src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java
*** 171,182 ****
attributes = new CK_ATTRIBUTE[0];
}
attributes = token.getAttributes
(O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
// the returned keyID is a dummy, ignore
! long keyID = token.p11.C_DeriveKey(session.id(),
new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes);
CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial;
// Note that the MAC keys do not inherit all attributes from the
// template, but they do inherit the sensitive/extractable/token
// flags, which is all P11Key cares about.
--- 171,188 ----
attributes = new CK_ATTRIBUTE[0];
}
attributes = token.getAttributes
(O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
// the returned keyID is a dummy, ignore
!
! p11Key.incNativeKeyRef();
! try {
! token.p11.C_DeriveKey(session.id(),
new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes);
+ } finally {
+ p11Key.decNativeKeyRef();
+ }
CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial;
// Note that the MAC keys do not inherit all attributes from the
// template, but they do inherit the sensitive/extractable/token
// flags, which is all P11Key cares about.
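Review bot: The comment `// the returned keyID is a dummy, ignore` is now separated from the `C_DeriveKey` call by a blank line and by `p11Key.incNativeKeyRef();`, and with the `long keyID =` assignment gone it no longer says which value it means. Move it inside the `try`, directly above `token.p11.C_DeriveKey(session.id(),`, and reword it to `// the handle returned by C_DeriveKey is a dummy, ignore`. The new guard also deserves a why-comment above `p11Key.incNativeKeyRef();`, for example `// hold a reference on the base key so its native handle stays valid during the derive`; that reading is inferred from the method names, so confirm it against P11Key. Whether `p11Key.keyID` may be read as a plain field once the reference is held, or can change when the reference is taken, is not visible here and is worth stating in that comment too. The enclosing method starts and ends outside this hunk.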
*** 186,209 ****
//
// PKCS11 does not support GCM mode as the author made the comment,
// so the macBits is unlikely to be zero. It's only a place holder.
if (macBits != 0) {
clientMacKey = P11Key.secretKey
! (session, out.hClientMacSecret, "MAC", macBits, attributes);
serverMacKey = P11Key.secretKey
! (session, out.hServerMacSecret, "MAC", macBits, attributes);
} else {
clientMacKey = null;
serverMacKey = null;
}
SecretKey clientCipherKey, serverCipherKey;
if (keyBits != 0) {
clientCipherKey = P11Key.secretKey(session, out.hClientKey,
! cipherAlgorithm, expandedKeyBits, attributes);
serverCipherKey = P11Key.secretKey(session, out.hServerKey,
! cipherAlgorithm, expandedKeyBits, attributes);
} else {
clientCipherKey = null;
serverCipherKey = null;
}
IvParameterSpec clientIv = (out.pIVClient == null)
--- 192,215 ----
//
// PKCS11 does not support GCM mode as the author made the comment,
// so the macBits is unlikely to be zero. It's only a place holder.
if (macBits != 0) {
clientMacKey = P11Key.secretKey
! (session, out.hClientMacSecret, "MAC", macBits, attributes, true);
serverMacKey = P11Key.secretKey
! (session, out.hServerMacSecret, "MAC", macBits, attributes, true);
} else {
clientMacKey = null;
serverMacKey = null;
}
SecretKey clientCipherKey, serverCipherKey;
if (keyBits != 0) {
clientCipherKey = P11Key.secretKey(session, out.hClientKey,
! cipherAlgorithm, expandedKeyBits, attributes, true);
serverCipherKey = P11Key.secretKey(session, out.hServerKey,
! cipherAlgorithm, expandedKeyBits, attributes, true);
} else {
clientCipherKey = null;
serverCipherKey = null;
}
IvParameterSpec clientIv = (out.pIVClient == null)
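Review bot: The four `P11Key.secretKey(...)` calls for the client/server MAC and cipher keys now end in a bare `true`, and nothing in this hunk says what the flag selects. These handles come straight out of `params.pReturnedKeyMaterial`, so whichever native-key lifetime policy the flag turns on applies to the TLS session keys. A reader auditing key handling has to open P11Key to find out. Name the argument at each call site, e.g. `attributes, /* <parameter name from P11Key.secretKey> */ true);`, or pass a named constant. Put one line above the `if (macBits != 0)` block explaining why derived keys take this value. The surrounding method continues past the end of the hunk.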