--- old/src/java.base/share/classes/module-info.java 2017-01-20 09:51:19.474291933 -0800 +++ new/src/java.base/share/classes/module-info.java 2017-01-20 09:51:19.150291945 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -219,7 +219,7 @@ java.security.jgss; exports sun.nio.ch to java.management, - jdk.crypto.token, + jdk.crypto.cryptoki, jdk.sctp, jdk.unsupported; exports sun.nio.cs to @@ -244,13 +244,13 @@ java.desktop, java.security.jgss; exports sun.security.internal.interfaces to - jdk.crypto.token; + jdk.crypto.cryptoki; exports sun.security.internal.spec to - jdk.crypto.token; + jdk.crypto.cryptoki; exports sun.security.jca to java.smartcardio, jdk.crypto.ec, - jdk.crypto.token, + jdk.crypto.cryptoki, jdk.naming.dns; exports sun.security.pkcs to jdk.crypto.ec, @@ -258,13 +258,13 @@ exports sun.security.provider to java.rmi, java.security.jgss, - jdk.crypto.token, + jdk.crypto.cryptoki, jdk.policytool, jdk.security.auth; exports sun.security.provider.certpath to java.naming; exports sun.security.rsa to - jdk.crypto.token; + jdk.crypto.cryptoki; exports sun.security.ssl to java.security.jgss; exports sun.security.timestamp to @@ -280,14 +280,14 @@ java.smartcardio, java.xml.crypto, jdk.crypto.ec, - jdk.crypto.token, + jdk.crypto.cryptoki, jdk.jartool, jdk.policytool, jdk.security.auth, jdk.security.jgss; exports sun.security.x509 to jdk.crypto.ec, - jdk.crypto.token, + jdk.crypto.cryptoki, jdk.jartool, jdk.security.auth; exports sun.security.validator to --- old/src/java.base/share/lib/security/default.policy 2017-01-20 09:51:20.794291883 -0800 +++ new/src/java.base/share/lib/security/default.policy 2017-01-20 09:51:20.442291896 -0800 @@ -137,7 +137,7 @@ permission java.security.SecurityPermission "removeProviderProperty.SunEC"; }; -grant codeBase "jrt:/jdk.crypto.token" { +grant codeBase "jrt:/jdk.crypto.cryptoki" { permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; --- old/test/java/lang/SecurityManager/CheckSecurityProvider.java 2017-01-20 09:51:22.086291834 -0800 +++ new/test/java/lang/SecurityManager/CheckSecurityProvider.java 2017-01-20 09:51:21.810291845 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -62,7 +62,7 @@ if (os.equals("SunOS")) { layer.findModule("jdk.crypto.ucrypto") .ifPresent(m -> expected.add("com.oracle.security.ucrypto.UcryptoProvider")); - layer.findModule("jdk.crypto.token") + layer.findModule("jdk.crypto.cryptoki") .ifPresent(m -> expected.add("sun.security.pkcs11.SunPKCS11")); } expected.add("sun.security.provider.Sun"); @@ -91,7 +91,7 @@ expected.add("apple.security.AppleProvider"); } if (!os.equals("SunOS")) { - layer.findModule("jdk.crypto.token") + layer.findModule("jdk.crypto.cryptoki") .ifPresent(m -> expected.add("sun.security.pkcs11.SunPKCS11")); } --- old/test/sun/security/ec/TestEC.java 2017-01-20 09:51:22.850291806 -0800 +++ new/test/sun/security/ec/TestEC.java 2017-01-20 09:51:22.566291816 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,8 +34,8 @@ * @library ../pkcs11/ec * @library ../pkcs11/sslecc * @library ../../../java/security/testlibrary - * @modules jdk.crypto.token/sun.security.pkcs11.wrapper - * @compile --add-modules jdk.crypto.token TestEC.java + * @modules jdk.crypto.cryptoki/sun.security.pkcs11.wrapper + * @compile --add-modules jdk.crypto.cryptoki TestEC.java * @run main/othervm -Djdk.tls.namedGroups="secp256r1,sect193r1" TestEC * @run main/othervm/java.security.policy=TestEC.policy -Djdk.tls.namedGroups="secp256r1,sect193r1" TestEC */ --- old/test/sun/security/pkcs11/Cipher/ReinitCipher.java 2017-01-20 09:51:23.610291777 -0800 +++ new/test/sun/security/pkcs11/Cipher/ReinitCipher.java 2017-01-20 09:51:23.302291789 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm ReinitCipher * @run main/othervm ReinitCipher sm */ --- old/test/sun/security/pkcs11/Cipher/TestPKCS5PaddingError.java 2017-01-20 09:51:24.310291750 -0800 +++ new/test/sun/security/pkcs11/Cipher/TestPKCS5PaddingError.java 2017-01-20 09:51:24.030291761 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Test internal PKCS5Padding impl with various error conditions. * @author Valerie Peng * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestPKCS5PaddingError * @run main/othervm TestPKCS5PaddingError sm */ --- old/test/sun/security/pkcs11/Cipher/TestRSACipher.java 2017-01-20 09:51:25.002291724 -0800 +++ new/test/sun/security/pkcs11/Cipher/TestRSACipher.java 2017-01-20 09:51:24.722291735 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestRSACipher * @run main/othervm TestRSACipher sm */ --- old/test/sun/security/pkcs11/Cipher/TestRSACipherWrap.java 2017-01-20 09:51:25.702291698 -0800 +++ new/test/sun/security/pkcs11/Cipher/TestRSACipherWrap.java 2017-01-20 09:51:25.434291708 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary basic test for RSA cipher key wrapping functionality * @author Valerie Peng * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestRSACipherWrap * @run main/othervm TestRSACipherWrap sm */ --- old/test/sun/security/pkcs11/Cipher/TestRawRSACipher.java 2017-01-20 09:51:26.518291667 -0800 +++ new/test/sun/security/pkcs11/Cipher/TestRawRSACipher.java 2017-01-20 09:51:26.242291678 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Valerie Peng * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestRawRSACipher * @run main/othervm TestRawRSACipher sm */ --- old/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 2017-01-20 09:51:27.226291640 -0800 +++ new/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 2017-01-20 09:51:26.942291651 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Valerie Peng * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestSymmCiphers * @run main/othervm TestSymmCiphers sm */ --- old/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java 2017-01-20 09:51:27.942291613 -0800 +++ new/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java 2017-01-20 09:51:27.666291624 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Valerie Peng * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestSymmCiphersNoPad * @run main/othervm TestSymmCiphersNoPad sm */ --- old/test/sun/security/pkcs11/KeyAgreement/SupportedDHKeys.java 2017-01-20 09:51:28.810291581 -0800 +++ new/test/sun/security/pkcs11/KeyAgreement/SupportedDHKeys.java 2017-01-20 09:51:28.458291594 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,7 @@ * @bug 8072452 * @summary Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm SupportedDHKeys * @run main/othervm SupportedDHKeys sm */ --- old/test/sun/security/pkcs11/KeyAgreement/TestDH.java 2017-01-20 09:51:29.766291544 -0800 +++ new/test/sun/security/pkcs11/KeyAgreement/TestDH.java 2017-01-20 09:51:29.318291561 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Verify that DH works properly * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestDH * @run main/othervm TestDH sm */ --- old/test/sun/security/pkcs11/KeyAgreement/TestInterop.java 2017-01-20 09:51:30.626291512 -0800 +++ new/test/sun/security/pkcs11/KeyAgreement/TestInterop.java 2017-01-20 09:51:30.290291525 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,7 @@ * @bug 7146728 * @summary Interop test for DH with secret that has a leading 0x00 byte * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestInterop * @run main/othervm TestInterop sm */ --- old/test/sun/security/pkcs11/KeyAgreement/TestShort.java 2017-01-20 09:51:31.778291469 -0800 +++ new/test/sun/security/pkcs11/KeyAgreement/TestShort.java 2017-01-20 09:51:31.142291493 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary KAT test for DH (normal and with secret that has leading a 0x00 byte) * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestShort * @run main/othervm TestShort sm */ --- old/test/sun/security/pkcs11/KeyAgreement/UnsupportedDHKeys.java 2017-01-20 09:51:32.650291436 -0800 +++ new/test/sun/security/pkcs11/KeyAgreement/UnsupportedDHKeys.java 2017-01-20 09:51:32.298291449 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,7 @@ * @bug 8072452 * @summary Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm UnsupportedDHKeys * @run main/othervm UnsupportedDHKeys sm */ --- old/test/sun/security/pkcs11/KeyGenerator/DESParity.java 2017-01-20 09:51:33.526291403 -0800 +++ new/test/sun/security/pkcs11/KeyGenerator/DESParity.java 2017-01-20 09:51:33.126291418 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm DESParity * @run main/othervm DESParity sm */ --- old/test/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java 2017-01-20 09:51:34.442291368 -0800 +++ new/test/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java 2017-01-20 09:51:34.074291382 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary test the KeyGenerator * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestKeyGenerator * @run main/othervm TestKeyGenerator sm */ --- old/test/sun/security/pkcs11/KeyPairGenerator/TestDH2048.java 2017-01-20 09:51:35.126291342 -0800 +++ new/test/sun/security/pkcs11/KeyPairGenerator/TestDH2048.java 2017-01-20 09:51:34.850291353 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Ensure that DH key pairs can be generated for 512 - 8192 bits * @author Valerie Peng * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestDH2048 * @run main/othervm TestDH2048 sm */ --- old/test/sun/security/pkcs11/Mac/MacKAT.java 2017-01-20 09:51:35.818291316 -0800 +++ new/test/sun/security/pkcs11/Mac/MacKAT.java 2017-01-20 09:51:35.542291326 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Basic known-answer-test for Hmac algorithms * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm MacKAT * @run main/othervm MacKAT sm */ --- old/test/sun/security/pkcs11/Mac/MacSameTest.java 2017-01-20 09:51:37.170291265 -0800 +++ new/test/sun/security/pkcs11/Mac/MacSameTest.java 2017-01-20 09:51:36.558291288 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Check if doFinal and update operation result in same Mac * @author Yu-Ching Valerie Peng, Bill Situ, Alexander Fomin * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm MacSameTest * @run main/othervm MacSameTest sm * @key randomness --- old/test/sun/security/pkcs11/Mac/ReinitMac.java 2017-01-20 09:51:38.094291230 -0800 +++ new/test/sun/security/pkcs11/Mac/ReinitMac.java 2017-01-20 09:51:37.734291244 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm ReinitMac * @run main/othervm ReinitMac sm */ --- old/test/sun/security/pkcs11/MessageDigest/ByteBuffers.java 2017-01-20 09:51:38.970291197 -0800 +++ new/test/sun/security/pkcs11/MessageDigest/ByteBuffers.java 2017-01-20 09:51:38.614291210 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm ByteBuffers * @run main/othervm ByteBuffers sm */ --- old/test/sun/security/pkcs11/MessageDigest/DigestKAT.java 2017-01-20 09:51:39.930291161 -0800 +++ new/test/sun/security/pkcs11/MessageDigest/DigestKAT.java 2017-01-20 09:51:39.550291175 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Basic known-answer-test for all our MessageDigest algorithms * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm DigestKAT * @run main/othervm DigestKAT sm */ --- old/test/sun/security/pkcs11/MessageDigest/ReinitDigest.java 2017-01-20 09:51:40.818291127 -0800 +++ new/test/sun/security/pkcs11/MessageDigest/ReinitDigest.java 2017-01-20 09:51:40.442291141 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm ReinitDigest * @run main/othervm ReinitDigest sm */ --- old/test/sun/security/pkcs11/MessageDigest/TestCloning.java 2017-01-20 09:51:41.910291086 -0800 +++ new/test/sun/security/pkcs11/MessageDigest/TestCloning.java 2017-01-20 09:51:41.290291109 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Valerie Peng * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestCloning * @run main/othervm TestCloning sm */ --- old/test/sun/security/pkcs11/Provider/Absolute.java 2017-01-20 09:51:42.922291048 -0800 +++ new/test/sun/security/pkcs11/Provider/Absolute.java 2017-01-20 09:51:42.474291065 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -24,7 +24,7 @@ * @test * @bug 7003952 7191662 * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @summary load DLLs and launch executables using fully qualified path */ --- old/test/sun/security/pkcs11/SampleTest.java 2017-01-20 09:51:43.786291015 -0800 +++ new/test/sun/security/pkcs11/SampleTest.java 2017-01-20 09:51:43.434291029 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary XXX todo * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki */ import java.security.Provider; --- old/test/sun/security/pkcs11/Secmod/AddPrivateKey.java 2017-01-20 09:51:44.622290984 -0800 +++ new/test/sun/security/pkcs11/Secmod/AddPrivateKey.java 2017-01-20 09:51:44.274290997 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Test that the PKCS#11 KeyStore handles RSA, DSA, and EC keys * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm AddPrivateKey * @run main/othervm AddPrivateKey sm policy */ --- old/test/sun/security/pkcs11/Secmod/AddTrustedCert.java 2017-01-20 09:51:45.906290935 -0800 +++ new/test/sun/security/pkcs11/Secmod/AddTrustedCert.java 2017-01-20 09:51:45.166290963 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary make sure we can add a trusted cert to the NSS KeyStore module * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm AddTrustedCert * @run main/othervm AddTrustedCert sm policy */ --- old/test/sun/security/pkcs11/Secmod/Crypto.java 2017-01-20 09:51:47.122290889 -0800 +++ new/test/sun/security/pkcs11/Secmod/Crypto.java 2017-01-20 09:51:46.426290916 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary verify that NSS no-db mode works correctly * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm Crypto * @run main/othervm Crypto sm policy */ --- old/test/sun/security/pkcs11/Secmod/GetPrivateKey.java 2017-01-20 09:51:48.454290839 -0800 +++ new/test/sun/security/pkcs11/Secmod/GetPrivateKey.java 2017-01-20 09:51:48.018290856 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * and use a private key * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm GetPrivateKey * @run main/othervm GetPrivateKey sm policy */ --- old/test/sun/security/pkcs11/Secmod/JksSetPrivateKey.java 2017-01-20 09:51:49.706290792 -0800 +++ new/test/sun/security/pkcs11/Secmod/JksSetPrivateKey.java 2017-01-20 09:51:49.358290805 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary store a NSS PKCS11 PrivateKeyEntry to JKS KeyStore throws confusing NPE * @author Wang Weijun * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm JksSetPrivateKey * @run main/othervm JksSetPrivateKey sm policy */ --- old/test/sun/security/pkcs11/Secmod/LoadKeystore.java 2017-01-20 09:51:50.554290760 -0800 +++ new/test/sun/security/pkcs11/Secmod/LoadKeystore.java 2017-01-20 09:51:50.190290774 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,7 @@ * @bug 8048622 8134232 * @summary Checks that PKCS#11 keystore can't be loaded with wrong password * @library ../ - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm LoadKeystore * @run main/othervm LoadKeystore sm policy */ --- old/test/sun/security/pkcs11/Secmod/TrustAnchors.java 2017-01-20 09:51:51.406290728 -0800 +++ new/test/sun/security/pkcs11/Secmod/TrustAnchors.java 2017-01-20 09:51:51.070290740 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary make sure we can access the NSS trust anchor module * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TrustAnchors * @run main/othervm TrustAnchors sm policy */ --- old/test/sun/security/pkcs11/SecureRandom/Basic.java 2017-01-20 09:51:52.846290673 -0800 +++ new/test/sun/security/pkcs11/SecureRandom/Basic.java 2017-01-20 09:51:52.442290689 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm Basic * @run main/othervm Basic sm */ --- old/test/sun/security/pkcs11/SecureRandom/TestDeserialization.java 2017-01-20 09:51:53.738290640 -0800 +++ new/test/sun/security/pkcs11/SecureRandom/TestDeserialization.java 2017-01-20 09:51:53.378290653 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,7 @@ * @bug 6837847 * @summary Ensure a deserialized PKCS#11 SecureRandom is functional. * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki */ import java.io.ByteArrayInputStream; --- old/test/sun/security/pkcs11/Serialize/SerializeProvider.java 2017-01-20 09:51:54.562290608 -0800 +++ new/test/sun/security/pkcs11/Serialize/SerializeProvider.java 2017-01-20 09:51:54.214290622 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Test that the SunPKCS11 provider can be serialized * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki */ import java.io.ByteArrayInputStream; --- old/test/sun/security/pkcs11/Signature/ByteBuffers.java 2017-01-20 09:51:55.538290572 -0800 +++ new/test/sun/security/pkcs11/Signature/ByteBuffers.java 2017-01-20 09:51:55.134290587 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm ByteBuffers * @run main/othervm ByteBuffers sm */ --- old/test/sun/security/pkcs11/Signature/ReinitSignature.java 2017-01-20 09:51:56.374290540 -0800 +++ new/test/sun/security/pkcs11/Signature/ReinitSignature.java 2017-01-20 09:51:56.094290551 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main ReinitSignature * @run main ReinitSignature * @run main ReinitSignature --- old/test/sun/security/pkcs11/Signature/TestDSA.java 2017-01-20 09:51:57.682290491 -0800 +++ new/test/sun/security/pkcs11/Signature/TestDSA.java 2017-01-20 09:51:57.186290509 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestDSA * @run main/othervm TestDSA sm */ --- old/test/sun/security/pkcs11/Signature/TestDSAKeyLength.java 2017-01-20 09:51:58.562290457 -0800 +++ new/test/sun/security/pkcs11/Signature/TestDSAKeyLength.java 2017-01-20 09:51:58.210290471 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * with unsupported key sizes * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestDSAKeyLength * @run main/othervm TestDSAKeyLength sm */ --- old/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java 2017-01-20 09:51:59.538290421 -0800 +++ new/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java 2017-01-20 09:51:59.110290437 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Make sure initSign/initVerify() check RSA key lengths * @author Yu-Ching Valerie Peng * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestRSAKeyLength * @run main/othervm TestRSAKeyLength sm */ --- old/test/sun/security/pkcs11/ec/ReadCertificates.java 2017-01-20 09:52:00.398290388 -0800 +++ new/test/sun/security/pkcs11/ec/ReadCertificates.java 2017-01-20 09:52:00.050290401 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,7 +29,7 @@ * @author Andreas Sterbenz * @library .. * @library ../../../../java/security/testlibrary - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm ReadCertificates * @run main/othervm ReadCertificates sm policy */ --- old/test/sun/security/pkcs11/ec/ReadPKCS12.java 2017-01-20 09:52:01.382290351 -0800 +++ new/test/sun/security/pkcs11/ec/ReadPKCS12.java 2017-01-20 09:52:01.002290365 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,7 +29,7 @@ * @library .. * @library ../../../../java/security/testlibrary * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm ReadPKCS12 * @run main/othervm ReadPKCS12 sm policy */ --- old/test/sun/security/pkcs11/ec/TestCurves.java 2017-01-20 09:52:02.450290311 -0800 +++ new/test/sun/security/pkcs11/ec/TestCurves.java 2017-01-20 09:52:01.894290332 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,8 +27,8 @@ * @summary Basic consistency test for all curves using ECDSA and ECDH * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token/sun.security.pkcs11.wrapper - * @compile --add-modules jdk.crypto.token TestCurves.java + * @modules jdk.crypto.cryptoki/sun.security.pkcs11.wrapper + * @compile --add-modules jdk.crypto.cryptoki TestCurves.java * @run main/othervm TestCurves * @run main/othervm TestCurves sm * @key randomness --- old/test/sun/security/pkcs11/ec/TestECDH.java 2017-01-20 09:52:03.358290276 -0800 +++ new/test/sun/security/pkcs11/ec/TestECDH.java 2017-01-20 09:52:02.994290290 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @library ../../../../java/security/testlibrary - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestECDH * @run main/othervm TestECDH sm policy */ --- old/test/sun/security/pkcs11/ec/TestECDH2.java 2017-01-20 09:52:04.198290245 -0800 +++ new/test/sun/security/pkcs11/ec/TestECDH2.java 2017-01-20 09:52:03.850290258 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,7 +29,7 @@ * @library .. * @library ../../../../java/security/testlibrary * @modules java.base/sun.security.util - * jdk.crypto.token + * jdk.crypto.cryptoki * @compile -XDignore.symbol.file TestECDH2.java * @run main/othervm TestECDH2 * @run main/othervm TestECDH2 sm --- old/test/sun/security/pkcs11/ec/TestECDSA.java 2017-01-20 09:52:05.098290211 -0800 +++ new/test/sun/security/pkcs11/ec/TestECDSA.java 2017-01-20 09:52:04.718290225 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,7 +29,7 @@ * @library .. * @library ../../../../java/security/testlibrary * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestECDSA * @run main/othervm TestECDSA sm policy */ --- old/test/sun/security/pkcs11/ec/TestECDSA2.java 2017-01-20 09:52:05.982290177 -0800 +++ new/test/sun/security/pkcs11/ec/TestECDSA2.java 2017-01-20 09:52:05.634290191 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,7 +29,7 @@ * @library .. * @library ../../../../java/security/testlibrary * @modules java.base/sun.security.util - * jdk.crypto.token + * jdk.crypto.cryptoki * @compile -XDignore.symbol.file TestECDSA2.java * @run main/othervm TestECDSA2 * @run main/othervm TestECDSA2 sm --- old/test/sun/security/pkcs11/ec/TestECGenSpec.java 2017-01-20 09:52:06.822290146 -0800 +++ new/test/sun/security/pkcs11/ec/TestECGenSpec.java 2017-01-20 09:52:06.482290159 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Verify that we can use ECGenParameterSpec * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestECGenSpec * @run main/othervm TestECGenSpec sm */ --- old/test/sun/security/pkcs11/ec/TestKeyFactory.java 2017-01-20 09:52:08.066290099 -0800 +++ new/test/sun/security/pkcs11/ec/TestKeyFactory.java 2017-01-20 09:52:07.642290115 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Test the P11ECKeyFactory * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestKeyFactory * @run main/othervm TestKeyFactory sm */ --- old/test/sun/security/pkcs11/rsa/KeyWrap.java 2017-01-20 09:52:08.930290066 -0800 +++ new/test/sun/security/pkcs11/rsa/KeyWrap.java 2017-01-20 09:52:08.586290079 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm KeyWrap * @run main/othervm KeyWrap sm */ --- old/test/sun/security/pkcs11/rsa/TestCACerts.java 2017-01-20 09:52:09.890290030 -0800 +++ new/test/sun/security/pkcs11/rsa/TestCACerts.java 2017-01-20 09:52:09.486290045 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @library ../../../../java/security/testlibrary - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestCACerts * @run main/othervm TestCACerts sm TestCACerts.policy */ --- old/test/sun/security/pkcs11/rsa/TestKeyFactory.java 2017-01-20 09:52:10.942289990 -0800 +++ new/test/sun/security/pkcs11/rsa/TestKeyFactory.java 2017-01-20 09:52:10.374290012 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Test KeyFactory of the new RSA provider * @author Andreas Sterbenz * @library .. - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestKeyFactory * @run main/othervm TestKeyFactory sm rsakeys.ks.policy */ --- old/test/sun/security/pkcs11/rsa/TestKeyPairGenerator.java 2017-01-20 09:52:11.850289956 -0800 +++ new/test/sun/security/pkcs11/rsa/TestKeyPairGenerator.java 2017-01-20 09:52:11.462289971 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,7 +29,7 @@ * @library .. * @library /lib/testlibrary * @build jdk.testlibrary.* - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm -Djava.security.debug=sunpkcs11 TestKeyPairGenerator * @run main/othervm -Djava.security.debug=sunpkcs11 TestKeyPairGenerator * sm TestKeyPairGenerator.policy --- old/test/sun/security/pkcs11/rsa/TestSignatures.java 2017-01-20 09:52:13.266289902 -0800 +++ new/test/sun/security/pkcs11/rsa/TestSignatures.java 2017-01-20 09:52:12.878289917 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @key randomness - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestSignatures * @run main/othervm TestSignatures sm rsakeys.ks.policy */ --- old/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java 2017-01-20 09:52:14.198289867 -0800 +++ new/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java 2017-01-20 09:52:13.842289881 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,7 +33,7 @@ * @author Andreas Sterbenz * @library .. * @library ../../../../java/security/testlibrary - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm -Djdk.tls.namedGroups="secp256r1,sect193r1" * ClientJSSEServerJSSE * @run main/othervm -Djdk.tls.namedGroups="secp256r1,sect193r1" --- old/test/sun/security/pkcs11/tls/TestKeyMaterial.java 2017-01-20 09:52:15.042289835 -0800 +++ new/test/sun/security/pkcs11/tls/TestKeyMaterial.java 2017-01-20 09:52:14.742289847 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @modules java.base/sun.security.internal.spec - * jdk.crypto.token + * jdk.crypto.cryptoki * @run main/othervm TestKeyMaterial * @run main/othervm TestKeyMaterial sm policy */ --- old/test/sun/security/pkcs11/tls/TestLeadingZeroesP11.java 2017-01-20 09:52:15.806289807 -0800 +++ new/test/sun/security/pkcs11/tls/TestLeadingZeroesP11.java 2017-01-20 09:52:15.426289821 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ * @summary Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement * @library .. * @author Pasi Eronen - * @modules jdk.crypto.token + * @modules jdk.crypto.cryptoki * @run main/othervm TestLeadingZeroesP11 * @run main/othervm TestLeadingZeroesP11 sm */ --- old/test/sun/security/pkcs11/tls/TestMasterSecret.java 2017-01-20 09:52:16.606289776 -0800 +++ new/test/sun/security/pkcs11/tls/TestMasterSecret.java 2017-01-20 09:52:16.262289789 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,7 +29,7 @@ * @library .. * @modules java.base/sun.security.internal.interfaces * java.base/sun.security.internal.spec - * jdk.crypto.token + * jdk.crypto.cryptoki * @run main/othervm TestMasterSecret * @run main/othervm TestMasterSecret sm TestMasterSecret.policy */ --- old/test/sun/security/pkcs11/tls/TestPRF.java 2017-01-20 09:52:17.750289733 -0800 +++ new/test/sun/security/pkcs11/tls/TestPRF.java 2017-01-20 09:52:17.126289757 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @modules java.base/sun.security.internal.spec - * jdk.crypto.token + * jdk.crypto.cryptoki * @run main/othervm TestPRF * @run main/othervm TestPRF sm policy */ --- old/test/sun/security/pkcs11/tls/TestPremaster.java 2017-01-20 09:52:18.794289694 -0800 +++ new/test/sun/security/pkcs11/tls/TestPremaster.java 2017-01-20 09:52:18.326289711 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * @author Andreas Sterbenz * @library .. * @modules java.base/sun.security.internal.spec - * jdk.crypto.token + * jdk.crypto.cryptoki * @run main/othervm TestPremaster * @run main/othervm TestPremaster sm policy */ --- old/test/tools/launcher/MiscTests.java 2017-01-20 09:52:19.774289657 -0800 +++ new/test/tools/launcher/MiscTests.java 2017-01-20 09:52:19.302289675 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -80,8 +80,8 @@ createFile(new File(mainClass + ".java"), scratch); compile(mainClass + ".java", - "--add-modules=jdk.crypto.token", - "--add-exports=jdk.crypto.token/sun.security.pkcs11=ALL-UNNAMED"); + "--add-modules=jdk.crypto.cryptoki", + "--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED"); File testJar = new File("Foo.jar"); testJar.delete(); --- old/make/copy/Copy-jdk.crypto.token.gmk 2017-01-20 09:52:20.810289618 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,45 +0,0 @@ -# -# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. -# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -# -# This code is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 only, as -# published by the Free Software Foundation. Oracle designates this -# particular file as subject to the "Classpath" exception as provided -# by Oracle in the LICENSE file that accompanied this code. -# -# This code is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# version 2 for more details (a copy is included in the LICENSE file that -# accompanied this code). -# -# You should have received a copy of the GNU General Public License version -# 2 along with this work; if not, write to the Free Software Foundation, -# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -# or visit www.oracle.com if you need additional information or have any -# questions. -# - -include CopyCommon.gmk - -################################################################################ - -ifeq ($(OPENJDK_TARGET_OS), solaris) - - SUNPKCS11_CFG_SRC := \ - $(JDK_TOPDIR)/src/jdk.crypto.token/solaris/conf/security/sunpkcs11-solaris.cfg - SUNPKCS11_CFG_DST := $(CONF_DST_DIR)/security/sunpkcs11-solaris.cfg - - $(SUNPKCS11_CFG_DST): $(SUNPKCS11_CFG_SRC) - $(call install-file) - - SECURITY_PKCS11_CONF_FILES += $(SUNPKCS11_CFG_DST) - - TARGETS := $(SUNPKCS11_CFG_DST) - -endif - -################################################################################ --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/make/copy/Copy-jdk.crypto.cryptoki.gmk 2017-01-20 09:52:20.314289636 -0800 @@ -0,0 +1,45 @@ +# +# Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +include CopyCommon.gmk + +################################################################################ + +ifeq ($(OPENJDK_TARGET_OS), solaris) + + SUNPKCS11_CFG_SRC := \ + $(JDK_TOPDIR)/src/jdk.crypto.cryptoki/solaris/conf/security/sunpkcs11-solaris.cfg + SUNPKCS11_CFG_DST := $(CONF_DST_DIR)/security/sunpkcs11-solaris.cfg + + $(SUNPKCS11_CFG_DST): $(SUNPKCS11_CFG_SRC) + $(call install-file) + + SECURITY_PKCS11_CONF_FILES += $(SUNPKCS11_CFG_DST) + + TARGETS := $(SUNPKCS11_CFG_DST) + +endif + +################################################################################ --- old/make/lib/Lib-jdk.crypto.token.gmk 2017-01-20 09:52:21.838289579 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,56 +0,0 @@ -# -# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. -# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -# -# This code is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 only, as -# published by the Free Software Foundation. Oracle designates this -# particular file as subject to the "Classpath" exception as provided -# by Oracle in the LICENSE file that accompanied this code. -# -# This code is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# version 2 for more details (a copy is included in the LICENSE file that -# accompanied this code). -# -# You should have received a copy of the GNU General Public License version -# 2 along with this work; if not, write to the Free Software Foundation, -# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -# or visit www.oracle.com if you need additional information or have any -# questions. -# - -include LibCommon.gmk - -################################################################################ - -LIBJ2PKCS11_SRC := $(JDK_TOPDIR)/src/jdk.crypto.token/share/native/libj2pkcs11 \ - $(JDK_TOPDIR)/src/jdk.crypto.token/$(OPENJDK_TARGET_OS_TYPE)/native/libj2pkcs11 - -$(eval $(call SetupNativeCompilation,BUILD_LIBJ2PKCS11, \ - LIBRARY := j2pkcs11, \ - OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \ - SRC := $(LIBJ2PKCS11_SRC), \ - OPTIMIZATION := LOW, \ - CFLAGS := $(CFLAGS_JDKLIB) $(addprefix -I, $(LIBJ2PKCS11_SRC)) \ - $(LIBJAVA_HEADER_FLAGS) \ - -I$(SUPPORT_OUTPUTDIR)/headers/jdk.crypto.token, \ - MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libj2pkcs11/mapfile-vers, \ - LDFLAGS := $(LDFLAGS_JDKLIB) \ - $(call SET_SHARED_LIBRARY_ORIGIN), \ - LIBS_unix := $(LIBDL), \ - LIBS_solaris := -lc, \ - VERSIONINFO_RESOURCE := $(GLOBAL_VERSION_INFO_RESOURCE), \ - RC_FLAGS := $(RC_FLAGS) \ - -D "JDK_FNAME=j2pkcs11.dll" \ - -D "JDK_INTERNAL_NAME=j2pkcs11" \ - -D "JDK_FTYPE=0x2L", \ - OBJECT_DIR := $(SUPPORT_OUTPUTDIR)/native/$(MODULE)/libj2pkcs11, \ -)) - -TARGETS += $(BUILD_LIBJ2PKCS11) - -################################################################################ --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/make/lib/Lib-jdk.crypto.cryptoki.gmk 2017-01-20 09:52:21.390289596 -0800 @@ -0,0 +1,56 @@ +# +# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +include LibCommon.gmk + +################################################################################ + +LIBJ2PKCS11_SRC := $(JDK_TOPDIR)/src/jdk.crypto.cryptoki/share/native/libj2pkcs11 \ + $(JDK_TOPDIR)/src/jdk.crypto.cryptoki/$(OPENJDK_TARGET_OS_TYPE)/native/libj2pkcs11 + +$(eval $(call SetupNativeCompilation,BUILD_LIBJ2PKCS11, \ + LIBRARY := j2pkcs11, \ + OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \ + SRC := $(LIBJ2PKCS11_SRC), \ + OPTIMIZATION := LOW, \ + CFLAGS := $(CFLAGS_JDKLIB) $(addprefix -I, $(LIBJ2PKCS11_SRC)) \ + $(LIBJAVA_HEADER_FLAGS) \ + -I$(SUPPORT_OUTPUTDIR)/headers/jdk.crypto.cryptoki, \ + MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libj2pkcs11/mapfile-vers, \ + LDFLAGS := $(LDFLAGS_JDKLIB) \ + $(call SET_SHARED_LIBRARY_ORIGIN), \ + LIBS_unix := $(LIBDL), \ + LIBS_solaris := -lc, \ + VERSIONINFO_RESOURCE := $(GLOBAL_VERSION_INFO_RESOURCE), \ + RC_FLAGS := $(RC_FLAGS) \ + -D "JDK_FNAME=j2pkcs11.dll" \ + -D "JDK_INTERNAL_NAME=j2pkcs11" \ + -D "JDK_FTYPE=0x2L", \ + OBJECT_DIR := $(SUPPORT_OUTPUTDIR)/native/$(MODULE)/libj2pkcs11, \ +)) + +TARGETS += $(BUILD_LIBJ2PKCS11) + +################################################################################ --- old/src/jdk.crypto.token/share/classes/module-info.java 2017-01-20 09:52:22.910289538 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,31 +0,0 @@ -/* - * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -module jdk.crypto.token { - // Depends on SunEC provider for EC related functionality - requires jdk.crypto.ec; - provides java.security.Provider with sun.security.pkcs11.SunPKCS11; -} - --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/module-info.java 2017-01-20 09:52:22.394289558 -0800 @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +module jdk.crypto.cryptoki { + // Depends on SunEC provider for EC related functionality + requires jdk.crypto.ec; + provides java.security.Provider with sun.security.pkcs11.SunPKCS11; +} + --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/Config.java 2017-01-20 09:52:23.982289498 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,1008 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.io.*; -import static java.io.StreamTokenizer.*; -import java.math.BigInteger; -import java.util.*; - -import java.security.*; - -import sun.security.util.PropertyExpander; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -import static sun.security.pkcs11.wrapper.CK_ATTRIBUTE.*; - -import static sun.security.pkcs11.TemplateManager.*; - -/** - * Configuration container and file parsing. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class Config { - - static final int ERR_HALT = 1; - static final int ERR_IGNORE_ALL = 2; - static final int ERR_IGNORE_LIB = 3; - - // same as allowSingleThreadedModules but controlled via a system property - // and applied to all providers. if set to false, no SunPKCS11 instances - // will accept single threaded modules regardless of the setting in their - // config files. - private static final boolean staticAllowSingleThreadedModules; - private static final String osName; - private static final String osArch; - - static { - List props = AccessController.doPrivileged( - new PrivilegedAction<>() { - @Override - public List run() { - return List.of( - System.getProperty( - "sun.security.pkcs11.allowSingleThreadedModules", - "true"), - System.getProperty("os.name"), - System.getProperty("os.arch")); - } - } - ); - if ("false".equalsIgnoreCase(props.get(0))) { - staticAllowSingleThreadedModules = false; - } else { - staticAllowSingleThreadedModules = true; - } - osName = props.get(1); - osArch = props.get(2); - } - - private final static boolean DEBUG = false; - - private static void debug(Object o) { - if (DEBUG) { - System.out.println(o); - } - } - - // file name containing this configuration - private String filename; - - // Reader and StringTokenizer used during parsing - private Reader reader; - - private StreamTokenizer st; - - private Set parsedKeywords; - - // name suffix of the provider - private String name; - - // name of the PKCS#11 library - private String library; - - // description to pass to the provider class - private String description; - - // slotID of the slot to use - private int slotID = -1; - - // slot to use, specified as index in the slotlist - private int slotListIndex = -1; - - // set of enabled mechanisms (or null to use default) - private Set enabledMechanisms; - - // set of disabled mechanisms - private Set disabledMechanisms; - - // whether to print debug info during startup - private boolean showInfo = false; - - // template manager, initialized from parsed attributes - private TemplateManager templateManager; - - // how to handle error during startup, one of ERR_ - private int handleStartupErrors = ERR_HALT; - - // flag indicating whether the P11KeyStore should - // be more tolerant of input parameters - private boolean keyStoreCompatibilityMode = true; - - // flag indicating whether we need to explicitly cancel operations - // see Token - private boolean explicitCancel = true; - - // how often to test for token insertion, if no token is present - private int insertionCheckInterval = 2000; - - // flag inidicating whether to omit the call to C_Initialize() - // should be used only if we are running within a process that - // has already called it (e.g. Plugin inside of Mozilla/NSS) - private boolean omitInitialize = false; - - // whether to allow modules that only support single threaded access. - // they cannot be used safely from multiple PKCS#11 consumers in the - // same process, for example NSS and SunPKCS11 - private boolean allowSingleThreadedModules = true; - - // name of the C function that returns the PKCS#11 functionlist - // This option primarily exists for the deprecated - // Secmod.Module.getProvider() method. - private String functionList = "C_GetFunctionList"; - - // whether to use NSS secmod mode. Implicitly set if nssLibraryDirectory, - // nssSecmodDirectory, or nssModule is specified. - private boolean nssUseSecmod; - - // location of the NSS library files (libnss3.so, etc.) - private String nssLibraryDirectory; - - // location of secmod.db - private String nssSecmodDirectory; - - // which NSS module to use - private String nssModule; - - private Secmod.DbMode nssDbMode = Secmod.DbMode.READ_WRITE; - - // Whether the P11KeyStore should specify the CKA_NETSCAPE_DB attribute - // when creating private keys. Only valid if nssUseSecmod is true. - private boolean nssNetscapeDbWorkaround = true; - - // Special init argument string for the NSS softtoken. - // This is used when using the NSS softtoken directly without secmod mode. - private String nssArgs; - - // whether to use NSS trust attributes for the KeyStore of this provider - // this option is for internal use by the SunPKCS11 code only and - // works only for NSS providers created via the Secmod API - private boolean nssUseSecmodTrust = false; - - // Flag to indicate whether the X9.63 encoding for EC points shall be used - // (true) or whether that encoding shall be wrapped in an ASN.1 OctetString - // (false). - private boolean useEcX963Encoding = false; - - // Flag to indicate whether NSS should favour performance (false) or - // memory footprint (true). - private boolean nssOptimizeSpace = false; - - Config(String fn) throws IOException { - this.filename = fn; - if (filename.startsWith("--")) { - // inline config - String config = filename.substring(2).replace("\\n", "\n"); - reader = new StringReader(config); - } else { - reader = new BufferedReader(new InputStreamReader - (new FileInputStream(expand(filename)))); - } - parsedKeywords = new HashSet(); - st = new StreamTokenizer(reader); - setupTokenizer(); - parse(); - } - - String getFileName() { - return filename; - } - - String getName() { - return name; - } - - String getLibrary() { - return library; - } - - String getDescription() { - if (description != null) { - return description; - } - return "SunPKCS11-" + name + " using library " + library; - } - - int getSlotID() { - return slotID; - } - - int getSlotListIndex() { - if ((slotID == -1) && (slotListIndex == -1)) { - // if neither is set, default to first slot - return 0; - } else { - return slotListIndex; - } - } - - boolean getShowInfo() { - return (SunPKCS11.debug != null) || showInfo; - } - - TemplateManager getTemplateManager() { - if (templateManager == null) { - templateManager = new TemplateManager(); - } - return templateManager; - } - - boolean isEnabled(long m) { - if (enabledMechanisms != null) { - return enabledMechanisms.contains(Long.valueOf(m)); - } - if (disabledMechanisms != null) { - return !disabledMechanisms.contains(Long.valueOf(m)); - } - return true; - } - - int getHandleStartupErrors() { - return handleStartupErrors; - } - - boolean getKeyStoreCompatibilityMode() { - return keyStoreCompatibilityMode; - } - - boolean getExplicitCancel() { - return explicitCancel; - } - - int getInsertionCheckInterval() { - return insertionCheckInterval; - } - - boolean getOmitInitialize() { - return omitInitialize; - } - - boolean getAllowSingleThreadedModules() { - return staticAllowSingleThreadedModules && allowSingleThreadedModules; - } - - String getFunctionList() { - return functionList; - } - - boolean getNssUseSecmod() { - return nssUseSecmod; - } - - String getNssLibraryDirectory() { - return nssLibraryDirectory; - } - - String getNssSecmodDirectory() { - return nssSecmodDirectory; - } - - String getNssModule() { - return nssModule; - } - - Secmod.DbMode getNssDbMode() { - return nssDbMode; - } - - public boolean getNssNetscapeDbWorkaround() { - return nssUseSecmod && nssNetscapeDbWorkaround; - } - - String getNssArgs() { - return nssArgs; - } - - boolean getNssUseSecmodTrust() { - return nssUseSecmodTrust; - } - - boolean getUseEcX963Encoding() { - return useEcX963Encoding; - } - - boolean getNssOptimizeSpace() { - return nssOptimizeSpace; - } - - private static String expand(final String s) throws IOException { - try { - return PropertyExpander.expand(s); - } catch (Exception e) { - throw new RuntimeException(e.getMessage()); - } - } - - private void setupTokenizer() { - st.resetSyntax(); - st.wordChars('a', 'z'); - st.wordChars('A', 'Z'); - st.wordChars('0', '9'); - st.wordChars(':', ':'); - st.wordChars('.', '.'); - st.wordChars('_', '_'); - st.wordChars('-', '-'); - st.wordChars('/', '/'); - st.wordChars('\\', '\\'); - st.wordChars('$', '$'); - st.wordChars('{', '{'); // need {} for property subst - st.wordChars('}', '}'); - st.wordChars('*', '*'); - st.wordChars('+', '+'); - st.wordChars('~', '~'); - // XXX check ASCII table and add all other characters except special - - // special: #="(), - st.whitespaceChars(0, ' '); - st.commentChar('#'); - st.eolIsSignificant(true); - st.quoteChar('\"'); - } - - private ConfigurationException excToken(String msg) { - return new ConfigurationException(msg + " " + st); - } - - private ConfigurationException excLine(String msg) { - return new ConfigurationException(msg + ", line " + st.lineno()); - } - - private void parse() throws IOException { - while (true) { - int token = nextToken(); - if (token == TT_EOF) { - break; - } - if (token == TT_EOL) { - continue; - } - if (token != TT_WORD) { - throw excToken("Unexpected token:"); - } - String word = st.sval; - if (word.equals("name")) { - name = parseStringEntry(word); - } else if (word.equals("library")) { - library = parseLibrary(word); - } else if (word.equals("description")) { - parseDescription(word); - } else if (word.equals("slot")) { - parseSlotID(word); - } else if (word.equals("slotListIndex")) { - parseSlotListIndex(word); - } else if (word.equals("enabledMechanisms")) { - parseEnabledMechanisms(word); - } else if (word.equals("disabledMechanisms")) { - parseDisabledMechanisms(word); - } else if (word.equals("attributes")) { - parseAttributes(word); - } else if (word.equals("handleStartupErrors")) { - parseHandleStartupErrors(word); - } else if (word.endsWith("insertionCheckInterval")) { - insertionCheckInterval = parseIntegerEntry(word); - if (insertionCheckInterval < 100) { - throw excLine(word + " must be at least 100 ms"); - } - } else if (word.equals("showInfo")) { - showInfo = parseBooleanEntry(word); - } else if (word.equals("keyStoreCompatibilityMode")) { - keyStoreCompatibilityMode = parseBooleanEntry(word); - } else if (word.equals("explicitCancel")) { - explicitCancel = parseBooleanEntry(word); - } else if (word.equals("omitInitialize")) { - omitInitialize = parseBooleanEntry(word); - } else if (word.equals("allowSingleThreadedModules")) { - allowSingleThreadedModules = parseBooleanEntry(word); - } else if (word.equals("functionList")) { - functionList = parseStringEntry(word); - } else if (word.equals("nssUseSecmod")) { - nssUseSecmod = parseBooleanEntry(word); - } else if (word.equals("nssLibraryDirectory")) { - nssLibraryDirectory = parseLibrary(word); - nssUseSecmod = true; - } else if (word.equals("nssSecmodDirectory")) { - nssSecmodDirectory = expand(parseStringEntry(word)); - nssUseSecmod = true; - } else if (word.equals("nssModule")) { - nssModule = parseStringEntry(word); - nssUseSecmod = true; - } else if (word.equals("nssDbMode")) { - String mode = parseStringEntry(word); - if (mode.equals("readWrite")) { - nssDbMode = Secmod.DbMode.READ_WRITE; - } else if (mode.equals("readOnly")) { - nssDbMode = Secmod.DbMode.READ_ONLY; - } else if (mode.equals("noDb")) { - nssDbMode = Secmod.DbMode.NO_DB; - } else { - throw excToken("nssDbMode must be one of readWrite, readOnly, and noDb:"); - } - nssUseSecmod = true; - } else if (word.equals("nssNetscapeDbWorkaround")) { - nssNetscapeDbWorkaround = parseBooleanEntry(word); - nssUseSecmod = true; - } else if (word.equals("nssArgs")) { - parseNSSArgs(word); - } else if (word.equals("nssUseSecmodTrust")) { - nssUseSecmodTrust = parseBooleanEntry(word); - } else if (word.equals("useEcX963Encoding")) { - useEcX963Encoding = parseBooleanEntry(word); - } else if (word.equals("nssOptimizeSpace")) { - nssOptimizeSpace = parseBooleanEntry(word); - } else { - throw new ConfigurationException - ("Unknown keyword '" + word + "', line " + st.lineno()); - } - parsedKeywords.add(word); - } - reader.close(); - reader = null; - st = null; - parsedKeywords = null; - if (name == null) { - throw new ConfigurationException("name must be specified"); - } - if (nssUseSecmod == false) { - if (library == null) { - throw new ConfigurationException("library must be specified"); - } - } else { - if (library != null) { - throw new ConfigurationException - ("library must not be specified in NSS mode"); - } - if ((slotID != -1) || (slotListIndex != -1)) { - throw new ConfigurationException - ("slot and slotListIndex must not be specified in NSS mode"); - } - if (nssArgs != null) { - throw new ConfigurationException - ("nssArgs must not be specified in NSS mode"); - } - if (nssUseSecmodTrust != false) { - throw new ConfigurationException("nssUseSecmodTrust is an " - + "internal option and must not be specified in NSS mode"); - } - } - } - - // - // Parsing helper methods - // - - private int nextToken() throws IOException { - int token = st.nextToken(); - debug(st); - return token; - } - - private void parseEquals() throws IOException { - int token = nextToken(); - if (token != '=') { - throw excToken("Expected '=', read"); - } - } - - private void parseOpenBraces() throws IOException { - while (true) { - int token = nextToken(); - if (token == TT_EOL) { - continue; - } - if ((token == TT_WORD) && st.sval.equals("{")) { - return; - } - throw excToken("Expected '{', read"); - } - } - - private boolean isCloseBraces(int token) { - return (token == TT_WORD) && st.sval.equals("}"); - } - - private String parseWord() throws IOException { - int token = nextToken(); - if (token != TT_WORD) { - throw excToken("Unexpected value:"); - } - return st.sval; - } - - private String parseStringEntry(String keyword) throws IOException { - checkDup(keyword); - parseEquals(); - - int token = nextToken(); - if (token != TT_WORD && token != '\"') { - // not a word token nor a string enclosed by double quotes - throw excToken("Unexpected value:"); - } - String value = st.sval; - - debug(keyword + ": " + value); - return value; - } - - private boolean parseBooleanEntry(String keyword) throws IOException { - checkDup(keyword); - parseEquals(); - boolean value = parseBoolean(); - debug(keyword + ": " + value); - return value; - } - - private int parseIntegerEntry(String keyword) throws IOException { - checkDup(keyword); - parseEquals(); - int value = decodeNumber(parseWord()); - debug(keyword + ": " + value); - return value; - } - - private boolean parseBoolean() throws IOException { - String val = parseWord(); - switch (val) { - case "true": - return true; - case "false": - return false; - default: - throw excToken("Expected boolean value, read:"); - } - } - - private String parseLine() throws IOException { - // allow quoted string as part of line - String s = null; - while (true) { - int token = nextToken(); - if ((token == TT_EOL) || (token == TT_EOF)) { - break; - } - if (token != TT_WORD && token != '\"') { - throw excToken("Unexpected value"); - } - if (s == null) { - s = st.sval; - } else { - s = s + " " + st.sval; - } - } - if (s == null) { - throw excToken("Unexpected empty line"); - } - return s; - } - - private int decodeNumber(String str) throws IOException { - try { - if (str.startsWith("0x") || str.startsWith("0X")) { - return Integer.parseInt(str.substring(2), 16); - } else { - return Integer.parseInt(str); - } - } catch (NumberFormatException e) { - throw excToken("Expected number, read"); - } - } - - private static boolean isNumber(String s) { - if (s.length() == 0) { - return false; - } - char ch = s.charAt(0); - return ((ch >= '0') && (ch <= '9')); - } - - private void parseComma() throws IOException { - int token = nextToken(); - if (token != ',') { - throw excToken("Expected ',', read"); - } - } - - private static boolean isByteArray(String val) { - return val.startsWith("0h"); - } - - private byte[] decodeByteArray(String str) throws IOException { - if (str.startsWith("0h") == false) { - throw excToken("Expected byte array value, read"); - } - str = str.substring(2); - // XXX proper hex parsing - try { - return new BigInteger(str, 16).toByteArray(); - } catch (NumberFormatException e) { - throw excToken("Expected byte array value, read"); - } - } - - private void checkDup(String keyword) throws IOException { - if (parsedKeywords.contains(keyword)) { - throw excLine(keyword + " must only be specified once"); - } - } - - // - // individual entry parsing methods - // - - private String parseLibrary(String keyword) throws IOException { - checkDup(keyword); - parseEquals(); - String lib = parseLine(); - lib = expand(lib); - int i = lib.indexOf("/$ISA/"); - if (i != -1) { - // replace "/$ISA/" with "/sparcv9/" on 64-bit Solaris SPARC - // and with "/amd64/" on Solaris AMD64. - // On all other platforms, just turn it into a "/" - String prefix = lib.substring(0, i); - String suffix = lib.substring(i + 5); - if (osName.equals("SunOS") && osArch.equals("sparcv9")) { - lib = prefix + "/sparcv9" + suffix; - } else if (osName.equals("SunOS") && osArch.equals("amd64")) { - lib = prefix + "/amd64" + suffix; - } else { - lib = prefix + suffix; - } - } - debug(keyword + ": " + lib); - - // Check to see if full path is specified to prevent the DLL - // preloading attack - if (!(new File(lib)).isAbsolute()) { - throw new ConfigurationException( - "Absolute path required for library value: " + lib); - } - return lib; - } - - private void parseDescription(String keyword) throws IOException { - checkDup(keyword); - parseEquals(); - description = parseLine(); - debug("description: " + description); - } - - private void parseSlotID(String keyword) throws IOException { - if (slotID >= 0) { - throw excLine("Duplicate slot definition"); - } - if (slotListIndex >= 0) { - throw excLine - ("Only one of slot and slotListIndex must be specified"); - } - parseEquals(); - String slotString = parseWord(); - slotID = decodeNumber(slotString); - debug("slot: " + slotID); - } - - private void parseSlotListIndex(String keyword) throws IOException { - if (slotListIndex >= 0) { - throw excLine("Duplicate slotListIndex definition"); - } - if (slotID >= 0) { - throw excLine - ("Only one of slot and slotListIndex must be specified"); - } - parseEquals(); - String slotString = parseWord(); - slotListIndex = decodeNumber(slotString); - debug("slotListIndex: " + slotListIndex); - } - - private void parseEnabledMechanisms(String keyword) throws IOException { - enabledMechanisms = parseMechanisms(keyword); - } - - private void parseDisabledMechanisms(String keyword) throws IOException { - disabledMechanisms = parseMechanisms(keyword); - } - - private Set parseMechanisms(String keyword) throws IOException { - checkDup(keyword); - Set mechs = new HashSet(); - parseEquals(); - parseOpenBraces(); - while (true) { - int token = nextToken(); - if (isCloseBraces(token)) { - break; - } - if (token == TT_EOL) { - continue; - } - if (token != TT_WORD) { - throw excToken("Expected mechanism, read"); - } - long mech = parseMechanism(st.sval); - mechs.add(Long.valueOf(mech)); - } - if (DEBUG) { - System.out.print("mechanisms: ["); - for (Long mech : mechs) { - System.out.print(Functions.getMechanismName(mech)); - System.out.print(", "); - } - System.out.println("]"); - } - return mechs; - } - - private long parseMechanism(String mech) throws IOException { - if (isNumber(mech)) { - return decodeNumber(mech); - } else { - try { - return Functions.getMechanismId(mech); - } catch (IllegalArgumentException e) { - throw excLine("Unknown mechanism: " + mech); - } - } - } - - private void parseAttributes(String keyword) throws IOException { - if (templateManager == null) { - templateManager = new TemplateManager(); - } - int token = nextToken(); - if (token == '=') { - String s = parseWord(); - if (s.equals("compatibility") == false) { - throw excLine("Expected 'compatibility', read " + s); - } - setCompatibilityAttributes(); - return; - } - if (token != '(') { - throw excToken("Expected '(' or '=', read"); - } - String op = parseOperation(); - parseComma(); - long objectClass = parseObjectClass(); - parseComma(); - long keyAlg = parseKeyAlgorithm(); - token = nextToken(); - if (token != ')') { - throw excToken("Expected ')', read"); - } - parseEquals(); - parseOpenBraces(); - List attributes = new ArrayList(); - while (true) { - token = nextToken(); - if (isCloseBraces(token)) { - break; - } - if (token == TT_EOL) { - continue; - } - if (token != TT_WORD) { - throw excToken("Expected mechanism, read"); - } - String attributeName = st.sval; - long attributeId = decodeAttributeName(attributeName); - parseEquals(); - String attributeValue = parseWord(); - attributes.add(decodeAttributeValue(attributeId, attributeValue)); - } - templateManager.addTemplate - (op, objectClass, keyAlg, attributes.toArray(CK_A0)); - } - - private void setCompatibilityAttributes() { - // all secret keys - templateManager.addTemplate(O_ANY, CKO_SECRET_KEY, PCKK_ANY, - new CK_ATTRIBUTE[] { - TOKEN_FALSE, - SENSITIVE_FALSE, - EXTRACTABLE_TRUE, - ENCRYPT_TRUE, - DECRYPT_TRUE, - WRAP_TRUE, - UNWRAP_TRUE, - }); - - // generic secret keys are special - // They are used as MAC keys plus for the SSL/TLS (pre)master secrets - templateManager.addTemplate(O_ANY, CKO_SECRET_KEY, CKK_GENERIC_SECRET, - new CK_ATTRIBUTE[] { - SIGN_TRUE, - VERIFY_TRUE, - ENCRYPT_NULL, - DECRYPT_NULL, - WRAP_NULL, - UNWRAP_NULL, - DERIVE_TRUE, - }); - - // all private and public keys - templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, PCKK_ANY, - new CK_ATTRIBUTE[] { - TOKEN_FALSE, - SENSITIVE_FALSE, - EXTRACTABLE_TRUE, - }); - templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, PCKK_ANY, - new CK_ATTRIBUTE[] { - TOKEN_FALSE, - }); - - // additional attributes for RSA private keys - templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_RSA, - new CK_ATTRIBUTE[] { - DECRYPT_TRUE, - SIGN_TRUE, - SIGN_RECOVER_TRUE, - UNWRAP_TRUE, - }); - // additional attributes for RSA public keys - templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_RSA, - new CK_ATTRIBUTE[] { - ENCRYPT_TRUE, - VERIFY_TRUE, - VERIFY_RECOVER_TRUE, - WRAP_TRUE, - }); - - // additional attributes for DSA private keys - templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_DSA, - new CK_ATTRIBUTE[] { - SIGN_TRUE, - }); - // additional attributes for DSA public keys - templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_DSA, - new CK_ATTRIBUTE[] { - VERIFY_TRUE, - }); - - // additional attributes for DH private keys - templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_DH, - new CK_ATTRIBUTE[] { - DERIVE_TRUE, - }); - - // additional attributes for EC private keys - templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_EC, - new CK_ATTRIBUTE[] { - SIGN_TRUE, - DERIVE_TRUE, - }); - // additional attributes for EC public keys - templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_EC, - new CK_ATTRIBUTE[] { - VERIFY_TRUE, - }); - } - - private final static CK_ATTRIBUTE[] CK_A0 = new CK_ATTRIBUTE[0]; - - private String parseOperation() throws IOException { - String op = parseWord(); - switch (op) { - case "*": - return TemplateManager.O_ANY; - case "generate": - return TemplateManager.O_GENERATE; - case "import": - return TemplateManager.O_IMPORT; - default: - throw excLine("Unknown operation " + op); - } - } - - private long parseObjectClass() throws IOException { - String name = parseWord(); - try { - return Functions.getObjectClassId(name); - } catch (IllegalArgumentException e) { - throw excLine("Unknown object class " + name); - } - } - - private long parseKeyAlgorithm() throws IOException { - String name = parseWord(); - if (isNumber(name)) { - return decodeNumber(name); - } else { - try { - return Functions.getKeyId(name); - } catch (IllegalArgumentException e) { - throw excLine("Unknown key algorithm " + name); - } - } - } - - private long decodeAttributeName(String name) throws IOException { - if (isNumber(name)) { - return decodeNumber(name); - } else { - try { - return Functions.getAttributeId(name); - } catch (IllegalArgumentException e) { - throw excLine("Unknown attribute name " + name); - } - } - } - - private CK_ATTRIBUTE decodeAttributeValue(long id, String value) - throws IOException { - if (value.equals("null")) { - return new CK_ATTRIBUTE(id); - } else if (value.equals("true")) { - return new CK_ATTRIBUTE(id, true); - } else if (value.equals("false")) { - return new CK_ATTRIBUTE(id, false); - } else if (isByteArray(value)) { - return new CK_ATTRIBUTE(id, decodeByteArray(value)); - } else if (isNumber(value)) { - return new CK_ATTRIBUTE(id, Integer.valueOf(decodeNumber(value))); - } else { - throw excLine("Unknown attribute value " + value); - } - } - - private void parseNSSArgs(String keyword) throws IOException { - checkDup(keyword); - parseEquals(); - int token = nextToken(); - if (token != '"') { - throw excToken("Expected quoted string"); - } - nssArgs = expand(st.sval); - debug("nssArgs: " + nssArgs); - } - - private void parseHandleStartupErrors(String keyword) throws IOException { - checkDup(keyword); - parseEquals(); - String val = parseWord(); - if (val.equals("ignoreAll")) { - handleStartupErrors = ERR_IGNORE_ALL; - } else if (val.equals("ignoreMissingLibrary")) { - handleStartupErrors = ERR_IGNORE_LIB; - } else if (val.equals("halt")) { - handleStartupErrors = ERR_HALT; - } else { - throw excToken("Invalid value for handleStartupErrors:"); - } - debug("handleStartupErrors: " + handleStartupErrors); - } - -} - -class ConfigurationException extends IOException { - private static final long serialVersionUID = 254492758807673194L; - ConfigurationException(String msg) { - super(msg); - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java 2017-01-20 09:52:23.494289516 -0800 @@ -0,0 +1,1008 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.io.*; +import static java.io.StreamTokenizer.*; +import java.math.BigInteger; +import java.util.*; + +import java.security.*; + +import sun.security.util.PropertyExpander; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +import static sun.security.pkcs11.wrapper.CK_ATTRIBUTE.*; + +import static sun.security.pkcs11.TemplateManager.*; + +/** + * Configuration container and file parsing. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class Config { + + static final int ERR_HALT = 1; + static final int ERR_IGNORE_ALL = 2; + static final int ERR_IGNORE_LIB = 3; + + // same as allowSingleThreadedModules but controlled via a system property + // and applied to all providers. if set to false, no SunPKCS11 instances + // will accept single threaded modules regardless of the setting in their + // config files. + private static final boolean staticAllowSingleThreadedModules; + private static final String osName; + private static final String osArch; + + static { + List props = AccessController.doPrivileged( + new PrivilegedAction<>() { + @Override + public List run() { + return List.of( + System.getProperty( + "sun.security.pkcs11.allowSingleThreadedModules", + "true"), + System.getProperty("os.name"), + System.getProperty("os.arch")); + } + } + ); + if ("false".equalsIgnoreCase(props.get(0))) { + staticAllowSingleThreadedModules = false; + } else { + staticAllowSingleThreadedModules = true; + } + osName = props.get(1); + osArch = props.get(2); + } + + private final static boolean DEBUG = false; + + private static void debug(Object o) { + if (DEBUG) { + System.out.println(o); + } + } + + // file name containing this configuration + private String filename; + + // Reader and StringTokenizer used during parsing + private Reader reader; + + private StreamTokenizer st; + + private Set parsedKeywords; + + // name suffix of the provider + private String name; + + // name of the PKCS#11 library + private String library; + + // description to pass to the provider class + private String description; + + // slotID of the slot to use + private int slotID = -1; + + // slot to use, specified as index in the slotlist + private int slotListIndex = -1; + + // set of enabled mechanisms (or null to use default) + private Set enabledMechanisms; + + // set of disabled mechanisms + private Set disabledMechanisms; + + // whether to print debug info during startup + private boolean showInfo = false; + + // template manager, initialized from parsed attributes + private TemplateManager templateManager; + + // how to handle error during startup, one of ERR_ + private int handleStartupErrors = ERR_HALT; + + // flag indicating whether the P11KeyStore should + // be more tolerant of input parameters + private boolean keyStoreCompatibilityMode = true; + + // flag indicating whether we need to explicitly cancel operations + // see Token + private boolean explicitCancel = true; + + // how often to test for token insertion, if no token is present + private int insertionCheckInterval = 2000; + + // flag inidicating whether to omit the call to C_Initialize() + // should be used only if we are running within a process that + // has already called it (e.g. Plugin inside of Mozilla/NSS) + private boolean omitInitialize = false; + + // whether to allow modules that only support single threaded access. + // they cannot be used safely from multiple PKCS#11 consumers in the + // same process, for example NSS and SunPKCS11 + private boolean allowSingleThreadedModules = true; + + // name of the C function that returns the PKCS#11 functionlist + // This option primarily exists for the deprecated + // Secmod.Module.getProvider() method. + private String functionList = "C_GetFunctionList"; + + // whether to use NSS secmod mode. Implicitly set if nssLibraryDirectory, + // nssSecmodDirectory, or nssModule is specified. + private boolean nssUseSecmod; + + // location of the NSS library files (libnss3.so, etc.) + private String nssLibraryDirectory; + + // location of secmod.db + private String nssSecmodDirectory; + + // which NSS module to use + private String nssModule; + + private Secmod.DbMode nssDbMode = Secmod.DbMode.READ_WRITE; + + // Whether the P11KeyStore should specify the CKA_NETSCAPE_DB attribute + // when creating private keys. Only valid if nssUseSecmod is true. + private boolean nssNetscapeDbWorkaround = true; + + // Special init argument string for the NSS softtoken. + // This is used when using the NSS softtoken directly without secmod mode. + private String nssArgs; + + // whether to use NSS trust attributes for the KeyStore of this provider + // this option is for internal use by the SunPKCS11 code only and + // works only for NSS providers created via the Secmod API + private boolean nssUseSecmodTrust = false; + + // Flag to indicate whether the X9.63 encoding for EC points shall be used + // (true) or whether that encoding shall be wrapped in an ASN.1 OctetString + // (false). + private boolean useEcX963Encoding = false; + + // Flag to indicate whether NSS should favour performance (false) or + // memory footprint (true). + private boolean nssOptimizeSpace = false; + + Config(String fn) throws IOException { + this.filename = fn; + if (filename.startsWith("--")) { + // inline config + String config = filename.substring(2).replace("\\n", "\n"); + reader = new StringReader(config); + } else { + reader = new BufferedReader(new InputStreamReader + (new FileInputStream(expand(filename)))); + } + parsedKeywords = new HashSet(); + st = new StreamTokenizer(reader); + setupTokenizer(); + parse(); + } + + String getFileName() { + return filename; + } + + String getName() { + return name; + } + + String getLibrary() { + return library; + } + + String getDescription() { + if (description != null) { + return description; + } + return "SunPKCS11-" + name + " using library " + library; + } + + int getSlotID() { + return slotID; + } + + int getSlotListIndex() { + if ((slotID == -1) && (slotListIndex == -1)) { + // if neither is set, default to first slot + return 0; + } else { + return slotListIndex; + } + } + + boolean getShowInfo() { + return (SunPKCS11.debug != null) || showInfo; + } + + TemplateManager getTemplateManager() { + if (templateManager == null) { + templateManager = new TemplateManager(); + } + return templateManager; + } + + boolean isEnabled(long m) { + if (enabledMechanisms != null) { + return enabledMechanisms.contains(Long.valueOf(m)); + } + if (disabledMechanisms != null) { + return !disabledMechanisms.contains(Long.valueOf(m)); + } + return true; + } + + int getHandleStartupErrors() { + return handleStartupErrors; + } + + boolean getKeyStoreCompatibilityMode() { + return keyStoreCompatibilityMode; + } + + boolean getExplicitCancel() { + return explicitCancel; + } + + int getInsertionCheckInterval() { + return insertionCheckInterval; + } + + boolean getOmitInitialize() { + return omitInitialize; + } + + boolean getAllowSingleThreadedModules() { + return staticAllowSingleThreadedModules && allowSingleThreadedModules; + } + + String getFunctionList() { + return functionList; + } + + boolean getNssUseSecmod() { + return nssUseSecmod; + } + + String getNssLibraryDirectory() { + return nssLibraryDirectory; + } + + String getNssSecmodDirectory() { + return nssSecmodDirectory; + } + + String getNssModule() { + return nssModule; + } + + Secmod.DbMode getNssDbMode() { + return nssDbMode; + } + + public boolean getNssNetscapeDbWorkaround() { + return nssUseSecmod && nssNetscapeDbWorkaround; + } + + String getNssArgs() { + return nssArgs; + } + + boolean getNssUseSecmodTrust() { + return nssUseSecmodTrust; + } + + boolean getUseEcX963Encoding() { + return useEcX963Encoding; + } + + boolean getNssOptimizeSpace() { + return nssOptimizeSpace; + } + + private static String expand(final String s) throws IOException { + try { + return PropertyExpander.expand(s); + } catch (Exception e) { + throw new RuntimeException(e.getMessage()); + } + } + + private void setupTokenizer() { + st.resetSyntax(); + st.wordChars('a', 'z'); + st.wordChars('A', 'Z'); + st.wordChars('0', '9'); + st.wordChars(':', ':'); + st.wordChars('.', '.'); + st.wordChars('_', '_'); + st.wordChars('-', '-'); + st.wordChars('/', '/'); + st.wordChars('\\', '\\'); + st.wordChars('$', '$'); + st.wordChars('{', '{'); // need {} for property subst + st.wordChars('}', '}'); + st.wordChars('*', '*'); + st.wordChars('+', '+'); + st.wordChars('~', '~'); + // XXX check ASCII table and add all other characters except special + + // special: #="(), + st.whitespaceChars(0, ' '); + st.commentChar('#'); + st.eolIsSignificant(true); + st.quoteChar('\"'); + } + + private ConfigurationException excToken(String msg) { + return new ConfigurationException(msg + " " + st); + } + + private ConfigurationException excLine(String msg) { + return new ConfigurationException(msg + ", line " + st.lineno()); + } + + private void parse() throws IOException { + while (true) { + int token = nextToken(); + if (token == TT_EOF) { + break; + } + if (token == TT_EOL) { + continue; + } + if (token != TT_WORD) { + throw excToken("Unexpected token:"); + } + String word = st.sval; + if (word.equals("name")) { + name = parseStringEntry(word); + } else if (word.equals("library")) { + library = parseLibrary(word); + } else if (word.equals("description")) { + parseDescription(word); + } else if (word.equals("slot")) { + parseSlotID(word); + } else if (word.equals("slotListIndex")) { + parseSlotListIndex(word); + } else if (word.equals("enabledMechanisms")) { + parseEnabledMechanisms(word); + } else if (word.equals("disabledMechanisms")) { + parseDisabledMechanisms(word); + } else if (word.equals("attributes")) { + parseAttributes(word); + } else if (word.equals("handleStartupErrors")) { + parseHandleStartupErrors(word); + } else if (word.endsWith("insertionCheckInterval")) { + insertionCheckInterval = parseIntegerEntry(word); + if (insertionCheckInterval < 100) { + throw excLine(word + " must be at least 100 ms"); + } + } else if (word.equals("showInfo")) { + showInfo = parseBooleanEntry(word); + } else if (word.equals("keyStoreCompatibilityMode")) { + keyStoreCompatibilityMode = parseBooleanEntry(word); + } else if (word.equals("explicitCancel")) { + explicitCancel = parseBooleanEntry(word); + } else if (word.equals("omitInitialize")) { + omitInitialize = parseBooleanEntry(word); + } else if (word.equals("allowSingleThreadedModules")) { + allowSingleThreadedModules = parseBooleanEntry(word); + } else if (word.equals("functionList")) { + functionList = parseStringEntry(word); + } else if (word.equals("nssUseSecmod")) { + nssUseSecmod = parseBooleanEntry(word); + } else if (word.equals("nssLibraryDirectory")) { + nssLibraryDirectory = parseLibrary(word); + nssUseSecmod = true; + } else if (word.equals("nssSecmodDirectory")) { + nssSecmodDirectory = expand(parseStringEntry(word)); + nssUseSecmod = true; + } else if (word.equals("nssModule")) { + nssModule = parseStringEntry(word); + nssUseSecmod = true; + } else if (word.equals("nssDbMode")) { + String mode = parseStringEntry(word); + if (mode.equals("readWrite")) { + nssDbMode = Secmod.DbMode.READ_WRITE; + } else if (mode.equals("readOnly")) { + nssDbMode = Secmod.DbMode.READ_ONLY; + } else if (mode.equals("noDb")) { + nssDbMode = Secmod.DbMode.NO_DB; + } else { + throw excToken("nssDbMode must be one of readWrite, readOnly, and noDb:"); + } + nssUseSecmod = true; + } else if (word.equals("nssNetscapeDbWorkaround")) { + nssNetscapeDbWorkaround = parseBooleanEntry(word); + nssUseSecmod = true; + } else if (word.equals("nssArgs")) { + parseNSSArgs(word); + } else if (word.equals("nssUseSecmodTrust")) { + nssUseSecmodTrust = parseBooleanEntry(word); + } else if (word.equals("useEcX963Encoding")) { + useEcX963Encoding = parseBooleanEntry(word); + } else if (word.equals("nssOptimizeSpace")) { + nssOptimizeSpace = parseBooleanEntry(word); + } else { + throw new ConfigurationException + ("Unknown keyword '" + word + "', line " + st.lineno()); + } + parsedKeywords.add(word); + } + reader.close(); + reader = null; + st = null; + parsedKeywords = null; + if (name == null) { + throw new ConfigurationException("name must be specified"); + } + if (nssUseSecmod == false) { + if (library == null) { + throw new ConfigurationException("library must be specified"); + } + } else { + if (library != null) { + throw new ConfigurationException + ("library must not be specified in NSS mode"); + } + if ((slotID != -1) || (slotListIndex != -1)) { + throw new ConfigurationException + ("slot and slotListIndex must not be specified in NSS mode"); + } + if (nssArgs != null) { + throw new ConfigurationException + ("nssArgs must not be specified in NSS mode"); + } + if (nssUseSecmodTrust != false) { + throw new ConfigurationException("nssUseSecmodTrust is an " + + "internal option and must not be specified in NSS mode"); + } + } + } + + // + // Parsing helper methods + // + + private int nextToken() throws IOException { + int token = st.nextToken(); + debug(st); + return token; + } + + private void parseEquals() throws IOException { + int token = nextToken(); + if (token != '=') { + throw excToken("Expected '=', read"); + } + } + + private void parseOpenBraces() throws IOException { + while (true) { + int token = nextToken(); + if (token == TT_EOL) { + continue; + } + if ((token == TT_WORD) && st.sval.equals("{")) { + return; + } + throw excToken("Expected '{', read"); + } + } + + private boolean isCloseBraces(int token) { + return (token == TT_WORD) && st.sval.equals("}"); + } + + private String parseWord() throws IOException { + int token = nextToken(); + if (token != TT_WORD) { + throw excToken("Unexpected value:"); + } + return st.sval; + } + + private String parseStringEntry(String keyword) throws IOException { + checkDup(keyword); + parseEquals(); + + int token = nextToken(); + if (token != TT_WORD && token != '\"') { + // not a word token nor a string enclosed by double quotes + throw excToken("Unexpected value:"); + } + String value = st.sval; + + debug(keyword + ": " + value); + return value; + } + + private boolean parseBooleanEntry(String keyword) throws IOException { + checkDup(keyword); + parseEquals(); + boolean value = parseBoolean(); + debug(keyword + ": " + value); + return value; + } + + private int parseIntegerEntry(String keyword) throws IOException { + checkDup(keyword); + parseEquals(); + int value = decodeNumber(parseWord()); + debug(keyword + ": " + value); + return value; + } + + private boolean parseBoolean() throws IOException { + String val = parseWord(); + switch (val) { + case "true": + return true; + case "false": + return false; + default: + throw excToken("Expected boolean value, read:"); + } + } + + private String parseLine() throws IOException { + // allow quoted string as part of line + String s = null; + while (true) { + int token = nextToken(); + if ((token == TT_EOL) || (token == TT_EOF)) { + break; + } + if (token != TT_WORD && token != '\"') { + throw excToken("Unexpected value"); + } + if (s == null) { + s = st.sval; + } else { + s = s + " " + st.sval; + } + } + if (s == null) { + throw excToken("Unexpected empty line"); + } + return s; + } + + private int decodeNumber(String str) throws IOException { + try { + if (str.startsWith("0x") || str.startsWith("0X")) { + return Integer.parseInt(str.substring(2), 16); + } else { + return Integer.parseInt(str); + } + } catch (NumberFormatException e) { + throw excToken("Expected number, read"); + } + } + + private static boolean isNumber(String s) { + if (s.length() == 0) { + return false; + } + char ch = s.charAt(0); + return ((ch >= '0') && (ch <= '9')); + } + + private void parseComma() throws IOException { + int token = nextToken(); + if (token != ',') { + throw excToken("Expected ',', read"); + } + } + + private static boolean isByteArray(String val) { + return val.startsWith("0h"); + } + + private byte[] decodeByteArray(String str) throws IOException { + if (str.startsWith("0h") == false) { + throw excToken("Expected byte array value, read"); + } + str = str.substring(2); + // XXX proper hex parsing + try { + return new BigInteger(str, 16).toByteArray(); + } catch (NumberFormatException e) { + throw excToken("Expected byte array value, read"); + } + } + + private void checkDup(String keyword) throws IOException { + if (parsedKeywords.contains(keyword)) { + throw excLine(keyword + " must only be specified once"); + } + } + + // + // individual entry parsing methods + // + + private String parseLibrary(String keyword) throws IOException { + checkDup(keyword); + parseEquals(); + String lib = parseLine(); + lib = expand(lib); + int i = lib.indexOf("/$ISA/"); + if (i != -1) { + // replace "/$ISA/" with "/sparcv9/" on 64-bit Solaris SPARC + // and with "/amd64/" on Solaris AMD64. + // On all other platforms, just turn it into a "/" + String prefix = lib.substring(0, i); + String suffix = lib.substring(i + 5); + if (osName.equals("SunOS") && osArch.equals("sparcv9")) { + lib = prefix + "/sparcv9" + suffix; + } else if (osName.equals("SunOS") && osArch.equals("amd64")) { + lib = prefix + "/amd64" + suffix; + } else { + lib = prefix + suffix; + } + } + debug(keyword + ": " + lib); + + // Check to see if full path is specified to prevent the DLL + // preloading attack + if (!(new File(lib)).isAbsolute()) { + throw new ConfigurationException( + "Absolute path required for library value: " + lib); + } + return lib; + } + + private void parseDescription(String keyword) throws IOException { + checkDup(keyword); + parseEquals(); + description = parseLine(); + debug("description: " + description); + } + + private void parseSlotID(String keyword) throws IOException { + if (slotID >= 0) { + throw excLine("Duplicate slot definition"); + } + if (slotListIndex >= 0) { + throw excLine + ("Only one of slot and slotListIndex must be specified"); + } + parseEquals(); + String slotString = parseWord(); + slotID = decodeNumber(slotString); + debug("slot: " + slotID); + } + + private void parseSlotListIndex(String keyword) throws IOException { + if (slotListIndex >= 0) { + throw excLine("Duplicate slotListIndex definition"); + } + if (slotID >= 0) { + throw excLine + ("Only one of slot and slotListIndex must be specified"); + } + parseEquals(); + String slotString = parseWord(); + slotListIndex = decodeNumber(slotString); + debug("slotListIndex: " + slotListIndex); + } + + private void parseEnabledMechanisms(String keyword) throws IOException { + enabledMechanisms = parseMechanisms(keyword); + } + + private void parseDisabledMechanisms(String keyword) throws IOException { + disabledMechanisms = parseMechanisms(keyword); + } + + private Set parseMechanisms(String keyword) throws IOException { + checkDup(keyword); + Set mechs = new HashSet(); + parseEquals(); + parseOpenBraces(); + while (true) { + int token = nextToken(); + if (isCloseBraces(token)) { + break; + } + if (token == TT_EOL) { + continue; + } + if (token != TT_WORD) { + throw excToken("Expected mechanism, read"); + } + long mech = parseMechanism(st.sval); + mechs.add(Long.valueOf(mech)); + } + if (DEBUG) { + System.out.print("mechanisms: ["); + for (Long mech : mechs) { + System.out.print(Functions.getMechanismName(mech)); + System.out.print(", "); + } + System.out.println("]"); + } + return mechs; + } + + private long parseMechanism(String mech) throws IOException { + if (isNumber(mech)) { + return decodeNumber(mech); + } else { + try { + return Functions.getMechanismId(mech); + } catch (IllegalArgumentException e) { + throw excLine("Unknown mechanism: " + mech); + } + } + } + + private void parseAttributes(String keyword) throws IOException { + if (templateManager == null) { + templateManager = new TemplateManager(); + } + int token = nextToken(); + if (token == '=') { + String s = parseWord(); + if (s.equals("compatibility") == false) { + throw excLine("Expected 'compatibility', read " + s); + } + setCompatibilityAttributes(); + return; + } + if (token != '(') { + throw excToken("Expected '(' or '=', read"); + } + String op = parseOperation(); + parseComma(); + long objectClass = parseObjectClass(); + parseComma(); + long keyAlg = parseKeyAlgorithm(); + token = nextToken(); + if (token != ')') { + throw excToken("Expected ')', read"); + } + parseEquals(); + parseOpenBraces(); + List attributes = new ArrayList(); + while (true) { + token = nextToken(); + if (isCloseBraces(token)) { + break; + } + if (token == TT_EOL) { + continue; + } + if (token != TT_WORD) { + throw excToken("Expected mechanism, read"); + } + String attributeName = st.sval; + long attributeId = decodeAttributeName(attributeName); + parseEquals(); + String attributeValue = parseWord(); + attributes.add(decodeAttributeValue(attributeId, attributeValue)); + } + templateManager.addTemplate + (op, objectClass, keyAlg, attributes.toArray(CK_A0)); + } + + private void setCompatibilityAttributes() { + // all secret keys + templateManager.addTemplate(O_ANY, CKO_SECRET_KEY, PCKK_ANY, + new CK_ATTRIBUTE[] { + TOKEN_FALSE, + SENSITIVE_FALSE, + EXTRACTABLE_TRUE, + ENCRYPT_TRUE, + DECRYPT_TRUE, + WRAP_TRUE, + UNWRAP_TRUE, + }); + + // generic secret keys are special + // They are used as MAC keys plus for the SSL/TLS (pre)master secrets + templateManager.addTemplate(O_ANY, CKO_SECRET_KEY, CKK_GENERIC_SECRET, + new CK_ATTRIBUTE[] { + SIGN_TRUE, + VERIFY_TRUE, + ENCRYPT_NULL, + DECRYPT_NULL, + WRAP_NULL, + UNWRAP_NULL, + DERIVE_TRUE, + }); + + // all private and public keys + templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, PCKK_ANY, + new CK_ATTRIBUTE[] { + TOKEN_FALSE, + SENSITIVE_FALSE, + EXTRACTABLE_TRUE, + }); + templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, PCKK_ANY, + new CK_ATTRIBUTE[] { + TOKEN_FALSE, + }); + + // additional attributes for RSA private keys + templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_RSA, + new CK_ATTRIBUTE[] { + DECRYPT_TRUE, + SIGN_TRUE, + SIGN_RECOVER_TRUE, + UNWRAP_TRUE, + }); + // additional attributes for RSA public keys + templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_RSA, + new CK_ATTRIBUTE[] { + ENCRYPT_TRUE, + VERIFY_TRUE, + VERIFY_RECOVER_TRUE, + WRAP_TRUE, + }); + + // additional attributes for DSA private keys + templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_DSA, + new CK_ATTRIBUTE[] { + SIGN_TRUE, + }); + // additional attributes for DSA public keys + templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_DSA, + new CK_ATTRIBUTE[] { + VERIFY_TRUE, + }); + + // additional attributes for DH private keys + templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_DH, + new CK_ATTRIBUTE[] { + DERIVE_TRUE, + }); + + // additional attributes for EC private keys + templateManager.addTemplate(O_ANY, CKO_PRIVATE_KEY, CKK_EC, + new CK_ATTRIBUTE[] { + SIGN_TRUE, + DERIVE_TRUE, + }); + // additional attributes for EC public keys + templateManager.addTemplate(O_ANY, CKO_PUBLIC_KEY, CKK_EC, + new CK_ATTRIBUTE[] { + VERIFY_TRUE, + }); + } + + private final static CK_ATTRIBUTE[] CK_A0 = new CK_ATTRIBUTE[0]; + + private String parseOperation() throws IOException { + String op = parseWord(); + switch (op) { + case "*": + return TemplateManager.O_ANY; + case "generate": + return TemplateManager.O_GENERATE; + case "import": + return TemplateManager.O_IMPORT; + default: + throw excLine("Unknown operation " + op); + } + } + + private long parseObjectClass() throws IOException { + String name = parseWord(); + try { + return Functions.getObjectClassId(name); + } catch (IllegalArgumentException e) { + throw excLine("Unknown object class " + name); + } + } + + private long parseKeyAlgorithm() throws IOException { + String name = parseWord(); + if (isNumber(name)) { + return decodeNumber(name); + } else { + try { + return Functions.getKeyId(name); + } catch (IllegalArgumentException e) { + throw excLine("Unknown key algorithm " + name); + } + } + } + + private long decodeAttributeName(String name) throws IOException { + if (isNumber(name)) { + return decodeNumber(name); + } else { + try { + return Functions.getAttributeId(name); + } catch (IllegalArgumentException e) { + throw excLine("Unknown attribute name " + name); + } + } + } + + private CK_ATTRIBUTE decodeAttributeValue(long id, String value) + throws IOException { + if (value.equals("null")) { + return new CK_ATTRIBUTE(id); + } else if (value.equals("true")) { + return new CK_ATTRIBUTE(id, true); + } else if (value.equals("false")) { + return new CK_ATTRIBUTE(id, false); + } else if (isByteArray(value)) { + return new CK_ATTRIBUTE(id, decodeByteArray(value)); + } else if (isNumber(value)) { + return new CK_ATTRIBUTE(id, Integer.valueOf(decodeNumber(value))); + } else { + throw excLine("Unknown attribute value " + value); + } + } + + private void parseNSSArgs(String keyword) throws IOException { + checkDup(keyword); + parseEquals(); + int token = nextToken(); + if (token != '"') { + throw excToken("Expected quoted string"); + } + nssArgs = expand(st.sval); + debug("nssArgs: " + nssArgs); + } + + private void parseHandleStartupErrors(String keyword) throws IOException { + checkDup(keyword); + parseEquals(); + String val = parseWord(); + if (val.equals("ignoreAll")) { + handleStartupErrors = ERR_IGNORE_ALL; + } else if (val.equals("ignoreMissingLibrary")) { + handleStartupErrors = ERR_IGNORE_LIB; + } else if (val.equals("halt")) { + handleStartupErrors = ERR_HALT; + } else { + throw excToken("Invalid value for handleStartupErrors:"); + } + debug("handleStartupErrors: " + handleStartupErrors); + } + +} + +class ConfigurationException extends IOException { + private static final long serialVersionUID = 254492758807673194L; + ConfigurationException(String msg) { + super(msg); + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/KeyCache.java 2017-01-20 09:52:24.866289465 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,103 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.util.*; -import java.lang.ref.*; - -import java.security.Key; - -import sun.security.util.Cache; - -/** - * Key to P11Key translation cache. The PKCS#11 token can only perform - * operations on keys stored on the token (permanently or temporarily). That - * means that in order to allow the PKCS#11 provider to use keys from other - * providers, we need to transparently convert them to P11Keys. The engines - * do that using (Secret)KeyFactories, which in turn use this class as a - * cache. - * - * There are two KeyCache instances per provider, one for secret keys and - * one for public and private keys. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class KeyCache { - - private final Cache strongCache; - - private WeakReference> cacheReference; - - KeyCache() { - strongCache = Cache.newHardMemoryCache(16); - } - - private static final class IdentityWrapper { - final Object obj; - IdentityWrapper(Object obj) { - this.obj = obj; - } - public boolean equals(Object o) { - if (this == o) { - return true; - } - if (o instanceof IdentityWrapper == false) { - return false; - } - IdentityWrapper other = (IdentityWrapper)o; - return this.obj == other.obj; - } - public int hashCode() { - return System.identityHashCode(obj); - } - } - - synchronized P11Key get(Key key) { - P11Key p11Key = strongCache.get(new IdentityWrapper(key)); - if (p11Key != null) { - return p11Key; - } - Map map = - (cacheReference == null) ? null : cacheReference.get(); - if (map == null) { - return null; - } - return map.get(key); - } - - synchronized void put(Key key, P11Key p11Key) { - strongCache.put(new IdentityWrapper(key), p11Key); - Map map = - (cacheReference == null) ? null : cacheReference.get(); - if (map == null) { - map = new IdentityHashMap<>(); - cacheReference = new WeakReference<>(map); - } - map.put(key, p11Key); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/KeyCache.java 2017-01-20 09:52:24.390289483 -0800 @@ -0,0 +1,103 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.util.*; +import java.lang.ref.*; + +import java.security.Key; + +import sun.security.util.Cache; + +/** + * Key to P11Key translation cache. The PKCS#11 token can only perform + * operations on keys stored on the token (permanently or temporarily). That + * means that in order to allow the PKCS#11 provider to use keys from other + * providers, we need to transparently convert them to P11Keys. The engines + * do that using (Secret)KeyFactories, which in turn use this class as a + * cache. + * + * There are two KeyCache instances per provider, one for secret keys and + * one for public and private keys. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class KeyCache { + + private final Cache strongCache; + + private WeakReference> cacheReference; + + KeyCache() { + strongCache = Cache.newHardMemoryCache(16); + } + + private static final class IdentityWrapper { + final Object obj; + IdentityWrapper(Object obj) { + this.obj = obj; + } + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o instanceof IdentityWrapper == false) { + return false; + } + IdentityWrapper other = (IdentityWrapper)o; + return this.obj == other.obj; + } + public int hashCode() { + return System.identityHashCode(obj); + } + } + + synchronized P11Key get(Key key) { + P11Key p11Key = strongCache.get(new IdentityWrapper(key)); + if (p11Key != null) { + return p11Key; + } + Map map = + (cacheReference == null) ? null : cacheReference.get(); + if (map == null) { + return null; + } + return map.get(key); + } + + synchronized void put(Key key, P11Key p11Key) { + strongCache.put(new IdentityWrapper(key), p11Key); + Map map = + (cacheReference == null) ? null : cacheReference.get(); + if (map == null) { + map = new IdentityHashMap<>(); + cacheReference = new WeakReference<>(map); + } + map.put(key, p11Key); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Cipher.java 2017-01-20 09:52:25.726289432 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,929 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ -package sun.security.pkcs11; - -import java.nio.ByteBuffer; -import java.util.Arrays; -import java.util.Locale; - -import java.security.*; -import java.security.spec.*; - -import javax.crypto.*; -import javax.crypto.spec.*; - -import sun.nio.ch.DirectBuffer; -import sun.security.jca.JCAUtil; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * Cipher implementation class. This class currently supports - * DES, DESede, AES, ARCFOUR, and Blowfish. - * - * This class is designed to support ECB, CBC, CTR with NoPadding - * and ECB, CBC with PKCS5Padding. It will use its own padding impl - * if the native mechanism does not support padding. - * - * Note that PKCS#11 currently only supports ECB, CBC, and CTR. - * There are no provisions for other modes such as CFB, OFB, and PCBC. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11Cipher extends CipherSpi { - - // mode constant for ECB mode - private final static int MODE_ECB = 3; - // mode constant for CBC mode - private final static int MODE_CBC = 4; - // mode constant for CTR mode - private final static int MODE_CTR = 5; - - // padding constant for NoPadding - private final static int PAD_NONE = 5; - // padding constant for PKCS5Padding - private final static int PAD_PKCS5 = 6; - - private static interface Padding { - // ENC: format the specified buffer with padding bytes and return the - // actual padding length - int setPaddingBytes(byte[] paddingBuffer, int padLen); - - // DEC: return the length of trailing padding bytes given the specified - // padded data - int unpad(byte[] paddedData, int len) - throws BadPaddingException, IllegalBlockSizeException; - } - - private static class PKCS5Padding implements Padding { - - private final int blockSize; - - PKCS5Padding(int blockSize) - throws NoSuchPaddingException { - if (blockSize == 0) { - throw new NoSuchPaddingException - ("PKCS#5 padding not supported with stream ciphers"); - } - this.blockSize = blockSize; - } - - public int setPaddingBytes(byte[] paddingBuffer, int padLen) { - Arrays.fill(paddingBuffer, 0, padLen, (byte) (padLen & 0x007f)); - return padLen; - } - - public int unpad(byte[] paddedData, int len) - throws BadPaddingException, IllegalBlockSizeException { - if ((len < 1) || (len % blockSize != 0)) { - throw new IllegalBlockSizeException - ("Input length must be multiples of " + blockSize); - } - byte padValue = paddedData[len - 1]; - if (padValue < 1 || padValue > blockSize) { - throw new BadPaddingException("Invalid pad value!"); - } - // sanity check padding bytes - int padStartIndex = len - padValue; - for (int i = padStartIndex; i < len; i++) { - if (paddedData[i] != padValue) { - throw new BadPaddingException("Invalid pad bytes!"); - } - } - return padValue; - } - } - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // name of the key algorithm, e.g. DES instead of algorithm DES/CBC/... - private final String keyAlgorithm; - - // mechanism id - private final long mechanism; - - // associated session, if any - private Session session; - - // key, if init() was called - private P11Key p11Key; - - // flag indicating whether an operation is initialized - private boolean initialized; - - // falg indicating encrypt or decrypt mode - private boolean encrypt; - - // mode, one of MODE_* above (MODE_ECB for stream ciphers) - private int blockMode; - - // block size, 0 for stream ciphers - private final int blockSize; - - // padding type, on of PAD_* above (PAD_NONE for stream ciphers) - private int paddingType; - - // when the padding is requested but unsupported by the native mechanism, - // we use the following to do padding and necessary data buffering. - // padding object which generate padding and unpad the decrypted data - private Padding paddingObj; - // buffer for holding back the block which contains padding bytes - private byte[] padBuffer; - private int padBufferLen; - - // original IV, if in MODE_CBC or MODE_CTR - private byte[] iv; - - // number of bytes buffered internally by the native mechanism and padBuffer - // if we do the padding - private int bytesBuffered; - - // length of key size in bytes; currently only used by AES given its oid - // specification mandates a fixed size of the key - private int fixedKeySize = -1; - - P11Cipher(Token token, String algorithm, long mechanism) - throws PKCS11Exception, NoSuchAlgorithmException { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - - String[] algoParts = algorithm.split("/"); - - if (algoParts[0].startsWith("AES")) { - blockSize = 16; - int index = algoParts[0].indexOf('_'); - if (index != -1) { - // should be well-formed since we specify what we support - fixedKeySize = Integer.parseInt(algoParts[0].substring(index+1))/8; - } - keyAlgorithm = "AES"; - } else { - keyAlgorithm = algoParts[0]; - if (keyAlgorithm.equals("RC4") || - keyAlgorithm.equals("ARCFOUR")) { - blockSize = 0; - } else { // DES, DESede, Blowfish - blockSize = 8; - } - } - this.blockMode = - (algoParts.length > 1 ? parseMode(algoParts[1]) : MODE_ECB); - String defPadding = (blockSize == 0 ? "NoPadding" : "PKCS5Padding"); - String paddingStr = - (algoParts.length > 2 ? algoParts[2] : defPadding); - try { - engineSetPadding(paddingStr); - } catch (NoSuchPaddingException nspe) { - // should not happen - throw new ProviderException(nspe); - } - } - - protected void engineSetMode(String mode) throws NoSuchAlgorithmException { - // Disallow change of mode for now since currently it's explicitly - // defined in transformation strings - throw new NoSuchAlgorithmException("Unsupported mode " + mode); - } - - private int parseMode(String mode) throws NoSuchAlgorithmException { - mode = mode.toUpperCase(Locale.ENGLISH); - int result; - if (mode.equals("ECB")) { - result = MODE_ECB; - } else if (mode.equals("CBC")) { - if (blockSize == 0) { - throw new NoSuchAlgorithmException - ("CBC mode not supported with stream ciphers"); - } - result = MODE_CBC; - } else if (mode.equals("CTR")) { - result = MODE_CTR; - } else { - throw new NoSuchAlgorithmException("Unsupported mode " + mode); - } - return result; - } - - // see JCE spec - protected void engineSetPadding(String padding) - throws NoSuchPaddingException { - paddingObj = null; - padBuffer = null; - padding = padding.toUpperCase(Locale.ENGLISH); - if (padding.equals("NOPADDING")) { - paddingType = PAD_NONE; - } else if (padding.equals("PKCS5PADDING")) { - if (this.blockMode == MODE_CTR) { - throw new NoSuchPaddingException - ("PKCS#5 padding not supported with CTR mode"); - } - paddingType = PAD_PKCS5; - if (mechanism != CKM_DES_CBC_PAD && mechanism != CKM_DES3_CBC_PAD && - mechanism != CKM_AES_CBC_PAD) { - // no native padding support; use our own padding impl - paddingObj = new PKCS5Padding(blockSize); - padBuffer = new byte[blockSize]; - } - } else { - throw new NoSuchPaddingException("Unsupported padding " + padding); - } - } - - // see JCE spec - protected int engineGetBlockSize() { - return blockSize; - } - - // see JCE spec - protected int engineGetOutputSize(int inputLen) { - return doFinalLength(inputLen); - } - - // see JCE spec - protected byte[] engineGetIV() { - return (iv == null) ? null : iv.clone(); - } - - // see JCE spec - protected AlgorithmParameters engineGetParameters() { - if (iv == null) { - return null; - } - IvParameterSpec ivSpec = new IvParameterSpec(iv); - try { - AlgorithmParameters params = - AlgorithmParameters.getInstance(keyAlgorithm, - P11Util.getSunJceProvider()); - params.init(ivSpec); - return params; - } catch (GeneralSecurityException e) { - // NoSuchAlgorithmException, NoSuchProviderException - // InvalidParameterSpecException - throw new ProviderException("Could not encode parameters", e); - } - } - - // see JCE spec - protected void engineInit(int opmode, Key key, SecureRandom random) - throws InvalidKeyException { - try { - implInit(opmode, key, null, random); - } catch (InvalidAlgorithmParameterException e) { - throw new InvalidKeyException("init() failed", e); - } - } - - // see JCE spec - protected void engineInit(int opmode, Key key, - AlgorithmParameterSpec params, SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - byte[] ivValue; - if (params != null) { - if (params instanceof IvParameterSpec == false) { - throw new InvalidAlgorithmParameterException - ("Only IvParameterSpec supported"); - } - IvParameterSpec ivSpec = (IvParameterSpec) params; - ivValue = ivSpec.getIV(); - } else { - ivValue = null; - } - implInit(opmode, key, ivValue, random); - } - - // see JCE spec - protected void engineInit(int opmode, Key key, AlgorithmParameters params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - byte[] ivValue; - if (params != null) { - try { - IvParameterSpec ivSpec = - params.getParameterSpec(IvParameterSpec.class); - ivValue = ivSpec.getIV(); - } catch (InvalidParameterSpecException e) { - throw new InvalidAlgorithmParameterException - ("Could not decode IV", e); - } - } else { - ivValue = null; - } - implInit(opmode, key, ivValue, random); - } - - // actual init() implementation - private void implInit(int opmode, Key key, byte[] iv, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - reset(true); - if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) { - throw new InvalidKeyException("Key size is invalid"); - } - switch (opmode) { - case Cipher.ENCRYPT_MODE: - encrypt = true; - break; - case Cipher.DECRYPT_MODE: - encrypt = false; - break; - default: - throw new InvalidAlgorithmParameterException - ("Unsupported mode: " + opmode); - } - if (blockMode == MODE_ECB) { // ECB or stream cipher - if (iv != null) { - if (blockSize == 0) { - throw new InvalidAlgorithmParameterException - ("IV not used with stream ciphers"); - } else { - throw new InvalidAlgorithmParameterException - ("IV not used in ECB mode"); - } - } - } else { // MODE_CBC or MODE_CTR - if (iv == null) { - if (encrypt == false) { - String exMsg = - (blockMode == MODE_CBC ? - "IV must be specified for decryption in CBC mode" : - "IV must be specified for decryption in CTR mode"); - throw new InvalidAlgorithmParameterException(exMsg); - } - // generate random IV - if (random == null) { - random = JCAUtil.getSecureRandom(); - } - iv = new byte[blockSize]; - random.nextBytes(iv); - } else { - if (iv.length != blockSize) { - throw new InvalidAlgorithmParameterException - ("IV length must match block size"); - } - } - } - this.iv = iv; - p11Key = P11SecretKeyFactory.convertKey(token, key, keyAlgorithm); - try { - initialize(); - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not initialize cipher", e); - } - } - - private void cancelOperation() { - if (initialized == false) { - return; - } - - if ((session == null) || (token.explicitCancel == false)) { - return; - } - try { - if (session.hasObjects() == false) { - session = token.killSession(session); - return; - } else { - // cancel operation by finishing it - int bufLen = doFinalLength(0); - byte[] buffer = new byte[bufLen]; - if (encrypt) { - token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen); - } else { - token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen); - } - } - } catch (PKCS11Exception e) { - throw new ProviderException("Cancel failed", e); - } - } - - private void ensureInitialized() throws PKCS11Exception { - if (initialized == false) { - initialize(); - } - } - - private void initialize() throws PKCS11Exception { - if (session == null) { - session = token.getOpSession(); - } - CK_MECHANISM mechParams = (blockMode == MODE_CTR? - new CK_MECHANISM(mechanism, new CK_AES_CTR_PARAMS(iv)) : - new CK_MECHANISM(mechanism, iv)); - - try { - if (encrypt) { - token.p11.C_EncryptInit(session.id(), mechParams, p11Key.keyID); - } else { - token.p11.C_DecryptInit(session.id(), mechParams, p11Key.keyID); - } - } catch (PKCS11Exception ex) { - // release session when initialization failed - session = token.releaseSession(session); - throw ex; - } - bytesBuffered = 0; - padBufferLen = 0; - initialized = true; - } - - // if update(inLen) is called, how big does the output buffer have to be? - private int updateLength(int inLen) { - if (inLen <= 0) { - return 0; - } - - int result = inLen + bytesBuffered; - if (blockSize != 0 && blockMode != MODE_CTR) { - // minus the number of bytes in the last incomplete block. - result -= (result & (blockSize - 1)); - } - return result; - } - - // if doFinal(inLen) is called, how big does the output buffer have to be? - private int doFinalLength(int inLen) { - if (inLen < 0) { - return 0; - } - - int result = inLen + bytesBuffered; - if (blockSize != 0 && encrypt && paddingType != PAD_NONE) { - // add the number of bytes to make the last block complete. - result += (blockSize - (result & (blockSize - 1))); - } - return result; - } - - // reset the states to the pre-initialized values - private void reset(boolean doCancel) { - if (doCancel) cancelOperation(); - - initialized = false; - bytesBuffered = 0; - padBufferLen = 0; - if (session != null) { - session = token.releaseSession(session); - } - } - - // see JCE spec - protected byte[] engineUpdate(byte[] in, int inOfs, int inLen) { - try { - byte[] out = new byte[updateLength(inLen)]; - int n = engineUpdate(in, inOfs, inLen, out, 0); - return P11Util.convert(out, 0, n); - } catch (ShortBufferException e) { - // convert since the output length is calculated by updateLength() - throw new ProviderException(e); - } - } - - // see JCE spec - protected int engineUpdate(byte[] in, int inOfs, int inLen, byte[] out, - int outOfs) throws ShortBufferException { - int outLen = out.length - outOfs; - return implUpdate(in, inOfs, inLen, out, outOfs, outLen); - } - - // see JCE spec - @Override - protected int engineUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer) - throws ShortBufferException { - return implUpdate(inBuffer, outBuffer); - } - - // see JCE spec - protected byte[] engineDoFinal(byte[] in, int inOfs, int inLen) - throws IllegalBlockSizeException, BadPaddingException { - try { - byte[] out = new byte[doFinalLength(inLen)]; - int n = engineDoFinal(in, inOfs, inLen, out, 0); - return P11Util.convert(out, 0, n); - } catch (ShortBufferException e) { - // convert since the output length is calculated by doFinalLength() - throw new ProviderException(e); - } - } - - // see JCE spec - protected int engineDoFinal(byte[] in, int inOfs, int inLen, byte[] out, - int outOfs) throws ShortBufferException, IllegalBlockSizeException, - BadPaddingException { - int n = 0; - if ((inLen != 0) && (in != null)) { - n = engineUpdate(in, inOfs, inLen, out, outOfs); - outOfs += n; - } - n += implDoFinal(out, outOfs, out.length - outOfs); - return n; - } - - // see JCE spec - @Override - protected int engineDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer) - throws ShortBufferException, IllegalBlockSizeException, - BadPaddingException { - int n = engineUpdate(inBuffer, outBuffer); - n += implDoFinal(outBuffer); - return n; - } - - private int implUpdate(byte[] in, int inOfs, int inLen, - byte[] out, int outOfs, int outLen) throws ShortBufferException { - if (outLen < updateLength(inLen)) { - throw new ShortBufferException(); - } - try { - ensureInitialized(); - int k = 0; - if (encrypt) { - k = token.p11.C_EncryptUpdate(session.id(), 0, in, inOfs, inLen, - 0, out, outOfs, outLen); - } else { - int newPadBufferLen = 0; - if (paddingObj != null) { - if (padBufferLen != 0) { - // NSS throws up when called with data not in multiple - // of blocks. Try to work around this by holding the - // extra data in padBuffer. - if (padBufferLen != padBuffer.length) { - int bufCapacity = padBuffer.length - padBufferLen; - if (inLen > bufCapacity) { - bufferInputBytes(in, inOfs, bufCapacity); - inOfs += bufCapacity; - inLen -= bufCapacity; - } else { - bufferInputBytes(in, inOfs, inLen); - return 0; - } - } - k = token.p11.C_DecryptUpdate(session.id(), - 0, padBuffer, 0, padBufferLen, - 0, out, outOfs, outLen); - padBufferLen = 0; - } - newPadBufferLen = inLen & (blockSize - 1); - if (newPadBufferLen == 0) { - newPadBufferLen = padBuffer.length; - } - inLen -= newPadBufferLen; - } - if (inLen > 0) { - k += token.p11.C_DecryptUpdate(session.id(), 0, in, inOfs, - inLen, 0, out, (outOfs + k), (outLen - k)); - } - // update 'padBuffer' if using our own padding impl. - if (paddingObj != null) { - bufferInputBytes(in, inOfs + inLen, newPadBufferLen); - } - } - bytesBuffered += (inLen - k); - return k; - } catch (PKCS11Exception e) { - if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } - reset(false); - throw new ProviderException("update() failed", e); - } - } - - private int implUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer) - throws ShortBufferException { - int inLen = inBuffer.remaining(); - if (inLen <= 0) { - return 0; - } - - int outLen = outBuffer.remaining(); - if (outLen < updateLength(inLen)) { - throw new ShortBufferException(); - } - int origPos = inBuffer.position(); - try { - ensureInitialized(); - - long inAddr = 0; - int inOfs = 0; - byte[] inArray = null; - - if (inBuffer instanceof DirectBuffer) { - inAddr = ((DirectBuffer) inBuffer).address(); - inOfs = origPos; - } else if (inBuffer.hasArray()) { - inArray = inBuffer.array(); - inOfs = (origPos + inBuffer.arrayOffset()); - } - - long outAddr = 0; - int outOfs = 0; - byte[] outArray = null; - if (outBuffer instanceof DirectBuffer) { - outAddr = ((DirectBuffer) outBuffer).address(); - outOfs = outBuffer.position(); - } else { - if (outBuffer.hasArray()) { - outArray = outBuffer.array(); - outOfs = (outBuffer.position() + outBuffer.arrayOffset()); - } else { - outArray = new byte[outLen]; - } - } - - int k = 0; - if (encrypt) { - if (inAddr == 0 && inArray == null) { - inArray = new byte[inLen]; - inBuffer.get(inArray); - } else { - inBuffer.position(origPos + inLen); - } - k = token.p11.C_EncryptUpdate(session.id(), - inAddr, inArray, inOfs, inLen, - outAddr, outArray, outOfs, outLen); - } else { - int newPadBufferLen = 0; - if (paddingObj != null) { - if (padBufferLen != 0) { - // NSS throws up when called with data not in multiple - // of blocks. Try to work around this by holding the - // extra data in padBuffer. - if (padBufferLen != padBuffer.length) { - int bufCapacity = padBuffer.length - padBufferLen; - if (inLen > bufCapacity) { - bufferInputBytes(inBuffer, bufCapacity); - inOfs += bufCapacity; - inLen -= bufCapacity; - } else { - bufferInputBytes(inBuffer, inLen); - return 0; - } - } - k = token.p11.C_DecryptUpdate(session.id(), 0, - padBuffer, 0, padBufferLen, outAddr, outArray, - outOfs, outLen); - padBufferLen = 0; - } - newPadBufferLen = inLen & (blockSize - 1); - if (newPadBufferLen == 0) { - newPadBufferLen = padBuffer.length; - } - inLen -= newPadBufferLen; - } - if (inLen > 0) { - if (inAddr == 0 && inArray == null) { - inArray = new byte[inLen]; - inBuffer.get(inArray); - } else { - inBuffer.position(inBuffer.position() + inLen); - } - k += token.p11.C_DecryptUpdate(session.id(), inAddr, - inArray, inOfs, inLen, outAddr, outArray, - (outOfs + k), (outLen - k)); - } - // update 'padBuffer' if using our own padding impl. - if (paddingObj != null && newPadBufferLen != 0) { - bufferInputBytes(inBuffer, newPadBufferLen); - } - } - bytesBuffered += (inLen - k); - if (!(outBuffer instanceof DirectBuffer) && - !outBuffer.hasArray()) { - outBuffer.put(outArray, outOfs, k); - } else { - outBuffer.position(outBuffer.position() + k); - } - return k; - } catch (PKCS11Exception e) { - // Reset input buffer to its original position for - inBuffer.position(origPos); - if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } - reset(false); - throw new ProviderException("update() failed", e); - } - } - - private int implDoFinal(byte[] out, int outOfs, int outLen) - throws ShortBufferException, IllegalBlockSizeException, - BadPaddingException { - int requiredOutLen = doFinalLength(0); - if (outLen < requiredOutLen) { - throw new ShortBufferException(); - } - boolean doCancel = true; - try { - ensureInitialized(); - int k = 0; - if (encrypt) { - if (paddingObj != null) { - int actualPadLen = paddingObj.setPaddingBytes(padBuffer, - requiredOutLen - bytesBuffered); - k = token.p11.C_EncryptUpdate(session.id(), - 0, padBuffer, 0, actualPadLen, - 0, out, outOfs, outLen); - } - k += token.p11.C_EncryptFinal(session.id(), - 0, out, (outOfs + k), (outLen - k)); - doCancel = false; - } else { - // Special handling to match SunJCE provider behavior - if (bytesBuffered == 0 && padBufferLen == 0) { - return 0; - } - if (paddingObj != null) { - if (padBufferLen != 0) { - k = token.p11.C_DecryptUpdate(session.id(), 0, - padBuffer, 0, padBufferLen, 0, padBuffer, 0, - padBuffer.length); - } - k += token.p11.C_DecryptFinal(session.id(), 0, padBuffer, k, - padBuffer.length - k); - doCancel = false; - - int actualPadLen = paddingObj.unpad(padBuffer, k); - k -= actualPadLen; - System.arraycopy(padBuffer, 0, out, outOfs, k); - } else { - k = token.p11.C_DecryptFinal(session.id(), 0, out, outOfs, - outLen); - doCancel = false; - } - } - return k; - } catch (PKCS11Exception e) { - doCancel = false; - handleException(e); - throw new ProviderException("doFinal() failed", e); - } finally { - reset(doCancel); - } - } - - private int implDoFinal(ByteBuffer outBuffer) - throws ShortBufferException, IllegalBlockSizeException, - BadPaddingException { - int outLen = outBuffer.remaining(); - int requiredOutLen = doFinalLength(0); - if (outLen < requiredOutLen) { - throw new ShortBufferException(); - } - - boolean doCancel = true; - try { - ensureInitialized(); - - long outAddr = 0; - byte[] outArray = null; - int outOfs = 0; - if (outBuffer instanceof DirectBuffer) { - outAddr = ((DirectBuffer) outBuffer).address(); - outOfs = outBuffer.position(); - } else { - if (outBuffer.hasArray()) { - outArray = outBuffer.array(); - outOfs = outBuffer.position() + outBuffer.arrayOffset(); - } else { - outArray = new byte[outLen]; - } - } - - int k = 0; - - if (encrypt) { - if (paddingObj != null) { - int actualPadLen = paddingObj.setPaddingBytes(padBuffer, - requiredOutLen - bytesBuffered); - k = token.p11.C_EncryptUpdate(session.id(), - 0, padBuffer, 0, actualPadLen, - outAddr, outArray, outOfs, outLen); - } - k += token.p11.C_EncryptFinal(session.id(), - outAddr, outArray, (outOfs + k), (outLen - k)); - doCancel = false; - } else { - // Special handling to match SunJCE provider behavior - if (bytesBuffered == 0 && padBufferLen == 0) { - return 0; - } - - if (paddingObj != null) { - if (padBufferLen != 0) { - k = token.p11.C_DecryptUpdate(session.id(), - 0, padBuffer, 0, padBufferLen, - 0, padBuffer, 0, padBuffer.length); - padBufferLen = 0; - } - k += token.p11.C_DecryptFinal(session.id(), - 0, padBuffer, k, padBuffer.length - k); - doCancel = false; - - int actualPadLen = paddingObj.unpad(padBuffer, k); - k -= actualPadLen; - outArray = padBuffer; - outOfs = 0; - } else { - k = token.p11.C_DecryptFinal(session.id(), - outAddr, outArray, outOfs, outLen); - doCancel = false; - } - } - if ((!encrypt && paddingObj != null) || - (!(outBuffer instanceof DirectBuffer) && - !outBuffer.hasArray())) { - outBuffer.put(outArray, outOfs, k); - } else { - outBuffer.position(outBuffer.position() + k); - } - return k; - } catch (PKCS11Exception e) { - doCancel = false; - handleException(e); - throw new ProviderException("doFinal() failed", e); - } finally { - reset(doCancel); - } - } - - private void handleException(PKCS11Exception e) - throws ShortBufferException, IllegalBlockSizeException { - long errorCode = e.getErrorCode(); - if (errorCode == CKR_BUFFER_TOO_SMALL) { - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } else if (errorCode == CKR_DATA_LEN_RANGE || - errorCode == CKR_ENCRYPTED_DATA_LEN_RANGE) { - throw (IllegalBlockSizeException) - (new IllegalBlockSizeException(e.toString()).initCause(e)); - } - } - - // see JCE spec - protected byte[] engineWrap(Key key) throws IllegalBlockSizeException, - InvalidKeyException { - // XXX key wrapping - throw new UnsupportedOperationException("engineWrap()"); - } - - // see JCE spec - protected Key engineUnwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, - int wrappedKeyType) - throws InvalidKeyException, NoSuchAlgorithmException { - // XXX key unwrapping - throw new UnsupportedOperationException("engineUnwrap()"); - } - - // see JCE spec - @Override - protected int engineGetKeySize(Key key) throws InvalidKeyException { - int n = P11SecretKeyFactory.convertKey - (token, key, keyAlgorithm).length(); - return n; - } - - private final void bufferInputBytes(byte[] in, int inOfs, int len) { - System.arraycopy(in, inOfs, padBuffer, padBufferLen, len); - padBufferLen += len; - bytesBuffered += len; - } - - private final void bufferInputBytes(ByteBuffer inBuffer, int len) { - inBuffer.get(padBuffer, padBufferLen, len); - padBufferLen += len; - bytesBuffered += len; - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java 2017-01-20 09:52:25.242289450 -0800 @@ -0,0 +1,929 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package sun.security.pkcs11; + +import java.nio.ByteBuffer; +import java.util.Arrays; +import java.util.Locale; + +import java.security.*; +import java.security.spec.*; + +import javax.crypto.*; +import javax.crypto.spec.*; + +import sun.nio.ch.DirectBuffer; +import sun.security.jca.JCAUtil; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * Cipher implementation class. This class currently supports + * DES, DESede, AES, ARCFOUR, and Blowfish. + * + * This class is designed to support ECB, CBC, CTR with NoPadding + * and ECB, CBC with PKCS5Padding. It will use its own padding impl + * if the native mechanism does not support padding. + * + * Note that PKCS#11 currently only supports ECB, CBC, and CTR. + * There are no provisions for other modes such as CFB, OFB, and PCBC. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11Cipher extends CipherSpi { + + // mode constant for ECB mode + private final static int MODE_ECB = 3; + // mode constant for CBC mode + private final static int MODE_CBC = 4; + // mode constant for CTR mode + private final static int MODE_CTR = 5; + + // padding constant for NoPadding + private final static int PAD_NONE = 5; + // padding constant for PKCS5Padding + private final static int PAD_PKCS5 = 6; + + private static interface Padding { + // ENC: format the specified buffer with padding bytes and return the + // actual padding length + int setPaddingBytes(byte[] paddingBuffer, int padLen); + + // DEC: return the length of trailing padding bytes given the specified + // padded data + int unpad(byte[] paddedData, int len) + throws BadPaddingException, IllegalBlockSizeException; + } + + private static class PKCS5Padding implements Padding { + + private final int blockSize; + + PKCS5Padding(int blockSize) + throws NoSuchPaddingException { + if (blockSize == 0) { + throw new NoSuchPaddingException + ("PKCS#5 padding not supported with stream ciphers"); + } + this.blockSize = blockSize; + } + + public int setPaddingBytes(byte[] paddingBuffer, int padLen) { + Arrays.fill(paddingBuffer, 0, padLen, (byte) (padLen & 0x007f)); + return padLen; + } + + public int unpad(byte[] paddedData, int len) + throws BadPaddingException, IllegalBlockSizeException { + if ((len < 1) || (len % blockSize != 0)) { + throw new IllegalBlockSizeException + ("Input length must be multiples of " + blockSize); + } + byte padValue = paddedData[len - 1]; + if (padValue < 1 || padValue > blockSize) { + throw new BadPaddingException("Invalid pad value!"); + } + // sanity check padding bytes + int padStartIndex = len - padValue; + for (int i = padStartIndex; i < len; i++) { + if (paddedData[i] != padValue) { + throw new BadPaddingException("Invalid pad bytes!"); + } + } + return padValue; + } + } + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // name of the key algorithm, e.g. DES instead of algorithm DES/CBC/... + private final String keyAlgorithm; + + // mechanism id + private final long mechanism; + + // associated session, if any + private Session session; + + // key, if init() was called + private P11Key p11Key; + + // flag indicating whether an operation is initialized + private boolean initialized; + + // falg indicating encrypt or decrypt mode + private boolean encrypt; + + // mode, one of MODE_* above (MODE_ECB for stream ciphers) + private int blockMode; + + // block size, 0 for stream ciphers + private final int blockSize; + + // padding type, on of PAD_* above (PAD_NONE for stream ciphers) + private int paddingType; + + // when the padding is requested but unsupported by the native mechanism, + // we use the following to do padding and necessary data buffering. + // padding object which generate padding and unpad the decrypted data + private Padding paddingObj; + // buffer for holding back the block which contains padding bytes + private byte[] padBuffer; + private int padBufferLen; + + // original IV, if in MODE_CBC or MODE_CTR + private byte[] iv; + + // number of bytes buffered internally by the native mechanism and padBuffer + // if we do the padding + private int bytesBuffered; + + // length of key size in bytes; currently only used by AES given its oid + // specification mandates a fixed size of the key + private int fixedKeySize = -1; + + P11Cipher(Token token, String algorithm, long mechanism) + throws PKCS11Exception, NoSuchAlgorithmException { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + + String[] algoParts = algorithm.split("/"); + + if (algoParts[0].startsWith("AES")) { + blockSize = 16; + int index = algoParts[0].indexOf('_'); + if (index != -1) { + // should be well-formed since we specify what we support + fixedKeySize = Integer.parseInt(algoParts[0].substring(index+1))/8; + } + keyAlgorithm = "AES"; + } else { + keyAlgorithm = algoParts[0]; + if (keyAlgorithm.equals("RC4") || + keyAlgorithm.equals("ARCFOUR")) { + blockSize = 0; + } else { // DES, DESede, Blowfish + blockSize = 8; + } + } + this.blockMode = + (algoParts.length > 1 ? parseMode(algoParts[1]) : MODE_ECB); + String defPadding = (blockSize == 0 ? "NoPadding" : "PKCS5Padding"); + String paddingStr = + (algoParts.length > 2 ? algoParts[2] : defPadding); + try { + engineSetPadding(paddingStr); + } catch (NoSuchPaddingException nspe) { + // should not happen + throw new ProviderException(nspe); + } + } + + protected void engineSetMode(String mode) throws NoSuchAlgorithmException { + // Disallow change of mode for now since currently it's explicitly + // defined in transformation strings + throw new NoSuchAlgorithmException("Unsupported mode " + mode); + } + + private int parseMode(String mode) throws NoSuchAlgorithmException { + mode = mode.toUpperCase(Locale.ENGLISH); + int result; + if (mode.equals("ECB")) { + result = MODE_ECB; + } else if (mode.equals("CBC")) { + if (blockSize == 0) { + throw new NoSuchAlgorithmException + ("CBC mode not supported with stream ciphers"); + } + result = MODE_CBC; + } else if (mode.equals("CTR")) { + result = MODE_CTR; + } else { + throw new NoSuchAlgorithmException("Unsupported mode " + mode); + } + return result; + } + + // see JCE spec + protected void engineSetPadding(String padding) + throws NoSuchPaddingException { + paddingObj = null; + padBuffer = null; + padding = padding.toUpperCase(Locale.ENGLISH); + if (padding.equals("NOPADDING")) { + paddingType = PAD_NONE; + } else if (padding.equals("PKCS5PADDING")) { + if (this.blockMode == MODE_CTR) { + throw new NoSuchPaddingException + ("PKCS#5 padding not supported with CTR mode"); + } + paddingType = PAD_PKCS5; + if (mechanism != CKM_DES_CBC_PAD && mechanism != CKM_DES3_CBC_PAD && + mechanism != CKM_AES_CBC_PAD) { + // no native padding support; use our own padding impl + paddingObj = new PKCS5Padding(blockSize); + padBuffer = new byte[blockSize]; + } + } else { + throw new NoSuchPaddingException("Unsupported padding " + padding); + } + } + + // see JCE spec + protected int engineGetBlockSize() { + return blockSize; + } + + // see JCE spec + protected int engineGetOutputSize(int inputLen) { + return doFinalLength(inputLen); + } + + // see JCE spec + protected byte[] engineGetIV() { + return (iv == null) ? null : iv.clone(); + } + + // see JCE spec + protected AlgorithmParameters engineGetParameters() { + if (iv == null) { + return null; + } + IvParameterSpec ivSpec = new IvParameterSpec(iv); + try { + AlgorithmParameters params = + AlgorithmParameters.getInstance(keyAlgorithm, + P11Util.getSunJceProvider()); + params.init(ivSpec); + return params; + } catch (GeneralSecurityException e) { + // NoSuchAlgorithmException, NoSuchProviderException + // InvalidParameterSpecException + throw new ProviderException("Could not encode parameters", e); + } + } + + // see JCE spec + protected void engineInit(int opmode, Key key, SecureRandom random) + throws InvalidKeyException { + try { + implInit(opmode, key, null, random); + } catch (InvalidAlgorithmParameterException e) { + throw new InvalidKeyException("init() failed", e); + } + } + + // see JCE spec + protected void engineInit(int opmode, Key key, + AlgorithmParameterSpec params, SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException { + byte[] ivValue; + if (params != null) { + if (params instanceof IvParameterSpec == false) { + throw new InvalidAlgorithmParameterException + ("Only IvParameterSpec supported"); + } + IvParameterSpec ivSpec = (IvParameterSpec) params; + ivValue = ivSpec.getIV(); + } else { + ivValue = null; + } + implInit(opmode, key, ivValue, random); + } + + // see JCE spec + protected void engineInit(int opmode, Key key, AlgorithmParameters params, + SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException { + byte[] ivValue; + if (params != null) { + try { + IvParameterSpec ivSpec = + params.getParameterSpec(IvParameterSpec.class); + ivValue = ivSpec.getIV(); + } catch (InvalidParameterSpecException e) { + throw new InvalidAlgorithmParameterException + ("Could not decode IV", e); + } + } else { + ivValue = null; + } + implInit(opmode, key, ivValue, random); + } + + // actual init() implementation + private void implInit(int opmode, Key key, byte[] iv, + SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException { + reset(true); + if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) { + throw new InvalidKeyException("Key size is invalid"); + } + switch (opmode) { + case Cipher.ENCRYPT_MODE: + encrypt = true; + break; + case Cipher.DECRYPT_MODE: + encrypt = false; + break; + default: + throw new InvalidAlgorithmParameterException + ("Unsupported mode: " + opmode); + } + if (blockMode == MODE_ECB) { // ECB or stream cipher + if (iv != null) { + if (blockSize == 0) { + throw new InvalidAlgorithmParameterException + ("IV not used with stream ciphers"); + } else { + throw new InvalidAlgorithmParameterException + ("IV not used in ECB mode"); + } + } + } else { // MODE_CBC or MODE_CTR + if (iv == null) { + if (encrypt == false) { + String exMsg = + (blockMode == MODE_CBC ? + "IV must be specified for decryption in CBC mode" : + "IV must be specified for decryption in CTR mode"); + throw new InvalidAlgorithmParameterException(exMsg); + } + // generate random IV + if (random == null) { + random = JCAUtil.getSecureRandom(); + } + iv = new byte[blockSize]; + random.nextBytes(iv); + } else { + if (iv.length != blockSize) { + throw new InvalidAlgorithmParameterException + ("IV length must match block size"); + } + } + } + this.iv = iv; + p11Key = P11SecretKeyFactory.convertKey(token, key, keyAlgorithm); + try { + initialize(); + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not initialize cipher", e); + } + } + + private void cancelOperation() { + if (initialized == false) { + return; + } + + if ((session == null) || (token.explicitCancel == false)) { + return; + } + try { + if (session.hasObjects() == false) { + session = token.killSession(session); + return; + } else { + // cancel operation by finishing it + int bufLen = doFinalLength(0); + byte[] buffer = new byte[bufLen]; + if (encrypt) { + token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen); + } else { + token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen); + } + } + } catch (PKCS11Exception e) { + throw new ProviderException("Cancel failed", e); + } + } + + private void ensureInitialized() throws PKCS11Exception { + if (initialized == false) { + initialize(); + } + } + + private void initialize() throws PKCS11Exception { + if (session == null) { + session = token.getOpSession(); + } + CK_MECHANISM mechParams = (blockMode == MODE_CTR? + new CK_MECHANISM(mechanism, new CK_AES_CTR_PARAMS(iv)) : + new CK_MECHANISM(mechanism, iv)); + + try { + if (encrypt) { + token.p11.C_EncryptInit(session.id(), mechParams, p11Key.keyID); + } else { + token.p11.C_DecryptInit(session.id(), mechParams, p11Key.keyID); + } + } catch (PKCS11Exception ex) { + // release session when initialization failed + session = token.releaseSession(session); + throw ex; + } + bytesBuffered = 0; + padBufferLen = 0; + initialized = true; + } + + // if update(inLen) is called, how big does the output buffer have to be? + private int updateLength(int inLen) { + if (inLen <= 0) { + return 0; + } + + int result = inLen + bytesBuffered; + if (blockSize != 0 && blockMode != MODE_CTR) { + // minus the number of bytes in the last incomplete block. + result -= (result & (blockSize - 1)); + } + return result; + } + + // if doFinal(inLen) is called, how big does the output buffer have to be? + private int doFinalLength(int inLen) { + if (inLen < 0) { + return 0; + } + + int result = inLen + bytesBuffered; + if (blockSize != 0 && encrypt && paddingType != PAD_NONE) { + // add the number of bytes to make the last block complete. + result += (blockSize - (result & (blockSize - 1))); + } + return result; + } + + // reset the states to the pre-initialized values + private void reset(boolean doCancel) { + if (doCancel) cancelOperation(); + + initialized = false; + bytesBuffered = 0; + padBufferLen = 0; + if (session != null) { + session = token.releaseSession(session); + } + } + + // see JCE spec + protected byte[] engineUpdate(byte[] in, int inOfs, int inLen) { + try { + byte[] out = new byte[updateLength(inLen)]; + int n = engineUpdate(in, inOfs, inLen, out, 0); + return P11Util.convert(out, 0, n); + } catch (ShortBufferException e) { + // convert since the output length is calculated by updateLength() + throw new ProviderException(e); + } + } + + // see JCE spec + protected int engineUpdate(byte[] in, int inOfs, int inLen, byte[] out, + int outOfs) throws ShortBufferException { + int outLen = out.length - outOfs; + return implUpdate(in, inOfs, inLen, out, outOfs, outLen); + } + + // see JCE spec + @Override + protected int engineUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer) + throws ShortBufferException { + return implUpdate(inBuffer, outBuffer); + } + + // see JCE spec + protected byte[] engineDoFinal(byte[] in, int inOfs, int inLen) + throws IllegalBlockSizeException, BadPaddingException { + try { + byte[] out = new byte[doFinalLength(inLen)]; + int n = engineDoFinal(in, inOfs, inLen, out, 0); + return P11Util.convert(out, 0, n); + } catch (ShortBufferException e) { + // convert since the output length is calculated by doFinalLength() + throw new ProviderException(e); + } + } + + // see JCE spec + protected int engineDoFinal(byte[] in, int inOfs, int inLen, byte[] out, + int outOfs) throws ShortBufferException, IllegalBlockSizeException, + BadPaddingException { + int n = 0; + if ((inLen != 0) && (in != null)) { + n = engineUpdate(in, inOfs, inLen, out, outOfs); + outOfs += n; + } + n += implDoFinal(out, outOfs, out.length - outOfs); + return n; + } + + // see JCE spec + @Override + protected int engineDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer) + throws ShortBufferException, IllegalBlockSizeException, + BadPaddingException { + int n = engineUpdate(inBuffer, outBuffer); + n += implDoFinal(outBuffer); + return n; + } + + private int implUpdate(byte[] in, int inOfs, int inLen, + byte[] out, int outOfs, int outLen) throws ShortBufferException { + if (outLen < updateLength(inLen)) { + throw new ShortBufferException(); + } + try { + ensureInitialized(); + int k = 0; + if (encrypt) { + k = token.p11.C_EncryptUpdate(session.id(), 0, in, inOfs, inLen, + 0, out, outOfs, outLen); + } else { + int newPadBufferLen = 0; + if (paddingObj != null) { + if (padBufferLen != 0) { + // NSS throws up when called with data not in multiple + // of blocks. Try to work around this by holding the + // extra data in padBuffer. + if (padBufferLen != padBuffer.length) { + int bufCapacity = padBuffer.length - padBufferLen; + if (inLen > bufCapacity) { + bufferInputBytes(in, inOfs, bufCapacity); + inOfs += bufCapacity; + inLen -= bufCapacity; + } else { + bufferInputBytes(in, inOfs, inLen); + return 0; + } + } + k = token.p11.C_DecryptUpdate(session.id(), + 0, padBuffer, 0, padBufferLen, + 0, out, outOfs, outLen); + padBufferLen = 0; + } + newPadBufferLen = inLen & (blockSize - 1); + if (newPadBufferLen == 0) { + newPadBufferLen = padBuffer.length; + } + inLen -= newPadBufferLen; + } + if (inLen > 0) { + k += token.p11.C_DecryptUpdate(session.id(), 0, in, inOfs, + inLen, 0, out, (outOfs + k), (outLen - k)); + } + // update 'padBuffer' if using our own padding impl. + if (paddingObj != null) { + bufferInputBytes(in, inOfs + inLen, newPadBufferLen); + } + } + bytesBuffered += (inLen - k); + return k; + } catch (PKCS11Exception e) { + if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { + throw (ShortBufferException) + (new ShortBufferException().initCause(e)); + } + reset(false); + throw new ProviderException("update() failed", e); + } + } + + private int implUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer) + throws ShortBufferException { + int inLen = inBuffer.remaining(); + if (inLen <= 0) { + return 0; + } + + int outLen = outBuffer.remaining(); + if (outLen < updateLength(inLen)) { + throw new ShortBufferException(); + } + int origPos = inBuffer.position(); + try { + ensureInitialized(); + + long inAddr = 0; + int inOfs = 0; + byte[] inArray = null; + + if (inBuffer instanceof DirectBuffer) { + inAddr = ((DirectBuffer) inBuffer).address(); + inOfs = origPos; + } else if (inBuffer.hasArray()) { + inArray = inBuffer.array(); + inOfs = (origPos + inBuffer.arrayOffset()); + } + + long outAddr = 0; + int outOfs = 0; + byte[] outArray = null; + if (outBuffer instanceof DirectBuffer) { + outAddr = ((DirectBuffer) outBuffer).address(); + outOfs = outBuffer.position(); + } else { + if (outBuffer.hasArray()) { + outArray = outBuffer.array(); + outOfs = (outBuffer.position() + outBuffer.arrayOffset()); + } else { + outArray = new byte[outLen]; + } + } + + int k = 0; + if (encrypt) { + if (inAddr == 0 && inArray == null) { + inArray = new byte[inLen]; + inBuffer.get(inArray); + } else { + inBuffer.position(origPos + inLen); + } + k = token.p11.C_EncryptUpdate(session.id(), + inAddr, inArray, inOfs, inLen, + outAddr, outArray, outOfs, outLen); + } else { + int newPadBufferLen = 0; + if (paddingObj != null) { + if (padBufferLen != 0) { + // NSS throws up when called with data not in multiple + // of blocks. Try to work around this by holding the + // extra data in padBuffer. + if (padBufferLen != padBuffer.length) { + int bufCapacity = padBuffer.length - padBufferLen; + if (inLen > bufCapacity) { + bufferInputBytes(inBuffer, bufCapacity); + inOfs += bufCapacity; + inLen -= bufCapacity; + } else { + bufferInputBytes(inBuffer, inLen); + return 0; + } + } + k = token.p11.C_DecryptUpdate(session.id(), 0, + padBuffer, 0, padBufferLen, outAddr, outArray, + outOfs, outLen); + padBufferLen = 0; + } + newPadBufferLen = inLen & (blockSize - 1); + if (newPadBufferLen == 0) { + newPadBufferLen = padBuffer.length; + } + inLen -= newPadBufferLen; + } + if (inLen > 0) { + if (inAddr == 0 && inArray == null) { + inArray = new byte[inLen]; + inBuffer.get(inArray); + } else { + inBuffer.position(inBuffer.position() + inLen); + } + k += token.p11.C_DecryptUpdate(session.id(), inAddr, + inArray, inOfs, inLen, outAddr, outArray, + (outOfs + k), (outLen - k)); + } + // update 'padBuffer' if using our own padding impl. + if (paddingObj != null && newPadBufferLen != 0) { + bufferInputBytes(inBuffer, newPadBufferLen); + } + } + bytesBuffered += (inLen - k); + if (!(outBuffer instanceof DirectBuffer) && + !outBuffer.hasArray()) { + outBuffer.put(outArray, outOfs, k); + } else { + outBuffer.position(outBuffer.position() + k); + } + return k; + } catch (PKCS11Exception e) { + // Reset input buffer to its original position for + inBuffer.position(origPos); + if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { + throw (ShortBufferException) + (new ShortBufferException().initCause(e)); + } + reset(false); + throw new ProviderException("update() failed", e); + } + } + + private int implDoFinal(byte[] out, int outOfs, int outLen) + throws ShortBufferException, IllegalBlockSizeException, + BadPaddingException { + int requiredOutLen = doFinalLength(0); + if (outLen < requiredOutLen) { + throw new ShortBufferException(); + } + boolean doCancel = true; + try { + ensureInitialized(); + int k = 0; + if (encrypt) { + if (paddingObj != null) { + int actualPadLen = paddingObj.setPaddingBytes(padBuffer, + requiredOutLen - bytesBuffered); + k = token.p11.C_EncryptUpdate(session.id(), + 0, padBuffer, 0, actualPadLen, + 0, out, outOfs, outLen); + } + k += token.p11.C_EncryptFinal(session.id(), + 0, out, (outOfs + k), (outLen - k)); + doCancel = false; + } else { + // Special handling to match SunJCE provider behavior + if (bytesBuffered == 0 && padBufferLen == 0) { + return 0; + } + if (paddingObj != null) { + if (padBufferLen != 0) { + k = token.p11.C_DecryptUpdate(session.id(), 0, + padBuffer, 0, padBufferLen, 0, padBuffer, 0, + padBuffer.length); + } + k += token.p11.C_DecryptFinal(session.id(), 0, padBuffer, k, + padBuffer.length - k); + doCancel = false; + + int actualPadLen = paddingObj.unpad(padBuffer, k); + k -= actualPadLen; + System.arraycopy(padBuffer, 0, out, outOfs, k); + } else { + k = token.p11.C_DecryptFinal(session.id(), 0, out, outOfs, + outLen); + doCancel = false; + } + } + return k; + } catch (PKCS11Exception e) { + doCancel = false; + handleException(e); + throw new ProviderException("doFinal() failed", e); + } finally { + reset(doCancel); + } + } + + private int implDoFinal(ByteBuffer outBuffer) + throws ShortBufferException, IllegalBlockSizeException, + BadPaddingException { + int outLen = outBuffer.remaining(); + int requiredOutLen = doFinalLength(0); + if (outLen < requiredOutLen) { + throw new ShortBufferException(); + } + + boolean doCancel = true; + try { + ensureInitialized(); + + long outAddr = 0; + byte[] outArray = null; + int outOfs = 0; + if (outBuffer instanceof DirectBuffer) { + outAddr = ((DirectBuffer) outBuffer).address(); + outOfs = outBuffer.position(); + } else { + if (outBuffer.hasArray()) { + outArray = outBuffer.array(); + outOfs = outBuffer.position() + outBuffer.arrayOffset(); + } else { + outArray = new byte[outLen]; + } + } + + int k = 0; + + if (encrypt) { + if (paddingObj != null) { + int actualPadLen = paddingObj.setPaddingBytes(padBuffer, + requiredOutLen - bytesBuffered); + k = token.p11.C_EncryptUpdate(session.id(), + 0, padBuffer, 0, actualPadLen, + outAddr, outArray, outOfs, outLen); + } + k += token.p11.C_EncryptFinal(session.id(), + outAddr, outArray, (outOfs + k), (outLen - k)); + doCancel = false; + } else { + // Special handling to match SunJCE provider behavior + if (bytesBuffered == 0 && padBufferLen == 0) { + return 0; + } + + if (paddingObj != null) { + if (padBufferLen != 0) { + k = token.p11.C_DecryptUpdate(session.id(), + 0, padBuffer, 0, padBufferLen, + 0, padBuffer, 0, padBuffer.length); + padBufferLen = 0; + } + k += token.p11.C_DecryptFinal(session.id(), + 0, padBuffer, k, padBuffer.length - k); + doCancel = false; + + int actualPadLen = paddingObj.unpad(padBuffer, k); + k -= actualPadLen; + outArray = padBuffer; + outOfs = 0; + } else { + k = token.p11.C_DecryptFinal(session.id(), + outAddr, outArray, outOfs, outLen); + doCancel = false; + } + } + if ((!encrypt && paddingObj != null) || + (!(outBuffer instanceof DirectBuffer) && + !outBuffer.hasArray())) { + outBuffer.put(outArray, outOfs, k); + } else { + outBuffer.position(outBuffer.position() + k); + } + return k; + } catch (PKCS11Exception e) { + doCancel = false; + handleException(e); + throw new ProviderException("doFinal() failed", e); + } finally { + reset(doCancel); + } + } + + private void handleException(PKCS11Exception e) + throws ShortBufferException, IllegalBlockSizeException { + long errorCode = e.getErrorCode(); + if (errorCode == CKR_BUFFER_TOO_SMALL) { + throw (ShortBufferException) + (new ShortBufferException().initCause(e)); + } else if (errorCode == CKR_DATA_LEN_RANGE || + errorCode == CKR_ENCRYPTED_DATA_LEN_RANGE) { + throw (IllegalBlockSizeException) + (new IllegalBlockSizeException(e.toString()).initCause(e)); + } + } + + // see JCE spec + protected byte[] engineWrap(Key key) throws IllegalBlockSizeException, + InvalidKeyException { + // XXX key wrapping + throw new UnsupportedOperationException("engineWrap()"); + } + + // see JCE spec + protected Key engineUnwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, + int wrappedKeyType) + throws InvalidKeyException, NoSuchAlgorithmException { + // XXX key unwrapping + throw new UnsupportedOperationException("engineUnwrap()"); + } + + // see JCE spec + @Override + protected int engineGetKeySize(Key key) throws InvalidKeyException { + int n = P11SecretKeyFactory.convertKey + (token, key, keyAlgorithm).length(); + return n; + } + + private final void bufferInputBytes(byte[] in, int inOfs, int len) { + System.arraycopy(in, inOfs, padBuffer, padBufferLen, len); + padBufferLen += len; + bytesBuffered += len; + } + + private final void bufferInputBytes(ByteBuffer inBuffer, int len) { + inBuffer.get(padBuffer, padBufferLen, len); + padBufferLen += len; + bytesBuffered += len; + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11DHKeyFactory.java 2017-01-20 09:52:26.526289402 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,263 +0,0 @@ -/* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.math.BigInteger; - -import java.security.*; -import java.security.spec.*; - -import javax.crypto.interfaces.*; -import javax.crypto.spec.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * DH KeyFactory implementation. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11DHKeyFactory extends P11KeyFactory { - - P11DHKeyFactory(Token token, String algorithm) { - super(token, algorithm); - } - - PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException { - try { - if (key instanceof DHPublicKey) { - DHPublicKey dhKey = (DHPublicKey)key; - DHParameterSpec params = dhKey.getParams(); - return generatePublic( - dhKey.getY(), - params.getP(), - params.getG() - ); - } else if ("X.509".equals(key.getFormat())) { - // let SunJCE provider parse for us, then recurse - try { - KeyFactory factory = implGetSoftwareFactory(); - key = (PublicKey)factory.translateKey(key); - return implTranslatePublicKey(key); - } catch (GeneralSecurityException e) { - throw new InvalidKeyException("Could not translate key", e); - } - } else { - throw new InvalidKeyException("PublicKey must be instance " - + "of DHPublicKey or have X.509 encoding"); - } - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create DH public key", e); - } - } - - PrivateKey implTranslatePrivateKey(PrivateKey key) - throws InvalidKeyException { - try { - if (key instanceof DHPrivateKey) { - DHPrivateKey dhKey = (DHPrivateKey)key; - DHParameterSpec params = dhKey.getParams(); - return generatePrivate( - dhKey.getX(), - params.getP(), - params.getG() - ); - } else if ("PKCS#8".equals(key.getFormat())) { - // let SunJCE provider parse for us, then recurse - try { - KeyFactory factory = implGetSoftwareFactory(); - key = (PrivateKey)factory.translateKey(key); - return implTranslatePrivateKey(key); - } catch (GeneralSecurityException e) { - throw new InvalidKeyException("Could not translate key", e); - } - } else { - throw new InvalidKeyException("PrivateKey must be instance " - + "of DHPrivateKey or have PKCS#8 encoding"); - } - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create DH private key", e); - } - } - - // see JCA spec - protected PublicKey engineGeneratePublic(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec instanceof X509EncodedKeySpec) { - try { - KeyFactory factory = implGetSoftwareFactory(); - PublicKey key = factory.generatePublic(keySpec); - return implTranslatePublicKey(key); - } catch (GeneralSecurityException e) { - throw new InvalidKeySpecException - ("Could not create DH public key", e); - } - } - if (keySpec instanceof DHPublicKeySpec == false) { - throw new InvalidKeySpecException("Only DHPublicKeySpec and " - + "X509EncodedKeySpec supported for DH public keys"); - } - try { - DHPublicKeySpec ds = (DHPublicKeySpec)keySpec; - return generatePublic( - ds.getY(), - ds.getP(), - ds.getG() - ); - } catch (PKCS11Exception e) { - throw new InvalidKeySpecException - ("Could not create DH public key", e); - } - } - - // see JCA spec - protected PrivateKey engineGeneratePrivate(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec instanceof PKCS8EncodedKeySpec) { - try { - KeyFactory factory = implGetSoftwareFactory(); - PrivateKey key = factory.generatePrivate(keySpec); - return implTranslatePrivateKey(key); - } catch (GeneralSecurityException e) { - throw new InvalidKeySpecException - ("Could not create DH private key", e); - } - } - if (keySpec instanceof DHPrivateKeySpec == false) { - throw new InvalidKeySpecException("Only DHPrivateKeySpec and " - + "PKCS8EncodedKeySpec supported for DH private keys"); - } - try { - DHPrivateKeySpec ds = (DHPrivateKeySpec)keySpec; - return generatePrivate( - ds.getX(), - ds.getP(), - ds.getG() - ); - } catch (PKCS11Exception e) { - throw new InvalidKeySpecException - ("Could not create DH private key", e); - } - } - - private PublicKey generatePublic(BigInteger y, BigInteger p, BigInteger g) - throws PKCS11Exception { - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DH), - new CK_ATTRIBUTE(CKA_VALUE, y), - new CK_ATTRIBUTE(CKA_PRIME, p), - new CK_ATTRIBUTE(CKA_BASE, g), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PUBLIC_KEY, CKK_DH, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.publicKey - (session, keyID, "DH", p.bitLength(), attributes); - } finally { - token.releaseSession(session); - } - } - - private PrivateKey generatePrivate(BigInteger x, BigInteger p, - BigInteger g) throws PKCS11Exception { - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DH), - new CK_ATTRIBUTE(CKA_VALUE, x), - new CK_ATTRIBUTE(CKA_PRIME, p), - new CK_ATTRIBUTE(CKA_BASE, g), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PRIVATE_KEY, CKK_DH, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.privateKey - (session, keyID, "DH", p.bitLength(), attributes); - } finally { - token.releaseSession(session); - } - } - - T implGetPublicKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException { - if (DHPublicKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_PRIME), - new CK_ATTRIBUTE(CKA_BASE), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - KeySpec spec = new DHPublicKeySpec( - attributes[0].getBigInteger(), - attributes[1].getBigInteger(), - attributes[2].getBigInteger() - ); - return keySpec.cast(spec); - } else { // X.509 handled in superclass - throw new InvalidKeySpecException("Only DHPublicKeySpec and " - + "X509EncodedKeySpec supported for DH public keys"); - } - } - - T implGetPrivateKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException { - if (DHPrivateKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_PRIME), - new CK_ATTRIBUTE(CKA_BASE), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - KeySpec spec = new DHPrivateKeySpec( - attributes[0].getBigInteger(), - attributes[1].getBigInteger(), - attributes[2].getBigInteger() - ); - return keySpec.cast(spec); - } else { // PKCS#8 handled in superclass - throw new InvalidKeySpecException("Only DHPrivateKeySpec " - + "and PKCS8EncodedKeySpec supported for DH private keys"); - } - } - - KeyFactory implGetSoftwareFactory() throws GeneralSecurityException { - return KeyFactory.getInstance("DH", P11Util.getSunJceProvider()); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11DHKeyFactory.java 2017-01-20 09:52:26.094289418 -0800 @@ -0,0 +1,263 @@ +/* + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; + +import java.security.*; +import java.security.spec.*; + +import javax.crypto.interfaces.*; +import javax.crypto.spec.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * DH KeyFactory implementation. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11DHKeyFactory extends P11KeyFactory { + + P11DHKeyFactory(Token token, String algorithm) { + super(token, algorithm); + } + + PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException { + try { + if (key instanceof DHPublicKey) { + DHPublicKey dhKey = (DHPublicKey)key; + DHParameterSpec params = dhKey.getParams(); + return generatePublic( + dhKey.getY(), + params.getP(), + params.getG() + ); + } else if ("X.509".equals(key.getFormat())) { + // let SunJCE provider parse for us, then recurse + try { + KeyFactory factory = implGetSoftwareFactory(); + key = (PublicKey)factory.translateKey(key); + return implTranslatePublicKey(key); + } catch (GeneralSecurityException e) { + throw new InvalidKeyException("Could not translate key", e); + } + } else { + throw new InvalidKeyException("PublicKey must be instance " + + "of DHPublicKey or have X.509 encoding"); + } + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create DH public key", e); + } + } + + PrivateKey implTranslatePrivateKey(PrivateKey key) + throws InvalidKeyException { + try { + if (key instanceof DHPrivateKey) { + DHPrivateKey dhKey = (DHPrivateKey)key; + DHParameterSpec params = dhKey.getParams(); + return generatePrivate( + dhKey.getX(), + params.getP(), + params.getG() + ); + } else if ("PKCS#8".equals(key.getFormat())) { + // let SunJCE provider parse for us, then recurse + try { + KeyFactory factory = implGetSoftwareFactory(); + key = (PrivateKey)factory.translateKey(key); + return implTranslatePrivateKey(key); + } catch (GeneralSecurityException e) { + throw new InvalidKeyException("Could not translate key", e); + } + } else { + throw new InvalidKeyException("PrivateKey must be instance " + + "of DHPrivateKey or have PKCS#8 encoding"); + } + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create DH private key", e); + } + } + + // see JCA spec + protected PublicKey engineGeneratePublic(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec instanceof X509EncodedKeySpec) { + try { + KeyFactory factory = implGetSoftwareFactory(); + PublicKey key = factory.generatePublic(keySpec); + return implTranslatePublicKey(key); + } catch (GeneralSecurityException e) { + throw new InvalidKeySpecException + ("Could not create DH public key", e); + } + } + if (keySpec instanceof DHPublicKeySpec == false) { + throw new InvalidKeySpecException("Only DHPublicKeySpec and " + + "X509EncodedKeySpec supported for DH public keys"); + } + try { + DHPublicKeySpec ds = (DHPublicKeySpec)keySpec; + return generatePublic( + ds.getY(), + ds.getP(), + ds.getG() + ); + } catch (PKCS11Exception e) { + throw new InvalidKeySpecException + ("Could not create DH public key", e); + } + } + + // see JCA spec + protected PrivateKey engineGeneratePrivate(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec instanceof PKCS8EncodedKeySpec) { + try { + KeyFactory factory = implGetSoftwareFactory(); + PrivateKey key = factory.generatePrivate(keySpec); + return implTranslatePrivateKey(key); + } catch (GeneralSecurityException e) { + throw new InvalidKeySpecException + ("Could not create DH private key", e); + } + } + if (keySpec instanceof DHPrivateKeySpec == false) { + throw new InvalidKeySpecException("Only DHPrivateKeySpec and " + + "PKCS8EncodedKeySpec supported for DH private keys"); + } + try { + DHPrivateKeySpec ds = (DHPrivateKeySpec)keySpec; + return generatePrivate( + ds.getX(), + ds.getP(), + ds.getG() + ); + } catch (PKCS11Exception e) { + throw new InvalidKeySpecException + ("Could not create DH private key", e); + } + } + + private PublicKey generatePublic(BigInteger y, BigInteger p, BigInteger g) + throws PKCS11Exception { + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DH), + new CK_ATTRIBUTE(CKA_VALUE, y), + new CK_ATTRIBUTE(CKA_PRIME, p), + new CK_ATTRIBUTE(CKA_BASE, g), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PUBLIC_KEY, CKK_DH, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.publicKey + (session, keyID, "DH", p.bitLength(), attributes); + } finally { + token.releaseSession(session); + } + } + + private PrivateKey generatePrivate(BigInteger x, BigInteger p, + BigInteger g) throws PKCS11Exception { + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DH), + new CK_ATTRIBUTE(CKA_VALUE, x), + new CK_ATTRIBUTE(CKA_PRIME, p), + new CK_ATTRIBUTE(CKA_BASE, g), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PRIVATE_KEY, CKK_DH, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.privateKey + (session, keyID, "DH", p.bitLength(), attributes); + } finally { + token.releaseSession(session); + } + } + + T implGetPublicKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException { + if (DHPublicKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_PRIME), + new CK_ATTRIBUTE(CKA_BASE), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + KeySpec spec = new DHPublicKeySpec( + attributes[0].getBigInteger(), + attributes[1].getBigInteger(), + attributes[2].getBigInteger() + ); + return keySpec.cast(spec); + } else { // X.509 handled in superclass + throw new InvalidKeySpecException("Only DHPublicKeySpec and " + + "X509EncodedKeySpec supported for DH public keys"); + } + } + + T implGetPrivateKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException { + if (DHPrivateKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_PRIME), + new CK_ATTRIBUTE(CKA_BASE), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + KeySpec spec = new DHPrivateKeySpec( + attributes[0].getBigInteger(), + attributes[1].getBigInteger(), + attributes[2].getBigInteger() + ); + return keySpec.cast(spec); + } else { // PKCS#8 handled in superclass + throw new InvalidKeySpecException("Only DHPrivateKeySpec " + + "and PKCS8EncodedKeySpec supported for DH private keys"); + } + } + + KeyFactory implGetSoftwareFactory() throws GeneralSecurityException { + return KeyFactory.getInstance("DH", P11Util.getSunJceProvider()); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11DSAKeyFactory.java 2017-01-20 09:52:27.250289375 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,263 +0,0 @@ -/* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.math.BigInteger; - -import java.security.*; -import java.security.interfaces.*; -import java.security.spec.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * DSA KeyFactory implementation. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11DSAKeyFactory extends P11KeyFactory { - - P11DSAKeyFactory(Token token, String algorithm) { - super(token, algorithm); - } - - PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException { - try { - if (key instanceof DSAPublicKey) { - DSAPublicKey dsaKey = (DSAPublicKey)key; - DSAParams params = dsaKey.getParams(); - return generatePublic( - dsaKey.getY(), - params.getP(), - params.getQ(), - params.getG() - ); - } else if ("X.509".equals(key.getFormat())) { - // let Sun provider parse for us, then recurse - byte[] encoded = key.getEncoded(); - key = new sun.security.provider.DSAPublicKey(encoded); - return implTranslatePublicKey(key); - } else { - throw new InvalidKeyException("PublicKey must be instance " - + "of DSAPublicKey or have X.509 encoding"); - } - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create DSA public key", e); - } - } - - PrivateKey implTranslatePrivateKey(PrivateKey key) - throws InvalidKeyException { - try { - if (key instanceof DSAPrivateKey) { - DSAPrivateKey dsaKey = (DSAPrivateKey)key; - DSAParams params = dsaKey.getParams(); - return generatePrivate( - dsaKey.getX(), - params.getP(), - params.getQ(), - params.getG() - ); - } else if ("PKCS#8".equals(key.getFormat())) { - // let Sun provider parse for us, then recurse - byte[] encoded = key.getEncoded(); - key = new sun.security.provider.DSAPrivateKey(encoded); - return implTranslatePrivateKey(key); - } else { - throw new InvalidKeyException("PrivateKey must be instance " - + "of DSAPrivateKey or have PKCS#8 encoding"); - } - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create DSA private key", e); - } - } - - // see JCA spec - protected PublicKey engineGeneratePublic(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec instanceof X509EncodedKeySpec) { - try { - byte[] encoded = ((X509EncodedKeySpec)keySpec).getEncoded(); - PublicKey key = new sun.security.provider.DSAPublicKey(encoded); - return implTranslatePublicKey(key); - } catch (InvalidKeyException e) { - throw new InvalidKeySpecException - ("Could not create DSA public key", e); - } - } - if (keySpec instanceof DSAPublicKeySpec == false) { - throw new InvalidKeySpecException("Only DSAPublicKeySpec and " - + "X509EncodedKeySpec supported for DSA public keys"); - } - try { - DSAPublicKeySpec ds = (DSAPublicKeySpec)keySpec; - return generatePublic( - ds.getY(), - ds.getP(), - ds.getQ(), - ds.getG() - ); - } catch (PKCS11Exception e) { - throw new InvalidKeySpecException - ("Could not create DSA public key", e); - } - } - - // see JCA spec - protected PrivateKey engineGeneratePrivate(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec instanceof PKCS8EncodedKeySpec) { - try { - byte[] encoded = ((PKCS8EncodedKeySpec)keySpec).getEncoded(); - PrivateKey key = new sun.security.provider.DSAPrivateKey(encoded); - return implTranslatePrivateKey(key); - } catch (GeneralSecurityException e) { - throw new InvalidKeySpecException - ("Could not create DSA private key", e); - } - } - if (keySpec instanceof DSAPrivateKeySpec == false) { - throw new InvalidKeySpecException("Only DSAPrivateKeySpec and " - + "PKCS8EncodedKeySpec supported for DSA private keys"); - } - try { - DSAPrivateKeySpec ds = (DSAPrivateKeySpec)keySpec; - return generatePrivate( - ds.getX(), - ds.getP(), - ds.getQ(), - ds.getG() - ); - } catch (PKCS11Exception e) { - throw new InvalidKeySpecException - ("Could not create DSA private key", e); - } - } - - private PublicKey generatePublic(BigInteger y, BigInteger p, BigInteger q, - BigInteger g) throws PKCS11Exception { - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DSA), - new CK_ATTRIBUTE(CKA_VALUE, y), - new CK_ATTRIBUTE(CKA_PRIME, p), - new CK_ATTRIBUTE(CKA_SUBPRIME, q), - new CK_ATTRIBUTE(CKA_BASE, g), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PUBLIC_KEY, CKK_DSA, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.publicKey - (session, keyID, "DSA", p.bitLength(), attributes); - } finally { - token.releaseSession(session); - } - } - - private PrivateKey generatePrivate(BigInteger x, BigInteger p, - BigInteger q, BigInteger g) throws PKCS11Exception { - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DSA), - new CK_ATTRIBUTE(CKA_VALUE, x), - new CK_ATTRIBUTE(CKA_PRIME, p), - new CK_ATTRIBUTE(CKA_SUBPRIME, q), - new CK_ATTRIBUTE(CKA_BASE, g), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PRIVATE_KEY, CKK_DSA, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.privateKey - (session, keyID, "DSA", p.bitLength(), attributes); - } finally { - token.releaseSession(session); - } - } - - T implGetPublicKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException { - if (DSAPublicKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_PRIME), - new CK_ATTRIBUTE(CKA_SUBPRIME), - new CK_ATTRIBUTE(CKA_BASE), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - KeySpec spec = new DSAPublicKeySpec( - attributes[0].getBigInteger(), - attributes[1].getBigInteger(), - attributes[2].getBigInteger(), - attributes[3].getBigInteger() - ); - return keySpec.cast(spec); - } else { // X.509 handled in superclass - throw new InvalidKeySpecException("Only DSAPublicKeySpec and " - + "X509EncodedKeySpec supported for DSA public keys"); - } - } - - T implGetPrivateKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException { - if (DSAPrivateKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_PRIME), - new CK_ATTRIBUTE(CKA_SUBPRIME), - new CK_ATTRIBUTE(CKA_BASE), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - KeySpec spec = new DSAPrivateKeySpec( - attributes[0].getBigInteger(), - attributes[1].getBigInteger(), - attributes[2].getBigInteger(), - attributes[3].getBigInteger() - ); - return keySpec.cast(spec); - } else { // PKCS#8 handled in superclass - throw new InvalidKeySpecException("Only DSAPrivateKeySpec " - + "and PKCS8EncodedKeySpec supported for DSA private keys"); - } - } - - KeyFactory implGetSoftwareFactory() throws GeneralSecurityException { - return KeyFactory.getInstance("DSA", P11Util.getSunProvider()); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11DSAKeyFactory.java 2017-01-20 09:52:26.878289389 -0800 @@ -0,0 +1,263 @@ +/* + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; + +import java.security.*; +import java.security.interfaces.*; +import java.security.spec.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * DSA KeyFactory implementation. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11DSAKeyFactory extends P11KeyFactory { + + P11DSAKeyFactory(Token token, String algorithm) { + super(token, algorithm); + } + + PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException { + try { + if (key instanceof DSAPublicKey) { + DSAPublicKey dsaKey = (DSAPublicKey)key; + DSAParams params = dsaKey.getParams(); + return generatePublic( + dsaKey.getY(), + params.getP(), + params.getQ(), + params.getG() + ); + } else if ("X.509".equals(key.getFormat())) { + // let Sun provider parse for us, then recurse + byte[] encoded = key.getEncoded(); + key = new sun.security.provider.DSAPublicKey(encoded); + return implTranslatePublicKey(key); + } else { + throw new InvalidKeyException("PublicKey must be instance " + + "of DSAPublicKey or have X.509 encoding"); + } + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create DSA public key", e); + } + } + + PrivateKey implTranslatePrivateKey(PrivateKey key) + throws InvalidKeyException { + try { + if (key instanceof DSAPrivateKey) { + DSAPrivateKey dsaKey = (DSAPrivateKey)key; + DSAParams params = dsaKey.getParams(); + return generatePrivate( + dsaKey.getX(), + params.getP(), + params.getQ(), + params.getG() + ); + } else if ("PKCS#8".equals(key.getFormat())) { + // let Sun provider parse for us, then recurse + byte[] encoded = key.getEncoded(); + key = new sun.security.provider.DSAPrivateKey(encoded); + return implTranslatePrivateKey(key); + } else { + throw new InvalidKeyException("PrivateKey must be instance " + + "of DSAPrivateKey or have PKCS#8 encoding"); + } + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create DSA private key", e); + } + } + + // see JCA spec + protected PublicKey engineGeneratePublic(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec instanceof X509EncodedKeySpec) { + try { + byte[] encoded = ((X509EncodedKeySpec)keySpec).getEncoded(); + PublicKey key = new sun.security.provider.DSAPublicKey(encoded); + return implTranslatePublicKey(key); + } catch (InvalidKeyException e) { + throw new InvalidKeySpecException + ("Could not create DSA public key", e); + } + } + if (keySpec instanceof DSAPublicKeySpec == false) { + throw new InvalidKeySpecException("Only DSAPublicKeySpec and " + + "X509EncodedKeySpec supported for DSA public keys"); + } + try { + DSAPublicKeySpec ds = (DSAPublicKeySpec)keySpec; + return generatePublic( + ds.getY(), + ds.getP(), + ds.getQ(), + ds.getG() + ); + } catch (PKCS11Exception e) { + throw new InvalidKeySpecException + ("Could not create DSA public key", e); + } + } + + // see JCA spec + protected PrivateKey engineGeneratePrivate(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec instanceof PKCS8EncodedKeySpec) { + try { + byte[] encoded = ((PKCS8EncodedKeySpec)keySpec).getEncoded(); + PrivateKey key = new sun.security.provider.DSAPrivateKey(encoded); + return implTranslatePrivateKey(key); + } catch (GeneralSecurityException e) { + throw new InvalidKeySpecException + ("Could not create DSA private key", e); + } + } + if (keySpec instanceof DSAPrivateKeySpec == false) { + throw new InvalidKeySpecException("Only DSAPrivateKeySpec and " + + "PKCS8EncodedKeySpec supported for DSA private keys"); + } + try { + DSAPrivateKeySpec ds = (DSAPrivateKeySpec)keySpec; + return generatePrivate( + ds.getX(), + ds.getP(), + ds.getQ(), + ds.getG() + ); + } catch (PKCS11Exception e) { + throw new InvalidKeySpecException + ("Could not create DSA private key", e); + } + } + + private PublicKey generatePublic(BigInteger y, BigInteger p, BigInteger q, + BigInteger g) throws PKCS11Exception { + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DSA), + new CK_ATTRIBUTE(CKA_VALUE, y), + new CK_ATTRIBUTE(CKA_PRIME, p), + new CK_ATTRIBUTE(CKA_SUBPRIME, q), + new CK_ATTRIBUTE(CKA_BASE, g), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PUBLIC_KEY, CKK_DSA, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.publicKey + (session, keyID, "DSA", p.bitLength(), attributes); + } finally { + token.releaseSession(session); + } + } + + private PrivateKey generatePrivate(BigInteger x, BigInteger p, + BigInteger q, BigInteger g) throws PKCS11Exception { + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DSA), + new CK_ATTRIBUTE(CKA_VALUE, x), + new CK_ATTRIBUTE(CKA_PRIME, p), + new CK_ATTRIBUTE(CKA_SUBPRIME, q), + new CK_ATTRIBUTE(CKA_BASE, g), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PRIVATE_KEY, CKK_DSA, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.privateKey + (session, keyID, "DSA", p.bitLength(), attributes); + } finally { + token.releaseSession(session); + } + } + + T implGetPublicKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException { + if (DSAPublicKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_PRIME), + new CK_ATTRIBUTE(CKA_SUBPRIME), + new CK_ATTRIBUTE(CKA_BASE), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + KeySpec spec = new DSAPublicKeySpec( + attributes[0].getBigInteger(), + attributes[1].getBigInteger(), + attributes[2].getBigInteger(), + attributes[3].getBigInteger() + ); + return keySpec.cast(spec); + } else { // X.509 handled in superclass + throw new InvalidKeySpecException("Only DSAPublicKeySpec and " + + "X509EncodedKeySpec supported for DSA public keys"); + } + } + + T implGetPrivateKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException { + if (DSAPrivateKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_PRIME), + new CK_ATTRIBUTE(CKA_SUBPRIME), + new CK_ATTRIBUTE(CKA_BASE), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + KeySpec spec = new DSAPrivateKeySpec( + attributes[0].getBigInteger(), + attributes[1].getBigInteger(), + attributes[2].getBigInteger(), + attributes[3].getBigInteger() + ); + return keySpec.cast(spec); + } else { // PKCS#8 handled in superclass + throw new InvalidKeySpecException("Only DSAPrivateKeySpec " + + "and PKCS8EncodedKeySpec supported for DSA private keys"); + } + } + + KeyFactory implGetSoftwareFactory() throws GeneralSecurityException { + return KeyFactory.getInstance("DSA", P11Util.getSunProvider()); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Digest.java 2017-01-20 09:52:28.202289339 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,325 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.util.*; -import java.nio.ByteBuffer; - -import java.security.*; - -import javax.crypto.SecretKey; - -import sun.nio.ch.DirectBuffer; - -import sun.security.util.MessageDigestSpi2; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * MessageDigest implementation class. This class currently supports - * MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. - * - * Note that many digest operations are on fairly small amounts of data - * (less than 100 bytes total). For example, the 2nd hashing in HMAC or - * the PRF in TLS. In order to speed those up, we use some buffering to - * minimize number of the Java->native transitions. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11Digest extends MessageDigestSpi implements Cloneable, - MessageDigestSpi2 { - - /* fields initialized, no session acquired */ - private final static int S_BLANK = 1; - - /* data in buffer, session acquired, but digest not initialized */ - private final static int S_BUFFERED = 2; - - /* session initialized for digesting */ - private final static int S_INIT = 3; - - private final static int BUFFER_SIZE = 96; - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id object - private final CK_MECHANISM mechanism; - - // length of the digest in bytes - private final int digestLength; - - // associated session, if any - private Session session; - - // current state, one of S_* above - private int state; - - // buffer to reduce number of JNI calls - private byte[] buffer; - - // offset into the buffer - private int bufOfs; - - P11Digest(Token token, String algorithm, long mechanism) { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = new CK_MECHANISM(mechanism); - switch ((int)mechanism) { - case (int)CKM_MD2: - case (int)CKM_MD5: - digestLength = 16; - break; - case (int)CKM_SHA_1: - digestLength = 20; - break; - case (int)CKM_SHA224: - digestLength = 28; - break; - case (int)CKM_SHA256: - digestLength = 32; - break; - case (int)CKM_SHA384: - digestLength = 48; - break; - case (int)CKM_SHA512: - digestLength = 64; - break; - default: - throw new ProviderException("Unknown mechanism: " + mechanism); - } - buffer = new byte[BUFFER_SIZE]; - state = S_BLANK; - } - - // see JCA spec - protected int engineGetDigestLength() { - return digestLength; - } - - private void fetchSession() { - token.ensureValid(); - if (state == S_BLANK) { - try { - session = token.getOpSession(); - state = S_BUFFERED; - } catch (PKCS11Exception e) { - throw new ProviderException("No more session available", e); - } - } - } - - // see JCA spec - protected void engineReset() { - token.ensureValid(); - - if (session != null) { - if (state == S_INIT && token.explicitCancel == true) { - session = token.killSession(session); - } else { - session = token.releaseSession(session); - } - } - state = S_BLANK; - bufOfs = 0; - } - - // see JCA spec - protected byte[] engineDigest() { - try { - byte[] digest = new byte[digestLength]; - int n = engineDigest(digest, 0, digestLength); - return digest; - } catch (DigestException e) { - throw new ProviderException("internal error", e); - } - } - - // see JCA spec - protected int engineDigest(byte[] digest, int ofs, int len) - throws DigestException { - if (len < digestLength) { - throw new DigestException("Length must be at least " + - digestLength); - } - - fetchSession(); - try { - int n; - if (state == S_BUFFERED) { - n = token.p11.C_DigestSingle(session.id(), mechanism, buffer, 0, - bufOfs, digest, ofs, len); - bufOfs = 0; - } else { - if (bufOfs != 0) { - token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, - bufOfs); - bufOfs = 0; - } - n = token.p11.C_DigestFinal(session.id(), digest, ofs, len); - } - if (n != digestLength) { - throw new ProviderException("internal digest length error"); - } - return n; - } catch (PKCS11Exception e) { - throw new ProviderException("digest() failed", e); - } finally { - engineReset(); - } - } - - // see JCA spec - protected void engineUpdate(byte in) { - byte[] temp = { in }; - engineUpdate(temp, 0, 1); - } - - // see JCA spec - protected void engineUpdate(byte[] in, int ofs, int len) { - if (len <= 0) { - return; - } - - fetchSession(); - try { - if (state == S_BUFFERED) { - token.p11.C_DigestInit(session.id(), mechanism); - state = S_INIT; - } - if ((bufOfs != 0) && (bufOfs + len > buffer.length)) { - // process the buffered data - token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); - bufOfs = 0; - } - if (bufOfs + len > buffer.length) { - // process the new data - token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len); - } else { - // buffer the new data - System.arraycopy(in, ofs, buffer, bufOfs, len); - bufOfs += len; - } - } catch (PKCS11Exception e) { - engineReset(); - throw new ProviderException("update() failed", e); - } - } - - // Called by SunJSSE via reflection during the SSL 3.0 handshake if - // the master secret is sensitive. - // Note: Change to protected after this method is moved from - // sun.security.util.MessageSpi2 interface to - // java.security.MessageDigestSpi class - public void engineUpdate(SecretKey key) throws InvalidKeyException { - // SunJSSE calls this method only if the key does not have a RAW - // encoding, i.e. if it is sensitive. Therefore, no point in calling - // SecretKeyFactory to try to convert it. Just verify it ourselves. - if (key instanceof P11Key == false) { - throw new InvalidKeyException("Not a P11Key: " + key); - } - P11Key p11Key = (P11Key)key; - if (p11Key.token != token) { - throw new InvalidKeyException("Not a P11Key of this provider: " + - key); - } - - fetchSession(); - try { - if (state == S_BUFFERED) { - token.p11.C_DigestInit(session.id(), mechanism); - state = S_INIT; - } - - if (bufOfs != 0) { - token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); - bufOfs = 0; - } - token.p11.C_DigestKey(session.id(), p11Key.keyID); - } catch (PKCS11Exception e) { - engineReset(); - throw new ProviderException("update(SecretKey) failed", e); - } - } - - // see JCA spec - protected void engineUpdate(ByteBuffer byteBuffer) { - int len = byteBuffer.remaining(); - if (len <= 0) { - return; - } - - if (byteBuffer instanceof DirectBuffer == false) { - super.engineUpdate(byteBuffer); - return; - } - - fetchSession(); - long addr = ((DirectBuffer)byteBuffer).address(); - int ofs = byteBuffer.position(); - try { - if (state == S_BUFFERED) { - token.p11.C_DigestInit(session.id(), mechanism); - state = S_INIT; - } - if (bufOfs != 0) { - token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); - bufOfs = 0; - } - token.p11.C_DigestUpdate(session.id(), addr + ofs, null, 0, len); - byteBuffer.position(ofs + len); - } catch (PKCS11Exception e) { - engineReset(); - throw new ProviderException("update() failed", e); - } - } - - public Object clone() throws CloneNotSupportedException { - P11Digest copy = (P11Digest) super.clone(); - copy.buffer = buffer.clone(); - try { - if (session != null) { - copy.session = copy.token.getOpSession(); - } - if (state == S_INIT) { - byte[] stateValues = - token.p11.C_GetOperationState(session.id()); - token.p11.C_SetOperationState(copy.session.id(), - stateValues, 0, 0); - } - } catch (PKCS11Exception e) { - throw (CloneNotSupportedException) - (new CloneNotSupportedException(algorithm).initCause(e)); - } - return copy; - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java 2017-01-20 09:52:27.762289355 -0800 @@ -0,0 +1,325 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.util.*; +import java.nio.ByteBuffer; + +import java.security.*; + +import javax.crypto.SecretKey; + +import sun.nio.ch.DirectBuffer; + +import sun.security.util.MessageDigestSpi2; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * MessageDigest implementation class. This class currently supports + * MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. + * + * Note that many digest operations are on fairly small amounts of data + * (less than 100 bytes total). For example, the 2nd hashing in HMAC or + * the PRF in TLS. In order to speed those up, we use some buffering to + * minimize number of the Java->native transitions. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11Digest extends MessageDigestSpi implements Cloneable, + MessageDigestSpi2 { + + /* fields initialized, no session acquired */ + private final static int S_BLANK = 1; + + /* data in buffer, session acquired, but digest not initialized */ + private final static int S_BUFFERED = 2; + + /* session initialized for digesting */ + private final static int S_INIT = 3; + + private final static int BUFFER_SIZE = 96; + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id object + private final CK_MECHANISM mechanism; + + // length of the digest in bytes + private final int digestLength; + + // associated session, if any + private Session session; + + // current state, one of S_* above + private int state; + + // buffer to reduce number of JNI calls + private byte[] buffer; + + // offset into the buffer + private int bufOfs; + + P11Digest(Token token, String algorithm, long mechanism) { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = new CK_MECHANISM(mechanism); + switch ((int)mechanism) { + case (int)CKM_MD2: + case (int)CKM_MD5: + digestLength = 16; + break; + case (int)CKM_SHA_1: + digestLength = 20; + break; + case (int)CKM_SHA224: + digestLength = 28; + break; + case (int)CKM_SHA256: + digestLength = 32; + break; + case (int)CKM_SHA384: + digestLength = 48; + break; + case (int)CKM_SHA512: + digestLength = 64; + break; + default: + throw new ProviderException("Unknown mechanism: " + mechanism); + } + buffer = new byte[BUFFER_SIZE]; + state = S_BLANK; + } + + // see JCA spec + protected int engineGetDigestLength() { + return digestLength; + } + + private void fetchSession() { + token.ensureValid(); + if (state == S_BLANK) { + try { + session = token.getOpSession(); + state = S_BUFFERED; + } catch (PKCS11Exception e) { + throw new ProviderException("No more session available", e); + } + } + } + + // see JCA spec + protected void engineReset() { + token.ensureValid(); + + if (session != null) { + if (state == S_INIT && token.explicitCancel == true) { + session = token.killSession(session); + } else { + session = token.releaseSession(session); + } + } + state = S_BLANK; + bufOfs = 0; + } + + // see JCA spec + protected byte[] engineDigest() { + try { + byte[] digest = new byte[digestLength]; + int n = engineDigest(digest, 0, digestLength); + return digest; + } catch (DigestException e) { + throw new ProviderException("internal error", e); + } + } + + // see JCA spec + protected int engineDigest(byte[] digest, int ofs, int len) + throws DigestException { + if (len < digestLength) { + throw new DigestException("Length must be at least " + + digestLength); + } + + fetchSession(); + try { + int n; + if (state == S_BUFFERED) { + n = token.p11.C_DigestSingle(session.id(), mechanism, buffer, 0, + bufOfs, digest, ofs, len); + bufOfs = 0; + } else { + if (bufOfs != 0) { + token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, + bufOfs); + bufOfs = 0; + } + n = token.p11.C_DigestFinal(session.id(), digest, ofs, len); + } + if (n != digestLength) { + throw new ProviderException("internal digest length error"); + } + return n; + } catch (PKCS11Exception e) { + throw new ProviderException("digest() failed", e); + } finally { + engineReset(); + } + } + + // see JCA spec + protected void engineUpdate(byte in) { + byte[] temp = { in }; + engineUpdate(temp, 0, 1); + } + + // see JCA spec + protected void engineUpdate(byte[] in, int ofs, int len) { + if (len <= 0) { + return; + } + + fetchSession(); + try { + if (state == S_BUFFERED) { + token.p11.C_DigestInit(session.id(), mechanism); + state = S_INIT; + } + if ((bufOfs != 0) && (bufOfs + len > buffer.length)) { + // process the buffered data + token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); + bufOfs = 0; + } + if (bufOfs + len > buffer.length) { + // process the new data + token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len); + } else { + // buffer the new data + System.arraycopy(in, ofs, buffer, bufOfs, len); + bufOfs += len; + } + } catch (PKCS11Exception e) { + engineReset(); + throw new ProviderException("update() failed", e); + } + } + + // Called by SunJSSE via reflection during the SSL 3.0 handshake if + // the master secret is sensitive. + // Note: Change to protected after this method is moved from + // sun.security.util.MessageSpi2 interface to + // java.security.MessageDigestSpi class + public void engineUpdate(SecretKey key) throws InvalidKeyException { + // SunJSSE calls this method only if the key does not have a RAW + // encoding, i.e. if it is sensitive. Therefore, no point in calling + // SecretKeyFactory to try to convert it. Just verify it ourselves. + if (key instanceof P11Key == false) { + throw new InvalidKeyException("Not a P11Key: " + key); + } + P11Key p11Key = (P11Key)key; + if (p11Key.token != token) { + throw new InvalidKeyException("Not a P11Key of this provider: " + + key); + } + + fetchSession(); + try { + if (state == S_BUFFERED) { + token.p11.C_DigestInit(session.id(), mechanism); + state = S_INIT; + } + + if (bufOfs != 0) { + token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); + bufOfs = 0; + } + token.p11.C_DigestKey(session.id(), p11Key.keyID); + } catch (PKCS11Exception e) { + engineReset(); + throw new ProviderException("update(SecretKey) failed", e); + } + } + + // see JCA spec + protected void engineUpdate(ByteBuffer byteBuffer) { + int len = byteBuffer.remaining(); + if (len <= 0) { + return; + } + + if (byteBuffer instanceof DirectBuffer == false) { + super.engineUpdate(byteBuffer); + return; + } + + fetchSession(); + long addr = ((DirectBuffer)byteBuffer).address(); + int ofs = byteBuffer.position(); + try { + if (state == S_BUFFERED) { + token.p11.C_DigestInit(session.id(), mechanism); + state = S_INIT; + } + if (bufOfs != 0) { + token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); + bufOfs = 0; + } + token.p11.C_DigestUpdate(session.id(), addr + ofs, null, 0, len); + byteBuffer.position(ofs + len); + } catch (PKCS11Exception e) { + engineReset(); + throw new ProviderException("update() failed", e); + } + } + + public Object clone() throws CloneNotSupportedException { + P11Digest copy = (P11Digest) super.clone(); + copy.buffer = buffer.clone(); + try { + if (session != null) { + copy.session = copy.token.getOpSession(); + } + if (state == S_INIT) { + byte[] stateValues = + token.p11.C_GetOperationState(session.id()); + token.p11.C_SetOperationState(copy.session.id(), + stateValues, 0, 0); + } + } catch (PKCS11Exception e) { + throw (CloneNotSupportedException) + (new CloneNotSupportedException(algorithm).initCause(e)); + } + return copy; + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11ECDHKeyAgreement.java 2017-01-20 09:52:28.958289310 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,214 +0,0 @@ -/* - * Copyright (c) 2006, 2007, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.security.*; -import java.security.interfaces.ECPublicKey; -import java.security.spec.AlgorithmParameterSpec; - -import javax.crypto.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * KeyAgreement implementation for ECDH. - * - * @author Andreas Sterbenz - * @since 1.6 - */ -final class P11ECDHKeyAgreement extends KeyAgreementSpi { - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private final long mechanism; - - // private key, if initialized - private P11Key privateKey; - - // encoded public point, non-null between doPhase() and generateSecret() only - private byte[] publicValue; - - // length of the secret to be derived - private int secretLen; - - P11ECDHKeyAgreement(Token token, String algorithm, long mechanism) { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - } - - // see JCE spec - protected void engineInit(Key key, SecureRandom random) - throws InvalidKeyException { - if (key instanceof PrivateKey == false) { - throw new InvalidKeyException - ("Key must be instance of PrivateKey"); - } - privateKey = P11KeyFactory.convertKey(token, key, "EC"); - publicValue = null; - } - - // see JCE spec - protected void engineInit(Key key, AlgorithmParameterSpec params, - SecureRandom random) throws InvalidKeyException, - InvalidAlgorithmParameterException { - if (params != null) { - throw new InvalidAlgorithmParameterException - ("Parameters not supported"); - } - engineInit(key, random); - } - - // see JCE spec - protected Key engineDoPhase(Key key, boolean lastPhase) - throws InvalidKeyException, IllegalStateException { - if (privateKey == null) { - throw new IllegalStateException("Not initialized"); - } - if (publicValue != null) { - throw new IllegalStateException("Phase already executed"); - } - if (lastPhase == false) { - throw new IllegalStateException - ("Only two party agreement supported, lastPhase must be true"); - } - if (key instanceof ECPublicKey == false) { - throw new InvalidKeyException - ("Key must be a PublicKey with algorithm EC"); - } - ECPublicKey ecKey = (ECPublicKey)key; - int keyLenBits = ecKey.getParams().getCurve().getField().getFieldSize(); - secretLen = (keyLenBits + 7) >> 3; - publicValue = P11ECKeyFactory.getEncodedPublicValue(ecKey); - return null; - } - - // see JCE spec - protected byte[] engineGenerateSecret() throws IllegalStateException { - if ((privateKey == null) || (publicValue == null)) { - throw new IllegalStateException("Not initialized correctly"); - } - Session session = null; - try { - session = token.getOpSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET), - }; - CK_ECDH1_DERIVE_PARAMS ckParams = - new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue); - attributes = token.getAttributes - (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, ckParams), privateKey.keyID, - attributes); - attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE) - }; - token.p11.C_GetAttributeValue(session.id(), keyID, attributes); - byte[] secret = attributes[0].getByteArray(); - token.p11.C_DestroyObject(session.id(), keyID); - return secret; - } catch (PKCS11Exception e) { - throw new ProviderException("Could not derive key", e); - } finally { - publicValue = null; - token.releaseSession(session); - } - } - - // see JCE spec - protected int engineGenerateSecret(byte[] sharedSecret, int - offset) throws IllegalStateException, ShortBufferException { - if (offset + secretLen > sharedSecret.length) { - throw new ShortBufferException("Need " + secretLen - + " bytes, only " + (sharedSecret.length - offset) + " available"); - } - byte[] secret = engineGenerateSecret(); - System.arraycopy(secret, 0, sharedSecret, offset, secret.length); - return secret.length; - } - - // see JCE spec - protected SecretKey engineGenerateSecret(String algorithm) - throws IllegalStateException, NoSuchAlgorithmException, - InvalidKeyException { - if (algorithm == null) { - throw new NoSuchAlgorithmException("Algorithm must not be null"); - } - if (algorithm.equals("TlsPremasterSecret") == false) { - throw new NoSuchAlgorithmException - ("Only supported for algorithm TlsPremasterSecret"); - } - return nativeGenerateSecret(algorithm); - } - - private SecretKey nativeGenerateSecret(String algorithm) - throws IllegalStateException, NoSuchAlgorithmException, - InvalidKeyException { - if ((privateKey == null) || (publicValue == null)) { - throw new IllegalStateException("Not initialized correctly"); - } - long keyType = CKK_GENERIC_SECRET; - Session session = null; - try { - session = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), - }; - CK_ECDH1_DERIVE_PARAMS ckParams = - new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue); - attributes = token.getAttributes - (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, ckParams), privateKey.keyID, - attributes); - CK_ATTRIBUTE[] lenAttributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE_LEN), - }; - token.p11.C_GetAttributeValue(session.id(), keyID, lenAttributes); - int keyLen = (int)lenAttributes[0].getLong(); - SecretKey key = P11Key.secretKey - (session, keyID, algorithm, keyLen << 3, attributes); - return key; - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not derive key", e); - } finally { - publicValue = null; - token.releaseSession(session); - } - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECDHKeyAgreement.java 2017-01-20 09:52:28.526289326 -0800 @@ -0,0 +1,214 @@ +/* + * Copyright (c) 2006, 2007, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.security.*; +import java.security.interfaces.ECPublicKey; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * KeyAgreement implementation for ECDH. + * + * @author Andreas Sterbenz + * @since 1.6 + */ +final class P11ECDHKeyAgreement extends KeyAgreementSpi { + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private final long mechanism; + + // private key, if initialized + private P11Key privateKey; + + // encoded public point, non-null between doPhase() and generateSecret() only + private byte[] publicValue; + + // length of the secret to be derived + private int secretLen; + + P11ECDHKeyAgreement(Token token, String algorithm, long mechanism) { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + } + + // see JCE spec + protected void engineInit(Key key, SecureRandom random) + throws InvalidKeyException { + if (key instanceof PrivateKey == false) { + throw new InvalidKeyException + ("Key must be instance of PrivateKey"); + } + privateKey = P11KeyFactory.convertKey(token, key, "EC"); + publicValue = null; + } + + // see JCE spec + protected void engineInit(Key key, AlgorithmParameterSpec params, + SecureRandom random) throws InvalidKeyException, + InvalidAlgorithmParameterException { + if (params != null) { + throw new InvalidAlgorithmParameterException + ("Parameters not supported"); + } + engineInit(key, random); + } + + // see JCE spec + protected Key engineDoPhase(Key key, boolean lastPhase) + throws InvalidKeyException, IllegalStateException { + if (privateKey == null) { + throw new IllegalStateException("Not initialized"); + } + if (publicValue != null) { + throw new IllegalStateException("Phase already executed"); + } + if (lastPhase == false) { + throw new IllegalStateException + ("Only two party agreement supported, lastPhase must be true"); + } + if (key instanceof ECPublicKey == false) { + throw new InvalidKeyException + ("Key must be a PublicKey with algorithm EC"); + } + ECPublicKey ecKey = (ECPublicKey)key; + int keyLenBits = ecKey.getParams().getCurve().getField().getFieldSize(); + secretLen = (keyLenBits + 7) >> 3; + publicValue = P11ECKeyFactory.getEncodedPublicValue(ecKey); + return null; + } + + // see JCE spec + protected byte[] engineGenerateSecret() throws IllegalStateException { + if ((privateKey == null) || (publicValue == null)) { + throw new IllegalStateException("Not initialized correctly"); + } + Session session = null; + try { + session = token.getOpSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET), + }; + CK_ECDH1_DERIVE_PARAMS ckParams = + new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue); + attributes = token.getAttributes + (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes); + long keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, ckParams), privateKey.keyID, + attributes); + attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE) + }; + token.p11.C_GetAttributeValue(session.id(), keyID, attributes); + byte[] secret = attributes[0].getByteArray(); + token.p11.C_DestroyObject(session.id(), keyID); + return secret; + } catch (PKCS11Exception e) { + throw new ProviderException("Could not derive key", e); + } finally { + publicValue = null; + token.releaseSession(session); + } + } + + // see JCE spec + protected int engineGenerateSecret(byte[] sharedSecret, int + offset) throws IllegalStateException, ShortBufferException { + if (offset + secretLen > sharedSecret.length) { + throw new ShortBufferException("Need " + secretLen + + " bytes, only " + (sharedSecret.length - offset) + " available"); + } + byte[] secret = engineGenerateSecret(); + System.arraycopy(secret, 0, sharedSecret, offset, secret.length); + return secret.length; + } + + // see JCE spec + protected SecretKey engineGenerateSecret(String algorithm) + throws IllegalStateException, NoSuchAlgorithmException, + InvalidKeyException { + if (algorithm == null) { + throw new NoSuchAlgorithmException("Algorithm must not be null"); + } + if (algorithm.equals("TlsPremasterSecret") == false) { + throw new NoSuchAlgorithmException + ("Only supported for algorithm TlsPremasterSecret"); + } + return nativeGenerateSecret(algorithm); + } + + private SecretKey nativeGenerateSecret(String algorithm) + throws IllegalStateException, NoSuchAlgorithmException, + InvalidKeyException { + if ((privateKey == null) || (publicValue == null)) { + throw new IllegalStateException("Not initialized correctly"); + } + long keyType = CKK_GENERIC_SECRET; + Session session = null; + try { + session = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), + }; + CK_ECDH1_DERIVE_PARAMS ckParams = + new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue); + attributes = token.getAttributes + (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); + long keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, ckParams), privateKey.keyID, + attributes); + CK_ATTRIBUTE[] lenAttributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE_LEN), + }; + token.p11.C_GetAttributeValue(session.id(), keyID, lenAttributes); + int keyLen = (int)lenAttributes[0].getLong(); + SecretKey key = P11Key.secretKey + (session, keyID, algorithm, keyLen << 3, attributes); + return key; + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not derive key", e); + } finally { + publicValue = null; + token.releaseSession(session); + } + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11ECKeyFactory.java 2017-01-20 09:52:29.802289278 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,333 +0,0 @@ -/* - * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.io.IOException; -import java.math.BigInteger; - -import java.security.*; -import java.security.interfaces.*; -import java.security.spec.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -import sun.security.util.DerValue; -import sun.security.util.ECUtil; - -/** - * EC KeyFactory implementation. - * - * @author Andreas Sterbenz - * @since 1.6 - */ -final class P11ECKeyFactory extends P11KeyFactory { - private static Provider sunECprovider; - - private static Provider getSunECProvider() { - if (sunECprovider == null) { - sunECprovider = Security.getProvider("SunEC"); - if (sunECprovider == null) { - throw new RuntimeException("Cannot load SunEC provider"); - } - } - - return sunECprovider; - } - - P11ECKeyFactory(Token token, String algorithm) { - super(token, algorithm); - } - - static ECParameterSpec getECParameterSpec(String name) { - return ECUtil.getECParameterSpec(getSunECProvider(), name); - } - - static ECParameterSpec getECParameterSpec(int keySize) { - return ECUtil.getECParameterSpec(getSunECProvider(), keySize); - } - - // Check that spec is a known supported curve and convert it to our - // ECParameterSpec subclass. If not possible, return null. - static ECParameterSpec getECParameterSpec(ECParameterSpec spec) { - return ECUtil.getECParameterSpec(getSunECProvider(), spec); - } - - static ECParameterSpec decodeParameters(byte[] params) throws IOException { - return ECUtil.getECParameterSpec(getSunECProvider(), params); - } - - static byte[] encodeParameters(ECParameterSpec params) { - return ECUtil.encodeECParameterSpec(getSunECProvider(), params); - } - - static ECPoint decodePoint(byte[] encoded, EllipticCurve curve) throws IOException { - return ECUtil.decodePoint(encoded, curve); - } - - // Used by ECDH KeyAgreement - static byte[] getEncodedPublicValue(PublicKey key) throws InvalidKeyException { - if (key instanceof ECPublicKey) { - ECPublicKey ecKey = (ECPublicKey)key; - ECPoint w = ecKey.getW(); - ECParameterSpec params = ecKey.getParams(); - return ECUtil.encodePoint(w, params.getCurve()); - } else { - // should never occur - throw new InvalidKeyException - ("Key class not yet supported: " + key.getClass().getName()); - } - } - - PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException { - try { - if (key instanceof ECPublicKey) { - ECPublicKey ecKey = (ECPublicKey)key; - return generatePublic( - ecKey.getW(), - ecKey.getParams() - ); - } else if ("X.509".equals(key.getFormat())) { - // let Sun provider parse for us, then recurse - byte[] encoded = key.getEncoded(); - - try { - key = ECUtil.decodeX509ECPublicKey(encoded); - } catch (InvalidKeySpecException ikse) { - throw new InvalidKeyException(ikse); - } - - return implTranslatePublicKey(key); - } else { - throw new InvalidKeyException("PublicKey must be instance " - + "of ECPublicKey or have X.509 encoding"); - } - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create EC public key", e); - } - } - - PrivateKey implTranslatePrivateKey(PrivateKey key) - throws InvalidKeyException { - try { - if (key instanceof ECPrivateKey) { - ECPrivateKey ecKey = (ECPrivateKey)key; - return generatePrivate( - ecKey.getS(), - ecKey.getParams() - ); - } else if ("PKCS#8".equals(key.getFormat())) { - // let Sun provider parse for us, then recurse - byte[] encoded = key.getEncoded(); - - try { - key = ECUtil.decodePKCS8ECPrivateKey(encoded); - } catch (InvalidKeySpecException ikse) { - throw new InvalidKeyException(ikse); - } - - return implTranslatePrivateKey(key); - } else { - throw new InvalidKeyException("PrivateKey must be instance " - + "of ECPrivateKey or have PKCS#8 encoding"); - } - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create EC private key", e); - } - } - - // see JCA spec - protected PublicKey engineGeneratePublic(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec instanceof X509EncodedKeySpec) { - try { - byte[] encoded = ((X509EncodedKeySpec)keySpec).getEncoded(); - PublicKey key = ECUtil.decodeX509ECPublicKey(encoded); - return implTranslatePublicKey(key); - } catch (InvalidKeyException e) { - throw new InvalidKeySpecException - ("Could not create EC public key", e); - } - } - if (keySpec instanceof ECPublicKeySpec == false) { - throw new InvalidKeySpecException("Only ECPublicKeySpec and " - + "X509EncodedKeySpec supported for EC public keys"); - } - try { - ECPublicKeySpec ec = (ECPublicKeySpec)keySpec; - return generatePublic( - ec.getW(), - ec.getParams() - ); - } catch (PKCS11Exception e) { - throw new InvalidKeySpecException - ("Could not create EC public key", e); - } - } - - // see JCA spec - protected PrivateKey engineGeneratePrivate(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec instanceof PKCS8EncodedKeySpec) { - try { - byte[] encoded = ((PKCS8EncodedKeySpec)keySpec).getEncoded(); - PrivateKey key = ECUtil.decodePKCS8ECPrivateKey(encoded); - return implTranslatePrivateKey(key); - } catch (GeneralSecurityException e) { - throw new InvalidKeySpecException - ("Could not create EC private key", e); - } - } - if (keySpec instanceof ECPrivateKeySpec == false) { - throw new InvalidKeySpecException("Only ECPrivateKeySpec and " - + "PKCS8EncodedKeySpec supported for EC private keys"); - } - try { - ECPrivateKeySpec ec = (ECPrivateKeySpec)keySpec; - return generatePrivate( - ec.getS(), - ec.getParams() - ); - } catch (PKCS11Exception e) { - throw new InvalidKeySpecException - ("Could not create EC private key", e); - } - } - - private PublicKey generatePublic(ECPoint point, ECParameterSpec params) - throws PKCS11Exception { - byte[] encodedParams = - ECUtil.encodeECParameterSpec(getSunECProvider(), params); - byte[] encodedPoint = - ECUtil.encodePoint(point, params.getCurve()); - - // Check whether the X9.63 encoding of an EC point shall be wrapped - // in an ASN.1 OCTET STRING - if (!token.config.getUseEcX963Encoding()) { - try { - encodedPoint = - new DerValue(DerValue.tag_OctetString, encodedPoint) - .toByteArray(); - } catch (IOException e) { - throw new - IllegalArgumentException("Could not DER encode point", e); - } - } - - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), - new CK_ATTRIBUTE(CKA_EC_POINT, encodedPoint), - new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PUBLIC_KEY, CKK_EC, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.publicKey - (session, keyID, "EC", params.getCurve().getField().getFieldSize(), attributes); - } finally { - token.releaseSession(session); - } - } - - private PrivateKey generatePrivate(BigInteger s, ECParameterSpec params) - throws PKCS11Exception { - byte[] encodedParams = - ECUtil.encodeECParameterSpec(getSunECProvider(), params); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), - new CK_ATTRIBUTE(CKA_VALUE, s), - new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PRIVATE_KEY, CKK_EC, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.privateKey - (session, keyID, "EC", params.getCurve().getField().getFieldSize(), attributes); - } finally { - token.releaseSession(session); - } - } - - T implGetPublicKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException { - if (ECPublicKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_EC_POINT), - new CK_ATTRIBUTE(CKA_EC_PARAMS), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - try { - ECParameterSpec params = decodeParameters(attributes[1].getByteArray()); - ECPoint point = decodePoint(attributes[0].getByteArray(), params.getCurve()); - return keySpec.cast(new ECPublicKeySpec(point, params)); - } catch (IOException e) { - throw new InvalidKeySpecException("Could not parse key", e); - } - } else { // X.509 handled in superclass - throw new InvalidKeySpecException("Only ECPublicKeySpec and " - + "X509EncodedKeySpec supported for EC public keys"); - } - } - - T implGetPrivateKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException { - if (ECPrivateKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_EC_PARAMS), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - try { - ECParameterSpec params = decodeParameters(attributes[1].getByteArray()); - return keySpec.cast( - new ECPrivateKeySpec(attributes[0].getBigInteger(), params)); - } catch (IOException e) { - throw new InvalidKeySpecException("Could not parse key", e); - } - } else { // PKCS#8 handled in superclass - throw new InvalidKeySpecException("Only ECPrivateKeySpec " - + "and PKCS8EncodedKeySpec supported for EC private keys"); - } - } - - KeyFactory implGetSoftwareFactory() throws GeneralSecurityException { - return KeyFactory.getInstance("EC", getSunECProvider()); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECKeyFactory.java 2017-01-20 09:52:29.298289297 -0800 @@ -0,0 +1,333 @@ +/* + * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.io.IOException; +import java.math.BigInteger; + +import java.security.*; +import java.security.interfaces.*; +import java.security.spec.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +import sun.security.util.DerValue; +import sun.security.util.ECUtil; + +/** + * EC KeyFactory implementation. + * + * @author Andreas Sterbenz + * @since 1.6 + */ +final class P11ECKeyFactory extends P11KeyFactory { + private static Provider sunECprovider; + + private static Provider getSunECProvider() { + if (sunECprovider == null) { + sunECprovider = Security.getProvider("SunEC"); + if (sunECprovider == null) { + throw new RuntimeException("Cannot load SunEC provider"); + } + } + + return sunECprovider; + } + + P11ECKeyFactory(Token token, String algorithm) { + super(token, algorithm); + } + + static ECParameterSpec getECParameterSpec(String name) { + return ECUtil.getECParameterSpec(getSunECProvider(), name); + } + + static ECParameterSpec getECParameterSpec(int keySize) { + return ECUtil.getECParameterSpec(getSunECProvider(), keySize); + } + + // Check that spec is a known supported curve and convert it to our + // ECParameterSpec subclass. If not possible, return null. + static ECParameterSpec getECParameterSpec(ECParameterSpec spec) { + return ECUtil.getECParameterSpec(getSunECProvider(), spec); + } + + static ECParameterSpec decodeParameters(byte[] params) throws IOException { + return ECUtil.getECParameterSpec(getSunECProvider(), params); + } + + static byte[] encodeParameters(ECParameterSpec params) { + return ECUtil.encodeECParameterSpec(getSunECProvider(), params); + } + + static ECPoint decodePoint(byte[] encoded, EllipticCurve curve) throws IOException { + return ECUtil.decodePoint(encoded, curve); + } + + // Used by ECDH KeyAgreement + static byte[] getEncodedPublicValue(PublicKey key) throws InvalidKeyException { + if (key instanceof ECPublicKey) { + ECPublicKey ecKey = (ECPublicKey)key; + ECPoint w = ecKey.getW(); + ECParameterSpec params = ecKey.getParams(); + return ECUtil.encodePoint(w, params.getCurve()); + } else { + // should never occur + throw new InvalidKeyException + ("Key class not yet supported: " + key.getClass().getName()); + } + } + + PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException { + try { + if (key instanceof ECPublicKey) { + ECPublicKey ecKey = (ECPublicKey)key; + return generatePublic( + ecKey.getW(), + ecKey.getParams() + ); + } else if ("X.509".equals(key.getFormat())) { + // let Sun provider parse for us, then recurse + byte[] encoded = key.getEncoded(); + + try { + key = ECUtil.decodeX509ECPublicKey(encoded); + } catch (InvalidKeySpecException ikse) { + throw new InvalidKeyException(ikse); + } + + return implTranslatePublicKey(key); + } else { + throw new InvalidKeyException("PublicKey must be instance " + + "of ECPublicKey or have X.509 encoding"); + } + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create EC public key", e); + } + } + + PrivateKey implTranslatePrivateKey(PrivateKey key) + throws InvalidKeyException { + try { + if (key instanceof ECPrivateKey) { + ECPrivateKey ecKey = (ECPrivateKey)key; + return generatePrivate( + ecKey.getS(), + ecKey.getParams() + ); + } else if ("PKCS#8".equals(key.getFormat())) { + // let Sun provider parse for us, then recurse + byte[] encoded = key.getEncoded(); + + try { + key = ECUtil.decodePKCS8ECPrivateKey(encoded); + } catch (InvalidKeySpecException ikse) { + throw new InvalidKeyException(ikse); + } + + return implTranslatePrivateKey(key); + } else { + throw new InvalidKeyException("PrivateKey must be instance " + + "of ECPrivateKey or have PKCS#8 encoding"); + } + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create EC private key", e); + } + } + + // see JCA spec + protected PublicKey engineGeneratePublic(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec instanceof X509EncodedKeySpec) { + try { + byte[] encoded = ((X509EncodedKeySpec)keySpec).getEncoded(); + PublicKey key = ECUtil.decodeX509ECPublicKey(encoded); + return implTranslatePublicKey(key); + } catch (InvalidKeyException e) { + throw new InvalidKeySpecException + ("Could not create EC public key", e); + } + } + if (keySpec instanceof ECPublicKeySpec == false) { + throw new InvalidKeySpecException("Only ECPublicKeySpec and " + + "X509EncodedKeySpec supported for EC public keys"); + } + try { + ECPublicKeySpec ec = (ECPublicKeySpec)keySpec; + return generatePublic( + ec.getW(), + ec.getParams() + ); + } catch (PKCS11Exception e) { + throw new InvalidKeySpecException + ("Could not create EC public key", e); + } + } + + // see JCA spec + protected PrivateKey engineGeneratePrivate(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec instanceof PKCS8EncodedKeySpec) { + try { + byte[] encoded = ((PKCS8EncodedKeySpec)keySpec).getEncoded(); + PrivateKey key = ECUtil.decodePKCS8ECPrivateKey(encoded); + return implTranslatePrivateKey(key); + } catch (GeneralSecurityException e) { + throw new InvalidKeySpecException + ("Could not create EC private key", e); + } + } + if (keySpec instanceof ECPrivateKeySpec == false) { + throw new InvalidKeySpecException("Only ECPrivateKeySpec and " + + "PKCS8EncodedKeySpec supported for EC private keys"); + } + try { + ECPrivateKeySpec ec = (ECPrivateKeySpec)keySpec; + return generatePrivate( + ec.getS(), + ec.getParams() + ); + } catch (PKCS11Exception e) { + throw new InvalidKeySpecException + ("Could not create EC private key", e); + } + } + + private PublicKey generatePublic(ECPoint point, ECParameterSpec params) + throws PKCS11Exception { + byte[] encodedParams = + ECUtil.encodeECParameterSpec(getSunECProvider(), params); + byte[] encodedPoint = + ECUtil.encodePoint(point, params.getCurve()); + + // Check whether the X9.63 encoding of an EC point shall be wrapped + // in an ASN.1 OCTET STRING + if (!token.config.getUseEcX963Encoding()) { + try { + encodedPoint = + new DerValue(DerValue.tag_OctetString, encodedPoint) + .toByteArray(); + } catch (IOException e) { + throw new + IllegalArgumentException("Could not DER encode point", e); + } + } + + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), + new CK_ATTRIBUTE(CKA_EC_POINT, encodedPoint), + new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PUBLIC_KEY, CKK_EC, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.publicKey + (session, keyID, "EC", params.getCurve().getField().getFieldSize(), attributes); + } finally { + token.releaseSession(session); + } + } + + private PrivateKey generatePrivate(BigInteger s, ECParameterSpec params) + throws PKCS11Exception { + byte[] encodedParams = + ECUtil.encodeECParameterSpec(getSunECProvider(), params); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), + new CK_ATTRIBUTE(CKA_VALUE, s), + new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PRIVATE_KEY, CKK_EC, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.privateKey + (session, keyID, "EC", params.getCurve().getField().getFieldSize(), attributes); + } finally { + token.releaseSession(session); + } + } + + T implGetPublicKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException { + if (ECPublicKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_EC_POINT), + new CK_ATTRIBUTE(CKA_EC_PARAMS), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + try { + ECParameterSpec params = decodeParameters(attributes[1].getByteArray()); + ECPoint point = decodePoint(attributes[0].getByteArray(), params.getCurve()); + return keySpec.cast(new ECPublicKeySpec(point, params)); + } catch (IOException e) { + throw new InvalidKeySpecException("Could not parse key", e); + } + } else { // X.509 handled in superclass + throw new InvalidKeySpecException("Only ECPublicKeySpec and " + + "X509EncodedKeySpec supported for EC public keys"); + } + } + + T implGetPrivateKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException { + if (ECPrivateKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_EC_PARAMS), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + try { + ECParameterSpec params = decodeParameters(attributes[1].getByteArray()); + return keySpec.cast( + new ECPrivateKeySpec(attributes[0].getBigInteger(), params)); + } catch (IOException e) { + throw new InvalidKeySpecException("Could not parse key", e); + } + } else { // PKCS#8 handled in superclass + throw new InvalidKeySpecException("Only ECPrivateKeySpec " + + "and PKCS8EncodedKeySpec supported for EC private keys"); + } + } + + KeyFactory implGetSoftwareFactory() throws GeneralSecurityException { + return KeyFactory.getInstance("EC", getSunECProvider()); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Key.java 2017-01-20 09:52:30.642289247 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,1188 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.io.*; -import java.lang.ref.*; -import java.math.BigInteger; -import java.util.*; - -import java.security.*; -import java.security.interfaces.*; -import java.security.spec.*; - -import javax.crypto.*; -import javax.crypto.interfaces.*; -import javax.crypto.spec.*; - -import sun.security.rsa.RSAPublicKeyImpl; - -import sun.security.internal.interfaces.TlsMasterSecret; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -import sun.security.util.Debug; -import sun.security.util.DerValue; -import sun.security.util.Length; -import sun.security.util.ECUtil; - -/** - * Key implementation classes. - * - * In PKCS#11, the components of private and secret keys may or may not - * be accessible. If they are, we use the algorithm specific key classes - * (e.g. DSAPrivateKey) for compatibility with existing applications. - * If the components are not accessible, we use a generic class that - * only implements PrivateKey (or SecretKey). Whether the components of a - * key are extractable is automatically determined when the key object is - * created. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -abstract class P11Key implements Key, Length { - - private static final long serialVersionUID = -2575874101938349339L; - - private final static String PUBLIC = "public"; - private final static String PRIVATE = "private"; - private final static String SECRET = "secret"; - - // type of key, one of (PUBLIC, PRIVATE, SECRET) - final String type; - - // token instance - final Token token; - - // algorithm name, returned by getAlgorithm(), etc. - final String algorithm; - - // key id - final long keyID; - - // effective key length of the key, e.g. 56 for a DES key - final int keyLength; - - // flags indicating whether the key is a token object, sensitive, extractable - final boolean tokenObject, sensitive, extractable; - - // phantom reference notification clean up for session keys - private final SessionKeyRef sessionKeyRef; - - P11Key(String type, Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - this.type = type; - this.token = session.token; - this.keyID = keyID; - this.algorithm = algorithm; - this.keyLength = keyLength; - boolean tokenObject = false; - boolean sensitive = false; - boolean extractable = true; - int n = (attributes == null) ? 0 : attributes.length; - for (int i = 0; i < n; i++) { - CK_ATTRIBUTE attr = attributes[i]; - if (attr.type == CKA_TOKEN) { - tokenObject = attr.getBoolean(); - } else if (attr.type == CKA_SENSITIVE) { - sensitive = attr.getBoolean(); - } else if (attr.type == CKA_EXTRACTABLE) { - extractable = attr.getBoolean(); - } - } - this.tokenObject = tokenObject; - this.sensitive = sensitive; - this.extractable = extractable; - if (tokenObject == false) { - sessionKeyRef = new SessionKeyRef(this, keyID, session); - } else { - sessionKeyRef = null; - } - } - - // see JCA spec - public final String getAlgorithm() { - token.ensureValid(); - return algorithm; - } - - // see JCA spec - public final byte[] getEncoded() { - byte[] b = getEncodedInternal(); - return (b == null) ? null : b.clone(); - } - - abstract byte[] getEncodedInternal(); - - public boolean equals(Object obj) { - if (this == obj) { - return true; - } - // equals() should never throw exceptions - if (token.isValid() == false) { - return false; - } - if (obj instanceof Key == false) { - return false; - } - String thisFormat = getFormat(); - if (thisFormat == null) { - // no encoding, key only equal to itself - // XXX getEncoded() for unextractable keys will change that - return false; - } - Key other = (Key)obj; - if (thisFormat.equals(other.getFormat()) == false) { - return false; - } - byte[] thisEnc = this.getEncodedInternal(); - byte[] otherEnc; - if (obj instanceof P11Key) { - otherEnc = ((P11Key)other).getEncodedInternal(); - } else { - otherEnc = other.getEncoded(); - } - return MessageDigest.isEqual(thisEnc, otherEnc); - } - - public int hashCode() { - // hashCode() should never throw exceptions - if (token.isValid() == false) { - return 0; - } - byte[] b1 = getEncodedInternal(); - if (b1 == null) { - return 0; - } - int r = b1.length; - for (int i = 0; i < b1.length; i++) { - r += (b1[i] & 0xff) * 37; - } - return r; - } - - protected Object writeReplace() throws ObjectStreamException { - KeyRep.Type type; - String format = getFormat(); - if (isPrivate() && "PKCS#8".equals(format)) { - type = KeyRep.Type.PRIVATE; - } else if (isPublic() && "X.509".equals(format)) { - type = KeyRep.Type.PUBLIC; - } else if (isSecret() && "RAW".equals(format)) { - type = KeyRep.Type.SECRET; - } else { - // XXX short term serialization for unextractable keys - throw new NotSerializableException - ("Cannot serialize sensitive and unextractable keys"); - } - return new KeyRep(type, getAlgorithm(), format, getEncoded()); - } - - public String toString() { - token.ensureValid(); - String s1 = token.provider.getName() + " " + algorithm + " " + type - + " key, " + keyLength + " bits"; - s1 += " (id " + keyID + ", " - + (tokenObject ? "token" : "session") + " object"; - if (isPublic()) { - s1 += ")"; - } else { - s1 += ", " + (sensitive ? "" : "not ") + "sensitive"; - s1 += ", " + (extractable ? "" : "un") + "extractable)"; - } - return s1; - } - - /** - * Return bit length of the key. - */ - @Override - public int length() { - return keyLength; - } - - boolean isPublic() { - return type == PUBLIC; - } - - boolean isPrivate() { - return type == PRIVATE; - } - - boolean isSecret() { - return type == SECRET; - } - - void fetchAttributes(CK_ATTRIBUTE[] attributes) { - Session tempSession = null; - try { - tempSession = token.getOpSession(); - token.p11.C_GetAttributeValue(tempSession.id(), keyID, attributes); - } catch (PKCS11Exception e) { - throw new ProviderException(e); - } finally { - token.releaseSession(tempSession); - } - } - - private final static CK_ATTRIBUTE[] A0 = new CK_ATTRIBUTE[0]; - - private static CK_ATTRIBUTE[] getAttributes(Session session, long keyID, - CK_ATTRIBUTE[] knownAttributes, CK_ATTRIBUTE[] desiredAttributes) { - if (knownAttributes == null) { - knownAttributes = A0; - } - for (int i = 0; i < desiredAttributes.length; i++) { - // For each desired attribute, check to see if we have the value - // available already. If everything is here, we save a native call. - CK_ATTRIBUTE attr = desiredAttributes[i]; - for (CK_ATTRIBUTE known : knownAttributes) { - if ((attr.type == known.type) && (known.pValue != null)) { - attr.pValue = known.pValue; - break; // break inner for loop - } - } - if (attr.pValue == null) { - // nothing found, need to call C_GetAttributeValue() - for (int j = 0; j < i; j++) { - // clear values copied from knownAttributes - desiredAttributes[j].pValue = null; - } - try { - session.token.p11.C_GetAttributeValue - (session.id(), keyID, desiredAttributes); - } catch (PKCS11Exception e) { - throw new ProviderException(e); - } - break; // break loop, goto return - } - } - return desiredAttributes; - } - - static SecretKey secretKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - attributes = getAttributes(session, keyID, attributes, new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_TOKEN), - new CK_ATTRIBUTE(CKA_SENSITIVE), - new CK_ATTRIBUTE(CKA_EXTRACTABLE), - }); - return new P11SecretKey(session, keyID, algorithm, keyLength, attributes); - } - - static SecretKey masterSecretKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes, int major, int minor) { - attributes = getAttributes(session, keyID, attributes, new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_TOKEN), - new CK_ATTRIBUTE(CKA_SENSITIVE), - new CK_ATTRIBUTE(CKA_EXTRACTABLE), - }); - return new P11TlsMasterSecretKey - (session, keyID, algorithm, keyLength, attributes, major, minor); - } - - // we assume that all components of public keys are always accessible - static PublicKey publicKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - switch (algorithm) { - case "RSA": - return new P11RSAPublicKey - (session, keyID, algorithm, keyLength, attributes); - case "DSA": - return new P11DSAPublicKey - (session, keyID, algorithm, keyLength, attributes); - case "DH": - return new P11DHPublicKey - (session, keyID, algorithm, keyLength, attributes); - case "EC": - return new P11ECPublicKey - (session, keyID, algorithm, keyLength, attributes); - default: - throw new ProviderException - ("Unknown public key algorithm " + algorithm); - } - } - - static PrivateKey privateKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - attributes = getAttributes(session, keyID, attributes, new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_TOKEN), - new CK_ATTRIBUTE(CKA_SENSITIVE), - new CK_ATTRIBUTE(CKA_EXTRACTABLE), - }); - if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { - return new P11PrivateKey - (session, keyID, algorithm, keyLength, attributes); - } else { - switch (algorithm) { - case "RSA": - // In order to decide if this is RSA CRT key, we first query - // and see if all extra CRT attributes are available. - CK_ATTRIBUTE[] attrs2 = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT), - new CK_ATTRIBUTE(CKA_PRIME_1), - new CK_ATTRIBUTE(CKA_PRIME_2), - new CK_ATTRIBUTE(CKA_EXPONENT_1), - new CK_ATTRIBUTE(CKA_EXPONENT_2), - new CK_ATTRIBUTE(CKA_COEFFICIENT), - }; - boolean crtKey; - try { - session.token.p11.C_GetAttributeValue - (session.id(), keyID, attrs2); - crtKey = ((attrs2[0].pValue instanceof byte[]) && - (attrs2[1].pValue instanceof byte[]) && - (attrs2[2].pValue instanceof byte[]) && - (attrs2[3].pValue instanceof byte[]) && - (attrs2[4].pValue instanceof byte[]) && - (attrs2[5].pValue instanceof byte[])) ; - } catch (PKCS11Exception e) { - // ignore, assume not available - crtKey = false; - } - if (crtKey) { - return new P11RSAPrivateKey - (session, keyID, algorithm, keyLength, attributes, attrs2); - } else { - return new P11RSAPrivateNonCRTKey - (session, keyID, algorithm, keyLength, attributes); - } - case "DSA": - return new P11DSAPrivateKey - (session, keyID, algorithm, keyLength, attributes); - case "DH": - return new P11DHPrivateKey - (session, keyID, algorithm, keyLength, attributes); - case "EC": - return new P11ECPrivateKey - (session, keyID, algorithm, keyLength, attributes); - default: - throw new ProviderException - ("Unknown private key algorithm " + algorithm); - } - } - } - - // class for sensitive and unextractable private keys - private static final class P11PrivateKey extends P11Key - implements PrivateKey { - private static final long serialVersionUID = -2138581185214187615L; - - P11PrivateKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PRIVATE, session, keyID, algorithm, keyLength, attributes); - } - // XXX temporary encoding for serialization purposes - public String getFormat() { - token.ensureValid(); - return null; - } - byte[] getEncodedInternal() { - token.ensureValid(); - return null; - } - } - - private static class P11SecretKey extends P11Key implements SecretKey { - private static final long serialVersionUID = -7828241727014329084L; - private volatile byte[] encoded; - P11SecretKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(SECRET, session, keyID, algorithm, keyLength, attributes); - } - public String getFormat() { - token.ensureValid(); - if (sensitive || (extractable == false)) { - return null; - } else { - return "RAW"; - } - } - byte[] getEncodedInternal() { - token.ensureValid(); - if (getFormat() == null) { - return null; - } - byte[] b = encoded; - if (b == null) { - synchronized (this) { - b = encoded; - if (b == null) { - Session tempSession = null; - try { - tempSession = token.getOpSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - }; - token.p11.C_GetAttributeValue - (tempSession.id(), keyID, attributes); - b = attributes[0].getByteArray(); - } catch (PKCS11Exception e) { - throw new ProviderException(e); - } finally { - token.releaseSession(tempSession); - } - encoded = b; - } - } - } - return b; - } - } - - @SuppressWarnings("deprecation") - private static class P11TlsMasterSecretKey extends P11SecretKey - implements TlsMasterSecret { - private static final long serialVersionUID = -1318560923770573441L; - - private final int majorVersion, minorVersion; - P11TlsMasterSecretKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes, int major, int minor) { - super(session, keyID, algorithm, keyLength, attributes); - this.majorVersion = major; - this.minorVersion = minor; - } - public int getMajorVersion() { - return majorVersion; - } - - public int getMinorVersion() { - return minorVersion; - } - } - - // RSA CRT private key - private static final class P11RSAPrivateKey extends P11Key - implements RSAPrivateCrtKey { - private static final long serialVersionUID = 9215872438913515220L; - - private BigInteger n, e, d, p, q, pe, qe, coeff; - private byte[] encoded; - P11RSAPrivateKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attrs, CK_ATTRIBUTE[] crtAttrs) { - super(PRIVATE, session, keyID, algorithm, keyLength, attrs); - - for (CK_ATTRIBUTE a : crtAttrs) { - if (a.type == CKA_PUBLIC_EXPONENT) { - e = a.getBigInteger(); - } else if (a.type == CKA_PRIME_1) { - p = a.getBigInteger(); - } else if (a.type == CKA_PRIME_2) { - q = a.getBigInteger(); - } else if (a.type == CKA_EXPONENT_1) { - pe = a.getBigInteger(); - } else if (a.type == CKA_EXPONENT_2) { - qe = a.getBigInteger(); - } else if (a.type == CKA_COEFFICIENT) { - coeff = a.getBigInteger(); - } - } - } - private synchronized void fetchValues() { - token.ensureValid(); - if (n != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_MODULUS), - new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT), - }; - fetchAttributes(attributes); - n = attributes[0].getBigInteger(); - d = attributes[1].getBigInteger(); - } - - public String getFormat() { - token.ensureValid(); - return "PKCS#8"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - // XXX make constructor in SunRsaSign provider public - // and call it directly - KeyFactory factory = KeyFactory.getInstance - ("RSA", P11Util.getSunRsaSignProvider()); - Key newKey = factory.translateKey(this); - encoded = newKey.getEncoded(); - } catch (GeneralSecurityException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public BigInteger getModulus() { - fetchValues(); - return n; - } - public BigInteger getPublicExponent() { - return e; - } - public BigInteger getPrivateExponent() { - fetchValues(); - return d; - } - public BigInteger getPrimeP() { - return p; - } - public BigInteger getPrimeQ() { - return q; - } - public BigInteger getPrimeExponentP() { - return pe; - } - public BigInteger getPrimeExponentQ() { - return qe; - } - public BigInteger getCrtCoefficient() { - return coeff; - } - } - - // RSA non-CRT private key - private static final class P11RSAPrivateNonCRTKey extends P11Key - implements RSAPrivateKey { - private static final long serialVersionUID = 1137764983777411481L; - - private BigInteger n, d; - private byte[] encoded; - P11RSAPrivateNonCRTKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PRIVATE, session, keyID, algorithm, keyLength, attributes); - } - private synchronized void fetchValues() { - token.ensureValid(); - if (n != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_MODULUS), - new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT), - }; - fetchAttributes(attributes); - n = attributes[0].getBigInteger(); - d = attributes[1].getBigInteger(); - } - public String getFormat() { - token.ensureValid(); - return "PKCS#8"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - // XXX make constructor in SunRsaSign provider public - // and call it directly - KeyFactory factory = KeyFactory.getInstance - ("RSA", P11Util.getSunRsaSignProvider()); - Key newKey = factory.translateKey(this); - encoded = newKey.getEncoded(); - } catch (GeneralSecurityException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public BigInteger getModulus() { - fetchValues(); - return n; - } - public BigInteger getPrivateExponent() { - fetchValues(); - return d; - } - } - - private static final class P11RSAPublicKey extends P11Key - implements RSAPublicKey { - private static final long serialVersionUID = -826726289023854455L; - - private BigInteger n, e; - private byte[] encoded; - P11RSAPublicKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PUBLIC, session, keyID, algorithm, keyLength, attributes); - } - private synchronized void fetchValues() { - token.ensureValid(); - if (n != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_MODULUS), - new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT), - }; - fetchAttributes(attributes); - n = attributes[0].getBigInteger(); - e = attributes[1].getBigInteger(); - } - public String getFormat() { - token.ensureValid(); - return "X.509"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - encoded = new RSAPublicKeyImpl(n, e).getEncoded(); - } catch (InvalidKeyException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public BigInteger getModulus() { - fetchValues(); - return n; - } - public BigInteger getPublicExponent() { - fetchValues(); - return e; - } - public String toString() { - fetchValues(); - return super.toString() + "\n modulus: " + n - + "\n public exponent: " + e; - } - } - - private static final class P11DSAPublicKey extends P11Key - implements DSAPublicKey { - private static final long serialVersionUID = 5989753793316396637L; - - private BigInteger y; - private DSAParams params; - private byte[] encoded; - P11DSAPublicKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PUBLIC, session, keyID, algorithm, keyLength, attributes); - } - private synchronized void fetchValues() { - token.ensureValid(); - if (y != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_PRIME), - new CK_ATTRIBUTE(CKA_SUBPRIME), - new CK_ATTRIBUTE(CKA_BASE), - }; - fetchAttributes(attributes); - y = attributes[0].getBigInteger(); - params = new DSAParameterSpec( - attributes[1].getBigInteger(), - attributes[2].getBigInteger(), - attributes[3].getBigInteger() - ); - } - public String getFormat() { - token.ensureValid(); - return "X.509"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - Key key = new sun.security.provider.DSAPublicKey - (y, params.getP(), params.getQ(), params.getG()); - encoded = key.getEncoded(); - } catch (InvalidKeyException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public BigInteger getY() { - fetchValues(); - return y; - } - public DSAParams getParams() { - fetchValues(); - return params; - } - public String toString() { - fetchValues(); - return super.toString() + "\n y: " + y + "\n p: " + params.getP() - + "\n q: " + params.getQ() + "\n g: " + params.getG(); - } - } - - private static final class P11DSAPrivateKey extends P11Key - implements DSAPrivateKey { - private static final long serialVersionUID = 3119629997181999389L; - - private BigInteger x; - private DSAParams params; - private byte[] encoded; - P11DSAPrivateKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PRIVATE, session, keyID, algorithm, keyLength, attributes); - } - private synchronized void fetchValues() { - token.ensureValid(); - if (x != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_PRIME), - new CK_ATTRIBUTE(CKA_SUBPRIME), - new CK_ATTRIBUTE(CKA_BASE), - }; - fetchAttributes(attributes); - x = attributes[0].getBigInteger(); - params = new DSAParameterSpec( - attributes[1].getBigInteger(), - attributes[2].getBigInteger(), - attributes[3].getBigInteger() - ); - } - public String getFormat() { - token.ensureValid(); - return "PKCS#8"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - Key key = new sun.security.provider.DSAPrivateKey - (x, params.getP(), params.getQ(), params.getG()); - encoded = key.getEncoded(); - } catch (InvalidKeyException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public BigInteger getX() { - fetchValues(); - return x; - } - public DSAParams getParams() { - fetchValues(); - return params; - } - } - - private static final class P11DHPrivateKey extends P11Key - implements DHPrivateKey { - private static final long serialVersionUID = -1698576167364928838L; - - private BigInteger x; - private DHParameterSpec params; - private byte[] encoded; - P11DHPrivateKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PRIVATE, session, keyID, algorithm, keyLength, attributes); - } - private synchronized void fetchValues() { - token.ensureValid(); - if (x != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_PRIME), - new CK_ATTRIBUTE(CKA_BASE), - }; - fetchAttributes(attributes); - x = attributes[0].getBigInteger(); - params = new DHParameterSpec( - attributes[1].getBigInteger(), - attributes[2].getBigInteger() - ); - } - public String getFormat() { - token.ensureValid(); - return "PKCS#8"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - DHPrivateKeySpec spec = new DHPrivateKeySpec - (x, params.getP(), params.getG()); - KeyFactory kf = KeyFactory.getInstance - ("DH", P11Util.getSunJceProvider()); - Key key = kf.generatePrivate(spec); - encoded = key.getEncoded(); - } catch (GeneralSecurityException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public BigInteger getX() { - fetchValues(); - return x; - } - public DHParameterSpec getParams() { - fetchValues(); - return params; - } - public int hashCode() { - if (token.isValid() == false) { - return 0; - } - fetchValues(); - return Objects.hash(x, params.getP(), params.getG()); - } - public boolean equals(Object obj) { - if (this == obj) return true; - // equals() should never throw exceptions - if (token.isValid() == false) { - return false; - } - if (!(obj instanceof DHPrivateKey)) { - return false; - } - fetchValues(); - DHPrivateKey other = (DHPrivateKey) obj; - DHParameterSpec otherParams = other.getParams(); - return ((this.x.compareTo(other.getX()) == 0) && - (this.params.getP().compareTo(otherParams.getP()) == 0) && - (this.params.getG().compareTo(otherParams.getG()) == 0)); - } - } - - private static final class P11DHPublicKey extends P11Key - implements DHPublicKey { - static final long serialVersionUID = -598383872153843657L; - - private BigInteger y; - private DHParameterSpec params; - private byte[] encoded; - P11DHPublicKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PUBLIC, session, keyID, algorithm, keyLength, attributes); - } - private synchronized void fetchValues() { - token.ensureValid(); - if (y != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_PRIME), - new CK_ATTRIBUTE(CKA_BASE), - }; - fetchAttributes(attributes); - y = attributes[0].getBigInteger(); - params = new DHParameterSpec( - attributes[1].getBigInteger(), - attributes[2].getBigInteger() - ); - } - public String getFormat() { - token.ensureValid(); - return "X.509"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - DHPublicKeySpec spec = new DHPublicKeySpec - (y, params.getP(), params.getG()); - KeyFactory kf = KeyFactory.getInstance - ("DH", P11Util.getSunJceProvider()); - Key key = kf.generatePublic(spec); - encoded = key.getEncoded(); - } catch (GeneralSecurityException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public BigInteger getY() { - fetchValues(); - return y; - } - public DHParameterSpec getParams() { - fetchValues(); - return params; - } - public String toString() { - fetchValues(); - return super.toString() + "\n y: " + y + "\n p: " + params.getP() - + "\n g: " + params.getG(); - } - public int hashCode() { - if (token.isValid() == false) { - return 0; - } - fetchValues(); - return Objects.hash(y, params.getP(), params.getG()); - } - public boolean equals(Object obj) { - if (this == obj) return true; - // equals() should never throw exceptions - if (token.isValid() == false) { - return false; - } - if (!(obj instanceof DHPublicKey)) { - return false; - } - fetchValues(); - DHPublicKey other = (DHPublicKey) obj; - DHParameterSpec otherParams = other.getParams(); - return ((this.y.compareTo(other.getY()) == 0) && - (this.params.getP().compareTo(otherParams.getP()) == 0) && - (this.params.getG().compareTo(otherParams.getG()) == 0)); - } - } - - private static final class P11ECPrivateKey extends P11Key - implements ECPrivateKey { - private static final long serialVersionUID = -7786054399510515515L; - - private BigInteger s; - private ECParameterSpec params; - private byte[] encoded; - P11ECPrivateKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PRIVATE, session, keyID, algorithm, keyLength, attributes); - } - private synchronized void fetchValues() { - token.ensureValid(); - if (s != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE), - new CK_ATTRIBUTE(CKA_EC_PARAMS, params), - }; - fetchAttributes(attributes); - s = attributes[0].getBigInteger(); - try { - params = P11ECKeyFactory.decodeParameters - (attributes[1].getByteArray()); - } catch (Exception e) { - throw new RuntimeException("Could not parse key values", e); - } - } - public String getFormat() { - token.ensureValid(); - return "PKCS#8"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - Key key = ECUtil.generateECPrivateKey(s, params); - encoded = key.getEncoded(); - } catch (InvalidKeySpecException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public BigInteger getS() { - fetchValues(); - return s; - } - public ECParameterSpec getParams() { - fetchValues(); - return params; - } - } - - private static final class P11ECPublicKey extends P11Key - implements ECPublicKey { - private static final long serialVersionUID = -6371481375154806089L; - - private ECPoint w; - private ECParameterSpec params; - private byte[] encoded; - P11ECPublicKey(Session session, long keyID, String algorithm, - int keyLength, CK_ATTRIBUTE[] attributes) { - super(PUBLIC, session, keyID, algorithm, keyLength, attributes); - } - private synchronized void fetchValues() { - token.ensureValid(); - if (w != null) { - return; - } - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_EC_POINT), - new CK_ATTRIBUTE(CKA_EC_PARAMS), - }; - fetchAttributes(attributes); - - try { - params = P11ECKeyFactory.decodeParameters - (attributes[1].getByteArray()); - byte[] ecKey = attributes[0].getByteArray(); - - // Check whether the X9.63 encoding of an EC point is wrapped - // in an ASN.1 OCTET STRING - if (!token.config.getUseEcX963Encoding()) { - DerValue wECPoint = new DerValue(ecKey); - - if (wECPoint.getTag() != DerValue.tag_OctetString) { - throw new IOException("Could not DER decode EC point." + - " Unexpected tag: " + wECPoint.getTag()); - } - w = P11ECKeyFactory.decodePoint - (wECPoint.getDataBytes(), params.getCurve()); - - } else { - w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve()); - } - - } catch (Exception e) { - throw new RuntimeException("Could not parse key values", e); - } - } - public String getFormat() { - token.ensureValid(); - return "X.509"; - } - synchronized byte[] getEncodedInternal() { - token.ensureValid(); - if (encoded == null) { - fetchValues(); - try { - return ECUtil.x509EncodeECPublicKey(w, params); - } catch (InvalidKeySpecException e) { - throw new ProviderException(e); - } - } - return encoded; - } - public ECPoint getW() { - fetchValues(); - return w; - } - public ECParameterSpec getParams() { - fetchValues(); - return params; - } - public String toString() { - fetchValues(); - return super.toString() - + "\n public x coord: " + w.getAffineX() - + "\n public y coord: " + w.getAffineY() - + "\n parameters: " + params; - } - } -} - -/* - * NOTE: Must use PhantomReference here and not WeakReference - * otherwise the key maybe cleared before other objects which - * still use these keys during finalization such as SSLSocket. - */ -final class SessionKeyRef extends PhantomReference - implements Comparable { - private static ReferenceQueue refQueue = - new ReferenceQueue(); - private static Set refList = - Collections.synchronizedSortedSet(new TreeSet()); - - static ReferenceQueue referenceQueue() { - return refQueue; - } - - private static void drainRefQueueBounded() { - Session sess = null; - Token tkn = null; - while (true) { - SessionKeyRef next = (SessionKeyRef) refQueue.poll(); - if (next == null) { - break; - } - - // If the token is still valid, try to remove the object - if (next.session.token.isValid()) { - // If this key's token is the same as the previous key, the - // same session can be used for C_DestroyObject. - try { - if (next.session.token != tkn || sess == null) { - // Release session if not using previous token - if (tkn != null && sess != null) { - tkn.releaseSession(sess); - sess = null; - } - - tkn = next.session.token; - sess = tkn.getOpSession(); - } - next.disposeNative(sess); - } catch (PKCS11Exception e) { - // ignore - } - } - // Regardless of native results, dispose of java references - next.dispose(); - } - - if (tkn != null && sess != null) { - tkn.releaseSession(sess); - } - } - - // handle to the native key - private long keyID; - private Session session; - - SessionKeyRef(P11Key key , long keyID, Session session) { - super(key, refQueue); - this.keyID = keyID; - this.session = session; - this.session.addObject(); - refList.add(this); - drainRefQueueBounded(); - } - - private void disposeNative(Session s) throws PKCS11Exception { - session.token.p11.C_DestroyObject(s.id(), keyID); - } - - private void dispose() { - refList.remove(this); - this.clear(); - session.removeObject(); - } - - public int compareTo(SessionKeyRef other) { - if (this.keyID == other.keyID) { - return 0; - } else { - return (this.keyID < other.keyID) ? -1 : 1; - } - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java 2017-01-20 09:52:30.238289262 -0800 @@ -0,0 +1,1188 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.io.*; +import java.lang.ref.*; +import java.math.BigInteger; +import java.util.*; + +import java.security.*; +import java.security.interfaces.*; +import java.security.spec.*; + +import javax.crypto.*; +import javax.crypto.interfaces.*; +import javax.crypto.spec.*; + +import sun.security.rsa.RSAPublicKeyImpl; + +import sun.security.internal.interfaces.TlsMasterSecret; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +import sun.security.util.Debug; +import sun.security.util.DerValue; +import sun.security.util.Length; +import sun.security.util.ECUtil; + +/** + * Key implementation classes. + * + * In PKCS#11, the components of private and secret keys may or may not + * be accessible. If they are, we use the algorithm specific key classes + * (e.g. DSAPrivateKey) for compatibility with existing applications. + * If the components are not accessible, we use a generic class that + * only implements PrivateKey (or SecretKey). Whether the components of a + * key are extractable is automatically determined when the key object is + * created. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +abstract class P11Key implements Key, Length { + + private static final long serialVersionUID = -2575874101938349339L; + + private final static String PUBLIC = "public"; + private final static String PRIVATE = "private"; + private final static String SECRET = "secret"; + + // type of key, one of (PUBLIC, PRIVATE, SECRET) + final String type; + + // token instance + final Token token; + + // algorithm name, returned by getAlgorithm(), etc. + final String algorithm; + + // key id + final long keyID; + + // effective key length of the key, e.g. 56 for a DES key + final int keyLength; + + // flags indicating whether the key is a token object, sensitive, extractable + final boolean tokenObject, sensitive, extractable; + + // phantom reference notification clean up for session keys + private final SessionKeyRef sessionKeyRef; + + P11Key(String type, Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + this.type = type; + this.token = session.token; + this.keyID = keyID; + this.algorithm = algorithm; + this.keyLength = keyLength; + boolean tokenObject = false; + boolean sensitive = false; + boolean extractable = true; + int n = (attributes == null) ? 0 : attributes.length; + for (int i = 0; i < n; i++) { + CK_ATTRIBUTE attr = attributes[i]; + if (attr.type == CKA_TOKEN) { + tokenObject = attr.getBoolean(); + } else if (attr.type == CKA_SENSITIVE) { + sensitive = attr.getBoolean(); + } else if (attr.type == CKA_EXTRACTABLE) { + extractable = attr.getBoolean(); + } + } + this.tokenObject = tokenObject; + this.sensitive = sensitive; + this.extractable = extractable; + if (tokenObject == false) { + sessionKeyRef = new SessionKeyRef(this, keyID, session); + } else { + sessionKeyRef = null; + } + } + + // see JCA spec + public final String getAlgorithm() { + token.ensureValid(); + return algorithm; + } + + // see JCA spec + public final byte[] getEncoded() { + byte[] b = getEncodedInternal(); + return (b == null) ? null : b.clone(); + } + + abstract byte[] getEncodedInternal(); + + public boolean equals(Object obj) { + if (this == obj) { + return true; + } + // equals() should never throw exceptions + if (token.isValid() == false) { + return false; + } + if (obj instanceof Key == false) { + return false; + } + String thisFormat = getFormat(); + if (thisFormat == null) { + // no encoding, key only equal to itself + // XXX getEncoded() for unextractable keys will change that + return false; + } + Key other = (Key)obj; + if (thisFormat.equals(other.getFormat()) == false) { + return false; + } + byte[] thisEnc = this.getEncodedInternal(); + byte[] otherEnc; + if (obj instanceof P11Key) { + otherEnc = ((P11Key)other).getEncodedInternal(); + } else { + otherEnc = other.getEncoded(); + } + return MessageDigest.isEqual(thisEnc, otherEnc); + } + + public int hashCode() { + // hashCode() should never throw exceptions + if (token.isValid() == false) { + return 0; + } + byte[] b1 = getEncodedInternal(); + if (b1 == null) { + return 0; + } + int r = b1.length; + for (int i = 0; i < b1.length; i++) { + r += (b1[i] & 0xff) * 37; + } + return r; + } + + protected Object writeReplace() throws ObjectStreamException { + KeyRep.Type type; + String format = getFormat(); + if (isPrivate() && "PKCS#8".equals(format)) { + type = KeyRep.Type.PRIVATE; + } else if (isPublic() && "X.509".equals(format)) { + type = KeyRep.Type.PUBLIC; + } else if (isSecret() && "RAW".equals(format)) { + type = KeyRep.Type.SECRET; + } else { + // XXX short term serialization for unextractable keys + throw new NotSerializableException + ("Cannot serialize sensitive and unextractable keys"); + } + return new KeyRep(type, getAlgorithm(), format, getEncoded()); + } + + public String toString() { + token.ensureValid(); + String s1 = token.provider.getName() + " " + algorithm + " " + type + + " key, " + keyLength + " bits"; + s1 += " (id " + keyID + ", " + + (tokenObject ? "token" : "session") + " object"; + if (isPublic()) { + s1 += ")"; + } else { + s1 += ", " + (sensitive ? "" : "not ") + "sensitive"; + s1 += ", " + (extractable ? "" : "un") + "extractable)"; + } + return s1; + } + + /** + * Return bit length of the key. + */ + @Override + public int length() { + return keyLength; + } + + boolean isPublic() { + return type == PUBLIC; + } + + boolean isPrivate() { + return type == PRIVATE; + } + + boolean isSecret() { + return type == SECRET; + } + + void fetchAttributes(CK_ATTRIBUTE[] attributes) { + Session tempSession = null; + try { + tempSession = token.getOpSession(); + token.p11.C_GetAttributeValue(tempSession.id(), keyID, attributes); + } catch (PKCS11Exception e) { + throw new ProviderException(e); + } finally { + token.releaseSession(tempSession); + } + } + + private final static CK_ATTRIBUTE[] A0 = new CK_ATTRIBUTE[0]; + + private static CK_ATTRIBUTE[] getAttributes(Session session, long keyID, + CK_ATTRIBUTE[] knownAttributes, CK_ATTRIBUTE[] desiredAttributes) { + if (knownAttributes == null) { + knownAttributes = A0; + } + for (int i = 0; i < desiredAttributes.length; i++) { + // For each desired attribute, check to see if we have the value + // available already. If everything is here, we save a native call. + CK_ATTRIBUTE attr = desiredAttributes[i]; + for (CK_ATTRIBUTE known : knownAttributes) { + if ((attr.type == known.type) && (known.pValue != null)) { + attr.pValue = known.pValue; + break; // break inner for loop + } + } + if (attr.pValue == null) { + // nothing found, need to call C_GetAttributeValue() + for (int j = 0; j < i; j++) { + // clear values copied from knownAttributes + desiredAttributes[j].pValue = null; + } + try { + session.token.p11.C_GetAttributeValue + (session.id(), keyID, desiredAttributes); + } catch (PKCS11Exception e) { + throw new ProviderException(e); + } + break; // break loop, goto return + } + } + return desiredAttributes; + } + + static SecretKey secretKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + attributes = getAttributes(session, keyID, attributes, new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_TOKEN), + new CK_ATTRIBUTE(CKA_SENSITIVE), + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + return new P11SecretKey(session, keyID, algorithm, keyLength, attributes); + } + + static SecretKey masterSecretKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes, int major, int minor) { + attributes = getAttributes(session, keyID, attributes, new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_TOKEN), + new CK_ATTRIBUTE(CKA_SENSITIVE), + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + return new P11TlsMasterSecretKey + (session, keyID, algorithm, keyLength, attributes, major, minor); + } + + // we assume that all components of public keys are always accessible + static PublicKey publicKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + switch (algorithm) { + case "RSA": + return new P11RSAPublicKey + (session, keyID, algorithm, keyLength, attributes); + case "DSA": + return new P11DSAPublicKey + (session, keyID, algorithm, keyLength, attributes); + case "DH": + return new P11DHPublicKey + (session, keyID, algorithm, keyLength, attributes); + case "EC": + return new P11ECPublicKey + (session, keyID, algorithm, keyLength, attributes); + default: + throw new ProviderException + ("Unknown public key algorithm " + algorithm); + } + } + + static PrivateKey privateKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + attributes = getAttributes(session, keyID, attributes, new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_TOKEN), + new CK_ATTRIBUTE(CKA_SENSITIVE), + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { + return new P11PrivateKey + (session, keyID, algorithm, keyLength, attributes); + } else { + switch (algorithm) { + case "RSA": + // In order to decide if this is RSA CRT key, we first query + // and see if all extra CRT attributes are available. + CK_ATTRIBUTE[] attrs2 = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT), + new CK_ATTRIBUTE(CKA_PRIME_1), + new CK_ATTRIBUTE(CKA_PRIME_2), + new CK_ATTRIBUTE(CKA_EXPONENT_1), + new CK_ATTRIBUTE(CKA_EXPONENT_2), + new CK_ATTRIBUTE(CKA_COEFFICIENT), + }; + boolean crtKey; + try { + session.token.p11.C_GetAttributeValue + (session.id(), keyID, attrs2); + crtKey = ((attrs2[0].pValue instanceof byte[]) && + (attrs2[1].pValue instanceof byte[]) && + (attrs2[2].pValue instanceof byte[]) && + (attrs2[3].pValue instanceof byte[]) && + (attrs2[4].pValue instanceof byte[]) && + (attrs2[5].pValue instanceof byte[])) ; + } catch (PKCS11Exception e) { + // ignore, assume not available + crtKey = false; + } + if (crtKey) { + return new P11RSAPrivateKey + (session, keyID, algorithm, keyLength, attributes, attrs2); + } else { + return new P11RSAPrivateNonCRTKey + (session, keyID, algorithm, keyLength, attributes); + } + case "DSA": + return new P11DSAPrivateKey + (session, keyID, algorithm, keyLength, attributes); + case "DH": + return new P11DHPrivateKey + (session, keyID, algorithm, keyLength, attributes); + case "EC": + return new P11ECPrivateKey + (session, keyID, algorithm, keyLength, attributes); + default: + throw new ProviderException + ("Unknown private key algorithm " + algorithm); + } + } + } + + // class for sensitive and unextractable private keys + private static final class P11PrivateKey extends P11Key + implements PrivateKey { + private static final long serialVersionUID = -2138581185214187615L; + + P11PrivateKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PRIVATE, session, keyID, algorithm, keyLength, attributes); + } + // XXX temporary encoding for serialization purposes + public String getFormat() { + token.ensureValid(); + return null; + } + byte[] getEncodedInternal() { + token.ensureValid(); + return null; + } + } + + private static class P11SecretKey extends P11Key implements SecretKey { + private static final long serialVersionUID = -7828241727014329084L; + private volatile byte[] encoded; + P11SecretKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(SECRET, session, keyID, algorithm, keyLength, attributes); + } + public String getFormat() { + token.ensureValid(); + if (sensitive || (extractable == false)) { + return null; + } else { + return "RAW"; + } + } + byte[] getEncodedInternal() { + token.ensureValid(); + if (getFormat() == null) { + return null; + } + byte[] b = encoded; + if (b == null) { + synchronized (this) { + b = encoded; + if (b == null) { + Session tempSession = null; + try { + tempSession = token.getOpSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + }; + token.p11.C_GetAttributeValue + (tempSession.id(), keyID, attributes); + b = attributes[0].getByteArray(); + } catch (PKCS11Exception e) { + throw new ProviderException(e); + } finally { + token.releaseSession(tempSession); + } + encoded = b; + } + } + } + return b; + } + } + + @SuppressWarnings("deprecation") + private static class P11TlsMasterSecretKey extends P11SecretKey + implements TlsMasterSecret { + private static final long serialVersionUID = -1318560923770573441L; + + private final int majorVersion, minorVersion; + P11TlsMasterSecretKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes, int major, int minor) { + super(session, keyID, algorithm, keyLength, attributes); + this.majorVersion = major; + this.minorVersion = minor; + } + public int getMajorVersion() { + return majorVersion; + } + + public int getMinorVersion() { + return minorVersion; + } + } + + // RSA CRT private key + private static final class P11RSAPrivateKey extends P11Key + implements RSAPrivateCrtKey { + private static final long serialVersionUID = 9215872438913515220L; + + private BigInteger n, e, d, p, q, pe, qe, coeff; + private byte[] encoded; + P11RSAPrivateKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attrs, CK_ATTRIBUTE[] crtAttrs) { + super(PRIVATE, session, keyID, algorithm, keyLength, attrs); + + for (CK_ATTRIBUTE a : crtAttrs) { + if (a.type == CKA_PUBLIC_EXPONENT) { + e = a.getBigInteger(); + } else if (a.type == CKA_PRIME_1) { + p = a.getBigInteger(); + } else if (a.type == CKA_PRIME_2) { + q = a.getBigInteger(); + } else if (a.type == CKA_EXPONENT_1) { + pe = a.getBigInteger(); + } else if (a.type == CKA_EXPONENT_2) { + qe = a.getBigInteger(); + } else if (a.type == CKA_COEFFICIENT) { + coeff = a.getBigInteger(); + } + } + } + private synchronized void fetchValues() { + token.ensureValid(); + if (n != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_MODULUS), + new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT), + }; + fetchAttributes(attributes); + n = attributes[0].getBigInteger(); + d = attributes[1].getBigInteger(); + } + + public String getFormat() { + token.ensureValid(); + return "PKCS#8"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + // XXX make constructor in SunRsaSign provider public + // and call it directly + KeyFactory factory = KeyFactory.getInstance + ("RSA", P11Util.getSunRsaSignProvider()); + Key newKey = factory.translateKey(this); + encoded = newKey.getEncoded(); + } catch (GeneralSecurityException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public BigInteger getModulus() { + fetchValues(); + return n; + } + public BigInteger getPublicExponent() { + return e; + } + public BigInteger getPrivateExponent() { + fetchValues(); + return d; + } + public BigInteger getPrimeP() { + return p; + } + public BigInteger getPrimeQ() { + return q; + } + public BigInteger getPrimeExponentP() { + return pe; + } + public BigInteger getPrimeExponentQ() { + return qe; + } + public BigInteger getCrtCoefficient() { + return coeff; + } + } + + // RSA non-CRT private key + private static final class P11RSAPrivateNonCRTKey extends P11Key + implements RSAPrivateKey { + private static final long serialVersionUID = 1137764983777411481L; + + private BigInteger n, d; + private byte[] encoded; + P11RSAPrivateNonCRTKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PRIVATE, session, keyID, algorithm, keyLength, attributes); + } + private synchronized void fetchValues() { + token.ensureValid(); + if (n != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_MODULUS), + new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT), + }; + fetchAttributes(attributes); + n = attributes[0].getBigInteger(); + d = attributes[1].getBigInteger(); + } + public String getFormat() { + token.ensureValid(); + return "PKCS#8"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + // XXX make constructor in SunRsaSign provider public + // and call it directly + KeyFactory factory = KeyFactory.getInstance + ("RSA", P11Util.getSunRsaSignProvider()); + Key newKey = factory.translateKey(this); + encoded = newKey.getEncoded(); + } catch (GeneralSecurityException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public BigInteger getModulus() { + fetchValues(); + return n; + } + public BigInteger getPrivateExponent() { + fetchValues(); + return d; + } + } + + private static final class P11RSAPublicKey extends P11Key + implements RSAPublicKey { + private static final long serialVersionUID = -826726289023854455L; + + private BigInteger n, e; + private byte[] encoded; + P11RSAPublicKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PUBLIC, session, keyID, algorithm, keyLength, attributes); + } + private synchronized void fetchValues() { + token.ensureValid(); + if (n != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_MODULUS), + new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT), + }; + fetchAttributes(attributes); + n = attributes[0].getBigInteger(); + e = attributes[1].getBigInteger(); + } + public String getFormat() { + token.ensureValid(); + return "X.509"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + encoded = new RSAPublicKeyImpl(n, e).getEncoded(); + } catch (InvalidKeyException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public BigInteger getModulus() { + fetchValues(); + return n; + } + public BigInteger getPublicExponent() { + fetchValues(); + return e; + } + public String toString() { + fetchValues(); + return super.toString() + "\n modulus: " + n + + "\n public exponent: " + e; + } + } + + private static final class P11DSAPublicKey extends P11Key + implements DSAPublicKey { + private static final long serialVersionUID = 5989753793316396637L; + + private BigInteger y; + private DSAParams params; + private byte[] encoded; + P11DSAPublicKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PUBLIC, session, keyID, algorithm, keyLength, attributes); + } + private synchronized void fetchValues() { + token.ensureValid(); + if (y != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_PRIME), + new CK_ATTRIBUTE(CKA_SUBPRIME), + new CK_ATTRIBUTE(CKA_BASE), + }; + fetchAttributes(attributes); + y = attributes[0].getBigInteger(); + params = new DSAParameterSpec( + attributes[1].getBigInteger(), + attributes[2].getBigInteger(), + attributes[3].getBigInteger() + ); + } + public String getFormat() { + token.ensureValid(); + return "X.509"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + Key key = new sun.security.provider.DSAPublicKey + (y, params.getP(), params.getQ(), params.getG()); + encoded = key.getEncoded(); + } catch (InvalidKeyException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public BigInteger getY() { + fetchValues(); + return y; + } + public DSAParams getParams() { + fetchValues(); + return params; + } + public String toString() { + fetchValues(); + return super.toString() + "\n y: " + y + "\n p: " + params.getP() + + "\n q: " + params.getQ() + "\n g: " + params.getG(); + } + } + + private static final class P11DSAPrivateKey extends P11Key + implements DSAPrivateKey { + private static final long serialVersionUID = 3119629997181999389L; + + private BigInteger x; + private DSAParams params; + private byte[] encoded; + P11DSAPrivateKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PRIVATE, session, keyID, algorithm, keyLength, attributes); + } + private synchronized void fetchValues() { + token.ensureValid(); + if (x != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_PRIME), + new CK_ATTRIBUTE(CKA_SUBPRIME), + new CK_ATTRIBUTE(CKA_BASE), + }; + fetchAttributes(attributes); + x = attributes[0].getBigInteger(); + params = new DSAParameterSpec( + attributes[1].getBigInteger(), + attributes[2].getBigInteger(), + attributes[3].getBigInteger() + ); + } + public String getFormat() { + token.ensureValid(); + return "PKCS#8"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + Key key = new sun.security.provider.DSAPrivateKey + (x, params.getP(), params.getQ(), params.getG()); + encoded = key.getEncoded(); + } catch (InvalidKeyException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public BigInteger getX() { + fetchValues(); + return x; + } + public DSAParams getParams() { + fetchValues(); + return params; + } + } + + private static final class P11DHPrivateKey extends P11Key + implements DHPrivateKey { + private static final long serialVersionUID = -1698576167364928838L; + + private BigInteger x; + private DHParameterSpec params; + private byte[] encoded; + P11DHPrivateKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PRIVATE, session, keyID, algorithm, keyLength, attributes); + } + private synchronized void fetchValues() { + token.ensureValid(); + if (x != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_PRIME), + new CK_ATTRIBUTE(CKA_BASE), + }; + fetchAttributes(attributes); + x = attributes[0].getBigInteger(); + params = new DHParameterSpec( + attributes[1].getBigInteger(), + attributes[2].getBigInteger() + ); + } + public String getFormat() { + token.ensureValid(); + return "PKCS#8"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + DHPrivateKeySpec spec = new DHPrivateKeySpec + (x, params.getP(), params.getG()); + KeyFactory kf = KeyFactory.getInstance + ("DH", P11Util.getSunJceProvider()); + Key key = kf.generatePrivate(spec); + encoded = key.getEncoded(); + } catch (GeneralSecurityException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public BigInteger getX() { + fetchValues(); + return x; + } + public DHParameterSpec getParams() { + fetchValues(); + return params; + } + public int hashCode() { + if (token.isValid() == false) { + return 0; + } + fetchValues(); + return Objects.hash(x, params.getP(), params.getG()); + } + public boolean equals(Object obj) { + if (this == obj) return true; + // equals() should never throw exceptions + if (token.isValid() == false) { + return false; + } + if (!(obj instanceof DHPrivateKey)) { + return false; + } + fetchValues(); + DHPrivateKey other = (DHPrivateKey) obj; + DHParameterSpec otherParams = other.getParams(); + return ((this.x.compareTo(other.getX()) == 0) && + (this.params.getP().compareTo(otherParams.getP()) == 0) && + (this.params.getG().compareTo(otherParams.getG()) == 0)); + } + } + + private static final class P11DHPublicKey extends P11Key + implements DHPublicKey { + static final long serialVersionUID = -598383872153843657L; + + private BigInteger y; + private DHParameterSpec params; + private byte[] encoded; + P11DHPublicKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PUBLIC, session, keyID, algorithm, keyLength, attributes); + } + private synchronized void fetchValues() { + token.ensureValid(); + if (y != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_PRIME), + new CK_ATTRIBUTE(CKA_BASE), + }; + fetchAttributes(attributes); + y = attributes[0].getBigInteger(); + params = new DHParameterSpec( + attributes[1].getBigInteger(), + attributes[2].getBigInteger() + ); + } + public String getFormat() { + token.ensureValid(); + return "X.509"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + DHPublicKeySpec spec = new DHPublicKeySpec + (y, params.getP(), params.getG()); + KeyFactory kf = KeyFactory.getInstance + ("DH", P11Util.getSunJceProvider()); + Key key = kf.generatePublic(spec); + encoded = key.getEncoded(); + } catch (GeneralSecurityException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public BigInteger getY() { + fetchValues(); + return y; + } + public DHParameterSpec getParams() { + fetchValues(); + return params; + } + public String toString() { + fetchValues(); + return super.toString() + "\n y: " + y + "\n p: " + params.getP() + + "\n g: " + params.getG(); + } + public int hashCode() { + if (token.isValid() == false) { + return 0; + } + fetchValues(); + return Objects.hash(y, params.getP(), params.getG()); + } + public boolean equals(Object obj) { + if (this == obj) return true; + // equals() should never throw exceptions + if (token.isValid() == false) { + return false; + } + if (!(obj instanceof DHPublicKey)) { + return false; + } + fetchValues(); + DHPublicKey other = (DHPublicKey) obj; + DHParameterSpec otherParams = other.getParams(); + return ((this.y.compareTo(other.getY()) == 0) && + (this.params.getP().compareTo(otherParams.getP()) == 0) && + (this.params.getG().compareTo(otherParams.getG()) == 0)); + } + } + + private static final class P11ECPrivateKey extends P11Key + implements ECPrivateKey { + private static final long serialVersionUID = -7786054399510515515L; + + private BigInteger s; + private ECParameterSpec params; + private byte[] encoded; + P11ECPrivateKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PRIVATE, session, keyID, algorithm, keyLength, attributes); + } + private synchronized void fetchValues() { + token.ensureValid(); + if (s != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE), + new CK_ATTRIBUTE(CKA_EC_PARAMS, params), + }; + fetchAttributes(attributes); + s = attributes[0].getBigInteger(); + try { + params = P11ECKeyFactory.decodeParameters + (attributes[1].getByteArray()); + } catch (Exception e) { + throw new RuntimeException("Could not parse key values", e); + } + } + public String getFormat() { + token.ensureValid(); + return "PKCS#8"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + Key key = ECUtil.generateECPrivateKey(s, params); + encoded = key.getEncoded(); + } catch (InvalidKeySpecException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public BigInteger getS() { + fetchValues(); + return s; + } + public ECParameterSpec getParams() { + fetchValues(); + return params; + } + } + + private static final class P11ECPublicKey extends P11Key + implements ECPublicKey { + private static final long serialVersionUID = -6371481375154806089L; + + private ECPoint w; + private ECParameterSpec params; + private byte[] encoded; + P11ECPublicKey(Session session, long keyID, String algorithm, + int keyLength, CK_ATTRIBUTE[] attributes) { + super(PUBLIC, session, keyID, algorithm, keyLength, attributes); + } + private synchronized void fetchValues() { + token.ensureValid(); + if (w != null) { + return; + } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_EC_POINT), + new CK_ATTRIBUTE(CKA_EC_PARAMS), + }; + fetchAttributes(attributes); + + try { + params = P11ECKeyFactory.decodeParameters + (attributes[1].getByteArray()); + byte[] ecKey = attributes[0].getByteArray(); + + // Check whether the X9.63 encoding of an EC point is wrapped + // in an ASN.1 OCTET STRING + if (!token.config.getUseEcX963Encoding()) { + DerValue wECPoint = new DerValue(ecKey); + + if (wECPoint.getTag() != DerValue.tag_OctetString) { + throw new IOException("Could not DER decode EC point." + + " Unexpected tag: " + wECPoint.getTag()); + } + w = P11ECKeyFactory.decodePoint + (wECPoint.getDataBytes(), params.getCurve()); + + } else { + w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve()); + } + + } catch (Exception e) { + throw new RuntimeException("Could not parse key values", e); + } + } + public String getFormat() { + token.ensureValid(); + return "X.509"; + } + synchronized byte[] getEncodedInternal() { + token.ensureValid(); + if (encoded == null) { + fetchValues(); + try { + return ECUtil.x509EncodeECPublicKey(w, params); + } catch (InvalidKeySpecException e) { + throw new ProviderException(e); + } + } + return encoded; + } + public ECPoint getW() { + fetchValues(); + return w; + } + public ECParameterSpec getParams() { + fetchValues(); + return params; + } + public String toString() { + fetchValues(); + return super.toString() + + "\n public x coord: " + w.getAffineX() + + "\n public y coord: " + w.getAffineY() + + "\n parameters: " + params; + } + } +} + +/* + * NOTE: Must use PhantomReference here and not WeakReference + * otherwise the key maybe cleared before other objects which + * still use these keys during finalization such as SSLSocket. + */ +final class SessionKeyRef extends PhantomReference + implements Comparable { + private static ReferenceQueue refQueue = + new ReferenceQueue(); + private static Set refList = + Collections.synchronizedSortedSet(new TreeSet()); + + static ReferenceQueue referenceQueue() { + return refQueue; + } + + private static void drainRefQueueBounded() { + Session sess = null; + Token tkn = null; + while (true) { + SessionKeyRef next = (SessionKeyRef) refQueue.poll(); + if (next == null) { + break; + } + + // If the token is still valid, try to remove the object + if (next.session.token.isValid()) { + // If this key's token is the same as the previous key, the + // same session can be used for C_DestroyObject. + try { + if (next.session.token != tkn || sess == null) { + // Release session if not using previous token + if (tkn != null && sess != null) { + tkn.releaseSession(sess); + sess = null; + } + + tkn = next.session.token; + sess = tkn.getOpSession(); + } + next.disposeNative(sess); + } catch (PKCS11Exception e) { + // ignore + } + } + // Regardless of native results, dispose of java references + next.dispose(); + } + + if (tkn != null && sess != null) { + tkn.releaseSession(sess); + } + } + + // handle to the native key + private long keyID; + private Session session; + + SessionKeyRef(P11Key key , long keyID, Session session) { + super(key, refQueue); + this.keyID = keyID; + this.session = session; + this.session.addObject(); + refList.add(this); + drainRefQueueBounded(); + } + + private void disposeNative(Session s) throws PKCS11Exception { + session.token.p11.C_DestroyObject(s.id(), keyID); + } + + private void dispose() { + refList.remove(this); + this.clear(); + session.removeObject(); + } + + public int compareTo(SessionKeyRef other) { + if (this.keyID == other.keyID) { + return 0; + } else { + return (this.keyID < other.keyID) ? -1 : 1; + } + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyAgreement.java 2017-01-20 09:52:31.286289222 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,347 +0,0 @@ -/* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.math.BigInteger; - -import java.security.*; -import java.security.spec.*; - -import javax.crypto.*; -import javax.crypto.interfaces.*; -import javax.crypto.spec.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -import sun.security.util.KeyUtil; - -/** - * KeyAgreement implementation class. This class currently supports - * DH. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11KeyAgreement extends KeyAgreementSpi { - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private final long mechanism; - - // private key, if initialized - private P11Key privateKey; - - // other sides public value ("y"), if doPhase() already called - private BigInteger publicValue; - - // length of the secret to be derived - private int secretLen; - - // KeyAgreement from SunJCE as fallback for > 2 party agreement - private KeyAgreement multiPartyAgreement; - - P11KeyAgreement(Token token, String algorithm, long mechanism) { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - } - - // see JCE spec - protected void engineInit(Key key, SecureRandom random) - throws InvalidKeyException { - if (key instanceof PrivateKey == false) { - throw new InvalidKeyException - ("Key must be instance of PrivateKey"); - } - privateKey = P11KeyFactory.convertKey(token, key, algorithm); - publicValue = null; - multiPartyAgreement = null; - } - - // see JCE spec - protected void engineInit(Key key, AlgorithmParameterSpec params, - SecureRandom random) throws InvalidKeyException, - InvalidAlgorithmParameterException { - if (params != null) { - throw new InvalidAlgorithmParameterException - ("Parameters not supported"); - } - engineInit(key, random); - } - - // see JCE spec - protected Key engineDoPhase(Key key, boolean lastPhase) - throws InvalidKeyException, IllegalStateException { - if (privateKey == null) { - throw new IllegalStateException("Not initialized"); - } - if (publicValue != null) { - throw new IllegalStateException("Phase already executed"); - } - // PKCS#11 only allows key agreement between 2 parties - // JCE allows >= 2 parties. To support that case (for compatibility - // and to pass JCK), fall back to SunJCE in this case. - // NOTE that we initialize using the P11Key, which will fail if it - // is sensitive/unextractable. However, this is not an issue in the - // compatibility configuration, which is all we are targeting here. - if ((multiPartyAgreement != null) || (lastPhase == false)) { - if (multiPartyAgreement == null) { - try { - multiPartyAgreement = KeyAgreement.getInstance - ("DH", P11Util.getSunJceProvider()); - multiPartyAgreement.init(privateKey); - } catch (NoSuchAlgorithmException e) { - throw new InvalidKeyException - ("Could not initialize multi party agreement", e); - } - } - return multiPartyAgreement.doPhase(key, lastPhase); - } - if ((key instanceof PublicKey == false) - || (key.getAlgorithm().equals(algorithm) == false)) { - throw new InvalidKeyException - ("Key must be a PublicKey with algorithm DH"); - } - BigInteger p, g, y; - if (key instanceof DHPublicKey) { - DHPublicKey dhKey = (DHPublicKey)key; - - // validate the Diffie-Hellman public key - KeyUtil.validate(dhKey); - - y = dhKey.getY(); - DHParameterSpec params = dhKey.getParams(); - p = params.getP(); - g = params.getG(); - } else { - // normally, DH PublicKeys will always implement DHPublicKey - // just in case not, attempt conversion - P11DHKeyFactory kf = new P11DHKeyFactory(token, "DH"); - try { - DHPublicKeySpec spec = kf.engineGetKeySpec( - key, DHPublicKeySpec.class); - - // validate the Diffie-Hellman public key - KeyUtil.validate(spec); - - y = spec.getY(); - p = spec.getP(); - g = spec.getG(); - } catch (InvalidKeySpecException e) { - throw new InvalidKeyException("Could not obtain key values", e); - } - } - // if parameters of private key are accessible, verify that - // they match parameters of public key - // XXX p and g should always be readable, even if the key is sensitive - if (privateKey instanceof DHPrivateKey) { - DHPrivateKey dhKey = (DHPrivateKey)privateKey; - DHParameterSpec params = dhKey.getParams(); - if ((p.equals(params.getP()) == false) - || (g.equals(params.getG()) == false)) { - throw new InvalidKeyException - ("PublicKey DH parameters must match PrivateKey DH parameters"); - } - } - publicValue = y; - // length of the secret is length of key - secretLen = (p.bitLength() + 7) >> 3; - return null; - } - - // see JCE spec - protected byte[] engineGenerateSecret() throws IllegalStateException { - if (multiPartyAgreement != null) { - byte[] val = multiPartyAgreement.generateSecret(); - multiPartyAgreement = null; - return val; - } - if ((privateKey == null) || (publicValue == null)) { - throw new IllegalStateException("Not initialized correctly"); - } - Session session = null; - try { - session = token.getOpSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET), - }; - attributes = token.getAttributes - (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, publicValue), privateKey.keyID, - attributes); - attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE) - }; - token.p11.C_GetAttributeValue(session.id(), keyID, attributes); - byte[] secret = attributes[0].getByteArray(); - token.p11.C_DestroyObject(session.id(), keyID); - // Some vendors, e.g. NSS, trim off the leading 0x00 byte(s) from - // the generated secret. Thus, we need to check the secret length - // and trim/pad it so the returned value has the same length as - // the modulus size - if (secret.length == secretLen) { - return secret; - } else { - if (secret.length > secretLen) { - // Shouldn't happen; but check just in case - throw new ProviderException("generated secret is out-of-range"); - } - byte[] newSecret = new byte[secretLen]; - System.arraycopy(secret, 0, newSecret, secretLen - secret.length, - secret.length); - return newSecret; - } - } catch (PKCS11Exception e) { - throw new ProviderException("Could not derive key", e); - } finally { - publicValue = null; - token.releaseSession(session); - } - } - - // see JCE spec - protected int engineGenerateSecret(byte[] sharedSecret, int - offset) throws IllegalStateException, ShortBufferException { - if (multiPartyAgreement != null) { - int n = multiPartyAgreement.generateSecret(sharedSecret, offset); - multiPartyAgreement = null; - return n; - } - if (offset + secretLen > sharedSecret.length) { - throw new ShortBufferException("Need " + secretLen - + " bytes, only " + (sharedSecret.length - offset) + " available"); - } - byte[] secret = engineGenerateSecret(); - System.arraycopy(secret, 0, sharedSecret, offset, secret.length); - return secret.length; - } - - // see JCE spec - protected SecretKey engineGenerateSecret(String algorithm) - throws IllegalStateException, NoSuchAlgorithmException, - InvalidKeyException { - if (multiPartyAgreement != null) { - SecretKey key = multiPartyAgreement.generateSecret(algorithm); - multiPartyAgreement = null; - return key; - } - if (algorithm == null) { - throw new NoSuchAlgorithmException("Algorithm must not be null"); - } - if (algorithm.equals("TlsPremasterSecret")) { - // For now, only perform native derivation for TlsPremasterSecret - // as that is required for FIPS compliance. - // For other algorithms, there are unresolved issues regarding - // how this should work in JCE plus a Solaris truncation bug. - // (bug not yet filed). - return nativeGenerateSecret(algorithm); - } - byte[] secret = engineGenerateSecret(); - // Maintain compatibility for SunJCE: - // verify secret length is sensible for algorithm / truncate - // return generated key itself if possible - int keyLen; - if (algorithm.equalsIgnoreCase("DES")) { - keyLen = 8; - } else if (algorithm.equalsIgnoreCase("DESede")) { - keyLen = 24; - } else if (algorithm.equalsIgnoreCase("Blowfish")) { - keyLen = Math.min(56, secret.length); - } else if (algorithm.equalsIgnoreCase("TlsPremasterSecret")) { - keyLen = secret.length; - } else { - throw new NoSuchAlgorithmException - ("Unknown algorithm " + algorithm); - } - if (secret.length < keyLen) { - throw new InvalidKeyException("Secret too short"); - } - if (algorithm.equalsIgnoreCase("DES") || - algorithm.equalsIgnoreCase("DESede")) { - for (int i = 0; i < keyLen; i+=8) { - P11SecretKeyFactory.fixDESParity(secret, i); - } - } - return new SecretKeySpec(secret, 0, keyLen, algorithm); - } - - private SecretKey nativeGenerateSecret(String algorithm) - throws IllegalStateException, NoSuchAlgorithmException, - InvalidKeyException { - if ((privateKey == null) || (publicValue == null)) { - throw new IllegalStateException("Not initialized correctly"); - } - long keyType = CKK_GENERIC_SECRET; - Session session = null; - try { - session = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), - }; - attributes = token.getAttributes - (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, publicValue), privateKey.keyID, - attributes); - CK_ATTRIBUTE[] lenAttributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE_LEN), - }; - token.p11.C_GetAttributeValue(session.id(), keyID, lenAttributes); - int keyLen = (int)lenAttributes[0].getLong(); - SecretKey key = P11Key.secretKey - (session, keyID, algorithm, keyLen << 3, attributes); - if ("RAW".equals(key.getFormat())) { - // Workaround for Solaris bug 6318543. - // Strip leading zeroes ourselves if possible (key not sensitive). - // This should be removed once the Solaris fix is available - // as here we always retrieve the CKA_VALUE even for tokens - // that do not have that bug. - byte[] keyBytes = key.getEncoded(); - byte[] newBytes = KeyUtil.trimZeroes(keyBytes); - if (keyBytes != newBytes) { - key = new SecretKeySpec(newBytes, algorithm); - } - } - return key; - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not derive key", e); - } finally { - publicValue = null; - token.releaseSession(session); - } - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java 2017-01-20 09:52:30.926289236 -0800 @@ -0,0 +1,347 @@ +/* + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; + +import java.security.*; +import java.security.spec.*; + +import javax.crypto.*; +import javax.crypto.interfaces.*; +import javax.crypto.spec.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +import sun.security.util.KeyUtil; + +/** + * KeyAgreement implementation class. This class currently supports + * DH. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11KeyAgreement extends KeyAgreementSpi { + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private final long mechanism; + + // private key, if initialized + private P11Key privateKey; + + // other sides public value ("y"), if doPhase() already called + private BigInteger publicValue; + + // length of the secret to be derived + private int secretLen; + + // KeyAgreement from SunJCE as fallback for > 2 party agreement + private KeyAgreement multiPartyAgreement; + + P11KeyAgreement(Token token, String algorithm, long mechanism) { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + } + + // see JCE spec + protected void engineInit(Key key, SecureRandom random) + throws InvalidKeyException { + if (key instanceof PrivateKey == false) { + throw new InvalidKeyException + ("Key must be instance of PrivateKey"); + } + privateKey = P11KeyFactory.convertKey(token, key, algorithm); + publicValue = null; + multiPartyAgreement = null; + } + + // see JCE spec + protected void engineInit(Key key, AlgorithmParameterSpec params, + SecureRandom random) throws InvalidKeyException, + InvalidAlgorithmParameterException { + if (params != null) { + throw new InvalidAlgorithmParameterException + ("Parameters not supported"); + } + engineInit(key, random); + } + + // see JCE spec + protected Key engineDoPhase(Key key, boolean lastPhase) + throws InvalidKeyException, IllegalStateException { + if (privateKey == null) { + throw new IllegalStateException("Not initialized"); + } + if (publicValue != null) { + throw new IllegalStateException("Phase already executed"); + } + // PKCS#11 only allows key agreement between 2 parties + // JCE allows >= 2 parties. To support that case (for compatibility + // and to pass JCK), fall back to SunJCE in this case. + // NOTE that we initialize using the P11Key, which will fail if it + // is sensitive/unextractable. However, this is not an issue in the + // compatibility configuration, which is all we are targeting here. + if ((multiPartyAgreement != null) || (lastPhase == false)) { + if (multiPartyAgreement == null) { + try { + multiPartyAgreement = KeyAgreement.getInstance + ("DH", P11Util.getSunJceProvider()); + multiPartyAgreement.init(privateKey); + } catch (NoSuchAlgorithmException e) { + throw new InvalidKeyException + ("Could not initialize multi party agreement", e); + } + } + return multiPartyAgreement.doPhase(key, lastPhase); + } + if ((key instanceof PublicKey == false) + || (key.getAlgorithm().equals(algorithm) == false)) { + throw new InvalidKeyException + ("Key must be a PublicKey with algorithm DH"); + } + BigInteger p, g, y; + if (key instanceof DHPublicKey) { + DHPublicKey dhKey = (DHPublicKey)key; + + // validate the Diffie-Hellman public key + KeyUtil.validate(dhKey); + + y = dhKey.getY(); + DHParameterSpec params = dhKey.getParams(); + p = params.getP(); + g = params.getG(); + } else { + // normally, DH PublicKeys will always implement DHPublicKey + // just in case not, attempt conversion + P11DHKeyFactory kf = new P11DHKeyFactory(token, "DH"); + try { + DHPublicKeySpec spec = kf.engineGetKeySpec( + key, DHPublicKeySpec.class); + + // validate the Diffie-Hellman public key + KeyUtil.validate(spec); + + y = spec.getY(); + p = spec.getP(); + g = spec.getG(); + } catch (InvalidKeySpecException e) { + throw new InvalidKeyException("Could not obtain key values", e); + } + } + // if parameters of private key are accessible, verify that + // they match parameters of public key + // XXX p and g should always be readable, even if the key is sensitive + if (privateKey instanceof DHPrivateKey) { + DHPrivateKey dhKey = (DHPrivateKey)privateKey; + DHParameterSpec params = dhKey.getParams(); + if ((p.equals(params.getP()) == false) + || (g.equals(params.getG()) == false)) { + throw new InvalidKeyException + ("PublicKey DH parameters must match PrivateKey DH parameters"); + } + } + publicValue = y; + // length of the secret is length of key + secretLen = (p.bitLength() + 7) >> 3; + return null; + } + + // see JCE spec + protected byte[] engineGenerateSecret() throws IllegalStateException { + if (multiPartyAgreement != null) { + byte[] val = multiPartyAgreement.generateSecret(); + multiPartyAgreement = null; + return val; + } + if ((privateKey == null) || (publicValue == null)) { + throw new IllegalStateException("Not initialized correctly"); + } + Session session = null; + try { + session = token.getOpSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET), + }; + attributes = token.getAttributes + (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes); + long keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, publicValue), privateKey.keyID, + attributes); + attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE) + }; + token.p11.C_GetAttributeValue(session.id(), keyID, attributes); + byte[] secret = attributes[0].getByteArray(); + token.p11.C_DestroyObject(session.id(), keyID); + // Some vendors, e.g. NSS, trim off the leading 0x00 byte(s) from + // the generated secret. Thus, we need to check the secret length + // and trim/pad it so the returned value has the same length as + // the modulus size + if (secret.length == secretLen) { + return secret; + } else { + if (secret.length > secretLen) { + // Shouldn't happen; but check just in case + throw new ProviderException("generated secret is out-of-range"); + } + byte[] newSecret = new byte[secretLen]; + System.arraycopy(secret, 0, newSecret, secretLen - secret.length, + secret.length); + return newSecret; + } + } catch (PKCS11Exception e) { + throw new ProviderException("Could not derive key", e); + } finally { + publicValue = null; + token.releaseSession(session); + } + } + + // see JCE spec + protected int engineGenerateSecret(byte[] sharedSecret, int + offset) throws IllegalStateException, ShortBufferException { + if (multiPartyAgreement != null) { + int n = multiPartyAgreement.generateSecret(sharedSecret, offset); + multiPartyAgreement = null; + return n; + } + if (offset + secretLen > sharedSecret.length) { + throw new ShortBufferException("Need " + secretLen + + " bytes, only " + (sharedSecret.length - offset) + " available"); + } + byte[] secret = engineGenerateSecret(); + System.arraycopy(secret, 0, sharedSecret, offset, secret.length); + return secret.length; + } + + // see JCE spec + protected SecretKey engineGenerateSecret(String algorithm) + throws IllegalStateException, NoSuchAlgorithmException, + InvalidKeyException { + if (multiPartyAgreement != null) { + SecretKey key = multiPartyAgreement.generateSecret(algorithm); + multiPartyAgreement = null; + return key; + } + if (algorithm == null) { + throw new NoSuchAlgorithmException("Algorithm must not be null"); + } + if (algorithm.equals("TlsPremasterSecret")) { + // For now, only perform native derivation for TlsPremasterSecret + // as that is required for FIPS compliance. + // For other algorithms, there are unresolved issues regarding + // how this should work in JCE plus a Solaris truncation bug. + // (bug not yet filed). + return nativeGenerateSecret(algorithm); + } + byte[] secret = engineGenerateSecret(); + // Maintain compatibility for SunJCE: + // verify secret length is sensible for algorithm / truncate + // return generated key itself if possible + int keyLen; + if (algorithm.equalsIgnoreCase("DES")) { + keyLen = 8; + } else if (algorithm.equalsIgnoreCase("DESede")) { + keyLen = 24; + } else if (algorithm.equalsIgnoreCase("Blowfish")) { + keyLen = Math.min(56, secret.length); + } else if (algorithm.equalsIgnoreCase("TlsPremasterSecret")) { + keyLen = secret.length; + } else { + throw new NoSuchAlgorithmException + ("Unknown algorithm " + algorithm); + } + if (secret.length < keyLen) { + throw new InvalidKeyException("Secret too short"); + } + if (algorithm.equalsIgnoreCase("DES") || + algorithm.equalsIgnoreCase("DESede")) { + for (int i = 0; i < keyLen; i+=8) { + P11SecretKeyFactory.fixDESParity(secret, i); + } + } + return new SecretKeySpec(secret, 0, keyLen, algorithm); + } + + private SecretKey nativeGenerateSecret(String algorithm) + throws IllegalStateException, NoSuchAlgorithmException, + InvalidKeyException { + if ((privateKey == null) || (publicValue == null)) { + throw new IllegalStateException("Not initialized correctly"); + } + long keyType = CKK_GENERIC_SECRET; + Session session = null; + try { + session = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), + }; + attributes = token.getAttributes + (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); + long keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, publicValue), privateKey.keyID, + attributes); + CK_ATTRIBUTE[] lenAttributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE_LEN), + }; + token.p11.C_GetAttributeValue(session.id(), keyID, lenAttributes); + int keyLen = (int)lenAttributes[0].getLong(); + SecretKey key = P11Key.secretKey + (session, keyID, algorithm, keyLen << 3, attributes); + if ("RAW".equals(key.getFormat())) { + // Workaround for Solaris bug 6318543. + // Strip leading zeroes ourselves if possible (key not sensitive). + // This should be removed once the Solaris fix is available + // as here we always retrieve the CKA_VALUE even for tokens + // that do not have that bug. + byte[] keyBytes = key.getEncoded(); + byte[] newBytes = KeyUtil.trimZeroes(keyBytes); + if (keyBytes != newBytes) { + key = new SecretKeySpec(newBytes, algorithm); + } + } + return key; + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not derive key", e); + } finally { + publicValue = null; + token.releaseSession(session); + } + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyFactory.java 2017-01-20 09:52:32.066289193 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,154 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.security.*; -import java.security.spec.*; - -import sun.security.pkcs11.wrapper.PKCS11Exception; - -/** - * KeyFactory base class. Provides common infrastructure for the RSA, DSA, - * and DH implementations. - * - * The subclasses support conversion between keys and keyspecs - * using X.509, PKCS#8, and their individual algorithm specific formats, - * assuming keys are extractable. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -abstract class P11KeyFactory extends KeyFactorySpi { - - // token instance - final Token token; - - // algorithm name, currently one of RSA, DSA, DH - final String algorithm; - - P11KeyFactory(Token token, String algorithm) { - super(); - this.token = token; - this.algorithm = algorithm; - } - - /** - * Convert an arbitrary key of algorithm into a P11Key of token. - * Used by P11Signature.init() and RSACipher.init(). - */ - static P11Key convertKey(Token token, Key key, String algorithm) - throws InvalidKeyException { - return (P11Key)token.getKeyFactory(algorithm).engineTranslateKey(key); - } - - // see JCA spec - protected final T engineGetKeySpec(Key key, Class keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if ((key == null) || (keySpec == null)) { - throw new InvalidKeySpecException - ("key and keySpec must not be null"); - } - // delegate to our Java based providers for PKCS#8 and X.509 - if (PKCS8EncodedKeySpec.class.isAssignableFrom(keySpec) - || X509EncodedKeySpec.class.isAssignableFrom(keySpec)) { - try { - return implGetSoftwareFactory().getKeySpec(key, keySpec); - } catch (GeneralSecurityException e) { - throw new InvalidKeySpecException("Could not encode key", e); - } - } - // first translate into a key of this token, if it is not already - P11Key p11Key; - try { - p11Key = (P11Key)engineTranslateKey(key); - } catch (InvalidKeyException e) { - throw new InvalidKeySpecException("Could not convert key", e); - } - Session[] session = new Session[1]; - try { - if (p11Key.isPublic()) { - return implGetPublicKeySpec(p11Key, keySpec, session); - } else { - return implGetPrivateKeySpec(p11Key, keySpec, session); - } - } catch (PKCS11Exception e) { - throw new InvalidKeySpecException("Could not generate KeySpec", e); - } finally { - session[0] = token.releaseSession(session[0]); - } - } - - // see JCA spec - protected final Key engineTranslateKey(Key key) throws InvalidKeyException { - token.ensureValid(); - if (key == null) { - throw new InvalidKeyException("Key must not be null"); - } - if (key.getAlgorithm().equals(this.algorithm) == false) { - throw new InvalidKeyException - ("Key algorithm must be " + algorithm); - } - if (key instanceof P11Key) { - P11Key p11Key = (P11Key)key; - if (p11Key.token == token) { - // already a key of this token, no need to translate - return key; - } - } - P11Key p11Key = token.privateCache.get(key); - if (p11Key != null) { - return p11Key; - } - if (key instanceof PublicKey) { - PublicKey publicKey = implTranslatePublicKey((PublicKey)key); - token.privateCache.put(key, (P11Key)publicKey); - return publicKey; - } else if (key instanceof PrivateKey) { - PrivateKey privateKey = implTranslatePrivateKey((PrivateKey)key); - token.privateCache.put(key, (P11Key)privateKey); - return privateKey; - } else { - throw new InvalidKeyException - ("Key must be instance of PublicKey or PrivateKey"); - } - } - - abstract T implGetPublicKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException; - - abstract T implGetPrivateKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException; - - abstract PublicKey implTranslatePublicKey(PublicKey key) - throws InvalidKeyException; - - abstract PrivateKey implTranslatePrivateKey(PrivateKey key) - throws InvalidKeyException; - - abstract KeyFactory implGetSoftwareFactory() throws GeneralSecurityException; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyFactory.java 2017-01-20 09:52:31.634289209 -0800 @@ -0,0 +1,154 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.security.*; +import java.security.spec.*; + +import sun.security.pkcs11.wrapper.PKCS11Exception; + +/** + * KeyFactory base class. Provides common infrastructure for the RSA, DSA, + * and DH implementations. + * + * The subclasses support conversion between keys and keyspecs + * using X.509, PKCS#8, and their individual algorithm specific formats, + * assuming keys are extractable. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +abstract class P11KeyFactory extends KeyFactorySpi { + + // token instance + final Token token; + + // algorithm name, currently one of RSA, DSA, DH + final String algorithm; + + P11KeyFactory(Token token, String algorithm) { + super(); + this.token = token; + this.algorithm = algorithm; + } + + /** + * Convert an arbitrary key of algorithm into a P11Key of token. + * Used by P11Signature.init() and RSACipher.init(). + */ + static P11Key convertKey(Token token, Key key, String algorithm) + throws InvalidKeyException { + return (P11Key)token.getKeyFactory(algorithm).engineTranslateKey(key); + } + + // see JCA spec + protected final T engineGetKeySpec(Key key, Class keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if ((key == null) || (keySpec == null)) { + throw new InvalidKeySpecException + ("key and keySpec must not be null"); + } + // delegate to our Java based providers for PKCS#8 and X.509 + if (PKCS8EncodedKeySpec.class.isAssignableFrom(keySpec) + || X509EncodedKeySpec.class.isAssignableFrom(keySpec)) { + try { + return implGetSoftwareFactory().getKeySpec(key, keySpec); + } catch (GeneralSecurityException e) { + throw new InvalidKeySpecException("Could not encode key", e); + } + } + // first translate into a key of this token, if it is not already + P11Key p11Key; + try { + p11Key = (P11Key)engineTranslateKey(key); + } catch (InvalidKeyException e) { + throw new InvalidKeySpecException("Could not convert key", e); + } + Session[] session = new Session[1]; + try { + if (p11Key.isPublic()) { + return implGetPublicKeySpec(p11Key, keySpec, session); + } else { + return implGetPrivateKeySpec(p11Key, keySpec, session); + } + } catch (PKCS11Exception e) { + throw new InvalidKeySpecException("Could not generate KeySpec", e); + } finally { + session[0] = token.releaseSession(session[0]); + } + } + + // see JCA spec + protected final Key engineTranslateKey(Key key) throws InvalidKeyException { + token.ensureValid(); + if (key == null) { + throw new InvalidKeyException("Key must not be null"); + } + if (key.getAlgorithm().equals(this.algorithm) == false) { + throw new InvalidKeyException + ("Key algorithm must be " + algorithm); + } + if (key instanceof P11Key) { + P11Key p11Key = (P11Key)key; + if (p11Key.token == token) { + // already a key of this token, no need to translate + return key; + } + } + P11Key p11Key = token.privateCache.get(key); + if (p11Key != null) { + return p11Key; + } + if (key instanceof PublicKey) { + PublicKey publicKey = implTranslatePublicKey((PublicKey)key); + token.privateCache.put(key, (P11Key)publicKey); + return publicKey; + } else if (key instanceof PrivateKey) { + PrivateKey privateKey = implTranslatePrivateKey((PrivateKey)key); + token.privateCache.put(key, (P11Key)privateKey); + return privateKey; + } else { + throw new InvalidKeyException + ("Key must be instance of PublicKey or PrivateKey"); + } + } + + abstract T implGetPublicKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException; + + abstract T implGetPrivateKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException; + + abstract PublicKey implTranslatePublicKey(PublicKey key) + throws InvalidKeyException; + + abstract PrivateKey implTranslatePrivateKey(PrivateKey key) + throws InvalidKeyException; + + abstract KeyFactory implGetSoftwareFactory() throws GeneralSecurityException; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyGenerator.java 2017-01-20 09:52:33.034289156 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,284 +0,0 @@ -/* - * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.security.*; -import java.security.spec.AlgorithmParameterSpec; - -import javax.crypto.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * KeyGenerator implementation class. This class currently supports - * DES, DESede, AES, ARCFOUR, and Blowfish. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11KeyGenerator extends KeyGeneratorSpi { - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private long mechanism; - - // raw key size in bits, e.g. 64 for DES. Always valid. - private int keySize; - - // bits of entropy in the key, e.g. 56 for DES. Always valid. - private int significantKeySize; - - // keyType (CKK_*), needed for TemplateManager call only. - private long keyType; - - // for determining if both 112 and 168 bits of DESede key lengths - // are supported. - private boolean supportBothKeySizes; - - /** - * Utility method for checking if the specified key size is valid - * and within the supported range. Return the significant key size - * upon successful validation. - * @param keyGenMech the PKCS#11 key generation mechanism. - * @param keySize the to-be-checked key size for this mechanism. - * @param token token which provides this mechanism. - * @return the significant key size (in bits) corresponding to the - * specified key size. - * @throws InvalidParameterException if the specified key size is invalid. - * @throws ProviderException if this mechanism isn't supported by SunPKCS11 - * or underlying native impl. - */ - static int checkKeySize(long keyGenMech, int keySize, Token token) - throws InvalidAlgorithmParameterException, ProviderException { - int sigKeySize; - switch ((int)keyGenMech) { - case (int)CKM_DES_KEY_GEN: - if ((keySize != 64) && (keySize != 56)) { - throw new InvalidAlgorithmParameterException - ("DES key length must be 56 bits"); - } - sigKeySize = 56; - break; - case (int)CKM_DES2_KEY_GEN: - case (int)CKM_DES3_KEY_GEN: - if ((keySize == 112) || (keySize == 128)) { - sigKeySize = 112; - } else if ((keySize == 168) || (keySize == 192)) { - sigKeySize = 168; - } else { - throw new InvalidAlgorithmParameterException - ("DESede key length must be 112, or 168 bits"); - } - break; - default: - // Handle all variable-key-length algorithms here - CK_MECHANISM_INFO info = null; - try { - info = token.getMechanismInfo(keyGenMech); - } catch (PKCS11Exception p11e) { - // Should never happen - throw new ProviderException - ("Cannot retrieve mechanism info", p11e); - } - if (info == null) { - // XXX Unable to retrieve the supported key length from - // the underlying native impl. Skip the checking for now. - return keySize; - } - // PKCS#11 defines these to be in number of bytes except for - // RC4 which is in bits. However, some PKCS#11 impls still use - // bytes for all mechs, e.g. NSS. We try to detect this - // inconsistency if the minKeySize seems unreasonably small. - int minKeySize = (int)info.ulMinKeySize; - int maxKeySize = (int)info.ulMaxKeySize; - if (keyGenMech != CKM_RC4_KEY_GEN || minKeySize < 8) { - minKeySize = (int)info.ulMinKeySize << 3; - maxKeySize = (int)info.ulMaxKeySize << 3; - } - // Explicitly disallow keys shorter than 40-bits for security - if (minKeySize < 40) minKeySize = 40; - if (keySize < minKeySize || keySize > maxKeySize) { - throw new InvalidAlgorithmParameterException - ("Key length must be between " + minKeySize + - " and " + maxKeySize + " bits"); - } - if (keyGenMech == CKM_AES_KEY_GEN) { - if ((keySize != 128) && (keySize != 192) && - (keySize != 256)) { - throw new InvalidAlgorithmParameterException - ("AES key length must be " + minKeySize + - (maxKeySize >= 192? ", 192":"") + - (maxKeySize >= 256? ", or 256":"") + " bits"); - } - } - sigKeySize = keySize; - } - return sigKeySize; - } - - P11KeyGenerator(Token token, String algorithm, long mechanism) - throws PKCS11Exception { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - - if (this.mechanism == CKM_DES3_KEY_GEN) { - /* Given the current lookup order specified in SunPKCS11.java, - if CKM_DES2_KEY_GEN is used to construct this object, it - means that CKM_DES3_KEY_GEN is disabled or unsupported. - */ - supportBothKeySizes = - (token.provider.config.isEnabled(CKM_DES2_KEY_GEN) && - (token.getMechanismInfo(CKM_DES2_KEY_GEN) != null)); - } - setDefaultKeySize(); - } - - // set default keysize and also initialize keyType - private void setDefaultKeySize() { - switch ((int)mechanism) { - case (int)CKM_DES_KEY_GEN: - keySize = 64; - keyType = CKK_DES; - break; - case (int)CKM_DES2_KEY_GEN: - keySize = 128; - keyType = CKK_DES2; - break; - case (int)CKM_DES3_KEY_GEN: - keySize = 192; - keyType = CKK_DES3; - break; - case (int)CKM_AES_KEY_GEN: - keySize = 128; - keyType = CKK_AES; - break; - case (int)CKM_RC4_KEY_GEN: - keySize = 128; - keyType = CKK_RC4; - break; - case (int)CKM_BLOWFISH_KEY_GEN: - keySize = 128; - keyType = CKK_BLOWFISH; - break; - default: - throw new ProviderException("Unknown mechanism " + mechanism); - } - try { - significantKeySize = checkKeySize(mechanism, keySize, token); - } catch (InvalidAlgorithmParameterException iape) { - throw new ProviderException("Unsupported default key size", iape); - } - } - - // see JCE spec - protected void engineInit(SecureRandom random) { - token.ensureValid(); - setDefaultKeySize(); - } - - // see JCE spec - protected void engineInit(AlgorithmParameterSpec params, - SecureRandom random) throws InvalidAlgorithmParameterException { - throw new InvalidAlgorithmParameterException - ("AlgorithmParameterSpec not supported"); - } - - // see JCE spec - protected void engineInit(int keySize, SecureRandom random) { - token.ensureValid(); - int newSignificantKeySize; - try { - newSignificantKeySize = checkKeySize(mechanism, keySize, token); - } catch (InvalidAlgorithmParameterException iape) { - throw (InvalidParameterException) - (new InvalidParameterException().initCause(iape)); - } - if ((mechanism == CKM_DES2_KEY_GEN) || - (mechanism == CKM_DES3_KEY_GEN)) { - long newMechanism = (newSignificantKeySize == 112 ? - CKM_DES2_KEY_GEN : CKM_DES3_KEY_GEN); - if (mechanism != newMechanism) { - if (supportBothKeySizes) { - mechanism = newMechanism; - // Adjust keyType to reflect the mechanism change - keyType = (mechanism == CKM_DES2_KEY_GEN ? - CKK_DES2 : CKK_DES3); - } else { - throw new InvalidParameterException - ("Only " + significantKeySize + - "-bit DESede is supported"); - } - } - } - this.keySize = keySize; - this.significantKeySize = newSignificantKeySize; - } - - // see JCE spec - protected SecretKey engineGenerateKey() { - Session session = null; - try { - session = token.getObjSession(); - CK_ATTRIBUTE[] attributes; - switch ((int)keyType) { - case (int)CKK_DES: - case (int)CKK_DES2: - case (int)CKK_DES3: - // fixed length, do not specify CKA_VALUE_LEN - attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), - }; - break; - default: - attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), - new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3), - }; - break; - } - attributes = token.getAttributes - (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); - long keyID = token.p11.C_GenerateKey - (session.id(), new CK_MECHANISM(mechanism), attributes); - return P11Key.secretKey - (session, keyID, algorithm, significantKeySize, attributes); - } catch (PKCS11Exception e) { - throw new ProviderException("Could not generate key", e); - } finally { - token.releaseSession(session); - } - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java 2017-01-20 09:52:32.354289182 -0800 @@ -0,0 +1,284 @@ +/* + * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * KeyGenerator implementation class. This class currently supports + * DES, DESede, AES, ARCFOUR, and Blowfish. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11KeyGenerator extends KeyGeneratorSpi { + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private long mechanism; + + // raw key size in bits, e.g. 64 for DES. Always valid. + private int keySize; + + // bits of entropy in the key, e.g. 56 for DES. Always valid. + private int significantKeySize; + + // keyType (CKK_*), needed for TemplateManager call only. + private long keyType; + + // for determining if both 112 and 168 bits of DESede key lengths + // are supported. + private boolean supportBothKeySizes; + + /** + * Utility method for checking if the specified key size is valid + * and within the supported range. Return the significant key size + * upon successful validation. + * @param keyGenMech the PKCS#11 key generation mechanism. + * @param keySize the to-be-checked key size for this mechanism. + * @param token token which provides this mechanism. + * @return the significant key size (in bits) corresponding to the + * specified key size. + * @throws InvalidParameterException if the specified key size is invalid. + * @throws ProviderException if this mechanism isn't supported by SunPKCS11 + * or underlying native impl. + */ + static int checkKeySize(long keyGenMech, int keySize, Token token) + throws InvalidAlgorithmParameterException, ProviderException { + int sigKeySize; + switch ((int)keyGenMech) { + case (int)CKM_DES_KEY_GEN: + if ((keySize != 64) && (keySize != 56)) { + throw new InvalidAlgorithmParameterException + ("DES key length must be 56 bits"); + } + sigKeySize = 56; + break; + case (int)CKM_DES2_KEY_GEN: + case (int)CKM_DES3_KEY_GEN: + if ((keySize == 112) || (keySize == 128)) { + sigKeySize = 112; + } else if ((keySize == 168) || (keySize == 192)) { + sigKeySize = 168; + } else { + throw new InvalidAlgorithmParameterException + ("DESede key length must be 112, or 168 bits"); + } + break; + default: + // Handle all variable-key-length algorithms here + CK_MECHANISM_INFO info = null; + try { + info = token.getMechanismInfo(keyGenMech); + } catch (PKCS11Exception p11e) { + // Should never happen + throw new ProviderException + ("Cannot retrieve mechanism info", p11e); + } + if (info == null) { + // XXX Unable to retrieve the supported key length from + // the underlying native impl. Skip the checking for now. + return keySize; + } + // PKCS#11 defines these to be in number of bytes except for + // RC4 which is in bits. However, some PKCS#11 impls still use + // bytes for all mechs, e.g. NSS. We try to detect this + // inconsistency if the minKeySize seems unreasonably small. + int minKeySize = (int)info.ulMinKeySize; + int maxKeySize = (int)info.ulMaxKeySize; + if (keyGenMech != CKM_RC4_KEY_GEN || minKeySize < 8) { + minKeySize = (int)info.ulMinKeySize << 3; + maxKeySize = (int)info.ulMaxKeySize << 3; + } + // Explicitly disallow keys shorter than 40-bits for security + if (minKeySize < 40) minKeySize = 40; + if (keySize < minKeySize || keySize > maxKeySize) { + throw new InvalidAlgorithmParameterException + ("Key length must be between " + minKeySize + + " and " + maxKeySize + " bits"); + } + if (keyGenMech == CKM_AES_KEY_GEN) { + if ((keySize != 128) && (keySize != 192) && + (keySize != 256)) { + throw new InvalidAlgorithmParameterException + ("AES key length must be " + minKeySize + + (maxKeySize >= 192? ", 192":"") + + (maxKeySize >= 256? ", or 256":"") + " bits"); + } + } + sigKeySize = keySize; + } + return sigKeySize; + } + + P11KeyGenerator(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + + if (this.mechanism == CKM_DES3_KEY_GEN) { + /* Given the current lookup order specified in SunPKCS11.java, + if CKM_DES2_KEY_GEN is used to construct this object, it + means that CKM_DES3_KEY_GEN is disabled or unsupported. + */ + supportBothKeySizes = + (token.provider.config.isEnabled(CKM_DES2_KEY_GEN) && + (token.getMechanismInfo(CKM_DES2_KEY_GEN) != null)); + } + setDefaultKeySize(); + } + + // set default keysize and also initialize keyType + private void setDefaultKeySize() { + switch ((int)mechanism) { + case (int)CKM_DES_KEY_GEN: + keySize = 64; + keyType = CKK_DES; + break; + case (int)CKM_DES2_KEY_GEN: + keySize = 128; + keyType = CKK_DES2; + break; + case (int)CKM_DES3_KEY_GEN: + keySize = 192; + keyType = CKK_DES3; + break; + case (int)CKM_AES_KEY_GEN: + keySize = 128; + keyType = CKK_AES; + break; + case (int)CKM_RC4_KEY_GEN: + keySize = 128; + keyType = CKK_RC4; + break; + case (int)CKM_BLOWFISH_KEY_GEN: + keySize = 128; + keyType = CKK_BLOWFISH; + break; + default: + throw new ProviderException("Unknown mechanism " + mechanism); + } + try { + significantKeySize = checkKeySize(mechanism, keySize, token); + } catch (InvalidAlgorithmParameterException iape) { + throw new ProviderException("Unsupported default key size", iape); + } + } + + // see JCE spec + protected void engineInit(SecureRandom random) { + token.ensureValid(); + setDefaultKeySize(); + } + + // see JCE spec + protected void engineInit(AlgorithmParameterSpec params, + SecureRandom random) throws InvalidAlgorithmParameterException { + throw new InvalidAlgorithmParameterException + ("AlgorithmParameterSpec not supported"); + } + + // see JCE spec + protected void engineInit(int keySize, SecureRandom random) { + token.ensureValid(); + int newSignificantKeySize; + try { + newSignificantKeySize = checkKeySize(mechanism, keySize, token); + } catch (InvalidAlgorithmParameterException iape) { + throw (InvalidParameterException) + (new InvalidParameterException().initCause(iape)); + } + if ((mechanism == CKM_DES2_KEY_GEN) || + (mechanism == CKM_DES3_KEY_GEN)) { + long newMechanism = (newSignificantKeySize == 112 ? + CKM_DES2_KEY_GEN : CKM_DES3_KEY_GEN); + if (mechanism != newMechanism) { + if (supportBothKeySizes) { + mechanism = newMechanism; + // Adjust keyType to reflect the mechanism change + keyType = (mechanism == CKM_DES2_KEY_GEN ? + CKK_DES2 : CKK_DES3); + } else { + throw new InvalidParameterException + ("Only " + significantKeySize + + "-bit DESede is supported"); + } + } + } + this.keySize = keySize; + this.significantKeySize = newSignificantKeySize; + } + + // see JCE spec + protected SecretKey engineGenerateKey() { + Session session = null; + try { + session = token.getObjSession(); + CK_ATTRIBUTE[] attributes; + switch ((int)keyType) { + case (int)CKK_DES: + case (int)CKK_DES2: + case (int)CKK_DES3: + // fixed length, do not specify CKA_VALUE_LEN + attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + }; + break; + default: + attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3), + }; + break; + } + attributes = token.getAttributes + (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); + long keyID = token.p11.C_GenerateKey + (session.id(), new CK_MECHANISM(mechanism), attributes); + return P11Key.secretKey + (session, keyID, algorithm, significantKeySize, attributes); + } catch (PKCS11Exception e) { + throw new ProviderException("Could not generate key", e); + } finally { + token.releaseSession(session); + } + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java 2017-01-20 09:52:34.042289118 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,429 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.math.BigInteger; - -import java.security.*; -import java.security.spec.*; - -import javax.crypto.spec.DHParameterSpec; - -import sun.security.provider.ParameterCache; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -import sun.security.rsa.RSAKeyFactory; - -/** - * KeyPairGenerator implementation class. This class currently supports - * RSA, DSA, DH, and EC. - * - * Note that for DSA and DH we rely on the Sun and SunJCE providers to - * obtain the parameters from. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11KeyPairGenerator extends KeyPairGeneratorSpi { - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private final long mechanism; - - // selected or default key size, always valid - private int keySize; - - // parameters specified via init, if any - private AlgorithmParameterSpec params; - - // for RSA, selected or default value of public exponent, always valid - private BigInteger rsaPublicExponent = RSAKeyGenParameterSpec.F4; - - // the supported keysize range of the native PKCS11 library - // if the value cannot be retrieved or unspecified, -1 is used. - private final int minKeySize; - private final int maxKeySize; - - // SecureRandom instance, if specified in init - private SecureRandom random; - - P11KeyPairGenerator(Token token, String algorithm, long mechanism) - throws PKCS11Exception { - super(); - int minKeyLen = -1; - int maxKeyLen = -1; - try { - CK_MECHANISM_INFO mechInfo = token.getMechanismInfo(mechanism); - if (mechInfo != null) { - minKeyLen = (int) mechInfo.ulMinKeySize; - maxKeyLen = (int) mechInfo.ulMaxKeySize; - } - } catch (PKCS11Exception p11e) { - // Should never happen - throw new ProviderException - ("Unexpected error while getting mechanism info", p11e); - } - // set default key sizes and apply our own algorithm-specific limits - // override lower limit to disallow unsecure keys being generated - // override upper limit to deter DOS attack - if (algorithm.equals("EC")) { - keySize = 256; - if ((minKeyLen == -1) || (minKeyLen < 112)) { - minKeyLen = 112; - } - if ((maxKeyLen == -1) || (maxKeyLen > 2048)) { - maxKeyLen = 2048; - } - } else { - if (algorithm.equals("DSA")) { - // keep default keysize at 1024 since larger keysizes may be - // incompatible with SHA1withDSA and SHA-2 Signature algs - // may not be supported by native pkcs11 implementations - keySize = 1024; - } else { - // RSA and DH - keySize = 2048; - } - if ((minKeyLen == -1) || (minKeyLen < 512)) { - minKeyLen = 512; - } - if (algorithm.equals("RSA")) { - if ((maxKeyLen == -1) || (maxKeyLen > 64 * 1024)) { - maxKeyLen = 64 * 1024; - } - } - } - - // auto-adjust default keysize in case it's out-of-range - if ((minKeyLen != -1) && (keySize < minKeyLen)) { - keySize = minKeyLen; - } - if ((maxKeyLen != -1) && (keySize > maxKeyLen)) { - keySize = maxKeyLen; - } - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - this.minKeySize = minKeyLen; - this.maxKeySize = maxKeyLen; - initialize(keySize, null); - } - - // see JCA spec - @Override - public void initialize(int keySize, SecureRandom random) { - token.ensureValid(); - try { - checkKeySize(keySize, null); - } catch (InvalidAlgorithmParameterException e) { - throw new InvalidParameterException(e.getMessage()); - } - this.params = null; - if (algorithm.equals("EC")) { - params = P11ECKeyFactory.getECParameterSpec(keySize); - if (params == null) { - throw new InvalidParameterException( - "No EC parameters available for key size " - + keySize + " bits"); - } - } - this.keySize = keySize; - this.random = random; - } - - // see JCA spec - @Override - public void initialize(AlgorithmParameterSpec params, SecureRandom random) - throws InvalidAlgorithmParameterException { - token.ensureValid(); - int tmpKeySize; - if (algorithm.equals("DH")) { - if (params instanceof DHParameterSpec == false) { - throw new InvalidAlgorithmParameterException - ("DHParameterSpec required for Diffie-Hellman"); - } - DHParameterSpec dhParams = (DHParameterSpec) params; - tmpKeySize = dhParams.getP().bitLength(); - checkKeySize(tmpKeySize, dhParams); - // XXX sanity check params - } else if (algorithm.equals("RSA")) { - if (params instanceof RSAKeyGenParameterSpec == false) { - throw new InvalidAlgorithmParameterException - ("RSAKeyGenParameterSpec required for RSA"); - } - RSAKeyGenParameterSpec rsaParams = - (RSAKeyGenParameterSpec) params; - tmpKeySize = rsaParams.getKeysize(); - checkKeySize(tmpKeySize, rsaParams); - // override the supplied params to null - params = null; - this.rsaPublicExponent = rsaParams.getPublicExponent(); - // XXX sanity check params - } else if (algorithm.equals("DSA")) { - if (params instanceof DSAParameterSpec == false) { - throw new InvalidAlgorithmParameterException - ("DSAParameterSpec required for DSA"); - } - DSAParameterSpec dsaParams = (DSAParameterSpec) params; - tmpKeySize = dsaParams.getP().bitLength(); - checkKeySize(tmpKeySize, dsaParams); - // XXX sanity check params - } else if (algorithm.equals("EC")) { - ECParameterSpec ecParams; - if (params instanceof ECParameterSpec) { - ecParams = P11ECKeyFactory.getECParameterSpec( - (ECParameterSpec)params); - if (ecParams == null) { - throw new InvalidAlgorithmParameterException - ("Unsupported curve: " + params); - } - } else if (params instanceof ECGenParameterSpec) { - String name = ((ECGenParameterSpec) params).getName(); - ecParams = P11ECKeyFactory.getECParameterSpec(name); - if (ecParams == null) { - throw new InvalidAlgorithmParameterException - ("Unknown curve name: " + name); - } - // override the supplied params with the derived one - params = ecParams; - } else { - throw new InvalidAlgorithmParameterException - ("ECParameterSpec or ECGenParameterSpec required for EC"); - } - tmpKeySize = ecParams.getCurve().getField().getFieldSize(); - checkKeySize(tmpKeySize, ecParams); - } else { - throw new ProviderException("Unknown algorithm: " + algorithm); - } - this.keySize = tmpKeySize; - this.params = params; - this.random = random; - } - - private void checkKeySize(int keySize, AlgorithmParameterSpec params) - throws InvalidAlgorithmParameterException { - // check native range first - if ((minKeySize != -1) && (keySize < minKeySize)) { - throw new InvalidAlgorithmParameterException(algorithm + - " key must be at least " + minKeySize + " bits. " + - "The specific key size " + keySize + " is not supported"); - } - if ((maxKeySize != -1) && (keySize > maxKeySize)) { - throw new InvalidAlgorithmParameterException(algorithm + - " key must be at most " + maxKeySize + " bits. " + - "The specific key size " + keySize + " is not supported"); - } - - // check our own algorithm-specific limits also - if (algorithm.equals("EC")) { - if (keySize < 112) { - throw new InvalidAlgorithmParameterException( - "EC key size must be at least 112 bit. " + - "The specific key size " + keySize + " is not supported"); - } - if (keySize > 2048) { - // sanity check, nobody really wants keys this large - throw new InvalidAlgorithmParameterException( - "EC key size must be at most 2048 bit. " + - "The specific key size " + keySize + " is not supported"); - } - } else { - // RSA, DH, DSA - if (keySize < 512) { - throw new InvalidAlgorithmParameterException(algorithm + - " key size must be at least 512 bit. " + - "The specific key size " + keySize + " is not supported"); - } - if (algorithm.equals("RSA")) { - BigInteger tmpExponent = rsaPublicExponent; - if (params != null) { - tmpExponent = - ((RSAKeyGenParameterSpec)params).getPublicExponent(); - } - try { - // Reuse the checking in SunRsaSign provider. - // If maxKeySize is -1, then replace it with - // Integer.MAX_VALUE to indicate no limit. - RSAKeyFactory.checkKeyLengths(keySize, tmpExponent, - minKeySize, - (maxKeySize==-1? Integer.MAX_VALUE:maxKeySize)); - } catch (InvalidKeyException e) { - throw new InvalidAlgorithmParameterException(e); - } - } else if (algorithm.equals("DH")) { - if (params != null) { // initialized with specified parameters - // sanity check, nobody really wants keys this large - if (keySize > 64 * 1024) { - throw new InvalidAlgorithmParameterException( - "DH key size must be at most 65536 bit. " + - "The specific key size " + - keySize + " is not supported"); - } - } else { // default parameters will be used. - // Range is based on the values in - // sun.security.provider.ParameterCache class. - if ((keySize > 8192) || (keySize < 512) || - ((keySize & 0x3f) != 0)) { - throw new InvalidAlgorithmParameterException( - "DH key size must be multiple of 64, and can " + - "only range from 512 to 8192 (inclusive). " + - "The specific key size " + - keySize + " is not supported"); - } - - DHParameterSpec cache = - ParameterCache.getCachedDHParameterSpec(keySize); - // Except 2048 and 3072, not yet support generation of - // parameters bigger than 1024 bits. - if ((cache == null) && (keySize > 1024)) { - throw new InvalidAlgorithmParameterException( - "Unsupported " + keySize + - "-bit DH parameter generation"); - } - } - } else { - // this restriction is in the spec for DSA - if ((keySize != 3072) && (keySize != 2048) && - ((keySize > 1024) || ((keySize & 0x3f) != 0))) { - throw new InvalidAlgorithmParameterException( - "DSA key must be multiples of 64 if less than " + - "1024 bits, or 2048, 3072 bits. " + - "The specific key size " + - keySize + " is not supported"); - } - } - } - } - - // see JCA spec - @Override - public KeyPair generateKeyPair() { - token.ensureValid(); - CK_ATTRIBUTE[] publicKeyTemplate; - CK_ATTRIBUTE[] privateKeyTemplate; - long keyType; - if (algorithm.equals("RSA")) { - keyType = CKK_RSA; - publicKeyTemplate = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_MODULUS_BITS, keySize), - new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, rsaPublicExponent), - }; - privateKeyTemplate = new CK_ATTRIBUTE[] { - // empty - }; - } else if (algorithm.equals("DSA")) { - keyType = CKK_DSA; - DSAParameterSpec dsaParams; - if (params == null) { - try { - dsaParams = ParameterCache.getDSAParameterSpec - (keySize, random); - } catch (GeneralSecurityException e) { - throw new ProviderException - ("Could not generate DSA parameters", e); - } - } else { - dsaParams = (DSAParameterSpec)params; - } - publicKeyTemplate = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_PRIME, dsaParams.getP()), - new CK_ATTRIBUTE(CKA_SUBPRIME, dsaParams.getQ()), - new CK_ATTRIBUTE(CKA_BASE, dsaParams.getG()), - }; - privateKeyTemplate = new CK_ATTRIBUTE[] { - // empty - }; - } else if (algorithm.equals("DH")) { - keyType = CKK_DH; - DHParameterSpec dhParams; - int privateBits; - if (params == null) { - try { - dhParams = ParameterCache.getDHParameterSpec - (keySize, random); - } catch (GeneralSecurityException e) { - throw new ProviderException - ("Could not generate DH parameters", e); - } - privateBits = 0; - } else { - dhParams = (DHParameterSpec)params; - privateBits = dhParams.getL(); - } - if (privateBits <= 0) { - // XXX find better defaults - privateBits = (keySize >= 1024) ? 768 : 512; - } - publicKeyTemplate = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_PRIME, dhParams.getP()), - new CK_ATTRIBUTE(CKA_BASE, dhParams.getG()) - }; - privateKeyTemplate = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_VALUE_BITS, privateBits), - }; - } else if (algorithm.equals("EC")) { - keyType = CKK_EC; - byte[] encodedParams = - P11ECKeyFactory.encodeParameters((ECParameterSpec)params); - publicKeyTemplate = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams), - }; - privateKeyTemplate = new CK_ATTRIBUTE[] { - // empty - }; - } else { - throw new ProviderException("Unknown algorithm: " + algorithm); - } - Session session = null; - try { - session = token.getObjSession(); - publicKeyTemplate = token.getAttributes - (O_GENERATE, CKO_PUBLIC_KEY, keyType, publicKeyTemplate); - privateKeyTemplate = token.getAttributes - (O_GENERATE, CKO_PRIVATE_KEY, keyType, privateKeyTemplate); - long[] keyIDs = token.p11.C_GenerateKeyPair - (session.id(), new CK_MECHANISM(mechanism), - publicKeyTemplate, privateKeyTemplate); - PublicKey publicKey = P11Key.publicKey - (session, keyIDs[0], algorithm, keySize, publicKeyTemplate); - PrivateKey privateKey = P11Key.privateKey - (session, keyIDs[1], algorithm, keySize, privateKeyTemplate); - return new KeyPair(publicKey, privateKey); - } catch (PKCS11Exception e) { - throw new ProviderException(e); - } finally { - token.releaseSession(session); - } - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java 2017-01-20 09:52:33.486289139 -0800 @@ -0,0 +1,429 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; + +import java.security.*; +import java.security.spec.*; + +import javax.crypto.spec.DHParameterSpec; + +import sun.security.provider.ParameterCache; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +import sun.security.rsa.RSAKeyFactory; + +/** + * KeyPairGenerator implementation class. This class currently supports + * RSA, DSA, DH, and EC. + * + * Note that for DSA and DH we rely on the Sun and SunJCE providers to + * obtain the parameters from. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11KeyPairGenerator extends KeyPairGeneratorSpi { + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private final long mechanism; + + // selected or default key size, always valid + private int keySize; + + // parameters specified via init, if any + private AlgorithmParameterSpec params; + + // for RSA, selected or default value of public exponent, always valid + private BigInteger rsaPublicExponent = RSAKeyGenParameterSpec.F4; + + // the supported keysize range of the native PKCS11 library + // if the value cannot be retrieved or unspecified, -1 is used. + private final int minKeySize; + private final int maxKeySize; + + // SecureRandom instance, if specified in init + private SecureRandom random; + + P11KeyPairGenerator(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); + int minKeyLen = -1; + int maxKeyLen = -1; + try { + CK_MECHANISM_INFO mechInfo = token.getMechanismInfo(mechanism); + if (mechInfo != null) { + minKeyLen = (int) mechInfo.ulMinKeySize; + maxKeyLen = (int) mechInfo.ulMaxKeySize; + } + } catch (PKCS11Exception p11e) { + // Should never happen + throw new ProviderException + ("Unexpected error while getting mechanism info", p11e); + } + // set default key sizes and apply our own algorithm-specific limits + // override lower limit to disallow unsecure keys being generated + // override upper limit to deter DOS attack + if (algorithm.equals("EC")) { + keySize = 256; + if ((minKeyLen == -1) || (minKeyLen < 112)) { + minKeyLen = 112; + } + if ((maxKeyLen == -1) || (maxKeyLen > 2048)) { + maxKeyLen = 2048; + } + } else { + if (algorithm.equals("DSA")) { + // keep default keysize at 1024 since larger keysizes may be + // incompatible with SHA1withDSA and SHA-2 Signature algs + // may not be supported by native pkcs11 implementations + keySize = 1024; + } else { + // RSA and DH + keySize = 2048; + } + if ((minKeyLen == -1) || (minKeyLen < 512)) { + minKeyLen = 512; + } + if (algorithm.equals("RSA")) { + if ((maxKeyLen == -1) || (maxKeyLen > 64 * 1024)) { + maxKeyLen = 64 * 1024; + } + } + } + + // auto-adjust default keysize in case it's out-of-range + if ((minKeyLen != -1) && (keySize < minKeyLen)) { + keySize = minKeyLen; + } + if ((maxKeyLen != -1) && (keySize > maxKeyLen)) { + keySize = maxKeyLen; + } + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + this.minKeySize = minKeyLen; + this.maxKeySize = maxKeyLen; + initialize(keySize, null); + } + + // see JCA spec + @Override + public void initialize(int keySize, SecureRandom random) { + token.ensureValid(); + try { + checkKeySize(keySize, null); + } catch (InvalidAlgorithmParameterException e) { + throw new InvalidParameterException(e.getMessage()); + } + this.params = null; + if (algorithm.equals("EC")) { + params = P11ECKeyFactory.getECParameterSpec(keySize); + if (params == null) { + throw new InvalidParameterException( + "No EC parameters available for key size " + + keySize + " bits"); + } + } + this.keySize = keySize; + this.random = random; + } + + // see JCA spec + @Override + public void initialize(AlgorithmParameterSpec params, SecureRandom random) + throws InvalidAlgorithmParameterException { + token.ensureValid(); + int tmpKeySize; + if (algorithm.equals("DH")) { + if (params instanceof DHParameterSpec == false) { + throw new InvalidAlgorithmParameterException + ("DHParameterSpec required for Diffie-Hellman"); + } + DHParameterSpec dhParams = (DHParameterSpec) params; + tmpKeySize = dhParams.getP().bitLength(); + checkKeySize(tmpKeySize, dhParams); + // XXX sanity check params + } else if (algorithm.equals("RSA")) { + if (params instanceof RSAKeyGenParameterSpec == false) { + throw new InvalidAlgorithmParameterException + ("RSAKeyGenParameterSpec required for RSA"); + } + RSAKeyGenParameterSpec rsaParams = + (RSAKeyGenParameterSpec) params; + tmpKeySize = rsaParams.getKeysize(); + checkKeySize(tmpKeySize, rsaParams); + // override the supplied params to null + params = null; + this.rsaPublicExponent = rsaParams.getPublicExponent(); + // XXX sanity check params + } else if (algorithm.equals("DSA")) { + if (params instanceof DSAParameterSpec == false) { + throw new InvalidAlgorithmParameterException + ("DSAParameterSpec required for DSA"); + } + DSAParameterSpec dsaParams = (DSAParameterSpec) params; + tmpKeySize = dsaParams.getP().bitLength(); + checkKeySize(tmpKeySize, dsaParams); + // XXX sanity check params + } else if (algorithm.equals("EC")) { + ECParameterSpec ecParams; + if (params instanceof ECParameterSpec) { + ecParams = P11ECKeyFactory.getECParameterSpec( + (ECParameterSpec)params); + if (ecParams == null) { + throw new InvalidAlgorithmParameterException + ("Unsupported curve: " + params); + } + } else if (params instanceof ECGenParameterSpec) { + String name = ((ECGenParameterSpec) params).getName(); + ecParams = P11ECKeyFactory.getECParameterSpec(name); + if (ecParams == null) { + throw new InvalidAlgorithmParameterException + ("Unknown curve name: " + name); + } + // override the supplied params with the derived one + params = ecParams; + } else { + throw new InvalidAlgorithmParameterException + ("ECParameterSpec or ECGenParameterSpec required for EC"); + } + tmpKeySize = ecParams.getCurve().getField().getFieldSize(); + checkKeySize(tmpKeySize, ecParams); + } else { + throw new ProviderException("Unknown algorithm: " + algorithm); + } + this.keySize = tmpKeySize; + this.params = params; + this.random = random; + } + + private void checkKeySize(int keySize, AlgorithmParameterSpec params) + throws InvalidAlgorithmParameterException { + // check native range first + if ((minKeySize != -1) && (keySize < minKeySize)) { + throw new InvalidAlgorithmParameterException(algorithm + + " key must be at least " + minKeySize + " bits. " + + "The specific key size " + keySize + " is not supported"); + } + if ((maxKeySize != -1) && (keySize > maxKeySize)) { + throw new InvalidAlgorithmParameterException(algorithm + + " key must be at most " + maxKeySize + " bits. " + + "The specific key size " + keySize + " is not supported"); + } + + // check our own algorithm-specific limits also + if (algorithm.equals("EC")) { + if (keySize < 112) { + throw new InvalidAlgorithmParameterException( + "EC key size must be at least 112 bit. " + + "The specific key size " + keySize + " is not supported"); + } + if (keySize > 2048) { + // sanity check, nobody really wants keys this large + throw new InvalidAlgorithmParameterException( + "EC key size must be at most 2048 bit. " + + "The specific key size " + keySize + " is not supported"); + } + } else { + // RSA, DH, DSA + if (keySize < 512) { + throw new InvalidAlgorithmParameterException(algorithm + + " key size must be at least 512 bit. " + + "The specific key size " + keySize + " is not supported"); + } + if (algorithm.equals("RSA")) { + BigInteger tmpExponent = rsaPublicExponent; + if (params != null) { + tmpExponent = + ((RSAKeyGenParameterSpec)params).getPublicExponent(); + } + try { + // Reuse the checking in SunRsaSign provider. + // If maxKeySize is -1, then replace it with + // Integer.MAX_VALUE to indicate no limit. + RSAKeyFactory.checkKeyLengths(keySize, tmpExponent, + minKeySize, + (maxKeySize==-1? Integer.MAX_VALUE:maxKeySize)); + } catch (InvalidKeyException e) { + throw new InvalidAlgorithmParameterException(e); + } + } else if (algorithm.equals("DH")) { + if (params != null) { // initialized with specified parameters + // sanity check, nobody really wants keys this large + if (keySize > 64 * 1024) { + throw new InvalidAlgorithmParameterException( + "DH key size must be at most 65536 bit. " + + "The specific key size " + + keySize + " is not supported"); + } + } else { // default parameters will be used. + // Range is based on the values in + // sun.security.provider.ParameterCache class. + if ((keySize > 8192) || (keySize < 512) || + ((keySize & 0x3f) != 0)) { + throw new InvalidAlgorithmParameterException( + "DH key size must be multiple of 64, and can " + + "only range from 512 to 8192 (inclusive). " + + "The specific key size " + + keySize + " is not supported"); + } + + DHParameterSpec cache = + ParameterCache.getCachedDHParameterSpec(keySize); + // Except 2048 and 3072, not yet support generation of + // parameters bigger than 1024 bits. + if ((cache == null) && (keySize > 1024)) { + throw new InvalidAlgorithmParameterException( + "Unsupported " + keySize + + "-bit DH parameter generation"); + } + } + } else { + // this restriction is in the spec for DSA + if ((keySize != 3072) && (keySize != 2048) && + ((keySize > 1024) || ((keySize & 0x3f) != 0))) { + throw new InvalidAlgorithmParameterException( + "DSA key must be multiples of 64 if less than " + + "1024 bits, or 2048, 3072 bits. " + + "The specific key size " + + keySize + " is not supported"); + } + } + } + } + + // see JCA spec + @Override + public KeyPair generateKeyPair() { + token.ensureValid(); + CK_ATTRIBUTE[] publicKeyTemplate; + CK_ATTRIBUTE[] privateKeyTemplate; + long keyType; + if (algorithm.equals("RSA")) { + keyType = CKK_RSA; + publicKeyTemplate = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_MODULUS_BITS, keySize), + new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, rsaPublicExponent), + }; + privateKeyTemplate = new CK_ATTRIBUTE[] { + // empty + }; + } else if (algorithm.equals("DSA")) { + keyType = CKK_DSA; + DSAParameterSpec dsaParams; + if (params == null) { + try { + dsaParams = ParameterCache.getDSAParameterSpec + (keySize, random); + } catch (GeneralSecurityException e) { + throw new ProviderException + ("Could not generate DSA parameters", e); + } + } else { + dsaParams = (DSAParameterSpec)params; + } + publicKeyTemplate = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_PRIME, dsaParams.getP()), + new CK_ATTRIBUTE(CKA_SUBPRIME, dsaParams.getQ()), + new CK_ATTRIBUTE(CKA_BASE, dsaParams.getG()), + }; + privateKeyTemplate = new CK_ATTRIBUTE[] { + // empty + }; + } else if (algorithm.equals("DH")) { + keyType = CKK_DH; + DHParameterSpec dhParams; + int privateBits; + if (params == null) { + try { + dhParams = ParameterCache.getDHParameterSpec + (keySize, random); + } catch (GeneralSecurityException e) { + throw new ProviderException + ("Could not generate DH parameters", e); + } + privateBits = 0; + } else { + dhParams = (DHParameterSpec)params; + privateBits = dhParams.getL(); + } + if (privateBits <= 0) { + // XXX find better defaults + privateBits = (keySize >= 1024) ? 768 : 512; + } + publicKeyTemplate = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_PRIME, dhParams.getP()), + new CK_ATTRIBUTE(CKA_BASE, dhParams.getG()) + }; + privateKeyTemplate = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_VALUE_BITS, privateBits), + }; + } else if (algorithm.equals("EC")) { + keyType = CKK_EC; + byte[] encodedParams = + P11ECKeyFactory.encodeParameters((ECParameterSpec)params); + publicKeyTemplate = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams), + }; + privateKeyTemplate = new CK_ATTRIBUTE[] { + // empty + }; + } else { + throw new ProviderException("Unknown algorithm: " + algorithm); + } + Session session = null; + try { + session = token.getObjSession(); + publicKeyTemplate = token.getAttributes + (O_GENERATE, CKO_PUBLIC_KEY, keyType, publicKeyTemplate); + privateKeyTemplate = token.getAttributes + (O_GENERATE, CKO_PRIVATE_KEY, keyType, privateKeyTemplate); + long[] keyIDs = token.p11.C_GenerateKeyPair + (session.id(), new CK_MECHANISM(mechanism), + publicKeyTemplate, privateKeyTemplate); + PublicKey publicKey = P11Key.publicKey + (session, keyIDs[0], algorithm, keySize, publicKeyTemplate); + PrivateKey privateKey = P11Key.privateKey + (session, keyIDs[1], algorithm, keySize, privateKeyTemplate); + return new KeyPair(publicKey, privateKey); + } catch (PKCS11Exception e) { + throw new ProviderException(e); + } finally { + token.releaseSession(session); + } + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyStore.java 2017-01-20 09:52:34.562289099 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,2683 +0,0 @@ -/* - * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.math.BigInteger; - -import java.io.InputStream; -import java.io.OutputStream; -import java.io.IOException; -import java.io.ByteArrayInputStream; -import java.io.UnsupportedEncodingException; - -import java.util.Arrays; -import java.util.Collections; -import java.util.Date; -import java.util.Enumeration; -import java.util.ArrayList; -import java.util.HashSet; -import java.util.HashMap; -import java.util.Set; - -import java.security.*; -import java.security.KeyStore.*; - -import java.security.cert.Certificate; -import java.security.cert.X509Certificate; -import java.security.cert.CertificateFactory; -import java.security.cert.CertificateException; - -import java.security.interfaces.*; -import java.security.spec.*; - -import javax.crypto.SecretKey; -import javax.crypto.interfaces.*; - -import javax.security.auth.x500.X500Principal; -import javax.security.auth.login.LoginException; -import javax.security.auth.callback.Callback; -import javax.security.auth.callback.PasswordCallback; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.callback.UnsupportedCallbackException; - -import sun.security.util.Debug; -import sun.security.util.DerValue; -import sun.security.util.ECUtil; - -import sun.security.pkcs11.Secmod.*; -import static sun.security.pkcs11.P11Util.*; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -import sun.security.rsa.RSAKeyFactory; - -final class P11KeyStore extends KeyStoreSpi { - - private static final CK_ATTRIBUTE ATTR_CLASS_CERT = - new CK_ATTRIBUTE(CKA_CLASS, CKO_CERTIFICATE); - private static final CK_ATTRIBUTE ATTR_CLASS_PKEY = - new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY); - private static final CK_ATTRIBUTE ATTR_CLASS_SKEY = - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); - - private static final CK_ATTRIBUTE ATTR_X509_CERT_TYPE = - new CK_ATTRIBUTE(CKA_CERTIFICATE_TYPE, CKC_X_509); - - private static final CK_ATTRIBUTE ATTR_TOKEN_TRUE = - new CK_ATTRIBUTE(CKA_TOKEN, true); - - // XXX for testing purposes only - // - NSS doesn't support persistent secret keys - // (key type gets mangled if secret key is a token key) - // - if debug is turned on, then this is set to false - private static CK_ATTRIBUTE ATTR_SKEY_TOKEN_TRUE = ATTR_TOKEN_TRUE; - - private static final CK_ATTRIBUTE ATTR_TRUSTED_TRUE = - new CK_ATTRIBUTE(CKA_TRUSTED, true); - private static final CK_ATTRIBUTE ATTR_PRIVATE_TRUE = - new CK_ATTRIBUTE(CKA_PRIVATE, true); - - private static final long NO_HANDLE = -1; - private static final long FINDOBJECTS_MAX = 100; - private static final String ALIAS_SEP = "/"; - - private static final boolean NSS_TEST = false; - private static final Debug debug = - Debug.getInstance("pkcs11keystore"); - private static boolean CKA_TRUSTED_SUPPORTED = true; - - private final Token token; - - // If multiple certs are found to share the same CKA_LABEL - // at load time (NSS-style keystore), then the keystore is read - // and the unique keystore aliases are mapped to the entries. - // However, write capabilities are disabled. - private boolean writeDisabled = false; - - // Map of unique keystore aliases to entries in the token - private HashMap aliasMap; - - // whether to use NSS Secmod info for trust attributes - private final boolean useSecmodTrust; - - // if useSecmodTrust == true, which type of trust we are interested in - private Secmod.TrustType nssTrustType; - - /** - * The underlying token may contain multiple certs belonging to the - * same "personality" (for example, a signing cert and encryption cert), - * all sharing the same CKA_LABEL. These must be resolved - * into unique keystore aliases. - * - * In addition, private keys and certs may not have a CKA_LABEL. - * It is assumed that a private key and corresponding certificate - * share the same CKA_ID, and that the CKA_ID is unique across the token. - * The CKA_ID may not be human-readable. - * These pairs must be resolved into unique keystore aliases. - * - * Furthermore, secret keys are assumed to have a CKA_LABEL - * unique across the entire token. - * - * When the KeyStore is loaded, instances of this class are - * created to represent the private keys/secret keys/certs - * that reside on the token. - */ - private static class AliasInfo { - - // CKA_CLASS - entry type - private CK_ATTRIBUTE type = null; - - // CKA_LABEL of cert and secret key - private String label = null; - - // CKA_ID of the private key/cert pair - private byte[] id = null; - - // CKA_TRUSTED - true if cert is trusted - private boolean trusted = false; - - // either end-entity cert or trusted cert depending on 'type' - private X509Certificate cert = null; - - // chain - private X509Certificate[] chain = null; - - // true if CKA_ID for private key and cert match up - private boolean matched = false; - - // SecretKeyEntry - public AliasInfo(String label) { - this.type = ATTR_CLASS_SKEY; - this.label = label; - } - - // PrivateKeyEntry - public AliasInfo(String label, - byte[] id, - boolean trusted, - X509Certificate cert) { - this.type = ATTR_CLASS_PKEY; - this.label = label; - this.id = id; - this.trusted = trusted; - this.cert = cert; - } - - public String toString() { - StringBuilder sb = new StringBuilder(); - if (type == ATTR_CLASS_PKEY) { - sb.append("\ttype=[private key]\n"); - } else if (type == ATTR_CLASS_SKEY) { - sb.append("\ttype=[secret key]\n"); - } else if (type == ATTR_CLASS_CERT) { - sb.append("\ttype=[trusted cert]\n"); - } - sb.append("\tlabel=[" + label + "]\n"); - if (id == null) { - sb.append("\tid=[null]\n"); - } else { - sb.append("\tid=" + P11KeyStore.getID(id) + "\n"); - } - sb.append("\ttrusted=[" + trusted + "]\n"); - sb.append("\tmatched=[" + matched + "]\n"); - if (cert == null) { - sb.append("\tcert=[null]\n"); - } else { - sb.append("\tcert=[\tsubject: " + - cert.getSubjectX500Principal() + - "\n\t\tissuer: " + - cert.getIssuerX500Principal() + - "\n\t\tserialNum: " + - cert.getSerialNumber().toString() + - "]"); - } - return sb.toString(); - } - } - - /** - * callback handler for passing password to Provider.login method - */ - private static class PasswordCallbackHandler implements CallbackHandler { - - private char[] password; - - private PasswordCallbackHandler(char[] password) { - if (password != null) { - this.password = password.clone(); - } - } - - public void handle(Callback[] callbacks) - throws IOException, UnsupportedCallbackException { - if (!(callbacks[0] instanceof PasswordCallback)) { - throw new UnsupportedCallbackException(callbacks[0]); - } - PasswordCallback pc = (PasswordCallback)callbacks[0]; - pc.setPassword(password); // this clones the password if not null - } - - protected void finalize() throws Throwable { - if (password != null) { - Arrays.fill(password, ' '); - } - super.finalize(); - } - } - - /** - * getTokenObject return value. - * - * if object is not found, type is set to null. - * otherwise, type is set to the requested type. - */ - private static class THandle { - private final long handle; // token object handle - private final CK_ATTRIBUTE type; // CKA_CLASS - - private THandle(long handle, CK_ATTRIBUTE type) { - this.handle = handle; - this.type = type; - } - } - - P11KeyStore(Token token) { - this.token = token; - this.useSecmodTrust = token.provider.nssUseSecmodTrust; - } - - /** - * Returns the key associated with the given alias. - * The key must have been associated with - * the alias by a call to setKeyEntry, - * or by a call to setEntry with a - * PrivateKeyEntry or SecretKeyEntry. - * - * @param alias the alias name - * @param password the password, which must be null - * - * @return the requested key, or null if the given alias does not exist - * or does not identify a key-related entry. - * - * @exception NoSuchAlgorithmException if the algorithm for recovering the - * key cannot be found - * @exception UnrecoverableKeyException if the key cannot be recovered - */ - public synchronized Key engineGetKey(String alias, char[] password) - throws NoSuchAlgorithmException, UnrecoverableKeyException { - - token.ensureValid(); - if (password != null && !token.config.getKeyStoreCompatibilityMode()) { - throw new NoSuchAlgorithmException("password must be null"); - } - - AliasInfo aliasInfo = aliasMap.get(alias); - if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) { - return null; - } - - Session session = null; - try { - session = token.getOpSession(); - - if (aliasInfo.type == ATTR_CLASS_PKEY) { - THandle h = getTokenObject(session, - aliasInfo.type, - aliasInfo.id, - null); - if (h.type == ATTR_CLASS_PKEY) { - return loadPkey(session, h.handle); - } - } else { - THandle h = getTokenObject(session, - ATTR_CLASS_SKEY, - null, - alias); - if (h.type == ATTR_CLASS_SKEY) { - return loadSkey(session, h.handle); - } - } - - // did not find anything - return null; - } catch (PKCS11Exception | KeyStoreException e) { - throw new ProviderException(e); - } finally { - token.releaseSession(session); - } - } - - /** - * Returns the certificate chain associated with the given alias. - * The certificate chain must have been associated with the alias - * by a call to setKeyEntry, - * or by a call to setEntry with a - * PrivateKeyEntry. - * - * @param alias the alias name - * - * @return the certificate chain (ordered with the user's certificate first - * and the root certificate authority last), or null if the given alias - * does not exist or does not contain a certificate chain - */ - public synchronized Certificate[] engineGetCertificateChain(String alias) { - - token.ensureValid(); - - AliasInfo aliasInfo = aliasMap.get(alias); - if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_PKEY) { - return null; - } - return aliasInfo.chain; - } - - /** - * Returns the certificate associated with the given alias. - * - *

