1 /*
2 * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.pkcs11;
27
28 import java.security.*;
29 import java.security.spec.AlgorithmParameterSpec;
30
31 import javax.crypto.*;
32 import javax.crypto.spec.*;
33
34 import sun.security.internal.spec.TlsPrfParameterSpec;
35
36 import static sun.security.pkcs11.TemplateManager.*;
37 import sun.security.pkcs11.wrapper.*;
38 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
39
40 /**
41 * KeyGenerator for the TLS PRF. Note that although the PRF is used in a number
42 * of places during the handshake, this class is usually only used to calculate
43 * the Finished messages. The reason is that for those other uses more specific
44 * PKCS#11 mechanisms have been defined (CKM_SSL3_MASTER_KEY_DERIVE, etc.).
45 *
46 * <p>This class supports the CKM_TLS_PRF mechanism from PKCS#11 v2.20 and
47 * the older NSS private mechanism.
48 *
49 * @author Andreas Sterbenz
50 * @since 1.6
51 */
52 final class P11TlsPrfGenerator extends KeyGeneratorSpi {
53
54 private final static String MSG =
55 "TlsPrfGenerator must be initialized using a TlsPrfParameterSpec";
56
57 // token instance
58 private final Token token;
59
60 // algorithm name
61 private final String algorithm;
62
63 // mechanism id
64 private final long mechanism;
65
66 @SuppressWarnings("deprecation")
67 private TlsPrfParameterSpec spec;
68
69 private P11Key p11Key;
70
71 P11TlsPrfGenerator(Token token, String algorithm, long mechanism)
72 throws PKCS11Exception {
73 super();
74 this.token = token;
75 this.algorithm = algorithm;
76 this.mechanism = mechanism;
77 }
78
79 protected void engineInit(SecureRandom random) {
80 throw new InvalidParameterException(MSG);
81 }
82
83 @SuppressWarnings("deprecation")
84 protected void engineInit(AlgorithmParameterSpec params,
85 SecureRandom random) throws InvalidAlgorithmParameterException {
86 if (params instanceof TlsPrfParameterSpec == false) {
87 throw new InvalidAlgorithmParameterException(MSG);
88 }
89 this.spec = (TlsPrfParameterSpec)params;
90 SecretKey key = spec.getSecret();
91 if (key == null) {
92 key = NULL_KEY;
93 }
94 try {
95 p11Key = P11SecretKeyFactory.convertKey(token, key, null);
96 } catch (InvalidKeyException e) {
97 throw new InvalidAlgorithmParameterException("init() failed", e);
98 }
99 }
100
101 // SecretKeySpec does not allow zero length keys, so we define our
102 // own class.
103 //
104 // As an anonymous class cannot make any guarantees about serialization
105 // compatibility, it is nonsensical for an anonymous class to define a
106 // serialVersionUID. Suppress warnings relative to missing serialVersionUID
107 // field in the anonymous subclass of serializable SecretKey.
108 @SuppressWarnings("serial")
109 private static final SecretKey NULL_KEY = new SecretKey() {
110 public byte[] getEncoded() {
111 return new byte[0];
112 }
113 public String getFormat() {
114 return "RAW";
115 }
116 public String getAlgorithm() {
117 return "Generic";
118 }
119 };
120
121 protected void engineInit(int keysize, SecureRandom random) {
122 throw new InvalidParameterException(MSG);
123 }
124
125 protected SecretKey engineGenerateKey() {
126 if (spec == null) {
127 throw new IllegalStateException("TlsPrfGenerator must be initialized");
128 }
129
130 byte[] seed = spec.getSeed();
131
132 // TLS 1.2
133 if (mechanism == CKM_TLS_MAC) {
134 SecretKey k = null;
135 int ulServerOrClient = 0;
136 if (spec.getLabel().equals("server finished")) {
137 ulServerOrClient = 1;
138 }
139 if (spec.getLabel().equals("client finished")) {
140 ulServerOrClient = 2;
141 }
142
143 if (ulServerOrClient != 0) {
144 // Finished message
145 CK_TLS_MAC_PARAMS params = new CK_TLS_MAC_PARAMS(
146 SunPKCS11.hashAlgorithmToHashMechanismMap.get(spec.getPRFHashAlg()),
147 spec.getOutputLength(), ulServerOrClient);
148 Session session = null;
149 try {
150 session = token.getOpSession();
151 token.p11.C_SignInit(session.id(),
152 new CK_MECHANISM(mechanism, params), p11Key.keyID);
153 token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length);
154 byte[] out = token.p11.C_SignFinal
155 (session.id(), spec.getOutputLength());
156 k = new SecretKeySpec(out, "TlsPrf");
157 } catch (PKCS11Exception e) {
158 throw new ProviderException("Could not calculate PRF", e);
159 } finally {
160 token.releaseSession(session);
161 }
162 } else {
163 throw new ProviderException("Only Finished message authentication code"+
164 " generation supported for TLS 1.2.");
165 }
166 return k;
167 }
168
169 byte[] label = P11Util.getBytesUTF8(spec.getLabel());
170
171 if (mechanism == CKM_NSS_TLS_PRF_GENERAL) {
172 Session session = null;
173 try {
174 session = token.getOpSession();
175 token.p11.C_SignInit
176 (session.id(), new CK_MECHANISM(mechanism), p11Key.keyID);
177 token.p11.C_SignUpdate(session.id(), 0, label, 0, label.length);
178 token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length);
179 byte[] out = token.p11.C_SignFinal
180 (session.id(), spec.getOutputLength());
181 return new SecretKeySpec(out, "TlsPrf");
182 } catch (PKCS11Exception e) {
183 throw new ProviderException("Could not calculate PRF", e);
184 } finally {
185 token.releaseSession(session);
186 }
187 }
188
189 // mechanism == CKM_TLS_PRF
190
191 byte[] out = new byte[spec.getOutputLength()];
192 CK_TLS_PRF_PARAMS params = new CK_TLS_PRF_PARAMS(seed, label, out);
193
194 Session session = null;
195 try {
196 session = token.getOpSession();
197 long keyID = token.p11.C_DeriveKey(session.id(),
198 new CK_MECHANISM(mechanism, params), p11Key.keyID, null);
199 // ignore keyID, returned PRF bytes are in 'out'
200 return new SecretKeySpec(out, "TlsPrf");
201 } catch (PKCS11Exception e) {
202 throw new ProviderException("Could not calculate PRF", e);
203 } finally {
204 token.releaseSession(session);
205 }
206 }
207
208 }