src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java
@@ -171,12 +171,18 @@
attributes = new CK_ATTRIBUTE[0];
}
attributes = token.getAttributes
(O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
// the returned keyID is a dummy, ignore
- long keyID = token.p11.C_DeriveKey(session.id(),
+
+ p11Key.incNativeKeyRef();
+ try {
+ token.p11.C_DeriveKey(session.id(),
new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes);
+ } finally {
+ p11Key.decNativeKeyRef();
+ }
CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial;
// Note that the MAC keys do not inherit all attributes from the
// template, but they do inherit the sensitive/extractable/token
// flags, which is all P11Key cares about.
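Review bot: The existing comment `// the returned keyID is a dummy, ignore` is now separated from the `C_DeriveKey` call by a blank line, `p11Key.incNativeKeyRef();` and the `try`, so it reads as if it describes the reference increment. Move it inside the `try`, directly above `token.p11.C_DeriveKey(...)`. The new inc/dec pair has no comment of its own; something like `// hold a native reference so p11Key.keyID stays valid during the derive` would help, but that purpose is inferred from the pairing around the use of `p11Key.keyID` and should be confirmed against P11Key. The placement is otherwise sound: the increment sits outside the `try`, so a failed increment is not followed by a decrement. The enclosing method starts and ends outside the hunk.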
@@ -186,24 +192,24 @@
//
// PKCS11 does not support GCM mode as the author made the comment,
// so the macBits is unlikely to be zero. It's only a place holder.
if (macBits != 0) {
clientMacKey = P11Key.secretKey
- (session, out.hClientMacSecret, "MAC", macBits, attributes);
+ (session, out.hClientMacSecret, "MAC", macBits, attributes, true);
serverMacKey = P11Key.secretKey
- (session, out.hServerMacSecret, "MAC", macBits, attributes);
+ (session, out.hServerMacSecret, "MAC", macBits, attributes, true);
} else {
clientMacKey = null;
serverMacKey = null;
}
SecretKey clientCipherKey, serverCipherKey;
if (keyBits != 0) {
clientCipherKey = P11Key.secretKey(session, out.hClientKey,
- cipherAlgorithm, expandedKeyBits, attributes);
+ cipherAlgorithm, expandedKeyBits, attributes, true);
serverCipherKey = P11Key.secretKey(session, out.hServerKey,
- cipherAlgorithm, expandedKeyBits, attributes);
+ cipherAlgorithm, expandedKeyBits, attributes, true);
} else {
clientCipherKey = null;
serverCipherKey = null;
}
IvParameterSpec clientIv = (out.pIVClient == null)
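Review bot: The four `P11Key.secretKey(...)` calls now end in a bare `true` whose meaning cannot be read at the call site; the parameter's name and contract are not visible in this hunk. These handles come from `params.pReturnedKeyMaterial`, and the comment in the previous hunk says the keys inherit the sensitive/extractable/token flags from the template, so a reader needs to know what the flag changes about how each derived key's native handle is treated. Add one comment before the first call stating what `true` selects and why it is right for derived TLS session keys, or pass a named constant instead of the literal. The enclosing method continues beyond the hunk.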