
||||||
ecKey.getS(),
|
ecKey.getS(),
|
||||||
ecKey.getParams()
|
ecKey.getParams()
|
||||||
@ -174,7 +171,7 @@ final class P11ECKeyFactory extends P11KeyFactory {
|
|||||||
("Could not create EC public key", e);
|
("Could not create EC public key", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keySpec instanceof ECPublicKeySpec == false) {
|
if (!(keySpec instanceof ECPublicKeySpec)) {
|
||||||
throw new InvalidKeySpecException("Only ECPublicKeySpec and "
|
throw new InvalidKeySpecException("Only ECPublicKeySpec and "
|
||||||
+ "X509EncodedKeySpec supported for EC public keys");
|
+ "X509EncodedKeySpec supported for EC public keys");
|
||||||
}
|
}
|
||||||
@ -204,7 +201,7 @@ final class P11ECKeyFactory extends P11KeyFactory {
|
|||||||
("Could not create EC private key", e);
|
("Could not create EC private key", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keySpec instanceof ECPrivateKeySpec == false) {
|
if (!(keySpec instanceof ECPrivateKeySpec)) {
|
||||||
throw new InvalidKeySpecException("Only ECPrivateKeySpec and "
|
throw new InvalidKeySpecException("Only ECPrivateKeySpec and "
|
||||||
+ "PKCS8EncodedKeySpec supported for EC private keys");
|
+ "PKCS8EncodedKeySpec supported for EC private keys");
|
||||||
}
|
}
|
||||||
|
@ -189,10 +189,10 @@ abstract class P11Key implements Key, Length {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
// equals() should never throw exceptions
|
// equals() should never throw exceptions
|
||||||
if (token.isValid() == false) {
|
if (!token.isValid()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (obj instanceof Key == false) {
|
if (!(obj instanceof Key other)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
String thisFormat = getFormat();
|
String thisFormat = getFormat();
|
||||||
@ -201,8 +201,7 @@ abstract class P11Key implements Key, Length {
|
|||||||
// XXX getEncoded() for unextractable keys will change that
|
// XXX getEncoded() for unextractable keys will change that
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
Key other = (Key)obj;
|
if (!thisFormat.equals(other.getFormat())) {
|
||||||
if (thisFormat.equals(other.getFormat()) == false) {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
byte[] thisEnc = this.getEncodedInternal();
|
byte[] thisEnc = this.getEncodedInternal();
|
||||||
@ -217,7 +216,7 @@ abstract class P11Key implements Key, Length {
|
|||||||
|
|
||||||
public int hashCode() {
|
public int hashCode() {
|
||||||
// hashCode() should never throw exceptions
|
// hashCode() should never throw exceptions
|
||||||
if (token.isValid() == false) {
|
if (!token.isValid()) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
byte[] b1 = getEncodedInternal();
|
byte[] b1 = getEncodedInternal();
|
||||||
@ -370,23 +369,18 @@ abstract class P11Key implements Key, Length {
|
|||||||
// we assume that all components of public keys are always accessible
|
// we assume that all components of public keys are always accessible
|
||||||
static PublicKey publicKey(Session session, long keyID, String algorithm,
|
static PublicKey publicKey(Session session, long keyID, String algorithm,
|
||||||
int keyLength, CK_ATTRIBUTE[] attrs) {
|
int keyLength, CK_ATTRIBUTE[] attrs) {
|
||||||
switch (algorithm) {
|
return switch (algorithm) {
|
||||||
case "RSA":
|
case "RSA" -> new P11RSAPublicKey(session, keyID, algorithm,
|
||||||
return new P11RSAPublicKey(session, keyID, algorithm,
|
keyLength, attrs);
|
||||||
keyLength, attrs);
|
case "DSA" -> new P11DSAPublicKey(session, keyID, algorithm,
|
||||||
case "DSA":
|
keyLength, attrs);
|
||||||
return new P11DSAPublicKey(session, keyID, algorithm,
|
case "DH" -> new P11DHPublicKey(session, keyID, algorithm,
|
||||||
keyLength, attrs);
|
keyLength, attrs);
|
||||||
case "DH":
|
case "EC" -> new P11ECPublicKey(session, keyID, algorithm,
|
||||||
return new P11DHPublicKey(session, keyID, algorithm,
|
keyLength, attrs);
|
||||||
keyLength, attrs);
|
default -> throw new ProviderException
|
||||||
case "EC":
|
|
||||||
return new P11ECPublicKey(session, keyID, algorithm,
|
|
||||||
keyLength, attrs);
|
|
||||||
default:
|
|
||||||
throw new ProviderException
|
|
||||||
("Unknown public key algorithm " + algorithm);
|
("Unknown public key algorithm " + algorithm);
|
||||||
}
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
static PrivateKey privateKey(Session session, long keyID, String algorithm,
|
static PrivateKey privateKey(Session session, long keyID, String algorithm,
|
||||||
@ -400,23 +394,18 @@ abstract class P11Key implements Key, Length {
|
|||||||
boolean keySensitive = (attrs[0].getBoolean() ||
|
boolean keySensitive = (attrs[0].getBoolean() ||
|
||||||
attrs[1].getBoolean() || !attrs[2].getBoolean());
|
attrs[1].getBoolean() || !attrs[2].getBoolean());
|
||||||
|
|
||||||
switch (algorithm) {
|
return switch (algorithm) {
|
||||||
case "RSA":
|
case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm,
|
||||||
return P11RSAPrivateKeyInternal.of(session, keyID, algorithm,
|
|
||||||
keyLength, attrs, keySensitive);
|
keyLength, attrs, keySensitive);
|
||||||
case "DSA":
|
case "DSA" -> P11DSAPrivateKeyInternal.of(session, keyID, algorithm,
|
||||||
return P11DSAPrivateKeyInternal.of(session, keyID, algorithm,
|
|
||||||
keyLength, attrs, keySensitive);
|
keyLength, attrs, keySensitive);
|
||||||
case "DH":
|
case "DH" -> P11DHPrivateKeyInternal.of(session, keyID, algorithm,
|
||||||
return P11DHPrivateKeyInternal.of(session, keyID, algorithm,
|
|
||||||
keyLength, attrs, keySensitive);
|
keyLength, attrs, keySensitive);
|
||||||
case "EC":
|
case "EC" -> P11ECPrivateKeyInternal.of(session, keyID, algorithm,
|
||||||
return P11ECPrivateKeyInternal.of(session, keyID, algorithm,
|
|
||||||
keyLength, attrs, keySensitive);
|
keyLength, attrs, keySensitive);
|
||||||
default:
|
default -> throw new ProviderException
|
||||||
throw new ProviderException
|
|
||||||
("Unknown private key algorithm " + algorithm);
|
("Unknown private key algorithm " + algorithm);
|
||||||
}
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
// base class for all PKCS11 private keys
|
// base class for all PKCS11 private keys
|
||||||
@ -1108,7 +1097,7 @@ abstract class P11Key implements Key, Length {
|
|||||||
+ "\n g: " + params.getG();
|
+ "\n g: " + params.getG();
|
||||||
}
|
}
|
||||||
public int hashCode() {
|
public int hashCode() {
|
||||||
if (token.isValid() == false) {
|
if (!token.isValid()) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
fetchValues();
|
fetchValues();
|
||||||
@ -1117,14 +1106,13 @@ abstract class P11Key implements Key, Length {
|
|||||||
public boolean equals(Object obj) {
|
public boolean equals(Object obj) {
|
||||||
if (this == obj) return true;
|
if (this == obj) return true;
|
||||||
// equals() should never throw exceptions
|
// equals() should never throw exceptions
|
||||||
if (token.isValid() == false) {
|
if (!token.isValid()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!(obj instanceof DHPublicKey)) {
|
if (!(obj instanceof DHPublicKey other)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
fetchValues();
|
fetchValues();
|
||||||
DHPublicKey other = (DHPublicKey) obj;
|
|
||||||
DHParameterSpec otherParams = other.getParams();
|
DHParameterSpec otherParams = other.getParams();
|
||||||
return ((this.y.compareTo(other.getY()) == 0) &&
|
return ((this.y.compareTo(other.getY()) == 0) &&
|
||||||
(this.params.getP().compareTo(otherParams.getP()) == 0) &&
|
(this.params.getP().compareTo(otherParams.getP()) == 0) &&
|
||||||
|
@ -91,7 +91,7 @@ final class P11KeyAgreement extends KeyAgreementSpi {
|
|||||||
// see JCE spec
|
// see JCE spec
|
||||||
protected void engineInit(Key key, SecureRandom random)
|
protected void engineInit(Key key, SecureRandom random)
|
||||||
throws InvalidKeyException {
|
throws InvalidKeyException {
|
||||||
if (key instanceof PrivateKey == false) {
|
if (!(key instanceof PrivateKey)) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("Key must be instance of PrivateKey");
|
("Key must be instance of PrivateKey");
|
||||||
}
|
}
|
||||||
@ -126,7 +126,7 @@ final class P11KeyAgreement extends KeyAgreementSpi {
|
|||||||
// NOTE that we initialize using the P11Key, which will fail if it
|
// NOTE that we initialize using the P11Key, which will fail if it
|
||||||
// is sensitive/unextractable. However, this is not an issue in the
|
// is sensitive/unextractable. However, this is not an issue in the
|
||||||
// compatibility configuration, which is all we are targeting here.
|
// compatibility configuration, which is all we are targeting here.
|
||||||
if ((multiPartyAgreement != null) || (lastPhase == false)) {
|
if ((multiPartyAgreement != null) || (!lastPhase)) {
|
||||||
if (multiPartyAgreement == null) {
|
if (multiPartyAgreement == null) {
|
||||||
try {
|
try {
|
||||||
multiPartyAgreement = KeyAgreement.getInstance
|
multiPartyAgreement = KeyAgreement.getInstance
|
||||||
@ -139,14 +139,13 @@ final class P11KeyAgreement extends KeyAgreementSpi {
|
|||||||
}
|
}
|
||||||
return multiPartyAgreement.doPhase(key, lastPhase);
|
return multiPartyAgreement.doPhase(key, lastPhase);
|
||||||
}
|
}
|
||||||
if ((key instanceof PublicKey == false)
|
if ((!(key instanceof PublicKey))
|
||||||
|| (key.getAlgorithm().equals(algorithm) == false)) {
|
|| (!key.getAlgorithm().equals(algorithm))) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("Key must be a PublicKey with algorithm DH");
|
("Key must be a PublicKey with algorithm DH");
|
||||||
}
|
}
|
||||||
BigInteger p, g, y;
|
BigInteger p, g, y;
|
||||||
if (key instanceof DHPublicKey) {
|
if (key instanceof DHPublicKey dhKey) {
|
||||||
DHPublicKey dhKey = (DHPublicKey)key;
|
|
||||||
|
|
||||||
// validate the Diffie-Hellman public key
|
// validate the Diffie-Hellman public key
|
||||||
KeyUtil.validate(dhKey);
|
KeyUtil.validate(dhKey);
|
||||||
@ -176,11 +175,10 @@ final class P11KeyAgreement extends KeyAgreementSpi {
|
|||||||
// if parameters of private key are accessible, verify that
|
// if parameters of private key are accessible, verify that
|
||||||
// they match parameters of public key
|
// they match parameters of public key
|
||||||
// XXX p and g should always be readable, even if the key is sensitive
|
// XXX p and g should always be readable, even if the key is sensitive
|
||||||
if (privateKey instanceof DHPrivateKey) {
|
if (privateKey instanceof DHPrivateKey dhKey) {
|
||||||
DHPrivateKey dhKey = (DHPrivateKey)privateKey;
|
|
||||||
DHParameterSpec params = dhKey.getParams();
|
DHParameterSpec params = dhKey.getParams();
|
||||||
if ((p.equals(params.getP()) == false)
|
if ((!p.equals(params.getP()))
|
||||||
|| (g.equals(params.getG()) == false)) {
|
|| (!g.equals(params.getG()))) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("PublicKey DH parameters must match PrivateKey DH parameters");
|
("PublicKey DH parameters must match PrivateKey DH parameters");
|
||||||
}
|
}
|
||||||
|
@ -134,12 +134,11 @@ abstract class P11KeyFactory extends KeyFactorySpi {
|
|||||||
if (key == null) {
|
if (key == null) {
|
||||||
throw new InvalidKeyException("Key must not be null");
|
throw new InvalidKeyException("Key must not be null");
|
||||||
}
|
}
|
||||||
if (key.getAlgorithm().equals(this.algorithm) == false) {
|
if (!key.getAlgorithm().equals(this.algorithm)) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("Key algorithm must be " + algorithm);
|
("Key algorithm must be " + algorithm);
|
||||||
}
|
}
|
||||||
if (key instanceof P11Key) {
|
if (key instanceof P11Key p11Key) {
|
||||||
P11Key p11Key = (P11Key)key;
|
|
||||||
if (p11Key.token == token) {
|
if (p11Key.token == token) {
|
||||||
// already a key of this token, no need to translate
|
// already a key of this token, no need to translate
|
||||||
return key;
|
return key;
|
||||||
|
@ -209,106 +209,105 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|||||||
// set default keysize and keyType
|
// set default keysize and keyType
|
||||||
private void setDefault() {
|
private void setDefault() {
|
||||||
significantKeySize = -1;
|
significantKeySize = -1;
|
||||||
switch ((int)mechanism) {
|
switch ((int) mechanism) {
|
||||||
case (int)CKM_DES_KEY_GEN:
|
case (int) CKM_DES_KEY_GEN -> {
|
||||||
keySize = 64;
|
keySize = 64;
|
||||||
keyType = CKK_DES;
|
keyType = CKK_DES;
|
||||||
significantKeySize = 56;
|
significantKeySize = 56;
|
||||||
break;
|
|
||||||
case (int)CKM_DES2_KEY_GEN:
|
|
||||||
keySize = 128;
|
|
||||||
keyType = CKK_DES2;
|
|
||||||
significantKeySize = 112;
|
|
||||||
break;
|
|
||||||
case (int)CKM_DES3_KEY_GEN:
|
|
||||||
keySize = 192;
|
|
||||||
keyType = CKK_DES3;
|
|
||||||
significantKeySize = 168;
|
|
||||||
break;
|
|
||||||
case (int)CKM_AES_KEY_GEN:
|
|
||||||
keySize = adjustKeySize
|
|
||||||
(SecurityProviderConstants.getDefAESKeySize(), range);
|
|
||||||
keyType = CKK_AES;
|
|
||||||
break;
|
|
||||||
case (int)CKM_RC4_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(128, range);
|
|
||||||
keyType = CKK_RC4;
|
|
||||||
break;
|
|
||||||
case (int)CKM_BLOWFISH_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(128, range);
|
|
||||||
keyType = CKK_BLOWFISH;
|
|
||||||
break;
|
|
||||||
case (int)CKM_CHACHA20_KEY_GEN:
|
|
||||||
keySize = 256;
|
|
||||||
keyType = CKK_CHACHA20;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA_1_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(160, range);
|
|
||||||
keyType = CKK_SHA_1_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA224_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(224, range);
|
|
||||||
keyType = CKK_SHA224_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA256_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(256, range);
|
|
||||||
keyType = CKK_SHA256_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA384_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(384, range);
|
|
||||||
keyType = CKK_SHA384_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA512_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(512, range);
|
|
||||||
keyType = CKK_SHA512_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA512_224_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(224, range);
|
|
||||||
keyType = CKK_SHA512_224_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA512_256_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(256, range);
|
|
||||||
keyType = CKK_SHA512_256_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA3_224_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(224, range);
|
|
||||||
keyType = CKK_SHA3_224_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA3_256_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(256, range);
|
|
||||||
keyType = CKK_SHA3_256_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA3_384_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(384, range);
|
|
||||||
keyType = CKK_SHA3_384_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA3_512_KEY_GEN:
|
|
||||||
keySize = adjustKeySize(512, range);
|
|
||||||
keyType = CKK_SHA3_512_HMAC;
|
|
||||||
break;
|
|
||||||
case (int)CKM_GENERIC_SECRET_KEY_GEN:
|
|
||||||
if (algorithm.startsWith("Hmac")) {
|
|
||||||
