156 }
157 }
158
159 Session session = null;
160 try {
161 session = token.getObjSession();
162 CK_ATTRIBUTE[] attributes;
163 if (keyBits != 0) {
164 attributes = new CK_ATTRIBUTE[] {
165 new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
166 new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
167 new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3),
168 };
169 } else {
170 // ciphersuites with NULL ciphers
171 attributes = new CK_ATTRIBUTE[0];
172 }
173 attributes = token.getAttributes
174 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
175 // the returned keyID is a dummy, ignore
176 long keyID = token.p11.C_DeriveKey(session.id(),
177 new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes);
178
179 CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial;
180 // Note that the MAC keys do not inherit all attributes from the
181 // template, but they do inherit the sensitive/extractable/token
182 // flags, which is all P11Key cares about.
183 SecretKey clientMacKey, serverMacKey;
184
185 // The MAC size may be zero for GCM mode.
186 //
187 // PKCS11 does not support GCM mode as the author made the comment,
188 // so the macBits is unlikely to be zero. It's only a place holder.
189 if (macBits != 0) {
190 clientMacKey = P11Key.secretKey
191 (session, out.hClientMacSecret, "MAC", macBits, attributes);
192 serverMacKey = P11Key.secretKey
193 (session, out.hServerMacSecret, "MAC", macBits, attributes);
194 } else {
195 clientMacKey = null;
196 serverMacKey = null;
197 }
198
199 SecretKey clientCipherKey, serverCipherKey;
200 if (keyBits != 0) {
201 clientCipherKey = P11Key.secretKey(session, out.hClientKey,
202 cipherAlgorithm, expandedKeyBits, attributes);
203 serverCipherKey = P11Key.secretKey(session, out.hServerKey,
204 cipherAlgorithm, expandedKeyBits, attributes);
205 } else {
206 clientCipherKey = null;
207 serverCipherKey = null;
208 }
209 IvParameterSpec clientIv = (out.pIVClient == null)
210 ? null : new IvParameterSpec(out.pIVClient);
211 IvParameterSpec serverIv = (out.pIVServer == null)
212 ? null : new IvParameterSpec(out.pIVServer);
213
214 return new TlsKeyMaterialSpec(clientMacKey, serverMacKey,
215 clientCipherKey, clientIv, serverCipherKey, serverIv);
216
217 } catch (Exception e) {
218 throw new ProviderException("Could not generate key", e);
219 } finally {
220 token.releaseSession(session);
221 }
222 }
223
224 }
|
156 }
157 }
158
159 Session session = null;
160 try {
161 session = token.getObjSession();
162 CK_ATTRIBUTE[] attributes;
163 if (keyBits != 0) {
164 attributes = new CK_ATTRIBUTE[] {
165 new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
166 new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
167 new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3),
168 };
169 } else {
170 // ciphersuites with NULL ciphers
171 attributes = new CK_ATTRIBUTE[0];
172 }
173 attributes = token.getAttributes
174 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
175 // the returned keyID is a dummy, ignore
176
177 p11Key.incNativeKeyRef();
178 try {
179 token.p11.C_DeriveKey(session.id(),
180 new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes);
181 } finally {
182 p11Key.decNativeKeyRef();
183 }
184
185 CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial;
186 // Note that the MAC keys do not inherit all attributes from the
187 // template, but they do inherit the sensitive/extractable/token
188 // flags, which is all P11Key cares about.
189 SecretKey clientMacKey, serverMacKey;
190
191 // The MAC size may be zero for GCM mode.
192 //
193 // PKCS11 does not support GCM mode as the author made the comment,
194 // so the macBits is unlikely to be zero. It's only a place holder.
195 if (macBits != 0) {
196 clientMacKey = P11Key.secretKey
197 (session, out.hClientMacSecret, "MAC", macBits, attributes, true);
198 serverMacKey = P11Key.secretKey
199 (session, out.hServerMacSecret, "MAC", macBits, attributes, true);
200 } else {
201 clientMacKey = null;
202 serverMacKey = null;
203 }
204
205 SecretKey clientCipherKey, serverCipherKey;
206 if (keyBits != 0) {
207 clientCipherKey = P11Key.secretKey(session, out.hClientKey,
208 cipherAlgorithm, expandedKeyBits, attributes, true);
209 serverCipherKey = P11Key.secretKey(session, out.hServerKey,
210 cipherAlgorithm, expandedKeyBits, attributes, true);
211 } else {
212 clientCipherKey = null;
213 serverCipherKey = null;
214 }
215 IvParameterSpec clientIv = (out.pIVClient == null)
216 ? null : new IvParameterSpec(out.pIVClient);
217 IvParameterSpec serverIv = (out.pIVServer == null)
218 ? null : new IvParameterSpec(out.pIVServer);
219
220 return new TlsKeyMaterialSpec(clientMacKey, serverMacKey,
221 clientCipherKey, clientIv, serverCipherKey, serverIv);
222
223 } catch (Exception e) {
224 throw new ProviderException("Could not generate key", e);
225 } finally {
226 token.releaseSession(session);
227 }
228 }
229
230 }
|