1 /* 2 * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.pkcs11; 27 28 import java.security.*; 29 import java.security.spec.AlgorithmParameterSpec; 30 31 import javax.crypto.*; 32 import javax.crypto.spec.*; 33 34 import sun.security.internal.spec.TlsPrfParameterSpec; 35 36 import static sun.security.pkcs11.TemplateManager.*; 37 import sun.security.pkcs11.wrapper.*; 38 import static sun.security.pkcs11.wrapper.PKCS11Constants.*; 39 40 /** 41 * KeyGenerator for the TLS PRF. Note that although the PRF is used in a number 42 * of places during the handshake, this class is usually only used to calculate 43 * the Finished messages. The reason is that for those other uses more specific 44 * PKCS#11 mechanisms have been defined (CKM_SSL3_MASTER_KEY_DERIVE, etc.). 45 * 46 * <p>This class supports the CKM_TLS_PRF mechanism from PKCS#11 v2.20 and 47 * the older NSS private mechanism. 48 * 49 * @author Andreas Sterbenz 50 * @since 1.6 51 */ 52 final class P11TlsPrfGenerator extends KeyGeneratorSpi { 53 54 private final static String MSG = 55 "TlsPrfGenerator must be initialized using a TlsPrfParameterSpec"; 56 57 // token instance 58 private final Token token; 59 60 // algorithm name 61 private final String algorithm; 62 63 // mechanism id 64 private final long mechanism; 65 66 @SuppressWarnings("deprecation") 67 private TlsPrfParameterSpec spec; 68 69 private P11Key p11Key; 70 71 P11TlsPrfGenerator(Token token, String algorithm, long mechanism) 72 throws PKCS11Exception { 73 super(); 74 this.token = token; 75 this.algorithm = algorithm; 76 this.mechanism = mechanism; 77 } 78 79 protected void engineInit(SecureRandom random) { 80 throw new InvalidParameterException(MSG); 81 } 82 83 @SuppressWarnings("deprecation") 84 protected void engineInit(AlgorithmParameterSpec params, 85 SecureRandom random) throws InvalidAlgorithmParameterException { 86 if (params instanceof TlsPrfParameterSpec == false) { 87 throw new InvalidAlgorithmParameterException(MSG); 88 } 89 this.spec = (TlsPrfParameterSpec)params; 90 SecretKey key = spec.getSecret(); 91 if (key == null) { 92 key = NULL_KEY; 93 } 94 try { 95 p11Key = P11SecretKeyFactory.convertKey(token, key, null); 96 } catch (InvalidKeyException e) { 97 throw new InvalidAlgorithmParameterException("init() failed", e); 98 } 99 } 100 101 // SecretKeySpec does not allow zero length keys, so we define our 102 // own class. 103 // 104 // As an anonymous class cannot make any guarantees about serialization 105 // compatibility, it is nonsensical for an anonymous class to define a 106 // serialVersionUID. Suppress warnings relative to missing serialVersionUID 107 // field in the anonymous subclass of serializable SecretKey. 108 @SuppressWarnings("serial") 109 private static final SecretKey NULL_KEY = new SecretKey() { 110 public byte[] getEncoded() { 111 return new byte[0]; 112 } 113 public String getFormat() { 114 return "RAW"; 115 } 116 public String getAlgorithm() { 117 return "Generic"; 118 } 119 }; 120 121 protected void engineInit(int keysize, SecureRandom random) { 122 throw new InvalidParameterException(MSG); 123 } 124 125 protected SecretKey engineGenerateKey() { 126 if (spec == null) { 127 throw new IllegalStateException("TlsPrfGenerator must be initialized"); 128 } 129 130 byte[] seed = spec.getSeed(); 131 132 // TLS 1.2 133 if (mechanism == CKM_TLS_MAC) { 134 SecretKey k = null; 135 int ulServerOrClient = 0; 136 if (spec.getLabel().equals("server finished")) { 137 ulServerOrClient = 1; 138 } 139 if (spec.getLabel().equals("client finished")) { 140 ulServerOrClient = 2; 141 } 142 143 if (ulServerOrClient != 0) { 144 // Finished message 145 CK_TLS_MAC_PARAMS params = new CK_TLS_MAC_PARAMS( 146 SunPKCS11.hashAlgorithmToHashMechanismMap.get(spec.getPRFHashAlg()), 147 spec.getOutputLength(), ulServerOrClient); 148 Session session = null; 149 try { 150 session = token.getOpSession(); 151 token.p11.C_SignInit(session.id(), 152 new CK_MECHANISM(mechanism, params), p11Key.keyID); 153 token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length); 154 byte[] out = token.p11.C_SignFinal 155 (session.id(), spec.getOutputLength()); 156 k = new SecretKeySpec(out, "TlsPrf"); 157 } catch (PKCS11Exception e) { 158 throw new ProviderException("Could not calculate PRF", e); 159 } finally { 160 token.releaseSession(session); 161 } 162 } else { 163 throw new ProviderException("Only Finished message authentication code"+ 164 " generation supported for TLS 1.2."); 165 } 166 return k; 167 } 168 169 byte[] label = P11Util.getBytesUTF8(spec.getLabel()); 170 171 if (mechanism == CKM_NSS_TLS_PRF_GENERAL) { 172 Session session = null; 173 try { 174 session = token.getOpSession(); 175 token.p11.C_SignInit 176 (session.id(), new CK_MECHANISM(mechanism), p11Key.keyID); 177 token.p11.C_SignUpdate(session.id(), 0, label, 0, label.length); 178 token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length); 179 byte[] out = token.p11.C_SignFinal 180 (session.id(), spec.getOutputLength()); 181 return new SecretKeySpec(out, "TlsPrf"); 182 } catch (PKCS11Exception e) { 183 throw new ProviderException("Could not calculate PRF", e); 184 } finally { 185 token.releaseSession(session); 186 } 187 } 188 189 // mechanism == CKM_TLS_PRF 190 191 byte[] out = new byte[spec.getOutputLength()]; 192 CK_TLS_PRF_PARAMS params = new CK_TLS_PRF_PARAMS(seed, label, out); 193 194 Session session = null; 195 try { 196 session = token.getOpSession(); 197 long keyID = token.p11.C_DeriveKey(session.id(), 198 new CK_MECHANISM(mechanism, params), p11Key.keyID, null); 199 // ignore keyID, returned PRF bytes are in 'out' 200 return new SecretKeySpec(out, "TlsPrf"); 201 } catch (PKCS11Exception e) { 202 throw new ProviderException("Could not calculate PRF", e); 203 } finally { 204 token.releaseSession(session); 205 } 206 } 207 208 }