String digest = algorithm.substring(4);
|
|
||||||
keySize = adjustKeySize(switch (digest) {
|
|
||||||
case "MD5" -> 512;
|
|
||||||
case "SHA1" -> 160;
|
|
||||||
case "SHA224", "SHA512/224", "SHA3-224" -> 224;
|
|
||||||
case "SHA256", "SHA512/256", "SHA3-256" -> 256;
|
|
||||||
case "SHA384", "SHA3-384" -> 384;
|
|
||||||
case "SHA512", "SHA3-512" -> 512;
|
|
||||||
default -> {
|
|
||||||
throw new ProviderException("Unsupported algorithm " +
|
|
||||||
algorithm);
|
|
||||||
}
|
|
||||||
}, range);
|
|
||||||
} else {
|
|
||||||
throw new ProviderException("Unsupported algorithm " +
|
|
||||||
algorithm);
|
|
||||||
}
|
}
|
||||||
keyType = CKK_GENERIC_SECRET;
|
case (int) CKM_DES2_KEY_GEN -> {
|
||||||
break;
|
keySize = 128;
|
||||||
default:
|
keyType = CKK_DES2;
|
||||||
throw new ProviderException("Unknown mechanism " + mechanism);
|
significantKeySize = 112;
|
||||||
|
}
|
||||||
|
case (int) CKM_DES3_KEY_GEN -> {
|
||||||
|
keySize = 192;
|
||||||
|
keyType = CKK_DES3;
|
||||||
|
significantKeySize = 168;
|
||||||
|
}
|
||||||
|
case (int) CKM_AES_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize
|
||||||
|
(SecurityProviderConstants.getDefAESKeySize(), range);
|
||||||
|
keyType = CKK_AES;
|
||||||
|
}
|
||||||
|
case (int) CKM_RC4_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(128, range);
|
||||||
|
keyType = CKK_RC4;
|
||||||
|
}
|
||||||
|
case (int) CKM_BLOWFISH_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(128, range);
|
||||||
|
keyType = CKK_BLOWFISH;
|
||||||
|
}
|
||||||
|
case (int) CKM_CHACHA20_KEY_GEN -> {
|
||||||
|
keySize = 256;
|
||||||
|
keyType = CKK_CHACHA20;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA_1_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(160, range);
|
||||||
|
keyType = CKK_SHA_1_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA224_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(224, range);
|
||||||
|
keyType = CKK_SHA224_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA256_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(256, range);
|
||||||
|
keyType = CKK_SHA256_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA384_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(384, range);
|
||||||
|
keyType = CKK_SHA384_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA512_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(512, range);
|
||||||
|
keyType = CKK_SHA512_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA512_224_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(224, range);
|
||||||
|
keyType = CKK_SHA512_224_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA512_256_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(256, range);
|
||||||
|
keyType = CKK_SHA512_256_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA3_224_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(224, range);
|
||||||
|
keyType = CKK_SHA3_224_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA3_256_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(256, range);
|
||||||
|
keyType = CKK_SHA3_256_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA3_384_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(384, range);
|
||||||
|
keyType = CKK_SHA3_384_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_SHA3_512_KEY_GEN -> {
|
||||||
|
keySize = adjustKeySize(512, range);
|
||||||
|
keyType = CKK_SHA3_512_HMAC;
|
||||||
|
}
|
||||||
|
case (int) CKM_GENERIC_SECRET_KEY_GEN -> {
|
||||||
|
if (algorithm.startsWith("Hmac")) {
|
||||||
|
String digest = algorithm.substring(4);
|
||||||
|
keySize = adjustKeySize(switch (digest) {
|
||||||
|
case "MD5" -> 512;
|
||||||
|
case "SHA1" -> 160;
|
||||||
|
case "SHA224", "SHA512/224", "SHA3-224" -> 224;
|
||||||
|
case "SHA256", "SHA512/256", "SHA3-256" -> 256;
|
||||||
|
case "SHA384", "SHA3-384" -> 384;
|
||||||
|
case "SHA512", "SHA3-512" -> 512;
|
||||||
|
default -> {
|
||||||
|
throw new ProviderException("Unsupported algorithm " +
|
||||||
|
algorithm);
|
||||||
|
}
|
||||||
|
}, range);
|
||||||
|
} else {
|
||||||
|
throw new ProviderException("Unsupported algorithm " +
|
||||||
|
algorithm);
|
||||||
|
}
|
||||||
|
keyType = CKK_GENERIC_SECRET;
|
||||||
|
}
|
||||||
|
default -> throw new ProviderException("Unknown mechanism " + mechanism);
|
||||||
}
|
}
|
||||||
if (significantKeySize == -1) {
|
if (significantKeySize == -1) {
|
||||||
significantKeySize = keySize;
|
significantKeySize = keySize;
|
||||||
@ -363,24 +362,18 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
|
|||||||
Session session = null;
|
Session session = null;
|
||||||
try {
|
try {
|
||||||
session = token.getObjSession();
|
session = token.getObjSession();
|
||||||
CK_ATTRIBUTE[] attributes;
|
CK_ATTRIBUTE[] attributes = switch ((int) mechanism) {
|
||||||
|
case (int) CKM_DES_KEY_GEN, (int) CKM_DES2_KEY_GEN, (int) CKM_DES3_KEY_GEN ->
|
||||||
|
// fixed length, do not specify CKA_VALUE_LEN
|
||||||
|
new CK_ATTRIBUTE[]{
|
||||||
|
new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
|
||||||
|
};
|
||||||
|
default -> new CK_ATTRIBUTE[]{
|
||||||
|
new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
|
||||||
|
new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3),
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
switch ((int)mechanism) {
|
|
||||||
case (int)CKM_DES_KEY_GEN:
|
|
||||||
case (int)CKM_DES2_KEY_GEN:
|
|
||||||
case (int)CKM_DES3_KEY_GEN:
|
|
||||||
// fixed length, do not specify CKA_VALUE_LEN
|
|
||||||
attributes = new CK_ATTRIBUTE[] {
|
|
||||||
new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
|
|
||||||
};
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
attributes = new CK_ATTRIBUTE[] {
|
|
||||||
new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
|
|
||||||
new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3),
|
|
||||||
};
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
attributes = token.getAttributes
|
attributes = token.getAttributes
|
||||||
(O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
|
(O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
|
||||||
long keyID = token.p11.C_GenerateKey
|
long keyID = token.p11.C_GenerateKey
|
||||||
|
@ -172,63 +172,62 @@ final class P11KeyPairGenerator extends KeyPairGeneratorSpi {
|
|||||||
throws InvalidAlgorithmParameterException {
|
throws InvalidAlgorithmParameterException {
|
||||||
token.ensureValid();
|
token.ensureValid();
|
||||||
int tmpKeySize;
|
int tmpKeySize;
|
||||||
if (algorithm.equals("DH")) {
|
switch (algorithm) {
|
||||||
if (params instanceof DHParameterSpec == false) {
|
case "DH" -> {
|
||||||
throw new InvalidAlgorithmParameterException
|
if (!(params instanceof DHParameterSpec dhParams)) {
|
||||||
("DHParameterSpec required for Diffie-Hellman");
|
|
||||||
}
|
|
||||||
DHParameterSpec dhParams = (DHParameterSpec) params;
|
|
||||||
tmpKeySize = dhParams.getP().bitLength();
|
|
||||||
checkKeySize(tmpKeySize, dhParams);
|
|
||||||
// XXX sanity check params
|
|
||||||
} else if (algorithm.equals("RSA")) {
|
|
||||||
if (params instanceof RSAKeyGenParameterSpec == false) {
|
|
||||||
throw new InvalidAlgorithmParameterException
|
|
||||||
("RSAKeyGenParameterSpec required for RSA");
|
|
||||||
}
|
|
||||||
RSAKeyGenParameterSpec rsaParams =
|
|
||||||
(RSAKeyGenParameterSpec) params;
|
|
||||||
tmpKeySize = rsaParams.getKeysize();
|
|
||||||
checkKeySize(tmpKeySize, rsaParams);
|
|
||||||
// override the supplied params to null
|
|
||||||
params = null;
|
|
||||||
this.rsaPublicExponent = rsaParams.getPublicExponent();
|
|
||||||
// XXX sanity check params
|
|
||||||
} else if (algorithm.equals("DSA")) {
|
|
||||||
if (params instanceof DSAParameterSpec == false) {
|
|
||||||
throw new InvalidAlgorithmParameterException
|
|
||||||
("DSAParameterSpec required for DSA");
|
|
||||||
}
|
|
||||||
DSAParameterSpec dsaParams = (DSAParameterSpec) params;
|
|
||||||
tmpKeySize = dsaParams.getP().bitLength();
|
|
||||||
checkKeySize(tmpKeySize, dsaParams);
|
|
||||||
// XXX sanity check params
|
|
||||||
} else if (algorithm.equals("EC")) {
|
|
||||||
ECParameterSpec ecParams;
|
|
||||||
if (params instanceof ECParameterSpec) {
|
|
||||||
ecParams = P11ECKeyFactory.getECParameterSpec(
|
|
||||||
(ECParameterSpec)params);
|
|
||||||
if (ecParams == null) {
|
|
||||||
throw new InvalidAlgorithmParameterException
|
throw new InvalidAlgorithmParameterException
|
||||||
("Unsupported curve: " + params);
|
("DHParameterSpec required for Diffie-Hellman");
|
||||||
}
|
}
|
||||||
} else if (params instanceof ECGenParameterSpec) {
|
tmpKeySize = dhParams.getP().bitLength();
|
||||||
String name = ((ECGenParameterSpec) params).getName();
|
checkKeySize(tmpKeySize, dhParams);
|
||||||
ecParams = P11ECKeyFactory.getECParameterSpec(name);
|
|
||||||
if (ecParams == null) {
|
|
||||||
throw new InvalidAlgorithmParameterException
|
|
||||||
("Unknown curve name: " + name);
|
|
||||||
}
|
|
||||||
// override the supplied params with the derived one
|
|
||||||
params = ecParams;
|
|
||||||
} else {
|
|
||||||
throw new InvalidAlgorithmParameterException
|
|
||||||
("ECParameterSpec or ECGenParameterSpec required for EC");
|
|
||||||
}
|
}
|
||||||
tmpKeySize = ecParams.getCurve().getField().getFieldSize();
|
// XXX sanity check params
|
||||||
checkKeySize(tmpKeySize, ecParams);
|
case "RSA" -> {
|
||||||
} else {
|
if (!(params instanceof RSAKeyGenParameterSpec rsaParams)) {
|
||||||
throw new ProviderException("Unknown algorithm: " + algorithm);
|
throw new InvalidAlgorithmParameterException
|
||||||
|
("RSAKeyGenParameterSpec required for RSA");
|
||||||
|
}
|
||||||
|
tmpKeySize = rsaParams.getKeysize();
|
||||||
|
checkKeySize(tmpKeySize, rsaParams);
|
||||||
|
// override the supplied params to null
|
||||||
|
params = null;
|
||||||
|
this.rsaPublicExponent = rsaParams.getPublicExponent();
|
||||||
|
}
|
||||||
|
// XXX sanity check params
|
||||||
|
case "DSA" -> {
|
||||||
|
if (!(params instanceof DSAParameterSpec dsaParams)) {
|
||||||
|
throw new InvalidAlgorithmParameterException
|
||||||
|
("DSAParameterSpec required for DSA");
|
||||||
|
}
|
||||||
|
tmpKeySize = dsaParams.getP().bitLength();
|
||||||
|
checkKeySize(tmpKeySize, dsaParams);
|
||||||
|
}
|
||||||
|
// XXX sanity check params
|
||||||
|
case "EC" -> {
|
||||||
|
ECParameterSpec ecParams;
|
||||||
|
if (params instanceof ECParameterSpec ecParameterSpec) {
|
||||||
|
ecParams = P11ECKeyFactory.getECParameterSpec(ecParameterSpec);
|
||||||
|
if (ecParams == null) {
|
||||||
|
throw new InvalidAlgorithmParameterException
|
||||||
|
("Unsupported curve: " + params);
|
||||||
|
}
|
||||||
|
} else if (params instanceof ECGenParameterSpec ecGenParameterSpec) {
|
||||||
|
String name = ecGenParameterSpec.getName();
|
||||||
|
ecParams = P11ECKeyFactory.getECParameterSpec(name);
|
||||||
|
if (ecParams == null) {
|
||||||
|
throw new InvalidAlgorithmParameterException
|
||||||
|
("Unknown curve name: " + name);
|
||||||
|
}
|
||||||
|
// override the supplied params with the derived one
|
||||||
|
params = ecParams;
|
||||||
|
} else {
|
||||||
|
throw new InvalidAlgorithmParameterException
|
||||||
|
("ECParameterSpec or ECGenParameterSpec required for EC");
|
||||||
|
}
|
||||||
|
tmpKeySize = ecParams.getCurve().getField().getFieldSize();
|
||||||
|
checkKeySize(tmpKeySize, ecParams);
|
||||||
|
}
|
||||||
|
default -> throw new ProviderException("Unknown algorithm: " + algorithm);
|
||||||
}
|
}
|
||||||
this.keySize = tmpKeySize;
|
this.keySize = tmpKeySize;
|
||||||
this.params = params;
|
this.params = params;
|
||||||
@ -337,77 +336,81 @@ final class P11KeyPairGenerator extends KeyPairGeneratorSpi {
|
|||||||
CK_ATTRIBUTE[] publicKeyTemplate;
|
CK_ATTRIBUTE[] publicKeyTemplate;
|
||||||
CK_ATTRIBUTE[] privateKeyTemplate;
|
CK_ATTRIBUTE[] privateKeyTemplate;
|
||||||
long keyType;
|
long keyType;
|
||||||
if (algorithm.equals("RSA")) {
|
switch (algorithm) {
|
||||||
keyType = CKK_RSA;
|
case "RSA" -> {
|
||||||
publicKeyTemplate = new CK_ATTRIBUTE[] {
|
keyType = CKK_RSA;
|
||||||
new CK_ATTRIBUTE(CKA_MODULUS_BITS, keySize),
|
publicKeyTemplate = new CK_ATTRIBUTE[]{
|
||||||
new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, rsaPublicExponent),
|
new CK_ATTRIBUTE(CKA_MODULUS_BITS, keySize),
|
||||||
};
|
new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, rsaPublicExponent),
|
||||||
privateKeyTemplate = new CK_ATTRIBUTE[] {
|
};
|
||||||
// empty
|
privateKeyTemplate = new CK_ATTRIBUTE[]{
|
||||||
};
|
// empty
|
||||||
} else if (algorithm.equals("DSA")) {
|
};
|
||||||
keyType = CKK_DSA;
|
}
|
||||||
DSAParameterSpec dsaParams;
|
case "DSA" -> {
|
||||||
if (params == null) {
|
keyType = CKK_DSA;
|
||||||
try {
|
DSAParameterSpec dsaParams;
|
||||||
dsaParams = ParameterCache.getDSAParameterSpec
|
if (params == null) {
|
||||||
(keySize, random);
|
try {
|
||||||
} catch (GeneralSecurityException e) {
|
dsaParams = ParameterCache.getDSAParameterSpec
|
||||||
throw new ProviderException
|
(keySize, random);
|
||||||
("Could not generate DSA parameters", e);
|
} catch (GeneralSecurityException e) {
|
||||||
|
throw new ProviderException
|
||||||
|
("Could not generate DSA parameters", e);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
dsaParams = (DSAParameterSpec) params;
|
||||||
}
|
}
|
||||||
} else {
|
publicKeyTemplate = new CK_ATTRIBUTE[]{
|
||||||
dsaParams = (DSAParameterSpec)params;
|
new CK_ATTRIBUTE(CKA_PRIME, dsaParams.getP()),
|
||||||
|
new CK_ATTRIBUTE(CKA_SUBPRIME, dsaParams.getQ()),
|
||||||
|
new CK_ATTRIBUTE(CKA_BASE, dsaParams.getG()),
|
||||||
|
};
|
||||||
|
privateKeyTemplate = new CK_ATTRIBUTE[]{
|
||||||
|
// empty
|
||||||
|
};
|
||||||
}
|
}
|
||||||
publicKeyTemplate = new CK_ATTRIBUTE[] {
|
case "DH" -> {
|
||||||
new CK_ATTRIBUTE(CKA_PRIME, dsaParams.getP()),
|
keyType = CKK_DH;
|
||||||
new CK_ATTRIBUTE(CKA_SUBPRIME, dsaParams.getQ()),
|
DHParameterSpec dhParams;
|
||||||
new CK_ATTRIBUTE(CKA_BASE, dsaParams.getG()),
|
int privateBits;
|
||||||
};
|
if (params == null) {
|
||||||
privateKeyTemplate = new CK_ATTRIBUTE[] {
|
try {
|
||||||
// empty
|
dhParams = ParameterCache.getDHParameterSpec
|
||||||
};
|
(keySize, random);
|
||||||
} else if (algorithm.equals("DH")) {
|
} catch (GeneralSecurityException e) {
|
||||||
keyType = CKK_DH;
|
throw new ProviderException
|
||||||
DHParameterSpec dhParams;
|
("Could not generate DH parameters", e);
|
||||||
int privateBits;
|
}
|
||||||
if (params == null) {
|
privateBits = 0;
|
||||||
try {
|
} else {
|
||||||
dhParams = ParameterCache.getDHParameterSpec
|
dhParams = (DHParameterSpec) params;
|
||||||
(keySize, random);
|
privateBits = dhParams.getL();
|
||||||
} catch (GeneralSecurityException e) {
|
|
||||||
throw new ProviderException
|
|
||||||
("Could not generate DH parameters", e);
|
|
||||||
}
|
}
|
||||||
privateBits = 0;
|
if (privateBits <= 0) {
|
||||||
} else {
|
// XXX find better defaults
|
||||||
dhParams = (DHParameterSpec)params;
|
privateBits = (keySize >= 1024) ? 768 : 512;
|
||||||
privateBits = dhParams.getL();
|
}
|
||||||
|
publicKeyTemplate = new CK_ATTRIBUTE[]{
|
||||||
|
new CK_ATTRIBUTE(CKA_PRIME, dhParams.getP()),
|
||||||
|