If the given alias name identifies an entry - * created by a call to setCertificateEntry, - * or created by a call to setEntry with a - * TrustedCertificateEntry, - * then the trusted certificate contained in that entry is returned. - * - *

If the given alias name identifies an entry - * created by a call to setKeyEntry, - * or created by a call to setEntry with a - * PrivateKeyEntry, - * then the first element of the certificate chain in that entry - * (if a chain exists) is returned. - * - * @param alias the alias name - * - * @return the certificate, or null if the given alias does not exist or - * does not contain a certificate. - */ - public synchronized Certificate engineGetCertificate(String alias) { - token.ensureValid(); - - AliasInfo aliasInfo = aliasMap.get(alias); - if (aliasInfo == null) { - return null; - } - return aliasInfo.cert; - } - - /** - * Returns the creation date of the entry identified by the given alias. - * - * @param alias the alias name - * - * @return the creation date of this entry, or null if the given alias does - * not exist - */ - public Date engineGetCreationDate(String alias) { - token.ensureValid(); - throw new ProviderException(new UnsupportedOperationException()); - } - - /** - * Assigns the given key to the given alias, protecting it with the given - * password. - * - *

If the given key is of type java.security.PrivateKey, - * it must be accompanied by a certificate chain certifying the - * corresponding public key. - * - *

If the given alias already exists, the keystore information - * associated with it is overridden by the given key (and possibly - * certificate chain). - * - * @param alias the alias name - * @param key the key to be associated with the alias - * @param password the password to protect the key - * @param chain the certificate chain for the corresponding public - * key (only required if the given key is of type - * java.security.PrivateKey). - * - * @exception KeyStoreException if the given key cannot be protected, or - * this operation fails for some other reason - */ - public synchronized void engineSetKeyEntry(String alias, Key key, - char[] password, - Certificate[] chain) - throws KeyStoreException { - - token.ensureValid(); - checkWrite(); - - if (!(key instanceof PrivateKey) && !(key instanceof SecretKey)) { - throw new KeyStoreException("key must be PrivateKey or SecretKey"); - } else if (key instanceof PrivateKey && chain == null) { - throw new KeyStoreException - ("PrivateKey must be accompanied by non-null chain"); - } else if (key instanceof SecretKey && chain != null) { - throw new KeyStoreException - ("SecretKey must be accompanied by null chain"); - } else if (password != null && - !token.config.getKeyStoreCompatibilityMode()) { - throw new KeyStoreException("Password must be null"); - } - - KeyStore.Entry entry = null; - try { - if (key instanceof PrivateKey) { - entry = new KeyStore.PrivateKeyEntry((PrivateKey)key, chain); - } else if (key instanceof SecretKey) { - entry = new KeyStore.SecretKeyEntry((SecretKey)key); - } - } catch (NullPointerException | IllegalArgumentException e) { - throw new KeyStoreException(e); - } - engineSetEntry(alias, entry, new KeyStore.PasswordProtection(password)); - } - - /** - * Assigns the given key (that has already been protected) to the given - * alias. - * - *

If the protected key is of type - * java.security.PrivateKey, - * it must be accompanied by a certificate chain certifying the - * corresponding public key. - * - *

If the given alias already exists, the keystore information - * associated with it is overridden by the given key (and possibly - * certificate chain). - * - * @param alias the alias name - * @param key the key (in protected format) to be associated with the alias - * @param chain the certificate chain for the corresponding public - * key (only useful if the protected key is of type - * java.security.PrivateKey). - * - * @exception KeyStoreException if this operation fails. - */ - public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) - throws KeyStoreException { - token.ensureValid(); - throw new ProviderException(new UnsupportedOperationException()); - } - - /** - * Assigns the given certificate to the given alias. - * - *

If the given alias identifies an existing entry - * created by a call to setCertificateEntry, - * or created by a call to setEntry with a - * TrustedCertificateEntry, - * the trusted certificate in the existing entry - * is overridden by the given certificate. - * - * @param alias the alias name - * @param cert the certificate - * - * @exception KeyStoreException if the given alias already exists and does - * not identify an entry containing a trusted certificate, - * or this operation fails for some other reason. - */ - public synchronized void engineSetCertificateEntry - (String alias, Certificate cert) throws KeyStoreException { - - token.ensureValid(); - checkWrite(); - - if (cert == null) { - throw new KeyStoreException("invalid null certificate"); - } - - KeyStore.Entry entry = null; - entry = new KeyStore.TrustedCertificateEntry(cert); - engineSetEntry(alias, entry, null); - } - - /** - * Deletes the entry identified by the given alias from this keystore. - * - * @param alias the alias name - * - * @exception KeyStoreException if the entry cannot be removed. - */ - public synchronized void engineDeleteEntry(String alias) - throws KeyStoreException { - token.ensureValid(); - - if (token.isWriteProtected()) { - throw new KeyStoreException("token write-protected"); - } - checkWrite(); - deleteEntry(alias); - } - - /** - * XXX - not sure whether to keep this - */ - private boolean deleteEntry(String alias) throws KeyStoreException { - AliasInfo aliasInfo = aliasMap.get(alias); - if (aliasInfo != null) { - - aliasMap.remove(alias); - - try { - if (aliasInfo.type == ATTR_CLASS_CERT) { - // trusted certificate entry - return destroyCert(aliasInfo.id); - } else if (aliasInfo.type == ATTR_CLASS_PKEY) { - // private key entry - return destroyPkey(aliasInfo.id) && - destroyChain(aliasInfo.id); - } else if (aliasInfo.type == ATTR_CLASS_SKEY) { - // secret key entry - return destroySkey(alias); - } else { - throw new KeyStoreException("unexpected entry type"); - } - } catch (PKCS11Exception | CertificateException e) { - throw new KeyStoreException(e); - } - } - return false; - } - - /** - * Lists all the alias names of this keystore. - * - * @return enumeration of the alias names - */ - public synchronized Enumeration engineAliases() { - token.ensureValid(); - - // don't want returned enumeration to iterate off actual keySet - - // otherwise applications that iterate and modify the keystore - // may run into concurrent modification problems - return Collections.enumeration(new HashSet(aliasMap.keySet())); - } - - /** - * Checks if the given alias exists in this keystore. - * - * @param alias the alias name - * - * @return true if the alias exists, false otherwise - */ - public synchronized boolean engineContainsAlias(String alias) { - token.ensureValid(); - return aliasMap.containsKey(alias); - } - - /** - * Retrieves the number of entries in this keystore. - * - * @return the number of entries in this keystore - */ - public synchronized int engineSize() { - token.ensureValid(); - return aliasMap.size(); - } - - /** - * Returns true if the entry identified by the given alias - * was created by a call to setKeyEntry, - * or created by a call to setEntry with a - * PrivateKeyEntry or a SecretKeyEntry. - * - * @param alias the alias for the keystore entry to be checked - * - * @return true if the entry identified by the given alias is a - * key-related, false otherwise. - */ - public synchronized boolean engineIsKeyEntry(String alias) { - token.ensureValid(); - - AliasInfo aliasInfo = aliasMap.get(alias); - if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) { - return false; - } - return true; - } - - /** - * Returns true if the entry identified by the given alias - * was created by a call to setCertificateEntry, - * or created by a call to setEntry with a - * TrustedCertificateEntry. - * - * @param alias the alias for the keystore entry to be checked - * - * @return true if the entry identified by the given alias contains a - * trusted certificate, false otherwise. - */ - public synchronized boolean engineIsCertificateEntry(String alias) { - token.ensureValid(); - - AliasInfo aliasInfo = aliasMap.get(alias); - if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_CERT) { - return false; - } - return true; - } - - /** - * Returns the (alias) name of the first keystore entry whose certificate - * matches the given certificate. - * - *

This method attempts to match the given certificate with each - * keystore entry. If the entry being considered was - * created by a call to setCertificateEntry, - * or created by a call to setEntry with a - * TrustedCertificateEntry, - * then the given certificate is compared to that entry's certificate. - * - *

If the entry being considered was - * created by a call to setKeyEntry, - * or created by a call to setEntry with a - * PrivateKeyEntry, - * then the given certificate is compared to the first - * element of that entry's certificate chain. - * - * @param cert the certificate to match with. - * - * @return the alias name of the first entry with matching certificate, - * or null if no such entry exists in this keystore. - */ - public synchronized String engineGetCertificateAlias(Certificate cert) { - token.ensureValid(); - Enumeration e = engineAliases(); - while (e.hasMoreElements()) { - String alias = e.nextElement(); - Certificate tokenCert = engineGetCertificate(alias); - if (tokenCert != null && tokenCert.equals(cert)) { - return alias; - } - } - return null; - } - - /** - * engineStore currently is a No-op. - * Entries are stored to the token during engineSetEntry - * - * @param stream this must be null - * @param password this must be null - */ - public synchronized void engineStore(OutputStream stream, char[] password) - throws IOException, NoSuchAlgorithmException, CertificateException { - token.ensureValid(); - if (stream != null && !token.config.getKeyStoreCompatibilityMode()) { - throw new IOException("output stream must be null"); - } - - if (password != null && !token.config.getKeyStoreCompatibilityMode()) { - throw new IOException("password must be null"); - } - } - - /** - * engineStore currently is a No-op. - * Entries are stored to the token during engineSetEntry - * - * @param param this must be null - * - * @exception IllegalArgumentException if the given - * KeyStore.LoadStoreParameter - * input is not null - */ - public synchronized void engineStore(KeyStore.LoadStoreParameter param) - throws IOException, NoSuchAlgorithmException, CertificateException { - token.ensureValid(); - if (param != null) { - throw new IllegalArgumentException - ("LoadStoreParameter must be null"); - } - } - - /** - * Loads the keystore. - * - * @param stream the input stream, which must be null - * @param password the password used to unlock the keystore, - * or null if the token supports a - * CKF_PROTECTED_AUTHENTICATION_PATH - * - * @exception IOException if the given stream is not - * null, if the token supports a - * CKF_PROTECTED_AUTHENTICATION_PATH and a non-null - * password is given, of if the token login operation failed - */ - public synchronized void engineLoad(InputStream stream, char[] password) - throws IOException, NoSuchAlgorithmException, CertificateException { - - token.ensureValid(); - - if (NSS_TEST) { - ATTR_SKEY_TOKEN_TRUE = new CK_ATTRIBUTE(CKA_TOKEN, false); - } - - if (stream != null && !token.config.getKeyStoreCompatibilityMode()) { - throw new IOException("input stream must be null"); - } - - if (useSecmodTrust) { - nssTrustType = Secmod.TrustType.ALL; - } - - try { - if (password == null) { - login(null); - } else { - login(new PasswordCallbackHandler(password)); - } - } catch(LoginException e) { - Throwable cause = e.getCause(); - if (cause instanceof PKCS11Exception) { - PKCS11Exception pe = (PKCS11Exception) cause; - if (pe.getErrorCode() == CKR_PIN_INCORRECT) { - // if password is wrong, the cause of the IOException - // should be an UnrecoverableKeyException - throw new IOException("load failed", - new UnrecoverableKeyException().initCause(e)); - } - } - throw new IOException("load failed", e); - } - - try { - if (mapLabels() == true) { - // CKA_LABELs are shared by multiple certs - writeDisabled = true; - } - if (debug != null) { - dumpTokenMap(); - } - } catch (KeyStoreException | PKCS11Exception e) { - throw new IOException("load failed", e); - } - } - - /** - * Loads the keystore using the given - * KeyStore.LoadStoreParameter. - * - *

The LoadStoreParameter.getProtectionParameter() - * method is expected to return a KeyStore.PasswordProtection - * object. The password is retrieved from that object and used - * to unlock the PKCS#11 token. - * - *

If the token supports a CKF_PROTECTED_AUTHENTICATION_PATH - * then the provided password must be null. - * - * @param param the KeyStore.LoadStoreParameter - * - * @exception IllegalArgumentException if the given - * KeyStore.LoadStoreParameter is null, - * or if that parameter returns a null - * ProtectionParameter object. - * input is not recognized - * @exception IOException if the token supports a - * CKF_PROTECTED_AUTHENTICATION_PATH and the provided password - * is non-null, or if the token login operation fails - */ - public synchronized void engineLoad(KeyStore.LoadStoreParameter param) - throws IOException, NoSuchAlgorithmException, - CertificateException { - - token.ensureValid(); - - if (NSS_TEST) { - ATTR_SKEY_TOKEN_TRUE = new CK_ATTRIBUTE(CKA_TOKEN, false); - } - - // if caller wants to pass a NULL password, - // force it to pass a non-NULL PasswordProtection that returns - // a NULL password - - if (param == null) { - throw new IllegalArgumentException - ("invalid null LoadStoreParameter"); - } - if (useSecmodTrust) { - if (param instanceof Secmod.KeyStoreLoadParameter) { - nssTrustType = ((Secmod.KeyStoreLoadParameter)param).getTrustType(); - } else { - nssTrustType = Secmod.TrustType.ALL; - } - } - - CallbackHandler handler; - KeyStore.ProtectionParameter pp = param.getProtectionParameter(); - if (pp instanceof PasswordProtection) { - char[] password = ((PasswordProtection)pp).getPassword(); - if (password == null) { - handler = null; - } else { - handler = new PasswordCallbackHandler(password); - } - } else if (pp instanceof CallbackHandlerProtection) { - handler = ((CallbackHandlerProtection)pp).getCallbackHandler(); - } else { - throw new IllegalArgumentException - ("ProtectionParameter must be either " + - "PasswordProtection or CallbackHandlerProtection"); - } - - try { - login(handler); - if (mapLabels() == true) { - // CKA_LABELs are shared by multiple certs - writeDisabled = true; - } - if (debug != null) { - dumpTokenMap(); - } - } catch (LoginException | KeyStoreException | PKCS11Exception e) { - throw new IOException("load failed", e); - } - } - - private void login(CallbackHandler handler) throws LoginException { - if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) { - token.provider.login(null, handler); - } else { - // token supports protected authentication path - // (external pin-pad, for example) - if (handler != null && - !token.config.getKeyStoreCompatibilityMode()) { - throw new LoginException("can not specify password if token " + - "supports protected authentication path"); - } - - // must rely on application-set or default handler - // if one is necessary - token.provider.login(null, null); - } - } - - /** - * Get a KeyStore.Entry for the specified alias - * - * @param alias get the KeyStore.Entry for this alias - * @param protParam this must be null - * - * @return the KeyStore.Entry for the specified alias, - * or null if there is no such entry - * - * @exception KeyStoreException if the operation failed - * @exception NoSuchAlgorithmException if the algorithm for recovering the - * entry cannot be found - * @exception UnrecoverableEntryException if the specified - * protParam were insufficient or invalid - * - * @since 1.5 - */ - public synchronized KeyStore.Entry engineGetEntry(String alias, - KeyStore.ProtectionParameter protParam) - throws KeyStoreException, NoSuchAlgorithmException, - UnrecoverableEntryException { - - token.ensureValid(); - - if (protParam != null && - protParam instanceof KeyStore.PasswordProtection && - ((KeyStore.PasswordProtection)protParam).getPassword() != null && - !token.config.getKeyStoreCompatibilityMode()) { - throw new KeyStoreException("ProtectionParameter must be null"); - } - - AliasInfo aliasInfo = aliasMap.get(alias); - if (aliasInfo == null) { - if (debug != null) { - debug.println("engineGetEntry did not find alias [" + - alias + - "] in map"); - } - return null; - } - - Session session = null; - try { - session = token.getOpSession(); - - if (aliasInfo.type == ATTR_CLASS_CERT) { - // trusted certificate entry - if (debug != null) { - debug.println("engineGetEntry found trusted cert entry"); - } - return new KeyStore.TrustedCertificateEntry(aliasInfo.cert); - } else if (aliasInfo.type == ATTR_CLASS_SKEY) { - // secret key entry - if (debug != null) { - debug.println("engineGetEntry found secret key entry"); - } - - THandle h = getTokenObject - (session, ATTR_CLASS_SKEY, null, aliasInfo.label); - if (h.type != ATTR_CLASS_SKEY) { - throw new KeyStoreException - ("expected but could not find secret key"); - } else { - SecretKey skey = loadSkey(session, h.handle); - return new KeyStore.SecretKeyEntry(skey); - } - } else { - // private key entry - if (debug != null) { - debug.println("engineGetEntry found private key entry"); - } - - THandle h = getTokenObject - (session, ATTR_CLASS_PKEY, aliasInfo.id, null); - if (h.type != ATTR_CLASS_PKEY) { - throw new KeyStoreException - ("expected but could not find private key"); - } else { - PrivateKey pkey = loadPkey(session, h.handle); - Certificate[] chain = aliasInfo.chain; - if ((pkey != null) && (chain != null)) { - return new KeyStore.PrivateKeyEntry(pkey, chain); - } else { - if (debug != null) { - debug.println - ("engineGetEntry got null cert chain or private key"); - } - } - } - } - return null; - } catch (PKCS11Exception pe) { - throw new KeyStoreException(pe); - } finally { - token.releaseSession(session); - } - } - - /** - * Save a KeyStore.Entry under the specified alias. - * - *

If an entry already exists for the specified alias, - * it is overridden. - * - *

This KeyStore implementation only supports the standard - * entry types, and only supports X509Certificates in - * TrustedCertificateEntries. Also, this implementation does not support - * protecting entries using a different password - * from the one used for token login. - * - *

Entries are immediately stored on the token. - * - * @param alias save the KeyStore.Entry under this alias - * @param entry the Entry to save - * @param protParam this must be null - * - * @exception KeyStoreException if this operation fails - * - * @since 1.5 - */ - public synchronized void engineSetEntry(String alias, KeyStore.Entry entry, - KeyStore.ProtectionParameter protParam) - throws KeyStoreException { - - token.ensureValid(); - checkWrite(); - - if (protParam != null && - protParam instanceof KeyStore.PasswordProtection && - ((KeyStore.PasswordProtection)protParam).getPassword() != null && - !token.config.getKeyStoreCompatibilityMode()) { - throw new KeyStoreException(new UnsupportedOperationException - ("ProtectionParameter must be null")); - } - - if (token.isWriteProtected()) { - throw new KeyStoreException("token write-protected"); - } - - if (entry instanceof KeyStore.TrustedCertificateEntry) { - - if (useSecmodTrust == false) { - // PKCS #11 does not allow app to modify trusted certs - - throw new KeyStoreException(new UnsupportedOperationException - ("trusted certificates may only be set by " + - "token initialization application")); - } - Module module = token.provider.nssModule; - if ((module.type != ModuleType.KEYSTORE) && (module.type != ModuleType.FIPS)) { - // XXX allow TRUSTANCHOR module - throw new KeyStoreException("Trusted certificates can only be " - + "added to the NSS KeyStore module"); - } - Certificate cert = ((TrustedCertificateEntry)entry).getTrustedCertificate(); - if (cert instanceof X509Certificate == false) { - throw new KeyStoreException("Certificate must be an X509Certificate"); - } - X509Certificate xcert = (X509Certificate)cert; - AliasInfo info = aliasMap.get(alias); - if (info != null) { - // XXX try to update - deleteEntry(alias); - } - try { - storeCert(alias, xcert); - module.setTrust(token, xcert); - mapLabels(); - } catch (PKCS11Exception | CertificateException e) { - throw new KeyStoreException(e); - } - - } else { - - if (entry instanceof KeyStore.PrivateKeyEntry) { - - PrivateKey key = - ((KeyStore.PrivateKeyEntry)entry).getPrivateKey(); - if (!(key instanceof P11Key) && - !(key instanceof RSAPrivateKey) && - !(key instanceof DSAPrivateKey) && - !(key instanceof DHPrivateKey) && - !(key instanceof ECPrivateKey)) { - throw new KeyStoreException("unsupported key type: " + - key.getClass().getName()); - } - - // only support X509Certificate chains - Certificate[] chain = - ((KeyStore.PrivateKeyEntry)entry).getCertificateChain(); - if (!(chain instanceof X509Certificate[])) { - throw new KeyStoreException - (new UnsupportedOperationException - ("unsupported certificate array type: " + - chain.getClass().getName())); - } - - try { - boolean updatedAlias = false; - Set aliases = aliasMap.keySet(); - for (String oldAlias : aliases) { - - // see if there's an existing entry with the same info - - AliasInfo aliasInfo = aliasMap.get(oldAlias); - if (aliasInfo.type == ATTR_CLASS_PKEY && - aliasInfo.cert.getPublicKey().equals - (chain[0].getPublicKey())) { - - // found existing entry - - // caller is renaming entry or updating cert chain - // - // set new CKA_LABEL/CKA_ID - // and update certs if necessary - - updatePkey(alias, - aliasInfo.id, - (X509Certificate[])chain, - !aliasInfo.cert.equals(chain[0])); - updatedAlias = true; - break; - } - } - - if (!updatedAlias) { - // caller adding new entry - engineDeleteEntry(alias); - storePkey(alias, (KeyStore.PrivateKeyEntry)entry); - } - - } catch (PKCS11Exception | CertificateException pe) { - throw new KeyStoreException(pe); - } - - } else if (entry instanceof KeyStore.SecretKeyEntry) { - - KeyStore.SecretKeyEntry ske = (KeyStore.SecretKeyEntry)entry; - SecretKey skey = ske.getSecretKey(); - - try { - // first check if the key already exists - AliasInfo aliasInfo = aliasMap.get(alias); - - if (aliasInfo != null) { - engineDeleteEntry(alias); - } - storeSkey(alias, ske); - - } catch (PKCS11Exception pe) { - throw new KeyStoreException(pe); - } - - } else { - throw new KeyStoreException(new UnsupportedOperationException - ("unsupported entry type: " + entry.getClass().getName())); - } - - try { - - // XXX NSS does not write out the CKA_ID we pass to them - // - // therefore we must re-map labels - // (can not simply update aliasMap) - - mapLabels(); - if (debug != null) { - dumpTokenMap(); - } - } catch (PKCS11Exception | CertificateException pe) { - throw new KeyStoreException(pe); - } - } - - if (debug != null) { - debug.println - ("engineSetEntry added new entry for [" + - alias + - "] to token"); - } - } - - /** - * Determines if the keystore Entry for the specified - * alias is an instance or subclass of the specified - * entryClass. - * - * @param alias the alias name - * @param entryClass the entry class - * - * @return true if the keystore Entry for the specified - * alias is an instance or subclass of the - * specified entryClass, false otherwise - */ - public synchronized boolean engineEntryInstanceOf - (String alias, Class entryClass) { - token.ensureValid(); - return super.engineEntryInstanceOf(alias, entryClass); - } - - private X509Certificate loadCert(Session session, long oHandle) - throws PKCS11Exception, CertificateException { - - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] - { new CK_ATTRIBUTE(CKA_VALUE) }; - token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); - - byte[] bytes = attrs[0].getByteArray(); - if (bytes == null) { - throw new CertificateException - ("unexpectedly retrieved null byte array"); - } - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - return (X509Certificate)cf.generateCertificate - (new ByteArrayInputStream(bytes)); - } - - private X509Certificate[] loadChain(Session session, - X509Certificate endCert) - throws PKCS11Exception, CertificateException { - - ArrayList lChain = null; - - if (endCert.getSubjectX500Principal().equals - (endCert.getIssuerX500Principal())) { - // self signed - return new X509Certificate[] { endCert }; - } else { - lChain = new ArrayList(); - lChain.add(endCert); - } - - // try loading remaining certs in chain by following - // issuer->subject links - - X509Certificate next = endCert; - while (true) { - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_CERT, - new CK_ATTRIBUTE(CKA_SUBJECT, - next.getIssuerX500Principal().getEncoded()) }; - long[] ch = findObjects(session, attrs); - - if (ch == null || ch.length == 0) { - // done - break; - } else { - // if more than one found, use first - if (debug != null && ch.length > 1) { - debug.println("engineGetEntry found " + - ch.length + - " certificate entries for subject [" + - next.getIssuerX500Principal().toString() + - "] in token - using first entry"); - } - - next = loadCert(session, ch[0]); - lChain.add(next); - if (next.getSubjectX500Principal().equals - (next.getIssuerX500Principal())) { - // self signed - break; - } - } - } - - return lChain.toArray(new X509Certificate[lChain.size()]); - } - - private SecretKey loadSkey(Session session, long oHandle) - throws PKCS11Exception { - - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_KEY_TYPE) }; - token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); - long kType = attrs[0].getLong(); - - String keyType = null; - int keyLength = -1; - - // XXX NSS mangles the stored key type for secret key token objects - - if (kType == CKK_DES || kType == CKK_DES3) { - if (kType == CKK_DES) { - keyType = "DES"; - keyLength = 64; - } else if (kType == CKK_DES3) { - keyType = "DESede"; - keyLength = 192; - } - } else { - if (kType == CKK_AES) { - keyType = "AES"; - } else if (kType == CKK_BLOWFISH) { - keyType = "Blowfish"; - } else if (kType == CKK_RC4) { - keyType = "ARCFOUR"; - } else { - if (debug != null) { - debug.println("unknown key type [" + - kType + - "] - using 'Generic Secret'"); - } - keyType = "Generic Secret"; - } - - // XXX NSS problem CKR_ATTRIBUTE_TYPE_INVALID? - if (NSS_TEST) { - keyLength = 128; - } else { - attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_VALUE_LEN) }; - token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); - keyLength = (int)attrs[0].getLong(); - } - } - - return P11Key.secretKey(session, oHandle, keyType, keyLength, null); - } - - private PrivateKey loadPkey(Session session, long oHandle) - throws PKCS11Exception, KeyStoreException { - - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_KEY_TYPE) }; - token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); - long kType = attrs[0].getLong(); - String keyType = null; - int keyLength = 0; - - if (kType == CKK_RSA) { - - keyType = "RSA"; - - attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_MODULUS) }; - token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); - BigInteger modulus = attrs[0].getBigInteger(); - keyLength = modulus.bitLength(); - - // This check will combine our "don't care" values here - // with the system-wide min/max values. - try { - RSAKeyFactory.checkKeyLengths(keyLength, null, - -1, Integer.MAX_VALUE); - } catch (InvalidKeyException e) { - throw new KeyStoreException(e.getMessage()); - } - - return P11Key.privateKey(session, - oHandle, - keyType, - keyLength, - null); - - } else if (kType == CKK_DSA) { - - keyType = "DSA"; - - attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_PRIME) }; - token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); - BigInteger prime = attrs[0].getBigInteger(); - keyLength = prime.bitLength(); - - return P11Key.privateKey(session, - oHandle, - keyType, - keyLength, - null); - - } else if (kType == CKK_DH) { - - keyType = "DH"; - - attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_PRIME) }; - token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); - BigInteger prime = attrs[0].getBigInteger(); - keyLength = prime.bitLength(); - - return P11Key.privateKey(session, - oHandle, - keyType, - keyLength, - null); - - } else if (kType == CKK_EC) { - - attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_EC_PARAMS), - }; - token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); - byte[] encodedParams = attrs[0].getByteArray(); - try { - ECParameterSpec params = - ECUtil.getECParameterSpec(null, encodedParams); - keyLength = params.getCurve().getField().getFieldSize(); - } catch (IOException e) { - // we do not want to accept key with unsupported parameters - throw new KeyStoreException("Unsupported parameters", e); - } - - return P11Key.privateKey(session, oHandle, "EC", keyLength, null); - - } else { - if (debug != null) { - debug.println("unknown key type [" + kType + "]"); - } - throw new KeyStoreException("unknown key type"); - } - } - - - /** - * XXX On ibutton, when you C_SetAttribute(CKA_ID) for a private key - * it not only changes the CKA_ID of the private key, - * it changes the CKA_ID of the corresponding cert too. - * And vice versa. - * - * XXX On ibutton, CKR_DEVICE_ERROR if you C_SetAttribute(CKA_ID) - * for a private key, and then try to delete the corresponding cert. - * So this code reverses the order. - * After the cert is first destroyed (if necessary), - * then the CKA_ID of the private key can be changed successfully. - * - * @param replaceCert if true, then caller is updating alias info for - * existing cert (only update CKA_ID/CKA_LABEL). - * if false, then caller is updating cert chain - * (delete old end cert and add new chain). - */ - private void updatePkey(String alias, - byte[] cka_id, - X509Certificate[] chain, - boolean replaceCert) throws - KeyStoreException, CertificateException, PKCS11Exception { - - // XXX - // - // always set replaceCert to true - // - // NSS does not allow resetting of CKA_LABEL on an existing cert - // (C_SetAttribute call succeeds, but is ignored) - - replaceCert = true; - - Session session = null; - try { - session = token.getOpSession(); - - // first get private key object handle and hang onto it - - THandle h = getTokenObject(session, ATTR_CLASS_PKEY, cka_id, null); - long pKeyHandle; - if (h.type == ATTR_CLASS_PKEY) { - pKeyHandle = h.handle; - } else { - throw new KeyStoreException - ("expected but could not find private key " + - "with CKA_ID " + - getID(cka_id)); - } - - // next find existing end entity cert - - h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null); - if (h.type != ATTR_CLASS_CERT) { - throw new KeyStoreException - ("expected but could not find certificate " + - "with CKA_ID " + - getID(cka_id)); - } else { - if (replaceCert) { - // replacing existing cert and chain - destroyChain(cka_id); - } else { - // renaming alias for existing cert - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_LABEL, alias), - new CK_ATTRIBUTE(CKA_ID, alias) }; - token.p11.C_SetAttributeValue - (session.id(), h.handle, attrs); - } - } - - // add new chain - - if (replaceCert) { - // add all certs in chain - storeChain(alias, chain); - } else { - // already updated alias info for existing end cert - - // just update CA certs - storeCaCerts(chain, 1); - } - - // finally update CKA_ID for private key - // - // ibutton may have already done this (that is ok) - - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_ID, alias) }; - token.p11.C_SetAttributeValue(session.id(), pKeyHandle, attrs); - - if (debug != null) { - debug.println("updatePkey set new alias [" + - alias + - "] for private key entry"); - } - } finally { - token.releaseSession(session); - } - } - - private void updateP11Pkey(String alias, CK_ATTRIBUTE attribute, P11Key key) - throws PKCS11Exception { - - // if token key, update alias. - // if session key, convert to token key. - - Session session = null; - try { - session = token.getOpSession(); - if (key.tokenObject == true) { - - // token key - set new CKA_ID - - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_ID, alias) }; - token.p11.C_SetAttributeValue - (session.id(), key.keyID, attrs); - if (debug != null) { - debug.println("updateP11Pkey set new alias [" + - alias + - "] for key entry"); - } - } else { - - // session key - convert to token key and set CKA_ID - - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - new CK_ATTRIBUTE(CKA_ID, alias), - }; - if (attribute != null) { - attrs = addAttribute(attrs, attribute); - } - token.p11.C_CopyObject(session.id(), key.keyID, attrs); - if (debug != null) { - debug.println("updateP11Pkey copied private session key " + - "for [" + - alias + - "] to token entry"); - } - } - } finally { - token.releaseSession(session); - } - } - - private void storeCert(String alias, X509Certificate cert) - throws PKCS11Exception, CertificateException { - - ArrayList attrList = new ArrayList(); - attrList.add(ATTR_TOKEN_TRUE); - attrList.add(ATTR_CLASS_CERT); - attrList.add(ATTR_X509_CERT_TYPE); - attrList.add(new CK_ATTRIBUTE(CKA_SUBJECT, - cert.getSubjectX500Principal().getEncoded())); - attrList.add(new CK_ATTRIBUTE(CKA_ISSUER, - cert.getIssuerX500Principal().getEncoded())); - attrList.add(new CK_ATTRIBUTE(CKA_SERIAL_NUMBER, - cert.getSerialNumber().toByteArray())); - attrList.add(new CK_ATTRIBUTE(CKA_VALUE, cert.getEncoded())); - - if (alias != null) { - attrList.add(new CK_ATTRIBUTE(CKA_LABEL, alias)); - attrList.add(new CK_ATTRIBUTE(CKA_ID, alias)); - } else { - // ibutton requires something to be set - // - alias must be unique - attrList.add(new CK_ATTRIBUTE(CKA_ID, - getID(cert.getSubjectX500Principal().getName - (X500Principal.CANONICAL), cert))); - } - - Session session = null; - try { - session = token.getOpSession(); - token.p11.C_CreateObject(session.id(), - attrList.toArray(new CK_ATTRIBUTE[attrList.size()])); - } finally { - token.releaseSession(session); - } - } - - private void storeChain(String alias, X509Certificate[] chain) - throws PKCS11Exception, CertificateException { - - // add new chain - // - // end cert has CKA_LABEL and CKA_ID set to alias. - // other certs in chain have neither set. - - storeCert(alias, chain[0]); - storeCaCerts(chain, 1); - } - - private void storeCaCerts(X509Certificate[] chain, int start) - throws PKCS11Exception, CertificateException { - - // do not add duplicate CA cert if already in token - // - // XXX ibutton stores duplicate CA certs, NSS does not - - Session session = null; - HashSet cacerts = new HashSet(); - try { - session = token.getOpSession(); - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_CERT }; - long[] handles = findObjects(session, attrs); - - // load certs currently on the token - for (long handle : handles) { - cacerts.add(loadCert(session, handle)); - } - } finally { - token.releaseSession(session); - } - - for (int i = start; i < chain.length; i++) { - if (!cacerts.contains(chain[i])) { - storeCert(null, chain[i]); - } else if (debug != null) { - debug.println("ignoring duplicate CA cert for [" + - chain[i].getSubjectX500Principal() + - "]"); - } - } - } - - private void storeSkey(String alias, KeyStore.SecretKeyEntry ske) - throws PKCS11Exception, KeyStoreException { - - SecretKey skey = ske.getSecretKey(); - // No need to specify CKA_CLASS, CKA_KEY_TYPE, CKA_VALUE since - // they are handled in P11SecretKeyFactory.createKey() method. - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - ATTR_SKEY_TOKEN_TRUE, - ATTR_PRIVATE_TRUE, - new CK_ATTRIBUTE(CKA_LABEL, alias), - }; - try { - P11SecretKeyFactory.convertKey(token, skey, null, attrs); - } catch (InvalidKeyException ike) { - // re-throw KeyStoreException to match javadoc - throw new KeyStoreException("Cannot convert to PKCS11 keys", ike); - } - - // update global alias map - aliasMap.put(alias, new AliasInfo(alias)); - - if (debug != null) { - debug.println("storeSkey created token secret key for [" + - alias + "]"); - } - } - - private static CK_ATTRIBUTE[] addAttribute(CK_ATTRIBUTE[] attrs, CK_ATTRIBUTE attr) { - int n = attrs.length; - CK_ATTRIBUTE[] newAttrs = new CK_ATTRIBUTE[n + 1]; - System.arraycopy(attrs, 0, newAttrs, 0, n); - newAttrs[n] = attr; - return newAttrs; - } - - private void storePkey(String alias, KeyStore.PrivateKeyEntry pke) - throws PKCS11Exception, CertificateException, KeyStoreException { - - PrivateKey key = pke.getPrivateKey(); - CK_ATTRIBUTE[] attrs = null; - - // If the key is a token object on this token, update it instead - // of creating a duplicate key object. - // Otherwise, treat a P11Key like any other key, if it is extractable. - if (key instanceof P11Key) { - P11Key p11Key = (P11Key)key; - if (p11Key.tokenObject && (p11Key.token == this.token)) { - updateP11Pkey(alias, null, p11Key); - storeChain(alias, (X509Certificate[])pke.getCertificateChain()); - return; - } - } - - boolean useNDB = token.config.getNssNetscapeDbWorkaround(); - PublicKey publicKey = pke.getCertificate().getPublicKey(); - - if (key instanceof RSAPrivateKey) { - - X509Certificate cert = (X509Certificate)pke.getCertificate(); - attrs = getRsaPrivKeyAttrs - (alias, (RSAPrivateKey)key, cert.getSubjectX500Principal()); - - } else if (key instanceof DSAPrivateKey) { - - DSAPrivateKey dsaKey = (DSAPrivateKey)key; - - CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB); - if (idAttrs[0] == null) { - idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias); - } - - attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_PKEY, - ATTR_PRIVATE_TRUE, - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DSA), - idAttrs[0], - new CK_ATTRIBUTE(CKA_PRIME, dsaKey.getParams().getP()), - new CK_ATTRIBUTE(CKA_SUBPRIME, dsaKey.getParams().getQ()), - new CK_ATTRIBUTE(CKA_BASE, dsaKey.getParams().getG()), - new CK_ATTRIBUTE(CKA_VALUE, dsaKey.getX()), - }; - if (idAttrs[1] != null) { - attrs = addAttribute(attrs, idAttrs[1]); - } - - attrs = token.getAttributes - (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DSA, attrs); - - if (debug != null) { - debug.println("storePkey created DSA template"); - } - - } else if (key instanceof DHPrivateKey) { - - DHPrivateKey dhKey = (DHPrivateKey)key; - - CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB); - if (idAttrs[0] == null) { - idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias); - } - - attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_PKEY, - ATTR_PRIVATE_TRUE, - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DH), - idAttrs[0], - new CK_ATTRIBUTE(CKA_PRIME, dhKey.getParams().getP()), - new CK_ATTRIBUTE(CKA_BASE, dhKey.getParams().getG()), - new CK_ATTRIBUTE(CKA_VALUE, dhKey.getX()), - }; - if (idAttrs[1] != null) { - attrs = addAttribute(attrs, idAttrs[1]); - } - - attrs = token.getAttributes - (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DH, attrs); - - } else if (key instanceof ECPrivateKey) { - - ECPrivateKey ecKey = (ECPrivateKey)key; - - CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB); - if (idAttrs[0] == null) { - idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias); - } - - byte[] encodedParams = - ECUtil.encodeECParameterSpec(null, ecKey.getParams()); - attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_PKEY, - ATTR_PRIVATE_TRUE, - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), - idAttrs[0], - new CK_ATTRIBUTE(CKA_VALUE, ecKey.getS()), - new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams), - }; - if (idAttrs[1] != null) { - attrs = addAttribute(attrs, idAttrs[1]); - } - - attrs = token.getAttributes - (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_EC, attrs); - - if (debug != null) { - debug.println("storePkey created EC template"); - } - - } else if (key instanceof P11Key) { - // sensitive/non-extractable P11Key - P11Key p11Key = (P11Key)key; - if (p11Key.token != this.token) { - throw new KeyStoreException - ("Cannot move sensitive keys across tokens"); - } - CK_ATTRIBUTE netscapeDB = null; - if (useNDB) { - // Note that this currently fails due to an NSS bug. - // They do not allow the CKA_NETSCAPE_DB attribute to be - // specified during C_CopyObject() and fail with - // CKR_ATTRIBUTE_READ_ONLY. - // But if we did not specify it, they would fail with - // CKA_TEMPLATE_INCOMPLETE, so leave this code in here. - CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, true); - netscapeDB = idAttrs[1]; - } - // Update the key object. - updateP11Pkey(alias, netscapeDB, p11Key); - storeChain(alias, (X509Certificate[])pke.getCertificateChain()); - return; - - } else { - throw new KeyStoreException("unsupported key type: " + key); - } - - Session session = null; - try { - session = token.getOpSession(); - - // create private key entry - token.p11.C_CreateObject(session.id(), attrs); - if (debug != null) { - debug.println("storePkey created token key for [" + - alias + - "]"); - } - } finally { - token.releaseSession(session); - } - - storeChain(alias, (X509Certificate[])pke.getCertificateChain()); - } - - private CK_ATTRIBUTE[] getRsaPrivKeyAttrs(String alias, - RSAPrivateKey key, - X500Principal subject) throws PKCS11Exception { - - // subject is currently ignored - could be used to set CKA_SUBJECT - - CK_ATTRIBUTE[] attrs = null; - if (key instanceof RSAPrivateCrtKey) { - - if (debug != null) { - debug.println("creating RSAPrivateCrtKey attrs"); - } - - RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key; - - attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_PKEY, - ATTR_PRIVATE_TRUE, - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), - new CK_ATTRIBUTE(CKA_ID, alias), - new CK_ATTRIBUTE(CKA_MODULUS, - rsaKey.getModulus()), - new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT, - rsaKey.getPrivateExponent()), - new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, - rsaKey.getPublicExponent()), - new CK_ATTRIBUTE(CKA_PRIME_1, - rsaKey.getPrimeP()), - new CK_ATTRIBUTE(CKA_PRIME_2, - rsaKey.getPrimeQ()), - new CK_ATTRIBUTE(CKA_EXPONENT_1, - rsaKey.getPrimeExponentP()), - new CK_ATTRIBUTE(CKA_EXPONENT_2, - rsaKey.getPrimeExponentQ()), - new CK_ATTRIBUTE(CKA_COEFFICIENT, - rsaKey.getCrtCoefficient()) }; - attrs = token.getAttributes - (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs); - - } else { - - if (debug != null) { - debug.println("creating RSAPrivateKey attrs"); - } - - RSAPrivateKey rsaKey = key; - - attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_PKEY, - ATTR_PRIVATE_TRUE, - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), - new CK_ATTRIBUTE(CKA_ID, alias), - new CK_ATTRIBUTE(CKA_MODULUS, - rsaKey.getModulus()), - new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT, - rsaKey.getPrivateExponent()) }; - attrs = token.getAttributes - (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs); - } - - return attrs; - } - - /** - * Compute the CKA_ID and/or CKA_NETSCAPE_DB attributes that should be - * used for this private key. It uses the same algorithm to calculate the - * values as NSS. The public and private keys MUST match for the result to - * be correct. - * - * It returns a 2 element array with CKA_ID at index 0 and CKA_NETSCAPE_DB - * at index 1. The boolean flags determine what is to be calculated. - * If false or if we could not calculate the value, that element is null. - * - * NOTE that we currently do not use the CKA_ID value calculated by this - * method. - */ - private CK_ATTRIBUTE[] getIdAttributes(PrivateKey privateKey, - PublicKey publicKey, boolean id, boolean netscapeDb) { - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[2]; - if ((id || netscapeDb) == false) { - return attrs; - } - String alg = privateKey.getAlgorithm(); - if (id && alg.equals("RSA") && (publicKey instanceof RSAPublicKey)) { - // CKA_NETSCAPE_DB not needed for RSA public keys - BigInteger n = ((RSAPublicKey)publicKey).getModulus(); - attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(n))); - } else if (alg.equals("DSA") && (publicKey instanceof DSAPublicKey)) { - BigInteger y = ((DSAPublicKey)publicKey).getY(); - if (id) { - attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(y))); - } - if (netscapeDb) { - attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, y); - } - } else if (alg.equals("DH") && (publicKey instanceof DHPublicKey)) { - BigInteger y = ((DHPublicKey)publicKey).getY(); - if (id) { - attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(y))); - } - if (netscapeDb) { - attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, y); - } - } else if (alg.equals("EC") && (publicKey instanceof ECPublicKey)) { - ECPublicKey ecPub = (ECPublicKey)publicKey; - ECPoint point = ecPub.getW(); - ECParameterSpec params = ecPub.getParams(); - byte[] encodedPoint = ECUtil.encodePoint(point, params.getCurve()); - if (id) { - attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(encodedPoint)); - } - if (netscapeDb) { - attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, encodedPoint); - } - } else { - throw new RuntimeException("Unknown key algorithm " + alg); - } - return attrs; - } - - /** - * return true if cert destroyed - */ - private boolean destroyCert(byte[] cka_id) - throws PKCS11Exception, KeyStoreException { - Session session = null; - try { - session = token.getOpSession(); - THandle h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null); - if (h.type != ATTR_CLASS_CERT) { - return false; - } - - token.p11.C_DestroyObject(session.id(), h.handle); - if (debug != null) { - debug.println("destroyCert destroyed cert with CKA_ID [" + - getID(cka_id) + - "]"); - } - return true; - } finally { - token.releaseSession(session); - } - } - - /** - * return true if chain destroyed - */ - private boolean destroyChain(byte[] cka_id) - throws PKCS11Exception, CertificateException, KeyStoreException { - - Session session = null; - try { - session = token.getOpSession(); - - THandle h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null); - if (h.type != ATTR_CLASS_CERT) { - if (debug != null) { - debug.println("destroyChain could not find " + - "end entity cert with CKA_ID [0x" + - Functions.toHexString(cka_id) + - "]"); - } - return false; - } - - X509Certificate endCert = loadCert(session, h.handle); - token.p11.C_DestroyObject(session.id(), h.handle); - if (debug != null) { - debug.println("destroyChain destroyed end entity cert " + - "with CKA_ID [" + - getID(cka_id) + - "]"); - } - - // build chain following issuer->subject links - - X509Certificate next = endCert; - while (true) { - - if (next.getSubjectX500Principal().equals - (next.getIssuerX500Principal())) { - // self signed - done - break; - } - - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_CERT, - new CK_ATTRIBUTE(CKA_SUBJECT, - next.getIssuerX500Principal().getEncoded()) }; - long[] ch = findObjects(session, attrs); - - if (ch == null || ch.length == 0) { - // done - break; - } else { - // if more than one found, use first - if (debug != null && ch.length > 1) { - debug.println("destroyChain found " + - ch.length + - " certificate entries for subject [" + - next.getIssuerX500Principal() + - "] in token - using first entry"); - } - - next = loadCert(session, ch[0]); - - // only delete if not part of any other chain - - attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_CERT, - new CK_ATTRIBUTE(CKA_ISSUER, - next.getSubjectX500Principal().getEncoded()) }; - long[] issuers = findObjects(session, attrs); - - boolean destroyIt = false; - if (issuers == null || issuers.length == 0) { - // no other certs with this issuer - - // destroy it - destroyIt = true; - } else if (issuers.length == 1) { - X509Certificate iCert = loadCert(session, issuers[0]); - if (next.equals(iCert)) { - // only cert with issuer is itself (self-signed) - - // destroy it - destroyIt = true; - } - } - - if (destroyIt) { - token.p11.C_DestroyObject(session.id(), ch[0]); - if (debug != null) { - debug.println - ("destroyChain destroyed cert in chain " + - "with subject [" + - next.getSubjectX500Principal() + "]"); - } - } else { - if (debug != null) { - debug.println("destroyChain did not destroy " + - "shared cert in chain with subject [" + - next.getSubjectX500Principal() + "]"); - } - } - } - } - - return true; - - } finally { - token.releaseSession(session); - } - } - - /** - * return true if secret key destroyed - */ - private boolean destroySkey(String alias) - throws PKCS11Exception, KeyStoreException { - Session session = null; - try { - session = token.getOpSession(); - - THandle h = getTokenObject(session, ATTR_CLASS_SKEY, null, alias); - if (h.type != ATTR_CLASS_SKEY) { - if (debug != null) { - debug.println("destroySkey did not find secret key " + - "with CKA_LABEL [" + - alias + - "]"); - } - return false; - } - token.p11.C_DestroyObject(session.id(), h.handle); - return true; - } finally { - token.releaseSession(session); - } - } - - /** - * return true if private key destroyed - */ - private boolean destroyPkey(byte[] cka_id) - throws PKCS11Exception, KeyStoreException { - Session session = null; - try { - session = token.getOpSession(); - - THandle h = getTokenObject(session, ATTR_CLASS_PKEY, cka_id, null); - if (h.type != ATTR_CLASS_PKEY) { - if (debug != null) { - debug.println - ("destroyPkey did not find private key with CKA_ID [" + - getID(cka_id) + - "]"); - } - return false; - } - token.p11.C_DestroyObject(session.id(), h.handle); - return true; - } finally { - token.releaseSession(session); - } - } - - /** - * build [alias + issuer + serialNumber] string from a cert - */ - private String getID(String alias, X509Certificate cert) { - X500Principal issuer = cert.getIssuerX500Principal(); - BigInteger serialNum = cert.getSerialNumber(); - - return alias + - ALIAS_SEP + - issuer.getName(X500Principal.CANONICAL) + - ALIAS_SEP + - serialNum.toString(); - } - - /** - * build CKA_ID string from bytes - */ - private static String getID(byte[] bytes) { - boolean printable = true; - for (int i = 0; i < bytes.length; i++) { - if (!DerValue.isPrintableStringChar((char)bytes[i])) { - printable = false; - break; - } - } - - if (!printable) { - return "0x" + Functions.toHexString(bytes); - } else { - try { - return new String(bytes, "UTF-8"); - } catch (UnsupportedEncodingException uee) { - return "0x" + Functions.toHexString(bytes); - } - } - } - - /** - * find an object on the token - * - * @param type either ATTR_CLASS_CERT, ATTR_CLASS_PKEY, or ATTR_CLASS_SKEY - * @param cka_id the CKA_ID if type is ATTR_CLASS_CERT or ATTR_CLASS_PKEY - * @param cka_label the CKA_LABEL if type is ATTR_CLASS_SKEY - */ - private THandle getTokenObject(Session session, - CK_ATTRIBUTE type, - byte[] cka_id, - String cka_label) - throws PKCS11Exception, KeyStoreException { - - CK_ATTRIBUTE[] attrs; - if (type == ATTR_CLASS_SKEY) { - attrs = new CK_ATTRIBUTE[] { - ATTR_SKEY_TOKEN_TRUE, - new CK_ATTRIBUTE(CKA_LABEL, cka_label), - type }; - } else { - attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - new CK_ATTRIBUTE(CKA_ID, cka_id), - type }; - } - long[] h = findObjects(session, attrs); - if (h.length == 0) { - if (debug != null) { - if (type == ATTR_CLASS_SKEY) { - debug.println("getTokenObject did not find secret key " + - "with CKA_LABEL [" + - cka_label + - "]"); - } else if (type == ATTR_CLASS_CERT) { - debug.println - ("getTokenObject did not find cert with CKA_ID [" + - getID(cka_id) + - "]"); - } else { - debug.println("getTokenObject did not find private key " + - "with CKA_ID [" + - getID(cka_id) + - "]"); - } - } - } else if (h.length == 1) { - - // found object handle - return it - return new THandle(h[0], type); - - } else { - - // found multiple object handles - - // see if token ignored CKA_LABEL during search (e.g. NSS) - - if (type == ATTR_CLASS_SKEY) { - - ArrayList list = new ArrayList(h.length); - for (int i = 0; i < h.length; i++) { - - CK_ATTRIBUTE[] label = new CK_ATTRIBUTE[] - { new CK_ATTRIBUTE(CKA_LABEL) }; - token.p11.C_GetAttributeValue(session.id(), h[i], label); - if (label[0].pValue != null && - cka_label.equals(new String(label[0].getCharArray()))) { - list.add(new THandle(h[i], ATTR_CLASS_SKEY)); - } - } - if (list.size() == 1) { - // yes, there was only one CKA_LABEL that matched - return list.get(0); - } else { - throw new KeyStoreException("invalid KeyStore state: " + - "found " + - list.size() + - " secret keys sharing CKA_LABEL [" + - cka_label + - "]"); - } - } else if (type == ATTR_CLASS_CERT) { - throw new KeyStoreException("invalid KeyStore state: " + - "found " + - h.length + - " certificates sharing CKA_ID " + - getID(cka_id)); - } else { - throw new KeyStoreException("invalid KeyStore state: " + - "found " + - h.length + - " private keys sharing CKA_ID " + - getID(cka_id)); - } - } - return new THandle(NO_HANDLE, null); - } - - /** - * Create a mapping of all key pairs, trusted certs, and secret keys - * on the token into logical KeyStore entries unambiguously - * accessible via an alias. - * - * If the token is removed, the map may contain stale values. - * KeyStore.load should be called to re-create the map. - * - * Assume all private keys and matching certs share a unique CKA_ID. - * - * Assume all secret keys have a unique CKA_LABEL. - * - * @return true if multiple certs found sharing the same CKA_LABEL - * (if so, write capabilities are disabled) - */ - private boolean mapLabels() throws - PKCS11Exception, CertificateException, KeyStoreException { - - CK_ATTRIBUTE[] trustedAttr = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_TRUSTED) }; - - Session session = null; - try { - session = token.getOpSession(); - - // get all private key CKA_IDs - - ArrayList pkeyIDs = new ArrayList(); - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_PKEY, - }; - long[] handles = findObjects(session, attrs); - - for (long handle : handles) { - attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID) }; - token.p11.C_GetAttributeValue(session.id(), handle, attrs); - - if (attrs[0].pValue != null) { - pkeyIDs.add(attrs[0].getByteArray()); - } - } - - // Get all certificates - // - // If cert does not have a CKA_LABEL nor CKA_ID, it is ignored. - // - // Get the CKA_LABEL for each cert - // (if the cert does not have a CKA_LABEL, use the CKA_ID). - // - // Map each cert to the its CKA_LABEL - // (multiple certs may be mapped to a single CKA_LABEL) - - HashMap> certMap = - new HashMap>(); - - attrs = new CK_ATTRIBUTE[] { - ATTR_TOKEN_TRUE, - ATTR_CLASS_CERT, - }; - handles = findObjects(session, attrs); - - for (long handle : handles) { - attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) }; - - String cka_label = null; - byte[] cka_id = null; - try { - token.p11.C_GetAttributeValue(session.id(), handle, attrs); - if (attrs[0].pValue != null) { - // there is a CKA_LABEL - cka_label = new String(attrs[0].getCharArray()); - } - } catch (PKCS11Exception pe) { - if (pe.getErrorCode() != CKR_ATTRIBUTE_TYPE_INVALID) { - throw pe; - } - - // GetAttributeValue for CKA_LABEL not supported - // - // XXX SCA1000 - } - - // get CKA_ID - - attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID) }; - token.p11.C_GetAttributeValue(session.id(), handle, attrs); - if (attrs[0].pValue == null) { - if (cka_label == null) { - // no cka_label nor cka_id - ignore - continue; - } - } else { - if (cka_label == null) { - // use CKA_ID as CKA_LABEL - cka_label = getID(attrs[0].getByteArray()); - } - cka_id = attrs[0].getByteArray(); - } - - X509Certificate cert = loadCert(session, handle); - - // get CKA_TRUSTED - - boolean cka_trusted = false; - - if (useSecmodTrust) { - cka_trusted = Secmod.getInstance().isTrusted(cert, nssTrustType); - } else { - if (CKA_TRUSTED_SUPPORTED) { - try { - token.p11.C_GetAttributeValue - (session.id(), handle, trustedAttr); - cka_trusted = trustedAttr[0].getBoolean(); - } catch (PKCS11Exception pe) { - if (pe.getErrorCode() == CKR_ATTRIBUTE_TYPE_INVALID) { - // XXX NSS, ibutton, sca1000 - CKA_TRUSTED_SUPPORTED = false; - if (debug != null) { - debug.println - ("CKA_TRUSTED attribute not supported"); - } - } - } - } - } - - HashSet infoSet = certMap.get(cka_label); - if (infoSet == null) { - infoSet = new HashSet(2); - certMap.put(cka_label, infoSet); - } - - // initially create private key entry AliasInfo entries - - // these entries will get resolved into their true - // entry types later - - infoSet.add(new AliasInfo - (cka_label, - cka_id, - cka_trusted, - cert)); - } - - // create list secret key CKA_LABELS - - // if there are duplicates (either between secret keys, - // or between a secret key and another object), - // throw an exception - HashMap sKeyMap = - new HashMap(); - - attrs = new CK_ATTRIBUTE[] { - ATTR_SKEY_TOKEN_TRUE, - ATTR_CLASS_SKEY, - }; - handles = findObjects(session, attrs); - - for (long handle : handles) { - attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) }; - token.p11.C_GetAttributeValue(session.id(), handle, attrs); - if (attrs[0].pValue != null) { - - // there is a CKA_LABEL - String cka_label = new String(attrs[0].getCharArray()); - if (sKeyMap.get(cka_label) == null) { - sKeyMap.put(cka_label, new AliasInfo(cka_label)); - } else { - throw new KeyStoreException("invalid KeyStore state: " + - "found multiple secret keys sharing same " + - "CKA_LABEL [" + - cka_label + - "]"); - } - } - } - - // update global aliasMap with alias mappings - ArrayList matchedCerts = - mapPrivateKeys(pkeyIDs, certMap); - boolean sharedLabel = mapCerts(matchedCerts, certMap); - mapSecretKeys(sKeyMap); - - return sharedLabel; - - } finally { - token.releaseSession(session); - } - } - - /** - * for each private key CKA_ID, find corresponding cert with same CKA_ID. - * if found cert, see if cert CKA_LABEL is unique. - * if CKA_LABEL unique, map private key/cert alias to that CKA_LABEL. - * if CKA_LABEL not unique, map private key/cert alias to: - * CKA_LABEL + ALIAS_SEP + ISSUER + ALIAS_SEP + SERIAL - * if cert not found, ignore private key - * (don't support private key entries without a cert chain yet) - * - * @return a list of AliasInfo entries that represents all matches - */ - private ArrayList mapPrivateKeys(ArrayList pkeyIDs, - HashMap> certMap) - throws PKCS11Exception, CertificateException { - - // reset global alias map - aliasMap = new HashMap(); - - // list of matched certs that we will return - ArrayList matchedCerts = new ArrayList(); - - for (byte[] pkeyID : pkeyIDs) { - - // try to find a matching CKA_ID in a certificate - - boolean foundMatch = false; - Set certLabels = certMap.keySet(); - for (String certLabel : certLabels) { - - // get cert CKA_IDs (if present) for each cert - - HashSet infoSet = certMap.get(certLabel); - for (AliasInfo aliasInfo : infoSet) { - if (Arrays.equals(pkeyID, aliasInfo.id)) { - - // found private key with matching cert - - if (infoSet.size() == 1) { - // unique CKA_LABEL - use certLabel as alias - aliasInfo.matched = true; - aliasMap.put(certLabel, aliasInfo); - } else { - // create new alias - aliasInfo.matched = true; - aliasMap.put(getID(certLabel, aliasInfo.cert), - aliasInfo); - } - matchedCerts.add(aliasInfo); - foundMatch = true; - break; - } - } - if (foundMatch) { - break; - } - } - - if (!foundMatch) { - if (debug != null) { - debug.println - ("did not find match for private key with CKA_ID [" + - getID(pkeyID) + - "] (ignoring entry)"); - } - } - } - - return matchedCerts; - } - - /** - * for each cert not matched with a private key but is CKA_TRUSTED: - * if CKA_LABEL unique, map cert to CKA_LABEL. - * if CKA_LABEL not unique, map cert to [label+issuer+serialNum] - * - * if CKA_TRUSTED not supported, treat all certs not part of a chain - * as trusted - * - * @return true if multiple certs found sharing the same CKA_LABEL - */ - private boolean mapCerts(ArrayList matchedCerts, - HashMap> certMap) - throws PKCS11Exception, CertificateException { - - // load all cert chains - for (AliasInfo aliasInfo : matchedCerts) { - Session session = null; - try { - session = token.getOpSession(); - aliasInfo.chain = loadChain(session, aliasInfo.cert); - } finally { - token.releaseSession(session); - } - } - - // find all certs in certMap not part of a cert chain - // - these are trusted - - boolean sharedLabel = false; - - Set certLabels = certMap.keySet(); - for (String certLabel : certLabels) { - HashSet infoSet = certMap.get(certLabel); - for (AliasInfo aliasInfo : infoSet) { - - if (aliasInfo.matched == true) { - // already found a private key match for this cert - - // just continue - aliasInfo.trusted = false; - continue; - } - - // cert in this aliasInfo is not matched yet - // - // if CKA_TRUSTED_SUPPORTED == true, - // then check if cert is trusted - - if (CKA_TRUSTED_SUPPORTED) { - if (aliasInfo.trusted) { - // trusted certificate - if (mapTrustedCert - (certLabel, aliasInfo, infoSet) == true) { - sharedLabel = true; - } - } - continue; - } - - // CKA_TRUSTED_SUPPORTED == false - // - // XXX treat all certs not part of a chain as trusted - // XXX - // XXX Unsupported - // - // boolean partOfChain = false; - // for (AliasInfo matchedInfo : matchedCerts) { - // for (int i = 0; i < matchedInfo.chain.length; i++) { - // if (matchedInfo.chain[i].equals(aliasInfo.cert)) { - // partOfChain = true; - // break; - // } - // } - // if (partOfChain) { - // break; - // } - // } - // - // if (!partOfChain) { - // if (mapTrustedCert(certLabel,aliasInfo,infoSet) == true){ - // sharedLabel = true; - // } - // } else { - // if (debug != null) { - // debug.println("ignoring unmatched/untrusted cert " + - // "that is part of cert chain - cert subject is [" + - // aliasInfo.cert.getSubjectX500Principal().getName - // (X500Principal.CANONICAL) + - // "]"); - // } - // } - } - } - - return sharedLabel; - } - - private boolean mapTrustedCert(String certLabel, - AliasInfo aliasInfo, - HashSet infoSet) { - - boolean sharedLabel = false; - - aliasInfo.type = ATTR_CLASS_CERT; - aliasInfo.trusted = true; - if (infoSet.size() == 1) { - // unique CKA_LABEL - use certLabel as alias - aliasMap.put(certLabel, aliasInfo); - } else { - // create new alias - sharedLabel = true; - aliasMap.put(getID(certLabel, aliasInfo.cert), aliasInfo); - } - - return sharedLabel; - } - - /** - * If the secret key shares a CKA_LABEL with another entry, - * throw an exception - */ - private void mapSecretKeys(HashMap sKeyMap) - throws KeyStoreException { - for (String label : sKeyMap.keySet()) { - if (aliasMap.containsKey(label)) { - throw new KeyStoreException("invalid KeyStore state: " + - "found secret key sharing CKA_LABEL [" + - label + - "] with another token object"); - } - } - aliasMap.putAll(sKeyMap); - } - - private void dumpTokenMap() { - Set aliases = aliasMap.keySet(); - System.out.println("Token Alias Map:"); - if (aliases.isEmpty()) { - System.out.println(" [empty]"); - } else { - for (String s : aliases) { - System.out.println(" " + s + aliasMap.get(s)); - } - } - } - - private void checkWrite() throws KeyStoreException { - if (writeDisabled) { - throw new KeyStoreException - ("This PKCS11KeyStore does not support write capabilities"); - } - } - - private final static long[] LONG0 = new long[0]; - - private static long[] findObjects(Session session, CK_ATTRIBUTE[] attrs) - throws PKCS11Exception { - Token token = session.token; - long[] handles = LONG0; - token.p11.C_FindObjectsInit(session.id(), attrs); - while (true) { - long[] h = token.p11.C_FindObjects(session.id(), FINDOBJECTS_MAX); - if (h.length == 0) { - break; - } - handles = P11Util.concat(handles, h); - } - token.p11.C_FindObjectsFinal(session.id()); - return handles; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java 2017-01-20 09:52:34.346289107 -0800 @@ -0,0 +1,2683 @@ +/* + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; + +import java.io.InputStream; +import java.io.OutputStream; +import java.io.IOException; +import java.io.ByteArrayInputStream; +import java.io.UnsupportedEncodingException; + +import java.util.Arrays; +import java.util.Collections; +import java.util.Date; +import java.util.Enumeration; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.HashMap; +import java.util.Set; + +import java.security.*; +import java.security.KeyStore.*; + +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.security.cert.CertificateFactory; +import java.security.cert.CertificateException; + +import java.security.interfaces.*; +import java.security.spec.*; + +import javax.crypto.SecretKey; +import javax.crypto.interfaces.*; + +import javax.security.auth.x500.X500Principal; +import javax.security.auth.login.LoginException; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; + +import sun.security.util.Debug; +import sun.security.util.DerValue; +import sun.security.util.ECUtil; + +import sun.security.pkcs11.Secmod.*; +import static sun.security.pkcs11.P11Util.*; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +import sun.security.rsa.RSAKeyFactory; + +final class P11KeyStore extends KeyStoreSpi { + + private static final CK_ATTRIBUTE ATTR_CLASS_CERT = + new CK_ATTRIBUTE(CKA_CLASS, CKO_CERTIFICATE); + private static final CK_ATTRIBUTE ATTR_CLASS_PKEY = + new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY); + private static final CK_ATTRIBUTE ATTR_CLASS_SKEY = + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); + + private static final CK_ATTRIBUTE ATTR_X509_CERT_TYPE = + new CK_ATTRIBUTE(CKA_CERTIFICATE_TYPE, CKC_X_509); + + private static final CK_ATTRIBUTE ATTR_TOKEN_TRUE = + new CK_ATTRIBUTE(CKA_TOKEN, true); + + // XXX for testing purposes only + // - NSS doesn't support persistent secret keys + // (key type gets mangled if secret key is a token key) + // - if debug is turned on, then this is set to false + private static CK_ATTRIBUTE ATTR_SKEY_TOKEN_TRUE = ATTR_TOKEN_TRUE; + + private static final CK_ATTRIBUTE ATTR_TRUSTED_TRUE = + new CK_ATTRIBUTE(CKA_TRUSTED, true); + private static final CK_ATTRIBUTE ATTR_PRIVATE_TRUE = + new CK_ATTRIBUTE(CKA_PRIVATE, true); + + private static final long NO_HANDLE = -1; + private static final long FINDOBJECTS_MAX = 100; + private static final String ALIAS_SEP = "/"; + + private static final boolean NSS_TEST = false; + private static final Debug debug = + Debug.getInstance("pkcs11keystore"); + private static boolean CKA_TRUSTED_SUPPORTED = true; + + private final Token token; + + // If multiple certs are found to share the same CKA_LABEL + // at load time (NSS-style keystore), then the keystore is read + // and the unique keystore aliases are mapped to the entries. + // However, write capabilities are disabled. + private boolean writeDisabled = false; + + // Map of unique keystore aliases to entries in the token + private HashMap aliasMap; + + // whether to use NSS Secmod info for trust attributes + private final boolean useSecmodTrust; + + // if useSecmodTrust == true, which type of trust we are interested in + private Secmod.TrustType nssTrustType; + + /** + * The underlying token may contain multiple certs belonging to the + * same "personality" (for example, a signing cert and encryption cert), + * all sharing the same CKA_LABEL. These must be resolved + * into unique keystore aliases. + * + * In addition, private keys and certs may not have a CKA_LABEL. + * It is assumed that a private key and corresponding certificate + * share the same CKA_ID, and that the CKA_ID is unique across the token. + * The CKA_ID may not be human-readable. + * These pairs must be resolved into unique keystore aliases. + * + * Furthermore, secret keys are assumed to have a CKA_LABEL + * unique across the entire token. + * + * When the KeyStore is loaded, instances of this class are + * created to represent the private keys/secret keys/certs + * that reside on the token. + */ + private static class AliasInfo { + + // CKA_CLASS - entry type + private CK_ATTRIBUTE type = null; + + // CKA_LABEL of cert and secret key + private String label = null; + + // CKA_ID of the private key/cert pair + private byte[] id = null; + + // CKA_TRUSTED - true if cert is trusted + private boolean trusted = false; + + // either end-entity cert or trusted cert depending on 'type' + private X509Certificate cert = null; + + // chain + private X509Certificate[] chain = null; + + // true if CKA_ID for private key and cert match up + private boolean matched = false; + + // SecretKeyEntry + public AliasInfo(String label) { + this.type = ATTR_CLASS_SKEY; + this.label = label; + } + + // PrivateKeyEntry + public AliasInfo(String label, + byte[] id, + boolean trusted, + X509Certificate cert) { + this.type = ATTR_CLASS_PKEY; + this.label = label; + this.id = id; + this.trusted = trusted; + this.cert = cert; + } + + public String toString() { + StringBuilder sb = new StringBuilder(); + if (type == ATTR_CLASS_PKEY) { + sb.append("\ttype=[private key]\n"); + } else if (type == ATTR_CLASS_SKEY) { + sb.append("\ttype=[secret key]\n"); + } else if (type == ATTR_CLASS_CERT) { + sb.append("\ttype=[trusted cert]\n"); + } + sb.append("\tlabel=[" + label + "]\n"); + if (id == null) { + sb.append("\tid=[null]\n"); + } else { + sb.append("\tid=" + P11KeyStore.getID(id) + "\n"); + } + sb.append("\ttrusted=[" + trusted + "]\n"); + sb.append("\tmatched=[" + matched + "]\n"); + if (cert == null) { + sb.append("\tcert=[null]\n"); + } else { + sb.append("\tcert=[\tsubject: " + + cert.getSubjectX500Principal() + + "\n\t\tissuer: " + + cert.getIssuerX500Principal() + + "\n\t\tserialNum: " + + cert.getSerialNumber().toString() + + "]"); + } + return sb.toString(); + } + } + + /** + * callback handler for passing password to Provider.login method + */ + private static class PasswordCallbackHandler implements CallbackHandler { + + private char[] password; + + private PasswordCallbackHandler(char[] password) { + if (password != null) { + this.password = password.clone(); + } + } + + public void handle(Callback[] callbacks) + throws IOException, UnsupportedCallbackException { + if (!(callbacks[0] instanceof PasswordCallback)) { + throw new UnsupportedCallbackException(callbacks[0]); + } + PasswordCallback pc = (PasswordCallback)callbacks[0]; + pc.setPassword(password); // this clones the password if not null + } + + protected void finalize() throws Throwable { + if (password != null) { + Arrays.fill(password, ' '); + } + super.finalize(); + } + } + + /** + * getTokenObject return value. + * + * if object is not found, type is set to null. + * otherwise, type is set to the requested type. + */ + private static class THandle { + private final long handle; // token object handle + private final CK_ATTRIBUTE type; // CKA_CLASS + + private THandle(long handle, CK_ATTRIBUTE type) { + this.handle = handle; + this.type = type; + } + } + + P11KeyStore(Token token) { + this.token = token; + this.useSecmodTrust = token.provider.nssUseSecmodTrust; + } + + /** + * Returns the key associated with the given alias. + * The key must have been associated with + * the alias by a call to setKeyEntry, + * or by a call to setEntry with a + * PrivateKeyEntry or SecretKeyEntry. + * + * @param alias the alias name + * @param password the password, which must be null + * + * @return the requested key, or null if the given alias does not exist + * or does not identify a key-related entry. + * + * @exception NoSuchAlgorithmException if the algorithm for recovering the + * key cannot be found + * @exception UnrecoverableKeyException if the key cannot be recovered + */ + public synchronized Key engineGetKey(String alias, char[] password) + throws NoSuchAlgorithmException, UnrecoverableKeyException { + + token.ensureValid(); + if (password != null && !token.config.getKeyStoreCompatibilityMode()) { + throw new NoSuchAlgorithmException("password must be null"); + } + + AliasInfo aliasInfo = aliasMap.get(alias); + if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) { + return null; + } + + Session session = null; + try { + session = token.getOpSession(); + + if (aliasInfo.type == ATTR_CLASS_PKEY) { + THandle h = getTokenObject(session, + aliasInfo.type, + aliasInfo.id, + null); + if (h.type == ATTR_CLASS_PKEY) { + return loadPkey(session, h.handle); + } + } else { + THandle h = getTokenObject(session, + ATTR_CLASS_SKEY, + null, + alias); + if (h.type == ATTR_CLASS_SKEY) { + return loadSkey(session, h.handle); + } + } + + // did not find anything + return null; + } catch (PKCS11Exception | KeyStoreException e) { + throw new ProviderException(e); + } finally { + token.releaseSession(session); + } + } + + /** + * Returns the certificate chain associated with the given alias. + * The certificate chain must have been associated with the alias + * by a call to setKeyEntry, + * or by a call to setEntry with a + * PrivateKeyEntry. + * + * @param alias the alias name + * + * @return the certificate chain (ordered with the user's certificate first + * and the root certificate authority last), or null if the given alias + * does not exist or does not contain a certificate chain + */ + public synchronized Certificate[] engineGetCertificateChain(String alias) { + + token.ensureValid(); + + AliasInfo aliasInfo = aliasMap.get(alias); + if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_PKEY) { + return null; + } + return aliasInfo.chain; + } + + /** + * Returns the certificate associated with the given alias. + * + *

If the given alias name identifies an entry + * created by a call to setCertificateEntry, + * or created by a call to setEntry with a + * TrustedCertificateEntry, + * then the trusted certificate contained in that entry is returned. + * + *

If the given alias name identifies an entry + * created by a call to setKeyEntry, + * or created by a call to setEntry with a + * PrivateKeyEntry, + * then the first element of the certificate chain in that entry + * (if a chain exists) is returned. + * + * @param alias the alias name + * + * @return the certificate, or null if the given alias does not exist or + * does not contain a certificate. + */ + public synchronized Certificate engineGetCertificate(String alias) { + token.ensureValid(); + + AliasInfo aliasInfo = aliasMap.get(alias); + if (aliasInfo == null) { + return null; + } + return aliasInfo.cert; + } + + /** + * Returns the creation date of the entry identified by the given alias. + * + * @param alias the alias name + * + * @return the creation date of this entry, or null if the given alias does + * not exist + */ + public Date engineGetCreationDate(String alias) { + token.ensureValid(); + throw new ProviderException(new UnsupportedOperationException()); + } + + /** + * Assigns the given key to the given alias, protecting it with the given + * password. + * + *

If the given key is of type java.security.PrivateKey, + * it must be accompanied by a certificate chain certifying the + * corresponding public key. + * + *

If the given alias already exists, the keystore information + * associated with it is overridden by the given key (and possibly + * certificate chain). + * + * @param alias the alias name + * @param key the key to be associated with the alias + * @param password the password to protect the key + * @param chain the certificate chain for the corresponding public + * key (only required if the given key is of type + * java.security.PrivateKey). + * + * @exception KeyStoreException if the given key cannot be protected, or + * this operation fails for some other reason + */ + public synchronized void engineSetKeyEntry(String alias, Key key, + char[] password, + Certificate[] chain) + throws KeyStoreException { + + token.ensureValid(); + checkWrite(); + + if (!(key instanceof PrivateKey) && !(key instanceof SecretKey)) { + throw new KeyStoreException("key must be PrivateKey or SecretKey"); + } else if (key instanceof PrivateKey && chain == null) { + throw new KeyStoreException + ("PrivateKey must be accompanied by non-null chain"); + } else if (key instanceof SecretKey && chain != null) { + throw new KeyStoreException + ("SecretKey must be accompanied by null chain"); + } else if (password != null && + !token.config.getKeyStoreCompatibilityMode()) { + throw new KeyStoreException("Password must be null"); + } + + KeyStore.Entry entry = null; + try { + if (key instanceof PrivateKey) { + entry = new KeyStore.PrivateKeyEntry((PrivateKey)key, chain); + } else if (key instanceof SecretKey) { + entry = new KeyStore.SecretKeyEntry((SecretKey)key); + } + } catch (NullPointerException | IllegalArgumentException e) { + throw new KeyStoreException(e); + } + engineSetEntry(alias, entry, new KeyStore.PasswordProtection(password)); + } + + /** + * Assigns the given key (that has already been protected) to the given + * alias. + * + *

If the protected key is of type + * java.security.PrivateKey, + * it must be accompanied by a certificate chain certifying the + * corresponding public key. + * + *

If the given alias already exists, the keystore information + * associated with it is overridden by the given key (and possibly + * certificate chain). + * + * @param alias the alias name + * @param key the key (in protected format) to be associated with the alias + * @param chain the certificate chain for the corresponding public + * key (only useful if the protected key is of type + * java.security.PrivateKey). + * + * @exception KeyStoreException if this operation fails. + */ + public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) + throws KeyStoreException { + token.ensureValid(); + throw new ProviderException(new UnsupportedOperationException()); + } + + /** + * Assigns the given certificate to the given alias. + * + *

If the given alias identifies an existing entry + * created by a call to setCertificateEntry, + * or created by a call to setEntry with a + * TrustedCertificateEntry, + * the trusted certificate in the existing entry + * is overridden by the given certificate. + * + * @param alias the alias name + * @param cert the certificate + * + * @exception KeyStoreException if the given alias already exists and does + * not identify an entry containing a trusted certificate, + * or this operation fails for some other reason. + */ + public synchronized void engineSetCertificateEntry + (String alias, Certificate cert) throws KeyStoreException { + + token.ensureValid(); + checkWrite(); + + if (cert == null) { + throw new KeyStoreException("invalid null certificate"); + } + + KeyStore.Entry entry = null; + entry = new KeyStore.TrustedCertificateEntry(cert); + engineSetEntry(alias, entry, null); + } + + /** + * Deletes the entry identified by the given alias from this keystore. + * + * @param alias the alias name + * + * @exception KeyStoreException if the entry cannot be removed. + */ + public synchronized void engineDeleteEntry(String alias) + throws KeyStoreException { + token.ensureValid(); + + if (token.isWriteProtected()) { + throw new KeyStoreException("token write-protected"); + } + checkWrite(); + deleteEntry(alias); + } + + /** + * XXX - not sure whether to keep this + */ + private boolean deleteEntry(String alias) throws KeyStoreException { + AliasInfo aliasInfo = aliasMap.get(alias); + if (aliasInfo != null) { + + aliasMap.remove(alias); + + try { + if (aliasInfo.type == ATTR_CLASS_CERT) { + // trusted certificate entry + return destroyCert(aliasInfo.id); + } else if (aliasInfo.type == ATTR_CLASS_PKEY) { + // private key entry + return destroyPkey(aliasInfo.id) && + destroyChain(aliasInfo.id); + } else if (aliasInfo.type == ATTR_CLASS_SKEY) { + // secret key entry + return destroySkey(alias); + } else { + throw new KeyStoreException("unexpected entry type"); + } + } catch (PKCS11Exception | CertificateException e) { + throw new KeyStoreException(e); + } + } + return false; + } + + /** + * Lists all the alias names of this keystore. + * + * @return enumeration of the alias names + */ + public synchronized Enumeration engineAliases() { + token.ensureValid(); + + // don't want returned enumeration to iterate off actual keySet - + // otherwise applications that iterate and modify the keystore + // may run into concurrent modification problems + return Collections.enumeration(new HashSet(aliasMap.keySet())); + } + + /** + * Checks if the given alias exists in this keystore. + * + * @param alias the alias name + * + * @return true if the alias exists, false otherwise + */ + public synchronized boolean engineContainsAlias(String alias) { + token.ensureValid(); + return aliasMap.containsKey(alias); + } + + /** + * Retrieves the number of entries in this keystore. + * + * @return the number of entries in this keystore + */ + public synchronized int engineSize() { + token.ensureValid(); + return aliasMap.size(); + } + + /** + * Returns true if the entry identified by the given alias + * was created by a call to setKeyEntry, + * or created by a call to setEntry with a + * PrivateKeyEntry or a SecretKeyEntry. + * + * @param alias the alias for the keystore entry to be checked + * + * @return true if the entry identified by the given alias is a + * key-related, false otherwise. + */ + public synchronized boolean engineIsKeyEntry(String alias) { + token.ensureValid(); + + AliasInfo aliasInfo = aliasMap.get(alias); + if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) { + return false; + } + return true; + } + + /** + * Returns true if the entry identified by the given alias + * was created by a call to setCertificateEntry, + * or created by a call to setEntry with a + * TrustedCertificateEntry. + * + * @param alias the alias for the keystore entry to be checked + * + * @return true if the entry identified by the given alias contains a + * trusted certificate, false otherwise. + */ + public synchronized boolean engineIsCertificateEntry(String alias) { + token.ensureValid(); + + AliasInfo aliasInfo = aliasMap.get(alias); + if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_CERT) { + return false; + } + return true; + } + + /** + * Returns the (alias) name of the first keystore entry whose certificate + * matches the given certificate. + * + *

This method attempts to match the given certificate with each + * keystore entry. If the entry being considered was + * created by a call to setCertificateEntry, + * or created by a call to setEntry with a + * TrustedCertificateEntry, + * then the given certificate is compared to that entry's certificate. + * + *

If the entry being considered was + * created by a call to setKeyEntry, + * or created by a call to setEntry with a + * PrivateKeyEntry, + * then the given certificate is compared to the first + * element of that entry's certificate chain. + * + * @param cert the certificate to match with. + * + * @return the alias name of the first entry with matching certificate, + * or null if no such entry exists in this keystore. + */ + public synchronized String engineGetCertificateAlias(Certificate cert) { + token.ensureValid(); + Enumeration e = engineAliases(); + while (e.hasMoreElements()) { + String alias = e.nextElement(); + Certificate tokenCert = engineGetCertificate(alias); + if (tokenCert != null && tokenCert.equals(cert)) { + return alias; + } + } + return null; + } + + /** + * engineStore currently is a No-op. + * Entries are stored to the token during engineSetEntry + * + * @param stream this must be null + * @param password this must be null + */ + public synchronized void engineStore(OutputStream stream, char[] password) + throws IOException, NoSuchAlgorithmException, CertificateException { + token.ensureValid(); + if (stream != null && !token.config.getKeyStoreCompatibilityMode()) { + throw new IOException("output stream must be null"); + } + + if (password != null && !token.config.getKeyStoreCompatibilityMode()) { + throw new IOException("password must be null"); + } + } + + /** + * engineStore currently is a No-op. + * Entries are stored to the token during engineSetEntry + * + * @param param this must be null + * + * @exception IllegalArgumentException if the given + * KeyStore.LoadStoreParameter + * input is not null + */ + public synchronized void engineStore(KeyStore.LoadStoreParameter param) + throws IOException, NoSuchAlgorithmException, CertificateException { + token.ensureValid(); + if (param != null) { + throw new IllegalArgumentException + ("LoadStoreParameter must be null"); + } + } + + /** + * Loads the keystore. + * + * @param stream the input stream, which must be null + * @param password the password used to unlock the keystore, + * or null if the token supports a + * CKF_PROTECTED_AUTHENTICATION_PATH + * + * @exception IOException if the given stream is not + * null, if the token supports a + * CKF_PROTECTED_AUTHENTICATION_PATH and a non-null + * password is given, of if the token login operation failed + */ + public synchronized void engineLoad(InputStream stream, char[] password) + throws IOException, NoSuchAlgorithmException, CertificateException { + + token.ensureValid(); + + if (NSS_TEST) { + ATTR_SKEY_TOKEN_TRUE = new CK_ATTRIBUTE(CKA_TOKEN, false); + } + + if (stream != null && !token.config.getKeyStoreCompatibilityMode()) { + throw new IOException("input stream must be null"); + } + + if (useSecmodTrust) { + nssTrustType = Secmod.TrustType.ALL; + } + + try { + if (password == null) { + login(null); + } else { + login(new PasswordCallbackHandler(password)); + } + } catch(LoginException e) { + Throwable cause = e.getCause(); + if (cause instanceof PKCS11Exception) { + PKCS11Exception pe = (PKCS11Exception) cause; + if (pe.getErrorCode() == CKR_PIN_INCORRECT) { + // if password is wrong, the cause of the IOException + // should be an UnrecoverableKeyException + throw new IOException("load failed", + new UnrecoverableKeyException().initCause(e)); + } + } + throw new IOException("load failed", e); + } + + try { + if (mapLabels() == true) { + // CKA_LABELs are shared by multiple certs + writeDisabled = true; + } + if (debug != null) { + dumpTokenMap(); + } + } catch (KeyStoreException | PKCS11Exception e) { + throw new IOException("load failed", e); + } + } + + /** + * Loads the keystore using the given + * KeyStore.LoadStoreParameter. + * + *

The LoadStoreParameter.getProtectionParameter() + * method is expected to return a KeyStore.PasswordProtection + * object. The password is retrieved from that object and used + * to unlock the PKCS#11 token. + * + *

If the token supports a CKF_PROTECTED_AUTHENTICATION_PATH + * then the provided password must be null. + * + * @param param the KeyStore.LoadStoreParameter + * + * @exception IllegalArgumentException if the given + * KeyStore.LoadStoreParameter is null, + * or if that parameter returns a null + * ProtectionParameter object. + * input is not recognized + * @exception IOException if the token supports a + * CKF_PROTECTED_AUTHENTICATION_PATH and the provided password + * is non-null, or if the token login operation fails + */ + public synchronized void engineLoad(KeyStore.LoadStoreParameter param) + throws IOException, NoSuchAlgorithmException, + CertificateException { + + token.ensureValid(); + + if (NSS_TEST) { + ATTR_SKEY_TOKEN_TRUE = new CK_ATTRIBUTE(CKA_TOKEN, false); + } + + // if caller wants to pass a NULL password, + // force it to pass a non-NULL PasswordProtection that returns + // a NULL password + + if (param == null) { + throw new IllegalArgumentException + ("invalid null LoadStoreParameter"); + } + if (useSecmodTrust) { + if (param instanceof Secmod.KeyStoreLoadParameter) { + nssTrustType = ((Secmod.KeyStoreLoadParameter)param).getTrustType(); + } else { + nssTrustType = Secmod.TrustType.ALL; + } + } + + CallbackHandler handler; + KeyStore.ProtectionParameter pp = param.getProtectionParameter(); + if (pp instanceof PasswordProtection) { + char[] password = ((PasswordProtection)pp).getPassword(); + if (password == null) { + handler = null; + } else { + handler = new PasswordCallbackHandler(password); + } + } else if (pp instanceof CallbackHandlerProtection) { + handler = ((CallbackHandlerProtection)pp).getCallbackHandler(); + } else { + throw new IllegalArgumentException + ("ProtectionParameter must be either " + + "PasswordProtection or CallbackHandlerProtection"); + } + + try { + login(handler); + if (mapLabels() == true) { + // CKA_LABELs are shared by multiple certs + writeDisabled = true; + } + if (debug != null) { + dumpTokenMap(); + } + } catch (LoginException | KeyStoreException | PKCS11Exception e) { + throw new IOException("load failed", e); + } + } + + private void login(CallbackHandler handler) throws LoginException { + if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) { + token.provider.login(null, handler); + } else { + // token supports protected authentication path + // (external pin-pad, for example) + if (handler != null && + !token.config.getKeyStoreCompatibilityMode()) { + throw new LoginException("can not specify password if token " + + "supports protected authentication path"); + } + + // must rely on application-set or default handler + // if one is necessary + token.provider.login(null, null); + } + } + + /** + * Get a KeyStore.Entry for the specified alias + * + * @param alias get the KeyStore.Entry for this alias + * @param protParam this must be null + * + * @return the KeyStore.Entry for the specified alias, + * or null if there is no such entry + * + * @exception KeyStoreException if the operation failed + * @exception NoSuchAlgorithmException if the algorithm for recovering the + * entry cannot be found + * @exception UnrecoverableEntryException if the specified + * protParam were insufficient or invalid + * + * @since 1.5 + */ + public synchronized KeyStore.Entry engineGetEntry(String alias, + KeyStore.ProtectionParameter protParam) + throws KeyStoreException, NoSuchAlgorithmException, + UnrecoverableEntryException { + + token.ensureValid(); + + if (protParam != null && + protParam instanceof KeyStore.PasswordProtection && + ((KeyStore.PasswordProtection)protParam).getPassword() != null && + !token.config.getKeyStoreCompatibilityMode()) { + throw new KeyStoreException("ProtectionParameter must be null"); + } + + AliasInfo aliasInfo = aliasMap.get(alias); + if (aliasInfo == null) { + if (debug != null) { + debug.println("engineGetEntry did not find alias [" + + alias + + "] in map"); + } + return null; + } + + Session session = null; + try { + session = token.getOpSession(); + + if (aliasInfo.type == ATTR_CLASS_CERT) { + // trusted certificate entry + if (debug != null) { + debug.println("engineGetEntry found trusted cert entry"); + } + return new KeyStore.TrustedCertificateEntry(aliasInfo.cert); + } else if (aliasInfo.type == ATTR_CLASS_SKEY) { + // secret key entry + if (debug != null) { + debug.println("engineGetEntry found secret key entry"); + } + + THandle h = getTokenObject + (session, ATTR_CLASS_SKEY, null, aliasInfo.label); + if (h.type != ATTR_CLASS_SKEY) { + throw new KeyStoreException + ("expected but could not find secret key"); + } else { + SecretKey skey = loadSkey(session, h.handle); + return new KeyStore.SecretKeyEntry(skey); + } + } else { + // private key entry + if (debug != null) { + debug.println("engineGetEntry found private key entry"); + } + + THandle h = getTokenObject + (session, ATTR_CLASS_PKEY, aliasInfo.id, null); + if (h.type != ATTR_CLASS_PKEY) { + throw new KeyStoreException + ("expected but could not find private key"); + } else { + PrivateKey pkey = loadPkey(session, h.handle); + Certificate[] chain = aliasInfo.chain; + if ((pkey != null) && (chain != null)) { + return new KeyStore.PrivateKeyEntry(pkey, chain); + } else { + if (debug != null) { + debug.println + ("engineGetEntry got null cert chain or private key"); + } + } + } + } + return null; + } catch (PKCS11Exception pe) { + throw new KeyStoreException(pe); + } finally { + token.releaseSession(session); + } + } + + /** + * Save a KeyStore.Entry under the specified alias. + * + *

If an entry already exists for the specified alias, + * it is overridden. + * + *

This KeyStore implementation only supports the standard + * entry types, and only supports X509Certificates in + * TrustedCertificateEntries. Also, this implementation does not support + * protecting entries using a different password + * from the one used for token login. + * + *

