156 } 157 } 158 159 Session session = null; 160 try { 161 session = token.getObjSession(); 162 CK_ATTRIBUTE[] attributes; 163 if (keyBits != 0) { 164 attributes = new CK_ATTRIBUTE[] { 165 new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), 166 new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), 167 new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3), 168 }; 169 } else { 170 // ciphersuites with NULL ciphers 171 attributes = new CK_ATTRIBUTE[0]; 172 } 173 attributes = token.getAttributes 174 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); 175 // the returned keyID is a dummy, ignore 176 long keyID = token.p11.C_DeriveKey(session.id(), 177 new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes); 178 179 CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial; 180 // Note that the MAC keys do not inherit all attributes from the 181 // template, but they do inherit the sensitive/extractable/token 182 // flags, which is all P11Key cares about. 183 SecretKey clientMacKey, serverMacKey; 184 185 // The MAC size may be zero for GCM mode. 186 // 187 // PKCS11 does not support GCM mode as the author made the comment, 188 // so the macBits is unlikely to be zero. It's only a place holder. 189 if (macBits != 0) { 190 clientMacKey = P11Key.secretKey 191 (session, out.hClientMacSecret, "MAC", macBits, attributes); 192 serverMacKey = P11Key.secretKey 193 (session, out.hServerMacSecret, "MAC", macBits, attributes); 194 } else { 195 clientMacKey = null; 196 serverMacKey = null; 197 } 198 199 SecretKey clientCipherKey, serverCipherKey; 200 if (keyBits != 0) { 201 clientCipherKey = P11Key.secretKey(session, out.hClientKey, 202 cipherAlgorithm, expandedKeyBits, attributes); 203 serverCipherKey = P11Key.secretKey(session, out.hServerKey, 204 cipherAlgorithm, expandedKeyBits, attributes); 205 } else { 206 clientCipherKey = null; 207 serverCipherKey = null; 208 } 209 IvParameterSpec clientIv = (out.pIVClient == null) 210 ? null : new IvParameterSpec(out.pIVClient); 211 IvParameterSpec serverIv = (out.pIVServer == null) 212 ? null : new IvParameterSpec(out.pIVServer); 213 214 return new TlsKeyMaterialSpec(clientMacKey, serverMacKey, 215 clientCipherKey, clientIv, serverCipherKey, serverIv); 216 217 } catch (Exception e) { 218 throw new ProviderException("Could not generate key", e); 219 } finally { 220 token.releaseSession(session); 221 } 222 } 223 224 } | 156 } 157 } 158 159 Session session = null; 160 try { 161 session = token.getObjSession(); 162 CK_ATTRIBUTE[] attributes; 163 if (keyBits != 0) { 164 attributes = new CK_ATTRIBUTE[] { 165 new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), 166 new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), 167 new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3), 168 }; 169 } else { 170 // ciphersuites with NULL ciphers 171 attributes = new CK_ATTRIBUTE[0]; 172 } 173 attributes = token.getAttributes 174 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); 175 // the returned keyID is a dummy, ignore 176 177 p11Key.incNativeKeyRef(); 178 try { 179 token.p11.C_DeriveKey(session.id(), 180 new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes); 181 } finally { 182 p11Key.decNativeKeyRef(); 183 } 184 185 CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial; 186 // Note that the MAC keys do not inherit all attributes from the 187 // template, but they do inherit the sensitive/extractable/token 188 // flags, which is all P11Key cares about. 189 SecretKey clientMacKey, serverMacKey; 190 191 // The MAC size may be zero for GCM mode. 192 // 193 // PKCS11 does not support GCM mode as the author made the comment, 194 // so the macBits is unlikely to be zero. It's only a place holder. 195 if (macBits != 0) { 196 clientMacKey = P11Key.secretKey 197 (session, out.hClientMacSecret, "MAC", macBits, attributes, true); 198 serverMacKey = P11Key.secretKey 199 (session, out.hServerMacSecret, "MAC", macBits, attributes, true); 200 } else { 201 clientMacKey = null; 202 serverMacKey = null; 203 } 204 205 SecretKey clientCipherKey, serverCipherKey; 206 if (keyBits != 0) { 207 clientCipherKey = P11Key.secretKey(session, out.hClientKey, 208 cipherAlgorithm, expandedKeyBits, attributes, true); 209 serverCipherKey = P11Key.secretKey(session, out.hServerKey, 210 cipherAlgorithm, expandedKeyBits, attributes, true); 211 } else { 212 clientCipherKey = null; 213 serverCipherKey = null; 214 } 215 IvParameterSpec clientIv = (out.pIVClient == null) 216 ? null : new IvParameterSpec(out.pIVClient); 217 IvParameterSpec serverIv = (out.pIVServer == null) 218 ? null : new IvParameterSpec(out.pIVServer); 219 220 return new TlsKeyMaterialSpec(clientMacKey, serverMacKey, 221 clientCipherKey, clientIv, serverCipherKey, serverIv); 222 223 } catch (Exception e) { 224 throw new ProviderException("Could not generate key", e); 225 } finally { 226 token.releaseSession(session); 227 } 228 } 229 230 } |