new CK_ATTRIBUTE(CKA_BASE, dhParams.getG())
|
||||||
|
};
|
||||||
|
privateKeyTemplate = new CK_ATTRIBUTE[]{
|
||||||
|
new CK_ATTRIBUTE(CKA_VALUE_BITS, privateBits),
|
||||||
|
};
|
||||||
}
|
}
|
||||||
if (privateBits <= 0) {
|
case "EC" -> {
|
||||||
// XXX find better defaults
|
keyType = CKK_EC;
|
||||||
privateBits = (keySize >= 1024) ? 768 : 512;
|
byte[] encodedParams =
|
||||||
|
P11ECKeyFactory.encodeParameters((ECParameterSpec) params);
|
||||||
|
publicKeyTemplate = new CK_ATTRIBUTE[]{
|
||||||
|
new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams),
|
||||||
|
};
|
||||||
|
privateKeyTemplate = new CK_ATTRIBUTE[]{
|
||||||
|
// empty
|
||||||
|
};
|
||||||
}
|
}
|
||||||
publicKeyTemplate = new CK_ATTRIBUTE[] {
|
default -> throw new ProviderException("Unknown algorithm: " + algorithm);
|
||||||
new CK_ATTRIBUTE(CKA_PRIME, dhParams.getP()),
|
|
||||||
new CK_ATTRIBUTE(CKA_BASE, dhParams.getG())
|
|
||||||
};
|
|
||||||
privateKeyTemplate = new CK_ATTRIBUTE[] {
|
|
||||||
new CK_ATTRIBUTE(CKA_VALUE_BITS, privateBits),
|
|
||||||
};
|
|
||||||
} else if (algorithm.equals("EC")) {
|
|
||||||
keyType = CKK_EC;
|
|
||||||
byte[] encodedParams =
|
|
||||||
P11ECKeyFactory.encodeParameters((ECParameterSpec)params);
|
|
||||||
publicKeyTemplate = new CK_ATTRIBUTE[] {
|
|
||||||
new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams),
|
|
||||||
};
|
|
||||||
privateKeyTemplate = new CK_ATTRIBUTE[] {
|
|
||||||
// empty
|
|
||||||
};
|
|
||||||
} else {
|
|
||||||
throw new ProviderException("Unknown algorithm: " + algorithm);
|
|
||||||
}
|
}
|
||||||
Session session = null;
|
Session session = null;
|
||||||
try {
|
try {
|
||||||
|
@ -779,7 +779,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (mapLabels() == true) {
|
if (mapLabels()) {
|
||||||
// CKA_LABELs are shared by multiple certs
|
// CKA_LABELs are shared by multiple certs
|
||||||
writeDisabled = true;
|
writeDisabled = true;
|
||||||
}
|
}
|
||||||
@ -861,7 +861,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
|
|
||||||
try {
|
try {
|
||||||
login(handler);
|
login(handler);
|
||||||
if (mapLabels() == true) {
|
if (mapLabels()) {
|
||||||
// CKA_LABELs are shared by multiple certs
|
// CKA_LABELs are shared by multiple certs
|
||||||
writeDisabled = true;
|
writeDisabled = true;
|
||||||
}
|
}
|
||||||
@ -1030,7 +1030,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
|
|
||||||
if (entry instanceof KeyStore.TrustedCertificateEntry) {
|
if (entry instanceof KeyStore.TrustedCertificateEntry) {
|
||||||
|
|
||||||
if (useSecmodTrust == false) {
|
if (!useSecmodTrust) {
|
||||||
// PKCS #11 does not allow app to modify trusted certs -
|
// PKCS #11 does not allow app to modify trusted certs -
|
||||||
throw new KeyStoreException(new UnsupportedOperationException
|
throw new KeyStoreException(new UnsupportedOperationException
|
||||||
("trusted certificates may only be set by " +
|
("trusted certificates may only be set by " +
|
||||||
@ -1043,10 +1043,9 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
+ "added to the NSS KeyStore module");
|
+ "added to the NSS KeyStore module");
|
||||||
}
|
}
|
||||||
Certificate cert = ((TrustedCertificateEntry)entry).getTrustedCertificate();
|
Certificate cert = ((TrustedCertificateEntry)entry).getTrustedCertificate();
|
||||||
if (cert instanceof X509Certificate == false) {
|
if (!(cert instanceof X509Certificate xcert)) {
|
||||||
throw new KeyStoreException("Certificate must be an X509Certificate");
|
throw new KeyStoreException("Certificate must be an X509Certificate");
|
||||||
}
|
}
|
||||||
X509Certificate xcert = (X509Certificate)cert;
|
|
||||||
AliasInfo info = aliasMap.get(alias);
|
AliasInfo info = aliasMap.get(alias);
|
||||||
if (info != null) {
|
if (info != null) {
|
||||||
// XXX try to update
|
// XXX try to update
|
||||||
@ -1122,9 +1121,8 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
throw new KeyStoreException(pe);
|
throw new KeyStoreException(pe);
|
||||||
}
|
}
|
||||||
|
|
||||||
} else if (entry instanceof KeyStore.SecretKeyEntry) {
|
} else if (entry instanceof SecretKeyEntry ske) {
|
||||||
|
|
||||||
KeyStore.SecretKeyEntry ske = (KeyStore.SecretKeyEntry)entry;
|
|
||||||
SecretKey skey = ske.getSecretKey();
|
SecretKey skey = ske.getSecretKey();
|
||||||
|
|
||||||
try {
|
try {
|
||||||
@ -1215,7 +1213,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
// self signed
|
// self signed
|
||||||
return new X509Certificate[] { endCert };
|
return new X509Certificate[] { endCert };
|
||||||
} else {
|
} else {
|
||||||
lChain = new ArrayList<X509Certificate>();
|
lChain = new ArrayList<>();
|
||||||
lChain.add(endCert);
|
lChain.add(endCert);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1509,7 +1507,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
long keyID = key.getKeyID();
|
long keyID = key.getKeyID();
|
||||||
try {
|
try {
|
||||||
session = token.getOpSession();
|
session = token.getOpSession();
|
||||||
if (key.tokenObject == true) {
|
if (key.tokenObject) {
|
||||||
// token key - set new CKA_ID
|
// token key - set new CKA_ID
|
||||||
|
|
||||||
CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
|
CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
|
||||||
@ -1549,7 +1547,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
private void storeCert(String alias, X509Certificate cert)
|
private void storeCert(String alias, X509Certificate cert)
|
||||||
throws PKCS11Exception, CertificateException {
|
throws PKCS11Exception, CertificateException {
|
||||||
|
|
||||||
ArrayList<CK_ATTRIBUTE> attrList = new ArrayList<CK_ATTRIBUTE>();
|
ArrayList<CK_ATTRIBUTE> attrList = new ArrayList<>();
|
||||||
attrList.add(ATTR_TOKEN_TRUE);
|
attrList.add(ATTR_TOKEN_TRUE);
|
||||||
attrList.add(ATTR_CLASS_CERT);
|
attrList.add(ATTR_CLASS_CERT);
|
||||||
attrList.add(ATTR_X509_CERT_TYPE);
|
attrList.add(ATTR_X509_CERT_TYPE);
|
||||||
@ -1673,8 +1671,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
// If the key is a token object on this token, update it instead
|
// If the key is a token object on this token, update it instead
|
||||||
// of creating a duplicate key object.
|
// of creating a duplicate key object.
|
||||||
// Otherwise, treat a P11Key like any other key, if it is extractable.
|
// Otherwise, treat a P11Key like any other key, if it is extractable.
|
||||||
if (key instanceof P11Key) {
|
if (key instanceof P11Key p11Key) {
|
||||||
P11Key p11Key = (P11Key)key;
|
|
||||||
if (p11Key.tokenObject && (p11Key.token == this.token)) {
|
if (p11Key.tokenObject && (p11Key.token == this.token)) {
|
||||||
updateP11Pkey(alias, null, p11Key);
|
updateP11Pkey(alias, null, p11Key);
|
||||||
storeChain(alias, (X509Certificate[])pke.getCertificateChain());
|
storeChain(alias, (X509Certificate[])pke.getCertificateChain());
|
||||||
@ -1691,9 +1688,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
attrs = getRsaPrivKeyAttrs
|
attrs = getRsaPrivKeyAttrs
|
||||||
(alias, (RSAPrivateKey)key, cert.getSubjectX500Principal());
|
(alias, (RSAPrivateKey)key, cert.getSubjectX500Principal());
|
||||||
|
|
||||||
} else if (key instanceof DSAPrivateKey) {
|
} else if (key instanceof DSAPrivateKey dsaKey) {
|
||||||
|
|
||||||
DSAPrivateKey dsaKey = (DSAPrivateKey)key;
|
|
||||||
|
|
||||||
CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
|
CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
|
||||||
if (idAttrs[0] == null) {
|
if (idAttrs[0] == null) {
|
||||||
@ -1722,9 +1717,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
debug.println("storePkey created DSA template");
|
debug.println("storePkey created DSA template");
|
||||||
}
|
}
|
||||||
|
|
||||||
} else if (key instanceof DHPrivateKey) {
|
} else if (key instanceof DHPrivateKey dhKey) {
|
||||||
|
|
||||||
DHPrivateKey dhKey = (DHPrivateKey)key;
|
|
||||||
|
|
||||||
CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
|
CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
|
||||||
if (idAttrs[0] == null) {
|
if (idAttrs[0] == null) {
|
||||||
@ -1748,9 +1741,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
attrs = token.getAttributes
|
attrs = token.getAttributes
|
||||||
(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DH, attrs);
|
(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DH, attrs);
|
||||||
|
|
||||||
} else if (key instanceof ECPrivateKey) {
|
} else if (key instanceof ECPrivateKey ecKey) {
|
||||||
|
|
||||||
ECPrivateKey ecKey = (ECPrivateKey)key;
|
|
||||||
|
|
||||||
CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
|
CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
|
||||||
if (idAttrs[0] == null) {
|
if (idAttrs[0] == null) {
|
||||||
@ -1779,9 +1770,8 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
debug.println("storePkey created EC template");
|
debug.println("storePkey created EC template");
|
||||||
}
|
}
|
||||||
|
|
||||||
} else if (key instanceof P11Key) {
|
} else if (key instanceof P11Key p11Key) {
|
||||||
// sensitive/non-extractable P11Key
|
// sensitive/non-extractable P11Key
|
||||||
P11Key p11Key = (P11Key)key;
|
|
||||||
if (p11Key.token != this.token) {
|
if (p11Key.token != this.token) {
|
||||||
throw new KeyStoreException
|
throw new KeyStoreException
|
||||||
("Cannot move sensitive keys across tokens");
|
("Cannot move sensitive keys across tokens");
|
||||||
@ -1831,14 +1821,12 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
// subject is currently ignored - could be used to set CKA_SUBJECT
|
// subject is currently ignored - could be used to set CKA_SUBJECT
|
||||||
|
|
||||||
CK_ATTRIBUTE[] attrs = null;
|
CK_ATTRIBUTE[] attrs = null;
|
||||||
if (key instanceof RSAPrivateCrtKey) {
|
if (key instanceof RSAPrivateCrtKey rsaKey) {
|
||||||
|
|
||||||
if (debug != null) {
|
if (debug != null) {
|
||||||
debug.println("creating RSAPrivateCrtKey attrs");
|
debug.println("creating RSAPrivateCrtKey attrs");
|
||||||
}
|
}
|
||||||
|
|
||||||
RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key;
|
|
||||||
|
|
||||||
attrs = new CK_ATTRIBUTE[] {
|
attrs = new CK_ATTRIBUTE[] {
|
||||||
ATTR_TOKEN_TRUE,
|
ATTR_TOKEN_TRUE,
|
||||||
ATTR_CLASS_PKEY,
|
ATTR_CLASS_PKEY,
|
||||||
@ -1870,8 +1858,6 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
debug.println("creating RSAPrivateKey attrs");
|
debug.println("creating RSAPrivateKey attrs");
|
||||||
}
|
}
|
||||||
|
|
||||||
RSAPrivateKey rsaKey = key;
|
|
||||||
|
|
||||||
attrs = new CK_ATTRIBUTE[] {
|
attrs = new CK_ATTRIBUTE[] {
|
||||||
ATTR_TOKEN_TRUE,
|
ATTR_TOKEN_TRUE,
|
||||||
ATTR_CLASS_PKEY,
|
ATTR_CLASS_PKEY,
|
||||||
@ -1879,9 +1865,9 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA),
|
new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA),
|
||||||
new CK_ATTRIBUTE(CKA_ID, alias),
|
new CK_ATTRIBUTE(CKA_ID, alias),
|
||||||
new CK_ATTRIBUTE(CKA_MODULUS,
|
new CK_ATTRIBUTE(CKA_MODULUS,
|
||||||
rsaKey.getModulus()),
|
key.getModulus()),
|
||||||
new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT,
|
new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT,
|
||||||
rsaKey.getPrivateExponent()) };
|
key.getPrivateExponent()) };
|
||||||
attrs = token.getAttributes
|
attrs = token.getAttributes
|
||||||
(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs);
|
(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs);
|
||||||
}
|
}
|
||||||
@ -1905,7 +1891,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
private CK_ATTRIBUTE[] getIdAttributes(PrivateKey privateKey,
|
private CK_ATTRIBUTE[] getIdAttributes(PrivateKey privateKey,
|
||||||
PublicKey publicKey, boolean id, boolean netscapeDb) {
|
PublicKey publicKey, boolean id, boolean netscapeDb) {
|
||||||
CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[2];
|
CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[2];
|
||||||
if ((id || netscapeDb) == false) {
|
if (!(id || netscapeDb)) {
|
||||||
return attrs;
|
return attrs;
|
||||||
}
|
}
|
||||||
String alg = privateKey.getAlgorithm();
|
String alg = privateKey.getAlgorithm();
|
||||||
@ -2010,7 +1996,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
|
|
||||||
if (next.getSubjectX500Principal().equals
|
if (next.getSubjectX500Principal().equals
|
||||||
(next.getIssuerX500Principal())) {
|
(next.getIssuerX500Principal())) {
|
||||||
// self signed - done
|
// self-signed - done
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2233,7 +2219,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
|
|
||||||
if (type == ATTR_CLASS_SKEY) {
|
if (type == ATTR_CLASS_SKEY) {
|
||||||
|
|
||||||
ArrayList<THandle> list = new ArrayList<THandle>(h.length);
|
ArrayList<THandle> list = new ArrayList<>(h.length);
|
||||||
for (int i = 0; i < h.length; i++) {
|
for (int i = 0; i < h.length; i++) {
|
||||||
|
|
||||||
CK_ATTRIBUTE[] label = new CK_ATTRIBUTE[]
|
CK_ATTRIBUTE[] label = new CK_ATTRIBUTE[]
|
||||||
@ -2299,7 +2285,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
|
|
||||||
// get all private key CKA_IDs
|
// get all private key CKA_IDs
|
||||||
|
|
||||||
ArrayList<byte[]> pkeyIDs = new ArrayList<byte[]>();
|
ArrayList<byte[]> pkeyIDs = new ArrayList<>();
|
||||||
CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
|
CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
|
||||||
ATTR_TOKEN_TRUE,
|
ATTR_TOKEN_TRUE,
|
||||||
ATTR_CLASS_PKEY,
|
ATTR_CLASS_PKEY,
|
||||||
@ -2326,7 +2312,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
// (multiple certs may be mapped to a single CKA_LABEL)
|
// (multiple certs may be mapped to a single CKA_LABEL)
|
||||||
|
|
||||||
HashMap<String, HashSet<AliasInfo>> certMap =
|
HashMap<String, HashSet<AliasInfo>> certMap =
|
||||||
new HashMap<String, HashSet<AliasInfo>>();
|
new HashMap<>();
|
||||||
|
|
||||||
attrs = new CK_ATTRIBUTE[] {
|
attrs = new CK_ATTRIBUTE[] {
|
||||||
ATTR_TOKEN_TRUE,
|
ATTR_TOKEN_TRUE,
|
||||||
@ -2399,11 +2385,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
HashSet<AliasInfo> infoSet = certMap.get(cka_label);
|
HashSet<AliasInfo> infoSet = certMap.computeIfAbsent(cka_label, k -> new HashSet<>(2));
|
||||||
if (infoSet == null) {
|
|
||||||
infoSet = new HashSet<AliasInfo>(2);
|
|
||||||
certMap.put(cka_label, infoSet);
|
|
||||||
}
|
|
||||||
|
|
||||||
// initially create private key entry AliasInfo entries -
|
// initially create private key entry AliasInfo entries -
|
||||||
// these entries will get resolved into their true
|
// these entries will get resolved into their true
|
||||||
@ -2421,7 +2403,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
// or between a secret key and another object),
|
// or between a secret key and another object),
|
||||||
// throw an exception
|
// throw an exception
|
||||||
HashMap<String, AliasInfo> sKeyMap =
|
HashMap<String, AliasInfo> sKeyMap =
|
||||||
new HashMap<String, AliasInfo>();
|
new HashMap<>();
|
||||||
|
|
||||||
attrs = new CK_ATTRIBUTE[] {
|
attrs = new CK_ATTRIBUTE[] {
|
||||||
ATTR_SKEY_TOKEN_TRUE,
|
ATTR_SKEY_TOKEN_TRUE,
|
||||||
@ -2477,10 +2459,10 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
throws PKCS11Exception, CertificateException {
|
throws PKCS11Exception, CertificateException {
|
||||||
|
|
||||||
// reset global alias map