Entries are immediately stored on the token. + * + * @param alias save the KeyStore.Entry under this alias + * @param entry the Entry to save + * @param protParam this must be null + * + * @exception KeyStoreException if this operation fails + * + * @since 1.5 + */ + public synchronized void engineSetEntry(String alias, KeyStore.Entry entry, + KeyStore.ProtectionParameter protParam) + throws KeyStoreException { + + token.ensureValid(); + checkWrite(); + + if (protParam != null && + protParam instanceof KeyStore.PasswordProtection && + ((KeyStore.PasswordProtection)protParam).getPassword() != null && + !token.config.getKeyStoreCompatibilityMode()) { + throw new KeyStoreException(new UnsupportedOperationException + ("ProtectionParameter must be null")); + } + + if (token.isWriteProtected()) { + throw new KeyStoreException("token write-protected"); + } + + if (entry instanceof KeyStore.TrustedCertificateEntry) { + + if (useSecmodTrust == false) { + // PKCS #11 does not allow app to modify trusted certs - + throw new KeyStoreException(new UnsupportedOperationException + ("trusted certificates may only be set by " + + "token initialization application")); + } + Module module = token.provider.nssModule; + if ((module.type != ModuleType.KEYSTORE) && (module.type != ModuleType.FIPS)) { + // XXX allow TRUSTANCHOR module + throw new KeyStoreException("Trusted certificates can only be " + + "added to the NSS KeyStore module"); + } + Certificate cert = ((TrustedCertificateEntry)entry).getTrustedCertificate(); + if (cert instanceof X509Certificate == false) { + throw new KeyStoreException("Certificate must be an X509Certificate"); + } + X509Certificate xcert = (X509Certificate)cert; + AliasInfo info = aliasMap.get(alias); + if (info != null) { + // XXX try to update + deleteEntry(alias); + } + try { + storeCert(alias, xcert); + module.setTrust(token, xcert); + mapLabels(); + } catch (PKCS11Exception | CertificateException e) { + throw new KeyStoreException(e); + } + + } else { + + if (entry instanceof KeyStore.PrivateKeyEntry) { + + PrivateKey key = + ((KeyStore.PrivateKeyEntry)entry).getPrivateKey(); + if (!(key instanceof P11Key) && + !(key instanceof RSAPrivateKey) && + !(key instanceof DSAPrivateKey) && + !(key instanceof DHPrivateKey) && + !(key instanceof ECPrivateKey)) { + throw new KeyStoreException("unsupported key type: " + + key.getClass().getName()); + } + + // only support X509Certificate chains + Certificate[] chain = + ((KeyStore.PrivateKeyEntry)entry).getCertificateChain(); + if (!(chain instanceof X509Certificate[])) { + throw new KeyStoreException + (new UnsupportedOperationException + ("unsupported certificate array type: " + + chain.getClass().getName())); + } + + try { + boolean updatedAlias = false; + Set aliases = aliasMap.keySet(); + for (String oldAlias : aliases) { + + // see if there's an existing entry with the same info + + AliasInfo aliasInfo = aliasMap.get(oldAlias); + if (aliasInfo.type == ATTR_CLASS_PKEY && + aliasInfo.cert.getPublicKey().equals + (chain[0].getPublicKey())) { + + // found existing entry - + // caller is renaming entry or updating cert chain + // + // set new CKA_LABEL/CKA_ID + // and update certs if necessary + + updatePkey(alias, + aliasInfo.id, + (X509Certificate[])chain, + !aliasInfo.cert.equals(chain[0])); + updatedAlias = true; + break; + } + } + + if (!updatedAlias) { + // caller adding new entry + engineDeleteEntry(alias); + storePkey(alias, (KeyStore.PrivateKeyEntry)entry); + } + + } catch (PKCS11Exception | CertificateException pe) { + throw new KeyStoreException(pe); + } + + } else if (entry instanceof KeyStore.SecretKeyEntry) { + + KeyStore.SecretKeyEntry ske = (KeyStore.SecretKeyEntry)entry; + SecretKey skey = ske.getSecretKey(); + + try { + // first check if the key already exists + AliasInfo aliasInfo = aliasMap.get(alias); + + if (aliasInfo != null) { + engineDeleteEntry(alias); + } + storeSkey(alias, ske); + + } catch (PKCS11Exception pe) { + throw new KeyStoreException(pe); + } + + } else { + throw new KeyStoreException(new UnsupportedOperationException + ("unsupported entry type: " + entry.getClass().getName())); + } + + try { + + // XXX NSS does not write out the CKA_ID we pass to them + // + // therefore we must re-map labels + // (can not simply update aliasMap) + + mapLabels(); + if (debug != null) { + dumpTokenMap(); + } + } catch (PKCS11Exception | CertificateException pe) { + throw new KeyStoreException(pe); + } + } + + if (debug != null) { + debug.println + ("engineSetEntry added new entry for [" + + alias + + "] to token"); + } + } + + /** + * Determines if the keystore Entry for the specified + * alias is an instance or subclass of the specified + * entryClass. + * + * @param alias the alias name + * @param entryClass the entry class + * + * @return true if the keystore Entry for the specified + * alias is an instance or subclass of the + * specified entryClass, false otherwise + */ + public synchronized boolean engineEntryInstanceOf + (String alias, Class entryClass) { + token.ensureValid(); + return super.engineEntryInstanceOf(alias, entryClass); + } + + private X509Certificate loadCert(Session session, long oHandle) + throws PKCS11Exception, CertificateException { + + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] + { new CK_ATTRIBUTE(CKA_VALUE) }; + token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); + + byte[] bytes = attrs[0].getByteArray(); + if (bytes == null) { + throw new CertificateException + ("unexpectedly retrieved null byte array"); + } + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + return (X509Certificate)cf.generateCertificate + (new ByteArrayInputStream(bytes)); + } + + private X509Certificate[] loadChain(Session session, + X509Certificate endCert) + throws PKCS11Exception, CertificateException { + + ArrayList lChain = null; + + if (endCert.getSubjectX500Principal().equals + (endCert.getIssuerX500Principal())) { + // self signed + return new X509Certificate[] { endCert }; + } else { + lChain = new ArrayList(); + lChain.add(endCert); + } + + // try loading remaining certs in chain by following + // issuer->subject links + + X509Certificate next = endCert; + while (true) { + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_CERT, + new CK_ATTRIBUTE(CKA_SUBJECT, + next.getIssuerX500Principal().getEncoded()) }; + long[] ch = findObjects(session, attrs); + + if (ch == null || ch.length == 0) { + // done + break; + } else { + // if more than one found, use first + if (debug != null && ch.length > 1) { + debug.println("engineGetEntry found " + + ch.length + + " certificate entries for subject [" + + next.getIssuerX500Principal().toString() + + "] in token - using first entry"); + } + + next = loadCert(session, ch[0]); + lChain.add(next); + if (next.getSubjectX500Principal().equals + (next.getIssuerX500Principal())) { + // self signed + break; + } + } + } + + return lChain.toArray(new X509Certificate[lChain.size()]); + } + + private SecretKey loadSkey(Session session, long oHandle) + throws PKCS11Exception { + + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_KEY_TYPE) }; + token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); + long kType = attrs[0].getLong(); + + String keyType = null; + int keyLength = -1; + + // XXX NSS mangles the stored key type for secret key token objects + + if (kType == CKK_DES || kType == CKK_DES3) { + if (kType == CKK_DES) { + keyType = "DES"; + keyLength = 64; + } else if (kType == CKK_DES3) { + keyType = "DESede"; + keyLength = 192; + } + } else { + if (kType == CKK_AES) { + keyType = "AES"; + } else if (kType == CKK_BLOWFISH) { + keyType = "Blowfish"; + } else if (kType == CKK_RC4) { + keyType = "ARCFOUR"; + } else { + if (debug != null) { + debug.println("unknown key type [" + + kType + + "] - using 'Generic Secret'"); + } + keyType = "Generic Secret"; + } + + // XXX NSS problem CKR_ATTRIBUTE_TYPE_INVALID? + if (NSS_TEST) { + keyLength = 128; + } else { + attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_VALUE_LEN) }; + token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); + keyLength = (int)attrs[0].getLong(); + } + } + + return P11Key.secretKey(session, oHandle, keyType, keyLength, null); + } + + private PrivateKey loadPkey(Session session, long oHandle) + throws PKCS11Exception, KeyStoreException { + + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_KEY_TYPE) }; + token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); + long kType = attrs[0].getLong(); + String keyType = null; + int keyLength = 0; + + if (kType == CKK_RSA) { + + keyType = "RSA"; + + attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_MODULUS) }; + token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); + BigInteger modulus = attrs[0].getBigInteger(); + keyLength = modulus.bitLength(); + + // This check will combine our "don't care" values here + // with the system-wide min/max values. + try { + RSAKeyFactory.checkKeyLengths(keyLength, null, + -1, Integer.MAX_VALUE); + } catch (InvalidKeyException e) { + throw new KeyStoreException(e.getMessage()); + } + + return P11Key.privateKey(session, + oHandle, + keyType, + keyLength, + null); + + } else if (kType == CKK_DSA) { + + keyType = "DSA"; + + attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_PRIME) }; + token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); + BigInteger prime = attrs[0].getBigInteger(); + keyLength = prime.bitLength(); + + return P11Key.privateKey(session, + oHandle, + keyType, + keyLength, + null); + + } else if (kType == CKK_DH) { + + keyType = "DH"; + + attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_PRIME) }; + token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); + BigInteger prime = attrs[0].getBigInteger(); + keyLength = prime.bitLength(); + + return P11Key.privateKey(session, + oHandle, + keyType, + keyLength, + null); + + } else if (kType == CKK_EC) { + + attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_EC_PARAMS), + }; + token.p11.C_GetAttributeValue(session.id(), oHandle, attrs); + byte[] encodedParams = attrs[0].getByteArray(); + try { + ECParameterSpec params = + ECUtil.getECParameterSpec(null, encodedParams); + keyLength = params.getCurve().getField().getFieldSize(); + } catch (IOException e) { + // we do not want to accept key with unsupported parameters + throw new KeyStoreException("Unsupported parameters", e); + } + + return P11Key.privateKey(session, oHandle, "EC", keyLength, null); + + } else { + if (debug != null) { + debug.println("unknown key type [" + kType + "]"); + } + throw new KeyStoreException("unknown key type"); + } + } + + + /** + * XXX On ibutton, when you C_SetAttribute(CKA_ID) for a private key + * it not only changes the CKA_ID of the private key, + * it changes the CKA_ID of the corresponding cert too. + * And vice versa. + * + * XXX On ibutton, CKR_DEVICE_ERROR if you C_SetAttribute(CKA_ID) + * for a private key, and then try to delete the corresponding cert. + * So this code reverses the order. + * After the cert is first destroyed (if necessary), + * then the CKA_ID of the private key can be changed successfully. + * + * @param replaceCert if true, then caller is updating alias info for + * existing cert (only update CKA_ID/CKA_LABEL). + * if false, then caller is updating cert chain + * (delete old end cert and add new chain). + */ + private void updatePkey(String alias, + byte[] cka_id, + X509Certificate[] chain, + boolean replaceCert) throws + KeyStoreException, CertificateException, PKCS11Exception { + + // XXX + // + // always set replaceCert to true + // + // NSS does not allow resetting of CKA_LABEL on an existing cert + // (C_SetAttribute call succeeds, but is ignored) + + replaceCert = true; + + Session session = null; + try { + session = token.getOpSession(); + + // first get private key object handle and hang onto it + + THandle h = getTokenObject(session, ATTR_CLASS_PKEY, cka_id, null); + long pKeyHandle; + if (h.type == ATTR_CLASS_PKEY) { + pKeyHandle = h.handle; + } else { + throw new KeyStoreException + ("expected but could not find private key " + + "with CKA_ID " + + getID(cka_id)); + } + + // next find existing end entity cert + + h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null); + if (h.type != ATTR_CLASS_CERT) { + throw new KeyStoreException + ("expected but could not find certificate " + + "with CKA_ID " + + getID(cka_id)); + } else { + if (replaceCert) { + // replacing existing cert and chain + destroyChain(cka_id); + } else { + // renaming alias for existing cert + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_LABEL, alias), + new CK_ATTRIBUTE(CKA_ID, alias) }; + token.p11.C_SetAttributeValue + (session.id(), h.handle, attrs); + } + } + + // add new chain + + if (replaceCert) { + // add all certs in chain + storeChain(alias, chain); + } else { + // already updated alias info for existing end cert - + // just update CA certs + storeCaCerts(chain, 1); + } + + // finally update CKA_ID for private key + // + // ibutton may have already done this (that is ok) + + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_ID, alias) }; + token.p11.C_SetAttributeValue(session.id(), pKeyHandle, attrs); + + if (debug != null) { + debug.println("updatePkey set new alias [" + + alias + + "] for private key entry"); + } + } finally { + token.releaseSession(session); + } + } + + private void updateP11Pkey(String alias, CK_ATTRIBUTE attribute, P11Key key) + throws PKCS11Exception { + + // if token key, update alias. + // if session key, convert to token key. + + Session session = null; + try { + session = token.getOpSession(); + if (key.tokenObject == true) { + + // token key - set new CKA_ID + + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_ID, alias) }; + token.p11.C_SetAttributeValue + (session.id(), key.keyID, attrs); + if (debug != null) { + debug.println("updateP11Pkey set new alias [" + + alias + + "] for key entry"); + } + } else { + + // session key - convert to token key and set CKA_ID + + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + new CK_ATTRIBUTE(CKA_ID, alias), + }; + if (attribute != null) { + attrs = addAttribute(attrs, attribute); + } + token.p11.C_CopyObject(session.id(), key.keyID, attrs); + if (debug != null) { + debug.println("updateP11Pkey copied private session key " + + "for [" + + alias + + "] to token entry"); + } + } + } finally { + token.releaseSession(session); + } + } + + private void storeCert(String alias, X509Certificate cert) + throws PKCS11Exception, CertificateException { + + ArrayList attrList = new ArrayList(); + attrList.add(ATTR_TOKEN_TRUE); + attrList.add(ATTR_CLASS_CERT); + attrList.add(ATTR_X509_CERT_TYPE); + attrList.add(new CK_ATTRIBUTE(CKA_SUBJECT, + cert.getSubjectX500Principal().getEncoded())); + attrList.add(new CK_ATTRIBUTE(CKA_ISSUER, + cert.getIssuerX500Principal().getEncoded())); + attrList.add(new CK_ATTRIBUTE(CKA_SERIAL_NUMBER, + cert.getSerialNumber().toByteArray())); + attrList.add(new CK_ATTRIBUTE(CKA_VALUE, cert.getEncoded())); + + if (alias != null) { + attrList.add(new CK_ATTRIBUTE(CKA_LABEL, alias)); + attrList.add(new CK_ATTRIBUTE(CKA_ID, alias)); + } else { + // ibutton requires something to be set + // - alias must be unique + attrList.add(new CK_ATTRIBUTE(CKA_ID, + getID(cert.getSubjectX500Principal().getName + (X500Principal.CANONICAL), cert))); + } + + Session session = null; + try { + session = token.getOpSession(); + token.p11.C_CreateObject(session.id(), + attrList.toArray(new CK_ATTRIBUTE[attrList.size()])); + } finally { + token.releaseSession(session); + } + } + + private void storeChain(String alias, X509Certificate[] chain) + throws PKCS11Exception, CertificateException { + + // add new chain + // + // end cert has CKA_LABEL and CKA_ID set to alias. + // other certs in chain have neither set. + + storeCert(alias, chain[0]); + storeCaCerts(chain, 1); + } + + private void storeCaCerts(X509Certificate[] chain, int start) + throws PKCS11Exception, CertificateException { + + // do not add duplicate CA cert if already in token + // + // XXX ibutton stores duplicate CA certs, NSS does not + + Session session = null; + HashSet cacerts = new HashSet(); + try { + session = token.getOpSession(); + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_CERT }; + long[] handles = findObjects(session, attrs); + + // load certs currently on the token + for (long handle : handles) { + cacerts.add(loadCert(session, handle)); + } + } finally { + token.releaseSession(session); + } + + for (int i = start; i < chain.length; i++) { + if (!cacerts.contains(chain[i])) { + storeCert(null, chain[i]); + } else if (debug != null) { + debug.println("ignoring duplicate CA cert for [" + + chain[i].getSubjectX500Principal() + + "]"); + } + } + } + + private void storeSkey(String alias, KeyStore.SecretKeyEntry ske) + throws PKCS11Exception, KeyStoreException { + + SecretKey skey = ske.getSecretKey(); + // No need to specify CKA_CLASS, CKA_KEY_TYPE, CKA_VALUE since + // they are handled in P11SecretKeyFactory.createKey() method. + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + ATTR_SKEY_TOKEN_TRUE, + ATTR_PRIVATE_TRUE, + new CK_ATTRIBUTE(CKA_LABEL, alias), + }; + try { + P11SecretKeyFactory.convertKey(token, skey, null, attrs); + } catch (InvalidKeyException ike) { + // re-throw KeyStoreException to match javadoc + throw new KeyStoreException("Cannot convert to PKCS11 keys", ike); + } + + // update global alias map + aliasMap.put(alias, new AliasInfo(alias)); + + if (debug != null) { + debug.println("storeSkey created token secret key for [" + + alias + "]"); + } + } + + private static CK_ATTRIBUTE[] addAttribute(CK_ATTRIBUTE[] attrs, CK_ATTRIBUTE attr) { + int n = attrs.length; + CK_ATTRIBUTE[] newAttrs = new CK_ATTRIBUTE[n + 1]; + System.arraycopy(attrs, 0, newAttrs, 0, n); + newAttrs[n] = attr; + return newAttrs; + } + + private void storePkey(String alias, KeyStore.PrivateKeyEntry pke) + throws PKCS11Exception, CertificateException, KeyStoreException { + + PrivateKey key = pke.getPrivateKey(); + CK_ATTRIBUTE[] attrs = null; + + // If the key is a token object on this token, update it instead + // of creating a duplicate key object. + // Otherwise, treat a P11Key like any other key, if it is extractable. + if (key instanceof P11Key) { + P11Key p11Key = (P11Key)key; + if (p11Key.tokenObject && (p11Key.token == this.token)) { + updateP11Pkey(alias, null, p11Key); + storeChain(alias, (X509Certificate[])pke.getCertificateChain()); + return; + } + } + + boolean useNDB = token.config.getNssNetscapeDbWorkaround(); + PublicKey publicKey = pke.getCertificate().getPublicKey(); + + if (key instanceof RSAPrivateKey) { + + X509Certificate cert = (X509Certificate)pke.getCertificate(); + attrs = getRsaPrivKeyAttrs + (alias, (RSAPrivateKey)key, cert.getSubjectX500Principal()); + + } else if (key instanceof DSAPrivateKey) { + + DSAPrivateKey dsaKey = (DSAPrivateKey)key; + + CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB); + if (idAttrs[0] == null) { + idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias); + } + + attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_PKEY, + ATTR_PRIVATE_TRUE, + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DSA), + idAttrs[0], + new CK_ATTRIBUTE(CKA_PRIME, dsaKey.getParams().getP()), + new CK_ATTRIBUTE(CKA_SUBPRIME, dsaKey.getParams().getQ()), + new CK_ATTRIBUTE(CKA_BASE, dsaKey.getParams().getG()), + new CK_ATTRIBUTE(CKA_VALUE, dsaKey.getX()), + }; + if (idAttrs[1] != null) { + attrs = addAttribute(attrs, idAttrs[1]); + } + + attrs = token.getAttributes + (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DSA, attrs); + + if (debug != null) { + debug.println("storePkey created DSA template"); + } + + } else if (key instanceof DHPrivateKey) { + + DHPrivateKey dhKey = (DHPrivateKey)key; + + CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB); + if (idAttrs[0] == null) { + idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias); + } + + attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_PKEY, + ATTR_PRIVATE_TRUE, + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DH), + idAttrs[0], + new CK_ATTRIBUTE(CKA_PRIME, dhKey.getParams().getP()), + new CK_ATTRIBUTE(CKA_BASE, dhKey.getParams().getG()), + new CK_ATTRIBUTE(CKA_VALUE, dhKey.getX()), + }; + if (idAttrs[1] != null) { + attrs = addAttribute(attrs, idAttrs[1]); + } + + attrs = token.getAttributes + (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DH, attrs); + + } else if (key instanceof ECPrivateKey) { + + ECPrivateKey ecKey = (ECPrivateKey)key; + + CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB); + if (idAttrs[0] == null) { + idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias); + } + + byte[] encodedParams = + ECUtil.encodeECParameterSpec(null, ecKey.getParams()); + attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_PKEY, + ATTR_PRIVATE_TRUE, + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), + idAttrs[0], + new CK_ATTRIBUTE(CKA_VALUE, ecKey.getS()), + new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams), + }; + if (idAttrs[1] != null) { + attrs = addAttribute(attrs, idAttrs[1]); + } + + attrs = token.getAttributes + (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_EC, attrs); + + if (debug != null) { + debug.println("storePkey created EC template"); + } + + } else if (key instanceof P11Key) { + // sensitive/non-extractable P11Key + P11Key p11Key = (P11Key)key; + if (p11Key.token != this.token) { + throw new KeyStoreException + ("Cannot move sensitive keys across tokens"); + } + CK_ATTRIBUTE netscapeDB = null; + if (useNDB) { + // Note that this currently fails due to an NSS bug. + // They do not allow the CKA_NETSCAPE_DB attribute to be + // specified during C_CopyObject() and fail with + // CKR_ATTRIBUTE_READ_ONLY. + // But if we did not specify it, they would fail with + // CKA_TEMPLATE_INCOMPLETE, so leave this code in here. + CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, true); + netscapeDB = idAttrs[1]; + } + // Update the key object. + updateP11Pkey(alias, netscapeDB, p11Key); + storeChain(alias, (X509Certificate[])pke.getCertificateChain()); + return; + + } else { + throw new KeyStoreException("unsupported key type: " + key); + } + + Session session = null; + try { + session = token.getOpSession(); + + // create private key entry + token.p11.C_CreateObject(session.id(), attrs); + if (debug != null) { + debug.println("storePkey created token key for [" + + alias + + "]"); + } + } finally { + token.releaseSession(session); + } + + storeChain(alias, (X509Certificate[])pke.getCertificateChain()); + } + + private CK_ATTRIBUTE[] getRsaPrivKeyAttrs(String alias, + RSAPrivateKey key, + X500Principal subject) throws PKCS11Exception { + + // subject is currently ignored - could be used to set CKA_SUBJECT + + CK_ATTRIBUTE[] attrs = null; + if (key instanceof RSAPrivateCrtKey) { + + if (debug != null) { + debug.println("creating RSAPrivateCrtKey attrs"); + } + + RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key; + + attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_PKEY, + ATTR_PRIVATE_TRUE, + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), + new CK_ATTRIBUTE(CKA_ID, alias), + new CK_ATTRIBUTE(CKA_MODULUS, + rsaKey.getModulus()), + new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT, + rsaKey.getPrivateExponent()), + new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, + rsaKey.getPublicExponent()), + new CK_ATTRIBUTE(CKA_PRIME_1, + rsaKey.getPrimeP()), + new CK_ATTRIBUTE(CKA_PRIME_2, + rsaKey.getPrimeQ()), + new CK_ATTRIBUTE(CKA_EXPONENT_1, + rsaKey.getPrimeExponentP()), + new CK_ATTRIBUTE(CKA_EXPONENT_2, + rsaKey.getPrimeExponentQ()), + new CK_ATTRIBUTE(CKA_COEFFICIENT, + rsaKey.getCrtCoefficient()) }; + attrs = token.getAttributes + (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs); + + } else { + + if (debug != null) { + debug.println("creating RSAPrivateKey attrs"); + } + + RSAPrivateKey rsaKey = key; + + attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_PKEY, + ATTR_PRIVATE_TRUE, + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), + new CK_ATTRIBUTE(CKA_ID, alias), + new CK_ATTRIBUTE(CKA_MODULUS, + rsaKey.getModulus()), + new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT, + rsaKey.getPrivateExponent()) }; + attrs = token.getAttributes + (TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs); + } + + return attrs; + } + + /** + * Compute the CKA_ID and/or CKA_NETSCAPE_DB attributes that should be + * used for this private key. It uses the same algorithm to calculate the + * values as NSS. The public and private keys MUST match for the result to + * be correct. + * + * It returns a 2 element array with CKA_ID at index 0 and CKA_NETSCAPE_DB + * at index 1. The boolean flags determine what is to be calculated. + * If false or if we could not calculate the value, that element is null. + * + * NOTE that we currently do not use the CKA_ID value calculated by this + * method. + */ + private CK_ATTRIBUTE[] getIdAttributes(PrivateKey privateKey, + PublicKey publicKey, boolean id, boolean netscapeDb) { + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[2]; + if ((id || netscapeDb) == false) { + return attrs; + } + String alg = privateKey.getAlgorithm(); + if (id && alg.equals("RSA") && (publicKey instanceof RSAPublicKey)) { + // CKA_NETSCAPE_DB not needed for RSA public keys + BigInteger n = ((RSAPublicKey)publicKey).getModulus(); + attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(n))); + } else if (alg.equals("DSA") && (publicKey instanceof DSAPublicKey)) { + BigInteger y = ((DSAPublicKey)publicKey).getY(); + if (id) { + attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(y))); + } + if (netscapeDb) { + attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, y); + } + } else if (alg.equals("DH") && (publicKey instanceof DHPublicKey)) { + BigInteger y = ((DHPublicKey)publicKey).getY(); + if (id) { + attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(y))); + } + if (netscapeDb) { + attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, y); + } + } else if (alg.equals("EC") && (publicKey instanceof ECPublicKey)) { + ECPublicKey ecPub = (ECPublicKey)publicKey; + ECPoint point = ecPub.getW(); + ECParameterSpec params = ecPub.getParams(); + byte[] encodedPoint = ECUtil.encodePoint(point, params.getCurve()); + if (id) { + attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(encodedPoint)); + } + if (netscapeDb) { + attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, encodedPoint); + } + } else { + throw new RuntimeException("Unknown key algorithm " + alg); + } + return attrs; + } + + /** + * return true if cert destroyed + */ + private boolean destroyCert(byte[] cka_id) + throws PKCS11Exception, KeyStoreException { + Session session = null; + try { + session = token.getOpSession(); + THandle h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null); + if (h.type != ATTR_CLASS_CERT) { + return false; + } + + token.p11.C_DestroyObject(session.id(), h.handle); + if (debug != null) { + debug.println("destroyCert destroyed cert with CKA_ID [" + + getID(cka_id) + + "]"); + } + return true; + } finally { + token.releaseSession(session); + } + } + + /** + * return true if chain destroyed + */ + private boolean destroyChain(byte[] cka_id) + throws PKCS11Exception, CertificateException, KeyStoreException { + + Session session = null; + try { + session = token.getOpSession(); + + THandle h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null); + if (h.type != ATTR_CLASS_CERT) { + if (debug != null) { + debug.println("destroyChain could not find " + + "end entity cert with CKA_ID [0x" + + Functions.toHexString(cka_id) + + "]"); + } + return false; + } + + X509Certificate endCert = loadCert(session, h.handle); + token.p11.C_DestroyObject(session.id(), h.handle); + if (debug != null) { + debug.println("destroyChain destroyed end entity cert " + + "with CKA_ID [" + + getID(cka_id) + + "]"); + } + + // build chain following issuer->subject links + + X509Certificate next = endCert; + while (true) { + + if (next.getSubjectX500Principal().equals + (next.getIssuerX500Principal())) { + // self signed - done + break; + } + + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_CERT, + new CK_ATTRIBUTE(CKA_SUBJECT, + next.getIssuerX500Principal().getEncoded()) }; + long[] ch = findObjects(session, attrs); + + if (ch == null || ch.length == 0) { + // done + break; + } else { + // if more than one found, use first + if (debug != null && ch.length > 1) { + debug.println("destroyChain found " + + ch.length + + " certificate entries for subject [" + + next.getIssuerX500Principal() + + "] in token - using first entry"); + } + + next = loadCert(session, ch[0]); + + // only delete if not part of any other chain + + attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_CERT, + new CK_ATTRIBUTE(CKA_ISSUER, + next.getSubjectX500Principal().getEncoded()) }; + long[] issuers = findObjects(session, attrs); + + boolean destroyIt = false; + if (issuers == null || issuers.length == 0) { + // no other certs with this issuer - + // destroy it + destroyIt = true; + } else if (issuers.length == 1) { + X509Certificate iCert = loadCert(session, issuers[0]); + if (next.equals(iCert)) { + // only cert with issuer is itself (self-signed) - + // destroy it + destroyIt = true; + } + } + + if (destroyIt) { + token.p11.C_DestroyObject(session.id(), ch[0]); + if (debug != null) { + debug.println + ("destroyChain destroyed cert in chain " + + "with subject [" + + next.getSubjectX500Principal() + "]"); + } + } else { + if (debug != null) { + debug.println("destroyChain did not destroy " + + "shared cert in chain with subject [" + + next.getSubjectX500Principal() + "]"); + } + } + } + } + + return true; + + } finally { + token.releaseSession(session); + } + } + + /** + * return true if secret key destroyed + */ + private boolean destroySkey(String alias) + throws PKCS11Exception, KeyStoreException { + Session session = null; + try { + session = token.getOpSession(); + + THandle h = getTokenObject(session, ATTR_CLASS_SKEY, null, alias); + if (h.type != ATTR_CLASS_SKEY) { + if (debug != null) { + debug.println("destroySkey did not find secret key " + + "with CKA_LABEL [" + + alias + + "]"); + } + return false; + } + token.p11.C_DestroyObject(session.id(), h.handle); + return true; + } finally { + token.releaseSession(session); + } + } + + /** + * return true if private key destroyed + */ + private boolean destroyPkey(byte[] cka_id) + throws PKCS11Exception, KeyStoreException { + Session session = null; + try { + session = token.getOpSession(); + + THandle h = getTokenObject(session, ATTR_CLASS_PKEY, cka_id, null); + if (h.type != ATTR_CLASS_PKEY) { + if (debug != null) { + debug.println + ("destroyPkey did not find private key with CKA_ID [" + + getID(cka_id) + + "]"); + } + return false; + } + token.p11.C_DestroyObject(session.id(), h.handle); + return true; + } finally { + token.releaseSession(session); + } + } + + /** + * build [alias + issuer + serialNumber] string from a cert + */ + private String getID(String alias, X509Certificate cert) { + X500Principal issuer = cert.getIssuerX500Principal(); + BigInteger serialNum = cert.getSerialNumber(); + + return alias + + ALIAS_SEP + + issuer.getName(X500Principal.CANONICAL) + + ALIAS_SEP + + serialNum.toString(); + } + + /** + * build CKA_ID string from bytes + */ + private static String getID(byte[] bytes) { + boolean printable = true; + for (int i = 0; i < bytes.length; i++) { + if (!DerValue.isPrintableStringChar((char)bytes[i])) { + printable = false; + break; + } + } + + if (!printable) { + return "0x" + Functions.toHexString(bytes); + } else { + try { + return new String(bytes, "UTF-8"); + } catch (UnsupportedEncodingException uee) { + return "0x" + Functions.toHexString(bytes); + } + } + } + + /** + * find an object on the token + * + * @param type either ATTR_CLASS_CERT, ATTR_CLASS_PKEY, or ATTR_CLASS_SKEY + * @param cka_id the CKA_ID if type is ATTR_CLASS_CERT or ATTR_CLASS_PKEY + * @param cka_label the CKA_LABEL if type is ATTR_CLASS_SKEY + */ + private THandle getTokenObject(Session session, + CK_ATTRIBUTE type, + byte[] cka_id, + String cka_label) + throws PKCS11Exception, KeyStoreException { + + CK_ATTRIBUTE[] attrs; + if (type == ATTR_CLASS_SKEY) { + attrs = new CK_ATTRIBUTE[] { + ATTR_SKEY_TOKEN_TRUE, + new CK_ATTRIBUTE(CKA_LABEL, cka_label), + type }; + } else { + attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + new CK_ATTRIBUTE(CKA_ID, cka_id), + type }; + } + long[] h = findObjects(session, attrs); + if (h.length == 0) { + if (debug != null) { + if (type == ATTR_CLASS_SKEY) { + debug.println("getTokenObject did not find secret key " + + "with CKA_LABEL [" + + cka_label + + "]"); + } else if (type == ATTR_CLASS_CERT) { + debug.println + ("getTokenObject did not find cert with CKA_ID [" + + getID(cka_id) + + "]"); + } else { + debug.println("getTokenObject did not find private key " + + "with CKA_ID [" + + getID(cka_id) + + "]"); + } + } + } else if (h.length == 1) { + + // found object handle - return it + return new THandle(h[0], type); + + } else { + + // found multiple object handles - + // see if token ignored CKA_LABEL during search (e.g. NSS) + + if (type == ATTR_CLASS_SKEY) { + + ArrayList list = new ArrayList(h.length); + for (int i = 0; i < h.length; i++) { + + CK_ATTRIBUTE[] label = new CK_ATTRIBUTE[] + { new CK_ATTRIBUTE(CKA_LABEL) }; + token.p11.C_GetAttributeValue(session.id(), h[i], label); + if (label[0].pValue != null && + cka_label.equals(new String(label[0].getCharArray()))) { + list.add(new THandle(h[i], ATTR_CLASS_SKEY)); + } + } + if (list.size() == 1) { + // yes, there was only one CKA_LABEL that matched + return list.get(0); + } else { + throw new KeyStoreException("invalid KeyStore state: " + + "found " + + list.size() + + " secret keys sharing CKA_LABEL [" + + cka_label + + "]"); + } + } else if (type == ATTR_CLASS_CERT) { + throw new KeyStoreException("invalid KeyStore state: " + + "found " + + h.length + + " certificates sharing CKA_ID " + + getID(cka_id)); + } else { + throw new KeyStoreException("invalid KeyStore state: " + + "found " + + h.length + + " private keys sharing CKA_ID " + + getID(cka_id)); + } + } + return new THandle(NO_HANDLE, null); + } + + /** + * Create a mapping of all key pairs, trusted certs, and secret keys + * on the token into logical KeyStore entries unambiguously + * accessible via an alias. + * + * If the token is removed, the map may contain stale values. + * KeyStore.load should be called to re-create the map. + * + * Assume all private keys and matching certs share a unique CKA_ID. + * + * Assume all secret keys have a unique CKA_LABEL. + * + * @return true if multiple certs found sharing the same CKA_LABEL + * (if so, write capabilities are disabled) + */ + private boolean mapLabels() throws + PKCS11Exception, CertificateException, KeyStoreException { + + CK_ATTRIBUTE[] trustedAttr = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_TRUSTED) }; + + Session session = null; + try { + session = token.getOpSession(); + + // get all private key CKA_IDs + + ArrayList pkeyIDs = new ArrayList(); + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_PKEY, + }; + long[] handles = findObjects(session, attrs); + + for (long handle : handles) { + attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID) }; + token.p11.C_GetAttributeValue(session.id(), handle, attrs); + + if (attrs[0].pValue != null) { + pkeyIDs.add(attrs[0].getByteArray()); + } + } + + // Get all certificates + // + // If cert does not have a CKA_LABEL nor CKA_ID, it is ignored. + // + // Get the CKA_LABEL for each cert + // (if the cert does not have a CKA_LABEL, use the CKA_ID). + // + // Map each cert to the its CKA_LABEL + // (multiple certs may be mapped to a single CKA_LABEL) + + HashMap> certMap = + new HashMap>(); + + attrs = new CK_ATTRIBUTE[] { + ATTR_TOKEN_TRUE, + ATTR_CLASS_CERT, + }; + handles = findObjects(session, attrs); + + for (long handle : handles) { + attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) }; + + String cka_label = null; + byte[] cka_id = null; + try { + token.p11.C_GetAttributeValue(session.id(), handle, attrs); + if (attrs[0].pValue != null) { + // there is a CKA_LABEL + cka_label = new String(attrs[0].getCharArray()); + } + } catch (PKCS11Exception pe) { + if (pe.getErrorCode() != CKR_ATTRIBUTE_TYPE_INVALID) { + throw pe; + } + + // GetAttributeValue for CKA_LABEL not supported + // + // XXX SCA1000 + } + + // get CKA_ID + + attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID) }; + token.p11.C_GetAttributeValue(session.id(), handle, attrs); + if (attrs[0].pValue == null) { + if (cka_label == null) { + // no cka_label nor cka_id - ignore + continue; + } + } else { + if (cka_label == null) { + // use CKA_ID as CKA_LABEL + cka_label = getID(attrs[0].getByteArray()); + } + cka_id = attrs[0].getByteArray(); + } + + X509Certificate cert = loadCert(session, handle); + + // get CKA_TRUSTED + + boolean cka_trusted = false; + + if (useSecmodTrust) { + cka_trusted = Secmod.getInstance().isTrusted(cert, nssTrustType); + } else { + if (CKA_TRUSTED_SUPPORTED) { + try { + token.p11.C_GetAttributeValue + (session.id(), handle, trustedAttr); + cka_trusted = trustedAttr[0].getBoolean(); + } catch (PKCS11Exception pe) { + if (pe.getErrorCode() == CKR_ATTRIBUTE_TYPE_INVALID) { + // XXX NSS, ibutton, sca1000 + CKA_TRUSTED_SUPPORTED = false; + if (debug != null) { + debug.println + ("CKA_TRUSTED attribute not supported"); + } + } + } + } + } + + HashSet infoSet = certMap.get(cka_label); + if (infoSet == null) { + infoSet = new HashSet(2); + certMap.put(cka_label, infoSet); + } + + // initially create private key entry AliasInfo entries - + // these entries will get resolved into their true + // entry types later + + infoSet.add(new AliasInfo + (cka_label, + cka_id, + cka_trusted, + cert)); + } + + // create list secret key CKA_LABELS - + // if there are duplicates (either between secret keys, + // or between a secret key and another object), + // throw an exception + HashMap sKeyMap = + new HashMap(); + + attrs = new CK_ATTRIBUTE[] { + ATTR_SKEY_TOKEN_TRUE, + ATTR_CLASS_SKEY, + }; + handles = findObjects(session, attrs); + + for (long handle : handles) { + attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) }; + token.p11.C_GetAttributeValue(session.id(), handle, attrs); + if (attrs[0].pValue != null) { + + // there is a CKA_LABEL + String cka_label = new String(attrs[0].getCharArray()); + if (sKeyMap.get(cka_label) == null) { + sKeyMap.put(cka_label, new AliasInfo(cka_label)); + } else { + throw new KeyStoreException("invalid KeyStore state: " + + "found multiple secret keys sharing same " + + "CKA_LABEL [" + + cka_label + + "]"); + } + } + } + + // update global aliasMap with alias mappings + ArrayList matchedCerts = + mapPrivateKeys(pkeyIDs, certMap); + boolean sharedLabel = mapCerts(matchedCerts, certMap); + mapSecretKeys(sKeyMap); + + return sharedLabel; + + } finally { + token.releaseSession(session); + } + } + + /** + * for each private key CKA_ID, find corresponding cert with same CKA_ID. + * if found cert, see if cert CKA_LABEL is unique. + * if CKA_LABEL unique, map private key/cert alias to that CKA_LABEL. + * if CKA_LABEL not unique, map private key/cert alias to: + * CKA_LABEL + ALIAS_SEP + ISSUER + ALIAS_SEP + SERIAL + * if cert not found, ignore private key + * (don't support private key entries without a cert chain yet) + * + * @return a list of AliasInfo entries that represents all matches + */ + private ArrayList mapPrivateKeys(ArrayList pkeyIDs, + HashMap> certMap) + throws PKCS11Exception, CertificateException { + + // reset global alias map + aliasMap = new HashMap(); + + // list of matched certs that we will return + ArrayList matchedCerts = new ArrayList(); + + for (byte[] pkeyID : pkeyIDs) { + + // try to find a matching CKA_ID in a certificate + + boolean foundMatch = false; + Set certLabels = certMap.keySet(); + for (String certLabel : certLabels) { + + // get cert CKA_IDs (if present) for each cert + + HashSet infoSet = certMap.get(certLabel); + for (AliasInfo aliasInfo : infoSet) { + if (Arrays.equals(pkeyID, aliasInfo.id)) { + + // found private key with matching cert + + if (infoSet.size() == 1) { + // unique CKA_LABEL - use certLabel as alias + aliasInfo.matched = true; + aliasMap.put(certLabel, aliasInfo); + } else { + // create new alias + aliasInfo.matched = true; + aliasMap.put(getID(certLabel, aliasInfo.cert), + aliasInfo); + } + matchedCerts.add(aliasInfo); + foundMatch = true; + break; + } + } + if (foundMatch) { + break; + } + } + + if (!foundMatch) { + if (debug != null) { + debug.println + ("did not find match for private key with CKA_ID [" + + getID(pkeyID) + + "] (ignoring entry)"); + } + } + } + + return matchedCerts; + } + + /** + * for each cert not matched with a private key but is CKA_TRUSTED: + * if CKA_LABEL unique, map cert to CKA_LABEL. + * if CKA_LABEL not unique, map cert to [label+issuer+serialNum] + * + * if CKA_TRUSTED not supported, treat all certs not part of a chain + * as trusted + * + * @return true if multiple certs found sharing the same CKA_LABEL + */ + private boolean mapCerts(ArrayList matchedCerts, + HashMap> certMap) + throws PKCS11Exception, CertificateException { + + // load all cert chains + for (AliasInfo aliasInfo : matchedCerts) { + Session session = null; + try { + session = token.getOpSession(); + aliasInfo.chain = loadChain(session, aliasInfo.cert); + } finally { + token.releaseSession(session); + } + } + + // find all certs in certMap not part of a cert chain + // - these are trusted + + boolean sharedLabel = false; + + Set certLabels = certMap.keySet(); + for (String certLabel : certLabels) { + HashSet infoSet = certMap.get(certLabel); + for (AliasInfo aliasInfo : infoSet) { + + if (aliasInfo.matched == true) { + // already found a private key match for this cert - + // just continue + aliasInfo.trusted = false; + continue; + } + + // cert in this aliasInfo is not matched yet + // + // if CKA_TRUSTED_SUPPORTED == true, + // then check if cert is trusted + + if (CKA_TRUSTED_SUPPORTED) { + if (aliasInfo.trusted) { + // trusted certificate + if (mapTrustedCert + (certLabel, aliasInfo, infoSet) == true) { + sharedLabel = true; + } + } + continue; + } + + // CKA_TRUSTED_SUPPORTED == false + // + // XXX treat all certs not part of a chain as trusted + // XXX + // XXX Unsupported + // + // boolean partOfChain = false; + // for (AliasInfo matchedInfo : matchedCerts) { + // for (int i = 0; i < matchedInfo.chain.length; i++) { + // if (matchedInfo.chain[i].equals(aliasInfo.cert)) { + // partOfChain = true; + // break; + // } + // } + // if (partOfChain) { + // break; + // } + // } + // + // if (!partOfChain) { + // if (mapTrustedCert(certLabel,aliasInfo,infoSet) == true){ + // sharedLabel = true; + // } + // } else { + // if (debug != null) { + // debug.println("ignoring unmatched/untrusted cert " + + // "that is part of cert chain - cert subject is [" + + // aliasInfo.cert.getSubjectX500Principal().getName + // (X500Principal.CANONICAL) + + // "]"); + // } + // } + } + } + + return sharedLabel; + } + + private boolean mapTrustedCert(String certLabel, + AliasInfo aliasInfo, + HashSet infoSet) { + + boolean sharedLabel = false; + + aliasInfo.type = ATTR_CLASS_CERT; + aliasInfo.trusted = true; + if (infoSet.size() == 1) { + // unique CKA_LABEL - use certLabel as alias + aliasMap.put(certLabel, aliasInfo); + } else { + // create new alias + sharedLabel = true; + aliasMap.put(getID(certLabel, aliasInfo.cert), aliasInfo); + } + + return sharedLabel; + } + + /** + * If the secret key shares a CKA_LABEL with another entry, + * throw an exception + */ + private void mapSecretKeys(HashMap sKeyMap) + throws KeyStoreException { + for (String label : sKeyMap.keySet()) { + if (aliasMap.containsKey(label)) { + throw new KeyStoreException("invalid KeyStore state: " + + "found secret key sharing CKA_LABEL [" + + label + + "] with another token object"); + } + } + aliasMap.putAll(sKeyMap); + } + + private void dumpTokenMap() { + Set aliases = aliasMap.keySet(); + System.out.println("Token Alias Map:"); + if (aliases.isEmpty()) { + System.out.println(" [empty]"); + } else { + for (String s : aliases) { + System.out.println(" " + s + aliasMap.get(s)); + } + } + } + + private void checkWrite() throws KeyStoreException { + if (writeDisabled) { + throw new KeyStoreException + ("This PKCS11KeyStore does not support write capabilities"); + } + } + + private final static long[] LONG0 = new long[0]; + + private static long[] findObjects(Session session, CK_ATTRIBUTE[] attrs) + throws PKCS11Exception { + Token token = session.token; + long[] handles = LONG0; + token.p11.C_FindObjectsInit(session.id(), attrs); + while (true) { + long[] h = token.p11.C_FindObjects(session.id(), FINDOBJECTS_MAX); + if (h.length == 0) { + break; + } + handles = P11Util.concat(handles, h); + } + token.p11.C_FindObjectsFinal(session.id()); + return handles; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Mac.java 2017-01-20 09:52:35.158289076 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,269 +0,0 @@ -/* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.util.*; -import java.nio.ByteBuffer; - -import java.security.*; -import java.security.spec.AlgorithmParameterSpec; - -import javax.crypto.MacSpi; - -import sun.nio.ch.DirectBuffer; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * MAC implementation class. This class currently supports HMAC using - * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC - * using MD5 and SHA-1. - * - * Note that unlike other classes (e.g. Signature), this does not - * composite various operations if the token only supports part of the - * required functionality. The MAC implementations in SunJCE already - * do exactly that by implementing an MAC on top of MessageDigests. We - * could not do any better than they. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11Mac extends MacSpi { - - /* unitialized, all fields except session have arbitrary values */ - private final static int S_UNINIT = 1; - - /* session initialized, no data processed yet */ - private final static int S_RESET = 2; - - /* session initialized, data processed */ - private final static int S_UPDATE = 3; - - /* transitional state after doFinal() before we go to S_UNINIT */ - private final static int S_DOFINAL = 4; - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private final long mechanism; - - // mechanism object - private final CK_MECHANISM ckMechanism; - - // length of the MAC in bytes - private final int macLength; - - // key instance used, if operation active - private P11Key p11Key; - - // associated session, if any - private Session session; - - // state, one of S_* above - private int state; - - // one byte buffer for the update(byte) method, initialized on demand - private byte[] oneByte; - - P11Mac(Token token, String algorithm, long mechanism) - throws PKCS11Exception { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - Long params = null; - switch ((int)mechanism) { - case (int)CKM_MD5_HMAC: - macLength = 16; - break; - case (int)CKM_SHA_1_HMAC: - macLength = 20; - break; - case (int)CKM_SHA224_HMAC: - macLength = 28; - break; - case (int)CKM_SHA256_HMAC: - macLength = 32; - break; - case (int)CKM_SHA384_HMAC: - macLength = 48; - break; - case (int)CKM_SHA512_HMAC: - macLength = 64; - break; - case (int)CKM_SSL3_MD5_MAC: - macLength = 16; - params = Long.valueOf(16); - break; - case (int)CKM_SSL3_SHA1_MAC: - macLength = 20; - params = Long.valueOf(20); - break; - default: - throw new ProviderException("Unknown mechanism: " + mechanism); - } - ckMechanism = new CK_MECHANISM(mechanism, params); - state = S_UNINIT; - initialize(); - } - - private void ensureInitialized() throws PKCS11Exception { - token.ensureValid(); - if (state == S_UNINIT) { - initialize(); - } - } - - private void cancelOperation() { - token.ensureValid(); - if (state == S_UNINIT) { - return; - } - state = S_UNINIT; - if ((session == null) || (token.explicitCancel == false)) { - return; - } - try { - token.p11.C_SignFinal(session.id(), 0); - } catch (PKCS11Exception e) { - throw new ProviderException("Cancel failed", e); - } - } - - private void initialize() throws PKCS11Exception { - if (state == S_RESET) { - return; - } - if (session == null) { - session = token.getOpSession(); - } - if (p11Key != null) { - token.p11.C_SignInit - (session.id(), ckMechanism, p11Key.keyID); - state = S_RESET; - } else { - state = S_UNINIT; - } - } - - // see JCE spec - protected int engineGetMacLength() { - return macLength; - } - - // see JCE spec - protected void engineReset() { - // the framework insists on calling reset() after doFinal(), - // but we prefer to take care of reinitialization ourselves - if (state == S_DOFINAL) { - state = S_UNINIT; - return; - } - cancelOperation(); - try { - initialize(); - } catch (PKCS11Exception e) { - throw new ProviderException("reset() failed, ", e); - } - } - - // see JCE spec - protected void engineInit(Key key, AlgorithmParameterSpec params) - throws InvalidKeyException, InvalidAlgorithmParameterException { - if (params != null) { - throw new InvalidAlgorithmParameterException - ("Parameters not supported"); - } - cancelOperation(); - p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); - try { - initialize(); - } catch (PKCS11Exception e) { - throw new InvalidKeyException("init() failed", e); - } - } - - // see JCE spec - protected byte[] engineDoFinal() { - try { - ensureInitialized(); - byte[] mac = token.p11.C_SignFinal(session.id(), 0); - state = S_DOFINAL; - return mac; - } catch (PKCS11Exception e) { - throw new ProviderException("doFinal() failed", e); - } finally { - session = token.releaseSession(session); - } - } - - // see JCE spec - protected void engineUpdate(byte input) { - if (oneByte == null) { - oneByte = new byte[1]; - } - oneByte[0] = input; - engineUpdate(oneByte, 0, 1); - } - - // see JCE spec - protected void engineUpdate(byte[] b, int ofs, int len) { - try { - ensureInitialized(); - token.p11.C_SignUpdate(session.id(), 0, b, ofs, len); - state = S_UPDATE; - } catch (PKCS11Exception e) { - throw new ProviderException("update() failed", e); - } - } - - // see JCE spec - protected void engineUpdate(ByteBuffer byteBuffer) { - try { - ensureInitialized(); - int len = byteBuffer.remaining(); - if (len <= 0) { - return; - } - if (byteBuffer instanceof DirectBuffer == false) { - super.engineUpdate(byteBuffer); - return; - } - long addr = ((DirectBuffer)byteBuffer).address(); - int ofs = byteBuffer.position(); - token.p11.C_SignUpdate(session.id(), addr + ofs, null, 0, len); - byteBuffer.position(ofs + len); - state = S_UPDATE; - } catch (PKCS11Exception e) { - throw new ProviderException("update() failed", e); - } - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java 2017-01-20 09:52:34.706289093 -0800 @@ -0,0 +1,269 @@ +/* + * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.util.*; +import java.nio.ByteBuffer; + +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.MacSpi; + +import sun.nio.ch.DirectBuffer; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * MAC implementation class. This class currently supports HMAC using + * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC + * using MD5 and SHA-1. + * + * Note that unlike other classes (e.g. Signature), this does not + * composite various operations if the token only supports part of the + * required functionality. The MAC implementations in SunJCE already + * do exactly that by implementing an MAC on top of MessageDigests. We + * could not do any better than they. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11Mac extends MacSpi { + + /* unitialized, all fields except session have arbitrary values */ + private final static int S_UNINIT = 1; + + /* session initialized, no data processed yet */ + private final static int S_RESET = 2; + + /* session initialized, data processed */ + private final static int S_UPDATE = 3; + + /* transitional state after doFinal() before we go to S_UNINIT */ + private final static int S_DOFINAL = 4; + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private final long mechanism; + + // mechanism object + private final CK_MECHANISM ckMechanism; + + // length of the MAC in bytes + private final int macLength; + + // key instance used, if operation active + private P11Key p11Key; + + // associated session, if any + private Session session; + + // state, one of S_* above + private int state; + + // one byte buffer for the update(byte) method, initialized on demand + private byte[] oneByte; + + P11Mac(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + Long params = null; + switch ((int)mechanism) { + case (int)CKM_MD5_HMAC: + macLength = 16; + break; + case (int)CKM_SHA_1_HMAC: + macLength = 20; + break; + case (int)CKM_SHA224_HMAC: + macLength = 28; + break; + case (int)CKM_SHA256_HMAC: + macLength = 32; + break; + case (int)CKM_SHA384_HMAC: + macLength = 48; + break; + case (int)CKM_SHA512_HMAC: + macLength = 64; + break; + case (int)CKM_SSL3_MD5_MAC: + macLength = 16; + params = Long.valueOf(16); + break; + case (int)CKM_SSL3_SHA1_MAC: + macLength = 20; + params = Long.valueOf(20); + break; + default: + throw new ProviderException("Unknown mechanism: " + mechanism); + } + ckMechanism = new CK_MECHANISM(mechanism, params); + state = S_UNINIT; + initialize(); + } + + private void ensureInitialized() throws PKCS11Exception { + token.ensureValid(); + if (state == S_UNINIT) { + initialize(); + } + } + + private void cancelOperation() { + token.ensureValid(); + if (state == S_UNINIT) { + return; + } + state = S_UNINIT; + if ((session == null) || (token.explicitCancel == false)) { + return; + } + try { + token.p11.C_SignFinal(session.id(), 0); + } catch (PKCS11Exception e) { + throw new ProviderException("Cancel failed", e); + } + } + + private void initialize() throws PKCS11Exception { + if (state == S_RESET) { + return; + } + if (session == null) { + session = token.getOpSession(); + } + if (p11Key != null) { + token.p11.C_SignInit + (session.id(), ckMechanism, p11Key.keyID); + state = S_RESET; + } else { + state = S_UNINIT; + } + } + + // see JCE spec + protected int engineGetMacLength() { + return macLength; + } + + // see JCE spec + protected void engineReset() { + // the framework insists on calling reset() after doFinal(), + // but we prefer to take care of reinitialization ourselves + if (state == S_DOFINAL) { + state = S_UNINIT; + return; + } + cancelOperation(); + try { + initialize(); + } catch (PKCS11Exception e) { + throw new ProviderException("reset() failed, ", e); + } + } + + // see JCE spec + protected void engineInit(Key key, AlgorithmParameterSpec params) + throws InvalidKeyException, InvalidAlgorithmParameterException { + if (params != null) { + throw new InvalidAlgorithmParameterException + ("Parameters not supported"); + } + cancelOperation(); + p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); + try { + initialize(); + } catch (PKCS11Exception e) { + throw new InvalidKeyException("init() failed", e); + } + } + + // see JCE spec + protected byte[] engineDoFinal() { + try { + ensureInitialized(); + byte[] mac = token.p11.C_SignFinal(session.id(), 0); + state = S_DOFINAL; + return mac; + } catch (PKCS11Exception e) { + throw new ProviderException("doFinal() failed", e); + } finally { + session = token.releaseSession(session); + } + } + + // see JCE spec + protected void engineUpdate(byte input) { + if (oneByte == null) { + oneByte = new byte[1]; + } + oneByte[0] = input; + engineUpdate(oneByte, 0, 1); + } + + // see JCE spec + protected void engineUpdate(byte[] b, int ofs, int len) { + try { + ensureInitialized(); + token.p11.C_SignUpdate(session.id(), 0, b, ofs, len); + state = S_UPDATE; + } catch (PKCS11Exception e) { + throw new ProviderException("update() failed", e); + } + } + + // see JCE spec + protected void engineUpdate(ByteBuffer byteBuffer) { + try { + ensureInitialized(); + int len = byteBuffer.remaining(); + if (len <= 0) { + return; + } + if (byteBuffer instanceof DirectBuffer == false) { + super.engineUpdate(byteBuffer); + return; + } + long addr = ((DirectBuffer)byteBuffer).address(); + int ofs = byteBuffer.position(); + token.p11.C_SignUpdate(session.id(), addr + ofs, null, 0, len); + byteBuffer.position(ofs + len); + state = S_UPDATE; + } catch (PKCS11Exception e) { + throw new ProviderException("update() failed", e); + } + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11RSACipher.java 2017-01-20 09:52:35.690289056 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,677 +0,0 @@ -/* - * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.security.*; -import java.security.spec.AlgorithmParameterSpec; -import java.security.spec.*; - -import java.util.Locale; - -import javax.crypto.*; -import javax.crypto.spec.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec; -import sun.security.util.KeyUtil; - -/** - * RSA Cipher implementation class. We currently only support - * PKCS#1 v1.5 padding on top of CKM_RSA_PKCS. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11RSACipher extends CipherSpi { - - // minimum length of PKCS#1 v1.5 padding - private final static int PKCS1_MIN_PADDING_LENGTH = 11; - - // constant byte[] of length 0 - private final static byte[] B0 = new byte[0]; - - // mode constant for public key encryption - private final static int MODE_ENCRYPT = 1; - // mode constant for private key decryption - private final static int MODE_DECRYPT = 2; - // mode constant for private key encryption (signing) - private final static int MODE_SIGN = 3; - // mode constant for public key decryption (verifying) - private final static int MODE_VERIFY = 4; - - // padding type constant for NoPadding - private final static int PAD_NONE = 1; - // padding type constant for PKCS1Padding - private final static int PAD_PKCS1 = 2; - - // token instance - private final Token token; - - // algorithm name (always "RSA") - private final String algorithm; - - // mechanism id - private final long mechanism; - - // associated session, if any - private Session session; - - // mode, one of MODE_* above - private int mode; - - // padding, one of PAD_* above - private int padType; - - private byte[] buffer; - private int bufOfs; - - // key, if init() was called - private P11Key p11Key; - - // flag indicating whether an operation is initialized - private boolean initialized; - - // maximum input data size allowed - // for decryption, this is the length of the key - // for encryption, length of the key minus minimum padding length - private int maxInputSize; - - // maximum output size. this is the length of the key - private int outputSize; - - // cipher parameter for TLS RSA premaster secret - private AlgorithmParameterSpec spec = null; - - // the source of randomness - private SecureRandom random; - - P11RSACipher(Token token, String algorithm, long mechanism) - throws PKCS11Exception { - super(); - this.token = token; - this.algorithm = "RSA"; - this.mechanism = mechanism; - } - - // modes do not make sense for RSA, but allow ECB - // see JCE spec - protected void engineSetMode(String mode) throws NoSuchAlgorithmException { - if (mode.equalsIgnoreCase("ECB") == false) { - throw new NoSuchAlgorithmException("Unsupported mode " + mode); - } - } - - protected void engineSetPadding(String padding) - throws NoSuchPaddingException { - String lowerPadding = padding.toLowerCase(Locale.ENGLISH); - if (lowerPadding.equals("pkcs1padding")) { - padType = PAD_PKCS1; - } else if (lowerPadding.equals("nopadding")) { - padType = PAD_NONE; - } else { - throw new NoSuchPaddingException("Unsupported padding " + padding); - } - } - - // return 0 as block size, we are not a block cipher - // see JCE spec - protected int engineGetBlockSize() { - return 0; - } - - // return the output size - // see JCE spec - protected int engineGetOutputSize(int inputLen) { - return outputSize; - } - - // no IV, return null - // see JCE spec - protected byte[] engineGetIV() { - return null; - } - - // no parameters, return null - // see JCE spec - protected AlgorithmParameters engineGetParameters() { - return null; - } - - // see JCE spec - protected void engineInit(int opmode, Key key, SecureRandom random) - throws InvalidKeyException { - implInit(opmode, key); - } - - // see JCE spec - @SuppressWarnings("deprecation") - protected void engineInit(int opmode, Key key, - AlgorithmParameterSpec params, SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - if (params != null) { - if (!(params instanceof TlsRsaPremasterSecretParameterSpec)) { - throw new InvalidAlgorithmParameterException( - "Parameters not supported"); - } - spec = params; - this.random = random; // for TLS RSA premaster secret - } - implInit(opmode, key); - } - - // see JCE spec - protected void engineInit(int opmode, Key key, AlgorithmParameters params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - if (params != null) { - throw new InvalidAlgorithmParameterException( - "Parameters not supported"); - } - implInit(opmode, key); - } - - private void implInit(int opmode, Key key) throws InvalidKeyException { - cancelOperation(); - p11Key = P11KeyFactory.convertKey(token, key, algorithm); - boolean encrypt; - if (opmode == Cipher.ENCRYPT_MODE) { - encrypt = true; - } else if (opmode == Cipher.DECRYPT_MODE) { - encrypt = false; - } else if (opmode == Cipher.WRAP_MODE) { - if (p11Key.isPublic() == false) { - throw new InvalidKeyException - ("Wrap has to be used with public keys"); - } - // No further setup needed for C_Wrap(). We'll initialize later if - // we can't use C_Wrap(). - return; - } else if (opmode == Cipher.UNWRAP_MODE) { - if (p11Key.isPrivate() == false) { - throw new InvalidKeyException - ("Unwrap has to be used with private keys"); - } - // No further setup needed for C_Unwrap(). We'll initialize later - // if we can't use C_Unwrap(). - return; - } else { - throw new InvalidKeyException("Unsupported mode: " + opmode); - } - if (p11Key.isPublic()) { - mode = encrypt ? MODE_ENCRYPT : MODE_VERIFY; - } else if (p11Key.isPrivate()) { - mode = encrypt ? MODE_SIGN : MODE_DECRYPT; - } else { - throw new InvalidKeyException("Unknown key type: " + p11Key); - } - int n = (p11Key.length() + 7) >> 3; - outputSize = n; - buffer = new byte[n]; - maxInputSize = ((padType == PAD_PKCS1 && encrypt) ? - (n - PKCS1_MIN_PADDING_LENGTH) : n); - try { - initialize(); - } catch (PKCS11Exception e) { - throw new InvalidKeyException("init() failed", e); - } - } - - private void cancelOperation() { - token.ensureValid(); - if (initialized == false) { - return; - } - initialized = false; - if ((session == null) || (token.explicitCancel == false)) { - return; - } - if (session.hasObjects() == false) { - session = token.killSession(session); - return; - } - try { - PKCS11 p11 = token.p11; - int inLen = maxInputSize; - int outLen = buffer.length; - switch (mode) { - case MODE_ENCRYPT: - p11.C_Encrypt - (session.id(), buffer, 0, inLen, buffer, 0, outLen); - break; - case MODE_DECRYPT: - p11.C_Decrypt - (session.id(), buffer, 0, inLen, buffer, 0, outLen); - break; - case MODE_SIGN: - byte[] tmpBuffer = new byte[maxInputSize]; - p11.C_Sign - (session.id(), tmpBuffer); - break; - case MODE_VERIFY: - p11.C_VerifyRecover - (session.id(), buffer, 0, inLen, buffer, 0, outLen); - break; - default: - throw new ProviderException("internal error"); - } - } catch (PKCS11Exception e) { - // XXX ensure this always works, ignore error - } - } - - private void ensureInitialized() throws PKCS11Exception { - token.ensureValid(); - if (initialized == false) { - initialize(); - } - } - - private void initialize() throws PKCS11Exception { - if (session == null) { - session = token.getOpSession(); - } - PKCS11 p11 = token.p11; - CK_MECHANISM ckMechanism = new CK_MECHANISM(mechanism); - switch (mode) { - case MODE_ENCRYPT: - p11.C_EncryptInit(session.id(), ckMechanism, p11Key.keyID); - break; - case MODE_DECRYPT: - p11.C_DecryptInit(session.id(), ckMechanism, p11Key.keyID); - break; - case MODE_SIGN: - p11.C_SignInit(session.id(), ckMechanism, p11Key.keyID); - break; - case MODE_VERIFY: - p11.C_VerifyRecoverInit(session.id(), ckMechanism, p11Key.keyID); - break; - default: - throw new AssertionError("internal error"); - } - bufOfs = 0; - initialized = true; - } - - private void implUpdate(byte[] in, int inOfs, int inLen) { - try { - ensureInitialized(); - } catch (PKCS11Exception e) { - throw new ProviderException("update() failed", e); - } - if ((inLen == 0) || (in == null)) { - return; - } - if (bufOfs + inLen > maxInputSize) { - bufOfs = maxInputSize + 1; - return; - } - System.arraycopy(in, inOfs, buffer, bufOfs, inLen); - bufOfs += inLen; - } - - private int implDoFinal(byte[] out, int outOfs, int outLen) - throws BadPaddingException, IllegalBlockSizeException { - if (bufOfs > maxInputSize) { - throw new IllegalBlockSizeException("Data must not be longer " - + "than " + maxInputSize + " bytes"); - } - try { - ensureInitialized(); - PKCS11 p11 = token.p11; - int n; - switch (mode) { - case MODE_ENCRYPT: - n = p11.C_Encrypt - (session.id(), buffer, 0, bufOfs, out, outOfs, outLen); - break; - case MODE_DECRYPT: - n = p11.C_Decrypt - (session.id(), buffer, 0, bufOfs, out, outOfs, outLen); - break; - case MODE_SIGN: - byte[] tmpBuffer = new byte[bufOfs]; - System.arraycopy(buffer, 0, tmpBuffer, 0, bufOfs); - tmpBuffer = p11.C_Sign(session.id(), tmpBuffer); - if (tmpBuffer.length > outLen) { - throw new BadPaddingException( - "Output buffer (" + outLen + ") is too small to " + - "hold the produced data (" + tmpBuffer.length + ")"); - } - System.arraycopy(tmpBuffer, 0, out, outOfs, tmpBuffer.length); - n = tmpBuffer.length; - break; - case MODE_VERIFY: - n = p11.C_VerifyRecover - (session.id(), buffer, 0, bufOfs, out, outOfs, outLen); - break; - default: - throw new ProviderException("internal error"); - } - return n; - } catch (PKCS11Exception e) { - throw (BadPaddingException)new BadPaddingException - ("doFinal() failed").initCause(e); - } finally { - initialized = false; - session = token.releaseSession(session); - } - } - - // see JCE spec - protected byte[] engineUpdate(byte[] in, int inOfs, int inLen) { - implUpdate(in, inOfs, inLen); - return B0; - } - - // see JCE spec - protected int engineUpdate(byte[] in, int inOfs, int inLen, - byte[] out, int outOfs) throws ShortBufferException { - implUpdate(in, inOfs, inLen); - return 0; - } - - // see JCE spec - protected byte[] engineDoFinal(byte[] in, int inOfs, int inLen) - throws IllegalBlockSizeException, BadPaddingException { - implUpdate(in, inOfs, inLen); - int n = implDoFinal(buffer, 0, buffer.length); - byte[] out = new byte[n]; - System.arraycopy(buffer, 0, out, 0, n); - return out; - } - - // see JCE spec - protected int engineDoFinal(byte[] in, int inOfs, int inLen, - byte[] out, int outOfs) throws ShortBufferException, - IllegalBlockSizeException, BadPaddingException { - implUpdate(in, inOfs, inLen); - return implDoFinal(out, outOfs, out.length - outOfs); - } - - private byte[] doFinal() throws BadPaddingException, - IllegalBlockSizeException { - byte[] t = new byte[2048]; - int n = implDoFinal(t, 0, t.length); - byte[] out = new byte[n]; - System.arraycopy(t, 0, out, 0, n); - return out; - } - - // see JCE spec - protected byte[] engineWrap(Key key) throws InvalidKeyException, - IllegalBlockSizeException { - String keyAlg = key.getAlgorithm(); - P11Key sKey = null; - try { - // The conversion may fail, e.g. trying to wrap an AES key on - // a token that does not support AES, or when the key size is - // not within the range supported by the token. - sKey = P11SecretKeyFactory.convertKey(token, key, keyAlg); - } catch (InvalidKeyException ike) { - byte[] toBeWrappedKey = key.getEncoded(); - if (toBeWrappedKey == null) { - throw new InvalidKeyException - ("wrap() failed, no encoding available", ike); - } - // Directly encrypt the key encoding when key conversion failed - implInit(Cipher.ENCRYPT_MODE, p11Key); - implUpdate(toBeWrappedKey, 0, toBeWrappedKey.length); - try { - return doFinal(); - } catch (BadPaddingException bpe) { - // should not occur - throw new InvalidKeyException("wrap() failed", bpe); - } finally { - // Restore original mode - implInit(Cipher.WRAP_MODE, p11Key); - } - } - Session s = null; - try { - s = token.getOpSession(); - return token.p11.C_WrapKey(s.id(), new CK_MECHANISM(mechanism), - p11Key.keyID, sKey.keyID); - } catch (PKCS11Exception e) { - throw new InvalidKeyException("wrap() failed", e); - } finally { - token.releaseSession(s); - } - } - - // see JCE spec - @SuppressWarnings("deprecation") - protected Key engineUnwrap(byte[] wrappedKey, String algorithm, - int type) throws InvalidKeyException, NoSuchAlgorithmException { - - boolean isTlsRsaPremasterSecret = - algorithm.equals("TlsRsaPremasterSecret"); - Exception failover = null; - - // Should C_Unwrap be preferred for non-TLS RSA premaster secret? - if (token.supportsRawSecretKeyImport()) { - // XXX implement unwrap using C_Unwrap() for all keys - implInit(Cipher.DECRYPT_MODE, p11Key); - try { - if (wrappedKey.length > maxInputSize) { - throw new InvalidKeyException("Key is too long for unwrapping"); - } - - byte[] encoded = null; - implUpdate(wrappedKey, 0, wrappedKey.length); - try { - encoded = doFinal(); - } catch (BadPaddingException e) { - if (isTlsRsaPremasterSecret) { - failover = e; - } else { - throw new InvalidKeyException("Unwrapping failed", e); - } - } catch (IllegalBlockSizeException e) { - // should not occur, handled with length check above - throw new InvalidKeyException("Unwrapping failed", e); - } - - if (isTlsRsaPremasterSecret) { - if (!(spec instanceof TlsRsaPremasterSecretParameterSpec)) { - throw new IllegalStateException( - "No TlsRsaPremasterSecretParameterSpec specified"); - } - - // polish the TLS premaster secret - TlsRsaPremasterSecretParameterSpec psps = - (TlsRsaPremasterSecretParameterSpec)spec; - encoded = KeyUtil.checkTlsPreMasterSecretKey( - psps.getClientVersion(), psps.getServerVersion(), - random, encoded, (failover != null)); - } - - return ConstructKeys.constructKey(encoded, algorithm, type); - } finally { - // Restore original mode - implInit(Cipher.UNWRAP_MODE, p11Key); - } - } else { - Session s = null; - SecretKey secretKey = null; - try { - try { - s = token.getObjSession(); - long keyType = CKK_GENERIC_SECRET; - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), - }; - attributes = token.getAttributes( - O_IMPORT, CKO_SECRET_KEY, keyType, attributes); - long keyID = token.p11.C_UnwrapKey(s.id(), - new CK_MECHANISM(mechanism), p11Key.keyID, - wrappedKey, attributes); - secretKey = P11Key.secretKey(s, keyID, - algorithm, 48 << 3, attributes); - } catch (PKCS11Exception e) { - if (isTlsRsaPremasterSecret) { - failover = e; - } else { - throw new InvalidKeyException("unwrap() failed", e); - } - } - - if (isTlsRsaPremasterSecret) { - TlsRsaPremasterSecretParameterSpec psps = - (TlsRsaPremasterSecretParameterSpec)spec; - - // Please use the tricky failover as the parameter so that - // smart compiler won't dispose the unused variable. - secretKey = polishPreMasterSecretKey(token, s, - failover, secretKey, - psps.getClientVersion(), psps.getServerVersion()); - } - - return secretKey; - } finally { - token.releaseSession(s); - } - } - } - - // see JCE spec - protected int engineGetKeySize(Key key) throws InvalidKeyException { - int n = P11KeyFactory.convertKey(token, key, algorithm).length(); - return n; - } - - private static SecretKey polishPreMasterSecretKey( - Token token, Session session, - Exception failover, SecretKey unwrappedKey, - int clientVersion, int serverVersion) { - - SecretKey newKey; - CK_VERSION version = new CK_VERSION( - (clientVersion >>> 8) & 0xFF, clientVersion & 0xFF); - try { - CK_ATTRIBUTE[] attributes = token.getAttributes( - O_GENERATE, CKO_SECRET_KEY, - CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); - long keyID = token.p11.C_GenerateKey(session.id(), - new CK_MECHANISM(CKM_SSL3_PRE_MASTER_KEY_GEN, version), - attributes); - newKey = P11Key.secretKey(session, - keyID, "TlsRsaPremasterSecret", 48 << 3, attributes); - } catch (PKCS11Exception e) { - throw new ProviderException( - "Could not generate premaster secret", e); - } - - return (failover == null) ? unwrappedKey : newKey; - } - -} - -final class ConstructKeys { - /** - * Construct a public key from its encoding. - * - * @param encodedKey the encoding of a public key. - * - * @param encodedKeyAlgorithm the algorithm the encodedKey is for. - * - * @return a public key constructed from the encodedKey. - */ - private static final PublicKey constructPublicKey(byte[] encodedKey, - String encodedKeyAlgorithm) - throws InvalidKeyException, NoSuchAlgorithmException { - try { - KeyFactory keyFactory = - KeyFactory.getInstance(encodedKeyAlgorithm); - X509EncodedKeySpec keySpec = new X509EncodedKeySpec(encodedKey); - return keyFactory.generatePublic(keySpec); - } catch (NoSuchAlgorithmException nsae) { - throw new NoSuchAlgorithmException("No installed providers " + - "can create keys for the " + - encodedKeyAlgorithm + - "algorithm", nsae); - } catch (InvalidKeySpecException ike) { - throw new InvalidKeyException("Cannot construct public key", ike); - } - } - - /** - * Construct a private key from its encoding. - * - * @param encodedKey the encoding of a private key. - * - * @param encodedKeyAlgorithm the algorithm the wrapped key is for. - * - * @return a private key constructed from the encodedKey. - */ - private static final PrivateKey constructPrivateKey(byte[] encodedKey, - String encodedKeyAlgorithm) throws InvalidKeyException, - NoSuchAlgorithmException { - try { - KeyFactory keyFactory = - KeyFactory.getInstance(encodedKeyAlgorithm); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encodedKey); - return keyFactory.generatePrivate(keySpec); - } catch (NoSuchAlgorithmException nsae) { - throw new NoSuchAlgorithmException("No installed providers " + - "can create keys for the " + - encodedKeyAlgorithm + - "algorithm", nsae); - } catch (InvalidKeySpecException ike) { - throw new InvalidKeyException("Cannot construct private key", ike); - } - } - - /** - * Construct a secret key from its encoding. - * - * @param encodedKey the encoding of a secret key. - * - * @param encodedKeyAlgorithm the algorithm the secret key is for. - * - * @return a secret key constructed from the encodedKey. - */ - private static final SecretKey constructSecretKey(byte[] encodedKey, - String encodedKeyAlgorithm) { - return new SecretKeySpec(encodedKey, encodedKeyAlgorithm); - } - - static final Key constructKey(byte[] encoding, String keyAlgorithm, - int keyType) throws InvalidKeyException, NoSuchAlgorithmException { - switch (keyType) { - case Cipher.SECRET_KEY: - return constructSecretKey(encoding, keyAlgorithm); - case Cipher.PRIVATE_KEY: - return constructPrivateKey(encoding, keyAlgorithm); - case Cipher.PUBLIC_KEY: - return constructPublicKey(encoding, keyAlgorithm); - default: - throw new InvalidKeyException("Unknown keytype " + keyType); - } - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java 2017-01-20 09:52:35.470289064 -0800 @@ -0,0 +1,677 @@ +/* + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.*; + +import java.util.Locale; + +import javax.crypto.*; +import javax.crypto.spec.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec; +import sun.security.util.KeyUtil; + +/** + * RSA Cipher implementation class. We currently only support + * PKCS#1 v1.5 padding on top of CKM_RSA_PKCS. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11RSACipher extends CipherSpi { + + // minimum length of PKCS#1 v1.5 padding + private final static int PKCS1_MIN_PADDING_LENGTH = 11; + + // constant byte[] of length 0 + private final static byte[] B0 = new byte[0]; + + // mode constant for public key encryption + private final static int MODE_ENCRYPT = 1; + // mode constant for private key decryption + private final static int MODE_DECRYPT = 2; + // mode constant for private key encryption (signing) + private final static int MODE_SIGN = 3; + // mode constant for public key decryption (verifying) + private final static int MODE_VERIFY = 4; + + // padding type constant for NoPadding + private final static int PAD_NONE = 1; + // padding type constant for PKCS1Padding + private final static int PAD_PKCS1 = 2; + + // token instance + private final Token token; + + // algorithm name (always "RSA") + private final String algorithm; + + // mechanism id + private final long mechanism; + + // associated session, if any + private Session session; + + // mode, one of MODE_* above + private int mode; + + // padding, one of PAD_* above + private int padType; + + private byte[] buffer; + private int bufOfs; + + // key, if init() was called + private P11Key p11Key; + + // flag indicating whether an operation is initialized + private boolean initialized; + + // maximum input data size allowed + // for decryption, this is the length of the key + // for encryption, length of the key minus minimum padding length + private int maxInputSize; + + // maximum output size. this is the length of the key + private int outputSize; + + // cipher parameter for TLS RSA premaster secret + private AlgorithmParameterSpec spec = null; + + // the source of randomness + private SecureRandom random; + + P11RSACipher(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); + this.token = token; + this.algorithm = "RSA"; + this.mechanism = mechanism; + } + + // modes do not make sense for RSA, but allow ECB + // see JCE spec + protected void engineSetMode(String mode) throws NoSuchAlgorithmException { + if (mode.equalsIgnoreCase("ECB") == false) { + throw new NoSuchAlgorithmException("Unsupported mode " + mode); + } + } + + protected void engineSetPadding(String padding) + throws NoSuchPaddingException { + String lowerPadding = padding.toLowerCase(Locale.ENGLISH); + if (lowerPadding.equals("pkcs1padding")) { + padType = PAD_PKCS1; + } else if (lowerPadding.equals("nopadding")) { + padType = PAD_NONE; + } else { + throw new NoSuchPaddingException("Unsupported padding " + padding); + } + } + + // return 0 as block size, we are not a block cipher + // see JCE spec + protected int engineGetBlockSize() { + return 0; + } + + // return the output size + // see JCE spec + protected int engineGetOutputSize(int inputLen) { + return outputSize; + } + + // no IV, return null + // see JCE spec + protected byte[] engineGetIV() { + return null; + } + + // no parameters, return null + // see JCE spec + protected AlgorithmParameters engineGetParameters() { + return null; + } + + // see JCE spec + protected void engineInit(int opmode, Key key, SecureRandom random) + throws InvalidKeyException { + implInit(opmode, key); + } + + // see JCE spec + @SuppressWarnings("deprecation") + protected void engineInit(int opmode, Key key, + AlgorithmParameterSpec params, SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException { + if (params != null) { + if (!(params instanceof TlsRsaPremasterSecretParameterSpec)) { + throw new InvalidAlgorithmParameterException( + "Parameters not supported"); + } + spec = params; + this.random = random; // for TLS RSA premaster secret + } + implInit(opmode, key); + } + + // see JCE spec + protected void engineInit(int opmode, Key key, AlgorithmParameters params, + SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException { + if (params != null) { + throw new InvalidAlgorithmParameterException( + "Parameters not supported"); + } + implInit(opmode, key); + } + + private void implInit(int opmode, Key key) throws InvalidKeyException { + cancelOperation(); + p11Key = P11KeyFactory.convertKey(token, key, algorithm); + boolean encrypt; + if (opmode == Cipher.ENCRYPT_MODE) { + encrypt = true; + } else if (opmode == Cipher.DECRYPT_MODE) { + encrypt = false; + } else if (opmode == Cipher.WRAP_MODE) { + if (p11Key.isPublic() == false) { + throw new InvalidKeyException + ("Wrap has to be used with public keys"); + } + // No further setup needed for C_Wrap(). We'll initialize later if + // we can't use C_Wrap(). + return; + } else if (opmode == Cipher.UNWRAP_MODE) { + if (p11Key.isPrivate() == false) { + throw new InvalidKeyException + ("Unwrap has to be used with private keys"); + } + // No further setup needed for C_Unwrap(). We'll initialize later + // if we can't use C_Unwrap(). + return; + } else { + throw new InvalidKeyException("Unsupported mode: " + opmode); + } + if (p11Key.isPublic()) { + mode = encrypt ? MODE_ENCRYPT : MODE_VERIFY; + } else if (p11Key.isPrivate()) { + mode = encrypt ? MODE_SIGN : MODE_DECRYPT; + } else { + throw new InvalidKeyException("Unknown key type: " + p11Key); + } + int n = (p11Key.length() + 7) >> 3; + outputSize = n; + buffer = new byte[n]; + maxInputSize = ((padType == PAD_PKCS1 && encrypt) ? + (n - PKCS1_MIN_PADDING_LENGTH) : n); + try { + initialize(); + } catch (PKCS11Exception e) { + throw new InvalidKeyException("init() failed", e); + } + } + + private void cancelOperation() { + token.ensureValid(); + if (initialized == false) { + return; + } + initialized = false; + if ((session == null) || (token.explicitCancel == false)) { + return; + } + if (session.hasObjects() == false) { + session = token.killSession(session); + return; + } + try { + PKCS11 p11 = token.p11; + int inLen = maxInputSize; + int outLen = buffer.length; + switch (mode) { + case MODE_ENCRYPT: + p11.C_Encrypt + (session.id(), buffer, 0, inLen, buffer, 0, outLen); + break; + case MODE_DECRYPT: + p11.C_Decrypt + (session.id(), buffer, 0, inLen, buffer, 0, outLen); + break; + case MODE_SIGN: + byte[] tmpBuffer = new byte[maxInputSize]; + p11.C_Sign + (session.id(), tmpBuffer); + break; + case MODE_VERIFY: + p11.C_VerifyRecover + (session.id(), buffer, 0, inLen, buffer, 0, outLen); + break; + default: + throw new ProviderException("internal error"); + } + } catch (PKCS11Exception e) { + // XXX ensure this always works, ignore error + } + } + + private void ensureInitialized() throws PKCS11Exception { + token.ensureValid(); + if (initialized == false) { + initialize(); + } + } + + private void initialize() throws PKCS11Exception { + if (session == null) { + session = token.getOpSession(); + } + PKCS11 p11 = token.p11; + CK_MECHANISM ckMechanism = new CK_MECHANISM(mechanism); + switch (mode) { + case MODE_ENCRYPT: + p11.C_EncryptInit(session.id(), ckMechanism, p11Key.keyID); + break; + case MODE_DECRYPT: + p11.C_DecryptInit(session.id(), ckMechanism, p11Key.keyID); + break; + case MODE_SIGN: + p11.C_SignInit(session.id(), ckMechanism, p11Key.keyID); + break; + case MODE_VERIFY: + p11.C_VerifyRecoverInit(session.id(), ckMechanism, p11Key.keyID); + break; + default: + throw new AssertionError("internal error"); + } + bufOfs = 0; + initialized = true; + } + + private void implUpdate(byte[] in, int inOfs, int inLen) { + try { + ensureInitialized(); + } catch (PKCS11Exception e) { + throw new ProviderException("update() failed", e); + } + if ((inLen == 0) || (in == null)) { + return; + } + if (bufOfs + inLen > maxInputSize) { + bufOfs = maxInputSize + 1; + return; + } + System.arraycopy(in, inOfs, buffer, bufOfs, inLen); + bufOfs += inLen; + } + + private int implDoFinal(byte[] out, int outOfs, int outLen) + throws BadPaddingException, IllegalBlockSizeException { + if (bufOfs > maxInputSize) { + throw new IllegalBlockSizeException("Data must not be longer " + + "than " + maxInputSize + " bytes"); + } + try { + ensureInitialized(); + PKCS11 p11 = token.p11; + int n; + switch (mode) { + case MODE_ENCRYPT: + n = p11.C_Encrypt + (session.id(), buffer, 0, bufOfs, out, outOfs, outLen); + break; + case MODE_DECRYPT: + n = p11.C_Decrypt + (session.id(), buffer, 0, bufOfs, out, outOfs, outLen); + break; + case MODE_SIGN: + byte[] tmpBuffer = new byte[bufOfs]; + System.arraycopy(buffer, 0, tmpBuffer, 0, bufOfs); + tmpBuffer = p11.C_Sign(session.id(), tmpBuffer); + if (tmpBuffer.length > outLen) { + throw new BadPaddingException( + "Output buffer (" + outLen + ") is too small to " + + "hold the produced data (" + tmpBuffer.length + ")"); + } + System.arraycopy(tmpBuffer, 0, out, outOfs, tmpBuffer.length); + n = tmpBuffer.length; + break; + case MODE_VERIFY: + n = p11.C_VerifyRecover + (session.id(), buffer, 0, bufOfs, out, outOfs, outLen); + break; + default: + throw new ProviderException("internal error"); + } + return n; + } catch (PKCS11Exception e) { + throw (BadPaddingException)new BadPaddingException + ("doFinal() failed").initCause(e); + } finally { + initialized = false; + session = token.releaseSession(session); + } + } + + // see JCE spec + protected byte[] engineUpdate(byte[] in, int inOfs, int inLen) { + implUpdate(in, inOfs, inLen); + return B0; + } + + // see JCE spec + protected int engineUpdate(byte[] in, int inOfs, int inLen, + byte[] out, int outOfs) throws ShortBufferException { + implUpdate(in, inOfs, inLen); + return 0; + } + + // see JCE spec + protected byte[] engineDoFinal(byte[] in, int inOfs, int inLen) + throws IllegalBlockSizeException, BadPaddingException { + implUpdate(in, inOfs, inLen); + int n = implDoFinal(buffer, 0, buffer.length); + byte[] out = new byte[n]; + System.arraycopy(buffer, 0, out, 0, n); + return out; + } + + // see JCE spec + protected int engineDoFinal(byte[] in, int inOfs, int inLen, + byte[] out, int outOfs) throws ShortBufferException, + IllegalBlockSizeException, BadPaddingException { + implUpdate(in, inOfs, inLen); + return implDoFinal(out, outOfs, out.length - outOfs); + } + + private byte[] doFinal() throws BadPaddingException, + IllegalBlockSizeException { + byte[] t = new byte[2048]; + int n = implDoFinal(t, 0, t.length); + byte[] out = new byte[n]; + System.arraycopy(t, 0, out, 0, n); + return out; + } + + // see JCE spec + protected byte[] engineWrap(Key key) throws InvalidKeyException, + IllegalBlockSizeException { + String keyAlg = key.getAlgorithm(); + P11Key sKey = null; + try { + // The conversion may fail, e.g. trying to wrap an AES key on + // a token that does not support AES, or when the key size is + // not within the range supported by the token. + sKey = P11SecretKeyFactory.convertKey(token, key, keyAlg); + } catch (InvalidKeyException ike) { + byte[] toBeWrappedKey = key.getEncoded(); + if (toBeWrappedKey == null) { + throw new InvalidKeyException + ("wrap() failed, no encoding available", ike); + } + // Directly encrypt the key encoding when key conversion failed + implInit(Cipher.ENCRYPT_MODE, p11Key); + implUpdate(toBeWrappedKey, 0, toBeWrappedKey.length); + try { + return doFinal(); + } catch (BadPaddingException bpe) { + // should not occur + throw new InvalidKeyException("wrap() failed", bpe); + } finally { + // Restore original mode + implInit(Cipher.WRAP_MODE, p11Key); + } + } + Session s = null; + try { + s = token.getOpSession(); + return token.p11.C_WrapKey(s.id(), new CK_MECHANISM(mechanism), + p11Key.keyID, sKey.keyID); + } catch (PKCS11Exception e) { + throw new InvalidKeyException("wrap() failed", e); + } finally { + token.releaseSession(s); + } + } + + // see JCE spec + @SuppressWarnings("deprecation") + protected Key engineUnwrap(byte[] wrappedKey, String algorithm, + int type) throws InvalidKeyException, NoSuchAlgorithmException { + + boolean isTlsRsaPremasterSecret = + algorithm.equals("TlsRsaPremasterSecret"); + Exception failover = null; + + // Should C_Unwrap be preferred for non-TLS RSA premaster secret? + if (token.supportsRawSecretKeyImport()) { + // XXX implement unwrap using C_Unwrap() for all keys + implInit(Cipher.DECRYPT_MODE, p11Key); + try { + if (wrappedKey.length > maxInputSize) { + throw new InvalidKeyException("Key is too long for unwrapping"); + } + + byte[] encoded = null; + implUpdate(wrappedKey, 0, wrappedKey.length); + try { + encoded = doFinal(); + } catch (BadPaddingException e) { + if (isTlsRsaPremasterSecret) { + failover = e; + } else { + throw new InvalidKeyException("Unwrapping failed", e); + } + } catch (IllegalBlockSizeException e) { + // should not occur, handled with length check above + throw new InvalidKeyException("Unwrapping failed", e); + } + + if (isTlsRsaPremasterSecret) { + if (!(spec instanceof TlsRsaPremasterSecretParameterSpec)) { + throw new IllegalStateException( + "No TlsRsaPremasterSecretParameterSpec specified"); + } + + // polish the TLS premaster secret + TlsRsaPremasterSecretParameterSpec psps = + (TlsRsaPremasterSecretParameterSpec)spec; + encoded = KeyUtil.checkTlsPreMasterSecretKey( + psps.getClientVersion(), psps.getServerVersion(), + random, encoded, (failover != null)); + } + + return ConstructKeys.constructKey(encoded, algorithm, type); + } finally { + // Restore original mode + implInit(Cipher.UNWRAP_MODE, p11Key); + } + } else { + Session s = null; + SecretKey secretKey = null; + try { + try { + s = token.getObjSession(); + long keyType = CKK_GENERIC_SECRET; + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), + }; + attributes = token.getAttributes( + O_IMPORT, CKO_SECRET_KEY, keyType, attributes); + long keyID = token.p11.C_UnwrapKey(s.id(), + new CK_MECHANISM(mechanism), p11Key.keyID, + wrappedKey, attributes); + secretKey = P11Key.secretKey(s, keyID, + algorithm, 48 << 3, attributes); + } catch (PKCS11Exception e) { + if (isTlsRsaPremasterSecret) { + failover = e; + } else { + throw new InvalidKeyException("unwrap() failed", e); + } + } + + if (isTlsRsaPremasterSecret) { + TlsRsaPremasterSecretParameterSpec psps = + (TlsRsaPremasterSecretParameterSpec)spec; + + // Please use the tricky failover as the parameter so that + // smart compiler won't dispose the unused variable. + secretKey = polishPreMasterSecretKey(token, s, + failover, secretKey, + psps.getClientVersion(), psps.getServerVersion()); + } + + return secretKey; + } finally { + token.releaseSession(s); + } + } + } + + // see JCE spec + protected int engineGetKeySize(Key key) throws InvalidKeyException { + int n = P11KeyFactory.convertKey(token, key, algorithm).length(); + return n; + } + + private static SecretKey polishPreMasterSecretKey( + Token token, Session session, + Exception failover, SecretKey unwrappedKey, + int clientVersion, int serverVersion) { + + SecretKey newKey; + CK_VERSION version = new CK_VERSION( + (clientVersion >>> 8) & 0xFF, clientVersion & 0xFF); + try { + CK_ATTRIBUTE[] attributes = token.getAttributes( + O_GENERATE, CKO_SECRET_KEY, + CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); + long keyID = token.p11.C_GenerateKey(session.id(), + new CK_MECHANISM(CKM_SSL3_PRE_MASTER_KEY_GEN, version), + attributes); + newKey = P11Key.secretKey(session, + keyID, "TlsRsaPremasterSecret", 48 << 3, attributes); + } catch (PKCS11Exception e) { + throw new ProviderException( + "Could not generate premaster secret", e); + } + + return (failover == null) ? unwrappedKey : newKey; + } + +} + +final class ConstructKeys { + /** + * Construct a public key from its encoding. + * + * @param encodedKey the encoding of a public key. + * + * @param encodedKeyAlgorithm the algorithm the encodedKey is for. + * + * @return a public key constructed from the encodedKey. + */ + private static final PublicKey constructPublicKey(byte[] encodedKey, + String encodedKeyAlgorithm) + throws InvalidKeyException, NoSuchAlgorithmException { + try { + KeyFactory keyFactory = + KeyFactory.getInstance(encodedKeyAlgorithm); + X509EncodedKeySpec keySpec = new X509EncodedKeySpec(encodedKey); + return keyFactory.generatePublic(keySpec); + } catch (NoSuchAlgorithmException nsae) { + throw new NoSuchAlgorithmException("No installed providers " + + "can create keys for the " + + encodedKeyAlgorithm + + "algorithm", nsae); + } catch (InvalidKeySpecException ike) { + throw new InvalidKeyException("Cannot construct public key", ike); + } + } + + /** + * Construct a private key from its encoding. + * + * @param encodedKey the encoding of a private key. + * + * @param encodedKeyAlgorithm the algorithm the wrapped key is for. + * + * @return a private key constructed from the encodedKey. + */ + private static final PrivateKey constructPrivateKey(byte[] encodedKey, + String encodedKeyAlgorithm) throws InvalidKeyException, + NoSuchAlgorithmException { + try { + KeyFactory keyFactory = + KeyFactory.getInstance(encodedKeyAlgorithm); + PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encodedKey); + return keyFactory.generatePrivate(keySpec); + } catch (NoSuchAlgorithmException nsae) { + throw new NoSuchAlgorithmException("No installed providers " + + "can create keys for the " + + encodedKeyAlgorithm + + "algorithm", nsae); + } catch (InvalidKeySpecException ike) { + throw new InvalidKeyException("Cannot construct private key", ike); + } + } + + /** + * Construct a secret key from its encoding. + * + * @param encodedKey the encoding of a secret key. + * + * @param encodedKeyAlgorithm the algorithm the secret key is for. + * + * @return a secret key constructed from the encodedKey. + */ + private static final SecretKey constructSecretKey(byte[] encodedKey, + String encodedKeyAlgorithm) { + return new SecretKeySpec(encodedKey, encodedKeyAlgorithm); + } + + static final Key constructKey(byte[] encoding, String keyAlgorithm, + int keyType) throws InvalidKeyException, NoSuchAlgorithmException { + switch (keyType) { + case Cipher.SECRET_KEY: + return constructSecretKey(encoding, keyAlgorithm); + case Cipher.PRIVATE_KEY: + return constructPrivateKey(encoding, keyAlgorithm); + case Cipher.PUBLIC_KEY: + return constructPublicKey(encoding, keyAlgorithm); + default: + throw new InvalidKeyException("Unknown keytype " + keyType); + } + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java 2017-01-20 09:52:36.194289037 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,325 +0,0 @@ -/* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.math.BigInteger; - -import java.security.*; -import java.security.interfaces.*; -import java.security.spec.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -import sun.security.rsa.RSAKeyFactory; - -/** - * RSA KeyFactory implementation. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11RSAKeyFactory extends P11KeyFactory { - - P11RSAKeyFactory(Token token, String algorithm) { - super(token, algorithm); - } - - PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException { - try { - if (key instanceof RSAPublicKey) { - RSAPublicKey rsaKey = (RSAPublicKey)key; - return generatePublic( - rsaKey.getModulus(), - rsaKey.getPublicExponent() - ); - } else if ("X.509".equals(key.getFormat())) { - // let SunRsaSign provider parse for us, then recurse - byte[] encoded = key.getEncoded(); - key = new sun.security.rsa.RSAPublicKeyImpl(encoded); - return implTranslatePublicKey(key); - } else { - throw new InvalidKeyException("PublicKey must be instance " - + "of RSAPublicKey or have X.509 encoding"); - } - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create RSA public key", e); - } - } - - PrivateKey implTranslatePrivateKey(PrivateKey key) - throws InvalidKeyException { - try { - if (key instanceof RSAPrivateCrtKey) { - RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key; - return generatePrivate( - rsaKey.getModulus(), - rsaKey.getPublicExponent(), - rsaKey.getPrivateExponent(), - rsaKey.getPrimeP(), - rsaKey.getPrimeQ(), - rsaKey.getPrimeExponentP(), - rsaKey.getPrimeExponentQ(), - rsaKey.getCrtCoefficient() - ); - } else if (key instanceof RSAPrivateKey) { - RSAPrivateKey rsaKey = (RSAPrivateKey)key; - return generatePrivate( - rsaKey.getModulus(), - rsaKey.getPrivateExponent() - ); - } else if ("PKCS#8".equals(key.getFormat())) { - // let SunRsaSign provider parse for us, then recurse - byte[] encoded = key.getEncoded(); - key = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(encoded); - return implTranslatePrivateKey(key); - } else { - throw new InvalidKeyException("Private key must be instance " - + "of RSAPrivate(Crt)Key or have PKCS#8 encoding"); - } - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create RSA private key", e); - } - } - - // see JCA spec - protected PublicKey engineGeneratePublic(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec instanceof X509EncodedKeySpec) { - try { - byte[] encoded = ((X509EncodedKeySpec)keySpec).getEncoded(); - PublicKey key = new sun.security.rsa.RSAPublicKeyImpl(encoded); - return implTranslatePublicKey(key); - } catch (InvalidKeyException e) { - throw new InvalidKeySpecException - ("Could not create RSA public key", e); - } - } - if (keySpec instanceof RSAPublicKeySpec == false) { - throw new InvalidKeySpecException("Only RSAPublicKeySpec and " - + "X509EncodedKeySpec supported for RSA public keys"); - } - try { - RSAPublicKeySpec rs = (RSAPublicKeySpec)keySpec; - return generatePublic( - rs.getModulus(), - rs.getPublicExponent() - ); - } catch (PKCS11Exception | InvalidKeyException e) { - throw new InvalidKeySpecException - ("Could not create RSA public key", e); - } - } - - // see JCA spec - protected PrivateKey engineGeneratePrivate(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec instanceof PKCS8EncodedKeySpec) { - try { - byte[] encoded = ((PKCS8EncodedKeySpec)keySpec).getEncoded(); - PrivateKey key = - sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(encoded); - return implTranslatePrivateKey(key); - } catch (GeneralSecurityException e) { - throw new InvalidKeySpecException - ("Could not create RSA private key", e); - } - } - try { - if (keySpec instanceof RSAPrivateCrtKeySpec) { - RSAPrivateCrtKeySpec rs = (RSAPrivateCrtKeySpec)keySpec; - return generatePrivate( - rs.getModulus(), - rs.getPublicExponent(), - rs.getPrivateExponent(), - rs.getPrimeP(), - rs.getPrimeQ(), - rs.getPrimeExponentP(), - rs.getPrimeExponentQ(), - rs.getCrtCoefficient() - ); - } else if (keySpec instanceof RSAPrivateKeySpec) { - RSAPrivateKeySpec rs = (RSAPrivateKeySpec)keySpec; - return generatePrivate( - rs.getModulus(), - rs.getPrivateExponent() - ); - } else { - throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec " - + "and PKCS8EncodedKeySpec supported for RSA private keys"); - } - } catch (PKCS11Exception | InvalidKeyException e) { - throw new InvalidKeySpecException - ("Could not create RSA private key", e); - } - } - - private PublicKey generatePublic(BigInteger n, BigInteger e) - throws PKCS11Exception, InvalidKeyException { - RSAKeyFactory.checkKeyLengths(n.bitLength(), e, -1, 64 * 1024); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), - new CK_ATTRIBUTE(CKA_MODULUS, n), - new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, e), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PUBLIC_KEY, CKK_RSA, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.publicKey - (session, keyID, "RSA", n.bitLength(), attributes); - } finally { - token.releaseSession(session); - } - } - - private PrivateKey generatePrivate(BigInteger n, BigInteger d) - throws PKCS11Exception, InvalidKeyException { - RSAKeyFactory.checkKeyLengths(n.bitLength(), null, -1, 64 * 1024); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), - new CK_ATTRIBUTE(CKA_MODULUS, n), - new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT, d), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.privateKey - (session, keyID, "RSA", n.bitLength(), attributes); - } finally { - token.releaseSession(session); - } - } - - private PrivateKey generatePrivate(BigInteger n, BigInteger e, - BigInteger d, BigInteger p, BigInteger q, BigInteger pe, - BigInteger qe, BigInteger coeff) throws PKCS11Exception, - InvalidKeyException { - RSAKeyFactory.checkKeyLengths(n.bitLength(), e, -1, 64 * 1024); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), - new CK_ATTRIBUTE(CKA_MODULUS, n), - new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, e), - new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT, d), - new CK_ATTRIBUTE(CKA_PRIME_1, p), - new CK_ATTRIBUTE(CKA_PRIME_2, q), - new CK_ATTRIBUTE(CKA_EXPONENT_1, pe), - new CK_ATTRIBUTE(CKA_EXPONENT_2, qe), - new CK_ATTRIBUTE(CKA_COEFFICIENT, coeff), - }; - attributes = token.getAttributes - (O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attributes); - Session session = null; - try { - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - return P11Key.privateKey - (session, keyID, "RSA", n.bitLength(), attributes); - } finally { - token.releaseSession(session); - } - } - - T implGetPublicKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException { - if (RSAPublicKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_MODULUS), - new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - KeySpec spec = new RSAPublicKeySpec( - attributes[0].getBigInteger(), - attributes[1].getBigInteger() - ); - return keySpec.cast(spec); - } else { // X.509 handled in superclass - throw new InvalidKeySpecException("Only RSAPublicKeySpec and " - + "X509EncodedKeySpec supported for RSA public keys"); - } - } - - T implGetPrivateKeySpec(P11Key key, Class keySpec, - Session[] session) throws PKCS11Exception, InvalidKeySpecException { - if (RSAPrivateCrtKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_MODULUS), - new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT), - new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT), - new CK_ATTRIBUTE(CKA_PRIME_1), - new CK_ATTRIBUTE(CKA_PRIME_2), - new CK_ATTRIBUTE(CKA_EXPONENT_1), - new CK_ATTRIBUTE(CKA_EXPONENT_2), - new CK_ATTRIBUTE(CKA_COEFFICIENT), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - KeySpec spec = new RSAPrivateCrtKeySpec( - attributes[0].getBigInteger(), - attributes[1].getBigInteger(), - attributes[2].getBigInteger(), - attributes[3].getBigInteger(), - attributes[4].getBigInteger(), - attributes[5].getBigInteger(), - attributes[6].getBigInteger(), - attributes[7].getBigInteger() - ); - return keySpec.cast(spec); - } else if (RSAPrivateKeySpec.class.isAssignableFrom(keySpec)) { - session[0] = token.getObjSession(); - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_MODULUS), - new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT), - }; - token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); - KeySpec spec = new RSAPrivateKeySpec( - attributes[0].getBigInteger(), - attributes[1].getBigInteger() - ); - return keySpec.cast(spec); - } else { // PKCS#8 handled in superclass - throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec " - + "and PKCS8EncodedKeySpec supported for RSA private keys"); - } - } - - KeyFactory implGetSoftwareFactory() throws GeneralSecurityException { - return KeyFactory.getInstance("RSA", P11Util.getSunRsaSignProvider()); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java 2017-01-20 09:52:35.898289048 -0800 @@ -0,0 +1,325 @@ +/* + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; + +import java.security.*; +import java.security.interfaces.*; +import java.security.spec.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +import sun.security.rsa.RSAKeyFactory; + +/** + * RSA KeyFactory implementation. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11RSAKeyFactory extends P11KeyFactory { + + P11RSAKeyFactory(Token token, String algorithm) { + super(token, algorithm); + } + + PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException { + try { + if (key instanceof RSAPublicKey) { + RSAPublicKey rsaKey = (RSAPublicKey)key; + return generatePublic( + rsaKey.getModulus(), + rsaKey.getPublicExponent() + ); + } else if ("X.509".equals(key.getFormat())) { + // let SunRsaSign provider parse for us, then recurse + byte[] encoded = key.getEncoded(); + key = new sun.security.rsa.RSAPublicKeyImpl(encoded); + return implTranslatePublicKey(key); + } else { + throw new InvalidKeyException("PublicKey must be instance " + + "of RSAPublicKey or have X.509 encoding"); + } + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create RSA public key", e); + } + } + + PrivateKey implTranslatePrivateKey(PrivateKey key) + throws InvalidKeyException { + try { + if (key instanceof RSAPrivateCrtKey) { + RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key; + return generatePrivate( + rsaKey.getModulus(), + rsaKey.getPublicExponent(), + rsaKey.getPrivateExponent(), + rsaKey.getPrimeP(), + rsaKey.getPrimeQ(), + rsaKey.getPrimeExponentP(), + rsaKey.getPrimeExponentQ(), + rsaKey.getCrtCoefficient() + ); + } else if (key instanceof RSAPrivateKey) { + RSAPrivateKey rsaKey = (RSAPrivateKey)key; + return generatePrivate( + rsaKey.getModulus(), + rsaKey.getPrivateExponent() + ); + } else if ("PKCS#8".equals(key.getFormat())) { + // let SunRsaSign provider parse for us, then recurse + byte[] encoded = key.getEncoded(); + key = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(encoded); + return implTranslatePrivateKey(key); + } else { + throw new InvalidKeyException("Private key must be instance " + + "of RSAPrivate(Crt)Key or have PKCS#8 encoding"); + } + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create RSA private key", e); + } + } + + // see JCA spec + protected PublicKey engineGeneratePublic(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec instanceof X509EncodedKeySpec) { + try { + byte[] encoded = ((X509EncodedKeySpec)keySpec).getEncoded(); + PublicKey key = new sun.security.rsa.RSAPublicKeyImpl(encoded); + return implTranslatePublicKey(key); + } catch (InvalidKeyException e) { + throw new InvalidKeySpecException + ("Could not create RSA public key", e); + } + } + if (keySpec instanceof RSAPublicKeySpec == false) { + throw new InvalidKeySpecException("Only RSAPublicKeySpec and " + + "X509EncodedKeySpec supported for RSA public keys"); + } + try { + RSAPublicKeySpec rs = (RSAPublicKeySpec)keySpec; + return generatePublic( + rs.getModulus(), + rs.getPublicExponent() + ); + } catch (PKCS11Exception | InvalidKeyException e) { + throw new InvalidKeySpecException + ("Could not create RSA public key", e); + } + } + + // see JCA spec + protected PrivateKey engineGeneratePrivate(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec instanceof PKCS8EncodedKeySpec) { + try { + byte[] encoded = ((PKCS8EncodedKeySpec)keySpec).getEncoded(); + PrivateKey key = + sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(encoded); + return implTranslatePrivateKey(key); + } catch (GeneralSecurityException e) { + throw new InvalidKeySpecException + ("Could not create RSA private key", e); + } + } + try { + if (keySpec instanceof RSAPrivateCrtKeySpec) { + RSAPrivateCrtKeySpec rs = (RSAPrivateCrtKeySpec)keySpec; + return generatePrivate( + rs.getModulus(), + rs.getPublicExponent(), + rs.getPrivateExponent(), + rs.getPrimeP(), + rs.getPrimeQ(), + rs.getPrimeExponentP(), + rs.getPrimeExponentQ(), + rs.getCrtCoefficient() + ); + } else if (keySpec instanceof RSAPrivateKeySpec) { + RSAPrivateKeySpec rs = (RSAPrivateKeySpec)keySpec; + return generatePrivate( + rs.getModulus(), + rs.getPrivateExponent() + ); + } else { + throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec " + + "and PKCS8EncodedKeySpec supported for RSA private keys"); + } + } catch (PKCS11Exception | InvalidKeyException e) { + throw new InvalidKeySpecException + ("Could not create RSA private key", e); + } + } + + private PublicKey generatePublic(BigInteger n, BigInteger e) + throws PKCS11Exception, InvalidKeyException { + RSAKeyFactory.checkKeyLengths(n.bitLength(), e, -1, 64 * 1024); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), + new CK_ATTRIBUTE(CKA_MODULUS, n), + new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, e), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PUBLIC_KEY, CKK_RSA, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.publicKey + (session, keyID, "RSA", n.bitLength(), attributes); + } finally { + token.releaseSession(session); + } + } + + private PrivateKey generatePrivate(BigInteger n, BigInteger d) + throws PKCS11Exception, InvalidKeyException { + RSAKeyFactory.checkKeyLengths(n.bitLength(), null, -1, 64 * 1024); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), + new CK_ATTRIBUTE(CKA_MODULUS, n), + new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT, d), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.privateKey + (session, keyID, "RSA", n.bitLength(), attributes); + } finally { + token.releaseSession(session); + } + } + + private PrivateKey generatePrivate(BigInteger n, BigInteger e, + BigInteger d, BigInteger p, BigInteger q, BigInteger pe, + BigInteger qe, BigInteger coeff) throws PKCS11Exception, + InvalidKeyException { + RSAKeyFactory.checkKeyLengths(n.bitLength(), e, -1, 64 * 1024); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA), + new CK_ATTRIBUTE(CKA_MODULUS, n), + new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT, e), + new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT, d), + new CK_ATTRIBUTE(CKA_PRIME_1, p), + new CK_ATTRIBUTE(CKA_PRIME_2, q), + new CK_ATTRIBUTE(CKA_EXPONENT_1, pe), + new CK_ATTRIBUTE(CKA_EXPONENT_2, qe), + new CK_ATTRIBUTE(CKA_COEFFICIENT, coeff), + }; + attributes = token.getAttributes + (O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attributes); + Session session = null; + try { + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + return P11Key.privateKey + (session, keyID, "RSA", n.bitLength(), attributes); + } finally { + token.releaseSession(session); + } + } + + T implGetPublicKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException { + if (RSAPublicKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_MODULUS), + new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + KeySpec spec = new RSAPublicKeySpec( + attributes[0].getBigInteger(), + attributes[1].getBigInteger() + ); + return keySpec.cast(spec); + } else { // X.509 handled in superclass + throw new InvalidKeySpecException("Only RSAPublicKeySpec and " + + "X509EncodedKeySpec supported for RSA public keys"); + } + } + + T implGetPrivateKeySpec(P11Key key, Class keySpec, + Session[] session) throws PKCS11Exception, InvalidKeySpecException { + if (RSAPrivateCrtKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_MODULUS), + new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT), + new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT), + new CK_ATTRIBUTE(CKA_PRIME_1), + new CK_ATTRIBUTE(CKA_PRIME_2), + new CK_ATTRIBUTE(CKA_EXPONENT_1), + new CK_ATTRIBUTE(CKA_EXPONENT_2), + new CK_ATTRIBUTE(CKA_COEFFICIENT), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + KeySpec spec = new RSAPrivateCrtKeySpec( + attributes[0].getBigInteger(), + attributes[1].getBigInteger(), + attributes[2].getBigInteger(), + attributes[3].getBigInteger(), + attributes[4].getBigInteger(), + attributes[5].getBigInteger(), + attributes[6].getBigInteger(), + attributes[7].getBigInteger() + ); + return keySpec.cast(spec); + } else if (RSAPrivateKeySpec.class.isAssignableFrom(keySpec)) { + session[0] = token.getObjSession(); + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_MODULUS), + new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT), + }; + token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes); + KeySpec spec = new RSAPrivateKeySpec( + attributes[0].getBigInteger(), + attributes[1].getBigInteger() + ); + return keySpec.cast(spec); + } else { // PKCS#8 handled in superclass + throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec " + + "and PKCS8EncodedKeySpec supported for RSA private keys"); + } + } + + KeyFactory implGetSoftwareFactory() throws GeneralSecurityException { + return KeyFactory.getInstance("RSA", P11Util.getSunRsaSignProvider()); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java 2017-01-20 09:52:36.554289023 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,358 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.util.*; - -import java.security.*; -import java.security.spec.*; - -import javax.crypto.*; -import javax.crypto.spec.*; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * SecretKeyFactory implementation class. This class currently supports - * DES, DESede, AES, ARCFOUR, and Blowfish. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11SecretKeyFactory extends SecretKeyFactorySpi { - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - P11SecretKeyFactory(Token token, String algorithm) { - super(); - this.token = token; - this.algorithm = algorithm; - } - - private static final Map keyTypes; - - static { - keyTypes = new HashMap(); - addKeyType("RC4", CKK_RC4); - addKeyType("ARCFOUR", CKK_RC4); - addKeyType("DES", CKK_DES); - addKeyType("DESede", CKK_DES3); - addKeyType("AES", CKK_AES); - addKeyType("Blowfish", CKK_BLOWFISH); - - // we don't implement RC2 or IDEA, but we want to be able to generate - // keys for those SSL/TLS ciphersuites. - addKeyType("RC2", CKK_RC2); - addKeyType("IDEA", CKK_IDEA); - - addKeyType("TlsPremasterSecret", PCKK_TLSPREMASTER); - addKeyType("TlsRsaPremasterSecret", PCKK_TLSRSAPREMASTER); - addKeyType("TlsMasterSecret", PCKK_TLSMASTER); - addKeyType("Generic", CKK_GENERIC_SECRET); - } - - private static void addKeyType(String name, long id) { - Long l = Long.valueOf(id); - keyTypes.put(name, l); - keyTypes.put(name.toUpperCase(Locale.ENGLISH), l); - } - - static long getKeyType(String algorithm) { - Long l = keyTypes.get(algorithm); - if (l == null) { - algorithm = algorithm.toUpperCase(Locale.ENGLISH); - l = keyTypes.get(algorithm); - if (l == null) { - if (algorithm.startsWith("HMAC")) { - return PCKK_HMAC; - } else if (algorithm.startsWith("SSLMAC")) { - return PCKK_SSLMAC; - } - } - } - return (l != null) ? l.longValue() : -1; - } - - /** - * Convert an arbitrary key of algorithm into a P11Key of provider. - * Used in engineTranslateKey(), P11Cipher.init(), and P11Mac.init(). - */ - static P11Key convertKey(Token token, Key key, String algo) - throws InvalidKeyException { - return convertKey(token, key, algo, null); - } - - /** - * Convert an arbitrary key of algorithm w/ custom attributes into a - * P11Key of provider. - * Used in P11KeyStore.storeSkey. - */ - static P11Key convertKey(Token token, Key key, String algo, - CK_ATTRIBUTE[] extraAttrs) - throws InvalidKeyException { - token.ensureValid(); - if (key == null) { - throw new InvalidKeyException("Key must not be null"); - } - if (key instanceof SecretKey == false) { - throw new InvalidKeyException("Key must be a SecretKey"); - } - long algoType; - if (algo == null) { - algo = key.getAlgorithm(); - algoType = getKeyType(algo); - } else { - algoType = getKeyType(algo); - long keyAlgorithmType = getKeyType(key.getAlgorithm()); - if (algoType != keyAlgorithmType) { - if ((algoType == PCKK_HMAC) || (algoType == PCKK_SSLMAC)) { - // ignore key algorithm for MACs - } else { - throw new InvalidKeyException - ("Key algorithm must be " + algo); - } - } - } - if (key instanceof P11Key) { - P11Key p11Key = (P11Key)key; - if (p11Key.token == token) { - if (extraAttrs != null) { - Session session = null; - try { - session = token.getObjSession(); - long newKeyID = token.p11.C_CopyObject(session.id(), - p11Key.keyID, extraAttrs); - p11Key = (P11Key) (P11Key.secretKey(session, - newKeyID, p11Key.algorithm, p11Key.keyLength, - extraAttrs)); - } catch (PKCS11Exception p11e) { - throw new InvalidKeyException - ("Cannot duplicate the PKCS11 key", p11e); - } finally { - token.releaseSession(session); - } - } - return p11Key; - } - } - P11Key p11Key = token.secretCache.get(key); - if (p11Key != null) { - return p11Key; - } - if ("RAW".equalsIgnoreCase(key.getFormat()) == false) { - throw new InvalidKeyException("Encoded format must be RAW"); - } - byte[] encoded = key.getEncoded(); - p11Key = createKey(token, encoded, algo, algoType, extraAttrs); - token.secretCache.put(key, p11Key); - return p11Key; - } - - static void fixDESParity(byte[] key, int offset) { - for (int i = 0; i < 8; i++) { - int b = key[offset] & 0xfe; - b |= (Integer.bitCount(b) & 1) ^ 1; - key[offset++] = (byte)b; - } - } - - private static P11Key createKey(Token token, byte[] encoded, - String algorithm, long keyType, CK_ATTRIBUTE[] extraAttrs) - throws InvalidKeyException { - int n = encoded.length << 3; - int keyLength = n; - try { - switch ((int)keyType) { - case (int)CKK_DES: - keyLength = - P11KeyGenerator.checkKeySize(CKM_DES_KEY_GEN, n, token); - fixDESParity(encoded, 0); - break; - case (int)CKK_DES3: - keyLength = - P11KeyGenerator.checkKeySize(CKM_DES3_KEY_GEN, n, token); - fixDESParity(encoded, 0); - fixDESParity(encoded, 8); - if (keyLength == 112) { - keyType = CKK_DES2; - } else { - keyType = CKK_DES3; - fixDESParity(encoded, 16); - } - break; - case (int)CKK_AES: - keyLength = - P11KeyGenerator.checkKeySize(CKM_AES_KEY_GEN, n, token); - break; - case (int)CKK_RC4: - keyLength = - P11KeyGenerator.checkKeySize(CKM_RC4_KEY_GEN, n, token); - break; - case (int)CKK_BLOWFISH: - keyLength = - P11KeyGenerator.checkKeySize(CKM_BLOWFISH_KEY_GEN, n, - token); - break; - case (int)CKK_GENERIC_SECRET: - case (int)PCKK_TLSPREMASTER: - case (int)PCKK_TLSRSAPREMASTER: - case (int)PCKK_TLSMASTER: - keyType = CKK_GENERIC_SECRET; - break; - case (int)PCKK_SSLMAC: - case (int)PCKK_HMAC: - if (n == 0) { - throw new InvalidKeyException - ("MAC keys must not be empty"); - } - keyType = CKK_GENERIC_SECRET; - break; - default: - throw new InvalidKeyException("Unknown algorithm " + - algorithm); - } - } catch (InvalidAlgorithmParameterException iape) { - throw new InvalidKeyException("Invalid key for " + algorithm, - iape); - } catch (ProviderException pe) { - throw new InvalidKeyException("Could not create key", pe); - } - Session session = null; - try { - CK_ATTRIBUTE[] attributes; - if (extraAttrs != null) { - attributes = new CK_ATTRIBUTE[3 + extraAttrs.length]; - System.arraycopy(extraAttrs, 0, attributes, 3, - extraAttrs.length); - } else { - attributes = new CK_ATTRIBUTE[3]; - } - attributes[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); - attributes[1] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType); - attributes[2] = new CK_ATTRIBUTE(CKA_VALUE, encoded); - attributes = token.getAttributes - (O_IMPORT, CKO_SECRET_KEY, keyType, attributes); - session = token.getObjSession(); - long keyID = token.p11.C_CreateObject(session.id(), attributes); - P11Key p11Key = (P11Key)P11Key.secretKey - (session, keyID, algorithm, keyLength, attributes); - return p11Key; - } catch (PKCS11Exception e) { - throw new InvalidKeyException("Could not create key", e); - } finally { - token.releaseSession(session); - } - } - - // see JCE spec - protected SecretKey engineGenerateSecret(KeySpec keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if (keySpec == null) { - throw new InvalidKeySpecException("KeySpec must not be null"); - } - if (keySpec instanceof SecretKeySpec) { - try { - Key key = convertKey(token, (SecretKey)keySpec, algorithm); - return (SecretKey)key; - } catch (InvalidKeyException e) { - throw new InvalidKeySpecException(e); - } - } else if (algorithm.equalsIgnoreCase("DES")) { - if (keySpec instanceof DESKeySpec) { - byte[] keyBytes = ((DESKeySpec)keySpec).getKey(); - keySpec = new SecretKeySpec(keyBytes, "DES"); - return engineGenerateSecret(keySpec); - } - } else if (algorithm.equalsIgnoreCase("DESede")) { - if (keySpec instanceof DESedeKeySpec) { - byte[] keyBytes = ((DESedeKeySpec)keySpec).getKey(); - keySpec = new SecretKeySpec(keyBytes, "DESede"); - return engineGenerateSecret(keySpec); - } - } - throw new InvalidKeySpecException - ("Unsupported spec: " + keySpec.getClass().getName()); - } - - private byte[] getKeyBytes(SecretKey key) throws InvalidKeySpecException { - try { - key = engineTranslateKey(key); - if ("RAW".equalsIgnoreCase(key.getFormat()) == false) { - throw new InvalidKeySpecException - ("Could not obtain key bytes"); - } - byte[] k = key.getEncoded(); - return k; - } catch (InvalidKeyException e) { - throw new InvalidKeySpecException(e); - } - } - - // see JCE spec - protected KeySpec engineGetKeySpec(SecretKey key, Class keySpec) - throws InvalidKeySpecException { - token.ensureValid(); - if ((key == null) || (keySpec == null)) { - throw new InvalidKeySpecException - ("key and keySpec must not be null"); - } - if (SecretKeySpec.class.isAssignableFrom(keySpec)) { - return new SecretKeySpec(getKeyBytes(key), algorithm); - } else if (algorithm.equalsIgnoreCase("DES")) { - try { - if (DESKeySpec.class.isAssignableFrom(keySpec)) { - return new DESKeySpec(getKeyBytes(key)); - } - } catch (InvalidKeyException e) { - throw new InvalidKeySpecException(e); - } - } else if (algorithm.equalsIgnoreCase("DESede")) { - try { - if (DESedeKeySpec.class.isAssignableFrom(keySpec)) { - return new DESedeKeySpec(getKeyBytes(key)); - } - } catch (InvalidKeyException e) { - throw new InvalidKeySpecException(e); - } - } - throw new InvalidKeySpecException - ("Unsupported spec: " + keySpec.getName()); - } - - // see JCE spec - protected SecretKey engineTranslateKey(SecretKey key) - throws InvalidKeyException { - return (SecretKey)convertKey(token, key, algorithm); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java 2017-01-20 09:52:36.338289031 -0800 @@ -0,0 +1,358 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.util.*; + +import java.security.*; +import java.security.spec.*; + +import javax.crypto.*; +import javax.crypto.spec.*; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * SecretKeyFactory implementation class. This class currently supports + * DES, DESede, AES, ARCFOUR, and Blowfish. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11SecretKeyFactory extends SecretKeyFactorySpi { + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + P11SecretKeyFactory(Token token, String algorithm) { + super(); + this.token = token; + this.algorithm = algorithm; + } + + private static final Map keyTypes; + + static { + keyTypes = new HashMap(); + addKeyType("RC4", CKK_RC4); + addKeyType("ARCFOUR", CKK_RC4); + addKeyType("DES", CKK_DES); + addKeyType("DESede", CKK_DES3); + addKeyType("AES", CKK_AES); + addKeyType("Blowfish", CKK_BLOWFISH); + + // we don't implement RC2 or IDEA, but we want to be able to generate + // keys for those SSL/TLS ciphersuites. + addKeyType("RC2", CKK_RC2); + addKeyType("IDEA", CKK_IDEA); + + addKeyType("TlsPremasterSecret", PCKK_TLSPREMASTER); + addKeyType("TlsRsaPremasterSecret", PCKK_TLSRSAPREMASTER); + addKeyType("TlsMasterSecret", PCKK_TLSMASTER); + addKeyType("Generic", CKK_GENERIC_SECRET); + } + + private static void addKeyType(String name, long id) { + Long l = Long.valueOf(id); + keyTypes.put(name, l); + keyTypes.put(name.toUpperCase(Locale.ENGLISH), l); + } + + static long getKeyType(String algorithm) { + Long l = keyTypes.get(algorithm); + if (l == null) { + algorithm = algorithm.toUpperCase(Locale.ENGLISH); + l = keyTypes.get(algorithm); + if (l == null) { + if (algorithm.startsWith("HMAC")) { + return PCKK_HMAC; + } else if (algorithm.startsWith("SSLMAC")) { + return PCKK_SSLMAC; + } + } + } + return (l != null) ? l.longValue() : -1; + } + + /** + * Convert an arbitrary key of algorithm into a P11Key of provider. + * Used in engineTranslateKey(), P11Cipher.init(), and P11Mac.init(). + */ + static P11Key convertKey(Token token, Key key, String algo) + throws InvalidKeyException { + return convertKey(token, key, algo, null); + } + + /** + * Convert an arbitrary key of algorithm w/ custom attributes into a + * P11Key of provider. + * Used in P11KeyStore.storeSkey. + */ + static P11Key convertKey(Token token, Key key, String algo, + CK_ATTRIBUTE[] extraAttrs) + throws InvalidKeyException { + token.ensureValid(); + if (key == null) { + throw new InvalidKeyException("Key must not be null"); + } + if (key instanceof SecretKey == false) { + throw new InvalidKeyException("Key must be a SecretKey"); + } + long algoType; + if (algo == null) { + algo = key.getAlgorithm(); + algoType = getKeyType(algo); + } else { + algoType = getKeyType(algo); + long keyAlgorithmType = getKeyType(key.getAlgorithm()); + if (algoType != keyAlgorithmType) { + if ((algoType == PCKK_HMAC) || (algoType == PCKK_SSLMAC)) { + // ignore key algorithm for MACs + } else { + throw new InvalidKeyException + ("Key algorithm must be " + algo); + } + } + } + if (key instanceof P11Key) { + P11Key p11Key = (P11Key)key; + if (p11Key.token == token) { + if (extraAttrs != null) { + Session session = null; + try { + session = token.getObjSession(); + long newKeyID = token.p11.C_CopyObject(session.id(), + p11Key.keyID, extraAttrs); + p11Key = (P11Key) (P11Key.secretKey(session, + newKeyID, p11Key.algorithm, p11Key.keyLength, + extraAttrs)); + } catch (PKCS11Exception p11e) { + throw new InvalidKeyException + ("Cannot duplicate the PKCS11 key", p11e); + } finally { + token.releaseSession(session); + } + } + return p11Key; + } + } + P11Key p11Key = token.secretCache.get(key); + if (p11Key != null) { + return p11Key; + } + if ("RAW".equalsIgnoreCase(key.getFormat()) == false) { + throw new InvalidKeyException("Encoded format must be RAW"); + } + byte[] encoded = key.getEncoded(); + p11Key = createKey(token, encoded, algo, algoType, extraAttrs); + token.secretCache.put(key, p11Key); + return p11Key; + } + + static void fixDESParity(byte[] key, int offset) { + for (int i = 0; i < 8; i++) { + int b = key[offset] & 0xfe; + b |= (Integer.bitCount(b) & 1) ^ 1; + key[offset++] = (byte)b; + } + } + + private static P11Key createKey(Token token, byte[] encoded, + String algorithm, long keyType, CK_ATTRIBUTE[] extraAttrs) + throws InvalidKeyException { + int n = encoded.length << 3; + int keyLength = n; + try { + switch ((int)keyType) { + case (int)CKK_DES: + keyLength = + P11KeyGenerator.checkKeySize(CKM_DES_KEY_GEN, n, token); + fixDESParity(encoded, 0); + break; + case (int)CKK_DES3: + keyLength = + P11KeyGenerator.checkKeySize(CKM_DES3_KEY_GEN, n, token); + fixDESParity(encoded, 0); + fixDESParity(encoded, 8); + if (keyLength == 112) { + keyType = CKK_DES2; + } else { + keyType = CKK_DES3; + fixDESParity(encoded, 16); + } + break; + case (int)CKK_AES: + keyLength = + P11KeyGenerator.checkKeySize(CKM_AES_KEY_GEN, n, token); + break; + case (int)CKK_RC4: + keyLength = + P11KeyGenerator.checkKeySize(CKM_RC4_KEY_GEN, n, token); + break; + case (int)CKK_BLOWFISH: + keyLength = + P11KeyGenerator.checkKeySize(CKM_BLOWFISH_KEY_GEN, n, + token); + break; + case (int)CKK_GENERIC_SECRET: + case (int)PCKK_TLSPREMASTER: + case (int)PCKK_TLSRSAPREMASTER: + case (int)PCKK_TLSMASTER: + keyType = CKK_GENERIC_SECRET; + break; + case (int)PCKK_SSLMAC: + case (int)PCKK_HMAC: + if (n == 0) { + throw new InvalidKeyException + ("MAC keys must not be empty"); + } + keyType = CKK_GENERIC_SECRET; + break; + default: + throw new InvalidKeyException("Unknown algorithm " + + algorithm); + } + } catch (InvalidAlgorithmParameterException iape) { + throw new InvalidKeyException("Invalid key for " + algorithm, + iape); + } catch (ProviderException pe) { + throw new InvalidKeyException("Could not create key", pe); + } + Session session = null; + try { + CK_ATTRIBUTE[] attributes; + if (extraAttrs != null) { + attributes = new CK_ATTRIBUTE[3 + extraAttrs.length]; + System.arraycopy(extraAttrs, 0, attributes, 3, + extraAttrs.length); + } else { + attributes = new CK_ATTRIBUTE[3]; + } + attributes[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); + attributes[1] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType); + attributes[2] = new CK_ATTRIBUTE(CKA_VALUE, encoded); + attributes = token.getAttributes + (O_IMPORT, CKO_SECRET_KEY, keyType, attributes); + session = token.getObjSession(); + long keyID = token.p11.C_CreateObject(session.id(), attributes); + P11Key p11Key = (P11Key)P11Key.secretKey + (session, keyID, algorithm, keyLength, attributes); + return p11Key; + } catch (PKCS11Exception e) { + throw new InvalidKeyException("Could not create key", e); + } finally { + token.releaseSession(session); + } + } + + // see JCE spec + protected SecretKey engineGenerateSecret(KeySpec keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if (keySpec == null) { + throw new InvalidKeySpecException("KeySpec must not be null"); + } + if (keySpec instanceof SecretKeySpec) { + try { + Key key = convertKey(token, (SecretKey)keySpec, algorithm); + return (SecretKey)key; + } catch (InvalidKeyException e) { + throw new InvalidKeySpecException(e); + } + } else if (algorithm.equalsIgnoreCase("DES")) { + if (keySpec instanceof DESKeySpec) { + byte[] keyBytes = ((DESKeySpec)keySpec).getKey(); + keySpec = new SecretKeySpec(keyBytes, "DES"); + return engineGenerateSecret(keySpec); + } + } else if (algorithm.equalsIgnoreCase("DESede")) { + if (keySpec instanceof DESedeKeySpec) { + byte[] keyBytes = ((DESedeKeySpec)keySpec).getKey(); + keySpec = new SecretKeySpec(keyBytes, "DESede"); + return engineGenerateSecret(keySpec); + } + } + throw new InvalidKeySpecException + ("Unsupported spec: " + keySpec.getClass().getName()); + } + + private byte[] getKeyBytes(SecretKey key) throws InvalidKeySpecException { + try { + key = engineTranslateKey(key); + if ("RAW".equalsIgnoreCase(key.getFormat()) == false) { + throw new InvalidKeySpecException + ("Could not obtain key bytes"); + } + byte[] k = key.getEncoded(); + return k; + } catch (InvalidKeyException e) { + throw new InvalidKeySpecException(e); + } + } + + // see JCE spec + protected KeySpec engineGetKeySpec(SecretKey key, Class keySpec) + throws InvalidKeySpecException { + token.ensureValid(); + if ((key == null) || (keySpec == null)) { + throw new InvalidKeySpecException + ("key and keySpec must not be null"); + } + if (SecretKeySpec.class.isAssignableFrom(keySpec)) { + return new SecretKeySpec(getKeyBytes(key), algorithm); + } else if (algorithm.equalsIgnoreCase("DES")) { + try { + if (DESKeySpec.class.isAssignableFrom(keySpec)) { + return new DESKeySpec(getKeyBytes(key)); + } + } catch (InvalidKeyException e) { + throw new InvalidKeySpecException(e); + } + } else if (algorithm.equalsIgnoreCase("DESede")) { + try { + if (DESedeKeySpec.class.isAssignableFrom(keySpec)) { + return new DESedeKeySpec(getKeyBytes(key)); + } + } catch (InvalidKeyException e) { + throw new InvalidKeySpecException(e); + } + } + throw new InvalidKeySpecException + ("Unsupported spec: " + keySpec.getName()); + } + + // see JCE spec + protected SecretKey engineTranslateKey(SecretKey key) + throws InvalidKeyException { + return (SecretKey)convertKey(token, key, algorithm); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11SecureRandom.java 2017-01-20 09:52:36.918289010 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,200 +0,0 @@ -/* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.io.*; -import java.security.*; -import sun.security.pkcs11.wrapper.*; - -/** - * SecureRandom implementation class. Some tokens support only - * C_GenerateRandom() and not C_SeedRandom(). In order not to lose an - * application specified seed, we create a SHA1PRNG that we mix with in that - * case. - * - * Note that since SecureRandom is thread safe, we only need one - * instance per PKCS#11 token instance. It is created on demand and cached - * in the SunPKCS11 class. - * - * Also note that we obtain the PKCS#11 session on demand, no need to tie one - * up. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11SecureRandom extends SecureRandomSpi { - - private static final long serialVersionUID = -8939510236124553291L; - - // token instance - private final Token token; - - // PRNG for mixing, non-null if active (i.e. setSeed() has been called) - private volatile SecureRandom mixRandom; - - // buffer, if mixing is used - private byte[] mixBuffer; - - // bytes remaining in mixBuffer, if mixing is used - private int buffered; - - /* - * we buffer data internally for efficiency but limit the lifetime - * to avoid using stale bits. - */ - // lifetime in ms, currently 100 ms (0.1 s) - private static final long MAX_IBUFFER_TIME = 100; - - // size of the internal buffer - private static final int IBUFFER_SIZE = 32; - - // internal buffer for the random bits - private transient byte[] iBuffer = new byte[IBUFFER_SIZE]; - - // number of bytes remain in iBuffer - private transient int ibuffered = 0; - - // time that data was read into iBuffer - private transient long lastRead = 0L; - - P11SecureRandom(Token token) { - this.token = token; - } - - // see JCA spec - @Override - protected synchronized void engineSetSeed(byte[] seed) { - if (seed == null) { - throw new NullPointerException("seed must not be null"); - } - Session session = null; - try { - session = token.getOpSession(); - token.p11.C_SeedRandom(session.id(), seed); - } catch (PKCS11Exception e) { - // cannot set seed - // let a SHA1PRNG use that seed instead - SecureRandom random = mixRandom; - if (random != null) { - random.setSeed(seed); - } else { - try { - mixBuffer = new byte[20]; - random = SecureRandom.getInstance("SHA1PRNG"); - // initialize object before assigning to class field - random.setSeed(seed); - mixRandom = random; - } catch (NoSuchAlgorithmException ee) { - throw new ProviderException(ee); - } - } - } finally { - token.releaseSession(session); - } - } - - // see JCA spec - @Override - protected void engineNextBytes(byte[] bytes) { - if ((bytes == null) || (bytes.length == 0)) { - return; - } - if (bytes.length <= IBUFFER_SIZE) { - int ofs = 0; - synchronized (iBuffer) { - while (ofs < bytes.length) { - long time = System.currentTimeMillis(); - // refill the internal buffer if empty or stale - if ((ibuffered == 0) || - !(time - lastRead < MAX_IBUFFER_TIME)) { - lastRead = time; - implNextBytes(iBuffer); - ibuffered = IBUFFER_SIZE; - } - // copy the buffered bytes into 'bytes' - while ((ofs < bytes.length) && (ibuffered > 0)) { - bytes[ofs++] = iBuffer[IBUFFER_SIZE - ibuffered--]; - } - } - } - } else { - // avoid using the buffer - just fill bytes directly - implNextBytes(bytes); - } - - } - - // see JCA spec - @Override - protected byte[] engineGenerateSeed(int numBytes) { - byte[] b = new byte[numBytes]; - engineNextBytes(b); - return b; - } - - private void mix(byte[] b) { - SecureRandom random = mixRandom; - if (random == null) { - // avoid mixing if setSeed() has never been called - return; - } - synchronized (this) { - int ofs = 0; - int len = b.length; - while (len-- > 0) { - if (buffered == 0) { - random.nextBytes(mixBuffer); - buffered = mixBuffer.length; - } - b[ofs++] ^= mixBuffer[mixBuffer.length - buffered]; - buffered--; - } - } - } - - // fill up the specified buffer with random bytes, and mix them - private void implNextBytes(byte[] bytes) { - Session session = null; - try { - session = token.getOpSession(); - token.p11.C_GenerateRandom(session.id(), bytes); - mix(bytes); - } catch (PKCS11Exception e) { - throw new ProviderException("nextBytes() failed", e); - } finally { - token.releaseSession(session); - } - } - - private void readObject(ObjectInputStream in) - throws IOException, ClassNotFoundException { - in.defaultReadObject(); - // assign default values to non-null transient fields - iBuffer = new byte[IBUFFER_SIZE]; - ibuffered = 0; - lastRead = 0L; - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecureRandom.java 2017-01-20 09:52:36.694289018 -0800 @@ -0,0 +1,200 @@ +/* + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.io.*; +import java.security.*; +import sun.security.pkcs11.wrapper.*; + +/** + * SecureRandom implementation class. Some tokens support only + * C_GenerateRandom() and not C_SeedRandom(). In order not to lose an + * application specified seed, we create a SHA1PRNG that we mix with in that + * case. + * + * Note that since SecureRandom is thread safe, we only need one + * instance per PKCS#11 token instance. It is created on demand and cached + * in the SunPKCS11 class. + * + * Also note that we obtain the PKCS#11 session on demand, no need to tie one + * up. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11SecureRandom extends SecureRandomSpi { + + private static final long serialVersionUID = -8939510236124553291L; + + // token instance + private final Token token; + + // PRNG for mixing, non-null if active (i.e. setSeed() has been called) + private volatile SecureRandom mixRandom; + + // buffer, if mixing is used + private byte[] mixBuffer; + + // bytes remaining in mixBuffer, if mixing is used + private int buffered; + + /* + * we buffer data internally for efficiency but limit the lifetime + * to avoid using stale bits. + */ + // lifetime in ms, currently 100 ms (0.1 s) + private static final long MAX_IBUFFER_TIME = 100; + + // size of the internal buffer + private static final int IBUFFER_SIZE = 32; + + // internal buffer for the random bits + private transient byte[] iBuffer = new byte[IBUFFER_SIZE]; + + // number of bytes remain in iBuffer + private transient int ibuffered = 0; + + // time that data was read into iBuffer + private transient long lastRead = 0L; + + P11SecureRandom(Token token) { + this.token = token; + } + + // see JCA spec + @Override + protected synchronized void engineSetSeed(byte[] seed) { + if (seed == null) { + throw new NullPointerException("seed must not be null"); + } + Session session = null; + try { + session = token.getOpSession(); + token.p11.C_SeedRandom(session.id(), seed); + } catch (PKCS11Exception e) { + // cannot set seed + // let a SHA1PRNG use that seed instead + SecureRandom random = mixRandom; + if (random != null) { + random.setSeed(seed); + } else { + try { + mixBuffer = new byte[20]; + random = SecureRandom.getInstance("SHA1PRNG"); + // initialize object before assigning to class field + random.setSeed(seed); + mixRandom = random; + } catch (NoSuchAlgorithmException ee) { + throw new ProviderException(ee); + } + } + } finally { + token.releaseSession(session); + } + } + + // see JCA spec + @Override + protected void engineNextBytes(byte[] bytes) { + if ((bytes == null) || (bytes.length == 0)) { + return; + } + if (bytes.length <= IBUFFER_SIZE) { + int ofs = 0; + synchronized (iBuffer) { + while (ofs < bytes.length) { + long time = System.currentTimeMillis(); + // refill the internal buffer if empty or stale + if ((ibuffered == 0) || + !(time - lastRead < MAX_IBUFFER_TIME)) { + lastRead = time; + implNextBytes(iBuffer); + ibuffered = IBUFFER_SIZE; + } + // copy the buffered bytes into 'bytes' + while ((ofs < bytes.length) && (ibuffered > 0)) { + bytes[ofs++] = iBuffer[IBUFFER_SIZE - ibuffered--]; + } + } + } + } else { + // avoid using the buffer - just fill bytes directly + implNextBytes(bytes); + } + + } + + // see JCA spec + @Override + protected byte[] engineGenerateSeed(int numBytes) { + byte[] b = new byte[numBytes]; + engineNextBytes(b); + return b; + } + + private void mix(byte[] b) { + SecureRandom random = mixRandom; + if (random == null) { + // avoid mixing if setSeed() has never been called + return; + } + synchronized (this) { + int ofs = 0; + int len = b.length; + while (len-- > 0) { + if (buffered == 0) { + random.nextBytes(mixBuffer); + buffered = mixBuffer.length; + } + b[ofs++] ^= mixBuffer[mixBuffer.length - buffered]; + buffered--; + } + } + } + + // fill up the specified buffer with random bytes, and mix them + private void implNextBytes(byte[] bytes) { + Session session = null; + try { + session = token.getOpSession(); + token.p11.C_GenerateRandom(session.id(), bytes); + mix(bytes); + } catch (PKCS11Exception e) { + throw new ProviderException("nextBytes() failed", e); + } finally { + token.releaseSession(session); + } + } + + private void readObject(ObjectInputStream in) + throws IOException, ClassNotFoundException { + in.defaultReadObject(); + // assign default values to non-null transient fields + iBuffer = new byte[IBUFFER_SIZE]; + ibuffered = 0; + lastRead = 0L; + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Signature.java 2017-01-20 09:52:37.286288996 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,833 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.io.IOException; -import java.math.BigInteger; -import java.nio.ByteBuffer; - -import java.security.*; -import java.security.interfaces.*; -import sun.nio.ch.DirectBuffer; - -import sun.security.util.*; -import sun.security.x509.AlgorithmId; - -import sun.security.rsa.RSASignature; -import sun.security.rsa.RSAPadding; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -import sun.security.util.KeyUtil; - -/** - * Signature implementation class. This class currently supports the - * following algorithms: - * - * . DSA - * . NONEwithDSA (RawDSA) - * . SHA1withDSA - * . NONEwithDSAinP1363Format (RawDSAinP1363Format) - * . SHA1withDSAinP1363Format - * . RSA: - * . MD2withRSA - * . MD5withRSA - * . SHA1withRSA - * . SHA224withRSA - * . SHA256withRSA - * . SHA384withRSA - * . SHA512withRSA - * . ECDSA - * . NONEwithECDSA - * . SHA1withECDSA - * . SHA224withECDSA - * . SHA256withECDSA - * . SHA384withECDSA - * . SHA512withECDSA - * . NONEwithECDSAinP1363Format - * . SHA1withECDSAinP1363Format - * . SHA224withECDSAinP1363Format - * . SHA256withECDSAinP1363Format - * . SHA384withECDSAinP1363Format - * . SHA512withECDSAinP1363Format - * - * Note that the underlying PKCS#11 token may support complete signature - * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just - * implement the signature algorithm without hashing (e.g. CKM_DSA, CKM_PKCS), - * or it may only implement the raw public key operation (CKM_RSA_X_509). - * This class uses what is available and adds whatever extra processing - * is needed. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class P11Signature extends SignatureSpi { - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // name of the key algorithm, currently either RSA or DSA - private final String keyAlgorithm; - - // mechanism id - private final long mechanism; - - // digest algorithm OID, if we encode RSA signature ourselves - private final ObjectIdentifier digestOID; - - // type, one of T_* below - private final int type; - - // key instance used, if init*() was called - private P11Key p11Key; - - // message digest, if we do the digesting ourselves - private final MessageDigest md; - - // associated session, if any - private Session session; - - // mode, one of M_* below - private int mode; - - // flag indicating whether an operation is initialized - private boolean initialized; - - // buffer, for update(byte) or DSA - private final byte[] buffer; - - // total number of bytes processed in current operation - private int bytesProcessed; - - // The format, to be used for DSA and ECDSA signatures. - // If true, the IEEE P1363 format will be used, the concatenation of - // r and s. If false (default), the signature will be formatted as a - // DER-encoded ASN.1 sequence of r and s. - private boolean p1363Format = false; - - // constant for signing mode - private final static int M_SIGN = 1; - // constant for verification mode - private final static int M_VERIFY = 2; - - // constant for type digesting, we do the hashing ourselves - private final static int T_DIGEST = 1; - // constant for type update, token does everything - private final static int T_UPDATE = 2; - // constant for type raw, used with RawDSA and NONEwithECDSA only - private final static int T_RAW = 3; - - // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits", - // but this is a little arbitrary - private final static int RAW_ECDSA_MAX = 128; - - P11Signature(Token token, String algorithm, long mechanism) - throws NoSuchAlgorithmException, PKCS11Exception { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - byte[] buffer = null; - ObjectIdentifier digestOID = null; - MessageDigest md = null; - switch ((int)mechanism) { - case (int)CKM_MD2_RSA_PKCS: - case (int)CKM_MD5_RSA_PKCS: - case (int)CKM_SHA1_RSA_PKCS: - case (int)CKM_SHA224_RSA_PKCS: - case (int)CKM_SHA256_RSA_PKCS: - case (int)CKM_SHA384_RSA_PKCS: - case (int)CKM_SHA512_RSA_PKCS: - keyAlgorithm = "RSA"; - type = T_UPDATE; - buffer = new byte[1]; - break; - case (int)CKM_DSA_SHA1: - keyAlgorithm = "DSA"; - type = T_UPDATE; - buffer = new byte[1]; - break; - case (int)CKM_ECDSA_SHA1: - keyAlgorithm = "EC"; - type = T_UPDATE; - buffer = new byte[1]; - break; - case (int)CKM_DSA: - keyAlgorithm = "DSA"; - if (algorithm.equals("DSA") || - algorithm.equals("DSAinP1363Format")) { - type = T_DIGEST; - md = MessageDigest.getInstance("SHA-1"); - } else if (algorithm.equals("RawDSA") || - algorithm.equals("RawDSAinP1363Format")) { - type = T_RAW; - buffer = new byte[20]; - } else { - throw new ProviderException(algorithm); - } - break; - case (int)CKM_ECDSA: - keyAlgorithm = "EC"; - if (algorithm.equals("NONEwithECDSA") || - algorithm.equals("NONEwithECDSAinP1363Format")) { - type = T_RAW; - buffer = new byte[RAW_ECDSA_MAX]; - } else { - String digestAlg; - if (algorithm.equals("SHA1withECDSA") || - algorithm.equals("SHA1withECDSAinP1363Format")) { - digestAlg = "SHA-1"; - } else if (algorithm.equals("SHA224withECDSA") || - algorithm.equals("SHA224withECDSAinP1363Format")) { - digestAlg = "SHA-224"; - } else if (algorithm.equals("SHA256withECDSA") || - algorithm.equals("SHA256withECDSAinP1363Format")) { - digestAlg = "SHA-256"; - } else if (algorithm.equals("SHA384withECDSA") || - algorithm.equals("SHA384withECDSAinP1363Format")) { - digestAlg = "SHA-384"; - } else if (algorithm.equals("SHA512withECDSA") || - algorithm.equals("SHA512withECDSAinP1363Format")) { - digestAlg = "SHA-512"; - } else { - throw new ProviderException(algorithm); - } - type = T_DIGEST; - md = MessageDigest.getInstance(digestAlg); - } - break; - case (int)CKM_RSA_PKCS: - case (int)CKM_RSA_X_509: - keyAlgorithm = "RSA"; - type = T_DIGEST; - if (algorithm.equals("MD5withRSA")) { - md = MessageDigest.getInstance("MD5"); - digestOID = AlgorithmId.MD5_oid; - } else if (algorithm.equals("SHA1withRSA")) { - md = MessageDigest.getInstance("SHA-1"); - digestOID = AlgorithmId.SHA_oid; - } else if (algorithm.equals("MD2withRSA")) { - md = MessageDigest.getInstance("MD2"); - digestOID = AlgorithmId.MD2_oid; - } else if (algorithm.equals("SHA224withRSA")) { - md = MessageDigest.getInstance("SHA-224"); - digestOID = AlgorithmId.SHA224_oid; - } else if (algorithm.equals("SHA256withRSA")) { - md = MessageDigest.getInstance("SHA-256"); - digestOID = AlgorithmId.SHA256_oid; - } else if (algorithm.equals("SHA384withRSA")) { - md = MessageDigest.getInstance("SHA-384"); - digestOID = AlgorithmId.SHA384_oid; - } else if (algorithm.equals("SHA512withRSA")) { - md = MessageDigest.getInstance("SHA-512"); - digestOID = AlgorithmId.SHA512_oid; - } else { - throw new ProviderException("Unknown signature: " + algorithm); - } - break; - default: - throw new ProviderException("Unknown mechanism: " + mechanism); - } - this.buffer = buffer; - this.digestOID = digestOID; - this.md = md; - if (algorithm.endsWith("inP1363Format")) { - this.p1363Format = true; - } - } - - private void ensureInitialized() { - token.ensureValid(); - if (initialized == false) { - initialize(); - } - } - - private void cancelOperation() { - token.ensureValid(); - if (initialized == false) { - return; - } - initialized = false; - if ((session == null) || (token.explicitCancel == false)) { - return; - } - if (session.hasObjects() == false) { - session = token.killSession(session); - return; - } - // "cancel" operation by finishing it - // XXX make sure all this always works correctly - if (mode == M_SIGN) { - try { - if (type == T_UPDATE) { - token.p11.C_SignFinal(session.id(), 0); - } else { - byte[] digest; - if (type == T_DIGEST) { - digest = md.digest(); - } else { // T_RAW - digest = buffer; - } - token.p11.C_Sign(session.id(), digest); - } - } catch (PKCS11Exception e) { - throw new ProviderException("cancel failed", e); - } - } else { // M_VERIFY - try { - byte[] signature; - if (keyAlgorithm.equals("DSA")) { - signature = new byte[40]; - } else { - signature = new byte[(p11Key.length() + 7) >> 3]; - } - if (type == T_UPDATE) { - token.p11.C_VerifyFinal(session.id(), signature); - } else { - byte[] digest; - if (type == T_DIGEST) { - digest = md.digest(); - } else { // T_RAW - digest = buffer; - } - token.p11.C_Verify(session.id(), digest, signature); - } - } catch (PKCS11Exception e) { - // will fail since the signature is incorrect - // XXX check error code - } - } - } - - // assumes current state is initialized == false - private void initialize() { - try { - if (session == null) { - session = token.getOpSession(); - } - if (mode == M_SIGN) { - token.p11.C_SignInit(session.id(), - new CK_MECHANISM(mechanism), p11Key.keyID); - } else { - token.p11.C_VerifyInit(session.id(), - new CK_MECHANISM(mechanism), p11Key.keyID); - } - initialized = true; - } catch (PKCS11Exception e) { - throw new ProviderException("Initialization failed", e); - } - if (bytesProcessed != 0) { - bytesProcessed = 0; - if (md != null) { - md.reset(); - } - } - } - - private void checkKeySize(String keyAlgo, Key key) - throws InvalidKeyException { - CK_MECHANISM_INFO mechInfo = null; - try { - mechInfo = token.getMechanismInfo(mechanism); - } catch (PKCS11Exception e) { - // should not happen, ignore for now. - } - if (mechInfo == null) { - // skip the check if no native info available - return; - } - int minKeySize = (int) mechInfo.ulMinKeySize; - int maxKeySize = (int) mechInfo.ulMaxKeySize; - // need to override the MAX keysize for SHA1withDSA - if (md != null && mechanism == CKM_DSA && maxKeySize > 1024) { - maxKeySize = 1024; - } - int keySize = 0; - if (key instanceof P11Key) { - keySize = ((P11Key) key).length(); - } else { - if (keyAlgo.equals("RSA")) { - keySize = ((RSAKey) key).getModulus().bitLength(); - } else if (keyAlgo.equals("DSA")) { - keySize = ((DSAKey) key).getParams().getP().bitLength(); - } else if (keyAlgo.equals("EC")) { - keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize(); - } else { - throw new ProviderException("Error: unsupported algo " + keyAlgo); - } - } - if ((minKeySize != -1) && (keySize < minKeySize)) { - throw new InvalidKeyException(keyAlgo + - " key must be at least " + minKeySize + " bits"); - } - if ((maxKeySize != -1) && (keySize > maxKeySize)) { - throw new InvalidKeyException(keyAlgo + - " key must be at most " + maxKeySize + " bits"); - } - if (keyAlgo.equals("RSA")) { - checkRSAKeyLength(keySize); - } - } - - private void checkRSAKeyLength(int len) throws InvalidKeyException { - RSAPadding padding; - try { - padding = RSAPadding.getInstance - (RSAPadding.PAD_BLOCKTYPE_1, (len + 7) >> 3); - } catch (InvalidAlgorithmParameterException iape) { - throw new InvalidKeyException(iape.getMessage()); - } - int maxDataSize = padding.getMaxDataSize(); - int encodedLength; - if (algorithm.equals("MD5withRSA") || - algorithm.equals("MD2withRSA")) { - encodedLength = 34; - } else if (algorithm.equals("SHA1withRSA")) { - encodedLength = 35; - } else if (algorithm.equals("SHA224withRSA")) { - encodedLength = 47; - } else if (algorithm.equals("SHA256withRSA")) { - encodedLength = 51; - } else if (algorithm.equals("SHA384withRSA")) { - encodedLength = 67; - } else if (algorithm.equals("SHA512withRSA")) { - encodedLength = 83; - } else { - throw new ProviderException("Unknown signature algo: " + algorithm); - } - if (encodedLength > maxDataSize) { - throw new InvalidKeyException - ("Key is too short for this signature algorithm"); - } - } - - // see JCA spec - protected void engineInitVerify(PublicKey publicKey) - throws InvalidKeyException { - if (publicKey == null) { - throw new InvalidKeyException("Key must not be null"); - } - // Need to check key length whenever a new key is set - if (publicKey != p11Key) { - checkKeySize(keyAlgorithm, publicKey); - } - cancelOperation(); - mode = M_VERIFY; - p11Key = P11KeyFactory.convertKey(token, publicKey, keyAlgorithm); - initialize(); - } - - // see JCA spec - protected void engineInitSign(PrivateKey privateKey) - throws InvalidKeyException { - if (privateKey == null) { - throw new InvalidKeyException("Key must not be null"); - } - // Need to check RSA key length whenever a new key is set - if (privateKey != p11Key) { - checkKeySize(keyAlgorithm, privateKey); - } - cancelOperation(); - mode = M_SIGN; - p11Key = P11KeyFactory.convertKey(token, privateKey, keyAlgorithm); - initialize(); - } - - // see JCA spec - protected void engineUpdate(byte b) throws SignatureException { - ensureInitialized(); - switch (type) { - case T_UPDATE: - buffer[0] = b; - engineUpdate(buffer, 0, 1); - break; - case T_DIGEST: - md.update(b); - bytesProcessed++; - break; - case T_RAW: - if (bytesProcessed >= buffer.length) { - bytesProcessed = buffer.length + 1; - return; - } - buffer[bytesProcessed++] = b; - break; - default: - throw new ProviderException("Internal error"); - } - } - - // see JCA spec - protected void engineUpdate(byte[] b, int ofs, int len) - throws SignatureException { - ensureInitialized(); - if (len == 0) { - return; - } - switch (type) { - case T_UPDATE: - try { - if (mode == M_SIGN) { - token.p11.C_SignUpdate(session.id(), 0, b, ofs, len); - } else { - token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len); - } - bytesProcessed += len; - } catch (PKCS11Exception e) { - throw new ProviderException(e); - } - break; - case T_DIGEST: - md.update(b, ofs, len); - bytesProcessed += len; - break; - case T_RAW: - if (bytesProcessed + len > buffer.length) { - bytesProcessed = buffer.length + 1; - return; - } - System.arraycopy(b, ofs, buffer, bytesProcessed, len); - bytesProcessed += len; - break; - default: - throw new ProviderException("Internal error"); - } - } - - // see JCA spec - protected void engineUpdate(ByteBuffer byteBuffer) { - ensureInitialized(); - int len = byteBuffer.remaining(); - if (len <= 0) { - return; - } - switch (type) { - case T_UPDATE: - if (byteBuffer instanceof DirectBuffer == false) { - // cannot do better than default impl - super.engineUpdate(byteBuffer); - return; - } - long addr = ((DirectBuffer)byteBuffer).address(); - int ofs = byteBuffer.position(); - try { - if (mode == M_SIGN) { - token.p11.C_SignUpdate - (session.id(), addr + ofs, null, 0, len); - } else { - token.p11.C_VerifyUpdate - (session.id(), addr + ofs, null, 0, len); - } - bytesProcessed += len; - byteBuffer.position(ofs + len); - } catch (PKCS11Exception e) { - throw new ProviderException("Update failed", e); - } - break; - case T_DIGEST: - md.update(byteBuffer); - bytesProcessed += len; - break; - case T_RAW: - if (bytesProcessed + len > buffer.length) { - bytesProcessed = buffer.length + 1; - return; - } - byteBuffer.get(buffer, bytesProcessed, len); - bytesProcessed += len; - break; - default: - throw new ProviderException("Internal error"); - } - } - - // see JCA spec - protected byte[] engineSign() throws SignatureException { - ensureInitialized(); - try { - byte[] signature; - if (type == T_UPDATE) { - int len = keyAlgorithm.equals("DSA") ? 40 : 0; - signature = token.p11.C_SignFinal(session.id(), len); - } else { - byte[] digest; - if (type == T_DIGEST) { - digest = md.digest(); - } else { // T_RAW - if (mechanism == CKM_DSA) { - if (bytesProcessed != buffer.length) { - throw new SignatureException - ("Data for RawDSA must be exactly 20 bytes long"); - } - digest = buffer; - } else { // CKM_ECDSA - if (bytesProcessed > buffer.length) { - throw new SignatureException("Data for NONEwithECDSA" - + " must be at most " + RAW_ECDSA_MAX + " bytes long"); - } - digest = new byte[bytesProcessed]; - System.arraycopy(buffer, 0, digest, 0, bytesProcessed); - } - } - if (keyAlgorithm.equals("RSA") == false) { - // DSA and ECDSA - signature = token.p11.C_Sign(session.id(), digest); - } else { // RSA - byte[] data = encodeSignature(digest); - if (mechanism == CKM_RSA_X_509) { - data = pkcs1Pad(data); - } - signature = token.p11.C_Sign(session.id(), data); - } - } - if (keyAlgorithm.equals("RSA")) { - return signature; - } else { - if (p1363Format) { - return signature; - } else { - return dsaToASN1(signature); - } - } - } catch (PKCS11Exception pe) { - throw new ProviderException(pe); - } catch (SignatureException | ProviderException e) { - cancelOperation(); - throw e; - } finally { - initialized = false; - session = token.releaseSession(session); - } - } - - // see JCA spec - protected boolean engineVerify(byte[] signature) throws SignatureException { - ensureInitialized(); - try { - if (!p1363Format) { - if (keyAlgorithm.equals("DSA")) { - signature = asn1ToDSA(signature); - } else if (keyAlgorithm.equals("EC")) { - signature = asn1ToECDSA(signature); - } - } - if (type == T_UPDATE) { - token.p11.C_VerifyFinal(session.id(), signature); - } else { - byte[] digest; - if (type == T_DIGEST) { - digest = md.digest(); - } else { // T_RAW - if (mechanism == CKM_DSA) { - if (bytesProcessed != buffer.length) { - throw new SignatureException - ("Data for RawDSA must be exactly 20 bytes long"); - } - digest = buffer; - } else { - if (bytesProcessed > buffer.length) { - throw new SignatureException("Data for NONEwithECDSA" - + " must be at most " + RAW_ECDSA_MAX + " bytes long"); - } - digest = new byte[bytesProcessed]; - System.arraycopy(buffer, 0, digest, 0, bytesProcessed); - } - } - if (keyAlgorithm.equals("RSA") == false) { - // DSA and ECDSA - token.p11.C_Verify(session.id(), digest, signature); - } else { // RSA - byte[] data = encodeSignature(digest); - if (mechanism == CKM_RSA_X_509) { - data = pkcs1Pad(data); - } - token.p11.C_Verify(session.id(), data, signature); - } - } - return true; - } catch (PKCS11Exception pe) { - long errorCode = pe.getErrorCode(); - if (errorCode == CKR_SIGNATURE_INVALID) { - return false; - } - if (errorCode == CKR_SIGNATURE_LEN_RANGE) { - // return false rather than throwing an exception - return false; - } - // ECF bug? - if (errorCode == CKR_DATA_LEN_RANGE) { - return false; - } - throw new ProviderException(pe); - } catch (SignatureException | ProviderException e) { - cancelOperation(); - throw e; - } finally { - initialized = false; - session = token.releaseSession(session); - } - } - - private byte[] pkcs1Pad(byte[] data) { - try { - int len = (p11Key.length() + 7) >> 3; - RSAPadding padding = RSAPadding.getInstance - (RSAPadding.PAD_BLOCKTYPE_1, len); - byte[] padded = padding.pad(data); - return padded; - } catch (GeneralSecurityException e) { - throw new ProviderException(e); - } - } - - private byte[] encodeSignature(byte[] digest) throws SignatureException { - try { - return RSASignature.encodeSignature(digestOID, digest); - } catch (IOException e) { - throw new SignatureException("Invalid encoding", e); - } - } - -// private static byte[] decodeSignature(byte[] signature) throws IOException { -// return RSASignature.decodeSignature(digestOID, signature); -// } - - // For DSA and ECDSA signatures, PKCS#11 represents them as a simple - // byte array that contains the concatenation of r and s. - // For DSA, r and s are always exactly 20 bytes long. - // For ECDSA, r and s are of variable length, but we know that each - // occupies half of the array. - private static byte[] dsaToASN1(byte[] signature) { - int n = signature.length >> 1; - BigInteger r = new BigInteger(1, P11Util.subarray(signature, 0, n)); - BigInteger s = new BigInteger(1, P11Util.subarray(signature, n, n)); - try { - DerOutputStream outseq = new DerOutputStream(100); - outseq.putInteger(r); - outseq.putInteger(s); - DerValue result = new DerValue(DerValue.tag_Sequence, - outseq.toByteArray()); - return result.toByteArray(); - } catch (java.io.IOException e) { - throw new RuntimeException("Internal error", e); - } - } - - private static byte[] asn1ToDSA(byte[] sig) throws SignatureException { - try { - // Enforce strict DER checking for signatures - DerInputStream in = new DerInputStream(sig, 0, sig.length, false); - DerValue[] values = in.getSequence(2); - - // check number of components in the read sequence - // and trailing data - if ((values.length != 2) || (in.available() != 0)) { - throw new IOException("Invalid encoding for signature"); - } - - BigInteger r = values[0].getPositiveBigInteger(); - BigInteger s = values[1].getPositiveBigInteger(); - - byte[] br = toByteArray(r, 20); - byte[] bs = toByteArray(s, 20); - if ((br == null) || (bs == null)) { - throw new SignatureException("Out of range value for R or S"); - } - return P11Util.concat(br, bs); - } catch (SignatureException e) { - throw e; - } catch (Exception e) { - throw new SignatureException("Invalid encoding for signature", e); - } - } - - private byte[] asn1ToECDSA(byte[] sig) throws SignatureException { - try { - // Enforce strict DER checking for signatures - DerInputStream in = new DerInputStream(sig, 0, sig.length, false); - DerValue[] values = in.getSequence(2); - - // check number of components in the read sequence - // and trailing data - if ((values.length != 2) || (in.available() != 0)) { - throw new IOException("Invalid encoding for signature"); - } - - BigInteger r = values[0].getPositiveBigInteger(); - BigInteger s = values[1].getPositiveBigInteger(); - - // trim leading zeroes - byte[] br = KeyUtil.trimZeroes(r.toByteArray()); - byte[] bs = KeyUtil.trimZeroes(s.toByteArray()); - int k = Math.max(br.length, bs.length); - // r and s each occupy half the array - byte[] res = new byte[k << 1]; - System.arraycopy(br, 0, res, k - br.length, br.length); - System.arraycopy(bs, 0, res, res.length - bs.length, bs.length); - return res; - } catch (Exception e) { - throw new SignatureException("Invalid encoding for signature", e); - } - } - - private static byte[] toByteArray(BigInteger bi, int len) { - byte[] b = bi.toByteArray(); - int n = b.length; - if (n == len) { - return b; - } - if ((n == len + 1) && (b[0] == 0)) { - byte[] t = new byte[len]; - System.arraycopy(b, 1, t, 0, len); - return t; - } - if (n > len) { - return null; - } - // must be smaller - byte[] t = new byte[len]; - System.arraycopy(b, 0, t, (len - n), n); - return t; - } - - // see JCA spec - @SuppressWarnings("deprecation") - protected void engineSetParameter(String param, Object value) - throws InvalidParameterException { - throw new UnsupportedOperationException("setParameter() not supported"); - } - - // see JCA spec - @SuppressWarnings("deprecation") - protected Object engineGetParameter(String param) - throws InvalidParameterException { - throw new UnsupportedOperationException("getParameter() not supported"); - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java 2017-01-20 09:52:37.046289005 -0800 @@ -0,0 +1,833 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.io.IOException; +import java.math.BigInteger; +import java.nio.ByteBuffer; + +import java.security.*; +import java.security.interfaces.*; +import sun.nio.ch.DirectBuffer; + +import sun.security.util.*; +import sun.security.x509.AlgorithmId; + +import sun.security.rsa.RSASignature; +import sun.security.rsa.RSAPadding; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +import sun.security.util.KeyUtil; + +/** + * Signature implementation class. This class currently supports the + * following algorithms: + * + * . DSA + * . NONEwithDSA (RawDSA) + * . SHA1withDSA + * . NONEwithDSAinP1363Format (RawDSAinP1363Format) + * . SHA1withDSAinP1363Format + * . RSA: + * . MD2withRSA + * . MD5withRSA + * . SHA1withRSA + * . SHA224withRSA + * . SHA256withRSA + * . SHA384withRSA + * . SHA512withRSA + * . ECDSA + * . NONEwithECDSA + * . SHA1withECDSA + * . SHA224withECDSA + * . SHA256withECDSA + * . SHA384withECDSA + * . SHA512withECDSA + * . NONEwithECDSAinP1363Format + * . SHA1withECDSAinP1363Format + * . SHA224withECDSAinP1363Format + * . SHA256withECDSAinP1363Format + * . SHA384withECDSAinP1363Format + * . SHA512withECDSAinP1363Format + * + * Note that the underlying PKCS#11 token may support complete signature + * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just + * implement the signature algorithm without hashing (e.g. CKM_DSA, CKM_PKCS), + * or it may only implement the raw public key operation (CKM_RSA_X_509). + * This class uses what is available and adds whatever extra processing + * is needed. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class P11Signature extends SignatureSpi { + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // name of the key algorithm, currently either RSA or DSA + private final String keyAlgorithm; + + // mechanism id + private final long mechanism; + + // digest algorithm OID, if we encode RSA signature ourselves + private final ObjectIdentifier digestOID; + + // type, one of T_* below + private final int type; + + // key instance used, if init*() was called + private P11Key p11Key; + + // message digest, if we do the digesting ourselves + private final MessageDigest md; + + // associated session, if any + private Session session; + + // mode, one of M_* below + private int mode; + + // flag indicating whether an operation is initialized + private boolean initialized; + + // buffer, for update(byte) or DSA + private final byte[] buffer; + + // total number of bytes processed in current operation + private int bytesProcessed; + + // The format, to be used for DSA and ECDSA signatures. + // If true, the IEEE P1363 format will be used, the concatenation of + // r and s. If false (default), the signature will be formatted as a + // DER-encoded ASN.1 sequence of r and s. + private boolean p1363Format = false; + + // constant for signing mode + private final static int M_SIGN = 1; + // constant for verification mode + private final static int M_VERIFY = 2; + + // constant for type digesting, we do the hashing ourselves + private final static int T_DIGEST = 1; + // constant for type update, token does everything + private final static int T_UPDATE = 2; + // constant for type raw, used with RawDSA and NONEwithECDSA only + private final static int T_RAW = 3; + + // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits", + // but this is a little arbitrary + private final static int RAW_ECDSA_MAX = 128; + + P11Signature(Token token, String algorithm, long mechanism) + throws NoSuchAlgorithmException, PKCS11Exception { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + byte[] buffer = null; + ObjectIdentifier digestOID = null; + MessageDigest md = null; + switch ((int)mechanism) { + case (int)CKM_MD2_RSA_PKCS: + case (int)CKM_MD5_RSA_PKCS: + case (int)CKM_SHA1_RSA_PKCS: + case (int)CKM_SHA224_RSA_PKCS: + case (int)CKM_SHA256_RSA_PKCS: + case (int)CKM_SHA384_RSA_PKCS: + case (int)CKM_SHA512_RSA_PKCS: + keyAlgorithm = "RSA"; + type = T_UPDATE; + buffer = new byte[1]; + break; + case (int)CKM_DSA_SHA1: + keyAlgorithm = "DSA"; + type = T_UPDATE; + buffer = new byte[1]; + break; + case (int)CKM_ECDSA_SHA1: + keyAlgorithm = "EC"; + type = T_UPDATE; + buffer = new byte[1]; + break; + case (int)CKM_DSA: + keyAlgorithm = "DSA"; + if (algorithm.equals("DSA") || + algorithm.equals("DSAinP1363Format")) { + type = T_DIGEST; + md = MessageDigest.getInstance("SHA-1"); + } else if (algorithm.equals("RawDSA") || + algorithm.equals("RawDSAinP1363Format")) { + type = T_RAW; + buffer = new byte[20]; + } else { + throw new ProviderException(algorithm); + } + break; + case (int)CKM_ECDSA: + keyAlgorithm = "EC"; + if (algorithm.equals("NONEwithECDSA") || + algorithm.equals("NONEwithECDSAinP1363Format")) { + type = T_RAW; + buffer = new byte[RAW_ECDSA_MAX]; + } else { + String digestAlg; + if (algorithm.equals("SHA1withECDSA") || + algorithm.equals("SHA1withECDSAinP1363Format")) { + digestAlg = "SHA-1"; + } else if (algorithm.equals("SHA224withECDSA") || + algorithm.equals("SHA224withECDSAinP1363Format")) { + digestAlg = "SHA-224"; + } else if (algorithm.equals("SHA256withECDSA") || + algorithm.equals("SHA256withECDSAinP1363Format")) { + digestAlg = "SHA-256"; + } else if (algorithm.equals("SHA384withECDSA") || + algorithm.equals("SHA384withECDSAinP1363Format")) { + digestAlg = "SHA-384"; + } else if (algorithm.equals("SHA512withECDSA") || + algorithm.equals("SHA512withECDSAinP1363Format")) { + digestAlg = "SHA-512"; + } else { + throw new ProviderException(algorithm); + } + type = T_DIGEST; + md = MessageDigest.getInstance(digestAlg); + } + break; + case (int)CKM_RSA_PKCS: + case (int)CKM_RSA_X_509: + keyAlgorithm = "RSA"; + type = T_DIGEST; + if (algorithm.equals("MD5withRSA")) { + md = MessageDigest.getInstance("MD5"); + digestOID = AlgorithmId.MD5_oid; + } else if (algorithm.equals("SHA1withRSA")) { + md = MessageDigest.getInstance("SHA-1"); + digestOID = AlgorithmId.SHA_oid; + } else if (algorithm.equals("MD2withRSA")) { + md = MessageDigest.getInstance("MD2"); + digestOID = AlgorithmId.MD2_oid; + } else if (algorithm.equals("SHA224withRSA")) { + md = MessageDigest.getInstance("SHA-224"); + digestOID = AlgorithmId.SHA224_oid; + } else if (algorithm.equals("SHA256withRSA")) { + md = MessageDigest.getInstance("SHA-256"); + digestOID = AlgorithmId.SHA256_oid; + } else if (algorithm.equals("SHA384withRSA")) { + md = MessageDigest.getInstance("SHA-384"); + digestOID = AlgorithmId.SHA384_oid; + } else if (algorithm.equals("SHA512withRSA")) { + md = MessageDigest.getInstance("SHA-512"); + digestOID = AlgorithmId.SHA512_oid; + } else { + throw new ProviderException("Unknown signature: " + algorithm); + } + break; + default: + throw new ProviderException("Unknown mechanism: " + mechanism); + } + this.buffer = buffer; + this.digestOID = digestOID; + this.md = md; + if (algorithm.endsWith("inP1363Format")) { + this.p1363Format = true; + } + } + + private void ensureInitialized() { + token.ensureValid(); + if (initialized == false) { + initialize(); + } + } + + private void cancelOperation() { + token.ensureValid(); + if (initialized == false) { + return; + } + initialized = false; + if ((session == null) || (token.explicitCancel == false)) { + return; + } + if (session.hasObjects() == false) { + session = token.killSession(session); + return; + } + // "cancel" operation by finishing it + // XXX make sure all this always works correctly + if (mode == M_SIGN) { + try { + if (type == T_UPDATE) { + token.p11.C_SignFinal(session.id(), 0); + } else { + byte[] digest; + if (type == T_DIGEST) { + digest = md.digest(); + } else { // T_RAW + digest = buffer; + } + token.p11.C_Sign(session.id(), digest); + } + } catch (PKCS11Exception e) { + throw new ProviderException("cancel failed", e); + } + } else { // M_VERIFY + try { + byte[] signature; + if (keyAlgorithm.equals("DSA")) { + signature = new byte[40]; + } else { + signature = new byte[(p11Key.length() + 7) >> 3]; + } + if (type == T_UPDATE) { + token.p11.C_VerifyFinal(session.id(), signature); + } else { + byte[] digest; + if (type == T_DIGEST) { + digest = md.digest(); + } else { // T_RAW + digest = buffer; + } + token.p11.C_Verify(session.id(), digest, signature); + } + } catch (PKCS11Exception e) { + // will fail since the signature is incorrect + // XXX check error code + } + } + } + + // assumes current state is initialized == false + private void initialize() { + try { + if (session == null) { + session = token.getOpSession(); + } + if (mode == M_SIGN) { + token.p11.C_SignInit(session.id(), + new CK_MECHANISM(mechanism), p11Key.keyID); + } else { + token.p11.C_VerifyInit(session.id(), + new CK_MECHANISM(mechanism), p11Key.keyID); + } + initialized = true; + } catch (PKCS11Exception e) { + throw new ProviderException("Initialization failed", e); + } + if (bytesProcessed != 0) { + bytesProcessed = 0; + if (md != null) { + md.reset(); + } + } + } + + private void checkKeySize(String keyAlgo, Key key) + throws InvalidKeyException { + CK_MECHANISM_INFO mechInfo = null; + try { + mechInfo = token.getMechanismInfo(mechanism); + } catch (PKCS11Exception e) { + // should not happen, ignore for now. + } + if (mechInfo == null) { + // skip the check if no native info available + return; + } + int minKeySize = (int) mechInfo.ulMinKeySize; + int maxKeySize = (int) mechInfo.ulMaxKeySize; + // need to override the MAX keysize for SHA1withDSA + if (md != null && mechanism == CKM_DSA && maxKeySize > 1024) { + maxKeySize = 1024; + } + int keySize = 0; + if (key instanceof P11Key) { + keySize = ((P11Key) key).length(); + } else { + if (keyAlgo.equals("RSA")) { + keySize = ((RSAKey) key).getModulus().bitLength(); + } else if (keyAlgo.equals("DSA")) { + keySize = ((DSAKey) key).getParams().getP().bitLength(); + } else if (keyAlgo.equals("EC")) { + keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize(); + } else { + throw new ProviderException("Error: unsupported algo " + keyAlgo); + } + } + if ((minKeySize != -1) && (keySize < minKeySize)) { + throw new InvalidKeyException(keyAlgo + + " key must be at least " + minKeySize + " bits"); + } + if ((maxKeySize != -1) && (keySize > maxKeySize)) { + throw new InvalidKeyException(keyAlgo + + " key must be at most " + maxKeySize + " bits"); + } + if (keyAlgo.equals("RSA")) { + checkRSAKeyLength(keySize); + } + } + + private void checkRSAKeyLength(int len) throws InvalidKeyException { + RSAPadding padding; + try { + padding = RSAPadding.getInstance + (RSAPadding.PAD_BLOCKTYPE_1, (len + 7) >> 3); + } catch (InvalidAlgorithmParameterException iape) { + throw new InvalidKeyException(iape.getMessage()); + } + int maxDataSize = padding.getMaxDataSize(); + int encodedLength; + if (algorithm.equals("MD5withRSA") || + algorithm.equals("MD2withRSA")) { + encodedLength = 34; + } else if (algorithm.equals("SHA1withRSA")) { + encodedLength = 35; + } else if (algorithm.equals("SHA224withRSA")) { + encodedLength = 47; + } else if (algorithm.equals("SHA256withRSA")) { + encodedLength = 51; + } else if (algorithm.equals("SHA384withRSA")) { + encodedLength = 67; + } else if (algorithm.equals("SHA512withRSA")) { + encodedLength = 83; + } else { + throw new ProviderException("Unknown signature algo: " + algorithm); + } + if (encodedLength > maxDataSize) { + throw new InvalidKeyException + ("Key is too short for this signature algorithm"); + } + } + + // see JCA spec + protected void engineInitVerify(PublicKey publicKey) + throws InvalidKeyException { + if (publicKey == null) { + throw new InvalidKeyException("Key must not be null"); + } + // Need to check key length whenever a new key is set + if (publicKey != p11Key) { + checkKeySize(keyAlgorithm, publicKey); + } + cancelOperation(); + mode = M_VERIFY; + p11Key = P11KeyFactory.convertKey(token, publicKey, keyAlgorithm); + initialize(); + } + + // see JCA spec + protected void engineInitSign(PrivateKey privateKey) + throws InvalidKeyException { + if (privateKey == null) { + throw new InvalidKeyException("Key must not be null"); + } + // Need to check RSA key length whenever a new key is set + if (privateKey != p11Key) { + checkKeySize(keyAlgorithm, privateKey); + } + cancelOperation(); + mode = M_SIGN; + p11Key = P11KeyFactory.convertKey(token, privateKey, keyAlgorithm); + initialize(); + } + + // see JCA spec + protected void engineUpdate(byte b) throws SignatureException { + ensureInitialized(); + switch (type) { + case T_UPDATE: + buffer[0] = b; + engineUpdate(buffer, 0, 1); + break; + case T_DIGEST: + md.update(b); + bytesProcessed++; + break; + case T_RAW: + if (bytesProcessed >= buffer.length) { + bytesProcessed = buffer.length + 1; + return; + } + buffer[bytesProcessed++] = b; + break; + default: + throw new ProviderException("Internal error"); + } + } + + // see JCA spec + protected void engineUpdate(byte[] b, int ofs, int len) + throws SignatureException { + ensureInitialized(); + if (len == 0) { + return; + } + switch (type) { + case T_UPDATE: + try { + if (mode == M_SIGN) { + token.p11.C_SignUpdate(session.id(), 0, b, ofs, len); + } else { + token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len); + } + bytesProcessed += len; + } catch (PKCS11Exception e) { + throw new ProviderException(e); + } + break; + case T_DIGEST: + md.update(b, ofs, len); + bytesProcessed += len; + break; + case T_RAW: + if (bytesProcessed + len > buffer.length) { + bytesProcessed = buffer.length + 1; + return; + } + System.arraycopy(b, ofs, buffer, bytesProcessed, len); + bytesProcessed += len; + break; + default: + throw new ProviderException("Internal error"); + } + } + + // see JCA spec + protected void engineUpdate(ByteBuffer byteBuffer) { + ensureInitialized(); + int len = byteBuffer.remaining(); + if (len <= 0) { + return; + } + switch (type) { + case T_UPDATE: + if (byteBuffer instanceof DirectBuffer == false) { + // cannot do better than default impl + super.engineUpdate(byteBuffer); + return; + } + long addr = ((DirectBuffer)byteBuffer).address(); + int ofs = byteBuffer.position(); + try { + if (mode == M_SIGN) { + token.p11.C_SignUpdate + (session.id(), addr + ofs, null, 0, len); + } else { + token.p11.C_VerifyUpdate + (session.id(), addr + ofs, null, 0, len); + } + bytesProcessed += len; + byteBuffer.position(ofs + len); + } catch (PKCS11Exception e) { + throw new ProviderException("Update failed", e); + } + break; + case T_DIGEST: + md.update(byteBuffer); + bytesProcessed += len; + break; + case T_RAW: + if (bytesProcessed + len > buffer.length) { + bytesProcessed = buffer.length + 1; + return; + } + byteBuffer.get(buffer, bytesProcessed, len); + bytesProcessed += len; + break; + default: + throw new ProviderException("Internal error"); + } + } + + // see JCA spec + protected byte[] engineSign() throws SignatureException { + ensureInitialized(); + try { + byte[] signature; + if (type == T_UPDATE) { + int len = keyAlgorithm.equals("DSA") ? 40 : 0; + signature = token.p11.C_SignFinal(session.id(), len); + } else { + byte[] digest; + if (type == T_DIGEST) { + digest = md.digest(); + } else { // T_RAW + if (mechanism == CKM_DSA) { + if (bytesProcessed != buffer.length) { + throw new SignatureException + ("Data for RawDSA must be exactly 20 bytes long"); + } + digest = buffer; + } else { // CKM_ECDSA + if (bytesProcessed > buffer.length) { + throw new SignatureException("Data for NONEwithECDSA" + + " must be at most " + RAW_ECDSA_MAX + " bytes long"); + } + digest = new byte[bytesProcessed]; + System.arraycopy(buffer, 0, digest, 0, bytesProcessed); + } + } + if (keyAlgorithm.equals("RSA") == false) { + // DSA and ECDSA + signature = token.p11.C_Sign(session.id(), digest); + } else { // RSA + byte[] data = encodeSignature(digest); + if (mechanism == CKM_RSA_X_509) { + data = pkcs1Pad(data); + } + signature = token.p11.C_Sign(session.id(), data); + } + } + if (keyAlgorithm.equals("RSA")) { + return signature; + } else { + if (p1363Format) { + return signature; + } else { + return dsaToASN1(signature); + } + } + } catch (PKCS11Exception pe) { + throw new ProviderException(pe); + } catch (SignatureException | ProviderException e) { + cancelOperation(); + throw e; + } finally { + initialized = false; + session = token.releaseSession(session); + } + } + + // see JCA spec + protected boolean engineVerify(byte[] signature) throws SignatureException { + ensureInitialized(); + try { + if (!p1363Format) { + if (keyAlgorithm.equals("DSA")) { + signature = asn1ToDSA(signature); + } else if (keyAlgorithm.equals("EC")) { + signature = asn1ToECDSA(signature); + } + } + if (type == T_UPDATE) { + token.p11.C_VerifyFinal(session.id(), signature); + } else { + byte[] digest; + if (type == T_DIGEST) { + digest = md.digest(); + } else { // T_RAW + if (mechanism == CKM_DSA) { + if (bytesProcessed != buffer.length) { + throw new SignatureException + ("Data for RawDSA must be exactly 20 bytes long"); + } + digest = buffer; + } else { + if (bytesProcessed > buffer.length) { + throw new SignatureException("Data for NONEwithECDSA" + + " must be at most " + RAW_ECDSA_MAX + " bytes long"); + } + digest = new byte[bytesProcessed]; + System.arraycopy(buffer, 0, digest, 0, bytesProcessed); + } + } + if (keyAlgorithm.equals("RSA") == false) { + // DSA and ECDSA + token.p11.C_Verify(session.id(), digest, signature); + } else { // RSA + byte[] data = encodeSignature(digest); + if (mechanism == CKM_RSA_X_509) { + data = pkcs1Pad(data); + } + token.p11.C_Verify(session.id(), data, signature); + } + } + return true; + } catch (PKCS11Exception pe) { + long errorCode = pe.getErrorCode(); + if (errorCode == CKR_SIGNATURE_INVALID) { + return false; + } + if (errorCode == CKR_SIGNATURE_LEN_RANGE) { + // return false rather than throwing an exception + return false; + } + // ECF bug? + if (errorCode == CKR_DATA_LEN_RANGE) { + return false; + } + throw new ProviderException(pe); + } catch (SignatureException | ProviderException e) { + cancelOperation(); + throw e; + } finally { + initialized = false; + session = token.releaseSession(session); + } + } + + private byte[] pkcs1Pad(byte[] data) { + try { + int len = (p11Key.length() + 7) >> 3; + RSAPadding padding = RSAPadding.getInstance + (RSAPadding.PAD_BLOCKTYPE_1, len); + byte[] padded = padding.pad(data); + return padded; + } catch (GeneralSecurityException e) { + throw new ProviderException(e); + } + } + + private byte[] encodeSignature(byte[] digest) throws SignatureException { + try { + return RSASignature.encodeSignature(digestOID, digest); + } catch (IOException e) { + throw new SignatureException("Invalid encoding", e); + } + } + +// private static byte[] decodeSignature(byte[] signature) throws IOException { +// return RSASignature.decodeSignature(digestOID, signature); +// } + + // For DSA and ECDSA signatures, PKCS#11 represents them as a simple + // byte array that contains the concatenation of r and s. + // For DSA, r and s are always exactly 20 bytes long. + // For ECDSA, r and s are of variable length, but we know that each + // occupies half of the array. + private static byte[] dsaToASN1(byte[] signature) { + int n = signature.length >> 1; + BigInteger r = new BigInteger(1, P11Util.subarray(signature, 0, n)); + BigInteger s = new BigInteger(1, P11Util.subarray(signature, n, n)); + try { + DerOutputStream outseq = new DerOutputStream(100); + outseq.putInteger(r); + outseq.putInteger(s); + DerValue result = new DerValue(DerValue.tag_Sequence, + outseq.toByteArray()); + return result.toByteArray(); + } catch (java.io.IOException e) { + throw new RuntimeException("Internal error", e); + } + } + + private static byte[] asn1ToDSA(byte[] sig) throws SignatureException { + try { + // Enforce strict DER checking for signatures + DerInputStream in = new DerInputStream(sig, 0, sig.length, false); + DerValue[] values = in.getSequence(2); + + // check number of components in the read sequence + // and trailing data + if ((values.length != 2) || (in.available() != 0)) { + throw new IOException("Invalid encoding for signature"); + } + + BigInteger r = values[0].getPositiveBigInteger(); + BigInteger s = values[1].getPositiveBigInteger(); + + byte[] br = toByteArray(r, 20); + byte[] bs = toByteArray(s, 20); + if ((br == null) || (bs == null)) { + throw new SignatureException("Out of range value for R or S"); + } + return P11Util.concat(br, bs); + } catch (SignatureException e) { + throw e; + } catch (Exception e) { + throw new SignatureException("Invalid encoding for signature", e); + } + } + + private byte[] asn1ToECDSA(byte[] sig) throws SignatureException { + try { + // Enforce strict DER checking for signatures + DerInputStream in = new DerInputStream(sig, 0, sig.length, false); + DerValue[] values = in.getSequence(2); + + // check number of components in the read sequence + // and trailing data + if ((values.length != 2) || (in.available() != 0)) { + throw new IOException("Invalid encoding for signature"); + } + + BigInteger r = values[0].getPositiveBigInteger(); + BigInteger s = values[1].getPositiveBigInteger(); + + // trim leading zeroes + byte[] br = KeyUtil.trimZeroes(r.toByteArray()); + byte[] bs = KeyUtil.trimZeroes(s.toByteArray()); + int k = Math.max(br.length, bs.length); + // r and s each occupy half the array + byte[] res = new byte[k << 1]; + System.arraycopy(br, 0, res, k - br.length, br.length); + System.arraycopy(bs, 0, res, res.length - bs.length, bs.length); + return res; + } catch (Exception e) { + throw new SignatureException("Invalid encoding for signature", e); + } + } + + private static byte[] toByteArray(BigInteger bi, int len) { + byte[] b = bi.toByteArray(); + int n = b.length; + if (n == len) { + return b; + } + if ((n == len + 1) && (b[0] == 0)) { + byte[] t = new byte[len]; + System.arraycopy(b, 1, t, 0, len); + return t; + } + if (n > len) { + return null; + } + // must be smaller + byte[] t = new byte[len]; + System.arraycopy(b, 0, t, (len - n), n); + return t; + } + + // see JCA spec + @SuppressWarnings("deprecation") + protected void engineSetParameter(String param, Object value) + throws InvalidParameterException { + throw new UnsupportedOperationException("setParameter() not supported"); + } + + // see JCA spec + @SuppressWarnings("deprecation") + protected Object engineGetParameter(String param) + throws InvalidParameterException { + throw new UnsupportedOperationException("getParameter() not supported"); + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java 2017-01-20 09:52:37.638288982 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,224 +0,0 @@ -/* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.util.*; - -import java.security.*; -import java.security.spec.AlgorithmParameterSpec; - -import javax.crypto.*; -import javax.crypto.spec.*; - -import sun.security.internal.spec.*; -import sun.security.internal.interfaces.TlsMasterSecret; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * KeyGenerator to calculate the SSL/TLS key material (cipher keys and ivs, - * mac keys) from the master secret. - * - * @author Andreas Sterbenz - * @since 1.6 - */ -public final class P11TlsKeyMaterialGenerator extends KeyGeneratorSpi { - - private final static String MSG = "TlsKeyMaterialGenerator must be " - + "initialized using a TlsKeyMaterialParameterSpec"; - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private long mechanism; - - // parameter spec - @SuppressWarnings("deprecation") - private TlsKeyMaterialParameterSpec spec; - - // master secret as a P11Key - private P11Key p11Key; - - // whether SSLv3 is supported - private final boolean supportSSLv3; - - P11TlsKeyMaterialGenerator(Token token, String algorithm, long mechanism) - throws PKCS11Exception { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - - // Given the current lookup order specified in SunPKCS11.java, - // if CKM_SSL3_KEY_AND_MAC_DERIVE is not used to construct this object, - // it means that this mech is disabled or unsupported. - this.supportSSLv3 = (mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE); - } - - protected void engineInit(SecureRandom random) { - throw new InvalidParameterException(MSG); - } - - @SuppressWarnings("deprecation") - protected void engineInit(AlgorithmParameterSpec params, - SecureRandom random) throws InvalidAlgorithmParameterException { - if (params instanceof TlsKeyMaterialParameterSpec == false) { - throw new InvalidAlgorithmParameterException(MSG); - } - - TlsKeyMaterialParameterSpec spec = (TlsKeyMaterialParameterSpec)params; - int version = (spec.getMajorVersion() << 8) | spec.getMinorVersion(); - - if ((version == 0x0300 && !supportSSLv3) || (version < 0x0300) || - (version > 0x0302)) { - throw new InvalidAlgorithmParameterException - ("Only" + (supportSSLv3? " SSL 3.0,": "") + - " TLS 1.0, and TLS 1.1 are supported (0x" + - Integer.toHexString(version) + ")"); - } - try { - p11Key = P11SecretKeyFactory.convertKey - (token, spec.getMasterSecret(), "TlsMasterSecret"); - } catch (InvalidKeyException e) { - throw new InvalidAlgorithmParameterException("init() failed", e); - } - this.spec = spec; - this.mechanism = (version == 0x0300)? - CKM_SSL3_KEY_AND_MAC_DERIVE : CKM_TLS_KEY_AND_MAC_DERIVE; - } - - protected void engineInit(int keysize, SecureRandom random) { - throw new InvalidParameterException(MSG); - } - - @SuppressWarnings("deprecation") - protected SecretKey engineGenerateKey() { - if (spec == null) { - throw new IllegalStateException - ("TlsKeyMaterialGenerator must be initialized"); - } - int macBits = spec.getMacKeyLength() << 3; - int ivBits = spec.getIvLength() << 3; - - int expandedKeyBits = spec.getExpandedCipherKeyLength() << 3; - int keyBits = spec.getCipherKeyLength() << 3; - boolean isExportable; - if (expandedKeyBits != 0) { - isExportable = true; - } else { - isExportable = false; - expandedKeyBits = keyBits; - } - - CK_SSL3_RANDOM_DATA random = new CK_SSL3_RANDOM_DATA - (spec.getClientRandom(), spec.getServerRandom()); - CK_SSL3_KEY_MAT_PARAMS params = new CK_SSL3_KEY_MAT_PARAMS - (macBits, keyBits, ivBits, isExportable, random); - - String cipherAlgorithm = spec.getCipherAlgorithm(); - long keyType = P11SecretKeyFactory.getKeyType(cipherAlgorithm); - if (keyType < 0) { - if (keyBits != 0) { - throw new ProviderException - ("Unknown algorithm: " + spec.getCipherAlgorithm()); - } else { - // NULL encryption ciphersuites - keyType = CKK_GENERIC_SECRET; - } - } - - Session session = null; - try { - session = token.getObjSession(); - CK_ATTRIBUTE[] attributes; - if (keyBits != 0) { - attributes = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), - new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), - new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3), - }; - } else { - // ciphersuites with NULL ciphers - attributes = new CK_ATTRIBUTE[0]; - } - attributes = token.getAttributes - (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); - // the returned keyID is a dummy, ignore - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes); - - CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial; - // Note that the MAC keys do not inherit all attributes from the - // template, but they do inherit the sensitive/extractable/token - // flags, which is all P11Key cares about. - SecretKey clientMacKey, serverMacKey; - - // The MAC size may be zero for GCM mode. - // - // PKCS11 does not support GCM mode as the author made the comment, - // so the macBits is unlikely to be zero. It's only a place holder. - if (macBits != 0) { - clientMacKey = P11Key.secretKey - (session, out.hClientMacSecret, "MAC", macBits, attributes); - serverMacKey = P11Key.secretKey - (session, out.hServerMacSecret, "MAC", macBits, attributes); - } else { - clientMacKey = null; - serverMacKey = null; - } - - SecretKey clientCipherKey, serverCipherKey; - if (keyBits != 0) { - clientCipherKey = P11Key.secretKey(session, out.hClientKey, - cipherAlgorithm, expandedKeyBits, attributes); - serverCipherKey = P11Key.secretKey(session, out.hServerKey, - cipherAlgorithm, expandedKeyBits, attributes); - } else { - clientCipherKey = null; - serverCipherKey = null; - } - IvParameterSpec clientIv = (out.pIVClient == null) - ? null : new IvParameterSpec(out.pIVClient); - IvParameterSpec serverIv = (out.pIVServer == null) - ? null : new IvParameterSpec(out.pIVServer); - - return new TlsKeyMaterialSpec(clientMacKey, serverMacKey, - clientCipherKey, clientIv, serverCipherKey, serverIv); - - } catch (Exception e) { - throw new ProviderException("Could not generate key", e); - } finally { - token.releaseSession(session); - } - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java 2017-01-20 09:52:37.418288991 -0800 @@ -0,0 +1,224 @@ +/* + * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.util.*; + +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.*; +import javax.crypto.spec.*; + +import sun.security.internal.spec.*; +import sun.security.internal.interfaces.TlsMasterSecret; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * KeyGenerator to calculate the SSL/TLS key material (cipher keys and ivs, + * mac keys) from the master secret. + * + * @author Andreas Sterbenz + * @since 1.6 + */ +public final class P11TlsKeyMaterialGenerator extends KeyGeneratorSpi { + + private final static String MSG = "TlsKeyMaterialGenerator must be " + + "initialized using a TlsKeyMaterialParameterSpec"; + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private long mechanism; + + // parameter spec + @SuppressWarnings("deprecation") + private TlsKeyMaterialParameterSpec spec; + + // master secret as a P11Key + private P11Key p11Key; + + // whether SSLv3 is supported + private final boolean supportSSLv3; + + P11TlsKeyMaterialGenerator(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + + // Given the current lookup order specified in SunPKCS11.java, + // if CKM_SSL3_KEY_AND_MAC_DERIVE is not used to construct this object, + // it means that this mech is disabled or unsupported. + this.supportSSLv3 = (mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE); + } + + protected void engineInit(SecureRandom random) { + throw new InvalidParameterException(MSG); + } + + @SuppressWarnings("deprecation") + protected void engineInit(AlgorithmParameterSpec params, + SecureRandom random) throws InvalidAlgorithmParameterException { + if (params instanceof TlsKeyMaterialParameterSpec == false) { + throw new InvalidAlgorithmParameterException(MSG); + } + + TlsKeyMaterialParameterSpec spec = (TlsKeyMaterialParameterSpec)params; + int version = (spec.getMajorVersion() << 8) | spec.getMinorVersion(); + + if ((version == 0x0300 && !supportSSLv3) || (version < 0x0300) || + (version > 0x0302)) { + throw new InvalidAlgorithmParameterException + ("Only" + (supportSSLv3? " SSL 3.0,": "") + + " TLS 1.0, and TLS 1.1 are supported (0x" + + Integer.toHexString(version) + ")"); + } + try { + p11Key = P11SecretKeyFactory.convertKey + (token, spec.getMasterSecret(), "TlsMasterSecret"); + } catch (InvalidKeyException e) { + throw new InvalidAlgorithmParameterException("init() failed", e); + } + this.spec = spec; + this.mechanism = (version == 0x0300)? + CKM_SSL3_KEY_AND_MAC_DERIVE : CKM_TLS_KEY_AND_MAC_DERIVE; + } + + protected void engineInit(int keysize, SecureRandom random) { + throw new InvalidParameterException(MSG); + } + + @SuppressWarnings("deprecation") + protected SecretKey engineGenerateKey() { + if (spec == null) { + throw new IllegalStateException + ("TlsKeyMaterialGenerator must be initialized"); + } + int macBits = spec.getMacKeyLength() << 3; + int ivBits = spec.getIvLength() << 3; + + int expandedKeyBits = spec.getExpandedCipherKeyLength() << 3; + int keyBits = spec.getCipherKeyLength() << 3; + boolean isExportable; + if (expandedKeyBits != 0) { + isExportable = true; + } else { + isExportable = false; + expandedKeyBits = keyBits; + } + + CK_SSL3_RANDOM_DATA random = new CK_SSL3_RANDOM_DATA + (spec.getClientRandom(), spec.getServerRandom()); + CK_SSL3_KEY_MAT_PARAMS params = new CK_SSL3_KEY_MAT_PARAMS + (macBits, keyBits, ivBits, isExportable, random); + + String cipherAlgorithm = spec.getCipherAlgorithm(); + long keyType = P11SecretKeyFactory.getKeyType(cipherAlgorithm); + if (keyType < 0) { + if (keyBits != 0) { + throw new ProviderException + ("Unknown algorithm: " + spec.getCipherAlgorithm()); + } else { + // NULL encryption ciphersuites + keyType = CKK_GENERIC_SECRET; + } + } + + Session session = null; + try { + session = token.getObjSession(); + CK_ATTRIBUTE[] attributes; + if (keyBits != 0) { + attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), + new CK_ATTRIBUTE(CKA_VALUE_LEN, expandedKeyBits >> 3), + }; + } else { + // ciphersuites with NULL ciphers + attributes = new CK_ATTRIBUTE[0]; + } + attributes = token.getAttributes + (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); + // the returned keyID is a dummy, ignore + long keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes); + + CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial; + // Note that the MAC keys do not inherit all attributes from the + // template, but they do inherit the sensitive/extractable/token + // flags, which is all P11Key cares about. + SecretKey clientMacKey, serverMacKey; + + // The MAC size may be zero for GCM mode. + // + // PKCS11 does not support GCM mode as the author made the comment, + // so the macBits is unlikely to be zero. It's only a place holder. + if (macBits != 0) { + clientMacKey = P11Key.secretKey + (session, out.hClientMacSecret, "MAC", macBits, attributes); + serverMacKey = P11Key.secretKey + (session, out.hServerMacSecret, "MAC", macBits, attributes); + } else { + clientMacKey = null; + serverMacKey = null; + } + + SecretKey clientCipherKey, serverCipherKey; + if (keyBits != 0) { + clientCipherKey = P11Key.secretKey(session, out.hClientKey, + cipherAlgorithm, expandedKeyBits, attributes); + serverCipherKey = P11Key.secretKey(session, out.hServerKey, + cipherAlgorithm, expandedKeyBits, attributes); + } else { + clientCipherKey = null; + serverCipherKey = null; + } + IvParameterSpec clientIv = (out.pIVClient == null) + ? null : new IvParameterSpec(out.pIVClient); + IvParameterSpec serverIv = (out.pIVServer == null) + ? null : new IvParameterSpec(out.pIVServer); + + return new TlsKeyMaterialSpec(clientMacKey, serverMacKey, + clientCipherKey, clientIv, serverCipherKey, serverIv); + + } catch (Exception e) { + throw new ProviderException("Could not generate key", e); + } finally { + token.releaseSession(session); + } + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java 2017-01-20 09:52:38.118288964 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,169 +0,0 @@ -/* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.security.*; -import java.security.spec.AlgorithmParameterSpec; - -import javax.crypto.*; -import javax.crypto.spec.*; - -import sun.security.internal.spec.TlsMasterSecretParameterSpec; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * KeyGenerator for the SSL/TLS master secret. - * - * @author Andreas Sterbenz - * @since 1.6 - */ -public final class P11TlsMasterSecretGenerator extends KeyGeneratorSpi { - - private final static String MSG = "TlsMasterSecretGenerator must be " - + "initialized using a TlsMasterSecretParameterSpec"; - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private long mechanism; - - @SuppressWarnings("deprecation") - private TlsMasterSecretParameterSpec spec; - private P11Key p11Key; - - CK_VERSION ckVersion; - - // whether SSLv3 is supported - private final boolean supportSSLv3; - - P11TlsMasterSecretGenerator(Token token, String algorithm, long mechanism) - throws PKCS11Exception { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - - // Given the current lookup order specified in SunPKCS11.java, if - // CKM_SSL3_MASTER_KEY_DERIVE is not used to construct this object, - // it means that this mech is disabled or unsupported. - supportSSLv3 = (mechanism == CKM_SSL3_MASTER_KEY_DERIVE); - } - - protected void engineInit(SecureRandom random) { - throw new InvalidParameterException(MSG); - } - - @SuppressWarnings("deprecation") - protected void engineInit(AlgorithmParameterSpec params, - SecureRandom random) throws InvalidAlgorithmParameterException { - if (params instanceof TlsMasterSecretParameterSpec == false) { - throw new InvalidAlgorithmParameterException(MSG); - } - - TlsMasterSecretParameterSpec spec = (TlsMasterSecretParameterSpec)params; - int version = (spec.getMajorVersion() << 8) | spec.getMinorVersion(); - if ((version == 0x0300 && !supportSSLv3) || (version < 0x0300) || - (version > 0x0302)) { - throw new InvalidAlgorithmParameterException - ("Only" + (supportSSLv3? " SSL 3.0,": "") + - " TLS 1.0, and TLS 1.1 are supported (0x" + - Integer.toHexString(version) + ")"); - } - - SecretKey key = spec.getPremasterSecret(); - // algorithm should be either TlsRsaPremasterSecret or TlsPremasterSecret, - // but we omit the check - try { - p11Key = P11SecretKeyFactory.convertKey(token, key, null); - } catch (InvalidKeyException e) { - throw new InvalidAlgorithmParameterException("init() failed", e); - } - this.spec = spec; - if (p11Key.getAlgorithm().equals("TlsRsaPremasterSecret")) { - mechanism = (version == 0x0300) ? CKM_SSL3_MASTER_KEY_DERIVE - : CKM_TLS_MASTER_KEY_DERIVE; - ckVersion = new CK_VERSION(0, 0); - } else { - // Note: we use DH for all non-RSA premaster secrets. That includes - // Kerberos. That should not be a problem because master secret - // calculation is always a straightforward application of the - // TLS PRF (or the SSL equivalent). - // The only thing special about RSA master secret calculation is - // that it extracts the version numbers from the premaster secret. - mechanism = (version == 0x0300) ? CKM_SSL3_MASTER_KEY_DERIVE_DH - : CKM_TLS_MASTER_KEY_DERIVE_DH; - ckVersion = null; - } - } - - protected void engineInit(int keysize, SecureRandom random) { - throw new InvalidParameterException(MSG); - } - - protected SecretKey engineGenerateKey() { - if (spec == null) { - throw new IllegalStateException - ("TlsMasterSecretGenerator must be initialized"); - } - byte[] clientRandom = spec.getClientRandom(); - byte[] serverRandom = spec.getServerRandom(); - CK_SSL3_RANDOM_DATA random = - new CK_SSL3_RANDOM_DATA(clientRandom, serverRandom); - CK_SSL3_MASTER_KEY_DERIVE_PARAMS params = - new CK_SSL3_MASTER_KEY_DERIVE_PARAMS(random, ckVersion); - - Session session = null; - try { - session = token.getObjSession(); - CK_ATTRIBUTE[] attributes = token.getAttributes(O_GENERATE, - CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes); - int major, minor; - if (params.pVersion == null) { - major = -1; - minor = -1; - } else { - major = params.pVersion.major; - minor = params.pVersion.minor; - } - SecretKey key = P11Key.masterSecretKey(session, keyID, - "TlsMasterSecret", 48 << 3, attributes, major, minor); - return key; - } catch (Exception e) { - throw new ProviderException("Could not generate key", e); - } finally { - token.releaseSession(session); - } - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java 2017-01-20 09:52:37.906288972 -0800 @@ -0,0 +1,169 @@ +/* + * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.*; +import javax.crypto.spec.*; + +import sun.security.internal.spec.TlsMasterSecretParameterSpec; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * KeyGenerator for the SSL/TLS master secret. + * + * @author Andreas Sterbenz + * @since 1.6 + */ +public final class P11TlsMasterSecretGenerator extends KeyGeneratorSpi { + + private final static String MSG = "TlsMasterSecretGenerator must be " + + "initialized using a TlsMasterSecretParameterSpec"; + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private long mechanism; + + @SuppressWarnings("deprecation") + private TlsMasterSecretParameterSpec spec; + private P11Key p11Key; + + CK_VERSION ckVersion; + + // whether SSLv3 is supported + private final boolean supportSSLv3; + + P11TlsMasterSecretGenerator(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + + // Given the current lookup order specified in SunPKCS11.java, if + // CKM_SSL3_MASTER_KEY_DERIVE is not used to construct this object, + // it means that this mech is disabled or unsupported. + supportSSLv3 = (mechanism == CKM_SSL3_MASTER_KEY_DERIVE); + } + + protected void engineInit(SecureRandom random) { + throw new InvalidParameterException(MSG); + } + + @SuppressWarnings("deprecation") + protected void engineInit(AlgorithmParameterSpec params, + SecureRandom random) throws InvalidAlgorithmParameterException { + if (params instanceof TlsMasterSecretParameterSpec == false) { + throw new InvalidAlgorithmParameterException(MSG); + } + + TlsMasterSecretParameterSpec spec = (TlsMasterSecretParameterSpec)params; + int version = (spec.getMajorVersion() << 8) | spec.getMinorVersion(); + if ((version == 0x0300 && !supportSSLv3) || (version < 0x0300) || + (version > 0x0302)) { + throw new InvalidAlgorithmParameterException + ("Only" + (supportSSLv3? " SSL 3.0,": "") + + " TLS 1.0, and TLS 1.1 are supported (0x" + + Integer.toHexString(version) + ")"); + } + + SecretKey key = spec.getPremasterSecret(); + // algorithm should be either TlsRsaPremasterSecret or TlsPremasterSecret, + // but we omit the check + try { + p11Key = P11SecretKeyFactory.convertKey(token, key, null); + } catch (InvalidKeyException e) { + throw new InvalidAlgorithmParameterException("init() failed", e); + } + this.spec = spec; + if (p11Key.getAlgorithm().equals("TlsRsaPremasterSecret")) { + mechanism = (version == 0x0300) ? CKM_SSL3_MASTER_KEY_DERIVE + : CKM_TLS_MASTER_KEY_DERIVE; + ckVersion = new CK_VERSION(0, 0); + } else { + // Note: we use DH for all non-RSA premaster secrets. That includes + // Kerberos. That should not be a problem because master secret + // calculation is always a straightforward application of the + // TLS PRF (or the SSL equivalent). + // The only thing special about RSA master secret calculation is + // that it extracts the version numbers from the premaster secret. + mechanism = (version == 0x0300) ? CKM_SSL3_MASTER_KEY_DERIVE_DH + : CKM_TLS_MASTER_KEY_DERIVE_DH; + ckVersion = null; + } + } + + protected void engineInit(int keysize, SecureRandom random) { + throw new InvalidParameterException(MSG); + } + + protected SecretKey engineGenerateKey() { + if (spec == null) { + throw new IllegalStateException + ("TlsMasterSecretGenerator must be initialized"); + } + byte[] clientRandom = spec.getClientRandom(); + byte[] serverRandom = spec.getServerRandom(); + CK_SSL3_RANDOM_DATA random = + new CK_SSL3_RANDOM_DATA(clientRandom, serverRandom); + CK_SSL3_MASTER_KEY_DERIVE_PARAMS params = + new CK_SSL3_MASTER_KEY_DERIVE_PARAMS(random, ckVersion); + + Session session = null; + try { + session = token.getObjSession(); + CK_ATTRIBUTE[] attributes = token.getAttributes(O_GENERATE, + CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); + long keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes); + int major, minor; + if (params.pVersion == null) { + major = -1; + minor = -1; + } else { + major = params.pVersion.major; + minor = params.pVersion.minor; + } + SecretKey key = P11Key.masterSecretKey(session, keyID, + "TlsMasterSecret", 48 << 3, attributes, major, minor); + return key; + } catch (Exception e) { + throw new ProviderException("Could not generate key", e); + } finally { + token.releaseSession(session); + } + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11TlsPrfGenerator.java 2017-01-20 09:52:38.470288951 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,169 +0,0 @@ -/* - * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.security.*; -import java.security.spec.AlgorithmParameterSpec; - -import javax.crypto.*; -import javax.crypto.spec.*; - -import sun.security.internal.spec.TlsPrfParameterSpec; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * KeyGenerator for the TLS PRF. Note that although the PRF is used in a number - * of places during the handshake, this class is usually only used to calculate - * the Finished messages. The reason is that for those other uses more specific - * PKCS#11 mechanisms have been defined (CKM_SSL3_MASTER_KEY_DERIVE, etc.). - * - *

This class supports the CKM_TLS_PRF mechanism from PKCS#11 v2.20 and - * the older NSS private mechanism. - * - * @author Andreas Sterbenz - * @since 1.6 - */ -final class P11TlsPrfGenerator extends KeyGeneratorSpi { - - private final static String MSG = - "TlsPrfGenerator must be initialized using a TlsPrfParameterSpec"; - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private final long mechanism; - - @SuppressWarnings("deprecation") - private TlsPrfParameterSpec spec; - - private P11Key p11Key; - - P11TlsPrfGenerator(Token token, String algorithm, long mechanism) - throws PKCS11Exception { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - } - - protected void engineInit(SecureRandom random) { - throw new InvalidParameterException(MSG); - } - - @SuppressWarnings("deprecation") - protected void engineInit(AlgorithmParameterSpec params, - SecureRandom random) throws InvalidAlgorithmParameterException { - if (params instanceof TlsPrfParameterSpec == false) { - throw new InvalidAlgorithmParameterException(MSG); - } - this.spec = (TlsPrfParameterSpec)params; - SecretKey key = spec.getSecret(); - if (key == null) { - key = NULL_KEY; - } - try { - p11Key = P11SecretKeyFactory.convertKey(token, key, null); - } catch (InvalidKeyException e) { - throw new InvalidAlgorithmParameterException("init() failed", e); - } - } - - // SecretKeySpec does not allow zero length keys, so we define our - // own class. - // - // As an anonymous class cannot make any guarantees about serialization - // compatibility, it is nonsensical for an anonymous class to define a - // serialVersionUID. Suppress warnings relative to missing serialVersionUID - // field in the anonymous subclass of serializable SecretKey. - @SuppressWarnings("serial") - private static final SecretKey NULL_KEY = new SecretKey() { - public byte[] getEncoded() { - return new byte[0]; - } - public String getFormat() { - return "RAW"; - } - public String getAlgorithm() { - return "Generic"; - } - }; - - protected void engineInit(int keysize, SecureRandom random) { - throw new InvalidParameterException(MSG); - } - - protected SecretKey engineGenerateKey() { - if (spec == null) { - throw new IllegalStateException("TlsPrfGenerator must be initialized"); - } - byte[] label = P11Util.getBytesUTF8(spec.getLabel()); - byte[] seed = spec.getSeed(); - - if (mechanism == CKM_NSS_TLS_PRF_GENERAL) { - Session session = null; - try { - session = token.getOpSession(); - token.p11.C_SignInit - (session.id(), new CK_MECHANISM(mechanism), p11Key.keyID); - token.p11.C_SignUpdate(session.id(), 0, label, 0, label.length); - token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length); - byte[] out = token.p11.C_SignFinal - (session.id(), spec.getOutputLength()); - return new SecretKeySpec(out, "TlsPrf"); - } catch (PKCS11Exception e) { - throw new ProviderException("Could not calculate PRF", e); - } finally { - token.releaseSession(session); - } - } - - // mechanism == CKM_TLS_PRF - - byte[] out = new byte[spec.getOutputLength()]; - CK_TLS_PRF_PARAMS params = new CK_TLS_PRF_PARAMS(seed, label, out); - - Session session = null; - try { - session = token.getOpSession(); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, params), p11Key.keyID, null); - // ignore keyID, returned PRF bytes are in 'out' - return new SecretKeySpec(out, "TlsPrf"); - } catch (PKCS11Exception e) { - throw new ProviderException("Could not calculate PRF", e); - } finally { - token.releaseSession(session); - } - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsPrfGenerator.java 2017-01-20 09:52:38.250288959 -0800 @@ -0,0 +1,169 @@ +/* + * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.*; +import javax.crypto.spec.*; + +import sun.security.internal.spec.TlsPrfParameterSpec; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * KeyGenerator for the TLS PRF. Note that although the PRF is used in a number + * of places during the handshake, this class is usually only used to calculate + * the Finished messages. The reason is that for those other uses more specific + * PKCS#11 mechanisms have been defined (CKM_SSL3_MASTER_KEY_DERIVE, etc.). + * + *

This class supports the CKM_TLS_PRF mechanism from PKCS#11 v2.20 and + * the older NSS private mechanism. + * + * @author Andreas Sterbenz + * @since 1.6 + */ +final class P11TlsPrfGenerator extends KeyGeneratorSpi { + + private final static String MSG = + "TlsPrfGenerator must be initialized using a TlsPrfParameterSpec"; + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private final long mechanism; + + @SuppressWarnings("deprecation") + private TlsPrfParameterSpec spec; + + private P11Key p11Key; + + P11TlsPrfGenerator(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + } + + protected void engineInit(SecureRandom random) { + throw new InvalidParameterException(MSG); + } + + @SuppressWarnings("deprecation") + protected void engineInit(AlgorithmParameterSpec params, + SecureRandom random) throws InvalidAlgorithmParameterException { + if (params instanceof TlsPrfParameterSpec == false) { + throw new InvalidAlgorithmParameterException(MSG); + } + this.spec = (TlsPrfParameterSpec)params; + SecretKey key = spec.getSecret(); + if (key == null) { + key = NULL_KEY; + } + try { + p11Key = P11SecretKeyFactory.convertKey(token, key, null); + } catch (InvalidKeyException e) { + throw new InvalidAlgorithmParameterException("init() failed", e); + } + } + + // SecretKeySpec does not allow zero length keys, so we define our + // own class. + // + // As an anonymous class cannot make any guarantees about serialization + // compatibility, it is nonsensical for an anonymous class to define a + // serialVersionUID. Suppress warnings relative to missing serialVersionUID + // field in the anonymous subclass of serializable SecretKey. + @SuppressWarnings("serial") + private static final SecretKey NULL_KEY = new SecretKey() { + public byte[] getEncoded() { + return new byte[0]; + } + public String getFormat() { + return "RAW"; + } + public String getAlgorithm() { + return "Generic"; + } + }; + + protected void engineInit(int keysize, SecureRandom random) { + throw new InvalidParameterException(MSG); + } + + protected SecretKey engineGenerateKey() { + if (spec == null) { + throw new IllegalStateException("TlsPrfGenerator must be initialized"); + } + byte[] label = P11Util.getBytesUTF8(spec.getLabel()); + byte[] seed = spec.getSeed(); + + if (mechanism == CKM_NSS_TLS_PRF_GENERAL) { + Session session = null; + try { + session = token.getOpSession(); + token.p11.C_SignInit + (session.id(), new CK_MECHANISM(mechanism), p11Key.keyID); + token.p11.C_SignUpdate(session.id(), 0, label, 0, label.length); + token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length); + byte[] out = token.p11.C_SignFinal + (session.id(), spec.getOutputLength()); + return new SecretKeySpec(out, "TlsPrf"); + } catch (PKCS11Exception e) { + throw new ProviderException("Could not calculate PRF", e); + } finally { + token.releaseSession(session); + } + } + + // mechanism == CKM_TLS_PRF + + byte[] out = new byte[spec.getOutputLength()]; + CK_TLS_PRF_PARAMS params = new CK_TLS_PRF_PARAMS(seed, label, out); + + Session session = null; + try { + session = token.getOpSession(); + long keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, params), p11Key.keyID, null); + // ignore keyID, returned PRF bytes are in 'out' + return new SecretKeySpec(out, "TlsPrf"); + } catch (PKCS11Exception e) { + throw new ProviderException("Could not calculate PRF", e); + } finally { + token.releaseSession(session); + } + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java 2017-01-20 09:52:38.822288938 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,137 +0,0 @@ -/* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.security.*; -import java.security.spec.AlgorithmParameterSpec; - -import javax.crypto.*; -import javax.crypto.spec.*; - -import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec; - -import static sun.security.pkcs11.TemplateManager.*; -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * KeyGenerator for the SSL/TLS RSA premaster secret. - * - * @author Andreas Sterbenz - * @since 1.6 - */ -final class P11TlsRsaPremasterSecretGenerator extends KeyGeneratorSpi { - - private final static String MSG = "TlsRsaPremasterSecretGenerator must be " - + "initialized using a TlsRsaPremasterSecretParameterSpec"; - - // token instance - private final Token token; - - // algorithm name - private final String algorithm; - - // mechanism id - private long mechanism; - - @SuppressWarnings("deprecation") - private TlsRsaPremasterSecretParameterSpec spec; - - // whether SSLv3 is supported - private final boolean supportSSLv3; - - P11TlsRsaPremasterSecretGenerator(Token token, String algorithm, long mechanism) - throws PKCS11Exception { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; - - // Given the current lookup order specified in SunPKCS11.java, - // if CKM_SSL3_PRE_MASTER_KEY_GEN is not used to construct this object, - // it means that this mech is disabled or unsupported. - this.supportSSLv3 = (mechanism == CKM_SSL3_PRE_MASTER_KEY_GEN); - } - - protected void engineInit(SecureRandom random) { - throw new InvalidParameterException(MSG); - } - - @SuppressWarnings("deprecation") - protected void engineInit(AlgorithmParameterSpec params, - SecureRandom random) throws InvalidAlgorithmParameterException { - if (!(params instanceof TlsRsaPremasterSecretParameterSpec)) { - throw new InvalidAlgorithmParameterException(MSG); - } - - TlsRsaPremasterSecretParameterSpec spec = - (TlsRsaPremasterSecretParameterSpec) params; - - int version = (spec.getMajorVersion() << 8) | spec.getMinorVersion(); - - if ((version == 0x0300 && !supportSSLv3) || (version < 0x0300) || - (version > 0x0302)) { - throw new InvalidAlgorithmParameterException - ("Only" + (supportSSLv3? " SSL 3.0,": "") + - " TLS 1.0, and TLS 1.1 are supported (0x" + - Integer.toHexString(version) + ")"); - } - this.spec = spec; - } - - protected void engineInit(int keysize, SecureRandom random) { - throw new InvalidParameterException(MSG); - } - - // Only can be used in client side to generate TLS RSA premaster secret. - protected SecretKey engineGenerateKey() { - if (spec == null) { - throw new IllegalStateException - ("TlsRsaPremasterSecretGenerator must be initialized"); - } - - CK_VERSION version = new CK_VERSION( - spec.getMajorVersion(), spec.getMinorVersion()); - Session session = null; - try { - session = token.getObjSession(); - CK_ATTRIBUTE[] attributes = token.getAttributes( - O_GENERATE, CKO_SECRET_KEY, - CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); - long keyID = token.p11.C_GenerateKey(session.id(), - new CK_MECHANISM(mechanism, version), attributes); - SecretKey key = P11Key.secretKey(session, - keyID, "TlsRsaPremasterSecret", 48 << 3, attributes); - return key; - } catch (PKCS11Exception e) { - throw new ProviderException( - "Could not generate premaster secret", e); - } finally { - token.releaseSession(session); - } - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java 2017-01-20 09:52:38.602288946 -0800 @@ -0,0 +1,137 @@ +/* + * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.*; +import javax.crypto.spec.*; + +import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec; + +import static sun.security.pkcs11.TemplateManager.*; +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * KeyGenerator for the SSL/TLS RSA premaster secret. + * + * @author Andreas Sterbenz + * @since 1.6 + */ +final class P11TlsRsaPremasterSecretGenerator extends KeyGeneratorSpi { + + private final static String MSG = "TlsRsaPremasterSecretGenerator must be " + + "initialized using a TlsRsaPremasterSecretParameterSpec"; + + // token instance + private final Token token; + + // algorithm name + private final String algorithm; + + // mechanism id + private long mechanism; + + @SuppressWarnings("deprecation") + private TlsRsaPremasterSecretParameterSpec spec; + + // whether SSLv3 is supported + private final boolean supportSSLv3; + + P11TlsRsaPremasterSecretGenerator(Token token, String algorithm, long mechanism) + throws PKCS11Exception { + super(); + this.token = token; + this.algorithm = algorithm; + this.mechanism = mechanism; + + // Given the current lookup order specified in SunPKCS11.java, + // if CKM_SSL3_PRE_MASTER_KEY_GEN is not used to construct this object, + // it means that this mech is disabled or unsupported. + this.supportSSLv3 = (mechanism == CKM_SSL3_PRE_MASTER_KEY_GEN); + } + + protected void engineInit(SecureRandom random) { + throw new InvalidParameterException(MSG); + } + + @SuppressWarnings("deprecation") + protected void engineInit(AlgorithmParameterSpec params, + SecureRandom random) throws InvalidAlgorithmParameterException { + if (!(params instanceof TlsRsaPremasterSecretParameterSpec)) { + throw new InvalidAlgorithmParameterException(MSG); + } + + TlsRsaPremasterSecretParameterSpec spec = + (TlsRsaPremasterSecretParameterSpec) params; + + int version = (spec.getMajorVersion() << 8) | spec.getMinorVersion(); + + if ((version == 0x0300 && !supportSSLv3) || (version < 0x0300) || + (version > 0x0302)) { + throw new InvalidAlgorithmParameterException + ("Only" + (supportSSLv3? " SSL 3.0,": "") + + " TLS 1.0, and TLS 1.1 are supported (0x" + + Integer.toHexString(version) + ")"); + } + this.spec = spec; + } + + protected void engineInit(int keysize, SecureRandom random) { + throw new InvalidParameterException(MSG); + } + + // Only can be used in client side to generate TLS RSA premaster secret. + protected SecretKey engineGenerateKey() { + if (spec == null) { + throw new IllegalStateException + ("TlsRsaPremasterSecretGenerator must be initialized"); + } + + CK_VERSION version = new CK_VERSION( + spec.getMajorVersion(), spec.getMinorVersion()); + Session session = null; + try { + session = token.getObjSession(); + CK_ATTRIBUTE[] attributes = token.getAttributes( + O_GENERATE, CKO_SECRET_KEY, + CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); + long keyID = token.p11.C_GenerateKey(session.id(), + new CK_MECHANISM(mechanism, version), attributes); + SecretKey key = P11Key.secretKey(session, + keyID, "TlsRsaPremasterSecret", 48 << 3, attributes); + return key; + } catch (PKCS11Exception e) { + throw new ProviderException( + "Could not generate premaster secret", e); + } finally { + token.releaseSession(session); + } + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Util.java 2017-01-20 09:52:39.170288925 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,182 +0,0 @@ -/* - * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.math.BigInteger; -import java.security.*; - -/** - * Collection of static utility methods. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -public final class P11Util { - - private static Object LOCK = new Object(); - - private static volatile Provider sun, sunRsaSign, sunJce; - - private P11Util() { - // empty - } - - static Provider getSunProvider() { - Provider p = sun; - if (p == null) { - synchronized (LOCK) { - p = getProvider - (sun, "SUN", "sun.security.provider.Sun"); - sun = p; - } - } - return p; - } - - static Provider getSunRsaSignProvider() { - Provider p = sunRsaSign; - if (p == null) { - synchronized (LOCK) { - p = getProvider - (sunRsaSign, "SunRsaSign", "sun.security.rsa.SunRsaSign"); - sunRsaSign = p; - } - } - return p; - } - - static Provider getSunJceProvider() { - Provider p = sunJce; - if (p == null) { - synchronized (LOCK) { - p = getProvider - (sunJce, "SunJCE", "com.sun.crypto.provider.SunJCE"); - sunJce = p; - } - } - return p; - } - - private static Provider getProvider(Provider p, String providerName, - String className) { - if (p != null) { - return p; - } - p = Security.getProvider(providerName); - if (p == null) { - try { - @SuppressWarnings("deprecation") - Object o = Class.forName(className).newInstance(); - p = (Provider)o; - } catch (Exception e) { - throw new ProviderException - ("Could not find provider " + providerName, e); - } - } - return p; - } - - static byte[] convert(byte[] input, int offset, int len) { - if ((offset == 0) && (len == input.length)) { - return input; - } else { - byte[] t = new byte[len]; - System.arraycopy(input, offset, t, 0, len); - return t; - } - } - - static byte[] subarray(byte[] b, int ofs, int len) { - byte[] out = new byte[len]; - System.arraycopy(b, ofs, out, 0, len); - return out; - } - - static byte[] concat(byte[] b1, byte[] b2) { - byte[] b = new byte[b1.length + b2.length]; - System.arraycopy(b1, 0, b, 0, b1.length); - System.arraycopy(b2, 0, b, b1.length, b2.length); - return b; - } - - static long[] concat(long[] b1, long[] b2) { - if (b1.length == 0) { - return b2; - } - long[] b = new long[b1.length + b2.length]; - System.arraycopy(b1, 0, b, 0, b1.length); - System.arraycopy(b2, 0, b, b1.length, b2.length); - return b; - } - - public static byte[] getMagnitude(BigInteger bi) { - byte[] b = bi.toByteArray(); - if ((b.length > 1) && (b[0] == 0)) { - int n = b.length - 1; - byte[] newarray = new byte[n]; - System.arraycopy(b, 1, newarray, 0, n); - b = newarray; - } - return b; - } - - static byte[] getBytesUTF8(String s) { - try { - return s.getBytes("UTF8"); - } catch (java.io.UnsupportedEncodingException e) { - throw new RuntimeException(e); - } - } - - static byte[] sha1(byte[] data) { - try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - md.update(data); - return md.digest(); - } catch (GeneralSecurityException e) { - throw new ProviderException(e); - } - } - - private final static char[] hexDigits = "0123456789abcdef".toCharArray(); - - static String toString(byte[] b) { - if (b == null) { - return "(null)"; - } - StringBuilder sb = new StringBuilder(b.length * 3); - for (int i = 0; i < b.length; i++) { - int k = b[i] & 0xff; - if (i != 0) { - sb.append(':'); - } - sb.append(hexDigits[k >>> 4]); - sb.append(hexDigits[k & 0xf]); - } - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java 2017-01-20 09:52:38.950288933 -0800 @@ -0,0 +1,182 @@ +/* + * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.math.BigInteger; +import java.security.*; + +/** + * Collection of static utility methods. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +public final class P11Util { + + private static Object LOCK = new Object(); + + private static volatile Provider sun, sunRsaSign, sunJce; + + private P11Util() { + // empty + } + + static Provider getSunProvider() { + Provider p = sun; + if (p == null) { + synchronized (LOCK) { + p = getProvider + (sun, "SUN", "sun.security.provider.Sun"); + sun = p; + } + } + return p; + } + + static Provider getSunRsaSignProvider() { + Provider p = sunRsaSign; + if (p == null) { + synchronized (LOCK) { + p = getProvider + (sunRsaSign, "SunRsaSign", "sun.security.rsa.SunRsaSign"); + sunRsaSign = p; + } + } + return p; + } + + static Provider getSunJceProvider() { + Provider p = sunJce; + if (p == null) { + synchronized (LOCK) { + p = getProvider + (sunJce, "SunJCE", "com.sun.crypto.provider.SunJCE"); + sunJce = p; + } + } + return p; + } + + private static Provider getProvider(Provider p, String providerName, + String className) { + if (p != null) { + return p; + } + p = Security.getProvider(providerName); + if (p == null) { + try { + @SuppressWarnings("deprecation") + Object o = Class.forName(className).newInstance(); + p = (Provider)o; + } catch (Exception e) { + throw new ProviderException + ("Could not find provider " + providerName, e); + } + } + return p; + } + + static byte[] convert(byte[] input, int offset, int len) { + if ((offset == 0) && (len == input.length)) { + return input; + } else { + byte[] t = new byte[len]; + System.arraycopy(input, offset, t, 0, len); + return t; + } + } + + static byte[] subarray(byte[] b, int ofs, int len) { + byte[] out = new byte[len]; + System.arraycopy(b, ofs, out, 0, len); + return out; + } + + static byte[] concat(byte[] b1, byte[] b2) { + byte[] b = new byte[b1.length + b2.length]; + System.arraycopy(b1, 0, b, 0, b1.length); + System.arraycopy(b2, 0, b, b1.length, b2.length); + return b; + } + + static long[] concat(long[] b1, long[] b2) { + if (b1.length == 0) { + return b2; + } + long[] b = new long[b1.length + b2.length]; + System.arraycopy(b1, 0, b, 0, b1.length); + System.arraycopy(b2, 0, b, b1.length, b2.length); + return b; + } + + public static byte[] getMagnitude(BigInteger bi) { + byte[] b = bi.toByteArray(); + if ((b.length > 1) && (b[0] == 0)) { + int n = b.length - 1; + byte[] newarray = new byte[n]; + System.arraycopy(b, 1, newarray, 0, n); + b = newarray; + } + return b; + } + + static byte[] getBytesUTF8(String s) { + try { + return s.getBytes("UTF8"); + } catch (java.io.UnsupportedEncodingException e) { + throw new RuntimeException(e); + } + } + + static byte[] sha1(byte[] data) { + try { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + md.update(data); + return md.digest(); + } catch (GeneralSecurityException e) { + throw new ProviderException(e); + } + } + + private final static char[] hexDigits = "0123456789abcdef".toCharArray(); + + static String toString(byte[] b) { + if (b == null) { + return "(null)"; + } + StringBuilder sb = new StringBuilder(b.length * 3); + for (int i = 0; i < b.length; i++) { + int k = b[i] & 0xff; + if (i != 0) { + sb.append(':'); + } + sb.append(hexDigits[k >>> 4]); + sb.append(hexDigits[k & 0xf]); + } + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/Secmod.java 2017-01-20 09:52:39.522288911 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,787 +0,0 @@ -/* - * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.io.*; -import java.util.*; - -import java.security.*; -import java.security.KeyStore.*; -import java.security.cert.X509Certificate; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - - -/** - * The Secmod class defines the interface to the native NSS - * library and the configuration information it stores in its - * secmod.db file. - * - *

Example code: - * 

- *   Secmod secmod = Secmod.getInstance();
- *   if (secmod.isInitialized() == false) {
- *       secmod.initialize("/home/myself/.mozilla");
- *   }
- *
- *   Provider p = secmod.getModule(ModuleType.KEYSTORE).getProvider();
- *   KeyStore ks = KeyStore.getInstance("PKCS11", p);
- *   ks.load(null, password);
- *
- * - * @since 1.6 - * @author Andreas Sterbenz - */ -public final class Secmod { - - private final static boolean DEBUG = false; - - private final static Secmod INSTANCE; - - static { - sun.security.pkcs11.wrapper.PKCS11.loadNative(); - INSTANCE = new Secmod(); - } - - private final static String NSS_LIB_NAME = "nss3"; - - private final static String SOFTTOKEN_LIB_NAME = "softokn3"; - - private final static String TRUST_LIB_NAME = "nssckbi"; - - // handle to be passed to the native code, 0 means not initialized - private long nssHandle; - - // whether this is a supported version of NSS - private boolean supported; - - // list of the modules - private List modules; - - private String configDir; - - private String nssLibDir; - - private Secmod() { - // empty - } - - /** - * Return the singleton Secmod instance. - */ - public static Secmod getInstance() { - return INSTANCE; - } - - private boolean isLoaded() { - if (nssHandle == 0) { - nssHandle = nssGetLibraryHandle(System.mapLibraryName(NSS_LIB_NAME)); - if (nssHandle != 0) { - fetchVersions(); - } - } - return (nssHandle != 0); - } - - private void fetchVersions() { - supported = nssVersionCheck(nssHandle, "3.7"); - } - - /** - * Test whether this Secmod has been initialized. Returns true - * if NSS has been initialized using either the initialize() method - * or by directly calling the native NSS APIs. The latter may be - * the case if the current process contains components that use - * NSS directly. - * - * @throws IOException if an incompatible version of NSS - * has been loaded - */ - public synchronized boolean isInitialized() throws IOException { - // NSS does not allow us to check if it is initialized already - // assume that if it is loaded it is also initialized - if (isLoaded() == false) { - return false; - } - if (supported == false) { - throw new IOException - ("An incompatible version of NSS is already loaded, " - + "3.7 or later required"); - } - return true; - } - - String getConfigDir() { - return configDir; - } - - String getLibDir() { - return nssLibDir; - } - - /** - * Initialize this Secmod. - * - * @param configDir the directory containing the NSS configuration - * files such as secmod.db - * @param nssLibDir the directory containing the NSS libraries - * (libnss3.so or nss3.dll) or null if the library is on - * the system default shared library path - * - * @throws IOException if NSS has already been initialized, - * the specified directories are invalid, or initialization - * fails for any other reason - */ - public void initialize(String configDir, String nssLibDir) - throws IOException { - initialize(DbMode.READ_WRITE, configDir, nssLibDir, false); - } - - public void initialize(DbMode dbMode, String configDir, String nssLibDir) - throws IOException { - initialize(dbMode, configDir, nssLibDir, false); - } - - public synchronized void initialize(DbMode dbMode, String configDir, - String nssLibDir, boolean nssOptimizeSpace) throws IOException { - - if (isInitialized()) { - throw new IOException("NSS is already initialized"); - } - - if (dbMode == null) { - throw new NullPointerException(); - } - if ((dbMode != DbMode.NO_DB) && (configDir == null)) { - throw new NullPointerException(); - } - String platformLibName = System.mapLibraryName("nss3"); - String platformPath; - if (nssLibDir == null) { - platformPath = platformLibName; - } else { - File base = new File(nssLibDir); - if (base.isDirectory() == false) { - throw new IOException("nssLibDir must be a directory:" + nssLibDir); - } - File platformFile = new File(base, platformLibName); - if (platformFile.isFile() == false) { - throw new FileNotFoundException(platformFile.getPath()); - } - platformPath = platformFile.getPath(); - } - - if (configDir != null) { - File configBase = new File(configDir); - if (configBase.isDirectory() == false ) { - throw new IOException("configDir must be a directory: " + configDir); - } - File secmodFile = new File(configBase, "secmod.db"); - if (secmodFile.isFile() == false) { - throw new FileNotFoundException(secmodFile.getPath()); - } - } - - if (DEBUG) System.out.println("lib: " + platformPath); - nssHandle = nssLoadLibrary(platformPath); - if (DEBUG) System.out.println("handle: " + nssHandle); - fetchVersions(); - if (supported == false) { - throw new IOException - ("The specified version of NSS is incompatible, " - + "3.7 or later required"); - } - - if (DEBUG) System.out.println("dir: " + configDir); - boolean initok = nssInitialize(dbMode.functionName, nssHandle, - configDir, nssOptimizeSpace); - if (DEBUG) System.out.println("init: " + initok); - if (initok == false) { - throw new IOException("NSS initialization failed"); - } - - this.configDir = configDir; - this.nssLibDir = nssLibDir; - } - - /** - * Return an immutable list of all available modules. - * - * @throws IllegalStateException if this Secmod is misconfigured - * or not initialized - */ - public synchronized List getModules() { - try { - if (isInitialized() == false) { - throw new IllegalStateException("NSS not initialized"); - } - } catch (IOException e) { - // IOException if misconfigured - throw new IllegalStateException(e); - } - if (modules == null) { - @SuppressWarnings("unchecked") - List modules = (List)nssGetModuleList(nssHandle, - nssLibDir); - this.modules = Collections.unmodifiableList(modules); - } - return modules; - } - - private static byte[] getDigest(X509Certificate cert, String algorithm) { - try { - MessageDigest md = MessageDigest.getInstance(algorithm); - return md.digest(cert.getEncoded()); - } catch (GeneralSecurityException e) { - throw new ProviderException(e); - } - } - - boolean isTrusted(X509Certificate cert, TrustType trustType) { - Bytes bytes = new Bytes(getDigest(cert, "SHA-1")); - TrustAttributes attr = getModuleTrust(ModuleType.KEYSTORE, bytes); - if (attr == null) { - attr = getModuleTrust(ModuleType.FIPS, bytes); - if (attr == null) { - attr = getModuleTrust(ModuleType.TRUSTANCHOR, bytes); - } - } - return (attr == null) ? false : attr.isTrusted(trustType); - } - - private TrustAttributes getModuleTrust(ModuleType type, Bytes bytes) { - Module module = getModule(type); - TrustAttributes t = (module == null) ? null : module.getTrust(bytes); - return t; - } - - /** - * Constants describing the different types of NSS modules. - * For this API, NSS modules are classified as either one - * of the internal modules delivered as part of NSS or - * as an external module provided by a 3rd party. - */ - public static enum ModuleType { - /** - * The NSS Softtoken crypto module. This is the first - * slot of the softtoken object. - * This module provides - * implementations for cryptographic algorithms but no KeyStore. - */ - CRYPTO, - /** - * The NSS Softtoken KeyStore module. This is the second - * slot of the softtoken object. - * This module provides - * implementations for cryptographic algorithms (after login) - * and the KeyStore. - */ - KEYSTORE, - /** - * The NSS Softtoken module in FIPS mode. Note that in FIPS mode the - * softtoken presents only one slot, not separate CRYPTO and KEYSTORE - * slots as in non-FIPS mode. - */ - FIPS, - /** - * The NSS builtin trust anchor module. This is the - * NSSCKBI object. It provides no crypto functions. - */ - TRUSTANCHOR, - /** - * An external module. - */ - EXTERNAL, - } - - /** - * Returns the first module of the specified type. If no such - * module exists, this method returns null. - * - * @throws IllegalStateException if this Secmod is misconfigured - * or not initialized - */ - public Module getModule(ModuleType type) { - for (Module module : getModules()) { - if (module.getType() == type) { - return module; - } - } - return null; - } - - static final String TEMPLATE_EXTERNAL = - "library = %s\n" - + "name = \"%s\"\n" - + "slotListIndex = %d\n"; - - static final String TEMPLATE_TRUSTANCHOR = - "library = %s\n" - + "name = \"NSS Trust Anchors\"\n" - + "slotListIndex = 0\n" - + "enabledMechanisms = { KeyStore }\n" - + "nssUseSecmodTrust = true\n"; - - static final String TEMPLATE_CRYPTO = - "library = %s\n" - + "name = \"NSS SoftToken Crypto\"\n" - + "slotListIndex = 0\n" - + "disabledMechanisms = { KeyStore }\n"; - - static final String TEMPLATE_KEYSTORE = - "library = %s\n" - + "name = \"NSS SoftToken KeyStore\"\n" - + "slotListIndex = 1\n" - + "nssUseSecmodTrust = true\n"; - - static final String TEMPLATE_FIPS = - "library = %s\n" - + "name = \"NSS FIPS SoftToken\"\n" - + "slotListIndex = 0\n" - + "nssUseSecmodTrust = true\n"; - - /** - * A representation of one PKCS#11 slot in a PKCS#11 module. - */ - public static final class Module { - // path of the native library - final String libraryName; - // descriptive name used by NSS - final String commonName; - final int slot; - final ModuleType type; - - private String config; - private SunPKCS11 provider; - - // trust attributes. Used for the KEYSTORE and TRUSTANCHOR modules only - private Map trust; - - Module(String libraryDir, String libraryName, String commonName, - boolean fips, int slot) { - ModuleType type; - - if ((libraryName == null) || (libraryName.length() == 0)) { - // must be softtoken - libraryName = System.mapLibraryName(SOFTTOKEN_LIB_NAME); - if (fips == false) { - type = (slot == 0) ? ModuleType.CRYPTO : ModuleType.KEYSTORE; - } else { - type = ModuleType.FIPS; - if (slot != 0) { - throw new RuntimeException - ("Slot index should be 0 for FIPS slot"); - } - } - } else { - if (libraryName.endsWith(System.mapLibraryName(TRUST_LIB_NAME)) - || commonName.equals("Builtin Roots Module")) { - type = ModuleType.TRUSTANCHOR; - } else { - type = ModuleType.EXTERNAL; - } - if (fips) { - throw new RuntimeException("FIPS flag set for non-internal " - + "module: " + libraryName + ", " + commonName); - } - } - // On Ubuntu the libsoftokn3 library is located in a subdirectory - // of the system libraries directory. (Since Ubuntu 11.04.) - File libraryFile = new File(libraryDir, libraryName); - if (!libraryFile.isFile()) { - File failover = new File(libraryDir, "nss/" + libraryName); - if (failover.isFile()) { - libraryFile = failover; - } - } - this.libraryName = libraryFile.getPath(); - this.commonName = commonName; - this.slot = slot; - this.type = type; - initConfiguration(); - } - - private void initConfiguration() { - switch (type) { - case EXTERNAL: - config = String.format(TEMPLATE_EXTERNAL, libraryName, - commonName + " " + slot, slot); - break; - case CRYPTO: - config = String.format(TEMPLATE_CRYPTO, libraryName); - break; - case KEYSTORE: - config = String.format(TEMPLATE_KEYSTORE, libraryName); - break; - case FIPS: - config = String.format(TEMPLATE_FIPS, libraryName); - break; - case TRUSTANCHOR: - config = String.format(TEMPLATE_TRUSTANCHOR, libraryName); - break; - default: - throw new RuntimeException("Unknown module type: " + type); - } - } - - /** - * Get the configuration for this module. This is a string - * in the SunPKCS11 configuration format. It can be - * customized with additional options and then made - * current using the setConfiguration() method. - */ - @Deprecated - public synchronized String getConfiguration() { - return config; - } - - /** - * Set the configuration for this module. - * - * @throws IllegalStateException if the associated provider - * instance has already been created. - */ - @Deprecated - public synchronized void setConfiguration(String config) { - if (provider != null) { - throw new IllegalStateException("Provider instance already created"); - } - this.config = config; - } - - /** - * Return the pathname of the native library that implements - * this module. For example, /usr/lib/libpkcs11.so. - */ - public String getLibraryName() { - return libraryName; - } - - /** - * Returns the type of this module. - */ - public ModuleType getType() { - return type; - } - - /** - * Returns the provider instance that is associated with this - * module. The first call to this method creates the provider - * instance. - */ - @Deprecated - public synchronized Provider getProvider() { - if (provider == null) { - provider = newProvider(); - } - return provider; - } - - synchronized boolean hasInitializedProvider() { - return provider != null; - } - - void setProvider(SunPKCS11 p) { - if (provider != null) { - throw new ProviderException("Secmod provider already initialized"); - } - provider = p; - } - - private SunPKCS11 newProvider() { - try { - return new SunPKCS11(new Config("--" + config)); - } catch (Exception e) { - // XXX - throw new ProviderException(e); - } - } - - synchronized void setTrust(Token token, X509Certificate cert) { - Bytes bytes = new Bytes(getDigest(cert, "SHA-1")); - TrustAttributes attr = getTrust(bytes); - if (attr == null) { - attr = new TrustAttributes(token, cert, bytes, CKT_NETSCAPE_TRUSTED_DELEGATOR); - trust.put(bytes, attr); - } else { - // does it already have the correct trust settings? - if (attr.isTrusted(TrustType.ALL) == false) { - // XXX not yet implemented - throw new ProviderException("Cannot change existing trust attributes"); - } - } - } - - TrustAttributes getTrust(Bytes hash) { - if (trust == null) { - // If provider is not set, create a temporary provider to - // retrieve the trust information. This can happen if we need - // to get the trust information for the trustanchor module - // because we need to look for user customized settings in the - // keystore module (which may not have a provider created yet). - // Creating a temporary provider and then dropping it on the - // floor immediately is flawed, but it's the best we can do - // for now. - synchronized (this) { - SunPKCS11 p = provider; - if (p == null) { - p = newProvider(); - } - try { - trust = Secmod.getTrust(p); - } catch (PKCS11Exception e) { - throw new RuntimeException(e); - } - } - } - return trust.get(hash); - } - - public String toString() { - return - commonName + " (" + type + ", " + libraryName + ", slot " + slot + ")"; - } - - } - - /** - * Constants representing NSS trust categories. - */ - public static enum TrustType { - /** Trusted for all purposes */ - ALL, - /** Trusted for SSL client authentication */ - CLIENT_AUTH, - /** Trusted for SSL server authentication */ - SERVER_AUTH, - /** Trusted for code signing */ - CODE_SIGNING, - /** Trusted for email protection */ - EMAIL_PROTECTION, - } - - public static enum DbMode { - READ_WRITE("NSS_InitReadWrite"), - READ_ONLY ("NSS_Init"), - NO_DB ("NSS_NoDB_Init"); - - final String functionName; - DbMode(String functionName) { - this.functionName = functionName; - } - } - - /** - * A LoadStoreParameter for use with the NSS Softtoken or - * NSS TrustAnchor KeyStores. - *

- * It allows the set of trusted certificates that are returned by - * the KeyStore to be specified. - */ - public static final class KeyStoreLoadParameter implements LoadStoreParameter { - final TrustType trustType; - final ProtectionParameter protection; - public KeyStoreLoadParameter(TrustType trustType, char[] password) { - this(trustType, new PasswordProtection(password)); - - } - public KeyStoreLoadParameter(TrustType trustType, ProtectionParameter prot) { - if (trustType == null) { - throw new NullPointerException("trustType must not be null"); - } - this.trustType = trustType; - this.protection = prot; - } - public ProtectionParameter getProtectionParameter() { - return protection; - } - public TrustType getTrustType() { - return trustType; - } - } - - static class TrustAttributes { - final long handle; - final long clientAuth, serverAuth, codeSigning, emailProtection; - final byte[] shaHash; - TrustAttributes(Token token, X509Certificate cert, Bytes bytes, long trustValue) { - Session session = null; - try { - session = token.getOpSession(); - // XXX use KeyStore TrustType settings to determine which - // attributes to set - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_TOKEN, true), - new CK_ATTRIBUTE(CKA_CLASS, CKO_NETSCAPE_TRUST), - new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_SERVER_AUTH, trustValue), - new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CODE_SIGNING, trustValue), - new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_EMAIL_PROTECTION, trustValue), - new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CLIENT_AUTH, trustValue), - new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_SHA1_HASH, bytes.b), - new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_MD5_HASH, getDigest(cert, "MD5")), - new CK_ATTRIBUTE(CKA_ISSUER, cert.getIssuerX500Principal().getEncoded()), - new CK_ATTRIBUTE(CKA_SERIAL_NUMBER, cert.getSerialNumber().toByteArray()), - // XXX per PKCS#11 spec, the serial number should be in ASN.1 - }; - handle = token.p11.C_CreateObject(session.id(), attrs); - shaHash = bytes.b; - clientAuth = trustValue; - serverAuth = trustValue; - codeSigning = trustValue; - emailProtection = trustValue; - } catch (PKCS11Exception e) { - throw new ProviderException("Could not create trust object", e); - } finally { - token.releaseSession(session); - } - } - TrustAttributes(Token token, Session session, long handle) - throws PKCS11Exception { - this.handle = handle; - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_SERVER_AUTH), - new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CODE_SIGNING), - new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_EMAIL_PROTECTION), - new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_SHA1_HASH), - }; - - token.p11.C_GetAttributeValue(session.id(), handle, attrs); - serverAuth = attrs[0].getLong(); - codeSigning = attrs[1].getLong(); - emailProtection = attrs[2].getLong(); - shaHash = attrs[3].getByteArray(); - - attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CLIENT_AUTH), - }; - long c; - try { - token.p11.C_GetAttributeValue(session.id(), handle, attrs); - c = attrs[0].getLong(); - } catch (PKCS11Exception e) { - // trust anchor module does not support this attribute - c = serverAuth; - } - clientAuth = c; - } - Bytes getHash() { - return new Bytes(shaHash); - } - boolean isTrusted(TrustType type) { - switch (type) { - case CLIENT_AUTH: - return isTrusted(clientAuth); - case SERVER_AUTH: - return isTrusted(serverAuth); - case CODE_SIGNING: - return isTrusted(codeSigning); - case EMAIL_PROTECTION: - return isTrusted(emailProtection); - case ALL: - return isTrusted(TrustType.CLIENT_AUTH) - && isTrusted(TrustType.SERVER_AUTH) - && isTrusted(TrustType.CODE_SIGNING) - && isTrusted(TrustType.EMAIL_PROTECTION); - default: - return false; - } - } - - private boolean isTrusted(long l) { - // XXX CKT_TRUSTED? - return (l == CKT_NETSCAPE_TRUSTED_DELEGATOR); - } - - } - - private static class Bytes { - final byte[] b; - Bytes(byte[] b) { - this.b = b; - } - public int hashCode() { - return Arrays.hashCode(b); - } - public boolean equals(Object o) { - if (this == o) { - return true; - } - if (o instanceof Bytes == false) { - return false; - } - Bytes other = (Bytes)o; - return Arrays.equals(this.b, other.b); - } - } - - private static Map getTrust(SunPKCS11 provider) - throws PKCS11Exception { - Map trustMap = new HashMap(); - Token token = provider.getToken(); - Session session = null; - boolean exceptionOccurred = true; - try { - session = token.getOpSession(); - int MAX_NUM = 8192; - CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { - new CK_ATTRIBUTE(CKA_CLASS, CKO_NETSCAPE_TRUST), - }; - token.p11.C_FindObjectsInit(session.id(), attrs); - long[] handles = token.p11.C_FindObjects(session.id(), MAX_NUM); - token.p11.C_FindObjectsFinal(session.id()); - if (DEBUG) System.out.println("handles: " + handles.length); - - for (long handle : handles) { - try { - TrustAttributes trust = new TrustAttributes(token, session, handle); - trustMap.put(trust.getHash(), trust); - } catch (PKCS11Exception e) { - // skip put on pkcs11 error - } - } - exceptionOccurred = false; - } finally { - if (exceptionOccurred) { - token.killSession(session); - } else { - token.releaseSession(session); - } - } - return trustMap; - } - - private static native long nssGetLibraryHandle(String libraryName); - - private static native long nssLoadLibrary(String name) throws IOException; - - private static native boolean nssVersionCheck(long handle, String minVersion); - - private static native boolean nssInitialize(String functionName, long handle, String configDir, boolean nssOptimizeSpace); - - private static native Object nssGetModuleList(long handle, String libDir); - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java 2017-01-20 09:52:39.302288920 -0800 @@ -0,0 +1,787 @@ +/* + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.io.*; +import java.util.*; + +import java.security.*; +import java.security.KeyStore.*; +import java.security.cert.X509Certificate; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + +/** + * The Secmod class defines the interface to the native NSS + * library and the configuration information it stores in its + * secmod.db file. + * + *

