8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.pkcs11;
27
28 import java.util.*;
29 import java.nio.ByteBuffer;
30
31 import java.security.*;
32 import java.security.spec.AlgorithmParameterSpec;
33
34 import javax.crypto.MacSpi;
35
36 import sun.nio.ch.DirectBuffer;
37
38 import sun.security.pkcs11.wrapper.*;
39 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
40
41 /**
42 * MAC implementation class. This class currently supports HMAC using
43 * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC
44 * using MD5 and SHA-1.
45 *
46 * Note that unlike other classes (e.g. Signature), this does not
47 * composite various operations if the token only supports part of the
48 * required functionality. The MAC implementations in SunJCE already
49 * do exactly that by implementing an MAC on top of MessageDigests. We
50 * could not do any better than they.
51 *
52 * @author Andreas Sterbenz
53 * @since 1.5
54 */
55 final class P11Mac extends MacSpi {
56
57 /* unitialized, all fields except session have arbitrary values */
58 private final static int S_UNINIT = 1;
59
60 /* session initialized, no data processed yet */
61 private final static int S_RESET = 2;
62
63 /* session initialized, data processed */
64 private final static int S_UPDATE = 3;
65
66 /* transitional state after doFinal() before we go to S_UNINIT */
67 private final static int S_DOFINAL = 4;
68
69 // token instance
70 private final Token token;
71
72 // algorithm name
73 private final String algorithm;
74
75 // mechanism id
76 private final long mechanism;
77
78 // mechanism object
79 private final CK_MECHANISM ckMechanism;
80
81 // length of the MAC in bytes
82 private final int macLength;
83
84 // key instance used, if operation active
85 private P11Key p11Key;
86
87 // associated session, if any
88 private Session session;
89
90 // state, one of S_* above
91 private int state;
92
93 // one byte buffer for the update(byte) method, initialized on demand
94 private byte[] oneByte;
95
96 P11Mac(Token token, String algorithm, long mechanism)
97 throws PKCS11Exception {
98 super();
99 this.token = token;
100 this.algorithm = algorithm;
101 this.mechanism = mechanism;
102 Long params = null;
103 switch ((int)mechanism) {
104 case (int)CKM_MD5_HMAC:
105 macLength = 16;
106 break;
107 case (int)CKM_SHA_1_HMAC:
108 macLength = 20;
109 break;
110 case (int)CKM_SHA224_HMAC:
111 macLength = 28;
112 break;
113 case (int)CKM_SHA256_HMAC:
114 macLength = 32;
115 break;
116 case (int)CKM_SHA384_HMAC:
117 macLength = 48;
118 break;
119 case (int)CKM_SHA512_HMAC:
120 macLength = 64;
121 break;
122 case (int)CKM_SSL3_MD5_MAC:
123 macLength = 16;
124 params = Long.valueOf(16);
125 break;
126 case (int)CKM_SSL3_SHA1_MAC:
127 macLength = 20;
128 params = Long.valueOf(20);
129 break;
130 default:
131 throw new ProviderException("Unknown mechanism: " + mechanism);
132 }
133 ckMechanism = new CK_MECHANISM(mechanism, params);
134 state = S_UNINIT;
135 initialize();
136 }
137
138 private void ensureInitialized() throws PKCS11Exception {
139 token.ensureValid();
140 if (state == S_UNINIT) {
141 initialize();
142 }
143 }
144
145 private void cancelOperation() {
146 token.ensureValid();
147 if (state == S_UNINIT) {
148 return;
149 }
150 state = S_UNINIT;
151 if ((session == null) || (token.explicitCancel == false)) {
152 return;
153 }
154 try {
155 token.p11.C_SignFinal(session.id(), 0);
156 } catch (PKCS11Exception e) {
157 throw new ProviderException("Cancel failed", e);
158 }
159 }
160
161 private void initialize() throws PKCS11Exception {
162 if (state == S_RESET) {