|
// reset global alias map
|
||||||
aliasMap = new HashMap<String, AliasInfo>();
|
aliasMap = new HashMap<>();
|
||||||
|
|
||||||
// list of matched certs that we will return
|
// list of matched certs that we will return
|
||||||
ArrayList<AliasInfo> matchedCerts = new ArrayList<AliasInfo>();
|
ArrayList<AliasInfo> matchedCerts = new ArrayList<>();
|
||||||
|
|
||||||
for (byte[] pkeyID : pkeyIDs) {
|
for (byte[] pkeyID : pkeyIDs) {
|
||||||
|
|
||||||
@ -2566,7 +2548,7 @@ final class P11KeyStore extends KeyStoreSpi {
|
|||||||
HashSet<AliasInfo> infoSet = certMap.get(certLabel);
|
HashSet<AliasInfo> infoSet = certMap.get(certLabel);
|
||||||
for (AliasInfo aliasInfo : infoSet) {
|
for (AliasInfo aliasInfo : infoSet) {
|
||||||
|
|
||||||
if (aliasInfo.matched == true) {
|
if (aliasInfo.matched) {
|
||||||
// already found a private key match for this cert -
|
// already found a private key match for this cert -
|
||||||
// just continue
|
// just continue
|
||||||
aliasInfo.trusted = false;
|
aliasInfo.trusted = false;
|
||||||
|
@ -345,14 +345,10 @@ final class P11KeyWrapCipher extends CipherSpi {
|
|||||||
session = token.getOpSession();
|
session = token.getOpSession();
|
||||||
}
|
}
|
||||||
switch (opmode) {
|
switch (opmode) {
|
||||||
case Cipher.ENCRYPT_MODE:
|
case Cipher.ENCRYPT_MODE -> token.p11.C_EncryptInit(session.id(), mechWithParams,
|
||||||
token.p11.C_EncryptInit(session.id(), mechWithParams,
|
|
||||||
p11KeyID);
|
p11KeyID);
|
||||||
break;
|
case Cipher.DECRYPT_MODE -> token.p11.C_DecryptInit(session.id(), mechWithParams,
|
||||||
case Cipher.DECRYPT_MODE:
|
|
||||||
token.p11.C_DecryptInit(session.id(), mechWithParams,
|
|
||||||
p11KeyID);
|
p11KeyID);
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
} catch (PKCS11Exception e) {
|
} catch (PKCS11Exception e) {
|
||||||
session = token.releaseSession(session);
|
session = token.releaseSession(session);
|
||||||
@ -386,7 +382,7 @@ final class P11KeyWrapCipher extends CipherSpi {
|
|||||||
} else {
|
} else {
|
||||||
result -= BLK_SIZE; // minus the leading block including the ICV
|
result -= BLK_SIZE; // minus the leading block including the ICV
|
||||||
}
|
}
|
||||||
return (result > 0 ? result : 0);
|
return (Math.max(result, 0));
|
||||||
}
|
}
|
||||||
|
|
||||||
// reset the states to the pre-initialized values
|
// reset the states to the pre-initialized values
|
||||||
@ -744,20 +740,19 @@ final class P11KeyWrapCipher extends CipherSpi {
|
|||||||
long keyClass;
|
long keyClass;
|
||||||
long keyType;
|
long keyType;
|
||||||
switch (wrappedKeyType) {
|
switch (wrappedKeyType) {
|
||||||
case Cipher.PRIVATE_KEY:
|
case Cipher.PRIVATE_KEY -> {
|
||||||
keyClass = CKO_PRIVATE_KEY;
|
keyClass = CKO_PRIVATE_KEY;
|
||||||
keyType = P11KeyFactory.getPKCS11KeyType(wrappedKeyAlgo);
|
keyType = P11KeyFactory.getPKCS11KeyType(wrappedKeyAlgo);
|
||||||
break;
|
}
|
||||||
case Cipher.SECRET_KEY:
|
case Cipher.SECRET_KEY -> {
|
||||||
keyClass = CKO_SECRET_KEY;
|
keyClass = CKO_SECRET_KEY;
|
||||||
keyType = P11SecretKeyFactory.getPKCS11KeyType(wrappedKeyAlgo);
|
keyType = P11SecretKeyFactory.getPKCS11KeyType(wrappedKeyAlgo);
|
||||||
break;
|
}
|
||||||
case Cipher.PUBLIC_KEY:
|
case Cipher.PUBLIC_KEY -> throw new UnsupportedOperationException
|
||||||
throw new UnsupportedOperationException
|
("cannot unwrap public keys");
|
||||||
("cannot unwrap public keys");
|
default -> // should never happen
|
||||||
default: // should never happen
|
throw new AssertionError();
|
||||||
throw new AssertionError();
|
}
|
||||||
};
|
|
||||||
|
|
||||||
CK_ATTRIBUTE[] attributes;
|
CK_ATTRIBUTE[] attributes;
|
||||||
try {
|
try {
|
||||||
|
@ -85,42 +85,23 @@ final class P11Mac extends MacSpi {
|
|||||||
this.token = token;
|
this.token = token;
|
||||||
this.algorithm = algorithm;
|
this.algorithm = algorithm;
|
||||||
Long params = null;
|
Long params = null;
|
||||||
switch ((int)mechanism) {
|
macLength = switch ((int) mechanism) {
|
||||||
case (int)CKM_MD5_HMAC:
|
case (int) CKM_MD5_HMAC -> 16;
|
||||||
macLength = 16;
|
case (int) CKM_SHA_1_HMAC -> 20;
|
||||||
break;
|
case (int) CKM_SHA224_HMAC, (int) CKM_SHA512_224_HMAC, (int) CKM_SHA3_224_HMAC -> 28;
|
||||||
case (int)CKM_SHA_1_HMAC:
|
case (int) CKM_SHA256_HMAC, (int) CKM_SHA512_256_HMAC, (int) CKM_SHA3_256_HMAC -> 32;
|
||||||
macLength = 20;
|
case (int) CKM_SHA384_HMAC, (int) CKM_SHA3_384_HMAC -> 48;
|
||||||
break;
|
case (int) CKM_SHA512_HMAC, (int) CKM_SHA3_512_HMAC -> 64;
|
||||||
case (int)CKM_SHA224_HMAC:
|
case (int) CKM_SSL3_MD5_MAC -> {
|
||||||
case (int)CKM_SHA512_224_HMAC:
|
params = Long.valueOf(16);
|
||||||
case (int)CKM_SHA3_224_HMAC:
|
yield 16;
|
||||||
macLength = 28;
|
}
|
||||||
break;
|
case (int) CKM_SSL3_SHA1_MAC -> {
|
||||||
case (int)CKM_SHA256_HMAC:
|
params = Long.valueOf(20);
|
||||||
case (int)CKM_SHA512_256_HMAC:
|
yield 20;
|
||||||
case (int)CKM_SHA3_256_HMAC:
|
}
|
||||||
macLength = 32;
|
default -> throw new ProviderException("Unknown mechanism: " + mechanism);
|
||||||
break;
|
};
|
||||||
case (int)CKM_SHA384_HMAC:
|
|
||||||
case (int)CKM_SHA3_384_HMAC:
|
|
||||||
macLength = 48;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SHA512_HMAC:
|
|
||||||
case (int)CKM_SHA3_512_HMAC:
|
|
||||||
macLength = 64;
|
|
||||||
break;
|
|
||||||
case (int)CKM_SSL3_MD5_MAC:
|
|
||||||
macLength = 16;
|
|
||||||
params = Long.valueOf(16);
|
|
||||||
break;
|
|
||||||
case (int)CKM_SSL3_SHA1_MAC:
|
|
||||||
macLength = 20;
|
|
||||||
params = Long.valueOf(20);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
throw new ProviderException("Unknown mechanism: " + mechanism);
|
|
||||||
}
|
|
||||||
ckMechanism = new CK_MECHANISM(mechanism, params);
|
ckMechanism = new CK_MECHANISM(mechanism, params);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -265,11 +246,11 @@ final class P11Mac extends MacSpi {
|
|||||||
if (len <= 0) {
|
if (len <= 0) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (byteBuffer instanceof DirectBuffer == false) {
|
if (!(byteBuffer instanceof DirectBuffer directBuffer)) {
|
||||||
super.engineUpdate(byteBuffer);
|
super.engineUpdate(byteBuffer);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
long addr = ((DirectBuffer)byteBuffer).address();
|
long addr = directBuffer.address();
|
||||||
int ofs = byteBuffer.position();
|
int ofs = byteBuffer.position();
|
||||||
token.p11.C_SignUpdate(session.id(), addr + ofs, null, 0, len);
|
token.p11.C_SignUpdate(session.id(), addr + ofs, null, 0, len);
|
||||||
byteBuffer.position(ofs + len);
|
byteBuffer.position(ofs + len);
|
||||||
|
@ -71,8 +71,7 @@ final class P11PSSSignature extends SignatureSpi {
|
|||||||
private static final boolean DEBUG = false;
|
private static final boolean DEBUG = false;
|
||||||
|
|
||||||
// mappings of digest algorithms and their output length in bytes
|
// mappings of digest algorithms and their output length in bytes
|
||||||
private static final Hashtable<String, Integer> DIGEST_LENGTHS =
|
private static final Hashtable<String, Integer> DIGEST_LENGTHS = new Hashtable<>();
|
||||||
new Hashtable<String, Integer>();
|
|
||||||
|
|
||||||
static {
|
static {
|
||||||
DIGEST_LENGTHS.put("SHA-1", 20);
|
DIGEST_LENGTHS.put("SHA-1", 20);
|
||||||
@ -173,32 +172,31 @@ final class P11PSSSignature extends SignatureSpi {
|
|||||||
this.mdAlg = (idx == -1 ?
|
this.mdAlg = (idx == -1 ?
|
||||||
null : toStdName(algorithm.substring(0, idx)));
|
null : toStdName(algorithm.substring(0, idx)));
|
||||||
|
|
||||||
switch ((int)mechId) {
|
switch ((int) mechId) {
|
||||||
case (int)CKM_SHA1_RSA_PKCS_PSS:
|
case (int) CKM_SHA1_RSA_PKCS_PSS,
|
||||||
case (int)CKM_SHA224_RSA_PKCS_PSS:
|
(int) CKM_SHA224_RSA_PKCS_PSS,
|
||||||
case (int)CKM_SHA256_RSA_PKCS_PSS:
|
(int) CKM_SHA256_RSA_PKCS_PSS,
|
||||||
case (int)CKM_SHA384_RSA_PKCS_PSS:
|
(int) CKM_SHA384_RSA_PKCS_PSS,
|
||||||
case (int)CKM_SHA512_RSA_PKCS_PSS:
|
(int) CKM_SHA512_RSA_PKCS_PSS,
|
||||||
case (int)CKM_SHA3_224_RSA_PKCS_PSS:
|
(int) CKM_SHA3_224_RSA_PKCS_PSS,
|
||||||
case (int)CKM_SHA3_256_RSA_PKCS_PSS:
|
(int) CKM_SHA3_256_RSA_PKCS_PSS,
|
||||||
case (int)CKM_SHA3_384_RSA_PKCS_PSS:
|
(int) CKM_SHA3_384_RSA_PKCS_PSS,
|
||||||
case (int)CKM_SHA3_512_RSA_PKCS_PSS:
|
(int) CKM_SHA3_512_RSA_PKCS_PSS -> {
|
||||||
type = T_UPDATE;
|
type = T_UPDATE;
|
||||||
this.md = null;
|
this.md = null;
|
||||||
break;
|
|
||||||
case (int)CKM_RSA_PKCS_PSS:
|
|
||||||
// check if the digest algo is supported by underlying PKCS11 lib
|
|
||||||
if (this.mdAlg != null && token.getMechanismInfo
|
|
||||||
(Functions.getHashMechId(this.mdAlg)) == null) {
|
|
||||||
throw new NoSuchAlgorithmException("Unsupported algorithm: " +
|
|
||||||
algorithm);
|
|
||||||
}
|
}
|
||||||
this.md = (this.mdAlg == null ? null :
|
case (int) CKM_RSA_PKCS_PSS -> {
|
||||||
MessageDigest.getInstance(this.mdAlg));
|
// check if the digest algo is supported by underlying PKCS11 lib
|
||||||
type = T_DIGEST;
|
if (this.mdAlg != null && token.getMechanismInfo
|
||||||
break;
|
(Functions.getHashMechId(this.mdAlg)) == null) {
|
||||||
default:
|
throw new NoSuchAlgorithmException("Unsupported algorithm: " +
|
||||||
throw new ProviderException("Unsupported mechanism: " + mechId);
|
algorithm);
|
||||||
|
}
|
||||||
|
this.md = (this.mdAlg == null ? null :
|
||||||
|
MessageDigest.getInstance(this.mdAlg));
|
||||||
|
type = T_DIGEST;
|
||||||
|
}
|
||||||
|
default -> throw new ProviderException("Unsupported mechanism: " + mechId);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -235,7 +233,7 @@ final class P11PSSSignature extends SignatureSpi {
|
|||||||
this.mdAlg, "MGF1", this.mdAlg, sigParams.getSaltLength()));
|
this.mdAlg, "MGF1", this.mdAlg, sigParams.getSaltLength()));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (initialized == false) {
|
if (!initialized) {
|
||||||
try {
|
try {
|
||||||
initialize();
|
initialize();
|
||||||
} catch (ProviderException pe) {
|
} catch (ProviderException pe) {
|
||||||
@ -413,12 +411,11 @@ final class P11PSSSignature extends SignatureSpi {
|
|||||||
if (p == null) {
|
if (p == null) {
|
||||||
throw new InvalidAlgorithmParameterException("PSS Parameter required");
|
throw new InvalidAlgorithmParameterException("PSS Parameter required");
|
||||||
}
|
}
|
||||||
if (!(p instanceof PSSParameterSpec)) {
|
if (!(p instanceof PSSParameterSpec params)) {
|
||||||
throw new InvalidAlgorithmParameterException
|
throw new InvalidAlgorithmParameterException
|
||||||
("Only PSSParameterSpec is supported");
|
("Only PSSParameterSpec is supported");
|
||||||
}
|
}
|
||||||
// no need to validate again if same as current signature parameters
|
// no need to validate again if same as current signature parameters
|
||||||
PSSParameterSpec params = (PSSParameterSpec) p;
|
|
||||||
if (params == this.sigParams) return;
|
if (params == this.sigParams) return;
|
||||||
|
|
||||||
String digestAlgorithm = params.getDigestAlgorithm();
|
String digestAlgorithm = params.getDigestAlgorithm();
|
||||||
@ -615,42 +612,43 @@ final class P11PSSSignature extends SignatureSpi {
|
|||||||
}
|
}
|
||||||
isActive = true;
|
isActive = true;
|
||||||
switch (type) {
|
switch (type) {
|
||||||
case T_UPDATE:
|
case T_UPDATE -> {
|
||||||
if (byteBuffer instanceof DirectBuffer == false) {
|
if (byteBuffer instanceof DirectBuffer == false) {
|
||||||
// cannot do better than default impl
|
// cannot do better than default impl
|
||||||
super.engineUpdate(byteBuffer);
|
super.engineUpdate(byteBuffer);
|
||||||
return;
|
return;
|
||||||
}
|
|
||||||
long addr = ((DirectBuffer)byteBuffer).address();
|
|
||||||
int ofs = byteBuffer.position();
|
|
||||||
try {
|
|
||||||
if (mode == M_SIGN) {
|
|
||||||
if (DEBUG) System.out.println(this + ": Calling C_SignUpdate");
|
|
||||||
token.p11.C_SignUpdate
|
|
||||||
(session.id(), addr + ofs, null, 0, len);
|
|
||||||
} else {
|
|
||||||
if (DEBUG) System.out.println(this + ": Calling C_VerifyUpdate");
|
|
||||||
token.p11.C_VerifyUpdate
|
|
||||||
(session.id(), addr + ofs, null, 0, len);
|
|
||||||
}
|
}
|
||||||
|
long addr = ((DirectBuffer) byteBuffer).address();
|
||||||
|
int ofs = byteBuffer.position();
|
||||||
|
try {
|
||||||
|
if (mode == M_SIGN) {
|
||||||
|
if (DEBUG) System.out.println(this + ": Calling C_SignUpdate");
|
||||||
|
token.p11.C_SignUpdate
|
||||||
|
(session.id(), addr + ofs, null, 0, len);
|
||||||
|
} else {
|
||||||
|
if (DEBUG) System.out.println(this + ": Calling C_VerifyUpdate");
|
||||||
|
token.p11.C_VerifyUpdate
|
||||||
|
(session.id(), addr + ofs, null, 0, len);
|
||||||
|
}
|
||||||
|
bytesProcessed += len;
|
||||||
|
byteBuffer.position(ofs + len);
|
||||||
|
} catch (PKCS11Exception e) {
|
||||||
|
reset(false);
|
||||||
|
throw new ProviderException("Update failed", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
case T_DIGEST -> {
|
||||||
|
// should not happen as this should be covered by earlier checks
|
||||||
|
if (md == null) {
|
||||||
|
throw new ProviderException("PSS Parameters required");
|
||||||
|
}
|
||||||
|
md.update(byteBuffer);
|
||||||
bytesProcessed += len;
|
bytesProcessed += len;
|
||||||
byteBuffer.position(ofs + len);
|
}
|
||||||
} catch (PKCS11Exception e) {
|
default -> {
|
||||||
reset(false);
|
reset(false);
|
||||||
throw new ProviderException("Update failed", e);
|
throw new ProviderException("Internal error");
|
||||||
}
|
}
|
||||||
break;
|
|
||||||
case T_DIGEST:
|
|
||||||
// should not happen as this should be covered by earlier checks
|
|
||||||
if (md == null) {
|
|
||||||
throw new ProviderException("PSS Parameters required");
|
|
||||||
}
|
|
||||||
md.update(byteBuffer);
|
|
||||||
bytesProcessed += len;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
reset(false);
|
|
||||||
throw new ProviderException("Internal error");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -122,7 +122,7 @@ final class P11RSACipher extends CipherSpi {
|
|||||||
// modes do not make sense for RSA, but allow ECB
|
// modes do not make sense for RSA, but allow ECB
|
||||||
// see JCE spec
|
// see JCE spec
|
||||||
protected void engineSetMode(String mode) throws NoSuchAlgorithmException {
|
protected void engineSetMode(String mode) throws NoSuchAlgorithmException {
|
||||||
if (mode.equalsIgnoreCase("ECB") == false) {
|
if (!mode.equalsIgnoreCase("ECB")) {
|
||||||
throw new NoSuchAlgorithmException("Unsupported mode " + mode);
|
throw new NoSuchAlgorithmException("Unsupported mode " + mode);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -205,7 +205,7 @@ final class P11RSACipher extends CipherSpi {
|
|||||||
} else if (opmode == Cipher.DECRYPT_MODE) {
|
} else if (opmode == Cipher.DECRYPT_MODE) {
|
||||||
encrypt = false;
|
encrypt = false;
|
||||||
} else if (opmode == Cipher.WRAP_MODE) {
|
} else if (opmode == Cipher.WRAP_MODE) {
|
||||||
if (p11Key.isPublic() == false) {
|
if (!p11Key.isPublic()) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("Wrap has to be used with public keys");
|
("Wrap has to be used with public keys");
|
||||||
}
|
}
|
||||||
@ -213,7 +213,7 @@ final class P11RSACipher extends CipherSpi {
|
|||||||
// we can't use C_Wrap().
|
// we can't use C_Wrap().