Example code: + * 

+ *   Secmod secmod = Secmod.getInstance();
+ *   if (secmod.isInitialized() == false) {
+ *       secmod.initialize("/home/myself/.mozilla");
+ *   }
+ *
+ *   Provider p = secmod.getModule(ModuleType.KEYSTORE).getProvider();
+ *   KeyStore ks = KeyStore.getInstance("PKCS11", p);
+ *   ks.load(null, password);
+ *
+ * + * @since 1.6 + * @author Andreas Sterbenz + */ +public final class Secmod { + + private final static boolean DEBUG = false; + + private final static Secmod INSTANCE; + + static { + sun.security.pkcs11.wrapper.PKCS11.loadNative(); + INSTANCE = new Secmod(); + } + + private final static String NSS_LIB_NAME = "nss3"; + + private final static String SOFTTOKEN_LIB_NAME = "softokn3"; + + private final static String TRUST_LIB_NAME = "nssckbi"; + + // handle to be passed to the native code, 0 means not initialized + private long nssHandle; + + // whether this is a supported version of NSS + private boolean supported; + + // list of the modules + private List modules; + + private String configDir; + + private String nssLibDir; + + private Secmod() { + // empty + } + + /** + * Return the singleton Secmod instance. + */ + public static Secmod getInstance() { + return INSTANCE; + } + + private boolean isLoaded() { + if (nssHandle == 0) { + nssHandle = nssGetLibraryHandle(System.mapLibraryName(NSS_LIB_NAME)); + if (nssHandle != 0) { + fetchVersions(); + } + } + return (nssHandle != 0); + } + + private void fetchVersions() { + supported = nssVersionCheck(nssHandle, "3.7"); + } + + /** + * Test whether this Secmod has been initialized. Returns true + * if NSS has been initialized using either the initialize() method + * or by directly calling the native NSS APIs. The latter may be + * the case if the current process contains components that use + * NSS directly. + * + * @throws IOException if an incompatible version of NSS + * has been loaded + */ + public synchronized boolean isInitialized() throws IOException { + // NSS does not allow us to check if it is initialized already + // assume that if it is loaded it is also initialized + if (isLoaded() == false) { + return false; + } + if (supported == false) { + throw new IOException + ("An incompatible version of NSS is already loaded, " + + "3.7 or later required"); + } + return true; + } + + String getConfigDir() { + return configDir; + } + + String getLibDir() { + return nssLibDir; + } + + /** + * Initialize this Secmod. + * + * @param configDir the directory containing the NSS configuration + * files such as secmod.db + * @param nssLibDir the directory containing the NSS libraries + * (libnss3.so or nss3.dll) or null if the library is on + * the system default shared library path + * + * @throws IOException if NSS has already been initialized, + * the specified directories are invalid, or initialization + * fails for any other reason + */ + public void initialize(String configDir, String nssLibDir) + throws IOException { + initialize(DbMode.READ_WRITE, configDir, nssLibDir, false); + } + + public void initialize(DbMode dbMode, String configDir, String nssLibDir) + throws IOException { + initialize(dbMode, configDir, nssLibDir, false); + } + + public synchronized void initialize(DbMode dbMode, String configDir, + String nssLibDir, boolean nssOptimizeSpace) throws IOException { + + if (isInitialized()) { + throw new IOException("NSS is already initialized"); + } + + if (dbMode == null) { + throw new NullPointerException(); + } + if ((dbMode != DbMode.NO_DB) && (configDir == null)) { + throw new NullPointerException(); + } + String platformLibName = System.mapLibraryName("nss3"); + String platformPath; + if (nssLibDir == null) { + platformPath = platformLibName; + } else { + File base = new File(nssLibDir); + if (base.isDirectory() == false) { + throw new IOException("nssLibDir must be a directory:" + nssLibDir); + } + File platformFile = new File(base, platformLibName); + if (platformFile.isFile() == false) { + throw new FileNotFoundException(platformFile.getPath()); + } + platformPath = platformFile.getPath(); + } + + if (configDir != null) { + File configBase = new File(configDir); + if (configBase.isDirectory() == false ) { + throw new IOException("configDir must be a directory: " + configDir); + } + File secmodFile = new File(configBase, "secmod.db"); + if (secmodFile.isFile() == false) { + throw new FileNotFoundException(secmodFile.getPath()); + } + } + + if (DEBUG) System.out.println("lib: " + platformPath); + nssHandle = nssLoadLibrary(platformPath); + if (DEBUG) System.out.println("handle: " + nssHandle); + fetchVersions(); + if (supported == false) { + throw new IOException + ("The specified version of NSS is incompatible, " + + "3.7 or later required"); + } + + if (DEBUG) System.out.println("dir: " + configDir); + boolean initok = nssInitialize(dbMode.functionName, nssHandle, + configDir, nssOptimizeSpace); + if (DEBUG) System.out.println("init: " + initok); + if (initok == false) { + throw new IOException("NSS initialization failed"); + } + + this.configDir = configDir; + this.nssLibDir = nssLibDir; + } + + /** + * Return an immutable list of all available modules. + * + * @throws IllegalStateException if this Secmod is misconfigured + * or not initialized + */ + public synchronized List getModules() { + try { + if (isInitialized() == false) { + throw new IllegalStateException("NSS not initialized"); + } + } catch (IOException e) { + // IOException if misconfigured + throw new IllegalStateException(e); + } + if (modules == null) { + @SuppressWarnings("unchecked") + List modules = (List)nssGetModuleList(nssHandle, + nssLibDir); + this.modules = Collections.unmodifiableList(modules); + } + return modules; + } + + private static byte[] getDigest(X509Certificate cert, String algorithm) { + try { + MessageDigest md = MessageDigest.getInstance(algorithm); + return md.digest(cert.getEncoded()); + } catch (GeneralSecurityException e) { + throw new ProviderException(e); + } + } + + boolean isTrusted(X509Certificate cert, TrustType trustType) { + Bytes bytes = new Bytes(getDigest(cert, "SHA-1")); + TrustAttributes attr = getModuleTrust(ModuleType.KEYSTORE, bytes); + if (attr == null) { + attr = getModuleTrust(ModuleType.FIPS, bytes); + if (attr == null) { + attr = getModuleTrust(ModuleType.TRUSTANCHOR, bytes); + } + } + return (attr == null) ? false : attr.isTrusted(trustType); + } + + private TrustAttributes getModuleTrust(ModuleType type, Bytes bytes) { + Module module = getModule(type); + TrustAttributes t = (module == null) ? null : module.getTrust(bytes); + return t; + } + + /** + * Constants describing the different types of NSS modules. + * For this API, NSS modules are classified as either one + * of the internal modules delivered as part of NSS or + * as an external module provided by a 3rd party. + */ + public static enum ModuleType { + /** + * The NSS Softtoken crypto module. This is the first + * slot of the softtoken object. + * This module provides + * implementations for cryptographic algorithms but no KeyStore. + */ + CRYPTO, + /** + * The NSS Softtoken KeyStore module. This is the second + * slot of the softtoken object. + * This module provides + * implementations for cryptographic algorithms (after login) + * and the KeyStore. + */ + KEYSTORE, + /** + * The NSS Softtoken module in FIPS mode. Note that in FIPS mode the + * softtoken presents only one slot, not separate CRYPTO and KEYSTORE + * slots as in non-FIPS mode. + */ + FIPS, + /** + * The NSS builtin trust anchor module. This is the + * NSSCKBI object. It provides no crypto functions. + */ + TRUSTANCHOR, + /** + * An external module. + */ + EXTERNAL, + } + + /** + * Returns the first module of the specified type. If no such + * module exists, this method returns null. + * + * @throws IllegalStateException if this Secmod is misconfigured + * or not initialized + */ + public Module getModule(ModuleType type) { + for (Module module : getModules()) { + if (module.getType() == type) { + return module; + } + } + return null; + } + + static final String TEMPLATE_EXTERNAL = + "library = %s\n" + + "name = \"%s\"\n" + + "slotListIndex = %d\n"; + + static final String TEMPLATE_TRUSTANCHOR = + "library = %s\n" + + "name = \"NSS Trust Anchors\"\n" + + "slotListIndex = 0\n" + + "enabledMechanisms = { KeyStore }\n" + + "nssUseSecmodTrust = true\n"; + + static final String TEMPLATE_CRYPTO = + "library = %s\n" + + "name = \"NSS SoftToken Crypto\"\n" + + "slotListIndex = 0\n" + + "disabledMechanisms = { KeyStore }\n"; + + static final String TEMPLATE_KEYSTORE = + "library = %s\n" + + "name = \"NSS SoftToken KeyStore\"\n" + + "slotListIndex = 1\n" + + "nssUseSecmodTrust = true\n"; + + static final String TEMPLATE_FIPS = + "library = %s\n" + + "name = \"NSS FIPS SoftToken\"\n" + + "slotListIndex = 0\n" + + "nssUseSecmodTrust = true\n"; + + /** + * A representation of one PKCS#11 slot in a PKCS#11 module. + */ + public static final class Module { + // path of the native library + final String libraryName; + // descriptive name used by NSS + final String commonName; + final int slot; + final ModuleType type; + + private String config; + private SunPKCS11 provider; + + // trust attributes. Used for the KEYSTORE and TRUSTANCHOR modules only + private Map trust; + + Module(String libraryDir, String libraryName, String commonName, + boolean fips, int slot) { + ModuleType type; + + if ((libraryName == null) || (libraryName.length() == 0)) { + // must be softtoken + libraryName = System.mapLibraryName(SOFTTOKEN_LIB_NAME); + if (fips == false) { + type = (slot == 0) ? ModuleType.CRYPTO : ModuleType.KEYSTORE; + } else { + type = ModuleType.FIPS; + if (slot != 0) { + throw new RuntimeException + ("Slot index should be 0 for FIPS slot"); + } + } + } else { + if (libraryName.endsWith(System.mapLibraryName(TRUST_LIB_NAME)) + || commonName.equals("Builtin Roots Module")) { + type = ModuleType.TRUSTANCHOR; + } else { + type = ModuleType.EXTERNAL; + } + if (fips) { + throw new RuntimeException("FIPS flag set for non-internal " + + "module: " + libraryName + ", " + commonName); + } + } + // On Ubuntu the libsoftokn3 library is located in a subdirectory + // of the system libraries directory. (Since Ubuntu 11.04.) + File libraryFile = new File(libraryDir, libraryName); + if (!libraryFile.isFile()) { + File failover = new File(libraryDir, "nss/" + libraryName); + if (failover.isFile()) { + libraryFile = failover; + } + } + this.libraryName = libraryFile.getPath(); + this.commonName = commonName; + this.slot = slot; + this.type = type; + initConfiguration(); + } + + private void initConfiguration() { + switch (type) { + case EXTERNAL: + config = String.format(TEMPLATE_EXTERNAL, libraryName, + commonName + " " + slot, slot); + break; + case CRYPTO: + config = String.format(TEMPLATE_CRYPTO, libraryName); + break; + case KEYSTORE: + config = String.format(TEMPLATE_KEYSTORE, libraryName); + break; + case FIPS: + config = String.format(TEMPLATE_FIPS, libraryName); + break; + case TRUSTANCHOR: + config = String.format(TEMPLATE_TRUSTANCHOR, libraryName); + break; + default: + throw new RuntimeException("Unknown module type: " + type); + } + } + + /** + * Get the configuration for this module. This is a string + * in the SunPKCS11 configuration format. It can be + * customized with additional options and then made + * current using the setConfiguration() method. + */ + @Deprecated + public synchronized String getConfiguration() { + return config; + } + + /** + * Set the configuration for this module. + * + * @throws IllegalStateException if the associated provider + * instance has already been created. + */ + @Deprecated + public synchronized void setConfiguration(String config) { + if (provider != null) { + throw new IllegalStateException("Provider instance already created"); + } + this.config = config; + } + + /** + * Return the pathname of the native library that implements + * this module. For example, /usr/lib/libpkcs11.so. + */ + public String getLibraryName() { + return libraryName; + } + + /** + * Returns the type of this module. + */ + public ModuleType getType() { + return type; + } + + /** + * Returns the provider instance that is associated with this + * module. The first call to this method creates the provider + * instance. + */ + @Deprecated + public synchronized Provider getProvider() { + if (provider == null) { + provider = newProvider(); + } + return provider; + } + + synchronized boolean hasInitializedProvider() { + return provider != null; + } + + void setProvider(SunPKCS11 p) { + if (provider != null) { + throw new ProviderException("Secmod provider already initialized"); + } + provider = p; + } + + private SunPKCS11 newProvider() { + try { + return new SunPKCS11(new Config("--" + config)); + } catch (Exception e) { + // XXX + throw new ProviderException(e); + } + } + + synchronized void setTrust(Token token, X509Certificate cert) { + Bytes bytes = new Bytes(getDigest(cert, "SHA-1")); + TrustAttributes attr = getTrust(bytes); + if (attr == null) { + attr = new TrustAttributes(token, cert, bytes, CKT_NETSCAPE_TRUSTED_DELEGATOR); + trust.put(bytes, attr); + } else { + // does it already have the correct trust settings? + if (attr.isTrusted(TrustType.ALL) == false) { + // XXX not yet implemented + throw new ProviderException("Cannot change existing trust attributes"); + } + } + } + + TrustAttributes getTrust(Bytes hash) { + if (trust == null) { + // If provider is not set, create a temporary provider to + // retrieve the trust information. This can happen if we need + // to get the trust information for the trustanchor module + // because we need to look for user customized settings in the + // keystore module (which may not have a provider created yet). + // Creating a temporary provider and then dropping it on the + // floor immediately is flawed, but it's the best we can do + // for now. + synchronized (this) { + SunPKCS11 p = provider; + if (p == null) { + p = newProvider(); + } + try { + trust = Secmod.getTrust(p); + } catch (PKCS11Exception e) { + throw new RuntimeException(e); + } + } + } + return trust.get(hash); + } + + public String toString() { + return + commonName + " (" + type + ", " + libraryName + ", slot " + slot + ")"; + } + + } + + /** + * Constants representing NSS trust categories. + */ + public static enum TrustType { + /** Trusted for all purposes */ + ALL, + /** Trusted for SSL client authentication */ + CLIENT_AUTH, + /** Trusted for SSL server authentication */ + SERVER_AUTH, + /** Trusted for code signing */ + CODE_SIGNING, + /** Trusted for email protection */ + EMAIL_PROTECTION, + } + + public static enum DbMode { + READ_WRITE("NSS_InitReadWrite"), + READ_ONLY ("NSS_Init"), + NO_DB ("NSS_NoDB_Init"); + + final String functionName; + DbMode(String functionName) { + this.functionName = functionName; + } + } + + /** + * A LoadStoreParameter for use with the NSS Softtoken or + * NSS TrustAnchor KeyStores. + *

+ * It allows the set of trusted certificates that are returned by + * the KeyStore to be specified. + */ + public static final class KeyStoreLoadParameter implements LoadStoreParameter { + final TrustType trustType; + final ProtectionParameter protection; + public KeyStoreLoadParameter(TrustType trustType, char[] password) { + this(trustType, new PasswordProtection(password)); + + } + public KeyStoreLoadParameter(TrustType trustType, ProtectionParameter prot) { + if (trustType == null) { + throw new NullPointerException("trustType must not be null"); + } + this.trustType = trustType; + this.protection = prot; + } + public ProtectionParameter getProtectionParameter() { + return protection; + } + public TrustType getTrustType() { + return trustType; + } + } + + static class TrustAttributes { + final long handle; + final long clientAuth, serverAuth, codeSigning, emailProtection; + final byte[] shaHash; + TrustAttributes(Token token, X509Certificate cert, Bytes bytes, long trustValue) { + Session session = null; + try { + session = token.getOpSession(); + // XXX use KeyStore TrustType settings to determine which + // attributes to set + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_TOKEN, true), + new CK_ATTRIBUTE(CKA_CLASS, CKO_NETSCAPE_TRUST), + new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_SERVER_AUTH, trustValue), + new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CODE_SIGNING, trustValue), + new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_EMAIL_PROTECTION, trustValue), + new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CLIENT_AUTH, trustValue), + new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_SHA1_HASH, bytes.b), + new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_MD5_HASH, getDigest(cert, "MD5")), + new CK_ATTRIBUTE(CKA_ISSUER, cert.getIssuerX500Principal().getEncoded()), + new CK_ATTRIBUTE(CKA_SERIAL_NUMBER, cert.getSerialNumber().toByteArray()), + // XXX per PKCS#11 spec, the serial number should be in ASN.1 + }; + handle = token.p11.C_CreateObject(session.id(), attrs); + shaHash = bytes.b; + clientAuth = trustValue; + serverAuth = trustValue; + codeSigning = trustValue; + emailProtection = trustValue; + } catch (PKCS11Exception e) { + throw new ProviderException("Could not create trust object", e); + } finally { + token.releaseSession(session); + } + } + TrustAttributes(Token token, Session session, long handle) + throws PKCS11Exception { + this.handle = handle; + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_SERVER_AUTH), + new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CODE_SIGNING), + new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_EMAIL_PROTECTION), + new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_SHA1_HASH), + }; + + token.p11.C_GetAttributeValue(session.id(), handle, attrs); + serverAuth = attrs[0].getLong(); + codeSigning = attrs[1].getLong(); + emailProtection = attrs[2].getLong(); + shaHash = attrs[3].getByteArray(); + + attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CLIENT_AUTH), + }; + long c; + try { + token.p11.C_GetAttributeValue(session.id(), handle, attrs); + c = attrs[0].getLong(); + } catch (PKCS11Exception e) { + // trust anchor module does not support this attribute + c = serverAuth; + } + clientAuth = c; + } + Bytes getHash() { + return new Bytes(shaHash); + } + boolean isTrusted(TrustType type) { + switch (type) { + case CLIENT_AUTH: + return isTrusted(clientAuth); + case SERVER_AUTH: + return isTrusted(serverAuth); + case CODE_SIGNING: + return isTrusted(codeSigning); + case EMAIL_PROTECTION: + return isTrusted(emailProtection); + case ALL: + return isTrusted(TrustType.CLIENT_AUTH) + && isTrusted(TrustType.SERVER_AUTH) + && isTrusted(TrustType.CODE_SIGNING) + && isTrusted(TrustType.EMAIL_PROTECTION); + default: + return false; + } + } + + private boolean isTrusted(long l) { + // XXX CKT_TRUSTED? + return (l == CKT_NETSCAPE_TRUSTED_DELEGATOR); + } + + } + + private static class Bytes { + final byte[] b; + Bytes(byte[] b) { + this.b = b; + } + public int hashCode() { + return Arrays.hashCode(b); + } + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o instanceof Bytes == false) { + return false; + } + Bytes other = (Bytes)o; + return Arrays.equals(this.b, other.b); + } + } + + private static Map getTrust(SunPKCS11 provider) + throws PKCS11Exception { + Map trustMap = new HashMap(); + Token token = provider.getToken(); + Session session = null; + boolean exceptionOccurred = true; + try { + session = token.getOpSession(); + int MAX_NUM = 8192; + CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_NETSCAPE_TRUST), + }; + token.p11.C_FindObjectsInit(session.id(), attrs); + long[] handles = token.p11.C_FindObjects(session.id(), MAX_NUM); + token.p11.C_FindObjectsFinal(session.id()); + if (DEBUG) System.out.println("handles: " + handles.length); + + for (long handle : handles) { + try { + TrustAttributes trust = new TrustAttributes(token, session, handle); + trustMap.put(trust.getHash(), trust); + } catch (PKCS11Exception e) { + // skip put on pkcs11 error + } + } + exceptionOccurred = false; + } finally { + if (exceptionOccurred) { + token.killSession(session); + } else { + token.releaseSession(session); + } + } + return trustMap; + } + + private static native long nssGetLibraryHandle(String libraryName); + + private static native long nssLoadLibrary(String name) throws IOException; + + private static native boolean nssVersionCheck(long handle, String minVersion); + + private static native boolean nssInitialize(String functionName, long handle, String configDir, boolean nssOptimizeSpace); + + private static native Object nssGetModuleList(long handle, String libDir); + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/Session.java 2017-01-20 09:52:39.870288898 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,189 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.lang.ref.*; -import java.util.*; -import java.util.concurrent.atomic.AtomicInteger; - -import java.security.*; - -import sun.security.pkcs11.wrapper.*; - -/** - * A session object. Sessions are obtained via the SessionManager, - * see there for details. Most code will only ever need one method in - * this class, the id() method to obtain the session id. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class Session implements Comparable { - - // time after which to close idle sessions, in milliseconds (3 minutes) - private final static long MAX_IDLE_TIME = 3 * 60 * 1000; - - // token instance - final Token token; - - // session id - private final long id; - - // number of objects created within this session - private final AtomicInteger createdObjects; - - // time this session was last used - // not synchronized/volatile for performance, so may be unreliable - // this could lead to idle sessions being closed early, but that is harmless - private long lastAccess; - - private final SessionRef sessionRef; - - Session(Token token, long id) { - this.token = token; - this.id = id; - createdObjects = new AtomicInteger(); - id(); - sessionRef = new SessionRef(this, id, token); - } - - public int compareTo(Session other) { - if (this.lastAccess == other.lastAccess) { - return 0; - } else { - return (this.lastAccess < other.lastAccess) ? -1 : 1; - } - } - - boolean isLive(long currentTime) { - return currentTime - lastAccess < MAX_IDLE_TIME; - } - - long idInternal() { - return id; - } - - long id() { - if (token.isPresent(this.id) == false) { - throw new ProviderException("Token has been removed"); - } - lastAccess = System.currentTimeMillis(); - return id; - } - - void addObject() { - int n = createdObjects.incrementAndGet(); - // XXX update statistics in session manager if n == 1 - } - - void removeObject() { - int n = createdObjects.decrementAndGet(); - if (n == 0) { - token.sessionManager.demoteObjSession(this); - } else if (n < 0) { - throw new ProviderException("Internal error: objects created " + n); - } - } - - boolean hasObjects() { - return createdObjects.get() != 0; - } - - void close() { - if (hasObjects()) { - throw new ProviderException( - "Internal error: close session with active objects"); - } - sessionRef.dispose(); - } -} - -/* - * NOTE: Use PhantomReference here and not WeakReference - * otherwise the sessions maybe closed before other objects - * which are still being finalized. - */ -final class SessionRef extends PhantomReference - implements Comparable { - - private static ReferenceQueue refQueue = - new ReferenceQueue(); - - private static Set refList = - Collections.synchronizedSortedSet(new TreeSet()); - - static ReferenceQueue referenceQueue() { - return refQueue; - } - - static int totalCount() { - return refList.size(); - } - - private static void drainRefQueueBounded() { - while (true) { - SessionRef next = (SessionRef) refQueue.poll(); - if (next == null) break; - next.dispose(); - } - } - - // handle to the native session - private long id; - private Token token; - - SessionRef(Session session, long id, Token token) { - super(session, refQueue); - this.id = id; - this.token = token; - refList.add(this); - // TBD: run at some interval and not every time? - drainRefQueueBounded(); - } - - void dispose() { - refList.remove(this); - try { - if (token.isPresent(id)) { - token.p11.C_CloseSession(id); - } - } catch (PKCS11Exception e1) { - // ignore - } catch (ProviderException e2) { - // ignore - } finally { - this.clear(); - } - } - - public int compareTo(SessionRef other) { - if (this.id == other.id) { - return 0; - } else { - return (this.id < other.id) ? -1 : 1; - } - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Session.java 2017-01-20 09:52:39.650288906 -0800 @@ -0,0 +1,189 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.lang.ref.*; +import java.util.*; +import java.util.concurrent.atomic.AtomicInteger; + +import java.security.*; + +import sun.security.pkcs11.wrapper.*; + +/** + * A session object. Sessions are obtained via the SessionManager, + * see there for details. Most code will only ever need one method in + * this class, the id() method to obtain the session id. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class Session implements Comparable { + + // time after which to close idle sessions, in milliseconds (3 minutes) + private final static long MAX_IDLE_TIME = 3 * 60 * 1000; + + // token instance + final Token token; + + // session id + private final long id; + + // number of objects created within this session + private final AtomicInteger createdObjects; + + // time this session was last used + // not synchronized/volatile for performance, so may be unreliable + // this could lead to idle sessions being closed early, but that is harmless + private long lastAccess; + + private final SessionRef sessionRef; + + Session(Token token, long id) { + this.token = token; + this.id = id; + createdObjects = new AtomicInteger(); + id(); + sessionRef = new SessionRef(this, id, token); + } + + public int compareTo(Session other) { + if (this.lastAccess == other.lastAccess) { + return 0; + } else { + return (this.lastAccess < other.lastAccess) ? -1 : 1; + } + } + + boolean isLive(long currentTime) { + return currentTime - lastAccess < MAX_IDLE_TIME; + } + + long idInternal() { + return id; + } + + long id() { + if (token.isPresent(this.id) == false) { + throw new ProviderException("Token has been removed"); + } + lastAccess = System.currentTimeMillis(); + return id; + } + + void addObject() { + int n = createdObjects.incrementAndGet(); + // XXX update statistics in session manager if n == 1 + } + + void removeObject() { + int n = createdObjects.decrementAndGet(); + if (n == 0) { + token.sessionManager.demoteObjSession(this); + } else if (n < 0) { + throw new ProviderException("Internal error: objects created " + n); + } + } + + boolean hasObjects() { + return createdObjects.get() != 0; + } + + void close() { + if (hasObjects()) { + throw new ProviderException( + "Internal error: close session with active objects"); + } + sessionRef.dispose(); + } +} + +/* + * NOTE: Use PhantomReference here and not WeakReference + * otherwise the sessions maybe closed before other objects + * which are still being finalized. + */ +final class SessionRef extends PhantomReference + implements Comparable { + + private static ReferenceQueue refQueue = + new ReferenceQueue(); + + private static Set refList = + Collections.synchronizedSortedSet(new TreeSet()); + + static ReferenceQueue referenceQueue() { + return refQueue; + } + + static int totalCount() { + return refList.size(); + } + + private static void drainRefQueueBounded() { + while (true) { + SessionRef next = (SessionRef) refQueue.poll(); + if (next == null) break; + next.dispose(); + } + } + + // handle to the native session + private long id; + private Token token; + + SessionRef(Session session, long id, Token token) { + super(session, refQueue); + this.id = id; + this.token = token; + refList.add(this); + // TBD: run at some interval and not every time? + drainRefQueueBounded(); + } + + void dispose() { + refList.remove(this); + try { + if (token.isPresent(id)) { + token.p11.C_CloseSession(id); + } + } catch (PKCS11Exception e1) { + // ignore + } catch (ProviderException e2) { + // ignore + } finally { + this.clear(); + } + } + + public int compareTo(SessionRef other) { + if (this.id == other.id) { + return 0; + } else { + return (this.id < other.id) ? -1 : 1; + } + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/SessionManager.java 2017-01-20 09:52:40.226288885 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,296 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.util.*; - -import java.security.ProviderException; - -import sun.security.util.Debug; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -import java.util.concurrent.LinkedBlockingQueue; -import java.util.concurrent.atomic.AtomicInteger; - -/** - * Session manager. There is one session manager object per PKCS#11 - * provider. It allows code to checkout a session, release it - * back to the pool, or force it to be closed. - * - * The session manager pools sessions to minimize the number of - * C_OpenSession() and C_CloseSession() that have to be made. It - * maintains two pools: one for "object" sessions and one for - * "operation" sessions. - * - * The reason for this separation is how PKCS#11 deals with session objects. - * It defines that when a session is closed, all objects created within - * that session are destroyed. In other words, we may never close a session - * while a Key created it in is still in use. We would like to keep the - * number of such sessions low. Note that we occasionally want to explicitly - * close a session, see P11Signature. - * - * NOTE that sessions obtained from this class SHOULD be returned using - * either releaseSession() or closeSession() using a finally block when - * not needed anymore. Otherwise, they will be left for cleanup via the - * PhantomReference mechanism when GC kicks in, but it's best not to rely - * on that since GC may not run timely enough since the native PKCS11 library - * is also consuming memory. - * - * Note that sessions are automatically closed when they are not used for a - * period of time, see Session. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class SessionManager { - - private final static int DEFAULT_MAX_SESSIONS = 32; - - private final static Debug debug = Debug.getInstance("pkcs11"); - - // token instance - private final Token token; - - // maximum number of sessions to open with this token - private final int maxSessions; - - // total number of active sessions - private AtomicInteger activeSessions = new AtomicInteger(); - - // pool of available object sessions - private final Pool objSessions; - - // pool of available operation sessions - private final Pool opSessions; - - // maximum number of active sessions during this invocation, for debugging - private int maxActiveSessions; - private Object maxActiveSessionsLock; - - // flags to use in the C_OpenSession() call - private final long openSessionFlags; - - SessionManager(Token token) { - long n; - if (token.isWriteProtected()) { - openSessionFlags = CKF_SERIAL_SESSION; - n = token.tokenInfo.ulMaxSessionCount; - } else { - openSessionFlags = CKF_SERIAL_SESSION | CKF_RW_SESSION; - n = token.tokenInfo.ulMaxRwSessionCount; - } - if (n == CK_EFFECTIVELY_INFINITE) { - n = Integer.MAX_VALUE; - } else if ((n == CK_UNAVAILABLE_INFORMATION) || (n < 0)) { - // choose an arbitrary concrete value - n = DEFAULT_MAX_SESSIONS; - } - maxSessions = (int)Math.min(n, Integer.MAX_VALUE); - this.token = token; - this.objSessions = new Pool(this, true); - this.opSessions = new Pool(this, false); - if (debug != null) { - maxActiveSessionsLock = new Object(); - } - } - - // returns whether only a fairly low number of sessions are - // supported by this token. - boolean lowMaxSessions() { - return (maxSessions <= DEFAULT_MAX_SESSIONS); - } - - Session getObjSession() throws PKCS11Exception { - Session session = objSessions.poll(); - if (session != null) { - return ensureValid(session); - } - session = opSessions.poll(); - if (session != null) { - return ensureValid(session); - } - session = openSession(); - return ensureValid(session); - } - - Session getOpSession() throws PKCS11Exception { - Session session = opSessions.poll(); - if (session != null) { - return ensureValid(session); - } - // create a new session rather than re-using an obj session - // that avoids potential expensive cancels() for Signatures & RSACipher - if (maxSessions == Integer.MAX_VALUE || - activeSessions.get() < maxSessions) { - session = openSession(); - return ensureValid(session); - } - session = objSessions.poll(); - if (session != null) { - return ensureValid(session); - } - throw new ProviderException("Could not obtain session"); - } - - private Session ensureValid(Session session) { - session.id(); - return session; - } - - Session killSession(Session session) { - if ((session == null) || (token.isValid() == false)) { - return null; - } - if (debug != null) { - String location = new Exception().getStackTrace()[2].toString(); - System.out.println("Killing session (" + location + ") active: " - + activeSessions.get()); - } - closeSession(session); - return null; - } - - Session releaseSession(Session session) { - if ((session == null) || (token.isValid() == false)) { - return null; - } - - if (session.hasObjects()) { - objSessions.release(session); - } else { - opSessions.release(session); - } - return null; - } - - void demoteObjSession(Session session) { - if (token.isValid() == false) { - return; - } - if (debug != null) { - System.out.println("Demoting session, active: " + - activeSessions.get()); - } - boolean present = objSessions.remove(session); - if (present == false) { - // session is currently in use - // will be added to correct pool on release, nothing to do now - return; - } - opSessions.release(session); - } - - private Session openSession() throws PKCS11Exception { - if ((maxSessions != Integer.MAX_VALUE) && - (activeSessions.get() >= maxSessions)) { - throw new ProviderException("No more sessions available"); - } - - long id = token.p11.C_OpenSession - (token.provider.slotID, openSessionFlags, null, null); - Session session = new Session(token, id); - activeSessions.incrementAndGet(); - if (debug != null) { - synchronized(maxActiveSessionsLock) { - if (activeSessions.get() > maxActiveSessions) { - maxActiveSessions = activeSessions.get(); - if (maxActiveSessions % 10 == 0) { - System.out.println("Open sessions: " + maxActiveSessions); - } - } - } - } - return session; - } - - private void closeSession(Session session) { - session.close(); - activeSessions.decrementAndGet(); - } - - public static final class Pool { - - private final SessionManager mgr; - private final AbstractQueue pool; - private final int SESSION_MAX = 5; - - // Object session pools can contain unlimited sessions. - // Operation session pools are limited and enforced by the queue. - Pool(SessionManager mgr, boolean obj) { - this.mgr = mgr; - if (obj) { - pool = new LinkedBlockingQueue(); - } else { - pool = new LinkedBlockingQueue(SESSION_MAX); - } - } - - boolean remove(Session session) { - return pool.remove(session); - } - - Session poll() { - return pool.poll(); - } - - void release(Session session) { - // Object session pools never return false, only Operation ones - if (!pool.offer(session)) { - mgr.closeSession(session); - free(); - } - } - - // Free any old operation session if this queue is full - void free() { - int n = SESSION_MAX; - int i = 0; - Session oldestSession; - long time = System.currentTimeMillis(); - // Check if the session head is too old and continue through pool - // until only one is left. - do { - oldestSession = pool.peek(); - if (oldestSession == null || oldestSession.isLive(time) || - !pool.remove(oldestSession)) { - break; - } - - i++; - mgr.closeSession(oldestSession); - } while ((n - i) > 1); - - if (debug != null) { - System.out.println("Closing " + i + " idle sessions, active: " - + mgr.activeSessions); - } - } - - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SessionManager.java 2017-01-20 09:52:40.002288893 -0800 @@ -0,0 +1,296 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.util.*; + +import java.security.ProviderException; + +import sun.security.util.Debug; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +import java.util.concurrent.LinkedBlockingQueue; +import java.util.concurrent.atomic.AtomicInteger; + +/** + * Session manager. There is one session manager object per PKCS#11 + * provider. It allows code to checkout a session, release it + * back to the pool, or force it to be closed. + * + * The session manager pools sessions to minimize the number of + * C_OpenSession() and C_CloseSession() that have to be made. It + * maintains two pools: one for "object" sessions and one for + * "operation" sessions. + * + * The reason for this separation is how PKCS#11 deals with session objects. + * It defines that when a session is closed, all objects created within + * that session are destroyed. In other words, we may never close a session + * while a Key created it in is still in use. We would like to keep the + * number of such sessions low. Note that we occasionally want to explicitly + * close a session, see P11Signature. + * + * NOTE that sessions obtained from this class SHOULD be returned using + * either releaseSession() or closeSession() using a finally block when + * not needed anymore. Otherwise, they will be left for cleanup via the + * PhantomReference mechanism when GC kicks in, but it's best not to rely + * on that since GC may not run timely enough since the native PKCS11 library + * is also consuming memory. + * + * Note that sessions are automatically closed when they are not used for a + * period of time, see Session. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class SessionManager { + + private final static int DEFAULT_MAX_SESSIONS = 32; + + private final static Debug debug = Debug.getInstance("pkcs11"); + + // token instance + private final Token token; + + // maximum number of sessions to open with this token + private final int maxSessions; + + // total number of active sessions + private AtomicInteger activeSessions = new AtomicInteger(); + + // pool of available object sessions + private final Pool objSessions; + + // pool of available operation sessions + private final Pool opSessions; + + // maximum number of active sessions during this invocation, for debugging + private int maxActiveSessions; + private Object maxActiveSessionsLock; + + // flags to use in the C_OpenSession() call + private final long openSessionFlags; + + SessionManager(Token token) { + long n; + if (token.isWriteProtected()) { + openSessionFlags = CKF_SERIAL_SESSION; + n = token.tokenInfo.ulMaxSessionCount; + } else { + openSessionFlags = CKF_SERIAL_SESSION | CKF_RW_SESSION; + n = token.tokenInfo.ulMaxRwSessionCount; + } + if (n == CK_EFFECTIVELY_INFINITE) { + n = Integer.MAX_VALUE; + } else if ((n == CK_UNAVAILABLE_INFORMATION) || (n < 0)) { + // choose an arbitrary concrete value + n = DEFAULT_MAX_SESSIONS; + } + maxSessions = (int)Math.min(n, Integer.MAX_VALUE); + this.token = token; + this.objSessions = new Pool(this, true); + this.opSessions = new Pool(this, false); + if (debug != null) { + maxActiveSessionsLock = new Object(); + } + } + + // returns whether only a fairly low number of sessions are + // supported by this token. + boolean lowMaxSessions() { + return (maxSessions <= DEFAULT_MAX_SESSIONS); + } + + Session getObjSession() throws PKCS11Exception { + Session session = objSessions.poll(); + if (session != null) { + return ensureValid(session); + } + session = opSessions.poll(); + if (session != null) { + return ensureValid(session); + } + session = openSession(); + return ensureValid(session); + } + + Session getOpSession() throws PKCS11Exception { + Session session = opSessions.poll(); + if (session != null) { + return ensureValid(session); + } + // create a new session rather than re-using an obj session + // that avoids potential expensive cancels() for Signatures & RSACipher + if (maxSessions == Integer.MAX_VALUE || + activeSessions.get() < maxSessions) { + session = openSession(); + return ensureValid(session); + } + session = objSessions.poll(); + if (session != null) { + return ensureValid(session); + } + throw new ProviderException("Could not obtain session"); + } + + private Session ensureValid(Session session) { + session.id(); + return session; + } + + Session killSession(Session session) { + if ((session == null) || (token.isValid() == false)) { + return null; + } + if (debug != null) { + String location = new Exception().getStackTrace()[2].toString(); + System.out.println("Killing session (" + location + ") active: " + + activeSessions.get()); + } + closeSession(session); + return null; + } + + Session releaseSession(Session session) { + if ((session == null) || (token.isValid() == false)) { + return null; + } + + if (session.hasObjects()) { + objSessions.release(session); + } else { + opSessions.release(session); + } + return null; + } + + void demoteObjSession(Session session) { + if (token.isValid() == false) { + return; + } + if (debug != null) { + System.out.println("Demoting session, active: " + + activeSessions.get()); + } + boolean present = objSessions.remove(session); + if (present == false) { + // session is currently in use + // will be added to correct pool on release, nothing to do now + return; + } + opSessions.release(session); + } + + private Session openSession() throws PKCS11Exception { + if ((maxSessions != Integer.MAX_VALUE) && + (activeSessions.get() >= maxSessions)) { + throw new ProviderException("No more sessions available"); + } + + long id = token.p11.C_OpenSession + (token.provider.slotID, openSessionFlags, null, null); + Session session = new Session(token, id); + activeSessions.incrementAndGet(); + if (debug != null) { + synchronized(maxActiveSessionsLock) { + if (activeSessions.get() > maxActiveSessions) { + maxActiveSessions = activeSessions.get(); + if (maxActiveSessions % 10 == 0) { + System.out.println("Open sessions: " + maxActiveSessions); + } + } + } + } + return session; + } + + private void closeSession(Session session) { + session.close(); + activeSessions.decrementAndGet(); + } + + public static final class Pool { + + private final SessionManager mgr; + private final AbstractQueue pool; + private final int SESSION_MAX = 5; + + // Object session pools can contain unlimited sessions. + // Operation session pools are limited and enforced by the queue. + Pool(SessionManager mgr, boolean obj) { + this.mgr = mgr; + if (obj) { + pool = new LinkedBlockingQueue(); + } else { + pool = new LinkedBlockingQueue(SESSION_MAX); + } + } + + boolean remove(Session session) { + return pool.remove(session); + } + + Session poll() { + return pool.poll(); + } + + void release(Session session) { + // Object session pools never return false, only Operation ones + if (!pool.offer(session)) { + mgr.closeSession(session); + free(); + } + } + + // Free any old operation session if this queue is full + void free() { + int n = SESSION_MAX; + int i = 0; + Session oldestSession; + long time = System.currentTimeMillis(); + // Check if the session head is too old and continue through pool + // until only one is left. + do { + oldestSession = pool.peek(); + if (oldestSession == null || oldestSession.isLive(time) || + !pool.remove(oldestSession)) { + break; + } + + i++; + mgr.closeSession(oldestSession); + } while ((n - i) > 1); + + if (debug != null) { + System.out.println("Closing " + i + " idle sessions, active: " + + mgr.activeSessions); + } + } + + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/SunPKCS11.java 2017-01-20 09:52:40.590288871 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,1506 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.io.*; -import java.util.*; - -import java.security.*; -import java.security.interfaces.*; - -import javax.crypto.interfaces.*; - -import javax.security.auth.Subject; -import javax.security.auth.login.LoginException; -import javax.security.auth.login.FailedLoginException; -import javax.security.auth.callback.Callback; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.callback.ConfirmationCallback; -import javax.security.auth.callback.PasswordCallback; -import javax.security.auth.callback.TextOutputCallback; - -import sun.security.util.Debug; -import sun.security.util.ResourcesMgr; -import static sun.security.util.SecurityConstants.PROVIDER_VER; - -import sun.security.pkcs11.Secmod.*; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * PKCS#11 provider main class. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -public final class SunPKCS11 extends AuthProvider { - - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); - - // the PKCS11 object through which we make the native calls - final PKCS11 p11; - - // configuration information - final Config config; - - // id of the PKCS#11 slot we are using - final long slotID; - - private CallbackHandler pHandler; - private final Object LOCK_HANDLER = new Object(); - - final boolean removable; - - final Module nssModule; - - final boolean nssUseSecmodTrust; - - private volatile Token token; - - private TokenPoller poller; - - Token getToken() { - return token; - } - - public SunPKCS11() { - super("SunPKCS11", PROVIDER_VER, - "Unconfigured and unusable PKCS11 provider"); - p11 = null; - config = null; - slotID = 0; - pHandler = null; - removable = false; - nssModule = null; - nssUseSecmodTrust = false; - token = null; - poller = null; - } - - @Override - public Provider configure(String configArg) throws InvalidParameterException { - final String newConfigName = checkNull(configArg); - try { - return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { - @Override - public SunPKCS11 run() throws Exception { - return new SunPKCS11(new Config(newConfigName)); - } - }); - } catch (PrivilegedActionException pae) { - InvalidParameterException ipe = - new InvalidParameterException("Error configuring SunPKCS11 provider"); - throw (InvalidParameterException) ipe.initCause(pae.getException()); - } - } - - @Override - public boolean isConfigured() { - return (config != null); - } - - private static T checkNull(T obj) { - if (obj == null) { - throw new NullPointerException(); - } - return obj; - } - - // Used by Secmod - SunPKCS11(Config c) { - super("SunPKCS11-" + c.getName(), PROVIDER_VER, c.getDescription()); - this.config = c; - - if (debug != null) { - System.out.println("SunPKCS11 loading " + config.getFileName()); - } - - String library = config.getLibrary(); - String functionList = config.getFunctionList(); - long slotID = config.getSlotID(); - int slotListIndex = config.getSlotListIndex(); - - boolean useSecmod = config.getNssUseSecmod(); - boolean nssUseSecmodTrust = config.getNssUseSecmodTrust(); - Module nssModule = null; - - // - // Initialization via Secmod. The way this works is as follows: - // SunPKCS11 is either in normal mode or in NSS Secmod mode. - // Secmod is activated by specifying one or more of the following - // options in the config file: - // nssUseSecmod, nssSecmodDirectory, nssLibrary, nssModule - // - // XXX add more explanation here - // - // If we are in Secmod mode and configured to use either the - // nssKeyStore or the nssTrustAnchors module, we automatically - // switch to using the NSS trust attributes for trusted certs - // (KeyStore). - // - - if (useSecmod) { - // note: Config ensures library/slot/slotListIndex not specified - // in secmod mode. - Secmod secmod = Secmod.getInstance(); - DbMode nssDbMode = config.getNssDbMode(); - try { - String nssLibraryDirectory = config.getNssLibraryDirectory(); - String nssSecmodDirectory = config.getNssSecmodDirectory(); - boolean nssOptimizeSpace = config.getNssOptimizeSpace(); - - if (secmod.isInitialized()) { - if (nssSecmodDirectory != null) { - String s = secmod.getConfigDir(); - if ((s != null) && - (s.equals(nssSecmodDirectory) == false)) { - throw new ProviderException("Secmod directory " - + nssSecmodDirectory - + " invalid, NSS already initialized with " - + s); - } - } - if (nssLibraryDirectory != null) { - String s = secmod.getLibDir(); - if ((s != null) && - (s.equals(nssLibraryDirectory) == false)) { - throw new ProviderException("NSS library directory " - + nssLibraryDirectory - + " invalid, NSS already initialized with " - + s); - } - } - } else { - if (nssDbMode != DbMode.NO_DB) { - if (nssSecmodDirectory == null) { - throw new ProviderException( - "Secmod not initialized and " - + "nssSecmodDirectory not specified"); - } - } else { - if (nssSecmodDirectory != null) { - throw new ProviderException( - "nssSecmodDirectory must not be " - + "specified in noDb mode"); - } - } - secmod.initialize(nssDbMode, nssSecmodDirectory, - nssLibraryDirectory, nssOptimizeSpace); - } - } catch (IOException e) { - // XXX which exception to throw - throw new ProviderException("Could not initialize NSS", e); - } - List modules = secmod.getModules(); - if (config.getShowInfo()) { - System.out.println("NSS modules: " + modules); - } - - String moduleName = config.getNssModule(); - if (moduleName == null) { - nssModule = secmod.getModule(ModuleType.FIPS); - if (nssModule != null) { - moduleName = "fips"; - } else { - moduleName = (nssDbMode == DbMode.NO_DB) ? - "crypto" : "keystore"; - } - } - if (moduleName.equals("fips")) { - nssModule = secmod.getModule(ModuleType.FIPS); - nssUseSecmodTrust = true; - functionList = "FC_GetFunctionList"; - } else if (moduleName.equals("keystore")) { - nssModule = secmod.getModule(ModuleType.KEYSTORE); - nssUseSecmodTrust = true; - } else if (moduleName.equals("crypto")) { - nssModule = secmod.getModule(ModuleType.CRYPTO); - } else if (moduleName.equals("trustanchors")) { - // XXX should the option be called trustanchor or trustanchors?? - nssModule = secmod.getModule(ModuleType.TRUSTANCHOR); - nssUseSecmodTrust = true; - } else if (moduleName.startsWith("external-")) { - int moduleIndex; - try { - moduleIndex = Integer.parseInt - (moduleName.substring("external-".length())); - } catch (NumberFormatException e) { - moduleIndex = -1; - } - if (moduleIndex < 1) { - throw new ProviderException - ("Invalid external module: " + moduleName); - } - int k = 0; - for (Module module : modules) { - if (module.getType() == ModuleType.EXTERNAL) { - if (++k == moduleIndex) { - nssModule = module; - break; - } - } - } - if (nssModule == null) { - throw new ProviderException("Invalid module " + moduleName - + ": only " + k + " external NSS modules available"); - } - } else { - throw new ProviderException( - "Unknown NSS module: " + moduleName); - } - if (nssModule == null) { - throw new ProviderException( - "NSS module not available: " + moduleName); - } - if (nssModule.hasInitializedProvider()) { - throw new ProviderException("Secmod module already configured"); - } - library = nssModule.libraryName; - slotListIndex = nssModule.slot; - } - this.nssUseSecmodTrust = nssUseSecmodTrust; - this.nssModule = nssModule; - - File libraryFile = new File(library); - // if the filename is a simple filename without path - // (e.g. "libpkcs11.so"), it may refer to a library somewhere on the - // OS library search path. Omit the test for file existance as that - // only looks in the current directory. - if (libraryFile.getName().equals(library) == false) { - if (new File(library).isFile() == false) { - String msg = "Library " + library + " does not exist"; - if (config.getHandleStartupErrors() == Config.ERR_HALT) { - throw new ProviderException(msg); - } else { - throw new UnsupportedOperationException(msg); - } - } - } - - try { - if (debug != null) { - debug.println("Initializing PKCS#11 library " + library); - } - CK_C_INITIALIZE_ARGS initArgs = new CK_C_INITIALIZE_ARGS(); - String nssArgs = config.getNssArgs(); - if (nssArgs != null) { - initArgs.pReserved = nssArgs; - } - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; - try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, - config.getOmitInitialize()); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); - } - if (config.getAllowSingleThreadedModules() == false) { - throw e; - } - // fall back to single threaded access - if (nssArgs == null) { - // if possible, use null initArgs for better compatibility - initArgs = null; - } else { - initArgs.flags = 0; - } - tmpPKCS11 = PKCS11.getInstance(library, - functionList, initArgs, config.getOmitInitialize()); - } - p11 = tmpPKCS11; - - CK_INFO p11Info = p11.C_GetInfo(); - if (p11Info.cryptokiVersion.major < 2) { - throw new ProviderException("Only PKCS#11 v2.0 and later " - + "supported, library version is v" + p11Info.cryptokiVersion); - } - boolean showInfo = config.getShowInfo(); - if (showInfo) { - System.out.println("Information for provider " + getName()); - System.out.println("Library info:"); - System.out.println(p11Info); - } - - if ((slotID < 0) || showInfo) { - long[] slots = p11.C_GetSlotList(false); - if (showInfo) { - System.out.println("All slots: " + toString(slots)); - slots = p11.C_GetSlotList(true); - System.out.println("Slots with tokens: " + toString(slots)); - } - if (slotID < 0) { - if ((slotListIndex < 0) - || (slotListIndex >= slots.length)) { - throw new ProviderException("slotListIndex is " - + slotListIndex - + " but token only has " + slots.length + " slots"); - } - slotID = slots[slotListIndex]; - } - } - this.slotID = slotID; - CK_SLOT_INFO slotInfo = p11.C_GetSlotInfo(slotID); - removable = (slotInfo.flags & CKF_REMOVABLE_DEVICE) != 0; - initToken(slotInfo); - if (nssModule != null) { - nssModule.setProvider(this); - } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException - ("Initialization failed", e); - } else { - throw new ProviderException - ("Initialization failed", e); - } - } - } - - private static String toString(long[] longs) { - if (longs.length == 0) { - return "(none)"; - } - StringBuilder sb = new StringBuilder(); - sb.append(longs[0]); - for (int i = 1; i < longs.length; i++) { - sb.append(", "); - sb.append(longs[i]); - } - return sb.toString(); - } - - public boolean equals(Object obj) { - return this == obj; - } - - public int hashCode() { - return System.identityHashCode(this); - } - - private static String[] s(String ...aliases) { - return aliases; - } - - private static final class Descriptor { - final String type; - final String algorithm; - final String className; - final String[] aliases; - final int[] mechanisms; - - private Descriptor(String type, String algorithm, String className, - String[] aliases, int[] mechanisms) { - this.type = type; - this.algorithm = algorithm; - this.className = className; - this.aliases = aliases; - this.mechanisms = mechanisms; - } - private P11Service service(Token token, int mechanism) { - return new P11Service - (token, type, algorithm, className, aliases, mechanism); - } - public String toString() { - return type + "." + algorithm; - } - } - - // Map from mechanism to List of Descriptors that should be - // registered if the mechanism is supported - private final static Map> descriptors = - new HashMap>(); - - private static int[] m(long m1) { - return new int[] {(int)m1}; - } - - private static int[] m(long m1, long m2) { - return new int[] {(int)m1, (int)m2}; - } - - private static int[] m(long m1, long m2, long m3) { - return new int[] {(int)m1, (int)m2, (int)m3}; - } - - private static int[] m(long m1, long m2, long m3, long m4) { - return new int[] {(int)m1, (int)m2, (int)m3, (int)m4}; - } - - private static void d(String type, String algorithm, String className, - int[] m) { - register(new Descriptor(type, algorithm, className, null, m)); - } - - private static void d(String type, String algorithm, String className, - String[] aliases, int[] m) { - register(new Descriptor(type, algorithm, className, aliases, m)); - } - - private static void register(Descriptor d) { - for (int i = 0; i < d.mechanisms.length; i++) { - int m = d.mechanisms[i]; - Integer key = Integer.valueOf(m); - List list = descriptors.get(key); - if (list == null) { - list = new ArrayList(); - descriptors.put(key, list); - } - list.add(d); - } - } - - private final static String MD = "MessageDigest"; - - private final static String SIG = "Signature"; - - private final static String KPG = "KeyPairGenerator"; - - private final static String KG = "KeyGenerator"; - - private final static String AGP = "AlgorithmParameters"; - - private final static String KF = "KeyFactory"; - - private final static String SKF = "SecretKeyFactory"; - - private final static String CIP = "Cipher"; - - private final static String MAC = "Mac"; - - private final static String KA = "KeyAgreement"; - - private final static String KS = "KeyStore"; - - private final static String SR = "SecureRandom"; - - static { - // names of all the implementation classes - // use local variables, only used here - String P11Digest = "sun.security.pkcs11.P11Digest"; - String P11MAC = "sun.security.pkcs11.P11MAC"; - String P11KeyPairGenerator = "sun.security.pkcs11.P11KeyPairGenerator"; - String P11KeyGenerator = "sun.security.pkcs11.P11KeyGenerator"; - String P11RSAKeyFactory = "sun.security.pkcs11.P11RSAKeyFactory"; - String P11DSAKeyFactory = "sun.security.pkcs11.P11DSAKeyFactory"; - String P11DHKeyFactory = "sun.security.pkcs11.P11DHKeyFactory"; - String P11KeyAgreement = "sun.security.pkcs11.P11KeyAgreement"; - String P11SecretKeyFactory = "sun.security.pkcs11.P11SecretKeyFactory"; - String P11Cipher = "sun.security.pkcs11.P11Cipher"; - String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; - String P11Signature = "sun.security.pkcs11.P11Signature"; - - // XXX register all aliases - - d(MD, "MD2", P11Digest, - m(CKM_MD2)); - d(MD, "MD5", P11Digest, - m(CKM_MD5)); - d(MD, "SHA1", P11Digest, - s("SHA", "SHA-1", "1.3.14.3.2.26", "OID.1.3.14.3.2.26"), - m(CKM_SHA_1)); - - d(MD, "SHA-224", P11Digest, - s("2.16.840.1.101.3.4.2.4", "OID.2.16.840.1.101.3.4.2.4"), - m(CKM_SHA224)); - d(MD, "SHA-256", P11Digest, - s("2.16.840.1.101.3.4.2.1", "OID.2.16.840.1.101.3.4.2.1"), - m(CKM_SHA256)); - d(MD, "SHA-384", P11Digest, - s("2.16.840.1.101.3.4.2.2", "OID.2.16.840.1.101.3.4.2.2"), - m(CKM_SHA384)); - d(MD, "SHA-512", P11Digest, - s("2.16.840.1.101.3.4.2.3", "OID.2.16.840.1.101.3.4.2.3"), - m(CKM_SHA512)); - - d(MAC, "HmacMD5", P11MAC, - m(CKM_MD5_HMAC)); - d(MAC, "HmacSHA1", P11MAC, - s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"), - m(CKM_SHA_1_HMAC)); - d(MAC, "HmacSHA224", P11MAC, - s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"), - m(CKM_SHA224_HMAC)); - d(MAC, "HmacSHA256", P11MAC, - s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"), - m(CKM_SHA256_HMAC)); - d(MAC, "HmacSHA384", P11MAC, - s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"), - m(CKM_SHA384_HMAC)); - d(MAC, "HmacSHA512", P11MAC, - s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"), - m(CKM_SHA512_HMAC)); - d(MAC, "SslMacMD5", P11MAC, - m(CKM_SSL3_MD5_MAC)); - d(MAC, "SslMacSHA1", P11MAC, - m(CKM_SSL3_SHA1_MAC)); - - d(KPG, "RSA", P11KeyPairGenerator, - m(CKM_RSA_PKCS_KEY_PAIR_GEN)); - d(KPG, "DSA", P11KeyPairGenerator, - s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"), - m(CKM_DSA_KEY_PAIR_GEN)); - d(KPG, "DH", P11KeyPairGenerator, s("DiffieHellman"), - m(CKM_DH_PKCS_KEY_PAIR_GEN)); - d(KPG, "EC", P11KeyPairGenerator, - m(CKM_EC_KEY_PAIR_GEN)); - - d(KG, "ARCFOUR", P11KeyGenerator, s("RC4"), - m(CKM_RC4_KEY_GEN)); - d(KG, "DES", P11KeyGenerator, - m(CKM_DES_KEY_GEN)); - d(KG, "DESede", P11KeyGenerator, - m(CKM_DES3_KEY_GEN, CKM_DES2_KEY_GEN)); - d(KG, "AES", P11KeyGenerator, - m(CKM_AES_KEY_GEN)); - d(KG, "Blowfish", P11KeyGenerator, - m(CKM_BLOWFISH_KEY_GEN)); - - // register (Secret)KeyFactories if there are any mechanisms - // for a particular algorithm that we support - d(KF, "RSA", P11RSAKeyFactory, - m(CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(KF, "DSA", P11DSAKeyFactory, - s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"), - m(CKM_DSA_KEY_PAIR_GEN, CKM_DSA, CKM_DSA_SHA1)); - d(KF, "DH", P11DHKeyFactory, s("DiffieHellman"), - m(CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE)); - d(KF, "EC", P11DHKeyFactory, - m(CKM_EC_KEY_PAIR_GEN, CKM_ECDH1_DERIVE, - CKM_ECDSA, CKM_ECDSA_SHA1)); - - // AlgorithmParameters for EC. - // Only needed until we have an EC implementation in the SUN provider. - d(AGP, "EC", "sun.security.util.ECParameters", - s("1.2.840.10045.2.1"), - m(CKM_EC_KEY_PAIR_GEN, CKM_ECDH1_DERIVE, - CKM_ECDSA, CKM_ECDSA_SHA1)); - - d(KA, "DH", P11KeyAgreement, s("DiffieHellman"), - m(CKM_DH_PKCS_DERIVE)); - d(KA, "ECDH", "sun.security.pkcs11.P11ECDHKeyAgreement", - m(CKM_ECDH1_DERIVE)); - - d(SKF, "ARCFOUR", P11SecretKeyFactory, s("RC4"), - m(CKM_RC4)); - d(SKF, "DES", P11SecretKeyFactory, - m(CKM_DES_CBC)); - d(SKF, "DESede", P11SecretKeyFactory, - m(CKM_DES3_CBC)); - d(SKF, "AES", P11SecretKeyFactory, - s("2.16.840.1.101.3.4.1", "OID.2.16.840.1.101.3.4.1"), - m(CKM_AES_CBC)); - d(SKF, "Blowfish", P11SecretKeyFactory, - m(CKM_BLOWFISH_CBC)); - - // XXX attributes for Ciphers (supported modes, padding) - d(CIP, "ARCFOUR", P11Cipher, s("RC4"), - m(CKM_RC4)); - d(CIP, "DES/CBC/NoPadding", P11Cipher, - m(CKM_DES_CBC)); - d(CIP, "DES/CBC/PKCS5Padding", P11Cipher, - m(CKM_DES_CBC_PAD, CKM_DES_CBC)); - d(CIP, "DES/ECB/NoPadding", P11Cipher, - m(CKM_DES_ECB)); - d(CIP, "DES/ECB/PKCS5Padding", P11Cipher, s("DES"), - m(CKM_DES_ECB)); - - d(CIP, "DESede/CBC/NoPadding", P11Cipher, - m(CKM_DES3_CBC)); - d(CIP, "DESede/CBC/PKCS5Padding", P11Cipher, - m(CKM_DES3_CBC_PAD, CKM_DES3_CBC)); - d(CIP, "DESede/ECB/NoPadding", P11Cipher, - m(CKM_DES3_ECB)); - d(CIP, "DESede/ECB/PKCS5Padding", P11Cipher, s("DESede"), - m(CKM_DES3_ECB)); - d(CIP, "AES/CBC/NoPadding", P11Cipher, - m(CKM_AES_CBC)); - d(CIP, "AES_128/CBC/NoPadding", P11Cipher, - s("2.16.840.1.101.3.4.1.2", "OID.2.16.840.1.101.3.4.1.2"), - m(CKM_AES_CBC)); - d(CIP, "AES_192/CBC/NoPadding", P11Cipher, - s("2.16.840.1.101.3.4.1.22", "OID.2.16.840.1.101.3.4.1.22"), - m(CKM_AES_CBC)); - d(CIP, "AES_256/CBC/NoPadding", P11Cipher, - s("2.16.840.1.101.3.4.1.42", "OID.2.16.840.1.101.3.4.1.42"), - m(CKM_AES_CBC)); - d(CIP, "AES/CBC/PKCS5Padding", P11Cipher, - m(CKM_AES_CBC_PAD, CKM_AES_CBC)); - d(CIP, "AES/ECB/NoPadding", P11Cipher, - m(CKM_AES_ECB)); - d(CIP, "AES_128/ECB/NoPadding", P11Cipher, - s("2.16.840.1.101.3.4.1.1", "OID.2.16.840.1.101.3.4.1.1"), - m(CKM_AES_ECB)); - d(CIP, "AES_192/ECB/NoPadding", P11Cipher, - s("2.16.840.1.101.3.4.1.21", "OID.2.16.840.1.101.3.4.1.21"), - m(CKM_AES_ECB)); - d(CIP, "AES_256/ECB/NoPadding", P11Cipher, - s("2.16.840.1.101.3.4.1.41", "OID.2.16.840.1.101.3.4.1.41"), - m(CKM_AES_ECB)); - d(CIP, "AES/ECB/PKCS5Padding", P11Cipher, s("AES"), - m(CKM_AES_ECB)); - d(CIP, "AES/CTR/NoPadding", P11Cipher, - m(CKM_AES_CTR)); - d(CIP, "Blowfish/CBC/NoPadding", P11Cipher, - m(CKM_BLOWFISH_CBC)); - d(CIP, "Blowfish/CBC/PKCS5Padding", P11Cipher, - m(CKM_BLOWFISH_CBC)); - - // XXX RSA_X_509, RSA_OAEP not yet supported - d(CIP, "RSA/ECB/PKCS1Padding", P11RSACipher, s("RSA"), - m(CKM_RSA_PKCS)); - d(CIP, "RSA/ECB/NoPadding", P11RSACipher, - m(CKM_RSA_X_509)); - - d(SIG, "RawDSA", P11Signature, s("NONEwithDSA"), - m(CKM_DSA)); - d(SIG, "DSA", P11Signature, - s("SHA1withDSA", "1.3.14.3.2.13", "1.3.14.3.2.27", - "1.2.840.10040.4.3", "OID.1.2.840.10040.4.3"), - m(CKM_DSA_SHA1, CKM_DSA)); - d(SIG, "RawDSAinP1363Format", P11Signature, - s("NONEwithDSAinP1363Format"), - m(CKM_DSA)); - d(SIG, "DSAinP1363Format", P11Signature, - s("SHA1withDSAinP1363Format"), - m(CKM_DSA_SHA1, CKM_DSA)); - d(SIG, "NONEwithECDSA", P11Signature, - m(CKM_ECDSA)); - d(SIG, "SHA1withECDSA", P11Signature, - s("ECDSA", "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1"), - m(CKM_ECDSA_SHA1, CKM_ECDSA)); - d(SIG, "SHA224withECDSA", P11Signature, - s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"), - m(CKM_ECDSA)); - d(SIG, "SHA256withECDSA", P11Signature, - s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"), - m(CKM_ECDSA)); - d(SIG, "SHA384withECDSA", P11Signature, - s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"), - m(CKM_ECDSA)); - d(SIG, "SHA512withECDSA", P11Signature, - s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"), - m(CKM_ECDSA)); - d(SIG, "NONEwithECDSAinP1363Format", P11Signature, - m(CKM_ECDSA)); - d(SIG, "SHA1withECDSAinP1363Format", P11Signature, - m(CKM_ECDSA_SHA1, CKM_ECDSA)); - d(SIG, "SHA224withECDSAinP1363Format", P11Signature, - m(CKM_ECDSA)); - d(SIG, "SHA256withECDSAinP1363Format", P11Signature, - m(CKM_ECDSA)); - d(SIG, "SHA384withECDSAinP1363Format", P11Signature, - m(CKM_ECDSA)); - d(SIG, "SHA512withECDSAinP1363Format", P11Signature, - m(CKM_ECDSA)); - d(SIG, "MD2withRSA", P11Signature, - s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"), - m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "MD5withRSA", P11Signature, - s("1.2.840.113549.1.1.4", "OID.1.2.840.113549.1.1.4"), - m(CKM_MD5_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA1withRSA", P11Signature, - s("1.2.840.113549.1.1.5", "OID.1.2.840.113549.1.1.5", - "1.3.14.3.2.29"), - m(CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA224withRSA", P11Signature, - s("1.2.840.113549.1.1.14", "OID.1.2.840.113549.1.1.14"), - m(CKM_SHA224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA256withRSA", P11Signature, - s("1.2.840.113549.1.1.11", "OID.1.2.840.113549.1.1.11"), - m(CKM_SHA256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA384withRSA", P11Signature, - s("1.2.840.113549.1.1.12", "OID.1.2.840.113549.1.1.12"), - m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA512withRSA", P11Signature, - s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"), - m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - - /* - * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the - * PRF calculations. As of 2010, there is no PKCS11-level - * support for TLS 1.2 PRF calculations, and no known OS's have - * an internal variant we could use. Therefore for TLS 1.2, we - * are updating JSSE to request different provider algorithms - * (e.g. "SunTls12Prf"), and currently only SunJCE has these - * TLS 1.2 algorithms. - * - * If we reused the names such as "SunTlsPrf", the PKCS11 - * providers would need be updated to fail correctly when - * presented with the wrong version number (via - * Provider.Service.supportsParameters()), and we would also - * need to add the appropriate supportsParamters() checks into - * KeyGenerators (not currently there). - * - * In the future, if PKCS11 support is added, we will restructure - * this. - */ - d(KG, "SunTlsRsaPremasterSecret", - "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator", - m(CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN)); - d(KG, "SunTlsMasterSecret", - "sun.security.pkcs11.P11TlsMasterSecretGenerator", - m(CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE, - CKM_SSL3_MASTER_KEY_DERIVE_DH, - CKM_TLS_MASTER_KEY_DERIVE_DH)); - d(KG, "SunTlsKeyMaterial", - "sun.security.pkcs11.P11TlsKeyMaterialGenerator", - m(CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE)); - d(KG, "SunTlsPrf", "sun.security.pkcs11.P11TlsPrfGenerator", - m(CKM_TLS_PRF, CKM_NSS_TLS_PRF_GENERAL)); - } - - // background thread that periodically checks for token insertion - // if no token is present. We need to do that in a separate thread because - // the insertion check may block for quite a long time on some tokens. - private static class TokenPoller implements Runnable { - private final SunPKCS11 provider; - private volatile boolean enabled; - private TokenPoller(SunPKCS11 provider) { - this.provider = provider; - enabled = true; - } - public void run() { - int interval = provider.config.getInsertionCheckInterval(); - while (enabled) { - try { - Thread.sleep(interval); - } catch (InterruptedException e) { - break; - } - if (enabled == false) { - break; - } - try { - provider.initToken(null); - } catch (PKCS11Exception e) { - // ignore - } - } - } - void disable() { - enabled = false; - } - } - - // create the poller thread, if not already active - private void createPoller() { - if (poller != null) { - return; - } - final TokenPoller poller = new TokenPoller(this); - Thread t = new Thread(null, poller, "Poller " + getName(), 0, false); - t.setContextClassLoader(null); - t.setDaemon(true); - t.setPriority(Thread.MIN_PRIORITY); - t.start(); - this.poller = poller; - } - - // destroy the poller thread, if active - private void destroyPoller() { - if (poller != null) { - poller.disable(); - poller = null; - } - } - - private boolean hasValidToken() { - /* Commented out to work with Solaris softtoken impl which - returns 0-value flags, e.g. both REMOVABLE_DEVICE and - TOKEN_PRESENT are false, when it can't access the token. - if (removable == false) { - return true; - } - */ - Token token = this.token; - return (token != null) && token.isValid(); - } - - // destroy the token. Called if we detect that it has been removed - synchronized void uninitToken(Token token) { - if (this.token != token) { - // mismatch, our token must already be destroyed - return; - } - destroyPoller(); - this.token = null; - // unregister all algorithms - AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - clear(); - return null; - } - }); - createPoller(); - } - - // test if a token is present and initialize this provider for it if so. - // does nothing if no token is found - // called from constructor and by poller - private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception { - if (slotInfo == null) { - slotInfo = p11.C_GetSlotInfo(slotID); - } - if (removable && (slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { - createPoller(); - return; - } - destroyPoller(); - boolean showInfo = config.getShowInfo(); - if (showInfo) { - System.out.println("Slot info for slot " + slotID + ":"); - System.out.println(slotInfo); - } - final Token token = new Token(this); - if (showInfo) { - System.out.println - ("Token info for token in slot " + slotID + ":"); - System.out.println(token.tokenInfo); - } - long[] supportedMechanisms = p11.C_GetMechanismList(slotID); - - // Create a map from the various Descriptors to the "most - // preferred" mechanism that was defined during the - // static initialization. For example, DES/CBC/PKCS5Padding - // could be mapped to CKM_DES_CBC_PAD or CKM_DES_CBC. Prefer - // the earliest entry. When asked for "DES/CBC/PKCS5Padding", we - // return a CKM_DES_CBC_PAD. - final Map supportedAlgs = - new HashMap(); - for (int i = 0; i < supportedMechanisms.length; i++) { - long longMech = supportedMechanisms[i]; - boolean isEnabled = config.isEnabled(longMech); - if (showInfo) { - CK_MECHANISM_INFO mechInfo = - p11.C_GetMechanismInfo(slotID, longMech); - System.out.println("Mechanism " + - Functions.getMechanismName(longMech) + ":"); - if (isEnabled == false) { - System.out.println("DISABLED in configuration"); - } - System.out.println(mechInfo); - } - if (isEnabled == false) { - continue; - } - // we do not know of mechs with the upper 32 bits set - if (longMech >>> 32 != 0) { - continue; - } - int mech = (int)longMech; - Integer integerMech = Integer.valueOf(mech); - List ds = descriptors.get(integerMech); - if (ds == null) { - continue; - } - for (Descriptor d : ds) { - Integer oldMech = supportedAlgs.get(d); - if (oldMech == null) { - supportedAlgs.put(d, integerMech); - continue; - } - // See if there is something "more preferred" - // than what we currently have in the supportedAlgs - // map. - int intOldMech = oldMech.intValue(); - for (int j = 0; j < d.mechanisms.length; j++) { - int nextMech = d.mechanisms[j]; - if (mech == nextMech) { - supportedAlgs.put(d, integerMech); - break; - } else if (intOldMech == nextMech) { - break; - } - } - } - - } - - // register algorithms in provider - AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - for (Map.Entry entry - : supportedAlgs.entrySet()) { - Descriptor d = entry.getKey(); - int mechanism = entry.getValue().intValue(); - Service s = d.service(token, mechanism); - putService(s); - } - if (((token.tokenInfo.flags & CKF_RNG) != 0) - && config.isEnabled(PCKM_SECURERANDOM) - && !token.sessionManager.lowMaxSessions()) { - // do not register SecureRandom if the token does - // not support many sessions. if we did, we might - // run out of sessions in the middle of a - // nextBytes() call where we cannot fail over. - putService(new P11Service(token, SR, "PKCS11", - "sun.security.pkcs11.P11SecureRandom", null, - PCKM_SECURERANDOM)); - } - if (config.isEnabled(PCKM_KEYSTORE)) { - putService(new P11Service(token, KS, "PKCS11", - "sun.security.pkcs11.P11KeyStore", - s("PKCS11-" + config.getName()), - PCKM_KEYSTORE)); - } - return null; - } - }); - - this.token = token; - } - - private static final class P11Service extends Service { - - private final Token token; - - private final long mechanism; - - P11Service(Token token, String type, String algorithm, - String className, String[] al, long mechanism) { - super(token.provider, type, algorithm, className, toList(al), - type.equals(SR) ? Map.of("ThreadSafe", "true") : null); - this.token = token; - this.mechanism = mechanism & 0xFFFFFFFFL; - } - - private static List toList(String[] aliases) { - return (aliases == null) ? null : Arrays.asList(aliases); - } - - public Object newInstance(Object param) - throws NoSuchAlgorithmException { - if (token.isValid() == false) { - throw new NoSuchAlgorithmException("Token has been removed"); - } - try { - return newInstance0(param); - } catch (PKCS11Exception e) { - throw new NoSuchAlgorithmException(e); - } - } - - public Object newInstance0(Object param) throws - PKCS11Exception, NoSuchAlgorithmException { - String algorithm = getAlgorithm(); - String type = getType(); - if (type == MD) { - return new P11Digest(token, algorithm, mechanism); - } else if (type == CIP) { - if (algorithm.startsWith("RSA")) { - return new P11RSACipher(token, algorithm, mechanism); - } else { - return new P11Cipher(token, algorithm, mechanism); - } - } else if (type == SIG) { - return new P11Signature(token, algorithm, mechanism); - } else if (type == MAC) { - return new P11Mac(token, algorithm, mechanism); - } else if (type == KPG) { - return new P11KeyPairGenerator(token, algorithm, mechanism); - } else if (type == KA) { - if (algorithm.equals("ECDH")) { - return new P11ECDHKeyAgreement(token, algorithm, mechanism); - } else { - return new P11KeyAgreement(token, algorithm, mechanism); - } - } else if (type == KF) { - return token.getKeyFactory(algorithm); - } else if (type == SKF) { - return new P11SecretKeyFactory(token, algorithm); - } else if (type == KG) { - // reference equality - if (algorithm == "SunTlsRsaPremasterSecret") { - return new P11TlsRsaPremasterSecretGenerator( - token, algorithm, mechanism); - } else if (algorithm == "SunTlsMasterSecret") { - return new P11TlsMasterSecretGenerator( - token, algorithm, mechanism); - } else if (algorithm == "SunTlsKeyMaterial") { - return new P11TlsKeyMaterialGenerator( - token, algorithm, mechanism); - } else if (algorithm == "SunTlsPrf") { - return new P11TlsPrfGenerator(token, algorithm, mechanism); - } else { - return new P11KeyGenerator(token, algorithm, mechanism); - } - } else if (type == SR) { - return token.getRandom(); - } else if (type == KS) { - return token.getKeyStore(); - } else if (type == AGP) { - return new sun.security.util.ECParameters(); - } else { - throw new NoSuchAlgorithmException("Unknown type: " + type); - } - } - - public boolean supportsParameter(Object param) { - if ((param == null) || (token.isValid() == false)) { - return false; - } - if (param instanceof Key == false) { - throw new InvalidParameterException("Parameter must be a Key"); - } - String algorithm = getAlgorithm(); - String type = getType(); - Key key = (Key)param; - String keyAlgorithm = key.getAlgorithm(); - // RSA signatures and cipher - if (((type == CIP) && algorithm.startsWith("RSA")) - || (type == SIG) && algorithm.endsWith("RSA")) { - if (keyAlgorithm.equals("RSA") == false) { - return false; - } - return isLocalKey(key) - || (key instanceof RSAPrivateKey) - || (key instanceof RSAPublicKey); - } - // EC - if (((type == KA) && algorithm.equals("ECDH")) - || ((type == SIG) && algorithm.contains("ECDSA"))) { - if (keyAlgorithm.equals("EC") == false) { - return false; - } - return isLocalKey(key) - || (key instanceof ECPrivateKey) - || (key instanceof ECPublicKey); - } - // DSA signatures - if ((type == SIG) && algorithm.contains("DSA") && - !algorithm.contains("ECDSA")) { - if (keyAlgorithm.equals("DSA") == false) { - return false; - } - return isLocalKey(key) - || (key instanceof DSAPrivateKey) - || (key instanceof DSAPublicKey); - } - // MACs and symmetric ciphers - if ((type == CIP) || (type == MAC)) { - // do not check algorithm name, mismatch is unlikely anyway - return isLocalKey(key) || "RAW".equals(key.getFormat()); - } - // DH key agreement - if (type == KA) { - if (keyAlgorithm.equals("DH") == false) { - return false; - } - return isLocalKey(key) - || (key instanceof DHPrivateKey) - || (key instanceof DHPublicKey); - } - // should not reach here, - // unknown engine type or algorithm - throw new AssertionError - ("SunPKCS11 error: " + type + ", " + algorithm); - } - - private boolean isLocalKey(Key key) { - return (key instanceof P11Key) && (((P11Key)key).token == token); - } - - public String toString() { - return super.toString() + - " (" + Functions.getMechanismName(mechanism) + ")"; - } - - } - - /** - * Log in to this provider. - * - *

If the token expects a PIN to be supplied by the caller, - * the handler implementation must support - * a PasswordCallback. - * - *

To determine if the token supports a protected authentication path, - * the CK_TOKEN_INFO flag, CKF_PROTECTED_AUTHENTICATION_PATH, is consulted. - * - * @param subject this parameter is ignored - * @param handler the CallbackHandler used by - * this provider to communicate with the caller - * - * @throws IllegalStateException if the provider requires configuration - * and Provider.configure has not been called - * @throws LoginException if the login operation fails - * @throws SecurityException if the does not pass a security check for - * SecurityPermission("authProvider.name"), - * where name is the value returned by - * this provider's getName method - */ - public void login(Subject subject, CallbackHandler handler) - throws LoginException { - - if (!isConfigured()) { - throw new IllegalStateException("Configuration is required"); - } - - // security check - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - if (debug != null) { - debug.println("checking login permission"); - } - sm.checkPermission(new SecurityPermission - ("authProvider." + this.getName())); - } - - if (hasValidToken() == false) { - throw new LoginException("No token present"); - } - - // see if a login is required - - if ((token.tokenInfo.flags & CKF_LOGIN_REQUIRED) == 0) { - if (debug != null) { - debug.println("login operation not required for token - " + - "ignoring login request"); - } - return; - } - - // see if user already logged in - - try { - if (token.isLoggedInNow(null)) { - // user already logged in - if (debug != null) { - debug.println("user already logged in"); - } - return; - } - } catch (PKCS11Exception e) { - // ignore - fall thru and attempt login - } - - // get the pin if necessary - - char[] pin = null; - if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) { - - // get password - - CallbackHandler myHandler = getCallbackHandler(handler); - if (myHandler == null) { - // XXX PolicyTool is dependent on this message text - throw new LoginException - ("no password provided, and no callback handler " + - "available for retrieving password"); - } - - java.text.MessageFormat form = new java.text.MessageFormat - (ResourcesMgr.getString - ("PKCS11.Token.providerName.Password.")); - Object[] source = { getName() }; - - PasswordCallback pcall = new PasswordCallback(form.format(source), - false); - Callback[] callbacks = { pcall }; - try { - myHandler.handle(callbacks); - } catch (Exception e) { - LoginException le = new LoginException - ("Unable to perform password callback"); - le.initCause(e); - throw le; - } - - pin = pcall.getPassword(); - pcall.clearPassword(); - if (pin == null) { - if (debug != null) { - debug.println("caller passed NULL pin"); - } - } - } - - // perform token login - - Session session = null; - try { - session = token.getOpSession(); - - // pin is NULL if using CKF_PROTECTED_AUTHENTICATION_PATH - p11.C_Login(session.id(), CKU_USER, pin); - if (debug != null) { - debug.println("login succeeded"); - } - } catch (PKCS11Exception pe) { - if (pe.getErrorCode() == CKR_USER_ALREADY_LOGGED_IN) { - // let this one go - if (debug != null) { - debug.println("user already logged in"); - } - return; - } else if (pe.getErrorCode() == CKR_PIN_INCORRECT) { - FailedLoginException fle = new FailedLoginException(); - fle.initCause(pe); - throw fle; - } else { - LoginException le = new LoginException(); - le.initCause(pe); - throw le; - } - } finally { - token.releaseSession(session); - if (pin != null) { - Arrays.fill(pin, ' '); - } - } - - // we do not store the PIN in the subject for now - } - - /** - * Log out from this provider - * - * @throws IllegalStateException if the provider requires configuration - * and Provider.configure has not been called - * @throws LoginException if the logout operation fails - * @throws SecurityException if the does not pass a security check for - * SecurityPermission("authProvider.name"), - * where name is the value returned by - * this provider's getName method - */ - public void logout() throws LoginException { - - if (!isConfigured()) { - throw new IllegalStateException("Configuration is required"); - } - - // security check - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission - (new SecurityPermission("authProvider." + this.getName())); - } - - if (hasValidToken() == false) { - // app may call logout for cleanup, allow - return; - } - - if ((token.tokenInfo.flags & CKF_LOGIN_REQUIRED) == 0) { - if (debug != null) { - debug.println("logout operation not required for token - " + - "ignoring logout request"); - } - return; - } - - try { - if (token.isLoggedInNow(null) == false) { - if (debug != null) { - debug.println("user not logged in"); - } - return; - } - } catch (PKCS11Exception e) { - // ignore - } - - // perform token logout - - Session session = null; - try { - session = token.getOpSession(); - p11.C_Logout(session.id()); - if (debug != null) { - debug.println("logout succeeded"); - } - } catch (PKCS11Exception pe) { - if (pe.getErrorCode() == CKR_USER_NOT_LOGGED_IN) { - // let this one go - if (debug != null) { - debug.println("user not logged in"); - } - return; - } - LoginException le = new LoginException(); - le.initCause(pe); - throw le; - } finally { - token.releaseSession(session); - } - } - - /** - * Set a CallbackHandler - * - *

The provider uses this handler if one is not passed to the - * login method. The provider also uses this handler - * if it invokes login on behalf of callers. - * In either case if a handler is not set via this method, - * the provider queries the - * auth.login.defaultCallbackHandler security property - * for the fully qualified class name of a default handler implementation. - * If the security property is not set, - * the provider is assumed to have alternative means - * for obtaining authentication information. - * - * @param handler a CallbackHandler for obtaining - * authentication information, which may be null - * - * @throws IllegalStateException if the provider requires configuration - * and Provider.configure has not been called - * @throws SecurityException if the caller does not pass a - * security check for - * SecurityPermission("authProvider.name"), - * where name is the value returned by - * this provider's getName method - */ - public void setCallbackHandler(CallbackHandler handler) { - - if (!isConfigured()) { - throw new IllegalStateException("Configuration is required"); - } - - // security check - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission - (new SecurityPermission("authProvider." + this.getName())); - } - - synchronized (LOCK_HANDLER) { - pHandler = handler; - } - } - - private CallbackHandler getCallbackHandler(CallbackHandler handler) { - - // get default handler if necessary - - if (handler != null) { - return handler; - } - - if (debug != null) { - debug.println("getting provider callback handler"); - } - - synchronized (LOCK_HANDLER) { - // see if handler was set via setCallbackHandler - if (pHandler != null) { - return pHandler; - } - - try { - if (debug != null) { - debug.println("getting default callback handler"); - } - - CallbackHandler myHandler = AccessController.doPrivileged - (new PrivilegedExceptionAction() { - public CallbackHandler run() throws Exception { - - String defaultHandler = - java.security.Security.getProperty - ("auth.login.defaultCallbackHandler"); - - if (defaultHandler == null || - defaultHandler.length() == 0) { - - // ok - if (debug != null) { - debug.println("no default handler set"); - } - return null; - } - - Class c = Class.forName - (defaultHandler, - true, - Thread.currentThread().getContextClassLoader()); - if (!javax.security.auth.callback.CallbackHandler.class.isAssignableFrom(c)) { - // not the right subtype - if (debug != null) { - debug.println("default handler " + defaultHandler + - " is not a CallbackHandler"); - } - return null; - } - @SuppressWarnings("deprecation") - Object result = c.newInstance(); - return (CallbackHandler)result; - } - }); - // save it - pHandler = myHandler; - return myHandler; - - } catch (PrivilegedActionException pae) { - // ok - if (debug != null) { - debug.println("Unable to load default callback handler"); - pae.printStackTrace(); - } - } - } - return null; - } - - private Object writeReplace() throws ObjectStreamException { - return new SunPKCS11Rep(this); - } - - /** - * Serialized representation of the SunPKCS11 provider. - */ - private static class SunPKCS11Rep implements Serializable { - - static final long serialVersionUID = -2896606995897745419L; - - private final String providerName; - - private final String configName; - - SunPKCS11Rep(SunPKCS11 provider) throws NotSerializableException { - providerName = provider.getName(); - configName = provider.config.getFileName(); - if (Security.getProvider(providerName) != provider) { - throw new NotSerializableException("Only SunPKCS11 providers " - + "installed in java.security.Security can be serialized"); - } - } - - private Object readResolve() throws ObjectStreamException { - SunPKCS11 p = (SunPKCS11)Security.getProvider(providerName); - if ((p == null) || (p.config.getFileName().equals(configName) == false)) { - throw new NotSerializableException("Could not find " - + providerName + " in installed providers"); - } - return p; - } - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2017-01-20 09:52:40.358288880 -0800 @@ -0,0 +1,1506 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.io.*; +import java.util.*; + +import java.security.*; +import java.security.interfaces.*; + +import javax.crypto.interfaces.*; + +import javax.security.auth.Subject; +import javax.security.auth.login.LoginException; +import javax.security.auth.login.FailedLoginException; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.ConfirmationCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.TextOutputCallback; + +import sun.security.util.Debug; +import sun.security.util.ResourcesMgr; +import static sun.security.util.SecurityConstants.PROVIDER_VER; + +import sun.security.pkcs11.Secmod.*; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * PKCS#11 provider main class. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +public final class SunPKCS11 extends AuthProvider { + + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); + + // the PKCS11 object through which we make the native calls + final PKCS11 p11; + + // configuration information + final Config config; + + // id of the PKCS#11 slot we are using + final long slotID; + + private CallbackHandler pHandler; + private final Object LOCK_HANDLER = new Object(); + + final boolean removable; + + final Module nssModule; + + final boolean nssUseSecmodTrust; + + private volatile Token token; + + private TokenPoller poller; + + Token getToken() { + return token; + } + + public SunPKCS11() { + super("SunPKCS11", PROVIDER_VER, + "Unconfigured and unusable PKCS11 provider"); + p11 = null; + config = null; + slotID = 0; + pHandler = null; + removable = false; + nssModule = null; + nssUseSecmodTrust = false; + token = null; + poller = null; + } + + @Override + public Provider configure(String configArg) throws InvalidParameterException { + final String newConfigName = checkNull(configArg); + try { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { + return new SunPKCS11(new Config(newConfigName)); + } + }); + } catch (PrivilegedActionException pae) { + InvalidParameterException ipe = + new InvalidParameterException("Error configuring SunPKCS11 provider"); + throw (InvalidParameterException) ipe.initCause(pae.getException()); + } + } + + @Override + public boolean isConfigured() { + return (config != null); + } + + private static T checkNull(T obj) { + if (obj == null) { + throw new NullPointerException(); + } + return obj; + } + + // Used by Secmod + SunPKCS11(Config c) { + super("SunPKCS11-" + c.getName(), PROVIDER_VER, c.getDescription()); + this.config = c; + + if (debug != null) { + System.out.println("SunPKCS11 loading " + config.getFileName()); + } + + String library = config.getLibrary(); + String functionList = config.getFunctionList(); + long slotID = config.getSlotID(); + int slotListIndex = config.getSlotListIndex(); + + boolean useSecmod = config.getNssUseSecmod(); + boolean nssUseSecmodTrust = config.getNssUseSecmodTrust(); + Module nssModule = null; + + // + // Initialization via Secmod. The way this works is as follows: + // SunPKCS11 is either in normal mode or in NSS Secmod mode. + // Secmod is activated by specifying one or more of the following + // options in the config file: + // nssUseSecmod, nssSecmodDirectory, nssLibrary, nssModule + // + // XXX add more explanation here + // + // If we are in Secmod mode and configured to use either the + // nssKeyStore or the nssTrustAnchors module, we automatically + // switch to using the NSS trust attributes for trusted certs + // (KeyStore). + // + + if (useSecmod) { + // note: Config ensures library/slot/slotListIndex not specified + // in secmod mode. + Secmod secmod = Secmod.getInstance(); + DbMode nssDbMode = config.getNssDbMode(); + try { + String nssLibraryDirectory = config.getNssLibraryDirectory(); + String nssSecmodDirectory = config.getNssSecmodDirectory(); + boolean nssOptimizeSpace = config.getNssOptimizeSpace(); + + if (secmod.isInitialized()) { + if (nssSecmodDirectory != null) { + String s = secmod.getConfigDir(); + if ((s != null) && + (s.equals(nssSecmodDirectory) == false)) { + throw new ProviderException("Secmod directory " + + nssSecmodDirectory + + " invalid, NSS already initialized with " + + s); + } + } + if (nssLibraryDirectory != null) { + String s = secmod.getLibDir(); + if ((s != null) && + (s.equals(nssLibraryDirectory) == false)) { + throw new ProviderException("NSS library directory " + + nssLibraryDirectory + + " invalid, NSS already initialized with " + + s); + } + } + } else { + if (nssDbMode != DbMode.NO_DB) { + if (nssSecmodDirectory == null) { + throw new ProviderException( + "Secmod not initialized and " + + "nssSecmodDirectory not specified"); + } + } else { + if (nssSecmodDirectory != null) { + throw new ProviderException( + "nssSecmodDirectory must not be " + + "specified in noDb mode"); + } + } + secmod.initialize(nssDbMode, nssSecmodDirectory, + nssLibraryDirectory, nssOptimizeSpace); + } + } catch (IOException e) { + // XXX which exception to throw + throw new ProviderException("Could not initialize NSS", e); + } + List modules = secmod.getModules(); + if (config.getShowInfo()) { + System.out.println("NSS modules: " + modules); + } + + String moduleName = config.getNssModule(); + if (moduleName == null) { + nssModule = secmod.getModule(ModuleType.FIPS); + if (nssModule != null) { + moduleName = "fips"; + } else { + moduleName = (nssDbMode == DbMode.NO_DB) ? + "crypto" : "keystore"; + } + } + if (moduleName.equals("fips")) { + nssModule = secmod.getModule(ModuleType.FIPS); + nssUseSecmodTrust = true; + functionList = "FC_GetFunctionList"; + } else if (moduleName.equals("keystore")) { + nssModule = secmod.getModule(ModuleType.KEYSTORE); + nssUseSecmodTrust = true; + } else if (moduleName.equals("crypto")) { + nssModule = secmod.getModule(ModuleType.CRYPTO); + } else if (moduleName.equals("trustanchors")) { + // XXX should the option be called trustanchor or trustanchors?? + nssModule = secmod.getModule(ModuleType.TRUSTANCHOR); + nssUseSecmodTrust = true; + } else if (moduleName.startsWith("external-")) { + int moduleIndex; + try { + moduleIndex = Integer.parseInt + (moduleName.substring("external-".length())); + } catch (NumberFormatException e) { + moduleIndex = -1; + } + if (moduleIndex < 1) { + throw new ProviderException + ("Invalid external module: " + moduleName); + } + int k = 0; + for (Module module : modules) { + if (module.getType() == ModuleType.EXTERNAL) { + if (++k == moduleIndex) { + nssModule = module; + break; + } + } + } + if (nssModule == null) { + throw new ProviderException("Invalid module " + moduleName + + ": only " + k + " external NSS modules available"); + } + } else { + throw new ProviderException( + "Unknown NSS module: " + moduleName); + } + if (nssModule == null) { + throw new ProviderException( + "NSS module not available: " + moduleName); + } + if (nssModule.hasInitializedProvider()) { + throw new ProviderException("Secmod module already configured"); + } + library = nssModule.libraryName; + slotListIndex = nssModule.slot; + } + this.nssUseSecmodTrust = nssUseSecmodTrust; + this.nssModule = nssModule; + + File libraryFile = new File(library); + // if the filename is a simple filename without path + // (e.g. "libpkcs11.so"), it may refer to a library somewhere on the + // OS library search path. Omit the test for file existance as that + // only looks in the current directory. + if (libraryFile.getName().equals(library) == false) { + if (new File(library).isFile() == false) { + String msg = "Library " + library + " does not exist"; + if (config.getHandleStartupErrors() == Config.ERR_HALT) { + throw new ProviderException(msg); + } else { + throw new UnsupportedOperationException(msg); + } + } + } + + try { + if (debug != null) { + debug.println("Initializing PKCS#11 library " + library); + } + CK_C_INITIALIZE_ARGS initArgs = new CK_C_INITIALIZE_ARGS(); + String nssArgs = config.getNssArgs(); + if (nssArgs != null) { + initArgs.pReserved = nssArgs; + } + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, + config.getOmitInitialize()); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); + } + if (config.getAllowSingleThreadedModules() == false) { + throw e; + } + // fall back to single threaded access + if (nssArgs == null) { + // if possible, use null initArgs for better compatibility + initArgs = null; + } else { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, + functionList, initArgs, config.getOmitInitialize()); + } + p11 = tmpPKCS11; + + CK_INFO p11Info = p11.C_GetInfo(); + if (p11Info.cryptokiVersion.major < 2) { + throw new ProviderException("Only PKCS#11 v2.0 and later " + + "supported, library version is v" + p11Info.cryptokiVersion); + } + boolean showInfo = config.getShowInfo(); + if (showInfo) { + System.out.println("Information for provider " + getName()); + System.out.println("Library info:"); + System.out.println(p11Info); + } + + if ((slotID < 0) || showInfo) { + long[] slots = p11.C_GetSlotList(false); + if (showInfo) { + System.out.println("All slots: " + toString(slots)); + slots = p11.C_GetSlotList(true); + System.out.println("Slots with tokens: " + toString(slots)); + } + if (slotID < 0) { + if ((slotListIndex < 0) + || (slotListIndex >= slots.length)) { + throw new ProviderException("slotListIndex is " + + slotListIndex + + " but token only has " + slots.length + " slots"); + } + slotID = slots[slotListIndex]; + } + } + this.slotID = slotID; + CK_SLOT_INFO slotInfo = p11.C_GetSlotInfo(slotID); + removable = (slotInfo.flags & CKF_REMOVABLE_DEVICE) != 0; + initToken(slotInfo); + if (nssModule != null) { + nssModule.setProvider(this); + } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException + ("Initialization failed", e); + } else { + throw new ProviderException + ("Initialization failed", e); + } + } + } + + private static String toString(long[] longs) { + if (longs.length == 0) { + return "(none)"; + } + StringBuilder sb = new StringBuilder(); + sb.append(longs[0]); + for (int i = 1; i < longs.length; i++) { + sb.append(", "); + sb.append(longs[i]); + } + return sb.toString(); + } + + public boolean equals(Object obj) { + return this == obj; + } + + public int hashCode() { + return System.identityHashCode(this); + } + + private static String[] s(String ...aliases) { + return aliases; + } + + private static final class Descriptor { + final String type; + final String algorithm; + final String className; + final String[] aliases; + final int[] mechanisms; + + private Descriptor(String type, String algorithm, String className, + String[] aliases, int[] mechanisms) { + this.type = type; + this.algorithm = algorithm; + this.className = className; + this.aliases = aliases; + this.mechanisms = mechanisms; + } + private P11Service service(Token token, int mechanism) { + return new P11Service + (token, type, algorithm, className, aliases, mechanism); + } + public String toString() { + return type + "." + algorithm; + } + } + + // Map from mechanism to List of Descriptors that should be + // registered if the mechanism is supported + private final static Map> descriptors = + new HashMap>(); + + private static int[] m(long m1) { + return new int[] {(int)m1}; + } + + private static int[] m(long m1, long m2) { + return new int[] {(int)m1, (int)m2}; + } + + private static int[] m(long m1, long m2, long m3) { + return new int[] {(int)m1, (int)m2, (int)m3}; + } + + private static int[] m(long m1, long m2, long m3, long m4) { + return new int[] {(int)m1, (int)m2, (int)m3, (int)m4}; + } + + private static void d(String type, String algorithm, String className, + int[] m) { + register(new Descriptor(type, algorithm, className, null, m)); + } + + private static void d(String type, String algorithm, String className, + String[] aliases, int[] m) { + register(new Descriptor(type, algorithm, className, aliases, m)); + } + + private static void register(Descriptor d) { + for (int i = 0; i < d.mechanisms.length; i++) { + int m = d.mechanisms[i]; + Integer key = Integer.valueOf(m); + List list = descriptors.get(key); + if (list == null) { + list = new ArrayList(); + descriptors.put(key, list); + } + list.add(d); + } + } + + private final static String MD = "MessageDigest"; + + private final static String SIG = "Signature"; + + private final static String KPG = "KeyPairGenerator"; + + private final static String KG = "KeyGenerator"; + + private final static String AGP = "AlgorithmParameters"; + + private final static String KF = "KeyFactory"; + + private final static String SKF = "SecretKeyFactory"; + + private final static String CIP = "Cipher"; + + private final static String MAC = "Mac"; + + private final static String KA = "KeyAgreement"; + + private final static String KS = "KeyStore"; + + private final static String SR = "SecureRandom"; + + static { + // names of all the implementation classes + // use local variables, only used here + String P11Digest = "sun.security.pkcs11.P11Digest"; + String P11MAC = "sun.security.pkcs11.P11MAC"; + String P11KeyPairGenerator = "sun.security.pkcs11.P11KeyPairGenerator"; + String P11KeyGenerator = "sun.security.pkcs11.P11KeyGenerator"; + String P11RSAKeyFactory = "sun.security.pkcs11.P11RSAKeyFactory"; + String P11DSAKeyFactory = "sun.security.pkcs11.P11DSAKeyFactory"; + String P11DHKeyFactory = "sun.security.pkcs11.P11DHKeyFactory"; + String P11KeyAgreement = "sun.security.pkcs11.P11KeyAgreement"; + String P11SecretKeyFactory = "sun.security.pkcs11.P11SecretKeyFactory"; + String P11Cipher = "sun.security.pkcs11.P11Cipher"; + String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; + String P11Signature = "sun.security.pkcs11.P11Signature"; + + // XXX register all aliases + + d(MD, "MD2", P11Digest, + m(CKM_MD2)); + d(MD, "MD5", P11Digest, + m(CKM_MD5)); + d(MD, "SHA1", P11Digest, + s("SHA", "SHA-1", "1.3.14.3.2.26", "OID.1.3.14.3.2.26"), + m(CKM_SHA_1)); + + d(MD, "SHA-224", P11Digest, + s("2.16.840.1.101.3.4.2.4", "OID.2.16.840.1.101.3.4.2.4"), + m(CKM_SHA224)); + d(MD, "SHA-256", P11Digest, + s("2.16.840.1.101.3.4.2.1", "OID.2.16.840.1.101.3.4.2.1"), + m(CKM_SHA256)); + d(MD, "SHA-384", P11Digest, + s("2.16.840.1.101.3.4.2.2", "OID.2.16.840.1.101.3.4.2.2"), + m(CKM_SHA384)); + d(MD, "SHA-512", P11Digest, + s("2.16.840.1.101.3.4.2.3", "OID.2.16.840.1.101.3.4.2.3"), + m(CKM_SHA512)); + + d(MAC, "HmacMD5", P11MAC, + m(CKM_MD5_HMAC)); + d(MAC, "HmacSHA1", P11MAC, + s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"), + m(CKM_SHA_1_HMAC)); + d(MAC, "HmacSHA224", P11MAC, + s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"), + m(CKM_SHA224_HMAC)); + d(MAC, "HmacSHA256", P11MAC, + s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"), + m(CKM_SHA256_HMAC)); + d(MAC, "HmacSHA384", P11MAC, + s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"), + m(CKM_SHA384_HMAC)); + d(MAC, "HmacSHA512", P11MAC, + s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"), + m(CKM_SHA512_HMAC)); + d(MAC, "SslMacMD5", P11MAC, + m(CKM_SSL3_MD5_MAC)); + d(MAC, "SslMacSHA1", P11MAC, + m(CKM_SSL3_SHA1_MAC)); + + d(KPG, "RSA", P11KeyPairGenerator, + m(CKM_RSA_PKCS_KEY_PAIR_GEN)); + d(KPG, "DSA", P11KeyPairGenerator, + s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"), + m(CKM_DSA_KEY_PAIR_GEN)); + d(KPG, "DH", P11KeyPairGenerator, s("DiffieHellman"), + m(CKM_DH_PKCS_KEY_PAIR_GEN)); + d(KPG, "EC", P11KeyPairGenerator, + m(CKM_EC_KEY_PAIR_GEN)); + + d(KG, "ARCFOUR", P11KeyGenerator, s("RC4"), + m(CKM_RC4_KEY_GEN)); + d(KG, "DES", P11KeyGenerator, + m(CKM_DES_KEY_GEN)); + d(KG, "DESede", P11KeyGenerator, + m(CKM_DES3_KEY_GEN, CKM_DES2_KEY_GEN)); + d(KG, "AES", P11KeyGenerator, + m(CKM_AES_KEY_GEN)); + d(KG, "Blowfish", P11KeyGenerator, + m(CKM_BLOWFISH_KEY_GEN)); + + // register (Secret)KeyFactories if there are any mechanisms + // for a particular algorithm that we support + d(KF, "RSA", P11RSAKeyFactory, + m(CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_RSA_X_509)); + d(KF, "DSA", P11DSAKeyFactory, + s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"), + m(CKM_DSA_KEY_PAIR_GEN, CKM_DSA, CKM_DSA_SHA1)); + d(KF, "DH", P11DHKeyFactory, s("DiffieHellman"), + m(CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE)); + d(KF, "EC", P11DHKeyFactory, + m(CKM_EC_KEY_PAIR_GEN, CKM_ECDH1_DERIVE, + CKM_ECDSA, CKM_ECDSA_SHA1)); + + // AlgorithmParameters for EC. + // Only needed until we have an EC implementation in the SUN provider. + d(AGP, "EC", "sun.security.util.ECParameters", + s("1.2.840.10045.2.1"), + m(CKM_EC_KEY_PAIR_GEN, CKM_ECDH1_DERIVE, + CKM_ECDSA, CKM_ECDSA_SHA1)); + + d(KA, "DH", P11KeyAgreement, s("DiffieHellman"), + m(CKM_DH_PKCS_DERIVE)); + d(KA, "ECDH", "sun.security.pkcs11.P11ECDHKeyAgreement", + m(CKM_ECDH1_DERIVE)); + + d(SKF, "ARCFOUR", P11SecretKeyFactory, s("RC4"), + m(CKM_RC4)); + d(SKF, "DES", P11SecretKeyFactory, + m(CKM_DES_CBC)); + d(SKF, "DESede", P11SecretKeyFactory, + m(CKM_DES3_CBC)); + d(SKF, "AES", P11SecretKeyFactory, + s("2.16.840.1.101.3.4.1", "OID.2.16.840.1.101.3.4.1"), + m(CKM_AES_CBC)); + d(SKF, "Blowfish", P11SecretKeyFactory, + m(CKM_BLOWFISH_CBC)); + + // XXX attributes for Ciphers (supported modes, padding) + d(CIP, "ARCFOUR", P11Cipher, s("RC4"), + m(CKM_RC4)); + d(CIP, "DES/CBC/NoPadding", P11Cipher, + m(CKM_DES_CBC)); + d(CIP, "DES/CBC/PKCS5Padding", P11Cipher, + m(CKM_DES_CBC_PAD, CKM_DES_CBC)); + d(CIP, "DES/ECB/NoPadding", P11Cipher, + m(CKM_DES_ECB)); + d(CIP, "DES/ECB/PKCS5Padding", P11Cipher, s("DES"), + m(CKM_DES_ECB)); + + d(CIP, "DESede/CBC/NoPadding", P11Cipher, + m(CKM_DES3_CBC)); + d(CIP, "DESede/CBC/PKCS5Padding", P11Cipher, + m(CKM_DES3_CBC_PAD, CKM_DES3_CBC)); + d(CIP, "DESede/ECB/NoPadding", P11Cipher, + m(CKM_DES3_ECB)); + d(CIP, "DESede/ECB/PKCS5Padding", P11Cipher, s("DESede"), + m(CKM_DES3_ECB)); + d(CIP, "AES/CBC/NoPadding", P11Cipher, + m(CKM_AES_CBC)); + d(CIP, "AES_128/CBC/NoPadding", P11Cipher, + s("2.16.840.1.101.3.4.1.2", "OID.2.16.840.1.101.3.4.1.2"), + m(CKM_AES_CBC)); + d(CIP, "AES_192/CBC/NoPadding", P11Cipher, + s("2.16.840.1.101.3.4.1.22", "OID.2.16.840.1.101.3.4.1.22"), + m(CKM_AES_CBC)); + d(CIP, "AES_256/CBC/NoPadding", P11Cipher, + s("2.16.840.1.101.3.4.1.42", "OID.2.16.840.1.101.3.4.1.42"), + m(CKM_AES_CBC)); + d(CIP, "AES/CBC/PKCS5Padding", P11Cipher, + m(CKM_AES_CBC_PAD, CKM_AES_CBC)); + d(CIP, "AES/ECB/NoPadding", P11Cipher, + m(CKM_AES_ECB)); + d(CIP, "AES_128/ECB/NoPadding", P11Cipher, + s("2.16.840.1.101.3.4.1.1", "OID.2.16.840.1.101.3.4.1.1"), + m(CKM_AES_ECB)); + d(CIP, "AES_192/ECB/NoPadding", P11Cipher, + s("2.16.840.1.101.3.4.1.21", "OID.2.16.840.1.101.3.4.1.21"), + m(CKM_AES_ECB)); + d(CIP, "AES_256/ECB/NoPadding", P11Cipher, + s("2.16.840.1.101.3.4.1.41", "OID.2.16.840.1.101.3.4.1.41"), + m(CKM_AES_ECB)); + d(CIP, "AES/ECB/PKCS5Padding", P11Cipher, s("AES"), + m(CKM_AES_ECB)); + d(CIP, "AES/CTR/NoPadding", P11Cipher, + m(CKM_AES_CTR)); + d(CIP, "Blowfish/CBC/NoPadding", P11Cipher, + m(CKM_BLOWFISH_CBC)); + d(CIP, "Blowfish/CBC/PKCS5Padding", P11Cipher, + m(CKM_BLOWFISH_CBC)); + + // XXX RSA_X_509, RSA_OAEP not yet supported + d(CIP, "RSA/ECB/PKCS1Padding", P11RSACipher, s("RSA"), + m(CKM_RSA_PKCS)); + d(CIP, "RSA/ECB/NoPadding", P11RSACipher, + m(CKM_RSA_X_509)); + + d(SIG, "RawDSA", P11Signature, s("NONEwithDSA"), + m(CKM_DSA)); + d(SIG, "DSA", P11Signature, + s("SHA1withDSA", "1.3.14.3.2.13", "1.3.14.3.2.27", + "1.2.840.10040.4.3", "OID.1.2.840.10040.4.3"), + m(CKM_DSA_SHA1, CKM_DSA)); + d(SIG, "RawDSAinP1363Format", P11Signature, + s("NONEwithDSAinP1363Format"), + m(CKM_DSA)); + d(SIG, "DSAinP1363Format", P11Signature, + s("SHA1withDSAinP1363Format"), + m(CKM_DSA_SHA1, CKM_DSA)); + d(SIG, "NONEwithECDSA", P11Signature, + m(CKM_ECDSA)); + d(SIG, "SHA1withECDSA", P11Signature, + s("ECDSA", "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1"), + m(CKM_ECDSA_SHA1, CKM_ECDSA)); + d(SIG, "SHA224withECDSA", P11Signature, + s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"), + m(CKM_ECDSA)); + d(SIG, "SHA256withECDSA", P11Signature, + s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"), + m(CKM_ECDSA)); + d(SIG, "SHA384withECDSA", P11Signature, + s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"), + m(CKM_ECDSA)); + d(SIG, "SHA512withECDSA", P11Signature, + s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"), + m(CKM_ECDSA)); + d(SIG, "NONEwithECDSAinP1363Format", P11Signature, + m(CKM_ECDSA)); + d(SIG, "SHA1withECDSAinP1363Format", P11Signature, + m(CKM_ECDSA_SHA1, CKM_ECDSA)); + d(SIG, "SHA224withECDSAinP1363Format", P11Signature, + m(CKM_ECDSA)); + d(SIG, "SHA256withECDSAinP1363Format", P11Signature, + m(CKM_ECDSA)); + d(SIG, "SHA384withECDSAinP1363Format", P11Signature, + m(CKM_ECDSA)); + d(SIG, "SHA512withECDSAinP1363Format", P11Signature, + m(CKM_ECDSA)); + d(SIG, "MD2withRSA", P11Signature, + s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"), + m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + d(SIG, "MD5withRSA", P11Signature, + s("1.2.840.113549.1.1.4", "OID.1.2.840.113549.1.1.4"), + m(CKM_MD5_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + d(SIG, "SHA1withRSA", P11Signature, + s("1.2.840.113549.1.1.5", "OID.1.2.840.113549.1.1.5", + "1.3.14.3.2.29"), + m(CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + d(SIG, "SHA224withRSA", P11Signature, + s("1.2.840.113549.1.1.14", "OID.1.2.840.113549.1.1.14"), + m(CKM_SHA224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + d(SIG, "SHA256withRSA", P11Signature, + s("1.2.840.113549.1.1.11", "OID.1.2.840.113549.1.1.11"), + m(CKM_SHA256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + d(SIG, "SHA384withRSA", P11Signature, + s("1.2.840.113549.1.1.12", "OID.1.2.840.113549.1.1.12"), + m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + d(SIG, "SHA512withRSA", P11Signature, + s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"), + m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + + /* + * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the + * PRF calculations. As of 2010, there is no PKCS11-level + * support for TLS 1.2 PRF calculations, and no known OS's have + * an internal variant we could use. Therefore for TLS 1.2, we + * are updating JSSE to request different provider algorithms + * (e.g. "SunTls12Prf"), and currently only SunJCE has these + * TLS 1.2 algorithms. + * + * If we reused the names such as "SunTlsPrf", the PKCS11 + * providers would need be updated to fail correctly when + * presented with the wrong version number (via + * Provider.Service.supportsParameters()), and we would also + * need to add the appropriate supportsParamters() checks into + * KeyGenerators (not currently there). + * + * In the future, if PKCS11 support is added, we will restructure + * this. + */ + d(KG, "SunTlsRsaPremasterSecret", + "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator", + m(CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN)); + d(KG, "SunTlsMasterSecret", + "sun.security.pkcs11.P11TlsMasterSecretGenerator", + m(CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE, + CKM_SSL3_MASTER_KEY_DERIVE_DH, + CKM_TLS_MASTER_KEY_DERIVE_DH)); + d(KG, "SunTlsKeyMaterial", + "sun.security.pkcs11.P11TlsKeyMaterialGenerator", + m(CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE)); + d(KG, "SunTlsPrf", "sun.security.pkcs11.P11TlsPrfGenerator", + m(CKM_TLS_PRF, CKM_NSS_TLS_PRF_GENERAL)); + } + + // background thread that periodically checks for token insertion + // if no token is present. We need to do that in a separate thread because + // the insertion check may block for quite a long time on some tokens. + private static class TokenPoller implements Runnable { + private final SunPKCS11 provider; + private volatile boolean enabled; + private TokenPoller(SunPKCS11 provider) { + this.provider = provider; + enabled = true; + } + public void run() { + int interval = provider.config.getInsertionCheckInterval(); + while (enabled) { + try { + Thread.sleep(interval); + } catch (InterruptedException e) { + break; + } + if (enabled == false) { + break; + } + try { + provider.initToken(null); + } catch (PKCS11Exception e) { + // ignore + } + } + } + void disable() { + enabled = false; + } + } + + // create the poller thread, if not already active + private void createPoller() { + if (poller != null) { + return; + } + final TokenPoller poller = new TokenPoller(this); + Thread t = new Thread(null, poller, "Poller " + getName(), 0, false); + t.setContextClassLoader(null); + t.setDaemon(true); + t.setPriority(Thread.MIN_PRIORITY); + t.start(); + this.poller = poller; + } + + // destroy the poller thread, if active + private void destroyPoller() { + if (poller != null) { + poller.disable(); + poller = null; + } + } + + private boolean hasValidToken() { + /* Commented out to work with Solaris softtoken impl which + returns 0-value flags, e.g. both REMOVABLE_DEVICE and + TOKEN_PRESENT are false, when it can't access the token. + if (removable == false) { + return true; + } + */ + Token token = this.token; + return (token != null) && token.isValid(); + } + + // destroy the token. Called if we detect that it has been removed + synchronized void uninitToken(Token token) { + if (this.token != token) { + // mismatch, our token must already be destroyed + return; + } + destroyPoller(); + this.token = null; + // unregister all algorithms + AccessController.doPrivileged(new PrivilegedAction() { + public Object run() { + clear(); + return null; + } + }); + createPoller(); + } + + // test if a token is present and initialize this provider for it if so. + // does nothing if no token is found + // called from constructor and by poller + private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception { + if (slotInfo == null) { + slotInfo = p11.C_GetSlotInfo(slotID); + } + if (removable && (slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { + createPoller(); + return; + } + destroyPoller(); + boolean showInfo = config.getShowInfo(); + if (showInfo) { + System.out.println("Slot info for slot " + slotID + ":"); + System.out.println(slotInfo); + } + final Token token = new Token(this); + if (showInfo) { + System.out.println + ("Token info for token in slot " + slotID + ":"); + System.out.println(token.tokenInfo); + } + long[] supportedMechanisms = p11.C_GetMechanismList(slotID); + + // Create a map from the various Descriptors to the "most + // preferred" mechanism that was defined during the + // static initialization. For example, DES/CBC/PKCS5Padding + // could be mapped to CKM_DES_CBC_PAD or CKM_DES_CBC. Prefer + // the earliest entry. When asked for "DES/CBC/PKCS5Padding", we + // return a CKM_DES_CBC_PAD. + final Map supportedAlgs = + new HashMap(); + for (int i = 0; i < supportedMechanisms.length; i++) { + long longMech = supportedMechanisms[i]; + boolean isEnabled = config.isEnabled(longMech); + if (showInfo) { + CK_MECHANISM_INFO mechInfo = + p11.C_GetMechanismInfo(slotID, longMech); + System.out.println("Mechanism " + + Functions.getMechanismName(longMech) + ":"); + if (isEnabled == false) { + System.out.println("DISABLED in configuration"); + } + System.out.println(mechInfo); + } + if (isEnabled == false) { + continue; + } + // we do not know of mechs with the upper 32 bits set + if (longMech >>> 32 != 0) { + continue; + } + int mech = (int)longMech; + Integer integerMech = Integer.valueOf(mech); + List ds = descriptors.get(integerMech); + if (ds == null) { + continue; + } + for (Descriptor d : ds) { + Integer oldMech = supportedAlgs.get(d); + if (oldMech == null) { + supportedAlgs.put(d, integerMech); + continue; + } + // See if there is something "more preferred" + // than what we currently have in the supportedAlgs + // map. + int intOldMech = oldMech.intValue(); + for (int j = 0; j < d.mechanisms.length; j++) { + int nextMech = d.mechanisms[j]; + if (mech == nextMech) { + supportedAlgs.put(d, integerMech); + break; + } else if (intOldMech == nextMech) { + break; + } + } + } + + } + + // register algorithms in provider + AccessController.doPrivileged(new PrivilegedAction() { + public Object run() { + for (Map.Entry entry + : supportedAlgs.entrySet()) { + Descriptor d = entry.getKey(); + int mechanism = entry.getValue().intValue(); + Service s = d.service(token, mechanism); + putService(s); + } + if (((token.tokenInfo.flags & CKF_RNG) != 0) + && config.isEnabled(PCKM_SECURERANDOM) + && !token.sessionManager.lowMaxSessions()) { + // do not register SecureRandom if the token does + // not support many sessions. if we did, we might + // run out of sessions in the middle of a + // nextBytes() call where we cannot fail over. + putService(new P11Service(token, SR, "PKCS11", + "sun.security.pkcs11.P11SecureRandom", null, + PCKM_SECURERANDOM)); + } + if (config.isEnabled(PCKM_KEYSTORE)) { + putService(new P11Service(token, KS, "PKCS11", + "sun.security.pkcs11.P11KeyStore", + s("PKCS11-" + config.getName()), + PCKM_KEYSTORE)); + } + return null; + } + }); + + this.token = token; + } + + private static final class P11Service extends Service { + + private final Token token; + + private final long mechanism; + + P11Service(Token token, String type, String algorithm, + String className, String[] al, long mechanism) { + super(token.provider, type, algorithm, className, toList(al), + type.equals(SR) ? Map.of("ThreadSafe", "true") : null); + this.token = token; + this.mechanism = mechanism & 0xFFFFFFFFL; + } + + private static List toList(String[] aliases) { + return (aliases == null) ? null : Arrays.asList(aliases); + } + + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (token.isValid() == false) { + throw new NoSuchAlgorithmException("Token has been removed"); + } + try { + return newInstance0(param); + } catch (PKCS11Exception e) { + throw new NoSuchAlgorithmException(e); + } + } + + public Object newInstance0(Object param) throws + PKCS11Exception, NoSuchAlgorithmException { + String algorithm = getAlgorithm(); + String type = getType(); + if (type == MD) { + return new P11Digest(token, algorithm, mechanism); + } else if (type == CIP) { + if (algorithm.startsWith("RSA")) { + return new P11RSACipher(token, algorithm, mechanism); + } else { + return new P11Cipher(token, algorithm, mechanism); + } + } else if (type == SIG) { + return new P11Signature(token, algorithm, mechanism); + } else if (type == MAC) { + return new P11Mac(token, algorithm, mechanism); + } else if (type == KPG) { + return new P11KeyPairGenerator(token, algorithm, mechanism); + } else if (type == KA) { + if (algorithm.equals("ECDH")) { + return new P11ECDHKeyAgreement(token, algorithm, mechanism); + } else { + return new P11KeyAgreement(token, algorithm, mechanism); + } + } else if (type == KF) { + return token.getKeyFactory(algorithm); + } else if (type == SKF) { + return new P11SecretKeyFactory(token, algorithm); + } else if (type == KG) { + // reference equality + if (algorithm == "SunTlsRsaPremasterSecret") { + return new P11TlsRsaPremasterSecretGenerator( + token, algorithm, mechanism); + } else if (algorithm == "SunTlsMasterSecret") { + return new P11TlsMasterSecretGenerator( + token, algorithm, mechanism); + } else if (algorithm == "SunTlsKeyMaterial") { + return new P11TlsKeyMaterialGenerator( + token, algorithm, mechanism); + } else if (algorithm == "SunTlsPrf") { + return new P11TlsPrfGenerator(token, algorithm, mechanism); + } else { + return new P11KeyGenerator(token, algorithm, mechanism); + } + } else if (type == SR) { + return token.getRandom(); + } else if (type == KS) { + return token.getKeyStore(); + } else if (type == AGP) { + return new sun.security.util.ECParameters(); + } else { + throw new NoSuchAlgorithmException("Unknown type: " + type); + } + } + + public boolean supportsParameter(Object param) { + if ((param == null) || (token.isValid() == false)) { + return false; + } + if (param instanceof Key == false) { + throw new InvalidParameterException("Parameter must be a Key"); + } + String algorithm = getAlgorithm(); + String type = getType(); + Key key = (Key)param; + String keyAlgorithm = key.getAlgorithm(); + // RSA signatures and cipher + if (((type == CIP) && algorithm.startsWith("RSA")) + || (type == SIG) && algorithm.endsWith("RSA")) { + if (keyAlgorithm.equals("RSA") == false) { + return false; + } + return isLocalKey(key) + || (key instanceof RSAPrivateKey) + || (key instanceof RSAPublicKey); + } + // EC + if (((type == KA) && algorithm.equals("ECDH")) + || ((type == SIG) && algorithm.contains("ECDSA"))) { + if (keyAlgorithm.equals("EC") == false) { + return false; + } + return isLocalKey(key) + || (key instanceof ECPrivateKey) + || (key instanceof ECPublicKey); + } + // DSA signatures + if ((type == SIG) && algorithm.contains("DSA") && + !algorithm.contains("ECDSA")) { + if (keyAlgorithm.equals("DSA") == false) { + return false; + } + return isLocalKey(key) + || (key instanceof DSAPrivateKey) + || (key instanceof DSAPublicKey); + } + // MACs and symmetric ciphers + if ((type == CIP) || (type == MAC)) { + // do not check algorithm name, mismatch is unlikely anyway + return isLocalKey(key) || "RAW".equals(key.getFormat()); + } + // DH key agreement + if (type == KA) { + if (keyAlgorithm.equals("DH") == false) { + return false; + } + return isLocalKey(key) + || (key instanceof DHPrivateKey) + || (key instanceof DHPublicKey); + } + // should not reach here, + // unknown engine type or algorithm + throw new AssertionError + ("SunPKCS11 error: " + type + ", " + algorithm); + } + + private boolean isLocalKey(Key key) { + return (key instanceof P11Key) && (((P11Key)key).token == token); + } + + public String toString() { + return super.toString() + + " (" + Functions.getMechanismName(mechanism) + ")"; + } + + } + + /** + * Log in to this provider. + * + *

If the token expects a PIN to be supplied by the caller, + * the handler implementation must support + * a PasswordCallback. + * + *

To determine if the token supports a protected authentication path, + * the CK_TOKEN_INFO flag, CKF_PROTECTED_AUTHENTICATION_PATH, is consulted. + * + * @param subject this parameter is ignored + * @param handler the CallbackHandler used by + * this provider to communicate with the caller + * + * @throws IllegalStateException if the provider requires configuration + * and Provider.configure has not been called + * @throws LoginException if the login operation fails + * @throws SecurityException if the does not pass a security check for + * SecurityPermission("authProvider.name"), + * where name is the value returned by + * this provider's getName method + */ + public void login(Subject subject, CallbackHandler handler) + throws LoginException { + + if (!isConfigured()) { + throw new IllegalStateException("Configuration is required"); + } + + // security check + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + if (debug != null) { + debug.println("checking login permission"); + } + sm.checkPermission(new SecurityPermission + ("authProvider." + this.getName())); + } + + if (hasValidToken() == false) { + throw new LoginException("No token present"); + } + + // see if a login is required + + if ((token.tokenInfo.flags & CKF_LOGIN_REQUIRED) == 0) { + if (debug != null) { + debug.println("login operation not required for token - " + + "ignoring login request"); + } + return; + } + + // see if user already logged in + + try { + if (token.isLoggedInNow(null)) { + // user already logged in + if (debug != null) { + debug.println("user already logged in"); + } + return; + } + } catch (PKCS11Exception e) { + // ignore - fall thru and attempt login + } + + // get the pin if necessary + + char[] pin = null; + if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) { + + // get password + + CallbackHandler myHandler = getCallbackHandler(handler); + if (myHandler == null) { + // XXX PolicyTool is dependent on this message text + throw new LoginException + ("no password provided, and no callback handler " + + "available for retrieving password"); + } + + java.text.MessageFormat form = new java.text.MessageFormat + (ResourcesMgr.getString + ("PKCS11.Token.providerName.Password.")); + Object[] source = { getName() }; + + PasswordCallback pcall = new PasswordCallback(form.format(source), + false); + Callback[] callbacks = { pcall }; + try { + myHandler.handle(callbacks); + } catch (Exception e) { + LoginException le = new LoginException + ("Unable to perform password callback"); + le.initCause(e); + throw le; + } + + pin = pcall.getPassword(); + pcall.clearPassword(); + if (pin == null) { + if (debug != null) { + debug.println("caller passed NULL pin"); + } + } + } + + // perform token login + + Session session = null; + try { + session = token.getOpSession(); + + // pin is NULL if using CKF_PROTECTED_AUTHENTICATION_PATH + p11.C_Login(session.id(), CKU_USER, pin); + if (debug != null) { + debug.println("login succeeded"); + } + } catch (PKCS11Exception pe) { + if (pe.getErrorCode() == CKR_USER_ALREADY_LOGGED_IN) { + // let this one go + if (debug != null) { + debug.println("user already logged in"); + } + return; + } else if (pe.getErrorCode() == CKR_PIN_INCORRECT) { + FailedLoginException fle = new FailedLoginException(); + fle.initCause(pe); + throw fle; + } else { + LoginException le = new LoginException(); + le.initCause(pe); + throw le; + } + } finally { + token.releaseSession(session); + if (pin != null) { + Arrays.fill(pin, ' '); + } + } + + // we do not store the PIN in the subject for now + } + + /** + * Log out from this provider + * + * @throws IllegalStateException if the provider requires configuration + * and Provider.configure has not been called + * @throws LoginException if the logout operation fails + * @throws SecurityException if the does not pass a security check for + * SecurityPermission("authProvider.name"), + * where name is the value returned by + * this provider's getName method + */ + public void logout() throws LoginException { + + if (!isConfigured()) { + throw new IllegalStateException("Configuration is required"); + } + + // security check + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + sm.checkPermission + (new SecurityPermission("authProvider." + this.getName())); + } + + if (hasValidToken() == false) { + // app may call logout for cleanup, allow + return; + } + + if ((token.tokenInfo.flags & CKF_LOGIN_REQUIRED) == 0) { + if (debug != null) { + debug.println("logout operation not required for token - " + + "ignoring logout request"); + } + return; + } + + try { + if (token.isLoggedInNow(null) == false) { + if (debug != null) { + debug.println("user not logged in"); + } + return; + } + } catch (PKCS11Exception e) { + // ignore + } + + // perform token logout + + Session session = null; + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); + if (debug != null) { + debug.println("logout succeeded"); + } + } catch (PKCS11Exception pe) { + if (pe.getErrorCode() == CKR_USER_NOT_LOGGED_IN) { + // let this one go + if (debug != null) { + debug.println("user not logged in"); + } + return; + } + LoginException le = new LoginException(); + le.initCause(pe); + throw le; + } finally { + token.releaseSession(session); + } + } + + /** + * Set a CallbackHandler + * + *

The provider uses this handler if one is not passed to the + * login method. The provider also uses this handler + * if it invokes login on behalf of callers. + * In either case if a handler is not set via this method, + * the provider queries the + * auth.login.defaultCallbackHandler security property + * for the fully qualified class name of a default handler implementation. + * If the security property is not set, + * the provider is assumed to have alternative means + * for obtaining authentication information. + * + * @param handler a CallbackHandler for obtaining + * authentication information, which may be null + * + * @throws IllegalStateException if the provider requires configuration + * and Provider.configure has not been called + * @throws SecurityException if the caller does not pass a + * security check for + * SecurityPermission("authProvider.name"), + * where name is the value returned by + * this provider's getName method + */ + public void setCallbackHandler(CallbackHandler handler) { + + if (!isConfigured()) { + throw new IllegalStateException("Configuration is required"); + } + + // security check + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + sm.checkPermission + (new SecurityPermission("authProvider." + this.getName())); + } + + synchronized (LOCK_HANDLER) { + pHandler = handler; + } + } + + private CallbackHandler getCallbackHandler(CallbackHandler handler) { + + // get default handler if necessary + + if (handler != null) { + return handler; + } + + if (debug != null) { + debug.println("getting provider callback handler"); + } + + synchronized (LOCK_HANDLER) { + // see if handler was set via setCallbackHandler + if (pHandler != null) { + return pHandler; + } + + try { + if (debug != null) { + debug.println("getting default callback handler"); + } + + CallbackHandler myHandler = AccessController.doPrivileged + (new PrivilegedExceptionAction() { + public CallbackHandler run() throws Exception { + + String defaultHandler = + java.security.Security.getProperty + ("auth.login.defaultCallbackHandler"); + + if (defaultHandler == null || + defaultHandler.length() == 0) { + + // ok + if (debug != null) { + debug.println("no default handler set"); + } + return null; + } + + Class c = Class.forName + (defaultHandler, + true, + Thread.currentThread().getContextClassLoader()); + if (!javax.security.auth.callback.CallbackHandler.class.isAssignableFrom(c)) { + // not the right subtype + if (debug != null) { + debug.println("default handler " + defaultHandler + + " is not a CallbackHandler"); + } + return null; + } + @SuppressWarnings("deprecation") + Object result = c.newInstance(); + return (CallbackHandler)result; + } + }); + // save it + pHandler = myHandler; + return myHandler; + + } catch (PrivilegedActionException pae) { + // ok + if (debug != null) { + debug.println("Unable to load default callback handler"); + pae.printStackTrace(); + } + } + } + return null; + } + + private Object writeReplace() throws ObjectStreamException { + return new SunPKCS11Rep(this); + } + + /** + * Serialized representation of the SunPKCS11 provider. + */ + private static class SunPKCS11Rep implements Serializable { + + static final long serialVersionUID = -2896606995897745419L; + + private final String providerName; + + private final String configName; + + SunPKCS11Rep(SunPKCS11 provider) throws NotSerializableException { + providerName = provider.getName(); + configName = provider.config.getFileName(); + if (Security.getProvider(providerName) != provider) { + throw new NotSerializableException("Only SunPKCS11 providers " + + "installed in java.security.Security can be serialized"); + } + } + + private Object readResolve() throws ObjectStreamException { + SunPKCS11 p = (SunPKCS11)Security.getProvider(providerName); + if ((p == null) || (p.config.getFileName().equals(configName) == false)) { + throw new NotSerializableException("Could not find " + + providerName + " in installed providers"); + } + return p; + } + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/TemplateManager.java 2017-01-20 09:52:40.942288858 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,241 +0,0 @@ -/* - * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.util.*; -import java.util.concurrent.*; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * TemplateManager class. - * - * Not all PKCS#11 tokens are created equal. One token may require that one - * value is specified when creating a certain type of object. Another token - * may require a different value. Yet another token may only work if the - * attribute is not specified at all. - * - * In order to allow an application to work unmodified with all those - * different tokens, the SunPKCS11 provider makes the attributes that are - * specified and their value configurable. Hence, only the SunPKCS11 - * configuration file has to be tweaked at deployment time to allow all - * existing applications to be used. - * - * The template manager is responsible for reading the attribute configuration - * information and to make it available to the various internal components - * of the SunPKCS11 provider. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -final class TemplateManager { - - private final static boolean DEBUG = false; - - // constant for any operation (either O_IMPORT or O_GENERATE) - final static String O_ANY = "*"; - // constant for operation create ("importing" existing key material) - final static String O_IMPORT = "import"; - // constant for operation generate (generating new key material) - final static String O_GENERATE = "generate"; - - private static class KeyAndTemplate { - final TemplateKey key; - final Template template; - - KeyAndTemplate(TemplateKey key, Template template) { - this.key = key; - this.template = template; - } - } - - // primitive templates contains the individual template configuration - // entries from the configuration file - private final List primitiveTemplates; - - // composite templates is a cache of the exact configuration template for - // each specific TemplateKey (no wildcards). the entries are created - // on demand during first use by compositing all applicable - // primitive template entries. the result is then stored in this map - // for performance - private final Map compositeTemplates; - - TemplateManager() { - primitiveTemplates = new ArrayList(); - compositeTemplates = new ConcurrentHashMap(); - } - - // add a template. Called by Config. - void addTemplate(String op, long objectClass, long keyAlgorithm, - CK_ATTRIBUTE[] attrs) { - TemplateKey key = new TemplateKey(op, objectClass, keyAlgorithm); - Template template = new Template(attrs); - if (DEBUG) { - System.out.println("Adding " + key + " -> " + template); - } - primitiveTemplates.add(new KeyAndTemplate(key, template)); - } - - private Template getTemplate(TemplateKey key) { - Template template = compositeTemplates.get(key); - if (template == null) { - template = buildCompositeTemplate(key); - compositeTemplates.put(key, template); - } - return template; - } - - // Get the attributes for the requested op and combine them with attrs. - // This is the method called by the implementation to obtain the - // attributes. - CK_ATTRIBUTE[] getAttributes(String op, long type, long alg, - CK_ATTRIBUTE[] attrs) { - TemplateKey key = new TemplateKey(op, type, alg); - Template template = getTemplate(key); - CK_ATTRIBUTE[] newAttrs = template.getAttributes(attrs); - if (DEBUG) { - System.out.println(key + " -> " + Arrays.asList(newAttrs)); - } - return newAttrs; - } - - // build a composite template for the given key - private Template buildCompositeTemplate(TemplateKey key) { - Template comp = new Template(); - // iterate through primitive templates and add all that apply - for (KeyAndTemplate entry : primitiveTemplates) { - if (entry.key.appliesTo(key)) { - comp.add(entry.template); - } - } - return comp; - } - - /** - * Nested class representing a template identifier. - */ - private static final class TemplateKey { - final String operation; - final long keyType; - final long keyAlgorithm; - TemplateKey(String operation, long keyType, long keyAlgorithm) { - this.operation = operation; - this.keyType = keyType; - this.keyAlgorithm = keyAlgorithm; - } - public boolean equals(Object obj) { - if (this == obj) { - return true; - } - if (obj instanceof TemplateKey == false) { - return false; - } - TemplateKey other = (TemplateKey)obj; - boolean match = this.operation.equals(other.operation) - && (this.keyType == other.keyType) - && (this.keyAlgorithm == other.keyAlgorithm); - return match; - } - public int hashCode() { - return operation.hashCode() + (int)keyType + (int)keyAlgorithm; - } - boolean appliesTo(TemplateKey key) { - if (operation.equals(O_ANY) || operation.equals(key.operation)) { - if ((keyType == PCKO_ANY) || (keyType == key.keyType)) { - if ((keyAlgorithm == PCKK_ANY) - || (keyAlgorithm == key.keyAlgorithm)) { - return true; - } - } - } - return false; - } - public String toString() { - return "(" + operation + "," - + Functions.getObjectClassName(keyType) - + "," + Functions.getKeyName(keyAlgorithm) + ")"; - } - } - - /** - * Nested class representing template attributes. - */ - private static final class Template { - - private final static CK_ATTRIBUTE[] A0 = new CK_ATTRIBUTE[0]; - - private CK_ATTRIBUTE[] attributes; - - Template() { - attributes = A0; - } - - Template(CK_ATTRIBUTE[] attributes) { - this.attributes = attributes; - } - - void add(Template template) { - attributes = getAttributes(template.attributes); - } - - CK_ATTRIBUTE[] getAttributes(CK_ATTRIBUTE[] attrs) { - return combine(attributes, attrs); - } - - /** - * Combine two sets of attributes. The second set has precedence - * over the first and overrides its settings. - */ - private static CK_ATTRIBUTE[] combine(CK_ATTRIBUTE[] attrs1, - CK_ATTRIBUTE[] attrs2) { - List attrs = new ArrayList(); - for (CK_ATTRIBUTE attr : attrs1) { - if (attr.pValue != null) { - attrs.add(attr); - } - } - for (CK_ATTRIBUTE attr2 : attrs2) { - long type = attr2.type; - for (CK_ATTRIBUTE attr1 : attrs1) { - if (attr1.type == type) { - attrs.remove(attr1); - } - } - if (attr2.pValue != null) { - attrs.add(attr2); - } - } - return attrs.toArray(A0); - } - - public String toString() { - return Arrays.asList(attributes).toString(); - } - - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/TemplateManager.java 2017-01-20 09:52:40.718288866 -0800 @@ -0,0 +1,241 @@ +/* + * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.util.*; +import java.util.concurrent.*; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * TemplateManager class. + * + * Not all PKCS#11 tokens are created equal. One token may require that one + * value is specified when creating a certain type of object. Another token + * may require a different value. Yet another token may only work if the + * attribute is not specified at all. + * + * In order to allow an application to work unmodified with all those + * different tokens, the SunPKCS11 provider makes the attributes that are + * specified and their value configurable. Hence, only the SunPKCS11 + * configuration file has to be tweaked at deployment time to allow all + * existing applications to be used. + * + * The template manager is responsible for reading the attribute configuration + * information and to make it available to the various internal components + * of the SunPKCS11 provider. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +final class TemplateManager { + + private final static boolean DEBUG = false; + + // constant for any operation (either O_IMPORT or O_GENERATE) + final static String O_ANY = "*"; + // constant for operation create ("importing" existing key material) + final static String O_IMPORT = "import"; + // constant for operation generate (generating new key material) + final static String O_GENERATE = "generate"; + + private static class KeyAndTemplate { + final TemplateKey key; + final Template template; + + KeyAndTemplate(TemplateKey key, Template template) { + this.key = key; + this.template = template; + } + } + + // primitive templates contains the individual template configuration + // entries from the configuration file + private final List primitiveTemplates; + + // composite templates is a cache of the exact configuration template for + // each specific TemplateKey (no wildcards). the entries are created + // on demand during first use by compositing all applicable + // primitive template entries. the result is then stored in this map + // for performance + private final Map compositeTemplates; + + TemplateManager() { + primitiveTemplates = new ArrayList(); + compositeTemplates = new ConcurrentHashMap(); + } + + // add a template. Called by Config. + void addTemplate(String op, long objectClass, long keyAlgorithm, + CK_ATTRIBUTE[] attrs) { + TemplateKey key = new TemplateKey(op, objectClass, keyAlgorithm); + Template template = new Template(attrs); + if (DEBUG) { + System.out.println("Adding " + key + " -> " + template); + } + primitiveTemplates.add(new KeyAndTemplate(key, template)); + } + + private Template getTemplate(TemplateKey key) { + Template template = compositeTemplates.get(key); + if (template == null) { + template = buildCompositeTemplate(key); + compositeTemplates.put(key, template); + } + return template; + } + + // Get the attributes for the requested op and combine them with attrs. + // This is the method called by the implementation to obtain the + // attributes. + CK_ATTRIBUTE[] getAttributes(String op, long type, long alg, + CK_ATTRIBUTE[] attrs) { + TemplateKey key = new TemplateKey(op, type, alg); + Template template = getTemplate(key); + CK_ATTRIBUTE[] newAttrs = template.getAttributes(attrs); + if (DEBUG) { + System.out.println(key + " -> " + Arrays.asList(newAttrs)); + } + return newAttrs; + } + + // build a composite template for the given key + private Template buildCompositeTemplate(TemplateKey key) { + Template comp = new Template(); + // iterate through primitive templates and add all that apply + for (KeyAndTemplate entry : primitiveTemplates) { + if (entry.key.appliesTo(key)) { + comp.add(entry.template); + } + } + return comp; + } + + /** + * Nested class representing a template identifier. + */ + private static final class TemplateKey { + final String operation; + final long keyType; + final long keyAlgorithm; + TemplateKey(String operation, long keyType, long keyAlgorithm) { + this.operation = operation; + this.keyType = keyType; + this.keyAlgorithm = keyAlgorithm; + } + public boolean equals(Object obj) { + if (this == obj) { + return true; + } + if (obj instanceof TemplateKey == false) { + return false; + } + TemplateKey other = (TemplateKey)obj; + boolean match = this.operation.equals(other.operation) + && (this.keyType == other.keyType) + && (this.keyAlgorithm == other.keyAlgorithm); + return match; + } + public int hashCode() { + return operation.hashCode() + (int)keyType + (int)keyAlgorithm; + } + boolean appliesTo(TemplateKey key) { + if (operation.equals(O_ANY) || operation.equals(key.operation)) { + if ((keyType == PCKO_ANY) || (keyType == key.keyType)) { + if ((keyAlgorithm == PCKK_ANY) + || (keyAlgorithm == key.keyAlgorithm)) { + return true; + } + } + } + return false; + } + public String toString() { + return "(" + operation + "," + + Functions.getObjectClassName(keyType) + + "," + Functions.getKeyName(keyAlgorithm) + ")"; + } + } + + /** + * Nested class representing template attributes. + */ + private static final class Template { + + private final static CK_ATTRIBUTE[] A0 = new CK_ATTRIBUTE[0]; + + private CK_ATTRIBUTE[] attributes; + + Template() { + attributes = A0; + } + + Template(CK_ATTRIBUTE[] attributes) { + this.attributes = attributes; + } + + void add(Template template) { + attributes = getAttributes(template.attributes); + } + + CK_ATTRIBUTE[] getAttributes(CK_ATTRIBUTE[] attrs) { + return combine(attributes, attrs); + } + + /** + * Combine two sets of attributes. The second set has precedence + * over the first and overrides its settings. + */ + private static CK_ATTRIBUTE[] combine(CK_ATTRIBUTE[] attrs1, + CK_ATTRIBUTE[] attrs2) { + List attrs = new ArrayList(); + for (CK_ATTRIBUTE attr : attrs1) { + if (attr.pValue != null) { + attrs.add(attr); + } + } + for (CK_ATTRIBUTE attr2 : attrs2) { + long type = attr2.type; + for (CK_ATTRIBUTE attr1 : attrs1) { + if (attr1.type == type) { + attrs.remove(attr1); + } + } + if (attr2.pValue != null) { + attrs.add(attr2); + } + } + return attrs.toArray(A0); + } + + public String toString() { + return Arrays.asList(attributes).toString(); + } + + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/Token.java 2017-01-20 09:52:41.290288845 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,450 +0,0 @@ -/* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11; - -import java.util.*; -import java.util.concurrent.ConcurrentHashMap; -import java.io.*; -import java.lang.ref.*; - -import java.security.*; -import javax.security.auth.login.LoginException; - -import sun.security.jca.JCAUtil; - -import sun.security.pkcs11.wrapper.*; -import static sun.security.pkcs11.TemplateManager.*; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * PKCS#11 token. - * - * @author Andreas Sterbenz - * @since 1.5 - */ -class Token implements Serializable { - - // need to be serializable to allow SecureRandom to be serialized - private static final long serialVersionUID = 2541527649100571747L; - - // how often to check if the token is still present (in ms) - // this is different from checking if a token has been inserted, - // that is done in SunPKCS11. Currently 50 ms. - private final static long CHECK_INTERVAL = 50; - - final SunPKCS11 provider; - - final PKCS11 p11; - - final Config config; - - final CK_TOKEN_INFO tokenInfo; - - // session manager to pool sessions - final SessionManager sessionManager; - - // template manager to customize the attributes used when creating objects - private final TemplateManager templateManager; - - // flag indicating whether we need to explicitly cancel operations - // we started on the token. If false, we assume operations are - // automatically cancelled once we start another one - final boolean explicitCancel; - - // translation cache for secret keys - final KeyCache secretCache; - - // translation cache for asymmetric keys (public and private) - final KeyCache privateCache; - - // cached instances of the various key factories, initialized on demand - private volatile P11KeyFactory rsaFactory, dsaFactory, dhFactory, ecFactory; - - // table which maps mechanisms to the corresponding cached - // MechanismInfo objects - private final Map mechInfoMap; - - // single SecureRandomSpi instance we use per token - // initialized on demand (if supported) - private volatile P11SecureRandom secureRandom; - - // single KeyStoreSpi instance we use per provider - // initialized on demand - private volatile P11KeyStore keyStore; - - // whether this token is a removable token - private final boolean removable; - - // for removable tokens: whether this token is valid or has been removed - private volatile boolean valid; - - // for removable tokens: time last checked for token presence - private long lastPresentCheck; - - // unique token id, used for serialization only - private byte[] tokenId; - - // flag indicating whether the token is write protected - private boolean writeProtected; - - // flag indicating whether we are logged in - private volatile boolean loggedIn; - - // time we last checked login status - private long lastLoginCheck; - - // mutex for token-present-check - private final static Object CHECK_LOCK = new Object(); - - // object for indicating unsupported mechanism in 'mechInfoMap' - private final static CK_MECHANISM_INFO INVALID_MECH = - new CK_MECHANISM_INFO(0, 0, 0); - - // flag indicating whether the token supports raw secret key material import - private Boolean supportsRawSecretKeyImport; - - Token(SunPKCS11 provider) throws PKCS11Exception { - this.provider = provider; - this.removable = provider.removable; - this.valid = true; - p11 = provider.p11; - config = provider.config; - tokenInfo = p11.C_GetTokenInfo(provider.slotID); - writeProtected = (tokenInfo.flags & CKF_WRITE_PROTECTED) != 0; - // create session manager and open a test session - SessionManager sessionManager; - try { - sessionManager = new SessionManager(this); - Session s = sessionManager.getOpSession(); - sessionManager.releaseSession(s); - } catch (PKCS11Exception e) { - if (writeProtected) { - throw e; - } - // token might not permit RW sessions even though - // CKF_WRITE_PROTECTED is not set - writeProtected = true; - sessionManager = new SessionManager(this); - Session s = sessionManager.getOpSession(); - sessionManager.releaseSession(s); - } - this.sessionManager = sessionManager; - secretCache = new KeyCache(); - privateCache = new KeyCache(); - templateManager = config.getTemplateManager(); - explicitCancel = config.getExplicitCancel(); - mechInfoMap = - new ConcurrentHashMap(10); - } - - boolean isWriteProtected() { - return writeProtected; - } - - // return whether the token supports raw secret key material import - boolean supportsRawSecretKeyImport() { - if (supportsRawSecretKeyImport == null) { - SecureRandom random = JCAUtil.getSecureRandom(); - byte[] encoded = new byte[48]; - random.nextBytes(encoded); - - CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[3]; - attributes[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); - attributes[1] = new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET); - attributes[2] = new CK_ATTRIBUTE(CKA_VALUE, encoded); - - Session session = null; - try { - attributes = getAttributes(O_IMPORT, - CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes); - session = getObjSession(); - long keyID = p11.C_CreateObject(session.id(), attributes); - - supportsRawSecretKeyImport = Boolean.TRUE; - } catch (PKCS11Exception e) { - supportsRawSecretKeyImport = Boolean.FALSE; - } finally { - releaseSession(session); - } - } - - return supportsRawSecretKeyImport; - } - - // return whether we are logged in - // uses cached result if current. session is optional and may be null - boolean isLoggedIn(Session session) throws PKCS11Exception { - // volatile load first - boolean loggedIn = this.loggedIn; - long time = System.currentTimeMillis(); - if (time - lastLoginCheck > CHECK_INTERVAL) { - loggedIn = isLoggedInNow(session); - lastLoginCheck = time; - } - return loggedIn; - } - - // return whether we are logged in now - // does not use cache - boolean isLoggedInNow(Session session) throws PKCS11Exception { - boolean allocSession = (session == null); - try { - if (allocSession) { - session = getOpSession(); - } - CK_SESSION_INFO info = p11.C_GetSessionInfo(session.id()); - boolean loggedIn = (info.state == CKS_RO_USER_FUNCTIONS) || - (info.state == CKS_RW_USER_FUNCTIONS); - this.loggedIn = loggedIn; - return loggedIn; - } finally { - if (allocSession) { - releaseSession(session); - } - } - } - - // ensure that we are logged in - // call provider.login() if not - void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { - if (isLoggedIn(session) == false) { - provider.login(null, null); - } - } - - // return whether this token object is valid (i.e. token not removed) - // returns value from last check, does not perform new check - boolean isValid() { - if (removable == false) { - return true; - } - return valid; - } - - void ensureValid() { - if (isValid() == false) { - throw new ProviderException("Token has been removed"); - } - } - - // return whether a token is present (i.e. token not removed) - // returns cached value if current, otherwise performs new check - boolean isPresent(long sessionID) { - if (removable == false) { - return true; - } - if (valid == false) { - return false; - } - long time = System.currentTimeMillis(); - if ((time - lastPresentCheck) >= CHECK_INTERVAL) { - synchronized (CHECK_LOCK) { - if ((time - lastPresentCheck) >= CHECK_INTERVAL) { - boolean ok = false; - try { - // check if token still present - CK_SLOT_INFO slotInfo = - provider.p11.C_GetSlotInfo(provider.slotID); - if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) { - // if the token has been removed and re-inserted, - // the token should return an error - CK_SESSION_INFO sessInfo = - provider.p11.C_GetSessionInfo - (sessionID); - ok = true; - } - } catch (PKCS11Exception e) { - // empty - } - valid = ok; - lastPresentCheck = System.currentTimeMillis(); - if (ok == false) { - destroy(); - } - } - } - } - return valid; - } - - void destroy() { - valid = false; - provider.uninitToken(this); - } - - Session getObjSession() throws PKCS11Exception { - return sessionManager.getObjSession(); - } - - Session getOpSession() throws PKCS11Exception { - return sessionManager.getOpSession(); - } - - Session releaseSession(Session session) { - return sessionManager.releaseSession(session); - } - - Session killSession(Session session) { - return sessionManager.killSession(session); - } - - CK_ATTRIBUTE[] getAttributes(String op, long type, long alg, - CK_ATTRIBUTE[] attrs) throws PKCS11Exception { - CK_ATTRIBUTE[] newAttrs = - templateManager.getAttributes(op, type, alg, attrs); - for (CK_ATTRIBUTE attr : newAttrs) { - if (attr.type == CKA_TOKEN) { - if (attr.getBoolean()) { - try { - ensureLoggedIn(null); - } catch (LoginException e) { - throw new ProviderException("Login failed", e); - } - } - // break once we have found a CKA_TOKEN attribute - break; - } - } - return newAttrs; - } - - P11KeyFactory getKeyFactory(String algorithm) { - P11KeyFactory f; - if (algorithm.equals("RSA")) { - f = rsaFactory; - if (f == null) { - f = new P11RSAKeyFactory(this, algorithm); - rsaFactory = f; - } - } else if (algorithm.equals("DSA")) { - f = dsaFactory; - if (f == null) { - f = new P11DSAKeyFactory(this, algorithm); - dsaFactory = f; - } - } else if (algorithm.equals("DH")) { - f = dhFactory; - if (f == null) { - f = new P11DHKeyFactory(this, algorithm); - dhFactory = f; - } - } else if (algorithm.equals("EC")) { - f = ecFactory; - if (f == null) { - f = new P11ECKeyFactory(this, algorithm); - ecFactory = f; - } - } else { - throw new ProviderException("Unknown algorithm " + algorithm); - } - return f; - } - - P11SecureRandom getRandom() { - if (secureRandom == null) { - secureRandom = new P11SecureRandom(this); - } - return secureRandom; - } - - P11KeyStore getKeyStore() { - if (keyStore == null) { - keyStore = new P11KeyStore(this); - } - return keyStore; - } - - CK_MECHANISM_INFO getMechanismInfo(long mechanism) throws PKCS11Exception { - CK_MECHANISM_INFO result = mechInfoMap.get(mechanism); - if (result == null) { - try { - result = p11.C_GetMechanismInfo(provider.slotID, - mechanism); - mechInfoMap.put(mechanism, result); - } catch (PKCS11Exception e) { - if (e.getErrorCode() != PKCS11Constants.CKR_MECHANISM_INVALID) { - throw e; - } else { - mechInfoMap.put(mechanism, INVALID_MECH); - } - } - } else if (result == INVALID_MECH) { - result = null; - } - return result; - } - - private synchronized byte[] getTokenId() { - if (tokenId == null) { - SecureRandom random = JCAUtil.getSecureRandom(); - tokenId = new byte[20]; - random.nextBytes(tokenId); - serializedTokens.add(new WeakReference(this)); - } - return tokenId; - } - - // list of all tokens that have been serialized within this VM - // NOTE that elements are never removed from this list - // the assumption is that the number of tokens that are serialized - // is relatively small - private static final List> serializedTokens = - new ArrayList>(); - - private Object writeReplace() throws ObjectStreamException { - if (isValid() == false) { - throw new NotSerializableException("Token has been removed"); - } - return new TokenRep(this); - } - - // serialized representation of a token - // tokens can only be de-serialized within the same VM invocation - // and if the token has not been removed in the meantime - private static class TokenRep implements Serializable { - - private static final long serialVersionUID = 3503721168218219807L; - - private final byte[] tokenId; - - TokenRep(Token token) { - tokenId = token.getTokenId(); - } - - private Object readResolve() throws ObjectStreamException { - for (Reference tokenRef : serializedTokens) { - Token token = tokenRef.get(); - if ((token != null) && token.isValid()) { - if (Arrays.equals(token.getTokenId(), tokenId)) { - return token; - } - } - } - throw new NotSerializableException("Could not find token"); - } - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java 2017-01-20 09:52:41.070288853 -0800 @@ -0,0 +1,450 @@ +/* + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.util.*; +import java.util.concurrent.ConcurrentHashMap; +import java.io.*; +import java.lang.ref.*; + +import java.security.*; +import javax.security.auth.login.LoginException; + +import sun.security.jca.JCAUtil; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.TemplateManager.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * PKCS#11 token. + * + * @author Andreas Sterbenz + * @since 1.5 + */ +class Token implements Serializable { + + // need to be serializable to allow SecureRandom to be serialized + private static final long serialVersionUID = 2541527649100571747L; + + // how often to check if the token is still present (in ms) + // this is different from checking if a token has been inserted, + // that is done in SunPKCS11. Currently 50 ms. + private final static long CHECK_INTERVAL = 50; + + final SunPKCS11 provider; + + final PKCS11 p11; + + final Config config; + + final CK_TOKEN_INFO tokenInfo; + + // session manager to pool sessions + final SessionManager sessionManager; + + // template manager to customize the attributes used when creating objects + private final TemplateManager templateManager; + + // flag indicating whether we need to explicitly cancel operations + // we started on the token. If false, we assume operations are + // automatically cancelled once we start another one + final boolean explicitCancel; + + // translation cache for secret keys + final KeyCache secretCache; + + // translation cache for asymmetric keys (public and private) + final KeyCache privateCache; + + // cached instances of the various key factories, initialized on demand + private volatile P11KeyFactory rsaFactory, dsaFactory, dhFactory, ecFactory; + + // table which maps mechanisms to the corresponding cached + // MechanismInfo objects + private final Map mechInfoMap; + + // single SecureRandomSpi instance we use per token + // initialized on demand (if supported) + private volatile P11SecureRandom secureRandom; + + // single KeyStoreSpi instance we use per provider + // initialized on demand + private volatile P11KeyStore keyStore; + + // whether this token is a removable token + private final boolean removable; + + // for removable tokens: whether this token is valid or has been removed + private volatile boolean valid; + + // for removable tokens: time last checked for token presence + private long lastPresentCheck; + + // unique token id, used for serialization only + private byte[] tokenId; + + // flag indicating whether the token is write protected + private boolean writeProtected; + + // flag indicating whether we are logged in + private volatile boolean loggedIn; + + // time we last checked login status + private long lastLoginCheck; + + // mutex for token-present-check + private final static Object CHECK_LOCK = new Object(); + + // object for indicating unsupported mechanism in 'mechInfoMap' + private final static CK_MECHANISM_INFO INVALID_MECH = + new CK_MECHANISM_INFO(0, 0, 0); + + // flag indicating whether the token supports raw secret key material import + private Boolean supportsRawSecretKeyImport; + + Token(SunPKCS11 provider) throws PKCS11Exception { + this.provider = provider; + this.removable = provider.removable; + this.valid = true; + p11 = provider.p11; + config = provider.config; + tokenInfo = p11.C_GetTokenInfo(provider.slotID); + writeProtected = (tokenInfo.flags & CKF_WRITE_PROTECTED) != 0; + // create session manager and open a test session + SessionManager sessionManager; + try { + sessionManager = new SessionManager(this); + Session s = sessionManager.getOpSession(); + sessionManager.releaseSession(s); + } catch (PKCS11Exception e) { + if (writeProtected) { + throw e; + } + // token might not permit RW sessions even though + // CKF_WRITE_PROTECTED is not set + writeProtected = true; + sessionManager = new SessionManager(this); + Session s = sessionManager.getOpSession(); + sessionManager.releaseSession(s); + } + this.sessionManager = sessionManager; + secretCache = new KeyCache(); + privateCache = new KeyCache(); + templateManager = config.getTemplateManager(); + explicitCancel = config.getExplicitCancel(); + mechInfoMap = + new ConcurrentHashMap(10); + } + + boolean isWriteProtected() { + return writeProtected; + } + + // return whether the token supports raw secret key material import + boolean supportsRawSecretKeyImport() { + if (supportsRawSecretKeyImport == null) { + SecureRandom random = JCAUtil.getSecureRandom(); + byte[] encoded = new byte[48]; + random.nextBytes(encoded); + + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[3]; + attributes[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); + attributes[1] = new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_GENERIC_SECRET); + attributes[2] = new CK_ATTRIBUTE(CKA_VALUE, encoded); + + Session session = null; + try { + attributes = getAttributes(O_IMPORT, + CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes); + session = getObjSession(); + long keyID = p11.C_CreateObject(session.id(), attributes); + + supportsRawSecretKeyImport = Boolean.TRUE; + } catch (PKCS11Exception e) { + supportsRawSecretKeyImport = Boolean.FALSE; + } finally { + releaseSession(session); + } + } + + return supportsRawSecretKeyImport; + } + + // return whether we are logged in + // uses cached result if current. session is optional and may be null + boolean isLoggedIn(Session session) throws PKCS11Exception { + // volatile load first + boolean loggedIn = this.loggedIn; + long time = System.currentTimeMillis(); + if (time - lastLoginCheck > CHECK_INTERVAL) { + loggedIn = isLoggedInNow(session); + lastLoginCheck = time; + } + return loggedIn; + } + + // return whether we are logged in now + // does not use cache + boolean isLoggedInNow(Session session) throws PKCS11Exception { + boolean allocSession = (session == null); + try { + if (allocSession) { + session = getOpSession(); + } + CK_SESSION_INFO info = p11.C_GetSessionInfo(session.id()); + boolean loggedIn = (info.state == CKS_RO_USER_FUNCTIONS) || + (info.state == CKS_RW_USER_FUNCTIONS); + this.loggedIn = loggedIn; + return loggedIn; + } finally { + if (allocSession) { + releaseSession(session); + } + } + } + + // ensure that we are logged in + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (isLoggedIn(session) == false) { + provider.login(null, null); + } + } + + // return whether this token object is valid (i.e. token not removed) + // returns value from last check, does not perform new check + boolean isValid() { + if (removable == false) { + return true; + } + return valid; + } + + void ensureValid() { + if (isValid() == false) { + throw new ProviderException("Token has been removed"); + } + } + + // return whether a token is present (i.e. token not removed) + // returns cached value if current, otherwise performs new check + boolean isPresent(long sessionID) { + if (removable == false) { + return true; + } + if (valid == false) { + return false; + } + long time = System.currentTimeMillis(); + if ((time - lastPresentCheck) >= CHECK_INTERVAL) { + synchronized (CHECK_LOCK) { + if ((time - lastPresentCheck) >= CHECK_INTERVAL) { + boolean ok = false; + try { + // check if token still present + CK_SLOT_INFO slotInfo = + provider.p11.C_GetSlotInfo(provider.slotID); + if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) { + // if the token has been removed and re-inserted, + // the token should return an error + CK_SESSION_INFO sessInfo = + provider.p11.C_GetSessionInfo + (sessionID); + ok = true; + } + } catch (PKCS11Exception e) { + // empty + } + valid = ok; + lastPresentCheck = System.currentTimeMillis(); + if (ok == false) { + destroy(); + } + } + } + } + return valid; + } + + void destroy() { + valid = false; + provider.uninitToken(this); + } + + Session getObjSession() throws PKCS11Exception { + return sessionManager.getObjSession(); + } + + Session getOpSession() throws PKCS11Exception { + return sessionManager.getOpSession(); + } + + Session releaseSession(Session session) { + return sessionManager.releaseSession(session); + } + + Session killSession(Session session) { + return sessionManager.killSession(session); + } + + CK_ATTRIBUTE[] getAttributes(String op, long type, long alg, + CK_ATTRIBUTE[] attrs) throws PKCS11Exception { + CK_ATTRIBUTE[] newAttrs = + templateManager.getAttributes(op, type, alg, attrs); + for (CK_ATTRIBUTE attr : newAttrs) { + if (attr.type == CKA_TOKEN) { + if (attr.getBoolean()) { + try { + ensureLoggedIn(null); + } catch (LoginException e) { + throw new ProviderException("Login failed", e); + } + } + // break once we have found a CKA_TOKEN attribute + break; + } + } + return newAttrs; + } + + P11KeyFactory getKeyFactory(String algorithm) { + P11KeyFactory f; + if (algorithm.equals("RSA")) { + f = rsaFactory; + if (f == null) { + f = new P11RSAKeyFactory(this, algorithm); + rsaFactory = f; + } + } else if (algorithm.equals("DSA")) { + f = dsaFactory; + if (f == null) { + f = new P11DSAKeyFactory(this, algorithm); + dsaFactory = f; + } + } else if (algorithm.equals("DH")) { + f = dhFactory; + if (f == null) { + f = new P11DHKeyFactory(this, algorithm); + dhFactory = f; + } + } else if (algorithm.equals("EC")) { + f = ecFactory; + if (f == null) { + f = new P11ECKeyFactory(this, algorithm); + ecFactory = f; + } + } else { + throw new ProviderException("Unknown algorithm " + algorithm); + } + return f; + } + + P11SecureRandom getRandom() { + if (secureRandom == null) { + secureRandom = new P11SecureRandom(this); + } + return secureRandom; + } + + P11KeyStore getKeyStore() { + if (keyStore == null) { + keyStore = new P11KeyStore(this); + } + return keyStore; + } + + CK_MECHANISM_INFO getMechanismInfo(long mechanism) throws PKCS11Exception { + CK_MECHANISM_INFO result = mechInfoMap.get(mechanism); + if (result == null) { + try { + result = p11.C_GetMechanismInfo(provider.slotID, + mechanism); + mechInfoMap.put(mechanism, result); + } catch (PKCS11Exception e) { + if (e.getErrorCode() != PKCS11Constants.CKR_MECHANISM_INVALID) { + throw e; + } else { + mechInfoMap.put(mechanism, INVALID_MECH); + } + } + } else if (result == INVALID_MECH) { + result = null; + } + return result; + } + + private synchronized byte[] getTokenId() { + if (tokenId == null) { + SecureRandom random = JCAUtil.getSecureRandom(); + tokenId = new byte[20]; + random.nextBytes(tokenId); + serializedTokens.add(new WeakReference(this)); + } + return tokenId; + } + + // list of all tokens that have been serialized within this VM + // NOTE that elements are never removed from this list + // the assumption is that the number of tokens that are serialized + // is relatively small + private static final List> serializedTokens = + new ArrayList>(); + + private Object writeReplace() throws ObjectStreamException { + if (isValid() == false) { + throw new NotSerializableException("Token has been removed"); + } + return new TokenRep(this); + } + + // serialized representation of a token + // tokens can only be de-serialized within the same VM invocation + // and if the token has not been removed in the meantime + private static class TokenRep implements Serializable { + + private static final long serialVersionUID = 3503721168218219807L; + + private final byte[] tokenId; + + TokenRep(Token token) { + tokenId = token.getTokenId(); + } + + private Object readResolve() throws ObjectStreamException { + for (Reference tokenRef : serializedTokens) { + Token token = tokenRef.get(); + if ((token != null) && token.isValid()) { + if (Arrays.equals(token.getTokenId(), tokenId)) { + return token; + } + } + } + throw new NotSerializableException("Could not find token"); + } + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java 2017-01-20 09:52:41.650288831 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,66 +0,0 @@ -/* - * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11.wrapper; - -/** - * This class represents the necessary parameters required by - * the CKM_AES_CTR mechanism as defined in CK_AES_CTR_PARAMS structure.

- * PKCS#11 structure: - * 

- * typedef struct CK_AES_CTR_PARAMS {
- *   CK_ULONG ulCounterBits;
- *   CK_BYTE cb[16];
- * } CK_AES_CTR_PARAMS;
- *
- * - * @author Yu-Ching Valerie Peng - * @since 1.7 - */ -public class CK_AES_CTR_PARAMS { - - private final long ulCounterBits; - private final byte[] cb; - - public CK_AES_CTR_PARAMS(byte[] cb) { - ulCounterBits = 128; - this.cb = cb.clone(); - } - - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("ulCounterBits: "); - sb.append(ulCounterBits); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("cb: "); - sb.append(Functions.toHexString(cb)); - - return sb.toString(); - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java 2017-01-20 09:52:41.422288840 -0800 @@ -0,0 +1,66 @@ +/* + * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11.wrapper; + +/** + * This class represents the necessary parameters required by + * the CKM_AES_CTR mechanism as defined in CK_AES_CTR_PARAMS structure.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_AES_CTR_PARAMS {
+ *   CK_ULONG ulCounterBits;
+ *   CK_BYTE cb[16];
+ * } CK_AES_CTR_PARAMS;
+ *
+ * + * @author Yu-Ching Valerie Peng + * @since 1.7 + */ +public class CK_AES_CTR_PARAMS { + + private final long ulCounterBits; + private final byte[] cb; + + public CK_AES_CTR_PARAMS(byte[] cb) { + ulCounterBits = 128; + this.cb = cb.clone(); + } + + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("ulCounterBits: "); + sb.append(ulCounterBits); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("cb: "); + sb.append(Functions.toHexString(cb)); + + return sb.toString(); + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_ATTRIBUTE.java 2017-01-20 09:52:42.014288817 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,229 +0,0 @@ -/* - * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - -import java.math.BigInteger; - -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * class CK_ATTRIBUTE includes the type, value and length of an attribute.

- * PKCS#11 structure: - * 

- * typedef struct CK_ATTRIBUTE {  
- *   CK_ATTRIBUTE_TYPE type;  
- *   CK_VOID_PTR pValue;  
- *   CK_ULONG ulValueLen;
- * } CK_ATTRIBUTE;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_ATTRIBUTE { - - // common attributes - // NOTE that CK_ATTRIBUTE is a mutable classes but these attributes - // *MUST NEVER* be modified, e.g. by using them in a - // C_GetAttributeValue() call! - - public final static CK_ATTRIBUTE TOKEN_FALSE = - new CK_ATTRIBUTE(CKA_TOKEN, false); - - public final static CK_ATTRIBUTE SENSITIVE_FALSE = - new CK_ATTRIBUTE(CKA_SENSITIVE, false); - - public final static CK_ATTRIBUTE EXTRACTABLE_TRUE = - new CK_ATTRIBUTE(CKA_EXTRACTABLE, true); - - public final static CK_ATTRIBUTE ENCRYPT_TRUE = - new CK_ATTRIBUTE(CKA_ENCRYPT, true); - - public final static CK_ATTRIBUTE DECRYPT_TRUE = - new CK_ATTRIBUTE(CKA_DECRYPT, true); - - public final static CK_ATTRIBUTE WRAP_TRUE = - new CK_ATTRIBUTE(CKA_WRAP, true); - - public final static CK_ATTRIBUTE UNWRAP_TRUE = - new CK_ATTRIBUTE(CKA_UNWRAP, true); - - public final static CK_ATTRIBUTE SIGN_TRUE = - new CK_ATTRIBUTE(CKA_SIGN, true); - - public final static CK_ATTRIBUTE VERIFY_TRUE = - new CK_ATTRIBUTE(CKA_VERIFY, true); - - public final static CK_ATTRIBUTE SIGN_RECOVER_TRUE = - new CK_ATTRIBUTE(CKA_SIGN_RECOVER, true); - - public final static CK_ATTRIBUTE VERIFY_RECOVER_TRUE = - new CK_ATTRIBUTE(CKA_VERIFY_RECOVER, true); - - public final static CK_ATTRIBUTE DERIVE_TRUE = - new CK_ATTRIBUTE(CKA_DERIVE, true); - - public final static CK_ATTRIBUTE ENCRYPT_NULL = - new CK_ATTRIBUTE(CKA_ENCRYPT); - - public final static CK_ATTRIBUTE DECRYPT_NULL = - new CK_ATTRIBUTE(CKA_DECRYPT); - - public final static CK_ATTRIBUTE WRAP_NULL = - new CK_ATTRIBUTE(CKA_WRAP); - - public final static CK_ATTRIBUTE UNWRAP_NULL = - new CK_ATTRIBUTE(CKA_UNWRAP); - - public CK_ATTRIBUTE() { - // empty - } - - public CK_ATTRIBUTE(long type) { - this.type = type; - } - - public CK_ATTRIBUTE(long type, Object pValue) { - this.type = type; - this.pValue = pValue; - } - - public CK_ATTRIBUTE(long type, boolean value) { - this.type = type; - this.pValue = Boolean.valueOf(value); - } - - public CK_ATTRIBUTE(long type, long value) { - this.type = type; - this.pValue = Long.valueOf(value); - } - - public CK_ATTRIBUTE(long type, BigInteger value) { - this.type = type; - this.pValue = sun.security.pkcs11.P11Util.getMagnitude(value); - } - - public BigInteger getBigInteger() { - if (pValue instanceof byte[] == false) { - throw new RuntimeException("Not a byte[]"); - } - return new BigInteger(1, (byte[])pValue); - } - - public boolean getBoolean() { - if (pValue instanceof Boolean == false) { - throw new RuntimeException - ("Not a Boolean: " + pValue.getClass().getName()); - } - return ((Boolean)pValue).booleanValue(); - } - - public char[] getCharArray() { - if (pValue instanceof char[] == false) { - throw new RuntimeException("Not a char[]"); - } - return (char[])pValue; - } - - public byte[] getByteArray() { - if (pValue instanceof byte[] == false) { - throw new RuntimeException("Not a byte[]"); - } - return (byte[])pValue; - } - - public long getLong() { - if (pValue instanceof Long == false) { - throw new RuntimeException - ("Not a Long: " + pValue.getClass().getName()); - } - return ((Long)pValue).longValue(); - } - - /** - * PKCS#11: - * 
-     *   CK_ATTRIBUTE_TYPE type;
-     *
- */ - public long type; - - /** - * PKCS#11: - * 
-     *   CK_VOID_PTR pValue;
-     *   CK_ULONG ulValueLen;
-     *
- */ - public Object pValue; - - /** - * Returns the string representation of CK_ATTRIBUTE. - * - * @return the string representation of CK_ATTRIBUTE - */ - public String toString() { - String prefix = Functions.getAttributeName(type) + " = "; - if (type == CKA_CLASS) { - return prefix + Functions.getObjectClassName(getLong()); - } else if (type == CKA_KEY_TYPE) { - return prefix + Functions.getKeyName(getLong()); - } else { - String s; - if (pValue instanceof char[]) { - s = new String((char[])pValue); - } else if (pValue instanceof byte[]) { - s = Functions.toHexString((byte[])pValue); - } else { - s = String.valueOf(pValue); - } - return prefix + s; - } - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ATTRIBUTE.java 2017-01-20 09:52:41.794288826 -0800 @@ -0,0 +1,229 @@ +/* + * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + +import java.math.BigInteger; + +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * class CK_ATTRIBUTE includes the type, value and length of an attribute.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_ATTRIBUTE {  
+ *   CK_ATTRIBUTE_TYPE type;  
+ *   CK_VOID_PTR pValue;  
+ *   CK_ULONG ulValueLen;
+ * } CK_ATTRIBUTE;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_ATTRIBUTE { + + // common attributes + // NOTE that CK_ATTRIBUTE is a mutable classes but these attributes + // *MUST NEVER* be modified, e.g. by using them in a + // C_GetAttributeValue() call! + + public final static CK_ATTRIBUTE TOKEN_FALSE = + new CK_ATTRIBUTE(CKA_TOKEN, false); + + public final static CK_ATTRIBUTE SENSITIVE_FALSE = + new CK_ATTRIBUTE(CKA_SENSITIVE, false); + + public final static CK_ATTRIBUTE EXTRACTABLE_TRUE = + new CK_ATTRIBUTE(CKA_EXTRACTABLE, true); + + public final static CK_ATTRIBUTE ENCRYPT_TRUE = + new CK_ATTRIBUTE(CKA_ENCRYPT, true); + + public final static CK_ATTRIBUTE DECRYPT_TRUE = + new CK_ATTRIBUTE(CKA_DECRYPT, true); + + public final static CK_ATTRIBUTE WRAP_TRUE = + new CK_ATTRIBUTE(CKA_WRAP, true); + + public final static CK_ATTRIBUTE UNWRAP_TRUE = + new CK_ATTRIBUTE(CKA_UNWRAP, true); + + public final static CK_ATTRIBUTE SIGN_TRUE = + new CK_ATTRIBUTE(CKA_SIGN, true); + + public final static CK_ATTRIBUTE VERIFY_TRUE = + new CK_ATTRIBUTE(CKA_VERIFY, true); + + public final static CK_ATTRIBUTE SIGN_RECOVER_TRUE = + new CK_ATTRIBUTE(CKA_SIGN_RECOVER, true); + + public final static CK_ATTRIBUTE VERIFY_RECOVER_TRUE = + new CK_ATTRIBUTE(CKA_VERIFY_RECOVER, true); + + public final static CK_ATTRIBUTE DERIVE_TRUE = + new CK_ATTRIBUTE(CKA_DERIVE, true); + + public final static CK_ATTRIBUTE ENCRYPT_NULL = + new CK_ATTRIBUTE(CKA_ENCRYPT); + + public final static CK_ATTRIBUTE DECRYPT_NULL = + new CK_ATTRIBUTE(CKA_DECRYPT); + + public final static CK_ATTRIBUTE WRAP_NULL = + new CK_ATTRIBUTE(CKA_WRAP); + + public final static CK_ATTRIBUTE UNWRAP_NULL = + new CK_ATTRIBUTE(CKA_UNWRAP); + + public CK_ATTRIBUTE() { + // empty + } + + public CK_ATTRIBUTE(long type) { + this.type = type; + } + + public CK_ATTRIBUTE(long type, Object pValue) { + this.type = type; + this.pValue = pValue; + } + + public CK_ATTRIBUTE(long type, boolean value) { + this.type = type; + this.pValue = Boolean.valueOf(value); + } + + public CK_ATTRIBUTE(long type, long value) { + this.type = type; + this.pValue = Long.valueOf(value); + } + + public CK_ATTRIBUTE(long type, BigInteger value) { + this.type = type; + this.pValue = sun.security.pkcs11.P11Util.getMagnitude(value); + } + + public BigInteger getBigInteger() { + if (pValue instanceof byte[] == false) { + throw new RuntimeException("Not a byte[]"); + } + return new BigInteger(1, (byte[])pValue); + } + + public boolean getBoolean() { + if (pValue instanceof Boolean == false) { + throw new RuntimeException + ("Not a Boolean: " + pValue.getClass().getName()); + } + return ((Boolean)pValue).booleanValue(); + } + + public char[] getCharArray() { + if (pValue instanceof char[] == false) { + throw new RuntimeException("Not a char[]"); + } + return (char[])pValue; + } + + public byte[] getByteArray() { + if (pValue instanceof byte[] == false) { + throw new RuntimeException("Not a byte[]"); + } + return (byte[])pValue; + } + + public long getLong() { + if (pValue instanceof Long == false) { + throw new RuntimeException + ("Not a Long: " + pValue.getClass().getName()); + } + return ((Long)pValue).longValue(); + } + + /** + * PKCS#11: + * 
+     *   CK_ATTRIBUTE_TYPE type;
+     *
+ */ + public long type; + + /** + * PKCS#11: + * 
+     *   CK_VOID_PTR pValue;
+     *   CK_ULONG ulValueLen;
+     *
+ */ + public Object pValue; + + /** + * Returns the string representation of CK_ATTRIBUTE. + * + * @return the string representation of CK_ATTRIBUTE + */ + public String toString() { + String prefix = Functions.getAttributeName(type) + " = "; + if (type == CKA_CLASS) { + return prefix + Functions.getObjectClassName(getLong()); + } else if (type == CKA_KEY_TYPE) { + return prefix + Functions.getKeyName(getLong()); + } else { + String s; + if (pValue instanceof char[]) { + s = new String((char[])pValue); + } else if (pValue instanceof byte[]) { + s = Functions.toHexString((byte[])pValue); + } else { + s = String.valueOf(pValue); + } + return prefix + s; + } + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_CREATEMUTEX.java 2017-01-20 09:52:42.366288804 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,68 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * interface CK_CREATEMUTEX. - * - * @author Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at> - * @author Martin Schlaeffer <schlaeff@sbox.tugraz.at> - */ -public interface CK_CREATEMUTEX { - - /** - * Method CK_CREATEMUTEX - * - * @return The mutex (lock) object. - * @exception PKCS11Exception - */ - public Object CK_CREATEMUTEX() throws PKCS11Exception; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_CREATEMUTEX.java 2017-01-20 09:52:42.146288812 -0800 @@ -0,0 +1,68 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * interface CK_CREATEMUTEX. + * + * @author Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at> + * @author Martin Schlaeffer <schlaeff@sbox.tugraz.at> + */ +public interface CK_CREATEMUTEX { + + /** + * Method CK_CREATEMUTEX + * + * @return The mutex (lock) object. + * @exception PKCS11Exception + */ + public Object CK_CREATEMUTEX() throws PKCS11Exception; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_C_INITIALIZE_ARGS.java 2017-01-20 09:52:42.714288791 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,120 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_C_INITIALIZE_ARGS contains the optional arguments for the - * C_Initialize function.

- * PKCS#11 structure: - * 

- * typedef struct CK_C_INITIALIZE_ARGS {  
- *   CK_CREATEMUTEX CreateMutex;  
- *   CK_DESTROYMUTEX DestroyMutex;  
- *   CK_LOCKMUTEX LockMutex;  
- *   CK_UNLOCKMUTEX UnlockMutex;  
- *   CK_FLAGS flags;  
- *   CK_VOID_PTR pReserved;  
- * } CK_C_INITIALIZE_ARGS;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_C_INITIALIZE_ARGS { - - /** - * PKCS#11: - * 
-     *   CK_CREATEMUTEX CreateMutex;
-     *
- */ - public CK_CREATEMUTEX CreateMutex; - - /** - * PKCS#11: - * 
-     *   CK_DESTROYMUTEX DestroyMutex;
-     *
- */ - public CK_DESTROYMUTEX DestroyMutex; - - /** - * PKCS#11: - * 
-     *   CK_LOCKMUTEX LockMutex;
-     *
- */ - public CK_LOCKMUTEX LockMutex; - - /** - * PKCS#11: - * 
-     *   CK_UNLOCKMUTEX UnlockMutex;
-     *
- */ - public CK_UNLOCKMUTEX UnlockMutex; - - /** - * PKCS#11: - * 
-     *   CK_FLAGS flags;
-     *
- */ - public long flags; - - /** - * PKCS#11: - * 
-     *   CK_VOID_PTR pReserved;
-     *
- */ - public Object pReserved; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_C_INITIALIZE_ARGS.java 2017-01-20 09:52:42.494288799 -0800 @@ -0,0 +1,120 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_C_INITIALIZE_ARGS contains the optional arguments for the + * C_Initialize function.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_C_INITIALIZE_ARGS {  
+ *   CK_CREATEMUTEX CreateMutex;  
+ *   CK_DESTROYMUTEX DestroyMutex;  
+ *   CK_LOCKMUTEX LockMutex;  
+ *   CK_UNLOCKMUTEX UnlockMutex;  
+ *   CK_FLAGS flags;  
+ *   CK_VOID_PTR pReserved;  
+ * } CK_C_INITIALIZE_ARGS;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_C_INITIALIZE_ARGS { + + /** + * PKCS#11: + * 
+     *   CK_CREATEMUTEX CreateMutex;
+     *
+ */ + public CK_CREATEMUTEX CreateMutex; + + /** + * PKCS#11: + * 
+     *   CK_DESTROYMUTEX DestroyMutex;
+     *
+ */ + public CK_DESTROYMUTEX DestroyMutex; + + /** + * PKCS#11: + * 
+     *   CK_LOCKMUTEX LockMutex;
+     *
+ */ + public CK_LOCKMUTEX LockMutex; + + /** + * PKCS#11: + * 
+     *   CK_UNLOCKMUTEX UnlockMutex;
+     *
+ */ + public CK_UNLOCKMUTEX UnlockMutex; + + /** + * PKCS#11: + * 
+     *   CK_FLAGS flags;
+     *
+ */ + public long flags; + + /** + * PKCS#11: + * 
+     *   CK_VOID_PTR pReserved;
+     *
+ */ + public Object pReserved; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_DATE.java 2017-01-20 09:52:43.150288774 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,137 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class .

- * PKCS#11 structure: - * 

- * typedef struct CK_DATE {  
- *   CK_CHAR year[4];  
- *   CK_CHAR month[2];  
- *   CK_CHAR day[2];  
- * } CK_DATE;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_DATE implements Cloneable { - - /** - * PKCS#11: - * 
-     *   CK_CHAR year[4];   - the year ("1900" - "9999")
-     *
- */ - public char[] year; /* the year ("1900" - "9999") */ - - /** - * PKCS#11: - * 
-     *   CK_CHAR month[2];  - the month ("01" - "12")
-     *
- */ - public char[] month; /* the month ("01" - "12") */ - - /** - * PKCS#11: - * 
-     *   CK_CHAR day[2];    - the day ("01" - "31")
-     *
- */ - public char[] day; /* the day ("01" - "31") */ - - public CK_DATE(char[] year, char[] month, char[] day) { - this.year = year; - this.month = month; - this.day = day; - } - - /** - * Create a (deep) clone of this object. - * - * @return A clone of this object. - */ - public Object clone() { - CK_DATE copy = null; - try { - copy = (CK_DATE) super.clone(); - } catch (CloneNotSupportedException cnse) { - // re-throw as RuntimeException - throw (RuntimeException) - (new RuntimeException("Clone error").initCause(cnse)); - } - copy.year = this.year.clone(); - copy.month = this.month.clone(); - copy.day = this.day.clone(); - - return copy; - } - - /** - * Returns the string representation of CK_DATE. - * - * @return the string representation of CK_DATE - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(new String(day)); - sb.append('.'); - sb.append(new String(month)); - sb.append('.'); - sb.append(new String(year)); - sb.append(" (DD.MM.YYYY)"); - - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_DATE.java 2017-01-20 09:52:42.942288782 -0800 @@ -0,0 +1,137 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class .

+ * PKCS#11 structure: + * 

+ * typedef struct CK_DATE {  
+ *   CK_CHAR year[4];  
+ *   CK_CHAR month[2];  
+ *   CK_CHAR day[2];  
+ * } CK_DATE;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_DATE implements Cloneable { + + /** + * PKCS#11: + * 
+     *   CK_CHAR year[4];   - the year ("1900" - "9999")
+     *
+ */ + public char[] year; /* the year ("1900" - "9999") */ + + /** + * PKCS#11: + * 
+     *   CK_CHAR month[2];  - the month ("01" - "12")
+     *
+ */ + public char[] month; /* the month ("01" - "12") */ + + /** + * PKCS#11: + * 
+     *   CK_CHAR day[2];    - the day ("01" - "31")
+     *
+ */ + public char[] day; /* the day ("01" - "31") */ + + public CK_DATE(char[] year, char[] month, char[] day) { + this.year = year; + this.month = month; + this.day = day; + } + + /** + * Create a (deep) clone of this object. + * + * @return A clone of this object. + */ + public Object clone() { + CK_DATE copy = null; + try { + copy = (CK_DATE) super.clone(); + } catch (CloneNotSupportedException cnse) { + // re-throw as RuntimeException + throw (RuntimeException) + (new RuntimeException("Clone error").initCause(cnse)); + } + copy.year = this.year.clone(); + copy.month = this.month.clone(); + copy.day = this.day.clone(); + + return copy; + } + + /** + * Returns the string representation of CK_DATE. + * + * @return the string representation of CK_DATE + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(new String(day)); + sb.append('.'); + sb.append(new String(month)); + sb.append('.'); + sb.append(new String(year)); + sb.append(" (DD.MM.YYYY)"); + + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_DESTROYMUTEX.java 2017-01-20 09:52:43.494288761 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,68 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * interface CK_DESTROYMUTEX.

- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public interface CK_DESTROYMUTEX { - - /** - * Method CK_DESTROYMUTEX - * - * @param pMutex The mutex (lock) object. - * @exception PKCS11Exception - */ - public void CK_DESTROYMUTEX(Object pMutex) throws PKCS11Exception; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_DESTROYMUTEX.java 2017-01-20 09:52:43.278288770 -0800 @@ -0,0 +1,68 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * interface CK_DESTROYMUTEX.

+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public interface CK_DESTROYMUTEX { + + /** + * Method CK_DESTROYMUTEX + * + * @param pMutex The mutex (lock) object. + * @exception PKCS11Exception + */ + public void CK_DESTROYMUTEX(Object pMutex) throws PKCS11Exception; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java 2017-01-20 09:52:43.850288748 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,138 +0,0 @@ -/* - * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_ECDH1_DERIVE_PARAMS provides the parameters to the - * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms.

- * PKCS#11 structure: - * 

- * typedef struct CK_ECDH1_DERIVE_PARAMS {
- *   CK_EC_KDF_TYPE kdf;
- *   CK_ULONG ulSharedDataLen;
- *   CK_BYTE_PTR pSharedData;
- *   CK_ULONG ulPublicDataLen;
- *   CK_BYTE_PTR pPublicData;
- * } CK_ECDH1_DERIVE_PARAMS;
- *
- * - * @author Karl Scheibelhofer - */ -public class CK_ECDH1_DERIVE_PARAMS { - - /** - * PKCS#11: - * 
-     *   CK_EC_KDF_TYPE kdf;
-     *
- */ - public long kdf; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulSharedDataLen;
-     *   CK_BYTE_PTR pSharedData;
-     *
- */ - public byte[] pSharedData; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulPublicDataLen;
-     *   CK_BYTE_PTR pPublicData;
-     *
- */ - public byte[] pPublicData; - - public CK_ECDH1_DERIVE_PARAMS(long kdf, byte[] pSharedData, byte[] pPublicData) { - this.kdf = kdf; - this.pSharedData = pSharedData; - this.pPublicData = pPublicData; - } - - /** - * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. - * - * @return the string representation of CK_PKCS5_PBKD2_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("kdf: 0x"); - sb.append(Functions.toFullHexString(kdf)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pSharedDataLen: "); - sb.append(pSharedData.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pSharedData: "); - sb.append(Functions.toHexString(pSharedData)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicDataLen: "); - sb.append(pPublicData.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicData: "); - sb.append(Functions.toHexString(pPublicData)); - //buffer.append(Constants.NEWLINE); - - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java 2017-01-20 09:52:43.626288756 -0800 @@ -0,0 +1,138 @@ +/* + * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_ECDH1_DERIVE_PARAMS provides the parameters to the + * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_ECDH1_DERIVE_PARAMS {
+ *   CK_EC_KDF_TYPE kdf;
+ *   CK_ULONG ulSharedDataLen;
+ *   CK_BYTE_PTR pSharedData;
+ *   CK_ULONG ulPublicDataLen;
+ *   CK_BYTE_PTR pPublicData;
+ * } CK_ECDH1_DERIVE_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + */ +public class CK_ECDH1_DERIVE_PARAMS { + + /** + * PKCS#11: + * 
+     *   CK_EC_KDF_TYPE kdf;
+     *
+ */ + public long kdf; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulSharedDataLen;
+     *   CK_BYTE_PTR pSharedData;
+     *
+ */ + public byte[] pSharedData; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulPublicDataLen;
+     *   CK_BYTE_PTR pPublicData;
+     *
+ */ + public byte[] pPublicData; + + public CK_ECDH1_DERIVE_PARAMS(long kdf, byte[] pSharedData, byte[] pPublicData) { + this.kdf = kdf; + this.pSharedData = pSharedData; + this.pPublicData = pPublicData; + } + + /** + * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. + * + * @return the string representation of CK_PKCS5_PBKD2_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("kdf: 0x"); + sb.append(Functions.toFullHexString(kdf)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pSharedDataLen: "); + sb.append(pSharedData.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pSharedData: "); + sb.append(Functions.toHexString(pSharedData)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicDataLen: "); + sb.append(pPublicData.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicData: "); + sb.append(Functions.toHexString(pPublicData)); + //buffer.append(Constants.NEWLINE); + + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_ECDH2_DERIVE_PARAMS.java 2017-01-20 09:52:44.198288735 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,181 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_ECDH2_DERIVE_PARAMS provides the parameters to the - * CKM_ECMQV_DERIVE mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_ECDH2_DERIVE_PARAMS {
- *   CK_EC_KDF_TYPE kdf;
- *   CK_ULONG ulSharedDataLen;
- *   CK_BYTE_PTR pSharedData;
- *   CK_ULONG ulPublicDataLen;
- *   CK_BYTE_PTR pPublicData;
- *   CK_ULONG ulPrivateDataLen;
- *   CK_OBJECT_HANDLE hPrivateData;
- *   CK_ULONG ulPublicDataLen2;
- *   CK_BYTE_PTR pPublicData2;
- * } CK_ECDH2_DERIVE_PARAMS;
- *
- * - * @author Karl Scheibelhofer - */ -public class CK_ECDH2_DERIVE_PARAMS { - - /** - * PKCS#11: - * 
-     *   CK_EC_KDF_TYPE kdf;
-     *
- */ - public long kdf; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulSharedDataLen;
-     *   CK_BYTE_PTR pSharedData;
-     *
- */ - public byte[] pSharedData; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulPublicDataLen;
-     *   CK_BYTE_PTR pPublicData;
-     *
- */ - public byte[] pPublicData; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulPrivateDataLen;
-     *
- */ - public long ulPrivateDataLen; - - /** - * PKCS#11: - * 
-     *   CK_OBJECT_HANDLE hPrivateData;
-     *
- */ - public long hPrivateData; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulPublicDataLen2;
-     *   CK_BYTE_PTR pPublicData2;
-     *
- */ - public byte[] pPublicData2; - - /** - * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. - * - * @return the string representation of CK_PKCS5_PBKD2_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("kdf: 0x"); - sb.append(Functions.toFullHexString(kdf)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pSharedDataLen: "); - sb.append(pSharedData.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pSharedData: "); - sb.append(Functions.toHexString(pSharedData)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicDataLen: "); - sb.append(pPublicData.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicData: "); - sb.append(Functions.toHexString(pPublicData)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulPrivateDataLen: "); - sb.append(ulPrivateDataLen); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("hPrivateData: "); - sb.append(hPrivateData); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicDataLen2: "); - sb.append(pPublicData2.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicData2: "); - sb.append(Functions.toHexString(pPublicData2)); - //buffer.append(Constants.NEWLINE); - - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH2_DERIVE_PARAMS.java 2017-01-20 09:52:43.978288743 -0800 @@ -0,0 +1,181 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_ECDH2_DERIVE_PARAMS provides the parameters to the + * CKM_ECMQV_DERIVE mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_ECDH2_DERIVE_PARAMS {
+ *   CK_EC_KDF_TYPE kdf;
+ *   CK_ULONG ulSharedDataLen;
+ *   CK_BYTE_PTR pSharedData;
+ *   CK_ULONG ulPublicDataLen;
+ *   CK_BYTE_PTR pPublicData;
+ *   CK_ULONG ulPrivateDataLen;
+ *   CK_OBJECT_HANDLE hPrivateData;
+ *   CK_ULONG ulPublicDataLen2;
+ *   CK_BYTE_PTR pPublicData2;
+ * } CK_ECDH2_DERIVE_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + */ +public class CK_ECDH2_DERIVE_PARAMS { + + /** + * PKCS#11: + * 
+     *   CK_EC_KDF_TYPE kdf;
+     *
+ */ + public long kdf; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulSharedDataLen;
+     *   CK_BYTE_PTR pSharedData;
+     *
+ */ + public byte[] pSharedData; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulPublicDataLen;
+     *   CK_BYTE_PTR pPublicData;
+     *
+ */ + public byte[] pPublicData; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulPrivateDataLen;
+     *
+ */ + public long ulPrivateDataLen; + + /** + * PKCS#11: + * 
+     *   CK_OBJECT_HANDLE hPrivateData;
+     *
+ */ + public long hPrivateData; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulPublicDataLen2;
+     *   CK_BYTE_PTR pPublicData2;
+     *
+ */ + public byte[] pPublicData2; + + /** + * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. + * + * @return the string representation of CK_PKCS5_PBKD2_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("kdf: 0x"); + sb.append(Functions.toFullHexString(kdf)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pSharedDataLen: "); + sb.append(pSharedData.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pSharedData: "); + sb.append(Functions.toHexString(pSharedData)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicDataLen: "); + sb.append(pPublicData.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicData: "); + sb.append(Functions.toHexString(pPublicData)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulPrivateDataLen: "); + sb.append(ulPrivateDataLen); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("hPrivateData: "); + sb.append(hPrivateData); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicDataLen2: "); + sb.append(pPublicData2.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicData2: "); + sb.append(Functions.toHexString(pPublicData2)); + //buffer.append(Constants.NEWLINE); + + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_INFO.java 2017-01-20 09:52:44.542288722 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,164 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_INFO provides general information about Cryptoki.

- * PKCS#11 structure: - * 

- *  typedef struct CK_INFO {  
- *    CK_VERSION cryptokiVersion;  
- *    CK_UTF8CHAR manufacturerID[32];  
- *    CK_FLAGS flags;  
- *    CK_UTF8CHAR libraryDescription[32];  
- *    CK_VERSION libraryVersion;  
- *  } CK_INFO;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_INFO { - - /** - * Cryptoki interface version number

- * PKCS#11: - * 

-     *   CK_VERSION cryptokiVersion;
-     *
- */ - public CK_VERSION cryptokiVersion; - - /** - * ID of the Cryptoki library manufacturer. must be blank - * padded - only the first 32 chars will be used

- * PKCS#11: - * 

-     *   CK_UTF8CHAR manufacturerID[32];
-     *
- */ - public char[] manufacturerID; - - /** - * bit flags reserved for future versions. must be zero

- * PKCS#11: - * 

-     *   CK_FLAGS flags;
-     *
- */ - public long flags; - - -/* libraryDescription and libraryVersion are new for v2.0 */ - - /** - * must be blank padded - only the first 32 chars will be used

- * PKCS#11: - * 

-     *   CK_UTF8CHAR libraryDescription[32];
-     *
- */ - public char[] libraryDescription; - - /** - * Cryptoki library version number

- * PKCS#11: - * 

-     *   CK_VERSION libraryVersion;
-     *
- */ - public CK_VERSION libraryVersion; - - public CK_INFO(CK_VERSION cryptoVer, char[] vendor, long flags, - char[] libDesc, CK_VERSION libVer) { - this.cryptokiVersion = cryptoVer; - this.manufacturerID = vendor; - this.flags = flags; - this.libraryDescription = libDesc; - this.libraryVersion = libVer; - } - - /** - * Returns the string representation of CK_INFO. - * - * @return the string representation of CK_INFO - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("cryptokiVersion: "); - sb.append(cryptokiVersion.toString()); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("manufacturerID: "); - sb.append(new String(manufacturerID)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("flags: "); - sb.append(Functions.toBinaryString(flags)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("libraryDescription: "); - sb.append(new String(libraryDescription)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("libraryVersion: "); - sb.append(libraryVersion.toString()); - //buffer.append(Constants.NEWLINE); - - return sb.toString() ; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_INFO.java 2017-01-20 09:52:44.326288730 -0800 @@ -0,0 +1,164 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_INFO provides general information about Cryptoki.

+ * PKCS#11 structure: + * 

+ *  typedef struct CK_INFO {  
+ *    CK_VERSION cryptokiVersion;  
+ *    CK_UTF8CHAR manufacturerID[32];  
+ *    CK_FLAGS flags;  
+ *    CK_UTF8CHAR libraryDescription[32];  
+ *    CK_VERSION libraryVersion;  
+ *  } CK_INFO;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_INFO { + + /** + * Cryptoki interface version number

+ * PKCS#11: + * 

+     *   CK_VERSION cryptokiVersion;
+     *
+ */ + public CK_VERSION cryptokiVersion; + + /** + * ID of the Cryptoki library manufacturer. must be blank + * padded - only the first 32 chars will be used

+ * PKCS#11: + * 

+     *   CK_UTF8CHAR manufacturerID[32];
+     *
+ */ + public char[] manufacturerID; + + /** + * bit flags reserved for future versions. must be zero

+ * PKCS#11: + * 

+     *   CK_FLAGS flags;
+     *
+ */ + public long flags; + + +/* libraryDescription and libraryVersion are new for v2.0 */ + + /** + * must be blank padded - only the first 32 chars will be used

+ * PKCS#11: + * 

+     *   CK_UTF8CHAR libraryDescription[32];
+     *
+ */ + public char[] libraryDescription; + + /** + * Cryptoki library version number

+ * PKCS#11: + * 

+     *   CK_VERSION libraryVersion;
+     *
+ */ + public CK_VERSION libraryVersion; + + public CK_INFO(CK_VERSION cryptoVer, char[] vendor, long flags, + char[] libDesc, CK_VERSION libVer) { + this.cryptokiVersion = cryptoVer; + this.manufacturerID = vendor; + this.flags = flags; + this.libraryDescription = libDesc; + this.libraryVersion = libVer; + } + + /** + * Returns the string representation of CK_INFO. + * + * @return the string representation of CK_INFO + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("cryptokiVersion: "); + sb.append(cryptokiVersion.toString()); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("manufacturerID: "); + sb.append(new String(manufacturerID)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("flags: "); + sb.append(Functions.toBinaryString(flags)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("libraryDescription: "); + sb.append(new String(libraryDescription)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("libraryVersion: "); + sb.append(libraryVersion.toString()); + //buffer.append(Constants.NEWLINE); + + return sb.toString() ; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_LOCKMUTEX.java 2017-01-20 09:52:44.894288709 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,68 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * interface CK_LOCKMUTEX

- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public interface CK_LOCKMUTEX { - - /** - * Method CK_LOCKMUTEX - * - * @param pMutex The mutex (lock) object to lock. - * @exception PKCS11Exception - */ - public void CK_LOCKMUTEX(Object pMutex) throws PKCS11Exception; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_LOCKMUTEX.java 2017-01-20 09:52:44.674288717 -0800 @@ -0,0 +1,68 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * interface CK_LOCKMUTEX

+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public interface CK_LOCKMUTEX { + + /** + * Method CK_LOCKMUTEX + * + * @param pMutex The mutex (lock) object to lock. + * @exception PKCS11Exception + */ + public void CK_LOCKMUTEX(Object pMutex) throws PKCS11Exception; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java 2017-01-20 09:52:45.250288695 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,166 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - -import java.math.BigInteger; -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * class CK_MECHANISM specifies a particular mechanism and any parameters it - * requires.

- * PKCS#11 structure: - * 

- *  typedef struct CK_MECHANISM {  
- *    CK_MECHANISM_TYPE mechanism;  
- *    CK_VOID_PTR pParameter;  
- *    CK_ULONG ulParameterLen;  
- *  } CK_MECHANISM;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_MECHANISM { - - /** - * PKCS#11: - * 
-     *   CK_MECHANISM_TYPE mechanism;
-     *
- */ - public long mechanism; - - /** - * PKCS#11: - * 
-     *   CK_VOID_PTR pParameter;
-     *   CK_ULONG ulParameterLen;
-     *
- */ - public Object pParameter; - - public CK_MECHANISM() { - // empty - } - - public CK_MECHANISM(long mechanism) { - this.mechanism = mechanism; - } - - // We don't have a (long,Object) constructor to force type checking. - // This makes sure we don't accidentally pass a class that the native - // code cannot handle. - - public CK_MECHANISM(long mechanism, byte[] pParameter) { - init(mechanism, pParameter); - } - - public CK_MECHANISM(long mechanism, BigInteger b) { - init(mechanism, sun.security.pkcs11.P11Util.getMagnitude(b)); - } - - public CK_MECHANISM(long mechanism, CK_VERSION version) { - init(mechanism, version); - } - - public CK_MECHANISM(long mechanism, CK_SSL3_MASTER_KEY_DERIVE_PARAMS params) { - init(mechanism, params); - } - - public CK_MECHANISM(long mechanism, CK_SSL3_KEY_MAT_PARAMS params) { - init(mechanism, params); - } - - public CK_MECHANISM(long mechanism, CK_TLS_PRF_PARAMS params) { - init(mechanism, params); - } - - public CK_MECHANISM(long mechanism, CK_ECDH1_DERIVE_PARAMS params) { - init(mechanism, params); - } - - public CK_MECHANISM(long mechanism, Long params) { - init(mechanism, params); - } - - public CK_MECHANISM(long mechanism, CK_AES_CTR_PARAMS params) { - init(mechanism, params); - } - - private void init(long mechanism, Object pParameter) { - this.mechanism = mechanism; - this.pParameter = pParameter; - } - - /** - * Returns the string representation of CK_MECHANISM. - * - * @return the string representation of CK_MECHANISM - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("mechanism: "); - sb.append(mechanism); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pParameter: "); - sb.append(pParameter.toString()); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulParameterLen: ??"); - //buffer.append(pParameter.length); - //buffer.append(Constants.NEWLINE); - - return sb.toString() ; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java 2017-01-20 09:52:45.026288704 -0800 @@ -0,0 +1,166 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + +import java.math.BigInteger; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * class CK_MECHANISM specifies a particular mechanism and any parameters it + * requires.

+ * PKCS#11 structure: + * 

+ *  typedef struct CK_MECHANISM {  
+ *    CK_MECHANISM_TYPE mechanism;  
+ *    CK_VOID_PTR pParameter;  
+ *    CK_ULONG ulParameterLen;  
+ *  } CK_MECHANISM;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_MECHANISM { + + /** + * PKCS#11: + * 
+     *   CK_MECHANISM_TYPE mechanism;
+     *
+ */ + public long mechanism; + + /** + * PKCS#11: + * 
+     *   CK_VOID_PTR pParameter;
+     *   CK_ULONG ulParameterLen;
+     *
+ */ + public Object pParameter; + + public CK_MECHANISM() { + // empty + } + + public CK_MECHANISM(long mechanism) { + this.mechanism = mechanism; + } + + // We don't have a (long,Object) constructor to force type checking. + // This makes sure we don't accidentally pass a class that the native + // code cannot handle. + + public CK_MECHANISM(long mechanism, byte[] pParameter) { + init(mechanism, pParameter); + } + + public CK_MECHANISM(long mechanism, BigInteger b) { + init(mechanism, sun.security.pkcs11.P11Util.getMagnitude(b)); + } + + public CK_MECHANISM(long mechanism, CK_VERSION version) { + init(mechanism, version); + } + + public CK_MECHANISM(long mechanism, CK_SSL3_MASTER_KEY_DERIVE_PARAMS params) { + init(mechanism, params); + } + + public CK_MECHANISM(long mechanism, CK_SSL3_KEY_MAT_PARAMS params) { + init(mechanism, params); + } + + public CK_MECHANISM(long mechanism, CK_TLS_PRF_PARAMS params) { + init(mechanism, params); + } + + public CK_MECHANISM(long mechanism, CK_ECDH1_DERIVE_PARAMS params) { + init(mechanism, params); + } + + public CK_MECHANISM(long mechanism, Long params) { + init(mechanism, params); + } + + public CK_MECHANISM(long mechanism, CK_AES_CTR_PARAMS params) { + init(mechanism, params); + } + + private void init(long mechanism, Object pParameter) { + this.mechanism = mechanism; + this.pParameter = pParameter; + } + + /** + * Returns the string representation of CK_MECHANISM. + * + * @return the string representation of CK_MECHANISM + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("mechanism: "); + sb.append(mechanism); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pParameter: "); + sb.append(pParameter.toString()); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulParameterLen: ??"); + //buffer.append(pParameter.length); + //buffer.append(Constants.NEWLINE); + + return sb.toString() ; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM_INFO.java 2017-01-20 09:52:45.598288682 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,127 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_MECHANISM_INFO provides information about a particular mechanism. - *

- * PKCS#11 structure: - * 

- * typedef struct CK_MECHANISM_INFO {  
- *   CK_ULONG ulMinKeySize;  
- *   CK_ULONG ulMaxKeySize;  
- *   CK_FLAGS flags;  
- * } CK_MECHANISM_INFO;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_MECHANISM_INFO { - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulMinKeySize;
-     *
- */ - public long ulMinKeySize; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulMaxKeySize;
-     *
- */ - public long ulMaxKeySize; - - /** - * PKCS#11: - * 
-     *   CK_FLAGS flags;
-     *
- */ - public long flags; - - public CK_MECHANISM_INFO(long minKeySize, long maxKeySize, - long flags) { - this.ulMinKeySize = minKeySize; - this.ulMaxKeySize = maxKeySize; - this.flags = flags; - } - - /** - * Returns the string representation of CK_MECHANISM_INFO. - * - * @return the string representation of CK_MECHANISM_INFO - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("ulMinKeySize: "); - sb.append(String.valueOf(ulMinKeySize)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulMaxKeySize: "); - sb.append(String.valueOf(ulMaxKeySize)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("flags: "); - sb.append(String.valueOf(flags)); - sb.append(" = "); - sb.append(Functions.mechanismInfoFlagsToString(flags)); - //buffer.append(Constants.NEWLINE); - - return sb.toString() ; - } -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM_INFO.java 2017-01-20 09:52:45.378288690 -0800 @@ -0,0 +1,127 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_MECHANISM_INFO provides information about a particular mechanism. + *

+ * PKCS#11 structure: + * 

+ * typedef struct CK_MECHANISM_INFO {  
+ *   CK_ULONG ulMinKeySize;  
+ *   CK_ULONG ulMaxKeySize;  
+ *   CK_FLAGS flags;  
+ * } CK_MECHANISM_INFO;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_MECHANISM_INFO { + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulMinKeySize;
+     *
+ */ + public long ulMinKeySize; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulMaxKeySize;
+     *
+ */ + public long ulMaxKeySize; + + /** + * PKCS#11: + * 
+     *   CK_FLAGS flags;
+     *
+ */ + public long flags; + + public CK_MECHANISM_INFO(long minKeySize, long maxKeySize, + long flags) { + this.ulMinKeySize = minKeySize; + this.ulMaxKeySize = maxKeySize; + this.flags = flags; + } + + /** + * Returns the string representation of CK_MECHANISM_INFO. + * + * @return the string representation of CK_MECHANISM_INFO + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("ulMinKeySize: "); + sb.append(String.valueOf(ulMinKeySize)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulMaxKeySize: "); + sb.append(String.valueOf(ulMaxKeySize)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("flags: "); + sb.append(String.valueOf(flags)); + sb.append(" = "); + sb.append(Functions.mechanismInfoFlagsToString(flags)); + //buffer.append(Constants.NEWLINE); + + return sb.toString() ; + } +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_NOTIFY.java 2017-01-20 09:52:45.950288669 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,70 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * interface CK_NOTIFY.

- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public interface CK_NOTIFY { - - /** - * Method CK_NOTIFY - * - * @param hSession - * @param event - * @param pApplication - * @exception PKCS11Exception - */ - public void CK_NOTIFY(long hSession, long event, Object pApplication) throws PKCS11Exception; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_NOTIFY.java 2017-01-20 09:52:45.730288677 -0800 @@ -0,0 +1,70 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * interface CK_NOTIFY.

+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public interface CK_NOTIFY { + + /** + * Method CK_NOTIFY + * + * @param hSession + * @param event + * @param pApplication + * @exception PKCS11Exception + */ + public void CK_NOTIFY(long hSession, long event, Object pApplication) throws PKCS11Exception; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java 2017-01-20 09:52:46.298288656 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,147 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_PBE_PARAMS provides all of the necessary information required byte - * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_PBE_PARAMS {
- *   CK_CHAR_PTR pInitVector;
- *   CK_CHAR_PTR pPassword;
- *   CK_ULONG ulPasswordLen;
- *   CK_CHAR_PTR pSalt;
- *   CK_ULONG ulSaltLen;
- *   CK_ULONG ulIteration;
- * } CK_PBE_PARAMS;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_PBE_PARAMS { - - /** - * PKCS#11: - * 
-     *   CK_CHAR_PTR pInitVector;
-     *
- */ - public char[] pInitVector; - - /** - * PKCS#11: - * 
-     *   CK_CHAR_PTR pPassword;
-     *   CK_ULONG ulPasswordLen;
-     *
- */ - public char[] pPassword; - - /** - * PKCS#11: - * 
-     *   CK_CHAR_PTR pSalt
-     *   CK_ULONG ulSaltLen;
-     *
- */ - public char[] pSalt; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulIteration;
-     *
- */ - public long ulIteration; - - /** - * Returns the string representation of CK_PBE_PARAMS. - * - * @return the string representation of CK_PBE_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("pInitVector: "); - sb.append(pInitVector); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulPasswordLen: "); - sb.append(pPassword.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPassword: "); - sb.append(pPassword); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulSaltLen: "); - sb.append(pSalt.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pSalt: "); - sb.append(pSalt); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulIteration: "); - sb.append(ulIteration); - //buffer.append(Constants.NEWLINE); - - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java 2017-01-20 09:52:46.078288664 -0800 @@ -0,0 +1,147 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_PBE_PARAMS provides all of the necessary information required byte + * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_PBE_PARAMS {
+ *   CK_CHAR_PTR pInitVector;
+ *   CK_CHAR_PTR pPassword;
+ *   CK_ULONG ulPasswordLen;
+ *   CK_CHAR_PTR pSalt;
+ *   CK_ULONG ulSaltLen;
+ *   CK_ULONG ulIteration;
+ * } CK_PBE_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_PBE_PARAMS { + + /** + * PKCS#11: + * 
+     *   CK_CHAR_PTR pInitVector;
+     *
+ */ + public char[] pInitVector; + + /** + * PKCS#11: + * 
+     *   CK_CHAR_PTR pPassword;
+     *   CK_ULONG ulPasswordLen;
+     *
+ */ + public char[] pPassword; + + /** + * PKCS#11: + * 
+     *   CK_CHAR_PTR pSalt
+     *   CK_ULONG ulSaltLen;
+     *
+ */ + public char[] pSalt; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulIteration;
+     *
+ */ + public long ulIteration; + + /** + * Returns the string representation of CK_PBE_PARAMS. + * + * @return the string representation of CK_PBE_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("pInitVector: "); + sb.append(pInitVector); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulPasswordLen: "); + sb.append(pPassword.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPassword: "); + sb.append(pPassword); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulSaltLen: "); + sb.append(pSalt.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pSalt: "); + sb.append(pSalt); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulIteration: "); + sb.append(ulIteration); + //buffer.append(Constants.NEWLINE); + + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java 2017-01-20 09:52:46.646288642 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,161 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2 - * mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_PKCS5_PBKD2_PARAMS {
- *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
- *   CK_VOID_PTR pSaltSourceData;
- *   CK_ULONG ulSaltSourceDataLen;
- *   CK_ULONG iterations;
- *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
- *   CK_VOID_PTR pPrfData;
- *   CK_ULONG ulPrfDataLen;
- * } CK_PKCS5_PBKD2_PARAMS;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_PKCS5_PBKD2_PARAMS { - - /** - * PKCS#11: - * 
-     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-     *
- */ - public long saltSource; - - /** - * PKCS#11: - * 
-     *   CK_VOID_PTR pSaltSourceData;
-     *   CK_ULONG ulSaltSourceDataLen;
-     *
- */ - public byte[] pSaltSourceData; - - /** - * PKCS#11: - * 
-     *   CK_ULONG iterations;
-     *
- */ - public long iterations; - - /** - * PKCS#11: - * 
-     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-     *
- */ - public long prf; - - /** - * PKCS#11: - * 
-     *   CK_VOID_PTR pPrfData;
-     *   CK_ULONG ulPrfDataLen;
-     *
- */ - public byte[] pPrfData; - - /** - * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. - * - * @return the string representation of CK_PKCS5_PBKD2_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("saltSource: "); - sb.append(saltSource); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pSaltSourceData: "); - sb.append(Functions.toHexString(pSaltSourceData)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulSaltSourceDataLen: "); - sb.append(pSaltSourceData.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("iterations: "); - sb.append(iterations); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("prf: "); - sb.append(prf); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPrfData: "); - sb.append(Functions.toHexString(pPrfData)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulPrfDataLen: "); - sb.append(pPrfData.length); - //buffer.append(Constants.NEWLINE); - - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java 2017-01-20 09:52:46.426288651 -0800 @@ -0,0 +1,161 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2 + * mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_PKCS5_PBKD2_PARAMS {
+ *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
+ *   CK_VOID_PTR pSaltSourceData;
+ *   CK_ULONG ulSaltSourceDataLen;
+ *   CK_ULONG iterations;
+ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ *   CK_VOID_PTR pPrfData;
+ *   CK_ULONG ulPrfDataLen;
+ * } CK_PKCS5_PBKD2_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_PKCS5_PBKD2_PARAMS { + + /** + * PKCS#11: + * 
+     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+     *
+ */ + public long saltSource; + + /** + * PKCS#11: + * 
+     *   CK_VOID_PTR pSaltSourceData;
+     *   CK_ULONG ulSaltSourceDataLen;
+     *
+ */ + public byte[] pSaltSourceData; + + /** + * PKCS#11: + * 
+     *   CK_ULONG iterations;
+     *
+ */ + public long iterations; + + /** + * PKCS#11: + * 
+     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+     *
+ */ + public long prf; + + /** + * PKCS#11: + * 
+     *   CK_VOID_PTR pPrfData;
+     *   CK_ULONG ulPrfDataLen;
+     *
+ */ + public byte[] pPrfData; + + /** + * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. + * + * @return the string representation of CK_PKCS5_PBKD2_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("saltSource: "); + sb.append(saltSource); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pSaltSourceData: "); + sb.append(Functions.toHexString(pSaltSourceData)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulSaltSourceDataLen: "); + sb.append(pSaltSourceData.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("iterations: "); + sb.append(iterations); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("prf: "); + sb.append(prf); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPrfData: "); + sb.append(Functions.toHexString(pPrfData)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulPrfDataLen: "); + sb.append(pPrfData.length); + //buffer.append(Constants.NEWLINE); + + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_OAEP_PARAMS.java 2017-01-20 09:52:46.994288629 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,143 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the - * CKM_RSA_PKCS_OAEP mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_RSA_PKCS_OAEP_PARAMS {
- *   CK_MECHANISM_TYPE hashAlg;
- *   CK_RSA_PKCS_OAEP_MGF_TYPE mgf;
- *   CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
- *   CK_VOID_PTR pSourceData;
- *   CK_ULONG ulSourceDataLen;
- * } CK_RSA_PKCS_OAEP_PARAMS;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_RSA_PKCS_OAEP_PARAMS { - - /** - * PKCS#11: - * 
-     *   CK_MECHANISM_TYPE hashAlg;
-     *
- */ - public long hashAlg; - - /** - * PKCS#11: - * 
-     *   CK_RSA_PKCS_OAEP_MGF_TYPE mgf;
-     *
- */ - public long mgf; - - /** - * PKCS#11: - * 
-     *   CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
-     *
- */ - public long source; - - /** - * PKCS#11: - * 
-     *   CK_VOID_PTR pSourceData;
-     *   CK_ULONG ulSourceDataLen;
-     *
- */ - public byte[] pSourceData; - - //CK_ULONG ulSourceDataLen; - // ulSourceDataLen == pSourceData.length - - /** - * Returns the string representation of CK_RSA_PKCS_OAEP_PARAMS. - * - * @return the string representation of CK_RSA_PKCS_OAEP_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("hashAlg: "); - sb.append(hashAlg); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("mgf: "); - sb.append(mgf); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("source: "); - sb.append(source); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pSourceData: "); - sb.append(pSourceData.toString()); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pSourceDataLen: "); - sb.append(Functions.toHexString(pSourceData)); - //buffer.append(Constants.NEWLINE); - - return sb.toString() ; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_OAEP_PARAMS.java 2017-01-20 09:52:46.774288638 -0800 @@ -0,0 +1,143 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the + * CKM_RSA_PKCS_OAEP mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+ *   CK_MECHANISM_TYPE hashAlg;
+ *   CK_RSA_PKCS_OAEP_MGF_TYPE mgf;
+ *   CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+ *   CK_VOID_PTR pSourceData;
+ *   CK_ULONG ulSourceDataLen;
+ * } CK_RSA_PKCS_OAEP_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_RSA_PKCS_OAEP_PARAMS { + + /** + * PKCS#11: + * 
+     *   CK_MECHANISM_TYPE hashAlg;
+     *
+ */ + public long hashAlg; + + /** + * PKCS#11: + * 
+     *   CK_RSA_PKCS_OAEP_MGF_TYPE mgf;
+     *
+ */ + public long mgf; + + /** + * PKCS#11: + * 
+     *   CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+     *
+ */ + public long source; + + /** + * PKCS#11: + * 
+     *   CK_VOID_PTR pSourceData;
+     *   CK_ULONG ulSourceDataLen;
+     *
+ */ + public byte[] pSourceData; + + //CK_ULONG ulSourceDataLen; + // ulSourceDataLen == pSourceData.length + + /** + * Returns the string representation of CK_RSA_PKCS_OAEP_PARAMS. + * + * @return the string representation of CK_RSA_PKCS_OAEP_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("hashAlg: "); + sb.append(hashAlg); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("mgf: "); + sb.append(mgf); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("source: "); + sb.append(source); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pSourceData: "); + sb.append(pSourceData.toString()); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pSourceDataLen: "); + sb.append(Functions.toHexString(pSourceData)); + //buffer.append(Constants.NEWLINE); + + return sb.toString() ; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java 2017-01-20 09:52:47.346288616 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,118 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_RSA_PKCS_PSS_PARAMS provides the parameters to the CKM_RSA_PKCS_OAEP - * mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_RSA_PKCS_PSS_PARAMS {
- *   CK_MECHANISM_TYPE hashAlg;
- *   CK_RSA_PKCS_MGF_TYPE mgf;
- *   CK_ULONG sLen;
- * } CK_RSA_PKCS_PSS_PARAMS;
- *
- * - * @author Karl Scheibelhofer - */ -public class CK_RSA_PKCS_PSS_PARAMS { - - /** - * PKCS#11: - * 
-     *   CK_MECHANISM_TYPE hashAlg;
-     *
- */ - public long hashAlg; - - /** - * PKCS#11: - * 
-     *   CK_RSA_PKCS_MGF_TYPE mgf;
-     *
- */ - public long mgf; - - /** - * PKCS#11: - * 
-     *   CK_ULONG sLen;
-     *
- */ - public long sLen; - - /** - * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. - * - * @return the string representation of CK_PKCS5_PBKD2_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("hashAlg: 0x"); - sb.append(Functions.toFullHexString(hashAlg)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("mgf: 0x"); - sb.append(Functions.toFullHexString(mgf)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("sLen: "); - sb.append(sLen); - //buffer.append(Constants.NEWLINE); - - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java 2017-01-20 09:52:47.126288624 -0800 @@ -0,0 +1,118 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_RSA_PKCS_PSS_PARAMS provides the parameters to the CKM_RSA_PKCS_OAEP + * mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_RSA_PKCS_PSS_PARAMS {
+ *   CK_MECHANISM_TYPE hashAlg;
+ *   CK_RSA_PKCS_MGF_TYPE mgf;
+ *   CK_ULONG sLen;
+ * } CK_RSA_PKCS_PSS_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + */ +public class CK_RSA_PKCS_PSS_PARAMS { + + /** + * PKCS#11: + * 
+     *   CK_MECHANISM_TYPE hashAlg;
+     *
+ */ + public long hashAlg; + + /** + * PKCS#11: + * 
+     *   CK_RSA_PKCS_MGF_TYPE mgf;
+     *
+ */ + public long mgf; + + /** + * PKCS#11: + * 
+     *   CK_ULONG sLen;
+     *
+ */ + public long sLen; + + /** + * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. + * + * @return the string representation of CK_PKCS5_PBKD2_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("hashAlg: 0x"); + sb.append(Functions.toFullHexString(hashAlg)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("mgf: 0x"); + sb.append(Functions.toFullHexString(mgf)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("sLen: "); + sb.append(sLen); + //buffer.append(Constants.NEWLINE); + + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SESSION_INFO.java 2017-01-20 09:52:47.694288603 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,142 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_SESSION_INFO provides information about a session.

- * PKCS#11 structure: - * 

- * typedef struct CK_SESSION_INFO {  
- *   CK_SLOT_ID slotID;  
- *   CK_STATE state;  
- *   CK_FLAGS flags;  
- *   CK_ULONG ulDeviceError;  
- * } CK_SESSION_INFO;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_SESSION_INFO { - - /** - * PKCS#11: - * 
-     *   CK_SLOT_ID slotID;
-     *
- */ - public long slotID; - - /** - * PKCS#11: - * 
-     *   CK_STATE state;
-     *
- */ - public long state; - - /** - * PKCS#11: - * 
-     *   CK_FLAGS flags;
-     *
- */ - public long flags; /* see below */ - - /* ulDeviceError was changed from CK_USHORT to CK_ULONG for - * v2.0 */ - /** - * PKCS#11: - * 
-     *   CK_ULONG ulDeviceError;
-     *
- */ - public long ulDeviceError; /* device-dependent error code */ - - public CK_SESSION_INFO(long slotID, long state, - long flags, long ulDeviceError) { - this.slotID = slotID; - this.state = state; - this.flags = flags; - this.ulDeviceError = ulDeviceError; - } - - /** - * Returns the string representation of CK_SESSION_INFO. - * - * @return the string representation of CK_SESSION_INFO - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("slotID: "); - sb.append(String.valueOf(slotID)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("state: "); - sb.append(Functions.sessionStateToString(state)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("flags: "); - sb.append(Functions.sessionInfoFlagsToString(flags)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulDeviceError: "); - sb.append(Functions.toHexString(ulDeviceError)); - //buffer.append(Constants.NEWLINE); - - return sb.toString() ; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_SESSION_INFO.java 2017-01-20 09:52:47.474288611 -0800 @@ -0,0 +1,142 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_SESSION_INFO provides information about a session.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_SESSION_INFO {  
+ *   CK_SLOT_ID slotID;  
+ *   CK_STATE state;  
+ *   CK_FLAGS flags;  
+ *   CK_ULONG ulDeviceError;  
+ * } CK_SESSION_INFO;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_SESSION_INFO { + + /** + * PKCS#11: + * 
+     *   CK_SLOT_ID slotID;
+     *
+ */ + public long slotID; + + /** + * PKCS#11: + * 
+     *   CK_STATE state;
+     *
+ */ + public long state; + + /** + * PKCS#11: + * 
+     *   CK_FLAGS flags;
+     *
+ */ + public long flags; /* see below */ + + /* ulDeviceError was changed from CK_USHORT to CK_ULONG for + * v2.0 */ + /** + * PKCS#11: + * 
+     *   CK_ULONG ulDeviceError;
+     *
+ */ + public long ulDeviceError; /* device-dependent error code */ + + public CK_SESSION_INFO(long slotID, long state, + long flags, long ulDeviceError) { + this.slotID = slotID; + this.state = state; + this.flags = flags; + this.ulDeviceError = ulDeviceError; + } + + /** + * Returns the string representation of CK_SESSION_INFO. + * + * @return the string representation of CK_SESSION_INFO + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("slotID: "); + sb.append(String.valueOf(slotID)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("state: "); + sb.append(Functions.sessionStateToString(state)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("flags: "); + sb.append(Functions.sessionInfoFlagsToString(flags)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulDeviceError: "); + sb.append(Functions.toHexString(ulDeviceError)); + //buffer.append(Constants.NEWLINE); + + return sb.toString() ; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SLOT_INFO.java 2017-01-20 09:52:48.054288589 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,163 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_SLOT_INFO provides information about a slot.

- * PKCS#11 structure: - * 

- *  typedef struct CK_SLOT_INFO {  
- *    CK_UTF8CHAR slotDescription[64];  
- *    CK_UTF8CHAR manufacturerID[32];  
- *    CK_FLAGS flags;  
- *    CK_VERSION hardwareVersion;  
- *    CK_VERSION firmwareVersion;  
- *  } CK_SLOT_INFO;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_SLOT_INFO { - - /* slotDescription and manufacturerID have been changed from - * CK_CHAR to CK_UTF8CHAR for v2.11. */ - - /** - * must be blank padded and only the first 64 chars will be used

- * PKCS#11: - * 

-     *   CK_UTF8CHAR slotDescription[64];
-     *
- */ - public char[] slotDescription; - - /** - * must be blank padded and only the first 32 chars will be used

- * PKCS#11: - * 

-     *   CK_UTF8CHAR manufacturerID[32];
-     *
- */ - public char[] manufacturerID; - - /** - * PKCS#11: - * 
-     *   CK_FLAGS flags;
-     *
- */ - public long flags; - - /* hardwareVersion and firmwareVersion are new for v2.0 */ - /** - * version of hardware

- * PKCS#11: - * 

-     *   CK_VERSION hardwareVersion;
-     *
- */ - public CK_VERSION hardwareVersion; - - /** - * version of firmware

- * PKCS#11: - * 

-     *   CK_VERSION firmwareVersion;
-     *
- */ - public CK_VERSION firmwareVersion; - - public CK_SLOT_INFO(char[] slotDesc, char[] vendor, - long flags, CK_VERSION hwVer, CK_VERSION fwVer) { - this.slotDescription = slotDesc; - this.manufacturerID = vendor; - this.flags = flags; - this.hardwareVersion = hwVer; - this.firmwareVersion = fwVer; - } - - /** - * Returns the string representation of CK_SLOT_INFO. - * - * @return the string representation of CK_SLOT_INFO - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("slotDescription: "); - sb.append(new String(slotDescription)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("manufacturerID: "); - sb.append(new String(manufacturerID)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("flags: "); - sb.append(Functions.slotInfoFlagsToString(flags)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("hardwareVersion: "); - sb.append(hardwareVersion.toString()); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("firmwareVersion: "); - sb.append(firmwareVersion.toString()); - //buffer.append(Constants.NEWLINE); - - return sb.toString() ; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_SLOT_INFO.java 2017-01-20 09:52:47.822288598 -0800 @@ -0,0 +1,163 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_SLOT_INFO provides information about a slot.

