68
69 // configuration information
70 final Config config;
71
72 // id of the PKCS#11 slot we are using
73 final long slotID;
74
75 private CallbackHandler pHandler;
76 private final Object LOCK_HANDLER = new Object();
77
78 final boolean removable;
79
80 final Secmod.Module nssModule;
81
82 final boolean nssUseSecmodTrust;
83
84 private volatile Token token;
85
86 private TokenPoller poller;
87
88 Token getToken() {
89 return token;
90 }
91
92 public SunPKCS11() {
93 super("SunPKCS11", PROVIDER_VER,
94 "Unconfigured and unusable PKCS11 provider");
95 p11 = null;
96 config = null;
97 slotID = 0;
98 pHandler = null;
99 removable = false;
100 nssModule = null;
101 nssUseSecmodTrust = false;
102 token = null;
103 poller = null;
104 }
105
106 @Override
107 public Provider configure(String configArg) throws InvalidParameterException {
438 // registered if the mechanism is supported
439 private final static Map<Integer,List<Descriptor>> descriptors =
440 new HashMap<Integer,List<Descriptor>>();
441
442 private static int[] m(long m1) {
443 return new int[] {(int)m1};
444 }
445
446 private static int[] m(long m1, long m2) {
447 return new int[] {(int)m1, (int)m2};
448 }
449
450 private static int[] m(long m1, long m2, long m3) {
451 return new int[] {(int)m1, (int)m2, (int)m3};
452 }
453
454 private static int[] m(long m1, long m2, long m3, long m4) {
455 return new int[] {(int)m1, (int)m2, (int)m3, (int)m4};
456 }
457
458 private static void d(String type, String algorithm, String className,
459 int[] m) {
460 register(new Descriptor(type, algorithm, className, null, m));
461 }
462
463 private static void d(String type, String algorithm, String className,
464 String[] aliases, int[] m) {
465 register(new Descriptor(type, algorithm, className, aliases, m));
466 }
467
468 private static void register(Descriptor d) {
469 for (int i = 0; i < d.mechanisms.length; i++) {
470 int m = d.mechanisms[i];
471 Integer key = Integer.valueOf(m);
472 List<Descriptor> list = descriptors.get(key);
473 if (list == null) {
474 list = new ArrayList<Descriptor>();
475 descriptors.put(key, list);
476 }
477 list.add(d);
501 private final static String KS = "KeyStore";
502
503 private final static String SR = "SecureRandom";
504
505 static {
506 // names of all the implementation classes
507 // use local variables, only used here
508 String P11Digest = "sun.security.pkcs11.P11Digest";
509 String P11MAC = "sun.security.pkcs11.P11MAC";
510 String P11KeyPairGenerator = "sun.security.pkcs11.P11KeyPairGenerator";
511 String P11KeyGenerator = "sun.security.pkcs11.P11KeyGenerator";
512 String P11RSAKeyFactory = "sun.security.pkcs11.P11RSAKeyFactory";
513 String P11DSAKeyFactory = "sun.security.pkcs11.P11DSAKeyFactory";
514 String P11DHKeyFactory = "sun.security.pkcs11.P11DHKeyFactory";
515 String P11KeyAgreement = "sun.security.pkcs11.P11KeyAgreement";
516 String P11SecretKeyFactory = "sun.security.pkcs11.P11SecretKeyFactory";
517 String P11Cipher = "sun.security.pkcs11.P11Cipher";
518 String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
519 String P11Signature = "sun.security.pkcs11.P11Signature";
520
521 // XXX register all aliases
522
523 d(MD, "MD2", P11Digest,
524 m(CKM_MD2));
525 d(MD, "MD5", P11Digest,
526 m(CKM_MD5));
