< prev index next >

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java

Print this page




 156             }
 157         }
 158 
 159         Session session = null;
 160         try {
 161             session = token.getObjSession();
 162             CK_ATTRIBUTE[] attributes;
 163             if (keyBits != 0) {
 164                 attributes = new CK_ATTRIBUTE[] {
 165                     new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
 166                     new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
 167                     new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3),
 168                 };
 169             } else {
 170                 // ciphersuites with NULL ciphers
 171                 attributes = new CK_ATTRIBUTE[0];
 172             }
 173             attributes = token.getAttributes
 174                 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
 175             // the returned keyID is a dummy, ignore
 176             long keyID = token.p11.C_DeriveKey(session.id(),
 177                 new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes);







 178 
 179             CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial;
 180             // Note that the MAC keys do not inherit all attributes from the
 181             // template, but they do inherit the sensitive/extractable/token
 182             // flags, which is all P11Key cares about.
 183             SecretKey clientMacKey, serverMacKey;
 184 
 185             // The MAC size may be zero for GCM mode.
 186             //
 187             // PKCS11 does not support GCM mode as the author made the comment,
 188             // so the macBits is unlikely to be zero. It's only a place holder.
 189             if (macBits != 0) {
 190                 clientMacKey = P11Key.secretKey
 191                     (session, out.hClientMacSecret, "MAC", macBits, attributes);
 192                 serverMacKey = P11Key.secretKey
 193                     (session, out.hServerMacSecret, "MAC", macBits, attributes);
 194             } else {
 195                 clientMacKey = null;
 196                 serverMacKey = null;
 197             }
 198 
 199             SecretKey clientCipherKey, serverCipherKey;
 200             if (keyBits != 0) {
 201                 clientCipherKey = P11Key.secretKey(session, out.hClientKey,
 202                         cipherAlgorithm, expandedKeyBits, attributes);
 203                 serverCipherKey = P11Key.secretKey(session, out.hServerKey,
 204                         cipherAlgorithm, expandedKeyBits, attributes);
 205             } else {
 206                 clientCipherKey = null;
 207                 serverCipherKey = null;
 208             }
 209             IvParameterSpec clientIv = (out.pIVClient == null)
 210                                     ? null : new IvParameterSpec(out.pIVClient);
 211             IvParameterSpec serverIv = (out.pIVServer == null)
 212                                     ? null : new IvParameterSpec(out.pIVServer);
 213 
 214             return new TlsKeyMaterialSpec(clientMacKey, serverMacKey,
 215                     clientCipherKey, clientIv, serverCipherKey, serverIv);
 216 
 217         } catch (Exception e) {
 218             throw new ProviderException("Could not generate key", e);
 219         } finally {
 220             token.releaseSession(session);
 221         }
 222     }
 223 
 224 }


 156             }
 157         }
 158 
 159         Session session = null;
 160         try {
 161             session = token.getObjSession();
 162             CK_ATTRIBUTE[] attributes;
 163             if (keyBits != 0) {
 164                 attributes = new CK_ATTRIBUTE[] {
 165                     new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
 166                     new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
 167                     new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3),
 168                 };
 169             } else {
 170                 // ciphersuites with NULL ciphers
 171                 attributes = new CK_ATTRIBUTE[0];
 172             }
 173             attributes = token.getAttributes
 174                 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
 175             // the returned keyID is a dummy, ignore
 176 
 177             p11Key.incNativeKeyRef();
 178             try {
 179                 token.p11.C_DeriveKey(session.id(),
 180                         new CK_MECHANISM(mechanism, params),
 181                         p11Key.keyID, attributes);
 182             } finally {
 183                 p11Key.decNativeKeyRef();
 184             }
 185 
 186             CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial;
 187             // Note that the MAC keys do not inherit all attributes from the
 188             // template, but they do inherit the sensitive/extractable/token
 189             // flags, which is all P11Key cares about.
 190             SecretKey clientMacKey, serverMacKey;
 191 
 192             // The MAC size may be zero for GCM mode.
 193             //
 194             // PKCS11 does not support GCM mode as the author made the comment,
 195             // so the macBits is unlikely to be zero. It's only a place holder.
 196             if (macBits != 0) {
 197                 clientMacKey = P11Key.secretKey(session, out.hClientMacSecret,
 198                         "MAC", macBits, attributes, true);
 199                 serverMacKey = P11Key.secretKey(session, out.hServerMacSecret,
 200                         "MAC", macBits, attributes, true);
 201             } else {
 202                 clientMacKey = null;
 203                 serverMacKey = null;
 204             }
 205 
 206             SecretKey clientCipherKey, serverCipherKey;
 207             if (keyBits != 0) {
 208                 clientCipherKey = P11Key.secretKey(session, out.hClientKey,
 209                         cipherAlgorithm, expandedKeyBits, attributes, true);
 210                 serverCipherKey = P11Key.secretKey(session, out.hServerKey,
 211                         cipherAlgorithm, expandedKeyBits, attributes, true);
 212             } else {
 213                 clientCipherKey = null;
 214                 serverCipherKey = null;
 215             }
 216             IvParameterSpec clientIv = (out.pIVClient == null)
 217                                     ? null : new IvParameterSpec(out.pIVClient);
 218             IvParameterSpec serverIv = (out.pIVServer == null)
 219                                     ? null : new IvParameterSpec(out.pIVServer);
 220 
 221             return new TlsKeyMaterialSpec(clientMacKey, serverMacKey,
 222                     clientCipherKey, clientIv, serverCipherKey, serverIv);
 223 
 224         } catch (Exception e) {
 225             throw new ProviderException("Could not generate key", e);
 226         } finally {
 227             token.releaseSession(session);
 228         }
 229     }
 230 
 231 }
< prev index next >