+ * PKCS#11 structure: + * 

+ *  typedef struct CK_SLOT_INFO {  
+ *    CK_UTF8CHAR slotDescription[64];  
+ *    CK_UTF8CHAR manufacturerID[32];  
+ *    CK_FLAGS flags;  
+ *    CK_VERSION hardwareVersion;  
+ *    CK_VERSION firmwareVersion;  
+ *  } CK_SLOT_INFO;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_SLOT_INFO { + + /* slotDescription and manufacturerID have been changed from + * CK_CHAR to CK_UTF8CHAR for v2.11. */ + + /** + * must be blank padded and only the first 64 chars will be used

+ * PKCS#11: + * 

+     *   CK_UTF8CHAR slotDescription[64];
+     *
+ */ + public char[] slotDescription; + + /** + * must be blank padded and only the first 32 chars will be used

+ * PKCS#11: + * 

+     *   CK_UTF8CHAR manufacturerID[32];
+     *
+ */ + public char[] manufacturerID; + + /** + * PKCS#11: + * 
+     *   CK_FLAGS flags;
+     *
+ */ + public long flags; + + /* hardwareVersion and firmwareVersion are new for v2.0 */ + /** + * version of hardware

+ * PKCS#11: + * 

+     *   CK_VERSION hardwareVersion;
+     *
+ */ + public CK_VERSION hardwareVersion; + + /** + * version of firmware

+ * PKCS#11: + * 

+     *   CK_VERSION firmwareVersion;
+     *
+ */ + public CK_VERSION firmwareVersion; + + public CK_SLOT_INFO(char[] slotDesc, char[] vendor, + long flags, CK_VERSION hwVer, CK_VERSION fwVer) { + this.slotDescription = slotDesc; + this.manufacturerID = vendor; + this.flags = flags; + this.hardwareVersion = hwVer; + this.firmwareVersion = fwVer; + } + + /** + * Returns the string representation of CK_SLOT_INFO. + * + * @return the string representation of CK_SLOT_INFO + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("slotDescription: "); + sb.append(new String(slotDescription)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("manufacturerID: "); + sb.append(new String(manufacturerID)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("flags: "); + sb.append(Functions.slotInfoFlagsToString(flags)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("hardwareVersion: "); + sb.append(hardwareVersion.toString()); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("firmwareVersion: "); + sb.append(firmwareVersion.toString()); + //buffer.append(Constants.NEWLINE); + + return sb.toString() ; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT.java 2017-01-20 09:52:48.402288576 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,162 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_SSL3_KEY_MAT_OUT contains the resulting key handles and - * initialization vectors after performing a C_DeriveKey function with the - * CKM_SSL3_KEY_AND_MAC_DERIVE mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_SSL3_KEY_MAT_OUT {
- *   CK_OBJECT_HANDLE hClientMacSecret;
- *   CK_OBJECT_HANDLE hServerMacSecret;
- *   CK_OBJECT_HANDLE hClientKey;
- *   CK_OBJECT_HANDLE hServerKey;
- *   CK_BYTE_PTR pIVClient;
- *   CK_BYTE_PTR pIVServer;
- * } CK_SSL3_KEY_MAT_OUT;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_SSL3_KEY_MAT_OUT{ - - /** - * PKCS#11: - * 
-     *   CK_OBJECT_HANDLE hClientMacSecret;
-     *
- */ - public long hClientMacSecret; - - /** - * PKCS#11: - * 
-     *   CK_OBJECT_HANDLE hServerMacSecret;
-     *
- */ - public long hServerMacSecret; - - /** - * PKCS#11: - * 
-     *   CK_OBJECT_HANDLE hClientKey;
-     *
- */ - public long hClientKey; - - /** - * PKCS#11: - * 
-     *   CK_OBJECT_HANDLE hServerKey;
-     *
- */ - public long hServerKey; - - /** - * PKCS#11: - * 
-     *   CK_BYTE_PTR pIVClient;
-     *
- */ - public byte[] pIVClient; - - /** - * PKCS#11: - * 
-     *   CK_BYTE_PTR pIVServer;
-     *
- */ - public byte[] pIVServer; - - /** - * Returns the string representation of CK_SSL3_KEY_MAT_OUT. - * - * @return the string representation of CK_SSL3_KEY_MAT_OUT - */ - public String toString() { - StringBuilder buffer = new StringBuilder(); - - buffer.append(Constants.INDENT); - buffer.append("hClientMacSecret: "); - buffer.append(hClientMacSecret); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("hServerMacSecret: "); - buffer.append(hServerMacSecret); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("hClientKey: "); - buffer.append(hClientKey); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("hServerKey: "); - buffer.append(hServerKey); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("pIVClient: "); - buffer.append(Functions.toHexString(pIVClient)); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("pIVServer: "); - buffer.append(Functions.toHexString(pIVServer)); - //buffer.append(Constants.NEWLINE); - - return buffer.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT.java 2017-01-20 09:52:48.182288584 -0800 @@ -0,0 +1,162 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_SSL3_KEY_MAT_OUT contains the resulting key handles and + * initialization vectors after performing a C_DeriveKey function with the + * CKM_SSL3_KEY_AND_MAC_DERIVE mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_SSL3_KEY_MAT_OUT {
+ *   CK_OBJECT_HANDLE hClientMacSecret;
+ *   CK_OBJECT_HANDLE hServerMacSecret;
+ *   CK_OBJECT_HANDLE hClientKey;
+ *   CK_OBJECT_HANDLE hServerKey;
+ *   CK_BYTE_PTR pIVClient;
+ *   CK_BYTE_PTR pIVServer;
+ * } CK_SSL3_KEY_MAT_OUT;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_SSL3_KEY_MAT_OUT{ + + /** + * PKCS#11: + * 
+     *   CK_OBJECT_HANDLE hClientMacSecret;
+     *
+ */ + public long hClientMacSecret; + + /** + * PKCS#11: + * 
+     *   CK_OBJECT_HANDLE hServerMacSecret;
+     *
+ */ + public long hServerMacSecret; + + /** + * PKCS#11: + * 
+     *   CK_OBJECT_HANDLE hClientKey;
+     *
+ */ + public long hClientKey; + + /** + * PKCS#11: + * 
+     *   CK_OBJECT_HANDLE hServerKey;
+     *
+ */ + public long hServerKey; + + /** + * PKCS#11: + * 
+     *   CK_BYTE_PTR pIVClient;
+     *
+ */ + public byte[] pIVClient; + + /** + * PKCS#11: + * 
+     *   CK_BYTE_PTR pIVServer;
+     *
+ */ + public byte[] pIVServer; + + /** + * Returns the string representation of CK_SSL3_KEY_MAT_OUT. + * + * @return the string representation of CK_SSL3_KEY_MAT_OUT + */ + public String toString() { + StringBuilder buffer = new StringBuilder(); + + buffer.append(Constants.INDENT); + buffer.append("hClientMacSecret: "); + buffer.append(hClientMacSecret); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("hServerMacSecret: "); + buffer.append(hServerMacSecret); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("hClientKey: "); + buffer.append(hClientKey); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("hServerKey: "); + buffer.append(hServerKey); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("pIVClient: "); + buffer.append(Functions.toHexString(pIVClient)); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("pIVServer: "); + buffer.append(Functions.toHexString(pIVServer)); + //buffer.append(Constants.NEWLINE); + + return buffer.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS.java 2017-01-20 09:52:48.750288563 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,175 +0,0 @@ -/* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_SSL3_KEY_MAT_PARAMS provides the parameters to the - * CKM_SSL3_KEY_AND_MAC_DERIVE mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_SSL3_KEY_MAT_PARAMS {
- *   CK_ULONG ulMacSizeInBits;
- *   CK_ULONG ulKeySizeInBits;
- *   CK_ULONG ulIVSizeInBits;
- *   CK_BBOOL bIsExport;
- *   CK_SSL3_RANDOM_DATA RandomInfo;
- *   CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
- * } CK_SSL3_KEY_MAT_PARAMS;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_SSL3_KEY_MAT_PARAMS{ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulMacSizeInBits;
-     *
- */ - public long ulMacSizeInBits; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulKeySizeInBits;
-     *
- */ - public long ulKeySizeInBits; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulIVSizeInBits;
-     *
- */ - public long ulIVSizeInBits; - - /** - * PKCS#11: - * 
-     *   CK_BBOOL bIsExport;
-     *
- */ - public boolean bIsExport; - - /** - * PKCS#11: - * 
-     *   CK_SSL3_RANDOM_DATA RandomInfo;
-     *
- */ - public CK_SSL3_RANDOM_DATA RandomInfo; - - /** - * PKCS#11: - * 
-     *   CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-     *
- */ - public CK_SSL3_KEY_MAT_OUT pReturnedKeyMaterial; - - public CK_SSL3_KEY_MAT_PARAMS(int macSize, int keySize, int ivSize, boolean export, CK_SSL3_RANDOM_DATA random) { - ulMacSizeInBits = macSize; - ulKeySizeInBits = keySize; - ulIVSizeInBits = ivSize; - bIsExport = export; - RandomInfo = random; - pReturnedKeyMaterial = new CK_SSL3_KEY_MAT_OUT(); - if (ivSize != 0) { - int n = ivSize >> 3; - pReturnedKeyMaterial.pIVClient = new byte[n]; - pReturnedKeyMaterial.pIVServer = new byte[n]; - } - } - - /** - * Returns the string representation of CK_SSL3_KEY_MAT_PARAMS. - * - * @return the string representation of CK_SSL3_KEY_MAT_PARAMS - */ - public String toString() { - StringBuilder buffer = new StringBuilder(); - - buffer.append(Constants.INDENT); - buffer.append("ulMacSizeInBits: "); - buffer.append(ulMacSizeInBits); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("ulKeySizeInBits: "); - buffer.append(ulKeySizeInBits); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("ulIVSizeInBits: "); - buffer.append(ulIVSizeInBits); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("bIsExport: "); - buffer.append(bIsExport); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("RandomInfo: "); - buffer.append(RandomInfo); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("pReturnedKeyMaterial: "); - buffer.append(pReturnedKeyMaterial); - //buffer.append(Constants.NEWLINE); - - return buffer.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS.java 2017-01-20 09:52:48.530288571 -0800 @@ -0,0 +1,175 @@ +/* + * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_SSL3_KEY_MAT_PARAMS provides the parameters to the + * CKM_SSL3_KEY_AND_MAC_DERIVE mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_SSL3_KEY_MAT_PARAMS {
+ *   CK_ULONG ulMacSizeInBits;
+ *   CK_ULONG ulKeySizeInBits;
+ *   CK_ULONG ulIVSizeInBits;
+ *   CK_BBOOL bIsExport;
+ *   CK_SSL3_RANDOM_DATA RandomInfo;
+ *   CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+ * } CK_SSL3_KEY_MAT_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_SSL3_KEY_MAT_PARAMS{ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulMacSizeInBits;
+     *
+ */ + public long ulMacSizeInBits; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulKeySizeInBits;
+     *
+ */ + public long ulKeySizeInBits; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulIVSizeInBits;
+     *
+ */ + public long ulIVSizeInBits; + + /** + * PKCS#11: + * 
+     *   CK_BBOOL bIsExport;
+     *
+ */ + public boolean bIsExport; + + /** + * PKCS#11: + * 
+     *   CK_SSL3_RANDOM_DATA RandomInfo;
+     *
+ */ + public CK_SSL3_RANDOM_DATA RandomInfo; + + /** + * PKCS#11: + * 
+     *   CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+     *
+ */ + public CK_SSL3_KEY_MAT_OUT pReturnedKeyMaterial; + + public CK_SSL3_KEY_MAT_PARAMS(int macSize, int keySize, int ivSize, boolean export, CK_SSL3_RANDOM_DATA random) { + ulMacSizeInBits = macSize; + ulKeySizeInBits = keySize; + ulIVSizeInBits = ivSize; + bIsExport = export; + RandomInfo = random; + pReturnedKeyMaterial = new CK_SSL3_KEY_MAT_OUT(); + if (ivSize != 0) { + int n = ivSize >> 3; + pReturnedKeyMaterial.pIVClient = new byte[n]; + pReturnedKeyMaterial.pIVServer = new byte[n]; + } + } + + /** + * Returns the string representation of CK_SSL3_KEY_MAT_PARAMS. + * + * @return the string representation of CK_SSL3_KEY_MAT_PARAMS + */ + public String toString() { + StringBuilder buffer = new StringBuilder(); + + buffer.append(Constants.INDENT); + buffer.append("ulMacSizeInBits: "); + buffer.append(ulMacSizeInBits); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("ulKeySizeInBits: "); + buffer.append(ulKeySizeInBits); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("ulIVSizeInBits: "); + buffer.append(ulIVSizeInBits); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("bIsExport: "); + buffer.append(bIsExport); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("RandomInfo: "); + buffer.append(RandomInfo); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("pReturnedKeyMaterial: "); + buffer.append(pReturnedKeyMaterial); + //buffer.append(Constants.NEWLINE); + + return buffer.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS.java 2017-01-20 09:52:49.098288550 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,110 +0,0 @@ -/* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_SSL3_MASTER_KEY_DERIVE_PARAMS provides the parameters to the - * CKM_SSL3_MASTER_KEY_DERIVE mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
- *   CK_SSL3_RANDOM_DATA RandomInfo;
- *   CK_VERSION_PTR pVersion;
- * } CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_SSL3_MASTER_KEY_DERIVE_PARAMS { - - /** - * PKCS#11: - * 
-     *   CK_SSL3_RANDOM_DATA RandomInfo;
-     *
- */ - public CK_SSL3_RANDOM_DATA RandomInfo; - - /** - * PKCS#11: - * 
-     *   CK_VERSION_PTR pVersion;
-     *
- */ - public CK_VERSION pVersion; - - public CK_SSL3_MASTER_KEY_DERIVE_PARAMS(CK_SSL3_RANDOM_DATA random, CK_VERSION version) { - RandomInfo = random; - pVersion = version; - } - - /** - * Returns the string representation of CK_SSL3_MASTER_KEY_DERIVE_PARAMS. - * - * @return the string representation of CK_SSL3_MASTER_KEY_DERIVE_PARAMS - */ - public String toString() { - StringBuilder buffer = new StringBuilder(); - - buffer.append(Constants.INDENT); - buffer.append("RandomInfo: "); - buffer.append(RandomInfo); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("pVersion: "); - buffer.append(pVersion); - //buffer.append(Constants.NEWLINE); - - return buffer.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS.java 2017-01-20 09:52:48.878288558 -0800 @@ -0,0 +1,110 @@ +/* + * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_SSL3_MASTER_KEY_DERIVE_PARAMS provides the parameters to the + * CKM_SSL3_MASTER_KEY_DERIVE mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+ *   CK_SSL3_RANDOM_DATA RandomInfo;
+ *   CK_VERSION_PTR pVersion;
+ * } CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_SSL3_MASTER_KEY_DERIVE_PARAMS { + + /** + * PKCS#11: + * 
+     *   CK_SSL3_RANDOM_DATA RandomInfo;
+     *
+ */ + public CK_SSL3_RANDOM_DATA RandomInfo; + + /** + * PKCS#11: + * 
+     *   CK_VERSION_PTR pVersion;
+     *
+ */ + public CK_VERSION pVersion; + + public CK_SSL3_MASTER_KEY_DERIVE_PARAMS(CK_SSL3_RANDOM_DATA random, CK_VERSION version) { + RandomInfo = random; + pVersion = version; + } + + /** + * Returns the string representation of CK_SSL3_MASTER_KEY_DERIVE_PARAMS. + * + * @return the string representation of CK_SSL3_MASTER_KEY_DERIVE_PARAMS + */ + public String toString() { + StringBuilder buffer = new StringBuilder(); + + buffer.append(Constants.INDENT); + buffer.append("RandomInfo: "); + buffer.append(RandomInfo); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("pVersion: "); + buffer.append(pVersion); + //buffer.append(Constants.NEWLINE); + + return buffer.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA.java 2017-01-20 09:52:49.442288537 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,126 +0,0 @@ -/* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_SSL3_RANDOM_DATA provides information about the random data of a - * client and a server in an SSL context. This class is used by both the - * CKM_SSL3_MASTER_KEY_DERIVE and the CKM_SSL3_KEY_AND_MAC_DERIVE mechanisms. - *

- * PKCS#11 structure: - * 

- * typedef struct CK_SSL3_RANDOM_DATA {
- *   CK_BYTE_PTR pClientRandom;
- *   CK_ULONG ulClientRandomLen;
- *   CK_BYTE_PTR pServerRandom;
- *   CK_ULONG ulServerRandomLen;
- * } CK_SSL3_RANDOM_DATA;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_SSL3_RANDOM_DATA { - - /** - * PKCS#11: - * 
-     *   CK_BYTE_PTR pClientRandom;
-     *   CK_ULONG ulClientRandomLen;
-     *
- */ - public byte[] pClientRandom; - - /** - * PKCS#11: - * 
-     *   CK_BYTE_PTR pServerRandom;
-     *   CK_ULONG ulServerRandomLen;
-     *
- */ - public byte[] pServerRandom; - - public CK_SSL3_RANDOM_DATA(byte[] clientRandom, byte[] serverRandom) { - pClientRandom = clientRandom; - pServerRandom = serverRandom; - } - - /** - * Returns the string representation of CK_SSL3_RANDOM_DATA. - * - * @return the string representation of CK_SSL3_RANDOM_DATA - */ - public String toString() { - StringBuilder buffer = new StringBuilder(); - - buffer.append(Constants.INDENT); - buffer.append("pClientRandom: "); - buffer.append(Functions.toHexString(pClientRandom)); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("ulClientRandomLen: "); - buffer.append(pClientRandom.length); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("pServerRandom: "); - buffer.append(Functions.toHexString(pServerRandom)); - buffer.append(Constants.NEWLINE); - - buffer.append(Constants.INDENT); - buffer.append("ulServerRandomLen: "); - buffer.append(pServerRandom.length); - //buffer.append(Constants.NEWLINE); - - return buffer.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA.java 2017-01-20 09:52:49.222288545 -0800 @@ -0,0 +1,126 @@ +/* + * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_SSL3_RANDOM_DATA provides information about the random data of a + * client and a server in an SSL context. This class is used by both the + * CKM_SSL3_MASTER_KEY_DERIVE and the CKM_SSL3_KEY_AND_MAC_DERIVE mechanisms. + *

+ * PKCS#11 structure: + * 

+ * typedef struct CK_SSL3_RANDOM_DATA {
+ *   CK_BYTE_PTR pClientRandom;
+ *   CK_ULONG ulClientRandomLen;
+ *   CK_BYTE_PTR pServerRandom;
+ *   CK_ULONG ulServerRandomLen;
+ * } CK_SSL3_RANDOM_DATA;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_SSL3_RANDOM_DATA { + + /** + * PKCS#11: + * 
+     *   CK_BYTE_PTR pClientRandom;
+     *   CK_ULONG ulClientRandomLen;
+     *
+ */ + public byte[] pClientRandom; + + /** + * PKCS#11: + * 
+     *   CK_BYTE_PTR pServerRandom;
+     *   CK_ULONG ulServerRandomLen;
+     *
+ */ + public byte[] pServerRandom; + + public CK_SSL3_RANDOM_DATA(byte[] clientRandom, byte[] serverRandom) { + pClientRandom = clientRandom; + pServerRandom = serverRandom; + } + + /** + * Returns the string representation of CK_SSL3_RANDOM_DATA. + * + * @return the string representation of CK_SSL3_RANDOM_DATA + */ + public String toString() { + StringBuilder buffer = new StringBuilder(); + + buffer.append(Constants.INDENT); + buffer.append("pClientRandom: "); + buffer.append(Functions.toHexString(pClientRandom)); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("ulClientRandomLen: "); + buffer.append(pClientRandom.length); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("pServerRandom: "); + buffer.append(Functions.toHexString(pServerRandom)); + buffer.append(Constants.NEWLINE); + + buffer.append(Constants.INDENT); + buffer.append("ulServerRandomLen: "); + buffer.append(pServerRandom.length); + //buffer.append(Constants.NEWLINE); + + return buffer.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS.java 2017-01-20 09:52:49.782288524 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,46 +0,0 @@ -/* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.pkcs11.wrapper; - -/** - * CK_TLS_PRF_PARAMS from PKCS#11 v2.20. - * - * @author Andreas Sterbenz - * @since 1.6 - */ -public class CK_TLS_PRF_PARAMS { - - public byte[] pSeed; - public byte[] pLabel; - public byte[] pOutput; - - public CK_TLS_PRF_PARAMS(byte[] pSeed, byte[] pLabel, byte[] pOutput) { - this.pSeed = pSeed; - this.pLabel = pLabel; - this.pOutput = pOutput; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS.java 2017-01-20 09:52:49.566288532 -0800 @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11.wrapper; + +/** + * CK_TLS_PRF_PARAMS from PKCS#11 v2.20. + * + * @author Andreas Sterbenz + * @since 1.6 + */ +public class CK_TLS_PRF_PARAMS { + + public byte[] pSeed; + public byte[] pLabel; + public byte[] pOutput; + + public CK_TLS_PRF_PARAMS(byte[] pSeed, byte[] pLabel, byte[] pOutput) { + this.pSeed = pSeed; + this.pLabel = pLabel; + this.pOutput = pOutput; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_TOKEN_INFO.java 2017-01-20 09:52:50.146288510 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,389 +0,0 @@ -/* - * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_TOKEN_INFO provides information about a token.

- * PKCS#11 structure: - * 

- * typedef struct CK_TOKEN_INFO {  
- *   CK_UTF8CHAR label[32];  
- *   CK_UTF8CHAR manufacturerID[32];  
- *   CK_UTF8CHAR model[16];  
- *   CK_CHAR serialNumber[16];  
- *   CK_FLAGS flags;  
- *   CK_ULONG ulMaxSessionCount;  
- *   CK_ULONG ulSessionCount;  
- *   CK_ULONG ulMaxRwSessionCount;  
- *   CK_ULONG ulRwSessionCount;  
- *   CK_ULONG ulMaxPinLen;  
- *   CK_ULONG ulMinPinLen;  
- *   CK_ULONG ulTotalPublicMemory;  
- *   CK_ULONG ulFreePublicMemory;  
- *   CK_ULONG ulTotalPrivateMemory;  
- *   CK_ULONG ulFreePrivateMemory;  
- *   CK_VERSION hardwareVersion;  
- *   CK_VERSION firmwareVersion;  
- *   CK_CHAR utcTime[16];  
- * } CK_TOKEN_INFO;
- *   
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_TOKEN_INFO { - - /* label, manufacturerID, and model have been changed from - * CK_CHAR to CK_UTF8CHAR for v2.11. */ - /** - * must be blank padded and only the first 32 chars will be used

- * PKCS#11: - * 

-     *   CK_UTF8CHAR label[32];
-     *
- */ - public char[] label; /* blank padded */ - - /** - * must be blank padded and only the first 32 chars will be used

- * PKCS#11: - * 

-     *   CK_UTF8CHAR manufacturerID[32];
-     *
- */ - public char[] manufacturerID; /* blank padded */ - - /** - * must be blank padded and only the first 16 chars will be used

- * PKCS#11: - * 

-     *   CK_UTF8CHAR model[16];
-     *
- */ - public char[] model; /* blank padded */ - - /** - * must be blank padded and only the first 16 chars will be used

- * PKCS#11: - * 

-     *   CK_CHAR serialNumber[16];
-     *
- */ - public char[] serialNumber; /* blank padded */ - - /** - * PKCS#11: - * 
-     *   CK_FLAGS flags;
-     *
- */ - public long flags; /* see below */ - - /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, - * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been - * changed from CK_USHORT to CK_ULONG for v2.0 */ - /** - * PKCS#11: - * 
-     *   CK_ULONG ulMaxSessionCount;
-     *
- */ - public long ulMaxSessionCount; /* max open sessions */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulSessionCount;
-     *
- */ - public long ulSessionCount; /* sess. now open */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulMaxRwSessionCount;
-     *
- */ - public long ulMaxRwSessionCount; /* max R/W sessions */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulRwSessionCount;
-     *
- */ - public long ulRwSessionCount; /* R/W sess. now open */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulMaxPinLen;
-     *
- */ - public long ulMaxPinLen; /* in bytes */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulMinPinLen;
-     *
- */ - public long ulMinPinLen; /* in bytes */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulTotalPublicMemory;
-     *
- */ - public long ulTotalPublicMemory; /* in bytes */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulFreePublicMemory;
-     *
- */ - public long ulFreePublicMemory; /* in bytes */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulTotalPrivateMemory;
-     *
- */ - public long ulTotalPrivateMemory; /* in bytes */ - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulFreePrivateMemory;
-     *
- */ - public long ulFreePrivateMemory; /* in bytes */ - - /* hardwareVersion, firmwareVersion, and time are new for - * v2.0 */ - /** - * PKCS#11: - * 
-     *   CK_VERSION hardwareVersion;
-     *
- */ - public CK_VERSION hardwareVersion; /* version of hardware */ - - /** - * PKCS#11: - * 
-     *   CK_VERSION firmwareVersion;
-     *
- */ - public CK_VERSION firmwareVersion; /* version of firmware */ - - /** - * only the first 16 chars will be used - * PKCS#11: - * 
-     *   CK_CHAR utcTime[16];
-     *
- */ - public char[] utcTime; /* time */ - - public CK_TOKEN_INFO(char[] label, char[] vendor, char[] model, - char[] serialNo, long flags, - long sessionMax, long session, - long rwSessionMax, long rwSession, - long pinLenMax, long pinLenMin, - long totalPubMem, long freePubMem, - long totalPrivMem, long freePrivMem, - CK_VERSION hwVer, CK_VERSION fwVer, char[] utcTime) { - this.label = label; - this.manufacturerID = vendor; - this.model = model; - this.serialNumber = serialNo; - this.flags = flags; - this.ulMaxSessionCount = sessionMax; - this.ulSessionCount = session; - this.ulMaxRwSessionCount = rwSessionMax; - this.ulRwSessionCount = rwSession; - this.ulMaxPinLen = pinLenMax; - this.ulMinPinLen = pinLenMin; - this.ulTotalPublicMemory = totalPubMem; - this.ulFreePublicMemory = freePubMem; - this.ulTotalPrivateMemory = totalPrivMem; - this.ulFreePrivateMemory = freePrivMem; - this.hardwareVersion = hwVer; - this.firmwareVersion = fwVer; - this.utcTime = utcTime; - } - - /** - * Returns the string representation of CK_TOKEN_INFO. - * - * @return the string representation of CK_TOKEN_INFO - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("label: "); - sb.append(new String(label)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("manufacturerID: "); - sb.append(new String(manufacturerID)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("model: "); - sb.append(new String(model)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("serialNumber: "); - sb.append(new String(serialNumber)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("flags: "); - sb.append(Functions.tokenInfoFlagsToString(flags)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulMaxSessionCount: "); - sb.append((ulMaxSessionCount == PKCS11Constants.CK_EFFECTIVELY_INFINITE) - ? "CK_EFFECTIVELY_INFINITE" - : (ulMaxSessionCount == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) - ? "CK_UNAVAILABLE_INFORMATION" - : String.valueOf(ulMaxSessionCount)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulSessionCount: "); - sb.append((ulSessionCount == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) - ? "CK_UNAVAILABLE_INFORMATION" - : String.valueOf(ulSessionCount)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulMaxRwSessionCount: "); - sb.append((ulMaxRwSessionCount == PKCS11Constants.CK_EFFECTIVELY_INFINITE) - ? "CK_EFFECTIVELY_INFINITE" - : (ulMaxRwSessionCount == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) - ? "CK_UNAVAILABLE_INFORMATION" - : String.valueOf(ulMaxRwSessionCount)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulRwSessionCount: "); - sb.append((ulRwSessionCount == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) - ? "CK_UNAVAILABLE_INFORMATION" - : String.valueOf(ulRwSessionCount)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulMaxPinLen: "); - sb.append(String.valueOf(ulMaxPinLen)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulMinPinLen: "); - sb.append(String.valueOf(ulMinPinLen)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulTotalPublicMemory: "); - sb.append((ulTotalPublicMemory == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) - ? "CK_UNAVAILABLE_INFORMATION" - : String.valueOf(ulTotalPublicMemory)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulFreePublicMemory: "); - sb.append((ulFreePublicMemory == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) - ? "CK_UNAVAILABLE_INFORMATION" - : String.valueOf(ulFreePublicMemory)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulTotalPrivateMemory: "); - sb.append((ulTotalPrivateMemory == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) - ? "CK_UNAVAILABLE_INFORMATION" - : String.valueOf(ulTotalPrivateMemory)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulFreePrivateMemory: "); - sb.append((ulFreePrivateMemory == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) - ? "CK_UNAVAILABLE_INFORMATION" - : String.valueOf(ulFreePrivateMemory)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("hardwareVersion: "); - sb.append(hardwareVersion.toString()); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("firmwareVersion: "); - sb.append(firmwareVersion.toString()); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("utcTime: "); - sb.append(new String(utcTime)); - //buffer.append(Constants.NEWLINE); - - return sb.toString() ; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_TOKEN_INFO.java 2017-01-20 09:52:49.926288519 -0800 @@ -0,0 +1,389 @@ +/* + * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_TOKEN_INFO provides information about a token.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_TOKEN_INFO {  
+ *   CK_UTF8CHAR label[32];  
+ *   CK_UTF8CHAR manufacturerID[32];  
+ *   CK_UTF8CHAR model[16];  
+ *   CK_CHAR serialNumber[16];  
+ *   CK_FLAGS flags;  
+ *   CK_ULONG ulMaxSessionCount;  
+ *   CK_ULONG ulSessionCount;  
+ *   CK_ULONG ulMaxRwSessionCount;  
+ *   CK_ULONG ulRwSessionCount;  
+ *   CK_ULONG ulMaxPinLen;  
+ *   CK_ULONG ulMinPinLen;  
+ *   CK_ULONG ulTotalPublicMemory;  
+ *   CK_ULONG ulFreePublicMemory;  
+ *   CK_ULONG ulTotalPrivateMemory;  
+ *   CK_ULONG ulFreePrivateMemory;  
+ *   CK_VERSION hardwareVersion;  
+ *   CK_VERSION firmwareVersion;  
+ *   CK_CHAR utcTime[16];  
+ * } CK_TOKEN_INFO;
+ *   
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_TOKEN_INFO { + + /* label, manufacturerID, and model have been changed from + * CK_CHAR to CK_UTF8CHAR for v2.11. */ + /** + * must be blank padded and only the first 32 chars will be used

+ * PKCS#11: + * 

+     *   CK_UTF8CHAR label[32];
+     *
+ */ + public char[] label; /* blank padded */ + + /** + * must be blank padded and only the first 32 chars will be used

+ * PKCS#11: + * 

+     *   CK_UTF8CHAR manufacturerID[32];
+     *
+ */ + public char[] manufacturerID; /* blank padded */ + + /** + * must be blank padded and only the first 16 chars will be used

+ * PKCS#11: + * 

+     *   CK_UTF8CHAR model[16];
+     *
+ */ + public char[] model; /* blank padded */ + + /** + * must be blank padded and only the first 16 chars will be used

+ * PKCS#11: + * 

+     *   CK_CHAR serialNumber[16];
+     *
+ */ + public char[] serialNumber; /* blank padded */ + + /** + * PKCS#11: + * 
+     *   CK_FLAGS flags;
+     *
+ */ + public long flags; /* see below */ + + /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, + * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been + * changed from CK_USHORT to CK_ULONG for v2.0 */ + /** + * PKCS#11: + * 
+     *   CK_ULONG ulMaxSessionCount;
+     *
+ */ + public long ulMaxSessionCount; /* max open sessions */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulSessionCount;
+     *
+ */ + public long ulSessionCount; /* sess. now open */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulMaxRwSessionCount;
+     *
+ */ + public long ulMaxRwSessionCount; /* max R/W sessions */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulRwSessionCount;
+     *
+ */ + public long ulRwSessionCount; /* R/W sess. now open */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulMaxPinLen;
+     *
+ */ + public long ulMaxPinLen; /* in bytes */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulMinPinLen;
+     *
+ */ + public long ulMinPinLen; /* in bytes */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulTotalPublicMemory;
+     *
+ */ + public long ulTotalPublicMemory; /* in bytes */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulFreePublicMemory;
+     *
+ */ + public long ulFreePublicMemory; /* in bytes */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulTotalPrivateMemory;
+     *
+ */ + public long ulTotalPrivateMemory; /* in bytes */ + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulFreePrivateMemory;
+     *
+ */ + public long ulFreePrivateMemory; /* in bytes */ + + /* hardwareVersion, firmwareVersion, and time are new for + * v2.0 */ + /** + * PKCS#11: + * 
+     *   CK_VERSION hardwareVersion;
+     *
+ */ + public CK_VERSION hardwareVersion; /* version of hardware */ + + /** + * PKCS#11: + * 
+     *   CK_VERSION firmwareVersion;
+     *
+ */ + public CK_VERSION firmwareVersion; /* version of firmware */ + + /** + * only the first 16 chars will be used + * PKCS#11: + * 
+     *   CK_CHAR utcTime[16];
+     *
+ */ + public char[] utcTime; /* time */ + + public CK_TOKEN_INFO(char[] label, char[] vendor, char[] model, + char[] serialNo, long flags, + long sessionMax, long session, + long rwSessionMax, long rwSession, + long pinLenMax, long pinLenMin, + long totalPubMem, long freePubMem, + long totalPrivMem, long freePrivMem, + CK_VERSION hwVer, CK_VERSION fwVer, char[] utcTime) { + this.label = label; + this.manufacturerID = vendor; + this.model = model; + this.serialNumber = serialNo; + this.flags = flags; + this.ulMaxSessionCount = sessionMax; + this.ulSessionCount = session; + this.ulMaxRwSessionCount = rwSessionMax; + this.ulRwSessionCount = rwSession; + this.ulMaxPinLen = pinLenMax; + this.ulMinPinLen = pinLenMin; + this.ulTotalPublicMemory = totalPubMem; + this.ulFreePublicMemory = freePubMem; + this.ulTotalPrivateMemory = totalPrivMem; + this.ulFreePrivateMemory = freePrivMem; + this.hardwareVersion = hwVer; + this.firmwareVersion = fwVer; + this.utcTime = utcTime; + } + + /** + * Returns the string representation of CK_TOKEN_INFO. + * + * @return the string representation of CK_TOKEN_INFO + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("label: "); + sb.append(new String(label)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("manufacturerID: "); + sb.append(new String(manufacturerID)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("model: "); + sb.append(new String(model)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("serialNumber: "); + sb.append(new String(serialNumber)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("flags: "); + sb.append(Functions.tokenInfoFlagsToString(flags)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulMaxSessionCount: "); + sb.append((ulMaxSessionCount == PKCS11Constants.CK_EFFECTIVELY_INFINITE) + ? "CK_EFFECTIVELY_INFINITE" + : (ulMaxSessionCount == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) + ? "CK_UNAVAILABLE_INFORMATION" + : String.valueOf(ulMaxSessionCount)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulSessionCount: "); + sb.append((ulSessionCount == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) + ? "CK_UNAVAILABLE_INFORMATION" + : String.valueOf(ulSessionCount)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulMaxRwSessionCount: "); + sb.append((ulMaxRwSessionCount == PKCS11Constants.CK_EFFECTIVELY_INFINITE) + ? "CK_EFFECTIVELY_INFINITE" + : (ulMaxRwSessionCount == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) + ? "CK_UNAVAILABLE_INFORMATION" + : String.valueOf(ulMaxRwSessionCount)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulRwSessionCount: "); + sb.append((ulRwSessionCount == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) + ? "CK_UNAVAILABLE_INFORMATION" + : String.valueOf(ulRwSessionCount)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulMaxPinLen: "); + sb.append(String.valueOf(ulMaxPinLen)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulMinPinLen: "); + sb.append(String.valueOf(ulMinPinLen)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulTotalPublicMemory: "); + sb.append((ulTotalPublicMemory == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) + ? "CK_UNAVAILABLE_INFORMATION" + : String.valueOf(ulTotalPublicMemory)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulFreePublicMemory: "); + sb.append((ulFreePublicMemory == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) + ? "CK_UNAVAILABLE_INFORMATION" + : String.valueOf(ulFreePublicMemory)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulTotalPrivateMemory: "); + sb.append((ulTotalPrivateMemory == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) + ? "CK_UNAVAILABLE_INFORMATION" + : String.valueOf(ulTotalPrivateMemory)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulFreePrivateMemory: "); + sb.append((ulFreePrivateMemory == PKCS11Constants.CK_UNAVAILABLE_INFORMATION) + ? "CK_UNAVAILABLE_INFORMATION" + : String.valueOf(ulFreePrivateMemory)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("hardwareVersion: "); + sb.append(hardwareVersion.toString()); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("firmwareVersion: "); + sb.append(firmwareVersion.toString()); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("utcTime: "); + sb.append(new String(utcTime)); + //buffer.append(Constants.NEWLINE); + + return sb.toString() ; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_UNLOCKMUTEX.java 2017-01-20 09:52:50.502288497 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,68 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * interface CK_UNLOCKMUTEX

- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public interface CK_UNLOCKMUTEX { - - /** - * Method CK_UNLOCKMUTEX - * - * @param pMutex The mutex (lock) object to unlock. - * @exception PKCS11Exception - */ - public void CK_UNLOCKMUTEX(Object pMutex) throws PKCS11Exception; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_UNLOCKMUTEX.java 2017-01-20 09:52:50.278288505 -0800 @@ -0,0 +1,68 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * interface CK_UNLOCKMUTEX

+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public interface CK_UNLOCKMUTEX { + + /** + * Method CK_UNLOCKMUTEX + * + * @param pMutex The mutex (lock) object to unlock. + * @exception PKCS11Exception + */ + public void CK_UNLOCKMUTEX(Object pMutex) throws PKCS11Exception; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_VERSION.java 2017-01-20 09:52:50.850288484 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,109 +0,0 @@ -/* - * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_VERSION describes the version of a Cryptoki interface, a Cryptoki - * library, or an SSL implementation, or the hardware or firmware version of a - * slot or token.

- * PKCS#11 structure: - * 

- * typedef struct CK_VERSION {  
- *   CK_BYTE major;  
- *   CK_BYTE minor;  
- * } CK_VERSION;
- *
- * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class CK_VERSION { - - /** - * PKCS#11: - * 
-     *   CK_BYTE major;
-     *
- */ - public byte major; /* integer portion of version number */ - - /** - * PKCS#11: - * 
-     *   CK_BYTE minor;
-     *
- */ - public byte minor; /* 1/100ths portion of version number */ - - public CK_VERSION(int major, int minor) { - this.major = (byte)major; - this.minor = (byte)minor; - } - - /** - * Returns the string representation of CK_VERSION. - * - * @return the string representation of CK_VERSION - */ - public String toString() { - StringBuilder buffer = new StringBuilder(); - - buffer.append(major & 0xff); - buffer.append('.'); - int m = minor & 0xff; - if (m < 10) { - buffer.append('0'); - } - buffer.append(m); - - return buffer.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_VERSION.java 2017-01-20 09:52:50.634288492 -0800 @@ -0,0 +1,109 @@ +/* + * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_VERSION describes the version of a Cryptoki interface, a Cryptoki + * library, or an SSL implementation, or the hardware or firmware version of a + * slot or token.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_VERSION {  
+ *   CK_BYTE major;  
+ *   CK_BYTE minor;  
+ * } CK_VERSION;
+ *
+ * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class CK_VERSION { + + /** + * PKCS#11: + * 
+     *   CK_BYTE major;
+     *
+ */ + public byte major; /* integer portion of version number */ + + /** + * PKCS#11: + * 
+     *   CK_BYTE minor;
+     *
+ */ + public byte minor; /* 1/100ths portion of version number */ + + public CK_VERSION(int major, int minor) { + this.major = (byte)major; + this.minor = (byte)minor; + } + + /** + * Returns the string representation of CK_VERSION. + * + * @return the string representation of CK_VERSION + */ + public String toString() { + StringBuilder buffer = new StringBuilder(); + + buffer.append(major & 0xff); + buffer.append('.'); + int m = minor & 0xff; + if (m < 10) { + buffer.append('0'); + } + buffer.append(m); + + return buffer.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java 2017-01-20 09:52:51.198288471 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,132 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the - * CKM_X9_42_DH_DERIVE mechanism.

- * PKCS#11 structure: - * 

- * typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
- *   CK_X9_42_DH_KDF_TYPE kdf;
- *   CK_ULONG ulOtherInfoLen;
- *   CK_BYTE_PTR pOtherInfo;
- *   CK_ULONG ulPublicDataLen;
- *   CK_BYTE_PTR pPublicData;
- * } CK_X9_42_DH1_DERIVE_PARAMS;
- *
- * - * @author Karl Scheibelhofer - */ -public class CK_X9_42_DH1_DERIVE_PARAMS { - - /** - * PKCS#11: - * 
-    *   CK_X9_42_DH_KDF_TYPE kdf;
-     *
- */ - public long kdf; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulOtherInfoLen;
-     *   CK_BYTE_PTR pOtherInfo;
-     *
- */ - public byte[] pOtherInfo; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulPublicDataLen;
-     *   CK_BYTE_PTR pPublicData;
-     *
- */ - public byte[] pPublicData; - - /** - * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. - * - * @return the string representation of CK_PKCS5_PBKD2_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("kdf: 0x"); - sb.append(Functions.toFullHexString(kdf)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pOtherInfoLen: "); - sb.append(pOtherInfo.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pOtherInfo: "); - sb.append(Functions.toHexString(pOtherInfo)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicDataLen: "); - sb.append(pPublicData.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicData: "); - sb.append(Functions.toHexString(pPublicData)); - //buffer.append(Constants.NEWLINE); - - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java 2017-01-20 09:52:50.974288479 -0800 @@ -0,0 +1,132 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the + * CKM_X9_42_DH_DERIVE mechanism.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+ *   CK_X9_42_DH_KDF_TYPE kdf;
+ *   CK_ULONG ulOtherInfoLen;
+ *   CK_BYTE_PTR pOtherInfo;
+ *   CK_ULONG ulPublicDataLen;
+ *   CK_BYTE_PTR pPublicData;
+ * } CK_X9_42_DH1_DERIVE_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + */ +public class CK_X9_42_DH1_DERIVE_PARAMS { + + /** + * PKCS#11: + * 
+    *   CK_X9_42_DH_KDF_TYPE kdf;
+     *
+ */ + public long kdf; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulOtherInfoLen;
+     *   CK_BYTE_PTR pOtherInfo;
+     *
+ */ + public byte[] pOtherInfo; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulPublicDataLen;
+     *   CK_BYTE_PTR pPublicData;
+     *
+ */ + public byte[] pPublicData; + + /** + * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. + * + * @return the string representation of CK_PKCS5_PBKD2_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("kdf: 0x"); + sb.append(Functions.toFullHexString(kdf)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pOtherInfoLen: "); + sb.append(pOtherInfo.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pOtherInfo: "); + sb.append(Functions.toHexString(pOtherInfo)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicDataLen: "); + sb.append(pPublicData.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicData: "); + sb.append(Functions.toHexString(pPublicData)); + //buffer.append(Constants.NEWLINE); + + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH2_DERIVE_PARAMS.java 2017-01-20 09:52:51.546288457 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,181 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * class CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the - * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE mechanisms.

- * PKCS#11 structure: - * 

- * typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
- *   CK_X9_42_DH_KDF_TYPE kdf;
- *   CK_ULONG ulOtherInfoLen;
- *   CK_BYTE_PTR pOtherInfo;
- *   CK_ULONG ulPublicDataLen;
- *   CK_BYTE_PTR pPublicData;
- *   CK_ULONG ulPrivateDataLen;
- *   CK_OBJECT_HANDLE hPrivateData;
- *   CK_ULONG ulPublicDataLen2;
- *   CK_BYTE_PTR pPublicData2;
- * } CK_X9_42_DH2_DERIVE_PARAMS;
- *
- * - * @author Karl Scheibelhofer - */ -public class CK_X9_42_DH2_DERIVE_PARAMS { - - /** - * PKCS#11: - * 
-     *   CK_X9_42_DH_KDF_TYPE kdf;
-     *
- */ - public long kdf; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulOtherInfoLen;
-     *   CK_BYTE_PTR pOtherInfo;
-     *
- */ - public byte[] pOtherInfo; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulPublicDataLen;
-     *   CK_BYTE_PTR pPublicData;
-     *
- */ - public byte[] pPublicData; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulPrivateDataLen;
-     *
- */ - public long ulPrivateDataLen; - - /** - * PKCS#11: - * 
-     *   CK_OBJECT_HANDLE hPrivateData;
-     *
- */ - public long hPrivateData; - - /** - * PKCS#11: - * 
-     *   CK_ULONG ulPublicDataLen2;
-     *   CK_BYTE_PTR pPublicData2;
-     *
- */ - public byte[] pPublicData2; - - /** - * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. - * - * @return the string representation of CK_PKCS5_PBKD2_PARAMS - */ - public String toString() { - StringBuilder sb = new StringBuilder(); - - sb.append(Constants.INDENT); - sb.append("kdf: 0x"); - sb.append(Functions.toFullHexString(kdf)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pOtherInfoLen: "); - sb.append(pOtherInfo.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pOtherInfo: "); - sb.append(Functions.toHexString(pOtherInfo)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicDataLen: "); - sb.append(pPublicData.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicData: "); - sb.append(Functions.toHexString(pPublicData)); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("ulPrivateDataLen: "); - sb.append(ulPrivateDataLen); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("hPrivateData: "); - sb.append(hPrivateData); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicDataLen2: "); - sb.append(pPublicData2.length); - sb.append(Constants.NEWLINE); - - sb.append(Constants.INDENT); - sb.append("pPublicData2: "); - sb.append(Functions.toHexString(pPublicData2)); - //buffer.append(Constants.NEWLINE); - - return sb.toString(); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH2_DERIVE_PARAMS.java 2017-01-20 09:52:51.322288466 -0800 @@ -0,0 +1,181 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * class CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the + * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE mechanisms.