527 d(MD, "SHA1", P11Digest,
528 s("SHA", "SHA-1", "1.3.14.3.2.26", "OID.1.3.14.3.2.26"),
529 m(CKM_SHA_1));
530
531 d(MD, "SHA-224", P11Digest,
532 s("2.16.840.1.101.3.4.2.4", "OID.2.16.840.1.101.3.4.2.4"),
533 m(CKM_SHA224));
534 d(MD, "SHA-256", P11Digest,
535 s("2.16.840.1.101.3.4.2.1", "OID.2.16.840.1.101.3.4.2.1"),
536 m(CKM_SHA256));
537 d(MD, "SHA-384", P11Digest,
538 s("2.16.840.1.101.3.4.2.2", "OID.2.16.840.1.101.3.4.2.2"),
539 m(CKM_SHA384));
540 d(MD, "SHA-512", P11Digest,
727 d(SIG, "MD5withRSA", P11Signature,
728 s("1.2.840.113549.1.1.4", "OID.1.2.840.113549.1.1.4"),
729 m(CKM_MD5_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
730 d(SIG, "SHA1withRSA", P11Signature,
731 s("1.2.840.113549.1.1.5", "OID.1.2.840.113549.1.1.5",
732 "1.3.14.3.2.29"),
733 m(CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
734 d(SIG, "SHA224withRSA", P11Signature,
735 s("1.2.840.113549.1.1.14", "OID.1.2.840.113549.1.1.14"),
736 m(CKM_SHA224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
737 d(SIG, "SHA256withRSA", P11Signature,
738 s("1.2.840.113549.1.1.11", "OID.1.2.840.113549.1.1.11"),
739 m(CKM_SHA256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
740 d(SIG, "SHA384withRSA", P11Signature,
741 s("1.2.840.113549.1.1.12", "OID.1.2.840.113549.1.1.12"),
742 m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
743 d(SIG, "SHA512withRSA", P11Signature,
744 s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
745 m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
746
747 /*
748 * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the
749 * PRF calculations. As of 2010, there is no PKCS11-level
750 * support for TLS 1.2 PRF calculations, and no known OS's have
751 * an internal variant we could use. Therefore for TLS 1.2, we
752 * are updating JSSE to request different provider algorithms
753 * (e.g. "SunTls12Prf"), and currently only SunJCE has these
754 * TLS 1.2 algorithms.
755 *
756 * If we reused the names such as "SunTlsPrf", the PKCS11
757 * providers would need be updated to fail correctly when
758 * presented with the wrong version number (via
759 * Provider.Service.supportsParameters()), and we would also
760 * need to add the appropriate supportsParamters() checks into
761 * KeyGenerators (not currently there).
762 *
763 * In the future, if PKCS11 support is added, we will restructure
764 * this.
765 */
766 d(KG, "SunTlsRsaPremasterSecret",
767 "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
768 m(CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN));
769 d(KG, "SunTlsMasterSecret",
770 "sun.security.pkcs11.P11TlsMasterSecretGenerator",
771 m(CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE,
772 CKM_SSL3_MASTER_KEY_DERIVE_DH,
773 CKM_TLS_MASTER_KEY_DERIVE_DH));
774 d(KG, "SunTlsKeyMaterial",
775 "sun.security.pkcs11.P11TlsKeyMaterialGenerator",
776 m(CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE));
777 d(KG, "SunTlsPrf", "sun.security.pkcs11.P11TlsPrfGenerator",
778 m(CKM_TLS_PRF, CKM_NSS_TLS_PRF_GENERAL));
779 }
780
781 // background thread that periodically checks for token insertion
782 // if no token is present. We need to do that in a separate thread because
783 // the insertion check may block for quite a long time on some tokens.