|
||||||
return;
|
return;
|
||||||
} else if (opmode == Cipher.UNWRAP_MODE) {
|
} else if (opmode == Cipher.UNWRAP_MODE) {
|
||||||
if (p11Key.isPrivate() == false) {
|
if (!p11Key.isPrivate()) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("Unwrap has to be used with private keys");
|
("Unwrap has to be used with private keys");
|
||||||
}
|
}
|
||||||
@ -289,22 +289,15 @@ final class P11RSACipher extends CipherSpi {
|
|||||||
int outLen = buffer.length;
|
int outLen = buffer.length;
|
||||||
long sessId = session.id();
|
long sessId = session.id();
|
||||||
switch (mode) {
|
switch (mode) {
|
||||||
case MODE_ENCRYPT:
|
case MODE_ENCRYPT -> p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
||||||
p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
case MODE_DECRYPT -> p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
||||||
break;
|
case MODE_SIGN -> {
|
||||||
case MODE_DECRYPT:
|
byte[] tmpBuffer = new byte[maxInputSize];
|
||||||
p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
p11.C_Sign(sessId, tmpBuffer);
|
||||||
break;
|
}
|
||||||
case MODE_SIGN:
|
case MODE_VERIFY -> p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
|
||||||
byte[] tmpBuffer = new byte[maxInputSize];
|
|
||||||
p11.C_Sign(sessId, tmpBuffer);
|
|
||||||
break;
|
|
||||||
case MODE_VERIFY:
|
|
||||||
p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
|
|
||||||
0, outLen);
|
0, outLen);
|
||||||
break;
|
default -> throw new ProviderException("internal error");
|
||||||
default:
|
|
||||||
throw new ProviderException("internal error");
|
|
||||||
}
|
}
|
||||||
} catch (PKCS11Exception e) {
|
} catch (PKCS11Exception e) {
|
||||||
// XXX ensure this always works, ignore error
|
// XXX ensure this always works, ignore error
|
||||||
@ -332,20 +325,11 @@ final class P11RSACipher extends CipherSpi {
|
|||||||
PKCS11 p11 = token.p11;
|
PKCS11 p11 = token.p11;
|
||||||
CK_MECHANISM ckMechanism = new CK_MECHANISM(mechanism);
|
CK_MECHANISM ckMechanism = new CK_MECHANISM(mechanism);
|
||||||
switch (mode) {
|
switch (mode) {
|
||||||
case MODE_ENCRYPT:
|
case MODE_ENCRYPT -> p11.C_EncryptInit(session.id(), ckMechanism, keyID);
|
||||||
p11.C_EncryptInit(session.id(), ckMechanism, keyID);
|
case MODE_DECRYPT -> p11.C_DecryptInit(session.id(), ckMechanism, keyID);
|
||||||
break;
|
case MODE_SIGN -> p11.C_SignInit(session.id(), ckMechanism, keyID);
|
||||||
case MODE_DECRYPT:
|
case MODE_VERIFY -> p11.C_VerifyRecoverInit(session.id(), ckMechanism, keyID);
|
||||||
p11.C_DecryptInit(session.id(), ckMechanism, keyID);
|
default -> throw new AssertionError("internal error");
|
||||||
break;
|
|
||||||
case MODE_SIGN:
|
|
||||||
p11.C_SignInit(session.id(), ckMechanism, keyID);
|
|
||||||
break;
|
|
||||||
case MODE_VERIFY:
|
|
||||||
p11.C_VerifyRecoverInit(session.id(), ckMechanism, keyID);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
throw new AssertionError("internal error");
|
|
||||||
}
|
}
|
||||||
bufOfs = 0;
|
bufOfs = 0;
|
||||||
initialized = true;
|
initialized = true;
|
||||||
@ -383,36 +367,27 @@ final class P11RSACipher extends CipherSpi {
|
|||||||
try {
|
try {
|
||||||
ensureInitialized();
|
ensureInitialized();
|
||||||
PKCS11 p11 = token.p11;
|
PKCS11 p11 = token.p11;
|
||||||
int n;
|
return switch (mode) {
|
||||||
switch (mode) {
|
case MODE_ENCRYPT -> p11.C_Encrypt
|
||||||
case MODE_ENCRYPT:
|
|
||||||
n = p11.C_Encrypt
|
|
||||||
(session.id(), 0, buffer, 0, bufOfs, 0, out, outOfs, outLen);
|
(session.id(), 0, buffer, 0, bufOfs, 0, out, outOfs, outLen);
|
||||||
break;
|
case MODE_DECRYPT -> p11.C_Decrypt
|
||||||
case MODE_DECRYPT:
|
|
||||||
n = p11.C_Decrypt
|
|
||||||
(session.id(), 0, buffer, 0, bufOfs, 0, out, outOfs, outLen);
|
(session.id(), 0, buffer, 0, bufOfs, 0, out, outOfs, outLen);
|
||||||
break;
|
case MODE_SIGN -> {
|
||||||
case MODE_SIGN:
|
byte[] tmpBuffer = new byte[bufOfs];
|
||||||
byte[] tmpBuffer = new byte[bufOfs];
|
System.arraycopy(buffer, 0, tmpBuffer, 0, bufOfs);
|
||||||
System.arraycopy(buffer, 0, tmpBuffer, 0, bufOfs);
|
tmpBuffer = p11.C_Sign(session.id(), tmpBuffer);
|
||||||
tmpBuffer = p11.C_Sign(session.id(), tmpBuffer);
|
if (tmpBuffer.length > outLen) {
|
||||||
if (tmpBuffer.length > outLen) {
|
throw new BadPaddingException(
|
||||||
throw new BadPaddingException(
|
"Output buffer (" + outLen + ") is too small to " +
|
||||||
"Output buffer (" + outLen + ") is too small to " +
|
"hold the produced data (" + tmpBuffer.length + ")");
|
||||||
"hold the produced data (" + tmpBuffer.length + ")");
|
}
|
||||||
|
System.arraycopy(tmpBuffer, 0, out, outOfs, tmpBuffer.length);
|
||||||
|
yield tmpBuffer.length;
|
||||||
}
|
}
|
||||||
System.arraycopy(tmpBuffer, 0, out, outOfs, tmpBuffer.length);
|
case MODE_VERIFY -> p11.C_VerifyRecover
|
||||||
n = tmpBuffer.length;
|
|
||||||
break;
|
|
||||||
case MODE_VERIFY:
|
|
||||||
n = p11.C_VerifyRecover
|
|
||||||
(session.id(), buffer, 0, bufOfs, out, outOfs, outLen);
|
(session.id(), buffer, 0, bufOfs, out, outOfs, outLen);
|
||||||
break;
|
default -> throw new ProviderException("internal error");
|
||||||
default:
|
};
|
||||||
throw new ProviderException("internal error");
|
|
||||||
}
|
|
||||||
return n;
|
|
||||||
} catch (PKCS11Exception e) {
|
} catch (PKCS11Exception e) {
|
||||||
throw (BadPaddingException)new BadPaddingException
|
throw (BadPaddingException)new BadPaddingException
|
||||||
("doFinal() failed").initCause(e);
|
("doFinal() failed").initCause(e);
|
||||||
@ -711,15 +686,11 @@ final class ConstructKeys {
|
|||||||
|
|
||||||
static final Key constructKey(byte[] encoding, String keyAlgorithm,
|
static final Key constructKey(byte[] encoding, String keyAlgorithm,
|
||||||
int keyType) throws InvalidKeyException, NoSuchAlgorithmException {
|
int keyType) throws InvalidKeyException, NoSuchAlgorithmException {
|
||||||
switch (keyType) {
|
return switch (keyType) {
|
||||||
case Cipher.SECRET_KEY:
|
case Cipher.SECRET_KEY -> constructSecretKey(encoding, keyAlgorithm);
|
||||||
return constructSecretKey(encoding, keyAlgorithm);
|
case Cipher.PRIVATE_KEY -> constructPrivateKey(encoding, keyAlgorithm);
|
||||||
case Cipher.PRIVATE_KEY:
|
case Cipher.PUBLIC_KEY -> constructPublicKey(encoding, keyAlgorithm);
|
||||||
return constructPrivateKey(encoding, keyAlgorithm);
|
default -> throw new InvalidKeyException("Unknown keytype " + keyType);
|
||||||
case Cipher.PUBLIC_KEY:
|
};
|
||||||
return constructPublicKey(encoding, keyAlgorithm);
|
|
||||||
default:
|
|
||||||
throw new InvalidKeyException("Unknown keytype " + keyType);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -54,8 +54,7 @@ final class P11RSAKeyFactory extends P11KeyFactory {
|
|||||||
|
|
||||||
PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
|
PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
|
||||||
try {
|
try {
|
||||||
if (key instanceof RSAPublicKey) {
|
if (key instanceof RSAPublicKey rsaKey) {
|
||||||
RSAPublicKey rsaKey = (RSAPublicKey)key;
|
|
||||||
return generatePublic(
|
return generatePublic(
|
||||||
rsaKey.getModulus(),
|
rsaKey.getModulus(),
|
||||||
rsaKey.getPublicExponent()
|
rsaKey.getPublicExponent()
|
||||||
@ -74,8 +73,7 @@ final class P11RSAKeyFactory extends P11KeyFactory {
|
|||||||
PrivateKey implTranslatePrivateKey(PrivateKey key)
|
PrivateKey implTranslatePrivateKey(PrivateKey key)
|
||||||
throws InvalidKeyException {
|
throws InvalidKeyException {
|
||||||
try {
|
try {
|
||||||
if (key instanceof RSAPrivateCrtKey) {
|
if (key instanceof RSAPrivateCrtKey rsaKey) {
|
||||||
RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key;
|
|
||||||
return generatePrivate(
|
return generatePrivate(
|
||||||
rsaKey.getModulus(),
|
rsaKey.getModulus(),
|
||||||
rsaKey.getPublicExponent(),
|
rsaKey.getPublicExponent(),
|
||||||
@ -86,8 +84,7 @@ final class P11RSAKeyFactory extends P11KeyFactory {
|
|||||||
rsaKey.getPrimeExponentQ(),
|
rsaKey.getPrimeExponentQ(),
|
||||||
rsaKey.getCrtCoefficient()
|
rsaKey.getCrtCoefficient()
|
||||||
);
|
);
|
||||||
} else if (key instanceof RSAPrivateKey) {
|
} else if (key instanceof RSAPrivateKey rsaKey) {
|
||||||
RSAPrivateKey rsaKey = (RSAPrivateKey)key;
|
|
||||||
return generatePrivate(
|
return generatePrivate(
|
||||||
rsaKey.getModulus(),
|
rsaKey.getModulus(),
|
||||||
rsaKey.getPrivateExponent()
|
rsaKey.getPrivateExponent()
|
||||||
@ -117,7 +114,7 @@ final class P11RSAKeyFactory extends P11KeyFactory {
|
|||||||
("Could not create RSA public key", e);
|
("Could not create RSA public key", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keySpec instanceof RSAPublicKeySpec == false) {
|
if (!(keySpec instanceof RSAPublicKeySpec)) {
|
||||||
throw new InvalidKeySpecException("Only RSAPublicKeySpec and "
|
throw new InvalidKeySpecException("Only RSAPublicKeySpec and "
|
||||||
+ "X509EncodedKeySpec supported for RSA public keys");
|
+ "X509EncodedKeySpec supported for RSA public keys");
|
||||||
}
|
}
|
||||||
@ -288,8 +285,7 @@ final class P11RSAKeyFactory extends P11KeyFactory {
|
|||||||
// that existing logic.
|
// that existing logic.
|
||||||
if (keySpec.isAssignableFrom(RSAPrivateCrtKeySpec.class)) {
|
if (keySpec.isAssignableFrom(RSAPrivateCrtKeySpec.class)) {
|
||||||
// All supported keyspecs (other than PKCS8EncodedKeySpec) descend from RSAPrivateCrtKeySpec
|
// All supported keyspecs (other than PKCS8EncodedKeySpec) descend from RSAPrivateCrtKeySpec
|
||||||
if (key instanceof RSAPrivateCrtKey) {
|
if (key instanceof RSAPrivateCrtKey crtKey) {
|
||||||
RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)key;
|
|
||||||
return keySpec.cast(new RSAPrivateCrtKeySpec(
|
return keySpec.cast(new RSAPrivateCrtKeySpec(
|
||||||
crtKey.getModulus(),
|
crtKey.getModulus(),
|
||||||
crtKey.getPublicExponent(),
|
crtKey.getPublicExponent(),
|
||||||
@ -307,7 +303,7 @@ final class P11RSAKeyFactory extends P11KeyFactory {
|
|||||||
("RSAPrivateCrtKeySpec can only be used with CRT keys");
|
("RSAPrivateCrtKeySpec can only be used with CRT keys");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!(key instanceof RSAPrivateKey)) {
|
if (!(key instanceof RSAPrivateKey rsaKey)) {
|
||||||
// We should never reach here as P11Key.privateKey() should always produce an instance
|
// We should never reach here as P11Key.privateKey() should always produce an instance
|
||||||
// of RSAPrivateKey when the RSA key is both extractable and non-sensitive.
|
// of RSAPrivateKey when the RSA key is both extractable and non-sensitive.