+ * PKCS#11 structure: + * 

+ * typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+ *   CK_X9_42_DH_KDF_TYPE kdf;
+ *   CK_ULONG ulOtherInfoLen;
+ *   CK_BYTE_PTR pOtherInfo;
+ *   CK_ULONG ulPublicDataLen;
+ *   CK_BYTE_PTR pPublicData;
+ *   CK_ULONG ulPrivateDataLen;
+ *   CK_OBJECT_HANDLE hPrivateData;
+ *   CK_ULONG ulPublicDataLen2;
+ *   CK_BYTE_PTR pPublicData2;
+ * } CK_X9_42_DH2_DERIVE_PARAMS;
+ *
+ * + * @author Karl Scheibelhofer + */ +public class CK_X9_42_DH2_DERIVE_PARAMS { + + /** + * PKCS#11: + * 
+     *   CK_X9_42_DH_KDF_TYPE kdf;
+     *
+ */ + public long kdf; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulOtherInfoLen;
+     *   CK_BYTE_PTR pOtherInfo;
+     *
+ */ + public byte[] pOtherInfo; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulPublicDataLen;
+     *   CK_BYTE_PTR pPublicData;
+     *
+ */ + public byte[] pPublicData; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulPrivateDataLen;
+     *
+ */ + public long ulPrivateDataLen; + + /** + * PKCS#11: + * 
+     *   CK_OBJECT_HANDLE hPrivateData;
+     *
+ */ + public long hPrivateData; + + /** + * PKCS#11: + * 
+     *   CK_ULONG ulPublicDataLen2;
+     *   CK_BYTE_PTR pPublicData2;
+     *
+ */ + public byte[] pPublicData2; + + /** + * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. + * + * @return the string representation of CK_PKCS5_PBKD2_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append(Constants.INDENT); + sb.append("kdf: 0x"); + sb.append(Functions.toFullHexString(kdf)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pOtherInfoLen: "); + sb.append(pOtherInfo.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pOtherInfo: "); + sb.append(Functions.toHexString(pOtherInfo)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicDataLen: "); + sb.append(pPublicData.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicData: "); + sb.append(Functions.toHexString(pPublicData)); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("ulPrivateDataLen: "); + sb.append(ulPrivateDataLen); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("hPrivateData: "); + sb.append(hPrivateData); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicDataLen2: "); + sb.append(pPublicData2.length); + sb.append(Constants.NEWLINE); + + sb.append(Constants.INDENT); + sb.append("pPublicData2: "); + sb.append(Functions.toHexString(pPublicData2)); + //buffer.append(Constants.NEWLINE); + + return sb.toString(); + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/Constants.java 2017-01-20 09:52:51.894288444 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,65 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - - -/** - * This class holds only final static member variables that are constants - * in this package. - * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class Constants { - - public static final String NEWLINE = System.lineSeparator(); - - public static final String INDENT = " "; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Constants.java 2017-01-20 09:52:51.674288453 -0800 @@ -0,0 +1,65 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + + +/** + * This class holds only final static member variables that are constants + * in this package. + * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class Constants { + + public static final String NEWLINE = System.lineSeparator(); + + public static final String INDENT = " "; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/Functions.java 2017-01-20 09:52:52.242288431 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,905 +0,0 @@ -/* - * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - -import java.math.BigInteger; - -import java.util.*; - -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * This class contains onyl static methods. It is the place for all functions - * that are used by several classes in this package. - * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ -public class Functions { - - // maps between ids and their names, forward and reverse - // ids are stored as Integers to save space - // since only the lower 32 bits are ever used anyway - - // mechanisms (CKM_*) - private static final Map mechNames = - new HashMap(); - - private static final Map mechIds = - new HashMap(); - - // key types (CKK_*) - private static final Map keyNames = - new HashMap(); - - private static final Map keyIds = - new HashMap(); - - // attributes (CKA_*) - private static final Map attributeNames = - new HashMap(); - - private static final Map attributeIds = - new HashMap(); - - // object classes (CKO_*) - private static final Map objectClassNames = - new HashMap(); - - private static final Map objectClassIds = - new HashMap(); - - - /** - * For converting numbers to their hex presentation. - */ - private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray(); - - /** - * Converts a long value to a hexadecimal String of length 16. Includes - * leading zeros if necessary. - * - * @param value The long value to be converted. - * @return The hexadecimal string representation of the long value. - */ - public static String toFullHexString(long value) { - long currentValue = value; - StringBuilder sb = new StringBuilder(16); - for(int j = 0; j < 16; j++) { - int currentDigit = (int) currentValue & 0xf; - sb.append(HEX_DIGITS[currentDigit]); - currentValue >>>= 4; - } - - return sb.reverse().toString(); - } - - /** - * Converts a int value to a hexadecimal String of length 8. Includes - * leading zeros if necessary. - * - * @param value The int value to be converted. - * @return The hexadecimal string representation of the int value. - */ - public static String toFullHexString(int value) { - int currentValue = value; - StringBuilder sb = new StringBuilder(8); - for(int i = 0; i < 8; i++) { - int currentDigit = currentValue & 0xf; - sb.append(HEX_DIGITS[currentDigit]); - currentValue >>>= 4; - } - - return sb.reverse().toString(); - } - - /** - * converts a long value to a hexadecimal String - * - * @param value the long value to be converted - * @return the hexadecimal string representation of the long value - */ - public static String toHexString(long value) { - return Long.toHexString(value); - } - - /** - * Converts a byte array to a hexadecimal String. Each byte is presented by - * its two digit hex-code; 0x0A -> "0a", 0x00 -> "00". No leading "0x" is - * included in the result. - * - * @param value the byte array to be converted - * @return the hexadecimal string representation of the byte array - */ - public static String toHexString(byte[] value) { - if (value == null) { - return null; - } - - StringBuilder sb = new StringBuilder(2 * value.length); - int single; - - for (int i = 0; i < value.length; i++) { - single = value[i] & 0xFF; - - if (single < 0x10) { - sb.append('0'); - } - - sb.append(Integer.toString(single, 16)); - } - - return sb.toString(); - } - - /** - * converts a long value to a binary String - * - * @param value the long value to be converted - * @return the binary string representation of the long value - */ - public static String toBinaryString(long value) { - return Long.toString(value, 2); - } - - /** - * converts a byte array to a binary String - * - * @param value the byte array to be converted - * @return the binary string representation of the byte array - */ - public static String toBinaryString(byte[] value) { - BigInteger helpBigInteger = new BigInteger(1, value); - - return helpBigInteger.toString(2); - } - - private static class Flags { - private final long[] flagIds; - private final String[] flagNames; - Flags(long[] flagIds, String[] flagNames) { - if (flagIds.length != flagNames.length) { - throw new AssertionError("Array lengths do not match"); - } - this.flagIds = flagIds; - this.flagNames = flagNames; - } - String toString(long val) { - StringBuilder sb = new StringBuilder(); - boolean first = true; - for (int i = 0; i < flagIds.length; i++) { - if ((val & flagIds[i]) != 0) { - if (first == false) { - sb.append(" | "); - } - sb.append(flagNames[i]); - first = false; - } - } - return sb.toString(); - } - } - - private static final Flags slotInfoFlags = new Flags(new long[] { - CKF_TOKEN_PRESENT, - CKF_REMOVABLE_DEVICE, - CKF_HW_SLOT, - }, new String[] { - "CKF_TOKEN_PRESENT", - "CKF_REMOVABLE_DEVICE", - "CKF_HW_SLOT", - }); - - /** - * converts the long value flags to a SlotInfoFlag string - * - * @param flags the flags to be converted - * @return the SlotInfoFlag string representation of the flags - */ - public static String slotInfoFlagsToString(long flags) { - return slotInfoFlags.toString(flags); - } - - private static final Flags tokenInfoFlags = new Flags(new long[] { - CKF_RNG, - CKF_WRITE_PROTECTED, - CKF_LOGIN_REQUIRED, - CKF_USER_PIN_INITIALIZED, - CKF_RESTORE_KEY_NOT_NEEDED, - CKF_CLOCK_ON_TOKEN, - CKF_PROTECTED_AUTHENTICATION_PATH, - CKF_DUAL_CRYPTO_OPERATIONS, - CKF_TOKEN_INITIALIZED, - CKF_SECONDARY_AUTHENTICATION, - CKF_USER_PIN_COUNT_LOW, - CKF_USER_PIN_FINAL_TRY, - CKF_USER_PIN_LOCKED, - CKF_USER_PIN_TO_BE_CHANGED, - CKF_SO_PIN_COUNT_LOW, - CKF_SO_PIN_FINAL_TRY, - CKF_SO_PIN_LOCKED, - CKF_SO_PIN_TO_BE_CHANGED, - }, new String[] { - "CKF_RNG", - "CKF_WRITE_PROTECTED", - "CKF_LOGIN_REQUIRED", - "CKF_USER_PIN_INITIALIZED", - "CKF_RESTORE_KEY_NOT_NEEDED", - "CKF_CLOCK_ON_TOKEN", - "CKF_PROTECTED_AUTHENTICATION_PATH", - "CKF_DUAL_CRYPTO_OPERATIONS", - "CKF_TOKEN_INITIALIZED", - "CKF_SECONDARY_AUTHENTICATION", - "CKF_USER_PIN_COUNT_LOW", - "CKF_USER_PIN_FINAL_TRY", - "CKF_USER_PIN_LOCKED", - "CKF_USER_PIN_TO_BE_CHANGED", - "CKF_SO_PIN_COUNT_LOW", - "CKF_SO_PIN_FINAL_TRY", - "CKF_SO_PIN_LOCKED", - "CKF_SO_PIN_TO_BE_CHANGED", - }); - - /** - * converts long value flags to a TokenInfoFlag string - * - * @param flags the flags to be converted - * @return the TokenInfoFlag string representation of the flags - */ - public static String tokenInfoFlagsToString(long flags) { - return tokenInfoFlags.toString(flags); - } - - private static final Flags sessionInfoFlags = new Flags(new long[] { - CKF_RW_SESSION, - CKF_SERIAL_SESSION, - }, new String[] { - "CKF_RW_SESSION", - "CKF_SERIAL_SESSION", - }); - - /** - * converts the long value flags to a SessionInfoFlag string - * - * @param flags the flags to be converted - * @return the SessionInfoFlag string representation of the flags - */ - public static String sessionInfoFlagsToString(long flags) { - return sessionInfoFlags.toString(flags); - } - - /** - * converts the long value state to a SessionState string - * - * @param state the state to be converted - * @return the SessionState string representation of the state - */ - public static String sessionStateToString(long state) { - String name; - - if (state == CKS_RO_PUBLIC_SESSION) { - name = "CKS_RO_PUBLIC_SESSION"; - } else if (state == CKS_RO_USER_FUNCTIONS) { - name = "CKS_RO_USER_FUNCTIONS"; - } else if (state == CKS_RW_PUBLIC_SESSION) { - name = "CKS_RW_PUBLIC_SESSION"; - } else if (state == CKS_RW_USER_FUNCTIONS) { - name = "CKS_RW_USER_FUNCTIONS"; - } else if (state == CKS_RW_SO_FUNCTIONS) { - name = "CKS_RW_SO_FUNCTIONS"; - } else { - name = "ERROR: unknown session state 0x" + toFullHexString(state); - } - - return name; - } - - private static final Flags mechanismInfoFlags = new Flags(new long[] { - CKF_HW, - CKF_ENCRYPT, - CKF_DECRYPT, - CKF_DIGEST, - CKF_SIGN, - CKF_SIGN_RECOVER, - CKF_VERIFY, - CKF_VERIFY_RECOVER, - CKF_GENERATE, - CKF_GENERATE_KEY_PAIR, - CKF_WRAP, - CKF_UNWRAP, - CKF_DERIVE, - CKF_EC_F_P, - CKF_EC_F_2M, - CKF_EC_ECPARAMETERS, - CKF_EC_NAMEDCURVE, - CKF_EC_UNCOMPRESS, - CKF_EC_COMPRESS, - CKF_EXTENSION, - }, new String[] { - "CKF_HW", - "CKF_ENCRYPT", - "CKF_DECRYPT", - "CKF_DIGEST", - "CKF_SIGN", - "CKF_SIGN_RECOVER", - "CKF_VERIFY", - "CKF_VERIFY_RECOVER", - "CKF_GENERATE", - "CKF_GENERATE_KEY_PAIR", - "CKF_WRAP", - "CKF_UNWRAP", - "CKF_DERIVE", - "CKF_EC_F_P", - "CKF_EC_F_2M", - "CKF_EC_ECPARAMETERS", - "CKF_EC_NAMEDCURVE", - "CKF_EC_UNCOMPRESS", - "CKF_EC_COMPRESS", - "CKF_EXTENSION", - }); - - /** - * converts the long value flags to a MechanismInfoFlag string - * - * @param flags the flags to be converted - * @return the MechanismInfoFlag string representation of the flags - */ - public static String mechanismInfoFlagsToString(long flags) { - return mechanismInfoFlags.toString(flags); - } - - private static String getName(Map nameMap, long id) { - String name = null; - if ((id >>> 32) == 0) { - name = nameMap.get(Integer.valueOf((int)id)); - } - if (name == null) { - name = "Unknown 0x" + toFullHexString(id); - } - return name; - } - - public static long getId(Map idMap, String name) { - Integer mech = idMap.get(name); - if (mech == null) { - throw new IllegalArgumentException("Unknown name " + name); - } - return mech.intValue() & 0xffffffffL; - } - - public static String getMechanismName(long id) { - return getName(mechNames, id); - } - - public static long getMechanismId(String name) { - return getId(mechIds, name); - } - - public static String getKeyName(long id) { - return getName(keyNames, id); - } - - public static long getKeyId(String name) { - return getId(keyIds, name); - } - - public static String getAttributeName(long id) { - return getName(attributeNames, id); - } - - public static long getAttributeId(String name) { - return getId(attributeIds, name); - } - - public static String getObjectClassName(long id) { - return getName(objectClassNames, id); - } - - public static long getObjectClassId(String name) { - return getId(objectClassIds, name); - } - - /** - * Check the given arrays for equalitiy. This method considers both arrays as - * equal, if both are null or both have the same length and - * contain exactly the same char values. - * - * @param array1 The first array. - * @param array2 The second array. - * @return True, if both arrays are null or both have the same - * length and contain exactly the same char values. False, otherwise. - * @preconditions - * @postconditions - */ - private static boolean equals(char[] array1, char[] array2) { - return Arrays.equals(array1, array2); - } - - /** - * Check the given dates for equalitiy. This method considers both dates as - * equal, if both are null or both contain exactly the same char - * values. - * - * @param date1 The first date. - * @param date2 The second date. - * @return True, if both dates are null or both contain the same - * char values. False, otherwise. - * @preconditions - * @postconditions - */ - public static boolean equals(CK_DATE date1, CK_DATE date2) { - boolean equal = false; - - if (date1 == date2) { - equal = true; - } else if ((date1 != null) && (date2 != null)) { - equal = equals(date1.year, date2.year) - && equals(date1.month, date2.month) - && equals(date1.day, date2.day); - } else { - equal = false; - } - - return equal ; - } - - /** - * Calculate a hash code for the given byte array. - * - * @param array The byte array. - * @return A hash code for the given array. - * @preconditions - * @postconditions - */ - public static int hashCode(byte[] array) { - int hash = 0; - - if (array != null) { - for (int i = 0; (i < 4) && (i < array.length); i++) { - hash ^= (0xFF & array[i]) << ((i%4) << 3); - } - } - - return hash ; - } - - /** - * Calculate a hash code for the given char array. - * - * @param array The char array. - * @return A hash code for the given array. - * @preconditions - * @postconditions - */ - public static int hashCode(char[] array) { - int hash = 0; - - if (array != null) { - for (int i = 0; (i < 4) && (i < array.length); i++) { - hash ^= (0xFFFF & array[i]) << ((i%2) << 4); - } - } - - return hash ; - } - - /** - * Calculate a hash code for the given date object. - * - * @param date The date object. - * @return A hash code for the given date. - * @preconditions - * @postconditions - */ - public static int hashCode(CK_DATE date) { - int hash = 0; - - if (date != null) { - if (date.year.length == 4) { - hash ^= (0xFFFF & date.year[0]) << 16; - hash ^= 0xFFFF & date.year[1]; - hash ^= (0xFFFF & date.year[2]) << 16; - hash ^= 0xFFFF & date.year[3]; - } - if (date.month.length == 2) { - hash ^= (0xFFFF & date.month[0]) << 16; - hash ^= 0xFFFF & date.month[1]; - } - if (date.day.length == 2) { - hash ^= (0xFFFF & date.day[0]) << 16; - hash ^= 0xFFFF & date.day[1]; - } - } - - return hash ; - } - - private static void addMapping(Map nameMap, - Map idMap, long id, String name) { - if ((id >>> 32) != 0) { - throw new AssertionError("Id has high bits set: " + id + ", " + name); - } - Integer intId = Integer.valueOf((int)id); - if (nameMap.put(intId, name) != null) { - throw new AssertionError("Duplicate id: " + id + ", " + name); - } - if (idMap.put(name, intId) != null) { - throw new AssertionError("Duplicate name: " + id + ", " + name); - } - } - - private static void addMech(long id, String name) { - addMapping(mechNames, mechIds, id, name); - } - - private static void addKeyType(long id, String name) { - addMapping(keyNames, keyIds, id, name); - } - - private static void addAttribute(long id, String name) { - addMapping(attributeNames, attributeIds, id, name); - } - - private static void addObjectClass(long id, String name) { - addMapping(objectClassNames, objectClassIds, id, name); - } - - static { - addMech(CKM_RSA_PKCS_KEY_PAIR_GEN, "CKM_RSA_PKCS_KEY_PAIR_GEN"); - addMech(CKM_RSA_PKCS, "CKM_RSA_PKCS"); - addMech(CKM_RSA_9796, "CKM_RSA_9796"); - addMech(CKM_RSA_X_509, "CKM_RSA_X_509"); - addMech(CKM_MD2_RSA_PKCS, "CKM_MD2_RSA_PKCS"); - addMech(CKM_MD5_RSA_PKCS, "CKM_MD5_RSA_PKCS"); - addMech(CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"); - addMech(CKM_RIPEMD128_RSA_PKCS, "CKM_RIPEMD128_RSA_PKCS"); - addMech(CKM_RIPEMD160_RSA_PKCS, "CKM_RIPEMD160_RSA_PKCS"); - addMech(CKM_RSA_PKCS_OAEP, "CKM_RSA_PKCS_OAEP"); - addMech(CKM_RSA_X9_31_KEY_PAIR_GEN, "CKM_RSA_X9_31_KEY_PAIR_GEN"); - addMech(CKM_RSA_X9_31, "CKM_RSA_X9_31"); - addMech(CKM_SHA1_RSA_X9_31, "CKM_SHA1_RSA_X9_31"); - addMech(CKM_RSA_PKCS_PSS, "CKM_RSA_PKCS_PSS"); - addMech(CKM_SHA1_RSA_PKCS_PSS, "CKM_SHA1_RSA_PKCS_PSS"); - addMech(CKM_DSA_KEY_PAIR_GEN, "CKM_DSA_KEY_PAIR_GEN"); - addMech(CKM_DSA, "CKM_DSA"); - addMech(CKM_DSA_SHA1, "CKM_DSA_SHA1"); - addMech(CKM_DH_PKCS_KEY_PAIR_GEN, "CKM_DH_PKCS_KEY_PAIR_GEN"); - addMech(CKM_DH_PKCS_DERIVE, "CKM_DH_PKCS_DERIVE"); - addMech(CKM_X9_42_DH_KEY_PAIR_GEN, "CKM_X9_42_DH_KEY_PAIR_GEN"); - addMech(CKM_X9_42_DH_DERIVE, "CKM_X9_42_DH_DERIVE"); - addMech(CKM_X9_42_DH_HYBRID_DERIVE, "CKM_X9_42_DH_HYBRID_DERIVE"); - addMech(CKM_X9_42_MQV_DERIVE, "CKM_X9_42_MQV_DERIVE"); - addMech(CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"); - addMech(CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"); - addMech(CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"); - addMech(CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"); - addMech(CKM_RC2_KEY_GEN, "CKM_RC2_KEY_GEN"); - addMech(CKM_RC2_ECB, "CKM_RC2_ECB"); - addMech(CKM_RC2_CBC, "CKM_RC2_CBC"); - addMech(CKM_RC2_MAC, "CKM_RC2_MAC"); - addMech(CKM_RC2_MAC_GENERAL, "CKM_RC2_MAC_GENERAL"); - addMech(CKM_RC2_CBC_PAD, "CKM_RC2_CBC_PAD"); - addMech(CKM_RC4_KEY_GEN, "CKM_RC4_KEY_GEN"); - addMech(CKM_RC4, "CKM_RC4"); - addMech(CKM_DES_KEY_GEN, "CKM_DES_KEY_GEN"); - addMech(CKM_DES_ECB, "CKM_DES_ECB"); - addMech(CKM_DES_CBC, "CKM_DES_CBC"); - addMech(CKM_DES_MAC, "CKM_DES_MAC"); - addMech(CKM_DES_MAC_GENERAL, "CKM_DES_MAC_GENERAL"); - addMech(CKM_DES_CBC_PAD, "CKM_DES_CBC_PAD"); - addMech(CKM_DES2_KEY_GEN, "CKM_DES2_KEY_GEN"); - addMech(CKM_DES3_KEY_GEN, "CKM_DES3_KEY_GEN"); - addMech(CKM_DES3_ECB, "CKM_DES3_ECB"); - addMech(CKM_DES3_CBC, "CKM_DES3_CBC"); - addMech(CKM_DES3_MAC, "CKM_DES3_MAC"); - addMech(CKM_DES3_MAC_GENERAL, "CKM_DES3_MAC_GENERAL"); - addMech(CKM_DES3_CBC_PAD, "CKM_DES3_CBC_PAD"); - addMech(CKM_CDMF_KEY_GEN, "CKM_CDMF_KEY_GEN"); - addMech(CKM_CDMF_ECB, "CKM_CDMF_ECB"); - addMech(CKM_CDMF_CBC, "CKM_CDMF_CBC"); - addMech(CKM_CDMF_MAC, "CKM_CDMF_MAC"); - addMech(CKM_CDMF_MAC_GENERAL, "CKM_CDMF_MAC_GENERAL"); - addMech(CKM_CDMF_CBC_PAD, "CKM_CDMF_CBC_PAD"); - addMech(CKM_MD2, "CKM_MD2"); - addMech(CKM_MD2_HMAC, "CKM_MD2_HMAC"); - addMech(CKM_MD2_HMAC_GENERAL, "CKM_MD2_HMAC_GENERAL"); - addMech(CKM_MD5, "CKM_MD5"); - addMech(CKM_MD5_HMAC, "CKM_MD5_HMAC"); - addMech(CKM_MD5_HMAC_GENERAL, "CKM_MD5_HMAC_GENERAL"); - addMech(CKM_SHA_1, "CKM_SHA_1"); - addMech(CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"); - addMech(CKM_SHA_1_HMAC_GENERAL, "CKM_SHA_1_HMAC_GENERAL"); - addMech(CKM_RIPEMD128, "CKM_RIPEMD128"); - addMech(CKM_RIPEMD128_HMAC, "CKM_RIPEMD128_HMAC"); - addMech(CKM_RIPEMD128_HMAC_GENERAL, "CKM_RIPEMD128_HMAC_GENERAL"); - addMech(CKM_RIPEMD160, "CKM_RIPEMD160"); - addMech(CKM_RIPEMD160_HMAC, "CKM_RIPEMD160_HMAC"); - addMech(CKM_RIPEMD160_HMAC_GENERAL, "CKM_RIPEMD160_HMAC_GENERAL"); - addMech(CKM_SHA224, "CKM_SHA224"); - addMech(CKM_SHA224_HMAC, "CKM_SHA224_HMAC"); - addMech(CKM_SHA224_HMAC_GENERAL, "CKM_SHA224_HMAC_GENERAL"); - addMech(CKM_SHA256, "CKM_SHA256"); - addMech(CKM_SHA256_HMAC, "CKM_SHA256_HMAC"); - addMech(CKM_SHA256_HMAC_GENERAL, "CKM_SHA256_HMAC_GENERAL"); - addMech(CKM_SHA384, "CKM_SHA384"); - addMech(CKM_SHA384_HMAC, "CKM_SHA384_HMAC"); - addMech(CKM_SHA384_HMAC_GENERAL, "CKM_SHA384_HMAC_GENERAL"); - addMech(CKM_SHA512, "CKM_SHA512"); - addMech(CKM_SHA512_HMAC, "CKM_SHA512_HMAC"); - addMech(CKM_SHA512_HMAC_GENERAL, "CKM_SHA512_HMAC_GENERAL"); - addMech(CKM_CAST_KEY_GEN, "CKM_CAST_KEY_GEN"); - addMech(CKM_CAST_ECB, "CKM_CAST_ECB"); - addMech(CKM_CAST_CBC, "CKM_CAST_CBC"); - addMech(CKM_CAST_MAC, "CKM_CAST_MAC"); - addMech(CKM_CAST_MAC_GENERAL, "CKM_CAST_MAC_GENERAL"); - addMech(CKM_CAST_CBC_PAD, "CKM_CAST_CBC_PAD"); - addMech(CKM_CAST3_KEY_GEN, "CKM_CAST3_KEY_GEN"); - addMech(CKM_CAST3_ECB, "CKM_CAST3_ECB"); - addMech(CKM_CAST3_CBC, "CKM_CAST3_CBC"); - addMech(CKM_CAST3_MAC, "CKM_CAST3_MAC"); - addMech(CKM_CAST3_MAC_GENERAL, "CKM_CAST3_MAC_GENERAL"); - addMech(CKM_CAST3_CBC_PAD, "CKM_CAST3_CBC_PAD"); - addMech(CKM_CAST128_KEY_GEN, "CKM_CAST128_KEY_GEN"); - addMech(CKM_CAST128_ECB, "CKM_CAST128_ECB"); - addMech(CKM_CAST128_CBC, "CKM_CAST128_CBC"); - addMech(CKM_CAST128_MAC, "CKM_CAST128_MAC"); - addMech(CKM_CAST128_MAC_GENERAL, "CKM_CAST128_MAC_GENERAL"); - addMech(CKM_CAST128_CBC_PAD, "CKM_CAST128_CBC_PAD"); - addMech(CKM_RC5_KEY_GEN, "CKM_RC5_KEY_GEN"); - addMech(CKM_RC5_ECB, "CKM_RC5_ECB"); - addMech(CKM_RC5_CBC, "CKM_RC5_CBC"); - addMech(CKM_RC5_MAC, "CKM_RC5_MAC"); - addMech(CKM_RC5_MAC_GENERAL, "CKM_RC5_MAC_GENERAL"); - addMech(CKM_RC5_CBC_PAD, "CKM_RC5_CBC_PAD"); - addMech(CKM_IDEA_KEY_GEN, "CKM_IDEA_KEY_GEN"); - addMech(CKM_IDEA_ECB, "CKM_IDEA_ECB"); - addMech(CKM_IDEA_CBC, "CKM_IDEA_CBC"); - addMech(CKM_IDEA_MAC, "CKM_IDEA_MAC"); - addMech(CKM_IDEA_MAC_GENERAL, "CKM_IDEA_MAC_GENERAL"); - addMech(CKM_IDEA_CBC_PAD, "CKM_IDEA_CBC_PAD"); - addMech(CKM_GENERIC_SECRET_KEY_GEN, "CKM_GENERIC_SECRET_KEY_GEN"); - addMech(CKM_CONCATENATE_BASE_AND_KEY, "CKM_CONCATENATE_BASE_AND_KEY"); - addMech(CKM_CONCATENATE_BASE_AND_DATA, "CKM_CONCATENATE_BASE_AND_DATA"); - addMech(CKM_CONCATENATE_DATA_AND_BASE, "CKM_CONCATENATE_DATA_AND_BASE"); - addMech(CKM_XOR_BASE_AND_DATA, "CKM_XOR_BASE_AND_DATA"); - addMech(CKM_EXTRACT_KEY_FROM_KEY, "CKM_EXTRACT_KEY_FROM_KEY"); - addMech(CKM_SSL3_PRE_MASTER_KEY_GEN, "CKM_SSL3_PRE_MASTER_KEY_GEN"); - addMech(CKM_SSL3_MASTER_KEY_DERIVE, "CKM_SSL3_MASTER_KEY_DERIVE"); - addMech(CKM_SSL3_KEY_AND_MAC_DERIVE, "CKM_SSL3_KEY_AND_MAC_DERIVE"); - addMech(CKM_SSL3_MASTER_KEY_DERIVE_DH, "CKM_SSL3_MASTER_KEY_DERIVE_DH"); - addMech(CKM_TLS_PRE_MASTER_KEY_GEN, "CKM_TLS_PRE_MASTER_KEY_GEN"); - addMech(CKM_TLS_MASTER_KEY_DERIVE, "CKM_TLS_MASTER_KEY_DERIVE"); - addMech(CKM_TLS_KEY_AND_MAC_DERIVE, "CKM_TLS_KEY_AND_MAC_DERIVE"); - addMech(CKM_TLS_MASTER_KEY_DERIVE_DH, "CKM_TLS_MASTER_KEY_DERIVE_DH"); - addMech(CKM_TLS_PRF, "CKM_TLS_PRF"); - addMech(CKM_SSL3_MD5_MAC, "CKM_SSL3_MD5_MAC"); - addMech(CKM_SSL3_SHA1_MAC, "CKM_SSL3_SHA1_MAC"); - addMech(CKM_MD5_KEY_DERIVATION, "CKM_MD5_KEY_DERIVATION"); - addMech(CKM_MD2_KEY_DERIVATION, "CKM_MD2_KEY_DERIVATION"); - addMech(CKM_SHA1_KEY_DERIVATION, "CKM_SHA1_KEY_DERIVATION"); - addMech(CKM_SHA224_KEY_DERIVATION, "CKM_SHA224_KEY_DERIVATION"); - addMech(CKM_SHA256_KEY_DERIVATION, "CKM_SHA256_KEY_DERIVATION"); - addMech(CKM_SHA384_KEY_DERIVATION, "CKM_SHA384_KEY_DERIVATION"); - addMech(CKM_SHA512_KEY_DERIVATION, "CKM_SHA512_KEY_DERIVATION"); - addMech(CKM_PBE_MD2_DES_CBC, "CKM_PBE_MD2_DES_CBC"); - addMech(CKM_PBE_MD5_DES_CBC, "CKM_PBE_MD5_DES_CBC"); - addMech(CKM_PBE_MD5_CAST_CBC, "CKM_PBE_MD5_CAST_CBC"); - addMech(CKM_PBE_MD5_CAST3_CBC, "CKM_PBE_MD5_CAST3_CBC"); - addMech(CKM_PBE_MD5_CAST128_CBC, "CKM_PBE_MD5_CAST128_CBC"); - addMech(CKM_PBE_SHA1_CAST128_CBC, "CKM_PBE_SHA1_CAST128_CBC"); - addMech(CKM_PBE_SHA1_RC4_128, "CKM_PBE_SHA1_RC4_128"); - addMech(CKM_PBE_SHA1_RC4_40, "CKM_PBE_SHA1_RC4_40"); - addMech(CKM_PBE_SHA1_DES3_EDE_CBC, "CKM_PBE_SHA1_DES3_EDE_CBC"); - addMech(CKM_PBE_SHA1_DES2_EDE_CBC, "CKM_PBE_SHA1_DES2_EDE_CBC"); - addMech(CKM_PBE_SHA1_RC2_128_CBC, "CKM_PBE_SHA1_RC2_128_CBC"); - addMech(CKM_PBE_SHA1_RC2_40_CBC, "CKM_PBE_SHA1_RC2_40_CBC"); - addMech(CKM_PKCS5_PBKD2, "CKM_PKCS5_PBKD2"); - addMech(CKM_PBA_SHA1_WITH_SHA1_HMAC, "CKM_PBA_SHA1_WITH_SHA1_HMAC"); - addMech(CKM_KEY_WRAP_LYNKS, "CKM_KEY_WRAP_LYNKS"); - addMech(CKM_KEY_WRAP_SET_OAEP, "CKM_KEY_WRAP_SET_OAEP"); - addMech(CKM_SKIPJACK_KEY_GEN, "CKM_SKIPJACK_KEY_GEN"); - addMech(CKM_SKIPJACK_ECB64, "CKM_SKIPJACK_ECB64"); - addMech(CKM_SKIPJACK_CBC64, "CKM_SKIPJACK_CBC64"); - addMech(CKM_SKIPJACK_OFB64, "CKM_SKIPJACK_OFB64"); - addMech(CKM_SKIPJACK_CFB64, "CKM_SKIPJACK_CFB64"); - addMech(CKM_SKIPJACK_CFB32, "CKM_SKIPJACK_CFB32"); - addMech(CKM_SKIPJACK_CFB16, "CKM_SKIPJACK_CFB16"); - addMech(CKM_SKIPJACK_CFB8, "CKM_SKIPJACK_CFB8"); - addMech(CKM_SKIPJACK_WRAP, "CKM_SKIPJACK_WRAP"); - addMech(CKM_SKIPJACK_PRIVATE_WRAP, "CKM_SKIPJACK_PRIVATE_WRAP"); - addMech(CKM_SKIPJACK_RELAYX, "CKM_SKIPJACK_RELAYX"); - addMech(CKM_KEA_KEY_PAIR_GEN, "CKM_KEA_KEY_PAIR_GEN"); - addMech(CKM_KEA_KEY_DERIVE, "CKM_KEA_KEY_DERIVE"); - addMech(CKM_FORTEZZA_TIMESTAMP, "CKM_FORTEZZA_TIMESTAMP"); - addMech(CKM_BATON_KEY_GEN, "CKM_BATON_KEY_GEN"); - addMech(CKM_BATON_ECB128, "CKM_BATON_ECB128"); - addMech(CKM_BATON_ECB96, "CKM_BATON_ECB96"); - addMech(CKM_BATON_CBC128, "CKM_BATON_CBC128"); - addMech(CKM_BATON_COUNTER, "CKM_BATON_COUNTER"); - addMech(CKM_BATON_SHUFFLE, "CKM_BATON_SHUFFLE"); - addMech(CKM_BATON_WRAP, "CKM_BATON_WRAP"); - addMech(CKM_EC_KEY_PAIR_GEN, "CKM_EC_KEY_PAIR_GEN"); - addMech(CKM_ECDSA, "CKM_ECDSA"); - addMech(CKM_ECDSA_SHA1, "CKM_ECDSA_SHA1"); - addMech(CKM_ECDH1_DERIVE, "CKM_ECDH1_DERIVE"); - addMech(CKM_ECDH1_COFACTOR_DERIVE, "CKM_ECDH1_COFACTOR_DERIVE"); - addMech(CKM_ECMQV_DERIVE, "CKM_ECMQV_DERIVE"); - addMech(CKM_JUNIPER_KEY_GEN, "CKM_JUNIPER_KEY_GEN"); - addMech(CKM_JUNIPER_ECB128, "CKM_JUNIPER_ECB128"); - addMech(CKM_JUNIPER_CBC128, "CKM_JUNIPER_CBC128"); - addMech(CKM_JUNIPER_COUNTER, "CKM_JUNIPER_COUNTER"); - addMech(CKM_JUNIPER_SHUFFLE, "CKM_JUNIPER_SHUFFLE"); - addMech(CKM_JUNIPER_WRAP, "CKM_JUNIPER_WRAP"); - addMech(CKM_FASTHASH, "CKM_FASTHASH"); - addMech(CKM_AES_KEY_GEN, "CKM_AES_KEY_GEN"); - addMech(CKM_AES_ECB, "CKM_AES_ECB"); - addMech(CKM_AES_CBC, "CKM_AES_CBC"); - addMech(CKM_AES_MAC, "CKM_AES_MAC"); - addMech(CKM_AES_MAC_GENERAL, "CKM_AES_MAC_GENERAL"); - addMech(CKM_AES_CBC_PAD, "CKM_AES_CBC_PAD"); - addMech(CKM_BLOWFISH_KEY_GEN, "CKM_BLOWFISH_KEY_GEN"); - addMech(CKM_BLOWFISH_CBC, "CKM_BLOWFISH_CBC"); - addMech(CKM_DSA_PARAMETER_GEN, "CKM_DSA_PARAMETER_GEN"); - addMech(CKM_DH_PKCS_PARAMETER_GEN, "CKM_DH_PKCS_PARAMETER_GEN"); - addMech(CKM_X9_42_DH_PARAMETER_GEN, "CKM_X9_42_DH_PARAMETER_GEN"); - addMech(CKM_VENDOR_DEFINED, "CKM_VENDOR_DEFINED"); - - addMech(CKM_NSS_TLS_PRF_GENERAL, "CKM_NSS_TLS_PRF_GENERAL"); - - addMech(PCKM_SECURERANDOM, "SecureRandom"); - addMech(PCKM_KEYSTORE, "KeyStore"); - - addKeyType(CKK_RSA, "CKK_RSA"); - addKeyType(CKK_DSA, "CKK_DSA"); - addKeyType(CKK_DH, "CKK_DH"); - addKeyType(CKK_EC, "CKK_EC"); - addKeyType(CKK_X9_42_DH, "CKK_X9_42_DH"); - addKeyType(CKK_KEA, "CKK_KEA"); - addKeyType(CKK_GENERIC_SECRET, "CKK_GENERIC_SECRET"); - addKeyType(CKK_RC2, "CKK_RC2"); - addKeyType(CKK_RC4, "CKK_RC4"); - addKeyType(CKK_DES, "CKK_DES"); - addKeyType(CKK_DES2, "CKK_DES2"); - addKeyType(CKK_DES3, "CKK_DES3"); - addKeyType(CKK_CAST, "CKK_CAST"); - addKeyType(CKK_CAST3, "CKK_CAST3"); - addKeyType(CKK_CAST128, "CKK_CAST128"); - addKeyType(CKK_RC5, "CKK_RC5"); - addKeyType(CKK_IDEA, "CKK_IDEA"); - addKeyType(CKK_SKIPJACK, "CKK_SKIPJACK"); - addKeyType(CKK_BATON, "CKK_BATON"); - addKeyType(CKK_JUNIPER, "CKK_JUNIPER"); - addKeyType(CKK_CDMF, "CKK_CDMF"); - addKeyType(CKK_AES, "CKK_AES"); - addKeyType(CKK_BLOWFISH, "CKK_BLOWFISH"); - addKeyType(CKK_VENDOR_DEFINED, "CKK_VENDOR_DEFINED"); - - addKeyType(PCKK_ANY, "*"); - - addAttribute(CKA_CLASS, "CKA_CLASS"); - addAttribute(CKA_TOKEN, "CKA_TOKEN"); - addAttribute(CKA_PRIVATE, "CKA_PRIVATE"); - addAttribute(CKA_LABEL, "CKA_LABEL"); - addAttribute(CKA_APPLICATION, "CKA_APPLICATION"); - addAttribute(CKA_VALUE, "CKA_VALUE"); - addAttribute(CKA_OBJECT_ID, "CKA_OBJECT_ID"); - addAttribute(CKA_CERTIFICATE_TYPE, "CKA_CERTIFICATE_TYPE"); - addAttribute(CKA_ISSUER, "CKA_ISSUER"); - addAttribute(CKA_SERIAL_NUMBER, "CKA_SERIAL_NUMBER"); - addAttribute(CKA_AC_ISSUER, "CKA_AC_ISSUER"); - addAttribute(CKA_OWNER, "CKA_OWNER"); - addAttribute(CKA_ATTR_TYPES, "CKA_ATTR_TYPES"); - addAttribute(CKA_TRUSTED, "CKA_TRUSTED"); - addAttribute(CKA_KEY_TYPE, "CKA_KEY_TYPE"); - addAttribute(CKA_SUBJECT, "CKA_SUBJECT"); - addAttribute(CKA_ID, "CKA_ID"); - addAttribute(CKA_SENSITIVE, "CKA_SENSITIVE"); - addAttribute(CKA_ENCRYPT, "CKA_ENCRYPT"); - addAttribute(CKA_DECRYPT, "CKA_DECRYPT"); - addAttribute(CKA_WRAP, "CKA_WRAP"); - addAttribute(CKA_UNWRAP, "CKA_UNWRAP"); - addAttribute(CKA_SIGN, "CKA_SIGN"); - addAttribute(CKA_SIGN_RECOVER, "CKA_SIGN_RECOVER"); - addAttribute(CKA_VERIFY, "CKA_VERIFY"); - addAttribute(CKA_VERIFY_RECOVER, "CKA_VERIFY_RECOVER"); - addAttribute(CKA_DERIVE, "CKA_DERIVE"); - addAttribute(CKA_START_DATE, "CKA_START_DATE"); - addAttribute(CKA_END_DATE, "CKA_END_DATE"); - addAttribute(CKA_MODULUS, "CKA_MODULUS"); - addAttribute(CKA_MODULUS_BITS, "CKA_MODULUS_BITS"); - addAttribute(CKA_PUBLIC_EXPONENT, "CKA_PUBLIC_EXPONENT"); - addAttribute(CKA_PRIVATE_EXPONENT, "CKA_PRIVATE_EXPONENT"); - addAttribute(CKA_PRIME_1, "CKA_PRIME_1"); - addAttribute(CKA_PRIME_2, "CKA_PRIME_2"); - addAttribute(CKA_EXPONENT_1, "CKA_EXPONENT_1"); - addAttribute(CKA_EXPONENT_2, "CKA_EXPONENT_2"); - addAttribute(CKA_COEFFICIENT, "CKA_COEFFICIENT"); - addAttribute(CKA_PRIME, "CKA_PRIME"); - addAttribute(CKA_SUBPRIME, "CKA_SUBPRIME"); - addAttribute(CKA_BASE, "CKA_BASE"); - addAttribute(CKA_PRIME_BITS, "CKA_PRIME_BITS"); - addAttribute(CKA_SUB_PRIME_BITS, "CKA_SUB_PRIME_BITS"); - addAttribute(CKA_VALUE_BITS, "CKA_VALUE_BITS"); - addAttribute(CKA_VALUE_LEN, "CKA_VALUE_LEN"); - addAttribute(CKA_EXTRACTABLE, "CKA_EXTRACTABLE"); - addAttribute(CKA_LOCAL, "CKA_LOCAL"); - addAttribute(CKA_NEVER_EXTRACTABLE, "CKA_NEVER_EXTRACTABLE"); - addAttribute(CKA_ALWAYS_SENSITIVE, "CKA_ALWAYS_SENSITIVE"); - addAttribute(CKA_KEY_GEN_MECHANISM, "CKA_KEY_GEN_MECHANISM"); - addAttribute(CKA_MODIFIABLE, "CKA_MODIFIABLE"); - addAttribute(CKA_EC_PARAMS, "CKA_EC_PARAMS"); - addAttribute(CKA_EC_POINT, "CKA_EC_POINT"); - addAttribute(CKA_SECONDARY_AUTH, "CKA_SECONDARY_AUTH"); - addAttribute(CKA_AUTH_PIN_FLAGS, "CKA_AUTH_PIN_FLAGS"); - addAttribute(CKA_HW_FEATURE_TYPE, "CKA_HW_FEATURE_TYPE"); - addAttribute(CKA_RESET_ON_INIT, "CKA_RESET_ON_INIT"); - addAttribute(CKA_HAS_RESET, "CKA_HAS_RESET"); - addAttribute(CKA_VENDOR_DEFINED, "CKA_VENDOR_DEFINED"); - addAttribute(CKA_NETSCAPE_DB, "CKA_NETSCAPE_DB"); - - addAttribute(CKA_NETSCAPE_TRUST_SERVER_AUTH, "CKA_NETSCAPE_TRUST_SERVER_AUTH"); - addAttribute(CKA_NETSCAPE_TRUST_CLIENT_AUTH, "CKA_NETSCAPE_TRUST_CLIENT_AUTH"); - addAttribute(CKA_NETSCAPE_TRUST_CODE_SIGNING, "CKA_NETSCAPE_TRUST_CODE_SIGNING"); - addAttribute(CKA_NETSCAPE_TRUST_EMAIL_PROTECTION, "CKA_NETSCAPE_TRUST_EMAIL_PROTECTION"); - addAttribute(CKA_NETSCAPE_CERT_SHA1_HASH, "CKA_NETSCAPE_CERT_SHA1_HASH"); - addAttribute(CKA_NETSCAPE_CERT_MD5_HASH, "CKA_NETSCAPE_CERT_MD5_HASH"); - - addObjectClass(CKO_DATA, "CKO_DATA"); - addObjectClass(CKO_CERTIFICATE, "CKO_CERTIFICATE"); - addObjectClass(CKO_PUBLIC_KEY, "CKO_PUBLIC_KEY"); - addObjectClass(CKO_PRIVATE_KEY, "CKO_PRIVATE_KEY"); - addObjectClass(CKO_SECRET_KEY, "CKO_SECRET_KEY"); - addObjectClass(CKO_HW_FEATURE, "CKO_HW_FEATURE"); - addObjectClass(CKO_DOMAIN_PARAMETERS, "CKO_DOMAIN_PARAMETERS"); - addObjectClass(CKO_VENDOR_DEFINED, "CKO_VENDOR_DEFINED"); - - addObjectClass(PCKO_ANY, "*"); - - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java 2017-01-20 09:52:52.022288439 -0800 @@ -0,0 +1,905 @@ +/* + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + +import java.math.BigInteger; + +import java.util.*; + +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * This class contains onyl static methods. It is the place for all functions + * that are used by several classes in this package. + * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ +public class Functions { + + // maps between ids and their names, forward and reverse + // ids are stored as Integers to save space + // since only the lower 32 bits are ever used anyway + + // mechanisms (CKM_*) + private static final Map mechNames = + new HashMap(); + + private static final Map mechIds = + new HashMap(); + + // key types (CKK_*) + private static final Map keyNames = + new HashMap(); + + private static final Map keyIds = + new HashMap(); + + // attributes (CKA_*) + private static final Map attributeNames = + new HashMap(); + + private static final Map attributeIds = + new HashMap(); + + // object classes (CKO_*) + private static final Map objectClassNames = + new HashMap(); + + private static final Map objectClassIds = + new HashMap(); + + + /** + * For converting numbers to their hex presentation. + */ + private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray(); + + /** + * Converts a long value to a hexadecimal String of length 16. Includes + * leading zeros if necessary. + * + * @param value The long value to be converted. + * @return The hexadecimal string representation of the long value. + */ + public static String toFullHexString(long value) { + long currentValue = value; + StringBuilder sb = new StringBuilder(16); + for(int j = 0; j < 16; j++) { + int currentDigit = (int) currentValue & 0xf; + sb.append(HEX_DIGITS[currentDigit]); + currentValue >>>= 4; + } + + return sb.reverse().toString(); + } + + /** + * Converts a int value to a hexadecimal String of length 8. Includes + * leading zeros if necessary. + * + * @param value The int value to be converted. + * @return The hexadecimal string representation of the int value. + */ + public static String toFullHexString(int value) { + int currentValue = value; + StringBuilder sb = new StringBuilder(8); + for(int i = 0; i < 8; i++) { + int currentDigit = currentValue & 0xf; + sb.append(HEX_DIGITS[currentDigit]); + currentValue >>>= 4; + } + + return sb.reverse().toString(); + } + + /** + * converts a long value to a hexadecimal String + * + * @param value the long value to be converted + * @return the hexadecimal string representation of the long value + */ + public static String toHexString(long value) { + return Long.toHexString(value); + } + + /** + * Converts a byte array to a hexadecimal String. Each byte is presented by + * its two digit hex-code; 0x0A -> "0a", 0x00 -> "00". No leading "0x" is + * included in the result. + * + * @param value the byte array to be converted + * @return the hexadecimal string representation of the byte array + */ + public static String toHexString(byte[] value) { + if (value == null) { + return null; + } + + StringBuilder sb = new StringBuilder(2 * value.length); + int single; + + for (int i = 0; i < value.length; i++) { + single = value[i] & 0xFF; + + if (single < 0x10) { + sb.append('0'); + } + + sb.append(Integer.toString(single, 16)); + } + + return sb.toString(); + } + + /** + * converts a long value to a binary String + * + * @param value the long value to be converted + * @return the binary string representation of the long value + */ + public static String toBinaryString(long value) { + return Long.toString(value, 2); + } + + /** + * converts a byte array to a binary String + * + * @param value the byte array to be converted + * @return the binary string representation of the byte array + */ + public static String toBinaryString(byte[] value) { + BigInteger helpBigInteger = new BigInteger(1, value); + + return helpBigInteger.toString(2); + } + + private static class Flags { + private final long[] flagIds; + private final String[] flagNames; + Flags(long[] flagIds, String[] flagNames) { + if (flagIds.length != flagNames.length) { + throw new AssertionError("Array lengths do not match"); + } + this.flagIds = flagIds; + this.flagNames = flagNames; + } + String toString(long val) { + StringBuilder sb = new StringBuilder(); + boolean first = true; + for (int i = 0; i < flagIds.length; i++) { + if ((val & flagIds[i]) != 0) { + if (first == false) { + sb.append(" | "); + } + sb.append(flagNames[i]); + first = false; + } + } + return sb.toString(); + } + } + + private static final Flags slotInfoFlags = new Flags(new long[] { + CKF_TOKEN_PRESENT, + CKF_REMOVABLE_DEVICE, + CKF_HW_SLOT, + }, new String[] { + "CKF_TOKEN_PRESENT", + "CKF_REMOVABLE_DEVICE", + "CKF_HW_SLOT", + }); + + /** + * converts the long value flags to a SlotInfoFlag string + * + * @param flags the flags to be converted + * @return the SlotInfoFlag string representation of the flags + */ + public static String slotInfoFlagsToString(long flags) { + return slotInfoFlags.toString(flags); + } + + private static final Flags tokenInfoFlags = new Flags(new long[] { + CKF_RNG, + CKF_WRITE_PROTECTED, + CKF_LOGIN_REQUIRED, + CKF_USER_PIN_INITIALIZED, + CKF_RESTORE_KEY_NOT_NEEDED, + CKF_CLOCK_ON_TOKEN, + CKF_PROTECTED_AUTHENTICATION_PATH, + CKF_DUAL_CRYPTO_OPERATIONS, + CKF_TOKEN_INITIALIZED, + CKF_SECONDARY_AUTHENTICATION, + CKF_USER_PIN_COUNT_LOW, + CKF_USER_PIN_FINAL_TRY, + CKF_USER_PIN_LOCKED, + CKF_USER_PIN_TO_BE_CHANGED, + CKF_SO_PIN_COUNT_LOW, + CKF_SO_PIN_FINAL_TRY, + CKF_SO_PIN_LOCKED, + CKF_SO_PIN_TO_BE_CHANGED, + }, new String[] { + "CKF_RNG", + "CKF_WRITE_PROTECTED", + "CKF_LOGIN_REQUIRED", + "CKF_USER_PIN_INITIALIZED", + "CKF_RESTORE_KEY_NOT_NEEDED", + "CKF_CLOCK_ON_TOKEN", + "CKF_PROTECTED_AUTHENTICATION_PATH", + "CKF_DUAL_CRYPTO_OPERATIONS", + "CKF_TOKEN_INITIALIZED", + "CKF_SECONDARY_AUTHENTICATION", + "CKF_USER_PIN_COUNT_LOW", + "CKF_USER_PIN_FINAL_TRY", + "CKF_USER_PIN_LOCKED", + "CKF_USER_PIN_TO_BE_CHANGED", + "CKF_SO_PIN_COUNT_LOW", + "CKF_SO_PIN_FINAL_TRY", + "CKF_SO_PIN_LOCKED", + "CKF_SO_PIN_TO_BE_CHANGED", + }); + + /** + * converts long value flags to a TokenInfoFlag string + * + * @param flags the flags to be converted + * @return the TokenInfoFlag string representation of the flags + */ + public static String tokenInfoFlagsToString(long flags) { + return tokenInfoFlags.toString(flags); + } + + private static final Flags sessionInfoFlags = new Flags(new long[] { + CKF_RW_SESSION, + CKF_SERIAL_SESSION, + }, new String[] { + "CKF_RW_SESSION", + "CKF_SERIAL_SESSION", + }); + + /** + * converts the long value flags to a SessionInfoFlag string + * + * @param flags the flags to be converted + * @return the SessionInfoFlag string representation of the flags + */ + public static String sessionInfoFlagsToString(long flags) { + return sessionInfoFlags.toString(flags); + } + + /** + * converts the long value state to a SessionState string + * + * @param state the state to be converted + * @return the SessionState string representation of the state + */ + public static String sessionStateToString(long state) { + String name; + + if (state == CKS_RO_PUBLIC_SESSION) { + name = "CKS_RO_PUBLIC_SESSION"; + } else if (state == CKS_RO_USER_FUNCTIONS) { + name = "CKS_RO_USER_FUNCTIONS"; + } else if (state == CKS_RW_PUBLIC_SESSION) { + name = "CKS_RW_PUBLIC_SESSION"; + } else if (state == CKS_RW_USER_FUNCTIONS) { + name = "CKS_RW_USER_FUNCTIONS"; + } else if (state == CKS_RW_SO_FUNCTIONS) { + name = "CKS_RW_SO_FUNCTIONS"; + } else { + name = "ERROR: unknown session state 0x" + toFullHexString(state); + } + + return name; + } + + private static final Flags mechanismInfoFlags = new Flags(new long[] { + CKF_HW, + CKF_ENCRYPT, + CKF_DECRYPT, + CKF_DIGEST, + CKF_SIGN, + CKF_SIGN_RECOVER, + CKF_VERIFY, + CKF_VERIFY_RECOVER, + CKF_GENERATE, + CKF_GENERATE_KEY_PAIR, + CKF_WRAP, + CKF_UNWRAP, + CKF_DERIVE, + CKF_EC_F_P, + CKF_EC_F_2M, + CKF_EC_ECPARAMETERS, + CKF_EC_NAMEDCURVE, + CKF_EC_UNCOMPRESS, + CKF_EC_COMPRESS, + CKF_EXTENSION, + }, new String[] { + "CKF_HW", + "CKF_ENCRYPT", + "CKF_DECRYPT", + "CKF_DIGEST", + "CKF_SIGN", + "CKF_SIGN_RECOVER", + "CKF_VERIFY", + "CKF_VERIFY_RECOVER", + "CKF_GENERATE", + "CKF_GENERATE_KEY_PAIR", + "CKF_WRAP", + "CKF_UNWRAP", + "CKF_DERIVE", + "CKF_EC_F_P", + "CKF_EC_F_2M", + "CKF_EC_ECPARAMETERS", + "CKF_EC_NAMEDCURVE", + "CKF_EC_UNCOMPRESS", + "CKF_EC_COMPRESS", + "CKF_EXTENSION", + }); + + /** + * converts the long value flags to a MechanismInfoFlag string + * + * @param flags the flags to be converted + * @return the MechanismInfoFlag string representation of the flags + */ + public static String mechanismInfoFlagsToString(long flags) { + return mechanismInfoFlags.toString(flags); + } + + private static String getName(Map nameMap, long id) { + String name = null; + if ((id >>> 32) == 0) { + name = nameMap.get(Integer.valueOf((int)id)); + } + if (name == null) { + name = "Unknown 0x" + toFullHexString(id); + } + return name; + } + + public static long getId(Map idMap, String name) { + Integer mech = idMap.get(name); + if (mech == null) { + throw new IllegalArgumentException("Unknown name " + name); + } + return mech.intValue() & 0xffffffffL; + } + + public static String getMechanismName(long id) { + return getName(mechNames, id); + } + + public static long getMechanismId(String name) { + return getId(mechIds, name); + } + + public static String getKeyName(long id) { + return getName(keyNames, id); + } + + public static long getKeyId(String name) { + return getId(keyIds, name); + } + + public static String getAttributeName(long id) { + return getName(attributeNames, id); + } + + public static long getAttributeId(String name) { + return getId(attributeIds, name); + } + + public static String getObjectClassName(long id) { + return getName(objectClassNames, id); + } + + public static long getObjectClassId(String name) { + return getId(objectClassIds, name); + } + + /** + * Check the given arrays for equalitiy. This method considers both arrays as + * equal, if both are null or both have the same length and + * contain exactly the same char values. + * + * @param array1 The first array. + * @param array2 The second array. + * @return True, if both arrays are null or both have the same + * length and contain exactly the same char values. False, otherwise. + * @preconditions + * @postconditions + */ + private static boolean equals(char[] array1, char[] array2) { + return Arrays.equals(array1, array2); + } + + /** + * Check the given dates for equalitiy. This method considers both dates as + * equal, if both are null or both contain exactly the same char + * values. + * + * @param date1 The first date. + * @param date2 The second date. + * @return True, if both dates are null or both contain the same + * char values. False, otherwise. + * @preconditions + * @postconditions + */ + public static boolean equals(CK_DATE date1, CK_DATE date2) { + boolean equal = false; + + if (date1 == date2) { + equal = true; + } else if ((date1 != null) && (date2 != null)) { + equal = equals(date1.year, date2.year) + && equals(date1.month, date2.month) + && equals(date1.day, date2.day); + } else { + equal = false; + } + + return equal ; + } + + /** + * Calculate a hash code for the given byte array. + * + * @param array The byte array. + * @return A hash code for the given array. + * @preconditions + * @postconditions + */ + public static int hashCode(byte[] array) { + int hash = 0; + + if (array != null) { + for (int i = 0; (i < 4) && (i < array.length); i++) { + hash ^= (0xFF & array[i]) << ((i%4) << 3); + } + } + + return hash ; + } + + /** + * Calculate a hash code for the given char array. + * + * @param array The char array. + * @return A hash code for the given array. + * @preconditions + * @postconditions + */ + public static int hashCode(char[] array) { + int hash = 0; + + if (array != null) { + for (int i = 0; (i < 4) && (i < array.length); i++) { + hash ^= (0xFFFF & array[i]) << ((i%2) << 4); + } + } + + return hash ; + } + + /** + * Calculate a hash code for the given date object. + * + * @param date The date object. + * @return A hash code for the given date. + * @preconditions + * @postconditions + */ + public static int hashCode(CK_DATE date) { + int hash = 0; + + if (date != null) { + if (date.year.length == 4) { + hash ^= (0xFFFF & date.year[0]) << 16; + hash ^= 0xFFFF & date.year[1]; + hash ^= (0xFFFF & date.year[2]) << 16; + hash ^= 0xFFFF & date.year[3]; + } + if (date.month.length == 2) { + hash ^= (0xFFFF & date.month[0]) << 16; + hash ^= 0xFFFF & date.month[1]; + } + if (date.day.length == 2) { + hash ^= (0xFFFF & date.day[0]) << 16; + hash ^= 0xFFFF & date.day[1]; + } + } + + return hash ; + } + + private static void addMapping(Map nameMap, + Map idMap, long id, String name) { + if ((id >>> 32) != 0) { + throw new AssertionError("Id has high bits set: " + id + ", " + name); + } + Integer intId = Integer.valueOf((int)id); + if (nameMap.put(intId, name) != null) { + throw new AssertionError("Duplicate id: " + id + ", " + name); + } + if (idMap.put(name, intId) != null) { + throw new AssertionError("Duplicate name: " + id + ", " + name); + } + } + + private static void addMech(long id, String name) { + addMapping(mechNames, mechIds, id, name); + } + + private static void addKeyType(long id, String name) { + addMapping(keyNames, keyIds, id, name); + } + + private static void addAttribute(long id, String name) { + addMapping(attributeNames, attributeIds, id, name); + } + + private static void addObjectClass(long id, String name) { + addMapping(objectClassNames, objectClassIds, id, name); + } + + static { + addMech(CKM_RSA_PKCS_KEY_PAIR_GEN, "CKM_RSA_PKCS_KEY_PAIR_GEN"); + addMech(CKM_RSA_PKCS, "CKM_RSA_PKCS"); + addMech(CKM_RSA_9796, "CKM_RSA_9796"); + addMech(CKM_RSA_X_509, "CKM_RSA_X_509"); + addMech(CKM_MD2_RSA_PKCS, "CKM_MD2_RSA_PKCS"); + addMech(CKM_MD5_RSA_PKCS, "CKM_MD5_RSA_PKCS"); + addMech(CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"); + addMech(CKM_RIPEMD128_RSA_PKCS, "CKM_RIPEMD128_RSA_PKCS"); + addMech(CKM_RIPEMD160_RSA_PKCS, "CKM_RIPEMD160_RSA_PKCS"); + addMech(CKM_RSA_PKCS_OAEP, "CKM_RSA_PKCS_OAEP"); + addMech(CKM_RSA_X9_31_KEY_PAIR_GEN, "CKM_RSA_X9_31_KEY_PAIR_GEN"); + addMech(CKM_RSA_X9_31, "CKM_RSA_X9_31"); + addMech(CKM_SHA1_RSA_X9_31, "CKM_SHA1_RSA_X9_31"); + addMech(CKM_RSA_PKCS_PSS, "CKM_RSA_PKCS_PSS"); + addMech(CKM_SHA1_RSA_PKCS_PSS, "CKM_SHA1_RSA_PKCS_PSS"); + addMech(CKM_DSA_KEY_PAIR_GEN, "CKM_DSA_KEY_PAIR_GEN"); + addMech(CKM_DSA, "CKM_DSA"); + addMech(CKM_DSA_SHA1, "CKM_DSA_SHA1"); + addMech(CKM_DH_PKCS_KEY_PAIR_GEN, "CKM_DH_PKCS_KEY_PAIR_GEN"); + addMech(CKM_DH_PKCS_DERIVE, "CKM_DH_PKCS_DERIVE"); + addMech(CKM_X9_42_DH_KEY_PAIR_GEN, "CKM_X9_42_DH_KEY_PAIR_GEN"); + addMech(CKM_X9_42_DH_DERIVE, "CKM_X9_42_DH_DERIVE"); + addMech(CKM_X9_42_DH_HYBRID_DERIVE, "CKM_X9_42_DH_HYBRID_DERIVE"); + addMech(CKM_X9_42_MQV_DERIVE, "CKM_X9_42_MQV_DERIVE"); + addMech(CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"); + addMech(CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"); + addMech(CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"); + addMech(CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"); + addMech(CKM_RC2_KEY_GEN, "CKM_RC2_KEY_GEN"); + addMech(CKM_RC2_ECB, "CKM_RC2_ECB"); + addMech(CKM_RC2_CBC, "CKM_RC2_CBC"); + addMech(CKM_RC2_MAC, "CKM_RC2_MAC"); + addMech(CKM_RC2_MAC_GENERAL, "CKM_RC2_MAC_GENERAL"); + addMech(CKM_RC2_CBC_PAD, "CKM_RC2_CBC_PAD"); + addMech(CKM_RC4_KEY_GEN, "CKM_RC4_KEY_GEN"); + addMech(CKM_RC4, "CKM_RC4"); + addMech(CKM_DES_KEY_GEN, "CKM_DES_KEY_GEN"); + addMech(CKM_DES_ECB, "CKM_DES_ECB"); + addMech(CKM_DES_CBC, "CKM_DES_CBC"); + addMech(CKM_DES_MAC, "CKM_DES_MAC"); + addMech(CKM_DES_MAC_GENERAL, "CKM_DES_MAC_GENERAL"); + addMech(CKM_DES_CBC_PAD, "CKM_DES_CBC_PAD"); + addMech(CKM_DES2_KEY_GEN, "CKM_DES2_KEY_GEN"); + addMech(CKM_DES3_KEY_GEN, "CKM_DES3_KEY_GEN"); + addMech(CKM_DES3_ECB, "CKM_DES3_ECB"); + addMech(CKM_DES3_CBC, "CKM_DES3_CBC"); + addMech(CKM_DES3_MAC, "CKM_DES3_MAC"); + addMech(CKM_DES3_MAC_GENERAL, "CKM_DES3_MAC_GENERAL"); + addMech(CKM_DES3_CBC_PAD, "CKM_DES3_CBC_PAD"); + addMech(CKM_CDMF_KEY_GEN, "CKM_CDMF_KEY_GEN"); + addMech(CKM_CDMF_ECB, "CKM_CDMF_ECB"); + addMech(CKM_CDMF_CBC, "CKM_CDMF_CBC"); + addMech(CKM_CDMF_MAC, "CKM_CDMF_MAC"); + addMech(CKM_CDMF_MAC_GENERAL, "CKM_CDMF_MAC_GENERAL"); + addMech(CKM_CDMF_CBC_PAD, "CKM_CDMF_CBC_PAD"); + addMech(CKM_MD2, "CKM_MD2"); + addMech(CKM_MD2_HMAC, "CKM_MD2_HMAC"); + addMech(CKM_MD2_HMAC_GENERAL, "CKM_MD2_HMAC_GENERAL"); + addMech(CKM_MD5, "CKM_MD5"); + addMech(CKM_MD5_HMAC, "CKM_MD5_HMAC"); + addMech(CKM_MD5_HMAC_GENERAL, "CKM_MD5_HMAC_GENERAL"); + addMech(CKM_SHA_1, "CKM_SHA_1"); + addMech(CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"); + addMech(CKM_SHA_1_HMAC_GENERAL, "CKM_SHA_1_HMAC_GENERAL"); + addMech(CKM_RIPEMD128, "CKM_RIPEMD128"); + addMech(CKM_RIPEMD128_HMAC, "CKM_RIPEMD128_HMAC"); + addMech(CKM_RIPEMD128_HMAC_GENERAL, "CKM_RIPEMD128_HMAC_GENERAL"); + addMech(CKM_RIPEMD160, "CKM_RIPEMD160"); + addMech(CKM_RIPEMD160_HMAC, "CKM_RIPEMD160_HMAC"); + addMech(CKM_RIPEMD160_HMAC_GENERAL, "CKM_RIPEMD160_HMAC_GENERAL"); + addMech(CKM_SHA224, "CKM_SHA224"); + addMech(CKM_SHA224_HMAC, "CKM_SHA224_HMAC"); + addMech(CKM_SHA224_HMAC_GENERAL, "CKM_SHA224_HMAC_GENERAL"); + addMech(CKM_SHA256, "CKM_SHA256"); + addMech(CKM_SHA256_HMAC, "CKM_SHA256_HMAC"); + addMech(CKM_SHA256_HMAC_GENERAL, "CKM_SHA256_HMAC_GENERAL"); + addMech(CKM_SHA384, "CKM_SHA384"); + addMech(CKM_SHA384_HMAC, "CKM_SHA384_HMAC"); + addMech(CKM_SHA384_HMAC_GENERAL, "CKM_SHA384_HMAC_GENERAL"); + addMech(CKM_SHA512, "CKM_SHA512"); + addMech(CKM_SHA512_HMAC, "CKM_SHA512_HMAC"); + addMech(CKM_SHA512_HMAC_GENERAL, "CKM_SHA512_HMAC_GENERAL"); + addMech(CKM_CAST_KEY_GEN, "CKM_CAST_KEY_GEN"); + addMech(CKM_CAST_ECB, "CKM_CAST_ECB"); + addMech(CKM_CAST_CBC, "CKM_CAST_CBC"); + addMech(CKM_CAST_MAC, "CKM_CAST_MAC"); + addMech(CKM_CAST_MAC_GENERAL, "CKM_CAST_MAC_GENERAL"); + addMech(CKM_CAST_CBC_PAD, "CKM_CAST_CBC_PAD"); + addMech(CKM_CAST3_KEY_GEN, "CKM_CAST3_KEY_GEN"); + addMech(CKM_CAST3_ECB, "CKM_CAST3_ECB"); + addMech(CKM_CAST3_CBC, "CKM_CAST3_CBC"); + addMech(CKM_CAST3_MAC, "CKM_CAST3_MAC"); + addMech(CKM_CAST3_MAC_GENERAL, "CKM_CAST3_MAC_GENERAL"); + addMech(CKM_CAST3_CBC_PAD, "CKM_CAST3_CBC_PAD"); + addMech(CKM_CAST128_KEY_GEN, "CKM_CAST128_KEY_GEN"); + addMech(CKM_CAST128_ECB, "CKM_CAST128_ECB"); + addMech(CKM_CAST128_CBC, "CKM_CAST128_CBC"); + addMech(CKM_CAST128_MAC, "CKM_CAST128_MAC"); + addMech(CKM_CAST128_MAC_GENERAL, "CKM_CAST128_MAC_GENERAL"); + addMech(CKM_CAST128_CBC_PAD, "CKM_CAST128_CBC_PAD"); + addMech(CKM_RC5_KEY_GEN, "CKM_RC5_KEY_GEN"); + addMech(CKM_RC5_ECB, "CKM_RC5_ECB"); + addMech(CKM_RC5_CBC, "CKM_RC5_CBC"); + addMech(CKM_RC5_MAC, "CKM_RC5_MAC"); + addMech(CKM_RC5_MAC_GENERAL, "CKM_RC5_MAC_GENERAL"); + addMech(CKM_RC5_CBC_PAD, "CKM_RC5_CBC_PAD"); + addMech(CKM_IDEA_KEY_GEN, "CKM_IDEA_KEY_GEN"); + addMech(CKM_IDEA_ECB, "CKM_IDEA_ECB"); + addMech(CKM_IDEA_CBC, "CKM_IDEA_CBC"); + addMech(CKM_IDEA_MAC, "CKM_IDEA_MAC"); + addMech(CKM_IDEA_MAC_GENERAL, "CKM_IDEA_MAC_GENERAL"); + addMech(CKM_IDEA_CBC_PAD, "CKM_IDEA_CBC_PAD"); + addMech(CKM_GENERIC_SECRET_KEY_GEN, "CKM_GENERIC_SECRET_KEY_GEN"); + addMech(CKM_CONCATENATE_BASE_AND_KEY, "CKM_CONCATENATE_BASE_AND_KEY"); + addMech(CKM_CONCATENATE_BASE_AND_DATA, "CKM_CONCATENATE_BASE_AND_DATA"); + addMech(CKM_CONCATENATE_DATA_AND_BASE, "CKM_CONCATENATE_DATA_AND_BASE"); + addMech(CKM_XOR_BASE_AND_DATA, "CKM_XOR_BASE_AND_DATA"); + addMech(CKM_EXTRACT_KEY_FROM_KEY, "CKM_EXTRACT_KEY_FROM_KEY"); + addMech(CKM_SSL3_PRE_MASTER_KEY_GEN, "CKM_SSL3_PRE_MASTER_KEY_GEN"); + addMech(CKM_SSL3_MASTER_KEY_DERIVE, "CKM_SSL3_MASTER_KEY_DERIVE"); + addMech(CKM_SSL3_KEY_AND_MAC_DERIVE, "CKM_SSL3_KEY_AND_MAC_DERIVE"); + addMech(CKM_SSL3_MASTER_KEY_DERIVE_DH, "CKM_SSL3_MASTER_KEY_DERIVE_DH"); + addMech(CKM_TLS_PRE_MASTER_KEY_GEN, "CKM_TLS_PRE_MASTER_KEY_GEN"); + addMech(CKM_TLS_MASTER_KEY_DERIVE, "CKM_TLS_MASTER_KEY_DERIVE"); + addMech(CKM_TLS_KEY_AND_MAC_DERIVE, "CKM_TLS_KEY_AND_MAC_DERIVE"); + addMech(CKM_TLS_MASTER_KEY_DERIVE_DH, "CKM_TLS_MASTER_KEY_DERIVE_DH"); + addMech(CKM_TLS_PRF, "CKM_TLS_PRF"); + addMech(CKM_SSL3_MD5_MAC, "CKM_SSL3_MD5_MAC"); + addMech(CKM_SSL3_SHA1_MAC, "CKM_SSL3_SHA1_MAC"); + addMech(CKM_MD5_KEY_DERIVATION, "CKM_MD5_KEY_DERIVATION"); + addMech(CKM_MD2_KEY_DERIVATION, "CKM_MD2_KEY_DERIVATION"); + addMech(CKM_SHA1_KEY_DERIVATION, "CKM_SHA1_KEY_DERIVATION"); + addMech(CKM_SHA224_KEY_DERIVATION, "CKM_SHA224_KEY_DERIVATION"); + addMech(CKM_SHA256_KEY_DERIVATION, "CKM_SHA256_KEY_DERIVATION"); + addMech(CKM_SHA384_KEY_DERIVATION, "CKM_SHA384_KEY_DERIVATION"); + addMech(CKM_SHA512_KEY_DERIVATION, "CKM_SHA512_KEY_DERIVATION"); + addMech(CKM_PBE_MD2_DES_CBC, "CKM_PBE_MD2_DES_CBC"); + addMech(CKM_PBE_MD5_DES_CBC, "CKM_PBE_MD5_DES_CBC"); + addMech(CKM_PBE_MD5_CAST_CBC, "CKM_PBE_MD5_CAST_CBC"); + addMech(CKM_PBE_MD5_CAST3_CBC, "CKM_PBE_MD5_CAST3_CBC"); + addMech(CKM_PBE_MD5_CAST128_CBC, "CKM_PBE_MD5_CAST128_CBC"); + addMech(CKM_PBE_SHA1_CAST128_CBC, "CKM_PBE_SHA1_CAST128_CBC"); + addMech(CKM_PBE_SHA1_RC4_128, "CKM_PBE_SHA1_RC4_128"); + addMech(CKM_PBE_SHA1_RC4_40, "CKM_PBE_SHA1_RC4_40"); + addMech(CKM_PBE_SHA1_DES3_EDE_CBC, "CKM_PBE_SHA1_DES3_EDE_CBC"); + addMech(CKM_PBE_SHA1_DES2_EDE_CBC, "CKM_PBE_SHA1_DES2_EDE_CBC"); + addMech(CKM_PBE_SHA1_RC2_128_CBC, "CKM_PBE_SHA1_RC2_128_CBC"); + addMech(CKM_PBE_SHA1_RC2_40_CBC, "CKM_PBE_SHA1_RC2_40_CBC"); + addMech(CKM_PKCS5_PBKD2, "CKM_PKCS5_PBKD2"); + addMech(CKM_PBA_SHA1_WITH_SHA1_HMAC, "CKM_PBA_SHA1_WITH_SHA1_HMAC"); + addMech(CKM_KEY_WRAP_LYNKS, "CKM_KEY_WRAP_LYNKS"); + addMech(CKM_KEY_WRAP_SET_OAEP, "CKM_KEY_WRAP_SET_OAEP"); + addMech(CKM_SKIPJACK_KEY_GEN, "CKM_SKIPJACK_KEY_GEN"); + addMech(CKM_SKIPJACK_ECB64, "CKM_SKIPJACK_ECB64"); + addMech(CKM_SKIPJACK_CBC64, "CKM_SKIPJACK_CBC64"); + addMech(CKM_SKIPJACK_OFB64, "CKM_SKIPJACK_OFB64"); + addMech(CKM_SKIPJACK_CFB64, "CKM_SKIPJACK_CFB64"); + addMech(CKM_SKIPJACK_CFB32, "CKM_SKIPJACK_CFB32"); + addMech(CKM_SKIPJACK_CFB16, "CKM_SKIPJACK_CFB16"); + addMech(CKM_SKIPJACK_CFB8, "CKM_SKIPJACK_CFB8"); + addMech(CKM_SKIPJACK_WRAP, "CKM_SKIPJACK_WRAP"); + addMech(CKM_SKIPJACK_PRIVATE_WRAP, "CKM_SKIPJACK_PRIVATE_WRAP"); + addMech(CKM_SKIPJACK_RELAYX, "CKM_SKIPJACK_RELAYX"); + addMech(CKM_KEA_KEY_PAIR_GEN, "CKM_KEA_KEY_PAIR_GEN"); + addMech(CKM_KEA_KEY_DERIVE, "CKM_KEA_KEY_DERIVE"); + addMech(CKM_FORTEZZA_TIMESTAMP, "CKM_FORTEZZA_TIMESTAMP"); + addMech(CKM_BATON_KEY_GEN, "CKM_BATON_KEY_GEN"); + addMech(CKM_BATON_ECB128, "CKM_BATON_ECB128"); + addMech(CKM_BATON_ECB96, "CKM_BATON_ECB96"); + addMech(CKM_BATON_CBC128, "CKM_BATON_CBC128"); + addMech(CKM_BATON_COUNTER, "CKM_BATON_COUNTER"); + addMech(CKM_BATON_SHUFFLE, "CKM_BATON_SHUFFLE"); + addMech(CKM_BATON_WRAP, "CKM_BATON_WRAP"); + addMech(CKM_EC_KEY_PAIR_GEN, "CKM_EC_KEY_PAIR_GEN"); + addMech(CKM_ECDSA, "CKM_ECDSA"); + addMech(CKM_ECDSA_SHA1, "CKM_ECDSA_SHA1"); + addMech(CKM_ECDH1_DERIVE, "CKM_ECDH1_DERIVE"); + addMech(CKM_ECDH1_COFACTOR_DERIVE, "CKM_ECDH1_COFACTOR_DERIVE"); + addMech(CKM_ECMQV_DERIVE, "CKM_ECMQV_DERIVE"); + addMech(CKM_JUNIPER_KEY_GEN, "CKM_JUNIPER_KEY_GEN"); + addMech(CKM_JUNIPER_ECB128, "CKM_JUNIPER_ECB128"); + addMech(CKM_JUNIPER_CBC128, "CKM_JUNIPER_CBC128"); + addMech(CKM_JUNIPER_COUNTER, "CKM_JUNIPER_COUNTER"); + addMech(CKM_JUNIPER_SHUFFLE, "CKM_JUNIPER_SHUFFLE"); + addMech(CKM_JUNIPER_WRAP, "CKM_JUNIPER_WRAP"); + addMech(CKM_FASTHASH, "CKM_FASTHASH"); + addMech(CKM_AES_KEY_GEN, "CKM_AES_KEY_GEN"); + addMech(CKM_AES_ECB, "CKM_AES_ECB"); + addMech(CKM_AES_CBC, "CKM_AES_CBC"); + addMech(CKM_AES_MAC, "CKM_AES_MAC"); + addMech(CKM_AES_MAC_GENERAL, "CKM_AES_MAC_GENERAL"); + addMech(CKM_AES_CBC_PAD, "CKM_AES_CBC_PAD"); + addMech(CKM_BLOWFISH_KEY_GEN, "CKM_BLOWFISH_KEY_GEN"); + addMech(CKM_BLOWFISH_CBC, "CKM_BLOWFISH_CBC"); + addMech(CKM_DSA_PARAMETER_GEN, "CKM_DSA_PARAMETER_GEN"); + addMech(CKM_DH_PKCS_PARAMETER_GEN, "CKM_DH_PKCS_PARAMETER_GEN"); + addMech(CKM_X9_42_DH_PARAMETER_GEN, "CKM_X9_42_DH_PARAMETER_GEN"); + addMech(CKM_VENDOR_DEFINED, "CKM_VENDOR_DEFINED"); + + addMech(CKM_NSS_TLS_PRF_GENERAL, "CKM_NSS_TLS_PRF_GENERAL"); + + addMech(PCKM_SECURERANDOM, "SecureRandom"); + addMech(PCKM_KEYSTORE, "KeyStore"); + + addKeyType(CKK_RSA, "CKK_RSA"); + addKeyType(CKK_DSA, "CKK_DSA"); + addKeyType(CKK_DH, "CKK_DH"); + addKeyType(CKK_EC, "CKK_EC"); + addKeyType(CKK_X9_42_DH, "CKK_X9_42_DH"); + addKeyType(CKK_KEA, "CKK_KEA"); + addKeyType(CKK_GENERIC_SECRET, "CKK_GENERIC_SECRET"); + addKeyType(CKK_RC2, "CKK_RC2"); + addKeyType(CKK_RC4, "CKK_RC4"); + addKeyType(CKK_DES, "CKK_DES"); + addKeyType(CKK_DES2, "CKK_DES2"); + addKeyType(CKK_DES3, "CKK_DES3"); + addKeyType(CKK_CAST, "CKK_CAST"); + addKeyType(CKK_CAST3, "CKK_CAST3"); + addKeyType(CKK_CAST128, "CKK_CAST128"); + addKeyType(CKK_RC5, "CKK_RC5"); + addKeyType(CKK_IDEA, "CKK_IDEA"); + addKeyType(CKK_SKIPJACK, "CKK_SKIPJACK"); + addKeyType(CKK_BATON, "CKK_BATON"); + addKeyType(CKK_JUNIPER, "CKK_JUNIPER"); + addKeyType(CKK_CDMF, "CKK_CDMF"); + addKeyType(CKK_AES, "CKK_AES"); + addKeyType(CKK_BLOWFISH, "CKK_BLOWFISH"); + addKeyType(CKK_VENDOR_DEFINED, "CKK_VENDOR_DEFINED"); + + addKeyType(PCKK_ANY, "*"); + + addAttribute(CKA_CLASS, "CKA_CLASS"); + addAttribute(CKA_TOKEN, "CKA_TOKEN"); + addAttribute(CKA_PRIVATE, "CKA_PRIVATE"); + addAttribute(CKA_LABEL, "CKA_LABEL"); + addAttribute(CKA_APPLICATION, "CKA_APPLICATION"); + addAttribute(CKA_VALUE, "CKA_VALUE"); + addAttribute(CKA_OBJECT_ID, "CKA_OBJECT_ID"); + addAttribute(CKA_CERTIFICATE_TYPE, "CKA_CERTIFICATE_TYPE"); + addAttribute(CKA_ISSUER, "CKA_ISSUER"); + addAttribute(CKA_SERIAL_NUMBER, "CKA_SERIAL_NUMBER"); + addAttribute(CKA_AC_ISSUER, "CKA_AC_ISSUER"); + addAttribute(CKA_OWNER, "CKA_OWNER"); + addAttribute(CKA_ATTR_TYPES, "CKA_ATTR_TYPES"); + addAttribute(CKA_TRUSTED, "CKA_TRUSTED"); + addAttribute(CKA_KEY_TYPE, "CKA_KEY_TYPE"); + addAttribute(CKA_SUBJECT, "CKA_SUBJECT"); + addAttribute(CKA_ID, "CKA_ID"); + addAttribute(CKA_SENSITIVE, "CKA_SENSITIVE"); + addAttribute(CKA_ENCRYPT, "CKA_ENCRYPT"); + addAttribute(CKA_DECRYPT, "CKA_DECRYPT"); + addAttribute(CKA_WRAP, "CKA_WRAP"); + addAttribute(CKA_UNWRAP, "CKA_UNWRAP"); + addAttribute(CKA_SIGN, "CKA_SIGN"); + addAttribute(CKA_SIGN_RECOVER, "CKA_SIGN_RECOVER"); + addAttribute(CKA_VERIFY, "CKA_VERIFY"); + addAttribute(CKA_VERIFY_RECOVER, "CKA_VERIFY_RECOVER"); + addAttribute(CKA_DERIVE, "CKA_DERIVE"); + addAttribute(CKA_START_DATE, "CKA_START_DATE"); + addAttribute(CKA_END_DATE, "CKA_END_DATE"); + addAttribute(CKA_MODULUS, "CKA_MODULUS"); + addAttribute(CKA_MODULUS_BITS, "CKA_MODULUS_BITS"); + addAttribute(CKA_PUBLIC_EXPONENT, "CKA_PUBLIC_EXPONENT"); + addAttribute(CKA_PRIVATE_EXPONENT, "CKA_PRIVATE_EXPONENT"); + addAttribute(CKA_PRIME_1, "CKA_PRIME_1"); + addAttribute(CKA_PRIME_2, "CKA_PRIME_2"); + addAttribute(CKA_EXPONENT_1, "CKA_EXPONENT_1"); + addAttribute(CKA_EXPONENT_2, "CKA_EXPONENT_2"); + addAttribute(CKA_COEFFICIENT, "CKA_COEFFICIENT"); + addAttribute(CKA_PRIME, "CKA_PRIME"); + addAttribute(CKA_SUBPRIME, "CKA_SUBPRIME"); + addAttribute(CKA_BASE, "CKA_BASE"); + addAttribute(CKA_PRIME_BITS, "CKA_PRIME_BITS"); + addAttribute(CKA_SUB_PRIME_BITS, "CKA_SUB_PRIME_BITS"); + addAttribute(CKA_VALUE_BITS, "CKA_VALUE_BITS"); + addAttribute(CKA_VALUE_LEN, "CKA_VALUE_LEN"); + addAttribute(CKA_EXTRACTABLE, "CKA_EXTRACTABLE"); + addAttribute(CKA_LOCAL, "CKA_LOCAL"); + addAttribute(CKA_NEVER_EXTRACTABLE, "CKA_NEVER_EXTRACTABLE"); + addAttribute(CKA_ALWAYS_SENSITIVE, "CKA_ALWAYS_SENSITIVE"); + addAttribute(CKA_KEY_GEN_MECHANISM, "CKA_KEY_GEN_MECHANISM"); + addAttribute(CKA_MODIFIABLE, "CKA_MODIFIABLE"); + addAttribute(CKA_EC_PARAMS, "CKA_EC_PARAMS"); + addAttribute(CKA_EC_POINT, "CKA_EC_POINT"); + addAttribute(CKA_SECONDARY_AUTH, "CKA_SECONDARY_AUTH"); + addAttribute(CKA_AUTH_PIN_FLAGS, "CKA_AUTH_PIN_FLAGS"); + addAttribute(CKA_HW_FEATURE_TYPE, "CKA_HW_FEATURE_TYPE"); + addAttribute(CKA_RESET_ON_INIT, "CKA_RESET_ON_INIT"); + addAttribute(CKA_HAS_RESET, "CKA_HAS_RESET"); + addAttribute(CKA_VENDOR_DEFINED, "CKA_VENDOR_DEFINED"); + addAttribute(CKA_NETSCAPE_DB, "CKA_NETSCAPE_DB"); + + addAttribute(CKA_NETSCAPE_TRUST_SERVER_AUTH, "CKA_NETSCAPE_TRUST_SERVER_AUTH"); + addAttribute(CKA_NETSCAPE_TRUST_CLIENT_AUTH, "CKA_NETSCAPE_TRUST_CLIENT_AUTH"); + addAttribute(CKA_NETSCAPE_TRUST_CODE_SIGNING, "CKA_NETSCAPE_TRUST_CODE_SIGNING"); + addAttribute(CKA_NETSCAPE_TRUST_EMAIL_PROTECTION, "CKA_NETSCAPE_TRUST_EMAIL_PROTECTION"); + addAttribute(CKA_NETSCAPE_CERT_SHA1_HASH, "CKA_NETSCAPE_CERT_SHA1_HASH"); + addAttribute(CKA_NETSCAPE_CERT_MD5_HASH, "CKA_NETSCAPE_CERT_MD5_HASH"); + + addObjectClass(CKO_DATA, "CKO_DATA"); + addObjectClass(CKO_CERTIFICATE, "CKO_CERTIFICATE"); + addObjectClass(CKO_PUBLIC_KEY, "CKO_PUBLIC_KEY"); + addObjectClass(CKO_PRIVATE_KEY, "CKO_PRIVATE_KEY"); + addObjectClass(CKO_SECRET_KEY, "CKO_SECRET_KEY"); + addObjectClass(CKO_HW_FEATURE, "CKO_HW_FEATURE"); + addObjectClass(CKO_DOMAIN_PARAMETERS, "CKO_DOMAIN_PARAMETERS"); + addObjectClass(CKO_VENDOR_DEFINED, "CKO_VENDOR_DEFINED"); + + addObjectClass(PCKO_ANY, "*"); + + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2017-01-20 09:52:52.598288418 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,1827 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - -import java.io.File; -import java.io.IOException; -import java.util.*; - -import java.security.AccessController; -import java.security.PrivilegedAction; - -import sun.security.util.Debug; - -import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -/** - * This is the default implementation of the PKCS11 interface. IT connects to - * the pkcs11wrapper.dll file, which is the native part of this library. - * The strange and awkward looking initialization was chosen to avoid calling - * loadLibrary from a static initialization block, because this would complicate - * the use in applets. - * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - * @invariants (pkcs11ModulePath_ <> null) - */ -public class PKCS11 { - - /** - * The name of the native part of the wrapper; i.e. the filename without - * the extension (e.g. ".DLL" or ".so"). - */ - private static final String PKCS11_WRAPPER = "j2pkcs11"; - - static { - // cannot use LoadLibraryAction because that would make the native - // library available to the bootclassloader, but we run in the - // extension classloader. - AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - System.loadLibrary(PKCS11_WRAPPER); - return null; - } - }); - boolean enableDebug = Debug.getInstance("sunpkcs11") != null; - initializeLibrary(enableDebug); - } - - public static void loadNative() { - // dummy method that can be called to make sure the native - // portion has been loaded. actual loading happens in the - // static initializer, hence this method is empty. - } - - /** - * The PKCS#11 module to connect to. This is the PKCS#11 driver of the token; - * e.g. pk2priv.dll. - */ - private final String pkcs11ModulePath; - - private long pNativeData; - - /** - * This method does the initialization of the native library. It is called - * exactly once for this class. - * - * @preconditions - * @postconditions - */ - private static native void initializeLibrary(boolean debug); - - // XXX - /** - * This method does the finalization of the native library. It is called - * exactly once for this class. The library uses this method for a clean-up - * of any resources. - * - * @preconditions - * @postconditions - */ - private static native void finalizeLibrary(); - - private static final Map moduleMap = - new HashMap(); - - /** - * Connects to the PKCS#11 driver given. The filename must contain the - * path, if the driver is not in the system's search path. - * - * @param pkcs11ModulePath the PKCS#11 library path - * @preconditions (pkcs11ModulePath <> null) - * @postconditions - */ - PKCS11(String pkcs11ModulePath, String functionListName) - throws IOException { - connect(pkcs11ModulePath, functionListName); - this.pkcs11ModulePath = pkcs11ModulePath; - } - - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { - pkcs11 = new PKCS11(pkcs11ModulePath, functionList); - } else { - pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); - } - if (omitInitialize == false) { - try { - pkcs11.C_Initialize(pInitArgs); - } catch (PKCS11Exception e) { - // ignore already-initialized error code - // rethrow all other errors - if (e.getErrorCode() != CKR_CRYPTOKI_ALREADY_INITIALIZED) { - throw e; - } - } - } - moduleMap.put(pkcs11ModulePath, pkcs11); - } - return pkcs11; - } - - /** - * Connects this object to the specified PKCS#11 library. This method is for - * internal use only. - * Declared private, because incorrect handling may result in errors in the - * native part. - * - * @param pkcs11ModulePath The PKCS#11 library path. - * @preconditions (pkcs11ModulePath <> null) - * @postconditions - */ - private native void connect(String pkcs11ModulePath, String functionListName) - throws IOException; - - /** - * Disconnects the PKCS#11 library from this object. After calling this - * method, this object is no longer connected to a native PKCS#11 module - * and any subsequent calls to C_ methods will fail. This method is for - * internal use only. - * Declared private, because incorrect handling may result in errors in the - * native part. - * - * @preconditions - * @postconditions - */ - private native void disconnect(); - - - // Implementation of PKCS11 methods delegated to native pkcs11wrapper library - -/* ***************************************************************************** - * General-purpose - ******************************************************************************/ - - /** - * C_Initialize initializes the Cryptoki library. - * (General-purpose) - * - * @param pInitArgs if pInitArgs is not NULL it gets casted to - * CK_C_INITIALIZE_ARGS_PTR and dereferenced - * (PKCS#11 param: CK_VOID_PTR pInitArgs) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - native void C_Initialize(Object pInitArgs) throws PKCS11Exception; - - /** - * C_Finalize indicates that an application is done with the - * Cryptoki library - * (General-purpose) - * - * @param pReserved is reserved. Should be NULL_PTR - * (PKCS#11 param: CK_VOID_PTR pReserved) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pReserved == null) - * @postconditions - */ - public native void C_Finalize(Object pReserved) throws PKCS11Exception; - - - /** - * C_GetInfo returns general information about Cryptoki. - * (General-purpose) - * - * @return the information. - * (PKCS#11 param: CK_INFO_PTR pInfo) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native CK_INFO C_GetInfo() throws PKCS11Exception; - - -/* ***************************************************************************** - * Slot and token management - ******************************************************************************/ - - /** - * C_GetSlotList obtains a list of slots in the system. - * (Slot and token management) - * - * @param tokenPresent if true only Slot IDs with a token are returned - * (PKCS#11 param: CK_BBOOL tokenPresent) - * @return a long array of slot IDs and number of Slot IDs - * (PKCS#11 param: CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native long[] C_GetSlotList(boolean tokenPresent) - throws PKCS11Exception; - - - /** - * C_GetSlotInfo obtains information about a particular slot in - * the system. - * (Slot and token management) - * - * @param slotID the ID of the slot - * (PKCS#11 param: CK_SLOT_ID slotID) - * @return the slot information - * (PKCS#11 param: CK_SLOT_INFO_PTR pInfo) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native CK_SLOT_INFO C_GetSlotInfo(long slotID) throws PKCS11Exception; - - - /** - * C_GetTokenInfo obtains information about a particular token - * in the system. - * (Slot and token management) - * - * @param slotID ID of the token's slot - * (PKCS#11 param: CK_SLOT_ID slotID) - * @return the token information - * (PKCS#11 param: CK_TOKEN_INFO_PTR pInfo) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native CK_TOKEN_INFO C_GetTokenInfo(long slotID) - throws PKCS11Exception; - - - /** - * C_GetMechanismList obtains a list of mechanism types - * supported by a token. - * (Slot and token management) - * - * @param slotID ID of the token's slot - * (PKCS#11 param: CK_SLOT_ID slotID) - * @return a long array of mechanism types and number of mechanism types - * (PKCS#11 param: CK_MECHANISM_TYPE_PTR pMechanismList, - * CK_ULONG_PTR pulCount) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native long[] C_GetMechanismList(long slotID) throws PKCS11Exception; - - - /** - * C_GetMechanismInfo obtains information about a particular - * mechanism possibly supported by a token. - * (Slot and token management) - * - * @param slotID ID of the token's slot - * (PKCS#11 param: CK_SLOT_ID slotID) - * @param type type of mechanism - * (PKCS#11 param: CK_MECHANISM_TYPE type) - * @return the mechanism info - * (PKCS#11 param: CK_MECHANISM_INFO_PTR pInfo) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, long type) - throws PKCS11Exception; - - - /** - * C_InitToken initializes a token. - * (Slot and token management) - * - * @param slotID ID of the token's slot - * (PKCS#11 param: CK_SLOT_ID slotID) - * @param pPin the SO's initial PIN and the length in bytes of the PIN - * (PKCS#11 param: CK_CHAR_PTR pPin, CK_ULONG ulPinLen) - * @param pLabel 32-byte token label (blank padded) - * (PKCS#11 param: CK_UTF8CHAR_PTR pLabel) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ -// public native void C_InitToken(long slotID, char[] pPin, char[] pLabel) -// throws PKCS11Exception; - - - /** - * C_InitPIN initializes the normal user's PIN. - * (Slot and token management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pPin the normal user's PIN and the length in bytes of the PIN - * (PKCS#11 param: CK_CHAR_PTR pPin, CK_ULONG ulPinLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ -// public native void C_InitPIN(long hSession, char[] pPin) -// throws PKCS11Exception; - - - /** - * C_SetPIN modifies the PIN of the user who is logged in. - * (Slot and token management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pOldPin the old PIN and the length of the old PIN - * (PKCS#11 param: CK_CHAR_PTR pOldPin, CK_ULONG ulOldLen) - * @param pNewPin the new PIN and the length of the new PIN - * (PKCS#11 param: CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ -// public native void C_SetPIN(long hSession, char[] pOldPin, char[] pNewPin) -// throws PKCS11Exception; - - - -/* ***************************************************************************** - * Session management - ******************************************************************************/ - - /** - * C_OpenSession opens a session between an application and a - * token. - * (Session management) - * - * @param slotID the slot's ID - * (PKCS#11 param: CK_SLOT_ID slotID) - * @param flags of CK_SESSION_INFO - * (PKCS#11 param: CK_FLAGS flags) - * @param pApplication passed to callback - * (PKCS#11 param: CK_VOID_PTR pApplication) - * @param Notify the callback function - * (PKCS#11 param: CK_NOTIFY Notify) - * @return the session handle - * (PKCS#11 param: CK_SESSION_HANDLE_PTR phSession) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native long C_OpenSession(long slotID, long flags, - Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception; - - - /** - * C_CloseSession closes a session between an application and a - * token. - * (Session management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_CloseSession(long hSession) throws PKCS11Exception; - - - /** - * C_CloseAllSessions closes all sessions with a token. - * (Session management) - * - * @param slotID the ID of the token's slot - * (PKCS#11 param: CK_SLOT_ID slotID) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ -// public native void C_CloseAllSessions(long slotID) throws PKCS11Exception; - - - /** - * C_GetSessionInfo obtains information about the session. - * (Session management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @return the session info - * (PKCS#11 param: CK_SESSION_INFO_PTR pInfo) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native CK_SESSION_INFO C_GetSessionInfo(long hSession) - throws PKCS11Exception; - - - /** - * C_GetOperationState obtains the state of the cryptographic operation - * in a session. - * (Session management) - * - * @param hSession session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @return the state and the state length - * (PKCS#11 param: CK_BYTE_PTR pOperationState, - * CK_ULONG_PTR pulOperationStateLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native byte[] C_GetOperationState(long hSession) - throws PKCS11Exception; - - - /** - * C_SetOperationState restores the state of the cryptographic - * operation in a session. - * (Session management) - * - * @param hSession session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pOperationState the state and the state length - * (PKCS#11 param: CK_BYTE_PTR pOperationState, - * CK_ULONG ulOperationStateLen) - * @param hEncryptionKey en/decryption key - * (PKCS#11 param: CK_OBJECT_HANDLE hEncryptionKey) - * @param hAuthenticationKey sign/verify key - * (PKCS#11 param: CK_OBJECT_HANDLE hAuthenticationKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_SetOperationState(long hSession, byte[] pOperationState, - long hEncryptionKey, long hAuthenticationKey) throws PKCS11Exception; - - - /** - * C_Login logs a user into a token. - * (Session management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param userType the user type - * (PKCS#11 param: CK_USER_TYPE userType) - * @param pPin the user's PIN and the length of the PIN - * (PKCS#11 param: CK_CHAR_PTR pPin, CK_ULONG ulPinLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_Login(long hSession, long userType, char[] pPin) - throws PKCS11Exception; - - - /** - * C_Logout logs a user out from a token. - * (Session management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_Logout(long hSession) throws PKCS11Exception; - - - -/* ***************************************************************************** - * Object management - ******************************************************************************/ - - /** - * C_CreateObject creates a new object. - * (Object management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pTemplate the object's template and number of attributes in - * template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) - * @return the object's handle - * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phObject) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native long C_CreateObject(long hSession, CK_ATTRIBUTE[] pTemplate) - throws PKCS11Exception; - - - /** - * C_CopyObject copies an object, creating a new object for the - * copy. - * (Object management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param hObject the object's handle - * (PKCS#11 param: CK_OBJECT_HANDLE hObject) - * @param pTemplate the template for the new object and number of attributes - * in template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) - * @return the handle of the copy - * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phNewObject) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native long C_CopyObject(long hSession, long hObject, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - /** - * C_DestroyObject destroys an object. - * (Object management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param hObject the object's handle - * (PKCS#11 param: CK_OBJECT_HANDLE hObject) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_DestroyObject(long hSession, long hObject) - throws PKCS11Exception; - - - /** - * C_GetObjectSize gets the size of an object in bytes. - * (Object management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param hObject the object's handle - * (PKCS#11 param: CK_OBJECT_HANDLE hObject) - * @return the size of the object - * (PKCS#11 param: CK_ULONG_PTR pulSize) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ -// public native long C_GetObjectSize(long hSession, long hObject) -// throws PKCS11Exception; - - - /** - * C_GetAttributeValue obtains the value of one or more object - * attributes. The template attributes also receive the values. - * (Object management) - * note: in PKCS#11 pTemplate and the result template are the same - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param hObject the object's handle - * (PKCS#11 param: CK_OBJECT_HANDLE hObject) - * @param pTemplate specifies the attributes and number of attributes to get - * The template attributes also receive the values. - * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pTemplate <> null) - * @postconditions (result <> null) - */ - public native void C_GetAttributeValue(long hSession, long hObject, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - /** - * C_SetAttributeValue modifies the value of one or more object - * attributes - * (Object management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param hObject the object's handle - * (PKCS#11 param: CK_OBJECT_HANDLE hObject) - * @param pTemplate specifies the attributes and values to get; number of - * attributes in the template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pTemplate <> null) - * @postconditions - */ - public native void C_SetAttributeValue(long hSession, long hObject, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - /** - * C_FindObjectsInit initializes a search for token and session - * objects that match a template. - * (Object management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pTemplate the object's attribute values to match and the number of - * attributes in search template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_FindObjectsInit(long hSession, CK_ATTRIBUTE[] pTemplate) - throws PKCS11Exception; - - - /** - * C_FindObjects continues a search for token and session - * objects that match a template, obtaining additional object - * handles. - * (Object management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param ulMaxObjectCount the max. object handles to get - * (PKCS#11 param: CK_ULONG ulMaxObjectCount) - * @return the object's handles and the actual number of objects returned - * (PKCS#11 param: CK_ULONG_PTR pulObjectCount) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native long[] C_FindObjects(long hSession, long ulMaxObjectCount) - throws PKCS11Exception; - - - /** - * C_FindObjectsFinal finishes a search for token and session - * objects. - * (Object management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_FindObjectsFinal(long hSession) throws PKCS11Exception; - - - -/* ***************************************************************************** - * Encryption and decryption - ******************************************************************************/ - - /** - * C_EncryptInit initializes an encryption operation. - * (Encryption and decryption) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the encryption mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hKey the handle of the encryption key - * (PKCS#11 param: CK_OBJECT_HANDLE hKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_EncryptInit(long hSession, CK_MECHANISM pMechanism, - long hKey) throws PKCS11Exception; - - - /** - * C_Encrypt encrypts single-part data. - * (Encryption and decryption) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pData the data to get encrypted and the data's length - * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) - * @return the encrypted data and the encrypted data's length - * (PKCS#11 param: CK_BYTE_PTR pEncryptedData, - * CK_ULONG_PTR pulEncryptedDataLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pData <> null) - * @postconditions (result <> null) - */ - public native int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen, - byte[] out, int outOfs, int outLen) throws PKCS11Exception; - - - /** - * C_EncryptUpdate continues a multiple-part encryption - * operation. - * (Encryption and decryption) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pPart the data part to get encrypted and the data part's length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) - * @return the encrypted data part and the encrypted data part's length - * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, - CK_ULONG_PTR pulEncryptedPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pPart <> null) - * @postconditions - */ - public native int C_EncryptUpdate(long hSession, long directIn, byte[] in, - int inOfs, int inLen, long directOut, byte[] out, int outOfs, - int outLen) throws PKCS11Exception; - - - /** - * C_EncryptFinal finishes a multiple-part encryption - * operation. - * (Encryption and decryption) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @return the last encrypted data part and the last data part's length - * (PKCS#11 param: CK_BYTE_PTR pLastEncryptedPart, - CK_ULONG_PTR pulLastEncryptedPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native int C_EncryptFinal(long hSession, long directOut, byte[] out, - int outOfs, int outLen) throws PKCS11Exception; - - - /** - * C_DecryptInit initializes a decryption operation. - * (Encryption and decryption) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the decryption mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hKey the handle of the decryption key - * (PKCS#11 param: CK_OBJECT_HANDLE hKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_DecryptInit(long hSession, CK_MECHANISM pMechanism, - long hKey) throws PKCS11Exception; - - - /** - * C_Decrypt decrypts encrypted data in a single part. - * (Encryption and decryption) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pEncryptedData the encrypted data to get decrypted and the - * encrypted data's length - * (PKCS#11 param: CK_BYTE_PTR pEncryptedData, - * CK_ULONG ulEncryptedDataLen) - * @return the decrypted data and the data's length - * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pEncryptedPart <> null) - * @postconditions (result <> null) - */ - public native int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen, - byte[] out, int outOfs, int outLen) throws PKCS11Exception; - - - /** - * C_DecryptUpdate continues a multiple-part decryption - * operation. - * (Encryption and decryption) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pEncryptedPart the encrypted data part to get decrypted and the - * encrypted data part's length - * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, - * CK_ULONG ulEncryptedPartLen) - * @return the decrypted data part and the data part's length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pEncryptedPart <> null) - * @postconditions - */ - public native int C_DecryptUpdate(long hSession, long directIn, byte[] in, - int inOfs, int inLen, long directOut, byte[] out, int outOfs, - int outLen) throws PKCS11Exception; - - - /** - * C_DecryptFinal finishes a multiple-part decryption - * operation. - * (Encryption and decryption) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @return the last decrypted data part and the last data part's length - * (PKCS#11 param: CK_BYTE_PTR pLastPart, - * CK_ULONG_PTR pulLastPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native int C_DecryptFinal(long hSession, long directOut, byte[] out, - int outOfs, int outLen) throws PKCS11Exception; - - - -/* ***************************************************************************** - * Message digesting - ******************************************************************************/ - - /** - * C_DigestInit initializes a message-digesting operation. - * (Message digesting) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the digesting mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_DigestInit(long hSession, CK_MECHANISM pMechanism) - throws PKCS11Exception; - - - // note that C_DigestSingle does not exist in PKCS#11 - // we combined the C_DigestInit and C_Digest into a single function - // to save on Java<->C transitions and save 5-10% on small digests - // this made the C_Digest method redundant, it has been removed - /** - * C_Digest digests data in a single part. - * (Message digesting) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param data the data to get digested and the data's length - * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) - * @return the message digest and the length of the message digest - * (PKCS#11 param: CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (data <> null) - * @postconditions (result <> null) - */ - public native int C_DigestSingle(long hSession, CK_MECHANISM pMechanism, - byte[] in, int inOfs, int inLen, byte[] digest, int digestOfs, - int digestLen) throws PKCS11Exception; - - - /** - * C_DigestUpdate continues a multiple-part message-digesting - * operation. - * (Message digesting) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pPart the data to get digested and the data's length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pPart <> null) - * @postconditions - */ - public native void C_DigestUpdate(long hSession, long directIn, byte[] in, - int inOfs, int inLen) throws PKCS11Exception; - - - /** - * C_DigestKey continues a multi-part message-digesting - * operation, by digesting the value of a secret key as part of - * the data already digested. - * (Message digesting) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param hKey the handle of the secret key to be digested - * (PKCS#11 param: CK_OBJECT_HANDLE hKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_DigestKey(long hSession, long hKey) - throws PKCS11Exception; - - - /** - * C_DigestFinal finishes a multiple-part message-digesting - * operation. - * (Message digesting) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @return the message digest and the length of the message digest - * (PKCS#11 param: CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native int C_DigestFinal(long hSession, byte[] pDigest, int digestOfs, - int digestLen) throws PKCS11Exception; - - - -/* ***************************************************************************** - * Signing and MACing - ******************************************************************************/ - - /** - * C_SignInit initializes a signature (private key encryption) - * operation, where the signature is (will be) an appendix to - * the data, and plaintext cannot be recovered from the - * signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the signature mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hKey the handle of the signature key - * (PKCS#11 param: CK_OBJECT_HANDLE hKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_SignInit(long hSession, CK_MECHANISM pMechanism, - long hKey) throws PKCS11Exception; - - - /** - * C_Sign signs (encrypts with private key) data in a single - * part, where the signature is (will be) an appendix to the - * data, and plaintext cannot be recovered from the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pData the data to sign and the data's length - * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) - * @return the signature and the signature's length - * (PKCS#11 param: CK_BYTE_PTR pSignature, - * CK_ULONG_PTR pulSignatureLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pData <> null) - * @postconditions (result <> null) - */ - public native byte[] C_Sign(long hSession, byte[] pData) - throws PKCS11Exception; - - - /** - * C_SignUpdate continues a multiple-part signature operation, - * where the signature is (will be) an appendix to the data, - * and plaintext cannot be recovered from the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pPart the data part to sign and the data part's length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pPart <> null) - * @postconditions - */ - public native void C_SignUpdate(long hSession, long directIn, byte[] in, - int inOfs, int inLen) throws PKCS11Exception; - - - /** - * C_SignFinal finishes a multiple-part signature operation, - * returning the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @return the signature and the signature's length - * (PKCS#11 param: CK_BYTE_PTR pSignature, - * CK_ULONG_PTR pulSignatureLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native byte[] C_SignFinal(long hSession, int expectedLen) - throws PKCS11Exception; - - - /** - * C_SignRecoverInit initializes a signature operation, where - * the data can be recovered from the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the signature mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hKey the handle of the signature key - * (PKCS#11 param: CK_OBJECT_HANDLE hKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_SignRecoverInit(long hSession, CK_MECHANISM pMechanism, - long hKey) throws PKCS11Exception; - - - /** - * C_SignRecover signs data in a single operation, where the - * data can be recovered from the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pData the data to sign and the data's length - * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) - * @return the signature and the signature's length - * (PKCS#11 param: CK_BYTE_PTR pSignature, - * CK_ULONG_PTR pulSignatureLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pData <> null) - * @postconditions (result <> null) - */ - public native int C_SignRecover(long hSession, byte[] in, int inOfs, - int inLen, byte[] out, int outOufs, int outLen) - throws PKCS11Exception; - - - -/* ***************************************************************************** - * Verifying signatures and MACs - ******************************************************************************/ - - /** - * C_VerifyInit initializes a verification operation, where the - * signature is an appendix to the data, and plaintext cannot - * cannot be recovered from the signature (e.g. DSA). - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the verification mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hKey the handle of the verification key - * (PKCS#11 param: CK_OBJECT_HANDLE hKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, - long hKey) throws PKCS11Exception; - - - /** - * C_Verify verifies a signature in a single-part operation, - * where the signature is an appendix to the data, and plaintext - * cannot be recovered from the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pData the signed data and the signed data's length - * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) - * @param pSignature the signature to verify and the signature's length - * (PKCS#11 param: CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pData <> null) and (pSignature <> null) - * @postconditions - */ - public native void C_Verify(long hSession, byte[] pData, byte[] pSignature) - throws PKCS11Exception; - - - /** - * C_VerifyUpdate continues a multiple-part verification - * operation, where the signature is an appendix to the data, - * and plaintext cannot be recovered from the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pPart the signed data part and the signed data part's length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pPart <> null) - * @postconditions - */ - public native void C_VerifyUpdate(long hSession, long directIn, byte[] in, - int inOfs, int inLen) throws PKCS11Exception; - - - /** - * C_VerifyFinal finishes a multiple-part verification - * operation, checking the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pSignature the signature to verify and the signature's length - * (PKCS#11 param: CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pSignature <> null) - * @postconditions - */ - public native void C_VerifyFinal(long hSession, byte[] pSignature) - throws PKCS11Exception; - - - /** - * C_VerifyRecoverInit initializes a signature verification - * operation, where the data is recovered from the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the verification mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hKey the handle of the verification key - * (PKCS#11 param: CK_OBJECT_HANDLE hKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native void C_VerifyRecoverInit(long hSession, - CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; - - - /** - * C_VerifyRecover verifies a signature in a single-part - * operation, where the data is recovered from the signature. - * (Signing and MACing) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pSignature the signature to verify and the signature's length - * (PKCS#11 param: CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) - * @return the recovered data and the recovered data's length - * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pSignature <> null) - * @postconditions (result <> null) - */ - public native int C_VerifyRecover(long hSession, byte[] in, int inOfs, - int inLen, byte[] out, int outOufs, int outLen) - throws PKCS11Exception; - - - -/* ***************************************************************************** - * Dual-function cryptographic operations - ******************************************************************************/ - - /** - * C_DigestEncryptUpdate continues a multiple-part digesting - * and encryption operation. - * (Dual-function cryptographic operations) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pPart the data part to digest and to encrypt and the data's length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) - * @return the digested and encrypted data part and the data part's length - * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, - * CK_ULONG_PTR pulEncryptedPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pPart <> null) - * @postconditions - */ -// public native byte[] C_DigestEncryptUpdate(long hSession, byte[] pPart) -// throws PKCS11Exception; - - - /** - * C_DecryptDigestUpdate continues a multiple-part decryption and - * digesting operation. - * (Dual-function cryptographic operations) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pEncryptedPart the encrypted data part to decrypt and to digest - * and encrypted data part's length - * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, - * CK_ULONG ulEncryptedPartLen) - * @return the decrypted and digested data part and the data part's length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pEncryptedPart <> null) - * @postconditions - */ -// public native byte[] C_DecryptDigestUpdate(long hSession, -// byte[] pEncryptedPart) throws PKCS11Exception; - - - /** - * C_SignEncryptUpdate continues a multiple-part signing and - * encryption operation. - * (Dual-function cryptographic operations) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pPart the data part to sign and to encrypt and the data part's - * length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) - * @return the signed and encrypted data part and the data part's length - * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, - * CK_ULONG_PTR pulEncryptedPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pPart <> null) - * @postconditions - */ -// public native byte[] C_SignEncryptUpdate(long hSession, byte[] pPart) -// throws PKCS11Exception; - - - /** - * C_DecryptVerifyUpdate continues a multiple-part decryption and - * verify operation. - * (Dual-function cryptographic operations) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pEncryptedPart the encrypted data part to decrypt and to verify - * and the data part's length - * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, - * CK_ULONG ulEncryptedPartLen) - * @return the decrypted and verified data part and the data part's length - * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pEncryptedPart <> null) - * @postconditions - */ -// public native byte[] C_DecryptVerifyUpdate(long hSession, -// byte[] pEncryptedPart) throws PKCS11Exception; - - - -/* ***************************************************************************** - * Key management - ******************************************************************************/ - - /** - * C_GenerateKey generates a secret key, creating a new key - * object. - * (Key management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the key generation mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param pTemplate the template for the new key and the number of - * attributes in the template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) - * @return the handle of the new key - * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native long C_GenerateKey(long hSession, CK_MECHANISM pMechanism, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - /** - * C_GenerateKeyPair generates a public-key/private-key pair, - * creating new key objects. - * (Key management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the key generation mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param pPublicKeyTemplate the template for the new public key and the - * number of attributes in the template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pPublicKeyTemplate, - * CK_ULONG ulPublicKeyAttributeCount) - * @param pPrivateKeyTemplate the template for the new private key and the - * number of attributes in the template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pPrivateKeyTemplate - * CK_ULONG ulPrivateKeyAttributeCount) - * @return a long array with exactly two elements and the public key handle - * as the first element and the private key handle as the second - * element - * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phPublicKey, - * CK_OBJECT_HANDLE_PTR phPrivateKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pMechanism <> null) - * @postconditions (result <> null) and (result.length == 2) - */ - public native long[] C_GenerateKeyPair(long hSession, - CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate, - CK_ATTRIBUTE[] pPrivateKeyTemplate) throws PKCS11Exception; - - - - /** - * C_WrapKey wraps (i.e., encrypts) a key. - * (Key management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the wrapping mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hWrappingKey the handle of the wrapping key - * (PKCS#11 param: CK_OBJECT_HANDLE hWrappingKey) - * @param hKey the handle of the key to be wrapped - * (PKCS#11 param: CK_OBJECT_HANDLE hKey) - * @return the wrapped key and the length of the wrapped key - * (PKCS#11 param: CK_BYTE_PTR pWrappedKey, - * CK_ULONG_PTR pulWrappedKeyLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions (result <> null) - */ - public native byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, - long hWrappingKey, long hKey) throws PKCS11Exception; - - - /** - * C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new - * key object. - * (Key management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the unwrapping mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hUnwrappingKey the handle of the unwrapping key - * (PKCS#11 param: CK_OBJECT_HANDLE hUnwrappingKey) - * @param pWrappedKey the wrapped key to unwrap and the wrapped key's length - * (PKCS#11 param: CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen) - * @param pTemplate the template for the new key and the number of - * attributes in the template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) - * @return the handle of the unwrapped key - * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pWrappedKey <> null) - * @postconditions - */ - public native long C_UnwrapKey(long hSession, CK_MECHANISM pMechanism, - long hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate) - throws PKCS11Exception; - - - /** - * C_DeriveKey derives a key from a base key, creating a new key - * object. - * (Key management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pMechanism the key derivation mechanism - * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) - * @param hBaseKey the handle of the base key - * (PKCS#11 param: CK_OBJECT_HANDLE hBaseKey) - * @param pTemplate the template for the new key and the number of - * attributes in the template - * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) - * @return the handle of the derived key - * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phKey) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ - public native long C_DeriveKey(long hSession, CK_MECHANISM pMechanism, - long hBaseKey, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - -/* ***************************************************************************** - * Random number generation - ******************************************************************************/ - - /** - * C_SeedRandom mixes additional seed material into the token's - * random number generator. - * (Random number generation) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param pSeed the seed material and the seed material's length - * (PKCS#11 param: CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pSeed <> null) - * @postconditions - */ - public native void C_SeedRandom(long hSession, byte[] pSeed) - throws PKCS11Exception; - - - /** - * C_GenerateRandom generates random data. - * (Random number generation) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @param RandomData receives the random data and the length of RandomData - * is the length of random data to be generated - * (PKCS#11 param: CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (randomData <> null) - * @postconditions - */ - public native void C_GenerateRandom(long hSession, byte[] randomData) - throws PKCS11Exception; - - - -/* ***************************************************************************** - * Parallel function management - ******************************************************************************/ - - /** - * C_GetFunctionStatus is a legacy function; it obtains an - * updated status of a function running in parallel with an - * application. - * (Parallel function management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ -// public native void C_GetFunctionStatus(long hSession) -// throws PKCS11Exception; - - - /** - * C_CancelFunction is a legacy function; it cancels a function - * running in parallel. - * (Parallel function management) - * - * @param hSession the session's handle - * (PKCS#11 param: CK_SESSION_HANDLE hSession) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions - * @postconditions - */ -// public native void C_CancelFunction(long hSession) throws PKCS11Exception; - - - -/* ***************************************************************************** - * Functions added in for Cryptoki Version 2.01 or later - ******************************************************************************/ - - /** - * C_WaitForSlotEvent waits for a slot event (token insertion, - * removal, etc.) to occur. - * (General-purpose) - * - * @param flags blocking/nonblocking flag - * (PKCS#11 param: CK_FLAGS flags) - * @param pReserved reserved. Should be null - * (PKCS#11 param: CK_VOID_PTR pReserved) - * @return the slot ID where the event occurred - * (PKCS#11 param: CK_SLOT_ID_PTR pSlot) - * @exception PKCS11Exception If function returns other value than CKR_OK. - * @preconditions (pRserved == null) - * @postconditions - */ -// public native long C_WaitForSlotEvent(long flags, Object pRserved) -// throws PKCS11Exception; - - /** - * Returns the string representation of this object. - * - * @return The string representation of object - */ - public String toString() { - return "Module name: " + pkcs11ModulePath; - } - - /** - * Calls disconnect() to cleanup the native part of the wrapper. Once this - * method is called, this object cannot be used any longer. Any subsequent - * call to a C_* method will result in a runtime exception. - * - * @exception Throwable If finalization fails. - */ - protected void finalize() throws Throwable { - disconnect(); - } - -// PKCS11 subclass that has all methods synchronized and delegating to the -// parent. Used for tokens that only support single threaded access -static class SynchronizedPKCS11 extends PKCS11 { - - SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) - throws IOException { - super(pkcs11ModulePath, functionListName); - } - - synchronized void C_Initialize(Object pInitArgs) throws PKCS11Exception { - super.C_Initialize(pInitArgs); - } - - public synchronized void C_Finalize(Object pReserved) - throws PKCS11Exception { - super.C_Finalize(pReserved); - } - - public synchronized CK_INFO C_GetInfo() throws PKCS11Exception { - return super.C_GetInfo(); - } - - public synchronized long[] C_GetSlotList(boolean tokenPresent) - throws PKCS11Exception { - return super.C_GetSlotList(tokenPresent); - } - - public synchronized CK_SLOT_INFO C_GetSlotInfo(long slotID) - throws PKCS11Exception { - return super.C_GetSlotInfo(slotID); - } - - public synchronized CK_TOKEN_INFO C_GetTokenInfo(long slotID) - throws PKCS11Exception { - return super.C_GetTokenInfo(slotID); - } - - public synchronized long[] C_GetMechanismList(long slotID) - throws PKCS11Exception { - return super.C_GetMechanismList(slotID); - } - - public synchronized CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, - long type) throws PKCS11Exception { - return super.C_GetMechanismInfo(slotID, type); - } - - public synchronized long C_OpenSession(long slotID, long flags, - Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception { - return super.C_OpenSession(slotID, flags, pApplication, Notify); - } - - public synchronized void C_CloseSession(long hSession) - throws PKCS11Exception { - super.C_CloseSession(hSession); - } - - public synchronized CK_SESSION_INFO C_GetSessionInfo(long hSession) - throws PKCS11Exception { - return super.C_GetSessionInfo(hSession); - } - - public synchronized void C_Login(long hSession, long userType, char[] pPin) - throws PKCS11Exception { - super.C_Login(hSession, userType, pPin); - } - - public synchronized void C_Logout(long hSession) throws PKCS11Exception { - super.C_Logout(hSession); - } - - public synchronized long C_CreateObject(long hSession, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - return super.C_CreateObject(hSession, pTemplate); - } - - public synchronized long C_CopyObject(long hSession, long hObject, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - return super.C_CopyObject(hSession, hObject, pTemplate); - } - - public synchronized void C_DestroyObject(long hSession, long hObject) - throws PKCS11Exception { - super.C_DestroyObject(hSession, hObject); - } - - public synchronized void C_GetAttributeValue(long hSession, long hObject, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - super.C_GetAttributeValue(hSession, hObject, pTemplate); - } - - public synchronized void C_SetAttributeValue(long hSession, long hObject, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - super.C_SetAttributeValue(hSession, hObject, pTemplate); - } - - public synchronized void C_FindObjectsInit(long hSession, - CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - super.C_FindObjectsInit(hSession, pTemplate); - } - - public synchronized long[] C_FindObjects(long hSession, - long ulMaxObjectCount) throws PKCS11Exception { - return super.C_FindObjects(hSession, ulMaxObjectCount); - } - - public synchronized void C_FindObjectsFinal(long hSession) - throws PKCS11Exception { - super.C_FindObjectsFinal(hSession); - } - - public synchronized void C_EncryptInit(long hSession, - CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { - super.C_EncryptInit(hSession, pMechanism, hKey); - } - - public synchronized int C_Encrypt(long hSession, byte[] in, int inOfs, - int inLen, byte[] out, int outOfs, int outLen) - throws PKCS11Exception { - return super.C_Encrypt(hSession, in, inOfs, inLen, out, outOfs, outLen); - } - - public synchronized int C_EncryptUpdate(long hSession, long directIn, - byte[] in, int inOfs, int inLen, long directOut, byte[] out, - int outOfs, int outLen) throws PKCS11Exception { - return super.C_EncryptUpdate(hSession, directIn, in, inOfs, inLen, - directOut, out, outOfs, outLen); - } - - public synchronized int C_EncryptFinal(long hSession, long directOut, - byte[] out, int outOfs, int outLen) throws PKCS11Exception { - return super.C_EncryptFinal(hSession, directOut, out, outOfs, outLen); - } - - public synchronized void C_DecryptInit(long hSession, - CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { - super.C_DecryptInit(hSession, pMechanism, hKey); - } - - public synchronized int C_Decrypt(long hSession, byte[] in, int inOfs, - int inLen, byte[] out, int outOfs, int outLen) - throws PKCS11Exception { - return super.C_Decrypt(hSession, in, inOfs, inLen, out, outOfs, outLen); - } - - public synchronized int C_DecryptUpdate(long hSession, long directIn, - byte[] in, int inOfs, int inLen, long directOut, byte[] out, - int outOfs, int outLen) throws PKCS11Exception { - return super.C_DecryptUpdate(hSession, directIn, in, inOfs, inLen, - directOut, out, outOfs, outLen); - } - - public synchronized int C_DecryptFinal(long hSession, long directOut, - byte[] out, int outOfs, int outLen) throws PKCS11Exception { - return super.C_DecryptFinal(hSession, directOut, out, outOfs, outLen); - } - - public synchronized void C_DigestInit(long hSession, CK_MECHANISM pMechanism) - throws PKCS11Exception { - super.C_DigestInit(hSession, pMechanism); - } - - public synchronized int C_DigestSingle(long hSession, - CK_MECHANISM pMechanism, byte[] in, int inOfs, int inLen, - byte[] digest, int digestOfs, int digestLen) throws PKCS11Exception { - return super.C_DigestSingle(hSession, pMechanism, in, inOfs, inLen, - digest, digestOfs, digestLen); - } - - public synchronized void C_DigestUpdate(long hSession, long directIn, - byte[] in, int inOfs, int inLen) throws PKCS11Exception { - super.C_DigestUpdate(hSession, directIn, in, inOfs, inLen); - } - - public synchronized void C_DigestKey(long hSession, long hKey) - throws PKCS11Exception { - super.C_DigestKey(hSession, hKey); - } - - public synchronized int C_DigestFinal(long hSession, byte[] pDigest, - int digestOfs, int digestLen) throws PKCS11Exception { - return super.C_DigestFinal(hSession, pDigest, digestOfs, digestLen); - } - - public synchronized void C_SignInit(long hSession, CK_MECHANISM pMechanism, - long hKey) throws PKCS11Exception { - super.C_SignInit(hSession, pMechanism, hKey); - } - - public synchronized byte[] C_Sign(long hSession, byte[] pData) - throws PKCS11Exception { - return super.C_Sign(hSession, pData); - } - - public synchronized void C_SignUpdate(long hSession, long directIn, - byte[] in, int inOfs, int inLen) throws PKCS11Exception { - super.C_SignUpdate(hSession, directIn, in, inOfs, inLen); - } - - public synchronized byte[] C_SignFinal(long hSession, int expectedLen) - throws PKCS11Exception { - return super.C_SignFinal(hSession, expectedLen); - } - - public synchronized void C_SignRecoverInit(long hSession, - CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { - super.C_SignRecoverInit(hSession, pMechanism, hKey); - } - - public synchronized int C_SignRecover(long hSession, byte[] in, int inOfs, - int inLen, byte[] out, int outOufs, int outLen) - throws PKCS11Exception { - return super.C_SignRecover(hSession, in, inOfs, inLen, out, outOufs, - outLen); - } - - public synchronized void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, - long hKey) throws PKCS11Exception { - super.C_VerifyInit(hSession, pMechanism, hKey); - } - - public synchronized void C_Verify(long hSession, byte[] pData, - byte[] pSignature) throws PKCS11Exception { - super.C_Verify(hSession, pData, pSignature); - } - - public synchronized void C_VerifyUpdate(long hSession, long directIn, - byte[] in, int inOfs, int inLen) throws PKCS11Exception { - super.C_VerifyUpdate(hSession, directIn, in, inOfs, inLen); - } - - public synchronized void C_VerifyFinal(long hSession, byte[] pSignature) - throws PKCS11Exception { - super.C_VerifyFinal(hSession, pSignature); - } - - public synchronized void C_VerifyRecoverInit(long hSession, - CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { - super.C_VerifyRecoverInit(hSession, pMechanism, hKey); - } - - public synchronized int C_VerifyRecover(long hSession, byte[] in, int inOfs, - int inLen, byte[] out, int outOufs, int outLen) - throws PKCS11Exception { - return super.C_VerifyRecover(hSession, in, inOfs, inLen, out, outOufs, - outLen); - } - - public synchronized long C_GenerateKey(long hSession, - CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate) - throws PKCS11Exception { - return super.C_GenerateKey(hSession, pMechanism, pTemplate); - } - - public synchronized long[] C_GenerateKeyPair(long hSession, - CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate, - CK_ATTRIBUTE[] pPrivateKeyTemplate) - throws PKCS11Exception { - return super.C_GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate, - pPrivateKeyTemplate); - } - - public synchronized byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, - long hWrappingKey, long hKey) throws PKCS11Exception { - return super.C_WrapKey(hSession, pMechanism, hWrappingKey, hKey); - } - - public synchronized long C_UnwrapKey(long hSession, CK_MECHANISM pMechanism, - long hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate) - throws PKCS11Exception { - return super.C_UnwrapKey(hSession, pMechanism, hUnwrappingKey, - pWrappedKey, pTemplate); - } - - public synchronized long C_DeriveKey(long hSession, CK_MECHANISM pMechanism, - long hBaseKey, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - return super.C_DeriveKey(hSession, pMechanism, hBaseKey, pTemplate); - } - - public synchronized void C_SeedRandom(long hSession, byte[] pSeed) - throws PKCS11Exception { - super.C_SeedRandom(hSession, pSeed); - } - - public synchronized void C_GenerateRandom(long hSession, byte[] randomData) - throws PKCS11Exception { - super.C_GenerateRandom(hSession, randomData); - } -} -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2017-01-20 09:52:52.374288426 -0800 @@ -0,0 +1,1827 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + +import java.io.File; +import java.io.IOException; +import java.util.*; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +import sun.security.util.Debug; + +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + +/** + * This is the default implementation of the PKCS11 interface. IT connects to + * the pkcs11wrapper.dll file, which is the native part of this library. + * The strange and awkward looking initialization was chosen to avoid calling + * loadLibrary from a static initialization block, because this would complicate + * the use in applets. + * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + * @invariants (pkcs11ModulePath_ <> null) + */ +public class PKCS11 { + + /** + * The name of the native part of the wrapper; i.e. the filename without + * the extension (e.g. ".DLL" or ".so"). + */ + private static final String PKCS11_WRAPPER = "j2pkcs11"; + + static { + // cannot use LoadLibraryAction because that would make the native + // library available to the bootclassloader, but we run in the + // extension classloader. + AccessController.doPrivileged(new PrivilegedAction() { + public Object run() { + System.loadLibrary(PKCS11_WRAPPER); + return null; + } + }); + boolean enableDebug = Debug.getInstance("sunpkcs11") != null; + initializeLibrary(enableDebug); + } + + public static void loadNative() { + // dummy method that can be called to make sure the native + // portion has been loaded. actual loading happens in the + // static initializer, hence this method is empty. + } + + /** + * The PKCS#11 module to connect to. This is the PKCS#11 driver of the token; + * e.g. pk2priv.dll. + */ + private final String pkcs11ModulePath; + + private long pNativeData; + + /** + * This method does the initialization of the native library. It is called + * exactly once for this class. + * + * @preconditions + * @postconditions + */ + private static native void initializeLibrary(boolean debug); + + // XXX + /** + * This method does the finalization of the native library. It is called + * exactly once for this class. The library uses this method for a clean-up + * of any resources. + * + * @preconditions + * @postconditions + */ + private static native void finalizeLibrary(); + + private static final Map moduleMap = + new HashMap(); + + /** + * Connects to the PKCS#11 driver given. The filename must contain the + * path, if the driver is not in the system's search path. + * + * @param pkcs11ModulePath the PKCS#11 library path + * @preconditions (pkcs11ModulePath <> null) + * @postconditions + */ + PKCS11(String pkcs11ModulePath, String functionListName) + throws IOException { + connect(pkcs11ModulePath, functionListName); + this.pkcs11ModulePath = pkcs11ModulePath; + } + + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, + boolean omitInitialize) throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { + pkcs11 = new PKCS11(pkcs11ModulePath, functionList); + } else { + pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); + } + if (omitInitialize == false) { + try { + pkcs11.C_Initialize(pInitArgs); + } catch (PKCS11Exception e) { + // ignore already-initialized error code + // rethrow all other errors + if (e.getErrorCode() != CKR_CRYPTOKI_ALREADY_INITIALIZED) { + throw e; + } + } + } + moduleMap.put(pkcs11ModulePath, pkcs11); + } + return pkcs11; + } + + /** + * Connects this object to the specified PKCS#11 library. This method is for + * internal use only. + * Declared private, because incorrect handling may result in errors in the + * native part. + * + * @param pkcs11ModulePath The PKCS#11 library path. + * @preconditions (pkcs11ModulePath <> null) + * @postconditions + */ + private native void connect(String pkcs11ModulePath, String functionListName) + throws IOException; + + /** + * Disconnects the PKCS#11 library from this object. After calling this + * method, this object is no longer connected to a native PKCS#11 module + * and any subsequent calls to C_ methods will fail. This method is for + * internal use only. + * Declared private, because incorrect handling may result in errors in the + * native part. + * + * @preconditions + * @postconditions + */ + private native void disconnect(); + + + // Implementation of PKCS11 methods delegated to native pkcs11wrapper library + +/* ***************************************************************************** + * General-purpose + ******************************************************************************/ + + /** + * C_Initialize initializes the Cryptoki library. + * (General-purpose) + * + * @param pInitArgs if pInitArgs is not NULL it gets casted to + * CK_C_INITIALIZE_ARGS_PTR and dereferenced + * (PKCS#11 param: CK_VOID_PTR pInitArgs) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + native void C_Initialize(Object pInitArgs) throws PKCS11Exception; + + /** + * C_Finalize indicates that an application is done with the + * Cryptoki library + * (General-purpose) + * + * @param pReserved is reserved. Should be NULL_PTR + * (PKCS#11 param: CK_VOID_PTR pReserved) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pReserved == null) + * @postconditions + */ + public native void C_Finalize(Object pReserved) throws PKCS11Exception; + + + /** + * C_GetInfo returns general information about Cryptoki. + * (General-purpose) + * + * @return the information. + * (PKCS#11 param: CK_INFO_PTR pInfo) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native CK_INFO C_GetInfo() throws PKCS11Exception; + + +/* ***************************************************************************** + * Slot and token management + ******************************************************************************/ + + /** + * C_GetSlotList obtains a list of slots in the system. + * (Slot and token management) + * + * @param tokenPresent if true only Slot IDs with a token are returned + * (PKCS#11 param: CK_BBOOL tokenPresent) + * @return a long array of slot IDs and number of Slot IDs + * (PKCS#11 param: CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native long[] C_GetSlotList(boolean tokenPresent) + throws PKCS11Exception; + + + /** + * C_GetSlotInfo obtains information about a particular slot in + * the system. + * (Slot and token management) + * + * @param slotID the ID of the slot + * (PKCS#11 param: CK_SLOT_ID slotID) + * @return the slot information + * (PKCS#11 param: CK_SLOT_INFO_PTR pInfo) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native CK_SLOT_INFO C_GetSlotInfo(long slotID) throws PKCS11Exception; + + + /** + * C_GetTokenInfo obtains information about a particular token + * in the system. + * (Slot and token management) + * + * @param slotID ID of the token's slot + * (PKCS#11 param: CK_SLOT_ID slotID) + * @return the token information + * (PKCS#11 param: CK_TOKEN_INFO_PTR pInfo) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native CK_TOKEN_INFO C_GetTokenInfo(long slotID) + throws PKCS11Exception; + + + /** + * C_GetMechanismList obtains a list of mechanism types + * supported by a token. + * (Slot and token management) + * + * @param slotID ID of the token's slot + * (PKCS#11 param: CK_SLOT_ID slotID) + * @return a long array of mechanism types and number of mechanism types + * (PKCS#11 param: CK_MECHANISM_TYPE_PTR pMechanismList, + * CK_ULONG_PTR pulCount) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native long[] C_GetMechanismList(long slotID) throws PKCS11Exception; + + + /** + * C_GetMechanismInfo obtains information about a particular + * mechanism possibly supported by a token. + * (Slot and token management) + * + * @param slotID ID of the token's slot + * (PKCS#11 param: CK_SLOT_ID slotID) + * @param type type of mechanism + * (PKCS#11 param: CK_MECHANISM_TYPE type) + * @return the mechanism info + * (PKCS#11 param: CK_MECHANISM_INFO_PTR pInfo) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, long type) + throws PKCS11Exception; + + + /** + * C_InitToken initializes a token. + * (Slot and token management) + * + * @param slotID ID of the token's slot + * (PKCS#11 param: CK_SLOT_ID slotID) + * @param pPin the SO's initial PIN and the length in bytes of the PIN + * (PKCS#11 param: CK_CHAR_PTR pPin, CK_ULONG ulPinLen) + * @param pLabel 32-byte token label (blank padded) + * (PKCS#11 param: CK_UTF8CHAR_PTR pLabel) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ +// public native void C_InitToken(long slotID, char[] pPin, char[] pLabel) +// throws PKCS11Exception; + + + /** + * C_InitPIN initializes the normal user's PIN. + * (Slot and token management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pPin the normal user's PIN and the length in bytes of the PIN + * (PKCS#11 param: CK_CHAR_PTR pPin, CK_ULONG ulPinLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ +// public native void C_InitPIN(long hSession, char[] pPin) +// throws PKCS11Exception; + + + /** + * C_SetPIN modifies the PIN of the user who is logged in. + * (Slot and token management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pOldPin the old PIN and the length of the old PIN + * (PKCS#11 param: CK_CHAR_PTR pOldPin, CK_ULONG ulOldLen) + * @param pNewPin the new PIN and the length of the new PIN + * (PKCS#11 param: CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ +// public native void C_SetPIN(long hSession, char[] pOldPin, char[] pNewPin) +// throws PKCS11Exception; + + + +/* ***************************************************************************** + * Session management + ******************************************************************************/ + + /** + * C_OpenSession opens a session between an application and a + * token. + * (Session management) + * + * @param slotID the slot's ID + * (PKCS#11 param: CK_SLOT_ID slotID) + * @param flags of CK_SESSION_INFO + * (PKCS#11 param: CK_FLAGS flags) + * @param pApplication passed to callback + * (PKCS#11 param: CK_VOID_PTR pApplication) + * @param Notify the callback function + * (PKCS#11 param: CK_NOTIFY Notify) + * @return the session handle + * (PKCS#11 param: CK_SESSION_HANDLE_PTR phSession) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native long C_OpenSession(long slotID, long flags, + Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception; + + + /** + * C_CloseSession closes a session between an application and a + * token. + * (Session management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_CloseSession(long hSession) throws PKCS11Exception; + + + /** + * C_CloseAllSessions closes all sessions with a token. + * (Session management) + * + * @param slotID the ID of the token's slot + * (PKCS#11 param: CK_SLOT_ID slotID) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ +// public native void C_CloseAllSessions(long slotID) throws PKCS11Exception; + + + /** + * C_GetSessionInfo obtains information about the session. + * (Session management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @return the session info + * (PKCS#11 param: CK_SESSION_INFO_PTR pInfo) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native CK_SESSION_INFO C_GetSessionInfo(long hSession) + throws PKCS11Exception; + + + /** + * C_GetOperationState obtains the state of the cryptographic operation + * in a session. + * (Session management) + * + * @param hSession session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @return the state and the state length + * (PKCS#11 param: CK_BYTE_PTR pOperationState, + * CK_ULONG_PTR pulOperationStateLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native byte[] C_GetOperationState(long hSession) + throws PKCS11Exception; + + + /** + * C_SetOperationState restores the state of the cryptographic + * operation in a session. + * (Session management) + * + * @param hSession session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pOperationState the state and the state length + * (PKCS#11 param: CK_BYTE_PTR pOperationState, + * CK_ULONG ulOperationStateLen) + * @param hEncryptionKey en/decryption key + * (PKCS#11 param: CK_OBJECT_HANDLE hEncryptionKey) + * @param hAuthenticationKey sign/verify key + * (PKCS#11 param: CK_OBJECT_HANDLE hAuthenticationKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_SetOperationState(long hSession, byte[] pOperationState, + long hEncryptionKey, long hAuthenticationKey) throws PKCS11Exception; + + + /** + * C_Login logs a user into a token. + * (Session management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param userType the user type + * (PKCS#11 param: CK_USER_TYPE userType) + * @param pPin the user's PIN and the length of the PIN + * (PKCS#11 param: CK_CHAR_PTR pPin, CK_ULONG ulPinLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_Login(long hSession, long userType, char[] pPin) + throws PKCS11Exception; + + + /** + * C_Logout logs a user out from a token. + * (Session management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_Logout(long hSession) throws PKCS11Exception; + + + +/* ***************************************************************************** + * Object management + ******************************************************************************/ + + /** + * C_CreateObject creates a new object. + * (Object management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pTemplate the object's template and number of attributes in + * template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) + * @return the object's handle + * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phObject) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native long C_CreateObject(long hSession, CK_ATTRIBUTE[] pTemplate) + throws PKCS11Exception; + + + /** + * C_CopyObject copies an object, creating a new object for the + * copy. + * (Object management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param hObject the object's handle + * (PKCS#11 param: CK_OBJECT_HANDLE hObject) + * @param pTemplate the template for the new object and number of attributes + * in template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) + * @return the handle of the copy + * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phNewObject) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native long C_CopyObject(long hSession, long hObject, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; + + + /** + * C_DestroyObject destroys an object. + * (Object management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param hObject the object's handle + * (PKCS#11 param: CK_OBJECT_HANDLE hObject) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_DestroyObject(long hSession, long hObject) + throws PKCS11Exception; + + + /** + * C_GetObjectSize gets the size of an object in bytes. + * (Object management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param hObject the object's handle + * (PKCS#11 param: CK_OBJECT_HANDLE hObject) + * @return the size of the object + * (PKCS#11 param: CK_ULONG_PTR pulSize) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ +// public native long C_GetObjectSize(long hSession, long hObject) +// throws PKCS11Exception; + + + /** + * C_GetAttributeValue obtains the value of one or more object + * attributes. The template attributes also receive the values. + * (Object management) + * note: in PKCS#11 pTemplate and the result template are the same + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param hObject the object's handle + * (PKCS#11 param: CK_OBJECT_HANDLE hObject) + * @param pTemplate specifies the attributes and number of attributes to get + * The template attributes also receive the values. + * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pTemplate <> null) + * @postconditions (result <> null) + */ + public native void C_GetAttributeValue(long hSession, long hObject, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; + + + /** + * C_SetAttributeValue modifies the value of one or more object + * attributes + * (Object management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param hObject the object's handle + * (PKCS#11 param: CK_OBJECT_HANDLE hObject) + * @param pTemplate specifies the attributes and values to get; number of + * attributes in the template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pTemplate <> null) + * @postconditions + */ + public native void C_SetAttributeValue(long hSession, long hObject, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; + + + /** + * C_FindObjectsInit initializes a search for token and session + * objects that match a template. + * (Object management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pTemplate the object's attribute values to match and the number of + * attributes in search template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_FindObjectsInit(long hSession, CK_ATTRIBUTE[] pTemplate) + throws PKCS11Exception; + + + /** + * C_FindObjects continues a search for token and session + * objects that match a template, obtaining additional object + * handles. + * (Object management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param ulMaxObjectCount the max. object handles to get + * (PKCS#11 param: CK_ULONG ulMaxObjectCount) + * @return the object's handles and the actual number of objects returned + * (PKCS#11 param: CK_ULONG_PTR pulObjectCount) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native long[] C_FindObjects(long hSession, long ulMaxObjectCount) + throws PKCS11Exception; + + + /** + * C_FindObjectsFinal finishes a search for token and session + * objects. + * (Object management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_FindObjectsFinal(long hSession) throws PKCS11Exception; + + + +/* ***************************************************************************** + * Encryption and decryption + ******************************************************************************/ + + /** + * C_EncryptInit initializes an encryption operation. + * (Encryption and decryption) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the encryption mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hKey the handle of the encryption key + * (PKCS#11 param: CK_OBJECT_HANDLE hKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_EncryptInit(long hSession, CK_MECHANISM pMechanism, + long hKey) throws PKCS11Exception; + + + /** + * C_Encrypt encrypts single-part data. + * (Encryption and decryption) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pData the data to get encrypted and the data's length + * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) + * @return the encrypted data and the encrypted data's length + * (PKCS#11 param: CK_BYTE_PTR pEncryptedData, + * CK_ULONG_PTR pulEncryptedDataLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pData <> null) + * @postconditions (result <> null) + */ + public native int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen, + byte[] out, int outOfs, int outLen) throws PKCS11Exception; + + + /** + * C_EncryptUpdate continues a multiple-part encryption + * operation. + * (Encryption and decryption) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pPart the data part to get encrypted and the data part's length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) + * @return the encrypted data part and the encrypted data part's length + * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pPart <> null) + * @postconditions + */ + public native int C_EncryptUpdate(long hSession, long directIn, byte[] in, + int inOfs, int inLen, long directOut, byte[] out, int outOfs, + int outLen) throws PKCS11Exception; + + + /** + * C_EncryptFinal finishes a multiple-part encryption + * operation. + * (Encryption and decryption) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @return the last encrypted data part and the last data part's length + * (PKCS#11 param: CK_BYTE_PTR pLastEncryptedPart, + CK_ULONG_PTR pulLastEncryptedPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native int C_EncryptFinal(long hSession, long directOut, byte[] out, + int outOfs, int outLen) throws PKCS11Exception; + + + /** + * C_DecryptInit initializes a decryption operation. + * (Encryption and decryption) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the decryption mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hKey the handle of the decryption key + * (PKCS#11 param: CK_OBJECT_HANDLE hKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_DecryptInit(long hSession, CK_MECHANISM pMechanism, + long hKey) throws PKCS11Exception; + + + /** + * C_Decrypt decrypts encrypted data in a single part. + * (Encryption and decryption) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pEncryptedData the encrypted data to get decrypted and the + * encrypted data's length + * (PKCS#11 param: CK_BYTE_PTR pEncryptedData, + * CK_ULONG ulEncryptedDataLen) + * @return the decrypted data and the data's length + * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pEncryptedPart <> null) + * @postconditions (result <> null) + */ + public native int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen, + byte[] out, int outOfs, int outLen) throws PKCS11Exception; + + + /** + * C_DecryptUpdate continues a multiple-part decryption + * operation. + * (Encryption and decryption) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pEncryptedPart the encrypted data part to get decrypted and the + * encrypted data part's length + * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, + * CK_ULONG ulEncryptedPartLen) + * @return the decrypted data part and the data part's length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pEncryptedPart <> null) + * @postconditions + */ + public native int C_DecryptUpdate(long hSession, long directIn, byte[] in, + int inOfs, int inLen, long directOut, byte[] out, int outOfs, + int outLen) throws PKCS11Exception; + + + /** + * C_DecryptFinal finishes a multiple-part decryption + * operation. + * (Encryption and decryption) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @return the last decrypted data part and the last data part's length + * (PKCS#11 param: CK_BYTE_PTR pLastPart, + * CK_ULONG_PTR pulLastPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native int C_DecryptFinal(long hSession, long directOut, byte[] out, + int outOfs, int outLen) throws PKCS11Exception; + + + +/* ***************************************************************************** + * Message digesting + ******************************************************************************/ + + /** + * C_DigestInit initializes a message-digesting operation. + * (Message digesting) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the digesting mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_DigestInit(long hSession, CK_MECHANISM pMechanism) + throws PKCS11Exception; + + + // note that C_DigestSingle does not exist in PKCS#11 + // we combined the C_DigestInit and C_Digest into a single function + // to save on Java<->C transitions and save 5-10% on small digests + // this made the C_Digest method redundant, it has been removed + /** + * C_Digest digests data in a single part. + * (Message digesting) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param data the data to get digested and the data's length + * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) + * @return the message digest and the length of the message digest + * (PKCS#11 param: CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (data <> null) + * @postconditions (result <> null) + */ + public native int C_DigestSingle(long hSession, CK_MECHANISM pMechanism, + byte[] in, int inOfs, int inLen, byte[] digest, int digestOfs, + int digestLen) throws PKCS11Exception; + + + /** + * C_DigestUpdate continues a multiple-part message-digesting + * operation. + * (Message digesting) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pPart the data to get digested and the data's length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pPart <> null) + * @postconditions + */ + public native void C_DigestUpdate(long hSession, long directIn, byte[] in, + int inOfs, int inLen) throws PKCS11Exception; + + + /** + * C_DigestKey continues a multi-part message-digesting + * operation, by digesting the value of a secret key as part of + * the data already digested. + * (Message digesting) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param hKey the handle of the secret key to be digested + * (PKCS#11 param: CK_OBJECT_HANDLE hKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_DigestKey(long hSession, long hKey) + throws PKCS11Exception; + + + /** + * C_DigestFinal finishes a multiple-part message-digesting + * operation. + * (Message digesting) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @return the message digest and the length of the message digest + * (PKCS#11 param: CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native int C_DigestFinal(long hSession, byte[] pDigest, int digestOfs, + int digestLen) throws PKCS11Exception; + + + +/* ***************************************************************************** + * Signing and MACing + ******************************************************************************/ + + /** + * C_SignInit initializes a signature (private key encryption) + * operation, where the signature is (will be) an appendix to + * the data, and plaintext cannot be recovered from the + * signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the signature mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hKey the handle of the signature key + * (PKCS#11 param: CK_OBJECT_HANDLE hKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_SignInit(long hSession, CK_MECHANISM pMechanism, + long hKey) throws PKCS11Exception; + + + /** + * C_Sign signs (encrypts with private key) data in a single + * part, where the signature is (will be) an appendix to the + * data, and plaintext cannot be recovered from the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pData the data to sign and the data's length + * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) + * @return the signature and the signature's length + * (PKCS#11 param: CK_BYTE_PTR pSignature, + * CK_ULONG_PTR pulSignatureLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pData <> null) + * @postconditions (result <> null) + */ + public native byte[] C_Sign(long hSession, byte[] pData) + throws PKCS11Exception; + + + /** + * C_SignUpdate continues a multiple-part signature operation, + * where the signature is (will be) an appendix to the data, + * and plaintext cannot be recovered from the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pPart the data part to sign and the data part's length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pPart <> null) + * @postconditions + */ + public native void C_SignUpdate(long hSession, long directIn, byte[] in, + int inOfs, int inLen) throws PKCS11Exception; + + + /** + * C_SignFinal finishes a multiple-part signature operation, + * returning the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @return the signature and the signature's length + * (PKCS#11 param: CK_BYTE_PTR pSignature, + * CK_ULONG_PTR pulSignatureLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native byte[] C_SignFinal(long hSession, int expectedLen) + throws PKCS11Exception; + + + /** + * C_SignRecoverInit initializes a signature operation, where + * the data can be recovered from the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the signature mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hKey the handle of the signature key + * (PKCS#11 param: CK_OBJECT_HANDLE hKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_SignRecoverInit(long hSession, CK_MECHANISM pMechanism, + long hKey) throws PKCS11Exception; + + + /** + * C_SignRecover signs data in a single operation, where the + * data can be recovered from the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pData the data to sign and the data's length + * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) + * @return the signature and the signature's length + * (PKCS#11 param: CK_BYTE_PTR pSignature, + * CK_ULONG_PTR pulSignatureLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pData <> null) + * @postconditions (result <> null) + */ + public native int C_SignRecover(long hSession, byte[] in, int inOfs, + int inLen, byte[] out, int outOufs, int outLen) + throws PKCS11Exception; + + + +/* ***************************************************************************** + * Verifying signatures and MACs + ******************************************************************************/ + + /** + * C_VerifyInit initializes a verification operation, where the + * signature is an appendix to the data, and plaintext cannot + * cannot be recovered from the signature (e.g. DSA). + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the verification mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hKey the handle of the verification key + * (PKCS#11 param: CK_OBJECT_HANDLE hKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, + long hKey) throws PKCS11Exception; + + + /** + * C_Verify verifies a signature in a single-part operation, + * where the signature is an appendix to the data, and plaintext + * cannot be recovered from the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pData the signed data and the signed data's length + * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen) + * @param pSignature the signature to verify and the signature's length + * (PKCS#11 param: CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pData <> null) and (pSignature <> null) + * @postconditions + */ + public native void C_Verify(long hSession, byte[] pData, byte[] pSignature) + throws PKCS11Exception; + + + /** + * C_VerifyUpdate continues a multiple-part verification + * operation, where the signature is an appendix to the data, + * and plaintext cannot be recovered from the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pPart the signed data part and the signed data part's length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pPart <> null) + * @postconditions + */ + public native void C_VerifyUpdate(long hSession, long directIn, byte[] in, + int inOfs, int inLen) throws PKCS11Exception; + + + /** + * C_VerifyFinal finishes a multiple-part verification + * operation, checking the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pSignature the signature to verify and the signature's length + * (PKCS#11 param: CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pSignature <> null) + * @postconditions + */ + public native void C_VerifyFinal(long hSession, byte[] pSignature) + throws PKCS11Exception; + + + /** + * C_VerifyRecoverInit initializes a signature verification + * operation, where the data is recovered from the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the verification mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hKey the handle of the verification key + * (PKCS#11 param: CK_OBJECT_HANDLE hKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native void C_VerifyRecoverInit(long hSession, + CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; + + + /** + * C_VerifyRecover verifies a signature in a single-part + * operation, where the data is recovered from the signature. + * (Signing and MACing) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pSignature the signature to verify and the signature's length + * (PKCS#11 param: CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) + * @return the recovered data and the recovered data's length + * (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pSignature <> null) + * @postconditions (result <> null) + */ + public native int C_VerifyRecover(long hSession, byte[] in, int inOfs, + int inLen, byte[] out, int outOufs, int outLen) + throws PKCS11Exception; + + + +/* ***************************************************************************** + * Dual-function cryptographic operations + ******************************************************************************/ + + /** + * C_DigestEncryptUpdate continues a multiple-part digesting + * and encryption operation. + * (Dual-function cryptographic operations) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pPart the data part to digest and to encrypt and the data's length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) + * @return the digested and encrypted data part and the data part's length + * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, + * CK_ULONG_PTR pulEncryptedPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pPart <> null) + * @postconditions + */ +// public native byte[] C_DigestEncryptUpdate(long hSession, byte[] pPart) +// throws PKCS11Exception; + + + /** + * C_DecryptDigestUpdate continues a multiple-part decryption and + * digesting operation. + * (Dual-function cryptographic operations) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pEncryptedPart the encrypted data part to decrypt and to digest + * and encrypted data part's length + * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, + * CK_ULONG ulEncryptedPartLen) + * @return the decrypted and digested data part and the data part's length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pEncryptedPart <> null) + * @postconditions + */ +// public native byte[] C_DecryptDigestUpdate(long hSession, +// byte[] pEncryptedPart) throws PKCS11Exception; + + + /** + * C_SignEncryptUpdate continues a multiple-part signing and + * encryption operation. + * (Dual-function cryptographic operations) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pPart the data part to sign and to encrypt and the data part's + * length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen) + * @return the signed and encrypted data part and the data part's length + * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, + * CK_ULONG_PTR pulEncryptedPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pPart <> null) + * @postconditions + */ +// public native byte[] C_SignEncryptUpdate(long hSession, byte[] pPart) +// throws PKCS11Exception; + + + /** + * C_DecryptVerifyUpdate continues a multiple-part decryption and + * verify operation. + * (Dual-function cryptographic operations) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pEncryptedPart the encrypted data part to decrypt and to verify + * and the data part's length + * (PKCS#11 param: CK_BYTE_PTR pEncryptedPart, + * CK_ULONG ulEncryptedPartLen) + * @return the decrypted and verified data part and the data part's length + * (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pEncryptedPart <> null) + * @postconditions + */ +// public native byte[] C_DecryptVerifyUpdate(long hSession, +// byte[] pEncryptedPart) throws PKCS11Exception; + + + +/* ***************************************************************************** + * Key management + ******************************************************************************/ + + /** + * C_GenerateKey generates a secret key, creating a new key + * object. + * (Key management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the key generation mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param pTemplate the template for the new key and the number of + * attributes in the template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) + * @return the handle of the new key + * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native long C_GenerateKey(long hSession, CK_MECHANISM pMechanism, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; + + + /** + * C_GenerateKeyPair generates a public-key/private-key pair, + * creating new key objects. + * (Key management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the key generation mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param pPublicKeyTemplate the template for the new public key and the + * number of attributes in the template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pPublicKeyTemplate, + * CK_ULONG ulPublicKeyAttributeCount) + * @param pPrivateKeyTemplate the template for the new private key and the + * number of attributes in the template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pPrivateKeyTemplate + * CK_ULONG ulPrivateKeyAttributeCount) + * @return a long array with exactly two elements and the public key handle + * as the first element and the private key handle as the second + * element + * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phPublicKey, + * CK_OBJECT_HANDLE_PTR phPrivateKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pMechanism <> null) + * @postconditions (result <> null) and (result.length == 2) + */ + public native long[] C_GenerateKeyPair(long hSession, + CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate, + CK_ATTRIBUTE[] pPrivateKeyTemplate) throws PKCS11Exception; + + + + /** + * C_WrapKey wraps (i.e., encrypts) a key. + * (Key management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the wrapping mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hWrappingKey the handle of the wrapping key + * (PKCS#11 param: CK_OBJECT_HANDLE hWrappingKey) + * @param hKey the handle of the key to be wrapped + * (PKCS#11 param: CK_OBJECT_HANDLE hKey) + * @return the wrapped key and the length of the wrapped key + * (PKCS#11 param: CK_BYTE_PTR pWrappedKey, + * CK_ULONG_PTR pulWrappedKeyLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions (result <> null) + */ + public native byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, + long hWrappingKey, long hKey) throws PKCS11Exception; + + + /** + * C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new + * key object. + * (Key management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the unwrapping mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hUnwrappingKey the handle of the unwrapping key + * (PKCS#11 param: CK_OBJECT_HANDLE hUnwrappingKey) + * @param pWrappedKey the wrapped key to unwrap and the wrapped key's length + * (PKCS#11 param: CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen) + * @param pTemplate the template for the new key and the number of + * attributes in the template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) + * @return the handle of the unwrapped key + * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pWrappedKey <> null) + * @postconditions + */ + public native long C_UnwrapKey(long hSession, CK_MECHANISM pMechanism, + long hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate) + throws PKCS11Exception; + + + /** + * C_DeriveKey derives a key from a base key, creating a new key + * object. + * (Key management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pMechanism the key derivation mechanism + * (PKCS#11 param: CK_MECHANISM_PTR pMechanism) + * @param hBaseKey the handle of the base key + * (PKCS#11 param: CK_OBJECT_HANDLE hBaseKey) + * @param pTemplate the template for the new key and the number of + * attributes in the template + * (PKCS#11 param: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) + * @return the handle of the derived key + * (PKCS#11 param: CK_OBJECT_HANDLE_PTR phKey) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ + public native long C_DeriveKey(long hSession, CK_MECHANISM pMechanism, + long hBaseKey, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; + + + +/* ***************************************************************************** + * Random number generation + ******************************************************************************/ + + /** + * C_SeedRandom mixes additional seed material into the token's + * random number generator. + * (Random number generation) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param pSeed the seed material and the seed material's length + * (PKCS#11 param: CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pSeed <> null) + * @postconditions + */ + public native void C_SeedRandom(long hSession, byte[] pSeed) + throws PKCS11Exception; + + + /** + * C_GenerateRandom generates random data. + * (Random number generation) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @param RandomData receives the random data and the length of RandomData + * is the length of random data to be generated + * (PKCS#11 param: CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (randomData <> null) + * @postconditions + */ + public native void C_GenerateRandom(long hSession, byte[] randomData) + throws PKCS11Exception; + + + +/* ***************************************************************************** + * Parallel function management + ******************************************************************************/ + + /** + * C_GetFunctionStatus is a legacy function; it obtains an + * updated status of a function running in parallel with an + * application. + * (Parallel function management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ +// public native void C_GetFunctionStatus(long hSession) +// throws PKCS11Exception; + + + /** + * C_CancelFunction is a legacy function; it cancels a function + * running in parallel. + * (Parallel function management) + * + * @param hSession the session's handle + * (PKCS#11 param: CK_SESSION_HANDLE hSession) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions + * @postconditions + */ +// public native void C_CancelFunction(long hSession) throws PKCS11Exception; + + + +/* ***************************************************************************** + * Functions added in for Cryptoki Version 2.01 or later + ******************************************************************************/ + + /** + * C_WaitForSlotEvent waits for a slot event (token insertion, + * removal, etc.) to occur. + * (General-purpose) + * + * @param flags blocking/nonblocking flag + * (PKCS#11 param: CK_FLAGS flags) + * @param pReserved reserved. Should be null + * (PKCS#11 param: CK_VOID_PTR pReserved) + * @return the slot ID where the event occurred + * (PKCS#11 param: CK_SLOT_ID_PTR pSlot) + * @exception PKCS11Exception If function returns other value than CKR_OK. + * @preconditions (pRserved == null) + * @postconditions + */ +// public native long C_WaitForSlotEvent(long flags, Object pRserved) +// throws PKCS11Exception; + + /** + * Returns the string representation of this object. + * + * @return The string representation of object + */ + public String toString() { + return "Module name: " + pkcs11ModulePath; + } + + /** + * Calls disconnect() to cleanup the native part of the wrapper. Once this + * method is called, this object cannot be used any longer. Any subsequent + * call to a C_* method will result in a runtime exception. + * + * @exception Throwable If finalization fails. + */ + protected void finalize() throws Throwable { + disconnect(); + } + +// PKCS11 subclass that has all methods synchronized and delegating to the +// parent. Used for tokens that only support single threaded access +static class SynchronizedPKCS11 extends PKCS11 { + + SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) + throws IOException { + super(pkcs11ModulePath, functionListName); + } + + synchronized void C_Initialize(Object pInitArgs) throws PKCS11Exception { + super.C_Initialize(pInitArgs); + } + + public synchronized void C_Finalize(Object pReserved) + throws PKCS11Exception { + super.C_Finalize(pReserved); + } + + public synchronized CK_INFO C_GetInfo() throws PKCS11Exception { + return super.C_GetInfo(); + } + + public synchronized long[] C_GetSlotList(boolean tokenPresent) + throws PKCS11Exception { + return super.C_GetSlotList(tokenPresent); + } + + public synchronized CK_SLOT_INFO C_GetSlotInfo(long slotID) + throws PKCS11Exception { + return super.C_GetSlotInfo(slotID); + } + + public synchronized CK_TOKEN_INFO C_GetTokenInfo(long slotID) + throws PKCS11Exception { + return super.C_GetTokenInfo(slotID); + } + + public synchronized long[] C_GetMechanismList(long slotID) + throws PKCS11Exception { + return super.C_GetMechanismList(slotID); + } + + public synchronized CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, + long type) throws PKCS11Exception { + return super.C_GetMechanismInfo(slotID, type); + } + + public synchronized long C_OpenSession(long slotID, long flags, + Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception { + return super.C_OpenSession(slotID, flags, pApplication, Notify); + } + + public synchronized void C_CloseSession(long hSession) + throws PKCS11Exception { + super.C_CloseSession(hSession); + } + + public synchronized CK_SESSION_INFO C_GetSessionInfo(long hSession) + throws PKCS11Exception { + return super.C_GetSessionInfo(hSession); + } + + public synchronized void C_Login(long hSession, long userType, char[] pPin) + throws PKCS11Exception { + super.C_Login(hSession, userType, pPin); + } + + public synchronized void C_Logout(long hSession) throws PKCS11Exception { + super.C_Logout(hSession); + } + + public synchronized long C_CreateObject(long hSession, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + return super.C_CreateObject(hSession, pTemplate); + } + + public synchronized long C_CopyObject(long hSession, long hObject, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + return super.C_CopyObject(hSession, hObject, pTemplate); + } + + public synchronized void C_DestroyObject(long hSession, long hObject) + throws PKCS11Exception { + super.C_DestroyObject(hSession, hObject); + } + + public synchronized void C_GetAttributeValue(long hSession, long hObject, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + super.C_GetAttributeValue(hSession, hObject, pTemplate); + } + + public synchronized void C_SetAttributeValue(long hSession, long hObject, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + super.C_SetAttributeValue(hSession, hObject, pTemplate); + } + + public synchronized void C_FindObjectsInit(long hSession, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + super.C_FindObjectsInit(hSession, pTemplate); + } + + public synchronized long[] C_FindObjects(long hSession, + long ulMaxObjectCount) throws PKCS11Exception { + return super.C_FindObjects(hSession, ulMaxObjectCount); + } + + public synchronized void C_FindObjectsFinal(long hSession) + throws PKCS11Exception { + super.C_FindObjectsFinal(hSession); + } + + public synchronized void C_EncryptInit(long hSession, + CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { + super.C_EncryptInit(hSession, pMechanism, hKey); + } + + public synchronized int C_Encrypt(long hSession, byte[] in, int inOfs, + int inLen, byte[] out, int outOfs, int outLen) + throws PKCS11Exception { + return super.C_Encrypt(hSession, in, inOfs, inLen, out, outOfs, outLen); + } + + public synchronized int C_EncryptUpdate(long hSession, long directIn, + byte[] in, int inOfs, int inLen, long directOut, byte[] out, + int outOfs, int outLen) throws PKCS11Exception { + return super.C_EncryptUpdate(hSession, directIn, in, inOfs, inLen, + directOut, out, outOfs, outLen); + } + + public synchronized int C_EncryptFinal(long hSession, long directOut, + byte[] out, int outOfs, int outLen) throws PKCS11Exception { + return super.C_EncryptFinal(hSession, directOut, out, outOfs, outLen); + } + + public synchronized void C_DecryptInit(long hSession, + CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { + super.C_DecryptInit(hSession, pMechanism, hKey); + } + + public synchronized int C_Decrypt(long hSession, byte[] in, int inOfs, + int inLen, byte[] out, int outOfs, int outLen) + throws PKCS11Exception { + return super.C_Decrypt(hSession, in, inOfs, inLen, out, outOfs, outLen); + } + + public synchronized int C_DecryptUpdate(long hSession, long directIn, + byte[] in, int inOfs, int inLen, long directOut, byte[] out, + int outOfs, int outLen) throws PKCS11Exception { + return super.C_DecryptUpdate(hSession, directIn, in, inOfs, inLen, + directOut, out, outOfs, outLen); + } + + public synchronized int C_DecryptFinal(long hSession, long directOut, + byte[] out, int outOfs, int outLen) throws PKCS11Exception { + return super.C_DecryptFinal(hSession, directOut, out, outOfs, outLen); + } + + public synchronized void C_DigestInit(long hSession, CK_MECHANISM pMechanism) + throws PKCS11Exception { + super.C_DigestInit(hSession, pMechanism); + } + + public synchronized int C_DigestSingle(long hSession, + CK_MECHANISM pMechanism, byte[] in, int inOfs, int inLen, + byte[] digest, int digestOfs, int digestLen) throws PKCS11Exception { + return super.C_DigestSingle(hSession, pMechanism, in, inOfs, inLen, + digest, digestOfs, digestLen); + } + + public synchronized void C_DigestUpdate(long hSession, long directIn, + byte[] in, int inOfs, int inLen) throws PKCS11Exception { + super.C_DigestUpdate(hSession, directIn, in, inOfs, inLen); + } + + public synchronized void C_DigestKey(long hSession, long hKey) + throws PKCS11Exception { + super.C_DigestKey(hSession, hKey); + } + + public synchronized int C_DigestFinal(long hSession, byte[] pDigest, + int digestOfs, int digestLen) throws PKCS11Exception { + return super.C_DigestFinal(hSession, pDigest, digestOfs, digestLen); + } + + public synchronized void C_SignInit(long hSession, CK_MECHANISM pMechanism, + long hKey) throws PKCS11Exception { + super.C_SignInit(hSession, pMechanism, hKey); + } + + public synchronized byte[] C_Sign(long hSession, byte[] pData) + throws PKCS11Exception { + return super.C_Sign(hSession, pData); + } + + public synchronized void C_SignUpdate(long hSession, long directIn, + byte[] in, int inOfs, int inLen) throws PKCS11Exception { + super.C_SignUpdate(hSession, directIn, in, inOfs, inLen); + } + + public synchronized byte[] C_SignFinal(long hSession, int expectedLen) + throws PKCS11Exception { + return super.C_SignFinal(hSession, expectedLen); + } + + public synchronized void C_SignRecoverInit(long hSession, + CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { + super.C_SignRecoverInit(hSession, pMechanism, hKey); + } + + public synchronized int C_SignRecover(long hSession, byte[] in, int inOfs, + int inLen, byte[] out, int outOufs, int outLen) + throws PKCS11Exception { + return super.C_SignRecover(hSession, in, inOfs, inLen, out, outOufs, + outLen); + } + + public synchronized void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, + long hKey) throws PKCS11Exception { + super.C_VerifyInit(hSession, pMechanism, hKey); + } + + public synchronized void C_Verify(long hSession, byte[] pData, + byte[] pSignature) throws PKCS11Exception { + super.C_Verify(hSession, pData, pSignature); + } + + public synchronized void C_VerifyUpdate(long hSession, long directIn, + byte[] in, int inOfs, int inLen) throws PKCS11Exception { + super.C_VerifyUpdate(hSession, directIn, in, inOfs, inLen); + } + + public synchronized void C_VerifyFinal(long hSession, byte[] pSignature) + throws PKCS11Exception { + super.C_VerifyFinal(hSession, pSignature); + } + + public synchronized void C_VerifyRecoverInit(long hSession, + CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { + super.C_VerifyRecoverInit(hSession, pMechanism, hKey); + } + + public synchronized int C_VerifyRecover(long hSession, byte[] in, int inOfs, + int inLen, byte[] out, int outOufs, int outLen) + throws PKCS11Exception { + return super.C_VerifyRecover(hSession, in, inOfs, inLen, out, outOufs, + outLen); + } + + public synchronized long C_GenerateKey(long hSession, + CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate) + throws PKCS11Exception { + return super.C_GenerateKey(hSession, pMechanism, pTemplate); + } + + public synchronized long[] C_GenerateKeyPair(long hSession, + CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate, + CK_ATTRIBUTE[] pPrivateKeyTemplate) + throws PKCS11Exception { + return super.C_GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate, + pPrivateKeyTemplate); + } + + public synchronized byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, + long hWrappingKey, long hKey) throws PKCS11Exception { + return super.C_WrapKey(hSession, pMechanism, hWrappingKey, hKey); + } + + public synchronized long C_UnwrapKey(long hSession, CK_MECHANISM pMechanism, + long hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate) + throws PKCS11Exception { + return super.C_UnwrapKey(hSession, pMechanism, hUnwrappingKey, + pWrappedKey, pTemplate); + } + + public synchronized long C_DeriveKey(long hSession, CK_MECHANISM pMechanism, + long hBaseKey, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + return super.C_DeriveKey(hSession, pMechanism, hBaseKey, pTemplate); + } + + public synchronized void C_SeedRandom(long hSession, byte[] pSeed) + throws PKCS11Exception { + super.C_SeedRandom(hSession, pSeed); + } + + public synchronized void C_GenerateRandom(long hSession, byte[] randomData) + throws PKCS11Exception { + super.C_GenerateRandom(hSession, randomData); + } +} +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java 2017-01-20 09:52:52.974288404 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,966 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - -/** - * This interface holds constants of the PKCS#11 v2.11 standard. - * This is mainly the content of the 'pkcs11t.h' header file. - * - * Mapping of primitiv data types to Java types: - * 
- *   TRUE .......................................... true
- *   FALSE ......................................... false
- *   CK_BYTE ....................................... byte
- *   CK_CHAR ....................................... char
- *   CK_UTF8CHAR ................................... char
- *   CK_BBOOL ...................................... boolean
- *   CK_ULONG ...................................... long
- *   CK_LONG ....................................... long
- *   CK_FLAGS ...................................... long
- *   CK_NOTIFICATION ............................... long
- *   CK_SLOT_ID .................................... long
- *   CK_SESSION_HANDLE ............................. long
- *   CK_USER_TYPE .................................. long
- *   CK_SESSION_HANDLE ............................. long
- *   CK_STATE ...................................... long
- *   CK_OBJECT_HANDLE .............................. long
- *   CK_OBJECT_CLASS ............................... long
- *   CK_HW_FEATURE_TYPE ............................ long
- *   CK_KEY_TYPE ................................... long
- *   CK_CERTIFICATE_TYPE ........................... long
- *   CK_ATTRIBUTE_TYPE ............................. long
- *   CK_VOID_PTR ................................... Object[]
- *   CK_BYTE_PTR ................................... byte[]
- *   CK_CHAR_PTR ................................... char[]
- *   CK_UTF8CHAR_PTR ............................... char[]
- *   CK_MECHANISM_TYPE ............................. long
- *   CK_RV ......................................... long
- *   CK_RSA_PKCS_OAEP_MGF_TYPE ..................... long
- *   CK_RSA_PKCS_OAEP_SOURCE_TYPE .................. long
- *   CK_RC2_PARAMS ................................. long
- *   CK_MAC_GENERAL_PARAMS ......................... long
- *   CK_EXTRACT_PARAMS ............................. long
- *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE .... long
- *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE .............. long
- *   CK_EC_KDF_TYPE ................................ long
- *   CK_X9_42_DH_KDF_TYPE .......................... long
- *
- * - * @author Karl Scheibelhofer - * @invariants - */ -public interface PKCS11Constants { - - public static final boolean TRUE = true; - - public static final boolean FALSE = false; - - public static final Object NULL_PTR = null; - - /* some special values for certain CK_ULONG variables */ - - // Cryptoki defines CK_UNAVAILABLE_INFORMATION as (~0UL) - // This means it is 0xffffffff in ILP32/LLP64 but 0xffffffffffffffff in LP64. - // To avoid these differences on the Java side, the native code treats - // CK_UNAVAILABLE_INFORMATION specially and always returns (long)-1 for it. - // See ckULongSpecialToJLong() in pkcs11wrapper.h - public static final long CK_UNAVAILABLE_INFORMATION = -1; - public static final long CK_EFFECTIVELY_INFINITE = 0L; - - /* The following value is always invalid if used as a session */ - /* handle or object handle */ - public static final long CK_INVALID_HANDLE = 0L; - - /* CK_NOTIFICATION enumerates the types of notifications that - * Cryptoki provides to an application */ - /* CK_NOTIFICATION has been changed from an enum to a CK_ULONG - * for v2.0 */ - public static final long CKN_SURRENDER = 0L; - - /* flags: bit flags that provide capabilities of the slot - * Bit Flag Mask Meaning - */ - public static final long CKF_TOKEN_PRESENT = 0x00000001L; - public static final long CKF_REMOVABLE_DEVICE = 0x00000002L; - public static final long CKF_HW_SLOT = 0x00000004L; - - /* The flags parameter is defined as follows: - * Bit Flag Mask Meaning - */ - /* has random # generator */ - public static final long CKF_RNG = 0x00000001L; - - /* token is write-protected */ - public static final long CKF_WRITE_PROTECTED = 0x00000002L; - - /* user must login */ - public static final long CKF_LOGIN_REQUIRED = 0x00000004L; - - /* normal user's PIN is set */ - public static final long CKF_USER_PIN_INITIALIZED = 0x00000008L; - - /* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set, - * that means that *every* time the state of cryptographic - * operations of a session is successfully saved, all keys - * needed to continue those operations are stored in the state */ - public static final long CKF_RESTORE_KEY_NOT_NEEDED = 0x00000020L; - - /* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means - * that the token has some sort of clock. The time on that - * clock is returned in the token info structure */ - public static final long CKF_CLOCK_ON_TOKEN = 0x00000040L; - - /* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is - * set, that means that there is some way for the user to login - * without sending a PIN through the Cryptoki library itself */ - public static final long CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100L; - - /* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true, - * that means that a single session with the token can perform - * dual simultaneous cryptographic operations (digest and - * encrypt; decrypt and digest; sign and encrypt; and decrypt - * and sign) */ - public static final long CKF_DUAL_CRYPTO_OPERATIONS = 0x00000200L; - - /* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the - * token has been initialized using C_InitializeToken or an - * equivalent mechanism outside the scope of PKCS #11. - * Calling C_InitializeToken when this flag is set will cause - * the token to be reinitialized. */ - public static final long CKF_TOKEN_INITIALIZED = 0x00000400L; - - /* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is - * true, the token supports secondary authentication for - * private key objects. */ - public static final long CKF_SECONDARY_AUTHENTICATION = 0x00000800L; - - /* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an - * incorrect user login PIN has been entered at least once - * since the last successful authentication. */ - public static final long CKF_USER_PIN_COUNT_LOW = 0x00010000L; - - /* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true, - * supplying an incorrect user PIN will it to become locked. */ - public static final long CKF_USER_PIN_FINAL_TRY = 0x00020000L; - - /* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the - * user PIN has been locked. User login to the token is not - * possible. */ - public static final long CKF_USER_PIN_LOCKED = 0x00040000L; - - /* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, - * the user PIN value is the default value set by token - * initialization or manufacturing. */ - public static final long CKF_USER_PIN_TO_BE_CHANGED = 0x00080000L; - - /* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an - * incorrect SO login PIN has been entered at least once since - * the last successful authentication. */ - public static final long CKF_SO_PIN_COUNT_LOW = 0x00100000L; - - /* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true, - * supplying an incorrect SO PIN will it to become locked. */ - public static final long CKF_SO_PIN_FINAL_TRY = 0x00200000L; - - /* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO - * PIN has been locked. SO login to the token is not possible. - */ - public static final long CKF_SO_PIN_LOCKED = 0x00400000L; - - /* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, - * the SO PIN value is the default value set by token - * initialization or manufacturing. */ - public static final long CKF_SO_PIN_TO_BE_CHANGED = 0x00800000L; - - - /* CK_USER_TYPE enumerates the types of Cryptoki users */ - /* CK_USER_TYPE has been changed from an enum to a CK_ULONG for - * v2.0 */ - /* Security Officer */ - public static final long CKU_SO = 0L; - /* Normal user */ - public static final long CKU_USER = 1L; - - /* CK_STATE enumerates the session states */ - /* CK_STATE has been changed from an enum to a CK_ULONG for - * v2.0 */ - public static final long CKS_RO_PUBLIC_SESSION = 0L; - public static final long CKS_RO_USER_FUNCTIONS = 1L; - public static final long CKS_RW_PUBLIC_SESSION = 2L; - public static final long CKS_RW_USER_FUNCTIONS = 3L; - public static final long CKS_RW_SO_FUNCTIONS = 4L; - - - /* The flags are defined in the following table: - * Bit Flag Mask Meaning - */ - /* session is r/w */ - public static final long CKF_RW_SESSION = 0x00000002L; - /* no parallel */ - public static final long CKF_SERIAL_SESSION = 0x00000004L; - - - /* The following classes of objects are defined: */ - /* CKO_HW_FEATURE is new for v2.10 */ - /* CKO_DOMAIN_PARAMETERS is new for v2.11 */ - public static final long CKO_DATA = 0x00000000L; - public static final long CKO_CERTIFICATE = 0x00000001L; - public static final long CKO_PUBLIC_KEY = 0x00000002L; - public static final long CKO_PRIVATE_KEY = 0x00000003L; - public static final long CKO_SECRET_KEY = 0x00000004L; - public static final long CKO_HW_FEATURE = 0x00000005L; - public static final long CKO_DOMAIN_PARAMETERS = 0x00000006L; - public static final long CKO_VENDOR_DEFINED = 0x80000000L; - - // pseudo object class ANY (for template manager) - public static final long PCKO_ANY = 0x7FFFFF23L; - - - /* The following hardware feature types are defined */ - public static final long CKH_MONOTONIC_COUNTER = 0x00000001L; - public static final long CKH_CLOCK = 0x00000002L; - public static final long CKH_VENDOR_DEFINED = 0x80000000L; - - /* the following key types are defined: */ - public static final long CKK_RSA = 0x00000000L; - public static final long CKK_DSA = 0x00000001L; - public static final long CKK_DH = 0x00000002L; - - /* CKK_ECDSA and CKK_KEA are new for v2.0 */ - /* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */ - public static final long CKK_ECDSA = 0x00000003L; - public static final long CKK_EC = 0x00000003L; - public static final long CKK_X9_42_DH = 0x00000004L; - public static final long CKK_KEA = 0x00000005L; - - public static final long CKK_GENERIC_SECRET = 0x00000010L; - public static final long CKK_RC2 = 0x00000011L; - public static final long CKK_RC4 = 0x00000012L; - public static final long CKK_DES = 0x00000013L; - public static final long CKK_DES2 = 0x00000014L; - public static final long CKK_DES3 = 0x00000015L; - - /* all these key types are new for v2.0 */ - public static final long CKK_CAST = 0x00000016L; - public static final long CKK_CAST3 = 0x00000017L; - /* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */ - public static final long CKK_CAST5 = 0x00000018L; - /* CAST128=CAST5 */ - public static final long CKK_CAST128 = 0x00000018L; - public static final long CKK_RC5 = 0x00000019L; - public static final long CKK_IDEA = 0x0000001AL; - public static final long CKK_SKIPJACK = 0x0000001BL; - public static final long CKK_BATON = 0x0000001CL; - public static final long CKK_JUNIPER = 0x0000001DL; - public static final long CKK_CDMF = 0x0000001EL; - public static final long CKK_AES = 0x0000001FL; - // v2.20 - public static final long CKK_BLOWFISH = 0x00000020L; - - public static final long CKK_VENDOR_DEFINED = 0x80000000L; - - // new for v2.20 amendment 3 - //public static final long CKK_CAMELLIA = 0x00000025L; - //public static final long CKK_ARIA = 0x00000026L; - - // pseudo key type ANY (for template manager) - public static final long PCKK_ANY = 0x7FFFFF22L; - - public static final long PCKK_HMAC = 0x7FFFFF23L; - public static final long PCKK_SSLMAC = 0x7FFFFF24L; - public static final long PCKK_TLSPREMASTER = 0x7FFFFF25L; - public static final long PCKK_TLSRSAPREMASTER = 0x7FFFFF26L; - public static final long PCKK_TLSMASTER = 0x7FFFFF27L; - - /* The following certificate types are defined: */ - /* CKC_X_509_ATTR_CERT is new for v2.10 */ - public static final long CKC_X_509 = 0x00000000L; - public static final long CKC_X_509_ATTR_CERT = 0x00000001L; - public static final long CKC_VENDOR_DEFINED = 0x80000000L; - - - /* The following attribute types are defined: */ - public static final long CKA_CLASS = 0x00000000L; - public static final long CKA_TOKEN = 0x00000001L; - public static final long CKA_PRIVATE = 0x00000002L; - public static final long CKA_LABEL = 0x00000003L; - public static final long CKA_APPLICATION = 0x00000010L; - public static final long CKA_VALUE = 0x00000011L; - - /* CKA_OBJECT_ID is new for v2.10 */ - public static final long CKA_OBJECT_ID = 0x00000012L; - - public static final long CKA_CERTIFICATE_TYPE = 0x00000080L; - public static final long CKA_ISSUER = 0x00000081L; - public static final long CKA_SERIAL_NUMBER = 0x00000082L; - - /* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new L; - * for v2.10 */ - public static final long CKA_AC_ISSUER = 0x00000083L; - public static final long CKA_OWNER = 0x00000084L; - public static final long CKA_ATTR_TYPES = 0x00000085L; - - /* CKA_TRUSTED is new for v2.11 */ - public static final long CKA_TRUSTED = 0x00000086L; - - public static final long CKA_KEY_TYPE = 0x00000100L; - public static final long CKA_SUBJECT = 0x00000101L; - public static final long CKA_ID = 0x00000102L; - public static final long CKA_SENSITIVE = 0x00000103L; - public static final long CKA_ENCRYPT = 0x00000104L; - public static final long CKA_DECRYPT = 0x00000105L; - public static final long CKA_WRAP = 0x00000106L; - public static final long CKA_UNWRAP = 0x00000107L; - public static final long CKA_SIGN = 0x00000108L; - public static final long CKA_SIGN_RECOVER = 0x00000109L; - public static final long CKA_VERIFY = 0x0000010AL; - public static final long CKA_VERIFY_RECOVER = 0x0000010BL; - public static final long CKA_DERIVE = 0x0000010CL; - public static final long CKA_START_DATE = 0x00000110L; - public static final long CKA_END_DATE = 0x00000111L; - public static final long CKA_MODULUS = 0x00000120L; - public static final long CKA_MODULUS_BITS = 0x00000121L; - public static final long CKA_PUBLIC_EXPONENT = 0x00000122L; - public static final long CKA_PRIVATE_EXPONENT = 0x00000123L; - public static final long CKA_PRIME_1 = 0x00000124L; - public static final long CKA_PRIME_2 = 0x00000125L; - public static final long CKA_EXPONENT_1 = 0x00000126L; - public static final long CKA_EXPONENT_2 = 0x00000127L; - public static final long CKA_COEFFICIENT = 0x00000128L; - public static final long CKA_PRIME = 0x00000130L; - public static final long CKA_SUBPRIME = 0x00000131L; - public static final long CKA_BASE = 0x00000132L; - - /* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */ - public static final long CKA_PRIME_BITS = 0x00000133L; - public static final long CKA_SUB_PRIME_BITS = 0x00000134L; - - public static final long CKA_VALUE_BITS = 0x00000160L; - public static final long CKA_VALUE_LEN = 0x00000161L; - - /* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE, - * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS, - * and CKA_EC_POINT are new for v2.0 */ - public static final long CKA_EXTRACTABLE = 0x00000162L; - public static final long CKA_LOCAL = 0x00000163L; - public static final long CKA_NEVER_EXTRACTABLE = 0x00000164L; - public static final long CKA_ALWAYS_SENSITIVE = 0x00000165L; - - /* CKA_KEY_GEN_MECHANISM is new for v2.11 */ - public static final long CKA_KEY_GEN_MECHANISM = 0x00000166L; - - public static final long CKA_MODIFIABLE = 0x00000170L; - - /* CKA_ECDSA_PARAMS is deprecated in v2.11, - * CKA_EC_PARAMS is preferred. */ - public static final long CKA_ECDSA_PARAMS = 0x00000180L; - public static final long CKA_EC_PARAMS = 0x00000180L; - public static final long CKA_EC_POINT = 0x00000181L; - - /* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, - * CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET - * are new for v2.10 */ - public static final long CKA_SECONDARY_AUTH = 0x00000200L; - public static final long CKA_AUTH_PIN_FLAGS = 0x00000201L; - public static final long CKA_HW_FEATURE_TYPE = 0x00000300L; - public static final long CKA_RESET_ON_INIT = 0x00000301L; - public static final long CKA_HAS_RESET = 0x00000302L; - - public static final long CKA_VENDOR_DEFINED = 0x80000000L; - - /* the following mechanism types are defined: */ - public static final long CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000L; - public static final long CKM_RSA_PKCS = 0x00000001L; - public static final long CKM_RSA_9796 = 0x00000002L; - public static final long CKM_RSA_X_509 = 0x00000003L; - - /* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS - * are new for v2.0. They are mechanisms which hash and sign */ - public static final long CKM_MD2_RSA_PKCS = 0x00000004L; - public static final long CKM_MD5_RSA_PKCS = 0x00000005L; - public static final long CKM_SHA1_RSA_PKCS = 0x00000006L; - - /* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and - * CKM_RSA_PKCS_OAEP are new for v2.10 */ - public static final long CKM_RIPEMD128_RSA_PKCS = 0x00000007L; - public static final long CKM_RIPEMD160_RSA_PKCS = 0x00000008L; - public static final long CKM_RSA_PKCS_OAEP = 0x00000009L; - - /* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31, - * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */ - public static final long CKM_RSA_X9_31_KEY_PAIR_GEN = 0x0000000AL; - public static final long CKM_RSA_X9_31 = 0x0000000BL; - public static final long CKM_SHA1_RSA_X9_31 = 0x0000000CL; - public static final long CKM_RSA_PKCS_PSS = 0x0000000DL; - public static final long CKM_SHA1_RSA_PKCS_PSS = 0x0000000EL; - - public static final long CKM_DSA_KEY_PAIR_GEN = 0x00000010L; - public static final long CKM_DSA = 0x00000011L; - public static final long CKM_DSA_SHA1 = 0x00000012L; - public static final long CKM_DH_PKCS_KEY_PAIR_GEN = 0x00000020L; - public static final long CKM_DH_PKCS_DERIVE = 0x00000021L; - - /* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE, - * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for - * v2.11 */ - public static final long CKM_X9_42_DH_KEY_PAIR_GEN = 0x00000030L; - public static final long CKM_X9_42_DH_DERIVE = 0x00000031L; - public static final long CKM_X9_42_DH_HYBRID_DERIVE = 0x00000032L; - public static final long CKM_X9_42_MQV_DERIVE = 0x00000033L; - - // v2.20 - public static final long CKM_SHA256_RSA_PKCS = 0x00000040L; - public static final long CKM_SHA384_RSA_PKCS = 0x00000041L; - public static final long CKM_SHA512_RSA_PKCS = 0x00000042L; - - public static final long CKM_RC2_KEY_GEN = 0x00000100L; - public static final long CKM_RC2_ECB = 0x00000101L; - public static final long CKM_RC2_CBC = 0x00000102L; - public static final long CKM_RC2_MAC = 0x00000103L; - - /* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */ - public static final long CKM_RC2_MAC_GENERAL = 0x00000104L; - public static final long CKM_RC2_CBC_PAD = 0x00000105L; - - public static final long CKM_RC4_KEY_GEN = 0x00000110L; - public static final long CKM_RC4 = 0x00000111L; - public static final long CKM_DES_KEY_GEN = 0x00000120L; - public static final long CKM_DES_ECB = 0x00000121L; - public static final long CKM_DES_CBC = 0x00000122L; - public static final long CKM_DES_MAC = 0x00000123L; - - /* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */ - public static final long CKM_DES_MAC_GENERAL = 0x00000124L; - public static final long CKM_DES_CBC_PAD = 0x00000125L; - - public static final long CKM_DES2_KEY_GEN = 0x00000130L; - public static final long CKM_DES3_KEY_GEN = 0x00000131L; - public static final long CKM_DES3_ECB = 0x00000132L; - public static final long CKM_DES3_CBC = 0x00000133L; - public static final long CKM_DES3_MAC = 0x00000134L; - - /* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN, - * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC, - * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */ - public static final long CKM_DES3_MAC_GENERAL = 0x00000135L; - public static final long CKM_DES3_CBC_PAD = 0x00000136L; - public static final long CKM_CDMF_KEY_GEN = 0x00000140L; - public static final long CKM_CDMF_ECB = 0x00000141L; - public static final long CKM_CDMF_CBC = 0x00000142L; - public static final long CKM_CDMF_MAC = 0x00000143L; - public static final long CKM_CDMF_MAC_GENERAL = 0x00000144L; - public static final long CKM_CDMF_CBC_PAD = 0x00000145L; - - public static final long CKM_MD2 = 0x00000200L; - - /* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */ - public static final long CKM_MD2_HMAC = 0x00000201L; - public static final long CKM_MD2_HMAC_GENERAL = 0x00000202L; - - public static final long CKM_MD5 = 0x00000210L; - - /* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */ - public static final long CKM_MD5_HMAC = 0x00000211L; - public static final long CKM_MD5_HMAC_GENERAL = 0x00000212L; - - public static final long CKM_SHA_1 = 0x00000220L; - - /* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */ - public static final long CKM_SHA_1_HMAC = 0x00000221L; - public static final long CKM_SHA_1_HMAC_GENERAL = 0x00000222L; - - /* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, - * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC, - * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */ - public static final long CKM_RIPEMD128 = 0x00000230L; - public static final long CKM_RIPEMD128_HMAC = 0x00000231L; - public static final long CKM_RIPEMD128_HMAC_GENERAL = 0x00000232L; - public static final long CKM_RIPEMD160 = 0x00000240L; - public static final long CKM_RIPEMD160_HMAC = 0x00000241L; - public static final long CKM_RIPEMD160_HMAC_GENERAL = 0x00000242L; - - // v2.20 - public static final long CKM_SHA256 = 0x00000250L; - public static final long CKM_SHA256_HMAC = 0x00000251L; - public static final long CKM_SHA256_HMAC_GENERAL = 0x00000252L; - - public static final long CKM_SHA384 = 0x00000260L; - public static final long CKM_SHA384_HMAC = 0x00000261L; - public static final long CKM_SHA384_HMAC_GENERAL = 0x00000262L; - - public static final long CKM_SHA512 = 0x00000270L; - public static final long CKM_SHA512_HMAC = 0x00000271L; - public static final long CKM_SHA512_HMAC_GENERAL = 0x00000272L; - - /* All of the following mechanisms are new for v2.0 */ - /* Note that CAST128 and CAST5 are the same algorithm */ - public static final long CKM_CAST_KEY_GEN = 0x00000300L; - public static final long CKM_CAST_ECB = 0x00000301L; - public static final long CKM_CAST_CBC = 0x00000302L; - public static final long CKM_CAST_MAC = 0x00000303L; - public static final long CKM_CAST_MAC_GENERAL = 0x00000304L; - public static final long CKM_CAST_CBC_PAD = 0x00000305L; - public static final long CKM_CAST3_KEY_GEN = 0x00000310L; - public static final long CKM_CAST3_ECB = 0x00000311L; - public static final long CKM_CAST3_CBC = 0x00000312L; - public static final long CKM_CAST3_MAC = 0x00000313L; - public static final long CKM_CAST3_MAC_GENERAL = 0x00000314L; - public static final long CKM_CAST3_CBC_PAD = 0x00000315L; - public static final long CKM_CAST5_KEY_GEN = 0x00000320L; - public static final long CKM_CAST128_KEY_GEN = 0x00000320L; - public static final long CKM_CAST5_ECB = 0x00000321L; - public static final long CKM_CAST128_ECB = 0x00000321L; - public static final long CKM_CAST5_CBC = 0x00000322L; - public static final long CKM_CAST128_CBC = 0x00000322L; - public static final long CKM_CAST5_MAC = 0x00000323L; - public static final long CKM_CAST128_MAC = 0x00000323L; - public static final long CKM_CAST5_MAC_GENERAL = 0x00000324L; - public static final long CKM_CAST128_MAC_GENERAL = 0x00000324L; - public static final long CKM_CAST5_CBC_PAD = 0x00000325L; - public static final long CKM_CAST128_CBC_PAD = 0x00000325L; - public static final long CKM_RC5_KEY_GEN = 0x00000330L; - public static final long CKM_RC5_ECB = 0x00000331L; - public static final long CKM_RC5_CBC = 0x00000332L; - public static final long CKM_RC5_MAC = 0x00000333L; - public static final long CKM_RC5_MAC_GENERAL = 0x00000334L; - public static final long CKM_RC5_CBC_PAD = 0x00000335L; - public static final long CKM_IDEA_KEY_GEN = 0x00000340L; - public static final long CKM_IDEA_ECB = 0x00000341L; - public static final long CKM_IDEA_CBC = 0x00000342L; - public static final long CKM_IDEA_MAC = 0x00000343L; - public static final long CKM_IDEA_MAC_GENERAL = 0x00000344L; - public static final long CKM_IDEA_CBC_PAD = 0x00000345L; - public static final long CKM_GENERIC_SECRET_KEY_GEN = 0x00000350L; - public static final long CKM_CONCATENATE_BASE_AND_KEY = 0x00000360L; - public static final long CKM_CONCATENATE_BASE_AND_DATA = 0x00000362L; - public static final long CKM_CONCATENATE_DATA_AND_BASE = 0x00000363L; - public static final long CKM_XOR_BASE_AND_DATA = 0x00000364L; - public static final long CKM_EXTRACT_KEY_FROM_KEY = 0x00000365L; - public static final long CKM_SSL3_PRE_MASTER_KEY_GEN = 0x00000370L; - public static final long CKM_SSL3_MASTER_KEY_DERIVE = 0x00000371L; - public static final long CKM_SSL3_KEY_AND_MAC_DERIVE = 0x00000372L; - - /* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN, - * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and - * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */ - public static final long CKM_SSL3_MASTER_KEY_DERIVE_DH = 0x00000373L; - public static final long CKM_TLS_PRE_MASTER_KEY_GEN = 0x00000374L; - public static final long CKM_TLS_MASTER_KEY_DERIVE = 0x00000375L; - public static final long CKM_TLS_KEY_AND_MAC_DERIVE = 0x00000376L; - public static final long CKM_TLS_MASTER_KEY_DERIVE_DH = 0x00000377L; - public static final long CKM_TLS_PRF = 0x00000378L; - - public static final long CKM_SSL3_MD5_MAC = 0x00000380L; - public static final long CKM_SSL3_SHA1_MAC = 0x00000381L; - public static final long CKM_MD5_KEY_DERIVATION = 0x00000390L; - public static final long CKM_MD2_KEY_DERIVATION = 0x00000391L; - public static final long CKM_SHA1_KEY_DERIVATION = 0x00000392L; - - // v2.20 - public static final long CKM_SHA256_KEY_DERIVATION = 0x00000393L; - public static final long CKM_SHA384_KEY_DERIVATION = 0x00000394L; - public static final long CKM_SHA512_KEY_DERIVATION = 0x00000395L; - - public static final long CKM_PBE_MD2_DES_CBC = 0x000003A0L; - public static final long CKM_PBE_MD5_DES_CBC = 0x000003A1L; - public static final long CKM_PBE_MD5_CAST_CBC = 0x000003A2L; - public static final long CKM_PBE_MD5_CAST3_CBC = 0x000003A3L; - public static final long CKM_PBE_MD5_CAST5_CBC = 0x000003A4L; - public static final long CKM_PBE_MD5_CAST128_CBC = 0x000003A4L; - public static final long CKM_PBE_SHA1_CAST5_CBC = 0x000003A5L; - public static final long CKM_PBE_SHA1_CAST128_CBC = 0x000003A5L; - public static final long CKM_PBE_SHA1_RC4_128 = 0x000003A6L; - public static final long CKM_PBE_SHA1_RC4_40 = 0x000003A7L; - public static final long CKM_PBE_SHA1_DES3_EDE_CBC = 0x000003A8L; - public static final long CKM_PBE_SHA1_DES2_EDE_CBC = 0x000003A9L; - public static final long CKM_PBE_SHA1_RC2_128_CBC = 0x000003AAL; - public static final long CKM_PBE_SHA1_RC2_40_CBC = 0x000003ABL; - - /* CKM_PKCS5_PBKD2 is new for v2.10 */ - public static final long CKM_PKCS5_PBKD2 = 0x000003B0L; - - public static final long CKM_PBA_SHA1_WITH_SHA1_HMAC = 0x000003C0L; - public static final long CKM_KEY_WRAP_LYNKS = 0x00000400L; - public static final long CKM_KEY_WRAP_SET_OAEP = 0x00000401L; - - /* Fortezza mechanisms */ - public static final long CKM_SKIPJACK_KEY_GEN = 0x00001000L; - public static final long CKM_SKIPJACK_ECB64 = 0x00001001L; - public static final long CKM_SKIPJACK_CBC64 = 0x00001002L; - public static final long CKM_SKIPJACK_OFB64 = 0x00001003L; - public static final long CKM_SKIPJACK_CFB64 = 0x00001004L; - public static final long CKM_SKIPJACK_CFB32 = 0x00001005L; - public static final long CKM_SKIPJACK_CFB16 = 0x00001006L; - public static final long CKM_SKIPJACK_CFB8 = 0x00001007L; - public static final long CKM_SKIPJACK_WRAP = 0x00001008L; - public static final long CKM_SKIPJACK_PRIVATE_WRAP = 0x00001009L; - public static final long CKM_SKIPJACK_RELAYX = 0x0000100AL; - public static final long CKM_KEA_KEY_PAIR_GEN = 0x00001010L; - public static final long CKM_KEA_KEY_DERIVE = 0x00001011L; - public static final long CKM_FORTEZZA_TIMESTAMP = 0x00001020L; - public static final long CKM_BATON_KEY_GEN = 0x00001030L; - public static final long CKM_BATON_ECB128 = 0x00001031L; - public static final long CKM_BATON_ECB96 = 0x00001032L; - public static final long CKM_BATON_CBC128 = 0x00001033L; - public static final long CKM_BATON_COUNTER = 0x00001034L; - public static final long CKM_BATON_SHUFFLE = 0x00001035L; - public static final long CKM_BATON_WRAP = 0x00001036L; - - /* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, - * CKM_EC_KEY_PAIR_GEN is preferred */ - public static final long CKM_ECDSA_KEY_PAIR_GEN = 0x00001040L; - public static final long CKM_EC_KEY_PAIR_GEN = 0x00001040L; - - public static final long CKM_ECDSA = 0x00001041L; - public static final long CKM_ECDSA_SHA1 = 0x00001042L; - - /* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE - * are new for v2.11 */ - public static final long CKM_ECDH1_DERIVE = 0x00001050L; - public static final long CKM_ECDH1_COFACTOR_DERIVE = 0x00001051L; - public static final long CKM_ECMQV_DERIVE = 0x00001052L; - - public static final long CKM_JUNIPER_KEY_GEN = 0x00001060L; - public static final long CKM_JUNIPER_ECB128 = 0x00001061L; - public static final long CKM_JUNIPER_CBC128 = 0x00001062L; - public static final long CKM_JUNIPER_COUNTER = 0x00001063L; - public static final long CKM_JUNIPER_SHUFFLE = 0x00001064L; - public static final long CKM_JUNIPER_WRAP = 0x00001065L; - public static final long CKM_FASTHASH = 0x00001070L; - - /* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC, - * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN, - * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are - * new for v2.11 */ - public static final long CKM_AES_KEY_GEN = 0x00001080L; - public static final long CKM_AES_ECB = 0x00001081L; - public static final long CKM_AES_CBC = 0x00001082L; - public static final long CKM_AES_MAC = 0x00001083L; - public static final long CKM_AES_MAC_GENERAL = 0x00001084L; - public static final long CKM_AES_CBC_PAD = 0x00001085L; - // v2.20 - public static final long CKM_BLOWFISH_KEY_GEN = 0x00001090L; - public static final long CKM_BLOWFISH_CBC = 0x00001091L; - public static final long CKM_DSA_PARAMETER_GEN = 0x00002000L; - public static final long CKM_DH_PKCS_PARAMETER_GEN = 0x00002001L; - public static final long CKM_X9_42_DH_PARAMETER_GEN = 0x00002002L; - - public static final long CKM_VENDOR_DEFINED = 0x80000000L; - - // new for v2.20 amendment 3 - public static final long CKM_SHA224 = 0x00000255L; - public static final long CKM_SHA224_HMAC = 0x00000256L; - public static final long CKM_SHA224_HMAC_GENERAL = 0x00000257L; - public static final long CKM_SHA224_KEY_DERIVATION = 0x00000396L; - public static final long CKM_SHA224_RSA_PKCS = 0x00000046L; - public static final long CKM_SHA224_RSA_PKCS_PSS = 0x00000047L; - public static final long CKM_AES_CTR = 0x00001086L; - /* - public static final long CKM_CAMELLIA_KEY_GEN = 0x00000550L; - public static final long CKM_CAMELLIA_ECB = 0x00000551L; - public static final long CKM_CAMELLIA_CBC = 0x00000552L; - public static final long CKM_CAMELLIA_MAC = 0x00000553L; - public static final long CKM_CAMELLIA_MAC_GENERAL = 0x00000554L; - public static final long CKM_CAMELLIA_CBC_PAD = 0x00000555L; - public static final long CKM_CAMELLIA_ECB_ENCRYPT_DATA = 0x00000556L; - public static final long CKM_CAMELLIA_CBC_ENCRYPT_DATA = 0x00000557L; - public static final long CKM_CAMELLIA_CTR = 0x00000558L; - public static final long CKM_ARIA_KEY_GEN = 0x00000560L; - public static final long CKM_ARIA_ECB = 0x00000561L; - public static final long CKM_ARIA_CBC = 0x00000562L; - public static final long CKM_ARIA_MAC = 0x00000563L; - public static final long CKM_ARIA_MAC_GENERAL = 0x00000564L; - public static final long CKM_ARIA_CBC_PAD = 0x00000565L; - public static final long CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566L; - public static final long CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567L; - */ - - // NSS private - public static final long CKM_NSS_TLS_PRF_GENERAL = 0x80000373L; - - // ids for our pseudo mechanisms SecureRandom and KeyStore - public static final long PCKM_SECURERANDOM = 0x7FFFFF20L; - public static final long PCKM_KEYSTORE = 0x7FFFFF21L; - - /* The flags are defined as follows: - * Bit Flag Mask Meaning */ - /* performed by HW */ - public static final long CKF_HW = 0x00000001L; - - /* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN, - * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER, - * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP, - * and CKF_DERIVE are new for v2.0. They specify whether or not - * a mechanism can be used for a particular task */ - public static final long CKF_ENCRYPT = 0x00000100L; - public static final long CKF_DECRYPT = 0x00000200L; - public static final long CKF_DIGEST = 0x00000400L; - public static final long CKF_SIGN = 0x00000800L; - public static final long CKF_SIGN_RECOVER = 0x00001000L; - public static final long CKF_VERIFY = 0x00002000L; - public static final long CKF_VERIFY_RECOVER = 0x00004000L; - public static final long CKF_GENERATE = 0x00008000L; - public static final long CKF_GENERATE_KEY_PAIR = 0x00010000L; - public static final long CKF_WRAP = 0x00020000L; - public static final long CKF_UNWRAP = 0x00040000L; - public static final long CKF_DERIVE = 0x00080000L; - - /* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE, - * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They - * describe a token's EC capabilities not available in mechanism - * information. */ - public static final long CKF_EC_F_P = 0x00100000L; - public static final long CKF_EC_F_2M = 0x00200000L; - public static final long CKF_EC_ECPARAMETERS = 0x00400000L; - public static final long CKF_EC_NAMEDCURVE = 0x00800000L; - public static final long CKF_EC_UNCOMPRESS = 0x01000000L; - public static final long CKF_EC_COMPRESS = 0x02000000L; - - /* FALSE for 2.01 */ - public static final long CKF_EXTENSION = 0x80000000L; - - - /* CK_RV is a value that identifies the return value of a - * Cryptoki function */ - /* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */ - public static final long CKR_OK = 0x00000000L; - public static final long CKR_CANCEL = 0x00000001L; - public static final long CKR_HOST_MEMORY = 0x00000002L; - public static final long CKR_SLOT_ID_INVALID = 0x00000003L; - - /* CKR_FLAGS_INVALID was removed for v2.0 */ - - /* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */ - public static final long CKR_GENERAL_ERROR = 0x00000005L; - public static final long CKR_FUNCTION_FAILED = 0x00000006L; - - /* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS, - * and CKR_CANT_LOCK are new for v2.01 */ - public static final long CKR_ARGUMENTS_BAD = 0x00000007L; - public static final long CKR_NO_EVENT = 0x00000008L; - public static final long CKR_NEED_TO_CREATE_THREADS = 0x00000009L; - public static final long CKR_CANT_LOCK = 0x0000000AL; - - public static final long CKR_ATTRIBUTE_READ_ONLY = 0x00000010L; - public static final long CKR_ATTRIBUTE_SENSITIVE = 0x00000011L; - public static final long CKR_ATTRIBUTE_TYPE_INVALID = 0x00000012L; - public static final long CKR_ATTRIBUTE_VALUE_INVALID = 0x00000013L; - public static final long CKR_DATA_INVALID = 0x00000020L; - public static final long CKR_DATA_LEN_RANGE = 0x00000021L; - public static final long CKR_DEVICE_ERROR = 0x00000030L; - public static final long CKR_DEVICE_MEMORY = 0x00000031L; - public static final long CKR_DEVICE_REMOVED = 0x00000032L; - public static final long CKR_ENCRYPTED_DATA_INVALID = 0x00000040L; - public static final long CKR_ENCRYPTED_DATA_LEN_RANGE = 0x00000041L; - public static final long CKR_FUNCTION_CANCELED = 0x00000050L; - public static final long CKR_FUNCTION_NOT_PARALLEL = 0x00000051L; - - /* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */ - public static final long CKR_FUNCTION_NOT_SUPPORTED = 0x00000054L; - - public static final long CKR_KEY_HANDLE_INVALID = 0x00000060L; - - /* CKR_KEY_SENSITIVE was removed for v2.0 */ - - public static final long CKR_KEY_SIZE_RANGE = 0x00000062L; - public static final long CKR_KEY_TYPE_INCONSISTENT = 0x00000063L; - - /* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED, - * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED, - * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for - * v2.0 */ - public static final long CKR_KEY_NOT_NEEDED = 0x00000064L; - public static final long CKR_KEY_CHANGED = 0x00000065L; - public static final long CKR_KEY_NEEDED = 0x00000066L; - public static final long CKR_KEY_INDIGESTIBLE = 0x00000067L; - public static final long CKR_KEY_FUNCTION_NOT_PERMITTED = 0x00000068L; - public static final long CKR_KEY_NOT_WRAPPABLE = 0x00000069L; - public static final long CKR_KEY_UNEXTRACTABLE = 0x0000006AL; - - public static final long CKR_MECHANISM_INVALID = 0x00000070L; - public static final long CKR_MECHANISM_PARAM_INVALID = 0x00000071L; - - /* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID - * were removed for v2.0 */ - public static final long CKR_OBJECT_HANDLE_INVALID = 0x00000082L; - public static final long CKR_OPERATION_ACTIVE = 0x00000090L; - public static final long CKR_OPERATION_NOT_INITIALIZED = 0x00000091L; - public static final long CKR_PIN_INCORRECT = 0x000000A0L; - public static final long CKR_PIN_INVALID = 0x000000A1L; - public static final long CKR_PIN_LEN_RANGE = 0x000000A2L; - - /* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */ - public static final long CKR_PIN_EXPIRED = 0x000000A3L; - public static final long CKR_PIN_LOCKED = 0x000000A4L; - - public static final long CKR_SESSION_CLOSED = 0x000000B0L; - public static final long CKR_SESSION_COUNT = 0x000000B1L; - public static final long CKR_SESSION_HANDLE_INVALID = 0x000000B3L; - public static final long CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x000000B4L; - public static final long CKR_SESSION_READ_ONLY = 0x000000B5L; - public static final long CKR_SESSION_EXISTS = 0x000000B6L; - - /* CKR_SESSION_READ_ONLY_EXISTS and - * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */ - public static final long CKR_SESSION_READ_ONLY_EXISTS = 0x000000B7L; - public static final long CKR_SESSION_READ_WRITE_SO_EXISTS = 0x000000B8L; - - public static final long CKR_SIGNATURE_INVALID = 0x000000C0L; - public static final long CKR_SIGNATURE_LEN_RANGE = 0x000000C1L; - public static final long CKR_TEMPLATE_INCOMPLETE = 0x000000D0L; - public static final long CKR_TEMPLATE_INCONSISTENT = 0x000000D1L; - public static final long CKR_TOKEN_NOT_PRESENT = 0x000000E0L; - public static final long CKR_TOKEN_NOT_RECOGNIZED = 0x000000E1L; - public static final long CKR_TOKEN_WRITE_PROTECTED = 0x000000E2L; - public static final long CKR_UNWRAPPING_KEY_HANDLE_INVALID = 0x000000F0L; - public static final long CKR_UNWRAPPING_KEY_SIZE_RANGE = 0x000000F1L; - public static final long CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT = 0x000000F2L; - public static final long CKR_USER_ALREADY_LOGGED_IN = 0x00000100L; - public static final long CKR_USER_NOT_LOGGED_IN = 0x00000101L; - public static final long CKR_USER_PIN_NOT_INITIALIZED = 0x00000102L; - public static final long CKR_USER_TYPE_INVALID = 0x00000103L; - - /* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES - * are new to v2.01 */ - public static final long CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x00000104L; - public static final long CKR_USER_TOO_MANY_TYPES = 0x00000105L; - - public static final long CKR_WRAPPED_KEY_INVALID = 0x00000110L; - public static final long CKR_WRAPPED_KEY_LEN_RANGE = 0x00000112L; - public static final long CKR_WRAPPING_KEY_HANDLE_INVALID = 0x00000113L; - public static final long CKR_WRAPPING_KEY_SIZE_RANGE = 0x00000114L; - public static final long CKR_WRAPPING_KEY_TYPE_INCONSISTENT = 0x00000115L; - public static final long CKR_RANDOM_SEED_NOT_SUPPORTED = 0x00000120L; - - /* These are new to v2.0 */ - public static final long CKR_RANDOM_NO_RNG = 0x00000121L; - - /* These are new to v2.11 */ - public static final long CKR_DOMAIN_PARAMS_INVALID = 0x00000130L; - - /* These are new to v2.0 */ - public static final long CKR_BUFFER_TOO_SMALL = 0x00000150L; - public static final long CKR_SAVED_STATE_INVALID = 0x00000160L; - public static final long CKR_INFORMATION_SENSITIVE = 0x00000170L; - public static final long CKR_STATE_UNSAVEABLE = 0x00000180L; - - /* These are new to v2.01 */ - public static final long CKR_CRYPTOKI_NOT_INITIALIZED = 0x00000190L; - public static final long CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x00000191L; - public static final long CKR_MUTEX_BAD = 0x000001A0L; - public static final long CKR_MUTEX_NOT_LOCKED = 0x000001A1L; - - public static final long CKR_VENDOR_DEFINED = 0x80000000L; - - - /* flags: bit flags that provide capabilities of the slot - * Bit Flag = Mask - */ - public static final long CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001L; - public static final long CKF_OS_LOCKING_OK = 0x00000002L; - - - /* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ - public static final long CKF_DONT_BLOCK = 1L; - - - /* The following MGFs are defined */ - public static final long CKG_MGF1_SHA1 = 0x00000001L; - // new for v2.20 amendment 3 - public static final long CKG_MGF1_SHA224 = 0x00000005L; - - /* The following encoding parameter sources are defined */ - public static final long CKZ_DATA_SPECIFIED = 0x00000001L; - - - /* The following PRFs are defined in PKCS #5 v2.0. */ - public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L; - - - /* The following salt value sources are defined in PKCS #5 v2.0. */ - public static final long CKZ_SALT_SPECIFIED = 0x00000001L; - - /* the following EC Key Derivation Functions are defined */ - public static final long CKD_NULL = 0x00000001L; - public static final long CKD_SHA1_KDF = 0x00000002L; - - /* the following X9.42 Diffie-Hellman Key Derivation Functions are defined */ - public static final long CKD_SHA1_KDF_ASN1 = 0x00000003L; - public static final long CKD_SHA1_KDF_CONCATENATE = 0x00000004L; - - - // private NSS attribute (for DSA and DH private keys) - public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L; - - // base number of NSS private attributes - public static final long CKA_NETSCAPE_BASE = 0x80000000L + 0x4E534350L; - - // object type for NSS trust - public static final long CKO_NETSCAPE_TRUST = CKA_NETSCAPE_BASE + 3; - - // base number for NSS trust attributes - public static final long CKA_NETSCAPE_TRUST_BASE = CKA_NETSCAPE_BASE + 0x2000; - - // attributes for NSS trust - public static final long CKA_NETSCAPE_TRUST_SERVER_AUTH = CKA_NETSCAPE_TRUST_BASE + 8; - public static final long CKA_NETSCAPE_TRUST_CLIENT_AUTH = CKA_NETSCAPE_TRUST_BASE + 9; - public static final long CKA_NETSCAPE_TRUST_CODE_SIGNING = CKA_NETSCAPE_TRUST_BASE + 10; - public static final long CKA_NETSCAPE_TRUST_EMAIL_PROTECTION = CKA_NETSCAPE_TRUST_BASE + 11; - public static final long CKA_NETSCAPE_CERT_SHA1_HASH = CKA_NETSCAPE_TRUST_BASE + 100; - public static final long CKA_NETSCAPE_CERT_MD5_HASH = CKA_NETSCAPE_TRUST_BASE + 101; - - // trust values for each of the NSS trust attributes - public static final long CKT_NETSCAPE_TRUSTED = CKA_NETSCAPE_BASE + 1; - public static final long CKT_NETSCAPE_TRUSTED_DELEGATOR = CKA_NETSCAPE_BASE + 2; - public static final long CKT_NETSCAPE_UNTRUSTED = CKA_NETSCAPE_BASE + 3; - public static final long CKT_NETSCAPE_MUST_VERIFY = CKA_NETSCAPE_BASE + 4; - public static final long CKT_NETSCAPE_TRUST_UNKNOWN = CKA_NETSCAPE_BASE + 5; /* default */ - public static final long CKT_NETSCAPE_VALID = CKA_NETSCAPE_BASE + 10; - public static final long CKT_NETSCAPE_VALID_DELEGATOR = CKA_NETSCAPE_BASE + 11; - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java 2017-01-20 09:52:52.750288412 -0800 @@ -0,0 +1,966 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + +/** + * This interface holds constants of the PKCS#11 v2.11 standard. + * This is mainly the content of the 'pkcs11t.h' header file. + * + * Mapping of primitiv data types to Java types: + * 
+ *   TRUE .......................................... true
+ *   FALSE ......................................... false
+ *   CK_BYTE ....................................... byte
+ *   CK_CHAR ....................................... char
+ *   CK_UTF8CHAR ................................... char
+ *   CK_BBOOL ...................................... boolean
+ *   CK_ULONG ...................................... long
+ *   CK_LONG ....................................... long
+ *   CK_FLAGS ...................................... long
+ *   CK_NOTIFICATION ............................... long
+ *   CK_SLOT_ID .................................... long
+ *   CK_SESSION_HANDLE ............................. long
+ *   CK_USER_TYPE .................................. long
+ *   CK_SESSION_HANDLE ............................. long
+ *   CK_STATE ...................................... long
+ *   CK_OBJECT_HANDLE .............................. long
+ *   CK_OBJECT_CLASS ............................... long
+ *   CK_HW_FEATURE_TYPE ............................ long
+ *   CK_KEY_TYPE ................................... long
+ *   CK_CERTIFICATE_TYPE ........................... long
+ *   CK_ATTRIBUTE_TYPE ............................. long
+ *   CK_VOID_PTR ................................... Object[]
+ *   CK_BYTE_PTR ................................... byte[]
+ *   CK_CHAR_PTR ................................... char[]
+ *   CK_UTF8CHAR_PTR ............................... char[]
+ *   CK_MECHANISM_TYPE ............................. long
+ *   CK_RV ......................................... long
+ *   CK_RSA_PKCS_OAEP_MGF_TYPE ..................... long
+ *   CK_RSA_PKCS_OAEP_SOURCE_TYPE .................. long
+ *   CK_RC2_PARAMS ................................. long
+ *   CK_MAC_GENERAL_PARAMS ......................... long
+ *   CK_EXTRACT_PARAMS ............................. long
+ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE .... long
+ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE .............. long
+ *   CK_EC_KDF_TYPE ................................ long
+ *   CK_X9_42_DH_KDF_TYPE .......................... long
+ *
+ * + * @author Karl Scheibelhofer + * @invariants + */ +public interface PKCS11Constants { + + public static final boolean TRUE = true; + + public static final boolean FALSE = false; + + public static final Object NULL_PTR = null; + + /* some special values for certain CK_ULONG variables */ + + // Cryptoki defines CK_UNAVAILABLE_INFORMATION as (~0UL) + // This means it is 0xffffffff in ILP32/LLP64 but 0xffffffffffffffff in LP64. + // To avoid these differences on the Java side, the native code treats + // CK_UNAVAILABLE_INFORMATION specially and always returns (long)-1 for it. + // See ckULongSpecialToJLong() in pkcs11wrapper.h + public static final long CK_UNAVAILABLE_INFORMATION = -1; + public static final long CK_EFFECTIVELY_INFINITE = 0L; + + /* The following value is always invalid if used as a session */ + /* handle or object handle */ + public static final long CK_INVALID_HANDLE = 0L; + + /* CK_NOTIFICATION enumerates the types of notifications that + * Cryptoki provides to an application */ + /* CK_NOTIFICATION has been changed from an enum to a CK_ULONG + * for v2.0 */ + public static final long CKN_SURRENDER = 0L; + + /* flags: bit flags that provide capabilities of the slot + * Bit Flag Mask Meaning + */ + public static final long CKF_TOKEN_PRESENT = 0x00000001L; + public static final long CKF_REMOVABLE_DEVICE = 0x00000002L; + public static final long CKF_HW_SLOT = 0x00000004L; + + /* The flags parameter is defined as follows: + * Bit Flag Mask Meaning + */ + /* has random # generator */ + public static final long CKF_RNG = 0x00000001L; + + /* token is write-protected */ + public static final long CKF_WRITE_PROTECTED = 0x00000002L; + + /* user must login */ + public static final long CKF_LOGIN_REQUIRED = 0x00000004L; + + /* normal user's PIN is set */ + public static final long CKF_USER_PIN_INITIALIZED = 0x00000008L; + + /* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set, + * that means that *every* time the state of cryptographic + * operations of a session is successfully saved, all keys + * needed to continue those operations are stored in the state */ + public static final long CKF_RESTORE_KEY_NOT_NEEDED = 0x00000020L; + + /* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means + * that the token has some sort of clock. The time on that + * clock is returned in the token info structure */ + public static final long CKF_CLOCK_ON_TOKEN = 0x00000040L; + + /* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is + * set, that means that there is some way for the user to login + * without sending a PIN through the Cryptoki library itself */ + public static final long CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100L; + + /* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true, + * that means that a single session with the token can perform + * dual simultaneous cryptographic operations (digest and + * encrypt; decrypt and digest; sign and encrypt; and decrypt + * and sign) */ + public static final long CKF_DUAL_CRYPTO_OPERATIONS = 0x00000200L; + + /* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the + * token has been initialized using C_InitializeToken or an + * equivalent mechanism outside the scope of PKCS #11. + * Calling C_InitializeToken when this flag is set will cause + * the token to be reinitialized. */ + public static final long CKF_TOKEN_INITIALIZED = 0x00000400L; + + /* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is + * true, the token supports secondary authentication for + * private key objects. */ + public static final long CKF_SECONDARY_AUTHENTICATION = 0x00000800L; + + /* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an + * incorrect user login PIN has been entered at least once + * since the last successful authentication. */ + public static final long CKF_USER_PIN_COUNT_LOW = 0x00010000L; + + /* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true, + * supplying an incorrect user PIN will it to become locked. */ + public static final long CKF_USER_PIN_FINAL_TRY = 0x00020000L; + + /* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the + * user PIN has been locked. User login to the token is not + * possible. */ + public static final long CKF_USER_PIN_LOCKED = 0x00040000L; + + /* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, + * the user PIN value is the default value set by token + * initialization or manufacturing. */ + public static final long CKF_USER_PIN_TO_BE_CHANGED = 0x00080000L; + + /* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an + * incorrect SO login PIN has been entered at least once since + * the last successful authentication. */ + public static final long CKF_SO_PIN_COUNT_LOW = 0x00100000L; + + /* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true, + * supplying an incorrect SO PIN will it to become locked. */ + public static final long CKF_SO_PIN_FINAL_TRY = 0x00200000L; + + /* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO + * PIN has been locked. SO login to the token is not possible. + */ + public static final long CKF_SO_PIN_LOCKED = 0x00400000L; + + /* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, + * the SO PIN value is the default value set by token + * initialization or manufacturing. */ + public static final long CKF_SO_PIN_TO_BE_CHANGED = 0x00800000L; + + + /* CK_USER_TYPE enumerates the types of Cryptoki users */ + /* CK_USER_TYPE has been changed from an enum to a CK_ULONG for + * v2.0 */ + /* Security Officer */ + public static final long CKU_SO = 0L; + /* Normal user */ + public static final long CKU_USER = 1L; + + /* CK_STATE enumerates the session states */ + /* CK_STATE has been changed from an enum to a CK_ULONG for + * v2.0 */ + public static final long CKS_RO_PUBLIC_SESSION = 0L; + public static final long CKS_RO_USER_FUNCTIONS = 1L; + public static final long CKS_RW_PUBLIC_SESSION = 2L; + public static final long CKS_RW_USER_FUNCTIONS = 3L; + public static final long CKS_RW_SO_FUNCTIONS = 4L; + + + /* The flags are defined in the following table: + * Bit Flag Mask Meaning + */ + /* session is r/w */ + public static final long CKF_RW_SESSION = 0x00000002L; + /* no parallel */ + public static final long CKF_SERIAL_SESSION = 0x00000004L; + + + /* The following classes of objects are defined: */ + /* CKO_HW_FEATURE is new for v2.10 */ + /* CKO_DOMAIN_PARAMETERS is new for v2.11 */ + public static final long CKO_DATA = 0x00000000L; + public static final long CKO_CERTIFICATE = 0x00000001L; + public static final long CKO_PUBLIC_KEY = 0x00000002L; + public static final long CKO_PRIVATE_KEY = 0x00000003L; + public static final long CKO_SECRET_KEY = 0x00000004L; + public static final long CKO_HW_FEATURE = 0x00000005L; + public static final long CKO_DOMAIN_PARAMETERS = 0x00000006L; + public static final long CKO_VENDOR_DEFINED = 0x80000000L; + + // pseudo object class ANY (for template manager) + public static final long PCKO_ANY = 0x7FFFFF23L; + + + /* The following hardware feature types are defined */ + public static final long CKH_MONOTONIC_COUNTER = 0x00000001L; + public static final long CKH_CLOCK = 0x00000002L; + public static final long CKH_VENDOR_DEFINED = 0x80000000L; + + /* the following key types are defined: */ + public static final long CKK_RSA = 0x00000000L; + public static final long CKK_DSA = 0x00000001L; + public static final long CKK_DH = 0x00000002L; + + /* CKK_ECDSA and CKK_KEA are new for v2.0 */ + /* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */ + public static final long CKK_ECDSA = 0x00000003L; + public static final long CKK_EC = 0x00000003L; + public static final long CKK_X9_42_DH = 0x00000004L; + public static final long CKK_KEA = 0x00000005L; + + public static final long CKK_GENERIC_SECRET = 0x00000010L; + public static final long CKK_RC2 = 0x00000011L; + public static final long CKK_RC4 = 0x00000012L; + public static final long CKK_DES = 0x00000013L; + public static final long CKK_DES2 = 0x00000014L; + public static final long CKK_DES3 = 0x00000015L; + + /* all these key types are new for v2.0 */ + public static final long CKK_CAST = 0x00000016L; + public static final long CKK_CAST3 = 0x00000017L; + /* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */ + public static final long CKK_CAST5 = 0x00000018L; + /* CAST128=CAST5 */ + public static final long CKK_CAST128 = 0x00000018L; + public static final long CKK_RC5 = 0x00000019L; + public static final long CKK_IDEA = 0x0000001AL; + public static final long CKK_SKIPJACK = 0x0000001BL; + public static final long CKK_BATON = 0x0000001CL; + public static final long CKK_JUNIPER = 0x0000001DL; + public static final long CKK_CDMF = 0x0000001EL; + public static final long CKK_AES = 0x0000001FL; + // v2.20 + public static final long CKK_BLOWFISH = 0x00000020L; + + public static final long CKK_VENDOR_DEFINED = 0x80000000L; + + // new for v2.20 amendment 3 + //public static final long CKK_CAMELLIA = 0x00000025L; + //public static final long CKK_ARIA = 0x00000026L; + + // pseudo key type ANY (for template manager) + public static final long PCKK_ANY = 0x7FFFFF22L; + + public static final long PCKK_HMAC = 0x7FFFFF23L; + public static final long PCKK_SSLMAC = 0x7FFFFF24L; + public static final long PCKK_TLSPREMASTER = 0x7FFFFF25L; + public static final long PCKK_TLSRSAPREMASTER = 0x7FFFFF26L; + public static final long PCKK_TLSMASTER = 0x7FFFFF27L; + + /* The following certificate types are defined: */ + /* CKC_X_509_ATTR_CERT is new for v2.10 */ + public static final long CKC_X_509 = 0x00000000L; + public static final long CKC_X_509_ATTR_CERT = 0x00000001L; + public static final long CKC_VENDOR_DEFINED = 0x80000000L; + + + /* The following attribute types are defined: */ + public static final long CKA_CLASS = 0x00000000L; + public static final long CKA_TOKEN = 0x00000001L; + public static final long CKA_PRIVATE = 0x00000002L; + public static final long CKA_LABEL = 0x00000003L; + public static final long CKA_APPLICATION = 0x00000010L; + public static final long CKA_VALUE = 0x00000011L; + + /* CKA_OBJECT_ID is new for v2.10 */ + public static final long CKA_OBJECT_ID = 0x00000012L; + + public static final long CKA_CERTIFICATE_TYPE = 0x00000080L; + public static final long CKA_ISSUER = 0x00000081L; + public static final long CKA_SERIAL_NUMBER = 0x00000082L; + + /* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new L; + * for v2.10 */ + public static final long CKA_AC_ISSUER = 0x00000083L; + public static final long CKA_OWNER = 0x00000084L; + public static final long CKA_ATTR_TYPES = 0x00000085L; + + /* CKA_TRUSTED is new for v2.11 */ + public static final long CKA_TRUSTED = 0x00000086L; + + public static final long CKA_KEY_TYPE = 0x00000100L; + public static final long CKA_SUBJECT = 0x00000101L; + public static final long CKA_ID = 0x00000102L; + public static final long CKA_SENSITIVE = 0x00000103L; + public static final long CKA_ENCRYPT = 0x00000104L; + public static final long CKA_DECRYPT = 0x00000105L; + public static final long CKA_WRAP = 0x00000106L; + public static final long CKA_UNWRAP = 0x00000107L; + public static final long CKA_SIGN = 0x00000108L; + public static final long CKA_SIGN_RECOVER = 0x00000109L; + public static final long CKA_VERIFY = 0x0000010AL; + public static final long CKA_VERIFY_RECOVER = 0x0000010BL; + public static final long CKA_DERIVE = 0x0000010CL; + public static final long CKA_START_DATE = 0x00000110L; + public static final long CKA_END_DATE = 0x00000111L; + public static final long CKA_MODULUS = 0x00000120L; + public static final long CKA_MODULUS_BITS = 0x00000121L; + public static final long CKA_PUBLIC_EXPONENT = 0x00000122L; + public static final long CKA_PRIVATE_EXPONENT = 0x00000123L; + public static final long CKA_PRIME_1 = 0x00000124L; + public static final long CKA_PRIME_2 = 0x00000125L; + public static final long CKA_EXPONENT_1 = 0x00000126L; + public static final long CKA_EXPONENT_2 = 0x00000127L; + public static final long CKA_COEFFICIENT = 0x00000128L; + public static final long CKA_PRIME = 0x00000130L; + public static final long CKA_SUBPRIME = 0x00000131L; + public static final long CKA_BASE = 0x00000132L; + + /* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */ + public static final long CKA_PRIME_BITS = 0x00000133L; + public static final long CKA_SUB_PRIME_BITS = 0x00000134L; + + public static final long CKA_VALUE_BITS = 0x00000160L; + public static final long CKA_VALUE_LEN = 0x00000161L; + + /* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE, + * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS, + * and CKA_EC_POINT are new for v2.0 */ + public static final long CKA_EXTRACTABLE = 0x00000162L; + public static final long CKA_LOCAL = 0x00000163L; + public static final long CKA_NEVER_EXTRACTABLE = 0x00000164L; + public static final long CKA_ALWAYS_SENSITIVE = 0x00000165L; + + /* CKA_KEY_GEN_MECHANISM is new for v2.11 */ + public static final long CKA_KEY_GEN_MECHANISM = 0x00000166L; + + public static final long CKA_MODIFIABLE = 0x00000170L; + + /* CKA_ECDSA_PARAMS is deprecated in v2.11, + * CKA_EC_PARAMS is preferred. */ + public static final long CKA_ECDSA_PARAMS = 0x00000180L; + public static final long CKA_EC_PARAMS = 0x00000180L; + public static final long CKA_EC_POINT = 0x00000181L; + + /* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, + * CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET + * are new for v2.10 */ + public static final long CKA_SECONDARY_AUTH = 0x00000200L; + public static final long CKA_AUTH_PIN_FLAGS = 0x00000201L; + public static final long CKA_HW_FEATURE_TYPE = 0x00000300L; + public static final long CKA_RESET_ON_INIT = 0x00000301L; + public static final long CKA_HAS_RESET = 0x00000302L; + + public static final long CKA_VENDOR_DEFINED = 0x80000000L; + + /* the following mechanism types are defined: */ + public static final long CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000L; + public static final long CKM_RSA_PKCS = 0x00000001L; + public static final long CKM_RSA_9796 = 0x00000002L; + public static final long CKM_RSA_X_509 = 0x00000003L; + + /* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS + * are new for v2.0. They are mechanisms which hash and sign */ + public static final long CKM_MD2_RSA_PKCS = 0x00000004L; + public static final long CKM_MD5_RSA_PKCS = 0x00000005L; + public static final long CKM_SHA1_RSA_PKCS = 0x00000006L; + + /* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and + * CKM_RSA_PKCS_OAEP are new for v2.10 */ + public static final long CKM_RIPEMD128_RSA_PKCS = 0x00000007L; + public static final long CKM_RIPEMD160_RSA_PKCS = 0x00000008L; + public static final long CKM_RSA_PKCS_OAEP = 0x00000009L; + + /* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31, + * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */ + public static final long CKM_RSA_X9_31_KEY_PAIR_GEN = 0x0000000AL; + public static final long CKM_RSA_X9_31 = 0x0000000BL; + public static final long CKM_SHA1_RSA_X9_31 = 0x0000000CL; + public static final long CKM_RSA_PKCS_PSS = 0x0000000DL; + public static final long CKM_SHA1_RSA_PKCS_PSS = 0x0000000EL; + + public static final long CKM_DSA_KEY_PAIR_GEN = 0x00000010L; + public static final long CKM_DSA = 0x00000011L; + public static final long CKM_DSA_SHA1 = 0x00000012L; + public static final long CKM_DH_PKCS_KEY_PAIR_GEN = 0x00000020L; + public static final long CKM_DH_PKCS_DERIVE = 0x00000021L; + + /* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE, + * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for + * v2.11 */ + public static final long CKM_X9_42_DH_KEY_PAIR_GEN = 0x00000030L; + public static final long CKM_X9_42_DH_DERIVE = 0x00000031L; + public static final long CKM_X9_42_DH_HYBRID_DERIVE = 0x00000032L; + public static final long CKM_X9_42_MQV_DERIVE = 0x00000033L; + + // v2.20 + public static final long CKM_SHA256_RSA_PKCS = 0x00000040L; + public static final long CKM_SHA384_RSA_PKCS = 0x00000041L; + public static final long CKM_SHA512_RSA_PKCS = 0x00000042L; + + public static final long CKM_RC2_KEY_GEN = 0x00000100L; + public static final long CKM_RC2_ECB = 0x00000101L; + public static final long CKM_RC2_CBC = 0x00000102L; + public static final long CKM_RC2_MAC = 0x00000103L; + + /* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */ + public static final long CKM_RC2_MAC_GENERAL = 0x00000104L; + public static final long CKM_RC2_CBC_PAD = 0x00000105L; + + public static final long CKM_RC4_KEY_GEN = 0x00000110L; + public static final long CKM_RC4 = 0x00000111L; + public static final long CKM_DES_KEY_GEN = 0x00000120L; + public static final long CKM_DES_ECB = 0x00000121L; + public static final long CKM_DES_CBC = 0x00000122L; + public static final long CKM_DES_MAC = 0x00000123L; + + /* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */ + public static final long CKM_DES_MAC_GENERAL = 0x00000124L; + public static final long CKM_DES_CBC_PAD = 0x00000125L; + + public static final long CKM_DES2_KEY_GEN = 0x00000130L; + public static final long CKM_DES3_KEY_GEN = 0x00000131L; + public static final long CKM_DES3_ECB = 0x00000132L; + public static final long CKM_DES3_CBC = 0x00000133L; + public static final long CKM_DES3_MAC = 0x00000134L; + + /* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN, + * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC, + * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */ + public static final long CKM_DES3_MAC_GENERAL = 0x00000135L; + public static final long CKM_DES3_CBC_PAD = 0x00000136L; + public static final long CKM_CDMF_KEY_GEN = 0x00000140L; + public static final long CKM_CDMF_ECB = 0x00000141L; + public static final long CKM_CDMF_CBC = 0x00000142L; + public static final long CKM_CDMF_MAC = 0x00000143L; + public static final long CKM_CDMF_MAC_GENERAL = 0x00000144L; + public static final long CKM_CDMF_CBC_PAD = 0x00000145L; + + public static final long CKM_MD2 = 0x00000200L; + + /* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */ + public static final long CKM_MD2_HMAC = 0x00000201L; + public static final long CKM_MD2_HMAC_GENERAL = 0x00000202L; + + public static final long CKM_MD5 = 0x00000210L; + + /* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */ + public static final long CKM_MD5_HMAC = 0x00000211L; + public static final long CKM_MD5_HMAC_GENERAL = 0x00000212L; + + public static final long CKM_SHA_1 = 0x00000220L; + + /* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */ + public static final long CKM_SHA_1_HMAC = 0x00000221L; + public static final long CKM_SHA_1_HMAC_GENERAL = 0x00000222L; + + /* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, + * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC, + * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */ + public static final long CKM_RIPEMD128 = 0x00000230L; + public static final long CKM_RIPEMD128_HMAC = 0x00000231L; + public static final long CKM_RIPEMD128_HMAC_GENERAL = 0x00000232L; + public static final long CKM_RIPEMD160 = 0x00000240L; + public static final long CKM_RIPEMD160_HMAC = 0x00000241L; + public static final long CKM_RIPEMD160_HMAC_GENERAL = 0x00000242L; + + // v2.20 + public static final long CKM_SHA256 = 0x00000250L; + public static final long CKM_SHA256_HMAC = 0x00000251L; + public static final long CKM_SHA256_HMAC_GENERAL = 0x00000252L; + + public static final long CKM_SHA384 = 0x00000260L; + public static final long CKM_SHA384_HMAC = 0x00000261L; + public static final long CKM_SHA384_HMAC_GENERAL = 0x00000262L; + + public static final long CKM_SHA512 = 0x00000270L; + public static final long CKM_SHA512_HMAC = 0x00000271L; + public static final long CKM_SHA512_HMAC_GENERAL = 0x00000272L; + + /* All of the following mechanisms are new for v2.0 */ + /* Note that CAST128 and CAST5 are the same algorithm */ + public static final long CKM_CAST_KEY_GEN = 0x00000300L; + public static final long CKM_CAST_ECB = 0x00000301L; + public static final long CKM_CAST_CBC = 0x00000302L; + public static final long CKM_CAST_MAC = 0x00000303L; + public static final long CKM_CAST_MAC_GENERAL = 0x00000304L; + public static final long CKM_CAST_CBC_PAD = 0x00000305L; + public static final long CKM_CAST3_KEY_GEN = 0x00000310L; + public static final long CKM_CAST3_ECB = 0x00000311L; + public static final long CKM_CAST3_CBC = 0x00000312L; + public static final long CKM_CAST3_MAC = 0x00000313L; + public static final long CKM_CAST3_MAC_GENERAL = 0x00000314L; + public static final long CKM_CAST3_CBC_PAD = 0x00000315L; + public static final long CKM_CAST5_KEY_GEN = 0x00000320L; + public static final long CKM_CAST128_KEY_GEN = 0x00000320L; + public static final long CKM_CAST5_ECB = 0x00000321L; + public static final long CKM_CAST128_ECB = 0x00000321L; + public static final long CKM_CAST5_CBC = 0x00000322L; + public static final long CKM_CAST128_CBC = 0x00000322L; + public static final long CKM_CAST5_MAC = 0x00000323L; + public static final long CKM_CAST128_MAC = 0x00000323L; + public static final long CKM_CAST5_MAC_GENERAL = 0x00000324L; + public static final long CKM_CAST128_MAC_GENERAL = 0x00000324L; + public static final long CKM_CAST5_CBC_PAD = 0x00000325L; + public static final long CKM_CAST128_CBC_PAD = 0x00000325L; + public static final long CKM_RC5_KEY_GEN = 0x00000330L; + public static final long CKM_RC5_ECB = 0x00000331L; + public static final long CKM_RC5_CBC = 0x00000332L; + public static final long CKM_RC5_MAC = 0x00000333L; + public static final long CKM_RC5_MAC_GENERAL = 0x00000334L; + public static final long CKM_RC5_CBC_PAD = 0x00000335L; + public static final long CKM_IDEA_KEY_GEN = 0x00000340L; + public static final long CKM_IDEA_ECB = 0x00000341L; + public static final long CKM_IDEA_CBC = 0x00000342L; + public static final long CKM_IDEA_MAC = 0x00000343L; + public static final long CKM_IDEA_MAC_GENERAL = 0x00000344L; + public static final long CKM_IDEA_CBC_PAD = 0x00000345L; + public static final long CKM_GENERIC_SECRET_KEY_GEN = 0x00000350L; + public static final long CKM_CONCATENATE_BASE_AND_KEY = 0x00000360L; + public static final long CKM_CONCATENATE_BASE_AND_DATA = 0x00000362L; + public static final long CKM_CONCATENATE_DATA_AND_BASE = 0x00000363L; + public static final long CKM_XOR_BASE_AND_DATA = 0x00000364L; + public static final long CKM_EXTRACT_KEY_FROM_KEY = 0x00000365L; + public static final long CKM_SSL3_PRE_MASTER_KEY_GEN = 0x00000370L; + public static final long CKM_SSL3_MASTER_KEY_DERIVE = 0x00000371L; + public static final long CKM_SSL3_KEY_AND_MAC_DERIVE = 0x00000372L; + + /* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN, + * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and + * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */ + public static final long CKM_SSL3_MASTER_KEY_DERIVE_DH = 0x00000373L; + public static final long CKM_TLS_PRE_MASTER_KEY_GEN = 0x00000374L; + public static final long CKM_TLS_MASTER_KEY_DERIVE = 0x00000375L; + public static final long CKM_TLS_KEY_AND_MAC_DERIVE = 0x00000376L; + public static final long CKM_TLS_MASTER_KEY_DERIVE_DH = 0x00000377L; + public static final long CKM_TLS_PRF = 0x00000378L; + + public static final long CKM_SSL3_MD5_MAC = 0x00000380L; + public static final long CKM_SSL3_SHA1_MAC = 0x00000381L; + public static final long CKM_MD5_KEY_DERIVATION = 0x00000390L; + public static final long CKM_MD2_KEY_DERIVATION = 0x00000391L; + public static final long CKM_SHA1_KEY_DERIVATION = 0x00000392L; + + // v2.20 + public static final long CKM_SHA256_KEY_DERIVATION = 0x00000393L; + public static final long CKM_SHA384_KEY_DERIVATION = 0x00000394L; + public static final long CKM_SHA512_KEY_DERIVATION = 0x00000395L; + + public static final long CKM_PBE_MD2_DES_CBC = 0x000003A0L; + public static final long CKM_PBE_MD5_DES_CBC = 0x000003A1L; + public static final long CKM_PBE_MD5_CAST_CBC = 0x000003A2L; + public static final long CKM_PBE_MD5_CAST3_CBC = 0x000003A3L; + public static final long CKM_PBE_MD5_CAST5_CBC = 0x000003A4L; + public static final long CKM_PBE_MD5_CAST128_CBC = 0x000003A4L; + public static final long CKM_PBE_SHA1_CAST5_CBC = 0x000003A5L; + public static final long CKM_PBE_SHA1_CAST128_CBC = 0x000003A5L; + public static final long CKM_PBE_SHA1_RC4_128 = 0x000003A6L; + public static final long CKM_PBE_SHA1_RC4_40 = 0x000003A7L; + public static final long CKM_PBE_SHA1_DES3_EDE_CBC = 0x000003A8L; + public static final long CKM_PBE_SHA1_DES2_EDE_CBC = 0x000003A9L; + public static final long CKM_PBE_SHA1_RC2_128_CBC = 0x000003AAL; + public static final long CKM_PBE_SHA1_RC2_40_CBC = 0x000003ABL; + + /* CKM_PKCS5_PBKD2 is new for v2.10 */ + public static final long CKM_PKCS5_PBKD2 = 0x000003B0L; + + public static final long CKM_PBA_SHA1_WITH_SHA1_HMAC = 0x000003C0L; + public static final long CKM_KEY_WRAP_LYNKS = 0x00000400L; + public static final long CKM_KEY_WRAP_SET_OAEP = 0x00000401L; + + /* Fortezza mechanisms */ + public static final long CKM_SKIPJACK_KEY_GEN = 0x00001000L; + public static final long CKM_SKIPJACK_ECB64 = 0x00001001L; + public static final long CKM_SKIPJACK_CBC64 = 0x00001002L; + public static final long CKM_SKIPJACK_OFB64 = 0x00001003L; + public static final long CKM_SKIPJACK_CFB64 = 0x00001004L; + public static final long CKM_SKIPJACK_CFB32 = 0x00001005L; + public static final long CKM_SKIPJACK_CFB16 = 0x00001006L; + public static final long CKM_SKIPJACK_CFB8 = 0x00001007L; + public static final long CKM_SKIPJACK_WRAP = 0x00001008L; + public static final long CKM_SKIPJACK_PRIVATE_WRAP = 0x00001009L; + public static final long CKM_SKIPJACK_RELAYX = 0x0000100AL; + public static final long CKM_KEA_KEY_PAIR_GEN = 0x00001010L; + public static final long CKM_KEA_KEY_DERIVE = 0x00001011L; + public static final long CKM_FORTEZZA_TIMESTAMP = 0x00001020L; + public static final long CKM_BATON_KEY_GEN = 0x00001030L; + public static final long CKM_BATON_ECB128 = 0x00001031L; + public static final long CKM_BATON_ECB96 = 0x00001032L; + public static final long CKM_BATON_CBC128 = 0x00001033L; + public static final long CKM_BATON_COUNTER = 0x00001034L; + public static final long CKM_BATON_SHUFFLE = 0x00001035L; + public static final long CKM_BATON_WRAP = 0x00001036L; + + /* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, + * CKM_EC_KEY_PAIR_GEN is preferred */ + public static final long CKM_ECDSA_KEY_PAIR_GEN = 0x00001040L; + public static final long CKM_EC_KEY_PAIR_GEN = 0x00001040L; + + public static final long CKM_ECDSA = 0x00001041L; + public static final long CKM_ECDSA_SHA1 = 0x00001042L; + + /* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE + * are new for v2.11 */ + public static final long CKM_ECDH1_DERIVE = 0x00001050L; + public static final long CKM_ECDH1_COFACTOR_DERIVE = 0x00001051L; + public static final long CKM_ECMQV_DERIVE = 0x00001052L; + + public static final long CKM_JUNIPER_KEY_GEN = 0x00001060L; + public static final long CKM_JUNIPER_ECB128 = 0x00001061L; + public static final long CKM_JUNIPER_CBC128 = 0x00001062L; + public static final long CKM_JUNIPER_COUNTER = 0x00001063L; + public static final long CKM_JUNIPER_SHUFFLE = 0x00001064L; + public static final long CKM_JUNIPER_WRAP = 0x00001065L; + public static final long CKM_FASTHASH = 0x00001070L; + + /* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC, + * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN, + * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are + * new for v2.11 */ + public static final long CKM_AES_KEY_GEN = 0x00001080L; + public static final long CKM_AES_ECB = 0x00001081L; + public static final long CKM_AES_CBC = 0x00001082L; + public static final long CKM_AES_MAC = 0x00001083L; + public static final long CKM_AES_MAC_GENERAL = 0x00001084L; + public static final long CKM_AES_CBC_PAD = 0x00001085L; + // v2.20 + public static final long CKM_BLOWFISH_KEY_GEN = 0x00001090L; + public static final long CKM_BLOWFISH_CBC = 0x00001091L; + public static final long CKM_DSA_PARAMETER_GEN = 0x00002000L; + public static final long CKM_DH_PKCS_PARAMETER_GEN = 0x00002001L; + public static final long CKM_X9_42_DH_PARAMETER_GEN = 0x00002002L; + + public static final long CKM_VENDOR_DEFINED = 0x80000000L; + + // new for v2.20 amendment 3 + public static final long CKM_SHA224 = 0x00000255L; + public static final long CKM_SHA224_HMAC = 0x00000256L; + public static final long CKM_SHA224_HMAC_GENERAL = 0x00000257L; + public static final long CKM_SHA224_KEY_DERIVATION = 0x00000396L; + public static final long CKM_SHA224_RSA_PKCS = 0x00000046L; + public static final long CKM_SHA224_RSA_PKCS_PSS = 0x00000047L; + public static final long CKM_AES_CTR = 0x00001086L; + /* + public static final long CKM_CAMELLIA_KEY_GEN = 0x00000550L; + public static final long CKM_CAMELLIA_ECB = 0x00000551L; + public static final long CKM_CAMELLIA_CBC = 0x00000552L; + public static final long CKM_CAMELLIA_MAC = 0x00000553L; + public static final long CKM_CAMELLIA_MAC_GENERAL = 0x00000554L; + public static final long CKM_CAMELLIA_CBC_PAD = 0x00000555L; + public static final long CKM_CAMELLIA_ECB_ENCRYPT_DATA = 0x00000556L; + public static final long CKM_CAMELLIA_CBC_ENCRYPT_DATA = 0x00000557L; + public static final long CKM_CAMELLIA_CTR = 0x00000558L; + public static final long CKM_ARIA_KEY_GEN = 0x00000560L; + public static final long CKM_ARIA_ECB = 0x00000561L; + public static final long CKM_ARIA_CBC = 0x00000562L; + public static final long CKM_ARIA_MAC = 0x00000563L; + public static final long CKM_ARIA_MAC_GENERAL = 0x00000564L; + public static final long CKM_ARIA_CBC_PAD = 0x00000565L; + public static final long CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566L; + public static final long CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567L; + */ + + // NSS private + public static final long CKM_NSS_TLS_PRF_GENERAL = 0x80000373L; + + // ids for our pseudo mechanisms SecureRandom and KeyStore + public static final long PCKM_SECURERANDOM = 0x7FFFFF20L; + public static final long PCKM_KEYSTORE = 0x7FFFFF21L; + + /* The flags are defined as follows: + * Bit Flag Mask Meaning */ + /* performed by HW */ + public static final long CKF_HW = 0x00000001L; + + /* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN, + * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER, + * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP, + * and CKF_DERIVE are new for v2.0. They specify whether or not + * a mechanism can be used for a particular task */ + public static final long CKF_ENCRYPT = 0x00000100L; + public static final long CKF_DECRYPT = 0x00000200L; + public static final long CKF_DIGEST = 0x00000400L; + public static final long CKF_SIGN = 0x00000800L; + public static final long CKF_SIGN_RECOVER = 0x00001000L; + public static final long CKF_VERIFY = 0x00002000L; + public static final long CKF_VERIFY_RECOVER = 0x00004000L; + public static final long CKF_GENERATE = 0x00008000L; + public static final long CKF_GENERATE_KEY_PAIR = 0x00010000L; + public static final long CKF_WRAP = 0x00020000L; + public static final long CKF_UNWRAP = 0x00040000L; + public static final long CKF_DERIVE = 0x00080000L; + + /* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE, + * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They + * describe a token's EC capabilities not available in mechanism + * information. */ + public static final long CKF_EC_F_P = 0x00100000L; + public static final long CKF_EC_F_2M = 0x00200000L; + public static final long CKF_EC_ECPARAMETERS = 0x00400000L; + public static final long CKF_EC_NAMEDCURVE = 0x00800000L; + public static final long CKF_EC_UNCOMPRESS = 0x01000000L; + public static final long CKF_EC_COMPRESS = 0x02000000L; + + /* FALSE for 2.01 */ + public static final long CKF_EXTENSION = 0x80000000L; + + + /* CK_RV is a value that identifies the return value of a + * Cryptoki function */ + /* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */ + public static final long CKR_OK = 0x00000000L; + public static final long CKR_CANCEL = 0x00000001L; + public static final long CKR_HOST_MEMORY = 0x00000002L; + public static final long CKR_SLOT_ID_INVALID = 0x00000003L; + + /* CKR_FLAGS_INVALID was removed for v2.0 */ + + /* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */ + public static final long CKR_GENERAL_ERROR = 0x00000005L; + public static final long CKR_FUNCTION_FAILED = 0x00000006L; + + /* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS, + * and CKR_CANT_LOCK are new for v2.01 */ + public static final long CKR_ARGUMENTS_BAD = 0x00000007L; + public static final long CKR_NO_EVENT = 0x00000008L; + public static final long CKR_NEED_TO_CREATE_THREADS = 0x00000009L; + public static final long CKR_CANT_LOCK = 0x0000000AL; + + public static final long CKR_ATTRIBUTE_READ_ONLY = 0x00000010L; + public static final long CKR_ATTRIBUTE_SENSITIVE = 0x00000011L; + public static final long CKR_ATTRIBUTE_TYPE_INVALID = 0x00000012L; + public static final long CKR_ATTRIBUTE_VALUE_INVALID = 0x00000013L; + public static final long CKR_DATA_INVALID = 0x00000020L; + public static final long CKR_DATA_LEN_RANGE = 0x00000021L; + public static final long CKR_DEVICE_ERROR = 0x00000030L; + public static final long CKR_DEVICE_MEMORY = 0x00000031L; + public static final long CKR_DEVICE_REMOVED = 0x00000032L; + public static final long CKR_ENCRYPTED_DATA_INVALID = 0x00000040L; + public static final long CKR_ENCRYPTED_DATA_LEN_RANGE = 0x00000041L; + public static final long CKR_FUNCTION_CANCELED = 0x00000050L; + public static final long CKR_FUNCTION_NOT_PARALLEL = 0x00000051L; + + /* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */ + public static final long CKR_FUNCTION_NOT_SUPPORTED = 0x00000054L; + + public static final long CKR_KEY_HANDLE_INVALID = 0x00000060L; + + /* CKR_KEY_SENSITIVE was removed for v2.0 */ + + public static final long CKR_KEY_SIZE_RANGE = 0x00000062L; + public static final long CKR_KEY_TYPE_INCONSISTENT = 0x00000063L; + + /* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED, + * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED, + * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for + * v2.0 */ + public static final long CKR_KEY_NOT_NEEDED = 0x00000064L; + public static final long CKR_KEY_CHANGED = 0x00000065L; + public static final long CKR_KEY_NEEDED = 0x00000066L; + public static final long CKR_KEY_INDIGESTIBLE = 0x00000067L; + public static final long CKR_KEY_FUNCTION_NOT_PERMITTED = 0x00000068L; + public static final long CKR_KEY_NOT_WRAPPABLE = 0x00000069L; + public static final long CKR_KEY_UNEXTRACTABLE = 0x0000006AL; + + public static final long CKR_MECHANISM_INVALID = 0x00000070L; + public static final long CKR_MECHANISM_PARAM_INVALID = 0x00000071L; + + /* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID + * were removed for v2.0 */ + public static final long CKR_OBJECT_HANDLE_INVALID = 0x00000082L; + public static final long CKR_OPERATION_ACTIVE = 0x00000090L; + public static final long CKR_OPERATION_NOT_INITIALIZED = 0x00000091L; + public static final long CKR_PIN_INCORRECT = 0x000000A0L; + public static final long CKR_PIN_INVALID = 0x000000A1L; + public static final long CKR_PIN_LEN_RANGE = 0x000000A2L; + + /* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */ + public static final long CKR_PIN_EXPIRED = 0x000000A3L; + public static final long CKR_PIN_LOCKED = 0x000000A4L; + + public static final long CKR_SESSION_CLOSED = 0x000000B0L; + public static final long CKR_SESSION_COUNT = 0x000000B1L; + public static final long CKR_SESSION_HANDLE_INVALID = 0x000000B3L; + public static final long CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x000000B4L; + public static final long CKR_SESSION_READ_ONLY = 0x000000B5L; + public static final long CKR_SESSION_EXISTS = 0x000000B6L; + + /* CKR_SESSION_READ_ONLY_EXISTS and + * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */ + public static final long CKR_SESSION_READ_ONLY_EXISTS = 0x000000B7L; + public static final long CKR_SESSION_READ_WRITE_SO_EXISTS = 0x000000B8L; + + public static final long CKR_SIGNATURE_INVALID = 0x000000C0L; + public static final long CKR_SIGNATURE_LEN_RANGE = 0x000000C1L; + public static final long CKR_TEMPLATE_INCOMPLETE = 0x000000D0L; + public static final long CKR_TEMPLATE_INCONSISTENT = 0x000000D1L; + public static final long CKR_TOKEN_NOT_PRESENT = 0x000000E0L; + public static final long CKR_TOKEN_NOT_RECOGNIZED = 0x000000E1L; + public static final long CKR_TOKEN_WRITE_PROTECTED = 0x000000E2L; + public static final long CKR_UNWRAPPING_KEY_HANDLE_INVALID = 0x000000F0L; + public static final long CKR_UNWRAPPING_KEY_SIZE_RANGE = 0x000000F1L; + public static final long CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT = 0x000000F2L; + public static final long CKR_USER_ALREADY_LOGGED_IN = 0x00000100L; + public static final long CKR_USER_NOT_LOGGED_IN = 0x00000101L; + public static final long CKR_USER_PIN_NOT_INITIALIZED = 0x00000102L; + public static final long CKR_USER_TYPE_INVALID = 0x00000103L; + + /* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES + * are new to v2.01 */ + public static final long CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x00000104L; + public static final long CKR_USER_TOO_MANY_TYPES = 0x00000105L; + + public static final long CKR_WRAPPED_KEY_INVALID = 0x00000110L; + public static final long CKR_WRAPPED_KEY_LEN_RANGE = 0x00000112L; + public static final long CKR_WRAPPING_KEY_HANDLE_INVALID = 0x00000113L; + public static final long CKR_WRAPPING_KEY_SIZE_RANGE = 0x00000114L; + public static final long CKR_WRAPPING_KEY_TYPE_INCONSISTENT = 0x00000115L; + public static final long CKR_RANDOM_SEED_NOT_SUPPORTED = 0x00000120L; + + /* These are new to v2.0 */ + public static final long CKR_RANDOM_NO_RNG = 0x00000121L; + + /* These are new to v2.11 */ + public static final long CKR_DOMAIN_PARAMS_INVALID = 0x00000130L; + + /* These are new to v2.0 */ + public static final long CKR_BUFFER_TOO_SMALL = 0x00000150L; + public static final long CKR_SAVED_STATE_INVALID = 0x00000160L; + public static final long CKR_INFORMATION_SENSITIVE = 0x00000170L; + public static final long CKR_STATE_UNSAVEABLE = 0x00000180L; + + /* These are new to v2.01 */ + public static final long CKR_CRYPTOKI_NOT_INITIALIZED = 0x00000190L; + public static final long CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x00000191L; + public static final long CKR_MUTEX_BAD = 0x000001A0L; + public static final long CKR_MUTEX_NOT_LOCKED = 0x000001A1L; + + public static final long CKR_VENDOR_DEFINED = 0x80000000L; + + + /* flags: bit flags that provide capabilities of the slot + * Bit Flag = Mask + */ + public static final long CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001L; + public static final long CKF_OS_LOCKING_OK = 0x00000002L; + + + /* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ + public static final long CKF_DONT_BLOCK = 1L; + + + /* The following MGFs are defined */ + public static final long CKG_MGF1_SHA1 = 0x00000001L; + // new for v2.20 amendment 3 + public static final long CKG_MGF1_SHA224 = 0x00000005L; + + /* The following encoding parameter sources are defined */ + public static final long CKZ_DATA_SPECIFIED = 0x00000001L; + + + /* The following PRFs are defined in PKCS #5 v2.0. */ + public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L; + + + /* The following salt value sources are defined in PKCS #5 v2.0. */ + public static final long CKZ_SALT_SPECIFIED = 0x00000001L; + + /* the following EC Key Derivation Functions are defined */ + public static final long CKD_NULL = 0x00000001L; + public static final long CKD_SHA1_KDF = 0x00000002L; + + /* the following X9.42 Diffie-Hellman Key Derivation Functions are defined */ + public static final long CKD_SHA1_KDF_ASN1 = 0x00000003L; + public static final long CKD_SHA1_KDF_CONCATENATE = 0x00000004L; + + + // private NSS attribute (for DSA and DH private keys) + public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L; + + // base number of NSS private attributes + public static final long CKA_NETSCAPE_BASE = 0x80000000L + 0x4E534350L; + + // object type for NSS trust + public static final long CKO_NETSCAPE_TRUST = CKA_NETSCAPE_BASE + 3; + + // base number for NSS trust attributes + public static final long CKA_NETSCAPE_TRUST_BASE = CKA_NETSCAPE_BASE + 0x2000; + + // attributes for NSS trust + public static final long CKA_NETSCAPE_TRUST_SERVER_AUTH = CKA_NETSCAPE_TRUST_BASE + 8; + public static final long CKA_NETSCAPE_TRUST_CLIENT_AUTH = CKA_NETSCAPE_TRUST_BASE + 9; + public static final long CKA_NETSCAPE_TRUST_CODE_SIGNING = CKA_NETSCAPE_TRUST_BASE + 10; + public static final long CKA_NETSCAPE_TRUST_EMAIL_PROTECTION = CKA_NETSCAPE_TRUST_BASE + 11; + public static final long CKA_NETSCAPE_CERT_SHA1_HASH = CKA_NETSCAPE_TRUST_BASE + 100; + public static final long CKA_NETSCAPE_CERT_MD5_HASH = CKA_NETSCAPE_TRUST_BASE + 101; + + // trust values for each of the NSS trust attributes + public static final long CKT_NETSCAPE_TRUSTED = CKA_NETSCAPE_BASE + 1; + public static final long CKT_NETSCAPE_TRUSTED_DELEGATOR = CKA_NETSCAPE_BASE + 2; + public static final long CKT_NETSCAPE_UNTRUSTED = CKA_NETSCAPE_BASE + 3; + public static final long CKT_NETSCAPE_MUST_VERIFY = CKA_NETSCAPE_BASE + 4; + public static final long CKT_NETSCAPE_TRUST_UNKNOWN = CKA_NETSCAPE_BASE + 5; /* default */ + public static final long CKT_NETSCAPE_VALID = CKA_NETSCAPE_BASE + 10; + public static final long CKT_NETSCAPE_VALID_DELEGATOR = CKA_NETSCAPE_BASE + 11; + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java 2017-01-20 09:52:53.374288388 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,296 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - -import java.util.*; - - -/** - * This is the superclass of all checked exceptions used by this package. An - * exception of this class indicates that a function call to the underlying - * PKCS#11 module returned a value not equal to CKR_OK. The application can get - * the returned value by calling getErrorCode(). A return value not equal to - * CKR_OK is the only reason for such an exception to be thrown. - * PKCS#11 defines the meaning of an error-code, which may depend on the - * context in which the error occurs. - * - * @author Karl Scheibelhofer - * @invariants - */ -public class PKCS11Exception extends Exception { - private static final long serialVersionUID = 4877072363729195L; - - /** - * The code of the error which was the reason for this exception. - */ - protected long errorCode_; - - private static final Map errorMap; - - static { - int[] errorCodes = new int[] { - 0x00000000, - 0x00000001, - 0x00000002, - 0x00000003, - 0x00000005, - 0x00000006, - 0x00000007, - 0x00000008, - 0x00000009, - 0x0000000A, - 0x00000010, - 0x00000011, - 0x00000012, - 0x00000013, - 0x00000020, - 0x00000021, - 0x00000030, - 0x00000031, - 0x00000032, - 0x00000040, - 0x00000041, - 0x00000050, - 0x00000051, - 0x00000054, - 0x00000060, - 0x00000062, - 0x00000063, - 0x00000064, - 0x00000065, - 0x00000066, - 0x00000067, - 0x00000068, - 0x00000069, - 0x0000006A, - 0x00000070, - 0x00000071, - 0x00000082, - 0x00000090, - 0x00000091, - 0x000000A0, - 0x000000A1, - 0x000000A2, - 0x000000A3, - 0x000000A4, - 0x000000B0, - 0x000000B1, - 0x000000B3, - 0x000000B4, - 0x000000B5, - 0x000000B6, - 0x000000B7, - 0x000000B8, - 0x000000C0, - 0x000000C1, - 0x000000D0, - 0x000000D1, - 0x000000E0, - 0x000000E1, - 0x000000E2, - 0x000000F0, - 0x000000F1, - 0x000000F2, - 0x00000100, - 0x00000101, - 0x00000102, - 0x00000103, - 0x00000104, - 0x00000105, - 0x00000110, - 0x00000112, - 0x00000113, - 0x00000114, - 0x00000115, - 0x00000120, - 0x00000121, - 0x00000130, - 0x00000150, - 0x00000160, - 0x00000170, - 0x00000180, - 0x00000190, - 0x00000191, - 0x000001A0, - 0x000001A1, - 0x00000200, - 0x80000000, - }; - String[] errorMessages = new String[] { - "CKR_OK", - "CKR_CANCEL", - "CKR_HOST_MEMORY", - "CKR_SLOT_ID_INVALID", - "CKR_GENERAL_ERROR", - "CKR_FUNCTION_FAILED", - "CKR_ARGUMENTS_BAD", - "CKR_NO_EVENT", - "CKR_NEED_TO_CREATE_THREADS", - "CKR_CANT_LOCK", - "CKR_ATTRIBUTE_READ_ONLY", - "CKR_ATTRIBUTE_SENSITIVE", - "CKR_ATTRIBUTE_TYPE_INVALID", - "CKR_ATTRIBUTE_VALUE_INVALID", - "CKR_DATA_INVALID", - "CKR_DATA_LEN_RANGE", - "CKR_DEVICE_ERROR", - "CKR_DEVICE_MEMORY", - "CKR_DEVICE_REMOVED", - "CKR_ENCRYPTED_DATA_INVALID", - "CKR_ENCRYPTED_DATA_LEN_RANGE", - "CKR_FUNCTION_CANCELED", - "CKR_FUNCTION_NOT_PARALLEL", - "CKR_FUNCTION_NOT_SUPPORTED", - "CKR_KEY_HANDLE_INVALID", - "CKR_KEY_SIZE_RANGE", - "CKR_KEY_TYPE_INCONSISTENT", - "CKR_KEY_NOT_NEEDED", - "CKR_KEY_CHANGED", - "CKR_KEY_NEEDED", - "CKR_KEY_INDIGESTIBLE", - "CKR_KEY_FUNCTION_NOT_PERMITTED", - "CKR_KEY_NOT_WRAPPABLE", - "CKR_KEY_UNEXTRACTABLE", - "CKR_MECHANISM_INVALID", - "CKR_MECHANISM_PARAM_INVALID", - "CKR_OBJECT_HANDLE_INVALID", - "CKR_OPERATION_ACTIVE", - "CKR_OPERATION_NOT_INITIALIZED", - "CKR_PIN_INCORRECT", - "CKR_PIN_INVALID", - "CKR_PIN_LEN_RANGE", - "CKR_PIN_EXPIRED", - "CKR_PIN_LOCKED", - "CKR_SESSION_CLOSED", - "CKR_SESSION_COUNT", - "CKR_SESSION_HANDLE_INVALID", - "CKR_SESSION_PARALLEL_NOT_SUPPORTED", - "CKR_SESSION_READ_ONLY", - "CKR_SESSION_EXISTS", - "CKR_SESSION_READ_ONLY_EXISTS", - "CKR_SESSION_READ_WRITE_SO_EXISTS", - "CKR_SIGNATURE_INVALID", - "CKR_SIGNATURE_LEN_RANGE", - "CKR_TEMPLATE_INCOMPLETE", - "CKR_TEMPLATE_INCONSISTENT", - "CKR_TOKEN_NOT_PRESENT", - "CKR_TOKEN_NOT_RECOGNIZED", - "CKR_TOKEN_WRITE_PROTECTED", - "CKR_UNWRAPPING_KEY_HANDLE_INVALID", - "CKR_UNWRAPPING_KEY_SIZE_RANGE", - "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT", - "CKR_USER_ALREADY_LOGGED_IN", - "CKR_USER_NOT_LOGGED_IN", - "CKR_USER_PIN_NOT_INITIALIZED", - "CKR_USER_TYPE_INVALID", - "CKR_USER_ANOTHER_ALREADY_LOGGED_IN", - "CKR_USER_TOO_MANY_TYPES", - "CKR_WRAPPED_KEY_INVALID", - "CKR_WRAPPED_KEY_LEN_RANGE", - "CKR_WRAPPING_KEY_HANDLE_INVALID", - "CKR_WRAPPING_KEY_SIZE_RANGE", - "CKR_WRAPPING_KEY_TYPE_INCONSISTENT", - "CKR_RANDOM_SEED_NOT_SUPPORTED", - "CKR_RANDOM_NO_RNG", - "CKR_DOMAIN_PARAMS_INVALID", - "CKR_BUFFER_TOO_SMALL", - "CKR_SAVED_STATE_INVALID", - "CKR_INFORMATION_SENSITIVE", - "CKR_STATE_UNSAVEABLE", - "CKR_CRYPTOKI_NOT_INITIALIZED", - "CKR_CRYPTOKI_ALREADY_INITIALIZED", - "CKR_MUTEX_BAD", - "CKR_MUTEX_NOT_LOCKED", - "CKR_FUNCTION_REJECTED", - "CKR_VENDOR_DEFINED", - }; - errorMap = new HashMap(); - for (int i = 0; i < errorCodes.length; i++) { - errorMap.put(Long.valueOf(errorCodes[i]), errorMessages[i]); - } - } - - - /** - * Constructor taking the error code as defined for the CKR_* constants - * in PKCS#11. - */ - public PKCS11Exception(long errorCode) { - errorCode_ = errorCode; - } - - /** - * This method gets the corresponding text error message from - * a property file. If this file is not available, it returns the error - * code as a hex-string. - * - * @return The message or the error code; e.g. "CKR_DEVICE_ERROR" or - * "0x00000030". - * @preconditions - * @postconditions (result <> null) - */ - public String getMessage() { - String message = errorMap.get(Long.valueOf(errorCode_)); - if (message == null) { - message = "0x" + Functions.toFullHexString((int)errorCode_); - } - return message; - } - - /** - * Returns the PKCS#11 error code. - * - * @return The error code; e.g. 0x00000030. - * @preconditions - * @postconditions - */ - public long getErrorCode() { - return errorCode_ ; - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java 2017-01-20 09:52:53.158288397 -0800 @@ -0,0 +1,296 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + +import java.util.*; + + +/** + * This is the superclass of all checked exceptions used by this package. An + * exception of this class indicates that a function call to the underlying + * PKCS#11 module returned a value not equal to CKR_OK. The application can get + * the returned value by calling getErrorCode(). A return value not equal to + * CKR_OK is the only reason for such an exception to be thrown. + * PKCS#11 defines the meaning of an error-code, which may depend on the + * context in which the error occurs. + * + * @author Karl Scheibelhofer + * @invariants + */ +public class PKCS11Exception extends Exception { + private static final long serialVersionUID = 4877072363729195L; + + /** + * The code of the error which was the reason for this exception. + */ + protected long errorCode_; + + private static final Map errorMap; + + static { + int[] errorCodes = new int[] { + 0x00000000, + 0x00000001, + 0x00000002, + 0x00000003, + 0x00000005, + 0x00000006, + 0x00000007, + 0x00000008, + 0x00000009, + 0x0000000A, + 0x00000010, + 0x00000011, + 0x00000012, + 0x00000013, + 0x00000020, + 0x00000021, + 0x00000030, + 0x00000031, + 0x00000032, + 0x00000040, + 0x00000041, + 0x00000050, + 0x00000051, + 0x00000054, + 0x00000060, + 0x00000062, + 0x00000063, + 0x00000064, + 0x00000065, + 0x00000066, + 0x00000067, + 0x00000068, + 0x00000069, + 0x0000006A, + 0x00000070, + 0x00000071, + 0x00000082, + 0x00000090, + 0x00000091, + 0x000000A0, + 0x000000A1, + 0x000000A2, + 0x000000A3, + 0x000000A4, + 0x000000B0, + 0x000000B1, + 0x000000B3, + 0x000000B4, + 0x000000B5, + 0x000000B6, + 0x000000B7, + 0x000000B8, + 0x000000C0, + 0x000000C1, + 0x000000D0, + 0x000000D1, + 0x000000E0, + 0x000000E1, + 0x000000E2, + 0x000000F0, + 0x000000F1, + 0x000000F2, + 0x00000100, + 0x00000101, + 0x00000102, + 0x00000103, + 0x00000104, + 0x00000105, + 0x00000110, + 0x00000112, + 0x00000113, + 0x00000114, + 0x00000115, + 0x00000120, + 0x00000121, + 0x00000130, + 0x00000150, + 0x00000160, + 0x00000170, + 0x00000180, + 0x00000190, + 0x00000191, + 0x000001A0, + 0x000001A1, + 0x00000200, + 0x80000000, + }; + String[] errorMessages = new String[] { + "CKR_OK", + "CKR_CANCEL", + "CKR_HOST_MEMORY", + "CKR_SLOT_ID_INVALID", + "CKR_GENERAL_ERROR", + "CKR_FUNCTION_FAILED", + "CKR_ARGUMENTS_BAD", + "CKR_NO_EVENT", + "CKR_NEED_TO_CREATE_THREADS", + "CKR_CANT_LOCK", + "CKR_ATTRIBUTE_READ_ONLY", + "CKR_ATTRIBUTE_SENSITIVE", + "CKR_ATTRIBUTE_TYPE_INVALID", + "CKR_ATTRIBUTE_VALUE_INVALID", + "CKR_DATA_INVALID", + "CKR_DATA_LEN_RANGE", + "CKR_DEVICE_ERROR", + "CKR_DEVICE_MEMORY", + "CKR_DEVICE_REMOVED", + "CKR_ENCRYPTED_DATA_INVALID", + "CKR_ENCRYPTED_DATA_LEN_RANGE", + "CKR_FUNCTION_CANCELED", + "CKR_FUNCTION_NOT_PARALLEL", + "CKR_FUNCTION_NOT_SUPPORTED", + "CKR_KEY_HANDLE_INVALID", + "CKR_KEY_SIZE_RANGE", + "CKR_KEY_TYPE_INCONSISTENT", + "CKR_KEY_NOT_NEEDED", + "CKR_KEY_CHANGED", + "CKR_KEY_NEEDED", + "CKR_KEY_INDIGESTIBLE", + "CKR_KEY_FUNCTION_NOT_PERMITTED", + "CKR_KEY_NOT_WRAPPABLE", + "CKR_KEY_UNEXTRACTABLE", + "CKR_MECHANISM_INVALID", + "CKR_MECHANISM_PARAM_INVALID", + "CKR_OBJECT_HANDLE_INVALID", + "CKR_OPERATION_ACTIVE", + "CKR_OPERATION_NOT_INITIALIZED", + "CKR_PIN_INCORRECT", + "CKR_PIN_INVALID", + "CKR_PIN_LEN_RANGE", + "CKR_PIN_EXPIRED", + "CKR_PIN_LOCKED", + "CKR_SESSION_CLOSED", + "CKR_SESSION_COUNT", + "CKR_SESSION_HANDLE_INVALID", + "CKR_SESSION_PARALLEL_NOT_SUPPORTED", + "CKR_SESSION_READ_ONLY", + "CKR_SESSION_EXISTS", + "CKR_SESSION_READ_ONLY_EXISTS", + "CKR_SESSION_READ_WRITE_SO_EXISTS", + "CKR_SIGNATURE_INVALID", + "CKR_SIGNATURE_LEN_RANGE", + "CKR_TEMPLATE_INCOMPLETE", + "CKR_TEMPLATE_INCONSISTENT", + "CKR_TOKEN_NOT_PRESENT", + "CKR_TOKEN_NOT_RECOGNIZED", + "CKR_TOKEN_WRITE_PROTECTED", + "CKR_UNWRAPPING_KEY_HANDLE_INVALID", + "CKR_UNWRAPPING_KEY_SIZE_RANGE", + "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT", + "CKR_USER_ALREADY_LOGGED_IN", + "CKR_USER_NOT_LOGGED_IN", + "CKR_USER_PIN_NOT_INITIALIZED", + "CKR_USER_TYPE_INVALID", + "CKR_USER_ANOTHER_ALREADY_LOGGED_IN", + "CKR_USER_TOO_MANY_TYPES", + "CKR_WRAPPED_KEY_INVALID", + "CKR_WRAPPED_KEY_LEN_RANGE", + "CKR_WRAPPING_KEY_HANDLE_INVALID", + "CKR_WRAPPING_KEY_SIZE_RANGE", + "CKR_WRAPPING_KEY_TYPE_INCONSISTENT", + "CKR_RANDOM_SEED_NOT_SUPPORTED", + "CKR_RANDOM_NO_RNG", + "CKR_DOMAIN_PARAMS_INVALID", + "CKR_BUFFER_TOO_SMALL", + "CKR_SAVED_STATE_INVALID", + "CKR_INFORMATION_SENSITIVE", + "CKR_STATE_UNSAVEABLE", + "CKR_CRYPTOKI_NOT_INITIALIZED", + "CKR_CRYPTOKI_ALREADY_INITIALIZED", + "CKR_MUTEX_BAD", + "CKR_MUTEX_NOT_LOCKED", + "CKR_FUNCTION_REJECTED", + "CKR_VENDOR_DEFINED", + }; + errorMap = new HashMap(); + for (int i = 0; i < errorCodes.length; i++) { + errorMap.put(Long.valueOf(errorCodes[i]), errorMessages[i]); + } + } + + + /** + * Constructor taking the error code as defined for the CKR_* constants + * in PKCS#11. + */ + public PKCS11Exception(long errorCode) { + errorCode_ = errorCode; + } + + /** + * This method gets the corresponding text error message from + * a property file. If this file is not available, it returns the error + * code as a hex-string. + * + * @return The message or the error code; e.g. "CKR_DEVICE_ERROR" or + * "0x00000030". + * @preconditions + * @postconditions (result <> null) + */ + public String getMessage() { + String message = errorMap.get(Long.valueOf(errorCode_)); + if (message == null) { + message = "0x" + Functions.toFullHexString((int)errorCode_); + } + return message; + } + + /** + * Returns the PKCS#11 error code. + * + * @return The error code; e.g. 0x00000030. + * @preconditions + * @postconditions + */ + public long getErrorCode() { + return errorCode_ ; + } + +} --- old/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/PKCS11RuntimeException.java 2017-01-20 09:52:53.726288375 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,109 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package sun.security.pkcs11.wrapper; - - -/** - * This is the superclass of all runtime exception used by this library. - * For instance, Runtime exceptions occur, if an internal error in the native - * part of the wrapper occurs. - * - * @author Karl Scheibelhofer - * @invariants - */ -public class PKCS11RuntimeException extends RuntimeException { - private static final long serialVersionUID = 7889842162743590564L; - - /** - * Empty constructor. - * - * @preconditions - * @postconditions - */ - public PKCS11RuntimeException() { - super(); - } - - /** - * Constructor taking a string that describes the reason of the exception - * in more detail. - * - * @param message A descrption of the reason for this exception. - * @preconditions - * @postconditions - */ - public PKCS11RuntimeException(String message) { - super(message); - } - - /** - * Constructor taking an other exception to wrap. - * - * @param encapsulatedException The other exception the wrap into this. - * @preconditions - * @postconditions - */ - public PKCS11RuntimeException(Exception encapsulatedException) { - super(encapsulatedException); - } - - /** - * Constructor taking a message for this exception and an other exception to - * wrap. - * - * @param message The message giving details about the exception to ease - * debugging. - * @param encapsulatedException The other exception the wrap into this. - * @preconditions - * @postconditions - */ - public PKCS11RuntimeException(String message, Exception encapsulatedException) { - super(message, encapsulatedException); - } - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11RuntimeException.java 2017-01-20 09:52:53.502288384 -0800 @@ -0,0 +1,109 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +package sun.security.pkcs11.wrapper; + + +/** + * This is the superclass of all runtime exception used by this library. + * For instance, Runtime exceptions occur, if an internal error in the native + * part of the wrapper occurs. + * + * @author Karl Scheibelhofer + * @invariants + */ +public class PKCS11RuntimeException extends RuntimeException { + private static final long serialVersionUID = 7889842162743590564L; + + /** + * Empty constructor. + * + * @preconditions + * @postconditions + */ + public PKCS11RuntimeException() { + super(); + } + + /** + * Constructor taking a string that describes the reason of the exception + * in more detail. + * + * @param message A descrption of the reason for this exception. + * @preconditions + * @postconditions + */ + public PKCS11RuntimeException(String message) { + super(message); + } + + /** + * Constructor taking an other exception to wrap. + * + * @param encapsulatedException The other exception the wrap into this. + * @preconditions + * @postconditions + */ + public PKCS11RuntimeException(Exception encapsulatedException) { + super(encapsulatedException); + } + + /** + * Constructor taking a message for this exception and an other exception to + * wrap. + * + * @param message The message giving details about the exception to ease + * debugging. + * @param encapsulatedException The other exception the wrap into this. + * @preconditions + * @postconditions + */ + public PKCS11RuntimeException(String message, Exception encapsulatedException) { + super(message, encapsulatedException); + } + +} --- old/src/jdk.crypto.token/share/legal/pkcs11cryptotoken.md 2017-01-20 09:52:54.090288361 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,20 +0,0 @@ -## PKCS #11 Cryptographic Token Interface, v2.20 amendment 3 Header Files - -### PKCS #11 Cryptographic Token Interface License -
-
-License to copy and use this software is granted provided that it is
-identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-(Cryptoki)" in all material mentioning or referencing this software.
-
-License is also granted to make and use derivative works provided that
-such works are identified as "derived from the RSA Security Inc. PKCS #11
-Cryptographic Token Interface (Cryptoki)" in all material mentioning or
-referencing the derived work.
-
-RSA Security Inc. makes no representations concerning either the
-merchantability of this software or the suitability of this software for
-any particular purpose. It is provided "as is" without express or implied
-warranty of any kind.
-
-
--- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/legal/pkcs11cryptotoken.md 2017-01-20 09:52:53.878288369 -0800 @@ -0,0 +1,20 @@ +## PKCS #11 Cryptographic Token Interface, v2.20 amendment 3 Header Files + +### PKCS #11 Cryptographic Token Interface License +
+
+License to copy and use this software is granted provided that it is
+identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+(Cryptoki)" in all material mentioning or referencing this software.
+
+License is also granted to make and use derivative works provided that
+such works are identified as "derived from the RSA Security Inc. PKCS #11
+Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+referencing the derived work.
+
+RSA Security Inc. makes no representations concerning either the
+merchantability of this software or the suitability of this software for
+any particular purpose. It is provided "as is" without express or implied
+warranty of any kind.
+
+
--- old/src/jdk.crypto.token/share/legal/pkcs11wrapper.md 2017-01-20 09:52:54.442288348 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,46 +0,0 @@ -## IAIK (Institute for Applied Information Processing and Communication) PKCS#11 wrapper files v1 - -### IAIK License -
-
-Copyright (c) 2002 Graz University of Technology. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution.
-
-3. The end-user documentation included with the redistribution, if any, must
-   include the following acknowledgment:
-
-   "This product includes software developed by IAIK of Graz University of
-    Technology."
-
-   Alternately, this acknowledgment may appear in the software itself, if and
-   wherever such third-party acknowledgments normally appear.
-
-4. The names "Graz University of Technology" and "IAIK of Graz University of
-   Technology" must not be used to endorse or promote products derived from this
-   software without prior written permission.
-
-5. Products derived from this software may not be called "IAIK PKCS Wrapper",
-   nor may "IAIK" appear in their name, without prior written permission of
-   Graz University of Technology.
-
-THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-LICENSOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-
--- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/legal/pkcs11wrapper.md 2017-01-20 09:52:54.222288356 -0800 @@ -0,0 +1,46 @@ +## IAIK (Institute for Applied Information Processing and Communication) PKCS#11 wrapper files v1 + +### IAIK License +
+
+Copyright (c) 2002 Graz University of Technology. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. The end-user documentation included with the redistribution, if any, must
+   include the following acknowledgment:
+
+   "This product includes software developed by IAIK of Graz University of
+    Technology."
+
+   Alternately, this acknowledgment may appear in the software itself, if and
+   wherever such third-party acknowledgments normally appear.
+
+4. The names "Graz University of Technology" and "IAIK of Graz University of
+   Technology" must not be used to endorse or promote products derived from this
+   software without prior written permission.
+
+5. Products derived from this software may not be called "IAIK PKCS Wrapper",
+   nor may "IAIK" appear in their name, without prior written permission of
+   Graz University of Technology.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+LICENSOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+