784 private static class TokenPoller implements Runnable {
785 private final SunPKCS11 provider;
786 private volatile boolean enabled;
787 private TokenPoller(SunPKCS11 provider) {
788 this.provider = provider;
789 enabled = true;
790 }
791 public void run() {
792 int interval = provider.config.getInsertionCheckInterval();
793 while (enabled) {
794 try {
795 Thread.sleep(interval);
796 } catch (InterruptedException e) {
797 break;
798 }
1031 if (algorithm.equals("ECDH")) {
1032 return new P11ECDHKeyAgreement(token, algorithm, mechanism);
1033 } else {
1034 return new P11KeyAgreement(token, algorithm, mechanism);
1035 }
1036 } else if (type == KF) {
1037 return token.getKeyFactory(algorithm);
1038 } else if (type == SKF) {
1039 return new P11SecretKeyFactory(token, algorithm);
1040 } else if (type == KG) {
1041 // reference equality
1042 if (algorithm == "SunTlsRsaPremasterSecret") {
1043 return new P11TlsRsaPremasterSecretGenerator(
1044 token, algorithm, mechanism);
1045 } else if (algorithm == "SunTlsMasterSecret") {
1046 return new P11TlsMasterSecretGenerator(
1047 token, algorithm, mechanism);
1048 } else if (algorithm == "SunTlsKeyMaterial") {
1049 return new P11TlsKeyMaterialGenerator(
1050 token, algorithm, mechanism);
1051 } else if (algorithm == "SunTlsPrf") {
1052 return new P11TlsPrfGenerator(token, algorithm, mechanism);
1053 } else {
1054 return new P11KeyGenerator(token, algorithm, mechanism);
1055 }
1056 } else if (type == SR) {
1057 return token.getRandom();
1058 } else if (type == KS) {
1059 return token.getKeyStore();
1060 } else if (type == AGP) {
1061 return new sun.security.util.ECParameters();
1062 } else {
1063 throw new NoSuchAlgorithmException("Unknown type: " + type);
1064 }
1065 }
1066
1067 public boolean supportsParameter(Object param) {
1068 if ((param == null) || (token.isValid() == false)) {
1069 return false;
1070 }
1071 if (param instanceof Key == false) {
|
68
69 // configuration information
70 final Config config;
71
72 // id of the PKCS#11 slot we are using
73 final long slotID;
74
75 private CallbackHandler pHandler;
76 private final Object LOCK_HANDLER = new Object();
77
78 final boolean removable;
79
80 final Secmod.Module nssModule;
81
82 final boolean nssUseSecmodTrust;
83
84 private volatile Token token;
85
86 private TokenPoller poller;
87
88 static final Map<String, Long> hashAlgorithmToHashMechanismMap =
89 new HashMap<String, Long>();
90
91 Token getToken() {
92 return token;
93 }
94
95 public SunPKCS11() {
96 super("SunPKCS11", PROVIDER_VER,
97 "Unconfigured and unusable PKCS11 provider");
98 p11 = null;
99 config = null;
100 slotID = 0;
101 pHandler = null;
102 removable = false;
103 nssModule = null;
104 nssUseSecmodTrust = false;
105 token = null;
106 poller = null;
107 }
108
109 @Override
110 public Provider configure(String configArg) throws InvalidParameterException {
441 // registered if the mechanism is supported
442 private final static Map<Integer,List<Descriptor>> descriptors =
443 new HashMap<Integer,List<Descriptor>>();
444
445 private static int[] m(long m1) {
446 return new int[] {(int)m1};
447 }
448
449 private static int[] m(long m1, long m2) {
450 return new int[] {(int)m1, (int)m2};
451 }
452
453 private static int[] m(long m1, long m2, long m3) {
454 return new int[] {(int)m1, (int)m2, (int)m3};
455 }
456
457 private static int[] m(long m1, long m2, long m3, long m4) {
458 return new int[] {(int)m1, (int)m2, (int)m3, (int)m4};