163 return;
164 }
165 if (session == null) {
166 session = token.getOpSession();
167 }
168 if (p11Key != null) {
169 token.p11.C_SignInit
170 (session.id(), ckMechanism, p11Key.keyID);
171 state = S_RESET;
172 } else {
173 state = S_UNINIT;
174 }
175 }
176
177 // see JCE spec
178 protected int engineGetMacLength() {
179 return macLength;
180 }
181
182 // see JCE spec
183 protected void engineReset() {
184 // the framework insists on calling reset() after doFinal(),
185 // but we prefer to take care of reinitialization ourselves
186 if (state == S_DOFINAL) {
187 state = S_UNINIT;
188 return;
189 }
190 cancelOperation();
191 try {
192 initialize();
193 } catch (PKCS11Exception e) {
194 throw new ProviderException("reset() failed, ", e);
195 }
196 }
197
198 // see JCE spec
199 protected void engineInit(Key key, AlgorithmParameterSpec params)
200 throws InvalidKeyException, InvalidAlgorithmParameterException {
201 if (params != null) {
202 throw new InvalidAlgorithmParameterException
203 ("Parameters not supported");
204 }
205 cancelOperation();
206 p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
207 try {
208 initialize();
209 } catch (PKCS11Exception e) {
210 throw new InvalidKeyException("init() failed", e);
211 }
212 }
213
214 // see JCE spec
215 protected byte[] engineDoFinal() {
216 try {
217 ensureInitialized();
218 byte[] mac = token.p11.C_SignFinal(session.id(), 0);
219 state = S_DOFINAL;
220 return mac;
221 } catch (PKCS11Exception e) {
222 throw new ProviderException("doFinal() failed", e);
223 } finally {
224 session = token.releaseSession(session);
225 }
226 }
227
228 // see JCE spec
229 protected void engineUpdate(byte input) {
230 if (oneByte == null) {
231 oneByte = new byte[1];
232 }
233 oneByte[0] = input;
234 engineUpdate(oneByte, 0, 1);
235 }
236
237 // see JCE spec
238 protected void engineUpdate(byte[] b, int ofs, int len) {
239 try {
240 ensureInitialized();
241 token.p11.C_SignUpdate(session.id(), 0, b, ofs, len);
242 state = S_UPDATE;
243 } catch (PKCS11Exception e) {
244 throw new ProviderException("update() failed", e);
245 }
246 }
247
248 // see JCE spec
249 protected void engineUpdate(ByteBuffer byteBuffer) {
250 try {
251 ensureInitialized();
252 int len = byteBuffer.remaining();
253 if (len <= 0) {
254 return;
255 }
256 if (byteBuffer instanceof DirectBuffer == false) {
257 super.engineUpdate(byteBuffer);
258 return;
259 }
260 long addr = ((DirectBuffer)byteBuffer).address();
261 int ofs = byteBuffer.position();
262 token.p11.C_SignUpdate(session.id(), addr + ofs, null, 0, len);
263 byteBuffer.position(ofs + len);
264 state = S_UPDATE;
265 } catch (PKCS11Exception e) {
266 throw new ProviderException("update() failed", e);
267 }
268 }
269 }
|
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.pkcs11;
27
28 import java.nio.ByteBuffer;
29
30 import java.security.*;
31 import java.security.spec.AlgorithmParameterSpec;
32
33 import javax.crypto.MacSpi;
34
35 import sun.nio.ch.DirectBuffer;
36
37 import sun.security.pkcs11.wrapper.*;
38 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
39
40 /**
41 * MAC implementation class. This class currently supports HMAC using
42 * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC
43 * using MD5 and SHA-1.
44 *
45 * Note that unlike other classes (e.g. Signature), this does not
46 * composite various operations if the token only supports part of the
47 * required functionality. The MAC implementations in SunJCE already
48 * do exactly that by implementing an MAC on top of MessageDigests. We
49 * could not do any better than they.