--- old/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.c 2017-01-20 09:52:54.794288335 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,233 +0,0 @@ -/* - * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -#include -#include -#include - -// #define SECMOD_DEBUG - -#include "j2secmod.h" -#include "jni_util.h" - - -JNIEXPORT jboolean JNICALL Java_sun_security_pkcs11_Secmod_nssVersionCheck - (JNIEnv *env, jclass thisClass, jlong jHandle, jstring jVersion) -{ - int res = 0; - FPTR_VersionCheck versionCheck; - const char *requiredVersion; - - versionCheck = (FPTR_VersionCheck)findFunction(env, jHandle, - "NSS_VersionCheck"); - if (versionCheck == NULL) { - return JNI_FALSE; - } - - requiredVersion = (*env)->GetStringUTFChars(env, jVersion, NULL); - if (requiredVersion == NULL) { - return JNI_FALSE; - } - - res = versionCheck(requiredVersion); - dprintf2("-version >=%s: %d\n", requiredVersion, res); - (*env)->ReleaseStringUTFChars(env, jVersion, requiredVersion); - - return (res == 0) ? JNI_FALSE : JNI_TRUE; -} - -/* - * Initializes NSS. - * The NSS_INIT_OPTIMIZESPACE flag is supplied by the caller. - * The NSS_Init* functions are mapped to the NSS_Initialize function. - */ -JNIEXPORT jboolean JNICALL Java_sun_security_pkcs11_Secmod_nssInitialize - (JNIEnv *env, jclass thisClass, jstring jFunctionName, jlong jHandle, jstring jConfigDir, jboolean jNssOptimizeSpace) -{ - int res = 0; - FPTR_Initialize initialize = - (FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize"); - unsigned int flags = 0x00; - const char *configDir = NULL; - const char *functionName = NULL; - - /* If we cannot initialize, exit now */ - if (initialize == NULL) { - res = 1; - goto cleanup; - } - - functionName = (*env)->GetStringUTFChars(env, jFunctionName, NULL); - if (functionName == NULL) { - res = 1; - goto cleanup; - } - - if (jConfigDir != NULL) { - configDir = (*env)->GetStringUTFChars(env, jConfigDir, NULL); - if (!configDir) { - res = 1; - goto cleanup; - } - } - - if (jNssOptimizeSpace == JNI_TRUE) { - flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag - } - - /* - * If the NSS_Init function is requested then call NSS_Initialize to - * open the Cert, Key and Security Module databases, read only. - */ - if (strcmp("NSS_Init", functionName) == 0) { - flags = flags | 0x01; // NSS_INIT_READONLY flag - res = initialize(configDir, "", "", "secmod.db", flags); - - /* - * If the NSS_InitReadWrite function is requested then call - * NSS_Initialize to open the Cert, Key and Security Module databases, - * read/write. - */ - } else if (strcmp("NSS_InitReadWrite", functionName) == 0) { - res = initialize(configDir, "", "", "secmod.db", flags); - - /* - * If the NSS_NoDB_Init function is requested then call - * NSS_Initialize without creating Cert, Key or Security Module - * databases. - */ - } else if (strcmp("NSS_NoDB_Init", functionName) == 0) { - flags = flags | 0x02 // NSS_INIT_NOCERTDB flag - | 0x04 // NSS_INIT_NOMODDB flag - | 0x08 // NSS_INIT_FORCEOPEN flag - | 0x10; // NSS_INIT_NOROOTINIT flag - res = initialize("", "", "", "", flags); - - } else { - res = 2; - } - -cleanup: - if (functionName != NULL) { - (*env)->ReleaseStringUTFChars(env, jFunctionName, functionName); - } - if (configDir != NULL) { - (*env)->ReleaseStringUTFChars(env, jConfigDir, configDir); - } - dprintf1("-res: %d\n", res); - - return (res == 0) ? JNI_TRUE : JNI_FALSE; -} - -JNIEXPORT jobject JNICALL Java_sun_security_pkcs11_Secmod_nssGetModuleList - (JNIEnv *env, jclass thisClass, jlong jHandle, jstring jLibDir) -{ - FPTR_GetDBModuleList getModuleList = - (FPTR_GetDBModuleList)findFunction(env, jHandle, "SECMOD_GetDefaultModuleList"); - - SECMODModuleList *list; - SECMODModule *module; - jclass jListClass, jModuleClass; - jobject jList, jModule; - jmethodID jListConstructor, jAdd, jModuleConstructor; - jstring jCommonName, jDllName; - jboolean jFIPS; - jint i; - - if (getModuleList == NULL) { - dprintf("-getmodulelist function not found\n"); - return NULL; - } - list = getModuleList(); - if (list == NULL) { - dprintf("-module list is null\n"); - return NULL; - } - - jListClass = (*env)->FindClass(env, "java/util/ArrayList"); - if (jListClass == NULL) { - return NULL; - } - jListConstructor = (*env)->GetMethodID(env, jListClass, "", "()V"); - if (jListConstructor == NULL) { - return NULL; - } - jAdd = (*env)->GetMethodID(env, jListClass, "add", "(Ljava/lang/Object;)Z"); - if (jAdd == NULL) { - return NULL; - } - jList = (*env)->NewObject(env, jListClass, jListConstructor); - if (jList == NULL) { - return NULL; - } - jModuleClass = (*env)->FindClass(env, "sun/security/pkcs11/Secmod$Module"); - if (jModuleClass == NULL) { - return NULL; - } - jModuleConstructor = (*env)->GetMethodID(env, jModuleClass, "", - "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ZI)V"); - if (jModuleConstructor == NULL) { - return NULL; - } - - while (list != NULL) { - module = list->module; - // assert module != null - dprintf1("-commonname: %s\n", module->commonName); - dprintf1("-dllname: %s\n", (module->dllName != NULL) ? module->dllName : "NULL"); - dprintf1("-slots: %d\n", module->slotCount); - dprintf1("-loaded: %d\n", module->loaded); - dprintf1("-internal: %d\n", module->internal); - dprintf1("-fips: %d\n", module->isFIPS); - jCommonName = (*env)->NewStringUTF(env, module->commonName); - if (jCommonName == NULL) { - return NULL; - } - if (module->dllName == NULL) { - jDllName = NULL; - } else { - jDllName = (*env)->NewStringUTF(env, module->dllName); - if (jDllName == NULL) { - return NULL; - } - } - jFIPS = module->isFIPS; - for (i = 0; i < module->slotCount; i++ ) { - jModule = (*env)->NewObject(env, jModuleClass, jModuleConstructor, - jLibDir, jDllName, jCommonName, jFIPS, i); - if (jModule == NULL) { - return NULL; - } - (*env)->CallVoidMethod(env, jList, jAdd, jModule); - if ((*env)->ExceptionCheck(env)) { - return NULL; - } - } - list = list->next; - } - dprintf("-ok\n"); - - return jList; -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.c 2017-01-20 09:52:54.574288343 -0800 @@ -0,0 +1,233 @@ +/* + * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +#include +#include +#include + +// #define SECMOD_DEBUG + +#include "j2secmod.h" +#include "jni_util.h" + + +JNIEXPORT jboolean JNICALL Java_sun_security_pkcs11_Secmod_nssVersionCheck + (JNIEnv *env, jclass thisClass, jlong jHandle, jstring jVersion) +{ + int res = 0; + FPTR_VersionCheck versionCheck; + const char *requiredVersion; + + versionCheck = (FPTR_VersionCheck)findFunction(env, jHandle, + "NSS_VersionCheck"); + if (versionCheck == NULL) { + return JNI_FALSE; + } + + requiredVersion = (*env)->GetStringUTFChars(env, jVersion, NULL); + if (requiredVersion == NULL) { + return JNI_FALSE; + } + + res = versionCheck(requiredVersion); + dprintf2("-version >=%s: %d\n", requiredVersion, res); + (*env)->ReleaseStringUTFChars(env, jVersion, requiredVersion); + + return (res == 0) ? JNI_FALSE : JNI_TRUE; +} + +/* + * Initializes NSS. + * The NSS_INIT_OPTIMIZESPACE flag is supplied by the caller. + * The NSS_Init* functions are mapped to the NSS_Initialize function. + */ +JNIEXPORT jboolean JNICALL Java_sun_security_pkcs11_Secmod_nssInitialize + (JNIEnv *env, jclass thisClass, jstring jFunctionName, jlong jHandle, jstring jConfigDir, jboolean jNssOptimizeSpace) +{ + int res = 0; + FPTR_Initialize initialize = + (FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize"); + unsigned int flags = 0x00; + const char *configDir = NULL; + const char *functionName = NULL; + + /* If we cannot initialize, exit now */ + if (initialize == NULL) { + res = 1; + goto cleanup; + } + + functionName = (*env)->GetStringUTFChars(env, jFunctionName, NULL); + if (functionName == NULL) { + res = 1; + goto cleanup; + } + + if (jConfigDir != NULL) { + configDir = (*env)->GetStringUTFChars(env, jConfigDir, NULL); + if (!configDir) { + res = 1; + goto cleanup; + } + } + + if (jNssOptimizeSpace == JNI_TRUE) { + flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag + } + + /* + * If the NSS_Init function is requested then call NSS_Initialize to + * open the Cert, Key and Security Module databases, read only. + */ + if (strcmp("NSS_Init", functionName) == 0) { + flags = flags | 0x01; // NSS_INIT_READONLY flag + res = initialize(configDir, "", "", "secmod.db", flags); + + /* + * If the NSS_InitReadWrite function is requested then call + * NSS_Initialize to open the Cert, Key and Security Module databases, + * read/write. + */ + } else if (strcmp("NSS_InitReadWrite", functionName) == 0) { + res = initialize(configDir, "", "", "secmod.db", flags); + + /* + * If the NSS_NoDB_Init function is requested then call + * NSS_Initialize without creating Cert, Key or Security Module + * databases. + */ + } else if (strcmp("NSS_NoDB_Init", functionName) == 0) { + flags = flags | 0x02 // NSS_INIT_NOCERTDB flag + | 0x04 // NSS_INIT_NOMODDB flag + | 0x08 // NSS_INIT_FORCEOPEN flag + | 0x10; // NSS_INIT_NOROOTINIT flag + res = initialize("", "", "", "", flags); + + } else { + res = 2; + } + +cleanup: + if (functionName != NULL) { + (*env)->ReleaseStringUTFChars(env, jFunctionName, functionName); + } + if (configDir != NULL) { + (*env)->ReleaseStringUTFChars(env, jConfigDir, configDir); + } + dprintf1("-res: %d\n", res); + + return (res == 0) ? JNI_TRUE : JNI_FALSE; +} + +JNIEXPORT jobject JNICALL Java_sun_security_pkcs11_Secmod_nssGetModuleList + (JNIEnv *env, jclass thisClass, jlong jHandle, jstring jLibDir) +{ + FPTR_GetDBModuleList getModuleList = + (FPTR_GetDBModuleList)findFunction(env, jHandle, "SECMOD_GetDefaultModuleList"); + + SECMODModuleList *list; + SECMODModule *module; + jclass jListClass, jModuleClass; + jobject jList, jModule; + jmethodID jListConstructor, jAdd, jModuleConstructor; + jstring jCommonName, jDllName; + jboolean jFIPS; + jint i; + + if (getModuleList == NULL) { + dprintf("-getmodulelist function not found\n"); + return NULL; + } + list = getModuleList(); + if (list == NULL) { + dprintf("-module list is null\n"); + return NULL; + } + + jListClass = (*env)->FindClass(env, "java/util/ArrayList"); + if (jListClass == NULL) { + return NULL; + } + jListConstructor = (*env)->GetMethodID(env, jListClass, "", "()V"); + if (jListConstructor == NULL) { + return NULL; + } + jAdd = (*env)->GetMethodID(env, jListClass, "add", "(Ljava/lang/Object;)Z"); + if (jAdd == NULL) { + return NULL; + } + jList = (*env)->NewObject(env, jListClass, jListConstructor); + if (jList == NULL) { + return NULL; + } + jModuleClass = (*env)->FindClass(env, "sun/security/pkcs11/Secmod$Module"); + if (jModuleClass == NULL) { + return NULL; + } + jModuleConstructor = (*env)->GetMethodID(env, jModuleClass, "", + "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ZI)V"); + if (jModuleConstructor == NULL) { + return NULL; + } + + while (list != NULL) { + module = list->module; + // assert module != null + dprintf1("-commonname: %s\n", module->commonName); + dprintf1("-dllname: %s\n", (module->dllName != NULL) ? module->dllName : "NULL"); + dprintf1("-slots: %d\n", module->slotCount); + dprintf1("-loaded: %d\n", module->loaded); + dprintf1("-internal: %d\n", module->internal); + dprintf1("-fips: %d\n", module->isFIPS); + jCommonName = (*env)->NewStringUTF(env, module->commonName); + if (jCommonName == NULL) { + return NULL; + } + if (module->dllName == NULL) { + jDllName = NULL; + } else { + jDllName = (*env)->NewStringUTF(env, module->dllName); + if (jDllName == NULL) { + return NULL; + } + } + jFIPS = module->isFIPS; + for (i = 0; i < module->slotCount; i++ ) { + jModule = (*env)->NewObject(env, jModuleClass, jModuleConstructor, + jLibDir, jDllName, jCommonName, jFIPS, i); + if (jModule == NULL) { + return NULL; + } + (*env)->CallVoidMethod(env, jList, jAdd, jModule); + if ((*env)->ExceptionCheck(env)) { + return NULL; + } + } + list = list->next; + } + dprintf("-ok\n"); + + return jList; +} --- old/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.h 2017-01-20 09:52:55.142288322 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,83 +0,0 @@ -/* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -#include - -#include "sun_security_pkcs11_Secmod.h" - -// #define SECMOD_DEBUG - -#include "j2secmod_md.h" - -#include "p11_md.h" - - -void *findFunction(JNIEnv *env, jlong jHandle, const char *functionName); - -#ifdef SECMOD_DEBUG -#define dprintf(s) printf(s) -#define dprintf1(s, p1) printf(s, p1) -#define dprintf2(s, p1, p2) printf(s, p1, p2) -#define dprintf3(s, p1, p2, p3) printf(s, p1, p2, p3) -#else -#define dprintf(s) -#define dprintf1(s, p1) -#define dprintf2(s, p1, p2) -#define dprintf3(s, p1, p2, p3) -#endif - -// NSS types - -typedef int PRBool; - -typedef struct SECMODModuleStr SECMODModule; -typedef struct SECMODModuleListStr SECMODModuleList; - -struct SECMODModuleStr { - void *v1; - PRBool internal; /* true of internally linked modules, false - * for the loaded modules */ - PRBool loaded; /* Set to true if module has been loaded */ - PRBool isFIPS; /* Set to true if module is finst internal */ - char *dllName; /* name of the shared library which implements - * this module */ - char *commonName; /* name of the module to display to the user */ - void *library; /* pointer to the library. opaque. used only by - * pk11load.c */ - - void *functionList; /* The PKCS #11 function table */ - void *refLock; /* only used pk11db.c */ - int refCount; /* Module reference count */ - void **slots; /* array of slot points attached to this mod*/ - int slotCount; /* count of slot in above array */ - void *slotInfo; /* special info about slots default settings */ - int slotInfoCount; /* count */ - // incomplete, sizeof() is wrong -}; - -struct SECMODModuleListStr { - SECMODModuleList *next; - SECMODModule *module; -}; --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.h 2017-01-20 09:52:54.922288330 -0800 @@ -0,0 +1,83 @@ +/* + * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +#include + +#include "sun_security_pkcs11_Secmod.h" + +// #define SECMOD_DEBUG + +#include "j2secmod_md.h" + +#include "p11_md.h" + + +void *findFunction(JNIEnv *env, jlong jHandle, const char *functionName); + +#ifdef SECMOD_DEBUG +#define dprintf(s) printf(s) +#define dprintf1(s, p1) printf(s, p1) +#define dprintf2(s, p1, p2) printf(s, p1, p2) +#define dprintf3(s, p1, p2, p3) printf(s, p1, p2, p3) +#else +#define dprintf(s) +#define dprintf1(s, p1) +#define dprintf2(s, p1, p2) +#define dprintf3(s, p1, p2, p3) +#endif + +// NSS types + +typedef int PRBool; + +typedef struct SECMODModuleStr SECMODModule; +typedef struct SECMODModuleListStr SECMODModuleList; + +struct SECMODModuleStr { + void *v1; + PRBool internal; /* true of internally linked modules, false + * for the loaded modules */ + PRBool loaded; /* Set to true if module has been loaded */ + PRBool isFIPS; /* Set to true if module is finst internal */ + char *dllName; /* name of the shared library which implements + * this module */ + char *commonName; /* name of the module to display to the user */ + void *library; /* pointer to the library. opaque. used only by + * pk11load.c */ + + void *functionList; /* The PKCS #11 function table */ + void *refLock; /* only used pk11db.c */ + int refCount; /* Module reference count */ + void **slots; /* array of slot points attached to this mod*/ + int slotCount; /* count of slot in above array */ + void *slotInfo; /* special info about slots default settings */ + int slotInfoCount; /* count */ + // incomplete, sizeof() is wrong +}; + +struct SECMODModuleListStr { + SECMODModuleList *next; + SECMODModule *module; +}; --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_convert.c 2017-01-20 09:52:55.498288308 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,1842 +0,0 @@ -/* - * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * pkcs11wrapper.c - * 18.05.2001 - * - * This is the implementation of the native functions of the Java to PKCS#11 interface. - * All function use some helper functions to convert the JNI types to PKCS#11 types. - * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ - - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -/* declare file private functions */ - -void jMechanismParameterToCKMechanismParameterSlow(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength); - - -/* - * converts a pointer to a CK_DATE structure into a Java CK_DATE Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpValue - the pointer to the CK_DATE structure - * @return - the new Java CK_DATE object - */ -jobject ckDatePtrToJDateObject(JNIEnv *env, const CK_DATE *ckpDate) -{ - jclass jDateClass; - jmethodID jCtrId; - jobject jDateObject; - jcharArray jYear; - jcharArray jMonth; - jcharArray jDay; - - /* load CK_DATE class */ - jDateClass = (*env)->FindClass(env, CLASS_DATE); - if (jDateClass == NULL) { return NULL; } - - /* load CK_DATE constructor */ - jCtrId = (*env)->GetMethodID(env, jDateClass, "", "([C[C[C)V"); - if (jCtrId == NULL) { return NULL; } - - /* prep all fields */ - jYear = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->year), 4); - if (jYear == NULL) { return NULL; } - jMonth = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->month), 2); - if (jMonth == NULL) { return NULL; } - jDay = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->day), 2); - if (jDay == NULL) { return NULL; } - - /* create new CK_DATE object */ - jDateObject = - (*env)->NewObject(env, jDateClass, jCtrId, jYear, jMonth, jDay); - if (jDateObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jDateClass); - (*env)->DeleteLocalRef(env, jYear); - (*env)->DeleteLocalRef(env, jMonth); - (*env)->DeleteLocalRef(env, jDay); - - return jDateObject ; -} - -/* - * converts a pointer to a CK_VERSION structure into a Java CK_VERSION Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpVersion - the pointer to the CK_VERSION structure - * @return - the new Java CK_VERSION object - */ -jobject ckVersionPtrToJVersion(JNIEnv *env, const CK_VERSION_PTR ckpVersion) -{ - jclass jVersionClass; - jmethodID jCtrId; - jobject jVersionObject; - jint jMajor; - jint jMinor; - - /* load CK_VERSION class */ - jVersionClass = (*env)->FindClass(env, CLASS_VERSION); - if (jVersionClass == NULL) { return NULL; } - - /* load CK_VERSION constructor */ - jCtrId = (*env)->GetMethodID(env, jVersionClass, "", "(II)V"); - if (jCtrId == NULL) { return NULL; } - - /* prep both fields */ - jMajor = ckpVersion->major; - jMinor = ckpVersion->minor; - - /* create new CK_VERSION object */ - jVersionObject = - (*env)->NewObject(env, jVersionClass, jCtrId, jMajor, jMinor); - if (jVersionObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jVersionClass); - - return jVersionObject ; -} - -/* - * converts a pointer to a CK_SESSION_INFO structure into a Java CK_SESSION_INFO Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpSessionInfo - the pointer to the CK_SESSION_INFO structure - * @return - the new Java CK_SESSION_INFO object - */ -jobject ckSessionInfoPtrToJSessionInfo(JNIEnv *env, const CK_SESSION_INFO_PTR ckpSessionInfo) -{ - jclass jSessionInfoClass; - jmethodID jCtrId; - jobject jSessionInfoObject; - jlong jSlotID; - jlong jState; - jlong jFlags; - jlong jDeviceError; - - /* load CK_SESSION_INFO class */ - jSessionInfoClass = (*env)->FindClass(env, CLASS_SESSION_INFO); - if (jSessionInfoClass == NULL) { return NULL; } - - /* load CK_SESSION_INFO constructor */ - jCtrId = (*env)->GetMethodID(env, jSessionInfoClass, "", "(JJJJ)V"); - if (jCtrId == NULL) { return NULL; } - - /* prep all fields */ - jSlotID = ckULongToJLong(ckpSessionInfo->slotID); - jState = ckULongToJLong(ckpSessionInfo->state); - jFlags = ckULongToJLong(ckpSessionInfo->flags); - jDeviceError = ckULongToJLong(ckpSessionInfo->ulDeviceError); - - /* create new CK_SESSION_INFO object */ - jSessionInfoObject = - (*env)->NewObject(env, jSessionInfoClass, jCtrId, jSlotID, jState, - jFlags, jDeviceError); - if (jSessionInfoObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jSessionInfoClass); - - return jSessionInfoObject ; -} - -/* - * converts a pointer to a CK_ATTRIBUTE structure into a Java CK_ATTRIBUTE Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpAttribute - the pointer to the CK_ATTRIBUTE structure - * @return - the new Java CK_ATTRIBUTE object - */ -jobject ckAttributePtrToJAttribute(JNIEnv *env, const CK_ATTRIBUTE_PTR ckpAttribute) -{ - jclass jAttributeClass; - jmethodID jCtrId; - jobject jAttributeObject; - jlong jType; - jobject jPValue = NULL; - - jAttributeClass = (*env)->FindClass(env, CLASS_ATTRIBUTE); - if (jAttributeClass == NULL) { return NULL; } - - /* load CK_INFO constructor */ - jCtrId = (*env)->GetMethodID(env, jAttributeClass, "", "(JLjava/lang/Object;)V"); - if (jCtrId == NULL) { return NULL; } - - /* prep both fields */ - jType = ckULongToJLong(ckpAttribute->type); - jPValue = ckAttributeValueToJObject(env, ckpAttribute); - if ((*env)->ExceptionCheck(env)) { return NULL; } - - /* create new CK_ATTRIBUTE object */ - jAttributeObject = - (*env)->NewObject(env, jAttributeClass, jCtrId, jType, jPValue); - if (jAttributeObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jAttributeClass); - (*env)->DeleteLocalRef(env, jPValue); - - return jAttributeObject; -} - - -/* - * converts a Java CK_VERSION object into a pointer to a CK_VERSION structure - * - * @param env - used to call JNI funktions to get the values out of the Java object - * @param jVersion - the Java CK_VERSION object to convert - * @return - the pointer to the new CK_VERSION structure - */ -CK_VERSION_PTR jVersionToCKVersionPtr(JNIEnv *env, jobject jVersion) -{ - CK_VERSION_PTR ckpVersion; - jclass jVersionClass; - jfieldID jFieldID; - jbyte jMajor, jMinor; - - if (jVersion == NULL) { - return NULL; - } - - /* get CK_VERSION class */ - jVersionClass = (*env)->GetObjectClass(env, jVersion); - if (jVersionClass == NULL) { return NULL; } - - /* get Major */ - jFieldID = (*env)->GetFieldID(env, jVersionClass, "major", "B"); - if (jFieldID == NULL) { return NULL; } - jMajor = (*env)->GetByteField(env, jVersion, jFieldID); - - /* get Minor */ - jFieldID = (*env)->GetFieldID(env, jVersionClass, "minor", "B"); - if (jFieldID == NULL) { return NULL; } - jMinor = (*env)->GetByteField(env, jVersion, jFieldID); - - /* allocate memory for CK_VERSION pointer */ - ckpVersion = (CK_VERSION_PTR) malloc(sizeof(CK_VERSION)); - if (ckpVersion == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - ckpVersion->major = jByteToCKByte(jMajor); - ckpVersion->minor = jByteToCKByte(jMinor); - - return ckpVersion ; -} - - -/* - * converts a Java CK_DATE object into a pointer to a CK_DATE structure - * - * @param env - used to call JNI funktions to get the values out of the Java object - * @param jVersion - the Java CK_DATE object to convert - * @return - the pointer to the new CK_DATE structure - */ -CK_DATE * jDateObjectPtrToCKDatePtr(JNIEnv *env, jobject jDate) -{ - CK_DATE * ckpDate; - CK_ULONG ckLength; - jclass jDateClass; - jfieldID jFieldID; - jobject jYear, jMonth, jDay; - jchar *jTempChars; - CK_ULONG i; - - if (jDate == NULL) { - return NULL; - } - - /* get CK_DATE class */ - jDateClass = (*env)->FindClass(env, CLASS_DATE); - if (jDateClass == NULL) { return NULL; } - - /* get Year */ - jFieldID = (*env)->GetFieldID(env, jDateClass, "year", "[C"); - if (jFieldID == NULL) { return NULL; } - jYear = (*env)->GetObjectField(env, jDate, jFieldID); - - /* get Month */ - jFieldID = (*env)->GetFieldID(env, jDateClass, "month", "[C"); - if (jFieldID == NULL) { return NULL; } - jMonth = (*env)->GetObjectField(env, jDate, jFieldID); - - /* get Day */ - jFieldID = (*env)->GetFieldID(env, jDateClass, "day", "[C"); - if (jFieldID == NULL) { return NULL; } - jDay = (*env)->GetObjectField(env, jDate, jFieldID); - - /* allocate memory for CK_DATE pointer */ - ckpDate = (CK_DATE *) malloc(sizeof(CK_DATE)); - if (ckpDate == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - - if (jYear == NULL) { - ckpDate->year[0] = 0; - ckpDate->year[1] = 0; - ckpDate->year[2] = 0; - ckpDate->year[3] = 0; - } else { - ckLength = (*env)->GetArrayLength(env, jYear); - jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); - if (jTempChars == NULL) { - free(ckpDate); - throwOutOfMemoryError(env, 0); - return NULL; - } - (*env)->GetCharArrayRegion(env, jYear, 0, ckLength, jTempChars); - if ((*env)->ExceptionCheck(env)) { - free(ckpDate); - free(jTempChars); - return NULL; - } - - for (i = 0; (i < ckLength) && (i < 4) ; i++) { - ckpDate->year[i] = jCharToCKChar(jTempChars[i]); - } - free(jTempChars); - } - - if (jMonth == NULL) { - ckpDate->month[0] = 0; - ckpDate->month[1] = 0; - } else { - ckLength = (*env)->GetArrayLength(env, jMonth); - jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); - if (jTempChars == NULL) { - free(ckpDate); - throwOutOfMemoryError(env, 0); - return NULL; - } - (*env)->GetCharArrayRegion(env, jMonth, 0, ckLength, jTempChars); - if ((*env)->ExceptionCheck(env)) { - free(ckpDate); - free(jTempChars); - return NULL; - } - - for (i = 0; (i < ckLength) && (i < 2) ; i++) { - ckpDate->month[i] = jCharToCKChar(jTempChars[i]); - } - free(jTempChars); - } - - if (jDay == NULL) { - ckpDate->day[0] = 0; - ckpDate->day[1] = 0; - } else { - ckLength = (*env)->GetArrayLength(env, jDay); - jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); - if (jTempChars == NULL) { - free(ckpDate); - throwOutOfMemoryError(env, 0); - return NULL; - } - (*env)->GetCharArrayRegion(env, jDay, 0, ckLength, jTempChars); - if ((*env)->ExceptionCheck(env)) { - free(ckpDate); - free(jTempChars); - return NULL; - } - - for (i = 0; (i < ckLength) && (i < 2) ; i++) { - ckpDate->day[i] = jCharToCKChar(jTempChars[i]); - } - free(jTempChars); - } - - return ckpDate ; -} - - -/* - * converts a Java CK_ATTRIBUTE object into a CK_ATTRIBUTE structure - * - * @param env - used to call JNI funktions to get the values out of the Java object - * @param jAttribute - the Java CK_ATTRIBUTE object to convert - * @return - the new CK_ATTRIBUTE structure - */ -CK_ATTRIBUTE jAttributeToCKAttribute(JNIEnv *env, jobject jAttribute) -{ - CK_ATTRIBUTE ckAttribute; - jclass jAttributeClass; - jfieldID jFieldID; - jlong jType; - jobject jPValue; - memset(&ckAttribute, 0, sizeof(CK_ATTRIBUTE)); - - // TBD: what if jAttribute == NULL?! - - TRACE0("\nDEBUG: jAttributeToCKAttribute"); - /* get CK_ATTRIBUTE class */ - TRACE0(", getting attribute object class"); - jAttributeClass = (*env)->GetObjectClass(env, jAttribute); - if (jAttributeClass == NULL) { return ckAttribute; } - - /* get type */ - TRACE0(", getting type field"); - jFieldID = (*env)->GetFieldID(env, jAttributeClass, "type", "J"); - if (jFieldID == NULL) { return ckAttribute; } - jType = (*env)->GetLongField(env, jAttribute, jFieldID); - TRACE1(", type=0x%X", jType); - - /* get pValue */ - TRACE0(", getting pValue field"); - jFieldID = (*env)->GetFieldID(env, jAttributeClass, "pValue", "Ljava/lang/Object;"); - if (jFieldID == NULL) { return ckAttribute; } - jPValue = (*env)->GetObjectField(env, jAttribute, jFieldID); - TRACE1(", pValue=%p", jPValue); - - ckAttribute.type = jLongToCKULong(jType); - TRACE0(", converting pValue to primitive object"); - - /* convert the Java pValue object to a CK-type pValue pointer */ - jObjectToPrimitiveCKObjectPtrPtr(env, jPValue, &(ckAttribute.pValue), &(ckAttribute.ulValueLen)); - - TRACE0("\nFINISHED\n"); - - return ckAttribute ; -} - -/* - * converts the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS object to a - * CK_SSL3_MASTER_KEY_DERIVE_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS object to convert - * @return - the new CK_SSL3_MASTER_KEY_DERIVE_PARAMS structure - */ -CK_SSL3_MASTER_KEY_DERIVE_PARAMS jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(JNIEnv *env, jobject jParam) -{ - // XXX don't return structs - // XXX prefetch class and field ids - jclass jSsl3MasterKeyDeriveParamsClass; - CK_SSL3_MASTER_KEY_DERIVE_PARAMS ckParam; - jfieldID fieldID; - jclass jSsl3RandomDataClass; - jobject jRandomInfo, jRIClientRandom, jRIServerRandom, jVersion; - memset(&ckParam, 0, sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS)); - - /* get RandomInfo */ - jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); - if (jSsl3MasterKeyDeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3MasterKeyDeriveParamsClass, "RandomInfo", "Lsun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA;"); - if (fieldID == NULL) { return ckParam; } - jRandomInfo = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pClientRandom and ulClientRandomLength out of RandomInfo */ - jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA); - if (jSsl3RandomDataClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pClientRandom", "[B"); - if (fieldID == NULL) { return ckParam; } - jRIClientRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); - - /* get pServerRandom and ulServerRandomLength out of RandomInfo */ - fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pServerRandom", "[B"); - if (fieldID == NULL) { return ckParam; } - jRIServerRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); - - /* get pVersion */ - fieldID = (*env)->GetFieldID(env, jSsl3MasterKeyDeriveParamsClass, "pVersion", "Lsun/security/pkcs11/wrapper/CK_VERSION;"); - if (fieldID == NULL) { return ckParam; } - jVersion = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - ckParam.pVersion = jVersionToCKVersionPtr(env, jVersion); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - jByteArrayToCKByteArray(env, jRIClientRandom, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pVersion); - return ckParam; - } - jByteArrayToCKByteArray(env, jRIServerRandom, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pVersion); - free(ckParam.RandomInfo.pClientRandom); - return ckParam; - } - - return ckParam ; -} - - -/* - * converts the Java CK_TLS_PRF_PARAMS object to a CK_TLS_PRF_PARAMS structure - */ -CK_TLS_PRF_PARAMS jTlsPrfParamsToCKTlsPrfParam(JNIEnv *env, jobject jParam) -{ - jclass jTlsPrfParamsClass; - CK_TLS_PRF_PARAMS ckParam; - jfieldID fieldID; - jobject jSeed, jLabel, jOutput; - memset(&ckParam, 0, sizeof(CK_TLS_PRF_PARAMS)); - - // TBD: what if jParam == NULL?! - - /* get pSeed */ - jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); - if (jTlsPrfParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pSeed", "[B"); - if (fieldID == NULL) { return ckParam; } - jSeed = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pLabel */ - fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pLabel", "[B"); - if (fieldID == NULL) { return ckParam; } - jLabel = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pOutput */ - fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pOutput", "[B"); - if (fieldID == NULL) { return ckParam; } - jOutput = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - jByteArrayToCKByteArray(env, jSeed, &(ckParam.pSeed), &(ckParam.ulSeedLen)); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - jByteArrayToCKByteArray(env, jLabel, &(ckParam.pLabel), &(ckParam.ulLabelLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pSeed); - return ckParam; - } - ckParam.pulOutputLen = malloc(sizeof(CK_ULONG)); - if (ckParam.pulOutputLen == NULL) { - free(ckParam.pSeed); - free(ckParam.pLabel); - throwOutOfMemoryError(env, 0); - return ckParam; - } - jByteArrayToCKByteArray(env, jOutput, &(ckParam.pOutput), ckParam.pulOutputLen); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pSeed); - free(ckParam.pLabel); - free(ckParam.pulOutputLen); - return ckParam; - } - - return ckParam ; -} - -/* - * converts the Java CK_SSL3_KEY_MAT_PARAMS object to a CK_SSL3_KEY_MAT_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_SSL3_KEY_MAT_PARAMS object to convert - * @return - the new CK_SSL3_KEY_MAT_PARAMS structure - */ -CK_SSL3_KEY_MAT_PARAMS jSsl3KeyMatParamToCKSsl3KeyMatParam(JNIEnv *env, jobject jParam) -{ - // XXX don't return structs - // XXX prefetch class and field ids - jclass jSsl3KeyMatParamsClass, jSsl3RandomDataClass, jSsl3KeyMatOutClass; - CK_SSL3_KEY_MAT_PARAMS ckParam; - jfieldID fieldID; - jlong jMacSizeInBits, jKeySizeInBits, jIVSizeInBits; - jboolean jIsExport; - jobject jRandomInfo, jRIClientRandom, jRIServerRandom; - jobject jReturnedKeyMaterial, jRMIvClient, jRMIvServer; - CK_ULONG ckTemp; - memset(&ckParam, 0, sizeof(CK_SSL3_KEY_MAT_PARAMS)); - - /* get ulMacSizeInBits */ - jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); - if (jSsl3KeyMatParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulMacSizeInBits", "J"); - if (fieldID == NULL) { return ckParam; } - jMacSizeInBits = (*env)->GetLongField(env, jParam, fieldID); - - /* get ulKeySizeInBits */ - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulKeySizeInBits", "J"); - if (fieldID == NULL) { return ckParam; } - jKeySizeInBits = (*env)->GetLongField(env, jParam, fieldID); - - /* get ulIVSizeInBits */ - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulIVSizeInBits", "J"); - if (fieldID == NULL) { return ckParam; } - jIVSizeInBits = (*env)->GetLongField(env, jParam, fieldID); - - /* get bIsExport */ - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "bIsExport", "Z"); - if (fieldID == NULL) { return ckParam; } - jIsExport = (*env)->GetBooleanField(env, jParam, fieldID); - - /* get RandomInfo */ - jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA); - if (jSsl3RandomDataClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "RandomInfo", "Lsun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA;"); - if (fieldID == NULL) { return ckParam; } - jRandomInfo = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pClientRandom and ulClientRandomLength out of RandomInfo */ - fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pClientRandom", "[B"); - if (fieldID == NULL) { return ckParam; } - jRIClientRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); - - /* get pServerRandom and ulServerRandomLength out of RandomInfo */ - fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pServerRandom", "[B"); - if (fieldID == NULL) { return ckParam; } - jRIServerRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); - - /* get pReturnedKeyMaterial */ - jSsl3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT); - if (jSsl3KeyMatOutClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "pReturnedKeyMaterial", "Lsun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT;"); - if (fieldID == NULL) { return ckParam; } - jReturnedKeyMaterial = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pIVClient out of pReturnedKeyMaterial */ - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVClient", "[B"); - if (fieldID == NULL) { return ckParam; } - jRMIvClient = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID); - - /* get pIVServer out of pReturnedKeyMaterial */ - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVServer", "[B"); - if (fieldID == NULL) { return ckParam; } - jRMIvServer = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID); - - /* populate java values */ - ckParam.ulMacSizeInBits = jLongToCKULong(jMacSizeInBits); - ckParam.ulKeySizeInBits = jLongToCKULong(jKeySizeInBits); - ckParam.ulIVSizeInBits = jLongToCKULong(jIVSizeInBits); - ckParam.bIsExport = jBooleanToCKBBool(jIsExport); - jByteArrayToCKByteArray(env, jRIClientRandom, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen)); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - jByteArrayToCKByteArray(env, jRIServerRandom, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.RandomInfo.pClientRandom); - return ckParam; - } - /* allocate memory for pRetrunedKeyMaterial */ - ckParam.pReturnedKeyMaterial = (CK_SSL3_KEY_MAT_OUT_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_OUT)); - if (ckParam.pReturnedKeyMaterial == NULL) { - free(ckParam.RandomInfo.pClientRandom); - free(ckParam.RandomInfo.pServerRandom); - throwOutOfMemoryError(env, 0); - return ckParam; - } - - // the handles are output params only, no need to fetch them from Java - ckParam.pReturnedKeyMaterial->hClientMacSecret = 0; - ckParam.pReturnedKeyMaterial->hServerMacSecret = 0; - ckParam.pReturnedKeyMaterial->hClientKey = 0; - ckParam.pReturnedKeyMaterial->hServerKey = 0; - - jByteArrayToCKByteArray(env, jRMIvClient, &(ckParam.pReturnedKeyMaterial->pIVClient), &ckTemp); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.RandomInfo.pClientRandom); - free(ckParam.RandomInfo.pServerRandom); - free(ckParam.pReturnedKeyMaterial); - return ckParam; - } - jByteArrayToCKByteArray(env, jRMIvServer, &(ckParam.pReturnedKeyMaterial->pIVServer), &ckTemp); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.RandomInfo.pClientRandom); - free(ckParam.RandomInfo.pServerRandom); - free(ckParam.pReturnedKeyMaterial->pIVClient); - free(ckParam.pReturnedKeyMaterial); - return ckParam; - } - - return ckParam ; -} - -/* - * converts the Java CK_AES_CTR_PARAMS object to a CK_AES_CTR_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_AES_CTR_PARAMS object to convert - * @param ckpParam - pointer to the new CK_AES_CTR_PARAMS structure - */ -void jAesCtrParamsToCKAesCtrParam(JNIEnv *env, jobject jParam, - CK_AES_CTR_PARAMS_PTR ckpParam) { - jclass jAesCtrParamsClass; - jfieldID fieldID; - jlong jCounterBits; - jobject jCb; - CK_BYTE_PTR ckBytes; - CK_ULONG ckTemp; - - /* get ulCounterBits */ - jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS); - if (jAesCtrParamsClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "ulCounterBits", "J"); - if (fieldID == NULL) { return; } - jCounterBits = (*env)->GetLongField(env, jParam, fieldID); - - /* get cb */ - fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "cb", "[B"); - if (fieldID == NULL) { return; } - jCb = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - ckpParam->ulCounterBits = jLongToCKULong(jCounterBits); - jByteArrayToCKByteArray(env, jCb, &ckBytes, &ckTemp); - if ((*env)->ExceptionCheck(env)) { return; } - if (ckTemp != 16) { - TRACE1("ERROR: WRONG CTR IV LENGTH %d", ckTemp); - } else { - memcpy(ckpParam->cb, ckBytes, ckTemp); - free(ckBytes); - } -} - -/* - * converts a Java CK_MECHANISM object into a CK_MECHANISM structure - * - * @param env - used to call JNI funktions to get the values out of the Java object - * @param jMechanism - the Java CK_MECHANISM object to convert - * @return - the new CK_MECHANISM structure - */ -void jMechanismToCKMechanism(JNIEnv *env, jobject jMechanism, CK_MECHANISM_PTR ckMechanismPtr) -{ - jlong jMechanismType = (*env)->GetLongField(env, jMechanism, mech_mechanismID); - jobject jParameter = (*env)->GetObjectField(env, jMechanism, mech_pParameterID); - - (*ckMechanismPtr).mechanism = jLongToCKULong(jMechanismType); - - /* convert the specific Java mechanism parameter object to a pointer to a CK-type mechanism - * structure - */ - if (jParameter == NULL) { - (*ckMechanismPtr).pParameter = NULL; - (*ckMechanismPtr).ulParameterLen = 0; - } else { - jMechanismParameterToCKMechanismParameter(env, jParameter, &(*ckMechanismPtr).pParameter, &(*ckMechanismPtr).ulParameterLen); - } -} - -/* - * the following functions convert Attribute and Mechanism value pointers - * - * jobject ckAttributeValueToJObject(JNIEnv *env, - * const CK_ATTRIBUTE_PTR ckpAttribute); - * - * void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, - * jobject jObject, - * CK_VOID_PTR *ckpObjectPtr, - * CK_ULONG *pLength); - * - * void jMechanismParameterToCKMechanismParameter(JNIEnv *env, - * jobject jParam, - * CK_VOID_PTR *ckpParamPtr, - * CK_ULONG *ckpLength); - * - * These functions are used if a PKCS#11 mechanism or attribute structure gets - * convertet to a Java attribute or mechanism object or vice versa. - * - * ckAttributeValueToJObject converts a PKCS#11 attribute value pointer to a Java - * object depending on the type of the Attribute. A PKCS#11 attribute value can - * be a CK_ULONG, CK_BYTE[], CK_CHAR[], big integer, CK_BBOOL, CK_UTF8CHAR[], - * CK_DATE or CK_FLAGS that gets converted to a corresponding Java object. - * - * jObjectToPrimitiveCKObjectPtrPtr is used by jAttributeToCKAttributePtr for - * converting the Java attribute value to a PKCS#11 attribute value pointer. - * For now only primitive datatypes and arrays of primitive datatypes can get - * converted. Otherwise this function throws a PKCS#11Exception with the - * errorcode CKR_VENDOR_DEFINED. - * - * jMechanismParameterToCKMechanismParameter converts a Java mechanism parameter - * to a PKCS#11 mechanism parameter. First this function determines what mechanism - * parameter the Java object is, then it allocates the memory for the new PKCS#11 - * structure and calls the corresponding function to convert the Java object to - * a PKCS#11 mechanism parameter structure. - */ - -/* - * converts the pValue of a CK_ATTRIBUTE structure into a Java Object by checking the type - * of the attribute. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpAttribute - the pointer to the CK_ATTRIBUTE structure that contains the type - * and the pValue to convert - * @return - the new Java object of the CK-type pValue - */ -jobject ckAttributeValueToJObject(JNIEnv *env, const CK_ATTRIBUTE_PTR ckpAttribute) -{ - jint jValueLength; - jobject jValueObject = NULL; - - jValueLength = ckULongToJInt(ckpAttribute->ulValueLen); - - if ((jValueLength <= 0) || (ckpAttribute->pValue == NULL)) { - return NULL ; - } - - switch(ckpAttribute->type) { - case CKA_CLASS: - /* value CK_OBJECT_CLASS, defacto a CK_ULONG */ - case CKA_KEY_TYPE: - /* value CK_KEY_TYPE, defacto a CK_ULONG */ - case CKA_CERTIFICATE_TYPE: - /* value CK_CERTIFICATE_TYPE, defacto a CK_ULONG */ - case CKA_HW_FEATURE_TYPE: - /* value CK_HW_FEATURE_TYPE, defacto a CK_ULONG */ - case CKA_MODULUS_BITS: - case CKA_VALUE_BITS: - case CKA_VALUE_LEN: - case CKA_KEY_GEN_MECHANISM: - case CKA_PRIME_BITS: - case CKA_SUB_PRIME_BITS: - /* value CK_ULONG */ - jValueObject = ckULongPtrToJLongObject(env, (CK_ULONG*) ckpAttribute->pValue); - break; - - /* can be CK_BYTE[],CK_CHAR[] or big integer; defacto always CK_BYTE[] */ - case CKA_VALUE: - case CKA_OBJECT_ID: - case CKA_SUBJECT: - case CKA_ID: - case CKA_ISSUER: - case CKA_SERIAL_NUMBER: - case CKA_OWNER: - case CKA_AC_ISSUER: - case CKA_ATTR_TYPES: - case CKA_ECDSA_PARAMS: - /* CKA_EC_PARAMS is the same, these two are equivalent */ - case CKA_EC_POINT: - case CKA_PRIVATE_EXPONENT: - case CKA_PRIME_1: - case CKA_PRIME_2: - case CKA_EXPONENT_1: - case CKA_EXPONENT_2: - case CKA_COEFFICIENT: - /* value CK_BYTE[] */ - jValueObject = ckByteArrayToJByteArray(env, (CK_BYTE*) ckpAttribute->pValue, jValueLength); - break; - - case CKA_RESET_ON_INIT: - case CKA_HAS_RESET: - case CKA_TOKEN: - case CKA_PRIVATE: - case CKA_MODIFIABLE: - case CKA_DERIVE: - case CKA_LOCAL: - case CKA_ENCRYPT: - case CKA_VERIFY: - case CKA_VERIFY_RECOVER: - case CKA_WRAP: - case CKA_SENSITIVE: - case CKA_SECONDARY_AUTH: - case CKA_DECRYPT: - case CKA_SIGN: - case CKA_SIGN_RECOVER: - case CKA_UNWRAP: - case CKA_EXTRACTABLE: - case CKA_ALWAYS_SENSITIVE: - case CKA_NEVER_EXTRACTABLE: - case CKA_TRUSTED: - /* value CK_BBOOL */ - jValueObject = ckBBoolPtrToJBooleanObject(env, (CK_BBOOL*) ckpAttribute->pValue); - break; - - case CKA_LABEL: - case CKA_APPLICATION: - /* value RFC 2279 (UTF-8) string */ - jValueObject = ckUTF8CharArrayToJCharArray(env, (CK_UTF8CHAR*) ckpAttribute->pValue, jValueLength); - break; - - case CKA_START_DATE: - case CKA_END_DATE: - /* value CK_DATE */ - jValueObject = ckDatePtrToJDateObject(env, (CK_DATE*) ckpAttribute->pValue); - break; - - case CKA_MODULUS: - case CKA_PUBLIC_EXPONENT: - case CKA_PRIME: - case CKA_SUBPRIME: - case CKA_BASE: - /* value big integer, i.e. CK_BYTE[] */ - jValueObject = ckByteArrayToJByteArray(env, (CK_BYTE*) ckpAttribute->pValue, jValueLength); - break; - - case CKA_AUTH_PIN_FLAGS: - jValueObject = ckULongPtrToJLongObject(env, (CK_ULONG*) ckpAttribute->pValue); - /* value FLAGS, defacto a CK_ULONG */ - break; - - case CKA_VENDOR_DEFINED: - /* we make a CK_BYTE[] out of this */ - jValueObject = ckByteArrayToJByteArray(env, (CK_BYTE*) ckpAttribute->pValue, jValueLength); - break; - - // Netscape trust attributes - case CKA_NETSCAPE_TRUST_SERVER_AUTH: - case CKA_NETSCAPE_TRUST_CLIENT_AUTH: - case CKA_NETSCAPE_TRUST_CODE_SIGNING: - case CKA_NETSCAPE_TRUST_EMAIL_PROTECTION: - /* value CK_ULONG */ - jValueObject = ckULongPtrToJLongObject(env, (CK_ULONG*) ckpAttribute->pValue); - break; - - default: - /* we make a CK_BYTE[] out of this */ - jValueObject = ckByteArrayToJByteArray(env, (CK_BYTE*) ckpAttribute->pValue, jValueLength); - break; - } - - return jValueObject ; -} - -/* - * the following functions convert a Java mechanism parameter object to a PKCS#11 - * mechanism parameter structure - * - * CK__PARAMS jParamToCKParam(JNIEnv *env, - * jobject jParam); - * - * These functions get a Java object, that must be the right Java mechanism - * object and they return the new PKCS#11 mechanism parameter structure. - * Every field of the Java object is retrieved, gets converted to a corresponding - * PKCS#11 type and is set in the new PKCS#11 structure. - */ - -/* - * converts the given Java mechanism parameter to a CK mechanism parameter structure - * and store the length in bytes in the length variable. - * The memory of *ckpParamPtr has to be freed after use! - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java mechanism parameter object to convert - * @param ckpParamPtr - the reference of the new pointer to the new CK mechanism parameter - * structure - * @param ckpLength - the reference of the length in bytes of the new CK mechanism parameter - * structure - */ -void jMechanismParameterToCKMechanismParameter(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength) -{ - if (jParam == NULL) { - *ckpParamPtr = NULL; - *ckpLength = 0; - } else if ((*env)->IsInstanceOf(env, jParam, jByteArrayClass)) { - jByteArrayToCKByteArray(env, jParam, (CK_BYTE_PTR *)ckpParamPtr, ckpLength); - } else if ((*env)->IsInstanceOf(env, jParam, jLongClass)) { - *ckpParamPtr = jLongObjectToCKULongPtr(env, jParam); - *ckpLength = sizeof(CK_ULONG); - } else { - TRACE0("\nSLOW PATH jMechanismParameterToCKMechanismParameter\n"); - jMechanismParameterToCKMechanismParameterSlow(env, jParam, ckpParamPtr, ckpLength); - } -} - -void jMechanismParameterToCKMechanismParameterSlow(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength) -{ - /* get all Java mechanism parameter classes */ - jclass jVersionClass, jSsl3MasterKeyDeriveParamsClass, jSsl3KeyMatParamsClass; - jclass jTlsPrfParamsClass, jAesCtrParamsClass, jRsaPkcsOaepParamsClass; - jclass jPbeParamsClass, jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass; - jclass jEcdh1DeriveParamsClass, jEcdh2DeriveParamsClass; - jclass jX942Dh1DeriveParamsClass, jX942Dh2DeriveParamsClass; - TRACE0("\nDEBUG: jMechanismParameterToCKMechanismParameter"); - - /* most common cases, i.e. NULL/byte[]/long, are already handled by - * jMechanismParameterToCKMechanismParameter before calling this method. - */ - jVersionClass = (*env)->FindClass(env, CLASS_VERSION); - if (jVersionClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jVersionClass)) { - /* - * CK_VERSION used by CKM_SSL3_PRE_MASTER_KEY_GEN - */ - CK_VERSION_PTR ckpParam; - - /* convert jParameter to CKParameter */ - ckpParam = jVersionToCKVersionPtr(env, jParam); - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_VERSION); - *ckpParamPtr = ckpParam; - return; - } - - jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); - if (jSsl3MasterKeyDeriveParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jSsl3MasterKeyDeriveParamsClass)) { - /* - * CK_SSL3_MASTER_KEY_DERIVE_PARAMS - */ - CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR) malloc(sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); - if (jSsl3KeyMatParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jSsl3KeyMatParamsClass)) { - /* - * CK_SSL3_KEY_MAT_PARAMS - */ - CK_SSL3_KEY_MAT_PARAMS_PTR ckpParam; - - ckpParam = (CK_SSL3_KEY_MAT_PARAMS_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jSsl3KeyMatParamToCKSsl3KeyMatParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_SSL3_KEY_MAT_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); - if (jTlsPrfParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jTlsPrfParamsClass)) { - /* - * CK_TLS_PRF_PARAMS - */ - CK_TLS_PRF_PARAMS_PTR ckpParam; - - ckpParam = (CK_TLS_PRF_PARAMS_PTR) malloc(sizeof(CK_TLS_PRF_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jTlsPrfParamsToCKTlsPrfParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_TLS_PRF_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS); - if (jAesCtrParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jAesCtrParamsClass)) { - /* - * CK_AES_CTR_PARAMS - */ - CK_AES_CTR_PARAMS_PTR ckpParam; - - ckpParam = (CK_AES_CTR_PARAMS_PTR) malloc(sizeof(CK_AES_CTR_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - jAesCtrParamsToCKAesCtrParam(env, jParam, ckpParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_AES_CTR_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); - if (jRsaPkcsOaepParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsOaepParamsClass)) { - /* - * CK_RSA_PKCS_OAEP_PARAMS - */ - CK_RSA_PKCS_OAEP_PARAMS_PTR ckpParam; - - ckpParam = (CK_RSA_PKCS_OAEP_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_OAEP_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jRsaPkcsOaepParamToCKRsaPkcsOaepParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_RSA_PKCS_OAEP_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); - if (jPbeParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jPbeParamsClass)) { - /* - * CK_PBE_PARAMS - */ - CK_PBE_PARAMS_PTR ckpParam; - - ckpParam = (CK_PBE_PARAMS_PTR) malloc(sizeof(CK_PBE_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jPbeParamToCKPbeParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_PBE_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); - if (jPkcs5Pbkd2ParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) { - /* - * CK_PKCS5_PBKD2_PARAMS - */ - CK_PKCS5_PBKD2_PARAMS_PTR ckpParam; - - ckpParam = (CK_PKCS5_PBKD2_PARAMS_PTR) malloc(sizeof(CK_PKCS5_PBKD2_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_PKCS5_PBKD2_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS); - if (jRsaPkcsPssParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsPssParamsClass)) { - /* - * CK_RSA_PKCS_PSS_PARAMS - */ - CK_RSA_PKCS_PSS_PARAMS_PTR ckpParam; - - ckpParam = (CK_RSA_PKCS_PSS_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_PSS_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jRsaPkcsPssParamToCKRsaPkcsPssParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_RSA_PKCS_PSS_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS); - if (jEcdh1DeriveParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jEcdh1DeriveParamsClass)) { - /* - * CK_ECDH1_DERIVE_PARAMS - */ - CK_ECDH1_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_ECDH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH1_DERIVE_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jEcdh1DeriveParamToCKEcdh1DeriveParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_ECDH1_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS); - if (jEcdh2DeriveParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jEcdh2DeriveParamsClass)) { - /* - * CK_ECDH2_DERIVE_PARAMS - */ - CK_ECDH2_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_ECDH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH2_DERIVE_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jEcdh2DeriveParamToCKEcdh2DeriveParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_ECDH2_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS); - if (jX942Dh1DeriveParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jX942Dh1DeriveParamsClass)) { - /* - * CK_X9_42_DH1_DERIVE_PARAMS - */ - CK_X9_42_DH1_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_X9_42_DH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH1_DERIVE_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jX942Dh1DeriveParamToCKX942Dh1DeriveParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_X9_42_DH1_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS); - if (jX942Dh2DeriveParamsClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jX942Dh2DeriveParamsClass)) { - /* - * CK_X9_42_DH2_DERIVE_PARAMS - */ - CK_X9_42_DH2_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_X9_42_DH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH2_DERIVE_PARAMS)); - if (ckpParam == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - - /* convert jParameter to CKParameter */ - *ckpParam = jX942Dh2DeriveParamToCKX942Dh2DeriveParam(env, jParam); - if ((*env)->ExceptionCheck(env)) { - free(ckpParam); - return; - } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_X9_42_DH2_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; - return; - } - - /* if everything faild up to here */ - /* try if the parameter is a primitive Java type */ - jObjectToPrimitiveCKObjectPtrPtr(env, jParam, ckpParamPtr, ckpLength); - /* *ckpParamPtr = jObjectToCKVoidPtr(jParam); */ - /* *ckpLength = 1; */ - - TRACE0("FINISHED\n"); -} - - -/* the mechanism parameter convertion functions: */ - -/* - * converts the Java CK_RSA_PKCS_OAEP_PARAMS object to a CK_RSA_PKCS_OAEP_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_RSA_PKCS_OAEP_PARAMS object to convert - * @return - the new CK_RSA_PKCS_OAEP_PARAMS structure - */ -CK_RSA_PKCS_OAEP_PARAMS jRsaPkcsOaepParamToCKRsaPkcsOaepParam(JNIEnv *env, jobject jParam) -{ - jclass jRsaPkcsOaepParamsClass; - CK_RSA_PKCS_OAEP_PARAMS ckParam; - jfieldID fieldID; - jlong jHashAlg, jMgf, jSource; - jobject jSourceData; - CK_BYTE_PTR ckpByte; - memset(&ckParam, 0, sizeof(CK_RSA_PKCS_OAEP_PARAMS)); - - /* get hashAlg */ - jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); - if (jRsaPkcsOaepParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "hashAlg", "J"); - if (fieldID == NULL) { return ckParam; } - jHashAlg = (*env)->GetLongField(env, jParam, fieldID); - - /* get mgf */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "mgf", "J"); - if (fieldID == NULL) { return ckParam; } - jMgf = (*env)->GetLongField(env, jParam, fieldID); - - /* get source */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "source", "J"); - if (fieldID == NULL) { return ckParam; } - jSource = (*env)->GetLongField(env, jParam, fieldID); - - /* get sourceData and sourceDataLength */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "pSourceData", "[B"); - if (fieldID == NULL) { return ckParam; } - jSourceData = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - ckParam.hashAlg = jLongToCKULong(jHashAlg); - ckParam.mgf = jLongToCKULong(jMgf); - ckParam.source = jLongToCKULong(jSource); - jByteArrayToCKByteArray(env, jSourceData, & ckpByte, &(ckParam.ulSourceDataLen)); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - ckParam.pSourceData = (CK_VOID_PTR) ckpByte; - - return ckParam ; -} - -/* - * converts the Java CK_PBE_PARAMS object to a CK_PBE_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_PBE_PARAMS object to convert - * @return - the new CK_PBE_PARAMS structure - */ -CK_PBE_PARAMS jPbeParamToCKPbeParam(JNIEnv *env, jobject jParam) -{ - jclass jPbeParamsClass; - CK_PBE_PARAMS ckParam; - jfieldID fieldID; - jlong jIteration; - jobject jInitVector, jPassword, jSalt; - CK_ULONG ckTemp; - memset(&ckParam, 0, sizeof(CK_PBE_PARAMS)); - - /* get pInitVector */ - jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); - if (jPbeParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C"); - if (fieldID == NULL) { return ckParam; } - jInitVector = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPassword and ulPasswordLength */ - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C"); - if (fieldID == NULL) { return ckParam; } - jPassword = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pSalt and ulSaltLength */ - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C"); - if (fieldID == NULL) { return ckParam; } - jSalt = (*env)->GetObjectField(env, jParam, fieldID); - - /* get ulIteration */ - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J"); - if (fieldID == NULL) { return ckParam; } - jIteration = (*env)->GetLongField(env, jParam, fieldID); - - /* populate java values */ - ckParam.ulIteration = jLongToCKULong(jIteration); - jCharArrayToCKCharArray(env, jInitVector, &(ckParam.pInitVector), &ckTemp); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - jCharArrayToCKCharArray(env, jPassword, &(ckParam.pPassword), &(ckParam.ulPasswordLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pInitVector); - return ckParam; - } - jCharArrayToCKCharArray(env, jSalt, &(ckParam.pSalt), &(ckParam.ulSaltLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pInitVector); - free(ckParam.pPassword); - return ckParam; - } - - return ckParam ; -} - -/* - * Copy back the initialization vector from the native structure to the - * Java object. This is only used for CKM_PBE_* mechanisms and their - * CK_PBE_PARAMS parameters. - * - */ -void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) -{ - jclass jMechanismClass, jPbeParamsClass; - CK_PBE_PARAMS *ckParam; - jfieldID fieldID; - CK_MECHANISM_TYPE ckMechanismType; - jlong jMechanismType; - jobject jParameter; - jobject jInitVector; - jint jInitVectorLength; - CK_CHAR_PTR initVector; - int i; - jchar* jInitVectorChars; - - /* get mechanism */ - jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); - if (jMechanismClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); - if (fieldID == NULL) { return; } - jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); - ckMechanismType = jLongToCKULong(jMechanismType); - if (ckMechanismType != ckMechanism->mechanism) { - /* we do not have maching types, this should not occur */ - return; - } - - jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); - if (jPbeParamsClass == NULL) { return; } - ckParam = (CK_PBE_PARAMS *) ckMechanism->pParameter; - if (ckParam != NULL_PTR) { - initVector = ckParam->pInitVector; - if (initVector != NULL_PTR) { - /* get pParameter */ - fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); - if (fieldID == NULL) { return; } - jParameter = (*env)->GetObjectField(env, jMechanism, fieldID); - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVektor", "[C"); - if (fieldID == NULL) { return; } - jInitVector = (*env)->GetObjectField(env, jParameter, fieldID); - - if (jInitVector != NULL) { - jInitVectorLength = (*env)->GetArrayLength(env, jInitVector); - jInitVectorChars = (*env)->GetCharArrayElements(env, jInitVector, NULL); - if (jInitVectorChars == NULL) { return; } - - /* copy the chars to the Java buffer */ - for (i=0; i < jInitVectorLength; i++) { - jInitVectorChars[i] = ckCharToJChar(initVector[i]); - } - /* copy back the Java buffer to the object */ - (*env)->ReleaseCharArrayElements(env, jInitVector, jInitVectorChars, 0); - } - } - } -} - -/* - * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert - * @return - the new CK_PKCS5_PBKD2_PARAMS structure - */ -CK_PKCS5_PBKD2_PARAMS jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(JNIEnv *env, jobject jParam) -{ - jclass jPkcs5Pbkd2ParamsClass; - CK_PKCS5_PBKD2_PARAMS ckParam; - jfieldID fieldID; - jlong jSaltSource, jIteration, jPrf; - jobject jSaltSourceData, jPrfData; - memset(&ckParam, 0, sizeof(CK_PKCS5_PBKD2_PARAMS)); - - /* get saltSource */ - jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); - if (jPkcs5Pbkd2ParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); - if (fieldID == NULL) { return ckParam; } - jSaltSource = (*env)->GetLongField(env, jParam, fieldID); - - /* get pSaltSourceData */ - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pSaltSourceData", "[B"); - if (fieldID == NULL) { return ckParam; } - jSaltSourceData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get iterations */ - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "iterations", "J"); - if (fieldID == NULL) { return ckParam; } - jIteration = (*env)->GetLongField(env, jParam, fieldID); - - /* get prf */ - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "prf", "J"); - if (fieldID == NULL) { return ckParam; } - jPrf = (*env)->GetLongField(env, jParam, fieldID); - - /* get pPrfData and ulPrfDataLength in byte */ - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); - if (fieldID == NULL) { return ckParam; } - jPrfData = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - ckParam.saltSource = jLongToCKULong(jSaltSource); - jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) &(ckParam.pSaltSourceData), &(ckParam.ulSaltSourceDataLen)); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - ckParam.iterations = jLongToCKULong(jIteration); - ckParam.prf = jLongToCKULong(jPrf); - jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) &(ckParam.pPrfData), &(ckParam.ulPrfDataLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pSaltSourceData); - return ckParam; - } - - return ckParam ; -} - -/* - * converts the Java CK_RSA_PKCS_PSS_PARAMS object to a CK_RSA_PKCS_PSS_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_RSA_PKCS_PSS_PARAMS object to convert - * @return - the new CK_RSA_PKCS_PSS_PARAMS structure - */ -CK_RSA_PKCS_PSS_PARAMS jRsaPkcsPssParamToCKRsaPkcsPssParam(JNIEnv *env, jobject jParam) -{ - jclass jRsaPkcsPssParamsClass; - CK_RSA_PKCS_PSS_PARAMS ckParam; - jfieldID fieldID; - jlong jHashAlg, jMgf, jSLen; - memset(&ckParam, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS)); - - /* get hashAlg */ - jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS); - if (jRsaPkcsPssParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "hashAlg", "J"); - if (fieldID == NULL) { return ckParam; } - jHashAlg = (*env)->GetLongField(env, jParam, fieldID); - - /* get mgf */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "mgf", "J"); - if (fieldID == NULL) { return ckParam; } - jMgf = (*env)->GetLongField(env, jParam, fieldID); - - /* get sLen */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "sLen", "J"); - if (fieldID == NULL) { return ckParam; } - jSLen = (*env)->GetLongField(env, jParam, fieldID); - - /* populate java values */ - ckParam.hashAlg = jLongToCKULong(jHashAlg); - ckParam.mgf = jLongToCKULong(jMgf); - ckParam.sLen = jLongToCKULong(jSLen); - - return ckParam ; -} - -/* - * converts the Java CK_ECDH1_DERIVE_PARAMS object to a CK_ECDH1_DERIVE_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_ECDH1_DERIVE_PARAMS object to convert - * @return - the new CK_ECDH1_DERIVE_PARAMS structure - */ -CK_ECDH1_DERIVE_PARAMS jEcdh1DeriveParamToCKEcdh1DeriveParam(JNIEnv *env, jobject jParam) -{ - jclass jEcdh1DeriveParamsClass; - CK_ECDH1_DERIVE_PARAMS ckParam; - jfieldID fieldID; - jlong jLong; - jobject jSharedData, jPublicData; - memset(&ckParam, 0, sizeof(CK_ECDH1_DERIVE_PARAMS)); - - /* get kdf */ - jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS); - if (jEcdh1DeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "kdf", "J"); - if (fieldID == NULL) { return ckParam; } - jLong = (*env)->GetLongField(env, jParam, fieldID); - ckParam.kdf = jLongToCKULong(jLong); - - /* get pSharedData and ulSharedDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pSharedData", "[B"); - if (fieldID == NULL) { return ckParam; } - jSharedData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPublicData and ulPublicDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pPublicData", "[B"); - if (fieldID == NULL) { return ckParam; } - jPublicData = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - ckParam.kdf = jLongToCKULong(jLong); - jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen)); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pSharedData); - return ckParam; - } - - return ckParam ; -} - -/* - * converts the Java CK_ECDH2_DERIVE_PARAMS object to a CK_ECDH2_DERIVE_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_ECDH2_DERIVE_PARAMS object to convert - * @return - the new CK_ECDH2_DERIVE_PARAMS structure - */ -CK_ECDH2_DERIVE_PARAMS jEcdh2DeriveParamToCKEcdh2DeriveParam(JNIEnv *env, jobject jParam) -{ - jclass jEcdh2DeriveParamsClass; - CK_ECDH2_DERIVE_PARAMS ckParam; - jfieldID fieldID; - jlong jKdf, jPrivateDataLen, jPrivateData; - jobject jSharedData, jPublicData, jPublicData2; - memset(&ckParam, 0, sizeof(CK_ECDH2_DERIVE_PARAMS)); - - /* get kdf */ - jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS); - if (jEcdh2DeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "kdf", "J"); - if (fieldID == NULL) { return ckParam; } - jKdf = (*env)->GetLongField(env, jParam, fieldID); - - /* get pSharedData and ulSharedDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pSharedData", "[B"); - if (fieldID == NULL) { return ckParam; } - jSharedData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPublicData and ulPublicDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData", "[B"); - if (fieldID == NULL) { return ckParam; } - jPublicData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get ulPrivateDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "ulPrivateDataLen", "J"); - if (fieldID == NULL) { return ckParam; } - jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID); - - /* get hPrivateData */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "hPrivateData", "J"); - if (fieldID == NULL) { return ckParam; } - jPrivateData = (*env)->GetLongField(env, jParam, fieldID); - - /* get pPublicData2 and ulPublicDataLen2 */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData2", "[B"); - if (fieldID == NULL) { return ckParam; } - jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - ckParam.kdf = jLongToCKULong(jKdf); - jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen)); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pSharedData); - return ckParam; - } - ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen); - ckParam.hPrivateData = jLongToCKULong(jPrivateData); - jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pSharedData); - free(ckParam.pPublicData); - return ckParam; - } - return ckParam ; -} - -/* - * converts the Java CK_X9_42_DH1_DERIVE_PARAMS object to a CK_X9_42_DH1_DERIVE_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_X9_42_DH1_DERIVE_PARAMS object to convert - * @return - the new CK_X9_42_DH1_DERIVE_PARAMS structure - */ -CK_X9_42_DH1_DERIVE_PARAMS jX942Dh1DeriveParamToCKX942Dh1DeriveParam(JNIEnv *env, jobject jParam) -{ - jclass jX942Dh1DeriveParamsClass; - CK_X9_42_DH1_DERIVE_PARAMS ckParam; - jfieldID fieldID; - jlong jKdf; - jobject jOtherInfo, jPublicData; - memset(&ckParam, 0, sizeof(CK_X9_42_DH1_DERIVE_PARAMS)); - - /* get kdf */ - jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS); - if (jX942Dh1DeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "kdf", "J"); - if (fieldID == NULL) { return ckParam; } - jKdf = (*env)->GetLongField(env, jParam, fieldID); - - /* get pOtherInfo and ulOtherInfoLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pOtherInfo", "[B"); - if (fieldID == NULL) { return ckParam; } - jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPublicData and ulPublicDataLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pPublicData", "[B"); - if (fieldID == NULL) { return ckParam; } - jPublicData = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - ckParam.kdf = jLongToCKULong(jKdf); - jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen)); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pOtherInfo); - return ckParam; - } - - return ckParam ; -} - -/* - * converts the Java CK_X9_42_DH2_DERIVE_PARAMS object to a CK_X9_42_DH2_DERIVE_PARAMS structure - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jParam - the Java CK_X9_42_DH2_DERIVE_PARAMS object to convert - * @return - the new CK_X9_42_DH2_DERIVE_PARAMS structure - */ -CK_X9_42_DH2_DERIVE_PARAMS jX942Dh2DeriveParamToCKX942Dh2DeriveParam(JNIEnv *env, jobject jParam) -{ - jclass jX942Dh2DeriveParamsClass; - CK_X9_42_DH2_DERIVE_PARAMS ckParam; - jfieldID fieldID; - jlong jKdf, jPrivateDataLen, jPrivateData; - jobject jOtherInfo, jPublicData, jPublicData2; - memset(&ckParam, 0, sizeof(CK_X9_42_DH2_DERIVE_PARAMS)); - - /* get kdf */ - jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS); - if (jX942Dh2DeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "kdf", "J"); - if (fieldID == NULL) { return ckParam; } - jKdf = (*env)->GetLongField(env, jParam, fieldID); - - /* get pOtherInfo and ulOtherInfoLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pOtherInfo", "[B"); - if (fieldID == NULL) { return ckParam; } - jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPublicData and ulPublicDataLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData", "[B"); - if (fieldID == NULL) { return ckParam; } - jPublicData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get ulPrivateDataLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "ulPrivateDataLen", "J"); - if (fieldID == NULL) { return ckParam; } - jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID); - - /* get hPrivateData */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "hPrivateData", "J"); - if (fieldID == NULL) { return ckParam; } - jPrivateData = (*env)->GetLongField(env, jParam, fieldID); - - /* get pPublicData2 and ulPublicDataLen2 */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData2", "[B"); - if (fieldID == NULL) { return ckParam; } - jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID); - - /* populate java values */ - ckParam.kdf = jLongToCKULong(jKdf); - jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen)); - if ((*env)->ExceptionCheck(env)) { return ckParam; } - jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pOtherInfo); - return ckParam; - } - ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen); - ckParam.hPrivateData = jLongToCKULong(jPrivateData); - jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2)); - if ((*env)->ExceptionCheck(env)) { - free(ckParam.pOtherInfo); - free(ckParam.pPublicData); - return ckParam; - } - - return ckParam ; -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c 2017-01-20 09:52:55.274288317 -0800 @@ -0,0 +1,1842 @@ +/* + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * pkcs11wrapper.c + * 18.05.2001 + * + * This is the implementation of the native functions of the Java to PKCS#11 interface. + * All function use some helper functions to convert the JNI types to PKCS#11 types. + * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ + + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +/* declare file private functions */ + +void jMechanismParameterToCKMechanismParameterSlow(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength); + + +/* + * converts a pointer to a CK_DATE structure into a Java CK_DATE Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpValue - the pointer to the CK_DATE structure + * @return - the new Java CK_DATE object + */ +jobject ckDatePtrToJDateObject(JNIEnv *env, const CK_DATE *ckpDate) +{ + jclass jDateClass; + jmethodID jCtrId; + jobject jDateObject; + jcharArray jYear; + jcharArray jMonth; + jcharArray jDay; + + /* load CK_DATE class */ + jDateClass = (*env)->FindClass(env, CLASS_DATE); + if (jDateClass == NULL) { return NULL; } + + /* load CK_DATE constructor */ + jCtrId = (*env)->GetMethodID(env, jDateClass, "", "([C[C[C)V"); + if (jCtrId == NULL) { return NULL; } + + /* prep all fields */ + jYear = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->year), 4); + if (jYear == NULL) { return NULL; } + jMonth = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->month), 2); + if (jMonth == NULL) { return NULL; } + jDay = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->day), 2); + if (jDay == NULL) { return NULL; } + + /* create new CK_DATE object */ + jDateObject = + (*env)->NewObject(env, jDateClass, jCtrId, jYear, jMonth, jDay); + if (jDateObject == NULL) { return NULL; } + + /* free local references */ + (*env)->DeleteLocalRef(env, jDateClass); + (*env)->DeleteLocalRef(env, jYear); + (*env)->DeleteLocalRef(env, jMonth); + (*env)->DeleteLocalRef(env, jDay); + + return jDateObject ; +} + +/* + * converts a pointer to a CK_VERSION structure into a Java CK_VERSION Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpVersion - the pointer to the CK_VERSION structure + * @return - the new Java CK_VERSION object + */ +jobject ckVersionPtrToJVersion(JNIEnv *env, const CK_VERSION_PTR ckpVersion) +{ + jclass jVersionClass; + jmethodID jCtrId; + jobject jVersionObject; + jint jMajor; + jint jMinor; + + /* load CK_VERSION class */ + jVersionClass = (*env)->FindClass(env, CLASS_VERSION); + if (jVersionClass == NULL) { return NULL; } + + /* load CK_VERSION constructor */ + jCtrId = (*env)->GetMethodID(env, jVersionClass, "", "(II)V"); + if (jCtrId == NULL) { return NULL; } + + /* prep both fields */ + jMajor = ckpVersion->major; + jMinor = ckpVersion->minor; + + /* create new CK_VERSION object */ + jVersionObject = + (*env)->NewObject(env, jVersionClass, jCtrId, jMajor, jMinor); + if (jVersionObject == NULL) { return NULL; } + + /* free local references */ + (*env)->DeleteLocalRef(env, jVersionClass); + + return jVersionObject ; +} + +/* + * converts a pointer to a CK_SESSION_INFO structure into a Java CK_SESSION_INFO Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpSessionInfo - the pointer to the CK_SESSION_INFO structure + * @return - the new Java CK_SESSION_INFO object + */ +jobject ckSessionInfoPtrToJSessionInfo(JNIEnv *env, const CK_SESSION_INFO_PTR ckpSessionInfo) +{ + jclass jSessionInfoClass; + jmethodID jCtrId; + jobject jSessionInfoObject; + jlong jSlotID; + jlong jState; + jlong jFlags; + jlong jDeviceError; + + /* load CK_SESSION_INFO class */ + jSessionInfoClass = (*env)->FindClass(env, CLASS_SESSION_INFO); + if (jSessionInfoClass == NULL) { return NULL; } + + /* load CK_SESSION_INFO constructor */ + jCtrId = (*env)->GetMethodID(env, jSessionInfoClass, "", "(JJJJ)V"); + if (jCtrId == NULL) { return NULL; } + + /* prep all fields */ + jSlotID = ckULongToJLong(ckpSessionInfo->slotID); + jState = ckULongToJLong(ckpSessionInfo->state); + jFlags = ckULongToJLong(ckpSessionInfo->flags); + jDeviceError = ckULongToJLong(ckpSessionInfo->ulDeviceError); + + /* create new CK_SESSION_INFO object */ + jSessionInfoObject = + (*env)->NewObject(env, jSessionInfoClass, jCtrId, jSlotID, jState, + jFlags, jDeviceError); + if (jSessionInfoObject == NULL) { return NULL; } + + /* free local references */ + (*env)->DeleteLocalRef(env, jSessionInfoClass); + + return jSessionInfoObject ; +} + +/* + * converts a pointer to a CK_ATTRIBUTE structure into a Java CK_ATTRIBUTE Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpAttribute - the pointer to the CK_ATTRIBUTE structure + * @return - the new Java CK_ATTRIBUTE object + */ +jobject ckAttributePtrToJAttribute(JNIEnv *env, const CK_ATTRIBUTE_PTR ckpAttribute) +{ + jclass jAttributeClass; + jmethodID jCtrId; + jobject jAttributeObject; + jlong jType; + jobject jPValue = NULL; + + jAttributeClass = (*env)->FindClass(env, CLASS_ATTRIBUTE); + if (jAttributeClass == NULL) { return NULL; } + + /* load CK_INFO constructor */ + jCtrId = (*env)->GetMethodID(env, jAttributeClass, "", "(JLjava/lang/Object;)V"); + if (jCtrId == NULL) { return NULL; } + + /* prep both fields */ + jType = ckULongToJLong(ckpAttribute->type); + jPValue = ckAttributeValueToJObject(env, ckpAttribute); + if ((*env)->ExceptionCheck(env)) { return NULL; } + + /* create new CK_ATTRIBUTE object */ + jAttributeObject = + (*env)->NewObject(env, jAttributeClass, jCtrId, jType, jPValue); + if (jAttributeObject == NULL) { return NULL; } + + /* free local references */ + (*env)->DeleteLocalRef(env, jAttributeClass); + (*env)->DeleteLocalRef(env, jPValue); + + return jAttributeObject; +} + + +/* + * converts a Java CK_VERSION object into a pointer to a CK_VERSION structure + * + * @param env - used to call JNI funktions to get the values out of the Java object + * @param jVersion - the Java CK_VERSION object to convert + * @return - the pointer to the new CK_VERSION structure + */ +CK_VERSION_PTR jVersionToCKVersionPtr(JNIEnv *env, jobject jVersion) +{ + CK_VERSION_PTR ckpVersion; + jclass jVersionClass; + jfieldID jFieldID; + jbyte jMajor, jMinor; + + if (jVersion == NULL) { + return NULL; + } + + /* get CK_VERSION class */ + jVersionClass = (*env)->GetObjectClass(env, jVersion); + if (jVersionClass == NULL) { return NULL; } + + /* get Major */ + jFieldID = (*env)->GetFieldID(env, jVersionClass, "major", "B"); + if (jFieldID == NULL) { return NULL; } + jMajor = (*env)->GetByteField(env, jVersion, jFieldID); + + /* get Minor */ + jFieldID = (*env)->GetFieldID(env, jVersionClass, "minor", "B"); + if (jFieldID == NULL) { return NULL; } + jMinor = (*env)->GetByteField(env, jVersion, jFieldID); + + /* allocate memory for CK_VERSION pointer */ + ckpVersion = (CK_VERSION_PTR) malloc(sizeof(CK_VERSION)); + if (ckpVersion == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + ckpVersion->major = jByteToCKByte(jMajor); + ckpVersion->minor = jByteToCKByte(jMinor); + + return ckpVersion ; +} + + +/* + * converts a Java CK_DATE object into a pointer to a CK_DATE structure + * + * @param env - used to call JNI funktions to get the values out of the Java object + * @param jVersion - the Java CK_DATE object to convert + * @return - the pointer to the new CK_DATE structure + */ +CK_DATE * jDateObjectPtrToCKDatePtr(JNIEnv *env, jobject jDate) +{ + CK_DATE * ckpDate; + CK_ULONG ckLength; + jclass jDateClass; + jfieldID jFieldID; + jobject jYear, jMonth, jDay; + jchar *jTempChars; + CK_ULONG i; + + if (jDate == NULL) { + return NULL; + } + + /* get CK_DATE class */ + jDateClass = (*env)->FindClass(env, CLASS_DATE); + if (jDateClass == NULL) { return NULL; } + + /* get Year */ + jFieldID = (*env)->GetFieldID(env, jDateClass, "year", "[C"); + if (jFieldID == NULL) { return NULL; } + jYear = (*env)->GetObjectField(env, jDate, jFieldID); + + /* get Month */ + jFieldID = (*env)->GetFieldID(env, jDateClass, "month", "[C"); + if (jFieldID == NULL) { return NULL; } + jMonth = (*env)->GetObjectField(env, jDate, jFieldID); + + /* get Day */ + jFieldID = (*env)->GetFieldID(env, jDateClass, "day", "[C"); + if (jFieldID == NULL) { return NULL; } + jDay = (*env)->GetObjectField(env, jDate, jFieldID); + + /* allocate memory for CK_DATE pointer */ + ckpDate = (CK_DATE *) malloc(sizeof(CK_DATE)); + if (ckpDate == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + + if (jYear == NULL) { + ckpDate->year[0] = 0; + ckpDate->year[1] = 0; + ckpDate->year[2] = 0; + ckpDate->year[3] = 0; + } else { + ckLength = (*env)->GetArrayLength(env, jYear); + jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); + if (jTempChars == NULL) { + free(ckpDate); + throwOutOfMemoryError(env, 0); + return NULL; + } + (*env)->GetCharArrayRegion(env, jYear, 0, ckLength, jTempChars); + if ((*env)->ExceptionCheck(env)) { + free(ckpDate); + free(jTempChars); + return NULL; + } + + for (i = 0; (i < ckLength) && (i < 4) ; i++) { + ckpDate->year[i] = jCharToCKChar(jTempChars[i]); + } + free(jTempChars); + } + + if (jMonth == NULL) { + ckpDate->month[0] = 0; + ckpDate->month[1] = 0; + } else { + ckLength = (*env)->GetArrayLength(env, jMonth); + jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); + if (jTempChars == NULL) { + free(ckpDate); + throwOutOfMemoryError(env, 0); + return NULL; + } + (*env)->GetCharArrayRegion(env, jMonth, 0, ckLength, jTempChars); + if ((*env)->ExceptionCheck(env)) { + free(ckpDate); + free(jTempChars); + return NULL; + } + + for (i = 0; (i < ckLength) && (i < 2) ; i++) { + ckpDate->month[i] = jCharToCKChar(jTempChars[i]); + } + free(jTempChars); + } + + if (jDay == NULL) { + ckpDate->day[0] = 0; + ckpDate->day[1] = 0; + } else { + ckLength = (*env)->GetArrayLength(env, jDay); + jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); + if (jTempChars == NULL) { + free(ckpDate); + throwOutOfMemoryError(env, 0); + return NULL; + } + (*env)->GetCharArrayRegion(env, jDay, 0, ckLength, jTempChars); + if ((*env)->ExceptionCheck(env)) { + free(ckpDate); + free(jTempChars); + return NULL; + } + + for (i = 0; (i < ckLength) && (i < 2) ; i++) { + ckpDate->day[i] = jCharToCKChar(jTempChars[i]); + } + free(jTempChars); + } + + return ckpDate ; +} + + +/* + * converts a Java CK_ATTRIBUTE object into a CK_ATTRIBUTE structure + * + * @param env - used to call JNI funktions to get the values out of the Java object + * @param jAttribute - the Java CK_ATTRIBUTE object to convert + * @return - the new CK_ATTRIBUTE structure + */ +CK_ATTRIBUTE jAttributeToCKAttribute(JNIEnv *env, jobject jAttribute) +{ + CK_ATTRIBUTE ckAttribute; + jclass jAttributeClass; + jfieldID jFieldID; + jlong jType; + jobject jPValue; + memset(&ckAttribute, 0, sizeof(CK_ATTRIBUTE)); + + // TBD: what if jAttribute == NULL?! + + TRACE0("\nDEBUG: jAttributeToCKAttribute"); + /* get CK_ATTRIBUTE class */ + TRACE0(", getting attribute object class"); + jAttributeClass = (*env)->GetObjectClass(env, jAttribute); + if (jAttributeClass == NULL) { return ckAttribute; } + + /* get type */ + TRACE0(", getting type field"); + jFieldID = (*env)->GetFieldID(env, jAttributeClass, "type", "J"); + if (jFieldID == NULL) { return ckAttribute; } + jType = (*env)->GetLongField(env, jAttribute, jFieldID); + TRACE1(", type=0x%X", jType); + + /* get pValue */ + TRACE0(", getting pValue field"); + jFieldID = (*env)->GetFieldID(env, jAttributeClass, "pValue", "Ljava/lang/Object;"); + if (jFieldID == NULL) { return ckAttribute; } + jPValue = (*env)->GetObjectField(env, jAttribute, jFieldID); + TRACE1(", pValue=%p", jPValue); + + ckAttribute.type = jLongToCKULong(jType); + TRACE0(", converting pValue to primitive object"); + + /* convert the Java pValue object to a CK-type pValue pointer */ + jObjectToPrimitiveCKObjectPtrPtr(env, jPValue, &(ckAttribute.pValue), &(ckAttribute.ulValueLen)); + + TRACE0("\nFINISHED\n"); + + return ckAttribute ; +} + +/* + * converts the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS object to a + * CK_SSL3_MASTER_KEY_DERIVE_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS object to convert + * @return - the new CK_SSL3_MASTER_KEY_DERIVE_PARAMS structure + */ +CK_SSL3_MASTER_KEY_DERIVE_PARAMS jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(JNIEnv *env, jobject jParam) +{ + // XXX don't return structs + // XXX prefetch class and field ids + jclass jSsl3MasterKeyDeriveParamsClass; + CK_SSL3_MASTER_KEY_DERIVE_PARAMS ckParam; + jfieldID fieldID; + jclass jSsl3RandomDataClass; + jobject jRandomInfo, jRIClientRandom, jRIServerRandom, jVersion; + memset(&ckParam, 0, sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS)); + + /* get RandomInfo */ + jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); + if (jSsl3MasterKeyDeriveParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jSsl3MasterKeyDeriveParamsClass, "RandomInfo", "Lsun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA;"); + if (fieldID == NULL) { return ckParam; } + jRandomInfo = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pClientRandom and ulClientRandomLength out of RandomInfo */ + jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA); + if (jSsl3RandomDataClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pClientRandom", "[B"); + if (fieldID == NULL) { return ckParam; } + jRIClientRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); + + /* get pServerRandom and ulServerRandomLength out of RandomInfo */ + fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pServerRandom", "[B"); + if (fieldID == NULL) { return ckParam; } + jRIServerRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); + + /* get pVersion */ + fieldID = (*env)->GetFieldID(env, jSsl3MasterKeyDeriveParamsClass, "pVersion", "Lsun/security/pkcs11/wrapper/CK_VERSION;"); + if (fieldID == NULL) { return ckParam; } + jVersion = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + ckParam.pVersion = jVersionToCKVersionPtr(env, jVersion); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + jByteArrayToCKByteArray(env, jRIClientRandom, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pVersion); + return ckParam; + } + jByteArrayToCKByteArray(env, jRIServerRandom, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pVersion); + free(ckParam.RandomInfo.pClientRandom); + return ckParam; + } + + return ckParam ; +} + + +/* + * converts the Java CK_TLS_PRF_PARAMS object to a CK_TLS_PRF_PARAMS structure + */ +CK_TLS_PRF_PARAMS jTlsPrfParamsToCKTlsPrfParam(JNIEnv *env, jobject jParam) +{ + jclass jTlsPrfParamsClass; + CK_TLS_PRF_PARAMS ckParam; + jfieldID fieldID; + jobject jSeed, jLabel, jOutput; + memset(&ckParam, 0, sizeof(CK_TLS_PRF_PARAMS)); + + // TBD: what if jParam == NULL?! + + /* get pSeed */ + jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); + if (jTlsPrfParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pSeed", "[B"); + if (fieldID == NULL) { return ckParam; } + jSeed = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pLabel */ + fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pLabel", "[B"); + if (fieldID == NULL) { return ckParam; } + jLabel = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pOutput */ + fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pOutput", "[B"); + if (fieldID == NULL) { return ckParam; } + jOutput = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + jByteArrayToCKByteArray(env, jSeed, &(ckParam.pSeed), &(ckParam.ulSeedLen)); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + jByteArrayToCKByteArray(env, jLabel, &(ckParam.pLabel), &(ckParam.ulLabelLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pSeed); + return ckParam; + } + ckParam.pulOutputLen = malloc(sizeof(CK_ULONG)); + if (ckParam.pulOutputLen == NULL) { + free(ckParam.pSeed); + free(ckParam.pLabel); + throwOutOfMemoryError(env, 0); + return ckParam; + } + jByteArrayToCKByteArray(env, jOutput, &(ckParam.pOutput), ckParam.pulOutputLen); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pSeed); + free(ckParam.pLabel); + free(ckParam.pulOutputLen); + return ckParam; + } + + return ckParam ; +} + +/* + * converts the Java CK_SSL3_KEY_MAT_PARAMS object to a CK_SSL3_KEY_MAT_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_SSL3_KEY_MAT_PARAMS object to convert + * @return - the new CK_SSL3_KEY_MAT_PARAMS structure + */ +CK_SSL3_KEY_MAT_PARAMS jSsl3KeyMatParamToCKSsl3KeyMatParam(JNIEnv *env, jobject jParam) +{ + // XXX don't return structs + // XXX prefetch class and field ids + jclass jSsl3KeyMatParamsClass, jSsl3RandomDataClass, jSsl3KeyMatOutClass; + CK_SSL3_KEY_MAT_PARAMS ckParam; + jfieldID fieldID; + jlong jMacSizeInBits, jKeySizeInBits, jIVSizeInBits; + jboolean jIsExport; + jobject jRandomInfo, jRIClientRandom, jRIServerRandom; + jobject jReturnedKeyMaterial, jRMIvClient, jRMIvServer; + CK_ULONG ckTemp; + memset(&ckParam, 0, sizeof(CK_SSL3_KEY_MAT_PARAMS)); + + /* get ulMacSizeInBits */ + jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); + if (jSsl3KeyMatParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulMacSizeInBits", "J"); + if (fieldID == NULL) { return ckParam; } + jMacSizeInBits = (*env)->GetLongField(env, jParam, fieldID); + + /* get ulKeySizeInBits */ + fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulKeySizeInBits", "J"); + if (fieldID == NULL) { return ckParam; } + jKeySizeInBits = (*env)->GetLongField(env, jParam, fieldID); + + /* get ulIVSizeInBits */ + fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulIVSizeInBits", "J"); + if (fieldID == NULL) { return ckParam; } + jIVSizeInBits = (*env)->GetLongField(env, jParam, fieldID); + + /* get bIsExport */ + fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "bIsExport", "Z"); + if (fieldID == NULL) { return ckParam; } + jIsExport = (*env)->GetBooleanField(env, jParam, fieldID); + + /* get RandomInfo */ + jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA); + if (jSsl3RandomDataClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "RandomInfo", "Lsun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA;"); + if (fieldID == NULL) { return ckParam; } + jRandomInfo = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pClientRandom and ulClientRandomLength out of RandomInfo */ + fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pClientRandom", "[B"); + if (fieldID == NULL) { return ckParam; } + jRIClientRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); + + /* get pServerRandom and ulServerRandomLength out of RandomInfo */ + fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pServerRandom", "[B"); + if (fieldID == NULL) { return ckParam; } + jRIServerRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); + + /* get pReturnedKeyMaterial */ + jSsl3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT); + if (jSsl3KeyMatOutClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "pReturnedKeyMaterial", "Lsun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT;"); + if (fieldID == NULL) { return ckParam; } + jReturnedKeyMaterial = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pIVClient out of pReturnedKeyMaterial */ + fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVClient", "[B"); + if (fieldID == NULL) { return ckParam; } + jRMIvClient = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID); + + /* get pIVServer out of pReturnedKeyMaterial */ + fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVServer", "[B"); + if (fieldID == NULL) { return ckParam; } + jRMIvServer = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID); + + /* populate java values */ + ckParam.ulMacSizeInBits = jLongToCKULong(jMacSizeInBits); + ckParam.ulKeySizeInBits = jLongToCKULong(jKeySizeInBits); + ckParam.ulIVSizeInBits = jLongToCKULong(jIVSizeInBits); + ckParam.bIsExport = jBooleanToCKBBool(jIsExport); + jByteArrayToCKByteArray(env, jRIClientRandom, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen)); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + jByteArrayToCKByteArray(env, jRIServerRandom, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.RandomInfo.pClientRandom); + return ckParam; + } + /* allocate memory for pRetrunedKeyMaterial */ + ckParam.pReturnedKeyMaterial = (CK_SSL3_KEY_MAT_OUT_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_OUT)); + if (ckParam.pReturnedKeyMaterial == NULL) { + free(ckParam.RandomInfo.pClientRandom); + free(ckParam.RandomInfo.pServerRandom); + throwOutOfMemoryError(env, 0); + return ckParam; + } + + // the handles are output params only, no need to fetch them from Java + ckParam.pReturnedKeyMaterial->hClientMacSecret = 0; + ckParam.pReturnedKeyMaterial->hServerMacSecret = 0; + ckParam.pReturnedKeyMaterial->hClientKey = 0; + ckParam.pReturnedKeyMaterial->hServerKey = 0; + + jByteArrayToCKByteArray(env, jRMIvClient, &(ckParam.pReturnedKeyMaterial->pIVClient), &ckTemp); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.RandomInfo.pClientRandom); + free(ckParam.RandomInfo.pServerRandom); + free(ckParam.pReturnedKeyMaterial); + return ckParam; + } + jByteArrayToCKByteArray(env, jRMIvServer, &(ckParam.pReturnedKeyMaterial->pIVServer), &ckTemp); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.RandomInfo.pClientRandom); + free(ckParam.RandomInfo.pServerRandom); + free(ckParam.pReturnedKeyMaterial->pIVClient); + free(ckParam.pReturnedKeyMaterial); + return ckParam; + } + + return ckParam ; +} + +/* + * converts the Java CK_AES_CTR_PARAMS object to a CK_AES_CTR_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_AES_CTR_PARAMS object to convert + * @param ckpParam - pointer to the new CK_AES_CTR_PARAMS structure + */ +void jAesCtrParamsToCKAesCtrParam(JNIEnv *env, jobject jParam, + CK_AES_CTR_PARAMS_PTR ckpParam) { + jclass jAesCtrParamsClass; + jfieldID fieldID; + jlong jCounterBits; + jobject jCb; + CK_BYTE_PTR ckBytes; + CK_ULONG ckTemp; + + /* get ulCounterBits */ + jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS); + if (jAesCtrParamsClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "ulCounterBits", "J"); + if (fieldID == NULL) { return; } + jCounterBits = (*env)->GetLongField(env, jParam, fieldID); + + /* get cb */ + fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "cb", "[B"); + if (fieldID == NULL) { return; } + jCb = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + ckpParam->ulCounterBits = jLongToCKULong(jCounterBits); + jByteArrayToCKByteArray(env, jCb, &ckBytes, &ckTemp); + if ((*env)->ExceptionCheck(env)) { return; } + if (ckTemp != 16) { + TRACE1("ERROR: WRONG CTR IV LENGTH %d", ckTemp); + } else { + memcpy(ckpParam->cb, ckBytes, ckTemp); + free(ckBytes); + } +} + +/* + * converts a Java CK_MECHANISM object into a CK_MECHANISM structure + * + * @param env - used to call JNI funktions to get the values out of the Java object + * @param jMechanism - the Java CK_MECHANISM object to convert + * @return - the new CK_MECHANISM structure + */ +void jMechanismToCKMechanism(JNIEnv *env, jobject jMechanism, CK_MECHANISM_PTR ckMechanismPtr) +{ + jlong jMechanismType = (*env)->GetLongField(env, jMechanism, mech_mechanismID); + jobject jParameter = (*env)->GetObjectField(env, jMechanism, mech_pParameterID); + + (*ckMechanismPtr).mechanism = jLongToCKULong(jMechanismType); + + /* convert the specific Java mechanism parameter object to a pointer to a CK-type mechanism + * structure + */ + if (jParameter == NULL) { + (*ckMechanismPtr).pParameter = NULL; + (*ckMechanismPtr).ulParameterLen = 0; + } else { + jMechanismParameterToCKMechanismParameter(env, jParameter, &(*ckMechanismPtr).pParameter, &(*ckMechanismPtr).ulParameterLen); + } +} + +/* + * the following functions convert Attribute and Mechanism value pointers + * + * jobject ckAttributeValueToJObject(JNIEnv *env, + * const CK_ATTRIBUTE_PTR ckpAttribute); + * + * void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, + * jobject jObject, + * CK_VOID_PTR *ckpObjectPtr, + * CK_ULONG *pLength); + * + * void jMechanismParameterToCKMechanismParameter(JNIEnv *env, + * jobject jParam, + * CK_VOID_PTR *ckpParamPtr, + * CK_ULONG *ckpLength); + * + * These functions are used if a PKCS#11 mechanism or attribute structure gets + * convertet to a Java attribute or mechanism object or vice versa. + * + * ckAttributeValueToJObject converts a PKCS#11 attribute value pointer to a Java + * object depending on the type of the Attribute. A PKCS#11 attribute value can + * be a CK_ULONG, CK_BYTE[], CK_CHAR[], big integer, CK_BBOOL, CK_UTF8CHAR[], + * CK_DATE or CK_FLAGS that gets converted to a corresponding Java object. + * + * jObjectToPrimitiveCKObjectPtrPtr is used by jAttributeToCKAttributePtr for + * converting the Java attribute value to a PKCS#11 attribute value pointer. + * For now only primitive datatypes and arrays of primitive datatypes can get + * converted. Otherwise this function throws a PKCS#11Exception with the + * errorcode CKR_VENDOR_DEFINED. + * + * jMechanismParameterToCKMechanismParameter converts a Java mechanism parameter + * to a PKCS#11 mechanism parameter. First this function determines what mechanism + * parameter the Java object is, then it allocates the memory for the new PKCS#11 + * structure and calls the corresponding function to convert the Java object to + * a PKCS#11 mechanism parameter structure. + */ + +/* + * converts the pValue of a CK_ATTRIBUTE structure into a Java Object by checking the type + * of the attribute. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpAttribute - the pointer to the CK_ATTRIBUTE structure that contains the type + * and the pValue to convert + * @return - the new Java object of the CK-type pValue + */ +jobject ckAttributeValueToJObject(JNIEnv *env, const CK_ATTRIBUTE_PTR ckpAttribute) +{ + jint jValueLength; + jobject jValueObject = NULL; + + jValueLength = ckULongToJInt(ckpAttribute->ulValueLen); + + if ((jValueLength <= 0) || (ckpAttribute->pValue == NULL)) { + return NULL ; + } + + switch(ckpAttribute->type) { + case CKA_CLASS: + /* value CK_OBJECT_CLASS, defacto a CK_ULONG */ + case CKA_KEY_TYPE: + /* value CK_KEY_TYPE, defacto a CK_ULONG */ + case CKA_CERTIFICATE_TYPE: + /* value CK_CERTIFICATE_TYPE, defacto a CK_ULONG */ + case CKA_HW_FEATURE_TYPE: + /* value CK_HW_FEATURE_TYPE, defacto a CK_ULONG */ + case CKA_MODULUS_BITS: + case CKA_VALUE_BITS: + case CKA_VALUE_LEN: + case CKA_KEY_GEN_MECHANISM: + case CKA_PRIME_BITS: + case CKA_SUB_PRIME_BITS: + /* value CK_ULONG */ + jValueObject = ckULongPtrToJLongObject(env, (CK_ULONG*) ckpAttribute->pValue); + break; + + /* can be CK_BYTE[],CK_CHAR[] or big integer; defacto always CK_BYTE[] */ + case CKA_VALUE: + case CKA_OBJECT_ID: + case CKA_SUBJECT: + case CKA_ID: + case CKA_ISSUER: + case CKA_SERIAL_NUMBER: + case CKA_OWNER: + case CKA_AC_ISSUER: + case CKA_ATTR_TYPES: + case CKA_ECDSA_PARAMS: + /* CKA_EC_PARAMS is the same, these two are equivalent */ + case CKA_EC_POINT: + case CKA_PRIVATE_EXPONENT: + case CKA_PRIME_1: + case CKA_PRIME_2: + case CKA_EXPONENT_1: + case CKA_EXPONENT_2: + case CKA_COEFFICIENT: + /* value CK_BYTE[] */ + jValueObject = ckByteArrayToJByteArray(env, (CK_BYTE*) ckpAttribute->pValue, jValueLength); + break; + + case CKA_RESET_ON_INIT: + case CKA_HAS_RESET: + case CKA_TOKEN: + case CKA_PRIVATE: + case CKA_MODIFIABLE: + case CKA_DERIVE: + case CKA_LOCAL: + case CKA_ENCRYPT: + case CKA_VERIFY: + case CKA_VERIFY_RECOVER: + case CKA_WRAP: + case CKA_SENSITIVE: + case CKA_SECONDARY_AUTH: + case CKA_DECRYPT: + case CKA_SIGN: + case CKA_SIGN_RECOVER: + case CKA_UNWRAP: + case CKA_EXTRACTABLE: + case CKA_ALWAYS_SENSITIVE: + case CKA_NEVER_EXTRACTABLE: + case CKA_TRUSTED: + /* value CK_BBOOL */ + jValueObject = ckBBoolPtrToJBooleanObject(env, (CK_BBOOL*) ckpAttribute->pValue); + break; + + case CKA_LABEL: + case CKA_APPLICATION: + /* value RFC 2279 (UTF-8) string */ + jValueObject = ckUTF8CharArrayToJCharArray(env, (CK_UTF8CHAR*) ckpAttribute->pValue, jValueLength); + break; + + case CKA_START_DATE: + case CKA_END_DATE: + /* value CK_DATE */ + jValueObject = ckDatePtrToJDateObject(env, (CK_DATE*) ckpAttribute->pValue); + break; + + case CKA_MODULUS: + case CKA_PUBLIC_EXPONENT: + case CKA_PRIME: + case CKA_SUBPRIME: + case CKA_BASE: + /* value big integer, i.e. CK_BYTE[] */ + jValueObject = ckByteArrayToJByteArray(env, (CK_BYTE*) ckpAttribute->pValue, jValueLength); + break; + + case CKA_AUTH_PIN_FLAGS: + jValueObject = ckULongPtrToJLongObject(env, (CK_ULONG*) ckpAttribute->pValue); + /* value FLAGS, defacto a CK_ULONG */ + break; + + case CKA_VENDOR_DEFINED: + /* we make a CK_BYTE[] out of this */ + jValueObject = ckByteArrayToJByteArray(env, (CK_BYTE*) ckpAttribute->pValue, jValueLength); + break; + + // Netscape trust attributes + case CKA_NETSCAPE_TRUST_SERVER_AUTH: + case CKA_NETSCAPE_TRUST_CLIENT_AUTH: + case CKA_NETSCAPE_TRUST_CODE_SIGNING: + case CKA_NETSCAPE_TRUST_EMAIL_PROTECTION: + /* value CK_ULONG */ + jValueObject = ckULongPtrToJLongObject(env, (CK_ULONG*) ckpAttribute->pValue); + break; + + default: + /* we make a CK_BYTE[] out of this */ + jValueObject = ckByteArrayToJByteArray(env, (CK_BYTE*) ckpAttribute->pValue, jValueLength); + break; + } + + return jValueObject ; +} + +/* + * the following functions convert a Java mechanism parameter object to a PKCS#11 + * mechanism parameter structure + * + * CK__PARAMS jParamToCKParam(JNIEnv *env, + * jobject jParam); + * + * These functions get a Java object, that must be the right Java mechanism + * object and they return the new PKCS#11 mechanism parameter structure. + * Every field of the Java object is retrieved, gets converted to a corresponding + * PKCS#11 type and is set in the new PKCS#11 structure. + */ + +/* + * converts the given Java mechanism parameter to a CK mechanism parameter structure + * and store the length in bytes in the length variable. + * The memory of *ckpParamPtr has to be freed after use! + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java mechanism parameter object to convert + * @param ckpParamPtr - the reference of the new pointer to the new CK mechanism parameter + * structure + * @param ckpLength - the reference of the length in bytes of the new CK mechanism parameter + * structure + */ +void jMechanismParameterToCKMechanismParameter(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength) +{ + if (jParam == NULL) { + *ckpParamPtr = NULL; + *ckpLength = 0; + } else if ((*env)->IsInstanceOf(env, jParam, jByteArrayClass)) { + jByteArrayToCKByteArray(env, jParam, (CK_BYTE_PTR *)ckpParamPtr, ckpLength); + } else if ((*env)->IsInstanceOf(env, jParam, jLongClass)) { + *ckpParamPtr = jLongObjectToCKULongPtr(env, jParam); + *ckpLength = sizeof(CK_ULONG); + } else { + TRACE0("\nSLOW PATH jMechanismParameterToCKMechanismParameter\n"); + jMechanismParameterToCKMechanismParameterSlow(env, jParam, ckpParamPtr, ckpLength); + } +} + +void jMechanismParameterToCKMechanismParameterSlow(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength) +{ + /* get all Java mechanism parameter classes */ + jclass jVersionClass, jSsl3MasterKeyDeriveParamsClass, jSsl3KeyMatParamsClass; + jclass jTlsPrfParamsClass, jAesCtrParamsClass, jRsaPkcsOaepParamsClass; + jclass jPbeParamsClass, jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass; + jclass jEcdh1DeriveParamsClass, jEcdh2DeriveParamsClass; + jclass jX942Dh1DeriveParamsClass, jX942Dh2DeriveParamsClass; + TRACE0("\nDEBUG: jMechanismParameterToCKMechanismParameter"); + + /* most common cases, i.e. NULL/byte[]/long, are already handled by + * jMechanismParameterToCKMechanismParameter before calling this method. + */ + jVersionClass = (*env)->FindClass(env, CLASS_VERSION); + if (jVersionClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jVersionClass)) { + /* + * CK_VERSION used by CKM_SSL3_PRE_MASTER_KEY_GEN + */ + CK_VERSION_PTR ckpParam; + + /* convert jParameter to CKParameter */ + ckpParam = jVersionToCKVersionPtr(env, jParam); + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_VERSION); + *ckpParamPtr = ckpParam; + return; + } + + jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); + if (jSsl3MasterKeyDeriveParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jSsl3MasterKeyDeriveParamsClass)) { + /* + * CK_SSL3_MASTER_KEY_DERIVE_PARAMS + */ + CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR ckpParam; + + ckpParam = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR) malloc(sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); + if (jSsl3KeyMatParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jSsl3KeyMatParamsClass)) { + /* + * CK_SSL3_KEY_MAT_PARAMS + */ + CK_SSL3_KEY_MAT_PARAMS_PTR ckpParam; + + ckpParam = (CK_SSL3_KEY_MAT_PARAMS_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jSsl3KeyMatParamToCKSsl3KeyMatParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_SSL3_KEY_MAT_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); + if (jTlsPrfParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jTlsPrfParamsClass)) { + /* + * CK_TLS_PRF_PARAMS + */ + CK_TLS_PRF_PARAMS_PTR ckpParam; + + ckpParam = (CK_TLS_PRF_PARAMS_PTR) malloc(sizeof(CK_TLS_PRF_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jTlsPrfParamsToCKTlsPrfParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_TLS_PRF_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS); + if (jAesCtrParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jAesCtrParamsClass)) { + /* + * CK_AES_CTR_PARAMS + */ + CK_AES_CTR_PARAMS_PTR ckpParam; + + ckpParam = (CK_AES_CTR_PARAMS_PTR) malloc(sizeof(CK_AES_CTR_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + jAesCtrParamsToCKAesCtrParam(env, jParam, ckpParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_AES_CTR_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); + if (jRsaPkcsOaepParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsOaepParamsClass)) { + /* + * CK_RSA_PKCS_OAEP_PARAMS + */ + CK_RSA_PKCS_OAEP_PARAMS_PTR ckpParam; + + ckpParam = (CK_RSA_PKCS_OAEP_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_OAEP_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jRsaPkcsOaepParamToCKRsaPkcsOaepParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_RSA_PKCS_OAEP_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); + if (jPbeParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jPbeParamsClass)) { + /* + * CK_PBE_PARAMS + */ + CK_PBE_PARAMS_PTR ckpParam; + + ckpParam = (CK_PBE_PARAMS_PTR) malloc(sizeof(CK_PBE_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jPbeParamToCKPbeParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_PBE_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); + if (jPkcs5Pbkd2ParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) { + /* + * CK_PKCS5_PBKD2_PARAMS + */ + CK_PKCS5_PBKD2_PARAMS_PTR ckpParam; + + ckpParam = (CK_PKCS5_PBKD2_PARAMS_PTR) malloc(sizeof(CK_PKCS5_PBKD2_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_PKCS5_PBKD2_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS); + if (jRsaPkcsPssParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsPssParamsClass)) { + /* + * CK_RSA_PKCS_PSS_PARAMS + */ + CK_RSA_PKCS_PSS_PARAMS_PTR ckpParam; + + ckpParam = (CK_RSA_PKCS_PSS_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_PSS_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jRsaPkcsPssParamToCKRsaPkcsPssParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_RSA_PKCS_PSS_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS); + if (jEcdh1DeriveParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jEcdh1DeriveParamsClass)) { + /* + * CK_ECDH1_DERIVE_PARAMS + */ + CK_ECDH1_DERIVE_PARAMS_PTR ckpParam; + + ckpParam = (CK_ECDH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH1_DERIVE_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jEcdh1DeriveParamToCKEcdh1DeriveParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_ECDH1_DERIVE_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS); + if (jEcdh2DeriveParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jEcdh2DeriveParamsClass)) { + /* + * CK_ECDH2_DERIVE_PARAMS + */ + CK_ECDH2_DERIVE_PARAMS_PTR ckpParam; + + ckpParam = (CK_ECDH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH2_DERIVE_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jEcdh2DeriveParamToCKEcdh2DeriveParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_ECDH2_DERIVE_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS); + if (jX942Dh1DeriveParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jX942Dh1DeriveParamsClass)) { + /* + * CK_X9_42_DH1_DERIVE_PARAMS + */ + CK_X9_42_DH1_DERIVE_PARAMS_PTR ckpParam; + + ckpParam = (CK_X9_42_DH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH1_DERIVE_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jX942Dh1DeriveParamToCKX942Dh1DeriveParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_X9_42_DH1_DERIVE_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS); + if (jX942Dh2DeriveParamsClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jParam, jX942Dh2DeriveParamsClass)) { + /* + * CK_X9_42_DH2_DERIVE_PARAMS + */ + CK_X9_42_DH2_DERIVE_PARAMS_PTR ckpParam; + + ckpParam = (CK_X9_42_DH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH2_DERIVE_PARAMS)); + if (ckpParam == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + + /* convert jParameter to CKParameter */ + *ckpParam = jX942Dh2DeriveParamToCKX942Dh2DeriveParam(env, jParam); + if ((*env)->ExceptionCheck(env)) { + free(ckpParam); + return; + } + + /* get length and pointer of parameter */ + *ckpLength = sizeof(CK_X9_42_DH2_DERIVE_PARAMS); + *ckpParamPtr = ckpParam; + return; + } + + /* if everything faild up to here */ + /* try if the parameter is a primitive Java type */ + jObjectToPrimitiveCKObjectPtrPtr(env, jParam, ckpParamPtr, ckpLength); + /* *ckpParamPtr = jObjectToCKVoidPtr(jParam); */ + /* *ckpLength = 1; */ + + TRACE0("FINISHED\n"); +} + + +/* the mechanism parameter convertion functions: */ + +/* + * converts the Java CK_RSA_PKCS_OAEP_PARAMS object to a CK_RSA_PKCS_OAEP_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_RSA_PKCS_OAEP_PARAMS object to convert + * @return - the new CK_RSA_PKCS_OAEP_PARAMS structure + */ +CK_RSA_PKCS_OAEP_PARAMS jRsaPkcsOaepParamToCKRsaPkcsOaepParam(JNIEnv *env, jobject jParam) +{ + jclass jRsaPkcsOaepParamsClass; + CK_RSA_PKCS_OAEP_PARAMS ckParam; + jfieldID fieldID; + jlong jHashAlg, jMgf, jSource; + jobject jSourceData; + CK_BYTE_PTR ckpByte; + memset(&ckParam, 0, sizeof(CK_RSA_PKCS_OAEP_PARAMS)); + + /* get hashAlg */ + jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); + if (jRsaPkcsOaepParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "hashAlg", "J"); + if (fieldID == NULL) { return ckParam; } + jHashAlg = (*env)->GetLongField(env, jParam, fieldID); + + /* get mgf */ + fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "mgf", "J"); + if (fieldID == NULL) { return ckParam; } + jMgf = (*env)->GetLongField(env, jParam, fieldID); + + /* get source */ + fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "source", "J"); + if (fieldID == NULL) { return ckParam; } + jSource = (*env)->GetLongField(env, jParam, fieldID); + + /* get sourceData and sourceDataLength */ + fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "pSourceData", "[B"); + if (fieldID == NULL) { return ckParam; } + jSourceData = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + ckParam.hashAlg = jLongToCKULong(jHashAlg); + ckParam.mgf = jLongToCKULong(jMgf); + ckParam.source = jLongToCKULong(jSource); + jByteArrayToCKByteArray(env, jSourceData, & ckpByte, &(ckParam.ulSourceDataLen)); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + ckParam.pSourceData = (CK_VOID_PTR) ckpByte; + + return ckParam ; +} + +/* + * converts the Java CK_PBE_PARAMS object to a CK_PBE_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_PBE_PARAMS object to convert + * @return - the new CK_PBE_PARAMS structure + */ +CK_PBE_PARAMS jPbeParamToCKPbeParam(JNIEnv *env, jobject jParam) +{ + jclass jPbeParamsClass; + CK_PBE_PARAMS ckParam; + jfieldID fieldID; + jlong jIteration; + jobject jInitVector, jPassword, jSalt; + CK_ULONG ckTemp; + memset(&ckParam, 0, sizeof(CK_PBE_PARAMS)); + + /* get pInitVector */ + jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); + if (jPbeParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C"); + if (fieldID == NULL) { return ckParam; } + jInitVector = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pPassword and ulPasswordLength */ + fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C"); + if (fieldID == NULL) { return ckParam; } + jPassword = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pSalt and ulSaltLength */ + fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C"); + if (fieldID == NULL) { return ckParam; } + jSalt = (*env)->GetObjectField(env, jParam, fieldID); + + /* get ulIteration */ + fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J"); + if (fieldID == NULL) { return ckParam; } + jIteration = (*env)->GetLongField(env, jParam, fieldID); + + /* populate java values */ + ckParam.ulIteration = jLongToCKULong(jIteration); + jCharArrayToCKCharArray(env, jInitVector, &(ckParam.pInitVector), &ckTemp); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + jCharArrayToCKCharArray(env, jPassword, &(ckParam.pPassword), &(ckParam.ulPasswordLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pInitVector); + return ckParam; + } + jCharArrayToCKCharArray(env, jSalt, &(ckParam.pSalt), &(ckParam.ulSaltLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pInitVector); + free(ckParam.pPassword); + return ckParam; + } + + return ckParam ; +} + +/* + * Copy back the initialization vector from the native structure to the + * Java object. This is only used for CKM_PBE_* mechanisms and their + * CK_PBE_PARAMS parameters. + * + */ +void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) +{ + jclass jMechanismClass, jPbeParamsClass; + CK_PBE_PARAMS *ckParam; + jfieldID fieldID; + CK_MECHANISM_TYPE ckMechanismType; + jlong jMechanismType; + jobject jParameter; + jobject jInitVector; + jint jInitVectorLength; + CK_CHAR_PTR initVector; + int i; + jchar* jInitVectorChars; + + /* get mechanism */ + jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); + if (jMechanismClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); + if (fieldID == NULL) { return; } + jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); + ckMechanismType = jLongToCKULong(jMechanismType); + if (ckMechanismType != ckMechanism->mechanism) { + /* we do not have maching types, this should not occur */ + return; + } + + jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); + if (jPbeParamsClass == NULL) { return; } + ckParam = (CK_PBE_PARAMS *) ckMechanism->pParameter; + if (ckParam != NULL_PTR) { + initVector = ckParam->pInitVector; + if (initVector != NULL_PTR) { + /* get pParameter */ + fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); + if (fieldID == NULL) { return; } + jParameter = (*env)->GetObjectField(env, jMechanism, fieldID); + fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVektor", "[C"); + if (fieldID == NULL) { return; } + jInitVector = (*env)->GetObjectField(env, jParameter, fieldID); + + if (jInitVector != NULL) { + jInitVectorLength = (*env)->GetArrayLength(env, jInitVector); + jInitVectorChars = (*env)->GetCharArrayElements(env, jInitVector, NULL); + if (jInitVectorChars == NULL) { return; } + + /* copy the chars to the Java buffer */ + for (i=0; i < jInitVectorLength; i++) { + jInitVectorChars[i] = ckCharToJChar(initVector[i]); + } + /* copy back the Java buffer to the object */ + (*env)->ReleaseCharArrayElements(env, jInitVector, jInitVectorChars, 0); + } + } + } +} + +/* + * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert + * @return - the new CK_PKCS5_PBKD2_PARAMS structure + */ +CK_PKCS5_PBKD2_PARAMS jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(JNIEnv *env, jobject jParam) +{ + jclass jPkcs5Pbkd2ParamsClass; + CK_PKCS5_PBKD2_PARAMS ckParam; + jfieldID fieldID; + jlong jSaltSource, jIteration, jPrf; + jobject jSaltSourceData, jPrfData; + memset(&ckParam, 0, sizeof(CK_PKCS5_PBKD2_PARAMS)); + + /* get saltSource */ + jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); + if (jPkcs5Pbkd2ParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); + if (fieldID == NULL) { return ckParam; } + jSaltSource = (*env)->GetLongField(env, jParam, fieldID); + + /* get pSaltSourceData */ + fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pSaltSourceData", "[B"); + if (fieldID == NULL) { return ckParam; } + jSaltSourceData = (*env)->GetObjectField(env, jParam, fieldID); + + /* get iterations */ + fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "iterations", "J"); + if (fieldID == NULL) { return ckParam; } + jIteration = (*env)->GetLongField(env, jParam, fieldID); + + /* get prf */ + fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "prf", "J"); + if (fieldID == NULL) { return ckParam; } + jPrf = (*env)->GetLongField(env, jParam, fieldID); + + /* get pPrfData and ulPrfDataLength in byte */ + fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); + if (fieldID == NULL) { return ckParam; } + jPrfData = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + ckParam.saltSource = jLongToCKULong(jSaltSource); + jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) &(ckParam.pSaltSourceData), &(ckParam.ulSaltSourceDataLen)); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + ckParam.iterations = jLongToCKULong(jIteration); + ckParam.prf = jLongToCKULong(jPrf); + jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) &(ckParam.pPrfData), &(ckParam.ulPrfDataLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pSaltSourceData); + return ckParam; + } + + return ckParam ; +} + +/* + * converts the Java CK_RSA_PKCS_PSS_PARAMS object to a CK_RSA_PKCS_PSS_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_RSA_PKCS_PSS_PARAMS object to convert + * @return - the new CK_RSA_PKCS_PSS_PARAMS structure + */ +CK_RSA_PKCS_PSS_PARAMS jRsaPkcsPssParamToCKRsaPkcsPssParam(JNIEnv *env, jobject jParam) +{ + jclass jRsaPkcsPssParamsClass; + CK_RSA_PKCS_PSS_PARAMS ckParam; + jfieldID fieldID; + jlong jHashAlg, jMgf, jSLen; + memset(&ckParam, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS)); + + /* get hashAlg */ + jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS); + if (jRsaPkcsPssParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "hashAlg", "J"); + if (fieldID == NULL) { return ckParam; } + jHashAlg = (*env)->GetLongField(env, jParam, fieldID); + + /* get mgf */ + fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "mgf", "J"); + if (fieldID == NULL) { return ckParam; } + jMgf = (*env)->GetLongField(env, jParam, fieldID); + + /* get sLen */ + fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "sLen", "J"); + if (fieldID == NULL) { return ckParam; } + jSLen = (*env)->GetLongField(env, jParam, fieldID); + + /* populate java values */ + ckParam.hashAlg = jLongToCKULong(jHashAlg); + ckParam.mgf = jLongToCKULong(jMgf); + ckParam.sLen = jLongToCKULong(jSLen); + + return ckParam ; +} + +/* + * converts the Java CK_ECDH1_DERIVE_PARAMS object to a CK_ECDH1_DERIVE_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_ECDH1_DERIVE_PARAMS object to convert + * @return - the new CK_ECDH1_DERIVE_PARAMS structure + */ +CK_ECDH1_DERIVE_PARAMS jEcdh1DeriveParamToCKEcdh1DeriveParam(JNIEnv *env, jobject jParam) +{ + jclass jEcdh1DeriveParamsClass; + CK_ECDH1_DERIVE_PARAMS ckParam; + jfieldID fieldID; + jlong jLong; + jobject jSharedData, jPublicData; + memset(&ckParam, 0, sizeof(CK_ECDH1_DERIVE_PARAMS)); + + /* get kdf */ + jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS); + if (jEcdh1DeriveParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "kdf", "J"); + if (fieldID == NULL) { return ckParam; } + jLong = (*env)->GetLongField(env, jParam, fieldID); + ckParam.kdf = jLongToCKULong(jLong); + + /* get pSharedData and ulSharedDataLen */ + fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pSharedData", "[B"); + if (fieldID == NULL) { return ckParam; } + jSharedData = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pPublicData and ulPublicDataLen */ + fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pPublicData", "[B"); + if (fieldID == NULL) { return ckParam; } + jPublicData = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + ckParam.kdf = jLongToCKULong(jLong); + jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen)); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pSharedData); + return ckParam; + } + + return ckParam ; +} + +/* + * converts the Java CK_ECDH2_DERIVE_PARAMS object to a CK_ECDH2_DERIVE_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_ECDH2_DERIVE_PARAMS object to convert + * @return - the new CK_ECDH2_DERIVE_PARAMS structure + */ +CK_ECDH2_DERIVE_PARAMS jEcdh2DeriveParamToCKEcdh2DeriveParam(JNIEnv *env, jobject jParam) +{ + jclass jEcdh2DeriveParamsClass; + CK_ECDH2_DERIVE_PARAMS ckParam; + jfieldID fieldID; + jlong jKdf, jPrivateDataLen, jPrivateData; + jobject jSharedData, jPublicData, jPublicData2; + memset(&ckParam, 0, sizeof(CK_ECDH2_DERIVE_PARAMS)); + + /* get kdf */ + jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS); + if (jEcdh2DeriveParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "kdf", "J"); + if (fieldID == NULL) { return ckParam; } + jKdf = (*env)->GetLongField(env, jParam, fieldID); + + /* get pSharedData and ulSharedDataLen */ + fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pSharedData", "[B"); + if (fieldID == NULL) { return ckParam; } + jSharedData = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pPublicData and ulPublicDataLen */ + fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData", "[B"); + if (fieldID == NULL) { return ckParam; } + jPublicData = (*env)->GetObjectField(env, jParam, fieldID); + + /* get ulPrivateDataLen */ + fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "ulPrivateDataLen", "J"); + if (fieldID == NULL) { return ckParam; } + jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID); + + /* get hPrivateData */ + fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "hPrivateData", "J"); + if (fieldID == NULL) { return ckParam; } + jPrivateData = (*env)->GetLongField(env, jParam, fieldID); + + /* get pPublicData2 and ulPublicDataLen2 */ + fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData2", "[B"); + if (fieldID == NULL) { return ckParam; } + jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + ckParam.kdf = jLongToCKULong(jKdf); + jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen)); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pSharedData); + return ckParam; + } + ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen); + ckParam.hPrivateData = jLongToCKULong(jPrivateData); + jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pSharedData); + free(ckParam.pPublicData); + return ckParam; + } + return ckParam ; +} + +/* + * converts the Java CK_X9_42_DH1_DERIVE_PARAMS object to a CK_X9_42_DH1_DERIVE_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_X9_42_DH1_DERIVE_PARAMS object to convert + * @return - the new CK_X9_42_DH1_DERIVE_PARAMS structure + */ +CK_X9_42_DH1_DERIVE_PARAMS jX942Dh1DeriveParamToCKX942Dh1DeriveParam(JNIEnv *env, jobject jParam) +{ + jclass jX942Dh1DeriveParamsClass; + CK_X9_42_DH1_DERIVE_PARAMS ckParam; + jfieldID fieldID; + jlong jKdf; + jobject jOtherInfo, jPublicData; + memset(&ckParam, 0, sizeof(CK_X9_42_DH1_DERIVE_PARAMS)); + + /* get kdf */ + jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS); + if (jX942Dh1DeriveParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "kdf", "J"); + if (fieldID == NULL) { return ckParam; } + jKdf = (*env)->GetLongField(env, jParam, fieldID); + + /* get pOtherInfo and ulOtherInfoLen */ + fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pOtherInfo", "[B"); + if (fieldID == NULL) { return ckParam; } + jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pPublicData and ulPublicDataLen */ + fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pPublicData", "[B"); + if (fieldID == NULL) { return ckParam; } + jPublicData = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + ckParam.kdf = jLongToCKULong(jKdf); + jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen)); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pOtherInfo); + return ckParam; + } + + return ckParam ; +} + +/* + * converts the Java CK_X9_42_DH2_DERIVE_PARAMS object to a CK_X9_42_DH2_DERIVE_PARAMS structure + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jParam - the Java CK_X9_42_DH2_DERIVE_PARAMS object to convert + * @return - the new CK_X9_42_DH2_DERIVE_PARAMS structure + */ +CK_X9_42_DH2_DERIVE_PARAMS jX942Dh2DeriveParamToCKX942Dh2DeriveParam(JNIEnv *env, jobject jParam) +{ + jclass jX942Dh2DeriveParamsClass; + CK_X9_42_DH2_DERIVE_PARAMS ckParam; + jfieldID fieldID; + jlong jKdf, jPrivateDataLen, jPrivateData; + jobject jOtherInfo, jPublicData, jPublicData2; + memset(&ckParam, 0, sizeof(CK_X9_42_DH2_DERIVE_PARAMS)); + + /* get kdf */ + jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS); + if (jX942Dh2DeriveParamsClass == NULL) { return ckParam; } + fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "kdf", "J"); + if (fieldID == NULL) { return ckParam; } + jKdf = (*env)->GetLongField(env, jParam, fieldID); + + /* get pOtherInfo and ulOtherInfoLen */ + fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pOtherInfo", "[B"); + if (fieldID == NULL) { return ckParam; } + jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID); + + /* get pPublicData and ulPublicDataLen */ + fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData", "[B"); + if (fieldID == NULL) { return ckParam; } + jPublicData = (*env)->GetObjectField(env, jParam, fieldID); + + /* get ulPrivateDataLen */ + fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "ulPrivateDataLen", "J"); + if (fieldID == NULL) { return ckParam; } + jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID); + + /* get hPrivateData */ + fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "hPrivateData", "J"); + if (fieldID == NULL) { return ckParam; } + jPrivateData = (*env)->GetLongField(env, jParam, fieldID); + + /* get pPublicData2 and ulPublicDataLen2 */ + fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData2", "[B"); + if (fieldID == NULL) { return ckParam; } + jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID); + + /* populate java values */ + ckParam.kdf = jLongToCKULong(jKdf); + jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen)); + if ((*env)->ExceptionCheck(env)) { return ckParam; } + jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pOtherInfo); + return ckParam; + } + ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen); + ckParam.hPrivateData = jLongToCKULong(jPrivateData); + jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2)); + if ((*env)->ExceptionCheck(env)) { + free(ckParam.pOtherInfo); + free(ckParam.pPublicData); + return ckParam; + } + + return ckParam ; +} --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_crypt.c 2017-01-20 09:52:55.846288295 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,489 +0,0 @@ -/* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * =========================================================================== - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -#ifdef P11_ENABLE_C_ENCRYPTINIT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_EncryptInit - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @param jlong jKeyHandle CK_OBJECT_HANDLE hKey - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1EncryptInit -(JNIEnv *env, jobject obj, jlong jSessionHandle, - jobject jMechanism, jlong jKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckKeyHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckKeyHandle = jLongToCKULong(jKeyHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_EncryptInit)(ckSessionHandle, &ckMechanism, - ckKeyHandle); - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_ENCRYPT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Encrypt - * Signature: (J[BII[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jData CK_BYTE_PTR pData - * CK_ULONG ulDataLen - * @return jbyteArray jEncryptedData CK_BYTE_PTR pEncryptedData - * CK_ULONG_PTR pulEncryptedDataLen - */ -JNIEXPORT jint JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1Encrypt -(JNIEnv *env, jobject obj, jlong jSessionHandle, - jbyteArray jIn, jint jInOfs, jint jInLen, - jbyteArray jOut, jint jOutOfs, jint jOutLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - - CK_BYTE_PTR inBufP; - CK_BYTE_PTR outBufP; - CK_ULONG ckEncryptedPartLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL); - if (inBufP == NULL) { return 0; } - - outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); - if (outBufP == NULL) { - // Make sure to release inBufP - (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); - return 0; - } - - ckEncryptedPartLen = jOutLen; - - rv = (*ckpFunctions->C_Encrypt)(ckSessionHandle, - (CK_BYTE_PTR)(inBufP + jInOfs), jInLen, - (CK_BYTE_PTR)(outBufP + jOutOfs), - &ckEncryptedPartLen); - - (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); - (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); - - ckAssertReturnValueOK(env, rv); - return ckEncryptedPartLen; -} -#endif - -#ifdef P11_ENABLE_C_ENCRYPTUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_EncryptUpdate - * Signature: (J[BII[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jPart CK_BYTE_PTR pPart - * CK_ULONG ulPartLen - * @return jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart - * CK_ULONG_PTR pulEncryptedPartLen - */ -JNIEXPORT jint JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1EncryptUpdate -(JNIEnv *env, jobject obj, jlong jSessionHandle, - jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen, - jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - - CK_BYTE_PTR inBufP; - CK_BYTE_PTR outBufP; - CK_ULONG ckEncryptedPartLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (directIn != 0) { - inBufP = (CK_BYTE_PTR) jlong_to_ptr(directIn); - } else { - inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL); - if (inBufP == NULL) { return 0; } - } - - if (directOut != 0) { - outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut); - } else { - outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); - if (outBufP == NULL) { - // Make sure to release inBufP - (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); - return 0; - } - } - - ckEncryptedPartLen = jOutLen; - - //printf("EU: inBufP=%i, jInOfs=%i, jInLen=%i, outBufP=%i\n", - // inBufP, jInOfs, jInLen, outBufP); - - rv = (*ckpFunctions->C_EncryptUpdate)(ckSessionHandle, - (CK_BYTE_PTR)(inBufP + jInOfs), jInLen, - (CK_BYTE_PTR)(outBufP + jOutOfs), - &ckEncryptedPartLen); - - //printf("EU: ckEncryptedPartLen=%i\n", ckEncryptedPartLen); - - if (directIn == 0) { - (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); - } - - if (directOut == 0) { - (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); - } - - ckAssertReturnValueOK(env, rv); - - return ckEncryptedPartLen; -} -#endif - -#ifdef P11_ENABLE_C_ENCRYPTFINAL -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_EncryptFinal - * Signature: (J[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @return jbyteArray jLastEncryptedPart CK_BYTE_PTR pLastEncryptedDataPart - * CK_ULONG_PTR pulLastEncryptedDataPartLen - */ -JNIEXPORT jint JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1EncryptFinal -(JNIEnv *env, jobject obj, jlong jSessionHandle, - jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE_PTR outBufP; - CK_ULONG ckLastEncryptedPartLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (directOut != 0) { - outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut); - } else { - outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); - if (outBufP == NULL) { return 0; } - } - - ckLastEncryptedPartLen = jOutLen; - - //printf("EF: outBufP=%i\n", outBufP); - - rv = (*ckpFunctions->C_EncryptFinal)(ckSessionHandle, - (CK_BYTE_PTR)(outBufP + jOutOfs), - &ckLastEncryptedPartLen); - - //printf("EF: ckLastEncryptedPartLen=%i", ckLastEncryptedPartLen); - - if (directOut == 0) { - (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); - } - - ckAssertReturnValueOK(env, rv); - - return ckLastEncryptedPartLen; -} -#endif - -#ifdef P11_ENABLE_C_DECRYPTINIT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DecryptInit - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @param jlong jKeyHandle CK_OBJECT_HANDLE hKey - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptInit -(JNIEnv *env, jobject obj, jlong jSessionHandle, - jobject jMechanism, jlong jKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckKeyHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckKeyHandle = jLongToCKULong(jKeyHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_DecryptInit)(ckSessionHandle, &ckMechanism, - ckKeyHandle); - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_DECRYPT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Decrypt - * Signature: (J[BII[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jEncryptedData CK_BYTE_PTR pEncryptedData - * CK_ULONG ulEncryptedDataLen - * @return jbyteArray jData CK_BYTE_PTR pData - * CK_ULONG_PTR pulDataLen - */ -JNIEXPORT jint JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1Decrypt -(JNIEnv *env, jobject obj, jlong jSessionHandle, - jbyteArray jIn, jint jInOfs, jint jInLen, - jbyteArray jOut, jint jOutOfs, jint jOutLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - - CK_BYTE_PTR inBufP; - CK_BYTE_PTR outBufP; - CK_ULONG ckPartLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL); - if (inBufP == NULL) { return 0; } - - outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); - if (outBufP == NULL) { - // Make sure to release inBufP - (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); - return 0; - } - - ckPartLen = jOutLen; - - rv = (*ckpFunctions->C_Decrypt)(ckSessionHandle, - (CK_BYTE_PTR)(inBufP + jInOfs), jInLen, - (CK_BYTE_PTR)(outBufP + jOutOfs), - &ckPartLen); - - (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); - (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); - - ckAssertReturnValueOK(env, rv); - - return ckPartLen; -} -#endif - -#ifdef P11_ENABLE_C_DECRYPTUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DecryptUpdate - * Signature: (J[BII[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart - * CK_ULONG ulEncryptedPartLen - * @return jbyteArray jPart CK_BYTE_PTR pPart - * CK_ULONG_PTR pulPartLen - */ -JNIEXPORT jint JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptUpdate -(JNIEnv *env, jobject obj, jlong jSessionHandle, - jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen, - jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - - CK_BYTE_PTR inBufP; - CK_BYTE_PTR outBufP; - CK_ULONG ckDecryptedPartLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (directIn != 0) { - inBufP = (CK_BYTE_PTR) jlong_to_ptr(directIn); - } else { - inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL); - if (inBufP == NULL) { return 0; } - } - - if (directOut != 0) { - outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut); - } else { - outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); - if (outBufP == NULL) { - // Make sure to release inBufP - (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); - return 0; - } - } - - ckDecryptedPartLen = jOutLen; - - rv = (*ckpFunctions->C_DecryptUpdate)(ckSessionHandle, - (CK_BYTE_PTR)(inBufP + jInOfs), jInLen, - (CK_BYTE_PTR)(outBufP + jOutOfs), - &ckDecryptedPartLen); - if (directIn == 0) { - (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); - } - - if (directOut == 0) { - (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); - } - - ckAssertReturnValueOK(env, rv); - - return ckDecryptedPartLen; -} - -#endif - -#ifdef P11_ENABLE_C_DECRYPTFINAL -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DecryptFinal - * Signature: (J[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @return jbyteArray jLastPart CK_BYTE_PTR pLastPart - * CK_ULONG_PTR pulLastPartLen - */ -JNIEXPORT jint JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptFinal -(JNIEnv *env, jobject obj, jlong jSessionHandle, - jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE_PTR outBufP; - CK_ULONG ckLastPartLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (directOut != 0) { - outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut); - } else { - outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); - if (outBufP == NULL) { return 0; } - } - - ckLastPartLen = jOutLen; - - rv = (*ckpFunctions->C_DecryptFinal)(ckSessionHandle, - (CK_BYTE_PTR)(outBufP + jOutOfs), - &ckLastPartLen); - - if (directOut == 0) { - (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); - - } - - ckAssertReturnValueOK(env, rv); - - return ckLastPartLen; -} -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_crypt.c 2017-01-20 09:52:55.630288303 -0800 @@ -0,0 +1,489 @@ +/* + * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * =========================================================================== + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +#ifdef P11_ENABLE_C_ENCRYPTINIT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_EncryptInit + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @param jlong jKeyHandle CK_OBJECT_HANDLE hKey + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1EncryptInit +(JNIEnv *env, jobject obj, jlong jSessionHandle, + jobject jMechanism, jlong jKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckKeyHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckKeyHandle = jLongToCKULong(jKeyHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return; } + + rv = (*ckpFunctions->C_EncryptInit)(ckSessionHandle, &ckMechanism, + ckKeyHandle); + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_ENCRYPT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Encrypt + * Signature: (J[BII[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jData CK_BYTE_PTR pData + * CK_ULONG ulDataLen + * @return jbyteArray jEncryptedData CK_BYTE_PTR pEncryptedData + * CK_ULONG_PTR pulEncryptedDataLen + */ +JNIEXPORT jint JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1Encrypt +(JNIEnv *env, jobject obj, jlong jSessionHandle, + jbyteArray jIn, jint jInOfs, jint jInLen, + jbyteArray jOut, jint jOutOfs, jint jOutLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + + CK_BYTE_PTR inBufP; + CK_BYTE_PTR outBufP; + CK_ULONG ckEncryptedPartLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL); + if (inBufP == NULL) { return 0; } + + outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); + if (outBufP == NULL) { + // Make sure to release inBufP + (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); + return 0; + } + + ckEncryptedPartLen = jOutLen; + + rv = (*ckpFunctions->C_Encrypt)(ckSessionHandle, + (CK_BYTE_PTR)(inBufP + jInOfs), jInLen, + (CK_BYTE_PTR)(outBufP + jOutOfs), + &ckEncryptedPartLen); + + (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); + (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); + + ckAssertReturnValueOK(env, rv); + return ckEncryptedPartLen; +} +#endif + +#ifdef P11_ENABLE_C_ENCRYPTUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_EncryptUpdate + * Signature: (J[BII[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jPart CK_BYTE_PTR pPart + * CK_ULONG ulPartLen + * @return jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart + * CK_ULONG_PTR pulEncryptedPartLen + */ +JNIEXPORT jint JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1EncryptUpdate +(JNIEnv *env, jobject obj, jlong jSessionHandle, + jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen, + jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + + CK_BYTE_PTR inBufP; + CK_BYTE_PTR outBufP; + CK_ULONG ckEncryptedPartLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (directIn != 0) { + inBufP = (CK_BYTE_PTR) jlong_to_ptr(directIn); + } else { + inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL); + if (inBufP == NULL) { return 0; } + } + + if (directOut != 0) { + outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut); + } else { + outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); + if (outBufP == NULL) { + // Make sure to release inBufP + (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); + return 0; + } + } + + ckEncryptedPartLen = jOutLen; + + //printf("EU: inBufP=%i, jInOfs=%i, jInLen=%i, outBufP=%i\n", + // inBufP, jInOfs, jInLen, outBufP); + + rv = (*ckpFunctions->C_EncryptUpdate)(ckSessionHandle, + (CK_BYTE_PTR)(inBufP + jInOfs), jInLen, + (CK_BYTE_PTR)(outBufP + jOutOfs), + &ckEncryptedPartLen); + + //printf("EU: ckEncryptedPartLen=%i\n", ckEncryptedPartLen); + + if (directIn == 0) { + (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); + } + + if (directOut == 0) { + (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); + } + + ckAssertReturnValueOK(env, rv); + + return ckEncryptedPartLen; +} +#endif + +#ifdef P11_ENABLE_C_ENCRYPTFINAL +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_EncryptFinal + * Signature: (J[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @return jbyteArray jLastEncryptedPart CK_BYTE_PTR pLastEncryptedDataPart + * CK_ULONG_PTR pulLastEncryptedDataPartLen + */ +JNIEXPORT jint JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1EncryptFinal +(JNIEnv *env, jobject obj, jlong jSessionHandle, + jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE_PTR outBufP; + CK_ULONG ckLastEncryptedPartLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (directOut != 0) { + outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut); + } else { + outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); + if (outBufP == NULL) { return 0; } + } + + ckLastEncryptedPartLen = jOutLen; + + //printf("EF: outBufP=%i\n", outBufP); + + rv = (*ckpFunctions->C_EncryptFinal)(ckSessionHandle, + (CK_BYTE_PTR)(outBufP + jOutOfs), + &ckLastEncryptedPartLen); + + //printf("EF: ckLastEncryptedPartLen=%i", ckLastEncryptedPartLen); + + if (directOut == 0) { + (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); + } + + ckAssertReturnValueOK(env, rv); + + return ckLastEncryptedPartLen; +} +#endif + +#ifdef P11_ENABLE_C_DECRYPTINIT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DecryptInit + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @param jlong jKeyHandle CK_OBJECT_HANDLE hKey + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptInit +(JNIEnv *env, jobject obj, jlong jSessionHandle, + jobject jMechanism, jlong jKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckKeyHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckKeyHandle = jLongToCKULong(jKeyHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return; } + + rv = (*ckpFunctions->C_DecryptInit)(ckSessionHandle, &ckMechanism, + ckKeyHandle); + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_DECRYPT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Decrypt + * Signature: (J[BII[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jEncryptedData CK_BYTE_PTR pEncryptedData + * CK_ULONG ulEncryptedDataLen + * @return jbyteArray jData CK_BYTE_PTR pData + * CK_ULONG_PTR pulDataLen + */ +JNIEXPORT jint JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1Decrypt +(JNIEnv *env, jobject obj, jlong jSessionHandle, + jbyteArray jIn, jint jInOfs, jint jInLen, + jbyteArray jOut, jint jOutOfs, jint jOutLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + + CK_BYTE_PTR inBufP; + CK_BYTE_PTR outBufP; + CK_ULONG ckPartLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL); + if (inBufP == NULL) { return 0; } + + outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); + if (outBufP == NULL) { + // Make sure to release inBufP + (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); + return 0; + } + + ckPartLen = jOutLen; + + rv = (*ckpFunctions->C_Decrypt)(ckSessionHandle, + (CK_BYTE_PTR)(inBufP + jInOfs), jInLen, + (CK_BYTE_PTR)(outBufP + jOutOfs), + &ckPartLen); + + (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); + (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); + + ckAssertReturnValueOK(env, rv); + + return ckPartLen; +} +#endif + +#ifdef P11_ENABLE_C_DECRYPTUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DecryptUpdate + * Signature: (J[BII[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart + * CK_ULONG ulEncryptedPartLen + * @return jbyteArray jPart CK_BYTE_PTR pPart + * CK_ULONG_PTR pulPartLen + */ +JNIEXPORT jint JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptUpdate +(JNIEnv *env, jobject obj, jlong jSessionHandle, + jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen, + jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + + CK_BYTE_PTR inBufP; + CK_BYTE_PTR outBufP; + CK_ULONG ckDecryptedPartLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (directIn != 0) { + inBufP = (CK_BYTE_PTR) jlong_to_ptr(directIn); + } else { + inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL); + if (inBufP == NULL) { return 0; } + } + + if (directOut != 0) { + outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut); + } else { + outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); + if (outBufP == NULL) { + // Make sure to release inBufP + (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); + return 0; + } + } + + ckDecryptedPartLen = jOutLen; + + rv = (*ckpFunctions->C_DecryptUpdate)(ckSessionHandle, + (CK_BYTE_PTR)(inBufP + jInOfs), jInLen, + (CK_BYTE_PTR)(outBufP + jOutOfs), + &ckDecryptedPartLen); + if (directIn == 0) { + (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT); + } + + if (directOut == 0) { + (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); + } + + ckAssertReturnValueOK(env, rv); + + return ckDecryptedPartLen; +} + +#endif + +#ifdef P11_ENABLE_C_DECRYPTFINAL +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DecryptFinal + * Signature: (J[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @return jbyteArray jLastPart CK_BYTE_PTR pLastPart + * CK_ULONG_PTR pulLastPartLen + */ +JNIEXPORT jint JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptFinal +(JNIEnv *env, jobject obj, jlong jSessionHandle, + jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE_PTR outBufP; + CK_ULONG ckLastPartLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (directOut != 0) { + outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut); + } else { + outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL); + if (outBufP == NULL) { return 0; } + } + + ckLastPartLen = jOutLen; + + rv = (*ckpFunctions->C_DecryptFinal)(ckSessionHandle, + (CK_BYTE_PTR)(outBufP + jOutOfs), + &ckLastPartLen); + + if (directOut == 0) { + (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT); + + } + + ckAssertReturnValueOK(env, rv); + + return ckLastPartLen; +} +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_digest.c 2017-01-20 09:52:56.194288282 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,348 +0,0 @@ -/* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include -#include "jlong.h" - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -#ifdef P11_ENABLE_C_DIGESTINIT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DigestInit - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestInit - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism); - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_DIGEST -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Digest - * Signature: (J[BII[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jData CK_BYTE_PTR pData - * CK_ULONG ulDataLen - * @return jbyteArray jDigest CK_BYTE_PTR pDigest - * CK_ULONG_PTR pulDigestLen - */ -JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestSingle - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jbyteArray jIn, jint jInOfs, jint jInLen, jbyteArray jDigest, jint jDigestOfs, jint jDigestLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE_PTR bufP; - CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; - CK_BYTE DIGESTBUF[MAX_DIGEST_LEN]; - CK_ULONG ckDigestLength = min(MAX_DIGEST_LEN, jDigestLen); - CK_MECHANISM ckMechanism; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return 0; } - - rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism); - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0; } - - if (jInLen <= MAX_STACK_BUFFER_LEN) { - bufP = BUF; - } else { - /* always use single part op, even for large data */ - bufP = (CK_BYTE_PTR) malloc((size_t)jInLen); - if (bufP == NULL) { - throwOutOfMemoryError(env, 0); - return 0; - } - } - - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)bufP); - if ((*env)->ExceptionCheck(env)) { - if (bufP != BUF) { free(bufP); } - return 0; - } - - rv = (*ckpFunctions->C_Digest)(ckSessionHandle, bufP, jInLen, DIGESTBUF, &ckDigestLength); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)DIGESTBUF); - } - - if (bufP != BUF) { free(bufP); } - - return ckDigestLength; -} -#endif - -#ifdef P11_ENABLE_C_DIGESTUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DigestUpdate - * Signature: (J[B)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jData CK_BYTE_PTR pData - * CK_ULONG ulDataLen - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestUpdate - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE_PTR bufP; - CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; - jsize bufLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (directIn != 0) { - rv = (*ckpFunctions->C_DigestUpdate)(ckSessionHandle, (CK_BYTE_PTR)jlong_to_ptr(directIn), jInLen); - ckAssertReturnValueOK(env, rv); - return; - } - - if (jInLen <= MAX_STACK_BUFFER_LEN) { - bufLen = MAX_STACK_BUFFER_LEN; - bufP = BUF; - } else { - bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); - bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); - if (bufP == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - } - - while (jInLen > 0) { - jsize chunkLen = min(bufLen, jInLen); - (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); - if ((*env)->ExceptionCheck(env)) { - if (bufP != BUF) { free(bufP); } - return; - } - rv = (*ckpFunctions->C_DigestUpdate)(ckSessionHandle, bufP, chunkLen); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - if (bufP != BUF) { free(bufP); } - return; - } - jInOfs += chunkLen; - jInLen -= chunkLen; - } - - if (bufP != BUF) { - free(bufP); - } -} -#endif - -#ifdef P11_ENABLE_C_DIGESTKEY -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DigestKey - * Signature: (JJ)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jlong jKeyHandle CK_OBJECT_HANDLE hKey - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestKey - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_ULONG ckKeyHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_DigestKey)(ckSessionHandle, ckKeyHandle); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_DIGESTFINAL -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DigestFinal - * Signature: (J[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @return jbyteArray jDigest CK_BYTE_PTR pDigest - * CK_ULONG_PTR pulDigestLen - */ -JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestFinal - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jDigest, jint jDigestOfs, jint jDigestLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE BUF[MAX_DIGEST_LEN]; - CK_ULONG ckDigestLength = min(MAX_DIGEST_LEN, jDigestLen); - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_DigestFinal)(ckSessionHandle, BUF, &ckDigestLength); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)BUF); - } - return ckDigestLength; -} -#endif - -#ifdef P11_ENABLE_C_SEEDRANDOM -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SeedRandom - * Signature: (J[B)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jSeed CK_BYTE_PTR pSeed - * CK_ULONG ulSeedLen - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SeedRandom - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jSeed) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpSeed = NULL_PTR; - CK_ULONG ckSeedLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jSeed, &ckpSeed, &ckSeedLength); - if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_SeedRandom)(ckSessionHandle, ckpSeed, ckSeedLength); - - free(ckpSeed); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_GENERATERANDOM -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GenerateRandom - * Signature: (J[B)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jRandomData CK_BYTE_PTR pRandomData - * CK_ULONG ulRandomDataLen - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GenerateRandom - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jRandomData) -{ - CK_SESSION_HANDLE ckSessionHandle; - jbyte *jRandomBuffer; - jlong jRandomBufferLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - jRandomBufferLength = (*env)->GetArrayLength(env, jRandomData); - jRandomBuffer = (*env)->GetByteArrayElements(env, jRandomData, NULL); - if (jRandomBuffer == NULL) { return; } - - rv = (*ckpFunctions->C_GenerateRandom)(ckSessionHandle, - (CK_BYTE_PTR) jRandomBuffer, - jLongToCKULong(jRandomBufferLength)); - - /* copy back generated bytes */ - (*env)->ReleaseByteArrayElements(env, jRandomData, jRandomBuffer, 0); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_digest.c 2017-01-20 09:52:55.974288290 -0800 @@ -0,0 +1,348 @@ +/* + * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include +#include "jlong.h" + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +#ifdef P11_ENABLE_C_DIGESTINIT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DigestInit + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestInit + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return; } + + rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism); + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_DIGEST +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Digest + * Signature: (J[BII[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jData CK_BYTE_PTR pData + * CK_ULONG ulDataLen + * @return jbyteArray jDigest CK_BYTE_PTR pDigest + * CK_ULONG_PTR pulDigestLen + */ +JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestSingle + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jbyteArray jIn, jint jInOfs, jint jInLen, jbyteArray jDigest, jint jDigestOfs, jint jDigestLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE_PTR bufP; + CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; + CK_BYTE DIGESTBUF[MAX_DIGEST_LEN]; + CK_ULONG ckDigestLength = min(MAX_DIGEST_LEN, jDigestLen); + CK_MECHANISM ckMechanism; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return 0; } + + rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism); + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0; } + + if (jInLen <= MAX_STACK_BUFFER_LEN) { + bufP = BUF; + } else { + /* always use single part op, even for large data */ + bufP = (CK_BYTE_PTR) malloc((size_t)jInLen); + if (bufP == NULL) { + throwOutOfMemoryError(env, 0); + return 0; + } + } + + (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)bufP); + if ((*env)->ExceptionCheck(env)) { + if (bufP != BUF) { free(bufP); } + return 0; + } + + rv = (*ckpFunctions->C_Digest)(ckSessionHandle, bufP, jInLen, DIGESTBUF, &ckDigestLength); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)DIGESTBUF); + } + + if (bufP != BUF) { free(bufP); } + + return ckDigestLength; +} +#endif + +#ifdef P11_ENABLE_C_DIGESTUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DigestUpdate + * Signature: (J[B)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jData CK_BYTE_PTR pData + * CK_ULONG ulDataLen + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestUpdate + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE_PTR bufP; + CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; + jsize bufLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (directIn != 0) { + rv = (*ckpFunctions->C_DigestUpdate)(ckSessionHandle, (CK_BYTE_PTR)jlong_to_ptr(directIn), jInLen); + ckAssertReturnValueOK(env, rv); + return; + } + + if (jInLen <= MAX_STACK_BUFFER_LEN) { + bufLen = MAX_STACK_BUFFER_LEN; + bufP = BUF; + } else { + bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); + bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); + if (bufP == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + } + + while (jInLen > 0) { + jsize chunkLen = min(bufLen, jInLen); + (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); + if ((*env)->ExceptionCheck(env)) { + if (bufP != BUF) { free(bufP); } + return; + } + rv = (*ckpFunctions->C_DigestUpdate)(ckSessionHandle, bufP, chunkLen); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + if (bufP != BUF) { free(bufP); } + return; + } + jInOfs += chunkLen; + jInLen -= chunkLen; + } + + if (bufP != BUF) { + free(bufP); + } +} +#endif + +#ifdef P11_ENABLE_C_DIGESTKEY +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DigestKey + * Signature: (JJ)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jlong jKeyHandle CK_OBJECT_HANDLE hKey + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestKey + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_ULONG ckKeyHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckKeyHandle = jLongToCKULong(jKeyHandle); + + rv = (*ckpFunctions->C_DigestKey)(ckSessionHandle, ckKeyHandle); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_DIGESTFINAL +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DigestFinal + * Signature: (J[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @return jbyteArray jDigest CK_BYTE_PTR pDigest + * CK_ULONG_PTR pulDigestLen + */ +JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestFinal + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jDigest, jint jDigestOfs, jint jDigestLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE BUF[MAX_DIGEST_LEN]; + CK_ULONG ckDigestLength = min(MAX_DIGEST_LEN, jDigestLen); + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + rv = (*ckpFunctions->C_DigestFinal)(ckSessionHandle, BUF, &ckDigestLength); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)BUF); + } + return ckDigestLength; +} +#endif + +#ifdef P11_ENABLE_C_SEEDRANDOM +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SeedRandom + * Signature: (J[B)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jSeed CK_BYTE_PTR pSeed + * CK_ULONG ulSeedLen + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SeedRandom + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jSeed) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpSeed = NULL_PTR; + CK_ULONG ckSeedLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jSeed, &ckpSeed, &ckSeedLength); + if ((*env)->ExceptionCheck(env)) { return; } + + rv = (*ckpFunctions->C_SeedRandom)(ckSessionHandle, ckpSeed, ckSeedLength); + + free(ckpSeed); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_GENERATERANDOM +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GenerateRandom + * Signature: (J[B)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jRandomData CK_BYTE_PTR pRandomData + * CK_ULONG ulRandomDataLen + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GenerateRandom + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jRandomData) +{ + CK_SESSION_HANDLE ckSessionHandle; + jbyte *jRandomBuffer; + jlong jRandomBufferLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + jRandomBufferLength = (*env)->GetArrayLength(env, jRandomData); + jRandomBuffer = (*env)->GetByteArrayElements(env, jRandomData, NULL); + if (jRandomBuffer == NULL) { return; } + + rv = (*ckpFunctions->C_GenerateRandom)(ckSessionHandle, + (CK_BYTE_PTR) jRandomBuffer, + jLongToCKULong(jRandomBufferLength)); + + /* copy back generated bytes */ + (*env)->ReleaseByteArrayElements(env, jRandomData, jRandomBuffer, 0); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_dual.c 2017-01-20 09:52:56.542288269 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,315 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * =========================================================================== - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -#ifdef P11_ENABLE_C_DIGESTENCRYPTUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DigestEncryptUpdate - * Signature: (J[B)[B - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jPart CK_BYTE_PTR pPart - * CK_ULONG ulPartLen - * @return jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart - * CK_ULONG_PTR pulEncryptedPartLen - */ -JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestEncryptUpdate - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jPart) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpPart = NULL_PTR, ckpEncryptedPart; - CK_ULONG ckPartLength, ckEncryptedPartLength = 0; - jbyteArray jEncryptedPart = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jPart, &ckpPart, &ckPartLength); - if ((*env)->ExceptionCheck(env)) { return NULL; } - - rv = (*ckpFunctions->C_DigestEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, NULL_PTR, &ckEncryptedPartLength); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - free(ckpPart); - return NULL; - } - - ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE)); - if (ckpEncryptedPart == NULL) { - free(ckpPart); - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_DigestEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, ckpEncryptedPart, &ckEncryptedPartLength); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength); - } - free(ckpPart); - free(ckpEncryptedPart); - - return jEncryptedPart ; -} -#endif - -#ifdef P11_ENABLE_C_DECRYPTDIGESTUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DecryptDigestUpdate - * Signature: (J[B)[B - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart - * CK_ULONG ulEncryptedPartLen - * @return jbyteArray jPart CK_BYTE_PTR pPart - * CK_ULONG_PTR pulPartLen - */ -JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptDigestUpdate - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jEncryptedPart) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpPart, ckpEncryptedPart = NULL_PTR; - CK_ULONG ckPartLength = 0, ckEncryptedPartLength; - jbyteArray jPart = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jEncryptedPart, &ckpEncryptedPart, &ckEncryptedPartLength); - if ((*env)->ExceptionCheck(env)) { return NULL; } - - rv = (*ckpFunctions->C_DecryptDigestUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, NULL_PTR, &ckPartLength); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - free(ckpEncryptedPart); - return NULL; - } - - ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE)); - if (ckpPart == NULL) { - free(ckpEncryptedPart); - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_DecryptDigestUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, ckpPart, &ckPartLength); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength); - } - free(ckpEncryptedPart); - free(ckpPart); - - return jPart ; -} -#endif - -#ifdef P11_ENABLE_C_SIGNENCRYPTUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SignEncryptUpdate - * Signature: (J[B)[B - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jPart CK_BYTE_PTR pPart - * CK_ULONG ulPartLen - * @return jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart - * CK_ULONG_PTR pulEncryptedPartLen - */ -JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignEncryptUpdate - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jPart) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpPart = NULL_PTR, ckpEncryptedPart; - CK_ULONG ckPartLength, ckEncryptedPartLength = 0; - jbyteArray jEncryptedPart = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jPart, &ckpPart, &ckPartLength); - if ((*env)->ExceptionCheck(env)) { return NULL; } - - rv = (*ckpFunctions->C_SignEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, NULL_PTR, &ckEncryptedPartLength); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - free(ckpPart); - return NULL; - } - - ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE)); - if (ckpEncryptedPart == NULL) { - free(ckpPart); - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_SignEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, ckpEncryptedPart, &ckEncryptedPartLength); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength); - } - free(ckpPart); - free(ckpEncryptedPart); - - return jEncryptedPart ; -} -#endif - -#ifdef P11_ENABLE_C_DECRYPTVERIFYUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DecryptVerifyUpdate - * Signature: (J[B)[B - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart - * CK_ULONG ulEncryptedPartLen - * @return jbyteArray jPart CK_BYTE_PTR pPart - * CK_ULONG_PTR pulPartLen - */ -JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptVerifyUpdate - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jEncryptedPart) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpPart, ckpEncryptedPart = NULL_PTR; - CK_ULONG ckPartLength = 0, ckEncryptedPartLength; - jbyteArray jPart = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jEncryptedPart, &ckpEncryptedPart, &ckEncryptedPartLength); - if ((*env)->ExceptionCheck(env)) { return NULL; } - - rv = (*ckpFunctions->C_DecryptVerifyUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, NULL_PTR, &ckPartLength); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - free(ckpEncryptedPart); - return NULL; - } - - ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE)); - if (ckpPart == NULL) { - free(ckpEncryptedPart); - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_DecryptVerifyUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, ckpPart, &ckPartLength); - - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength); - } - free(ckpEncryptedPart); - free(ckpPart); - - return jPart ; -} -#endif - -#ifdef P11_ENABLE_C_GETFUNCTIONSTATUS -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetFunctionStatus - * Signature: (J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetFunctionStatus - (JNIEnv *env, jobject obj, jlong jSessionHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - /* C_GetFunctionStatus should always return CKR_FUNCTION_NOT_PARALLEL */ - rv = (*ckpFunctions->C_GetFunctionStatus)(ckSessionHandle); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_CANCELFUNCTION -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_CancelFunction - * Signature: (J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CancelFunction - (JNIEnv *env, jobject obj, jlong jSessionHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - /* C_GetFunctionStatus should always return CKR_FUNCTION_NOT_PARALLEL */ - rv = (*ckpFunctions->C_CancelFunction)(ckSessionHandle); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_dual.c 2017-01-20 09:52:56.326288277 -0800 @@ -0,0 +1,315 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * =========================================================================== + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +#ifdef P11_ENABLE_C_DIGESTENCRYPTUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DigestEncryptUpdate + * Signature: (J[B)[B + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jPart CK_BYTE_PTR pPart + * CK_ULONG ulPartLen + * @return jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart + * CK_ULONG_PTR pulEncryptedPartLen + */ +JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestEncryptUpdate + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jPart) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpPart = NULL_PTR, ckpEncryptedPart; + CK_ULONG ckPartLength, ckEncryptedPartLength = 0; + jbyteArray jEncryptedPart = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jPart, &ckpPart, &ckPartLength); + if ((*env)->ExceptionCheck(env)) { return NULL; } + + rv = (*ckpFunctions->C_DigestEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, NULL_PTR, &ckEncryptedPartLength); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + free(ckpPart); + return NULL; + } + + ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE)); + if (ckpEncryptedPart == NULL) { + free(ckpPart); + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_DigestEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, ckpEncryptedPart, &ckEncryptedPartLength); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength); + } + free(ckpPart); + free(ckpEncryptedPart); + + return jEncryptedPart ; +} +#endif + +#ifdef P11_ENABLE_C_DECRYPTDIGESTUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DecryptDigestUpdate + * Signature: (J[B)[B + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart + * CK_ULONG ulEncryptedPartLen + * @return jbyteArray jPart CK_BYTE_PTR pPart + * CK_ULONG_PTR pulPartLen + */ +JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptDigestUpdate + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jEncryptedPart) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpPart, ckpEncryptedPart = NULL_PTR; + CK_ULONG ckPartLength = 0, ckEncryptedPartLength; + jbyteArray jPart = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jEncryptedPart, &ckpEncryptedPart, &ckEncryptedPartLength); + if ((*env)->ExceptionCheck(env)) { return NULL; } + + rv = (*ckpFunctions->C_DecryptDigestUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, NULL_PTR, &ckPartLength); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + free(ckpEncryptedPart); + return NULL; + } + + ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE)); + if (ckpPart == NULL) { + free(ckpEncryptedPart); + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_DecryptDigestUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, ckpPart, &ckPartLength); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength); + } + free(ckpEncryptedPart); + free(ckpPart); + + return jPart ; +} +#endif + +#ifdef P11_ENABLE_C_SIGNENCRYPTUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SignEncryptUpdate + * Signature: (J[B)[B + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jPart CK_BYTE_PTR pPart + * CK_ULONG ulPartLen + * @return jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart + * CK_ULONG_PTR pulEncryptedPartLen + */ +JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignEncryptUpdate + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jPart) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpPart = NULL_PTR, ckpEncryptedPart; + CK_ULONG ckPartLength, ckEncryptedPartLength = 0; + jbyteArray jEncryptedPart = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jPart, &ckpPart, &ckPartLength); + if ((*env)->ExceptionCheck(env)) { return NULL; } + + rv = (*ckpFunctions->C_SignEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, NULL_PTR, &ckEncryptedPartLength); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + free(ckpPart); + return NULL; + } + + ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE)); + if (ckpEncryptedPart == NULL) { + free(ckpPart); + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_SignEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, ckpEncryptedPart, &ckEncryptedPartLength); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength); + } + free(ckpPart); + free(ckpEncryptedPart); + + return jEncryptedPart ; +} +#endif + +#ifdef P11_ENABLE_C_DECRYPTVERIFYUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DecryptVerifyUpdate + * Signature: (J[B)[B + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jEncryptedPart CK_BYTE_PTR pEncryptedPart + * CK_ULONG ulEncryptedPartLen + * @return jbyteArray jPart CK_BYTE_PTR pPart + * CK_ULONG_PTR pulPartLen + */ +JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DecryptVerifyUpdate + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jEncryptedPart) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpPart, ckpEncryptedPart = NULL_PTR; + CK_ULONG ckPartLength = 0, ckEncryptedPartLength; + jbyteArray jPart = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jEncryptedPart, &ckpEncryptedPart, &ckEncryptedPartLength); + if ((*env)->ExceptionCheck(env)) { return NULL; } + + rv = (*ckpFunctions->C_DecryptVerifyUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, NULL_PTR, &ckPartLength); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + free(ckpEncryptedPart); + return NULL; + } + + ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE)); + if (ckpPart == NULL) { + free(ckpEncryptedPart); + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_DecryptVerifyUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, ckpPart, &ckPartLength); + + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength); + } + free(ckpEncryptedPart); + free(ckpPart); + + return jPart ; +} +#endif + +#ifdef P11_ENABLE_C_GETFUNCTIONSTATUS +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetFunctionStatus + * Signature: (J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetFunctionStatus + (JNIEnv *env, jobject obj, jlong jSessionHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + /* C_GetFunctionStatus should always return CKR_FUNCTION_NOT_PARALLEL */ + rv = (*ckpFunctions->C_GetFunctionStatus)(ckSessionHandle); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_CANCELFUNCTION +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_CancelFunction + * Signature: (J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CancelFunction + (JNIEnv *env, jobject obj, jlong jSessionHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + /* C_GetFunctionStatus should always return CKR_FUNCTION_NOT_PARALLEL */ + rv = (*ckpFunctions->C_CancelFunction)(ckSessionHandle); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_general.c 2017-01-20 09:52:56.890288256 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,881 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -/* declare file private functions */ - -void prefetchFields(JNIEnv *env, jclass thisClass); -jobject ckInfoPtrToJInfo(JNIEnv *env, const CK_INFO_PTR ckpInfo); -jobject ckSlotInfoPtrToJSlotInfo(JNIEnv *env, const CK_SLOT_INFO_PTR ckpSlotInfo); -jobject ckTokenInfoPtrToJTokenInfo(JNIEnv *env, const CK_TOKEN_INFO_PTR ckpTokenInfo); -jobject ckMechanismInfoPtrToJMechanismInfo(JNIEnv *env, const CK_MECHANISM_INFO_PTR ckpMechanismInfo); - -/* define variables */ - -jfieldID pNativeDataID; -jfieldID mech_mechanismID; -jfieldID mech_pParameterID; - -jclass jByteArrayClass; -jclass jLongClass; - -JavaVM* jvm = NULL; - -jboolean debug = 0; - -JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) { - jvm = vm; - return JNI_VERSION_1_4; -} - -/* ************************************************************************** */ -/* The native implementation of the methods of the PKCS11Implementation class */ -/* ************************************************************************** */ - -/* - * This method is used to do static initialization. This method is static and - * synchronized. Summary: use this method like a static initialization block. - * - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: initializeLibrary - * Signature: ()V - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_initializeLibrary -(JNIEnv *env, jclass thisClass, jboolean enableDebug) -{ -#ifndef NO_CALLBACKS - if (notifyListLock == NULL) { - notifyListLock = createLockObject(env); - } -#endif - - prefetchFields(env, thisClass); - debug = enableDebug; -} - -jclass fetchClass(JNIEnv *env, const char *name) { - jclass tmpClass = (*env)->FindClass(env, name); - if (tmpClass == NULL) { return NULL; } - return (*env)->NewGlobalRef(env, tmpClass); -} - -void prefetchFields(JNIEnv *env, jclass thisClass) { - jclass tmpClass; - - /* PKCS11 */ - pNativeDataID = (*env)->GetFieldID(env, thisClass, "pNativeData", "J"); - if (pNativeDataID == NULL) { return; } - - /* CK_MECHANISM */ - tmpClass = (*env)->FindClass(env, CLASS_MECHANISM); - if (tmpClass == NULL) { return; } - mech_mechanismID = (*env)->GetFieldID(env, tmpClass, "mechanism", "J"); - if (mech_mechanismID == NULL) { return; } - mech_pParameterID = (*env)->GetFieldID(env, tmpClass, "pParameter", - "Ljava/lang/Object;"); - if (mech_pParameterID == NULL) { return; } - jByteArrayClass = fetchClass(env, "[B"); - if (jByteArrayClass == NULL) { return; } - jLongClass = fetchClass(env, "java/lang/Long"); -} - -/* This method is designed to do a clean-up. It releases all global resources - * of this library. By now, this function is not called. Calling from - * JNI_OnUnload would be an option, but some VMs do not support JNI_OnUnload. - * - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: finalizeLibrary - * Signature: ()V - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_finalizeLibrary -(JNIEnv *env, jclass thisClass) -{ -/* XXX - * remove all left lists and release the resources and the lock - * objects that synchroniz access to these lists. - * - removeAllModuleEntries(env); - if (moduleListHead == NULL) { * check, if we removed the last active module * - * remove also the moduleListLock, it is no longer used * - if (moduleListLock != NULL) { - destroyLockObject(env, moduleListLock); - moduleListLock = NULL; - } -#ifndef NO_CALLBACKS - * remove all left notify callback entries * - while (removeFirstNotifyEntry(env)); - * remove also the notifyListLock, it is no longer used * - if (notifyListLock != NULL) { - destroyLockObject(env, notifyListLock); - notifyListLock = NULL; - } - if (jInitArgsObject != NULL) { - (*env)->DeleteGlobalRef(env, jInitArgsObject); - } - if (ckpGlobalInitArgs != NULL_PTR) { - free(ckpGlobalInitArgs); - } -#endif * NO_CALLBACKS * - } -*/ -} - -#ifdef P11_ENABLE_C_INITIALIZE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Initialize - * Signature: (Ljava/lang/Object;)V - * Parametermapping: *PKCS11* - * @param jobject jInitArgs CK_VOID_PTR pInitArgs - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1Initialize -(JNIEnv *env, jobject obj, jobject jInitArgs) -{ - /* - * Initalize Cryptoki - */ - CK_C_INITIALIZE_ARGS_PTR ckpInitArgs; - CK_RV rv; - CK_FUNCTION_LIST_PTR ckpFunctions; - - TRACE0("DEBUG: initializing module... "); - - ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { - TRACE0("failed getting module entry"); - return; - } - - ckpInitArgs = (jInitArgs != NULL) - ? makeCKInitArgsAdapter(env, jInitArgs) - : NULL_PTR; - - rv = (*ckpFunctions->C_Initialize)(ckpInitArgs); - - free(ckpInitArgs); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - - TRACE0("FINISHED\n"); -} -#endif - -#ifdef P11_ENABLE_C_FINALIZE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Finalize - * Signature: (Ljava/lang/Object;)V - * Parametermapping: *PKCS11* - * @param jobject jReserved CK_VOID_PTR pReserved - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1Finalize -(JNIEnv *env, jobject obj, jobject jReserved) -{ - /* - * Finalize Cryptoki - */ - CK_VOID_PTR ckpReserved; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckpReserved = jObjectToCKVoidPtr(jReserved); - - rv = (*ckpFunctions->C_Finalize)(ckpReserved); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_GETINFO -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetInfo - * Signature: ()Lsun/security/pkcs11/wrapper/CK_INFO; - * Parametermapping: *PKCS11* - * @return jobject jInfoObject CK_INFO_PTR pInfo - */ -JNIEXPORT jobject JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetInfo -(JNIEnv *env, jobject obj) -{ - CK_INFO ckLibInfo; - jobject jInfoObject=NULL; - CK_RV rv; - CK_FUNCTION_LIST_PTR ckpFunctions; - memset(&ckLibInfo, 0, sizeof(CK_INFO)); - - ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - rv = (*ckpFunctions->C_GetInfo)(&ckLibInfo); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jInfoObject = ckInfoPtrToJInfo(env, &ckLibInfo); - } - return jInfoObject ; -} - -/* - * converts a pointer to a CK_INFO structure into a Java CK_INFO Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpInfo - the pointer to the CK_INFO structure - * @return - the new Java CK_INFO object - */ -jobject ckInfoPtrToJInfo(JNIEnv *env, const CK_INFO_PTR ckpInfo) -{ - jclass jInfoClass; - jmethodID jCtrId; - jobject jInfoObject; - jobject jCryptokiVer; - jcharArray jVendor; - jlong jFlags; - jcharArray jLibraryDesc; - jobject jLibraryVer; - - /* load CK_INFO class */ - jInfoClass = (*env)->FindClass(env, CLASS_INFO); - if (jInfoClass == NULL) { return NULL; }; - - /* load CK_INFO constructor */ - jCtrId = (*env)->GetMethodID - (env, jInfoClass, "", - "(Lsun/security/pkcs11/wrapper/CK_VERSION;[CJ[CLsun/security/pkcs11/wrapper/CK_VERSION;)V"); - if (jCtrId == NULL) { return NULL; } - - /* prep all fields */ - jCryptokiVer = ckVersionPtrToJVersion(env, &(ckpInfo->cryptokiVersion)); - if (jCryptokiVer == NULL) { return NULL; } - jVendor = - ckUTF8CharArrayToJCharArray(env, &(ckpInfo->manufacturerID[0]), 32); - if (jVendor == NULL) { return NULL; } - jFlags = ckULongToJLong(ckpInfo->flags); - jLibraryDesc = - ckUTF8CharArrayToJCharArray(env, &(ckpInfo->libraryDescription[0]), 32); - if (jLibraryDesc == NULL) { return NULL; } - jLibraryVer = ckVersionPtrToJVersion(env, &(ckpInfo->libraryVersion)); - if (jLibraryVer == NULL) { return NULL; } - - /* create new CK_INFO object */ - jInfoObject = (*env)->NewObject(env, jInfoClass, jCtrId, jCryptokiVer, - jVendor, jFlags, jLibraryDesc, jLibraryVer); - if (jInfoObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jInfoClass); - (*env)->DeleteLocalRef(env, jCryptokiVer); - (*env)->DeleteLocalRef(env, jVendor); - (*env)->DeleteLocalRef(env, jLibraryDesc); - (*env)->DeleteLocalRef(env, jLibraryVer); - - return jInfoObject ; -} -#endif - -#ifdef P11_ENABLE_C_GETSLOTLIST -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetSlotList - * Signature: (Z)[J - * Parametermapping: *PKCS11* - * @param jboolean jTokenPresent CK_BBOOL tokenPresent - * @return jlongArray jSlotList CK_SLOT_ID_PTR pSlotList - * CK_ULONG_PTR pulCount - */ -JNIEXPORT jlongArray JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSlotList -(JNIEnv *env, jobject obj, jboolean jTokenPresent) -{ - CK_ULONG ckTokenNumber; - CK_SLOT_ID_PTR ckpSlotList; - CK_BBOOL ckTokenPresent; - jlongArray jSlotList = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckTokenPresent = jBooleanToCKBBool(jTokenPresent); - - rv = (*ckpFunctions->C_GetSlotList)(ckTokenPresent, NULL_PTR, - &ckTokenNumber); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } - - ckpSlotList = (CK_SLOT_ID_PTR) malloc(ckTokenNumber * sizeof(CK_SLOT_ID)); - if (ckpSlotList == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_GetSlotList)(ckTokenPresent, ckpSlotList, - &ckTokenNumber); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jSlotList = ckULongArrayToJLongArray(env, ckpSlotList, ckTokenNumber); - } - free(ckpSlotList); - - return jSlotList ; -} -#endif - -#ifdef P11_ENABLE_C_GETSLOTINFO -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetSlotInfo - * Signature: (J)Lsun/security/pkcs11/wrapper/CK_SLOT_INFO; - * Parametermapping: *PKCS11* - * @param jlong jSlotID CK_SLOT_ID slotID - * @return jobject jSlotInfoObject CK_SLOT_INFO_PTR pInfo - */ -JNIEXPORT jobject JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSlotInfo -(JNIEnv *env, jobject obj, jlong jSlotID) -{ - CK_SLOT_ID ckSlotID; - CK_SLOT_INFO ckSlotInfo; - jobject jSlotInfoObject=NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSlotID = jLongToCKULong(jSlotID); - - rv = (*ckpFunctions->C_GetSlotInfo)(ckSlotID, &ckSlotInfo); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jSlotInfoObject = ckSlotInfoPtrToJSlotInfo(env, &ckSlotInfo); - } - return jSlotInfoObject; -} - -/* - * converts a pointer to a CK_SLOT_INFO structure into a Java CK_SLOT_INFO - * Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpSlotInfo - the pointer to the CK_SLOT_INFO structure - * @return - the new Java CK_SLOT_INFO object - */ -jobject -ckSlotInfoPtrToJSlotInfo -(JNIEnv *env, const CK_SLOT_INFO_PTR ckpSlotInfo) -{ - jclass jSlotInfoClass; - jmethodID jCtrId; - jobject jSlotInfoObject; - jcharArray jSlotDesc; - jcharArray jVendor; - jlong jFlags; - jobject jHardwareVer; - jobject jFirmwareVer; - - /* load CK_SLOT_INFO class */ - jSlotInfoClass = (*env)->FindClass(env, CLASS_SLOT_INFO); - if (jSlotInfoClass == NULL) { return NULL; }; - - /* load CK_SLOT_INFO constructor */ - jCtrId = (*env)->GetMethodID - (env, jSlotInfoClass, "", - "([C[CJLsun/security/pkcs11/wrapper/CK_VERSION;Lsun/security/pkcs11/wrapper/CK_VERSION;)V"); - if (jCtrId == NULL) { return NULL; } - - /* prep all fields */ - jSlotDesc = - ckUTF8CharArrayToJCharArray(env, &(ckpSlotInfo->slotDescription[0]), 64); - if (jSlotDesc == NULL) { return NULL; } - jVendor = - ckUTF8CharArrayToJCharArray(env, &(ckpSlotInfo->manufacturerID[0]), 32); - if (jVendor == NULL) { return NULL; } - jFlags = ckULongToJLong(ckpSlotInfo->flags); - jHardwareVer = ckVersionPtrToJVersion(env, &(ckpSlotInfo->hardwareVersion)); - if (jHardwareVer == NULL) { return NULL; } - jFirmwareVer = ckVersionPtrToJVersion(env, &(ckpSlotInfo->firmwareVersion)); - if (jFirmwareVer == NULL) { return NULL; } - - /* create new CK_SLOT_INFO object */ - jSlotInfoObject = (*env)->NewObject - (env, jSlotInfoClass, jCtrId, jSlotDesc, jVendor, jFlags, - jHardwareVer, jFirmwareVer); - if (jSlotInfoObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jSlotInfoClass); - (*env)->DeleteLocalRef(env, jSlotDesc); - (*env)->DeleteLocalRef(env, jVendor); - (*env)->DeleteLocalRef(env, jHardwareVer); - (*env)->DeleteLocalRef(env, jFirmwareVer); - - return jSlotInfoObject ; -} - -#endif - -#ifdef P11_ENABLE_C_GETTOKENINFO -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetTokenInfo - * Signature: (J)Lsun/security/pkcs11/wrapper/CK_TOKEN_INFO; - * Parametermapping: *PKCS11* - * @param jlong jSlotID CK_SLOT_ID slotID - * @return jobject jInfoTokenObject CK_TOKEN_INFO_PTR pInfo - */ -JNIEXPORT jobject JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetTokenInfo -(JNIEnv *env, jobject obj, jlong jSlotID) -{ - CK_SLOT_ID ckSlotID; - CK_TOKEN_INFO ckTokenInfo; - jobject jInfoTokenObject = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSlotID = jLongToCKULong(jSlotID); - - rv = (*ckpFunctions->C_GetTokenInfo)(ckSlotID, &ckTokenInfo); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jInfoTokenObject = ckTokenInfoPtrToJTokenInfo(env, &ckTokenInfo); - } - return jInfoTokenObject ; -} - -/* - * converts a pointer to a CK_TOKEN_INFO structure into a Java CK_TOKEN_INFO - * Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpTokenInfo - the pointer to the CK_TOKEN_INFO structure - * @return - the new Java CK_TOKEN_INFO object - */ -jobject -ckTokenInfoPtrToJTokenInfo -(JNIEnv *env, const CK_TOKEN_INFO_PTR ckpTokenInfo) -{ - jclass jTokenInfoClass; - jmethodID jCtrId; - jobject jTokenInfoObject; - jcharArray jLabel; - jcharArray jVendor; - jcharArray jModel; - jcharArray jSerialNo; - jlong jFlags; - jlong jMaxSnCnt; - jlong jSnCnt; - jlong jMaxRwSnCnt; - jlong jRwSnCnt; - jlong jMaxPinLen; - jlong jMinPinLen; - jlong jTotalPubMem; - jlong jFreePubMem; - jlong jTotalPrivMem; - jlong jFreePrivMem; - jobject jHardwareVer; - jobject jFirmwareVer; - jcharArray jUtcTime; - - /* load CK_TOKEN_INFO class */ - jTokenInfoClass = (*env)->FindClass(env, CLASS_TOKEN_INFO); - if (jTokenInfoClass == NULL) { return NULL; }; - - /* load CK_TOKEN_INFO constructor */ - jCtrId = (*env)->GetMethodID - (env, jTokenInfoClass, "", - "([C[C[C[CJJJJJJJJJJJLsun/security/pkcs11/wrapper/CK_VERSION;Lsun/security/pkcs11/wrapper/CK_VERSION;[C)V"); - if (jCtrId == NULL) { return NULL; }; - - /* prep all fields */ - jLabel = ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->label[0]), 32); - if (jLabel == NULL) { return NULL; }; - jVendor = - ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->manufacturerID[0]), 32); - if (jVendor == NULL) { return NULL; }; - jModel = ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->model[0]), 16); - if (jModel == NULL) { return NULL; }; - jSerialNo = - ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->serialNumber[0]), 16); - if (jSerialNo == NULL) { return NULL; }; - jFlags = ckULongToJLong(ckpTokenInfo->flags); - jMaxSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulMaxSessionCount); - jSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulSessionCount); - jMaxRwSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulMaxRwSessionCount); - jRwSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulRwSessionCount); - jMaxPinLen = ckULongToJLong(ckpTokenInfo->ulMaxPinLen); - jMinPinLen = ckULongToJLong(ckpTokenInfo->ulMinPinLen); - jTotalPubMem = ckULongSpecialToJLong(ckpTokenInfo->ulTotalPublicMemory); - jFreePubMem = ckULongSpecialToJLong(ckpTokenInfo->ulFreePublicMemory); - jTotalPrivMem = ckULongSpecialToJLong(ckpTokenInfo->ulTotalPrivateMemory); - jFreePrivMem = ckULongSpecialToJLong(ckpTokenInfo->ulFreePrivateMemory); - jHardwareVer = - ckVersionPtrToJVersion(env, &(ckpTokenInfo->hardwareVersion)); - if (jHardwareVer == NULL) { return NULL; } - jFirmwareVer = - ckVersionPtrToJVersion(env, &(ckpTokenInfo->firmwareVersion)); - if (jFirmwareVer == NULL) { return NULL; } - jUtcTime = - ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->utcTime[0]), 16); - if (jUtcTime == NULL) { return NULL; } - - /* create new CK_TOKEN_INFO object */ - jTokenInfoObject = - (*env)->NewObject(env, jTokenInfoClass, jCtrId, jLabel, jVendor, jModel, - jSerialNo, jFlags, - jMaxSnCnt, jSnCnt, jMaxRwSnCnt, jRwSnCnt, - jMaxPinLen, jMinPinLen, - jTotalPubMem, jFreePubMem, jTotalPrivMem, jFreePrivMem, - jHardwareVer, jFirmwareVer, jUtcTime); - if (jTokenInfoObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jTokenInfoClass); - (*env)->DeleteLocalRef(env, jLabel); - (*env)->DeleteLocalRef(env, jVendor); - (*env)->DeleteLocalRef(env, jModel); - (*env)->DeleteLocalRef(env, jSerialNo); - (*env)->DeleteLocalRef(env, jHardwareVer); - (*env)->DeleteLocalRef(env, jFirmwareVer); - - return jTokenInfoObject ; -} -#endif - -#ifdef P11_ENABLE_C_WAITFORSLOTEVENT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_WaitForSlotEvent - * Signature: (JLjava/lang/Object;)J - * Parametermapping: *PKCS11* - * @param jlong jFlags CK_FLAGS flags - * @param jobject jReserved CK_VOID_PTR pReserved - * @return jlong jSlotID CK_SLOT_ID_PTR pSlot - */ -JNIEXPORT jlong JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1WaitForSlotEvent -(JNIEnv *env, jobject obj, jlong jFlags, jobject jReserved) -{ - CK_FLAGS ckFlags; - CK_SLOT_ID ckSlotID; - jlong jSlotID = 0L; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0L; } - - ckFlags = jLongToCKULong(jFlags); - - rv = (*ckpFunctions->C_WaitForSlotEvent)(ckFlags, &ckSlotID, NULL_PTR); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jSlotID = ckULongToJLong(ckSlotID); - } - - return jSlotID ; -} -#endif - -#ifdef P11_ENABLE_C_GETMECHANISMLIST -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetMechanismList - * Signature: (J)[J - * Parametermapping: *PKCS11* - * @param jlong jSlotID CK_SLOT_ID slotID - * @return jlongArray jMechanismList CK_MECHANISM_TYPE_PTR pMechanismList - * CK_ULONG_PTR pulCount - */ -JNIEXPORT jlongArray JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetMechanismList -(JNIEnv *env, jobject obj, jlong jSlotID) -{ - CK_SLOT_ID ckSlotID; - CK_ULONG ckMechanismNumber; - CK_MECHANISM_TYPE_PTR ckpMechanismList; - jlongArray jMechanismList = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSlotID = jLongToCKULong(jSlotID); - - rv = (*ckpFunctions->C_GetMechanismList)(ckSlotID, NULL_PTR, - &ckMechanismNumber); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } - - ckpMechanismList = (CK_MECHANISM_TYPE_PTR) - malloc(ckMechanismNumber * sizeof(CK_MECHANISM_TYPE)); - if (ckpMechanismList == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_GetMechanismList)(ckSlotID, ckpMechanismList, - &ckMechanismNumber); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jMechanismList = ckULongArrayToJLongArray(env, ckpMechanismList, - ckMechanismNumber); - } - free(ckpMechanismList); - - return jMechanismList ; -} -#endif - -#ifdef P11_ENABLE_C_GETMECHANISMINFO -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetMechanismInfo - * Signature: (JJ)Lsun/security/pkcs11/wrapper/CK_MECHANISM_INFO; - * Parametermapping: *PKCS11* - * @param jlong jSlotID CK_SLOT_ID slotID - * @param jlong jType CK_MECHANISM_TYPE type - * @return jobject jMechanismInfo CK_MECHANISM_INFO_PTR pInfo - */ -JNIEXPORT jobject JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetMechanismInfo -(JNIEnv *env, jobject obj, jlong jSlotID, jlong jType) -{ - CK_SLOT_ID ckSlotID; - CK_MECHANISM_TYPE ckMechanismType; - CK_MECHANISM_INFO ckMechanismInfo; - jobject jMechanismInfo = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSlotID = jLongToCKULong(jSlotID); - ckMechanismType = jLongToCKULong(jType); - - rv = (*ckpFunctions->C_GetMechanismInfo)(ckSlotID, ckMechanismType, - &ckMechanismInfo); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jMechanismInfo = ckMechanismInfoPtrToJMechanismInfo(env, &ckMechanismInfo); - } - return jMechanismInfo ; -} - -/* - * converts a pointer to a CK_MECHANISM_INFO structure into a Java - * CK_MECHANISM_INFO Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpMechanismInfo - the pointer to the CK_MECHANISM_INFO structure - * @return - the new Java CK_MECHANISM_INFO object - */ -jobject -ckMechanismInfoPtrToJMechanismInfo -(JNIEnv *env, const CK_MECHANISM_INFO_PTR ckpMechanismInfo) -{ - - jclass jMechanismInfoClass; - jmethodID jCtrId; - jobject jMechanismInfoObject; - jlong jMinKeySize; - jlong jMaxKeySize; - jlong jFlags; - - /* load CK_MECHANISM_INFO class */ - jMechanismInfoClass = (*env)->FindClass(env, CLASS_MECHANISM_INFO); - if (jMechanismInfoClass == NULL) { return NULL; }; - - /* load CK_MECHANISM_INFO constructor */ - jCtrId = (*env)->GetMethodID(env, jMechanismInfoClass, "", "(JJJ)V"); - if (jCtrId == NULL) { return NULL; }; - - /* prep all fields */ - jMinKeySize = ckULongToJLong(ckpMechanismInfo->ulMinKeySize); - jMaxKeySize = ckULongToJLong(ckpMechanismInfo->ulMaxKeySize); - jFlags = ckULongToJLong(ckpMechanismInfo->flags); - - /* create new CK_MECHANISM_INFO object */ - jMechanismInfoObject = (*env)->NewObject(env, jMechanismInfoClass, jCtrId, - jMinKeySize, jMaxKeySize, jFlags); - if (jMechanismInfoObject == NULL) { return NULL; }; - - /* free local references */ - (*env)->DeleteLocalRef(env, jMechanismInfoClass); - - return jMechanismInfoObject ; -} -#endif - -#ifdef P11_ENABLE_C_INITTOKEN -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_InitToken - * Signature: (J[C[C)V - * Parametermapping: *PKCS11* - * @param jlong jSlotID CK_SLOT_ID slotID - * @param jcharArray jPin CK_CHAR_PTR pPin - * CK_ULONG ulPinLen - * @param jcharArray jLabel CK_UTF8CHAR_PTR pLabel - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1InitToken -(JNIEnv *env, jobject obj, jlong jSlotID, jcharArray jPin, jcharArray jLabel) -{ - CK_SLOT_ID ckSlotID; - CK_CHAR_PTR ckpPin = NULL_PTR; - CK_UTF8CHAR_PTR ckpLabel = NULL_PTR; - CK_ULONG ckPinLength; - CK_ULONG ckLabelLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSlotID = jLongToCKULong(jSlotID); - jCharArrayToCKCharArray(env, jPin, &ckpPin, &ckPinLength); - if ((*env)->ExceptionCheck(env)) { return; } - /* ckLabelLength <= 32 !!! */ - jCharArrayToCKUTF8CharArray(env, jLabel, &ckpLabel, &ckLabelLength); - if ((*env)->ExceptionCheck(env)) { - free(ckpPin); - return; - } - - rv = (*ckpFunctions->C_InitToken)(ckSlotID, ckpPin, ckPinLength, ckpLabel); - TRACE1("InitToken return code: %d", rv); - - free(ckpPin); - free(ckpLabel); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_INITPIN -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_InitPIN - * Signature: (J[C)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE - * @param jcharArray jPin CK_CHAR_PTR pPin - * CK_ULONG ulPinLen - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1InitPIN -(JNIEnv *env, jobject obj, jlong jSessionHandle, jcharArray jPin) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_CHAR_PTR ckpPin = NULL_PTR; - CK_ULONG ckPinLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jCharArrayToCKCharArray(env, jPin, &ckpPin, &ckPinLength); - if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_InitPIN)(ckSessionHandle, ckpPin, ckPinLength); - - free(ckpPin); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_SETPIN -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SetPIN - * Signature: (J[C[C)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jcharArray jOldPin CK_CHAR_PTR pOldPin - * CK_ULONG ulOldLen - * @param jcharArray jNewPin CK_CHAR_PTR pNewPin - * CK_ULONG ulNewLen - */ -JNIEXPORT void JNICALL -Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetPIN -(JNIEnv *env, jobject obj, jlong jSessionHandle, jcharArray jOldPin, -jcharArray jNewPin) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_CHAR_PTR ckpOldPin = NULL_PTR; - CK_CHAR_PTR ckpNewPin = NULL_PTR; - CK_ULONG ckOldPinLength; - CK_ULONG ckNewPinLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jCharArrayToCKCharArray(env, jOldPin, &ckpOldPin, &ckOldPinLength); - if ((*env)->ExceptionCheck(env)) { return; } - jCharArrayToCKCharArray(env, jNewPin, &ckpNewPin, &ckNewPinLength); - if ((*env)->ExceptionCheck(env)) { - free(ckpOldPin); - return; - } - - rv = (*ckpFunctions->C_SetPIN)(ckSessionHandle, ckpOldPin, ckOldPinLength, - ckpNewPin, ckNewPinLength); - - free(ckpOldPin); - free(ckpNewPin); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_general.c 2017-01-20 09:52:56.670288264 -0800 @@ -0,0 +1,881 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +/* declare file private functions */ + +void prefetchFields(JNIEnv *env, jclass thisClass); +jobject ckInfoPtrToJInfo(JNIEnv *env, const CK_INFO_PTR ckpInfo); +jobject ckSlotInfoPtrToJSlotInfo(JNIEnv *env, const CK_SLOT_INFO_PTR ckpSlotInfo); +jobject ckTokenInfoPtrToJTokenInfo(JNIEnv *env, const CK_TOKEN_INFO_PTR ckpTokenInfo); +jobject ckMechanismInfoPtrToJMechanismInfo(JNIEnv *env, const CK_MECHANISM_INFO_PTR ckpMechanismInfo); + +/* define variables */ + +jfieldID pNativeDataID; +jfieldID mech_mechanismID; +jfieldID mech_pParameterID; + +jclass jByteArrayClass; +jclass jLongClass; + +JavaVM* jvm = NULL; + +jboolean debug = 0; + +JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) { + jvm = vm; + return JNI_VERSION_1_4; +} + +/* ************************************************************************** */ +/* The native implementation of the methods of the PKCS11Implementation class */ +/* ************************************************************************** */ + +/* + * This method is used to do static initialization. This method is static and + * synchronized. Summary: use this method like a static initialization block. + * + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: initializeLibrary + * Signature: ()V + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_initializeLibrary +(JNIEnv *env, jclass thisClass, jboolean enableDebug) +{ +#ifndef NO_CALLBACKS + if (notifyListLock == NULL) { + notifyListLock = createLockObject(env); + } +#endif + + prefetchFields(env, thisClass); + debug = enableDebug; +} + +jclass fetchClass(JNIEnv *env, const char *name) { + jclass tmpClass = (*env)->FindClass(env, name); + if (tmpClass == NULL) { return NULL; } + return (*env)->NewGlobalRef(env, tmpClass); +} + +void prefetchFields(JNIEnv *env, jclass thisClass) { + jclass tmpClass; + + /* PKCS11 */ + pNativeDataID = (*env)->GetFieldID(env, thisClass, "pNativeData", "J"); + if (pNativeDataID == NULL) { return; } + + /* CK_MECHANISM */ + tmpClass = (*env)->FindClass(env, CLASS_MECHANISM); + if (tmpClass == NULL) { return; } + mech_mechanismID = (*env)->GetFieldID(env, tmpClass, "mechanism", "J"); + if (mech_mechanismID == NULL) { return; } + mech_pParameterID = (*env)->GetFieldID(env, tmpClass, "pParameter", + "Ljava/lang/Object;"); + if (mech_pParameterID == NULL) { return; } + jByteArrayClass = fetchClass(env, "[B"); + if (jByteArrayClass == NULL) { return; } + jLongClass = fetchClass(env, "java/lang/Long"); +} + +/* This method is designed to do a clean-up. It releases all global resources + * of this library. By now, this function is not called. Calling from + * JNI_OnUnload would be an option, but some VMs do not support JNI_OnUnload. + * + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: finalizeLibrary + * Signature: ()V + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_finalizeLibrary +(JNIEnv *env, jclass thisClass) +{ +/* XXX + * remove all left lists and release the resources and the lock + * objects that synchroniz access to these lists. + * + removeAllModuleEntries(env); + if (moduleListHead == NULL) { * check, if we removed the last active module * + * remove also the moduleListLock, it is no longer used * + if (moduleListLock != NULL) { + destroyLockObject(env, moduleListLock); + moduleListLock = NULL; + } +#ifndef NO_CALLBACKS + * remove all left notify callback entries * + while (removeFirstNotifyEntry(env)); + * remove also the notifyListLock, it is no longer used * + if (notifyListLock != NULL) { + destroyLockObject(env, notifyListLock); + notifyListLock = NULL; + } + if (jInitArgsObject != NULL) { + (*env)->DeleteGlobalRef(env, jInitArgsObject); + } + if (ckpGlobalInitArgs != NULL_PTR) { + free(ckpGlobalInitArgs); + } +#endif * NO_CALLBACKS * + } +*/ +} + +#ifdef P11_ENABLE_C_INITIALIZE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Initialize + * Signature: (Ljava/lang/Object;)V + * Parametermapping: *PKCS11* + * @param jobject jInitArgs CK_VOID_PTR pInitArgs + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1Initialize +(JNIEnv *env, jobject obj, jobject jInitArgs) +{ + /* + * Initalize Cryptoki + */ + CK_C_INITIALIZE_ARGS_PTR ckpInitArgs; + CK_RV rv; + CK_FUNCTION_LIST_PTR ckpFunctions; + + TRACE0("DEBUG: initializing module... "); + + ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { + TRACE0("failed getting module entry"); + return; + } + + ckpInitArgs = (jInitArgs != NULL) + ? makeCKInitArgsAdapter(env, jInitArgs) + : NULL_PTR; + + rv = (*ckpFunctions->C_Initialize)(ckpInitArgs); + + free(ckpInitArgs); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } + + TRACE0("FINISHED\n"); +} +#endif + +#ifdef P11_ENABLE_C_FINALIZE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Finalize + * Signature: (Ljava/lang/Object;)V + * Parametermapping: *PKCS11* + * @param jobject jReserved CK_VOID_PTR pReserved + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1Finalize +(JNIEnv *env, jobject obj, jobject jReserved) +{ + /* + * Finalize Cryptoki + */ + CK_VOID_PTR ckpReserved; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckpReserved = jObjectToCKVoidPtr(jReserved); + + rv = (*ckpFunctions->C_Finalize)(ckpReserved); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_GETINFO +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetInfo + * Signature: ()Lsun/security/pkcs11/wrapper/CK_INFO; + * Parametermapping: *PKCS11* + * @return jobject jInfoObject CK_INFO_PTR pInfo + */ +JNIEXPORT jobject JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetInfo +(JNIEnv *env, jobject obj) +{ + CK_INFO ckLibInfo; + jobject jInfoObject=NULL; + CK_RV rv; + CK_FUNCTION_LIST_PTR ckpFunctions; + memset(&ckLibInfo, 0, sizeof(CK_INFO)); + + ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + rv = (*ckpFunctions->C_GetInfo)(&ckLibInfo); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jInfoObject = ckInfoPtrToJInfo(env, &ckLibInfo); + } + return jInfoObject ; +} + +/* + * converts a pointer to a CK_INFO structure into a Java CK_INFO Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpInfo - the pointer to the CK_INFO structure + * @return - the new Java CK_INFO object + */ +jobject ckInfoPtrToJInfo(JNIEnv *env, const CK_INFO_PTR ckpInfo) +{ + jclass jInfoClass; + jmethodID jCtrId; + jobject jInfoObject; + jobject jCryptokiVer; + jcharArray jVendor; + jlong jFlags; + jcharArray jLibraryDesc; + jobject jLibraryVer; + + /* load CK_INFO class */ + jInfoClass = (*env)->FindClass(env, CLASS_INFO); + if (jInfoClass == NULL) { return NULL; }; + + /* load CK_INFO constructor */ + jCtrId = (*env)->GetMethodID + (env, jInfoClass, "", + "(Lsun/security/pkcs11/wrapper/CK_VERSION;[CJ[CLsun/security/pkcs11/wrapper/CK_VERSION;)V"); + if (jCtrId == NULL) { return NULL; } + + /* prep all fields */ + jCryptokiVer = ckVersionPtrToJVersion(env, &(ckpInfo->cryptokiVersion)); + if (jCryptokiVer == NULL) { return NULL; } + jVendor = + ckUTF8CharArrayToJCharArray(env, &(ckpInfo->manufacturerID[0]), 32); + if (jVendor == NULL) { return NULL; } + jFlags = ckULongToJLong(ckpInfo->flags); + jLibraryDesc = + ckUTF8CharArrayToJCharArray(env, &(ckpInfo->libraryDescription[0]), 32); + if (jLibraryDesc == NULL) { return NULL; } + jLibraryVer = ckVersionPtrToJVersion(env, &(ckpInfo->libraryVersion)); + if (jLibraryVer == NULL) { return NULL; } + + /* create new CK_INFO object */ + jInfoObject = (*env)->NewObject(env, jInfoClass, jCtrId, jCryptokiVer, + jVendor, jFlags, jLibraryDesc, jLibraryVer); + if (jInfoObject == NULL) { return NULL; } + + /* free local references */ + (*env)->DeleteLocalRef(env, jInfoClass); + (*env)->DeleteLocalRef(env, jCryptokiVer); + (*env)->DeleteLocalRef(env, jVendor); + (*env)->DeleteLocalRef(env, jLibraryDesc); + (*env)->DeleteLocalRef(env, jLibraryVer); + + return jInfoObject ; +} +#endif + +#ifdef P11_ENABLE_C_GETSLOTLIST +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetSlotList + * Signature: (Z)[J + * Parametermapping: *PKCS11* + * @param jboolean jTokenPresent CK_BBOOL tokenPresent + * @return jlongArray jSlotList CK_SLOT_ID_PTR pSlotList + * CK_ULONG_PTR pulCount + */ +JNIEXPORT jlongArray JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSlotList +(JNIEnv *env, jobject obj, jboolean jTokenPresent) +{ + CK_ULONG ckTokenNumber; + CK_SLOT_ID_PTR ckpSlotList; + CK_BBOOL ckTokenPresent; + jlongArray jSlotList = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckTokenPresent = jBooleanToCKBBool(jTokenPresent); + + rv = (*ckpFunctions->C_GetSlotList)(ckTokenPresent, NULL_PTR, + &ckTokenNumber); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } + + ckpSlotList = (CK_SLOT_ID_PTR) malloc(ckTokenNumber * sizeof(CK_SLOT_ID)); + if (ckpSlotList == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_GetSlotList)(ckTokenPresent, ckpSlotList, + &ckTokenNumber); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jSlotList = ckULongArrayToJLongArray(env, ckpSlotList, ckTokenNumber); + } + free(ckpSlotList); + + return jSlotList ; +} +#endif + +#ifdef P11_ENABLE_C_GETSLOTINFO +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetSlotInfo + * Signature: (J)Lsun/security/pkcs11/wrapper/CK_SLOT_INFO; + * Parametermapping: *PKCS11* + * @param jlong jSlotID CK_SLOT_ID slotID + * @return jobject jSlotInfoObject CK_SLOT_INFO_PTR pInfo + */ +JNIEXPORT jobject JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSlotInfo +(JNIEnv *env, jobject obj, jlong jSlotID) +{ + CK_SLOT_ID ckSlotID; + CK_SLOT_INFO ckSlotInfo; + jobject jSlotInfoObject=NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSlotID = jLongToCKULong(jSlotID); + + rv = (*ckpFunctions->C_GetSlotInfo)(ckSlotID, &ckSlotInfo); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jSlotInfoObject = ckSlotInfoPtrToJSlotInfo(env, &ckSlotInfo); + } + return jSlotInfoObject; +} + +/* + * converts a pointer to a CK_SLOT_INFO structure into a Java CK_SLOT_INFO + * Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpSlotInfo - the pointer to the CK_SLOT_INFO structure + * @return - the new Java CK_SLOT_INFO object + */ +jobject +ckSlotInfoPtrToJSlotInfo +(JNIEnv *env, const CK_SLOT_INFO_PTR ckpSlotInfo) +{ + jclass jSlotInfoClass; + jmethodID jCtrId; + jobject jSlotInfoObject; + jcharArray jSlotDesc; + jcharArray jVendor; + jlong jFlags; + jobject jHardwareVer; + jobject jFirmwareVer; + + /* load CK_SLOT_INFO class */ + jSlotInfoClass = (*env)->FindClass(env, CLASS_SLOT_INFO); + if (jSlotInfoClass == NULL) { return NULL; }; + + /* load CK_SLOT_INFO constructor */ + jCtrId = (*env)->GetMethodID + (env, jSlotInfoClass, "", + "([C[CJLsun/security/pkcs11/wrapper/CK_VERSION;Lsun/security/pkcs11/wrapper/CK_VERSION;)V"); + if (jCtrId == NULL) { return NULL; } + + /* prep all fields */ + jSlotDesc = + ckUTF8CharArrayToJCharArray(env, &(ckpSlotInfo->slotDescription[0]), 64); + if (jSlotDesc == NULL) { return NULL; } + jVendor = + ckUTF8CharArrayToJCharArray(env, &(ckpSlotInfo->manufacturerID[0]), 32); + if (jVendor == NULL) { return NULL; } + jFlags = ckULongToJLong(ckpSlotInfo->flags); + jHardwareVer = ckVersionPtrToJVersion(env, &(ckpSlotInfo->hardwareVersion)); + if (jHardwareVer == NULL) { return NULL; } + jFirmwareVer = ckVersionPtrToJVersion(env, &(ckpSlotInfo->firmwareVersion)); + if (jFirmwareVer == NULL) { return NULL; } + + /* create new CK_SLOT_INFO object */ + jSlotInfoObject = (*env)->NewObject + (env, jSlotInfoClass, jCtrId, jSlotDesc, jVendor, jFlags, + jHardwareVer, jFirmwareVer); + if (jSlotInfoObject == NULL) { return NULL; } + + /* free local references */ + (*env)->DeleteLocalRef(env, jSlotInfoClass); + (*env)->DeleteLocalRef(env, jSlotDesc); + (*env)->DeleteLocalRef(env, jVendor); + (*env)->DeleteLocalRef(env, jHardwareVer); + (*env)->DeleteLocalRef(env, jFirmwareVer); + + return jSlotInfoObject ; +} + +#endif + +#ifdef P11_ENABLE_C_GETTOKENINFO +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetTokenInfo + * Signature: (J)Lsun/security/pkcs11/wrapper/CK_TOKEN_INFO; + * Parametermapping: *PKCS11* + * @param jlong jSlotID CK_SLOT_ID slotID + * @return jobject jInfoTokenObject CK_TOKEN_INFO_PTR pInfo + */ +JNIEXPORT jobject JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetTokenInfo +(JNIEnv *env, jobject obj, jlong jSlotID) +{ + CK_SLOT_ID ckSlotID; + CK_TOKEN_INFO ckTokenInfo; + jobject jInfoTokenObject = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSlotID = jLongToCKULong(jSlotID); + + rv = (*ckpFunctions->C_GetTokenInfo)(ckSlotID, &ckTokenInfo); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jInfoTokenObject = ckTokenInfoPtrToJTokenInfo(env, &ckTokenInfo); + } + return jInfoTokenObject ; +} + +/* + * converts a pointer to a CK_TOKEN_INFO structure into a Java CK_TOKEN_INFO + * Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpTokenInfo - the pointer to the CK_TOKEN_INFO structure + * @return - the new Java CK_TOKEN_INFO object + */ +jobject +ckTokenInfoPtrToJTokenInfo +(JNIEnv *env, const CK_TOKEN_INFO_PTR ckpTokenInfo) +{ + jclass jTokenInfoClass; + jmethodID jCtrId; + jobject jTokenInfoObject; + jcharArray jLabel; + jcharArray jVendor; + jcharArray jModel; + jcharArray jSerialNo; + jlong jFlags; + jlong jMaxSnCnt; + jlong jSnCnt; + jlong jMaxRwSnCnt; + jlong jRwSnCnt; + jlong jMaxPinLen; + jlong jMinPinLen; + jlong jTotalPubMem; + jlong jFreePubMem; + jlong jTotalPrivMem; + jlong jFreePrivMem; + jobject jHardwareVer; + jobject jFirmwareVer; + jcharArray jUtcTime; + + /* load CK_TOKEN_INFO class */ + jTokenInfoClass = (*env)->FindClass(env, CLASS_TOKEN_INFO); + if (jTokenInfoClass == NULL) { return NULL; }; + + /* load CK_TOKEN_INFO constructor */ + jCtrId = (*env)->GetMethodID + (env, jTokenInfoClass, "", + "([C[C[C[CJJJJJJJJJJJLsun/security/pkcs11/wrapper/CK_VERSION;Lsun/security/pkcs11/wrapper/CK_VERSION;[C)V"); + if (jCtrId == NULL) { return NULL; }; + + /* prep all fields */ + jLabel = ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->label[0]), 32); + if (jLabel == NULL) { return NULL; }; + jVendor = + ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->manufacturerID[0]), 32); + if (jVendor == NULL) { return NULL; }; + jModel = ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->model[0]), 16); + if (jModel == NULL) { return NULL; }; + jSerialNo = + ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->serialNumber[0]), 16); + if (jSerialNo == NULL) { return NULL; }; + jFlags = ckULongToJLong(ckpTokenInfo->flags); + jMaxSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulMaxSessionCount); + jSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulSessionCount); + jMaxRwSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulMaxRwSessionCount); + jRwSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulRwSessionCount); + jMaxPinLen = ckULongToJLong(ckpTokenInfo->ulMaxPinLen); + jMinPinLen = ckULongToJLong(ckpTokenInfo->ulMinPinLen); + jTotalPubMem = ckULongSpecialToJLong(ckpTokenInfo->ulTotalPublicMemory); + jFreePubMem = ckULongSpecialToJLong(ckpTokenInfo->ulFreePublicMemory); + jTotalPrivMem = ckULongSpecialToJLong(ckpTokenInfo->ulTotalPrivateMemory); + jFreePrivMem = ckULongSpecialToJLong(ckpTokenInfo->ulFreePrivateMemory); + jHardwareVer = + ckVersionPtrToJVersion(env, &(ckpTokenInfo->hardwareVersion)); + if (jHardwareVer == NULL) { return NULL; } + jFirmwareVer = + ckVersionPtrToJVersion(env, &(ckpTokenInfo->firmwareVersion)); + if (jFirmwareVer == NULL) { return NULL; } + jUtcTime = + ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->utcTime[0]), 16); + if (jUtcTime == NULL) { return NULL; } + + /* create new CK_TOKEN_INFO object */ + jTokenInfoObject = + (*env)->NewObject(env, jTokenInfoClass, jCtrId, jLabel, jVendor, jModel, + jSerialNo, jFlags, + jMaxSnCnt, jSnCnt, jMaxRwSnCnt, jRwSnCnt, + jMaxPinLen, jMinPinLen, + jTotalPubMem, jFreePubMem, jTotalPrivMem, jFreePrivMem, + jHardwareVer, jFirmwareVer, jUtcTime); + if (jTokenInfoObject == NULL) { return NULL; } + + /* free local references */ + (*env)->DeleteLocalRef(env, jTokenInfoClass); + (*env)->DeleteLocalRef(env, jLabel); + (*env)->DeleteLocalRef(env, jVendor); + (*env)->DeleteLocalRef(env, jModel); + (*env)->DeleteLocalRef(env, jSerialNo); + (*env)->DeleteLocalRef(env, jHardwareVer); + (*env)->DeleteLocalRef(env, jFirmwareVer); + + return jTokenInfoObject ; +} +#endif + +#ifdef P11_ENABLE_C_WAITFORSLOTEVENT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_WaitForSlotEvent + * Signature: (JLjava/lang/Object;)J + * Parametermapping: *PKCS11* + * @param jlong jFlags CK_FLAGS flags + * @param jobject jReserved CK_VOID_PTR pReserved + * @return jlong jSlotID CK_SLOT_ID_PTR pSlot + */ +JNIEXPORT jlong JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1WaitForSlotEvent +(JNIEnv *env, jobject obj, jlong jFlags, jobject jReserved) +{ + CK_FLAGS ckFlags; + CK_SLOT_ID ckSlotID; + jlong jSlotID = 0L; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0L; } + + ckFlags = jLongToCKULong(jFlags); + + rv = (*ckpFunctions->C_WaitForSlotEvent)(ckFlags, &ckSlotID, NULL_PTR); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jSlotID = ckULongToJLong(ckSlotID); + } + + return jSlotID ; +} +#endif + +#ifdef P11_ENABLE_C_GETMECHANISMLIST +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetMechanismList + * Signature: (J)[J + * Parametermapping: *PKCS11* + * @param jlong jSlotID CK_SLOT_ID slotID + * @return jlongArray jMechanismList CK_MECHANISM_TYPE_PTR pMechanismList + * CK_ULONG_PTR pulCount + */ +JNIEXPORT jlongArray JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetMechanismList +(JNIEnv *env, jobject obj, jlong jSlotID) +{ + CK_SLOT_ID ckSlotID; + CK_ULONG ckMechanismNumber; + CK_MECHANISM_TYPE_PTR ckpMechanismList; + jlongArray jMechanismList = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSlotID = jLongToCKULong(jSlotID); + + rv = (*ckpFunctions->C_GetMechanismList)(ckSlotID, NULL_PTR, + &ckMechanismNumber); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } + + ckpMechanismList = (CK_MECHANISM_TYPE_PTR) + malloc(ckMechanismNumber * sizeof(CK_MECHANISM_TYPE)); + if (ckpMechanismList == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_GetMechanismList)(ckSlotID, ckpMechanismList, + &ckMechanismNumber); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jMechanismList = ckULongArrayToJLongArray(env, ckpMechanismList, + ckMechanismNumber); + } + free(ckpMechanismList); + + return jMechanismList ; +} +#endif + +#ifdef P11_ENABLE_C_GETMECHANISMINFO +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetMechanismInfo + * Signature: (JJ)Lsun/security/pkcs11/wrapper/CK_MECHANISM_INFO; + * Parametermapping: *PKCS11* + * @param jlong jSlotID CK_SLOT_ID slotID + * @param jlong jType CK_MECHANISM_TYPE type + * @return jobject jMechanismInfo CK_MECHANISM_INFO_PTR pInfo + */ +JNIEXPORT jobject JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetMechanismInfo +(JNIEnv *env, jobject obj, jlong jSlotID, jlong jType) +{ + CK_SLOT_ID ckSlotID; + CK_MECHANISM_TYPE ckMechanismType; + CK_MECHANISM_INFO ckMechanismInfo; + jobject jMechanismInfo = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSlotID = jLongToCKULong(jSlotID); + ckMechanismType = jLongToCKULong(jType); + + rv = (*ckpFunctions->C_GetMechanismInfo)(ckSlotID, ckMechanismType, + &ckMechanismInfo); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jMechanismInfo = ckMechanismInfoPtrToJMechanismInfo(env, &ckMechanismInfo); + } + return jMechanismInfo ; +} + +/* + * converts a pointer to a CK_MECHANISM_INFO structure into a Java + * CK_MECHANISM_INFO Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpMechanismInfo - the pointer to the CK_MECHANISM_INFO structure + * @return - the new Java CK_MECHANISM_INFO object + */ +jobject +ckMechanismInfoPtrToJMechanismInfo +(JNIEnv *env, const CK_MECHANISM_INFO_PTR ckpMechanismInfo) +{ + + jclass jMechanismInfoClass; + jmethodID jCtrId; + jobject jMechanismInfoObject; + jlong jMinKeySize; + jlong jMaxKeySize; + jlong jFlags; + + /* load CK_MECHANISM_INFO class */ + jMechanismInfoClass = (*env)->FindClass(env, CLASS_MECHANISM_INFO); + if (jMechanismInfoClass == NULL) { return NULL; }; + + /* load CK_MECHANISM_INFO constructor */ + jCtrId = (*env)->GetMethodID(env, jMechanismInfoClass, "", "(JJJ)V"); + if (jCtrId == NULL) { return NULL; }; + + /* prep all fields */ + jMinKeySize = ckULongToJLong(ckpMechanismInfo->ulMinKeySize); + jMaxKeySize = ckULongToJLong(ckpMechanismInfo->ulMaxKeySize); + jFlags = ckULongToJLong(ckpMechanismInfo->flags); + + /* create new CK_MECHANISM_INFO object */ + jMechanismInfoObject = (*env)->NewObject(env, jMechanismInfoClass, jCtrId, + jMinKeySize, jMaxKeySize, jFlags); + if (jMechanismInfoObject == NULL) { return NULL; }; + + /* free local references */ + (*env)->DeleteLocalRef(env, jMechanismInfoClass); + + return jMechanismInfoObject ; +} +#endif + +#ifdef P11_ENABLE_C_INITTOKEN +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_InitToken + * Signature: (J[C[C)V + * Parametermapping: *PKCS11* + * @param jlong jSlotID CK_SLOT_ID slotID + * @param jcharArray jPin CK_CHAR_PTR pPin + * CK_ULONG ulPinLen + * @param jcharArray jLabel CK_UTF8CHAR_PTR pLabel + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1InitToken +(JNIEnv *env, jobject obj, jlong jSlotID, jcharArray jPin, jcharArray jLabel) +{ + CK_SLOT_ID ckSlotID; + CK_CHAR_PTR ckpPin = NULL_PTR; + CK_UTF8CHAR_PTR ckpLabel = NULL_PTR; + CK_ULONG ckPinLength; + CK_ULONG ckLabelLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSlotID = jLongToCKULong(jSlotID); + jCharArrayToCKCharArray(env, jPin, &ckpPin, &ckPinLength); + if ((*env)->ExceptionCheck(env)) { return; } + /* ckLabelLength <= 32 !!! */ + jCharArrayToCKUTF8CharArray(env, jLabel, &ckpLabel, &ckLabelLength); + if ((*env)->ExceptionCheck(env)) { + free(ckpPin); + return; + } + + rv = (*ckpFunctions->C_InitToken)(ckSlotID, ckpPin, ckPinLength, ckpLabel); + TRACE1("InitToken return code: %d", rv); + + free(ckpPin); + free(ckpLabel); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_INITPIN +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_InitPIN + * Signature: (J[C)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE + * @param jcharArray jPin CK_CHAR_PTR pPin + * CK_ULONG ulPinLen + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1InitPIN +(JNIEnv *env, jobject obj, jlong jSessionHandle, jcharArray jPin) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_CHAR_PTR ckpPin = NULL_PTR; + CK_ULONG ckPinLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jCharArrayToCKCharArray(env, jPin, &ckpPin, &ckPinLength); + if ((*env)->ExceptionCheck(env)) { return; } + + rv = (*ckpFunctions->C_InitPIN)(ckSessionHandle, ckpPin, ckPinLength); + + free(ckpPin); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_SETPIN +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SetPIN + * Signature: (J[C[C)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jcharArray jOldPin CK_CHAR_PTR pOldPin + * CK_ULONG ulOldLen + * @param jcharArray jNewPin CK_CHAR_PTR pNewPin + * CK_ULONG ulNewLen + */ +JNIEXPORT void JNICALL +Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetPIN +(JNIEnv *env, jobject obj, jlong jSessionHandle, jcharArray jOldPin, +jcharArray jNewPin) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_CHAR_PTR ckpOldPin = NULL_PTR; + CK_CHAR_PTR ckpNewPin = NULL_PTR; + CK_ULONG ckOldPinLength; + CK_ULONG ckNewPinLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jCharArrayToCKCharArray(env, jOldPin, &ckpOldPin, &ckOldPinLength); + if ((*env)->ExceptionCheck(env)) { return; } + jCharArrayToCKCharArray(env, jNewPin, &ckpNewPin, &ckNewPinLength); + if ((*env)->ExceptionCheck(env)) { + free(ckpOldPin); + return; + } + + rv = (*ckpFunctions->C_SetPIN)(ckSessionHandle, ckpOldPin, ckOldPinLength, + ckpNewPin, ckNewPinLength); + + free(ckpOldPin); + free(ckpNewPin); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_keymgmt.c 2017-01-20 09:52:57.246288242 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,773 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -#ifdef P11_ENABLE_C_GENERATEKEY -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GenerateKey - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate - * CK_ULONG ulCount - * @return jlong jKeyHandle CK_OBJECT_HANDLE_PTR phKey - */ -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GenerateKey - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jobjectArray jTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_OBJECT_HANDLE ckKeyHandle = 0; - jlong jKeyHandle = 0L; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0L; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return 0L ; } - - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); - if ((*env)->ExceptionCheck(env)) { - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - return 0L; - } - - rv = (*ckpFunctions->C_GenerateKey)(ckSessionHandle, &ckMechanism, ckpAttributes, ckAttributesLength, &ckKeyHandle); - - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jKeyHandle = ckULongToJLong(ckKeyHandle); - - /* cheack, if we must give a initialization vector back to Java */ - switch (ckMechanism.mechanism) { - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - case CKM_PBE_MD5_CAST_CBC: - case CKM_PBE_MD5_CAST3_CBC: - case CKM_PBE_MD5_CAST128_CBC: - /* case CKM_PBE_MD5_CAST5_CBC: the same as CKM_PBE_MD5_CAST128_CBC */ - case CKM_PBE_SHA1_CAST128_CBC: - /* case CKM_PBE_SHA1_CAST5_CBC: the same as CKM_PBE_SHA1_CAST128_CBC */ - /* we must copy back the initialization vector to the jMechanism object */ - copyBackPBEInitializationVector(env, &ckMechanism, jMechanism); - break; - } - } - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - return jKeyHandle ; -} -#endif - -#ifdef P11_ENABLE_C_GENERATEKEYPAIR -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GenerateKeyPair - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)[J - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @param jobjectArray jPublicKeyTemplate CK_ATTRIBUTE_PTR pPublicKeyTemplate - * CK_ULONG ulPublicKeyAttributeCount - * @param jobjectArray jPrivateKeyTemplate CK_ATTRIBUTE_PTR pPrivateKeyTemplate - * CK_ULONG ulPrivateKeyAttributeCount - * @return jlongArray jKeyHandles CK_OBJECT_HANDLE_PTR phPublicKey - * CK_OBJECT_HANDLE_PTR phPublicKey - */ -JNIEXPORT jlongArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GenerateKeyPair - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, - jobjectArray jPublicKeyTemplate, jobjectArray jPrivateKeyTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_ATTRIBUTE_PTR ckpPublicKeyAttributes = NULL_PTR; - CK_ATTRIBUTE_PTR ckpPrivateKeyAttributes = NULL_PTR; - CK_ULONG ckPublicKeyAttributesLength; - CK_ULONG ckPrivateKeyAttributesLength; - CK_OBJECT_HANDLE_PTR ckpPublicKeyHandle; /* pointer to Public Key */ - CK_OBJECT_HANDLE_PTR ckpPrivateKeyHandle; /* pointer to Private Key */ - CK_OBJECT_HANDLE_PTR ckpKeyHandles; /* pointer to array with Public and Private Key */ - jlongArray jKeyHandles = NULL; - CK_RV rv; - int attempts; - const int MAX_ATTEMPTS = 3; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return NULL; } - - ckpKeyHandles = (CK_OBJECT_HANDLE_PTR) malloc(2 * sizeof(CK_OBJECT_HANDLE)); - if (ckpKeyHandles == NULL) { - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - throwOutOfMemoryError(env, 0); - return NULL; - } - ckpPublicKeyHandle = ckpKeyHandles; /* first element of array is Public Key */ - ckpPrivateKeyHandle = (ckpKeyHandles + 1); /* second element of array is Private Key */ - - jAttributeArrayToCKAttributeArray(env, jPublicKeyTemplate, &ckpPublicKeyAttributes, &ckPublicKeyAttributesLength); - if ((*env)->ExceptionCheck(env)) { - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - free(ckpKeyHandles); - return NULL; - } - - jAttributeArrayToCKAttributeArray(env, jPrivateKeyTemplate, &ckpPrivateKeyAttributes, &ckPrivateKeyAttributesLength); - if ((*env)->ExceptionCheck(env)) { - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - free(ckpKeyHandles); - freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength); - return NULL; - } - - /* - * Workaround for NSS bug 1012786: - * - * Key generation may fail with CKR_FUNCTION_FAILED error - * if there is insufficient entropy to generate a random key. - * - * PKCS11 spec says the following about CKR_FUNCTION_FAILED error - * (see section 11.1.1): - * - * ... In any event, although the function call failed, the situation - * is not necessarily totally hopeless, as it is likely to be - * when CKR_GENERAL_ERROR is returned. Depending on what the root cause of - * the error actually was, it is possible that an attempt - * to make the exact same function call again would succeed. - * - * Call C_GenerateKeyPair() several times if CKR_FUNCTION_FAILED occurs. - */ - for (attempts = 0; attempts < MAX_ATTEMPTS; attempts++) { - rv = (*ckpFunctions->C_GenerateKeyPair)(ckSessionHandle, &ckMechanism, - ckpPublicKeyAttributes, ckPublicKeyAttributesLength, - ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength, - ckpPublicKeyHandle, ckpPrivateKeyHandle); - if (rv == CKR_FUNCTION_FAILED) { - printDebug("C_1GenerateKeyPair(): C_GenerateKeyPair() failed \ - with CKR_FUNCTION_FAILED error, try again\n"); - } else { - break; - } - } - - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jKeyHandles = ckULongArrayToJLongArray(env, ckpKeyHandles, 2); - } - - if(ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - free(ckpKeyHandles); - freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength); - freeCKAttributeArray(ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength); - - return jKeyHandles ; -} -#endif - -#ifdef P11_ENABLE_C_WRAPKEY -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_WrapKey - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;JJ)[B - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @param jlong jWrappingKeyHandle CK_OBJECT_HANDLE hWrappingKey - * @param jlong jKeyHandle CK_OBJECT_HANDLE hKey - * @return jbyteArray jWrappedKey CK_BYTE_PTR pWrappedKey - * CK_ULONG_PTR pulWrappedKeyLen - */ -JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1WrapKey - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jWrappingKeyHandle, jlong jKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckWrappingKeyHandle; - CK_OBJECT_HANDLE ckKeyHandle; - jbyteArray jWrappedKey = NULL; - CK_RV rv; - CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; - CK_BYTE_PTR ckpWrappedKey = BUF; - CK_ULONG ckWrappedKeyLength = MAX_STACK_BUFFER_LEN; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return NULL; } - - ckWrappingKeyHandle = jLongToCKULong(jWrappingKeyHandle); - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength); - if (rv == CKR_BUFFER_TOO_SMALL) { - ckpWrappedKey = (CK_BYTE_PTR) malloc(ckWrappedKeyLength); - if (ckpWrappedKey == NULL) { - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength); - } - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jWrappedKey = ckByteArrayToJByteArray(env, ckpWrappedKey, ckWrappedKeyLength); - } - - if (ckpWrappedKey != BUF) { free(ckpWrappedKey); } - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - return jWrappedKey ; -} -#endif - -#ifdef P11_ENABLE_C_UNWRAPKEY -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_UnwrapKey - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J[B[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @param jlong jUnwrappingKeyHandle CK_OBJECT_HANDLE hUnwrappingKey - * @param jbyteArray jWrappedKey CK_BYTE_PTR pWrappedKey - * CK_ULONG_PTR pulWrappedKeyLen - * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate - * CK_ULONG ulCount - * @return jlong jKeyHandle CK_OBJECT_HANDLE_PTR phKey - */ -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1UnwrapKey - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jUnwrappingKeyHandle, - jbyteArray jWrappedKey, jobjectArray jTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckUnwrappingKeyHandle; - CK_BYTE_PTR ckpWrappedKey = NULL_PTR; - CK_ULONG ckWrappedKeyLength; - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_OBJECT_HANDLE ckKeyHandle = 0; - jlong jKeyHandle = 0L; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0L; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return 0L; } - - ckUnwrappingKeyHandle = jLongToCKULong(jUnwrappingKeyHandle); - jByteArrayToCKByteArray(env, jWrappedKey, &ckpWrappedKey, &ckWrappedKeyLength); - if ((*env)->ExceptionCheck(env)) { - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - return 0L; - } - - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); - if ((*env)->ExceptionCheck(env)) { - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - free(ckpWrappedKey); - return 0L; - } - - - rv = (*ckpFunctions->C_UnwrapKey)(ckSessionHandle, &ckMechanism, ckUnwrappingKeyHandle, - ckpWrappedKey, ckWrappedKeyLength, - ckpAttributes, ckAttributesLength, &ckKeyHandle); - - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jKeyHandle = ckLongToJLong(ckKeyHandle); - -#if 0 - /* cheack, if we must give a initialization vector back to Java */ - if (ckMechanism.mechanism == CKM_KEY_WRAP_SET_OAEP) { - /* we must copy back the unwrapped key info to the jMechanism object */ - copyBackSetUnwrappedKey(env, &ckMechanism, jMechanism); - } -#endif - } - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - free(ckpWrappedKey); - - return jKeyHandle ; -} -#endif - -#ifdef P11_ENABLE_C_DERIVEKEY - -void freeMasterKeyDeriveParams(CK_MECHANISM_PTR ckMechanism) { - CK_SSL3_MASTER_KEY_DERIVE_PARAMS *params = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *) ckMechanism->pParameter; - if (params == NULL) { - return; - } - - if (params->RandomInfo.pClientRandom != NULL) { - free(params->RandomInfo.pClientRandom); - } - if (params->RandomInfo.pServerRandom != NULL) { - free(params->RandomInfo.pServerRandom); - } - if (params->pVersion != NULL) { - free(params->pVersion); - } -} - -void freeEcdh1DeriveParams(CK_MECHANISM_PTR ckMechanism) { - CK_ECDH1_DERIVE_PARAMS *params = (CK_ECDH1_DERIVE_PARAMS *) ckMechanism->pParameter; - if (params == NULL) { - return; - } - - if (params->pSharedData != NULL) { - free(params->pSharedData); - } - if (params->pPublicData != NULL) { - free(params->pPublicData); - } -} - -/* - * Copy back the PRF output to Java. - */ -void copyBackTLSPrfParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) -{ - jclass jMechanismClass, jTLSPrfParamsClass; - CK_TLS_PRF_PARAMS *ckTLSPrfParams; - jobject jTLSPrfParams; - jfieldID fieldID; - CK_MECHANISM_TYPE ckMechanismType; - jlong jMechanismType; - CK_BYTE_PTR output; - jobject jOutput; - jint jLength; - jbyte* jBytes; - int i; - - /* get mechanism */ - jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); - if (jMechanismClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); - if (fieldID == NULL) { return; } - jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); - ckMechanismType = jLongToCKULong(jMechanismType); - if (ckMechanismType != ckMechanism->mechanism) { - /* we do not have maching types, this should not occur */ - return; - } - - /* get the native CK_TLS_PRF_PARAMS */ - ckTLSPrfParams = (CK_TLS_PRF_PARAMS *) ckMechanism->pParameter; - if (ckTLSPrfParams != NULL_PTR) { - /* get the Java CK_TLS_PRF_PARAMS object (pParameter) */ - fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); - if (fieldID == NULL) { return; } - jTLSPrfParams = (*env)->GetObjectField(env, jMechanism, fieldID); - - /* copy back the client IV */ - jTLSPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); - if (jTLSPrfParamsClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jTLSPrfParamsClass, "pOutput", "[B"); - if (fieldID == NULL) { return; } - jOutput = (*env)->GetObjectField(env, jTLSPrfParams, fieldID); - output = ckTLSPrfParams->pOutput; - - // Note: we assume that the token returned exactly as many bytes as we - // requested. Anything else would not make sense. - if (jOutput != NULL) { - jLength = (*env)->GetArrayLength(env, jOutput); - jBytes = (*env)->GetByteArrayElements(env, jOutput, NULL); - if (jBytes == NULL) { return; } - - /* copy the bytes to the Java buffer */ - for (i=0; i < jLength; i++) { - jBytes[i] = ckByteToJByte(output[i]); - } - /* copy back the Java buffer to the object */ - (*env)->ReleaseByteArrayElements(env, jOutput, jBytes, 0); - } - - // free malloc'd data - free(ckTLSPrfParams->pSeed); - free(ckTLSPrfParams->pLabel); - free(ckTLSPrfParams->pulOutputLen); - free(ckTLSPrfParams->pOutput); - } -} - -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DeriveKey - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @param jlong jBaseKeyHandle CK_OBJECT_HANDLE hBaseKey - * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate - * CK_ULONG ulCount - * @return jlong jKeyHandle CK_OBJECT_HANDLE_PTR phKey - */ -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DeriveKey - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jBaseKeyHandle, jobjectArray jTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckBaseKeyHandle; - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_OBJECT_HANDLE ckKeyHandle = 0; - jlong jKeyHandle = 0L; - CK_RV rv; - CK_OBJECT_HANDLE_PTR phKey = &ckKeyHandle; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0L; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return 0L; } - - ckBaseKeyHandle = jLongToCKULong(jBaseKeyHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); - if ((*env)->ExceptionCheck(env)) { - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - return 0L; - } - - switch (ckMechanism.mechanism) { - case CKM_SSL3_KEY_AND_MAC_DERIVE: - case CKM_TLS_KEY_AND_MAC_DERIVE: - case CKM_TLS_PRF: - // these mechanism do not return a key handle via phKey - // set to NULL in case pedantic implementations check for it - phKey = NULL; - break; - default: - // empty - break; - } - - rv = (*ckpFunctions->C_DeriveKey)(ckSessionHandle, &ckMechanism, ckBaseKeyHandle, - ckpAttributes, ckAttributesLength, phKey); - - jKeyHandle = ckLongToJLong(ckKeyHandle); - - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - switch (ckMechanism.mechanism) { - case CKM_SSL3_MASTER_KEY_DERIVE: - case CKM_TLS_MASTER_KEY_DERIVE: - /* we must copy back the client version */ - copyBackClientVersion(env, &ckMechanism, jMechanism); - freeMasterKeyDeriveParams(&ckMechanism); - break; - case CKM_SSL3_MASTER_KEY_DERIVE_DH: - case CKM_TLS_MASTER_KEY_DERIVE_DH: - freeMasterKeyDeriveParams(&ckMechanism); - break; - case CKM_SSL3_KEY_AND_MAC_DERIVE: - case CKM_TLS_KEY_AND_MAC_DERIVE: - /* we must copy back the unwrapped key info to the jMechanism object */ - copyBackSSLKeyMatParams(env, &ckMechanism, jMechanism); - break; - case CKM_TLS_PRF: - copyBackTLSPrfParams(env, &ckMechanism, jMechanism); - break; - case CKM_ECDH1_DERIVE: - freeEcdh1DeriveParams(&ckMechanism); - break; - default: - // empty - break; - } - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } - - return jKeyHandle ; -} - -/* - * Copy back the client version information from the native - * structure to the Java object. This is only used for the - * CKM_SSL3_MASTER_KEY_DERIVE mechanism when used for deriving a key. - * - */ -void copyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) -{ - jclass jMechanismClass, jSSL3MasterKeyDeriveParamsClass, jVersionClass; - CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ckSSL3MasterKeyDeriveParams; - CK_VERSION *ckVersion; - jfieldID fieldID; - CK_MECHANISM_TYPE ckMechanismType; - jlong jMechanismType; - jobject jSSL3MasterKeyDeriveParams; - jobject jVersion; - - /* get mechanism */ - jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); - if (jMechanismClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); - if (fieldID == NULL) { return; } - jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); - ckMechanismType = jLongToCKULong(jMechanismType); - if (ckMechanismType != ckMechanism->mechanism) { - /* we do not have maching types, this should not occur */ - return; - } - - /* get the native CK_SSL3_MASTER_KEY_DERIVE_PARAMS */ - ckSSL3MasterKeyDeriveParams = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *) ckMechanism->pParameter; - if (ckSSL3MasterKeyDeriveParams != NULL_PTR) { - /* get the native CK_VERSION */ - ckVersion = ckSSL3MasterKeyDeriveParams->pVersion; - if (ckVersion != NULL_PTR) { - /* get the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS (pParameter) */ - fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); - if (fieldID == NULL) { return; } - - jSSL3MasterKeyDeriveParams = (*env)->GetObjectField(env, jMechanism, fieldID); - - /* get the Java CK_VERSION */ - jSSL3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); - if (jSSL3MasterKeyDeriveParamsClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jSSL3MasterKeyDeriveParamsClass, "pVersion", "L"CLASS_VERSION";"); - if (fieldID == NULL) { return; } - jVersion = (*env)->GetObjectField(env, jSSL3MasterKeyDeriveParams, fieldID); - - /* now copy back the version from the native structure to the Java structure */ - - /* copy back the major version */ - jVersionClass = (*env)->FindClass(env, CLASS_VERSION); - if (jVersionClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jVersionClass, "major", "B"); - if (fieldID == NULL) { return; } - (*env)->SetByteField(env, jVersion, fieldID, ckByteToJByte(ckVersion->major)); - - /* copy back the minor version */ - fieldID = (*env)->GetFieldID(env, jVersionClass, "minor", "B"); - if (fieldID == NULL) { return; } - (*env)->SetByteField(env, jVersion, fieldID, ckByteToJByte(ckVersion->minor)); - } - } -} - - -/* - * Copy back the derived keys and initialization vectors from the native - * structure to the Java object. This is only used for the - * CKM_SSL3_KEY_AND_MAC_DERIVE mechanism when used for deriving a key. - * - */ -void copyBackSSLKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) -{ - jclass jMechanismClass, jSSL3KeyMatParamsClass, jSSL3KeyMatOutClass; - CK_SSL3_KEY_MAT_PARAMS *ckSSL3KeyMatParam; - CK_SSL3_KEY_MAT_OUT *ckSSL3KeyMatOut; - jfieldID fieldID; - CK_MECHANISM_TYPE ckMechanismType; - jlong jMechanismType; - CK_BYTE_PTR iv; - jobject jSSL3KeyMatParam; - jobject jSSL3KeyMatOut; - jobject jIV; - jint jLength; - jbyte* jBytes; - int i; - - /* get mechanism */ - jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM); - if (jMechanismClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); - if (fieldID == NULL) { return; } - jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); - ckMechanismType = jLongToCKULong(jMechanismType); - if (ckMechanismType != ckMechanism->mechanism) { - /* we do not have maching types, this should not occur */ - return; - } - - /* get the native CK_SSL3_KEY_MAT_PARAMS */ - ckSSL3KeyMatParam = (CK_SSL3_KEY_MAT_PARAMS *) ckMechanism->pParameter; - if (ckSSL3KeyMatParam != NULL_PTR) { - // free malloc'd data - if (ckSSL3KeyMatParam->RandomInfo.pClientRandom != NULL) { - free(ckSSL3KeyMatParam->RandomInfo.pClientRandom); - } - if (ckSSL3KeyMatParam->RandomInfo.pServerRandom != NULL) { - free(ckSSL3KeyMatParam->RandomInfo.pServerRandom); - } - - /* get the native CK_SSL3_KEY_MAT_OUT */ - ckSSL3KeyMatOut = ckSSL3KeyMatParam->pReturnedKeyMaterial; - if (ckSSL3KeyMatOut != NULL_PTR) { - /* get the Java CK_SSL3_KEY_MAT_PARAMS (pParameter) */ - fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); - if (fieldID == NULL) { return; } - jSSL3KeyMatParam = (*env)->GetObjectField(env, jMechanism, fieldID); - - /* get the Java CK_SSL3_KEY_MAT_OUT */ - jSSL3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); - if (jSSL3KeyMatParamsClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatParamsClass, "pReturnedKeyMaterial", "L"CLASS_SSL3_KEY_MAT_OUT";"); - if (fieldID == NULL) { return; } - jSSL3KeyMatOut = (*env)->GetObjectField(env, jSSL3KeyMatParam, fieldID); - - /* now copy back all the key handles and the initialization vectors */ - /* copy back client MAC secret handle */ - jSSL3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT); - if (jSSL3KeyMatOutClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hClientMacSecret", "J"); - if (fieldID == NULL) { return; } - (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hClientMacSecret)); - - /* copy back server MAC secret handle */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hServerMacSecret", "J"); - if (fieldID == NULL) { return; } - (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hServerMacSecret)); - - /* copy back client secret key handle */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hClientKey", "J"); - if (fieldID == NULL) { return; } - (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hClientKey)); - - /* copy back server secret key handle */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hServerKey", "J"); - if (fieldID == NULL) { return; } - (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hServerKey)); - - /* copy back the client IV */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "pIVClient", "[B"); - if (fieldID == NULL) { return; } - jIV = (*env)->GetObjectField(env, jSSL3KeyMatOut, fieldID); - iv = ckSSL3KeyMatOut->pIVClient; - - if (jIV != NULL) { - jLength = (*env)->GetArrayLength(env, jIV); - jBytes = (*env)->GetByteArrayElements(env, jIV, NULL); - if (jBytes == NULL) { return; } - /* copy the bytes to the Java buffer */ - for (i=0; i < jLength; i++) { - jBytes[i] = ckByteToJByte(iv[i]); - } - /* copy back the Java buffer to the object */ - (*env)->ReleaseByteArrayElements(env, jIV, jBytes, 0); - } - // free malloc'd data - free(ckSSL3KeyMatOut->pIVClient); - - /* copy back the server IV */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "pIVServer", "[B"); - if (fieldID == NULL) { return; } - jIV = (*env)->GetObjectField(env, jSSL3KeyMatOut, fieldID); - iv = ckSSL3KeyMatOut->pIVServer; - - if (jIV != NULL) { - jLength = (*env)->GetArrayLength(env, jIV); - jBytes = (*env)->GetByteArrayElements(env, jIV, NULL); - if (jBytes == NULL) { return; } - /* copy the bytes to the Java buffer */ - for (i=0; i < jLength; i++) { - jBytes[i] = ckByteToJByte(iv[i]); - } - /* copy back the Java buffer to the object */ - (*env)->ReleaseByteArrayElements(env, jIV, jBytes, 0); - } - // free malloc'd data - free(ckSSL3KeyMatOut->pIVServer); - free(ckSSL3KeyMatOut); - } - } -} - -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c 2017-01-20 09:52:57.022288251 -0800 @@ -0,0 +1,773 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +#ifdef P11_ENABLE_C_GENERATEKEY +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GenerateKey + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate + * CK_ULONG ulCount + * @return jlong jKeyHandle CK_OBJECT_HANDLE_PTR phKey + */ +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GenerateKey + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jobjectArray jTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; + CK_ULONG ckAttributesLength; + CK_OBJECT_HANDLE ckKeyHandle = 0; + jlong jKeyHandle = 0L; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0L; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return 0L ; } + + jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); + if ((*env)->ExceptionCheck(env)) { + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + return 0L; + } + + rv = (*ckpFunctions->C_GenerateKey)(ckSessionHandle, &ckMechanism, ckpAttributes, ckAttributesLength, &ckKeyHandle); + + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jKeyHandle = ckULongToJLong(ckKeyHandle); + + /* cheack, if we must give a initialization vector back to Java */ + switch (ckMechanism.mechanism) { + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_PBE_MD5_CAST_CBC: + case CKM_PBE_MD5_CAST3_CBC: + case CKM_PBE_MD5_CAST128_CBC: + /* case CKM_PBE_MD5_CAST5_CBC: the same as CKM_PBE_MD5_CAST128_CBC */ + case CKM_PBE_SHA1_CAST128_CBC: + /* case CKM_PBE_SHA1_CAST5_CBC: the same as CKM_PBE_SHA1_CAST128_CBC */ + /* we must copy back the initialization vector to the jMechanism object */ + copyBackPBEInitializationVector(env, &ckMechanism, jMechanism); + break; + } + } + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + + return jKeyHandle ; +} +#endif + +#ifdef P11_ENABLE_C_GENERATEKEYPAIR +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GenerateKeyPair + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)[J + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @param jobjectArray jPublicKeyTemplate CK_ATTRIBUTE_PTR pPublicKeyTemplate + * CK_ULONG ulPublicKeyAttributeCount + * @param jobjectArray jPrivateKeyTemplate CK_ATTRIBUTE_PTR pPrivateKeyTemplate + * CK_ULONG ulPrivateKeyAttributeCount + * @return jlongArray jKeyHandles CK_OBJECT_HANDLE_PTR phPublicKey + * CK_OBJECT_HANDLE_PTR phPublicKey + */ +JNIEXPORT jlongArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GenerateKeyPair + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, + jobjectArray jPublicKeyTemplate, jobjectArray jPrivateKeyTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_ATTRIBUTE_PTR ckpPublicKeyAttributes = NULL_PTR; + CK_ATTRIBUTE_PTR ckpPrivateKeyAttributes = NULL_PTR; + CK_ULONG ckPublicKeyAttributesLength; + CK_ULONG ckPrivateKeyAttributesLength; + CK_OBJECT_HANDLE_PTR ckpPublicKeyHandle; /* pointer to Public Key */ + CK_OBJECT_HANDLE_PTR ckpPrivateKeyHandle; /* pointer to Private Key */ + CK_OBJECT_HANDLE_PTR ckpKeyHandles; /* pointer to array with Public and Private Key */ + jlongArray jKeyHandles = NULL; + CK_RV rv; + int attempts; + const int MAX_ATTEMPTS = 3; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return NULL; } + + ckpKeyHandles = (CK_OBJECT_HANDLE_PTR) malloc(2 * sizeof(CK_OBJECT_HANDLE)); + if (ckpKeyHandles == NULL) { + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + throwOutOfMemoryError(env, 0); + return NULL; + } + ckpPublicKeyHandle = ckpKeyHandles; /* first element of array is Public Key */ + ckpPrivateKeyHandle = (ckpKeyHandles + 1); /* second element of array is Private Key */ + + jAttributeArrayToCKAttributeArray(env, jPublicKeyTemplate, &ckpPublicKeyAttributes, &ckPublicKeyAttributesLength); + if ((*env)->ExceptionCheck(env)) { + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + free(ckpKeyHandles); + return NULL; + } + + jAttributeArrayToCKAttributeArray(env, jPrivateKeyTemplate, &ckpPrivateKeyAttributes, &ckPrivateKeyAttributesLength); + if ((*env)->ExceptionCheck(env)) { + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + free(ckpKeyHandles); + freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength); + return NULL; + } + + /* + * Workaround for NSS bug 1012786: + * + * Key generation may fail with CKR_FUNCTION_FAILED error + * if there is insufficient entropy to generate a random key. + * + * PKCS11 spec says the following about CKR_FUNCTION_FAILED error + * (see section 11.1.1): + * + * ... In any event, although the function call failed, the situation + * is not necessarily totally hopeless, as it is likely to be + * when CKR_GENERAL_ERROR is returned. Depending on what the root cause of + * the error actually was, it is possible that an attempt + * to make the exact same function call again would succeed. + * + * Call C_GenerateKeyPair() several times if CKR_FUNCTION_FAILED occurs. + */ + for (attempts = 0; attempts < MAX_ATTEMPTS; attempts++) { + rv = (*ckpFunctions->C_GenerateKeyPair)(ckSessionHandle, &ckMechanism, + ckpPublicKeyAttributes, ckPublicKeyAttributesLength, + ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength, + ckpPublicKeyHandle, ckpPrivateKeyHandle); + if (rv == CKR_FUNCTION_FAILED) { + printDebug("C_1GenerateKeyPair(): C_GenerateKeyPair() failed \ + with CKR_FUNCTION_FAILED error, try again\n"); + } else { + break; + } + } + + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jKeyHandles = ckULongArrayToJLongArray(env, ckpKeyHandles, 2); + } + + if(ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + free(ckpKeyHandles); + freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength); + freeCKAttributeArray(ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength); + + return jKeyHandles ; +} +#endif + +#ifdef P11_ENABLE_C_WRAPKEY +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_WrapKey + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;JJ)[B + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @param jlong jWrappingKeyHandle CK_OBJECT_HANDLE hWrappingKey + * @param jlong jKeyHandle CK_OBJECT_HANDLE hKey + * @return jbyteArray jWrappedKey CK_BYTE_PTR pWrappedKey + * CK_ULONG_PTR pulWrappedKeyLen + */ +JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1WrapKey + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jWrappingKeyHandle, jlong jKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckWrappingKeyHandle; + CK_OBJECT_HANDLE ckKeyHandle; + jbyteArray jWrappedKey = NULL; + CK_RV rv; + CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; + CK_BYTE_PTR ckpWrappedKey = BUF; + CK_ULONG ckWrappedKeyLength = MAX_STACK_BUFFER_LEN; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return NULL; } + + ckWrappingKeyHandle = jLongToCKULong(jWrappingKeyHandle); + ckKeyHandle = jLongToCKULong(jKeyHandle); + + rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength); + if (rv == CKR_BUFFER_TOO_SMALL) { + ckpWrappedKey = (CK_BYTE_PTR) malloc(ckWrappedKeyLength); + if (ckpWrappedKey == NULL) { + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength); + } + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jWrappedKey = ckByteArrayToJByteArray(env, ckpWrappedKey, ckWrappedKeyLength); + } + + if (ckpWrappedKey != BUF) { free(ckpWrappedKey); } + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + return jWrappedKey ; +} +#endif + +#ifdef P11_ENABLE_C_UNWRAPKEY +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_UnwrapKey + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J[B[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @param jlong jUnwrappingKeyHandle CK_OBJECT_HANDLE hUnwrappingKey + * @param jbyteArray jWrappedKey CK_BYTE_PTR pWrappedKey + * CK_ULONG_PTR pulWrappedKeyLen + * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate + * CK_ULONG ulCount + * @return jlong jKeyHandle CK_OBJECT_HANDLE_PTR phKey + */ +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1UnwrapKey + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jUnwrappingKeyHandle, + jbyteArray jWrappedKey, jobjectArray jTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckUnwrappingKeyHandle; + CK_BYTE_PTR ckpWrappedKey = NULL_PTR; + CK_ULONG ckWrappedKeyLength; + CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; + CK_ULONG ckAttributesLength; + CK_OBJECT_HANDLE ckKeyHandle = 0; + jlong jKeyHandle = 0L; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0L; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return 0L; } + + ckUnwrappingKeyHandle = jLongToCKULong(jUnwrappingKeyHandle); + jByteArrayToCKByteArray(env, jWrappedKey, &ckpWrappedKey, &ckWrappedKeyLength); + if ((*env)->ExceptionCheck(env)) { + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + return 0L; + } + + jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); + if ((*env)->ExceptionCheck(env)) { + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + free(ckpWrappedKey); + return 0L; + } + + + rv = (*ckpFunctions->C_UnwrapKey)(ckSessionHandle, &ckMechanism, ckUnwrappingKeyHandle, + ckpWrappedKey, ckWrappedKeyLength, + ckpAttributes, ckAttributesLength, &ckKeyHandle); + + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jKeyHandle = ckLongToJLong(ckKeyHandle); + +#if 0 + /* cheack, if we must give a initialization vector back to Java */ + if (ckMechanism.mechanism == CKM_KEY_WRAP_SET_OAEP) { + /* we must copy back the unwrapped key info to the jMechanism object */ + copyBackSetUnwrappedKey(env, &ckMechanism, jMechanism); + } +#endif + } + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + free(ckpWrappedKey); + + return jKeyHandle ; +} +#endif + +#ifdef P11_ENABLE_C_DERIVEKEY + +void freeMasterKeyDeriveParams(CK_MECHANISM_PTR ckMechanism) { + CK_SSL3_MASTER_KEY_DERIVE_PARAMS *params = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *) ckMechanism->pParameter; + if (params == NULL) { + return; + } + + if (params->RandomInfo.pClientRandom != NULL) { + free(params->RandomInfo.pClientRandom); + } + if (params->RandomInfo.pServerRandom != NULL) { + free(params->RandomInfo.pServerRandom); + } + if (params->pVersion != NULL) { + free(params->pVersion); + } +} + +void freeEcdh1DeriveParams(CK_MECHANISM_PTR ckMechanism) { + CK_ECDH1_DERIVE_PARAMS *params = (CK_ECDH1_DERIVE_PARAMS *) ckMechanism->pParameter; + if (params == NULL) { + return; + } + + if (params->pSharedData != NULL) { + free(params->pSharedData); + } + if (params->pPublicData != NULL) { + free(params->pPublicData); + } +} + +/* + * Copy back the PRF output to Java. + */ +void copyBackTLSPrfParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) +{ + jclass jMechanismClass, jTLSPrfParamsClass; + CK_TLS_PRF_PARAMS *ckTLSPrfParams; + jobject jTLSPrfParams; + jfieldID fieldID; + CK_MECHANISM_TYPE ckMechanismType; + jlong jMechanismType; + CK_BYTE_PTR output; + jobject jOutput; + jint jLength; + jbyte* jBytes; + int i; + + /* get mechanism */ + jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); + if (jMechanismClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); + if (fieldID == NULL) { return; } + jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); + ckMechanismType = jLongToCKULong(jMechanismType); + if (ckMechanismType != ckMechanism->mechanism) { + /* we do not have maching types, this should not occur */ + return; + } + + /* get the native CK_TLS_PRF_PARAMS */ + ckTLSPrfParams = (CK_TLS_PRF_PARAMS *) ckMechanism->pParameter; + if (ckTLSPrfParams != NULL_PTR) { + /* get the Java CK_TLS_PRF_PARAMS object (pParameter) */ + fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); + if (fieldID == NULL) { return; } + jTLSPrfParams = (*env)->GetObjectField(env, jMechanism, fieldID); + + /* copy back the client IV */ + jTLSPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); + if (jTLSPrfParamsClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jTLSPrfParamsClass, "pOutput", "[B"); + if (fieldID == NULL) { return; } + jOutput = (*env)->GetObjectField(env, jTLSPrfParams, fieldID); + output = ckTLSPrfParams->pOutput; + + // Note: we assume that the token returned exactly as many bytes as we + // requested. Anything else would not make sense. + if (jOutput != NULL) { + jLength = (*env)->GetArrayLength(env, jOutput); + jBytes = (*env)->GetByteArrayElements(env, jOutput, NULL); + if (jBytes == NULL) { return; } + + /* copy the bytes to the Java buffer */ + for (i=0; i < jLength; i++) { + jBytes[i] = ckByteToJByte(output[i]); + } + /* copy back the Java buffer to the object */ + (*env)->ReleaseByteArrayElements(env, jOutput, jBytes, 0); + } + + // free malloc'd data + free(ckTLSPrfParams->pSeed); + free(ckTLSPrfParams->pLabel); + free(ckTLSPrfParams->pulOutputLen); + free(ckTLSPrfParams->pOutput); + } +} + +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DeriveKey + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @param jlong jBaseKeyHandle CK_OBJECT_HANDLE hBaseKey + * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate + * CK_ULONG ulCount + * @return jlong jKeyHandle CK_OBJECT_HANDLE_PTR phKey + */ +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DeriveKey + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jBaseKeyHandle, jobjectArray jTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckBaseKeyHandle; + CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; + CK_ULONG ckAttributesLength; + CK_OBJECT_HANDLE ckKeyHandle = 0; + jlong jKeyHandle = 0L; + CK_RV rv; + CK_OBJECT_HANDLE_PTR phKey = &ckKeyHandle; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0L; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return 0L; } + + ckBaseKeyHandle = jLongToCKULong(jBaseKeyHandle); + jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); + if ((*env)->ExceptionCheck(env)) { + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + return 0L; + } + + switch (ckMechanism.mechanism) { + case CKM_SSL3_KEY_AND_MAC_DERIVE: + case CKM_TLS_KEY_AND_MAC_DERIVE: + case CKM_TLS_PRF: + // these mechanism do not return a key handle via phKey + // set to NULL in case pedantic implementations check for it + phKey = NULL; + break; + default: + // empty + break; + } + + rv = (*ckpFunctions->C_DeriveKey)(ckSessionHandle, &ckMechanism, ckBaseKeyHandle, + ckpAttributes, ckAttributesLength, phKey); + + jKeyHandle = ckLongToJLong(ckKeyHandle); + + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + + switch (ckMechanism.mechanism) { + case CKM_SSL3_MASTER_KEY_DERIVE: + case CKM_TLS_MASTER_KEY_DERIVE: + /* we must copy back the client version */ + copyBackClientVersion(env, &ckMechanism, jMechanism); + freeMasterKeyDeriveParams(&ckMechanism); + break; + case CKM_SSL3_MASTER_KEY_DERIVE_DH: + case CKM_TLS_MASTER_KEY_DERIVE_DH: + freeMasterKeyDeriveParams(&ckMechanism); + break; + case CKM_SSL3_KEY_AND_MAC_DERIVE: + case CKM_TLS_KEY_AND_MAC_DERIVE: + /* we must copy back the unwrapped key info to the jMechanism object */ + copyBackSSLKeyMatParams(env, &ckMechanism, jMechanism); + break; + case CKM_TLS_PRF: + copyBackTLSPrfParams(env, &ckMechanism, jMechanism); + break; + case CKM_ECDH1_DERIVE: + freeEcdh1DeriveParams(&ckMechanism); + break; + default: + // empty + break; + } + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } + + return jKeyHandle ; +} + +/* + * Copy back the client version information from the native + * structure to the Java object. This is only used for the + * CKM_SSL3_MASTER_KEY_DERIVE mechanism when used for deriving a key. + * + */ +void copyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) +{ + jclass jMechanismClass, jSSL3MasterKeyDeriveParamsClass, jVersionClass; + CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ckSSL3MasterKeyDeriveParams; + CK_VERSION *ckVersion; + jfieldID fieldID; + CK_MECHANISM_TYPE ckMechanismType; + jlong jMechanismType; + jobject jSSL3MasterKeyDeriveParams; + jobject jVersion; + + /* get mechanism */ + jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); + if (jMechanismClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); + if (fieldID == NULL) { return; } + jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); + ckMechanismType = jLongToCKULong(jMechanismType); + if (ckMechanismType != ckMechanism->mechanism) { + /* we do not have maching types, this should not occur */ + return; + } + + /* get the native CK_SSL3_MASTER_KEY_DERIVE_PARAMS */ + ckSSL3MasterKeyDeriveParams = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *) ckMechanism->pParameter; + if (ckSSL3MasterKeyDeriveParams != NULL_PTR) { + /* get the native CK_VERSION */ + ckVersion = ckSSL3MasterKeyDeriveParams->pVersion; + if (ckVersion != NULL_PTR) { + /* get the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS (pParameter) */ + fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); + if (fieldID == NULL) { return; } + + jSSL3MasterKeyDeriveParams = (*env)->GetObjectField(env, jMechanism, fieldID); + + /* get the Java CK_VERSION */ + jSSL3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); + if (jSSL3MasterKeyDeriveParamsClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jSSL3MasterKeyDeriveParamsClass, "pVersion", "L"CLASS_VERSION";"); + if (fieldID == NULL) { return; } + jVersion = (*env)->GetObjectField(env, jSSL3MasterKeyDeriveParams, fieldID); + + /* now copy back the version from the native structure to the Java structure */ + + /* copy back the major version */ + jVersionClass = (*env)->FindClass(env, CLASS_VERSION); + if (jVersionClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jVersionClass, "major", "B"); + if (fieldID == NULL) { return; } + (*env)->SetByteField(env, jVersion, fieldID, ckByteToJByte(ckVersion->major)); + + /* copy back the minor version */ + fieldID = (*env)->GetFieldID(env, jVersionClass, "minor", "B"); + if (fieldID == NULL) { return; } + (*env)->SetByteField(env, jVersion, fieldID, ckByteToJByte(ckVersion->minor)); + } + } +} + + +/* + * Copy back the derived keys and initialization vectors from the native + * structure to the Java object. This is only used for the + * CKM_SSL3_KEY_AND_MAC_DERIVE mechanism when used for deriving a key. + * + */ +void copyBackSSLKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) +{ + jclass jMechanismClass, jSSL3KeyMatParamsClass, jSSL3KeyMatOutClass; + CK_SSL3_KEY_MAT_PARAMS *ckSSL3KeyMatParam; + CK_SSL3_KEY_MAT_OUT *ckSSL3KeyMatOut; + jfieldID fieldID; + CK_MECHANISM_TYPE ckMechanismType; + jlong jMechanismType; + CK_BYTE_PTR iv; + jobject jSSL3KeyMatParam; + jobject jSSL3KeyMatOut; + jobject jIV; + jint jLength; + jbyte* jBytes; + int i; + + /* get mechanism */ + jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM); + if (jMechanismClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); + if (fieldID == NULL) { return; } + jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); + ckMechanismType = jLongToCKULong(jMechanismType); + if (ckMechanismType != ckMechanism->mechanism) { + /* we do not have maching types, this should not occur */ + return; + } + + /* get the native CK_SSL3_KEY_MAT_PARAMS */ + ckSSL3KeyMatParam = (CK_SSL3_KEY_MAT_PARAMS *) ckMechanism->pParameter; + if (ckSSL3KeyMatParam != NULL_PTR) { + // free malloc'd data + if (ckSSL3KeyMatParam->RandomInfo.pClientRandom != NULL) { + free(ckSSL3KeyMatParam->RandomInfo.pClientRandom); + } + if (ckSSL3KeyMatParam->RandomInfo.pServerRandom != NULL) { + free(ckSSL3KeyMatParam->RandomInfo.pServerRandom); + } + + /* get the native CK_SSL3_KEY_MAT_OUT */ + ckSSL3KeyMatOut = ckSSL3KeyMatParam->pReturnedKeyMaterial; + if (ckSSL3KeyMatOut != NULL_PTR) { + /* get the Java CK_SSL3_KEY_MAT_PARAMS (pParameter) */ + fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); + if (fieldID == NULL) { return; } + jSSL3KeyMatParam = (*env)->GetObjectField(env, jMechanism, fieldID); + + /* get the Java CK_SSL3_KEY_MAT_OUT */ + jSSL3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); + if (jSSL3KeyMatParamsClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jSSL3KeyMatParamsClass, "pReturnedKeyMaterial", "L"CLASS_SSL3_KEY_MAT_OUT";"); + if (fieldID == NULL) { return; } + jSSL3KeyMatOut = (*env)->GetObjectField(env, jSSL3KeyMatParam, fieldID); + + /* now copy back all the key handles and the initialization vectors */ + /* copy back client MAC secret handle */ + jSSL3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT); + if (jSSL3KeyMatOutClass == NULL) { return; } + fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hClientMacSecret", "J"); + if (fieldID == NULL) { return; } + (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hClientMacSecret)); + + /* copy back server MAC secret handle */ + fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hServerMacSecret", "J"); + if (fieldID == NULL) { return; } + (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hServerMacSecret)); + + /* copy back client secret key handle */ + fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hClientKey", "J"); + if (fieldID == NULL) { return; } + (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hClientKey)); + + /* copy back server secret key handle */ + fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hServerKey", "J"); + if (fieldID == NULL) { return; } + (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hServerKey)); + + /* copy back the client IV */ + fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "pIVClient", "[B"); + if (fieldID == NULL) { return; } + jIV = (*env)->GetObjectField(env, jSSL3KeyMatOut, fieldID); + iv = ckSSL3KeyMatOut->pIVClient; + + if (jIV != NULL) { + jLength = (*env)->GetArrayLength(env, jIV); + jBytes = (*env)->GetByteArrayElements(env, jIV, NULL); + if (jBytes == NULL) { return; } + /* copy the bytes to the Java buffer */ + for (i=0; i < jLength; i++) { + jBytes[i] = ckByteToJByte(iv[i]); + } + /* copy back the Java buffer to the object */ + (*env)->ReleaseByteArrayElements(env, jIV, jBytes, 0); + } + // free malloc'd data + free(ckSSL3KeyMatOut->pIVClient); + + /* copy back the server IV */ + fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "pIVServer", "[B"); + if (fieldID == NULL) { return; } + jIV = (*env)->GetObjectField(env, jSSL3KeyMatOut, fieldID); + iv = ckSSL3KeyMatOut->pIVServer; + + if (jIV != NULL) { + jLength = (*env)->GetArrayLength(env, jIV); + jBytes = (*env)->GetByteArrayElements(env, jIV, NULL); + if (jBytes == NULL) { return; } + /* copy the bytes to the Java buffer */ + for (i=0; i < jLength; i++) { + jBytes[i] = ckByteToJByte(iv[i]); + } + /* copy back the Java buffer to the object */ + (*env)->ReleaseByteArrayElements(env, jIV, jBytes, 0); + } + // free malloc'd data + free(ckSSL3KeyMatOut->pIVServer); + free(ckSSL3KeyMatOut); + } + } +} + +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_mutex.c 2017-01-20 09:52:57.594288229 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,552 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -/* The initArgs that enable the application to do custom mutex-handling */ -#ifndef NO_CALLBACKS -jobject jInitArgsObject; -CK_C_INITIALIZE_ARGS_PTR ckpGlobalInitArgs; -#endif /* NO_CALLBACKS */ - -/* ************************************************************************** */ -/* Now come the functions for mutex handling and notification callbacks */ -/* ************************************************************************** */ - -/* - * converts the InitArgs object to a CK_C_INITIALIZE_ARGS structure and sets the functions - * that will call the right Java mutex functions - * - * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields - * @param pInitArgs - the InitArgs object with the Java mutex functions to call - * @return - the pointer to the CK_C_INITIALIZE_ARGS structure with the functions that will call - * the corresponding Java functions - */ -CK_C_INITIALIZE_ARGS_PTR makeCKInitArgsAdapter(JNIEnv *env, jobject jInitArgs) -{ - CK_C_INITIALIZE_ARGS_PTR ckpInitArgs; - jclass jInitArgsClass; - jfieldID fieldID; - jlong jFlags; - jobject jReserved; - CK_ULONG ckReservedLength; -#ifndef NO_CALLBACKS - jobject jMutexHandler; -#endif /* NO_CALLBACKS */ - - if(jInitArgs == NULL) { - return NULL_PTR; - } - - /* convert the Java InitArgs object to a pointer to a CK_C_INITIALIZE_ARGS structure */ - ckpInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS)); - if (ckpInitArgs == NULL) { - throwOutOfMemoryError(env, 0); - return NULL_PTR; - } - ckpInitArgs->flags = (CK_FLAGS)0; - ckpInitArgs->pReserved = (CK_VOID_PTR)NULL; - - /* Set the mutex functions that will call the Java mutex functions, but - * only set it, if the field is not null. - */ - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); - if (jInitArgsClass == NULL) { - free(ckpInitArgs); - return NULL; - } - -#ifdef NO_CALLBACKS - ckpInitArgs->CreateMutex = NULL_PTR; - ckpInitArgs->DestroyMutex = NULL_PTR; - ckpInitArgs->LockMutex = NULL_PTR; - ckpInitArgs->UnlockMutex = NULL_PTR; -#else - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "CreateMutex", "Lsun/security/pkcs11/wrapper/CK_CREATEMUTEX;"); - if (fieldID == NULL) { - free(ckpInitArgs); - return NULL; - } - jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); - ckpInitArgs->CreateMutex = (jMutexHandler != NULL) ? &callJCreateMutex : NULL_PTR; - - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "DestroyMutex", "Lsun/security/pkcs11/wrapper/CK_DESTROYMUTEX;"); - if (fieldID == NULL) { - free(ckpInitArgs); - return NULL; - } - jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); - ckpInitArgs->DestroyMutex = (jMutexHandler != NULL) ? &callJDestroyMutex : NULL_PTR; - - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "LockMutex", "Lsun/security/pkcs11/wrapper/CK_LOCKMUTEX;"); - if (fieldID == NULL) { - free(ckpInitArgs); - return NULL; - } - jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); - ckpInitArgs->LockMutex = (jMutexHandler != NULL) ? &callJLockMutex : NULL_PTR; - - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "UnlockMutex", "Lsun/security/pkcs11/wrapper/CK_UNLOCKMUTEX;"); - if (fieldID == NULL) { - free(ckpInitArgs); - return NULL; - } - jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); - ckpInitArgs->UnlockMutex = (jMutexHandler != NULL) ? &callJUnlockMutex : NULL_PTR; - - if ((ckpInitArgs->CreateMutex != NULL_PTR) - || (ckpInitArgs->DestroyMutex != NULL_PTR) - || (ckpInitArgs->LockMutex != NULL_PTR) - || (ckpInitArgs->UnlockMutex != NULL_PTR)) { - /* we only need to keep a global copy, if we need callbacks */ - /* set the global object jInitArgs so that the right Java mutex functions will be called */ - jInitArgsObject = (*env)->NewGlobalRef(env, jInitArgs); - ckpGlobalInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS)); - if (ckpGlobalInitArgs == NULL) { - free(ckpInitArgs); - throwOutOfMemoryError(env, 0); - return NULL_PTR; - } - - memcpy(ckpGlobalInitArgs, ckpInitArgs, sizeof(CK_C_INITIALIZE_ARGS)); - } -#endif /* NO_CALLBACKS */ - - /* convert and set the flags field */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "flags", "J"); - if (fieldID == NULL) { - free(ckpInitArgs); - return NULL; - } - jFlags = (*env)->GetLongField(env, jInitArgs, fieldID); - ckpInitArgs->flags = jLongToCKULong(jFlags); - - /* pReserved should be NULL_PTR in this version */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "pReserved", "Ljava/lang/Object;"); - if (fieldID == NULL) { - free(ckpInitArgs); - return NULL; - } - jReserved = (*env)->GetObjectField(env, jInitArgs, fieldID); - - /* we try to convert the reserved parameter also */ - jObjectToPrimitiveCKObjectPtrPtr(env, jReserved, &(ckpInitArgs->pReserved), &ckReservedLength); - - return ckpInitArgs ; -} - -#ifndef NO_CALLBACKS - -/* - * is the function that gets called by PKCS#11 to create a mutex and calls the Java - * CreateMutex function - * - * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields - * @param ppMutex - the new created mutex - * @return - should return CKR_OK if the mutex creation was ok - */ -CK_RV callJCreateMutex(CK_VOID_PTR_PTR ppMutex) -{ - extern JavaVM *jvm; - JNIEnv *env; - jint returnValue; - jthrowable pkcs11Exception; - jclass pkcs11ExceptionClass; - jlong errorCode; - CK_RV rv = CKR_OK; - int wasAttached = 1; - jclass jCreateMutexClass; - jclass jInitArgsClass; - jmethodID methodID; - jfieldID fieldID; - jobject jCreateMutex; - jobject jMutex; - - - /* Get the currently running Java VM */ - if (jvm == NULL) { return rv ;} /* there is no VM running */ - - /* Determine, if current thread is already attached */ - returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); - if (returnValue == JNI_EDETACHED) { - /* thread detached, so attach it */ - wasAttached = 0; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else if (returnValue == JNI_EVERSION) { - /* this version of JNI is not supported, so just try to attach */ - /* we assume it was attached to ensure that this thread is not detached - * afterwards even though it should not - */ - wasAttached = 1; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else { - /* attached */ - wasAttached = 1; - } - - jCreateMutexClass = (*env)->FindClass(env, CLASS_CREATEMUTEX); - if (jCreateMutexClass == NULL) { return rv; } - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); - if (jInitArgsClass == NULL) { return rv; } - - /* get the CreateMutex object out of the jInitArgs object */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "CreateMutex", "Lsun/security/pkcs11/wrapper/CK_CREATEMUTEX;"); - if (fieldID == NULL) { return rv; } - jCreateMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); - assert(jCreateMutex != 0); - - /* call the CK_CREATEMUTEX function of the CreateMutex object */ - /* and get the new Java mutex object */ - methodID = (*env)->GetMethodID(env, jCreateMutexClass, "CK_CREATEMUTEX", "()Ljava/lang/Object;"); - if (methodID == NULL) { return rv; } - jMutex = (*env)->CallObjectMethod(env, jCreateMutex, methodID); - - /* set a global reference on the Java mutex */ - jMutex = (*env)->NewGlobalRef(env, jMutex); - /* convert the Java mutex to a CK mutex */ - *ppMutex = jObjectToCKVoidPtr(jMutex); - - - /* check, if callback threw an exception */ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { - /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); - if (pkcs11ExceptionClass == NULL) { return rv; } - methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); - if (methodID == NULL) { return rv; } - - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); - rv = jLongToCKULong(errorCode); - } - - /* if we attached this thread to the VM just for callback, we detach it now */ - if (wasAttached) { - returnValue = (*jvm)->DetachCurrentThread(jvm); - } - - return rv ; -} - -/* - * is the function that gets called by PKCS#11 to destroy a mutex and calls the Java - * DestroyMutex function - * - * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields - * @param pMutex - the mutex to destroy - * @return - should return CKR_OK if the mutex was destroyed - */ -CK_RV callJDestroyMutex(CK_VOID_PTR pMutex) -{ - extern JavaVM *jvm; - JNIEnv *env; - jint returnValue; - jthrowable pkcs11Exception; - jclass pkcs11ExceptionClass; - jlong errorCode; - CK_RV rv = CKR_OK; - int wasAttached = 1; - jclass jDestroyMutexClass; - jclass jInitArgsClass; - jmethodID methodID; - jfieldID fieldID; - jobject jDestroyMutex; - jobject jMutex; - - - /* Get the currently running Java VM */ - if (jvm == NULL) { return rv ; } /* there is no VM running */ - - /* Determine, if current thread is already attached */ - returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); - if (returnValue == JNI_EDETACHED) { - /* thread detached, so attach it */ - wasAttached = 0; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else if (returnValue == JNI_EVERSION) { - /* this version of JNI is not supported, so just try to attach */ - /* we assume it was attached to ensure that this thread is not detached - * afterwards even though it should not - */ - wasAttached = 1; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else { - /* attached */ - wasAttached = 1; - } - - jDestroyMutexClass = (*env)->FindClass(env, CLASS_DESTROYMUTEX); - if (jDestroyMutexClass == NULL) { return rv; } - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); - if (jInitArgsClass == NULL) { return rv; } - - /* convert the CK mutex to a Java mutex */ - jMutex = ckVoidPtrToJObject(pMutex); - - /* get the DestroyMutex object out of the jInitArgs object */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "DestroyMutex", "Lsun/security/pkcs11/wrapper/CK_DESTROYMUTEX;"); - if (fieldID == NULL) { return rv; } - jDestroyMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); - assert(jDestroyMutex != 0); - - /* call the CK_DESTROYMUTEX method of the DestroyMutex object */ - methodID = (*env)->GetMethodID(env, jDestroyMutexClass, "CK_DESTROYMUTEX", "(Ljava/lang/Object;)V"); - if (methodID == NULL) { return rv; } - (*env)->CallVoidMethod(env, jDestroyMutex, methodID, jMutex); - - /* delete the global reference on the Java mutex */ - (*env)->DeleteGlobalRef(env, jMutex); - - - /* check, if callback threw an exception */ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { - /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); - if (pkcs11ExceptionClass == NULL) { return rv; } - methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); - if (methodID == NULL) { return rv; } - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); - rv = jLongToCKULong(errorCode); - } - - /* if we attached this thread to the VM just for callback, we detach it now */ - if (wasAttached) { - returnValue = (*jvm)->DetachCurrentThread(jvm); - } - - return rv ; -} - -/* - * is the function that gets called by PKCS#11 to lock a mutex and calls the Java - * LockMutex function - * - * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields - * @param pMutex - the mutex to lock - * @return - should return CKR_OK if the mutex was not locked already - */ -CK_RV callJLockMutex(CK_VOID_PTR pMutex) -{ - extern JavaVM *jvm; - JNIEnv *env; - jint returnValue; - jthrowable pkcs11Exception; - jclass pkcs11ExceptionClass; - jlong errorCode; - CK_RV rv = CKR_OK; - int wasAttached = 1; - jclass jLockMutexClass; - jclass jInitArgsClass; - jmethodID methodID; - jfieldID fieldID; - jobject jLockMutex; - jobject jMutex; - - - /* Get the currently running Java VM */ - if (jvm == NULL) { return rv ; } /* there is no VM running */ - - /* Determine, if current thread is already attached */ - returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); - if (returnValue == JNI_EDETACHED) { - /* thread detached, so attach it */ - wasAttached = 0; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else if (returnValue == JNI_EVERSION) { - /* this version of JNI is not supported, so just try to attach */ - /* we assume it was attached to ensure that this thread is not detached - * afterwards even though it should not - */ - wasAttached = 1; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else { - /* attached */ - wasAttached = 1; - } - - jLockMutexClass = (*env)->FindClass(env, CLASS_LOCKMUTEX); - if (jLockMutexClass == NULL) { return rv; } - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); - if (jInitArgsClass == NULL) { return rv; } - - /* convert the CK mutex to a Java mutex */ - jMutex = ckVoidPtrToJObject(pMutex); - - /* get the LockMutex object out of the jInitArgs object */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "LockMutex", "Lsun/security/pkcs11/wrapper/CK_LOCKMUTEX;"); - if (fieldID == NULL) { return rv; } - jLockMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); - assert(jLockMutex != 0); - - /* call the CK_LOCKMUTEX method of the LockMutex object */ - methodID = (*env)->GetMethodID(env, jLockMutexClass, "CK_LOCKMUTEX", "(Ljava/lang/Object;)V"); - if (methodID == NULL) { return rv; } - (*env)->CallVoidMethod(env, jLockMutex, methodID, jMutex); - - /* check, if callback threw an exception */ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { - /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); - if (pkcs11ExceptionClass == NULL) { return rv; } - methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); - if (methodID == NULL) { return rv; } - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); - rv = jLongToCKULong(errorCode); - } - - /* if we attached this thread to the VM just for callback, we detach it now */ - if (wasAttached) { - returnValue = (*jvm)->DetachCurrentThread(jvm); - } - - return rv ; -} - -/* - * is the function that gets called by PKCS#11 to unlock a mutex and calls the Java - * UnlockMutex function - * - * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields - * @param pMutex - the mutex to unlock - * @return - should return CKR_OK if the mutex was not unlocked already - */ -CK_RV callJUnlockMutex(CK_VOID_PTR pMutex) -{ - extern JavaVM *jvm; - JNIEnv *env; - jint returnValue; - jthrowable pkcs11Exception; - jclass pkcs11ExceptionClass; - jlong errorCode; - CK_RV rv = CKR_OK; - int wasAttached = 1; - jclass jUnlockMutexClass; - jclass jInitArgsClass; - jmethodID methodID; - jfieldID fieldID; - jobject jUnlockMutex; - jobject jMutex; - - - /* Get the currently running Java VM */ - if (jvm == NULL) { return rv ; } /* there is no VM running */ - - /* Determine, if current thread is already attached */ - returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); - if (returnValue == JNI_EDETACHED) { - /* thread detached, so attach it */ - wasAttached = 0; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else if (returnValue == JNI_EVERSION) { - /* this version of JNI is not supported, so just try to attach */ - /* we assume it was attached to ensure that this thread is not detached - * afterwards even though it should not - */ - wasAttached = 1; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else { - /* attached */ - wasAttached = 1; - } - - jUnlockMutexClass = (*env)->FindClass(env, CLASS_UNLOCKMUTEX); - if (jUnlockMutexClass == NULL) { return rv; } - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); - if (jInitArgsClass == NULL) { return rv; } - - /* convert the CK-type mutex to a Java mutex */ - jMutex = ckVoidPtrToJObject(pMutex); - - /* get the UnlockMutex object out of the jInitArgs object */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "UnlockMutex", "Lsun/security/pkcs11/wrapper/CK_UNLOCKMUTEX;"); - if (fieldID == NULL) { return rv; } - jUnlockMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); - assert(jUnlockMutex != 0); - - /* call the CK_UNLOCKMUTEX method of the UnLockMutex object */ - methodID = (*env)->GetMethodID(env, jUnlockMutexClass, "CK_UNLOCKMUTEX", "(Ljava/lang/Object;)V"); - if (methodID == NULL) { return rv; } - (*env)->CallVoidMethod(env, jUnlockMutex, methodID, jMutex); - - /* check, if callback threw an exception */ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { - /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); - if (pkcs11ExceptionClass == NULL) { return rv; } - methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); - if (methodID == NULL) { return rv; } - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); - rv = jLongToCKULong(errorCode); - } - - /* if we attached this thread to the VM just for callback, we detach it now */ - if (wasAttached) { - returnValue = (*jvm)->DetachCurrentThread(jvm); - } - - return rv ; -} - -#endif /* NO_CALLBACKS */ --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_mutex.c 2017-01-20 09:52:57.374288237 -0800 @@ -0,0 +1,552 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +/* The initArgs that enable the application to do custom mutex-handling */ +#ifndef NO_CALLBACKS +jobject jInitArgsObject; +CK_C_INITIALIZE_ARGS_PTR ckpGlobalInitArgs; +#endif /* NO_CALLBACKS */ + +/* ************************************************************************** */ +/* Now come the functions for mutex handling and notification callbacks */ +/* ************************************************************************** */ + +/* + * converts the InitArgs object to a CK_C_INITIALIZE_ARGS structure and sets the functions + * that will call the right Java mutex functions + * + * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields + * @param pInitArgs - the InitArgs object with the Java mutex functions to call + * @return - the pointer to the CK_C_INITIALIZE_ARGS structure with the functions that will call + * the corresponding Java functions + */ +CK_C_INITIALIZE_ARGS_PTR makeCKInitArgsAdapter(JNIEnv *env, jobject jInitArgs) +{ + CK_C_INITIALIZE_ARGS_PTR ckpInitArgs; + jclass jInitArgsClass; + jfieldID fieldID; + jlong jFlags; + jobject jReserved; + CK_ULONG ckReservedLength; +#ifndef NO_CALLBACKS + jobject jMutexHandler; +#endif /* NO_CALLBACKS */ + + if(jInitArgs == NULL) { + return NULL_PTR; + } + + /* convert the Java InitArgs object to a pointer to a CK_C_INITIALIZE_ARGS structure */ + ckpInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS)); + if (ckpInitArgs == NULL) { + throwOutOfMemoryError(env, 0); + return NULL_PTR; + } + ckpInitArgs->flags = (CK_FLAGS)0; + ckpInitArgs->pReserved = (CK_VOID_PTR)NULL; + + /* Set the mutex functions that will call the Java mutex functions, but + * only set it, if the field is not null. + */ + jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); + if (jInitArgsClass == NULL) { + free(ckpInitArgs); + return NULL; + } + +#ifdef NO_CALLBACKS + ckpInitArgs->CreateMutex = NULL_PTR; + ckpInitArgs->DestroyMutex = NULL_PTR; + ckpInitArgs->LockMutex = NULL_PTR; + ckpInitArgs->UnlockMutex = NULL_PTR; +#else + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "CreateMutex", "Lsun/security/pkcs11/wrapper/CK_CREATEMUTEX;"); + if (fieldID == NULL) { + free(ckpInitArgs); + return NULL; + } + jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); + ckpInitArgs->CreateMutex = (jMutexHandler != NULL) ? &callJCreateMutex : NULL_PTR; + + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "DestroyMutex", "Lsun/security/pkcs11/wrapper/CK_DESTROYMUTEX;"); + if (fieldID == NULL) { + free(ckpInitArgs); + return NULL; + } + jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); + ckpInitArgs->DestroyMutex = (jMutexHandler != NULL) ? &callJDestroyMutex : NULL_PTR; + + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "LockMutex", "Lsun/security/pkcs11/wrapper/CK_LOCKMUTEX;"); + if (fieldID == NULL) { + free(ckpInitArgs); + return NULL; + } + jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); + ckpInitArgs->LockMutex = (jMutexHandler != NULL) ? &callJLockMutex : NULL_PTR; + + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "UnlockMutex", "Lsun/security/pkcs11/wrapper/CK_UNLOCKMUTEX;"); + if (fieldID == NULL) { + free(ckpInitArgs); + return NULL; + } + jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); + ckpInitArgs->UnlockMutex = (jMutexHandler != NULL) ? &callJUnlockMutex : NULL_PTR; + + if ((ckpInitArgs->CreateMutex != NULL_PTR) + || (ckpInitArgs->DestroyMutex != NULL_PTR) + || (ckpInitArgs->LockMutex != NULL_PTR) + || (ckpInitArgs->UnlockMutex != NULL_PTR)) { + /* we only need to keep a global copy, if we need callbacks */ + /* set the global object jInitArgs so that the right Java mutex functions will be called */ + jInitArgsObject = (*env)->NewGlobalRef(env, jInitArgs); + ckpGlobalInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS)); + if (ckpGlobalInitArgs == NULL) { + free(ckpInitArgs); + throwOutOfMemoryError(env, 0); + return NULL_PTR; + } + + memcpy(ckpGlobalInitArgs, ckpInitArgs, sizeof(CK_C_INITIALIZE_ARGS)); + } +#endif /* NO_CALLBACKS */ + + /* convert and set the flags field */ + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "flags", "J"); + if (fieldID == NULL) { + free(ckpInitArgs); + return NULL; + } + jFlags = (*env)->GetLongField(env, jInitArgs, fieldID); + ckpInitArgs->flags = jLongToCKULong(jFlags); + + /* pReserved should be NULL_PTR in this version */ + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "pReserved", "Ljava/lang/Object;"); + if (fieldID == NULL) { + free(ckpInitArgs); + return NULL; + } + jReserved = (*env)->GetObjectField(env, jInitArgs, fieldID); + + /* we try to convert the reserved parameter also */ + jObjectToPrimitiveCKObjectPtrPtr(env, jReserved, &(ckpInitArgs->pReserved), &ckReservedLength); + + return ckpInitArgs ; +} + +#ifndef NO_CALLBACKS + +/* + * is the function that gets called by PKCS#11 to create a mutex and calls the Java + * CreateMutex function + * + * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields + * @param ppMutex - the new created mutex + * @return - should return CKR_OK if the mutex creation was ok + */ +CK_RV callJCreateMutex(CK_VOID_PTR_PTR ppMutex) +{ + extern JavaVM *jvm; + JNIEnv *env; + jint returnValue; + jthrowable pkcs11Exception; + jclass pkcs11ExceptionClass; + jlong errorCode; + CK_RV rv = CKR_OK; + int wasAttached = 1; + jclass jCreateMutexClass; + jclass jInitArgsClass; + jmethodID methodID; + jfieldID fieldID; + jobject jCreateMutex; + jobject jMutex; + + + /* Get the currently running Java VM */ + if (jvm == NULL) { return rv ;} /* there is no VM running */ + + /* Determine, if current thread is already attached */ + returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); + if (returnValue == JNI_EDETACHED) { + /* thread detached, so attach it */ + wasAttached = 0; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else if (returnValue == JNI_EVERSION) { + /* this version of JNI is not supported, so just try to attach */ + /* we assume it was attached to ensure that this thread is not detached + * afterwards even though it should not + */ + wasAttached = 1; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else { + /* attached */ + wasAttached = 1; + } + + jCreateMutexClass = (*env)->FindClass(env, CLASS_CREATEMUTEX); + if (jCreateMutexClass == NULL) { return rv; } + jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); + if (jInitArgsClass == NULL) { return rv; } + + /* get the CreateMutex object out of the jInitArgs object */ + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "CreateMutex", "Lsun/security/pkcs11/wrapper/CK_CREATEMUTEX;"); + if (fieldID == NULL) { return rv; } + jCreateMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); + assert(jCreateMutex != 0); + + /* call the CK_CREATEMUTEX function of the CreateMutex object */ + /* and get the new Java mutex object */ + methodID = (*env)->GetMethodID(env, jCreateMutexClass, "CK_CREATEMUTEX", "()Ljava/lang/Object;"); + if (methodID == NULL) { return rv; } + jMutex = (*env)->CallObjectMethod(env, jCreateMutex, methodID); + + /* set a global reference on the Java mutex */ + jMutex = (*env)->NewGlobalRef(env, jMutex); + /* convert the Java mutex to a CK mutex */ + *ppMutex = jObjectToCKVoidPtr(jMutex); + + + /* check, if callback threw an exception */ + pkcs11Exception = (*env)->ExceptionOccurred(env); + + if (pkcs11Exception != NULL) { + /* TBD: clear the pending exception with ExceptionClear? */ + /* The was an exception thrown, now we get the error-code from it */ + pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); + if (pkcs11ExceptionClass == NULL) { return rv; } + methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); + if (methodID == NULL) { return rv; } + + errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); + rv = jLongToCKULong(errorCode); + } + + /* if we attached this thread to the VM just for callback, we detach it now */ + if (wasAttached) { + returnValue = (*jvm)->DetachCurrentThread(jvm); + } + + return rv ; +} + +/* + * is the function that gets called by PKCS#11 to destroy a mutex and calls the Java + * DestroyMutex function + * + * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields + * @param pMutex - the mutex to destroy + * @return - should return CKR_OK if the mutex was destroyed + */ +CK_RV callJDestroyMutex(CK_VOID_PTR pMutex) +{ + extern JavaVM *jvm; + JNIEnv *env; + jint returnValue; + jthrowable pkcs11Exception; + jclass pkcs11ExceptionClass; + jlong errorCode; + CK_RV rv = CKR_OK; + int wasAttached = 1; + jclass jDestroyMutexClass; + jclass jInitArgsClass; + jmethodID methodID; + jfieldID fieldID; + jobject jDestroyMutex; + jobject jMutex; + + + /* Get the currently running Java VM */ + if (jvm == NULL) { return rv ; } /* there is no VM running */ + + /* Determine, if current thread is already attached */ + returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); + if (returnValue == JNI_EDETACHED) { + /* thread detached, so attach it */ + wasAttached = 0; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else if (returnValue == JNI_EVERSION) { + /* this version of JNI is not supported, so just try to attach */ + /* we assume it was attached to ensure that this thread is not detached + * afterwards even though it should not + */ + wasAttached = 1; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else { + /* attached */ + wasAttached = 1; + } + + jDestroyMutexClass = (*env)->FindClass(env, CLASS_DESTROYMUTEX); + if (jDestroyMutexClass == NULL) { return rv; } + jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); + if (jInitArgsClass == NULL) { return rv; } + + /* convert the CK mutex to a Java mutex */ + jMutex = ckVoidPtrToJObject(pMutex); + + /* get the DestroyMutex object out of the jInitArgs object */ + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "DestroyMutex", "Lsun/security/pkcs11/wrapper/CK_DESTROYMUTEX;"); + if (fieldID == NULL) { return rv; } + jDestroyMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); + assert(jDestroyMutex != 0); + + /* call the CK_DESTROYMUTEX method of the DestroyMutex object */ + methodID = (*env)->GetMethodID(env, jDestroyMutexClass, "CK_DESTROYMUTEX", "(Ljava/lang/Object;)V"); + if (methodID == NULL) { return rv; } + (*env)->CallVoidMethod(env, jDestroyMutex, methodID, jMutex); + + /* delete the global reference on the Java mutex */ + (*env)->DeleteGlobalRef(env, jMutex); + + + /* check, if callback threw an exception */ + pkcs11Exception = (*env)->ExceptionOccurred(env); + + if (pkcs11Exception != NULL) { + /* TBD: clear the pending exception with ExceptionClear? */ + /* The was an exception thrown, now we get the error-code from it */ + pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); + if (pkcs11ExceptionClass == NULL) { return rv; } + methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); + if (methodID == NULL) { return rv; } + errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); + rv = jLongToCKULong(errorCode); + } + + /* if we attached this thread to the VM just for callback, we detach it now */ + if (wasAttached) { + returnValue = (*jvm)->DetachCurrentThread(jvm); + } + + return rv ; +} + +/* + * is the function that gets called by PKCS#11 to lock a mutex and calls the Java + * LockMutex function + * + * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields + * @param pMutex - the mutex to lock + * @return - should return CKR_OK if the mutex was not locked already + */ +CK_RV callJLockMutex(CK_VOID_PTR pMutex) +{ + extern JavaVM *jvm; + JNIEnv *env; + jint returnValue; + jthrowable pkcs11Exception; + jclass pkcs11ExceptionClass; + jlong errorCode; + CK_RV rv = CKR_OK; + int wasAttached = 1; + jclass jLockMutexClass; + jclass jInitArgsClass; + jmethodID methodID; + jfieldID fieldID; + jobject jLockMutex; + jobject jMutex; + + + /* Get the currently running Java VM */ + if (jvm == NULL) { return rv ; } /* there is no VM running */ + + /* Determine, if current thread is already attached */ + returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); + if (returnValue == JNI_EDETACHED) { + /* thread detached, so attach it */ + wasAttached = 0; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else if (returnValue == JNI_EVERSION) { + /* this version of JNI is not supported, so just try to attach */ + /* we assume it was attached to ensure that this thread is not detached + * afterwards even though it should not + */ + wasAttached = 1; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else { + /* attached */ + wasAttached = 1; + } + + jLockMutexClass = (*env)->FindClass(env, CLASS_LOCKMUTEX); + if (jLockMutexClass == NULL) { return rv; } + jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); + if (jInitArgsClass == NULL) { return rv; } + + /* convert the CK mutex to a Java mutex */ + jMutex = ckVoidPtrToJObject(pMutex); + + /* get the LockMutex object out of the jInitArgs object */ + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "LockMutex", "Lsun/security/pkcs11/wrapper/CK_LOCKMUTEX;"); + if (fieldID == NULL) { return rv; } + jLockMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); + assert(jLockMutex != 0); + + /* call the CK_LOCKMUTEX method of the LockMutex object */ + methodID = (*env)->GetMethodID(env, jLockMutexClass, "CK_LOCKMUTEX", "(Ljava/lang/Object;)V"); + if (methodID == NULL) { return rv; } + (*env)->CallVoidMethod(env, jLockMutex, methodID, jMutex); + + /* check, if callback threw an exception */ + pkcs11Exception = (*env)->ExceptionOccurred(env); + + if (pkcs11Exception != NULL) { + /* TBD: clear the pending exception with ExceptionClear? */ + /* The was an exception thrown, now we get the error-code from it */ + pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); + if (pkcs11ExceptionClass == NULL) { return rv; } + methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); + if (methodID == NULL) { return rv; } + errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); + rv = jLongToCKULong(errorCode); + } + + /* if we attached this thread to the VM just for callback, we detach it now */ + if (wasAttached) { + returnValue = (*jvm)->DetachCurrentThread(jvm); + } + + return rv ; +} + +/* + * is the function that gets called by PKCS#11 to unlock a mutex and calls the Java + * UnlockMutex function + * + * @param env - used to call JNI funktions to get the Java classes, objects, methods and fields + * @param pMutex - the mutex to unlock + * @return - should return CKR_OK if the mutex was not unlocked already + */ +CK_RV callJUnlockMutex(CK_VOID_PTR pMutex) +{ + extern JavaVM *jvm; + JNIEnv *env; + jint returnValue; + jthrowable pkcs11Exception; + jclass pkcs11ExceptionClass; + jlong errorCode; + CK_RV rv = CKR_OK; + int wasAttached = 1; + jclass jUnlockMutexClass; + jclass jInitArgsClass; + jmethodID methodID; + jfieldID fieldID; + jobject jUnlockMutex; + jobject jMutex; + + + /* Get the currently running Java VM */ + if (jvm == NULL) { return rv ; } /* there is no VM running */ + + /* Determine, if current thread is already attached */ + returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); + if (returnValue == JNI_EDETACHED) { + /* thread detached, so attach it */ + wasAttached = 0; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else if (returnValue == JNI_EVERSION) { + /* this version of JNI is not supported, so just try to attach */ + /* we assume it was attached to ensure that this thread is not detached + * afterwards even though it should not + */ + wasAttached = 1; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else { + /* attached */ + wasAttached = 1; + } + + jUnlockMutexClass = (*env)->FindClass(env, CLASS_UNLOCKMUTEX); + if (jUnlockMutexClass == NULL) { return rv; } + jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); + if (jInitArgsClass == NULL) { return rv; } + + /* convert the CK-type mutex to a Java mutex */ + jMutex = ckVoidPtrToJObject(pMutex); + + /* get the UnlockMutex object out of the jInitArgs object */ + fieldID = (*env)->GetFieldID(env, jInitArgsClass, "UnlockMutex", "Lsun/security/pkcs11/wrapper/CK_UNLOCKMUTEX;"); + if (fieldID == NULL) { return rv; } + jUnlockMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); + assert(jUnlockMutex != 0); + + /* call the CK_UNLOCKMUTEX method of the UnLockMutex object */ + methodID = (*env)->GetMethodID(env, jUnlockMutexClass, "CK_UNLOCKMUTEX", "(Ljava/lang/Object;)V"); + if (methodID == NULL) { return rv; } + (*env)->CallVoidMethod(env, jUnlockMutex, methodID, jMutex); + + /* check, if callback threw an exception */ + pkcs11Exception = (*env)->ExceptionOccurred(env); + + if (pkcs11Exception != NULL) { + /* TBD: clear the pending exception with ExceptionClear? */ + /* The was an exception thrown, now we get the error-code from it */ + pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); + if (pkcs11ExceptionClass == NULL) { return rv; } + methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); + if (methodID == NULL) { return rv; } + errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); + rv = jLongToCKULong(errorCode); + } + + /* if we attached this thread to the VM just for callback, we detach it now */ + if (wasAttached) { + returnValue = (*jvm)->DetachCurrentThread(jvm); + } + + return rv ; +} + +#endif /* NO_CALLBACKS */ --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_objmgmt.c 2017-01-20 09:52:57.942288216 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,429 +0,0 @@ -/* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -#ifdef P11_ENABLE_C_CREATEOBJECT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_CreateObject - * Signature: (J[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate - * CK_ULONG ulCount - * @return jlong jObjectHandle CK_OBJECT_HANDLE_PTR phObject - */ -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CreateObject - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobjectArray jTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_OBJECT_HANDLE ckObjectHandle; - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - jlong jObjectHandle = 0L; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0L; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); - if ((*env)->ExceptionCheck(env)) { return 0L; } - - rv = (*ckpFunctions->C_CreateObject)(ckSessionHandle, ckpAttributes, ckAttributesLength, &ckObjectHandle); - - jObjectHandle = ckULongToJLong(ckObjectHandle); - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } - - return jObjectHandle ; -} -#endif - -#ifdef P11_ENABLE_C_COPYOBJECT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_CopyObject - * Signature: (JJ[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject - * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate - * CK_ULONG ulCount - * @return jlong jNewObjectHandle CK_OBJECT_HANDLE_PTR phNewObject - */ -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CopyObject - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle, jobjectArray jTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_OBJECT_HANDLE ckObjectHandle; - CK_OBJECT_HANDLE ckNewObjectHandle; - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - jlong jNewObjectHandle = 0L; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0L; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckObjectHandle = jLongToCKULong(jObjectHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); - if ((*env)->ExceptionCheck(env)) { return 0L; } - - rv = (*ckpFunctions->C_CopyObject)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength, &ckNewObjectHandle); - - jNewObjectHandle = ckULongToJLong(ckNewObjectHandle); - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } - - return jNewObjectHandle ; -} -#endif - -#ifdef P11_ENABLE_C_DESTROYOBJECT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_DestroyObject - * Signature: (JJ)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DestroyObject - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_OBJECT_HANDLE ckObjectHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckObjectHandle = jLongToCKULong(jObjectHandle); - - rv = (*ckpFunctions->C_DestroyObject)(ckSessionHandle, ckObjectHandle); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_GETOBJECTSIZE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetObjectSize - * Signature: (JJ)J - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject - * @return jlong jObjectSize CK_ULONG_PTR pulSize - */ -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetObjectSize - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_OBJECT_HANDLE ckObjectHandle; - CK_ULONG ckObjectSize; - jlong jObjectSize = 0L; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0L; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckObjectHandle = jLongToCKULong(jObjectHandle); - - rv = (*ckpFunctions->C_GetObjectSize)(ckSessionHandle, ckObjectHandle, &ckObjectSize); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } - - jObjectSize = ckULongToJLong(ckObjectSize); - - return jObjectSize ; -} -#endif - -#ifdef P11_ENABLE_C_GETATTRIBUTEVALUE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetAttributeValue - * Signature: (JJ[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE; - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject - * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate - * CK_ULONG ulCount - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetAttributeValue - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle, jobjectArray jTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_OBJECT_HANDLE ckObjectHandle; - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_ULONG ckBufferLength; - CK_ULONG i; - jobject jAttribute; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - TRACE0("DEBUG: C_GetAttributeValue"); - TRACE1(", hSession=%u", jSessionHandle); - TRACE1(", hObject=%u", jObjectHandle); - TRACE1(", pTemplate=%p", jTemplate); - TRACE0(" ... "); - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckObjectHandle = jLongToCKULong(jObjectHandle); - TRACE1("jAttributeArrayToCKAttributeArray now with jTemplate = %d", jTemplate); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); - if ((*env)->ExceptionCheck(env)) { return; } - - TRACE2("DEBUG: jAttributeArrayToCKAttributeArray finished with ckpAttribute = %d, Length = %d\n", ckpAttributes, ckAttributesLength); - - /* first set all pValue to NULL, to get the needed buffer length */ - for(i = 0; i < ckAttributesLength; i++) { - if (ckpAttributes[i].pValue != NULL_PTR) { - free(ckpAttributes[i].pValue); - ckpAttributes[i].pValue = NULL_PTR; - } - } - - rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - free(ckpAttributes); - return ; - } - - /* now, the ulValueLength field of each attribute should hold the exact buffer length needed - * allocate the needed buffers accordingly - */ - for (i = 0; i < ckAttributesLength; i++) { - ckBufferLength = sizeof(CK_BYTE) * ckpAttributes[i].ulValueLen; - ckpAttributes[i].pValue = (void *) malloc(ckBufferLength); - if (ckpAttributes[i].pValue == NULL) { - freeCKAttributeArray(ckpAttributes, i); - throwOutOfMemoryError(env, 0); - return; - } - ckpAttributes[i].ulValueLen = ckBufferLength; - } - - /* now get the attributes with all values */ - rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); - - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - /* copy back the values to the Java attributes */ - for (i = 0; i < ckAttributesLength; i++) { - jAttribute = ckAttributePtrToJAttribute(env, &(ckpAttributes[i])); - if (jAttribute == NULL) { - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - return; - } - (*env)->SetObjectArrayElement(env, jTemplate, i, jAttribute); - if ((*env)->ExceptionCheck(env)) { - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - return; - } - } - } - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - TRACE0("FINISHED\n"); -} -#endif - -#ifdef P11_ENABLE_C_SETATTRIBUTEVALUE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SetAttributeValue - * Signature: (JJ[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject - * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate - * CK_ULONG ulCount - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetAttributeValue - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle, jobjectArray jTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_OBJECT_HANDLE ckObjectHandle; - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckObjectHandle = jLongToCKULong(jObjectHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); - if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_SetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); - - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_FINDOBJECTSINIT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_FindObjectsInit - * Signature: (J[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate - * CK_ULONG ulCount - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1FindObjectsInit - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobjectArray jTemplate) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - TRACE0("DEBUG: C_FindObjectsInit"); - TRACE1(", hSession=%u", jSessionHandle); - TRACE1(", pTemplate=%p", jTemplate); - TRACE0(" ... "); - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); - if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_FindObjectsInit)(ckSessionHandle, ckpAttributes, ckAttributesLength); - - freeCKAttributeArray(ckpAttributes, ckAttributesLength); - TRACE0("FINISHED\n"); - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_FINDOBJECTS -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_FindObjects - * Signature: (JJ)[J - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jlong jMaxObjectCount CK_ULONG ulMaxObjectCount - * @return jlongArray jObjectHandleArray CK_OBJECT_HANDLE_PTR phObject - * CK_ULONG_PTR pulObjectCount - */ -JNIEXPORT jlongArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1FindObjects - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jMaxObjectCount) -{ - CK_RV rv; - CK_SESSION_HANDLE ckSessionHandle; - CK_ULONG ckMaxObjectLength; - CK_OBJECT_HANDLE_PTR ckpObjectHandleArray; - CK_ULONG ckActualObjectCount; - jlongArray jObjectHandleArray = NULL; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckMaxObjectLength = jLongToCKULong(jMaxObjectCount); - ckpObjectHandleArray = (CK_OBJECT_HANDLE_PTR) malloc(sizeof(CK_OBJECT_HANDLE) * ckMaxObjectLength); - if (ckpObjectHandleArray == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_FindObjects)(ckSessionHandle, ckpObjectHandleArray, ckMaxObjectLength, &ckActualObjectCount); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jObjectHandleArray = ckULongArrayToJLongArray(env, ckpObjectHandleArray, ckActualObjectCount); - } - - free(ckpObjectHandleArray); - - return jObjectHandleArray ; -} -#endif - -#ifdef P11_ENABLE_C_FINDOBJECTSFINAL -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_FindObjectsFinal - * Signature: (J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1FindObjectsFinal - (JNIEnv *env, jobject obj, jlong jSessionHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - rv = (*ckpFunctions->C_FindObjectsFinal)(ckSessionHandle); - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c 