459 }
460
461 private static int[] m(long m1, long m2, long m3, long m4, long m5) {
462 return new int[] {(int)m1, (int)m2, (int)m3, (int)m4, (int)m5};
463 }
464
465 private static void d(String type, String algorithm, String className,
466 int[] m) {
467 register(new Descriptor(type, algorithm, className, null, m));
468 }
469
470 private static void d(String type, String algorithm, String className,
471 String[] aliases, int[] m) {
472 register(new Descriptor(type, algorithm, className, aliases, m));
473 }
474
475 private static void register(Descriptor d) {
476 for (int i = 0; i < d.mechanisms.length; i++) {
477 int m = d.mechanisms[i];
478 Integer key = Integer.valueOf(m);
479 List<Descriptor> list = descriptors.get(key);
480 if (list == null) {
481 list = new ArrayList<Descriptor>();
482 descriptors.put(key, list);
483 }
484 list.add(d);
508 private final static String KS = "KeyStore";
509
510 private final static String SR = "SecureRandom";
511
512 static {
513 // names of all the implementation classes
514 // use local variables, only used here
515 String P11Digest = "sun.security.pkcs11.P11Digest";
516 String P11MAC = "sun.security.pkcs11.P11MAC";
517 String P11KeyPairGenerator = "sun.security.pkcs11.P11KeyPairGenerator";
518 String P11KeyGenerator = "sun.security.pkcs11.P11KeyGenerator";
519 String P11RSAKeyFactory = "sun.security.pkcs11.P11RSAKeyFactory";
520 String P11DSAKeyFactory = "sun.security.pkcs11.P11DSAKeyFactory";
521 String P11DHKeyFactory = "sun.security.pkcs11.P11DHKeyFactory";
522 String P11KeyAgreement = "sun.security.pkcs11.P11KeyAgreement";
523 String P11SecretKeyFactory = "sun.security.pkcs11.P11SecretKeyFactory";
524 String P11Cipher = "sun.security.pkcs11.P11Cipher";
525 String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
526 String P11Signature = "sun.security.pkcs11.P11Signature";
527
528 hashAlgorithmToHashMechanismMap.put("SHA-1", CKM_SHA_1);
529 hashAlgorithmToHashMechanismMap.put("SHA-224", CKM_SHA224);
530 hashAlgorithmToHashMechanismMap.put("SHA-256", CKM_SHA256);
531 hashAlgorithmToHashMechanismMap.put("SHA-386", CKM_SHA384);
532 hashAlgorithmToHashMechanismMap.put("SHA-512", CKM_SHA512);
533
534 // XXX register all aliases
535
536 d(MD, "MD2", P11Digest,
537 m(CKM_MD2));
538 d(MD, "MD5", P11Digest,
539 m(CKM_MD5));
540 d(MD, "SHA1", P11Digest,
541 s("SHA", "SHA-1", "1.3.14.3.2.26", "OID.1.3.14.3.2.26"),
542 m(CKM_SHA_1));
543
544 d(MD, "SHA-224", P11Digest,
545 s("2.16.840.1.101.3.4.2.4", "OID.2.16.840.1.101.3.4.2.4"),
546 m(CKM_SHA224));
547 d(MD, "SHA-256", P11Digest,
548 s("2.16.840.1.101.3.4.2.1", "OID.2.16.840.1.101.3.4.2.1"),
549 m(CKM_SHA256));
550 d(MD, "SHA-384", P11Digest,
551 s("2.16.840.1.101.3.4.2.2", "OID.2.16.840.1.101.3.4.2.2"),
552 m(CKM_SHA384));
553 d(MD, "SHA-512", P11Digest,
740 d(SIG, "MD5withRSA", P11Signature,
741 s("1.2.840.113549.1.1.4", "OID.1.2.840.113549.1.1.4"),
742 m(CKM_MD5_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
743 d(SIG, "SHA1withRSA", P11Signature,
744 s("1.2.840.113549.1.1.5", "OID.1.2.840.113549.1.1.5",
745 "1.3.14.3.2.29"),
746 m(CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
747 d(SIG, "SHA224withRSA", P11Signature,
748 s("1.2.840.113549.1.1.14", "OID.1.2.840.113549.1.1.14"),
749 m(CKM_SHA224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
750 d(SIG, "SHA256withRSA", P11Signature,
751 s("1.2.840.113549.1.1.11", "OID.1.2.840.113549.1.1.11"),