|
||||||
throw new InvalidKeySpecException
|
throw new InvalidKeySpecException
|
||||||
@ -315,7 +311,6 @@ final class P11RSAKeyFactory extends P11KeyFactory {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// fall through to RSAPrivateKey (non-CRT)
|
// fall through to RSAPrivateKey (non-CRT)
|
||||||
RSAPrivateKey rsaKey = (RSAPrivateKey) key;
|
|
||||||
return keySpec.cast(new RSAPrivateKeySpec(
|
return keySpec.cast(new RSAPrivateKeySpec(
|
||||||
rsaKey.getModulus(),
|
rsaKey.getModulus(),
|
||||||
rsaKey.getPrivateExponent(),
|
rsaKey.getPrivateExponent(),
|
||||||
|
@ -136,7 +136,7 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
|||||||
if (key == null) {
|
if (key == null) {
|
||||||
throw new InvalidKeyException("Key must not be null");
|
throw new InvalidKeyException("Key must not be null");
|
||||||
}
|
}
|
||||||
if (key instanceof SecretKey == false) {
|
if (!(key instanceof SecretKey)) {
|
||||||
throw new InvalidKeyException("Key must be a SecretKey");
|
throw new InvalidKeyException("Key must be a SecretKey");
|
||||||
}
|
}
|
||||||
long algoType;
|
long algoType;
|
||||||
@ -155,8 +155,7 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (key instanceof P11Key) {
|
if (key instanceof P11Key p11Key) {
|
||||||
P11Key p11Key = (P11Key)key;
|
|
||||||
if (p11Key.token == token) {
|
if (p11Key.token == token) {
|
||||||
if (extraAttrs != null) {
|
if (extraAttrs != null) {
|
||||||
P11Key newP11Key = null;
|
P11Key newP11Key = null;
|
||||||
@ -185,7 +184,7 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
|||||||
if (p11Key != null) {
|
if (p11Key != null) {
|
||||||
return p11Key;
|
return p11Key;
|
||||||
}
|
}
|
||||||
if ("RAW".equalsIgnoreCase(key.getFormat()) == false) {
|
if (!"RAW".equalsIgnoreCase(key.getFormat())) {
|
||||||
throw new InvalidKeyException("Encoded format must be RAW");
|
throw new InvalidKeyException("Encoded format must be RAW");
|
||||||
}
|
}
|
||||||
byte[] encoded = key.getEncoded();
|
byte[] encoded = key.getEncoded();
|
||||||
@ -208,15 +207,15 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
|||||||
int n = encoded.length << 3;
|
int n = encoded.length << 3;
|
||||||
int keyLength = n;
|
int keyLength = n;
|
||||||
try {
|
try {
|
||||||
switch ((int)keyType) {
|
switch ((int) keyType) {
|
||||||
case (int)CKK_DES:
|
case (int) CKK_DES -> {
|
||||||
keyLength =
|
keyLength =
|
||||||
P11KeyGenerator.checkKeySize(CKM_DES_KEY_GEN, n, token);
|
P11KeyGenerator.checkKeySize(CKM_DES_KEY_GEN, n, token);
|
||||||
fixDESParity(encoded, 0);
|
fixDESParity(encoded, 0);
|
||||||
break;
|
}
|
||||||
case (int)CKK_DES3:
|
case (int) CKK_DES3 -> {
|
||||||
keyLength =
|
keyLength =
|
||||||
P11KeyGenerator.checkKeySize(CKM_DES3_KEY_GEN, n, token);
|
P11KeyGenerator.checkKeySize(CKM_DES3_KEY_GEN, n, token);
|
||||||
fixDESParity(encoded, 0);
|
fixDESParity(encoded, 0);
|
||||||
fixDESParity(encoded, 8);
|
fixDESParity(encoded, 8);
|
||||||
if (keyLength == 112) {
|
if (keyLength == 112) {
|
||||||
@ -225,41 +224,27 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
|||||||
keyType = CKK_DES3;
|
keyType = CKK_DES3;
|
||||||
fixDESParity(encoded, 16);
|
fixDESParity(encoded, 16);
|
||||||
}
|
}
|
||||||
break;
|
}
|
||||||
case (int)CKK_AES:
|
case (int) CKK_AES -> keyLength =
|
||||||
keyLength =
|
|
||||||
P11KeyGenerator.checkKeySize(CKM_AES_KEY_GEN, n, token);
|
P11KeyGenerator.checkKeySize(CKM_AES_KEY_GEN, n, token);
|
||||||
break;
|
case (int) CKK_RC4 -> keyLength =
|
||||||
case (int)CKK_RC4:
|
|
||||||
keyLength =
|
|
||||||
P11KeyGenerator.checkKeySize(CKM_RC4_KEY_GEN, n, token);
|
P11KeyGenerator.checkKeySize(CKM_RC4_KEY_GEN, n, token);
|
||||||
break;
|
case (int) CKK_BLOWFISH -> keyLength =
|
||||||
case (int)CKK_BLOWFISH:
|
|
||||||
keyLength =
|
|
||||||
P11KeyGenerator.checkKeySize(CKM_BLOWFISH_KEY_GEN, n,
|
P11KeyGenerator.checkKeySize(CKM_BLOWFISH_KEY_GEN, n,
|
||||||
token);
|
token);
|
||||||
break;
|
case (int) CKK_CHACHA20 -> keyLength = P11KeyGenerator.checkKeySize(
|
||||||
case (int)CKK_CHACHA20:
|
|
||||||
keyLength = P11KeyGenerator.checkKeySize(
|
|
||||||
CKM_CHACHA20_KEY_GEN, n, token);
|
CKM_CHACHA20_KEY_GEN, n, token);
|
||||||
break;
|
case (int) CKK_GENERIC_SECRET, (int) PCKK_TLSPREMASTER, (int) PCKK_TLSRSAPREMASTER, (int) PCKK_TLSMASTER ->
|
||||||
case (int)CKK_GENERIC_SECRET:
|
keyType = CKK_GENERIC_SECRET;
|
||||||
case (int)PCKK_TLSPREMASTER:
|
case (int) PCKK_SSLMAC, (int) PCKK_HMAC -> {
|
||||||
case (int)PCKK_TLSRSAPREMASTER:
|
|
||||||
case (int)PCKK_TLSMASTER:
|
|
||||||
keyType = CKK_GENERIC_SECRET;
|
|
||||||
break;
|
|
||||||
case (int)PCKK_SSLMAC:
|
|
||||||
case (int)PCKK_HMAC:
|
|
||||||
if (n == 0) {
|
if (n == 0) {
|
||||||
throw new InvalidKeyException
|
throw new InvalidKeyException
|
||||||
("MAC keys must not be empty");
|
("MAC keys must not be empty");
|
||||||
}
|
}
|
||||||
keyType = CKK_GENERIC_SECRET;
|
keyType = CKK_GENERIC_SECRET;
|
||||||
break;
|
}
|
||||||
default:
|
default -> throw new InvalidKeyException("Unknown algorithm " +
|
||||||
throw new InvalidKeyException("Unknown algorithm " +
|
algorithm);
|
||||||
algorithm);
|
|
||||||
}
|
}
|
||||||
} catch (InvalidAlgorithmParameterException iape) {
|
} catch (InvalidAlgorithmParameterException iape) {
|
||||||
throw new InvalidKeyException("Invalid key for " + algorithm,
|
throw new InvalidKeyException("Invalid key for " + algorithm,
|
||||||
@ -328,7 +313,7 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
|
|||||||
private byte[] getKeyBytes(SecretKey key) throws InvalidKeySpecException {
|
private byte[] getKeyBytes(SecretKey key) throws InvalidKeySpecException {
|
||||||
try {
|
try {
|
||||||
key = engineTranslateKey(key);
|
key = engineTranslateKey(key);
|
||||||
if ("RAW".equalsIgnoreCase(key.getFormat()) == false) {
|
if (!"RAW".equalsIgnoreCase(key.getFormat())) {
|
||||||
throw new InvalidKeySpecException
|
throw new InvalidKeySpecException
|
||||||
("Could not obtain key bytes");
|
("Could not obtain key bytes");
|
||||||
}
|
}
|
||||||
|
@ -172,84 +172,82 @@ final class P11Signature extends SignatureSpi {
|
|||||||
byte[] buffer = null;
|
byte[] buffer = null;
|
||||||
ObjectIdentifier digestOID = null;
|
ObjectIdentifier digestOID = null;
|
||||||
MessageDigest md = null;
|
MessageDigest md = null;
|
||||||
switch ((int)mechanism) {
|
switch ((int) mechanism) {
|
||||||
case (int)CKM_MD2_RSA_PKCS:
|
case (int) CKM_MD2_RSA_PKCS,
|
||||||
case (int)CKM_MD5_RSA_PKCS:
|
(int) CKM_MD5_RSA_PKCS,
|
||||||
case (int)CKM_SHA1_RSA_PKCS:
|
(int) CKM_SHA1_RSA_PKCS,
|
||||||
case (int)CKM_SHA224_RSA_PKCS:
|
(int) CKM_SHA224_RSA_PKCS,
|
||||||
case (int)CKM_SHA256_RSA_PKCS:
|
(int) CKM_SHA256_RSA_PKCS,
|
||||||
case (int)CKM_SHA384_RSA_PKCS:
|
(int) CKM_SHA384_RSA_PKCS,
|
||||||
case (int)CKM_SHA512_RSA_PKCS:
|
(int) CKM_SHA512_RSA_PKCS,
|
||||||
case (int)CKM_SHA3_224_RSA_PKCS:
|
(int) CKM_SHA3_224_RSA_PKCS,
|
||||||
case (int)CKM_SHA3_256_RSA_PKCS:
|
(int) CKM_SHA3_256_RSA_PKCS,
|
||||||
case (int)CKM_SHA3_384_RSA_PKCS:
|
(int) CKM_SHA3_384_RSA_PKCS,
|
||||||
case (int)CKM_SHA3_512_RSA_PKCS:
|
(int) CKM_SHA3_512_RSA_PKCS -> {
|
||||||
keyAlgorithm = "RSA";
|
keyAlgorithm = "RSA";
|
||||||
type = T_UPDATE;
|
type = T_UPDATE;
|
||||||
buffer = new byte[1];
|
buffer = new byte[1];
|
||||||
break;
|
|
||||||
case (int)CKM_DSA_SHA1:
|
|
||||||
case (int)CKM_DSA_SHA224:
|
|
||||||
case (int)CKM_DSA_SHA256:
|
|
||||||
case (int)CKM_DSA_SHA384:
|
|
||||||
case (int)CKM_DSA_SHA512:
|
|
||||||
case (int)CKM_DSA_SHA3_224:
|
|
||||||
case (int)CKM_DSA_SHA3_256:
|
|
||||||
case (int)CKM_DSA_SHA3_384:
|
|
||||||
case (int)CKM_DSA_SHA3_512:
|
|
||||||
keyAlgorithm = "DSA";
|
|
||||||
type = T_UPDATE;
|
|
||||||
buffer = new byte[1];
|
|
||||||
break;
|
|
||||||
case (int)CKM_ECDSA_SHA1:
|
|
||||||
case (int)CKM_ECDSA_SHA224:
|
|
||||||
case (int)CKM_ECDSA_SHA256:
|
|
||||||
case (int)CKM_ECDSA_SHA384:
|
|
||||||
case (int)CKM_ECDSA_SHA512:
|
|
||||||
case (int)CKM_ECDSA_SHA3_224:
|
|
||||||
case (int)CKM_ECDSA_SHA3_256:
|
|
||||||
case (int)CKM_ECDSA_SHA3_384:
|
|
||||||
case (int)CKM_ECDSA_SHA3_512:
|
|
||||||
keyAlgorithm = "EC";
|
|
||||||
type = T_UPDATE;
|
|
||||||
buffer = new byte[1];
|
|
||||||
break;
|
|
||||||
case (int)CKM_DSA:
|
|
||||||
keyAlgorithm = "DSA";
|
|
||||||
if (algorithm.equals("DSA") ||
|
|
||||||
algorithm.equals("DSAinP1363Format")) {
|
|
||||||
type = T_DIGEST;
|
|
||||||
md = MessageDigest.getInstance("SHA-1");
|
|
||||||
} else if (algorithm.equals("RawDSA") ||
|
|
||||||
algorithm.equals("RawDSAinP1363Format")) {
|
|
||||||
type = T_RAW;
|
|
||||||
buffer = new byte[20];
|
|
||||||
} else {
|
|
||||||
throw new ProviderException(algorithm);
|
|
||||||
}
|
}
|
||||||
break;
|
case (int) CKM_DSA_SHA1,
|
||||||
case (int)CKM_ECDSA:
|
(int) CKM_DSA_SHA224,
|
||||||
keyAlgorithm = "EC";
|
(int) CKM_DSA_SHA256,
|
||||||
if (algorithm.equals("NONEwithECDSA") ||
|
(int) CKM_DSA_SHA384,
|
||||||
algorithm.equals("NONEwithECDSAinP1363Format")) {
|
(int) CKM_DSA_SHA512,
|
||||||
type = T_RAW;
|
(int) CKM_DSA_SHA3_224,
|
||||||
buffer = new byte[RAW_ECDSA_MAX];
|
(int) CKM_DSA_SHA3_256,
|
||||||
} else {
|
(int) CKM_DSA_SHA3_384,
|
||||||
type = T_DIGEST;
|
(int) CKM_DSA_SHA3_512 -> {
|
||||||
md = MessageDigest.getInstance
|
keyAlgorithm = "DSA";
|
||||||
(getDigestEnum(algorithm).stdName());
|
type = T_UPDATE;
|
||||||
|
buffer = new byte[1];
|
||||||
}
|
}
|
||||||
break;
|
case (int) CKM_ECDSA_SHA1,
|
||||||
case (int)CKM_RSA_PKCS:
|
(int) CKM_ECDSA_SHA224,
|
||||||
case (int)CKM_RSA_X_509:
|
(int) CKM_ECDSA_SHA256,
|
||||||
keyAlgorithm = "RSA";
|
(int) CKM_ECDSA_SHA384,
|
||||||
type = T_DIGEST;
|
(int) CKM_ECDSA_SHA512,
|
||||||
KnownOIDs digestAlg = getDigestEnum(algorithm);
|
(int) CKM_ECDSA_SHA3_224,
|
||||||
md = MessageDigest.getInstance(digestAlg.stdName());
|
(int) CKM_ECDSA_SHA3_256,
|
||||||
digestOID = ObjectIdentifier.of(digestAlg);
|
(int) CKM_ECDSA_SHA3_384,
|
||||||
break;
|
(int) CKM_ECDSA_SHA3_512 -> {
|
||||||
default:
|
keyAlgorithm = "EC";
|
||||||
throw new ProviderException("Unknown mechanism: " + mechanism);
|
type = T_UPDATE;
|
||||||
|
buffer = new byte[1];
|
||||||
|
}
|
||||||
|
case (int) CKM_DSA -> {
|
||||||
|
keyAlgorithm = "DSA";
|
||||||
|
if (algorithm.equals("DSA") ||
|
||||||
|
algorithm.equals("DSAinP1363Format")) {
|
||||||
|
type = T_DIGEST;
|
||||||
|
md = MessageDigest.getInstance("SHA-1");
|
||||||
|
} else if (algorithm.equals("RawDSA") ||
|
||||||
|
algorithm.equals("RawDSAinP1363Format")) {
|
||||||
|
type = T_RAW;
|
||||||
|
buffer = new byte[20];
|
||||||
|
} else {
|
||||||
|
throw new ProviderException(algorithm);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
case (int) CKM_ECDSA -> {
|
||||||
|
keyAlgorithm = "EC";
|
||||||
|
if (algorithm.equals("NONEwithECDSA") ||
|
||||||
|
algorithm.equals("NONEwithECDSAinP1363Format")) {
|
||||||
|
type = T_RAW;
|
||||||
|
buffer = new byte[RAW_ECDSA_MAX];
|
||||||
|
} else {
|
||||||
|
type = T_DIGEST;
|
||||||
|
md = MessageDigest.getInstance
|
||||||
|
(getDigestEnum(algorithm).stdName());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
case (int) CKM_RSA_PKCS, (int) CKM_RSA_X_509 -> {
|
||||||
|
keyAlgorithm = "RSA";
|
||||||
|
type = T_DIGEST;
|
||||||
|
KnownOIDs digestAlg = getDigestEnum(algorithm);
|
||||||
|
md = MessageDigest.getInstance(digestAlg.stdName());
|
||||||
|
digestOID = ObjectIdentifier.of(digestAlg);
|
||||||
|
}
|
||||||
|
default -> throw new ProviderException("Unknown mechanism: " + mechanism);
|
||||||
}
|
}
|
||||||
this.buffer = buffer;
|
this.buffer = buffer;
|
||||||
this.digestOID = digestOID;
|
this.digestOID = digestOID;
|
||||||
@ -408,19 +406,16 @@ final class P11Signature extends SignatureSpi {
|
|||||||
maxKeySize = 1024;
|
maxKeySize = 1024;
|
||||||
}
|
}
|
||||||
int keySize = 0;
|
int keySize = 0;
|
||||||
if (key instanceof P11Key) {
|
if (key instanceof P11Key keyP11) {
|
||||||
keySize = ((P11Key) key).length();
|
keySize = keyP11.length();
|
||||||
} else {
|
} else {
|
||||||
try {
|
try {
|
||||||
if (keyAlgo.equals("RSA")) {
|
keySize = switch (keyAlgo) {
|
||||||
keySize = ((RSAKey) key).getModulus().bitLength();
|
case "RSA" -> ((RSAKey) key).getModulus().bitLength();
|
||||||
} else if (keyAlgo.equals("DSA")) {
|
case "DSA" -> ((DSAKey) key).getParams().getP().bitLength();
|
||||||
keySize = ((DSAKey) key).getParams().getP().bitLength();
|
case "EC" -> ((ECKey) key).getParams().getCurve().getField().getFieldSize();
|
||||||
} else if (keyAlgo.equals("EC")) {
|
default -> throw new ProviderException("Error: unsupported algo " + keyAlgo);
|
||||||
keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize();
|
};
|
||||||
} else {
|
|
||||||
throw new ProviderException("Error: unsupported algo " + keyAlgo);
|
|
||||||
}
|
|
||||||
} catch (ClassCastException cce) {
|
} catch (ClassCastException cce) {
|
||||||
throw new InvalidKeyException(keyAlgo +
|
throw new InvalidKeyException(keyAlgo +
|
||||||
" key must be the right type", cce);
|
" key must be the right type", cce);
|
||||||
@ -506,23 +501,22 @@ final class P11Signature extends SignatureSpi {
|
|||||||
protected void engineUpdate(byte b) throws SignatureException {
|
protected void engineUpdate(byte b) throws SignatureException {
|
||||||
ensureInitialized();
|
ensureInitialized();
|
||||||
switch (type) {
|
switch (type) {
|
||||||
case T_UPDATE:
|
case T_UPDATE -> {
|
||||||
buffer[0] = b;
|
buffer[0] = b;
|
||||||
engineUpdate(buffer, 0, 1);
|
engineUpdate(buffer, 0, 1);
|
||||||
break;
|
|
||||||
case T_DIGEST:
|
|
||||||
md.update(b);
|
|
||||||
bytesProcessed++;
|
|
||||||
break;
|
|
||||||
case T_RAW:
|
|
||||||
if (bytesProcessed >= buffer.length) {
|
|
||||||
bytesProcessed = buffer.length + 1;
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
buffer[bytesProcessed++] = b;
|
case T_DIGEST -> {
|
||||||
break;
|
md.update(b);
|
||||||
default:
|
bytesProcessed++;
|
||||||
throw new ProviderException("Internal error");
|
}
|
||||||
|
case T_RAW -> {
|
||||||
|
if (bytesProcessed >= buffer.length) {
|
||||||
|
bytesProcessed = buffer.length + 1;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
buffer[bytesProcessed++] = b;
|
||||||
|
}
|
||||||
|
default -> throw new ProviderException("Internal error");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -580,44 +574,45 @@ final class P11Signature extends SignatureSpi {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
switch (type) {
|
switch (type) {
|
||||||
case T_UPDATE:
|
case T_UPDATE -> {
|
||||||
if (byteBuffer instanceof DirectBuffer == false) {
|
if (!(byteBuffer instanceof DirectBuffer)) {
|
||||||
// cannot do better than default impl
|
// cannot do better than default impl
|
||||||
super.engineUpdate(byteBuffer);
|
super.engineUpdate(byteBuffer);
|
||||||
return;
|
return;
|
||||||
}
|
|
||||||
long addr = ((DirectBuffer)byteBuffer).address();
|
|
||||||
int ofs = byteBuffer.position();
|
|
||||||
try {
|
|
||||||
if (mode == M_SIGN) {
|
|
||||||
token.p11.C_SignUpdate
|
|
||||||
(session.id(), addr + ofs, null, 0, len);
|
|
||||||
} else {
|
|
||||||
token.p11.C_VerifyUpdate
|
|
||||||
(session.id(), addr + ofs, null, 0, len);
|
|
||||||
}
|
}
|
||||||
|
long addr = ((DirectBuffer) byteBuffer).address();
|
||||||
|
int ofs = byteBuffer.position();
|
||||||
|
try {
|
||||||
|
if (mode == M_SIGN) {
|
||||||
|
token.p11.C_SignUpdate
|
||||||
|
(session.id(), addr + ofs, null, 0, len);
|
||||||
|
} else {
|
||||||
|
token.p11.C_VerifyUpdate
|
||||||
|
(session.id(), addr + ofs, null, 0, len);
|
||||||
|
}
|
||||||
|
bytesProcessed += len;
|
||||||
|
byteBuffer.position(ofs + len);
|
||||||
|
} catch (PKCS11Exception e) {
|
||||||
|
reset(false);
|
||||||
|
throw new ProviderException("Update failed", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
case T_DIGEST -> {
|
||||||
|
md.update(byteBuffer);
|
||||||
bytesProcessed += len;
|
bytesProcessed += len;
|
||||||
byteBuffer.position(ofs + len);
|
}
|
||||||
} catch (PKCS11Exception e) {
|
case T_RAW -> {
|
||||||
|
if (bytesProcessed + len > buffer.length) {
|
||||||
|
bytesProcessed = buffer.length + 1;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
byteBuffer.get(buffer, bytesProcessed, len);
|
||||||
|
bytesProcessed += len;
|
||||||
|
}
|
||||||
|
default -> {
|
||||||
reset(false);
|
reset(false);
|
||||||
throw new ProviderException("Update failed", e);
