jdk_tls12_sunpkcs11 Udiff src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsPrfGenerator.java

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsPrfGenerator.java

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.  Oracle designates this

@@ -124,13 +124,52 @@
 
     protected SecretKey engineGenerateKey() {
         if (spec == null) {
             throw new IllegalStateException("TlsPrfGenerator must be initialized");
         }
-        byte[] label = P11Util.getBytesUTF8(spec.getLabel());
+        
         byte[] seed = spec.getSeed();
 
+        // TLS 1.2
+        if (mechanism == CKM_TLS_MAC) {
+            SecretKey k = null;
+            int ulServerOrClient = 0;
+            if (spec.getLabel().equals("server finished")) {
+                ulServerOrClient = 1;
+            }
+            if (spec.getLabel().equals("client finished")) {
+                ulServerOrClient = 2;
+            }
+            
+            if (ulServerOrClient != 0) {
+                // Finished message
+                CK_TLS_MAC_PARAMS params = new CK_TLS_MAC_PARAMS(
+                        SunPKCS11.hashAlgorithmToHashMechanismMap.get(spec.getPRFHashAlg()),
+                        spec.getOutputLength(), ulServerOrClient);
+                Session session = null;
+                try {
+                    session = token.getOpSession();
+                    token.p11.C_SignInit(session.id(), 
+                            new CK_MECHANISM(mechanism, params), p11Key.keyID);
+                    token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length);
+                    byte[] out = token.p11.C_SignFinal
+                                        (session.id(), spec.getOutputLength());
+                    k = new SecretKeySpec(out, "TlsPrf");
+                } catch (PKCS11Exception e) {
+                    throw new ProviderException("Could not calculate PRF", e);
+                } finally {
+                    token.releaseSession(session);
+                }
+            } else {
+                throw new ProviderException("Only Finished message authentication code"+
+                                            " generation supported for TLS 1.2.");
+            }
+            return k;
+        }
+        
+        byte[] label = P11Util.getBytesUTF8(spec.getLabel());
+
         if (mechanism == CKM_NSS_TLS_PRF_GENERAL) {
             Session session = null;
             try {
                 session = token.getOpSession();
                 token.p11.C_SignInit

< prev index next >