156 } 157 } 158 159 Session session = null; 160 try { 161 session = token.getObjSession(); 162 CK_ATTRIBUTE[] attributes; 163 if (keyBits != 0) { 164 attributes = new CK_ATTRIBUTE[] { 165 new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), 166 new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), 167 new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3), 168 }; 169 } else { 170 // ciphersuites with NULL ciphers 171 attributes = new CK_ATTRIBUTE[0]; 172 } 173 attributes = token.getAttributes 174 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); 175 // the returned keyID is a dummy, ignore 176 long keyID = token.p11.C_DeriveKey(session.id(), 177 new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes); 178 179 CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial; 180 // Note that the MAC keys do not inherit all attributes from the 181 // template, but they do inherit the sensitive/extractable/token 182 // flags, which is all P11Key cares about. 183 SecretKey clientMacKey, serverMacKey; 184 185 // The MAC size may be zero for GCM mode. 186 // 187 // PKCS11 does not support GCM mode as the author made the comment, 188 // so the macBits is unlikely to be zero. It's only a place holder. 189 if (macBits != 0) { 190 clientMacKey = P11Key.secretKey 191 (session, out.hClientMacSecret, "MAC", macBits, attributes); 192 serverMacKey = P11Key.secretKey 193 (session, out.hServerMacSecret, "MAC", macBits, attributes); 194 } else { 195 clientMacKey = null; 196 serverMacKey = null; 197 } 198 199 SecretKey clientCipherKey, serverCipherKey; 200 if (keyBits != 0) { 201 clientCipherKey = P11Key.secretKey(session, out.hClientKey, 202 cipherAlgorithm, expandedKeyBits, attributes); 203 serverCipherKey = P11Key.secretKey(session, out.hServerKey, 204 cipherAlgorithm, expandedKeyBits, attributes); 205 } else { 206 clientCipherKey = null; 207 serverCipherKey = null; 208 } 209 IvParameterSpec clientIv = (out.pIVClient == null) 210 ? null : new IvParameterSpec(out.pIVClient); 211 IvParameterSpec serverIv = (out.pIVServer == null) 212 ? null : new IvParameterSpec(out.pIVServer); 213 214 return new TlsKeyMaterialSpec(clientMacKey, serverMacKey, 215 clientCipherKey, clientIv, serverCipherKey, serverIv); 216 217 } catch (Exception e) { 218 throw new ProviderException("Could not generate key", e); 219 } finally { 220 token.releaseSession(session); 221 } 222 } 223 224 } | 156 } 157 } 158 159 Session session = null; 160 try { 161 session = token.getObjSession(); 162 CK_ATTRIBUTE[] attributes; 163 if (keyBits != 0) { 164 attributes = new CK_ATTRIBUTE[] { 165 new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), 166 new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), 167 new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3), 168 }; 169 } else { 170 // ciphersuites with NULL ciphers 171 attributes = new CK_ATTRIBUTE[0]; 172 } 173 attributes = token.getAttributes 174 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); 175 // the returned keyID is a dummy, ignore 176 177 p11Key.incNativeKeyRef(); 178 try { 179 token.p11.C_DeriveKey(session.id(), 180 new CK_MECHANISM(mechanism, params), 181 p11Key.keyID, attributes); 182 } finally { 183 p11Key.decNativeKeyRef(); 184 } 185 186 CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial; 187 // Note that the MAC keys do not inherit all attributes from the 188 // template, but they do inherit the sensitive/extractable/token 189 // flags, which is all P11Key cares about. 190 SecretKey clientMacKey, serverMacKey; 191 192 // The MAC size may be zero for GCM mode. 193 // 194 // PKCS11 does not support GCM mode as the author made the comment, 195 // so the macBits is unlikely to be zero. It's only a place holder. 196 if (macBits != 0) { 197 clientMacKey = P11Key.secretKey(session, out.hClientMacSecret, 198 "MAC", macBits, attributes, true); 199 serverMacKey = P11Key.secretKey(session, out.hServerMacSecret, 200 "MAC", macBits, attributes, true); 201 } else { 202 clientMacKey = null; 203 serverMacKey = null; 204 } 205 206 SecretKey clientCipherKey, serverCipherKey; 207 if (keyBits != 0) { 208 clientCipherKey = P11Key.secretKey(session, out.hClientKey, 209 cipherAlgorithm, expandedKeyBits, attributes, true); 210 serverCipherKey = P11Key.secretKey(session, out.hServerKey, 211 cipherAlgorithm, expandedKeyBits, attributes, true); 212 } else { 213 clientCipherKey = null; 214 serverCipherKey = null; 215 } 216 IvParameterSpec clientIv = (out.pIVClient == null) 217 ? null : new IvParameterSpec(out.pIVClient); 218 IvParameterSpec serverIv = (out.pIVServer == null) 219 ? null : new IvParameterSpec(out.pIVServer); 220 221 return new TlsKeyMaterialSpec(clientMacKey, serverMacKey, 222 clientCipherKey, clientIv, serverCipherKey, serverIv); 223 224 } catch (Exception e) { 225 throw new ProviderException("Could not generate key", e); 226 } finally { 227 token.releaseSession(session); 228 } 229 } 230 231 } |