|
throw new ProviderException("Internal error");
|
||||||
}
|
}
|
||||||
break;
|
|
||||||
case T_DIGEST:
|
|
||||||
md.update(byteBuffer);
|
|
||||||
bytesProcessed += len;
|
|
||||||
break;
|
|
||||||
case T_RAW:
|
|
||||||
if (bytesProcessed + len > buffer.length) {
|
|
||||||
bytesProcessed = buffer.length + 1;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
byteBuffer.get(buffer, bytesProcessed, len);
|
|
||||||
bytesProcessed += len;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
reset(false);
|
|
||||||
throw new ProviderException("Internal error");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -651,7 +646,7 @@ final class P11Signature extends SignatureSpi {
|
|||||||
System.arraycopy(buffer, 0, digest, 0, bytesProcessed);
|
System.arraycopy(buffer, 0, digest, 0, bytesProcessed);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keyAlgorithm.equals("RSA") == false) {
|
if (!keyAlgorithm.equals("RSA")) {
|
||||||
// DSA and ECDSA
|
// DSA and ECDSA
|
||||||
signature = token.p11.C_Sign(session.id(), digest);
|
signature = token.p11.C_Sign(session.id(), digest);
|
||||||
} else { // RSA
|
} else { // RSA
|
||||||
@ -724,7 +719,7 @@ final class P11Signature extends SignatureSpi {
|
|||||||
System.arraycopy(buffer, 0, digest, 0, bytesProcessed);
|
System.arraycopy(buffer, 0, digest, 0, bytesProcessed);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (keyAlgorithm.equals("RSA") == false) {
|
if (!keyAlgorithm.equals("RSA")) {
|
||||||
// DSA and ECDSA
|
// DSA and ECDSA
|
||||||
token.p11.C_Verify(session.id(), digest, signature);
|
token.p11.C_Verify(session.id(), digest, signature);
|
||||||
} else { // RSA
|
} else { // RSA
|
||||||
|
@ -87,7 +87,7 @@ public final class P11TlsMasterSecretGenerator extends KeyGeneratorSpi {
|
|||||||
@SuppressWarnings("deprecation")
|
@SuppressWarnings("deprecation")
|
||||||
protected void engineInit(AlgorithmParameterSpec params,
|
protected void engineInit(AlgorithmParameterSpec params,
|
||||||
SecureRandom random) throws InvalidAlgorithmParameterException {
|
SecureRandom random) throws InvalidAlgorithmParameterException {
|
||||||
if (params instanceof TlsMasterSecretParameterSpec == false) {
|
if (!(params instanceof TlsMasterSecretParameterSpec)) {
|
||||||
throw new InvalidAlgorithmParameterException(MSG);
|
throw new InvalidAlgorithmParameterException(MSG);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -85,7 +85,7 @@ final class P11TlsPrfGenerator extends KeyGeneratorSpi {
|
|||||||
@SuppressWarnings("deprecation")
|
@SuppressWarnings("deprecation")
|
||||||
protected void engineInit(AlgorithmParameterSpec params,
|
protected void engineInit(AlgorithmParameterSpec params,
|
||||||
SecureRandom random) throws InvalidAlgorithmParameterException {
|
SecureRandom random) throws InvalidAlgorithmParameterException {
|
||||||
if (params instanceof TlsPrfParameterSpec == false) {
|
if (!(params instanceof TlsPrfParameterSpec)) {
|
||||||
throw new InvalidAlgorithmParameterException(MSG);
|
throw new InvalidAlgorithmParameterException(MSG);
|
||||||
}
|
}
|
||||||
this.spec = (TlsPrfParameterSpec)params;
|
this.spec = (TlsPrfParameterSpec)params;
|
||||||
|
@ -83,12 +83,10 @@ final class P11TlsRsaPremasterSecretGenerator extends KeyGeneratorSpi {
|
|||||||
@SuppressWarnings("deprecation")
|
@SuppressWarnings("deprecation")
|
||||||
protected void engineInit(AlgorithmParameterSpec params,
|
protected void engineInit(AlgorithmParameterSpec params,
|
||||||
SecureRandom random) throws InvalidAlgorithmParameterException {
|
SecureRandom random) throws InvalidAlgorithmParameterException {
|
||||||
if (!(params instanceof TlsRsaPremasterSecretParameterSpec)) {
|
if (!(params instanceof TlsRsaPremasterSecretParameterSpec spec)) {
|
||||||
throw new InvalidAlgorithmParameterException(MSG);
|
throw new InvalidAlgorithmParameterException(MSG);
|
||||||
}
|
}
|
||||||
|
|
||||||
TlsRsaPremasterSecretParameterSpec spec =
|
|
||||||
(TlsRsaPremasterSecretParameterSpec) params;
|
|
||||||
int tlsVersion = (spec.getMajorVersion() << 8) | spec.getMinorVersion();
|
int tlsVersion = (spec.getMajorVersion() << 8) | spec.getMinorVersion();
|
||||||
|
|
||||||
if ((tlsVersion == 0x0300 && !supportSSLv3) ||
|
if ((tlsVersion == 0x0300 && !supportSSLv3) ||
|
||||||
|
@ -133,10 +133,10 @@ public final class Secmod {
|
|||||||
public synchronized boolean isInitialized() throws IOException {
|
public synchronized boolean isInitialized() throws IOException {
|
||||||
// NSS does not allow us to check if it is initialized already
|
// NSS does not allow us to check if it is initialized already
|
||||||
// assume that if it is loaded it is also initialized
|
// assume that if it is loaded it is also initialized
|
||||||
if (isLoaded() == false) {
|
if (!isLoaded()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (supported == false) {
|
if (!supported) {
|
||||||
throw new IOException
|
throw new IOException
|
||||||
("An incompatible version of NSS is already loaded, "
|
("An incompatible version of NSS is already loaded, "
|
||||||
+ "3.7 or later required");
|
+ "3.7 or later required");
|
||||||
@ -194,11 +194,11 @@ public final class Secmod {
|
|||||||
platformPath = platformLibName;
|
platformPath = platformLibName;
|
||||||
} else {
|
} else {
|
||||||
File base = new File(nssLibDir);
|
File base = new File(nssLibDir);
|
||||||
if (base.isDirectory() == false) {
|
if (!base.isDirectory()) {
|
||||||
throw new IOException("nssLibDir must be a directory:" + nssLibDir);
|
throw new IOException("nssLibDir must be a directory:" + nssLibDir);
|
||||||
}
|
}
|
||||||
File platformFile = new File(base, platformLibName);
|
File platformFile = new File(base, platformLibName);
|
||||||
if (platformFile.isFile() == false) {
|
if (!platformFile.isFile()) {
|
||||||
throw new FileNotFoundException(platformFile.getPath());
|
throw new FileNotFoundException(platformFile.getPath());
|
||||||
}
|
}
|
||||||
platformPath = platformFile.getPath();
|
platformPath = platformFile.getPath();
|
||||||
@ -214,12 +214,12 @@ public final class Secmod {
|
|||||||
configDirPath = configDirPathSB.substring(sqlPrefix.length());
|
configDirPath = configDirPathSB.substring(sqlPrefix.length());
|
||||||
}
|
}
|
||||||
File configBase = new File(configDirPath);
|
File configBase = new File(configDirPath);
|
||||||
if (configBase.isDirectory() == false ) {
|
if (!configBase.isDirectory()) {
|
||||||
throw new IOException("configDir must be a directory: " + configDirPath);
|
throw new IOException("configDir must be a directory: " + configDirPath);
|
||||||
}
|
}
|
||||||
if (!configDir.startsWith(sqlPrefix)) {
|
if (!configDir.startsWith(sqlPrefix)) {
|
||||||
File secmodFile = new File(configBase, "secmod.db");
|
File secmodFile = new File(configBase, "secmod.db");
|
||||||
if (secmodFile.isFile() == false) {
|
if (!secmodFile.isFile()) {
|
||||||
throw new FileNotFoundException(secmodFile.getPath());
|
throw new FileNotFoundException(secmodFile.getPath());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -229,7 +229,7 @@ public final class Secmod {
|
|||||||
nssHandle = nssLoadLibrary(platformPath);
|
nssHandle = nssLoadLibrary(platformPath);
|
||||||
if (DEBUG) System.out.println("handle: " + nssHandle);
|
if (DEBUG) System.out.println("handle: " + nssHandle);
|
||||||
fetchVersions();
|
fetchVersions();
|
||||||
if (supported == false) {
|
if (!supported) {
|
||||||
throw new IOException
|
throw new IOException
|
||||||
("The specified version of NSS is incompatible, "
|
("The specified version of NSS is incompatible, "
|
||||||
+ "3.7 or later required");
|
+ "3.7 or later required");
|
||||||
@ -239,7 +239,7 @@ public final class Secmod {
|
|||||||
boolean initok = nssInitialize(dbMode.functionName, nssHandle,
|
boolean initok = nssInitialize(dbMode.functionName, nssHandle,
|
||||||
configDir, nssOptimizeSpace);
|
configDir, nssOptimizeSpace);
|
||||||
if (DEBUG) System.out.println("init: " + initok);
|
if (DEBUG) System.out.println("init: " + initok);
|
||||||
if (initok == false) {
|
if (!initok) {
|
||||||
throw new IOException("NSS initialization failed");
|
throw new IOException("NSS initialization failed");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -255,7 +255,7 @@ public final class Secmod {
|
|||||||
*/
|
*/
|
||||||
public synchronized List<Module> getModules() {
|
public synchronized List<Module> getModules() {
|
||||||
try {
|
try {
|
||||||
if (isInitialized() == false) {
|
if (!isInitialized()) {
|
||||||
throw new IllegalStateException("NSS not initialized");
|
throw new IllegalStateException("NSS not initialized");
|
||||||
}
|
}
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
@ -353,35 +353,40 @@ public final class Secmod {
|
|||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
static final String TEMPLATE_EXTERNAL =
|
static final String TEMPLATE_EXTERNAL = """
|
||||||
"library = %s\n"
|
library = %s
|
||||||
+ "name = \"%s\"\n"
|
name = "%s"
|
||||||
+ "slotListIndex = %d\n";
|
slotListIndex = %d
|
||||||
|
""";
|
||||||
|
|
||||||
static final String TEMPLATE_TRUSTANCHOR =
|
static final String TEMPLATE_TRUSTANCHOR = """
|
||||||
"library = %s\n"
|
library = %s
|
||||||
+ "name = \"NSS Trust Anchors\"\n"
|
name = "NSS Trust Anchors"
|
||||||
+ "slotListIndex = 0\n"
|
slotListIndex = 0
|
||||||
+ "enabledMechanisms = { KeyStore }\n"
|
enabledMechanisms = { KeyStore }
|
||||||
+ "nssUseSecmodTrust = true\n";
|
nssUseSecmodTrust = true
|
||||||
|
""";
|
||||||
|
|
||||||
static final String TEMPLATE_CRYPTO =
|
static final String TEMPLATE_CRYPTO = """
|
||||||
"library = %s\n"
|
library = %s
|
||||||
+ "name = \"NSS SoftToken Crypto\"\n"
|
name = "NSS SoftToken Crypto"
|
||||||
+ "slotListIndex = 0\n"
|
slotListIndex = 0
|
||||||
+ "disabledMechanisms = { KeyStore }\n";
|
disabledMechanisms = { KeyStore }
|
||||||
|
""";
|
||||||
|
|
||||||
static final String TEMPLATE_KEYSTORE =
|
static final String TEMPLATE_KEYSTORE = """
|
||||||
"library = %s\n"
|
library = %s
|
||||||
+ "name = \"NSS SoftToken KeyStore\"\n"
|
name = "NSS SoftToken KeyStore"
|
||||||
+ "slotListIndex = 1\n"
|
slotListIndex = 1
|
||||||
+ "nssUseSecmodTrust = true\n";
|
nssUseSecmodTrust = true
|
||||||
|
""";
|
||||||
|
|
||||||
static final String TEMPLATE_FIPS =
|
static final String TEMPLATE_FIPS = """
|
||||||
"library = %s\n"
|
library = %s
|
||||||
+ "name = \"NSS FIPS SoftToken\"\n"
|
name = "NSS FIPS SoftToken"
|
||||||
+ "slotListIndex = 0\n"
|
slotListIndex = 0
|
||||||
+ "nssUseSecmodTrust = true\n";
|
nssUseSecmodTrust = true
|
||||||
|
""";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A representation of one PKCS#11 slot in a PKCS#11 module.
|
* A representation of one PKCS#11 slot in a PKCS#11 module.
|
||||||
@ -442,26 +447,13 @@ public final class Secmod {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private void initConfiguration() {
|
private void initConfiguration() {
|
||||||
switch (type) {
|
config = switch (type) {
|
||||||
case EXTERNAL:
|
case EXTERNAL -> String.format(TEMPLATE_EXTERNAL, libraryName, commonName + " " + slot, slot);
|
||||||
config = String.format(TEMPLATE_EXTERNAL, libraryName,
|
case CRYPTO -> String.format(TEMPLATE_CRYPTO, libraryName);
|
||||||
commonName + " " + slot, slot);
|
case KEYSTORE -> String.format(TEMPLATE_KEYSTORE, libraryName);
|
||||||
break;
|
case FIPS -> String.format(TEMPLATE_FIPS, libraryName);
|
||||||
case CRYPTO:
|
case TRUSTANCHOR -> String.format(TEMPLATE_TRUSTANCHOR, libraryName);
|
||||||
config = String.format(TEMPLATE_CRYPTO, libraryName);
|
};
|
||||||
break;
|
|
||||||
case KEYSTORE:
|
|
||||||
config = String.format(TEMPLATE_KEYSTORE, libraryName);
|
|
||||||
break;
|
|
||||||
case FIPS:
|
|
||||||
config = String.format(TEMPLATE_FIPS, libraryName);
|
|
||||||
break;
|
|
||||||
case TRUSTANCHOR:
|
|
||||||
config = String.format(TEMPLATE_TRUSTANCHOR, libraryName);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
throw new RuntimeException("Unknown module type: " + type);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -545,7 +537,7 @@ public final class Secmod {
|
|||||||
trust.put(bytes, attr);
|
trust.put(bytes, attr);
|
||||||
} else {
|
} else {
|
||||||
// does it already have the correct trust settings?
|
// does it already have the correct trust settings?
|
||||||
if (attr.isTrusted(TrustType.ALL) == false) {
|
if (!attr.isTrusted(TrustType.ALL)) {
|
||||||
// XXX not yet implemented
|
// XXX not yet implemented
|
||||||
throw new ProviderException("Cannot change existing trust attributes");
|
throw new ProviderException("Cannot change existing trust attributes");
|
||||||
}
|
}
|
||||||
@ -746,17 +738,16 @@ public final class Secmod {
|
|||||||
if (this == o) {
|
if (this == o) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
if (o instanceof Bytes == false) {
|
if (!(o instanceof Bytes other)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
Bytes other = (Bytes)o;
|
|
||||||
return Arrays.equals(this.b, other.b);
|
return Arrays.equals(this.b, other.b);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static Map<Bytes,TrustAttributes> getTrust(SunPKCS11 provider)
|
private static Map<Bytes,TrustAttributes> getTrust(SunPKCS11 provider)
|
||||||
throws PKCS11Exception {
|
throws PKCS11Exception {
|
||||||
Map<Bytes,TrustAttributes> trustMap = new HashMap<Bytes,TrustAttributes>();
|
Map<Bytes,TrustAttributes> trustMap = new HashMap<>();
|
||||||
Token token = provider.getToken();
|
Token token = provider.getToken();
|
||||||
Session session = null;
|
Session session = null;
|
||||||
boolean exceptionOccurred = true;
|
boolean exceptionOccurred = true;
|
||||||
|
@ -83,7 +83,7 @@ final class Session implements Comparable<Session> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
long id() {
|
long id() {
|
||||||
if (token.isPresent(this.id) == false) {
|
if (!token.isPresent(this.id)) {
|
||||||
throw new ProviderException("Token has been removed");
|
throw new ProviderException("Token has been removed");
|
||||||
}
|
}
|
||||||
lastAccess = System.currentTimeMillis();
|
lastAccess = System.currentTimeMillis();
|
||||||
|
@ -161,7 +161,7 @@ final class SessionManager {
|
|||||||
}
|
}
|
||||||
|
|
||||||
Session killSession(Session session) {
|
Session killSession(Session session) {
|
||||||
if ((session == null) || (token.isValid() == false)) {
|
if ((session == null) || (!token.isValid())) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
if (debug != null) {
|
if (debug != null) {
|
||||||
@ -176,7 +176,7 @@ final class SessionManager {
|
|||||||
}
|
}
|
||||||
|
|
||||||
Session releaseSession(Session session) {
|
Session releaseSession(Session session) {
|
||||||
if ((session == null) || (token.isValid() == false)) {
|
if ((session == null) || (!token.isValid())) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
if (session.hasObjects()) {
|
if (session.hasObjects()) {
|
||||||
@ -193,7 +193,7 @@ final class SessionManager {
|
|||||||
}
|
}
|
||||||
|
|
||||||
void demoteObjSession(Session session) {
|
void demoteObjSession(Session session) {
|
||||||
if (token.isValid() == false) {
|
if (!token.isValid()) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (debug != null) {
|
if (debug != null) {
|
||||||
@ -202,14 +202,14 @@ final class SessionManager {
|
|||||||
}
|
}
|
||||||
|
|
||||||
boolean present = objSessions.remove(session);
|
boolean present = objSessions.remove(session);
|
||||||
if (present == false) {
|
if (!present) {
|
||||||
// session is currently in use
|
// session is currently in use
|
||||||
// will be added to correct pool on release, nothing to do now
|
// will be added to correct pool on release, nothing to do now
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
// Objects could have been added to this session by other thread between
|
// Objects could have been added to this session by other thread between
|
||||||
// check in Session.removeObject method and objSessions.remove call
|
// check in Session.removeObject method and objSessions.remove call
|
||||||
// higher. Therefore releaseSession method, which performs additional
|
// higher. Therefore, releaseSession method, which performs additional
|
||||||
// check for objects, is used here to avoid placing this session
|
// check for objects, is used here to avoid placing this session
|
||||||
// in wrong pool due to race condition.