752 m(CKM_SHA256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
753 d(SIG, "SHA384withRSA", P11Signature,
754 s("1.2.840.113549.1.1.12", "OID.1.2.840.113549.1.1.12"),
755 m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
756 d(SIG, "SHA512withRSA", P11Signature,
757 s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
758 m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
759
760 d(KG, "SunTlsRsaPremasterSecret",
761 "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
762 s("SunTls12RsaPremasterSecret"),
763 m(CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN));
764 d(KG, "SunTlsMasterSecret",
765 "sun.security.pkcs11.P11TlsMasterSecretGenerator",
766 s("SunTls12MasterSecret"),
767 m(CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE,
768 CKM_TLS12_MASTER_KEY_DERIVE,
769 CKM_SSL3_MASTER_KEY_DERIVE_DH,
770 CKM_TLS_MASTER_KEY_DERIVE_DH));
771 d(KG, "SunTlsKeyMaterial",
772 "sun.security.pkcs11.P11TlsKeyMaterialGenerator",
773 s("SunTls12KeyMaterial"),
774 m(CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE));
775 d(KG, "SunTlsPrf", "sun.security.pkcs11.P11TlsPrfGenerator",
776 m(CKM_TLS_PRF, CKM_NSS_TLS_PRF_GENERAL));
777 d(KG, "SunTls12Prf", "sun.security.pkcs11.P11TlsPrfGenerator",
778 m(CKM_TLS_MAC));
779 }
780
781 // background thread that periodically checks for token insertion
782 // if no token is present. We need to do that in a separate thread because
783 // the insertion check may block for quite a long time on some tokens.
784 private static class TokenPoller implements Runnable {
785 private final SunPKCS11 provider;
786 private volatile boolean enabled;
787 private TokenPoller(SunPKCS11 provider) {
788 this.provider = provider;
789 enabled = true;
790 }
791 public void run() {
792 int interval = provider.config.getInsertionCheckInterval();
793 while (enabled) {
794 try {
795 Thread.sleep(interval);
796 } catch (InterruptedException e) {
797 break;
798 }
1031 if (algorithm.equals("ECDH")) {
1032 return new P11ECDHKeyAgreement(token, algorithm, mechanism);
1033 } else {
1034 return new P11KeyAgreement(token, algorithm, mechanism);
1035 }
1036 } else if (type == KF) {
1037 return token.getKeyFactory(algorithm);
1038 } else if (type == SKF) {
1039 return new P11SecretKeyFactory(token, algorithm);
1040 } else if (type == KG) {
1041 // reference equality
1042 if (algorithm == "SunTlsRsaPremasterSecret") {
1043 return new P11TlsRsaPremasterSecretGenerator(
1044 token, algorithm, mechanism);
1045 } else if (algorithm == "SunTlsMasterSecret") {
1046 return new P11TlsMasterSecretGenerator(
1047 token, algorithm, mechanism);
1048 } else if (algorithm == "SunTlsKeyMaterial") {
1049 return new P11TlsKeyMaterialGenerator(
1050 token, algorithm, mechanism);
1051 } else if (algorithm == "SunTlsPrf" || algorithm == "SunTls12Prf") {
1052 return new P11TlsPrfGenerator(token, algorithm, mechanism);
1053 } else {
1054 return new P11KeyGenerator(token, algorithm, mechanism);
1055 }
1056 } else if (type == SR) {
1057 return token.getRandom();
1058 } else if (type == KS) {
1059 return token.getKeyStore();
1060 } else if (type == AGP) {
1061 return new sun.security.util.ECParameters();
1062 } else {
1063 throw new NoSuchAlgorithmException("Unknown type: " + type);
1064 }
1065 }
1066
1067 public boolean supportsParameter(Object param) {
1068 if ((param == null) || (token.isValid() == false)) {
1069 return false;
1070 }
1071 if (param instanceof Key == false) {
|