50 *
51 * @author Andreas Sterbenz
52 * @since 1.5
53 */
54 final class P11Mac extends MacSpi {
55
56 // token instance
57 private final Token token;
58
59 // algorithm name
60 private final String algorithm;
61
62 // mechanism object
63 private final CK_MECHANISM ckMechanism;
64
65 // length of the MAC in bytes
66 private final int macLength;
67
68 // key instance used, if operation active
69 private P11Key p11Key;
70
71 // associated session, if any
72 private Session session;
73
74 // initialization status
75 private boolean initialized;
76
77 // one byte buffer for the update(byte) method, initialized on demand
78 private byte[] oneByte;
79
80 P11Mac(Token token, String algorithm, long mechanism)
81 throws PKCS11Exception {
82 super();
83 this.token = token;
84 this.algorithm = algorithm;
85 Long params = null;
86 switch ((int)mechanism) {
87 case (int)CKM_MD5_HMAC:
88 macLength = 16;
89 break;
90 case (int)CKM_SHA_1_HMAC:
91 macLength = 20;
92 break;
93 case (int)CKM_SHA224_HMAC:
94 macLength = 28;
95 break;
96 case (int)CKM_SHA256_HMAC:
97 macLength = 32;
98 break;
99 case (int)CKM_SHA384_HMAC:
100 macLength = 48;
101 break;
102 case (int)CKM_SHA512_HMAC:
103 macLength = 64;
104 break;
105 case (int)CKM_SSL3_MD5_MAC:
106 macLength = 16;
107 params = Long.valueOf(16);
108 break;
109 case (int)CKM_SSL3_SHA1_MAC:
110 macLength = 20;
111 params = Long.valueOf(20);
112 break;
113 default:
114 throw new ProviderException("Unknown mechanism: " + mechanism);
115 }
116 ckMechanism = new CK_MECHANISM(mechanism, params);
117 }
118
119 // reset the states to the pre-initialized values
120 private void reset(boolean doCancel) {
121 if (!initialized) {
122 return;
123 }
124 initialized = false;
125 try {
126 if (session == null) {
127 return;
128 }
129 if (doCancel && token.explicitCancel) {
130 cancelOperation();
131 }
132 } finally {
133 p11Key.decNativeKeyRef();
134 session = token.releaseSession(session);
135 }
136 }
137
138 private void cancelOperation() {
139 token.ensureValid();
140 if (session.hasObjects() == false) {
141 session = token.killSession(session);
142 return;
143 } else {
144 try {
145 token.p11.C_SignFinal(session.id(), 0);
146 } catch (PKCS11Exception e) {
147 throw new ProviderException("Cancel failed", e);
148 }
149 }
150 }
151
152 private void ensureInitialized() throws PKCS11Exception {
153 if (initialized) {
154 return;
155 }
156 if (p11Key == null) {
157 throw new ProviderException(
158 "Operation cannot be performed without calling engineInit first");
159 }
160 token.ensureValid();
161 p11Key.incNativeKeyRef();
162 try {
163 if (session == null) {
164 session = token.getOpSession();
165 }
166 token.p11.C_SignInit
167 (session.id(), ckMechanism, p11Key.keyID);
168 } catch (Throwable t) {
169 p11Key.decNativeKeyRef();
170 session = token.releaseSession(session);
171 throw t;
172 }
173 initialized = true;
174 }
175
176 // see JCE spec
177 protected int engineGetMacLength() {
178 return macLength;
179 }
180
181 // see JCE spec
182 protected void engineReset() {
183 reset(true);
184 }
185
186 // see JCE spec
187 protected void engineInit(Key key, AlgorithmParameterSpec params)
188 throws InvalidKeyException, InvalidAlgorithmParameterException {
189 if (params != null) {
190 throw new InvalidAlgorithmParameterException
191 ("Parameters not supported");
192 }
193 reset(true);
194 p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
195 try {
196 ensureInitialized();
197 } catch (PKCS11Exception e) {
198 throw new InvalidKeyException("init() failed", e);
199 }
200 }
201
202 // see JCE spec
203 protected byte[] engineDoFinal() {
204 try {
205 ensureInitialized();
206 return token.p11.C_SignFinal(session.id(), 0);
207 } catch (PKCS11Exception e) {
208 reset(true);
209 throw new ProviderException("doFinal() failed", e);
210 } finally {
211 reset(false);
212 }
213 }
214
215 // see JCE spec
216 protected void engineUpdate(byte input) {
217 if (oneByte == null) {
218 oneByte = new byte[1];
219 }
220 oneByte[0] = input;
221 engineUpdate(oneByte, 0, 1);
222 }
223
224 // see JCE spec
225 protected void engineUpdate(byte[] b, int ofs, int len) {
226 try {
227 ensureInitialized();
228 token.p11.C_SignUpdate(session.id(), 0, b, ofs, len);
229 } catch (PKCS11Exception e) {
230 throw new ProviderException("update() failed", e);
231 }
232 }
233
234 // see JCE spec
235 protected void engineUpdate(ByteBuffer byteBuffer) {
236 try {
237 ensureInitialized();
238 int len = byteBuffer.remaining();
239 if (len <= 0) {
240 return;
241 }
242 if (byteBuffer instanceof DirectBuffer == false) {
243 super.engineUpdate(byteBuffer);
244 return;
245 }
246 long addr = ((DirectBuffer)byteBuffer).address();
247 int ofs = byteBuffer.position();
248 token.p11.C_SignUpdate(session.id(), addr + ofs, null, 0, len);
249 byteBuffer.position(ofs + len);
250 } catch (PKCS11Exception e) {
251 throw new ProviderException("update() failed", e);
252 }
253 }
254 }
|