|
// in wrong pool due to race condition.
|
||||||
releaseSession(session);
|
releaseSession(session);
|
||||||
@ -255,9 +255,9 @@ final class SessionManager {
|
|||||||
Pool(SessionManager mgr, boolean obj) {
|
Pool(SessionManager mgr, boolean obj) {
|
||||||
this.mgr = mgr;
|
this.mgr = mgr;
|
||||||
if (obj) {
|
if (obj) {
|
||||||
pool = new LinkedBlockingQueue<Session>();
|
pool = new LinkedBlockingQueue<>();
|
||||||
} else {
|
} else {
|
||||||
pool = new LinkedBlockingQueue<Session>(SESSION_MAX);
|
pool = new LinkedBlockingQueue<>(SESSION_MAX);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -189,7 +189,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
if (nssSecmodDirectory != null) {
|
if (nssSecmodDirectory != null) {
|
||||||
String s = secmod.getConfigDir();
|
String s = secmod.getConfigDir();
|
||||||
if ((s != null) &&
|
if ((s != null) &&
|
||||||
(s.equals(nssSecmodDirectory) == false)) {
|
(!s.equals(nssSecmodDirectory))) {
|
||||||
throw new ProviderException("Secmod directory "
|
throw new ProviderException("Secmod directory "
|
||||||
+ nssSecmodDirectory
|
+ nssSecmodDirectory
|
||||||
+ " invalid, NSS already initialized with "
|
+ " invalid, NSS already initialized with "
|
||||||
@ -199,7 +199,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
if (nssLibraryDirectory != null) {
|
if (nssLibraryDirectory != null) {
|
||||||
String s = secmod.getLibDir();
|
String s = secmod.getLibDir();
|
||||||
if ((s != null) &&
|
if ((s != null) &&
|
||||||
(s.equals(nssLibraryDirectory) == false)) {
|
(!s.equals(nssLibraryDirectory))) {
|
||||||
throw new ProviderException("NSS library directory "
|
throw new ProviderException("NSS library directory "
|
||||||
+ nssLibraryDirectory
|
+ nssLibraryDirectory
|
||||||
+ " invalid, NSS already initialized with "
|
+ " invalid, NSS already initialized with "
|
||||||
@ -302,8 +302,8 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
// (e.g. "libpkcs11.so"), it may refer to a library somewhere on the
|
// (e.g. "libpkcs11.so"), it may refer to a library somewhere on the
|
||||||
// OS library search path. Omit the test for file existence as that
|
// OS library search path. Omit the test for file existence as that
|
||||||
// only looks in the current directory.
|
// only looks in the current directory.
|
||||||
if (libraryFile.getName().equals(library) == false) {
|
if (!libraryFile.getName().equals(library)) {
|
||||||
if (new File(library).isFile() == false) {
|
if (!new File(library).isFile()) {
|
||||||
String msg = "Library " + library + " does not exist";
|
String msg = "Library " + library + " does not exist";
|
||||||
if (config.getHandleStartupErrors() == Config.ERR_HALT) {
|
if (config.getHandleStartupErrors() == Config.ERR_HALT) {
|
||||||
throw new ProviderException(msg);
|
throw new ProviderException(msg);
|
||||||
@ -332,7 +332,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
if (debug != null) {
|
if (debug != null) {
|
||||||
debug.println("Multi-threaded initialization failed: " + e);
|
debug.println("Multi-threaded initialization failed: " + e);
|
||||||
}
|
}
|
||||||
if (config.getAllowSingleThreadedModules() == false) {
|
if (!config.getAllowSingleThreadedModules()) {
|
||||||
throw e;
|
throw e;
|
||||||
}
|
}
|
||||||
// fall back to single threaded access
|
// fall back to single threaded access
|
||||||
@ -480,11 +480,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
for (int i = 0; i < d.mechanisms.length; i++) {
|
for (int i = 0; i < d.mechanisms.length; i++) {
|
||||||
int m = d.mechanisms[i];
|
int m = d.mechanisms[i];
|
||||||
Integer key = Integer.valueOf(m);
|
Integer key = Integer.valueOf(m);
|
||||||
List<Descriptor> list = descriptors.get(key);
|
List<Descriptor> list = descriptors.computeIfAbsent(key, k -> new ArrayList<>());
|
||||||
if (list == null) {
|
|
||||||
list = new ArrayList<Descriptor>();
|
|
||||||
descriptors.put(key, list);
|
|
||||||
}
|
|
||||||
list.add(d);
|
list.add(d);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -954,7 +950,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
} catch (InterruptedException e) {
|
} catch (InterruptedException e) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (enabled == false) {
|
if (!enabled) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
@ -1251,7 +1247,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
@Override
|
@Override
|
||||||
public Object newInstance(Object param)
|
public Object newInstance(Object param)
|
||||||
throws NoSuchAlgorithmException {
|
throws NoSuchAlgorithmException {
|
||||||
if (token.isValid() == false) {
|
if (!token.isValid()) {
|
||||||
throw new NoSuchAlgorithmException("Token has been removed");
|
throw new NoSuchAlgorithmException("Token has been removed");
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
@ -1273,14 +1269,14 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
} else if (algorithm.endsWith("GCM/NoPadding") ||
|
} else if (algorithm.endsWith("GCM/NoPadding") ||
|
||||||
algorithm.startsWith("ChaCha20-Poly1305")) {
|
algorithm.startsWith("ChaCha20-Poly1305")) {
|
||||||
return new P11AEADCipher(token, algorithm, mechanism);
|
return new P11AEADCipher(token, algorithm, mechanism);
|
||||||
} else if (algorithm.indexOf("/KW/") != -1 ||
|
} else if (algorithm.contains("/KW/") ||
|
||||||
algorithm.indexOf("/KWP/") != -1) {
|
algorithm.contains("/KWP/")) {
|
||||||
return new P11KeyWrapCipher(token, algorithm, mechanism);
|
return new P11KeyWrapCipher(token, algorithm, mechanism);
|
||||||
} else {
|
} else {
|
||||||
return new P11Cipher(token, algorithm, mechanism);
|
return new P11Cipher(token, algorithm, mechanism);
|
||||||
}
|
}
|
||||||
} else if (type == SIG) {
|
} else if (type == SIG) {
|
||||||
if (algorithm.indexOf("RSASSA-PSS") != -1) {
|
if (algorithm.contains("RSASSA-PSS")) {
|
||||||
return new P11PSSSignature(token, algorithm, mechanism);
|
return new P11PSSSignature(token, algorithm, mechanism);
|
||||||
} else {
|
} else {
|
||||||
return new P11Signature(token, algorithm, mechanism);
|
return new P11Signature(token, algorithm, mechanism);
|
||||||
@ -1339,20 +1335,19 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public boolean supportsParameter(Object param) {
|
public boolean supportsParameter(Object param) {
|
||||||
if ((param == null) || (token.isValid() == false)) {
|
if ((param == null) || (!token.isValid())) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (param instanceof Key == false) {
|
if (!(param instanceof Key key)) {
|
||||||
throw new InvalidParameterException("Parameter must be a Key");
|
throw new InvalidParameterException("Parameter must be a Key");
|
||||||
}
|
}
|
||||||
String algorithm = getAlgorithm();
|
String algorithm = getAlgorithm();
|
||||||
String type = getType();
|
String type = getType();
|
||||||
Key key = (Key)param;
|
|
||||||
String keyAlgorithm = key.getAlgorithm();
|
String keyAlgorithm = key.getAlgorithm();
|
||||||
// RSA signatures and cipher
|
// RSA signatures and cipher
|
||||||
if (((type == CIP) && algorithm.startsWith("RSA"))
|
if (((type == CIP) && algorithm.startsWith("RSA"))
|
||||||
|| (type == SIG) && (algorithm.indexOf("RSA") != -1)) {
|
|| (type == SIG) && (algorithm.contains("RSA"))) {
|
||||||
if (keyAlgorithm.equals("RSA") == false) {
|
if (!keyAlgorithm.equals("RSA")) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return isLocalKey(key)
|
return isLocalKey(key)
|
||||||
@ -1362,7 +1357,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
// EC
|
// EC
|
||||||
if (((type == KA) && algorithm.equals("ECDH"))
|
if (((type == KA) && algorithm.equals("ECDH"))
|
||||||
|| ((type == SIG) && algorithm.contains("ECDSA"))) {
|
|| ((type == SIG) && algorithm.contains("ECDSA"))) {
|
||||||
if (keyAlgorithm.equals("EC") == false) {
|
if (!keyAlgorithm.equals("EC")) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return isLocalKey(key)
|
return isLocalKey(key)
|
||||||
@ -1372,7 +1367,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
// DSA signatures
|
// DSA signatures
|
||||||
if ((type == SIG) && algorithm.contains("DSA") &&
|
if ((type == SIG) && algorithm.contains("DSA") &&
|
||||||
!algorithm.contains("ECDSA")) {
|
!algorithm.contains("ECDSA")) {
|
||||||
if (keyAlgorithm.equals("DSA") == false) {
|
if (!keyAlgorithm.equals("DSA")) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return isLocalKey(key)
|
return isLocalKey(key)
|
||||||
@ -1386,7 +1381,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
}
|
}
|
||||||
// DH key agreement
|
// DH key agreement
|
||||||
if (type == KA) {
|
if (type == KA) {
|
||||||
if (keyAlgorithm.equals("DH") == false) {
|
if (!keyAlgorithm.equals("DH")) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return isLocalKey(key)
|
return isLocalKey(key)
|
||||||
@ -1577,7 +1572,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
(new SecurityPermission("authProvider." + this.getName()));
|
(new SecurityPermission("authProvider." + this.getName()));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (hasValidToken() == false) {
|
if (!hasValidToken()) {
|
||||||
// app may call logout for cleanup, allow
|
// app may call logout for cleanup, allow
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -1775,7 +1770,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
|
|
||||||
private Object readResolve() throws ObjectStreamException {
|
private Object readResolve() throws ObjectStreamException {
|
||||||
SunPKCS11 p = (SunPKCS11)Security.getProvider(providerName);
|
SunPKCS11 p = (SunPKCS11)Security.getProvider(providerName);
|
||||||
if ((p == null) || (p.config.getFileName().equals(configName) == false)) {
|
if ((p == null) || (!p.config.getFileName().equals(configName))) {
|
||||||
throw new NotSerializableException("Could not find "
|
throw new NotSerializableException("Could not find "
|
||||||
+ providerName + " in installed providers");
|
+ providerName + " in installed providers");
|
||||||
}
|
}
|
||||||
|
@ -85,8 +85,8 @@ final class TemplateManager {
|
|||||||
private final Map<TemplateKey,Template> compositeTemplates;
|
private final Map<TemplateKey,Template> compositeTemplates;
|
||||||
|
|
||||||
TemplateManager() {
|
TemplateManager() {
|
||||||
primitiveTemplates = new ArrayList<KeyAndTemplate>();
|
primitiveTemplates = new ArrayList<>();
|
||||||
compositeTemplates = new ConcurrentHashMap<TemplateKey,Template>();
|
compositeTemplates = new ConcurrentHashMap<>();
|
||||||
}
|
}
|
||||||
|
|
||||||
// add a template. Called by Config.
|
// add a template. Called by Config.
|
||||||
@ -151,10 +151,9 @@ final class TemplateManager {
|
|||||||
if (this == obj) {
|
if (this == obj) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
if (obj instanceof TemplateKey == false) {
|
if (!(obj instanceof TemplateKey other)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
TemplateKey other = (TemplateKey)obj;
|
|
||||||
boolean match = this.operation.equals(other.operation)
|
boolean match = this.operation.equals(other.operation)
|
||||||
&& (this.keyType == other.keyType)
|
&& (this.keyType == other.keyType)
|
||||||
&& (this.keyAlgorithm == other.keyAlgorithm);
|
&& (this.keyAlgorithm == other.keyAlgorithm);
|
||||||
@ -212,7 +211,7 @@ final class TemplateManager {
|
|||||||
*/
|
*/
|
||||||
private static CK_ATTRIBUTE[] combine(CK_ATTRIBUTE[] attrs1,
|
private static CK_ATTRIBUTE[] combine(CK_ATTRIBUTE[] attrs1,
|
||||||
CK_ATTRIBUTE[] attrs2) {
|
CK_ATTRIBUTE[] attrs2) {
|
||||||
List<CK_ATTRIBUTE> attrs = new ArrayList<CK_ATTRIBUTE>();
|
List<CK_ATTRIBUTE> attrs = new ArrayList<>();
|
||||||
for (CK_ATTRIBUTE attr : attrs1) {
|
for (CK_ATTRIBUTE attr : attrs1) {
|
||||||
if (attr.pValue != null) {
|
if (attr.pValue != null) {
|
||||||
attrs.add(attr);
|
attrs.add(attr);
|
||||||
|
@ -54,7 +54,7 @@ class Token implements Serializable {
|
|||||||
|
|
||||||
// how often to check if the token is still present (in ms)
|
// how often to check if the token is still present (in ms)
|
||||||
// this is different from checking if a token has been inserted,
|
// this is different from checking if a token has been inserted,
|
||||||
// that is done in SunPKCS11. Currently 50 ms.
|
// that is done in SunPKCS11. Currently, 50 ms.
|
||||||
private static final long CHECK_INTERVAL = 50;
|
private static final long CHECK_INTERVAL = 50;
|
||||||
|
|
||||||
final SunPKCS11 provider;
|
final SunPKCS11 provider;
|
||||||
@ -168,8 +168,7 @@ class Token implements Serializable {
|
|||||||
privateCache = new KeyCache();
|
privateCache = new KeyCache();
|
||||||
templateManager = config.getTemplateManager();
|
templateManager = config.getTemplateManager();
|
||||||
explicitCancel = config.getExplicitCancel();
|
explicitCancel = config.getExplicitCancel();
|
||||||
mechInfoMap =
|
mechInfoMap = new ConcurrentHashMap<>(10);
|
||||||
new ConcurrentHashMap<Long, CK_MECHANISM_INFO>(10);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean isWriteProtected() {
|
boolean isWriteProtected() {
|
||||||
@ -242,7 +241,7 @@ class Token implements Serializable {
|
|||||||
// ensure that we are logged in
|
// ensure that we are logged in
|
||||||
// call provider.login() if not
|
// call provider.login() if not
|
||||||
void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
|
void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
|
||||||
if (isLoggedIn(session) == false) {
|
if (!isLoggedIn(session)) {
|
||||||
provider.login(null, null);
|
provider.login(null, null);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -250,14 +249,14 @@ class Token implements Serializable {
|
|||||||
// return whether this token object is valid (i.e. token not removed)
|
// return whether this token object is valid (i.e. token not removed)
|
||||||
// returns value from last check, does not perform new check
|
// returns value from last check, does not perform new check
|
||||||
boolean isValid() {
|
boolean isValid() {
|
||||||
if (removable == false) {
|
if (!removable) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
return valid;
|
return valid;
|
||||||
}
|
}
|
||||||
|
|
||||||
void ensureValid() {
|
void ensureValid() {
|
||||||
if (isValid() == false) {
|
if (!isValid()) {
|
||||||
throw new ProviderException("Token has been removed");
|
throw new ProviderException("Token has been removed");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -265,10 +264,10 @@ class Token implements Serializable {
|
|||||||
// return whether a token is present (i.e. token not removed)
|
// return whether a token is present (i.e. token not removed)
|
||||||
// returns cached value if current, otherwise performs new check
|
// returns cached value if current, otherwise performs new check
|
||||||
boolean isPresent(long sessionID) {
|
boolean isPresent(long sessionID) {
|
||||||
if (removable == false) {
|
if (!removable) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
if (valid == false) {
|
if (!valid) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
long time = System.currentTimeMillis();
|
long time = System.currentTimeMillis();
|
||||||
@ -293,7 +292,7 @@ class Token implements Serializable {
|
|||||||
}
|
}
|
||||||
valid = ok;
|
valid = ok;
|
||||||
lastPresentCheck = System.currentTimeMillis();
|
lastPresentCheck = System.currentTimeMillis();
|
||||||
if (ok == false) {
|
if (!ok) {
|
||||||
destroy();
|
destroy();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -418,7 +417,7 @@ class Token implements Serializable {
|
|||||||
SecureRandom random = JCAUtil.getSecureRandom();
|
SecureRandom random = JCAUtil.getSecureRandom();
|
||||||
tokenId = new byte[20];
|
tokenId = new byte[20];
|
||||||
random.nextBytes(tokenId);
|
random.nextBytes(tokenId);
|
||||||
serializedTokens.add(new WeakReference<Token>(this));
|
serializedTokens.add(new WeakReference<>(this));
|
||||||
}
|
}
|
||||||
return tokenId;
|
return tokenId;
|
||||||
}
|
}
|
||||||
@ -427,11 +426,10 @@ class Token implements Serializable {
|
|||||||
// NOTE that elements are never removed from this list
|
// NOTE that elements are never removed from this list
|
||||||
// the assumption is that the number of tokens that are serialized
|
// the assumption is that the number of tokens that are serialized
|
||||||
// is relatively small
|
// is relatively small
|
||||||
private static final List<Reference<Token>> serializedTokens =
|
private static final List<Reference<Token>> serializedTokens = new ArrayList<>();
|
||||||
new ArrayList<Reference<Token>>();
|
|
||||||
|
|
||||||
private Object writeReplace() throws ObjectStreamException {
|
private Object writeReplace() throws ObjectStreamException {
|
||||||
if (isValid() == false) {
|
if (!isValid()) {
|
||||||
throw new NotSerializableException("Token has been removed");
|
throw new NotSerializableException("Token has been removed");
|
||||||
}
|
}
|
||||||
return new TokenRep(this);
|
return new TokenRep(this);
|
||||||
|
Loading…
Reference in New Issue
Block a user