2017-01-20 09:52:57.722288224 -0800 @@ -0,0 +1,429 @@ +/* + * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +#ifdef P11_ENABLE_C_CREATEOBJECT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_CreateObject + * Signature: (J[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate + * CK_ULONG ulCount + * @return jlong jObjectHandle CK_OBJECT_HANDLE_PTR phObject + */ +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CreateObject + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobjectArray jTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_OBJECT_HANDLE ckObjectHandle; + CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; + CK_ULONG ckAttributesLength; + jlong jObjectHandle = 0L; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0L; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); + if ((*env)->ExceptionCheck(env)) { return 0L; } + + rv = (*ckpFunctions->C_CreateObject)(ckSessionHandle, ckpAttributes, ckAttributesLength, &ckObjectHandle); + + jObjectHandle = ckULongToJLong(ckObjectHandle); + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } + + return jObjectHandle ; +} +#endif + +#ifdef P11_ENABLE_C_COPYOBJECT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_CopyObject + * Signature: (JJ[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject + * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate + * CK_ULONG ulCount + * @return jlong jNewObjectHandle CK_OBJECT_HANDLE_PTR phNewObject + */ +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CopyObject + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle, jobjectArray jTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_OBJECT_HANDLE ckObjectHandle; + CK_OBJECT_HANDLE ckNewObjectHandle; + CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; + CK_ULONG ckAttributesLength; + jlong jNewObjectHandle = 0L; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0L; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckObjectHandle = jLongToCKULong(jObjectHandle); + jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); + if ((*env)->ExceptionCheck(env)) { return 0L; } + + rv = (*ckpFunctions->C_CopyObject)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength, &ckNewObjectHandle); + + jNewObjectHandle = ckULongToJLong(ckNewObjectHandle); + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + + if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } + + return jNewObjectHandle ; +} +#endif + +#ifdef P11_ENABLE_C_DESTROYOBJECT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_DestroyObject + * Signature: (JJ)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DestroyObject + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_OBJECT_HANDLE ckObjectHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckObjectHandle = jLongToCKULong(jObjectHandle); + + rv = (*ckpFunctions->C_DestroyObject)(ckSessionHandle, ckObjectHandle); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_GETOBJECTSIZE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetObjectSize + * Signature: (JJ)J + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject + * @return jlong jObjectSize CK_ULONG_PTR pulSize + */ +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetObjectSize + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_OBJECT_HANDLE ckObjectHandle; + CK_ULONG ckObjectSize; + jlong jObjectSize = 0L; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0L; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckObjectHandle = jLongToCKULong(jObjectHandle); + + rv = (*ckpFunctions->C_GetObjectSize)(ckSessionHandle, ckObjectHandle, &ckObjectSize); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } + + jObjectSize = ckULongToJLong(ckObjectSize); + + return jObjectSize ; +} +#endif + +#ifdef P11_ENABLE_C_GETATTRIBUTEVALUE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetAttributeValue + * Signature: (JJ[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE; + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject + * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate + * CK_ULONG ulCount + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetAttributeValue + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle, jobjectArray jTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_OBJECT_HANDLE ckObjectHandle; + CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; + CK_ULONG ckAttributesLength; + CK_ULONG ckBufferLength; + CK_ULONG i; + jobject jAttribute; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + TRACE0("DEBUG: C_GetAttributeValue"); + TRACE1(", hSession=%u", jSessionHandle); + TRACE1(", hObject=%u", jObjectHandle); + TRACE1(", pTemplate=%p", jTemplate); + TRACE0(" ... "); + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckObjectHandle = jLongToCKULong(jObjectHandle); + TRACE1("jAttributeArrayToCKAttributeArray now with jTemplate = %d", jTemplate); + jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); + if ((*env)->ExceptionCheck(env)) { return; } + + TRACE2("DEBUG: jAttributeArrayToCKAttributeArray finished with ckpAttribute = %d, Length = %d\n", ckpAttributes, ckAttributesLength); + + /* first set all pValue to NULL, to get the needed buffer length */ + for(i = 0; i < ckAttributesLength; i++) { + if (ckpAttributes[i].pValue != NULL_PTR) { + free(ckpAttributes[i].pValue); + ckpAttributes[i].pValue = NULL_PTR; + } + } + + rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + free(ckpAttributes); + return ; + } + + /* now, the ulValueLength field of each attribute should hold the exact buffer length needed + * allocate the needed buffers accordingly + */ + for (i = 0; i < ckAttributesLength; i++) { + ckBufferLength = sizeof(CK_BYTE) * ckpAttributes[i].ulValueLen; + ckpAttributes[i].pValue = (void *) malloc(ckBufferLength); + if (ckpAttributes[i].pValue == NULL) { + freeCKAttributeArray(ckpAttributes, i); + throwOutOfMemoryError(env, 0); + return; + } + ckpAttributes[i].ulValueLen = ckBufferLength; + } + + /* now get the attributes with all values */ + rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); + + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + /* copy back the values to the Java attributes */ + for (i = 0; i < ckAttributesLength; i++) { + jAttribute = ckAttributePtrToJAttribute(env, &(ckpAttributes[i])); + if (jAttribute == NULL) { + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + return; + } + (*env)->SetObjectArrayElement(env, jTemplate, i, jAttribute); + if ((*env)->ExceptionCheck(env)) { + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + return; + } + } + } + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + TRACE0("FINISHED\n"); +} +#endif + +#ifdef P11_ENABLE_C_SETATTRIBUTEVALUE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SetAttributeValue + * Signature: (JJ[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jlong jObjectHandle CK_OBJECT_HANDLE hObject + * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate + * CK_ULONG ulCount + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetAttributeValue + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle, jobjectArray jTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_OBJECT_HANDLE ckObjectHandle; + CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; + CK_ULONG ckAttributesLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckObjectHandle = jLongToCKULong(jObjectHandle); + jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); + if ((*env)->ExceptionCheck(env)) { return; } + + rv = (*ckpFunctions->C_SetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); + + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + + if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_FINDOBJECTSINIT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_FindObjectsInit + * Signature: (J[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobjectArray jTemplate CK_ATTRIBUTE_PTR pTemplate + * CK_ULONG ulCount + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1FindObjectsInit + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobjectArray jTemplate) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; + CK_ULONG ckAttributesLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + TRACE0("DEBUG: C_FindObjectsInit"); + TRACE1(", hSession=%u", jSessionHandle); + TRACE1(", pTemplate=%p", jTemplate); + TRACE0(" ... "); + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); + if ((*env)->ExceptionCheck(env)) { return; } + + rv = (*ckpFunctions->C_FindObjectsInit)(ckSessionHandle, ckpAttributes, ckAttributesLength); + + freeCKAttributeArray(ckpAttributes, ckAttributesLength); + TRACE0("FINISHED\n"); + + if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_FINDOBJECTS +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_FindObjects + * Signature: (JJ)[J + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jlong jMaxObjectCount CK_ULONG ulMaxObjectCount + * @return jlongArray jObjectHandleArray CK_OBJECT_HANDLE_PTR phObject + * CK_ULONG_PTR pulObjectCount + */ +JNIEXPORT jlongArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1FindObjects + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jMaxObjectCount) +{ + CK_RV rv; + CK_SESSION_HANDLE ckSessionHandle; + CK_ULONG ckMaxObjectLength; + CK_OBJECT_HANDLE_PTR ckpObjectHandleArray; + CK_ULONG ckActualObjectCount; + jlongArray jObjectHandleArray = NULL; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckMaxObjectLength = jLongToCKULong(jMaxObjectCount); + ckpObjectHandleArray = (CK_OBJECT_HANDLE_PTR) malloc(sizeof(CK_OBJECT_HANDLE) * ckMaxObjectLength); + if (ckpObjectHandleArray == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_FindObjects)(ckSessionHandle, ckpObjectHandleArray, ckMaxObjectLength, &ckActualObjectCount); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jObjectHandleArray = ckULongArrayToJLongArray(env, ckpObjectHandleArray, ckActualObjectCount); + } + + free(ckpObjectHandleArray); + + return jObjectHandleArray ; +} +#endif + +#ifdef P11_ENABLE_C_FINDOBJECTSFINAL +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_FindObjectsFinal + * Signature: (J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1FindObjectsFinal + (JNIEnv *env, jobject obj, jlong jSessionHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + rv = (*ckpFunctions->C_FindObjectsFinal)(ckSessionHandle); + if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sessmgmt.c 2017-01-20 09:52:58.342288201 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,634 +0,0 @@ -/* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -/* The list of notify callback handles that are currently active and waiting - * for callbacks from their sessions. - */ -#ifndef NO_CALLBACKS -NotifyListNode *notifyListHead = NULL; -jobject notifyListLock = NULL; -#endif /* NO_CALLBACKS */ - -#ifdef P11_ENABLE_C_OPENSESSION -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_OpenSession - * Signature: (JJLjava/lang/Object;Lsun/security/pkcs11/wrapper/CK_NOTIFY;)J - * Parametermapping: *PKCS11* - * @param jlong jSlotID CK_SLOT_ID slotID - * @param jlong jFlags CK_FLAGS flags - * @param jobject jApplication CK_VOID_PTR pApplication - * @param jobject jNotify CK_NOTIFY Notify - * @return jlong jSessionHandle CK_SESSION_HANDLE_PTR phSession - */ -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1OpenSession - (JNIEnv *env, jobject obj, jlong jSlotID, jlong jFlags, jobject jApplication, jobject jNotify) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_SLOT_ID ckSlotID; - CK_FLAGS ckFlags; - CK_VOID_PTR ckpApplication; - CK_NOTIFY ckNotify; - jlong jSessionHandle; - CK_RV rv; -#ifndef NO_CALLBACKS - NotifyEncapsulation *notifyEncapsulation = NULL; -#endif /* NO_CALLBACKS */ - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0L; } - - ckSlotID = jLongToCKULong(jSlotID); - ckFlags = jLongToCKULong(jFlags); - -#ifndef NO_CALLBACKS - if (jNotify != NULL) { - notifyEncapsulation = (NotifyEncapsulation *) malloc(sizeof(NotifyEncapsulation)); - if (notifyEncapsulation == NULL) { - throwOutOfMemoryError(env, 0); - return 0L; - } - notifyEncapsulation->jApplicationData = (jApplication != NULL) - ? (*env)->NewGlobalRef(env, jApplication) - : NULL; - notifyEncapsulation->jNotifyObject = (*env)->NewGlobalRef(env, jNotify); - ckpApplication = notifyEncapsulation; - ckNotify = (CK_NOTIFY) ¬ifyCallback; - } else { - ckpApplication = NULL_PTR; - ckNotify = NULL_PTR; - } -#else - ckpApplication = NULL_PTR; - ckNotify = NULL_PTR; -#endif /* NO_CALLBACKS */ - - TRACE0("DEBUG: C_OpenSession"); - TRACE1(", slotID=%u", ckSlotID); - TRACE1(", flags=%x", ckFlags); - TRACE0(" ... "); - - rv = (*ckpFunctions->C_OpenSession)(ckSlotID, ckFlags, ckpApplication, ckNotify, &ckSessionHandle); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -#ifndef NO_CALLBACKS - if (notifyEncapsulation != NULL) { - if (notifyEncapsulation->jApplicationData != NULL) { - (*env)->DeleteGlobalRef(env, jApplication); - } - (*env)->DeleteGlobalRef(env, jNotify); - free(notifyEncapsulation); - } -#endif /* NO_CALLBACKS */ - return 0L; - } - - TRACE0("got session"); - TRACE1(", SessionHandle=%u", ckSessionHandle); - TRACE0(" ... "); - - jSessionHandle = ckULongToJLong(ckSessionHandle); - -#ifndef NO_CALLBACKS - if (notifyEncapsulation != NULL) { - /* store the notifyEncapsulation to enable later cleanup */ - putNotifyEntry(env, ckSessionHandle, notifyEncapsulation); - } -#endif /* NO_CALLBACKS */ - - TRACE0("FINISHED\n"); - - return jSessionHandle ; -} -#endif - -#ifdef P11_ENABLE_C_CLOSESESSION -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_CloseSession - * Signature: (J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseSession - (JNIEnv *env, jobject obj, jlong jSessionHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; -#ifndef NO_CALLBACKS - NotifyEncapsulation *notifyEncapsulation; - jobject jApplicationData; -#endif /* NO_CALLBACKS */ - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_CloseSession)(ckSessionHandle); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - -#ifndef NO_CALLBACKS - notifyEncapsulation = removeNotifyEntry(env, ckSessionHandle); - - if (notifyEncapsulation != NULL) { - /* there was a notify object used with this session, now dump the - * encapsulation object - */ - (*env)->DeleteGlobalRef(env, notifyEncapsulation->jNotifyObject); - jApplicationData = notifyEncapsulation->jApplicationData; - if (jApplicationData != NULL) { - (*env)->DeleteGlobalRef(env, jApplicationData); - } - free(notifyEncapsulation); - } -#endif /* NO_CALLBACKS */ - -} -#endif - -#ifdef P11_ENABLE_C_CLOSEALLSESSIONS -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_CloseAllSessions - * Signature: (J)V - * Parametermapping: *PKCS11* - * @param jlong jSlotID CK_SLOT_ID slotID - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseAllSessions - (JNIEnv *env, jobject obj, jlong jSlotID) -{ - CK_SLOT_ID ckSlotID; - CK_RV rv; -#ifndef NO_CALLBACKS - NotifyEncapsulation *notifyEncapsulation; - jobject jApplicationData; -#endif /* NO_CALLBACKS */ - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSlotID = jLongToCKULong(jSlotID); - - rv = (*ckpFunctions->C_CloseAllSessions)(ckSlotID); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - -#ifndef NO_CALLBACKS - /* Remove all notify callback helper objects. */ - while ((notifyEncapsulation = removeFirstNotifyEntry(env)) != NULL) { - /* there was a notify object used with this session, now dump the - * encapsulation object - */ - (*env)->DeleteGlobalRef(env, notifyEncapsulation->jNotifyObject); - jApplicationData = notifyEncapsulation->jApplicationData; - if (jApplicationData != NULL) { - (*env)->DeleteGlobalRef(env, jApplicationData); - } - free(notifyEncapsulation); - } -#endif /* NO_CALLBACKS */ -} -#endif - -#ifdef P11_ENABLE_C_GETSESSIONINFO -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetSessionInfo - * Signature: (J)Lsun/security/pkcs11/wrapper/CK_SESSION_INFO; - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @return jobject jSessionInfo CK_SESSION_INFO_PTR pInfo - */ -JNIEXPORT jobject JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSessionInfo - (JNIEnv *env, jobject obj, jlong jSessionHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_SESSION_INFO ckSessionInfo; - jobject jSessionInfo=NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_GetSessionInfo)(ckSessionHandle, &ckSessionInfo); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jSessionInfo = ckSessionInfoPtrToJSessionInfo(env, &ckSessionInfo); - } - return jSessionInfo ; -} -#endif - -#ifdef P11_ENABLE_C_GETOPERATIONSTATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_GetOperationState - * Signature: (J)[B - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @return jbyteArray jState CK_BYTE_PTR pOperationState - * CK_ULONG_PTR pulOperationStateLen - */ -JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState - (JNIEnv *env, jobject obj, jlong jSessionHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpState; - CK_ULONG ckStateLength; - jbyteArray jState = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_GetOperationState)(ckSessionHandle, NULL_PTR, &ckStateLength); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } - - ckpState = (CK_BYTE_PTR) malloc(ckStateLength); - if (ckpState == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - - rv = (*ckpFunctions->C_GetOperationState)(ckSessionHandle, ckpState, &ckStateLength); - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jState = ckByteArrayToJByteArray(env, ckpState, ckStateLength); - } - free(ckpState); - - return jState ; -} -#endif - -#ifdef P11_ENABLE_C_SETOPERATIONSTATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SetOperationState - * Signature: (J[BJJ)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jOperationState CK_BYTE_PTR pOperationState - * CK_ULONG ulOperationStateLen - * @param jlong jEncryptionKeyHandle CK_OBJECT_HANDLE hEncryptionKey - * @param jlong jAuthenticationKeyHandle CK_OBJECT_HANDLE hAuthenticationKey - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jOperationState, jlong jEncryptionKeyHandle, jlong jAuthenticationKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpState = NULL_PTR; - CK_ULONG ckStateLength; - CK_OBJECT_HANDLE ckEncryptionKeyHandle; - CK_OBJECT_HANDLE ckAuthenticationKeyHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jOperationState, &ckpState, &ckStateLength); - if ((*env)->ExceptionCheck(env)) { return; } - - ckEncryptionKeyHandle = jLongToCKULong(jEncryptionKeyHandle); - ckAuthenticationKeyHandle = jLongToCKULong(jAuthenticationKeyHandle); - - rv = (*ckpFunctions->C_SetOperationState)(ckSessionHandle, ckpState, ckStateLength, ckEncryptionKeyHandle, ckAuthenticationKeyHandle); - - free(ckpState); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_LOGIN -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Login - * Signature: (JJ[C)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jlong jUserType CK_USER_TYPE userType - * @param jcharArray jPin CK_CHAR_PTR pPin - * CK_ULONG ulPinLen - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1Login - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jUserType, jcharArray jPin) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_USER_TYPE ckUserType; - CK_CHAR_PTR ckpPinArray = NULL_PTR; - CK_ULONG ckPinLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckUserType = jLongToCKULong(jUserType); - jCharArrayToCKCharArray(env, jPin, &ckpPinArray, &ckPinLength); - if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_Login)(ckSessionHandle, ckUserType, ckpPinArray, ckPinLength); - - free(ckpPinArray); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_LOGOUT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Logout - * Signature: (J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1Logout - (JNIEnv *env, jobject obj, jlong jSessionHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_Logout)(ckSessionHandle); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -/* ************************************************************************** */ -/* Functions for keeping track of notify callbacks */ -/* ************************************************************************** */ - -#ifndef NO_CALLBACKS - -/* - * Add the given notify encapsulation object to the list of active notify - * objects. - * If notifyEncapsulation is NULL, this function does nothing. - */ -void putNotifyEntry(JNIEnv *env, CK_SESSION_HANDLE hSession, NotifyEncapsulation *notifyEncapsulation) { - NotifyListNode *currentNode, *newNode; - - if (notifyEncapsulation == NULL) { - return; - } - - newNode = (NotifyListNode *) malloc(sizeof(NotifyListNode)); - if (newNode == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - newNode->hSession = hSession; - newNode->notifyEncapsulation = notifyEncapsulation; - newNode->next = NULL; - - (*env)->MonitorEnter(env, notifyListLock); /* synchronize access to list */ - - if (notifyListHead == NULL) { - /* this is the first entry */ - notifyListHead = newNode; - } else { - /* go to the last entry; i.e. the first node which's 'next' is NULL. - */ - currentNode = notifyListHead; - while (currentNode->next != NULL) { - currentNode = currentNode->next; - } - currentNode->next = newNode; - } - - (*env)->MonitorExit(env, notifyListLock); /* synchronize access to list */ -} - -/* - * Removes the active notifyEncapsulation object used with the given session and - * returns it. If there is no notifyEncapsulation active for this session, this - * function returns NULL. - */ -NotifyEncapsulation * removeNotifyEntry(JNIEnv *env, CK_SESSION_HANDLE hSession) { - NotifyEncapsulation *notifyEncapsulation; - NotifyListNode *currentNode, *previousNode; - - (*env)->MonitorEnter(env, notifyListLock); /* synchronize access to list */ - - if (notifyListHead == NULL) { - /* this is the first entry */ - notifyEncapsulation = NULL; - } else { - /* Find the node with the wanted session handle. Also stop, when we reach - * the last entry; i.e. the first node which's 'next' is NULL. - */ - currentNode = notifyListHead; - previousNode = NULL; - - while ((currentNode->hSession != hSession) && (currentNode->next != NULL)) { - previousNode = currentNode; - currentNode = currentNode->next; - } - - if (currentNode->hSession == hSession) { - /* We found a entry for the wanted session, now remove it. */ - if (previousNode == NULL) { - /* it's the first node */ - notifyListHead = currentNode->next; - } else { - previousNode->next = currentNode->next; - } - notifyEncapsulation = currentNode->notifyEncapsulation; - free(currentNode); - } else { - /* We did not find a entry for this session */ - notifyEncapsulation = NULL; - } - } - - (*env)->MonitorExit(env, notifyListLock); /* synchronize access to list */ - - return notifyEncapsulation ; -} - -/* - - * Removes the first notifyEncapsulation object. If there is no notifyEncapsulation, - * this function returns NULL. - */ -NotifyEncapsulation * removeFirstNotifyEntry(JNIEnv *env) { - NotifyEncapsulation *notifyEncapsulation; - NotifyListNode *currentNode; - - (*env)->MonitorEnter(env, notifyListLock); /* synchronize access to list */ - - if (notifyListHead == NULL) { - /* this is the first entry */ - notifyEncapsulation = NULL; - } else { - /* Remove the first entry. */ - currentNode = notifyListHead; - notifyListHead = notifyListHead->next; - notifyEncapsulation = currentNode->notifyEncapsulation; - free(currentNode); - } - - (*env)->MonitorExit(env, notifyListLock); /* synchronize access to list */ - - return notifyEncapsulation ; -} - -#endif /* NO_CALLBACKS */ - -#ifndef NO_CALLBACKS - -/* - * The function handling notify callbacks. It casts the pApplication parameter - * back to a NotifyEncapsulation structure and retrieves the Notify object and - * the application data from it. - * - * @param hSession The session, this callback is comming from. - * @param event The type of event that occurred. - * @param pApplication The application data as passed in upon OpenSession. In - this wrapper we always pass in a NotifyEncapsulation - object, which holds necessary information for delegating - the callback to the Java VM. - * @return - */ -CK_RV notifyCallback( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_NOTIFICATION event, - CK_VOID_PTR pApplication /* passed to C_OpenSession */ -) -{ - NotifyEncapsulation *notifyEncapsulation; - extern JavaVM *jvm; - JNIEnv *env; - jint returnValue; - jlong jSessionHandle; - jlong jEvent; - jclass ckNotifyClass; - jmethodID jmethod; - jthrowable pkcs11Exception; - jclass pkcs11ExceptionClass; - jlong errorCode; - CK_RV rv = CKR_OK; - int wasAttached = 1; - - if (pApplication == NULL) { return rv ; } /* This should not occur in this wrapper. */ - - notifyEncapsulation = (NotifyEncapsulation *) pApplication; - - /* Get the currently running Java VM */ - if (jvm == NULL) { return rv ; } /* there is no VM running */ - - /* Determine, if current thread is already attached */ - returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); - if (returnValue == JNI_EDETACHED) { - /* thread detached, so attach it */ - wasAttached = 0; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else if (returnValue == JNI_EVERSION) { - /* this version of JNI is not supported, so just try to attach */ - /* we assume it was attached to ensure that this thread is not detached - * afterwards even though it should not - */ - wasAttached = 1; - returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); - } else { - /* attached */ - wasAttached = 1; - } - - jSessionHandle = ckULongToJLong(hSession); - jEvent = ckULongToJLong(event); - - ckNotifyClass = (*env)->FindClass(env, CLASS_NOTIFY); - if (ckNotifyClass == NULL) { return rv; } - jmethod = (*env)->GetMethodID(env, ckNotifyClass, "CK_NOTIFY", "(JJLjava/lang/Object;)V"); - if (jmethod == NULL) { return rv; } - - (*env)->CallVoidMethod(env, notifyEncapsulation->jNotifyObject, jmethod, - jSessionHandle, jEvent, notifyEncapsulation->jApplicationData); - - /* check, if callback threw an exception */ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { - /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); - if (pkcs11ExceptionClass == NULL) { return rv; } - - jmethod = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); - if (jmethod == NULL) { return rv; } - - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, jmethod); - rv = jLongToCKULong(errorCode); - } - - /* if we attached this thread to the VM just for callback, we detach it now */ - if (wasAttached) { - returnValue = (*jvm)->DetachCurrentThread(jvm); - } - - return rv ; -} - -#endif /* NO_CALLBACKS */ --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sessmgmt.c 2017-01-20 09:52:58.070288211 -0800 @@ -0,0 +1,634 @@ +/* + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +/* The list of notify callback handles that are currently active and waiting + * for callbacks from their sessions. + */ +#ifndef NO_CALLBACKS +NotifyListNode *notifyListHead = NULL; +jobject notifyListLock = NULL; +#endif /* NO_CALLBACKS */ + +#ifdef P11_ENABLE_C_OPENSESSION +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_OpenSession + * Signature: (JJLjava/lang/Object;Lsun/security/pkcs11/wrapper/CK_NOTIFY;)J + * Parametermapping: *PKCS11* + * @param jlong jSlotID CK_SLOT_ID slotID + * @param jlong jFlags CK_FLAGS flags + * @param jobject jApplication CK_VOID_PTR pApplication + * @param jobject jNotify CK_NOTIFY Notify + * @return jlong jSessionHandle CK_SESSION_HANDLE_PTR phSession + */ +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1OpenSession + (JNIEnv *env, jobject obj, jlong jSlotID, jlong jFlags, jobject jApplication, jobject jNotify) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_SLOT_ID ckSlotID; + CK_FLAGS ckFlags; + CK_VOID_PTR ckpApplication; + CK_NOTIFY ckNotify; + jlong jSessionHandle; + CK_RV rv; +#ifndef NO_CALLBACKS + NotifyEncapsulation *notifyEncapsulation = NULL; +#endif /* NO_CALLBACKS */ + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0L; } + + ckSlotID = jLongToCKULong(jSlotID); + ckFlags = jLongToCKULong(jFlags); + +#ifndef NO_CALLBACKS + if (jNotify != NULL) { + notifyEncapsulation = (NotifyEncapsulation *) malloc(sizeof(NotifyEncapsulation)); + if (notifyEncapsulation == NULL) { + throwOutOfMemoryError(env, 0); + return 0L; + } + notifyEncapsulation->jApplicationData = (jApplication != NULL) + ? (*env)->NewGlobalRef(env, jApplication) + : NULL; + notifyEncapsulation->jNotifyObject = (*env)->NewGlobalRef(env, jNotify); + ckpApplication = notifyEncapsulation; + ckNotify = (CK_NOTIFY) ¬ifyCallback; + } else { + ckpApplication = NULL_PTR; + ckNotify = NULL_PTR; + } +#else + ckpApplication = NULL_PTR; + ckNotify = NULL_PTR; +#endif /* NO_CALLBACKS */ + + TRACE0("DEBUG: C_OpenSession"); + TRACE1(", slotID=%u", ckSlotID); + TRACE1(", flags=%x", ckFlags); + TRACE0(" ... "); + + rv = (*ckpFunctions->C_OpenSession)(ckSlotID, ckFlags, ckpApplication, ckNotify, &ckSessionHandle); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { +#ifndef NO_CALLBACKS + if (notifyEncapsulation != NULL) { + if (notifyEncapsulation->jApplicationData != NULL) { + (*env)->DeleteGlobalRef(env, jApplication); + } + (*env)->DeleteGlobalRef(env, jNotify); + free(notifyEncapsulation); + } +#endif /* NO_CALLBACKS */ + return 0L; + } + + TRACE0("got session"); + TRACE1(", SessionHandle=%u", ckSessionHandle); + TRACE0(" ... "); + + jSessionHandle = ckULongToJLong(ckSessionHandle); + +#ifndef NO_CALLBACKS + if (notifyEncapsulation != NULL) { + /* store the notifyEncapsulation to enable later cleanup */ + putNotifyEntry(env, ckSessionHandle, notifyEncapsulation); + } +#endif /* NO_CALLBACKS */ + + TRACE0("FINISHED\n"); + + return jSessionHandle ; +} +#endif + +#ifdef P11_ENABLE_C_CLOSESESSION +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_CloseSession + * Signature: (J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseSession + (JNIEnv *env, jobject obj, jlong jSessionHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; +#ifndef NO_CALLBACKS + NotifyEncapsulation *notifyEncapsulation; + jobject jApplicationData; +#endif /* NO_CALLBACKS */ + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + rv = (*ckpFunctions->C_CloseSession)(ckSessionHandle); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } + +#ifndef NO_CALLBACKS + notifyEncapsulation = removeNotifyEntry(env, ckSessionHandle); + + if (notifyEncapsulation != NULL) { + /* there was a notify object used with this session, now dump the + * encapsulation object + */ + (*env)->DeleteGlobalRef(env, notifyEncapsulation->jNotifyObject); + jApplicationData = notifyEncapsulation->jApplicationData; + if (jApplicationData != NULL) { + (*env)->DeleteGlobalRef(env, jApplicationData); + } + free(notifyEncapsulation); + } +#endif /* NO_CALLBACKS */ + +} +#endif + +#ifdef P11_ENABLE_C_CLOSEALLSESSIONS +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_CloseAllSessions + * Signature: (J)V + * Parametermapping: *PKCS11* + * @param jlong jSlotID CK_SLOT_ID slotID + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseAllSessions + (JNIEnv *env, jobject obj, jlong jSlotID) +{ + CK_SLOT_ID ckSlotID; + CK_RV rv; +#ifndef NO_CALLBACKS + NotifyEncapsulation *notifyEncapsulation; + jobject jApplicationData; +#endif /* NO_CALLBACKS */ + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSlotID = jLongToCKULong(jSlotID); + + rv = (*ckpFunctions->C_CloseAllSessions)(ckSlotID); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } + +#ifndef NO_CALLBACKS + /* Remove all notify callback helper objects. */ + while ((notifyEncapsulation = removeFirstNotifyEntry(env)) != NULL) { + /* there was a notify object used with this session, now dump the + * encapsulation object + */ + (*env)->DeleteGlobalRef(env, notifyEncapsulation->jNotifyObject); + jApplicationData = notifyEncapsulation->jApplicationData; + if (jApplicationData != NULL) { + (*env)->DeleteGlobalRef(env, jApplicationData); + } + free(notifyEncapsulation); + } +#endif /* NO_CALLBACKS */ +} +#endif + +#ifdef P11_ENABLE_C_GETSESSIONINFO +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetSessionInfo + * Signature: (J)Lsun/security/pkcs11/wrapper/CK_SESSION_INFO; + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @return jobject jSessionInfo CK_SESSION_INFO_PTR pInfo + */ +JNIEXPORT jobject JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSessionInfo + (JNIEnv *env, jobject obj, jlong jSessionHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_SESSION_INFO ckSessionInfo; + jobject jSessionInfo=NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + rv = (*ckpFunctions->C_GetSessionInfo)(ckSessionHandle, &ckSessionInfo); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jSessionInfo = ckSessionInfoPtrToJSessionInfo(env, &ckSessionInfo); + } + return jSessionInfo ; +} +#endif + +#ifdef P11_ENABLE_C_GETOPERATIONSTATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_GetOperationState + * Signature: (J)[B + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @return jbyteArray jState CK_BYTE_PTR pOperationState + * CK_ULONG_PTR pulOperationStateLen + */ +JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState + (JNIEnv *env, jobject obj, jlong jSessionHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpState; + CK_ULONG ckStateLength; + jbyteArray jState = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + rv = (*ckpFunctions->C_GetOperationState)(ckSessionHandle, NULL_PTR, &ckStateLength); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } + + ckpState = (CK_BYTE_PTR) malloc(ckStateLength); + if (ckpState == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + + rv = (*ckpFunctions->C_GetOperationState)(ckSessionHandle, ckpState, &ckStateLength); + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jState = ckByteArrayToJByteArray(env, ckpState, ckStateLength); + } + free(ckpState); + + return jState ; +} +#endif + +#ifdef P11_ENABLE_C_SETOPERATIONSTATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SetOperationState + * Signature: (J[BJJ)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jOperationState CK_BYTE_PTR pOperationState + * CK_ULONG ulOperationStateLen + * @param jlong jEncryptionKeyHandle CK_OBJECT_HANDLE hEncryptionKey + * @param jlong jAuthenticationKeyHandle CK_OBJECT_HANDLE hAuthenticationKey + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jOperationState, jlong jEncryptionKeyHandle, jlong jAuthenticationKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpState = NULL_PTR; + CK_ULONG ckStateLength; + CK_OBJECT_HANDLE ckEncryptionKeyHandle; + CK_OBJECT_HANDLE ckAuthenticationKeyHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jOperationState, &ckpState, &ckStateLength); + if ((*env)->ExceptionCheck(env)) { return; } + + ckEncryptionKeyHandle = jLongToCKULong(jEncryptionKeyHandle); + ckAuthenticationKeyHandle = jLongToCKULong(jAuthenticationKeyHandle); + + rv = (*ckpFunctions->C_SetOperationState)(ckSessionHandle, ckpState, ckStateLength, ckEncryptionKeyHandle, ckAuthenticationKeyHandle); + + free(ckpState); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_LOGIN +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Login + * Signature: (JJ[C)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jlong jUserType CK_USER_TYPE userType + * @param jcharArray jPin CK_CHAR_PTR pPin + * CK_ULONG ulPinLen + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1Login + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jUserType, jcharArray jPin) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_USER_TYPE ckUserType; + CK_CHAR_PTR ckpPinArray = NULL_PTR; + CK_ULONG ckPinLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + ckUserType = jLongToCKULong(jUserType); + jCharArrayToCKCharArray(env, jPin, &ckpPinArray, &ckPinLength); + if ((*env)->ExceptionCheck(env)) { return; } + + rv = (*ckpFunctions->C_Login)(ckSessionHandle, ckUserType, ckpPinArray, ckPinLength); + + free(ckpPinArray); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_LOGOUT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Logout + * Signature: (J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1Logout + (JNIEnv *env, jobject obj, jlong jSessionHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + rv = (*ckpFunctions->C_Logout)(ckSessionHandle); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +/* ************************************************************************** */ +/* Functions for keeping track of notify callbacks */ +/* ************************************************************************** */ + +#ifndef NO_CALLBACKS + +/* + * Add the given notify encapsulation object to the list of active notify + * objects. + * If notifyEncapsulation is NULL, this function does nothing. + */ +void putNotifyEntry(JNIEnv *env, CK_SESSION_HANDLE hSession, NotifyEncapsulation *notifyEncapsulation) { + NotifyListNode *currentNode, *newNode; + + if (notifyEncapsulation == NULL) { + return; + } + + newNode = (NotifyListNode *) malloc(sizeof(NotifyListNode)); + if (newNode == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + newNode->hSession = hSession; + newNode->notifyEncapsulation = notifyEncapsulation; + newNode->next = NULL; + + (*env)->MonitorEnter(env, notifyListLock); /* synchronize access to list */ + + if (notifyListHead == NULL) { + /* this is the first entry */ + notifyListHead = newNode; + } else { + /* go to the last entry; i.e. the first node which's 'next' is NULL. + */ + currentNode = notifyListHead; + while (currentNode->next != NULL) { + currentNode = currentNode->next; + } + currentNode->next = newNode; + } + + (*env)->MonitorExit(env, notifyListLock); /* synchronize access to list */ +} + +/* + * Removes the active notifyEncapsulation object used with the given session and + * returns it. If there is no notifyEncapsulation active for this session, this + * function returns NULL. + */ +NotifyEncapsulation * removeNotifyEntry(JNIEnv *env, CK_SESSION_HANDLE hSession) { + NotifyEncapsulation *notifyEncapsulation; + NotifyListNode *currentNode, *previousNode; + + (*env)->MonitorEnter(env, notifyListLock); /* synchronize access to list */ + + if (notifyListHead == NULL) { + /* this is the first entry */ + notifyEncapsulation = NULL; + } else { + /* Find the node with the wanted session handle. Also stop, when we reach + * the last entry; i.e. the first node which's 'next' is NULL. + */ + currentNode = notifyListHead; + previousNode = NULL; + + while ((currentNode->hSession != hSession) && (currentNode->next != NULL)) { + previousNode = currentNode; + currentNode = currentNode->next; + } + + if (currentNode->hSession == hSession) { + /* We found a entry for the wanted session, now remove it. */ + if (previousNode == NULL) { + /* it's the first node */ + notifyListHead = currentNode->next; + } else { + previousNode->next = currentNode->next; + } + notifyEncapsulation = currentNode->notifyEncapsulation; + free(currentNode); + } else { + /* We did not find a entry for this session */ + notifyEncapsulation = NULL; + } + } + + (*env)->MonitorExit(env, notifyListLock); /* synchronize access to list */ + + return notifyEncapsulation ; +} + +/* + + * Removes the first notifyEncapsulation object. If there is no notifyEncapsulation, + * this function returns NULL. + */ +NotifyEncapsulation * removeFirstNotifyEntry(JNIEnv *env) { + NotifyEncapsulation *notifyEncapsulation; + NotifyListNode *currentNode; + + (*env)->MonitorEnter(env, notifyListLock); /* synchronize access to list */ + + if (notifyListHead == NULL) { + /* this is the first entry */ + notifyEncapsulation = NULL; + } else { + /* Remove the first entry. */ + currentNode = notifyListHead; + notifyListHead = notifyListHead->next; + notifyEncapsulation = currentNode->notifyEncapsulation; + free(currentNode); + } + + (*env)->MonitorExit(env, notifyListLock); /* synchronize access to list */ + + return notifyEncapsulation ; +} + +#endif /* NO_CALLBACKS */ + +#ifndef NO_CALLBACKS + +/* + * The function handling notify callbacks. It casts the pApplication parameter + * back to a NotifyEncapsulation structure and retrieves the Notify object and + * the application data from it. + * + * @param hSession The session, this callback is comming from. + * @param event The type of event that occurred. + * @param pApplication The application data as passed in upon OpenSession. In + this wrapper we always pass in a NotifyEncapsulation + object, which holds necessary information for delegating + the callback to the Java VM. + * @return + */ +CK_RV notifyCallback( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_NOTIFICATION event, + CK_VOID_PTR pApplication /* passed to C_OpenSession */ +) +{ + NotifyEncapsulation *notifyEncapsulation; + extern JavaVM *jvm; + JNIEnv *env; + jint returnValue; + jlong jSessionHandle; + jlong jEvent; + jclass ckNotifyClass; + jmethodID jmethod; + jthrowable pkcs11Exception; + jclass pkcs11ExceptionClass; + jlong errorCode; + CK_RV rv = CKR_OK; + int wasAttached = 1; + + if (pApplication == NULL) { return rv ; } /* This should not occur in this wrapper. */ + + notifyEncapsulation = (NotifyEncapsulation *) pApplication; + + /* Get the currently running Java VM */ + if (jvm == NULL) { return rv ; } /* there is no VM running */ + + /* Determine, if current thread is already attached */ + returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2); + if (returnValue == JNI_EDETACHED) { + /* thread detached, so attach it */ + wasAttached = 0; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else if (returnValue == JNI_EVERSION) { + /* this version of JNI is not supported, so just try to attach */ + /* we assume it was attached to ensure that this thread is not detached + * afterwards even though it should not + */ + wasAttached = 1; + returnValue = (*jvm)->AttachCurrentThread(jvm, (void **) &env, NULL); + } else { + /* attached */ + wasAttached = 1; + } + + jSessionHandle = ckULongToJLong(hSession); + jEvent = ckULongToJLong(event); + + ckNotifyClass = (*env)->FindClass(env, CLASS_NOTIFY); + if (ckNotifyClass == NULL) { return rv; } + jmethod = (*env)->GetMethodID(env, ckNotifyClass, "CK_NOTIFY", "(JJLjava/lang/Object;)V"); + if (jmethod == NULL) { return rv; } + + (*env)->CallVoidMethod(env, notifyEncapsulation->jNotifyObject, jmethod, + jSessionHandle, jEvent, notifyEncapsulation->jApplicationData); + + /* check, if callback threw an exception */ + pkcs11Exception = (*env)->ExceptionOccurred(env); + + if (pkcs11Exception != NULL) { + /* TBD: clear the pending exception with ExceptionClear? */ + /* The was an exception thrown, now we get the error-code from it */ + pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); + if (pkcs11ExceptionClass == NULL) { return rv; } + + jmethod = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); + if (jmethod == NULL) { return rv; } + + errorCode = (*env)->CallLongMethod(env, pkcs11Exception, jmethod); + rv = jLongToCKULong(errorCode); + } + + /* if we attached this thread to the VM just for callback, we detach it now */ + if (wasAttached) { + returnValue = (*jvm)->DetachCurrentThread(jvm); + } + + return rv ; +} + +#endif /* NO_CALLBACKS */ --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sign.c 2017-01-20 09:52:58.686288188 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,674 +0,0 @@ -/* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include -#include "jlong.h" - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -#ifdef P11_ENABLE_C_SIGNINIT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SignInit - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @return jlong jKeyHandle CK_OBJECT_HANDLE hKey - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignInit - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckKeyHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return; } - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_SignInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_SIGN -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Sign - * Signature: (J[B)[B - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jData CK_BYTE_PTR pData - * CK_ULONG ulDataLen - * @return jbyteArray jSignature CK_BYTE_PTR pSignature - * CK_ULONG_PTR pulSignatureLen - */ -JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1Sign - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jData) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpData = NULL_PTR; - CK_BYTE_PTR ckpSignature; - CK_ULONG ckDataLength; - CK_ULONG ckSignatureLength = 0; - jbyteArray jSignature = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength); - if ((*env)->ExceptionCheck(env)) { return NULL; } - - /* START standard code */ - - /* first determine the length of the signature */ - rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, NULL_PTR, &ckSignatureLength); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - free(ckpData); - return NULL; - } - - ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE)); - if (ckpSignature == NULL) { - free(ckpData); - throwOutOfMemoryError(env, 0); - return NULL; - } - - /* now get the signature */ - rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); - /* END standard code */ - - - /* START workaround code for operation abort bug in pkcs#11 of Datakey and iButton */ -/* - ckpSignature = (CK_BYTE_PTR) malloc(256 * sizeof(CK_BYTE)); - if (ckpSignature == NULL) { - free(ckpData); - throwOutOfMemoryError(env, 0); - return NULL; - } - rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); - - if (rv == CKR_BUFFER_TOO_SMALL) { - free(ckpSignature); - ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE)); - if (ckpSignature == NULL) { - free(ckpData); - throwOutOfMemoryError(env, 0); - return NULL; - } - rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); - } - */ - /* END workaround code */ - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jSignature = ckByteArrayToJByteArray(env, ckpSignature, ckSignatureLength); - } - free(ckpData); - free(ckpSignature); - - return jSignature ; -} -#endif - -#ifdef P11_ENABLE_C_SIGNUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SignUpdate - * Signature: (J[BII)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jPart CK_BYTE_PTR pPart - * CK_ULONG ulPartLen - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignUpdate - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE_PTR bufP; - CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; - jsize bufLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (directIn != 0) { - rv = (*ckpFunctions->C_SignUpdate)(ckSessionHandle, (CK_BYTE_PTR) jlong_to_ptr(directIn), jInLen); - ckAssertReturnValueOK(env, rv); - return; - } - - if (jInLen <= MAX_STACK_BUFFER_LEN) { - bufLen = MAX_STACK_BUFFER_LEN; - bufP = BUF; - } else { - bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); - bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); - if (bufP == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - } - - while (jInLen > 0) { - jsize chunkLen = min(bufLen, jInLen); - (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); - if ((*env)->ExceptionCheck(env)) { - if (bufP != BUF) { free(bufP); } - return; - } - rv = (*ckpFunctions->C_SignUpdate)(ckSessionHandle, bufP, chunkLen); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - if (bufP != BUF) { - free(bufP); - } - return; - } - jInOfs += chunkLen; - jInLen -= chunkLen; - } - - if (bufP != BUF) { free(bufP); } -} -#endif - -#ifdef P11_ENABLE_C_SIGNFINAL -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SignFinal - * Signature: (J)[B - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @return jbyteArray jSignature CK_BYTE_PTR pSignature - * CK_ULONG_PTR pulSignatureLen - */ -JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignFinal - (JNIEnv *env, jobject obj, jlong jSessionHandle, jint jExpectedLength) -{ - CK_SESSION_HANDLE ckSessionHandle; - jbyteArray jSignature = NULL; - CK_RV rv; - CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; - CK_BYTE_PTR bufP = BUF; - CK_ULONG ckSignatureLength = MAX_STACK_BUFFER_LEN; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return NULL; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if ((jExpectedLength > 0) && ((CK_ULONG)jExpectedLength < ckSignatureLength)) { - ckSignatureLength = jExpectedLength; - } - - rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength); - if (rv == CKR_BUFFER_TOO_SMALL) { - bufP = (CK_BYTE_PTR) malloc(ckSignatureLength); - if (bufP == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength); - } - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jSignature = ckByteArrayToJByteArray(env, bufP, ckSignatureLength); - } - - if (bufP != BUF) { free(bufP); } - - return jSignature; -} -#endif - -#ifdef P11_ENABLE_C_SIGNRECOVERINIT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SignRecoverInit - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @return jlong jKeyHandle CK_OBJECT_HANDLE hKey - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignRecoverInit - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckKeyHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return; } - - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_SignRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_SIGNRECOVER -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_SignRecover - * Signature: (J[BII[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jData CK_BYTE_PTR pData - * CK_ULONG ulDataLen - * @return jbyteArray jSignature CK_BYTE_PTR pSignature - * CK_ULONG_PTR pulSignatureLen - */ -JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignRecover - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jIn, jint jInOfs, jint jInLen, jbyteArray jOut, jint jOutOfs, jint jOutLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE INBUF[MAX_STACK_BUFFER_LEN]; - CK_BYTE OUTBUF[MAX_STACK_BUFFER_LEN]; - CK_BYTE_PTR inBufP; - CK_BYTE_PTR outBufP = OUTBUF; - CK_ULONG ckSignatureLength = MAX_STACK_BUFFER_LEN; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (jInLen <= MAX_STACK_BUFFER_LEN) { - inBufP = INBUF; - } else { - inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen); - if (inBufP == NULL) { - throwOutOfMemoryError(env, 0); - return 0; - } - } - - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); - if ((*env)->ExceptionCheck(env)) { - if (inBufP != INBUF) { free(inBufP); } - return 0; - } - rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength); - /* re-alloc larger buffer if it fits into our Java buffer */ - if ((rv == CKR_BUFFER_TOO_SMALL) && (ckSignatureLength <= jIntToCKULong(jOutLen))) { - outBufP = (CK_BYTE_PTR) malloc(ckSignatureLength); - if (outBufP == NULL) { - if (inBufP != INBUF) { - free(inBufP); - } - throwOutOfMemoryError(env, 0); - return 0; - } - rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength); - } - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckSignatureLength, (jbyte *)outBufP); - } - - if (inBufP != INBUF) { free(inBufP); } - if (outBufP != OUTBUF) { free(outBufP); } - - return ckSignatureLength; -} -#endif - -#ifdef P11_ENABLE_C_VERIFYINIT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_VerifyInit - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @return jlong jKeyHandle CK_OBJECT_HANDLE hKey - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyInit - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckKeyHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return; } - - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_VerifyInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); - - if(ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_VERIFY -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_Verify - * Signature: (J[B[B)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jData CK_BYTE_PTR pData - * CK_ULONG ulDataLen - * @param jbyteArray jSignature CK_BYTE_PTR pSignature - * CK_ULONG_PTR pulSignatureLen - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1Verify - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jData, jbyteArray jSignature) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpData = NULL_PTR; - CK_BYTE_PTR ckpSignature = NULL_PTR; - CK_ULONG ckDataLength; - CK_ULONG ckSignatureLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength); - if ((*env)->ExceptionCheck(env)) { return; } - - jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength); - if ((*env)->ExceptionCheck(env)) { - free(ckpData); - return; - } - - /* verify the signature */ - rv = (*ckpFunctions->C_Verify)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, ckSignatureLength); - - free(ckpData); - free(ckpSignature); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_VERIFYUPDATE -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_VerifyUpdate - * Signature: (J[BII)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jPart CK_BYTE_PTR pPart - * CK_ULONG ulPartLen - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyUpdate - (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE_PTR bufP; - CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; - jsize bufLen; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (directIn != 0) { - rv = (*ckpFunctions->C_VerifyUpdate)(ckSessionHandle, (CK_BYTE_PTR)jlong_to_ptr(directIn), jInLen); - ckAssertReturnValueOK(env, rv); - return; - } - - if (jInLen <= MAX_STACK_BUFFER_LEN) { - bufLen = MAX_STACK_BUFFER_LEN; - bufP = BUF; - } else { - bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); - bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); - if (bufP == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - } - - while (jInLen > 0) { - jsize chunkLen = min(bufLen, jInLen); - (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); - if ((*env)->ExceptionCheck(env)) { - if (bufP != BUF) { free(bufP); } - return; - } - - rv = (*ckpFunctions->C_VerifyUpdate)(ckSessionHandle, bufP, chunkLen); - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - if (bufP != BUF) { free(bufP); } - return; - } - jInOfs += chunkLen; - jInLen -= chunkLen; - } - - if (bufP != BUF) { free(bufP); } -} -#endif - -#ifdef P11_ENABLE_C_VERIFYFINAL -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_VerifyFinal - * Signature: (J[B)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jSignature CK_BYTE_PTR pSignature - * CK_ULONG ulSignatureLen - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyFinal - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jSignature) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpSignature = NULL_PTR; - CK_ULONG ckSignatureLength; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength); - if ((*env)->ExceptionCheck(env)) { return; } - - /* verify the signature */ - rv = (*ckpFunctions->C_VerifyFinal)(ckSessionHandle, ckpSignature, ckSignatureLength); - - free(ckpSignature); - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_VERIFYRECOVERINIT -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_VerifyRecoverInit - * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jobject jMechanism CK_MECHANISM_PTR pMechanism - * @return jlong jKeyHandle CK_OBJECT_HANDLE hKey - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyRecoverInit - (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckKeyHandle; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); - if ((*env)->ExceptionCheck(env)) { return; } - - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_VerifyRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); - - if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} -#endif - -#ifdef P11_ENABLE_C_VERIFYRECOVER -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: C_VerifyRecover - * Signature: (J[BII[BII)I - * Parametermapping: *PKCS11* - * @param jlong jSessionHandle CK_SESSION_HANDLE hSession - * @param jbyteArray jSignature CK_BYTE_PTR pSignature - * CK_ULONG ulSignatureLen - * @return jbyteArray jData CK_BYTE_PTR pData - * CK_ULONG_PTR pulDataLen - */ -JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyRecover - (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jIn, jint jInOfs, jint jInLen, jbyteArray jOut, jint jOutOfs, jint jOutLen) -{ - CK_SESSION_HANDLE ckSessionHandle; - CK_RV rv; - CK_BYTE INBUF[MAX_STACK_BUFFER_LEN]; - CK_BYTE OUTBUF[MAX_STACK_BUFFER_LEN]; - CK_BYTE_PTR inBufP; - CK_BYTE_PTR outBufP = OUTBUF; - CK_ULONG ckDataLength = MAX_STACK_BUFFER_LEN; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); - if (ckpFunctions == NULL) { return 0; } - - ckSessionHandle = jLongToCKULong(jSessionHandle); - - if (jInLen <= MAX_STACK_BUFFER_LEN) { - inBufP = INBUF; - } else { - inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen); - if (inBufP == NULL) { - throwOutOfMemoryError(env, 0); - return 0; - } - } - - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); - if ((*env)->ExceptionCheck(env)) { - if (inBufP != INBUF) { free(inBufP); } - return 0; - } - - rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength); - - /* re-alloc larger buffer if it fits into our Java buffer */ - if ((rv == CKR_BUFFER_TOO_SMALL) && (ckDataLength <= jIntToCKULong(jOutLen))) { - outBufP = (CK_BYTE_PTR) malloc(ckDataLength); - if (outBufP == NULL) { - if (inBufP != INBUF) { free(inBufP); } - throwOutOfMemoryError(env, 0); - return 0; - } - rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength); - } - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckDataLength, (jbyte *)outBufP); - } - - if (inBufP != INBUF) { free(inBufP); } - if (outBufP != OUTBUF) { free(outBufP); } - - return ckDataLength; -} -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sign.c 2017-01-20 09:52:58.466288196 -0800 @@ -0,0 +1,674 @@ +/* + * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include +#include "jlong.h" + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +#ifdef P11_ENABLE_C_SIGNINIT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SignInit + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @return jlong jKeyHandle CK_OBJECT_HANDLE hKey + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignInit + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckKeyHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return; } + ckKeyHandle = jLongToCKULong(jKeyHandle); + + rv = (*ckpFunctions->C_SignInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_SIGN +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Sign + * Signature: (J[B)[B + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jData CK_BYTE_PTR pData + * CK_ULONG ulDataLen + * @return jbyteArray jSignature CK_BYTE_PTR pSignature + * CK_ULONG_PTR pulSignatureLen + */ +JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1Sign + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jData) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpData = NULL_PTR; + CK_BYTE_PTR ckpSignature; + CK_ULONG ckDataLength; + CK_ULONG ckSignatureLength = 0; + jbyteArray jSignature = NULL; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength); + if ((*env)->ExceptionCheck(env)) { return NULL; } + + /* START standard code */ + + /* first determine the length of the signature */ + rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, NULL_PTR, &ckSignatureLength); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + free(ckpData); + return NULL; + } + + ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE)); + if (ckpSignature == NULL) { + free(ckpData); + throwOutOfMemoryError(env, 0); + return NULL; + } + + /* now get the signature */ + rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); + /* END standard code */ + + + /* START workaround code for operation abort bug in pkcs#11 of Datakey and iButton */ +/* + ckpSignature = (CK_BYTE_PTR) malloc(256 * sizeof(CK_BYTE)); + if (ckpSignature == NULL) { + free(ckpData); + throwOutOfMemoryError(env, 0); + return NULL; + } + rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); + + if (rv == CKR_BUFFER_TOO_SMALL) { + free(ckpSignature); + ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE)); + if (ckpSignature == NULL) { + free(ckpData); + throwOutOfMemoryError(env, 0); + return NULL; + } + rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); + } + */ + /* END workaround code */ + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jSignature = ckByteArrayToJByteArray(env, ckpSignature, ckSignatureLength); + } + free(ckpData); + free(ckpSignature); + + return jSignature ; +} +#endif + +#ifdef P11_ENABLE_C_SIGNUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SignUpdate + * Signature: (J[BII)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jPart CK_BYTE_PTR pPart + * CK_ULONG ulPartLen + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignUpdate + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE_PTR bufP; + CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; + jsize bufLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (directIn != 0) { + rv = (*ckpFunctions->C_SignUpdate)(ckSessionHandle, (CK_BYTE_PTR) jlong_to_ptr(directIn), jInLen); + ckAssertReturnValueOK(env, rv); + return; + } + + if (jInLen <= MAX_STACK_BUFFER_LEN) { + bufLen = MAX_STACK_BUFFER_LEN; + bufP = BUF; + } else { + bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); + bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); + if (bufP == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + } + + while (jInLen > 0) { + jsize chunkLen = min(bufLen, jInLen); + (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); + if ((*env)->ExceptionCheck(env)) { + if (bufP != BUF) { free(bufP); } + return; + } + rv = (*ckpFunctions->C_SignUpdate)(ckSessionHandle, bufP, chunkLen); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + if (bufP != BUF) { + free(bufP); + } + return; + } + jInOfs += chunkLen; + jInLen -= chunkLen; + } + + if (bufP != BUF) { free(bufP); } +} +#endif + +#ifdef P11_ENABLE_C_SIGNFINAL +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SignFinal + * Signature: (J)[B + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @return jbyteArray jSignature CK_BYTE_PTR pSignature + * CK_ULONG_PTR pulSignatureLen + */ +JNIEXPORT jbyteArray JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignFinal + (JNIEnv *env, jobject obj, jlong jSessionHandle, jint jExpectedLength) +{ + CK_SESSION_HANDLE ckSessionHandle; + jbyteArray jSignature = NULL; + CK_RV rv; + CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; + CK_BYTE_PTR bufP = BUF; + CK_ULONG ckSignatureLength = MAX_STACK_BUFFER_LEN; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return NULL; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if ((jExpectedLength > 0) && ((CK_ULONG)jExpectedLength < ckSignatureLength)) { + ckSignatureLength = jExpectedLength; + } + + rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength); + if (rv == CKR_BUFFER_TOO_SMALL) { + bufP = (CK_BYTE_PTR) malloc(ckSignatureLength); + if (bufP == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength); + } + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + jSignature = ckByteArrayToJByteArray(env, bufP, ckSignatureLength); + } + + if (bufP != BUF) { free(bufP); } + + return jSignature; +} +#endif + +#ifdef P11_ENABLE_C_SIGNRECOVERINIT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SignRecoverInit + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @return jlong jKeyHandle CK_OBJECT_HANDLE hKey + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignRecoverInit + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckKeyHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return; } + + ckKeyHandle = jLongToCKULong(jKeyHandle); + + rv = (*ckpFunctions->C_SignRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + + if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_SIGNRECOVER +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_SignRecover + * Signature: (J[BII[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jData CK_BYTE_PTR pData + * CK_ULONG ulDataLen + * @return jbyteArray jSignature CK_BYTE_PTR pSignature + * CK_ULONG_PTR pulSignatureLen + */ +JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignRecover + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jIn, jint jInOfs, jint jInLen, jbyteArray jOut, jint jOutOfs, jint jOutLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE INBUF[MAX_STACK_BUFFER_LEN]; + CK_BYTE OUTBUF[MAX_STACK_BUFFER_LEN]; + CK_BYTE_PTR inBufP; + CK_BYTE_PTR outBufP = OUTBUF; + CK_ULONG ckSignatureLength = MAX_STACK_BUFFER_LEN; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (jInLen <= MAX_STACK_BUFFER_LEN) { + inBufP = INBUF; + } else { + inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen); + if (inBufP == NULL) { + throwOutOfMemoryError(env, 0); + return 0; + } + } + + (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); + if ((*env)->ExceptionCheck(env)) { + if (inBufP != INBUF) { free(inBufP); } + return 0; + } + rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength); + /* re-alloc larger buffer if it fits into our Java buffer */ + if ((rv == CKR_BUFFER_TOO_SMALL) && (ckSignatureLength <= jIntToCKULong(jOutLen))) { + outBufP = (CK_BYTE_PTR) malloc(ckSignatureLength); + if (outBufP == NULL) { + if (inBufP != INBUF) { + free(inBufP); + } + throwOutOfMemoryError(env, 0); + return 0; + } + rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength); + } + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckSignatureLength, (jbyte *)outBufP); + } + + if (inBufP != INBUF) { free(inBufP); } + if (outBufP != OUTBUF) { free(outBufP); } + + return ckSignatureLength; +} +#endif + +#ifdef P11_ENABLE_C_VERIFYINIT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_VerifyInit + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @return jlong jKeyHandle CK_OBJECT_HANDLE hKey + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyInit + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckKeyHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return; } + + ckKeyHandle = jLongToCKULong(jKeyHandle); + + rv = (*ckpFunctions->C_VerifyInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); + + if(ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_VERIFY +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_Verify + * Signature: (J[B[B)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jData CK_BYTE_PTR pData + * CK_ULONG ulDataLen + * @param jbyteArray jSignature CK_BYTE_PTR pSignature + * CK_ULONG_PTR pulSignatureLen + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1Verify + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jData, jbyteArray jSignature) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpData = NULL_PTR; + CK_BYTE_PTR ckpSignature = NULL_PTR; + CK_ULONG ckDataLength; + CK_ULONG ckSignatureLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength); + if ((*env)->ExceptionCheck(env)) { return; } + + jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength); + if ((*env)->ExceptionCheck(env)) { + free(ckpData); + return; + } + + /* verify the signature */ + rv = (*ckpFunctions->C_Verify)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, ckSignatureLength); + + free(ckpData); + free(ckpSignature); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_VERIFYUPDATE +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_VerifyUpdate + * Signature: (J[BII)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jPart CK_BYTE_PTR pPart + * CK_ULONG ulPartLen + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyUpdate + (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE_PTR bufP; + CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; + jsize bufLen; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (directIn != 0) { + rv = (*ckpFunctions->C_VerifyUpdate)(ckSessionHandle, (CK_BYTE_PTR)jlong_to_ptr(directIn), jInLen); + ckAssertReturnValueOK(env, rv); + return; + } + + if (jInLen <= MAX_STACK_BUFFER_LEN) { + bufLen = MAX_STACK_BUFFER_LEN; + bufP = BUF; + } else { + bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); + bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); + if (bufP == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + } + + while (jInLen > 0) { + jsize chunkLen = min(bufLen, jInLen); + (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); + if ((*env)->ExceptionCheck(env)) { + if (bufP != BUF) { free(bufP); } + return; + } + + rv = (*ckpFunctions->C_VerifyUpdate)(ckSessionHandle, bufP, chunkLen); + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { + if (bufP != BUF) { free(bufP); } + return; + } + jInOfs += chunkLen; + jInLen -= chunkLen; + } + + if (bufP != BUF) { free(bufP); } +} +#endif + +#ifdef P11_ENABLE_C_VERIFYFINAL +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_VerifyFinal + * Signature: (J[B)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jSignature CK_BYTE_PTR pSignature + * CK_ULONG ulSignatureLen + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyFinal + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jSignature) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_BYTE_PTR ckpSignature = NULL_PTR; + CK_ULONG ckSignatureLength; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength); + if ((*env)->ExceptionCheck(env)) { return; } + + /* verify the signature */ + rv = (*ckpFunctions->C_VerifyFinal)(ckSessionHandle, ckpSignature, ckSignatureLength); + + free(ckpSignature); + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_VERIFYRECOVERINIT +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_VerifyRecoverInit + * Signature: (JLsun/security/pkcs11/wrapper/CK_MECHANISM;J)V + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jobject jMechanism CK_MECHANISM_PTR pMechanism + * @return jlong jKeyHandle CK_OBJECT_HANDLE hKey + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyRecoverInit + (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_MECHANISM ckMechanism; + CK_OBJECT_HANDLE ckKeyHandle; + CK_RV rv; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + jMechanismToCKMechanism(env, jMechanism, &ckMechanism); + if ((*env)->ExceptionCheck(env)) { return; } + + ckKeyHandle = jLongToCKULong(jKeyHandle); + + rv = (*ckpFunctions->C_VerifyRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); + + if (ckMechanism.pParameter != NULL_PTR) { + free(ckMechanism.pParameter); + } + + if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} +#endif + +#ifdef P11_ENABLE_C_VERIFYRECOVER +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: C_VerifyRecover + * Signature: (J[BII[BII)I + * Parametermapping: *PKCS11* + * @param jlong jSessionHandle CK_SESSION_HANDLE hSession + * @param jbyteArray jSignature CK_BYTE_PTR pSignature + * CK_ULONG ulSignatureLen + * @return jbyteArray jData CK_BYTE_PTR pData + * CK_ULONG_PTR pulDataLen + */ +JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyRecover + (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jIn, jint jInOfs, jint jInLen, jbyteArray jOut, jint jOutOfs, jint jOutLen) +{ + CK_SESSION_HANDLE ckSessionHandle; + CK_RV rv; + CK_BYTE INBUF[MAX_STACK_BUFFER_LEN]; + CK_BYTE OUTBUF[MAX_STACK_BUFFER_LEN]; + CK_BYTE_PTR inBufP; + CK_BYTE_PTR outBufP = OUTBUF; + CK_ULONG ckDataLength = MAX_STACK_BUFFER_LEN; + + CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); + if (ckpFunctions == NULL) { return 0; } + + ckSessionHandle = jLongToCKULong(jSessionHandle); + + if (jInLen <= MAX_STACK_BUFFER_LEN) { + inBufP = INBUF; + } else { + inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen); + if (inBufP == NULL) { + throwOutOfMemoryError(env, 0); + return 0; + } + } + + (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); + if ((*env)->ExceptionCheck(env)) { + if (inBufP != INBUF) { free(inBufP); } + return 0; + } + + rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength); + + /* re-alloc larger buffer if it fits into our Java buffer */ + if ((rv == CKR_BUFFER_TOO_SMALL) && (ckDataLength <= jIntToCKULong(jOutLen))) { + outBufP = (CK_BYTE_PTR) malloc(ckDataLength); + if (outBufP == NULL) { + if (inBufP != INBUF) { free(inBufP); } + throwOutOfMemoryError(env, 0); + return 0; + } + rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength); + } + if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { + (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckDataLength, (jbyte *)outBufP); + } + + if (inBufP != INBUF) { free(inBufP); } + if (outBufP != OUTBUF) { free(outBufP); } + + return ckDataLength; +} +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/p11_util.c 2017-01-20 09:52:59.030288175 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,1157 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -/* declare file private functions */ - -ModuleData * getModuleEntry(JNIEnv *env, jobject pkcs11Implementation); -int isModulePresent(JNIEnv *env, jobject pkcs11Implementation); -void removeAllModuleEntries(JNIEnv *env); - - -/* ************************************************************************** */ -/* Functions for keeping track of currently active and loaded modules */ -/* ************************************************************************** */ - - -/* - * Create a new object for locking. - */ -jobject createLockObject(JNIEnv *env) { - jclass jObjectClass; - jobject jLockObject; - jmethodID jConstructor; - - jObjectClass = (*env)->FindClass(env, "java/lang/Object"); - if (jObjectClass == NULL) { return NULL; } - jConstructor = (*env)->GetMethodID(env, jObjectClass, "", "()V"); - if (jConstructor == NULL) { return NULL; } - jLockObject = (*env)->NewObject(env, jObjectClass, jConstructor); - if (jLockObject == NULL) { return NULL; } - jLockObject = (*env)->NewGlobalRef(env, jLockObject); - - return jLockObject ; -} - -/* - * Create a new object for locking. - */ -void destroyLockObject(JNIEnv *env, jobject jLockObject) { - if (jLockObject != NULL) { - (*env)->DeleteGlobalRef(env, jLockObject); - } -} - -/* - * Add the given pkcs11Implementation object to the list of present modules. - * Attach the given data to the entry. If the given pkcs11Implementation is - * already in the lsit, just override its old module data with the new one. - * None of the arguments can be NULL. If one of the arguments is NULL, this - * function does nothing. - */ -void putModuleEntry(JNIEnv *env, jobject pkcs11Implementation, ModuleData *moduleData) { - if (pkcs11Implementation == NULL_PTR) { - return ; - } - if (moduleData == NULL) { - return ; - } - (*env)->SetLongField(env, pkcs11Implementation, pNativeDataID, ptr_to_jlong(moduleData)); -} - - -/* - * Get the module data of the entry for the given pkcs11Implementation. Returns - * NULL, if the pkcs11Implementation is not in the list. - */ -ModuleData * getModuleEntry(JNIEnv *env, jobject pkcs11Implementation) { - jlong jData; - if (pkcs11Implementation == NULL) { - return NULL; - } - jData = (*env)->GetLongField(env, pkcs11Implementation, pNativeDataID); - return (ModuleData*)jlong_to_ptr(jData); -} - -CK_FUNCTION_LIST_PTR getFunctionList(JNIEnv *env, jobject pkcs11Implementation) { - ModuleData *moduleData; - CK_FUNCTION_LIST_PTR ckpFunctions; - - moduleData = getModuleEntry(env, pkcs11Implementation); - if (moduleData == NULL) { - throwDisconnectedRuntimeException(env); - return NULL; - } - ckpFunctions = moduleData->ckFunctionListPtr; - return ckpFunctions; -} - - -/* - * Returns 1, if the given pkcs11Implementation is in the list. - * 0, otherwise. - */ -int isModulePresent(JNIEnv *env, jobject pkcs11Implementation) { - int present; - - ModuleData *moduleData = getModuleEntry(env, pkcs11Implementation); - - present = (moduleData != NULL) ? 1 : 0; - - return present ; -} - - -/* - * Removes the entry for the given pkcs11Implementation from the list. Returns - * the module's data, after the node was removed. If this function returns NULL - * the pkcs11Implementation was not in the list. - */ -ModuleData * removeModuleEntry(JNIEnv *env, jobject pkcs11Implementation) { - ModuleData *moduleData = getModuleEntry(env, pkcs11Implementation); - if (moduleData == NULL) { - return NULL; - } - (*env)->SetLongField(env, pkcs11Implementation, pNativeDataID, 0); - return moduleData; -} - -/* - * Removes all present entries from the list of modules and frees all - * associated resources. This function is used for clean-up. - */ -void removeAllModuleEntries(JNIEnv *env) { - /* XXX empty */ -} - -/* ************************************************************************** */ -/* Below there follow the helper functions to support conversions between */ -/* Java and Cryptoki types */ -/* ************************************************************************** */ - -/* - * function to convert a PKCS#11 return value into a PKCS#11Exception - * - * This function generates a PKCS#11Exception with the returnValue as the errorcode - * if the returnValue is not CKR_OK. The functin returns 0, if the returnValue is - * CKR_OK. Otherwise, it returns the returnValue as a jLong. - * - * @param env - used to call JNI funktions and to get the Exception class - * @param returnValue - of the PKCS#11 function - */ -jlong ckAssertReturnValueOK(JNIEnv *env, CK_RV returnValue) -{ - jclass jPKCS11ExceptionClass; - jmethodID jConstructor; - jthrowable jPKCS11Exception; - jlong jErrorCode = 0L; - - if (returnValue != CKR_OK) { - jErrorCode = ckULongToJLong(returnValue); - jPKCS11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); - if (jPKCS11ExceptionClass != NULL) { - jConstructor = (*env)->GetMethodID(env, jPKCS11ExceptionClass, "", "(J)V"); - if (jConstructor != NULL) { - jPKCS11Exception = (jthrowable) (*env)->NewObject(env, jPKCS11ExceptionClass, jConstructor, jErrorCode); - if (jPKCS11Exception != NULL) { - (*env)->Throw(env, jPKCS11Exception); - } - } - } - (*env)->DeleteLocalRef(env, jPKCS11ExceptionClass); - } - return jErrorCode ; -} - - -/* - * Throws a Java Exception by name - */ -void throwByName(JNIEnv *env, const char *name, const char *msg) -{ - jclass cls = (*env)->FindClass(env, name); - - if (cls != 0) /* Otherwise an exception has already been thrown */ - (*env)->ThrowNew(env, cls, msg); -} - -/* - * Throws java.lang.OutOfMemoryError - */ -void throwOutOfMemoryError(JNIEnv *env, const char *msg) -{ - throwByName(env, "java/lang/OutOfMemoryError", msg); -} - -/* - * Throws java.lang.NullPointerException - */ -void throwNullPointerException(JNIEnv *env, const char *msg) -{ - throwByName(env, "java/lang/NullPointerException", msg); -} - -/* - * Throws java.io.IOException - */ -void throwIOException(JNIEnv *env, const char *msg) -{ - throwByName(env, "java/io/IOException", msg); -} - -/* - * This function simply throws a PKCS#11RuntimeException with the given - * string as its message. - * - * @param env Used to call JNI funktions and to get the Exception class. - * @param jmessage The message string of the Exception object. - */ -void throwPKCS11RuntimeException(JNIEnv *env, const char *message) -{ - throwByName(env, CLASS_PKCS11RUNTIMEEXCEPTION, message); -} - -/* - * This function simply throws a PKCS#11RuntimeException. The message says that - * the object is not connected to the module. - * - * @param env Used to call JNI funktions and to get the Exception class. - */ -void throwDisconnectedRuntimeException(JNIEnv *env) -{ - throwPKCS11RuntimeException(env, "This object is not connected to a module."); -} - -/* This function frees the specified CK_ATTRIBUTE array. - * - * @param attrPtr pointer to the to-be-freed CK_ATTRIBUTE array. - * @param len the length of the array - */ -void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len) -{ - int i; - - for (i=0; iArrayToCKArray(JNIEnv *env, - * const jArray jArray, - * CK__PTR *ckpArray, - * CK_ULONG_PTR ckLength); - * - * jArray ckArrayToJArray(JNIEnv *env, - * const CK__PTR ckpArray, - * CK_ULONG ckLength); - * - * PKCS#11 arrays consist always of a pointer to the beginning of the array and - * the array length whereas Java arrays carry their array length. - * - * The Functions to convert a Java array to a PKCS#11 array are void functions. - * Their arguments are the Java array object to convert, the reference to the - * array pointer, where the new PKCS#11 array should be stored and the reference - * to the array length where the PKCS#11 array length should be stored. These two - * references must not be NULL_PTR. - * - * The functions first obtain the array length of the Java array and then allocate - * the memory for the PKCS#11 array and set the array length. Then each element - * gets converted depending on their type. After use the allocated memory of the - * PKCS#11 array has to be explicitly freed. - * - * The Functions to convert a PKCS#11 array to a Java array get the PKCS#11 array - * pointer and the array length and they return the new Java array object. The - * Java array does not need to get freed after use. - */ - -/* - * converts a jbooleanArray to a CK_BBOOL array. The allocated memory has to be freed after use! - * - * @param env - used to call JNI funktions to get the array informtaion - * @param jArray - the Java array to convert - * @param ckpArray - the reference, where the pointer to the new CK_BBOOL array will be stored - * @param ckpLength - the reference, where the array length will be stored - */ -void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBOOL **ckpArray, CK_ULONG_PTR ckpLength) -{ - jboolean* jpTemp; - CK_ULONG i; - - if(jArray == NULL) { - *ckpArray = NULL_PTR; - *ckpLength = 0L; - return; - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jboolean*) malloc((*ckpLength) * sizeof(jboolean)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - (*env)->GetBooleanArrayRegion(env, jArray, 0, *ckpLength, jpTemp); - if ((*env)->ExceptionCheck(env)) { - free(jpTemp); - return; - } - - *ckpArray = (CK_BBOOL*) malloc ((*ckpLength) * sizeof(CK_BBOOL)); - if (*ckpArray == NULL) { - free(jpTemp); - throwOutOfMemoryError(env, 0); - return; - } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jBooleanToCKBBool(jpTemp[i]); - } - free(jpTemp); -} - -/* - * converts a jbyteArray to a CK_BYTE array. The allocated memory has to be freed after use! - * - * @param env - used to call JNI funktions to get the array informtaion - * @param jArray - the Java array to convert - * @param ckpArray - the reference, where the pointer to the new CK_BYTE array will be stored - * @param ckpLength - the reference, where the array length will be stored - */ -void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *ckpArray, CK_ULONG_PTR ckpLength) -{ - jbyte* jpTemp; - CK_ULONG i; - - if(jArray == NULL) { - *ckpArray = NULL_PTR; - *ckpLength = 0L; - return; - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jbyte*) malloc((*ckpLength) * sizeof(jbyte)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - (*env)->GetByteArrayRegion(env, jArray, 0, *ckpLength, jpTemp); - if ((*env)->ExceptionCheck(env)) { - free(jpTemp); - return; - } - - /* if CK_BYTE is the same size as jbyte, we save an additional copy */ - if (sizeof(CK_BYTE) == sizeof(jbyte)) { - *ckpArray = (CK_BYTE_PTR) jpTemp; - } else { - *ckpArray = (CK_BYTE_PTR) malloc ((*ckpLength) * sizeof(CK_BYTE)); - if (*ckpArray == NULL) { - free(jpTemp); - throwOutOfMemoryError(env, 0); - return; - } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jByteToCKByte(jpTemp[i]); - } - free(jpTemp); - } -} - -/* - * converts a jlongArray to a CK_ULONG array. The allocated memory has to be freed after use! - * - * @param env - used to call JNI funktions to get the array informtaion - * @param jArray - the Java array to convert - * @param ckpArray - the reference, where the pointer to the new CK_ULONG array will be stored - * @param ckpLength - the reference, where the array length will be stored - */ -void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR *ckpArray, CK_ULONG_PTR ckpLength) -{ - jlong* jTemp; - CK_ULONG i; - - if(jArray == NULL) { - *ckpArray = NULL_PTR; - *ckpLength = 0L; - return; - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jlong*) malloc((*ckpLength) * sizeof(jlong)); - if (jTemp == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - (*env)->GetLongArrayRegion(env, jArray, 0, *ckpLength, jTemp); - if ((*env)->ExceptionCheck(env)) { - free(jTemp); - return; - } - - *ckpArray = (CK_ULONG_PTR) malloc (*ckpLength * sizeof(CK_ULONG)); - if (*ckpArray == NULL) { - free(jTemp); - throwOutOfMemoryError(env, 0); - return; - } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jLongToCKULong(jTemp[i]); - } - free(jTemp); -} - -/* - * converts a jcharArray to a CK_CHAR array. The allocated memory has to be freed after use! - * - * @param env - used to call JNI funktions to get the array informtaion - * @param jArray - the Java array to convert - * @param ckpArray - the reference, where the pointer to the new CK_CHAR array will be stored - * @param ckpLength - the reference, where the array length will be stored - */ -void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *ckpArray, CK_ULONG_PTR ckpLength) -{ - jchar* jpTemp; - CK_ULONG i; - - if(jArray == NULL) { - *ckpArray = NULL_PTR; - *ckpLength = 0L; - return; - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jpTemp); - if ((*env)->ExceptionCheck(env)) { - free(jpTemp); - return; - } - - *ckpArray = (CK_CHAR_PTR) malloc (*ckpLength * sizeof(CK_CHAR)); - if (*ckpArray == NULL) { - free(jpTemp); - throwOutOfMemoryError(env, 0); - return; - } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jCharToCKChar(jpTemp[i]); - } - free(jpTemp); -} - -/* - * converts a jcharArray to a CK_UTF8CHAR array. The allocated memory has to be freed after use! - * - * @param env - used to call JNI funktions to get the array informtaion - * @param jArray - the Java array to convert - * @param ckpArray - the reference, where the pointer to the new CK_UTF8CHAR array will be stored - * @param ckpLength - the reference, where the array length will be stored - */ -void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CHAR_PTR *ckpArray, CK_ULONG_PTR ckpLength) -{ - jchar* jTemp; - CK_ULONG i; - - if(jArray == NULL) { - *ckpArray = NULL_PTR; - *ckpLength = 0L; - return; - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar)); - if (jTemp == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jTemp); - if ((*env)->ExceptionCheck(env)) { - free(jTemp); - return; - } - - *ckpArray = (CK_UTF8CHAR_PTR) malloc (*ckpLength * sizeof(CK_UTF8CHAR)); - if (*ckpArray == NULL) { - free(jTemp); - throwOutOfMemoryError(env, 0); - return; - } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jCharToCKUTF8Char(jTemp[i]); - } - free(jTemp); -} - -/* - * converts a jstring to a CK_CHAR array. The allocated memory has to be freed after use! - * - * @param env - used to call JNI funktions to get the array informtaion - * @param jArray - the Java array to convert - * @param ckpArray - the reference, where the pointer to the new CK_CHAR array will be stored - * @param ckpLength - the reference, where the array length will be stored - */ -void jStringToCKUTF8CharArray(JNIEnv *env, const jstring jArray, CK_UTF8CHAR_PTR *ckpArray, CK_ULONG_PTR ckpLength) -{ - const char* pCharArray; - jboolean isCopy; - - if(jArray == NULL) { - *ckpArray = NULL_PTR; - *ckpLength = 0L; - return; - } - - pCharArray = (*env)->GetStringUTFChars(env, jArray, &isCopy); - if (pCharArray == NULL) { return; } - - *ckpLength = (CK_ULONG) strlen(pCharArray); - *ckpArray = (CK_UTF8CHAR_PTR) malloc((*ckpLength + 1) * sizeof(CK_UTF8CHAR)); - if (*ckpArray == NULL) { - (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray); - throwOutOfMemoryError(env, 0); - return; - } - strcpy((char*)*ckpArray, pCharArray); - (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray); -} - -/* - * converts a jobjectArray with Java Attributes to a CK_ATTRIBUTE array. The allocated memory - * has to be freed after use! - * - * @param env - used to call JNI funktions to get the array informtaion - * @param jArray - the Java Attribute array (template) to convert - * @param ckpArray - the reference, where the pointer to the new CK_ATTRIBUTE array will be - * stored - * @param ckpLength - the reference, where the array length will be stored - */ -void jAttributeArrayToCKAttributeArray(JNIEnv *env, jobjectArray jArray, CK_ATTRIBUTE_PTR *ckpArray, CK_ULONG_PTR ckpLength) -{ - CK_ULONG i; - jlong jLength; - jobject jAttribute; - - TRACE0("\nDEBUG: jAttributeArrayToCKAttributeArray"); - if (jArray == NULL) { - *ckpArray = NULL_PTR; - *ckpLength = 0L; - return; - } - jLength = (*env)->GetArrayLength(env, jArray); - *ckpLength = jLongToCKULong(jLength); - *ckpArray = (CK_ATTRIBUTE_PTR) malloc(*ckpLength * sizeof(CK_ATTRIBUTE)); - if (*ckpArray == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - TRACE1(", converting %d attributes", jLength); - for (i=0; i<(*ckpLength); i++) { - TRACE1(", getting %d. attribute", i); - jAttribute = (*env)->GetObjectArrayElement(env, jArray, i); - if ((*env)->ExceptionCheck(env)) { - freeCKAttributeArray(*ckpArray, i); - return; - } - TRACE1(", jAttribute = %d", jAttribute); - TRACE1(", converting %d. attribute", i); - (*ckpArray)[i] = jAttributeToCKAttribute(env, jAttribute); - if ((*env)->ExceptionCheck(env)) { - freeCKAttributeArray(*ckpArray, i); - return; - } - } - TRACE0("FINISHED\n"); -} - -/* - * converts a CK_BYTE array and its length to a jbyteArray. - * - * @param env - used to call JNI funktions to create the new Java array - * @param ckpArray - the pointer to the CK_BYTE array to convert - * @param ckpLength - the length of the array to convert - * @return - the new Java byte array or NULL if error occurred - */ -jbyteArray ckByteArrayToJByteArray(JNIEnv *env, const CK_BYTE_PTR ckpArray, CK_ULONG ckLength) -{ - CK_ULONG i; - jbyte* jpTemp; - jbyteArray jArray; - - /* if CK_BYTE is the same size as jbyte, we save an additional copy */ - if (sizeof(CK_BYTE) == sizeof(jbyte)) { - jpTemp = (jbyte*) ckpArray; - } else { - jpTemp = (jbyte*) malloc((ckLength) * sizeof(jbyte)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - for (i=0; iNewByteArray(env, ckULongToJSize(ckLength)); - if (jArray != NULL) { - (*env)->SetByteArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); - } - - if (sizeof(CK_BYTE) != sizeof(jbyte)) { free(jpTemp); } - - return jArray ; -} - -/* - * converts a CK_ULONG array and its length to a jlongArray. - * - * @param env - used to call JNI funktions to create the new Java array - * @param ckpArray - the pointer to the CK_ULONG array to convert - * @param ckpLength - the length of the array to convert - * @return - the new Java long array - */ -jlongArray ckULongArrayToJLongArray(JNIEnv *env, const CK_ULONG_PTR ckpArray, CK_ULONG ckLength) -{ - CK_ULONG i; - jlong* jpTemp; - jlongArray jArray; - - jpTemp = (jlong*) malloc((ckLength) * sizeof(jlong)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - for (i=0; iNewLongArray(env, ckULongToJSize(ckLength)); - if (jArray != NULL) { - (*env)->SetLongArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); - } - free(jpTemp); - - return jArray ; -} - -/* - * converts a CK_CHAR array and its length to a jcharArray. - * - * @param env - used to call JNI funktions to create the new Java array - * @param ckpArray - the pointer to the CK_CHAR array to convert - * @param ckpLength - the length of the array to convert - * @return - the new Java char array - */ -jcharArray ckCharArrayToJCharArray(JNIEnv *env, const CK_CHAR_PTR ckpArray, CK_ULONG ckLength) -{ - CK_ULONG i; - jchar* jpTemp; - jcharArray jArray; - - jpTemp = (jchar*) malloc(ckLength * sizeof(jchar)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - for (i=0; iNewCharArray(env, ckULongToJSize(ckLength)); - if (jArray != NULL) { - (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); - } - free(jpTemp); - - return jArray ; -} - -/* - * converts a CK_UTF8CHAR array and its length to a jcharArray. - * - * @param env - used to call JNI funktions to create the new Java array - * @param ckpArray - the pointer to the CK_UTF8CHAR array to convert - * @param ckpLength - the length of the array to convert - * @return - the new Java char array - */ -jcharArray ckUTF8CharArrayToJCharArray(JNIEnv *env, const CK_UTF8CHAR_PTR ckpArray, CK_ULONG ckLength) -{ - CK_ULONG i; - jchar* jpTemp; - jcharArray jArray; - - jpTemp = (jchar*) malloc(ckLength * sizeof(jchar)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - for (i=0; iNewCharArray(env, ckULongToJSize(ckLength)); - if (jArray != NULL) { - (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); - } - free(jpTemp); - - return jArray ; -} - -/* - * the following functions convert Java objects to PKCS#11 pointers and the - * length in bytes and vice versa - * - * CK__PTR jToCKPtr(JNIEnv *env, jobject jObject); - * - * jobject ckPtrToJ(JNIEnv *env, const CK__PTR ckpValue); - * - * The functions that convert a Java object to a PKCS#11 pointer first allocate - * the memory for the PKCS#11 pointer. Then they set each element corresponding - * to the fields in the Java object to convert. After use the allocated memory of - * the PKCS#11 pointer has to be explicitly freed. - * - * The functions to convert a PKCS#11 pointer to a Java object create a new Java - * object first and than they set all fields in the object depending on the values - * of the type or structure where the PKCS#11 pointer points to. - */ - -/* - * converts a CK_BBOOL pointer to a Java boolean Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpValue - the pointer to the CK_BBOOL value - * @return - the new Java boolean object with the boolean value - */ -jobject ckBBoolPtrToJBooleanObject(JNIEnv *env, const CK_BBOOL *ckpValue) -{ - jclass jValueObjectClass; - jmethodID jConstructor; - jobject jValueObject; - jboolean jValue; - - jValueObjectClass = (*env)->FindClass(env, "java/lang/Boolean"); - if (jValueObjectClass == NULL) { return NULL; } - jConstructor = (*env)->GetMethodID(env, jValueObjectClass, "", "(Z)V"); - if (jConstructor == NULL) { return NULL; } - jValue = ckBBoolToJBoolean(*ckpValue); - jValueObject = (*env)->NewObject(env, jValueObjectClass, jConstructor, jValue); - - return jValueObject ; -} - -/* - * converts a CK_ULONG pointer to a Java long Object. - * - * @param env - used to call JNI funktions to create the new Java object - * @param ckpValue - the pointer to the CK_ULONG value - * @return - the new Java long object with the long value - */ -jobject ckULongPtrToJLongObject(JNIEnv *env, const CK_ULONG_PTR ckpValue) -{ - jclass jValueObjectClass; - jmethodID jConstructor; - jobject jValueObject; - jlong jValue; - - jValueObjectClass = (*env)->FindClass(env, "java/lang/Long"); - if (jValueObjectClass == NULL) { return NULL; } - jConstructor = (*env)->GetMethodID(env, jValueObjectClass, "", "(J)V"); - if (jConstructor == NULL) { return NULL; } - jValue = ckULongToJLong(*ckpValue); - jValueObject = (*env)->NewObject(env, jValueObjectClass, jConstructor, jValue); - - return jValueObject ; -} - -/* - * converts a Java boolean object into a pointer to a CK_BBOOL value. The memory has to be - * freed after use! - * - * @param env - used to call JNI funktions to get the value out of the Java object - * @param jObject - the "java/lang/Boolean" object to convert - * @return - the pointer to the new CK_BBOOL value - */ -CK_BBOOL* jBooleanObjectToCKBBoolPtr(JNIEnv *env, jobject jObject) -{ - jclass jObjectClass; - jmethodID jValueMethod; - jboolean jValue; - CK_BBOOL *ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Boolean"); - if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "booleanValue", "()Z"); - if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallBooleanMethod(env, jObject, jValueMethod); - ckpValue = (CK_BBOOL *) malloc(sizeof(CK_BBOOL)); - if (ckpValue == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - *ckpValue = jBooleanToCKBBool(jValue); - - return ckpValue ; -} - -/* - * converts a Java byte object into a pointer to a CK_BYTE value. The memory has to be - * freed after use! - * - * @param env - used to call JNI funktions to get the value out of the Java object - * @param jObject - the "java/lang/Byte" object to convert - * @return - the pointer to the new CK_BYTE value - */ -CK_BYTE_PTR jByteObjectToCKBytePtr(JNIEnv *env, jobject jObject) -{ - jclass jObjectClass; - jmethodID jValueMethod; - jbyte jValue; - CK_BYTE_PTR ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Byte"); - if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "byteValue", "()B"); - if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallByteMethod(env, jObject, jValueMethod); - ckpValue = (CK_BYTE_PTR) malloc(sizeof(CK_BYTE)); - if (ckpValue == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - *ckpValue = jByteToCKByte(jValue); - return ckpValue ; -} - -/* - * converts a Java integer object into a pointer to a CK_ULONG value. The memory has to be - * freed after use! - * - * @param env - used to call JNI funktions to get the value out of the Java object - * @param jObject - the "java/lang/Integer" object to convert - * @return - the pointer to the new CK_ULONG value - */ -CK_ULONG* jIntegerObjectToCKULongPtr(JNIEnv *env, jobject jObject) -{ - jclass jObjectClass; - jmethodID jValueMethod; - jint jValue; - CK_ULONG *ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Integer"); - if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "intValue", "()I"); - if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallIntMethod(env, jObject, jValueMethod); - ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG)); - if (ckpValue == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - *ckpValue = jLongToCKLong(jValue); - return ckpValue ; -} - -/* - * converts a Java long object into a pointer to a CK_ULONG value. The memory has to be - * freed after use! - * - * @param env - used to call JNI funktions to get the value out of the Java object - * @param jObject - the "java/lang/Long" object to convert - * @return - the pointer to the new CK_ULONG value - */ -CK_ULONG* jLongObjectToCKULongPtr(JNIEnv *env, jobject jObject) -{ - jclass jObjectClass; - jmethodID jValueMethod; - jlong jValue; - CK_ULONG *ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Long"); - if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "longValue", "()J"); - if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallLongMethod(env, jObject, jValueMethod); - ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG)); - if (ckpValue == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - *ckpValue = jLongToCKULong(jValue); - - return ckpValue ; -} - -/* - * converts a Java char object into a pointer to a CK_CHAR value. The memory has to be - * freed after use! - * - * @param env - used to call JNI funktions to get the value out of the Java object - * @param jObject - the "java/lang/Char" object to convert - * @return - the pointer to the new CK_CHAR value - */ -CK_CHAR_PTR jCharObjectToCKCharPtr(JNIEnv *env, jobject jObject) -{ - jclass jObjectClass; - jmethodID jValueMethod; - jchar jValue; - CK_CHAR_PTR ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Char"); - if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "charValue", "()C"); - if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallCharMethod(env, jObject, jValueMethod); - ckpValue = (CK_CHAR_PTR) malloc(sizeof(CK_CHAR)); - if (ckpValue == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } - *ckpValue = jCharToCKChar(jValue); - - return ckpValue ; -} - -/* - * converts a Java object into a pointer to CK-type or a CK-structure with the length in Bytes. - * The memory of *ckpObjectPtr to be freed after use! This function is only used by - * jAttributeToCKAttribute by now. - * - * @param env - used to call JNI funktions to get the Java classes and objects - * @param jObject - the Java object to convert - * @param ckpObjectPtr - the reference of the new pointer to the new CK-value or CK-structure - * @param ckpLength - the reference of the length in bytes of the new CK-value or CK-structure - */ -void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, jobject jObject, CK_VOID_PTR *ckpObjectPtr, CK_ULONG *ckpLength) -{ - jclass jLongClass, jBooleanClass, jByteArrayClass, jCharArrayClass; - jclass jByteClass, jDateClass, jCharacterClass, jIntegerClass; - jclass jBooleanArrayClass, jIntArrayClass, jLongArrayClass; - jclass jStringClass; - jclass jObjectClass, jClassClass; - CK_VOID_PTR ckpVoid = *ckpObjectPtr; - jmethodID jMethod; - jobject jClassObject; - jstring jClassNameString; - char *classNameString, *exceptionMsgPrefix, *exceptionMsg; - - TRACE0("\nDEBUG: jObjectToPrimitiveCKObjectPtrPtr"); - if (jObject == NULL) { - *ckpObjectPtr = NULL; - *ckpLength = 0; - return; - } - - jLongClass = (*env)->FindClass(env, "java/lang/Long"); - if (jLongClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jLongClass)) { - *ckpObjectPtr = jLongObjectToCKULongPtr(env, jObject); - *ckpLength = sizeof(CK_ULONG); - TRACE1("", *((CK_ULONG *) *ckpObjectPtr)); - return; - } - - jBooleanClass = (*env)->FindClass(env, "java/lang/Boolean"); - if (jBooleanClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jBooleanClass)) { - *ckpObjectPtr = jBooleanObjectToCKBBoolPtr(env, jObject); - *ckpLength = sizeof(CK_BBOOL); - TRACE0(" " : "FALSE>"); - return; - } - - jByteArrayClass = (*env)->FindClass(env, "[B"); - if (jByteArrayClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jByteArrayClass)) { - jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR*)ckpObjectPtr, ckpLength); - return; - } - - jCharArrayClass = (*env)->FindClass(env, "[C"); - if (jCharArrayClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jCharArrayClass)) { - jCharArrayToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength); - return; - } - - jByteClass = (*env)->FindClass(env, "java/lang/Byte"); - if (jByteClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jByteClass)) { - *ckpObjectPtr = jByteObjectToCKBytePtr(env, jObject); - *ckpLength = sizeof(CK_BYTE); - TRACE1("", *((CK_BYTE *) *ckpObjectPtr)); - return; - } - - jDateClass = (*env)->FindClass(env, CLASS_DATE); - if (jDateClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jDateClass)) { - *ckpObjectPtr = jDateObjectPtrToCKDatePtr(env, jObject); - *ckpLength = sizeof(CK_DATE); - TRACE3("", (*((CK_DATE *) *ckpObjectPtr)).year, (*((CK_DATE *) *ckpObjectPtr)).month, (*((CK_DATE *) *ckpObjectPtr)).day); - return; - } - - jCharacterClass = (*env)->FindClass(env, "java/lang/Character"); - if (jCharacterClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jCharacterClass)) { - *ckpObjectPtr = jCharObjectToCKCharPtr(env, jObject); - *ckpLength = sizeof(CK_UTF8CHAR); - TRACE1("", *((CK_CHAR *) *ckpObjectPtr)); - return; - } - - jIntegerClass = (*env)->FindClass(env, "java/lang/Integer"); - if (jIntegerClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jIntegerClass)) { - *ckpObjectPtr = jIntegerObjectToCKULongPtr(env, jObject); - *ckpLength = sizeof(CK_ULONG); - TRACE1("", *((CK_ULONG *) *ckpObjectPtr)); - return; - } - - jBooleanArrayClass = (*env)->FindClass(env, "[Z"); - if (jBooleanArrayClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jBooleanArrayClass)) { - jBooleanArrayToCKBBoolArray(env, jObject, (CK_BBOOL**)ckpObjectPtr, ckpLength); - return; - } - - jIntArrayClass = (*env)->FindClass(env, "[I"); - if (jIntArrayClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jIntArrayClass)) { - jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength); - return; - } - - jLongArrayClass = (*env)->FindClass(env, "[J"); - if (jLongArrayClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jLongArrayClass)) { - jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength); - return; - } - - jStringClass = (*env)->FindClass(env, "java/lang/String"); - if (jStringClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jObject, jStringClass)) { - jStringToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength); - return; - } - - /* type of jObject unknown, throw PKCS11RuntimeException */ - jObjectClass = (*env)->FindClass(env, "java/lang/Object"); - if (jObjectClass == NULL) { return; } - jMethod = (*env)->GetMethodID(env, jObjectClass, "getClass", "()Ljava/lang/Class;"); - if (jMethod == NULL) { return; } - jClassObject = (*env)->CallObjectMethod(env, jObject, jMethod); - assert(jClassObject != 0); - jClassClass = (*env)->FindClass(env, "java/lang/Class"); - if (jClassClass == NULL) { return; } - jMethod = (*env)->GetMethodID(env, jClassClass, "getName", "()Ljava/lang/String;"); - if (jMethod == NULL) { return; } - jClassNameString = (jstring) - (*env)->CallObjectMethod(env, jClassObject, jMethod); - assert(jClassNameString != 0); - classNameString = (char*) - (*env)->GetStringUTFChars(env, jClassNameString, NULL); - if (classNameString == NULL) { return; } - exceptionMsgPrefix = "Java object of this class cannot be converted to native PKCS#11 type: "; - exceptionMsg = (char *) - malloc((strlen(exceptionMsgPrefix) + strlen(classNameString) + 1)); - if (exceptionMsg == NULL) { - (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString); - throwOutOfMemoryError(env, 0); - return; - } - strcpy(exceptionMsg, exceptionMsgPrefix); - strcat(exceptionMsg, classNameString); - (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString); - throwPKCS11RuntimeException(env, exceptionMsg); - free(exceptionMsg); - *ckpObjectPtr = NULL; - *ckpLength = 0; - - TRACE0("FINISHED\n"); -} - -#ifdef P11_MEMORYDEBUG - -#undef malloc -#undef free - -void *p11malloc(size_t c, char *file, int line) { - void *p = malloc(c); - printf("malloc\t%08x\t%d\t%s:%d\n", p, c, file, line); fflush(stdout); - return p; -} - -void p11free(void *p, char *file, int line) { - printf("free\t%08x\t\t%s:%d\n", p, file, line); fflush(stdout); - free(p); -} - -#endif - -// prints a message to stdout if debug output is enabled -void printDebug(const char *format, ...) { - if (debug == JNI_TRUE) { - va_list args; - fprintf(stdout, "sunpkcs11: "); - va_start(args, format); - vfprintf(stdout, format, args); - va_end(args); - fflush(stdout); - } -} - --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c 2017-01-20 09:52:58.814288183 -0800 @@ -0,0 +1,1157 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +/* declare file private functions */ + +ModuleData * getModuleEntry(JNIEnv *env, jobject pkcs11Implementation); +int isModulePresent(JNIEnv *env, jobject pkcs11Implementation); +void removeAllModuleEntries(JNIEnv *env); + + +/* ************************************************************************** */ +/* Functions for keeping track of currently active and loaded modules */ +/* ************************************************************************** */ + + +/* + * Create a new object for locking. + */ +jobject createLockObject(JNIEnv *env) { + jclass jObjectClass; + jobject jLockObject; + jmethodID jConstructor; + + jObjectClass = (*env)->FindClass(env, "java/lang/Object"); + if (jObjectClass == NULL) { return NULL; } + jConstructor = (*env)->GetMethodID(env, jObjectClass, "", "()V"); + if (jConstructor == NULL) { return NULL; } + jLockObject = (*env)->NewObject(env, jObjectClass, jConstructor); + if (jLockObject == NULL) { return NULL; } + jLockObject = (*env)->NewGlobalRef(env, jLockObject); + + return jLockObject ; +} + +/* + * Create a new object for locking. + */ +void destroyLockObject(JNIEnv *env, jobject jLockObject) { + if (jLockObject != NULL) { + (*env)->DeleteGlobalRef(env, jLockObject); + } +} + +/* + * Add the given pkcs11Implementation object to the list of present modules. + * Attach the given data to the entry. If the given pkcs11Implementation is + * already in the lsit, just override its old module data with the new one. + * None of the arguments can be NULL. If one of the arguments is NULL, this + * function does nothing. + */ +void putModuleEntry(JNIEnv *env, jobject pkcs11Implementation, ModuleData *moduleData) { + if (pkcs11Implementation == NULL_PTR) { + return ; + } + if (moduleData == NULL) { + return ; + } + (*env)->SetLongField(env, pkcs11Implementation, pNativeDataID, ptr_to_jlong(moduleData)); +} + + +/* + * Get the module data of the entry for the given pkcs11Implementation. Returns + * NULL, if the pkcs11Implementation is not in the list. + */ +ModuleData * getModuleEntry(JNIEnv *env, jobject pkcs11Implementation) { + jlong jData; + if (pkcs11Implementation == NULL) { + return NULL; + } + jData = (*env)->GetLongField(env, pkcs11Implementation, pNativeDataID); + return (ModuleData*)jlong_to_ptr(jData); +} + +CK_FUNCTION_LIST_PTR getFunctionList(JNIEnv *env, jobject pkcs11Implementation) { + ModuleData *moduleData; + CK_FUNCTION_LIST_PTR ckpFunctions; + + moduleData = getModuleEntry(env, pkcs11Implementation); + if (moduleData == NULL) { + throwDisconnectedRuntimeException(env); + return NULL; + } + ckpFunctions = moduleData->ckFunctionListPtr; + return ckpFunctions; +} + + +/* + * Returns 1, if the given pkcs11Implementation is in the list. + * 0, otherwise. + */ +int isModulePresent(JNIEnv *env, jobject pkcs11Implementation) { + int present; + + ModuleData *moduleData = getModuleEntry(env, pkcs11Implementation); + + present = (moduleData != NULL) ? 1 : 0; + + return present ; +} + + +/* + * Removes the entry for the given pkcs11Implementation from the list. Returns + * the module's data, after the node was removed. If this function returns NULL + * the pkcs11Implementation was not in the list. + */ +ModuleData * removeModuleEntry(JNIEnv *env, jobject pkcs11Implementation) { + ModuleData *moduleData = getModuleEntry(env, pkcs11Implementation); + if (moduleData == NULL) { + return NULL; + } + (*env)->SetLongField(env, pkcs11Implementation, pNativeDataID, 0); + return moduleData; +} + +/* + * Removes all present entries from the list of modules and frees all + * associated resources. This function is used for clean-up. + */ +void removeAllModuleEntries(JNIEnv *env) { + /* XXX empty */ +} + +/* ************************************************************************** */ +/* Below there follow the helper functions to support conversions between */ +/* Java and Cryptoki types */ +/* ************************************************************************** */ + +/* + * function to convert a PKCS#11 return value into a PKCS#11Exception + * + * This function generates a PKCS#11Exception with the returnValue as the errorcode + * if the returnValue is not CKR_OK. The functin returns 0, if the returnValue is + * CKR_OK. Otherwise, it returns the returnValue as a jLong. + * + * @param env - used to call JNI funktions and to get the Exception class + * @param returnValue - of the PKCS#11 function + */ +jlong ckAssertReturnValueOK(JNIEnv *env, CK_RV returnValue) +{ + jclass jPKCS11ExceptionClass; + jmethodID jConstructor; + jthrowable jPKCS11Exception; + jlong jErrorCode = 0L; + + if (returnValue != CKR_OK) { + jErrorCode = ckULongToJLong(returnValue); + jPKCS11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); + if (jPKCS11ExceptionClass != NULL) { + jConstructor = (*env)->GetMethodID(env, jPKCS11ExceptionClass, "", "(J)V"); + if (jConstructor != NULL) { + jPKCS11Exception = (jthrowable) (*env)->NewObject(env, jPKCS11ExceptionClass, jConstructor, jErrorCode); + if (jPKCS11Exception != NULL) { + (*env)->Throw(env, jPKCS11Exception); + } + } + } + (*env)->DeleteLocalRef(env, jPKCS11ExceptionClass); + } + return jErrorCode ; +} + + +/* + * Throws a Java Exception by name + */ +void throwByName(JNIEnv *env, const char *name, const char *msg) +{ + jclass cls = (*env)->FindClass(env, name); + + if (cls != 0) /* Otherwise an exception has already been thrown */ + (*env)->ThrowNew(env, cls, msg); +} + +/* + * Throws java.lang.OutOfMemoryError + */ +void throwOutOfMemoryError(JNIEnv *env, const char *msg) +{ + throwByName(env, "java/lang/OutOfMemoryError", msg); +} + +/* + * Throws java.lang.NullPointerException + */ +void throwNullPointerException(JNIEnv *env, const char *msg) +{ + throwByName(env, "java/lang/NullPointerException", msg); +} + +/* + * Throws java.io.IOException + */ +void throwIOException(JNIEnv *env, const char *msg) +{ + throwByName(env, "java/io/IOException", msg); +} + +/* + * This function simply throws a PKCS#11RuntimeException with the given + * string as its message. + * + * @param env Used to call JNI funktions and to get the Exception class. + * @param jmessage The message string of the Exception object. + */ +void throwPKCS11RuntimeException(JNIEnv *env, const char *message) +{ + throwByName(env, CLASS_PKCS11RUNTIMEEXCEPTION, message); +} + +/* + * This function simply throws a PKCS#11RuntimeException. The message says that + * the object is not connected to the module. + * + * @param env Used to call JNI funktions and to get the Exception class. + */ +void throwDisconnectedRuntimeException(JNIEnv *env) +{ + throwPKCS11RuntimeException(env, "This object is not connected to a module."); +} + +/* This function frees the specified CK_ATTRIBUTE array. + * + * @param attrPtr pointer to the to-be-freed CK_ATTRIBUTE array. + * @param len the length of the array + */ +void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len) +{ + int i; + + for (i=0; iArrayToCKArray(JNIEnv *env, + * const jArray jArray, + * CK__PTR *ckpArray, + * CK_ULONG_PTR ckLength); + * + * jArray ckArrayToJArray(JNIEnv *env, + * const CK__PTR ckpArray, + * CK_ULONG ckLength); + * + * PKCS#11 arrays consist always of a pointer to the beginning of the array and + * the array length whereas Java arrays carry their array length. + * + * The Functions to convert a Java array to a PKCS#11 array are void functions. + * Their arguments are the Java array object to convert, the reference to the + * array pointer, where the new PKCS#11 array should be stored and the reference + * to the array length where the PKCS#11 array length should be stored. These two + * references must not be NULL_PTR. + * + * The functions first obtain the array length of the Java array and then allocate + * the memory for the PKCS#11 array and set the array length. Then each element + * gets converted depending on their type. After use the allocated memory of the + * PKCS#11 array has to be explicitly freed. + * + * The Functions to convert a PKCS#11 array to a Java array get the PKCS#11 array + * pointer and the array length and they return the new Java array object. The + * Java array does not need to get freed after use. + */ + +/* + * converts a jbooleanArray to a CK_BBOOL array. The allocated memory has to be freed after use! + * + * @param env - used to call JNI funktions to get the array informtaion + * @param jArray - the Java array to convert + * @param ckpArray - the reference, where the pointer to the new CK_BBOOL array will be stored + * @param ckpLength - the reference, where the array length will be stored + */ +void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBOOL **ckpArray, CK_ULONG_PTR ckpLength) +{ + jboolean* jpTemp; + CK_ULONG i; + + if(jArray == NULL) { + *ckpArray = NULL_PTR; + *ckpLength = 0L; + return; + } + *ckpLength = (*env)->GetArrayLength(env, jArray); + jpTemp = (jboolean*) malloc((*ckpLength) * sizeof(jboolean)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + (*env)->GetBooleanArrayRegion(env, jArray, 0, *ckpLength, jpTemp); + if ((*env)->ExceptionCheck(env)) { + free(jpTemp); + return; + } + + *ckpArray = (CK_BBOOL*) malloc ((*ckpLength) * sizeof(CK_BBOOL)); + if (*ckpArray == NULL) { + free(jpTemp); + throwOutOfMemoryError(env, 0); + return; + } + for (i=0; i<(*ckpLength); i++) { + (*ckpArray)[i] = jBooleanToCKBBool(jpTemp[i]); + } + free(jpTemp); +} + +/* + * converts a jbyteArray to a CK_BYTE array. The allocated memory has to be freed after use! + * + * @param env - used to call JNI funktions to get the array informtaion + * @param jArray - the Java array to convert + * @param ckpArray - the reference, where the pointer to the new CK_BYTE array will be stored + * @param ckpLength - the reference, where the array length will be stored + */ +void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *ckpArray, CK_ULONG_PTR ckpLength) +{ + jbyte* jpTemp; + CK_ULONG i; + + if(jArray == NULL) { + *ckpArray = NULL_PTR; + *ckpLength = 0L; + return; + } + *ckpLength = (*env)->GetArrayLength(env, jArray); + jpTemp = (jbyte*) malloc((*ckpLength) * sizeof(jbyte)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + (*env)->GetByteArrayRegion(env, jArray, 0, *ckpLength, jpTemp); + if ((*env)->ExceptionCheck(env)) { + free(jpTemp); + return; + } + + /* if CK_BYTE is the same size as jbyte, we save an additional copy */ + if (sizeof(CK_BYTE) == sizeof(jbyte)) { + *ckpArray = (CK_BYTE_PTR) jpTemp; + } else { + *ckpArray = (CK_BYTE_PTR) malloc ((*ckpLength) * sizeof(CK_BYTE)); + if (*ckpArray == NULL) { + free(jpTemp); + throwOutOfMemoryError(env, 0); + return; + } + for (i=0; i<(*ckpLength); i++) { + (*ckpArray)[i] = jByteToCKByte(jpTemp[i]); + } + free(jpTemp); + } +} + +/* + * converts a jlongArray to a CK_ULONG array. The allocated memory has to be freed after use! + * + * @param env - used to call JNI funktions to get the array informtaion + * @param jArray - the Java array to convert + * @param ckpArray - the reference, where the pointer to the new CK_ULONG array will be stored + * @param ckpLength - the reference, where the array length will be stored + */ +void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR *ckpArray, CK_ULONG_PTR ckpLength) +{ + jlong* jTemp; + CK_ULONG i; + + if(jArray == NULL) { + *ckpArray = NULL_PTR; + *ckpLength = 0L; + return; + } + *ckpLength = (*env)->GetArrayLength(env, jArray); + jTemp = (jlong*) malloc((*ckpLength) * sizeof(jlong)); + if (jTemp == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + (*env)->GetLongArrayRegion(env, jArray, 0, *ckpLength, jTemp); + if ((*env)->ExceptionCheck(env)) { + free(jTemp); + return; + } + + *ckpArray = (CK_ULONG_PTR) malloc (*ckpLength * sizeof(CK_ULONG)); + if (*ckpArray == NULL) { + free(jTemp); + throwOutOfMemoryError(env, 0); + return; + } + for (i=0; i<(*ckpLength); i++) { + (*ckpArray)[i] = jLongToCKULong(jTemp[i]); + } + free(jTemp); +} + +/* + * converts a jcharArray to a CK_CHAR array. The allocated memory has to be freed after use! + * + * @param env - used to call JNI funktions to get the array informtaion + * @param jArray - the Java array to convert + * @param ckpArray - the reference, where the pointer to the new CK_CHAR array will be stored + * @param ckpLength - the reference, where the array length will be stored + */ +void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *ckpArray, CK_ULONG_PTR ckpLength) +{ + jchar* jpTemp; + CK_ULONG i; + + if(jArray == NULL) { + *ckpArray = NULL_PTR; + *ckpLength = 0L; + return; + } + *ckpLength = (*env)->GetArrayLength(env, jArray); + jpTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jpTemp); + if ((*env)->ExceptionCheck(env)) { + free(jpTemp); + return; + } + + *ckpArray = (CK_CHAR_PTR) malloc (*ckpLength * sizeof(CK_CHAR)); + if (*ckpArray == NULL) { + free(jpTemp); + throwOutOfMemoryError(env, 0); + return; + } + for (i=0; i<(*ckpLength); i++) { + (*ckpArray)[i] = jCharToCKChar(jpTemp[i]); + } + free(jpTemp); +} + +/* + * converts a jcharArray to a CK_UTF8CHAR array. The allocated memory has to be freed after use! + * + * @param env - used to call JNI funktions to get the array informtaion + * @param jArray - the Java array to convert + * @param ckpArray - the reference, where the pointer to the new CK_UTF8CHAR array will be stored + * @param ckpLength - the reference, where the array length will be stored + */ +void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CHAR_PTR *ckpArray, CK_ULONG_PTR ckpLength) +{ + jchar* jTemp; + CK_ULONG i; + + if(jArray == NULL) { + *ckpArray = NULL_PTR; + *ckpLength = 0L; + return; + } + *ckpLength = (*env)->GetArrayLength(env, jArray); + jTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar)); + if (jTemp == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jTemp); + if ((*env)->ExceptionCheck(env)) { + free(jTemp); + return; + } + + *ckpArray = (CK_UTF8CHAR_PTR) malloc (*ckpLength * sizeof(CK_UTF8CHAR)); + if (*ckpArray == NULL) { + free(jTemp); + throwOutOfMemoryError(env, 0); + return; + } + for (i=0; i<(*ckpLength); i++) { + (*ckpArray)[i] = jCharToCKUTF8Char(jTemp[i]); + } + free(jTemp); +} + +/* + * converts a jstring to a CK_CHAR array. The allocated memory has to be freed after use! + * + * @param env - used to call JNI funktions to get the array informtaion + * @param jArray - the Java array to convert + * @param ckpArray - the reference, where the pointer to the new CK_CHAR array will be stored + * @param ckpLength - the reference, where the array length will be stored + */ +void jStringToCKUTF8CharArray(JNIEnv *env, const jstring jArray, CK_UTF8CHAR_PTR *ckpArray, CK_ULONG_PTR ckpLength) +{ + const char* pCharArray; + jboolean isCopy; + + if(jArray == NULL) { + *ckpArray = NULL_PTR; + *ckpLength = 0L; + return; + } + + pCharArray = (*env)->GetStringUTFChars(env, jArray, &isCopy); + if (pCharArray == NULL) { return; } + + *ckpLength = (CK_ULONG) strlen(pCharArray); + *ckpArray = (CK_UTF8CHAR_PTR) malloc((*ckpLength + 1) * sizeof(CK_UTF8CHAR)); + if (*ckpArray == NULL) { + (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray); + throwOutOfMemoryError(env, 0); + return; + } + strcpy((char*)*ckpArray, pCharArray); + (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray); +} + +/* + * converts a jobjectArray with Java Attributes to a CK_ATTRIBUTE array. The allocated memory + * has to be freed after use! + * + * @param env - used to call JNI funktions to get the array informtaion + * @param jArray - the Java Attribute array (template) to convert + * @param ckpArray - the reference, where the pointer to the new CK_ATTRIBUTE array will be + * stored + * @param ckpLength - the reference, where the array length will be stored + */ +void jAttributeArrayToCKAttributeArray(JNIEnv *env, jobjectArray jArray, CK_ATTRIBUTE_PTR *ckpArray, CK_ULONG_PTR ckpLength) +{ + CK_ULONG i; + jlong jLength; + jobject jAttribute; + + TRACE0("\nDEBUG: jAttributeArrayToCKAttributeArray"); + if (jArray == NULL) { + *ckpArray = NULL_PTR; + *ckpLength = 0L; + return; + } + jLength = (*env)->GetArrayLength(env, jArray); + *ckpLength = jLongToCKULong(jLength); + *ckpArray = (CK_ATTRIBUTE_PTR) malloc(*ckpLength * sizeof(CK_ATTRIBUTE)); + if (*ckpArray == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + TRACE1(", converting %d attributes", jLength); + for (i=0; i<(*ckpLength); i++) { + TRACE1(", getting %d. attribute", i); + jAttribute = (*env)->GetObjectArrayElement(env, jArray, i); + if ((*env)->ExceptionCheck(env)) { + freeCKAttributeArray(*ckpArray, i); + return; + } + TRACE1(", jAttribute = %d", jAttribute); + TRACE1(", converting %d. attribute", i); + (*ckpArray)[i] = jAttributeToCKAttribute(env, jAttribute); + if ((*env)->ExceptionCheck(env)) { + freeCKAttributeArray(*ckpArray, i); + return; + } + } + TRACE0("FINISHED\n"); +} + +/* + * converts a CK_BYTE array and its length to a jbyteArray. + * + * @param env - used to call JNI funktions to create the new Java array + * @param ckpArray - the pointer to the CK_BYTE array to convert + * @param ckpLength - the length of the array to convert + * @return - the new Java byte array or NULL if error occurred + */ +jbyteArray ckByteArrayToJByteArray(JNIEnv *env, const CK_BYTE_PTR ckpArray, CK_ULONG ckLength) +{ + CK_ULONG i; + jbyte* jpTemp; + jbyteArray jArray; + + /* if CK_BYTE is the same size as jbyte, we save an additional copy */ + if (sizeof(CK_BYTE) == sizeof(jbyte)) { + jpTemp = (jbyte*) ckpArray; + } else { + jpTemp = (jbyte*) malloc((ckLength) * sizeof(jbyte)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + for (i=0; iNewByteArray(env, ckULongToJSize(ckLength)); + if (jArray != NULL) { + (*env)->SetByteArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); + } + + if (sizeof(CK_BYTE) != sizeof(jbyte)) { free(jpTemp); } + + return jArray ; +} + +/* + * converts a CK_ULONG array and its length to a jlongArray. + * + * @param env - used to call JNI funktions to create the new Java array + * @param ckpArray - the pointer to the CK_ULONG array to convert + * @param ckpLength - the length of the array to convert + * @return - the new Java long array + */ +jlongArray ckULongArrayToJLongArray(JNIEnv *env, const CK_ULONG_PTR ckpArray, CK_ULONG ckLength) +{ + CK_ULONG i; + jlong* jpTemp; + jlongArray jArray; + + jpTemp = (jlong*) malloc((ckLength) * sizeof(jlong)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + for (i=0; iNewLongArray(env, ckULongToJSize(ckLength)); + if (jArray != NULL) { + (*env)->SetLongArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); + } + free(jpTemp); + + return jArray ; +} + +/* + * converts a CK_CHAR array and its length to a jcharArray. + * + * @param env - used to call JNI funktions to create the new Java array + * @param ckpArray - the pointer to the CK_CHAR array to convert + * @param ckpLength - the length of the array to convert + * @return - the new Java char array + */ +jcharArray ckCharArrayToJCharArray(JNIEnv *env, const CK_CHAR_PTR ckpArray, CK_ULONG ckLength) +{ + CK_ULONG i; + jchar* jpTemp; + jcharArray jArray; + + jpTemp = (jchar*) malloc(ckLength * sizeof(jchar)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + for (i=0; iNewCharArray(env, ckULongToJSize(ckLength)); + if (jArray != NULL) { + (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); + } + free(jpTemp); + + return jArray ; +} + +/* + * converts a CK_UTF8CHAR array and its length to a jcharArray. + * + * @param env - used to call JNI funktions to create the new Java array + * @param ckpArray - the pointer to the CK_UTF8CHAR array to convert + * @param ckpLength - the length of the array to convert + * @return - the new Java char array + */ +jcharArray ckUTF8CharArrayToJCharArray(JNIEnv *env, const CK_UTF8CHAR_PTR ckpArray, CK_ULONG ckLength) +{ + CK_ULONG i; + jchar* jpTemp; + jcharArray jArray; + + jpTemp = (jchar*) malloc(ckLength * sizeof(jchar)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + for (i=0; iNewCharArray(env, ckULongToJSize(ckLength)); + if (jArray != NULL) { + (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); + } + free(jpTemp); + + return jArray ; +} + +/* + * the following functions convert Java objects to PKCS#11 pointers and the + * length in bytes and vice versa + * + * CK__PTR jToCKPtr(JNIEnv *env, jobject jObject); + * + * jobject ckPtrToJ(JNIEnv *env, const CK__PTR ckpValue); + * + * The functions that convert a Java object to a PKCS#11 pointer first allocate + * the memory for the PKCS#11 pointer. Then they set each element corresponding + * to the fields in the Java object to convert. After use the allocated memory of + * the PKCS#11 pointer has to be explicitly freed. + * + * The functions to convert a PKCS#11 pointer to a Java object create a new Java + * object first and than they set all fields in the object depending on the values + * of the type or structure where the PKCS#11 pointer points to. + */ + +/* + * converts a CK_BBOOL pointer to a Java boolean Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpValue - the pointer to the CK_BBOOL value + * @return - the new Java boolean object with the boolean value + */ +jobject ckBBoolPtrToJBooleanObject(JNIEnv *env, const CK_BBOOL *ckpValue) +{ + jclass jValueObjectClass; + jmethodID jConstructor; + jobject jValueObject; + jboolean jValue; + + jValueObjectClass = (*env)->FindClass(env, "java/lang/Boolean"); + if (jValueObjectClass == NULL) { return NULL; } + jConstructor = (*env)->GetMethodID(env, jValueObjectClass, "", "(Z)V"); + if (jConstructor == NULL) { return NULL; } + jValue = ckBBoolToJBoolean(*ckpValue); + jValueObject = (*env)->NewObject(env, jValueObjectClass, jConstructor, jValue); + + return jValueObject ; +} + +/* + * converts a CK_ULONG pointer to a Java long Object. + * + * @param env - used to call JNI funktions to create the new Java object + * @param ckpValue - the pointer to the CK_ULONG value + * @return - the new Java long object with the long value + */ +jobject ckULongPtrToJLongObject(JNIEnv *env, const CK_ULONG_PTR ckpValue) +{ + jclass jValueObjectClass; + jmethodID jConstructor; + jobject jValueObject; + jlong jValue; + + jValueObjectClass = (*env)->FindClass(env, "java/lang/Long"); + if (jValueObjectClass == NULL) { return NULL; } + jConstructor = (*env)->GetMethodID(env, jValueObjectClass, "", "(J)V"); + if (jConstructor == NULL) { return NULL; } + jValue = ckULongToJLong(*ckpValue); + jValueObject = (*env)->NewObject(env, jValueObjectClass, jConstructor, jValue); + + return jValueObject ; +} + +/* + * converts a Java boolean object into a pointer to a CK_BBOOL value. The memory has to be + * freed after use! + * + * @param env - used to call JNI funktions to get the value out of the Java object + * @param jObject - the "java/lang/Boolean" object to convert + * @return - the pointer to the new CK_BBOOL value + */ +CK_BBOOL* jBooleanObjectToCKBBoolPtr(JNIEnv *env, jobject jObject) +{ + jclass jObjectClass; + jmethodID jValueMethod; + jboolean jValue; + CK_BBOOL *ckpValue; + + jObjectClass = (*env)->FindClass(env, "java/lang/Boolean"); + if (jObjectClass == NULL) { return NULL; } + jValueMethod = (*env)->GetMethodID(env, jObjectClass, "booleanValue", "()Z"); + if (jValueMethod == NULL) { return NULL; } + jValue = (*env)->CallBooleanMethod(env, jObject, jValueMethod); + ckpValue = (CK_BBOOL *) malloc(sizeof(CK_BBOOL)); + if (ckpValue == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + *ckpValue = jBooleanToCKBBool(jValue); + + return ckpValue ; +} + +/* + * converts a Java byte object into a pointer to a CK_BYTE value. The memory has to be + * freed after use! + * + * @param env - used to call JNI funktions to get the value out of the Java object + * @param jObject - the "java/lang/Byte" object to convert + * @return - the pointer to the new CK_BYTE value + */ +CK_BYTE_PTR jByteObjectToCKBytePtr(JNIEnv *env, jobject jObject) +{ + jclass jObjectClass; + jmethodID jValueMethod; + jbyte jValue; + CK_BYTE_PTR ckpValue; + + jObjectClass = (*env)->FindClass(env, "java/lang/Byte"); + if (jObjectClass == NULL) { return NULL; } + jValueMethod = (*env)->GetMethodID(env, jObjectClass, "byteValue", "()B"); + if (jValueMethod == NULL) { return NULL; } + jValue = (*env)->CallByteMethod(env, jObject, jValueMethod); + ckpValue = (CK_BYTE_PTR) malloc(sizeof(CK_BYTE)); + if (ckpValue == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + *ckpValue = jByteToCKByte(jValue); + return ckpValue ; +} + +/* + * converts a Java integer object into a pointer to a CK_ULONG value. The memory has to be + * freed after use! + * + * @param env - used to call JNI funktions to get the value out of the Java object + * @param jObject - the "java/lang/Integer" object to convert + * @return - the pointer to the new CK_ULONG value + */ +CK_ULONG* jIntegerObjectToCKULongPtr(JNIEnv *env, jobject jObject) +{ + jclass jObjectClass; + jmethodID jValueMethod; + jint jValue; + CK_ULONG *ckpValue; + + jObjectClass = (*env)->FindClass(env, "java/lang/Integer"); + if (jObjectClass == NULL) { return NULL; } + jValueMethod = (*env)->GetMethodID(env, jObjectClass, "intValue", "()I"); + if (jValueMethod == NULL) { return NULL; } + jValue = (*env)->CallIntMethod(env, jObject, jValueMethod); + ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG)); + if (ckpValue == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + *ckpValue = jLongToCKLong(jValue); + return ckpValue ; +} + +/* + * converts a Java long object into a pointer to a CK_ULONG value. The memory has to be + * freed after use! + * + * @param env - used to call JNI funktions to get the value out of the Java object + * @param jObject - the "java/lang/Long" object to convert + * @return - the pointer to the new CK_ULONG value + */ +CK_ULONG* jLongObjectToCKULongPtr(JNIEnv *env, jobject jObject) +{ + jclass jObjectClass; + jmethodID jValueMethod; + jlong jValue; + CK_ULONG *ckpValue; + + jObjectClass = (*env)->FindClass(env, "java/lang/Long"); + if (jObjectClass == NULL) { return NULL; } + jValueMethod = (*env)->GetMethodID(env, jObjectClass, "longValue", "()J"); + if (jValueMethod == NULL) { return NULL; } + jValue = (*env)->CallLongMethod(env, jObject, jValueMethod); + ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG)); + if (ckpValue == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + *ckpValue = jLongToCKULong(jValue); + + return ckpValue ; +} + +/* + * converts a Java char object into a pointer to a CK_CHAR value. The memory has to be + * freed after use! + * + * @param env - used to call JNI funktions to get the value out of the Java object + * @param jObject - the "java/lang/Char" object to convert + * @return - the pointer to the new CK_CHAR value + */ +CK_CHAR_PTR jCharObjectToCKCharPtr(JNIEnv *env, jobject jObject) +{ + jclass jObjectClass; + jmethodID jValueMethod; + jchar jValue; + CK_CHAR_PTR ckpValue; + + jObjectClass = (*env)->FindClass(env, "java/lang/Char"); + if (jObjectClass == NULL) { return NULL; } + jValueMethod = (*env)->GetMethodID(env, jObjectClass, "charValue", "()C"); + if (jValueMethod == NULL) { return NULL; } + jValue = (*env)->CallCharMethod(env, jObject, jValueMethod); + ckpValue = (CK_CHAR_PTR) malloc(sizeof(CK_CHAR)); + if (ckpValue == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } + *ckpValue = jCharToCKChar(jValue); + + return ckpValue ; +} + +/* + * converts a Java object into a pointer to CK-type or a CK-structure with the length in Bytes. + * The memory of *ckpObjectPtr to be freed after use! This function is only used by + * jAttributeToCKAttribute by now. + * + * @param env - used to call JNI funktions to get the Java classes and objects + * @param jObject - the Java object to convert + * @param ckpObjectPtr - the reference of the new pointer to the new CK-value or CK-structure + * @param ckpLength - the reference of the length in bytes of the new CK-value or CK-structure + */ +void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, jobject jObject, CK_VOID_PTR *ckpObjectPtr, CK_ULONG *ckpLength) +{ + jclass jLongClass, jBooleanClass, jByteArrayClass, jCharArrayClass; + jclass jByteClass, jDateClass, jCharacterClass, jIntegerClass; + jclass jBooleanArrayClass, jIntArrayClass, jLongArrayClass; + jclass jStringClass; + jclass jObjectClass, jClassClass; + CK_VOID_PTR ckpVoid = *ckpObjectPtr; + jmethodID jMethod; + jobject jClassObject; + jstring jClassNameString; + char *classNameString, *exceptionMsgPrefix, *exceptionMsg; + + TRACE0("\nDEBUG: jObjectToPrimitiveCKObjectPtrPtr"); + if (jObject == NULL) { + *ckpObjectPtr = NULL; + *ckpLength = 0; + return; + } + + jLongClass = (*env)->FindClass(env, "java/lang/Long"); + if (jLongClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jLongClass)) { + *ckpObjectPtr = jLongObjectToCKULongPtr(env, jObject); + *ckpLength = sizeof(CK_ULONG); + TRACE1("", *((CK_ULONG *) *ckpObjectPtr)); + return; + } + + jBooleanClass = (*env)->FindClass(env, "java/lang/Boolean"); + if (jBooleanClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jBooleanClass)) { + *ckpObjectPtr = jBooleanObjectToCKBBoolPtr(env, jObject); + *ckpLength = sizeof(CK_BBOOL); + TRACE0(" " : "FALSE>"); + return; + } + + jByteArrayClass = (*env)->FindClass(env, "[B"); + if (jByteArrayClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jByteArrayClass)) { + jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR*)ckpObjectPtr, ckpLength); + return; + } + + jCharArrayClass = (*env)->FindClass(env, "[C"); + if (jCharArrayClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jCharArrayClass)) { + jCharArrayToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength); + return; + } + + jByteClass = (*env)->FindClass(env, "java/lang/Byte"); + if (jByteClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jByteClass)) { + *ckpObjectPtr = jByteObjectToCKBytePtr(env, jObject); + *ckpLength = sizeof(CK_BYTE); + TRACE1("", *((CK_BYTE *) *ckpObjectPtr)); + return; + } + + jDateClass = (*env)->FindClass(env, CLASS_DATE); + if (jDateClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jDateClass)) { + *ckpObjectPtr = jDateObjectPtrToCKDatePtr(env, jObject); + *ckpLength = sizeof(CK_DATE); + TRACE3("", (*((CK_DATE *) *ckpObjectPtr)).year, (*((CK_DATE *) *ckpObjectPtr)).month, (*((CK_DATE *) *ckpObjectPtr)).day); + return; + } + + jCharacterClass = (*env)->FindClass(env, "java/lang/Character"); + if (jCharacterClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jCharacterClass)) { + *ckpObjectPtr = jCharObjectToCKCharPtr(env, jObject); + *ckpLength = sizeof(CK_UTF8CHAR); + TRACE1("", *((CK_CHAR *) *ckpObjectPtr)); + return; + } + + jIntegerClass = (*env)->FindClass(env, "java/lang/Integer"); + if (jIntegerClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jIntegerClass)) { + *ckpObjectPtr = jIntegerObjectToCKULongPtr(env, jObject); + *ckpLength = sizeof(CK_ULONG); + TRACE1("", *((CK_ULONG *) *ckpObjectPtr)); + return; + } + + jBooleanArrayClass = (*env)->FindClass(env, "[Z"); + if (jBooleanArrayClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jBooleanArrayClass)) { + jBooleanArrayToCKBBoolArray(env, jObject, (CK_BBOOL**)ckpObjectPtr, ckpLength); + return; + } + + jIntArrayClass = (*env)->FindClass(env, "[I"); + if (jIntArrayClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jIntArrayClass)) { + jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength); + return; + } + + jLongArrayClass = (*env)->FindClass(env, "[J"); + if (jLongArrayClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jLongArrayClass)) { + jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength); + return; + } + + jStringClass = (*env)->FindClass(env, "java/lang/String"); + if (jStringClass == NULL) { return; } + if ((*env)->IsInstanceOf(env, jObject, jStringClass)) { + jStringToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength); + return; + } + + /* type of jObject unknown, throw PKCS11RuntimeException */ + jObjectClass = (*env)->FindClass(env, "java/lang/Object"); + if (jObjectClass == NULL) { return; } + jMethod = (*env)->GetMethodID(env, jObjectClass, "getClass", "()Ljava/lang/Class;"); + if (jMethod == NULL) { return; } + jClassObject = (*env)->CallObjectMethod(env, jObject, jMethod); + assert(jClassObject != 0); + jClassClass = (*env)->FindClass(env, "java/lang/Class"); + if (jClassClass == NULL) { return; } + jMethod = (*env)->GetMethodID(env, jClassClass, "getName", "()Ljava/lang/String;"); + if (jMethod == NULL) { return; } + jClassNameString = (jstring) + (*env)->CallObjectMethod(env, jClassObject, jMethod); + assert(jClassNameString != 0); + classNameString = (char*) + (*env)->GetStringUTFChars(env, jClassNameString, NULL); + if (classNameString == NULL) { return; } + exceptionMsgPrefix = "Java object of this class cannot be converted to native PKCS#11 type: "; + exceptionMsg = (char *) + malloc((strlen(exceptionMsgPrefix) + strlen(classNameString) + 1)); + if (exceptionMsg == NULL) { + (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString); + throwOutOfMemoryError(env, 0); + return; + } + strcpy(exceptionMsg, exceptionMsgPrefix); + strcat(exceptionMsg, classNameString); + (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString); + throwPKCS11RuntimeException(env, exceptionMsg); + free(exceptionMsg); + *ckpObjectPtr = NULL; + *ckpLength = 0; + + TRACE0("FINISHED\n"); +} + +#ifdef P11_MEMORYDEBUG + +#undef malloc +#undef free + +void *p11malloc(size_t c, char *file, int line) { + void *p = malloc(c); + printf("malloc\t%08x\t%d\t%s:%d\n", p, c, file, line); fflush(stdout); + return p; +} + +void p11free(void *p, char *file, int line) { + printf("free\t%08x\t\t%s:%d\n", p, file, line); fflush(stdout); + free(p); +} + +#endif + +// prints a message to stdout if debug output is enabled +void printDebug(const char *format, ...) { + if (debug == JNI_TRUE) { + va_list args; + fprintf(stdout, "sunpkcs11: "); + va_start(args, format); + vfprintf(stdout, format, args); + va_end(args); + fflush(stdout); + } +} + --- old/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs-11v2-20a3.h 2017-01-20 09:52:59.382288162 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,124 +0,0 @@ -/* pkcs-11v2-20a3.h include file for the PKCS #11 Version 2.20 Amendment 3 - document. */ - -/* $Revision: 1.4 $ */ - -/* License to copy and use this software is granted provided that it is - * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface - * (Cryptoki) Version 2.20 Amendment 3" in all material mentioning or - * referencing this software. - - * RSA Security Inc. makes no representations concerning either the - * merchantability of this software or the suitability of this software for - * any particular purpose. It is provided "as is" without express or implied - * warranty of any kind. - */ - -/* This file is preferably included after inclusion of pkcs11.h */ - -#ifndef _PKCS_11V2_20A3_H_ -#define _PKCS_11V2_20A3_H_ 1 - -/* Are the definitions of this file already included in pkcs11t.h ? */ -#ifndef CKK_CAMELLIA - -#ifdef __cplusplus -extern "C" { -#endif - -/* Key types */ - -/* Camellia is new for PKCS #11 v2.20 amendment 3 */ -#define CKK_CAMELLIA 0x00000025 -/* ARIA is new for PKCS #11 v2.20 amendment 3 */ -#define CKK_ARIA 0x00000026 - - -/* Mask-generating functions */ - -/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ -#define CKG_MGF1_SHA224 0x00000005 - - -/* Mechanism Identifiers */ - -/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ -#define CKM_SHA224 0x00000255 -#define CKM_SHA224_HMAC 0x00000256 -#define CKM_SHA224_HMAC_GENERAL 0x00000257 - -/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */ -#define CKM_SHA224_KEY_DERIVATION 0x00000396 - -/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */ -#define CKM_SHA224_RSA_PKCS 0x00000046 -#define CKM_SHA224_RSA_PKCS_PSS 0x00000047 - -/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */ -#define CKM_AES_CTR 0x00001086 - -/* Camellia is new for PKCS #11 v2.20 amendment 3 */ -#define CKM_CAMELLIA_KEY_GEN 0x00000550 -#define CKM_CAMELLIA_ECB 0x00000551 -#define CKM_CAMELLIA_CBC 0x00000552 -#define CKM_CAMELLIA_MAC 0x00000553 -#define CKM_CAMELLIA_MAC_GENERAL 0x00000554 -#define CKM_CAMELLIA_CBC_PAD 0x00000555 -#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556 -#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557 -#define CKM_CAMELLIA_CTR 0x00000558 - -/* ARIA is new for PKCS #11 v2.20 amendment 3 */ -#define CKM_ARIA_KEY_GEN 0x00000560 -#define CKM_ARIA_ECB 0x00000561 -#define CKM_ARIA_CBC 0x00000562 -#define CKM_ARIA_MAC 0x00000563 -#define CKM_ARIA_MAC_GENERAL 0x00000564 -#define CKM_ARIA_CBC_PAD 0x00000565 -#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566 -#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567 - - -/* Mechanism parameters */ - -/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -typedef struct CK_AES_CTR_PARAMS { - CK_ULONG ulCounterBits; - CK_BYTE cb[16]; -} CK_AES_CTR_PARAMS; - -typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR; - -/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -typedef struct CK_CAMELLIA_CTR_PARAMS { - CK_ULONG ulCounterBits; - CK_BYTE cb[16]; -} CK_CAMELLIA_CTR_PARAMS; - -typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR; - -/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[16]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR; - -/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[16]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; - -#ifdef __cplusplus -} -#endif - -#endif - -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs-11v2-20a3.h 2017-01-20 09:52:59.162288170 -0800 @@ -0,0 +1,124 @@ +/* pkcs-11v2-20a3.h include file for the PKCS #11 Version 2.20 Amendment 3 + document. */ + +/* $Revision: 1.4 $ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface + * (Cryptoki) Version 2.20 Amendment 3" in all material mentioning or + * referencing this software. + + * RSA Security Inc. makes no representations concerning either the + * merchantability of this software or the suitability of this software for + * any particular purpose. It is provided "as is" without express or implied + * warranty of any kind. + */ + +/* This file is preferably included after inclusion of pkcs11.h */ + +#ifndef _PKCS_11V2_20A3_H_ +#define _PKCS_11V2_20A3_H_ 1 + +/* Are the definitions of this file already included in pkcs11t.h ? */ +#ifndef CKK_CAMELLIA + +#ifdef __cplusplus +extern "C" { +#endif + +/* Key types */ + +/* Camellia is new for PKCS #11 v2.20 amendment 3 */ +#define CKK_CAMELLIA 0x00000025 +/* ARIA is new for PKCS #11 v2.20 amendment 3 */ +#define CKK_ARIA 0x00000026 + + +/* Mask-generating functions */ + +/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ +#define CKG_MGF1_SHA224 0x00000005 + + +/* Mechanism Identifiers */ + +/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ +#define CKM_SHA224 0x00000255 +#define CKM_SHA224_HMAC 0x00000256 +#define CKM_SHA224_HMAC_GENERAL 0x00000257 + +/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */ +#define CKM_SHA224_KEY_DERIVATION 0x00000396 + +/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */ +#define CKM_SHA224_RSA_PKCS 0x00000046 +#define CKM_SHA224_RSA_PKCS_PSS 0x00000047 + +/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */ +#define CKM_AES_CTR 0x00001086 + +/* Camellia is new for PKCS #11 v2.20 amendment 3 */ +#define CKM_CAMELLIA_KEY_GEN 0x00000550 +#define CKM_CAMELLIA_ECB 0x00000551 +#define CKM_CAMELLIA_CBC 0x00000552 +#define CKM_CAMELLIA_MAC 0x00000553 +#define CKM_CAMELLIA_MAC_GENERAL 0x00000554 +#define CKM_CAMELLIA_CBC_PAD 0x00000555 +#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556 +#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557 +#define CKM_CAMELLIA_CTR 0x00000558 + +/* ARIA is new for PKCS #11 v2.20 amendment 3 */ +#define CKM_ARIA_KEY_GEN 0x00000560 +#define CKM_ARIA_ECB 0x00000561 +#define CKM_ARIA_CBC 0x00000562 +#define CKM_ARIA_MAC 0x00000563 +#define CKM_ARIA_MAC_GENERAL 0x00000564 +#define CKM_ARIA_CBC_PAD 0x00000565 +#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566 +#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567 + + +/* Mechanism parameters */ + +/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ +typedef struct CK_AES_CTR_PARAMS { + CK_ULONG ulCounterBits; + CK_BYTE cb[16]; +} CK_AES_CTR_PARAMS; + +typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR; + +/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ +typedef struct CK_CAMELLIA_CTR_PARAMS { + CK_ULONG ulCounterBits; + CK_BYTE cb[16]; +} CK_CAMELLIA_CTR_PARAMS; + +typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR; + +/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ +typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[16]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR; + +/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ +typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[16]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; + +#ifdef __cplusplus +} +#endif + +#endif + +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11.h 2017-01-20 09:52:59.734288148 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,299 +0,0 @@ -/* pkcs11.h include file for PKCS #11. */ -/* $Revision: 1.4 $ */ - -/* License to copy and use this software is granted provided that it is - * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface - * (Cryptoki)" in all material mentioning or referencing this software. - - * License is also granted to make and use derivative works provided that - * such works are identified as "derived from the RSA Security Inc. PKCS #11 - * Cryptographic Token Interface (Cryptoki)" in all material mentioning or - * referencing the derived work. - - * RSA Security Inc. makes no representations concerning either the - * merchantability of this software or the suitability of this software for - * any particular purpose. It is provided "as is" without express or implied - * warranty of any kind. - */ - -#ifndef _PKCS11_H_ -#define _PKCS11_H_ 1 - -#ifdef __cplusplus -extern "C" { -#endif - -/* Before including this file (pkcs11.h) (or pkcs11t.h by - * itself), 6 platform-specific macros must be defined. These - * macros are described below, and typical definitions for them - * are also given. Be advised that these definitions can depend - * on both the platform and the compiler used (and possibly also - * on whether a Cryptoki library is linked statically or - * dynamically). - * - * In addition to defining these 6 macros, the packing convention - * for Cryptoki structures should be set. The Cryptoki - * convention on packing is that structures should be 1-byte - * aligned. - * - * If you're using Microsoft Developer Studio 5.0 to produce - * Win32 stuff, this might be done by using the following - * preprocessor directive before including pkcs11.h or pkcs11t.h: - * - * #pragma pack(push, cryptoki, 1) - * - * and using the following preprocessor directive after including - * pkcs11.h or pkcs11t.h: - * - * #pragma pack(pop, cryptoki) - * - * If you're using an earlier version of Microsoft Developer - * Studio to produce Win16 stuff, this might be done by using - * the following preprocessor directive before including - * pkcs11.h or pkcs11t.h: - * - * #pragma pack(1) - * - * In a UNIX environment, you're on your own for this. You might - * not need to do (or be able to do!) anything. - * - * - * Now for the macros: - * - * - * 1. CK_PTR: The indirection string for making a pointer to an - * object. It can be used like this: - * - * typedef CK_BYTE CK_PTR CK_BYTE_PTR; - * - * If you're using Microsoft Developer Studio 5.0 to produce - * Win32 stuff, it might be defined by: - * - * #define CK_PTR * - * - * If you're using an earlier version of Microsoft Developer - * Studio to produce Win16 stuff, it might be defined by: - * - * #define CK_PTR far * - * - * In a typical UNIX environment, it might be defined by: - * - * #define CK_PTR * - * - * - * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes - * an exportable Cryptoki library function definition out of a - * return type and a function name. It should be used in the - * following fashion to define the exposed Cryptoki functions in - * a Cryptoki library: - * - * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)( - * CK_VOID_PTR pReserved - * ) - * { - * ... - * } - * - * If you're using Microsoft Developer Studio 5.0 to define a - * function in a Win32 Cryptoki .dll, it might be defined by: - * - * #define CK_DEFINE_FUNCTION(returnType, name) \ - * returnType __declspec(dllexport) name - * - * If you're using an earlier version of Microsoft Developer - * Studio to define a function in a Win16 Cryptoki .dll, it - * might be defined by: - * - * #define CK_DEFINE_FUNCTION(returnType, name) \ - * returnType __export _far _pascal name - * - * In a UNIX environment, it might be defined by: - * - * #define CK_DEFINE_FUNCTION(returnType, name) \ - * returnType name - * - * - * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes - * an importable Cryptoki library function declaration out of a - * return type and a function name. It should be used in the - * following fashion: - * - * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( - * CK_VOID_PTR pReserved - * ); - * - * If you're using Microsoft Developer Studio 5.0 to declare a - * function in a Win32 Cryptoki .dll, it might be defined by: - * - * #define CK_DECLARE_FUNCTION(returnType, name) \ - * returnType __declspec(dllimport) name - * - * If you're using an earlier version of Microsoft Developer - * Studio to declare a function in a Win16 Cryptoki .dll, it - * might be defined by: - * - * #define CK_DECLARE_FUNCTION(returnType, name) \ - * returnType __export _far _pascal name - * - * In a UNIX environment, it might be defined by: - * - * #define CK_DECLARE_FUNCTION(returnType, name) \ - * returnType name - * - * - * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro - * which makes a Cryptoki API function pointer declaration or - * function pointer type declaration out of a return type and a - * function name. It should be used in the following fashion: - * - * // Define funcPtr to be a pointer to a Cryptoki API function - * // taking arguments args and returning CK_RV. - * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); - * - * or - * - * // Define funcPtrType to be the type of a pointer to a - * // Cryptoki API function taking arguments args and returning - * // CK_RV, and then define funcPtr to be a variable of type - * // funcPtrType. - * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); - * funcPtrType funcPtr; - * - * If you're using Microsoft Developer Studio 5.0 to access - * functions in a Win32 Cryptoki .dll, in might be defined by: - * - * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ - * returnType __declspec(dllimport) (* name) - * - * If you're using an earlier version of Microsoft Developer - * Studio to access functions in a Win16 Cryptoki .dll, it might - * be defined by: - * - * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ - * returnType __export _far _pascal (* name) - * - * In a UNIX environment, it might be defined by: - * - * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ - * returnType (* name) - * - * - * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes - * a function pointer type for an application callback out of - * a return type for the callback and a name for the callback. - * It should be used in the following fashion: - * - * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); - * - * to declare a function pointer, myCallback, to a callback - * which takes arguments args and returns a CK_RV. It can also - * be used like this: - * - * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); - * myCallbackType myCallback; - * - * If you're using Microsoft Developer Studio 5.0 to do Win32 - * Cryptoki development, it might be defined by: - * - * #define CK_CALLBACK_FUNCTION(returnType, name) \ - * returnType (* name) - * - * If you're using an earlier version of Microsoft Developer - * Studio to do Win16 development, it might be defined by: - * - * #define CK_CALLBACK_FUNCTION(returnType, name) \ - * returnType _far _pascal (* name) - * - * In a UNIX environment, it might be defined by: - * - * #define CK_CALLBACK_FUNCTION(returnType, name) \ - * returnType (* name) - * - * - * 6. NULL_PTR: This macro is the value of a NULL pointer. - * - * In any ANSI/ISO C environment (and in many others as well), - * this should best be defined by - * - * #ifndef NULL_PTR - * #define NULL_PTR 0 - * #endif - */ - - -/* All the various Cryptoki types and #define'd values are in the - * file pkcs11t.h. */ -#include "pkcs11t.h" - -#define __PASTE(x,y) x##y - - -/* ============================================================== - * Define the "extern" form of all the entry points. - * ============================================================== - */ - -#define CK_NEED_ARG_LIST 1 -#define CK_PKCS11_FUNCTION_INFO(name) \ - extern CK_DECLARE_FUNCTION(CK_RV, name) - -/* pkcs11f.h has all the information about the Cryptoki - * function prototypes. */ -#include "pkcs11f.h" - -#undef CK_NEED_ARG_LIST -#undef CK_PKCS11_FUNCTION_INFO - - -/* ============================================================== - * Define the typedef form of all the entry points. That is, for - * each Cryptoki function C_XXX, define a type CK_C_XXX which is - * a pointer to that kind of function. - * ============================================================== - */ - -#define CK_NEED_ARG_LIST 1 -#define CK_PKCS11_FUNCTION_INFO(name) \ - typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name)) - -/* pkcs11f.h has all the information about the Cryptoki - * function prototypes. */ -#include "pkcs11f.h" - -#undef CK_NEED_ARG_LIST -#undef CK_PKCS11_FUNCTION_INFO - - -/* ============================================================== - * Define structed vector of entry points. A CK_FUNCTION_LIST - * contains a CK_VERSION indicating a library's Cryptoki version - * and then a whole slew of function pointers to the routines in - * the library. This type was declared, but not defined, in - * pkcs11t.h. - * ============================================================== - */ - -#define CK_PKCS11_FUNCTION_INFO(name) \ - __PASTE(CK_,name) name; - -struct CK_FUNCTION_LIST { - - CK_VERSION version; /* Cryptoki version */ - -/* Pile all the function pointers into the CK_FUNCTION_LIST. */ -/* pkcs11f.h has all the information about the Cryptoki - * function prototypes. */ -#include "pkcs11f.h" - -}; - -#undef CK_PKCS11_FUNCTION_INFO - - -#undef __PASTE - -#ifdef __cplusplus -} -#endif - -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11.h 2017-01-20 09:52:59.510288157 -0800 @@ -0,0 +1,299 @@ +/* pkcs11.h include file for PKCS #11. */ +/* $Revision: 1.4 $ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface + * (Cryptoki)" in all material mentioning or referencing this software. + + * License is also granted to make and use derivative works provided that + * such works are identified as "derived from the RSA Security Inc. PKCS #11 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or + * referencing the derived work. + + * RSA Security Inc. makes no representations concerning either the + * merchantability of this software or the suitability of this software for + * any particular purpose. It is provided "as is" without express or implied + * warranty of any kind. + */ + +#ifndef _PKCS11_H_ +#define _PKCS11_H_ 1 + +#ifdef __cplusplus +extern "C" { +#endif + +/* Before including this file (pkcs11.h) (or pkcs11t.h by + * itself), 6 platform-specific macros must be defined. These + * macros are described below, and typical definitions for them + * are also given. Be advised that these definitions can depend + * on both the platform and the compiler used (and possibly also + * on whether a Cryptoki library is linked statically or + * dynamically). + * + * In addition to defining these 6 macros, the packing convention + * for Cryptoki structures should be set. The Cryptoki + * convention on packing is that structures should be 1-byte + * aligned. + * + * If you're using Microsoft Developer Studio 5.0 to produce + * Win32 stuff, this might be done by using the following + * preprocessor directive before including pkcs11.h or pkcs11t.h: + * + * #pragma pack(push, cryptoki, 1) + * + * and using the following preprocessor directive after including + * pkcs11.h or pkcs11t.h: + * + * #pragma pack(pop, cryptoki) + * + * If you're using an earlier version of Microsoft Developer + * Studio to produce Win16 stuff, this might be done by using + * the following preprocessor directive before including + * pkcs11.h or pkcs11t.h: + * + * #pragma pack(1) + * + * In a UNIX environment, you're on your own for this. You might + * not need to do (or be able to do!) anything. + * + * + * Now for the macros: + * + * + * 1. CK_PTR: The indirection string for making a pointer to an + * object. It can be used like this: + * + * typedef CK_BYTE CK_PTR CK_BYTE_PTR; + * + * If you're using Microsoft Developer Studio 5.0 to produce + * Win32 stuff, it might be defined by: + * + * #define CK_PTR * + * + * If you're using an earlier version of Microsoft Developer + * Studio to produce Win16 stuff, it might be defined by: + * + * #define CK_PTR far * + * + * In a typical UNIX environment, it might be defined by: + * + * #define CK_PTR * + * + * + * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes + * an exportable Cryptoki library function definition out of a + * return type and a function name. It should be used in the + * following fashion to define the exposed Cryptoki functions in + * a Cryptoki library: + * + * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)( + * CK_VOID_PTR pReserved + * ) + * { + * ... + * } + * + * If you're using Microsoft Developer Studio 5.0 to define a + * function in a Win32 Cryptoki .dll, it might be defined by: + * + * #define CK_DEFINE_FUNCTION(returnType, name) \ + * returnType __declspec(dllexport) name + * + * If you're using an earlier version of Microsoft Developer + * Studio to define a function in a Win16 Cryptoki .dll, it + * might be defined by: + * + * #define CK_DEFINE_FUNCTION(returnType, name) \ + * returnType __export _far _pascal name + * + * In a UNIX environment, it might be defined by: + * + * #define CK_DEFINE_FUNCTION(returnType, name) \ + * returnType name + * + * + * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes + * an importable Cryptoki library function declaration out of a + * return type and a function name. It should be used in the + * following fashion: + * + * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( + * CK_VOID_PTR pReserved + * ); + * + * If you're using Microsoft Developer Studio 5.0 to declare a + * function in a Win32 Cryptoki .dll, it might be defined by: + * + * #define CK_DECLARE_FUNCTION(returnType, name) \ + * returnType __declspec(dllimport) name + * + * If you're using an earlier version of Microsoft Developer + * Studio to declare a function in a Win16 Cryptoki .dll, it + * might be defined by: + * + * #define CK_DECLARE_FUNCTION(returnType, name) \ + * returnType __export _far _pascal name + * + * In a UNIX environment, it might be defined by: + * + * #define CK_DECLARE_FUNCTION(returnType, name) \ + * returnType name + * + * + * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro + * which makes a Cryptoki API function pointer declaration or + * function pointer type declaration out of a return type and a + * function name. It should be used in the following fashion: + * + * // Define funcPtr to be a pointer to a Cryptoki API function + * // taking arguments args and returning CK_RV. + * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); + * + * or + * + * // Define funcPtrType to be the type of a pointer to a + * // Cryptoki API function taking arguments args and returning + * // CK_RV, and then define funcPtr to be a variable of type + * // funcPtrType. + * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); + * funcPtrType funcPtr; + * + * If you're using Microsoft Developer Studio 5.0 to access + * functions in a Win32 Cryptoki .dll, in might be defined by: + * + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ + * returnType __declspec(dllimport) (* name) + * + * If you're using an earlier version of Microsoft Developer + * Studio to access functions in a Win16 Cryptoki .dll, it might + * be defined by: + * + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ + * returnType __export _far _pascal (* name) + * + * In a UNIX environment, it might be defined by: + * + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ + * returnType (* name) + * + * + * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes + * a function pointer type for an application callback out of + * a return type for the callback and a name for the callback. + * It should be used in the following fashion: + * + * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); + * + * to declare a function pointer, myCallback, to a callback + * which takes arguments args and returns a CK_RV. It can also + * be used like this: + * + * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); + * myCallbackType myCallback; + * + * If you're using Microsoft Developer Studio 5.0 to do Win32 + * Cryptoki development, it might be defined by: + * + * #define CK_CALLBACK_FUNCTION(returnType, name) \ + * returnType (* name) + * + * If you're using an earlier version of Microsoft Developer + * Studio to do Win16 development, it might be defined by: + * + * #define CK_CALLBACK_FUNCTION(returnType, name) \ + * returnType _far _pascal (* name) + * + * In a UNIX environment, it might be defined by: + * + * #define CK_CALLBACK_FUNCTION(returnType, name) \ + * returnType (* name) + * + * + * 6. NULL_PTR: This macro is the value of a NULL pointer. + * + * In any ANSI/ISO C environment (and in many others as well), + * this should best be defined by + * + * #ifndef NULL_PTR + * #define NULL_PTR 0 + * #endif + */ + + +/* All the various Cryptoki types and #define'd values are in the + * file pkcs11t.h. */ +#include "pkcs11t.h" + +#define __PASTE(x,y) x##y + + +/* ============================================================== + * Define the "extern" form of all the entry points. + * ============================================================== + */ + +#define CK_NEED_ARG_LIST 1 +#define CK_PKCS11_FUNCTION_INFO(name) \ + extern CK_DECLARE_FUNCTION(CK_RV, name) + +/* pkcs11f.h has all the information about the Cryptoki + * function prototypes. */ +#include "pkcs11f.h" + +#undef CK_NEED_ARG_LIST +#undef CK_PKCS11_FUNCTION_INFO + + +/* ============================================================== + * Define the typedef form of all the entry points. That is, for + * each Cryptoki function C_XXX, define a type CK_C_XXX which is + * a pointer to that kind of function. + * ============================================================== + */ + +#define CK_NEED_ARG_LIST 1 +#define CK_PKCS11_FUNCTION_INFO(name) \ + typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name)) + +/* pkcs11f.h has all the information about the Cryptoki + * function prototypes. */ +#include "pkcs11f.h" + +#undef CK_NEED_ARG_LIST +#undef CK_PKCS11_FUNCTION_INFO + + +/* ============================================================== + * Define structed vector of entry points. A CK_FUNCTION_LIST + * contains a CK_VERSION indicating a library's Cryptoki version + * and then a whole slew of function pointers to the routines in + * the library. This type was declared, but not defined, in + * pkcs11t.h. + * ============================================================== + */ + +#define CK_PKCS11_FUNCTION_INFO(name) \ + __PASTE(CK_,name) name; + +struct CK_FUNCTION_LIST { + + CK_VERSION version; /* Cryptoki version */ + +/* Pile all the function pointers into the CK_FUNCTION_LIST. */ +/* pkcs11f.h has all the information about the Cryptoki + * function prototypes. */ +#include "pkcs11f.h" + +}; + +#undef CK_PKCS11_FUNCTION_INFO + + +#undef __PASTE + +#ifdef __cplusplus +} +#endif + +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11f.h 2017-01-20 09:53:00.082288135 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,912 +0,0 @@ -/* pkcs11f.h include file for PKCS #11. */ -/* $Revision: 1.4 $ */ - -/* License to copy and use this software is granted provided that it is - * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface - * (Cryptoki)" in all material mentioning or referencing this software. - - * License is also granted to make and use derivative works provided that - * such works are identified as "derived from the RSA Security Inc. PKCS #11 - * Cryptographic Token Interface (Cryptoki)" in all material mentioning or - * referencing the derived work. - - * RSA Security Inc. makes no representations concerning either the - * merchantability of this software or the suitability of this software for - * any particular purpose. It is provided "as is" without express or implied - * warranty of any kind. - */ - -/* This header file contains pretty much everything about all the */ -/* Cryptoki function prototypes. Because this information is */ -/* used for more than just declaring function prototypes, the */ -/* order of the functions appearing herein is important, and */ -/* should not be altered. */ - -/* General-purpose */ - -/* C_Initialize initializes the Cryptoki library. */ -CK_PKCS11_FUNCTION_INFO(C_Initialize) -#ifdef CK_NEED_ARG_LIST -( - CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets - * cast to CK_C_INITIALIZE_ARGS_PTR - * and dereferenced */ -); -#endif - - -/* C_Finalize indicates that an application is done with the - * Cryptoki library. */ -CK_PKCS11_FUNCTION_INFO(C_Finalize) -#ifdef CK_NEED_ARG_LIST -( - CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */ -); -#endif - - -/* C_GetInfo returns general information about Cryptoki. */ -CK_PKCS11_FUNCTION_INFO(C_GetInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_INFO_PTR pInfo /* location that receives information */ -); -#endif - - -/* C_GetFunctionList returns the function list. */ -CK_PKCS11_FUNCTION_INFO(C_GetFunctionList) -#ifdef CK_NEED_ARG_LIST -( - CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to - * function list */ -); -#endif - - - -/* Slot and token management */ - -/* C_GetSlotList obtains a list of slots in the system. */ -CK_PKCS11_FUNCTION_INFO(C_GetSlotList) -#ifdef CK_NEED_ARG_LIST -( - CK_BBOOL tokenPresent, /* only slots with tokens? */ - CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */ - CK_ULONG_PTR pulCount /* receives number of slots */ -); -#endif - - -/* C_GetSlotInfo obtains information about a particular slot in - * the system. */ -CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* the ID of the slot */ - CK_SLOT_INFO_PTR pInfo /* receives the slot information */ -); -#endif - - -/* C_GetTokenInfo obtains information about a particular token - * in the system. */ -CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* ID of the token's slot */ - CK_TOKEN_INFO_PTR pInfo /* receives the token information */ -); -#endif - - -/* C_GetMechanismList obtains a list of mechanism types - * supported by a token. */ -CK_PKCS11_FUNCTION_INFO(C_GetMechanismList) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* ID of token's slot */ - CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */ - CK_ULONG_PTR pulCount /* gets # of mechs. */ -); -#endif - - -/* C_GetMechanismInfo obtains information about a particular - * mechanism possibly supported by a token. */ -CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* ID of the token's slot */ - CK_MECHANISM_TYPE type, /* type of mechanism */ - CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */ -); -#endif - - -/* C_InitToken initializes a token. */ -CK_PKCS11_FUNCTION_INFO(C_InitToken) -#ifdef CK_NEED_ARG_LIST -/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */ -( - CK_SLOT_ID slotID, /* ID of the token's slot */ - CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ - CK_ULONG ulPinLen, /* length in bytes of the PIN */ - CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ -); -#endif - - -/* C_InitPIN initializes the normal user's PIN. */ -CK_PKCS11_FUNCTION_INFO(C_InitPIN) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ - CK_ULONG ulPinLen /* length in bytes of the PIN */ -); -#endif - - -/* C_SetPIN modifies the PIN of the user who is logged in. */ -CK_PKCS11_FUNCTION_INFO(C_SetPIN) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ - CK_ULONG ulOldLen, /* length of the old PIN */ - CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ - CK_ULONG ulNewLen /* length of the new PIN */ -); -#endif - - - -/* Session management */ - -/* C_OpenSession opens a session between an application and a - * token. */ -CK_PKCS11_FUNCTION_INFO(C_OpenSession) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* the slot's ID */ - CK_FLAGS flags, /* from CK_SESSION_INFO */ - CK_VOID_PTR pApplication, /* passed to callback */ - CK_NOTIFY Notify, /* callback function */ - CK_SESSION_HANDLE_PTR phSession /* gets session handle */ -); -#endif - - -/* C_CloseSession closes a session between an application and a - * token. */ -CK_PKCS11_FUNCTION_INFO(C_CloseSession) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - -/* C_CloseAllSessions closes all sessions with a token. */ -CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID /* the token's slot */ -); -#endif - - -/* C_GetSessionInfo obtains information about the session. */ -CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_SESSION_INFO_PTR pInfo /* receives session info */ -); -#endif - - -/* C_GetOperationState obtains the state of the cryptographic operation - * in a session. */ -CK_PKCS11_FUNCTION_INFO(C_GetOperationState) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pOperationState, /* gets state */ - CK_ULONG_PTR pulOperationStateLen /* gets state length */ -); -#endif - - -/* C_SetOperationState restores the state of the cryptographic - * operation in a session. */ -CK_PKCS11_FUNCTION_INFO(C_SetOperationState) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pOperationState, /* holds state */ - CK_ULONG ulOperationStateLen, /* holds state length */ - CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */ - CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */ -); -#endif - - -/* C_Login logs a user into a token. */ -CK_PKCS11_FUNCTION_INFO(C_Login) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_USER_TYPE userType, /* the user type */ - CK_UTF8CHAR_PTR pPin, /* the user's PIN */ - CK_ULONG ulPinLen /* the length of the PIN */ -); -#endif - - -/* C_Logout logs a user out from a token. */ -CK_PKCS11_FUNCTION_INFO(C_Logout) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - - -/* Object management */ - -/* C_CreateObject creates a new object. */ -CK_PKCS11_FUNCTION_INFO(C_CreateObject) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* the object's template */ - CK_ULONG ulCount, /* attributes in template */ - CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */ -); -#endif - - -/* C_CopyObject copies an object, creating a new object for the - * copy. */ -CK_PKCS11_FUNCTION_INFO(C_CopyObject) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject, /* the object's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* template for new object */ - CK_ULONG ulCount, /* attributes in template */ - CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */ -); -#endif - - -/* C_DestroyObject destroys an object. */ -CK_PKCS11_FUNCTION_INFO(C_DestroyObject) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject /* the object's handle */ -); -#endif - - -/* C_GetObjectSize gets the size of an object in bytes. */ -CK_PKCS11_FUNCTION_INFO(C_GetObjectSize) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject, /* the object's handle */ - CK_ULONG_PTR pulSize /* receives size of object */ -); -#endif - - -/* C_GetAttributeValue obtains the value of one or more object - * attributes. */ -CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject, /* the object's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */ - CK_ULONG ulCount /* attributes in template */ -); -#endif - - -/* C_SetAttributeValue modifies the value of one or more object - * attributes */ -CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject, /* the object's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */ - CK_ULONG ulCount /* attributes in template */ -); -#endif - - -/* C_FindObjectsInit initializes a search for token and session - * objects that match a template. */ -CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */ - CK_ULONG ulCount /* attrs in search template */ -); -#endif - - -/* C_FindObjects continues a search for token and session - * objects that match a template, obtaining additional object - * handles. */ -CK_PKCS11_FUNCTION_INFO(C_FindObjects) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */ - CK_ULONG ulMaxObjectCount, /* max handles to get */ - CK_ULONG_PTR pulObjectCount /* actual # returned */ -); -#endif - - -/* C_FindObjectsFinal finishes a search for token and session - * objects. */ -CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - - -/* Encryption and decryption */ - -/* C_EncryptInit initializes an encryption operation. */ -CK_PKCS11_FUNCTION_INFO(C_EncryptInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ - CK_OBJECT_HANDLE hKey /* handle of encryption key */ -); -#endif - - -/* C_Encrypt encrypts single-part data. */ -CK_PKCS11_FUNCTION_INFO(C_Encrypt) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pData, /* the plaintext data */ - CK_ULONG ulDataLen, /* bytes of plaintext */ - CK_BYTE_PTR pEncryptedData, /* gets ciphertext */ - CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */ -); -#endif - - -/* C_EncryptUpdate continues a multiple-part encryption - * operation. */ -CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pPart, /* the plaintext data */ - CK_ULONG ulPartLen, /* plaintext data len */ - CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ - CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */ -); -#endif - - -/* C_EncryptFinal finishes a multiple-part encryption - * operation. */ -CK_PKCS11_FUNCTION_INFO(C_EncryptFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session handle */ - CK_BYTE_PTR pLastEncryptedPart, /* last c-text */ - CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */ -); -#endif - - -/* C_DecryptInit initializes a decryption operation. */ -CK_PKCS11_FUNCTION_INFO(C_DecryptInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ - CK_OBJECT_HANDLE hKey /* handle of decryption key */ -); -#endif - - -/* C_Decrypt decrypts encrypted data in a single part. */ -CK_PKCS11_FUNCTION_INFO(C_Decrypt) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pEncryptedData, /* ciphertext */ - CK_ULONG ulEncryptedDataLen, /* ciphertext length */ - CK_BYTE_PTR pData, /* gets plaintext */ - CK_ULONG_PTR pulDataLen /* gets p-text size */ -); -#endif - - -/* C_DecryptUpdate continues a multiple-part decryption - * operation. */ -CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pEncryptedPart, /* encrypted data */ - CK_ULONG ulEncryptedPartLen, /* input length */ - CK_BYTE_PTR pPart, /* gets plaintext */ - CK_ULONG_PTR pulPartLen /* p-text size */ -); -#endif - - -/* C_DecryptFinal finishes a multiple-part decryption - * operation. */ -CK_PKCS11_FUNCTION_INFO(C_DecryptFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pLastPart, /* gets plaintext */ - CK_ULONG_PTR pulLastPartLen /* p-text size */ -); -#endif - - - -/* Message digesting */ - -/* C_DigestInit initializes a message-digesting operation. */ -CK_PKCS11_FUNCTION_INFO(C_DigestInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism /* the digesting mechanism */ -); -#endif - - -/* C_Digest digests data in a single part. */ -CK_PKCS11_FUNCTION_INFO(C_Digest) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pData, /* data to be digested */ - CK_ULONG ulDataLen, /* bytes of data to digest */ - CK_BYTE_PTR pDigest, /* gets the message digest */ - CK_ULONG_PTR pulDigestLen /* gets digest length */ -); -#endif - - -/* C_DigestUpdate continues a multiple-part message-digesting - * operation. */ -CK_PKCS11_FUNCTION_INFO(C_DigestUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pPart, /* data to be digested */ - CK_ULONG ulPartLen /* bytes of data to be digested */ -); -#endif - - -/* C_DigestKey continues a multi-part message-digesting - * operation, by digesting the value of a secret key as part of - * the data already digested. */ -CK_PKCS11_FUNCTION_INFO(C_DigestKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hKey /* secret key to digest */ -); -#endif - - -/* C_DigestFinal finishes a multiple-part message-digesting - * operation. */ -CK_PKCS11_FUNCTION_INFO(C_DigestFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pDigest, /* gets the message digest */ - CK_ULONG_PTR pulDigestLen /* gets byte count of digest */ -); -#endif - - - -/* Signing and MACing */ - -/* C_SignInit initializes a signature (private key encryption) - * operation, where the signature is (will be) an appendix to - * the data, and plaintext cannot be recovered from the - *signature. */ -CK_PKCS11_FUNCTION_INFO(C_SignInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ - CK_OBJECT_HANDLE hKey /* handle of signature key */ -); -#endif - - -/* C_Sign signs (encrypts with private key) data in a single - * part, where the signature is (will be) an appendix to the - * data, and plaintext cannot be recovered from the signature. */ -CK_PKCS11_FUNCTION_INFO(C_Sign) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pData, /* the data to sign */ - CK_ULONG ulDataLen, /* count of bytes to sign */ - CK_BYTE_PTR pSignature, /* gets the signature */ - CK_ULONG_PTR pulSignatureLen /* gets signature length */ -); -#endif - - -/* C_SignUpdate continues a multiple-part signature operation, - * where the signature is (will be) an appendix to the data, - * and plaintext cannot be recovered from the signature. */ -CK_PKCS11_FUNCTION_INFO(C_SignUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pPart, /* the data to sign */ - CK_ULONG ulPartLen /* count of bytes to sign */ -); -#endif - - -/* C_SignFinal finishes a multiple-part signature operation, - * returning the signature. */ -CK_PKCS11_FUNCTION_INFO(C_SignFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pSignature, /* gets the signature */ - CK_ULONG_PTR pulSignatureLen /* gets signature length */ -); -#endif - - -/* C_SignRecoverInit initializes a signature operation, where - * the data can be recovered from the signature. */ -CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ - CK_OBJECT_HANDLE hKey /* handle of the signature key */ -); -#endif - - -/* C_SignRecover signs data in a single operation, where the - * data can be recovered from the signature. */ -CK_PKCS11_FUNCTION_INFO(C_SignRecover) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pData, /* the data to sign */ - CK_ULONG ulDataLen, /* count of bytes to sign */ - CK_BYTE_PTR pSignature, /* gets the signature */ - CK_ULONG_PTR pulSignatureLen /* gets signature length */ -); -#endif - - - -/* Verifying signatures and MACs */ - -/* C_VerifyInit initializes a verification operation, where the - * signature is an appendix to the data, and plaintext cannot - * cannot be recovered from the signature (e.g. DSA). */ -CK_PKCS11_FUNCTION_INFO(C_VerifyInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ - CK_OBJECT_HANDLE hKey /* verification key */ -); -#endif - - -/* C_Verify verifies a signature in a single-part operation, - * where the signature is an appendix to the data, and plaintext - * cannot be recovered from the signature. */ -CK_PKCS11_FUNCTION_INFO(C_Verify) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pData, /* signed data */ - CK_ULONG ulDataLen, /* length of signed data */ - CK_BYTE_PTR pSignature, /* signature */ - CK_ULONG ulSignatureLen /* signature length*/ -); -#endif - - -/* C_VerifyUpdate continues a multiple-part verification - * operation, where the signature is an appendix to the data, - * and plaintext cannot be recovered from the signature. */ -CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pPart, /* signed data */ - CK_ULONG ulPartLen /* length of signed data */ -); -#endif - - -/* C_VerifyFinal finishes a multiple-part verification - * operation, checking the signature. */ -CK_PKCS11_FUNCTION_INFO(C_VerifyFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pSignature, /* signature to verify */ - CK_ULONG ulSignatureLen /* signature length */ -); -#endif - - -/* C_VerifyRecoverInit initializes a signature verification - * operation, where the data is recovered from the signature. */ -CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ - CK_OBJECT_HANDLE hKey /* verification key */ -); -#endif - - -/* C_VerifyRecover verifies a signature in a single-part - * operation, where the data is recovered from the signature. */ -CK_PKCS11_FUNCTION_INFO(C_VerifyRecover) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pSignature, /* signature to verify */ - CK_ULONG ulSignatureLen, /* signature length */ - CK_BYTE_PTR pData, /* gets signed data */ - CK_ULONG_PTR pulDataLen /* gets signed data len */ -); -#endif - - - -/* Dual-function cryptographic operations */ - -/* C_DigestEncryptUpdate continues a multiple-part digesting - * and encryption operation. */ -CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pPart, /* the plaintext data */ - CK_ULONG ulPartLen, /* plaintext length */ - CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ - CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ -); -#endif - - -/* C_DecryptDigestUpdate continues a multiple-part decryption and - * digesting operation. */ -CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pEncryptedPart, /* ciphertext */ - CK_ULONG ulEncryptedPartLen, /* ciphertext length */ - CK_BYTE_PTR pPart, /* gets plaintext */ - CK_ULONG_PTR pulPartLen /* gets plaintext len */ -); -#endif - - -/* C_SignEncryptUpdate continues a multiple-part signing and - * encryption operation. */ -CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pPart, /* the plaintext data */ - CK_ULONG ulPartLen, /* plaintext length */ - CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ - CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ -); -#endif - - -/* C_DecryptVerifyUpdate continues a multiple-part decryption and - * verify operation. */ -CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pEncryptedPart, /* ciphertext */ - CK_ULONG ulEncryptedPartLen, /* ciphertext length */ - CK_BYTE_PTR pPart, /* gets plaintext */ - CK_ULONG_PTR pulPartLen /* gets p-text length */ -); -#endif - - - -/* Key management */ - -/* C_GenerateKey generates a secret key, creating a new key - * object. */ -CK_PKCS11_FUNCTION_INFO(C_GenerateKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* key generation mech. */ - CK_ATTRIBUTE_PTR pTemplate, /* template for new key */ - CK_ULONG ulCount, /* # of attrs in template */ - CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */ -); -#endif - - -/* C_GenerateKeyPair generates a public-key/private-key pair, - * creating new key objects. */ -CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session - * handle */ - CK_MECHANISM_PTR pMechanism, /* key-gen - * mech. */ - CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template - * for pub. - * key */ - CK_ULONG ulPublicKeyAttributeCount, /* # pub. - * attrs. */ - CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template - * for priv. - * key */ - CK_ULONG ulPrivateKeyAttributeCount, /* # priv. - * attrs. */ - CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. - * key - * handle */ - CK_OBJECT_HANDLE_PTR phPrivateKey /* gets - * priv. key - * handle */ -); -#endif - - -/* C_WrapKey wraps (i.e., encrypts) a key. */ -CK_PKCS11_FUNCTION_INFO(C_WrapKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */ - CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */ - CK_OBJECT_HANDLE hKey, /* key to be wrapped */ - CK_BYTE_PTR pWrappedKey, /* gets wrapped key */ - CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */ -); -#endif - - -/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new - * key object. */ -CK_PKCS11_FUNCTION_INFO(C_UnwrapKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */ - CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */ - CK_BYTE_PTR pWrappedKey, /* the wrapped key */ - CK_ULONG ulWrappedKeyLen, /* wrapped key len */ - CK_ATTRIBUTE_PTR pTemplate, /* new key template */ - CK_ULONG ulAttributeCount, /* template length */ - CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ -); -#endif - - -/* C_DeriveKey derives a key from a base key, creating a new key - * object. */ -CK_PKCS11_FUNCTION_INFO(C_DeriveKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */ - CK_OBJECT_HANDLE hBaseKey, /* base key */ - CK_ATTRIBUTE_PTR pTemplate, /* new key template */ - CK_ULONG ulAttributeCount, /* template length */ - CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ -); -#endif - - - -/* Random number generation */ - -/* C_SeedRandom mixes additional seed material into the token's - * random number generator. */ -CK_PKCS11_FUNCTION_INFO(C_SeedRandom) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pSeed, /* the seed material */ - CK_ULONG ulSeedLen /* length of seed material */ -); -#endif - - -/* C_GenerateRandom generates random data. */ -CK_PKCS11_FUNCTION_INFO(C_GenerateRandom) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR RandomData, /* receives the random data */ - CK_ULONG ulRandomLen /* # of bytes to generate */ -); -#endif - - - -/* Parallel function management */ - -/* C_GetFunctionStatus is a legacy function; it obtains an - * updated status of a function running in parallel with an - * application. */ -CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - -/* C_CancelFunction is a legacy function; it cancels a function - * running in parallel. */ -CK_PKCS11_FUNCTION_INFO(C_CancelFunction) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - - -/* Functions added in for Cryptoki Version 2.01 or later */ - -/* C_WaitForSlotEvent waits for a slot event (token insertion, - * removal, etc.) to occur. */ -CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent) -#ifdef CK_NEED_ARG_LIST -( - CK_FLAGS flags, /* blocking/nonblocking flag */ - CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */ - CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */ -); -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11f.h 2017-01-20 09:52:59.862288143 -0800 @@ -0,0 +1,912 @@ +/* pkcs11f.h include file for PKCS #11. */ +/* $Revision: 1.4 $ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface + * (Cryptoki)" in all material mentioning or referencing this software. + + * License is also granted to make and use derivative works provided that + * such works are identified as "derived from the RSA Security Inc. PKCS #11 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or + * referencing the derived work. + + * RSA Security Inc. makes no representations concerning either the + * merchantability of this software or the suitability of this software for + * any particular purpose. It is provided "as is" without express or implied + * warranty of any kind. + */ + +/* This header file contains pretty much everything about all the */ +/* Cryptoki function prototypes. Because this information is */ +/* used for more than just declaring function prototypes, the */ +/* order of the functions appearing herein is important, and */ +/* should not be altered. */ + +/* General-purpose */ + +/* C_Initialize initializes the Cryptoki library. */ +CK_PKCS11_FUNCTION_INFO(C_Initialize) +#ifdef CK_NEED_ARG_LIST +( + CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets + * cast to CK_C_INITIALIZE_ARGS_PTR + * and dereferenced */ +); +#endif + + +/* C_Finalize indicates that an application is done with the + * Cryptoki library. */ +CK_PKCS11_FUNCTION_INFO(C_Finalize) +#ifdef CK_NEED_ARG_LIST +( + CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */ +); +#endif + + +/* C_GetInfo returns general information about Cryptoki. */ +CK_PKCS11_FUNCTION_INFO(C_GetInfo) +#ifdef CK_NEED_ARG_LIST +( + CK_INFO_PTR pInfo /* location that receives information */ +); +#endif + + +/* C_GetFunctionList returns the function list. */ +CK_PKCS11_FUNCTION_INFO(C_GetFunctionList) +#ifdef CK_NEED_ARG_LIST +( + CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to + * function list */ +); +#endif + + + +/* Slot and token management */ + +/* C_GetSlotList obtains a list of slots in the system. */ +CK_PKCS11_FUNCTION_INFO(C_GetSlotList) +#ifdef CK_NEED_ARG_LIST +( + CK_BBOOL tokenPresent, /* only slots with tokens? */ + CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */ + CK_ULONG_PTR pulCount /* receives number of slots */ +); +#endif + + +/* C_GetSlotInfo obtains information about a particular slot in + * the system. */ +CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo) +#ifdef CK_NEED_ARG_LIST +( + CK_SLOT_ID slotID, /* the ID of the slot */ + CK_SLOT_INFO_PTR pInfo /* receives the slot information */ +); +#endif + + +/* C_GetTokenInfo obtains information about a particular token + * in the system. */ +CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo) +#ifdef CK_NEED_ARG_LIST +( + CK_SLOT_ID slotID, /* ID of the token's slot */ + CK_TOKEN_INFO_PTR pInfo /* receives the token information */ +); +#endif + + +/* C_GetMechanismList obtains a list of mechanism types + * supported by a token. */ +CK_PKCS11_FUNCTION_INFO(C_GetMechanismList) +#ifdef CK_NEED_ARG_LIST +( + CK_SLOT_ID slotID, /* ID of token's slot */ + CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */ + CK_ULONG_PTR pulCount /* gets # of mechs. */ +); +#endif + + +/* C_GetMechanismInfo obtains information about a particular + * mechanism possibly supported by a token. */ +CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo) +#ifdef CK_NEED_ARG_LIST +( + CK_SLOT_ID slotID, /* ID of the token's slot */ + CK_MECHANISM_TYPE type, /* type of mechanism */ + CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */ +); +#endif + + +/* C_InitToken initializes a token. */ +CK_PKCS11_FUNCTION_INFO(C_InitToken) +#ifdef CK_NEED_ARG_LIST +/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */ +( + CK_SLOT_ID slotID, /* ID of the token's slot */ + CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ + CK_ULONG ulPinLen, /* length in bytes of the PIN */ + CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ +); +#endif + + +/* C_InitPIN initializes the normal user's PIN. */ +CK_PKCS11_FUNCTION_INFO(C_InitPIN) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ + CK_ULONG ulPinLen /* length in bytes of the PIN */ +); +#endif + + +/* C_SetPIN modifies the PIN of the user who is logged in. */ +CK_PKCS11_FUNCTION_INFO(C_SetPIN) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ + CK_ULONG ulOldLen, /* length of the old PIN */ + CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ + CK_ULONG ulNewLen /* length of the new PIN */ +); +#endif + + + +/* Session management */ + +/* C_OpenSession opens a session between an application and a + * token. */ +CK_PKCS11_FUNCTION_INFO(C_OpenSession) +#ifdef CK_NEED_ARG_LIST +( + CK_SLOT_ID slotID, /* the slot's ID */ + CK_FLAGS flags, /* from CK_SESSION_INFO */ + CK_VOID_PTR pApplication, /* passed to callback */ + CK_NOTIFY Notify, /* callback function */ + CK_SESSION_HANDLE_PTR phSession /* gets session handle */ +); +#endif + + +/* C_CloseSession closes a session between an application and a + * token. */ +CK_PKCS11_FUNCTION_INFO(C_CloseSession) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + + +/* C_CloseAllSessions closes all sessions with a token. */ +CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions) +#ifdef CK_NEED_ARG_LIST +( + CK_SLOT_ID slotID /* the token's slot */ +); +#endif + + +/* C_GetSessionInfo obtains information about the session. */ +CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_SESSION_INFO_PTR pInfo /* receives session info */ +); +#endif + + +/* C_GetOperationState obtains the state of the cryptographic operation + * in a session. */ +CK_PKCS11_FUNCTION_INFO(C_GetOperationState) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pOperationState, /* gets state */ + CK_ULONG_PTR pulOperationStateLen /* gets state length */ +); +#endif + + +/* C_SetOperationState restores the state of the cryptographic + * operation in a session. */ +CK_PKCS11_FUNCTION_INFO(C_SetOperationState) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pOperationState, /* holds state */ + CK_ULONG ulOperationStateLen, /* holds state length */ + CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */ + CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */ +); +#endif + + +/* C_Login logs a user into a token. */ +CK_PKCS11_FUNCTION_INFO(C_Login) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_USER_TYPE userType, /* the user type */ + CK_UTF8CHAR_PTR pPin, /* the user's PIN */ + CK_ULONG ulPinLen /* the length of the PIN */ +); +#endif + + +/* C_Logout logs a user out from a token. */ +CK_PKCS11_FUNCTION_INFO(C_Logout) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + + + +/* Object management */ + +/* C_CreateObject creates a new object. */ +CK_PKCS11_FUNCTION_INFO(C_CreateObject) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* the object's template */ + CK_ULONG ulCount, /* attributes in template */ + CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */ +); +#endif + + +/* C_CopyObject copies an object, creating a new object for the + * copy. */ +CK_PKCS11_FUNCTION_INFO(C_CopyObject) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject, /* the object's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* template for new object */ + CK_ULONG ulCount, /* attributes in template */ + CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */ +); +#endif + + +/* C_DestroyObject destroys an object. */ +CK_PKCS11_FUNCTION_INFO(C_DestroyObject) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject /* the object's handle */ +); +#endif + + +/* C_GetObjectSize gets the size of an object in bytes. */ +CK_PKCS11_FUNCTION_INFO(C_GetObjectSize) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject, /* the object's handle */ + CK_ULONG_PTR pulSize /* receives size of object */ +); +#endif + + +/* C_GetAttributeValue obtains the value of one or more object + * attributes. */ +CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject, /* the object's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */ + CK_ULONG ulCount /* attributes in template */ +); +#endif + + +/* C_SetAttributeValue modifies the value of one or more object + * attributes */ +CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hObject, /* the object's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */ + CK_ULONG ulCount /* attributes in template */ +); +#endif + + +/* C_FindObjectsInit initializes a search for token and session + * objects that match a template. */ +CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */ + CK_ULONG ulCount /* attrs in search template */ +); +#endif + + +/* C_FindObjects continues a search for token and session + * objects that match a template, obtaining additional object + * handles. */ +CK_PKCS11_FUNCTION_INFO(C_FindObjects) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */ + CK_ULONG ulMaxObjectCount, /* max handles to get */ + CK_ULONG_PTR pulObjectCount /* actual # returned */ +); +#endif + + +/* C_FindObjectsFinal finishes a search for token and session + * objects. */ +CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + + + +/* Encryption and decryption */ + +/* C_EncryptInit initializes an encryption operation. */ +CK_PKCS11_FUNCTION_INFO(C_EncryptInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of encryption key */ +); +#endif + + +/* C_Encrypt encrypts single-part data. */ +CK_PKCS11_FUNCTION_INFO(C_Encrypt) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pData, /* the plaintext data */ + CK_ULONG ulDataLen, /* bytes of plaintext */ + CK_BYTE_PTR pEncryptedData, /* gets ciphertext */ + CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */ +); +#endif + + +/* C_EncryptUpdate continues a multiple-part encryption + * operation. */ +CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pPart, /* the plaintext data */ + CK_ULONG ulPartLen, /* plaintext data len */ + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */ +); +#endif + + +/* C_EncryptFinal finishes a multiple-part encryption + * operation. */ +CK_PKCS11_FUNCTION_INFO(C_EncryptFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session handle */ + CK_BYTE_PTR pLastEncryptedPart, /* last c-text */ + CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */ +); +#endif + + +/* C_DecryptInit initializes a decryption operation. */ +CK_PKCS11_FUNCTION_INFO(C_DecryptInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of decryption key */ +); +#endif + + +/* C_Decrypt decrypts encrypted data in a single part. */ +CK_PKCS11_FUNCTION_INFO(C_Decrypt) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pEncryptedData, /* ciphertext */ + CK_ULONG ulEncryptedDataLen, /* ciphertext length */ + CK_BYTE_PTR pData, /* gets plaintext */ + CK_ULONG_PTR pulDataLen /* gets p-text size */ +); +#endif + + +/* C_DecryptUpdate continues a multiple-part decryption + * operation. */ +CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pEncryptedPart, /* encrypted data */ + CK_ULONG ulEncryptedPartLen, /* input length */ + CK_BYTE_PTR pPart, /* gets plaintext */ + CK_ULONG_PTR pulPartLen /* p-text size */ +); +#endif + + +/* C_DecryptFinal finishes a multiple-part decryption + * operation. */ +CK_PKCS11_FUNCTION_INFO(C_DecryptFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pLastPart, /* gets plaintext */ + CK_ULONG_PTR pulLastPartLen /* p-text size */ +); +#endif + + + +/* Message digesting */ + +/* C_DigestInit initializes a message-digesting operation. */ +CK_PKCS11_FUNCTION_INFO(C_DigestInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism /* the digesting mechanism */ +); +#endif + + +/* C_Digest digests data in a single part. */ +CK_PKCS11_FUNCTION_INFO(C_Digest) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pData, /* data to be digested */ + CK_ULONG ulDataLen, /* bytes of data to digest */ + CK_BYTE_PTR pDigest, /* gets the message digest */ + CK_ULONG_PTR pulDigestLen /* gets digest length */ +); +#endif + + +/* C_DigestUpdate continues a multiple-part message-digesting + * operation. */ +CK_PKCS11_FUNCTION_INFO(C_DigestUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pPart, /* data to be digested */ + CK_ULONG ulPartLen /* bytes of data to be digested */ +); +#endif + + +/* C_DigestKey continues a multi-part message-digesting + * operation, by digesting the value of a secret key as part of + * the data already digested. */ +CK_PKCS11_FUNCTION_INFO(C_DigestKey) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_OBJECT_HANDLE hKey /* secret key to digest */ +); +#endif + + +/* C_DigestFinal finishes a multiple-part message-digesting + * operation. */ +CK_PKCS11_FUNCTION_INFO(C_DigestFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pDigest, /* gets the message digest */ + CK_ULONG_PTR pulDigestLen /* gets byte count of digest */ +); +#endif + + + +/* Signing and MACing */ + +/* C_SignInit initializes a signature (private key encryption) + * operation, where the signature is (will be) an appendix to + * the data, and plaintext cannot be recovered from the + *signature. */ +CK_PKCS11_FUNCTION_INFO(C_SignInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ + CK_OBJECT_HANDLE hKey /* handle of signature key */ +); +#endif + + +/* C_Sign signs (encrypts with private key) data in a single + * part, where the signature is (will be) an appendix to the + * data, and plaintext cannot be recovered from the signature. */ +CK_PKCS11_FUNCTION_INFO(C_Sign) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pData, /* the data to sign */ + CK_ULONG ulDataLen, /* count of bytes to sign */ + CK_BYTE_PTR pSignature, /* gets the signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + + +/* C_SignUpdate continues a multiple-part signature operation, + * where the signature is (will be) an appendix to the data, + * and plaintext cannot be recovered from the signature. */ +CK_PKCS11_FUNCTION_INFO(C_SignUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pPart, /* the data to sign */ + CK_ULONG ulPartLen /* count of bytes to sign */ +); +#endif + + +/* C_SignFinal finishes a multiple-part signature operation, + * returning the signature. */ +CK_PKCS11_FUNCTION_INFO(C_SignFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pSignature, /* gets the signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + + +/* C_SignRecoverInit initializes a signature operation, where + * the data can be recovered from the signature. */ +CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ + CK_OBJECT_HANDLE hKey /* handle of the signature key */ +); +#endif + + +/* C_SignRecover signs data in a single operation, where the + * data can be recovered from the signature. */ +CK_PKCS11_FUNCTION_INFO(C_SignRecover) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pData, /* the data to sign */ + CK_ULONG ulDataLen, /* count of bytes to sign */ + CK_BYTE_PTR pSignature, /* gets the signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + + + +/* Verifying signatures and MACs */ + +/* C_VerifyInit initializes a verification operation, where the + * signature is an appendix to the data, and plaintext cannot + * cannot be recovered from the signature (e.g. DSA). */ +CK_PKCS11_FUNCTION_INFO(C_VerifyInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ + CK_OBJECT_HANDLE hKey /* verification key */ +); +#endif + + +/* C_Verify verifies a signature in a single-part operation, + * where the signature is an appendix to the data, and plaintext + * cannot be recovered from the signature. */ +CK_PKCS11_FUNCTION_INFO(C_Verify) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pData, /* signed data */ + CK_ULONG ulDataLen, /* length of signed data */ + CK_BYTE_PTR pSignature, /* signature */ + CK_ULONG ulSignatureLen /* signature length*/ +); +#endif + + +/* C_VerifyUpdate continues a multiple-part verification + * operation, where the signature is an appendix to the data, + * and plaintext cannot be recovered from the signature. */ +CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pPart, /* signed data */ + CK_ULONG ulPartLen /* length of signed data */ +); +#endif + + +/* C_VerifyFinal finishes a multiple-part verification + * operation, checking the signature. */ +CK_PKCS11_FUNCTION_INFO(C_VerifyFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pSignature, /* signature to verify */ + CK_ULONG ulSignatureLen /* signature length */ +); +#endif + + +/* C_VerifyRecoverInit initializes a signature verification + * operation, where the data is recovered from the signature. */ +CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ + CK_OBJECT_HANDLE hKey /* verification key */ +); +#endif + + +/* C_VerifyRecover verifies a signature in a single-part + * operation, where the data is recovered from the signature. */ +CK_PKCS11_FUNCTION_INFO(C_VerifyRecover) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pSignature, /* signature to verify */ + CK_ULONG ulSignatureLen, /* signature length */ + CK_BYTE_PTR pData, /* gets signed data */ + CK_ULONG_PTR pulDataLen /* gets signed data len */ +); +#endif + + + +/* Dual-function cryptographic operations */ + +/* C_DigestEncryptUpdate continues a multiple-part digesting + * and encryption operation. */ +CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pPart, /* the plaintext data */ + CK_ULONG ulPartLen, /* plaintext length */ + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ +); +#endif + + +/* C_DecryptDigestUpdate continues a multiple-part decryption and + * digesting operation. */ +CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pEncryptedPart, /* ciphertext */ + CK_ULONG ulEncryptedPartLen, /* ciphertext length */ + CK_BYTE_PTR pPart, /* gets plaintext */ + CK_ULONG_PTR pulPartLen /* gets plaintext len */ +); +#endif + + +/* C_SignEncryptUpdate continues a multiple-part signing and + * encryption operation. */ +CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pPart, /* the plaintext data */ + CK_ULONG ulPartLen, /* plaintext length */ + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ +); +#endif + + +/* C_DecryptVerifyUpdate continues a multiple-part decryption and + * verify operation. */ +CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_BYTE_PTR pEncryptedPart, /* ciphertext */ + CK_ULONG ulEncryptedPartLen, /* ciphertext length */ + CK_BYTE_PTR pPart, /* gets plaintext */ + CK_ULONG_PTR pulPartLen /* gets p-text length */ +); +#endif + + + +/* Key management */ + +/* C_GenerateKey generates a secret key, creating a new key + * object. */ +CK_PKCS11_FUNCTION_INFO(C_GenerateKey) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* key generation mech. */ + CK_ATTRIBUTE_PTR pTemplate, /* template for new key */ + CK_ULONG ulCount, /* # of attrs in template */ + CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */ +); +#endif + + +/* C_GenerateKeyPair generates a public-key/private-key pair, + * creating new key objects. */ +CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session + * handle */ + CK_MECHANISM_PTR pMechanism, /* key-gen + * mech. */ + CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template + * for pub. + * key */ + CK_ULONG ulPublicKeyAttributeCount, /* # pub. + * attrs. */ + CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template + * for priv. + * key */ + CK_ULONG ulPrivateKeyAttributeCount, /* # priv. + * attrs. */ + CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. + * key + * handle */ + CK_OBJECT_HANDLE_PTR phPrivateKey /* gets + * priv. key + * handle */ +); +#endif + + +/* C_WrapKey wraps (i.e., encrypts) a key. */ +CK_PKCS11_FUNCTION_INFO(C_WrapKey) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */ + CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */ + CK_OBJECT_HANDLE hKey, /* key to be wrapped */ + CK_BYTE_PTR pWrappedKey, /* gets wrapped key */ + CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */ +); +#endif + + +/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new + * key object. */ +CK_PKCS11_FUNCTION_INFO(C_UnwrapKey) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */ + CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */ + CK_BYTE_PTR pWrappedKey, /* the wrapped key */ + CK_ULONG ulWrappedKeyLen, /* wrapped key len */ + CK_ATTRIBUTE_PTR pTemplate, /* new key template */ + CK_ULONG ulAttributeCount, /* template length */ + CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ +); +#endif + + +/* C_DeriveKey derives a key from a base key, creating a new key + * object. */ +CK_PKCS11_FUNCTION_INFO(C_DeriveKey) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* session's handle */ + CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */ + CK_OBJECT_HANDLE hBaseKey, /* base key */ + CK_ATTRIBUTE_PTR pTemplate, /* new key template */ + CK_ULONG ulAttributeCount, /* template length */ + CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ +); +#endif + + + +/* Random number generation */ + +/* C_SeedRandom mixes additional seed material into the token's + * random number generator. */ +CK_PKCS11_FUNCTION_INFO(C_SeedRandom) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR pSeed, /* the seed material */ + CK_ULONG ulSeedLen /* length of seed material */ +); +#endif + + +/* C_GenerateRandom generates random data. */ +CK_PKCS11_FUNCTION_INFO(C_GenerateRandom) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_BYTE_PTR RandomData, /* receives the random data */ + CK_ULONG ulRandomLen /* # of bytes to generate */ +); +#endif + + + +/* Parallel function management */ + +/* C_GetFunctionStatus is a legacy function; it obtains an + * updated status of a function running in parallel with an + * application. */ +CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + + +/* C_CancelFunction is a legacy function; it cancels a function + * running in parallel. */ +CK_PKCS11_FUNCTION_INFO(C_CancelFunction) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + + + +/* Functions added in for Cryptoki Version 2.01 or later */ + +/* C_WaitForSlotEvent waits for a slot event (token insertion, + * removal, etc.) to occur. */ +CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent) +#ifdef CK_NEED_ARG_LIST +( + CK_FLAGS flags, /* blocking/nonblocking flag */ + CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */ + CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */ +); +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11t.h 2017-01-20 09:53:00.442288122 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,1685 +0,0 @@ -/* pkcs11t.h include file for PKCS #11. */ -/* $Revision: 1.6 $ */ - -/* License to copy and use this software is granted provided that it is - * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface - * (Cryptoki)" in all material mentioning or referencing this software. - - * License is also granted to make and use derivative works provided that - * such works are identified as "derived from the RSA Security Inc. PKCS #11 - * Cryptographic Token Interface (Cryptoki)" in all material mentioning or - * referencing the derived work. - - * RSA Security Inc. makes no representations concerning either the - * merchantability of this software or the suitability of this software for - * any particular purpose. It is provided "as is" without express or implied - * warranty of any kind. - */ - -/* See top of pkcs11.h for information about the macros that - * must be defined and the structure-packing conventions that - * must be set before including this file. */ - -#ifndef _PKCS11T_H_ -#define _PKCS11T_H_ 1 - -#define CK_TRUE 1 -#define CK_FALSE 0 - -#ifndef CK_DISABLE_TRUE_FALSE -#ifndef FALSE -#define FALSE CK_FALSE -#endif - -#ifndef TRUE -#define TRUE CK_TRUE -#endif -#endif - -/* an unsigned 8-bit value */ -typedef unsigned char CK_BYTE; - -/* an unsigned 8-bit character */ -typedef CK_BYTE CK_CHAR; - -/* an 8-bit UTF-8 character */ -typedef CK_BYTE CK_UTF8CHAR; - -/* a BYTE-sized Boolean flag */ -typedef CK_BYTE CK_BBOOL; - -/* an unsigned value, at least 32 bits long */ -typedef unsigned long int CK_ULONG; - -/* a signed value, the same size as a CK_ULONG */ -/* CK_LONG is new for v2.0 */ -typedef long int CK_LONG; - -/* at least 32 bits; each bit is a Boolean flag */ -typedef CK_ULONG CK_FLAGS; - - -/* some special values for certain CK_ULONG variables */ -#define CK_UNAVAILABLE_INFORMATION (~0UL) -#define CK_EFFECTIVELY_INFINITE 0 - - -typedef CK_BYTE CK_PTR CK_BYTE_PTR; -typedef CK_CHAR CK_PTR CK_CHAR_PTR; -typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR; -typedef CK_ULONG CK_PTR CK_ULONG_PTR; -typedef void CK_PTR CK_VOID_PTR; - -/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */ -typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR; - - -/* The following value is always invalid if used as a session */ -/* handle or object handle */ -#define CK_INVALID_HANDLE 0 - - -typedef struct CK_VERSION { - CK_BYTE major; /* integer portion of version number */ - CK_BYTE minor; /* 1/100ths portion of version number */ -} CK_VERSION; - -typedef CK_VERSION CK_PTR CK_VERSION_PTR; - - -typedef struct CK_INFO { - /* manufacturerID and libraryDecription have been changed from - * CK_CHAR to CK_UTF8CHAR for v2.10 */ - CK_VERSION cryptokiVersion; /* Cryptoki interface ver */ - CK_UTF8CHAR manufacturerID[32]; /* blank padded */ - CK_FLAGS flags; /* must be zero */ - - /* libraryDescription and libraryVersion are new for v2.0 */ - CK_UTF8CHAR libraryDescription[32]; /* blank padded */ - CK_VERSION libraryVersion; /* version of library */ -} CK_INFO; - -typedef CK_INFO CK_PTR CK_INFO_PTR; - - -/* CK_NOTIFICATION enumerates the types of notifications that - * Cryptoki provides to an application */ -/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG - * for v2.0 */ -typedef CK_ULONG CK_NOTIFICATION; -#define CKN_SURRENDER 0 - - -typedef CK_ULONG CK_SLOT_ID; - -typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR; - - -/* CK_SLOT_INFO provides information about a slot */ -typedef struct CK_SLOT_INFO { - /* slotDescription and manufacturerID have been changed from - * CK_CHAR to CK_UTF8CHAR for v2.10 */ - CK_UTF8CHAR slotDescription[64]; /* blank padded */ - CK_UTF8CHAR manufacturerID[32]; /* blank padded */ - CK_FLAGS flags; - - /* hardwareVersion and firmwareVersion are new for v2.0 */ - CK_VERSION hardwareVersion; /* version of hardware */ - CK_VERSION firmwareVersion; /* version of firmware */ -} CK_SLOT_INFO; - -/* flags: bit flags that provide capabilities of the slot - * Bit Flag Mask Meaning - */ -#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */ -#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/ -#define CKF_HW_SLOT 0x00000004 /* hardware slot */ - -typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR; - - -/* CK_TOKEN_INFO provides information about a token */ -typedef struct CK_TOKEN_INFO { - /* label, manufacturerID, and model have been changed from - * CK_CHAR to CK_UTF8CHAR for v2.10 */ - CK_UTF8CHAR label[32]; /* blank padded */ - CK_UTF8CHAR manufacturerID[32]; /* blank padded */ - CK_UTF8CHAR model[16]; /* blank padded */ - CK_CHAR serialNumber[16]; /* blank padded */ - CK_FLAGS flags; /* see below */ - - /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, - * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been - * changed from CK_USHORT to CK_ULONG for v2.0 */ - CK_ULONG ulMaxSessionCount; /* max open sessions */ - CK_ULONG ulSessionCount; /* sess. now open */ - CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */ - CK_ULONG ulRwSessionCount; /* R/W sess. now open */ - CK_ULONG ulMaxPinLen; /* in bytes */ - CK_ULONG ulMinPinLen; /* in bytes */ - CK_ULONG ulTotalPublicMemory; /* in bytes */ - CK_ULONG ulFreePublicMemory; /* in bytes */ - CK_ULONG ulTotalPrivateMemory; /* in bytes */ - CK_ULONG ulFreePrivateMemory; /* in bytes */ - - /* hardwareVersion, firmwareVersion, and time are new for - * v2.0 */ - CK_VERSION hardwareVersion; /* version of hardware */ - CK_VERSION firmwareVersion; /* version of firmware */ - CK_CHAR utcTime[16]; /* time */ -} CK_TOKEN_INFO; - -/* The flags parameter is defined as follows: - * Bit Flag Mask Meaning - */ -#define CKF_RNG 0x00000001 /* has random # - * generator */ -#define CKF_WRITE_PROTECTED 0x00000002 /* token is - * write- - * protected */ -#define CKF_LOGIN_REQUIRED 0x00000004 /* user must - * login */ -#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's - * PIN is set */ - -/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set, - * that means that *every* time the state of cryptographic - * operations of a session is successfully saved, all keys - * needed to continue those operations are stored in the state */ -#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020 - -/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means - * that the token has some sort of clock. The time on that - * clock is returned in the token info structure */ -#define CKF_CLOCK_ON_TOKEN 0x00000040 - -/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is - * set, that means that there is some way for the user to login - * without sending a PIN through the Cryptoki library itself */ -#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100 - -/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true, - * that means that a single session with the token can perform - * dual simultaneous cryptographic operations (digest and - * encrypt; decrypt and digest; sign and encrypt; and decrypt - * and sign) */ -#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200 - -/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the - * token has been initialized using C_InitializeToken or an - * equivalent mechanism outside the scope of PKCS #11. - * Calling C_InitializeToken when this flag is set will cause - * the token to be reinitialized. */ -#define CKF_TOKEN_INITIALIZED 0x00000400 - -/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is - * true, the token supports secondary authentication for - * private key objects. This flag is deprecated in v2.11 and - onwards. */ -#define CKF_SECONDARY_AUTHENTICATION 0x00000800 - -/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an - * incorrect user login PIN has been entered at least once - * since the last successful authentication. */ -#define CKF_USER_PIN_COUNT_LOW 0x00010000 - -/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true, - * supplying an incorrect user PIN will it to become locked. */ -#define CKF_USER_PIN_FINAL_TRY 0x00020000 - -/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the - * user PIN has been locked. User login to the token is not - * possible. */ -#define CKF_USER_PIN_LOCKED 0x00040000 - -/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, - * the user PIN value is the default value set by token - * initialization or manufacturing, or the PIN has been - * expired by the card. */ -#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000 - -/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an - * incorrect SO login PIN has been entered at least once since - * the last successful authentication. */ -#define CKF_SO_PIN_COUNT_LOW 0x00100000 - -/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true, - * supplying an incorrect SO PIN will it to become locked. */ -#define CKF_SO_PIN_FINAL_TRY 0x00200000 - -/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO - * PIN has been locked. SO login to the token is not possible. - */ -#define CKF_SO_PIN_LOCKED 0x00400000 - -/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, - * the SO PIN value is the default value set by token - * initialization or manufacturing, or the PIN has been - * expired by the card. */ -#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000 - -typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; - - -/* CK_SESSION_HANDLE is a Cryptoki-assigned value that - * identifies a session */ -typedef CK_ULONG CK_SESSION_HANDLE; - -typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; - - -/* CK_USER_TYPE enumerates the types of Cryptoki users */ -/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_USER_TYPE; -/* Security Officer */ -#define CKU_SO 0 -/* Normal user */ -#define CKU_USER 1 -/* Context specific (added in v2.20) */ -#define CKU_CONTEXT_SPECIFIC 2 - -/* CK_STATE enumerates the session states */ -/* CK_STATE has been changed from an enum to a CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_STATE; -#define CKS_RO_PUBLIC_SESSION 0 -#define CKS_RO_USER_FUNCTIONS 1 -#define CKS_RW_PUBLIC_SESSION 2 -#define CKS_RW_USER_FUNCTIONS 3 -#define CKS_RW_SO_FUNCTIONS 4 - - -/* CK_SESSION_INFO provides information about a session */ -typedef struct CK_SESSION_INFO { - CK_SLOT_ID slotID; - CK_STATE state; - CK_FLAGS flags; /* see below */ - - /* ulDeviceError was changed from CK_USHORT to CK_ULONG for - * v2.0 */ - CK_ULONG ulDeviceError; /* device-dependent error code */ -} CK_SESSION_INFO; - -/* The flags are defined in the following table: - * Bit Flag Mask Meaning - */ -#define CKF_RW_SESSION 0x00000002 /* session is r/w */ -#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */ - -typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR; - - -/* CK_OBJECT_HANDLE is a token-specific identifier for an - * object */ -typedef CK_ULONG CK_OBJECT_HANDLE; - -typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR; - - -/* CK_OBJECT_CLASS is a value that identifies the classes (or - * types) of objects that Cryptoki recognizes. It is defined - * as follows: */ -/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_OBJECT_CLASS; - -/* The following classes of objects are defined: */ -/* CKO_HW_FEATURE is new for v2.10 */ -/* CKO_DOMAIN_PARAMETERS is new for v2.11 */ -/* CKO_MECHANISM is new for v2.20 */ -#define CKO_DATA 0x00000000 -#define CKO_CERTIFICATE 0x00000001 -#define CKO_PUBLIC_KEY 0x00000002 -#define CKO_PRIVATE_KEY 0x00000003 -#define CKO_SECRET_KEY 0x00000004 -#define CKO_HW_FEATURE 0x00000005 -#define CKO_DOMAIN_PARAMETERS 0x00000006 -#define CKO_MECHANISM 0x00000007 -#define CKO_VENDOR_DEFINED 0x80000000 - -typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; - -/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a - * value that identifies the hardware feature type of an object - * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */ -typedef CK_ULONG CK_HW_FEATURE_TYPE; - -/* The following hardware feature types are defined */ -/* CKH_USER_INTERFACE is new for v2.20 */ -#define CKH_MONOTONIC_COUNTER 0x00000001 -#define CKH_CLOCK 0x00000002 -#define CKH_USER_INTERFACE 0x00000003 -#define CKH_VENDOR_DEFINED 0x80000000 - -/* CK_KEY_TYPE is a value that identifies a key type */ -/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */ -typedef CK_ULONG CK_KEY_TYPE; - -/* the following key types are defined: */ -#define CKK_RSA 0x00000000 -#define CKK_DSA 0x00000001 -#define CKK_DH 0x00000002 - -/* CKK_ECDSA and CKK_KEA are new for v2.0 */ -/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */ -#define CKK_ECDSA 0x00000003 -#define CKK_EC 0x00000003 -#define CKK_X9_42_DH 0x00000004 -#define CKK_KEA 0x00000005 - -#define CKK_GENERIC_SECRET 0x00000010 -#define CKK_RC2 0x00000011 -#define CKK_RC4 0x00000012 -#define CKK_DES 0x00000013 -#define CKK_DES2 0x00000014 -#define CKK_DES3 0x00000015 - -/* all these key types are new for v2.0 */ -#define CKK_CAST 0x00000016 -#define CKK_CAST3 0x00000017 -/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */ -#define CKK_CAST5 0x00000018 -#define CKK_CAST128 0x00000018 -#define CKK_RC5 0x00000019 -#define CKK_IDEA 0x0000001A -#define CKK_SKIPJACK 0x0000001B -#define CKK_BATON 0x0000001C -#define CKK_JUNIPER 0x0000001D -#define CKK_CDMF 0x0000001E -#define CKK_AES 0x0000001F - -/* BlowFish and TwoFish are new for v2.20 */ -#define CKK_BLOWFISH 0x00000020 -#define CKK_TWOFISH 0x00000021 - -#define CKK_VENDOR_DEFINED 0x80000000 - - -/* CK_CERTIFICATE_TYPE is a value that identifies a certificate - * type */ -/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG - * for v2.0 */ -typedef CK_ULONG CK_CERTIFICATE_TYPE; - -/* The following certificate types are defined: */ -/* CKC_X_509_ATTR_CERT is new for v2.10 */ -/* CKC_WTLS is new for v2.20 */ -#define CKC_X_509 0x00000000 -#define CKC_X_509_ATTR_CERT 0x00000001 -#define CKC_WTLS 0x00000002 -#define CKC_VENDOR_DEFINED 0x80000000 - - -/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute - * type */ -/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_ATTRIBUTE_TYPE; - -/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which - consists of an array of values. */ -#define CKF_ARRAY_ATTRIBUTE 0x40000000 - -/* The following attribute types are defined: */ -#define CKA_CLASS 0x00000000 -#define CKA_TOKEN 0x00000001 -#define CKA_PRIVATE 0x00000002 -#define CKA_LABEL 0x00000003 -#define CKA_APPLICATION 0x00000010 -#define CKA_VALUE 0x00000011 - -/* CKA_OBJECT_ID is new for v2.10 */ -#define CKA_OBJECT_ID 0x00000012 - -#define CKA_CERTIFICATE_TYPE 0x00000080 -#define CKA_ISSUER 0x00000081 -#define CKA_SERIAL_NUMBER 0x00000082 - -/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new - * for v2.10 */ -#define CKA_AC_ISSUER 0x00000083 -#define CKA_OWNER 0x00000084 -#define CKA_ATTR_TYPES 0x00000085 - -/* CKA_TRUSTED is new for v2.11 */ -#define CKA_TRUSTED 0x00000086 - -/* CKA_CERTIFICATE_CATEGORY ... - * CKA_CHECK_VALUE are new for v2.20 */ -#define CKA_CERTIFICATE_CATEGORY 0x00000087 -#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088 -#define CKA_URL 0x00000089 -#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A -#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B -#define CKA_CHECK_VALUE 0x00000090 - -#define CKA_KEY_TYPE 0x00000100 -#define CKA_SUBJECT 0x00000101 -#define CKA_ID 0x00000102 -#define CKA_SENSITIVE 0x00000103 -#define CKA_ENCRYPT 0x00000104 -#define CKA_DECRYPT 0x00000105 -#define CKA_WRAP 0x00000106 -#define CKA_UNWRAP 0x00000107 -#define CKA_SIGN 0x00000108 -#define CKA_SIGN_RECOVER 0x00000109 -#define CKA_VERIFY 0x0000010A -#define CKA_VERIFY_RECOVER 0x0000010B -#define CKA_DERIVE 0x0000010C -#define CKA_START_DATE 0x00000110 -#define CKA_END_DATE 0x00000111 -#define CKA_MODULUS 0x00000120 -#define CKA_MODULUS_BITS 0x00000121 -#define CKA_PUBLIC_EXPONENT 0x00000122 -#define CKA_PRIVATE_EXPONENT 0x00000123 -#define CKA_PRIME_1 0x00000124 -#define CKA_PRIME_2 0x00000125 -#define CKA_EXPONENT_1 0x00000126 -#define CKA_EXPONENT_2 0x00000127 -#define CKA_COEFFICIENT 0x00000128 -#define CKA_PRIME 0x00000130 -#define CKA_SUBPRIME 0x00000131 -#define CKA_BASE 0x00000132 - -/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */ -#define CKA_PRIME_BITS 0x00000133 -#define CKA_SUBPRIME_BITS 0x00000134 -#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS -/* (To retain backwards-compatibility) */ - -#define CKA_VALUE_BITS 0x00000160 -#define CKA_VALUE_LEN 0x00000161 - -/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE, - * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS, - * and CKA_EC_POINT are new for v2.0 */ -#define CKA_EXTRACTABLE 0x00000162 -#define CKA_LOCAL 0x00000163 -#define CKA_NEVER_EXTRACTABLE 0x00000164 -#define CKA_ALWAYS_SENSITIVE 0x00000165 - -/* CKA_KEY_GEN_MECHANISM is new for v2.11 */ -#define CKA_KEY_GEN_MECHANISM 0x00000166 - -#define CKA_MODIFIABLE 0x00000170 - -/* CKA_ECDSA_PARAMS is deprecated in v2.11, - * CKA_EC_PARAMS is preferred. */ -#define CKA_ECDSA_PARAMS 0x00000180 -#define CKA_EC_PARAMS 0x00000180 - -#define CKA_EC_POINT 0x00000181 - -/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, - * are new for v2.10. Deprecated in v2.11 and onwards. */ -#define CKA_SECONDARY_AUTH 0x00000200 -#define CKA_AUTH_PIN_FLAGS 0x00000201 - -/* CKA_ALWAYS_AUTHENTICATE ... - * CKA_UNWRAP_TEMPLATE are new for v2.20 */ -#define CKA_ALWAYS_AUTHENTICATE 0x00000202 - -#define CKA_WRAP_WITH_TRUSTED 0x00000210 -#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211) -#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212) - -/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET - * are new for v2.10 */ -#define CKA_HW_FEATURE_TYPE 0x00000300 -#define CKA_RESET_ON_INIT 0x00000301 -#define CKA_HAS_RESET 0x00000302 - -/* The following attributes are new for v2.20 */ -#define CKA_PIXEL_X 0x00000400 -#define CKA_PIXEL_Y 0x00000401 -#define CKA_RESOLUTION 0x00000402 -#define CKA_CHAR_ROWS 0x00000403 -#define CKA_CHAR_COLUMNS 0x00000404 -#define CKA_COLOR 0x00000405 -#define CKA_BITS_PER_PIXEL 0x00000406 -#define CKA_CHAR_SETS 0x00000480 -#define CKA_ENCODING_METHODS 0x00000481 -#define CKA_MIME_TYPES 0x00000482 -#define CKA_MECHANISM_TYPE 0x00000500 -#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501 -#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502 -#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503 -#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600) - -#define CKA_VENDOR_DEFINED 0x80000000 - - -/* CK_ATTRIBUTE is a structure that includes the type, length - * and value of an attribute */ -typedef struct CK_ATTRIBUTE { - CK_ATTRIBUTE_TYPE type; - CK_VOID_PTR pValue; - - /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */ - CK_ULONG ulValueLen; /* in bytes */ -} CK_ATTRIBUTE; - -typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR; - - -/* CK_DATE is a structure that defines a date */ -typedef struct CK_DATE{ - CK_CHAR year[4]; /* the year ("1900" - "9999") */ - CK_CHAR month[2]; /* the month ("01" - "12") */ - CK_CHAR day[2]; /* the day ("01" - "31") */ -} CK_DATE; - - -/* CK_MECHANISM_TYPE is a value that identifies a mechanism - * type */ -/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_MECHANISM_TYPE; - -/* the following mechanism types are defined: */ -#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000 -#define CKM_RSA_PKCS 0x00000001 -#define CKM_RSA_9796 0x00000002 -#define CKM_RSA_X_509 0x00000003 - -/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS - * are new for v2.0. They are mechanisms which hash and sign */ -#define CKM_MD2_RSA_PKCS 0x00000004 -#define CKM_MD5_RSA_PKCS 0x00000005 -#define CKM_SHA1_RSA_PKCS 0x00000006 - -/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and - * CKM_RSA_PKCS_OAEP are new for v2.10 */ -#define CKM_RIPEMD128_RSA_PKCS 0x00000007 -#define CKM_RIPEMD160_RSA_PKCS 0x00000008 -#define CKM_RSA_PKCS_OAEP 0x00000009 - -/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31, - * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */ -#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A -#define CKM_RSA_X9_31 0x0000000B -#define CKM_SHA1_RSA_X9_31 0x0000000C -#define CKM_RSA_PKCS_PSS 0x0000000D -#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E - -#define CKM_DSA_KEY_PAIR_GEN 0x00000010 -#define CKM_DSA 0x00000011 -#define CKM_DSA_SHA1 0x00000012 -#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020 -#define CKM_DH_PKCS_DERIVE 0x00000021 - -/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE, - * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for - * v2.11 */ -#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030 -#define CKM_X9_42_DH_DERIVE 0x00000031 -#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032 -#define CKM_X9_42_MQV_DERIVE 0x00000033 - -/* CKM_SHA256/384/512 are new for v2.20 */ -#define CKM_SHA256_RSA_PKCS 0x00000040 -#define CKM_SHA384_RSA_PKCS 0x00000041 -#define CKM_SHA512_RSA_PKCS 0x00000042 -#define CKM_SHA256_RSA_PKCS_PSS 0x00000043 -#define CKM_SHA384_RSA_PKCS_PSS 0x00000044 -#define CKM_SHA512_RSA_PKCS_PSS 0x00000045 - -#define CKM_RC2_KEY_GEN 0x00000100 -#define CKM_RC2_ECB 0x00000101 -#define CKM_RC2_CBC 0x00000102 -#define CKM_RC2_MAC 0x00000103 - -/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */ -#define CKM_RC2_MAC_GENERAL 0x00000104 -#define CKM_RC2_CBC_PAD 0x00000105 - -#define CKM_RC4_KEY_GEN 0x00000110 -#define CKM_RC4 0x00000111 -#define CKM_DES_KEY_GEN 0x00000120 -#define CKM_DES_ECB 0x00000121 -#define CKM_DES_CBC 0x00000122 -#define CKM_DES_MAC 0x00000123 - -/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */ -#define CKM_DES_MAC_GENERAL 0x00000124 -#define CKM_DES_CBC_PAD 0x00000125 - -#define CKM_DES2_KEY_GEN 0x00000130 -#define CKM_DES3_KEY_GEN 0x00000131 -#define CKM_DES3_ECB 0x00000132 -#define CKM_DES3_CBC 0x00000133 -#define CKM_DES3_MAC 0x00000134 - -/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN, - * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC, - * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */ -#define CKM_DES3_MAC_GENERAL 0x00000135 -#define CKM_DES3_CBC_PAD 0x00000136 -#define CKM_CDMF_KEY_GEN 0x00000140 -#define CKM_CDMF_ECB 0x00000141 -#define CKM_CDMF_CBC 0x00000142 -#define CKM_CDMF_MAC 0x00000143 -#define CKM_CDMF_MAC_GENERAL 0x00000144 -#define CKM_CDMF_CBC_PAD 0x00000145 - -/* the following four DES mechanisms are new for v2.20 */ -#define CKM_DES_OFB64 0x00000150 -#define CKM_DES_OFB8 0x00000151 -#define CKM_DES_CFB64 0x00000152 -#define CKM_DES_CFB8 0x00000153 - -#define CKM_MD2 0x00000200 - -/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */ -#define CKM_MD2_HMAC 0x00000201 -#define CKM_MD2_HMAC_GENERAL 0x00000202 - -#define CKM_MD5 0x00000210 - -/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */ -#define CKM_MD5_HMAC 0x00000211 -#define CKM_MD5_HMAC_GENERAL 0x00000212 - -#define CKM_SHA_1 0x00000220 - -/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */ -#define CKM_SHA_1_HMAC 0x00000221 -#define CKM_SHA_1_HMAC_GENERAL 0x00000222 - -/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, - * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC, - * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */ -#define CKM_RIPEMD128 0x00000230 -#define CKM_RIPEMD128_HMAC 0x00000231 -#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232 -#define CKM_RIPEMD160 0x00000240 -#define CKM_RIPEMD160_HMAC 0x00000241 -#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242 - -/* CKM_SHA256/384/512 are new for v2.20 */ -#define CKM_SHA256 0x00000250 -#define CKM_SHA256_HMAC 0x00000251 -#define CKM_SHA256_HMAC_GENERAL 0x00000252 -#define CKM_SHA384 0x00000260 -#define CKM_SHA384_HMAC 0x00000261 -#define CKM_SHA384_HMAC_GENERAL 0x00000262 -#define CKM_SHA512 0x00000270 -#define CKM_SHA512_HMAC 0x00000271 -#define CKM_SHA512_HMAC_GENERAL 0x00000272 - -/* All of the following mechanisms are new for v2.0 */ -/* Note that CAST128 and CAST5 are the same algorithm */ -#define CKM_CAST_KEY_GEN 0x00000300 -#define CKM_CAST_ECB 0x00000301 -#define CKM_CAST_CBC 0x00000302 -#define CKM_CAST_MAC 0x00000303 -#define CKM_CAST_MAC_GENERAL 0x00000304 -#define CKM_CAST_CBC_PAD 0x00000305 -#define CKM_CAST3_KEY_GEN 0x00000310 -#define CKM_CAST3_ECB 0x00000311 -#define CKM_CAST3_CBC 0x00000312 -#define CKM_CAST3_MAC 0x00000313 -#define CKM_CAST3_MAC_GENERAL 0x00000314 -#define CKM_CAST3_CBC_PAD 0x00000315 -#define CKM_CAST5_KEY_GEN 0x00000320 -#define CKM_CAST128_KEY_GEN 0x00000320 -#define CKM_CAST5_ECB 0x00000321 -#define CKM_CAST128_ECB 0x00000321 -#define CKM_CAST5_CBC 0x00000322 -#define CKM_CAST128_CBC 0x00000322 -#define CKM_CAST5_MAC 0x00000323 -#define CKM_CAST128_MAC 0x00000323 -#define CKM_CAST5_MAC_GENERAL 0x00000324 -#define CKM_CAST128_MAC_GENERAL 0x00000324 -#define CKM_CAST5_CBC_PAD 0x00000325 -#define CKM_CAST128_CBC_PAD 0x00000325 -#define CKM_RC5_KEY_GEN 0x00000330 -#define CKM_RC5_ECB 0x00000331 -#define CKM_RC5_CBC 0x00000332 -#define CKM_RC5_MAC 0x00000333 -#define CKM_RC5_MAC_GENERAL 0x00000334 -#define CKM_RC5_CBC_PAD 0x00000335 -#define CKM_IDEA_KEY_GEN 0x00000340 -#define CKM_IDEA_ECB 0x00000341 -#define CKM_IDEA_CBC 0x00000342 -#define CKM_IDEA_MAC 0x00000343 -#define CKM_IDEA_MAC_GENERAL 0x00000344 -#define CKM_IDEA_CBC_PAD 0x00000345 -#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350 -#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360 -#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362 -#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363 -#define CKM_XOR_BASE_AND_DATA 0x00000364 -#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365 -#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370 -#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371 -#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372 - -/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN, - * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and - * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */ -#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373 -#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374 -#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375 -#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376 -#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377 - -/* CKM_TLS_PRF is new for v2.20 */ -#define CKM_TLS_PRF 0x00000378 - -#define CKM_SSL3_MD5_MAC 0x00000380 -#define CKM_SSL3_SHA1_MAC 0x00000381 -#define CKM_MD5_KEY_DERIVATION 0x00000390 -#define CKM_MD2_KEY_DERIVATION 0x00000391 -#define CKM_SHA1_KEY_DERIVATION 0x00000392 - -/* CKM_SHA256/384/512 are new for v2.20 */ -#define CKM_SHA256_KEY_DERIVATION 0x00000393 -#define CKM_SHA384_KEY_DERIVATION 0x00000394 -#define CKM_SHA512_KEY_DERIVATION 0x00000395 - -#define CKM_PBE_MD2_DES_CBC 0x000003A0 -#define CKM_PBE_MD5_DES_CBC 0x000003A1 -#define CKM_PBE_MD5_CAST_CBC 0x000003A2 -#define CKM_PBE_MD5_CAST3_CBC 0x000003A3 -#define CKM_PBE_MD5_CAST5_CBC 0x000003A4 -#define CKM_PBE_MD5_CAST128_CBC 0x000003A4 -#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5 -#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5 -#define CKM_PBE_SHA1_RC4_128 0x000003A6 -#define CKM_PBE_SHA1_RC4_40 0x000003A7 -#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8 -#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9 -#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA -#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB - -/* CKM_PKCS5_PBKD2 is new for v2.10 */ -#define CKM_PKCS5_PBKD2 0x000003B0 - -#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0 - -/* WTLS mechanisms are new for v2.20 */ -#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0 -#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1 -#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2 -#define CKM_WTLS_PRF 0x000003D3 -#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4 -#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5 - -#define CKM_KEY_WRAP_LYNKS 0x00000400 -#define CKM_KEY_WRAP_SET_OAEP 0x00000401 - -/* CKM_CMS_SIG is new for v2.20 */ -#define CKM_CMS_SIG 0x00000500 - -/* Fortezza mechanisms */ -#define CKM_SKIPJACK_KEY_GEN 0x00001000 -#define CKM_SKIPJACK_ECB64 0x00001001 -#define CKM_SKIPJACK_CBC64 0x00001002 -#define CKM_SKIPJACK_OFB64 0x00001003 -#define CKM_SKIPJACK_CFB64 0x00001004 -#define CKM_SKIPJACK_CFB32 0x00001005 -#define CKM_SKIPJACK_CFB16 0x00001006 -#define CKM_SKIPJACK_CFB8 0x00001007 -#define CKM_SKIPJACK_WRAP 0x00001008 -#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009 -#define CKM_SKIPJACK_RELAYX 0x0000100a -#define CKM_KEA_KEY_PAIR_GEN 0x00001010 -#define CKM_KEA_KEY_DERIVE 0x00001011 -#define CKM_FORTEZZA_TIMESTAMP 0x00001020 -#define CKM_BATON_KEY_GEN 0x00001030 -#define CKM_BATON_ECB128 0x00001031 -#define CKM_BATON_ECB96 0x00001032 -#define CKM_BATON_CBC128 0x00001033 -#define CKM_BATON_COUNTER 0x00001034 -#define CKM_BATON_SHUFFLE 0x00001035 -#define CKM_BATON_WRAP 0x00001036 - -/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, - * CKM_EC_KEY_PAIR_GEN is preferred */ -#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040 -#define CKM_EC_KEY_PAIR_GEN 0x00001040 - -#define CKM_ECDSA 0x00001041 -#define CKM_ECDSA_SHA1 0x00001042 - -/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE - * are new for v2.11 */ -#define CKM_ECDH1_DERIVE 0x00001050 -#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051 -#define CKM_ECMQV_DERIVE 0x00001052 - -#define CKM_JUNIPER_KEY_GEN 0x00001060 -#define CKM_JUNIPER_ECB128 0x00001061 -#define CKM_JUNIPER_CBC128 0x00001062 -#define CKM_JUNIPER_COUNTER 0x00001063 -#define CKM_JUNIPER_SHUFFLE 0x00001064 -#define CKM_JUNIPER_WRAP 0x00001065 -#define CKM_FASTHASH 0x00001070 - -/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC, - * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN, - * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are - * new for v2.11 */ -#define CKM_AES_KEY_GEN 0x00001080 -#define CKM_AES_ECB 0x00001081 -#define CKM_AES_CBC 0x00001082 -#define CKM_AES_MAC 0x00001083 -#define CKM_AES_MAC_GENERAL 0x00001084 -#define CKM_AES_CBC_PAD 0x00001085 - -/* BlowFish and TwoFish are new for v2.20 */ -#define CKM_BLOWFISH_KEY_GEN 0x00001090 -#define CKM_BLOWFISH_CBC 0x00001091 -#define CKM_TWOFISH_KEY_GEN 0x00001092 -#define CKM_TWOFISH_CBC 0x00001093 - - -/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */ -#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100 -#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101 -#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102 -#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103 -#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104 -#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105 - -#define CKM_DSA_PARAMETER_GEN 0x00002000 -#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001 -#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002 - -#define CKM_VENDOR_DEFINED 0x80000000 - -typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR; - - -/* CK_MECHANISM is a structure that specifies a particular - * mechanism */ -typedef struct CK_MECHANISM { - CK_MECHANISM_TYPE mechanism; - CK_VOID_PTR pParameter; - - /* ulParameterLen was changed from CK_USHORT to CK_ULONG for - * v2.0 */ - CK_ULONG ulParameterLen; /* in bytes */ -} CK_MECHANISM; - -typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR; - - -/* CK_MECHANISM_INFO provides information about a particular - * mechanism */ -typedef struct CK_MECHANISM_INFO { - CK_ULONG ulMinKeySize; - CK_ULONG ulMaxKeySize; - CK_FLAGS flags; -} CK_MECHANISM_INFO; - -/* The flags are defined as follows: - * Bit Flag Mask Meaning */ -#define CKF_HW 0x00000001 /* performed by HW */ - -/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN, - * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER, - * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP, - * and CKF_DERIVE are new for v2.0. They specify whether or not - * a mechanism can be used for a particular task */ -#define CKF_ENCRYPT 0x00000100 -#define CKF_DECRYPT 0x00000200 -#define CKF_DIGEST 0x00000400 -#define CKF_SIGN 0x00000800 -#define CKF_SIGN_RECOVER 0x00001000 -#define CKF_VERIFY 0x00002000 -#define CKF_VERIFY_RECOVER 0x00004000 -#define CKF_GENERATE 0x00008000 -#define CKF_GENERATE_KEY_PAIR 0x00010000 -#define CKF_WRAP 0x00020000 -#define CKF_UNWRAP 0x00040000 -#define CKF_DERIVE 0x00080000 - -/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE, - * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They - * describe a token's EC capabilities not available in mechanism - * information. */ -#define CKF_EC_F_P 0x00100000 -#define CKF_EC_F_2M 0x00200000 -#define CKF_EC_ECPARAMETERS 0x00400000 -#define CKF_EC_NAMEDCURVE 0x00800000 -#define CKF_EC_UNCOMPRESS 0x01000000 -#define CKF_EC_COMPRESS 0x02000000 - -#define CKF_EXTENSION 0x80000000 /* FALSE for this version */ - -typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR; - - -/* CK_RV is a value that identifies the return value of a - * Cryptoki function */ -/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */ -typedef CK_ULONG CK_RV; - -#define CKR_OK 0x00000000 -#define CKR_CANCEL 0x00000001 -#define CKR_HOST_MEMORY 0x00000002 -#define CKR_SLOT_ID_INVALID 0x00000003 - -/* CKR_FLAGS_INVALID was removed for v2.0 */ - -/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */ -#define CKR_GENERAL_ERROR 0x00000005 -#define CKR_FUNCTION_FAILED 0x00000006 - -/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS, - * and CKR_CANT_LOCK are new for v2.01 */ -#define CKR_ARGUMENTS_BAD 0x00000007 -#define CKR_NO_EVENT 0x00000008 -#define CKR_NEED_TO_CREATE_THREADS 0x00000009 -#define CKR_CANT_LOCK 0x0000000A - -#define CKR_ATTRIBUTE_READ_ONLY 0x00000010 -#define CKR_ATTRIBUTE_SENSITIVE 0x00000011 -#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012 -#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013 -#define CKR_DATA_INVALID 0x00000020 -#define CKR_DATA_LEN_RANGE 0x00000021 -#define CKR_DEVICE_ERROR 0x00000030 -#define CKR_DEVICE_MEMORY 0x00000031 -#define CKR_DEVICE_REMOVED 0x00000032 -#define CKR_ENCRYPTED_DATA_INVALID 0x00000040 -#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041 -#define CKR_FUNCTION_CANCELED 0x00000050 -#define CKR_FUNCTION_NOT_PARALLEL 0x00000051 - -/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */ -#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054 - -#define CKR_KEY_HANDLE_INVALID 0x00000060 - -/* CKR_KEY_SENSITIVE was removed for v2.0 */ - -#define CKR_KEY_SIZE_RANGE 0x00000062 -#define CKR_KEY_TYPE_INCONSISTENT 0x00000063 - -/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED, - * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED, - * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for - * v2.0 */ -#define CKR_KEY_NOT_NEEDED 0x00000064 -#define CKR_KEY_CHANGED 0x00000065 -#define CKR_KEY_NEEDED 0x00000066 -#define CKR_KEY_INDIGESTIBLE 0x00000067 -#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068 -#define CKR_KEY_NOT_WRAPPABLE 0x00000069 -#define CKR_KEY_UNEXTRACTABLE 0x0000006A - -#define CKR_MECHANISM_INVALID 0x00000070 -#define CKR_MECHANISM_PARAM_INVALID 0x00000071 - -/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID - * were removed for v2.0 */ -#define CKR_OBJECT_HANDLE_INVALID 0x00000082 -#define CKR_OPERATION_ACTIVE 0x00000090 -#define CKR_OPERATION_NOT_INITIALIZED 0x00000091 -#define CKR_PIN_INCORRECT 0x000000A0 -#define CKR_PIN_INVALID 0x000000A1 -#define CKR_PIN_LEN_RANGE 0x000000A2 - -/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */ -#define CKR_PIN_EXPIRED 0x000000A3 -#define CKR_PIN_LOCKED 0x000000A4 - -#define CKR_SESSION_CLOSED 0x000000B0 -#define CKR_SESSION_COUNT 0x000000B1 -#define CKR_SESSION_HANDLE_INVALID 0x000000B3 -#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4 -#define CKR_SESSION_READ_ONLY 0x000000B5 -#define CKR_SESSION_EXISTS 0x000000B6 - -/* CKR_SESSION_READ_ONLY_EXISTS and - * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */ -#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7 -#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8 - -#define CKR_SIGNATURE_INVALID 0x000000C0 -#define CKR_SIGNATURE_LEN_RANGE 0x000000C1 -#define CKR_TEMPLATE_INCOMPLETE 0x000000D0 -#define CKR_TEMPLATE_INCONSISTENT 0x000000D1 -#define CKR_TOKEN_NOT_PRESENT 0x000000E0 -#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1 -#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2 -#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0 -#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1 -#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2 -#define CKR_USER_ALREADY_LOGGED_IN 0x00000100 -#define CKR_USER_NOT_LOGGED_IN 0x00000101 -#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102 -#define CKR_USER_TYPE_INVALID 0x00000103 - -/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES - * are new to v2.01 */ -#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104 -#define CKR_USER_TOO_MANY_TYPES 0x00000105 - -#define CKR_WRAPPED_KEY_INVALID 0x00000110 -#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112 -#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113 -#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114 -#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115 -#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120 - -/* These are new to v2.0 */ -#define CKR_RANDOM_NO_RNG 0x00000121 - -/* These are new to v2.11 */ -#define CKR_DOMAIN_PARAMS_INVALID 0x00000130 - -/* These are new to v2.0 */ -#define CKR_BUFFER_TOO_SMALL 0x00000150 -#define CKR_SAVED_STATE_INVALID 0x00000160 -#define CKR_INFORMATION_SENSITIVE 0x00000170 -#define CKR_STATE_UNSAVEABLE 0x00000180 - -/* These are new to v2.01 */ -#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190 -#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191 -#define CKR_MUTEX_BAD 0x000001A0 -#define CKR_MUTEX_NOT_LOCKED 0x000001A1 - -/* This is new to v2.20 */ -#define CKR_FUNCTION_REJECTED 0x00000200 - -#define CKR_VENDOR_DEFINED 0x80000000 - - -/* CK_NOTIFY is an application callback that processes events */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_NOTIFICATION event, - CK_VOID_PTR pApplication /* passed to C_OpenSession */ -); - - -/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec - * version and pointers of appropriate types to all the - * Cryptoki functions */ -/* CK_FUNCTION_LIST is new for v2.0 */ -typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; - -typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR; - -typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR; - - -/* CK_CREATEMUTEX is an application callback for creating a - * mutex object */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)( - CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */ -); - - -/* CK_DESTROYMUTEX is an application callback for destroying a - * mutex object */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)( - CK_VOID_PTR pMutex /* pointer to mutex */ -); - - -/* CK_LOCKMUTEX is an application callback for locking a mutex */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)( - CK_VOID_PTR pMutex /* pointer to mutex */ -); - - -/* CK_UNLOCKMUTEX is an application callback for unlocking a - * mutex */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)( - CK_VOID_PTR pMutex /* pointer to mutex */ -); - - -/* CK_C_INITIALIZE_ARGS provides the optional arguments to - * C_Initialize */ -typedef struct CK_C_INITIALIZE_ARGS { - CK_CREATEMUTEX CreateMutex; - CK_DESTROYMUTEX DestroyMutex; - CK_LOCKMUTEX LockMutex; - CK_UNLOCKMUTEX UnlockMutex; - CK_FLAGS flags; - CK_VOID_PTR pReserved; -} CK_C_INITIALIZE_ARGS; - -/* flags: bit flags that provide capabilities of the slot - * Bit Flag Mask Meaning - */ -#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001 -#define CKF_OS_LOCKING_OK 0x00000002 - -typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; - - -/* additional flags for parameters to functions */ - -/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ -#define CKF_DONT_BLOCK 1 - -/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10. - * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message - * Generation Function (MGF) applied to a message block when - * formatting a message block for the PKCS #1 OAEP encryption - * scheme. */ -typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE; - -typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; - -/* The following MGFs are defined */ -/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512 - * are new for v2.20 */ -#define CKG_MGF1_SHA1 0x00000001 -#define CKG_MGF1_SHA256 0x00000002 -#define CKG_MGF1_SHA384 0x00000003 -#define CKG_MGF1_SHA512 0x00000004 - -/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10. - * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source - * of the encoding parameter when formatting a message block - * for the PKCS #1 OAEP encryption scheme. */ -typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE; - -typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR; - -/* The following encoding parameter sources are defined */ -#define CKZ_DATA_SPECIFIED 0x00000001 - -/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10. - * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the - * CKM_RSA_PKCS_OAEP mechanism. */ -typedef struct CK_RSA_PKCS_OAEP_PARAMS { - CK_MECHANISM_TYPE hashAlg; - CK_RSA_PKCS_MGF_TYPE mgf; - CK_RSA_PKCS_OAEP_SOURCE_TYPE source; - CK_VOID_PTR pSourceData; - CK_ULONG ulSourceDataLen; -} CK_RSA_PKCS_OAEP_PARAMS; - -typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR; - -/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11. - * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the - * CKM_RSA_PKCS_PSS mechanism(s). */ -typedef struct CK_RSA_PKCS_PSS_PARAMS { - CK_MECHANISM_TYPE hashAlg; - CK_RSA_PKCS_MGF_TYPE mgf; - CK_ULONG sLen; -} CK_RSA_PKCS_PSS_PARAMS; - -typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; - -/* CK_EC_KDF_TYPE is new for v2.11. */ -typedef CK_ULONG CK_EC_KDF_TYPE; - -/* The following EC Key Derivation Functions are defined */ -#define CKD_NULL 0x00000001 -#define CKD_SHA1_KDF 0x00000002 - -/* CK_ECDH1_DERIVE_PARAMS is new for v2.11. - * CK_ECDH1_DERIVE_PARAMS provides the parameters to the - * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, - * where each party contributes one key pair. - */ -typedef struct CK_ECDH1_DERIVE_PARAMS { - CK_EC_KDF_TYPE kdf; - CK_ULONG ulSharedDataLen; - CK_BYTE_PTR pSharedData; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; -} CK_ECDH1_DERIVE_PARAMS; - -typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; - - -/* CK_ECDH2_DERIVE_PARAMS is new for v2.11. - * CK_ECDH2_DERIVE_PARAMS provides the parameters to the - * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */ -typedef struct CK_ECDH2_DERIVE_PARAMS { - CK_EC_KDF_TYPE kdf; - CK_ULONG ulSharedDataLen; - CK_BYTE_PTR pSharedData; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPrivateDataLen; - CK_OBJECT_HANDLE hPrivateData; - CK_ULONG ulPublicDataLen2; - CK_BYTE_PTR pPublicData2; -} CK_ECDH2_DERIVE_PARAMS; - -typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR; - -typedef struct CK_ECMQV_DERIVE_PARAMS { - CK_EC_KDF_TYPE kdf; - CK_ULONG ulSharedDataLen; - CK_BYTE_PTR pSharedData; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPrivateDataLen; - CK_OBJECT_HANDLE hPrivateData; - CK_ULONG ulPublicDataLen2; - CK_BYTE_PTR pPublicData2; - CK_OBJECT_HANDLE publicKey; -} CK_ECMQV_DERIVE_PARAMS; - -typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR; - -/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the - * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */ -typedef CK_ULONG CK_X9_42_DH_KDF_TYPE; -typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR; - -/* The following X9.42 DH key derivation functions are defined - (besides CKD_NULL already defined : */ -#define CKD_SHA1_KDF_ASN1 0x00000003 -#define CKD_SHA1_KDF_CONCATENATE 0x00000004 - -/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11. - * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the - * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party - * contributes one key pair */ -typedef struct CK_X9_42_DH1_DERIVE_PARAMS { - CK_X9_42_DH_KDF_TYPE kdf; - CK_ULONG ulOtherInfoLen; - CK_BYTE_PTR pOtherInfo; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; -} CK_X9_42_DH1_DERIVE_PARAMS; - -typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR; - -/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11. - * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the - * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation - * mechanisms, where each party contributes two key pairs */ -typedef struct CK_X9_42_DH2_DERIVE_PARAMS { - CK_X9_42_DH_KDF_TYPE kdf; - CK_ULONG ulOtherInfoLen; - CK_BYTE_PTR pOtherInfo; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPrivateDataLen; - CK_OBJECT_HANDLE hPrivateData; - CK_ULONG ulPublicDataLen2; - CK_BYTE_PTR pPublicData2; -} CK_X9_42_DH2_DERIVE_PARAMS; - -typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR; - -typedef struct CK_X9_42_MQV_DERIVE_PARAMS { - CK_X9_42_DH_KDF_TYPE kdf; - CK_ULONG ulOtherInfoLen; - CK_BYTE_PTR pOtherInfo; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPrivateDataLen; - CK_OBJECT_HANDLE hPrivateData; - CK_ULONG ulPublicDataLen2; - CK_BYTE_PTR pPublicData2; - CK_OBJECT_HANDLE publicKey; -} CK_X9_42_MQV_DERIVE_PARAMS; - -typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR; - -/* CK_KEA_DERIVE_PARAMS provides the parameters to the - * CKM_KEA_DERIVE mechanism */ -/* CK_KEA_DERIVE_PARAMS is new for v2.0 */ -typedef struct CK_KEA_DERIVE_PARAMS { - CK_BBOOL isSender; - CK_ULONG ulRandomLen; - CK_BYTE_PTR pRandomA; - CK_BYTE_PTR pRandomB; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; -} CK_KEA_DERIVE_PARAMS; - -typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR; - - -/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and - * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just - * holds the effective keysize */ -typedef CK_ULONG CK_RC2_PARAMS; - -typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR; - - -/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC - * mechanism */ -typedef struct CK_RC2_CBC_PARAMS { - /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for - * v2.0 */ - CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ - - CK_BYTE iv[8]; /* IV for CBC mode */ -} CK_RC2_CBC_PARAMS; - -typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR; - - -/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the - * CKM_RC2_MAC_GENERAL mechanism */ -/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */ -typedef struct CK_RC2_MAC_GENERAL_PARAMS { - CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ - CK_ULONG ulMacLength; /* Length of MAC in bytes */ -} CK_RC2_MAC_GENERAL_PARAMS; - -typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \ - CK_RC2_MAC_GENERAL_PARAMS_PTR; - - -/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and - * CKM_RC5_MAC mechanisms */ -/* CK_RC5_PARAMS is new for v2.0 */ -typedef struct CK_RC5_PARAMS { - CK_ULONG ulWordsize; /* wordsize in bits */ - CK_ULONG ulRounds; /* number of rounds */ -} CK_RC5_PARAMS; - -typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR; - - -/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC - * mechanism */ -/* CK_RC5_CBC_PARAMS is new for v2.0 */ -typedef struct CK_RC5_CBC_PARAMS { - CK_ULONG ulWordsize; /* wordsize in bits */ - CK_ULONG ulRounds; /* number of rounds */ - CK_BYTE_PTR pIv; /* pointer to IV */ - CK_ULONG ulIvLen; /* length of IV in bytes */ -} CK_RC5_CBC_PARAMS; - -typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR; - - -/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the - * CKM_RC5_MAC_GENERAL mechanism */ -/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */ -typedef struct CK_RC5_MAC_GENERAL_PARAMS { - CK_ULONG ulWordsize; /* wordsize in bits */ - CK_ULONG ulRounds; /* number of rounds */ - CK_ULONG ulMacLength; /* Length of MAC in bytes */ -} CK_RC5_MAC_GENERAL_PARAMS; - -typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \ - CK_RC5_MAC_GENERAL_PARAMS_PTR; - - -/* CK_MAC_GENERAL_PARAMS provides the parameters to most block - * ciphers' MAC_GENERAL mechanisms. Its value is the length of - * the MAC */ -/* CK_MAC_GENERAL_PARAMS is new for v2.0 */ -typedef CK_ULONG CK_MAC_GENERAL_PARAMS; - -typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR; - -/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */ -typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[8]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_DES_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; - -typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[16]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_AES_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; - -/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the - * CKM_SKIPJACK_PRIVATE_WRAP mechanism */ -/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */ -typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS { - CK_ULONG ulPasswordLen; - CK_BYTE_PTR pPassword; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPAndGLen; - CK_ULONG ulQLen; - CK_ULONG ulRandomLen; - CK_BYTE_PTR pRandomA; - CK_BYTE_PTR pPrimeP; - CK_BYTE_PTR pBaseG; - CK_BYTE_PTR pSubprimeQ; -} CK_SKIPJACK_PRIVATE_WRAP_PARAMS; - -typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \ - CK_SKIPJACK_PRIVATE_WRAP_PTR; - - -/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the - * CKM_SKIPJACK_RELAYX mechanism */ -/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */ -typedef struct CK_SKIPJACK_RELAYX_PARAMS { - CK_ULONG ulOldWrappedXLen; - CK_BYTE_PTR pOldWrappedX; - CK_ULONG ulOldPasswordLen; - CK_BYTE_PTR pOldPassword; - CK_ULONG ulOldPublicDataLen; - CK_BYTE_PTR pOldPublicData; - CK_ULONG ulOldRandomLen; - CK_BYTE_PTR pOldRandomA; - CK_ULONG ulNewPasswordLen; - CK_BYTE_PTR pNewPassword; - CK_ULONG ulNewPublicDataLen; - CK_BYTE_PTR pNewPublicData; - CK_ULONG ulNewRandomLen; - CK_BYTE_PTR pNewRandomA; -} CK_SKIPJACK_RELAYX_PARAMS; - -typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \ - CK_SKIPJACK_RELAYX_PARAMS_PTR; - - -typedef struct CK_PBE_PARAMS { - CK_BYTE_PTR pInitVector; - CK_UTF8CHAR_PTR pPassword; - CK_ULONG ulPasswordLen; - CK_BYTE_PTR pSalt; - CK_ULONG ulSaltLen; - CK_ULONG ulIteration; -} CK_PBE_PARAMS; - -typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR; - - -/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the - * CKM_KEY_WRAP_SET_OAEP mechanism */ -/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */ -typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS { - CK_BYTE bBC; /* block contents byte */ - CK_BYTE_PTR pX; /* extra data */ - CK_ULONG ulXLen; /* length of extra data in bytes */ -} CK_KEY_WRAP_SET_OAEP_PARAMS; - -typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \ - CK_KEY_WRAP_SET_OAEP_PARAMS_PTR; - - -typedef struct CK_SSL3_RANDOM_DATA { - CK_BYTE_PTR pClientRandom; - CK_ULONG ulClientRandomLen; - CK_BYTE_PTR pServerRandom; - CK_ULONG ulServerRandomLen; -} CK_SSL3_RANDOM_DATA; - - -typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS { - CK_SSL3_RANDOM_DATA RandomInfo; - CK_VERSION_PTR pVersion; -} CK_SSL3_MASTER_KEY_DERIVE_PARAMS; - -typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \ - CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR; - - -typedef struct CK_SSL3_KEY_MAT_OUT { - CK_OBJECT_HANDLE hClientMacSecret; - CK_OBJECT_HANDLE hServerMacSecret; - CK_OBJECT_HANDLE hClientKey; - CK_OBJECT_HANDLE hServerKey; - CK_BYTE_PTR pIVClient; - CK_BYTE_PTR pIVServer; -} CK_SSL3_KEY_MAT_OUT; - -typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR; - - -typedef struct CK_SSL3_KEY_MAT_PARAMS { - CK_ULONG ulMacSizeInBits; - CK_ULONG ulKeySizeInBits; - CK_ULONG ulIVSizeInBits; - CK_BBOOL bIsExport; - CK_SSL3_RANDOM_DATA RandomInfo; - CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; -} CK_SSL3_KEY_MAT_PARAMS; - -typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR; - -/* CK_TLS_PRF_PARAMS is new for version 2.20 */ -typedef struct CK_TLS_PRF_PARAMS { - CK_BYTE_PTR pSeed; - CK_ULONG ulSeedLen; - CK_BYTE_PTR pLabel; - CK_ULONG ulLabelLen; - CK_BYTE_PTR pOutput; - CK_ULONG_PTR pulOutputLen; -} CK_TLS_PRF_PARAMS; - -typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR; - -/* WTLS is new for version 2.20 */ -typedef struct CK_WTLS_RANDOM_DATA { - CK_BYTE_PTR pClientRandom; - CK_ULONG ulClientRandomLen; - CK_BYTE_PTR pServerRandom; - CK_ULONG ulServerRandomLen; -} CK_WTLS_RANDOM_DATA; - -typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR; - -typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS { - CK_MECHANISM_TYPE DigestMechanism; - CK_WTLS_RANDOM_DATA RandomInfo; - CK_BYTE_PTR pVersion; -} CK_WTLS_MASTER_KEY_DERIVE_PARAMS; - -typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \ - CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR; - -typedef struct CK_WTLS_PRF_PARAMS { - CK_MECHANISM_TYPE DigestMechanism; - CK_BYTE_PTR pSeed; - CK_ULONG ulSeedLen; - CK_BYTE_PTR pLabel; - CK_ULONG ulLabelLen; - CK_BYTE_PTR pOutput; - CK_ULONG_PTR pulOutputLen; -} CK_WTLS_PRF_PARAMS; - -typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR; - -typedef struct CK_WTLS_KEY_MAT_OUT { - CK_OBJECT_HANDLE hMacSecret; - CK_OBJECT_HANDLE hKey; - CK_BYTE_PTR pIV; -} CK_WTLS_KEY_MAT_OUT; - -typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR; - -typedef struct CK_WTLS_KEY_MAT_PARAMS { - CK_MECHANISM_TYPE DigestMechanism; - CK_ULONG ulMacSizeInBits; - CK_ULONG ulKeySizeInBits; - CK_ULONG ulIVSizeInBits; - CK_ULONG ulSequenceNumber; - CK_BBOOL bIsExport; - CK_WTLS_RANDOM_DATA RandomInfo; - CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial; -} CK_WTLS_KEY_MAT_PARAMS; - -typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR; - -/* CMS is new for version 2.20 */ -typedef struct CK_CMS_SIG_PARAMS { - CK_OBJECT_HANDLE certificateHandle; - CK_MECHANISM_PTR pSigningMechanism; - CK_MECHANISM_PTR pDigestMechanism; - CK_UTF8CHAR_PTR pContentType; - CK_BYTE_PTR pRequestedAttributes; - CK_ULONG ulRequestedAttributesLen; - CK_BYTE_PTR pRequiredAttributes; - CK_ULONG ulRequiredAttributesLen; -} CK_CMS_SIG_PARAMS; - -typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR; - -typedef struct CK_KEY_DERIVATION_STRING_DATA { - CK_BYTE_PTR pData; - CK_ULONG ulLen; -} CK_KEY_DERIVATION_STRING_DATA; - -typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \ - CK_KEY_DERIVATION_STRING_DATA_PTR; - - -/* The CK_EXTRACT_PARAMS is used for the - * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit - * of the base key should be used as the first bit of the - * derived key */ -/* CK_EXTRACT_PARAMS is new for v2.0 */ -typedef CK_ULONG CK_EXTRACT_PARAMS; - -typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR; - -/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10. - * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to - * indicate the Pseudo-Random Function (PRF) used to generate - * key bits using PKCS #5 PBKDF2. */ -typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; - -typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR; - -/* The following PRFs are defined in PKCS #5 v2.0. */ -#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001 - - -/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10. - * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the - * source of the salt value when deriving a key using PKCS #5 - * PBKDF2. */ -typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE; - -typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR; - -/* The following salt value sources are defined in PKCS #5 v2.0. */ -#define CKZ_SALT_SPECIFIED 0x00000001 - -/* CK_PKCS5_PBKD2_PARAMS is new for v2.10. - * CK_PKCS5_PBKD2_PARAMS is a structure that provides the - * parameters to the CKM_PKCS5_PBKD2 mechanism. */ -typedef struct CK_PKCS5_PBKD2_PARAMS { - CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; - CK_VOID_PTR pSaltSourceData; - CK_ULONG ulSaltSourceDataLen; - CK_ULONG iterations; - CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; - CK_VOID_PTR pPrfData; - CK_ULONG ulPrfDataLen; - CK_UTF8CHAR_PTR pPassword; - CK_ULONG_PTR ulPasswordLen; -} CK_PKCS5_PBKD2_PARAMS; - -typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR; - -#endif --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h 2017-01-20 09:53:00.218288130 -0800 @@ -0,0 +1,1685 @@ +/* pkcs11t.h include file for PKCS #11. */ +/* $Revision: 1.6 $ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface + * (Cryptoki)" in all material mentioning or referencing this software. + + * License is also granted to make and use derivative works provided that + * such works are identified as "derived from the RSA Security Inc. PKCS #11 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or + * referencing the derived work. + + * RSA Security Inc. makes no representations concerning either the + * merchantability of this software or the suitability of this software for + * any particular purpose. It is provided "as is" without express or implied + * warranty of any kind. + */ + +/* See top of pkcs11.h for information about the macros that + * must be defined and the structure-packing conventions that + * must be set before including this file. */ + +#ifndef _PKCS11T_H_ +#define _PKCS11T_H_ 1 + +#define CK_TRUE 1 +#define CK_FALSE 0 + +#ifndef CK_DISABLE_TRUE_FALSE +#ifndef FALSE +#define FALSE CK_FALSE +#endif + +#ifndef TRUE +#define TRUE CK_TRUE +#endif +#endif + +/* an unsigned 8-bit value */ +typedef unsigned char CK_BYTE; + +/* an unsigned 8-bit character */ +typedef CK_BYTE CK_CHAR; + +/* an 8-bit UTF-8 character */ +typedef CK_BYTE CK_UTF8CHAR; + +/* a BYTE-sized Boolean flag */ +typedef CK_BYTE CK_BBOOL; + +/* an unsigned value, at least 32 bits long */ +typedef unsigned long int CK_ULONG; + +/* a signed value, the same size as a CK_ULONG */ +/* CK_LONG is new for v2.0 */ +typedef long int CK_LONG; + +/* at least 32 bits; each bit is a Boolean flag */ +typedef CK_ULONG CK_FLAGS; + + +/* some special values for certain CK_ULONG variables */ +#define CK_UNAVAILABLE_INFORMATION (~0UL) +#define CK_EFFECTIVELY_INFINITE 0 + + +typedef CK_BYTE CK_PTR CK_BYTE_PTR; +typedef CK_CHAR CK_PTR CK_CHAR_PTR; +typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR; +typedef CK_ULONG CK_PTR CK_ULONG_PTR; +typedef void CK_PTR CK_VOID_PTR; + +/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */ +typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR; + + +/* The following value is always invalid if used as a session */ +/* handle or object handle */ +#define CK_INVALID_HANDLE 0 + + +typedef struct CK_VERSION { + CK_BYTE major; /* integer portion of version number */ + CK_BYTE minor; /* 1/100ths portion of version number */ +} CK_VERSION; + +typedef CK_VERSION CK_PTR CK_VERSION_PTR; + + +typedef struct CK_INFO { + /* manufacturerID and libraryDecription have been changed from + * CK_CHAR to CK_UTF8CHAR for v2.10 */ + CK_VERSION cryptokiVersion; /* Cryptoki interface ver */ + CK_UTF8CHAR manufacturerID[32]; /* blank padded */ + CK_FLAGS flags; /* must be zero */ + + /* libraryDescription and libraryVersion are new for v2.0 */ + CK_UTF8CHAR libraryDescription[32]; /* blank padded */ + CK_VERSION libraryVersion; /* version of library */ +} CK_INFO; + +typedef CK_INFO CK_PTR CK_INFO_PTR; + + +/* CK_NOTIFICATION enumerates the types of notifications that + * Cryptoki provides to an application */ +/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG + * for v2.0 */ +typedef CK_ULONG CK_NOTIFICATION; +#define CKN_SURRENDER 0 + + +typedef CK_ULONG CK_SLOT_ID; + +typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR; + + +/* CK_SLOT_INFO provides information about a slot */ +typedef struct CK_SLOT_INFO { + /* slotDescription and manufacturerID have been changed from + * CK_CHAR to CK_UTF8CHAR for v2.10 */ + CK_UTF8CHAR slotDescription[64]; /* blank padded */ + CK_UTF8CHAR manufacturerID[32]; /* blank padded */ + CK_FLAGS flags; + + /* hardwareVersion and firmwareVersion are new for v2.0 */ + CK_VERSION hardwareVersion; /* version of hardware */ + CK_VERSION firmwareVersion; /* version of firmware */ +} CK_SLOT_INFO; + +/* flags: bit flags that provide capabilities of the slot + * Bit Flag Mask Meaning + */ +#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */ +#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/ +#define CKF_HW_SLOT 0x00000004 /* hardware slot */ + +typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR; + + +/* CK_TOKEN_INFO provides information about a token */ +typedef struct CK_TOKEN_INFO { + /* label, manufacturerID, and model have been changed from + * CK_CHAR to CK_UTF8CHAR for v2.10 */ + CK_UTF8CHAR label[32]; /* blank padded */ + CK_UTF8CHAR manufacturerID[32]; /* blank padded */ + CK_UTF8CHAR model[16]; /* blank padded */ + CK_CHAR serialNumber[16]; /* blank padded */ + CK_FLAGS flags; /* see below */ + + /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, + * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been + * changed from CK_USHORT to CK_ULONG for v2.0 */ + CK_ULONG ulMaxSessionCount; /* max open sessions */ + CK_ULONG ulSessionCount; /* sess. now open */ + CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */ + CK_ULONG ulRwSessionCount; /* R/W sess. now open */ + CK_ULONG ulMaxPinLen; /* in bytes */ + CK_ULONG ulMinPinLen; /* in bytes */ + CK_ULONG ulTotalPublicMemory; /* in bytes */ + CK_ULONG ulFreePublicMemory; /* in bytes */ + CK_ULONG ulTotalPrivateMemory; /* in bytes */ + CK_ULONG ulFreePrivateMemory; /* in bytes */ + + /* hardwareVersion, firmwareVersion, and time are new for + * v2.0 */ + CK_VERSION hardwareVersion; /* version of hardware */ + CK_VERSION firmwareVersion; /* version of firmware */ + CK_CHAR utcTime[16]; /* time */ +} CK_TOKEN_INFO; + +/* The flags parameter is defined as follows: + * Bit Flag Mask Meaning + */ +#define CKF_RNG 0x00000001 /* has random # + * generator */ +#define CKF_WRITE_PROTECTED 0x00000002 /* token is + * write- + * protected */ +#define CKF_LOGIN_REQUIRED 0x00000004 /* user must + * login */ +#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's + * PIN is set */ + +/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set, + * that means that *every* time the state of cryptographic + * operations of a session is successfully saved, all keys + * needed to continue those operations are stored in the state */ +#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020 + +/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means + * that the token has some sort of clock. The time on that + * clock is returned in the token info structure */ +#define CKF_CLOCK_ON_TOKEN 0x00000040 + +/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is + * set, that means that there is some way for the user to login + * without sending a PIN through the Cryptoki library itself */ +#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100 + +/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true, + * that means that a single session with the token can perform + * dual simultaneous cryptographic operations (digest and + * encrypt; decrypt and digest; sign and encrypt; and decrypt + * and sign) */ +#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200 + +/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the + * token has been initialized using C_InitializeToken or an + * equivalent mechanism outside the scope of PKCS #11. + * Calling C_InitializeToken when this flag is set will cause + * the token to be reinitialized. */ +#define CKF_TOKEN_INITIALIZED 0x00000400 + +/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is + * true, the token supports secondary authentication for + * private key objects. This flag is deprecated in v2.11 and + onwards. */ +#define CKF_SECONDARY_AUTHENTICATION 0x00000800 + +/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an + * incorrect user login PIN has been entered at least once + * since the last successful authentication. */ +#define CKF_USER_PIN_COUNT_LOW 0x00010000 + +/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true, + * supplying an incorrect user PIN will it to become locked. */ +#define CKF_USER_PIN_FINAL_TRY 0x00020000 + +/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the + * user PIN has been locked. User login to the token is not + * possible. */ +#define CKF_USER_PIN_LOCKED 0x00040000 + +/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, + * the user PIN value is the default value set by token + * initialization or manufacturing, or the PIN has been + * expired by the card. */ +#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000 + +/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an + * incorrect SO login PIN has been entered at least once since + * the last successful authentication. */ +#define CKF_SO_PIN_COUNT_LOW 0x00100000 + +/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true, + * supplying an incorrect SO PIN will it to become locked. */ +#define CKF_SO_PIN_FINAL_TRY 0x00200000 + +/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO + * PIN has been locked. SO login to the token is not possible. + */ +#define CKF_SO_PIN_LOCKED 0x00400000 + +/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, + * the SO PIN value is the default value set by token + * initialization or manufacturing, or the PIN has been + * expired by the card. */ +#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000 + +typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; + + +/* CK_SESSION_HANDLE is a Cryptoki-assigned value that + * identifies a session */ +typedef CK_ULONG CK_SESSION_HANDLE; + +typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; + + +/* CK_USER_TYPE enumerates the types of Cryptoki users */ +/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for + * v2.0 */ +typedef CK_ULONG CK_USER_TYPE; +/* Security Officer */ +#define CKU_SO 0 +/* Normal user */ +#define CKU_USER 1 +/* Context specific (added in v2.20) */ +#define CKU_CONTEXT_SPECIFIC 2 + +/* CK_STATE enumerates the session states */ +/* CK_STATE has been changed from an enum to a CK_ULONG for + * v2.0 */ +typedef CK_ULONG CK_STATE; +#define CKS_RO_PUBLIC_SESSION 0 +#define CKS_RO_USER_FUNCTIONS 1 +#define CKS_RW_PUBLIC_SESSION 2 +#define CKS_RW_USER_FUNCTIONS 3 +#define CKS_RW_SO_FUNCTIONS 4 + + +/* CK_SESSION_INFO provides information about a session */ +typedef struct CK_SESSION_INFO { + CK_SLOT_ID slotID; + CK_STATE state; + CK_FLAGS flags; /* see below */ + + /* ulDeviceError was changed from CK_USHORT to CK_ULONG for + * v2.0 */ + CK_ULONG ulDeviceError; /* device-dependent error code */ +} CK_SESSION_INFO; + +/* The flags are defined in the following table: + * Bit Flag Mask Meaning + */ +#define CKF_RW_SESSION 0x00000002 /* session is r/w */ +#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */ + +typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR; + + +/* CK_OBJECT_HANDLE is a token-specific identifier for an + * object */ +typedef CK_ULONG CK_OBJECT_HANDLE; + +typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR; + + +/* CK_OBJECT_CLASS is a value that identifies the classes (or + * types) of objects that Cryptoki recognizes. It is defined + * as follows: */ +/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for + * v2.0 */ +typedef CK_ULONG CK_OBJECT_CLASS; + +/* The following classes of objects are defined: */ +/* CKO_HW_FEATURE is new for v2.10 */ +/* CKO_DOMAIN_PARAMETERS is new for v2.11 */ +/* CKO_MECHANISM is new for v2.20 */ +#define CKO_DATA 0x00000000 +#define CKO_CERTIFICATE 0x00000001 +#define CKO_PUBLIC_KEY 0x00000002 +#define CKO_PRIVATE_KEY 0x00000003 +#define CKO_SECRET_KEY 0x00000004 +#define CKO_HW_FEATURE 0x00000005 +#define CKO_DOMAIN_PARAMETERS 0x00000006 +#define CKO_MECHANISM 0x00000007 +#define CKO_VENDOR_DEFINED 0x80000000 + +typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; + +/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a + * value that identifies the hardware feature type of an object + * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */ +typedef CK_ULONG CK_HW_FEATURE_TYPE; + +/* The following hardware feature types are defined */ +/* CKH_USER_INTERFACE is new for v2.20 */ +#define CKH_MONOTONIC_COUNTER 0x00000001 +#define CKH_CLOCK 0x00000002 +#define CKH_USER_INTERFACE 0x00000003 +#define CKH_VENDOR_DEFINED 0x80000000 + +/* CK_KEY_TYPE is a value that identifies a key type */ +/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */ +typedef CK_ULONG CK_KEY_TYPE; + +/* the following key types are defined: */ +#define CKK_RSA 0x00000000 +#define CKK_DSA 0x00000001 +#define CKK_DH 0x00000002 + +/* CKK_ECDSA and CKK_KEA are new for v2.0 */ +/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */ +#define CKK_ECDSA 0x00000003 +#define CKK_EC 0x00000003 +#define CKK_X9_42_DH 0x00000004 +#define CKK_KEA 0x00000005 + +#define CKK_GENERIC_SECRET 0x00000010 +#define CKK_RC2 0x00000011 +#define CKK_RC4 0x00000012 +#define CKK_DES 0x00000013 +#define CKK_DES2 0x00000014 +#define CKK_DES3 0x00000015 + +/* all these key types are new for v2.0 */ +#define CKK_CAST 0x00000016 +#define CKK_CAST3 0x00000017 +/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */ +#define CKK_CAST5 0x00000018 +#define CKK_CAST128 0x00000018 +#define CKK_RC5 0x00000019 +#define CKK_IDEA 0x0000001A +#define CKK_SKIPJACK 0x0000001B +#define CKK_BATON 0x0000001C +#define CKK_JUNIPER 0x0000001D +#define CKK_CDMF 0x0000001E +#define CKK_AES 0x0000001F + +/* BlowFish and TwoFish are new for v2.20 */ +#define CKK_BLOWFISH 0x00000020 +#define CKK_TWOFISH 0x00000021 + +#define CKK_VENDOR_DEFINED 0x80000000 + + +/* CK_CERTIFICATE_TYPE is a value that identifies a certificate + * type */ +/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG + * for v2.0 */ +typedef CK_ULONG CK_CERTIFICATE_TYPE; + +/* The following certificate types are defined: */ +/* CKC_X_509_ATTR_CERT is new for v2.10 */ +/* CKC_WTLS is new for v2.20 */ +#define CKC_X_509 0x00000000 +#define CKC_X_509_ATTR_CERT 0x00000001 +#define CKC_WTLS 0x00000002 +#define CKC_VENDOR_DEFINED 0x80000000 + + +/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute + * type */ +/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for + * v2.0 */ +typedef CK_ULONG CK_ATTRIBUTE_TYPE; + +/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which + consists of an array of values. */ +#define CKF_ARRAY_ATTRIBUTE 0x40000000 + +/* The following attribute types are defined: */ +#define CKA_CLASS 0x00000000 +#define CKA_TOKEN 0x00000001 +#define CKA_PRIVATE 0x00000002 +#define CKA_LABEL 0x00000003 +#define CKA_APPLICATION 0x00000010 +#define CKA_VALUE 0x00000011 + +/* CKA_OBJECT_ID is new for v2.10 */ +#define CKA_OBJECT_ID 0x00000012 + +#define CKA_CERTIFICATE_TYPE 0x00000080 +#define CKA_ISSUER 0x00000081 +#define CKA_SERIAL_NUMBER 0x00000082 + +/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new + * for v2.10 */ +#define CKA_AC_ISSUER 0x00000083 +#define CKA_OWNER 0x00000084 +#define CKA_ATTR_TYPES 0x00000085 + +/* CKA_TRUSTED is new for v2.11 */ +#define CKA_TRUSTED 0x00000086 + +/* CKA_CERTIFICATE_CATEGORY ... + * CKA_CHECK_VALUE are new for v2.20 */ +#define CKA_CERTIFICATE_CATEGORY 0x00000087 +#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088 +#define CKA_URL 0x00000089 +#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A +#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B +#define CKA_CHECK_VALUE 0x00000090 + +#define CKA_KEY_TYPE 0x00000100 +#define CKA_SUBJECT 0x00000101 +#define CKA_ID 0x00000102 +#define CKA_SENSITIVE 0x00000103 +#define CKA_ENCRYPT 0x00000104 +#define CKA_DECRYPT 0x00000105 +#define CKA_WRAP 0x00000106 +#define CKA_UNWRAP 0x00000107 +#define CKA_SIGN 0x00000108 +#define CKA_SIGN_RECOVER 0x00000109 +#define CKA_VERIFY 0x0000010A +#define CKA_VERIFY_RECOVER 0x0000010B +#define CKA_DERIVE 0x0000010C +#define CKA_START_DATE 0x00000110 +#define CKA_END_DATE 0x00000111 +#define CKA_MODULUS 0x00000120 +#define CKA_MODULUS_BITS 0x00000121 +#define CKA_PUBLIC_EXPONENT 0x00000122 +#define CKA_PRIVATE_EXPONENT 0x00000123 +#define CKA_PRIME_1 0x00000124 +#define CKA_PRIME_2 0x00000125 +#define CKA_EXPONENT_1 0x00000126 +#define CKA_EXPONENT_2 0x00000127 +#define CKA_COEFFICIENT 0x00000128 +#define CKA_PRIME 0x00000130 +#define CKA_SUBPRIME 0x00000131 +#define CKA_BASE 0x00000132 + +/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */ +#define CKA_PRIME_BITS 0x00000133 +#define CKA_SUBPRIME_BITS 0x00000134 +#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS +/* (To retain backwards-compatibility) */ + +#define CKA_VALUE_BITS 0x00000160 +#define CKA_VALUE_LEN 0x00000161 + +/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE, + * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS, + * and CKA_EC_POINT are new for v2.0 */ +#define CKA_EXTRACTABLE 0x00000162 +#define CKA_LOCAL 0x00000163 +#define CKA_NEVER_EXTRACTABLE 0x00000164 +#define CKA_ALWAYS_SENSITIVE 0x00000165 + +/* CKA_KEY_GEN_MECHANISM is new for v2.11 */ +#define CKA_KEY_GEN_MECHANISM 0x00000166 + +#define CKA_MODIFIABLE 0x00000170 + +/* CKA_ECDSA_PARAMS is deprecated in v2.11, + * CKA_EC_PARAMS is preferred. */ +#define CKA_ECDSA_PARAMS 0x00000180 +#define CKA_EC_PARAMS 0x00000180 + +#define CKA_EC_POINT 0x00000181 + +/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, + * are new for v2.10. Deprecated in v2.11 and onwards. */ +#define CKA_SECONDARY_AUTH 0x00000200 +#define CKA_AUTH_PIN_FLAGS 0x00000201 + +/* CKA_ALWAYS_AUTHENTICATE ... + * CKA_UNWRAP_TEMPLATE are new for v2.20 */ +#define CKA_ALWAYS_AUTHENTICATE 0x00000202 + +#define CKA_WRAP_WITH_TRUSTED 0x00000210 +#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211) +#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212) + +/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET + * are new for v2.10 */ +#define CKA_HW_FEATURE_TYPE 0x00000300 +#define CKA_RESET_ON_INIT 0x00000301 +#define CKA_HAS_RESET 0x00000302 + +/* The following attributes are new for v2.20 */ +#define CKA_PIXEL_X 0x00000400 +#define CKA_PIXEL_Y 0x00000401 +#define CKA_RESOLUTION 0x00000402 +#define CKA_CHAR_ROWS 0x00000403 +#define CKA_CHAR_COLUMNS 0x00000404 +#define CKA_COLOR 0x00000405 +#define CKA_BITS_PER_PIXEL 0x00000406 +#define CKA_CHAR_SETS 0x00000480 +#define CKA_ENCODING_METHODS 0x00000481 +#define CKA_MIME_TYPES 0x00000482 +#define CKA_MECHANISM_TYPE 0x00000500 +#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501 +#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502 +#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503 +#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600) + +#define CKA_VENDOR_DEFINED 0x80000000 + + +/* CK_ATTRIBUTE is a structure that includes the type, length + * and value of an attribute */ +typedef struct CK_ATTRIBUTE { + CK_ATTRIBUTE_TYPE type; + CK_VOID_PTR pValue; + + /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */ + CK_ULONG ulValueLen; /* in bytes */ +} CK_ATTRIBUTE; + +typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR; + + +/* CK_DATE is a structure that defines a date */ +typedef struct CK_DATE{ + CK_CHAR year[4]; /* the year ("1900" - "9999") */ + CK_CHAR month[2]; /* the month ("01" - "12") */ + CK_CHAR day[2]; /* the day ("01" - "31") */ +} CK_DATE; + + +/* CK_MECHANISM_TYPE is a value that identifies a mechanism + * type */ +/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for + * v2.0 */ +typedef CK_ULONG CK_MECHANISM_TYPE; + +/* the following mechanism types are defined: */ +#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000 +#define CKM_RSA_PKCS 0x00000001 +#define CKM_RSA_9796 0x00000002 +#define CKM_RSA_X_509 0x00000003 + +/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS + * are new for v2.0. They are mechanisms which hash and sign */ +#define CKM_MD2_RSA_PKCS 0x00000004 +#define CKM_MD5_RSA_PKCS 0x00000005 +#define CKM_SHA1_RSA_PKCS 0x00000006 + +/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and + * CKM_RSA_PKCS_OAEP are new for v2.10 */ +#define CKM_RIPEMD128_RSA_PKCS 0x00000007 +#define CKM_RIPEMD160_RSA_PKCS 0x00000008 +#define CKM_RSA_PKCS_OAEP 0x00000009 + +/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31, + * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */ +#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A +#define CKM_RSA_X9_31 0x0000000B +#define CKM_SHA1_RSA_X9_31 0x0000000C +#define CKM_RSA_PKCS_PSS 0x0000000D +#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E + +#define CKM_DSA_KEY_PAIR_GEN 0x00000010 +#define CKM_DSA 0x00000011 +#define CKM_DSA_SHA1 0x00000012 +#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020 +#define CKM_DH_PKCS_DERIVE 0x00000021 + +/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE, + * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for + * v2.11 */ +#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030 +#define CKM_X9_42_DH_DERIVE 0x00000031 +#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032 +#define CKM_X9_42_MQV_DERIVE 0x00000033 + +/* CKM_SHA256/384/512 are new for v2.20 */ +#define CKM_SHA256_RSA_PKCS 0x00000040 +#define CKM_SHA384_RSA_PKCS 0x00000041 +#define CKM_SHA512_RSA_PKCS 0x00000042 +#define CKM_SHA256_RSA_PKCS_PSS 0x00000043 +#define CKM_SHA384_RSA_PKCS_PSS 0x00000044 +#define CKM_SHA512_RSA_PKCS_PSS 0x00000045 + +#define CKM_RC2_KEY_GEN 0x00000100 +#define CKM_RC2_ECB 0x00000101 +#define CKM_RC2_CBC 0x00000102 +#define CKM_RC2_MAC 0x00000103 + +/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */ +#define CKM_RC2_MAC_GENERAL 0x00000104 +#define CKM_RC2_CBC_PAD 0x00000105 + +#define CKM_RC4_KEY_GEN 0x00000110 +#define CKM_RC4 0x00000111 +#define CKM_DES_KEY_GEN 0x00000120 +#define CKM_DES_ECB 0x00000121 +#define CKM_DES_CBC 0x00000122 +#define CKM_DES_MAC 0x00000123 + +/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */ +#define CKM_DES_MAC_GENERAL 0x00000124 +#define CKM_DES_CBC_PAD 0x00000125 + +#define CKM_DES2_KEY_GEN 0x00000130 +#define CKM_DES3_KEY_GEN 0x00000131 +#define CKM_DES3_ECB 0x00000132 +#define CKM_DES3_CBC 0x00000133 +#define CKM_DES3_MAC 0x00000134 + +/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN, + * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC, + * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */ +#define CKM_DES3_MAC_GENERAL 0x00000135 +#define CKM_DES3_CBC_PAD 0x00000136 +#define CKM_CDMF_KEY_GEN 0x00000140 +#define CKM_CDMF_ECB 0x00000141 +#define CKM_CDMF_CBC 0x00000142 +#define CKM_CDMF_MAC 0x00000143 +#define CKM_CDMF_MAC_GENERAL 0x00000144 +#define CKM_CDMF_CBC_PAD 0x00000145 + +/* the following four DES mechanisms are new for v2.20 */ +#define CKM_DES_OFB64 0x00000150 +#define CKM_DES_OFB8 0x00000151 +#define CKM_DES_CFB64 0x00000152 +#define CKM_DES_CFB8 0x00000153 + +#define CKM_MD2 0x00000200 + +/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */ +#define CKM_MD2_HMAC 0x00000201 +#define CKM_MD2_HMAC_GENERAL 0x00000202 + +#define CKM_MD5 0x00000210 + +/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */ +#define CKM_MD5_HMAC 0x00000211 +#define CKM_MD5_HMAC_GENERAL 0x00000212 + +#define CKM_SHA_1 0x00000220 + +/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */ +#define CKM_SHA_1_HMAC 0x00000221 +#define CKM_SHA_1_HMAC_GENERAL 0x00000222 + +/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, + * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC, + * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */ +#define CKM_RIPEMD128 0x00000230 +#define CKM_RIPEMD128_HMAC 0x00000231 +#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232 +#define CKM_RIPEMD160 0x00000240 +#define CKM_RIPEMD160_HMAC 0x00000241 +#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242 + +/* CKM_SHA256/384/512 are new for v2.20 */ +#define CKM_SHA256 0x00000250 +#define CKM_SHA256_HMAC 0x00000251 +#define CKM_SHA256_HMAC_GENERAL 0x00000252 +#define CKM_SHA384 0x00000260 +#define CKM_SHA384_HMAC 0x00000261 +#define CKM_SHA384_HMAC_GENERAL 0x00000262 +#define CKM_SHA512 0x00000270 +#define CKM_SHA512_HMAC 0x00000271 +#define CKM_SHA512_HMAC_GENERAL 0x00000272 + +/* All of the following mechanisms are new for v2.0 */ +/* Note that CAST128 and CAST5 are the same algorithm */ +#define CKM_CAST_KEY_GEN 0x00000300 +#define CKM_CAST_ECB 0x00000301 +#define CKM_CAST_CBC 0x00000302 +#define CKM_CAST_MAC 0x00000303 +#define CKM_CAST_MAC_GENERAL 0x00000304 +#define CKM_CAST_CBC_PAD 0x00000305 +#define CKM_CAST3_KEY_GEN 0x00000310 +#define CKM_CAST3_ECB 0x00000311 +#define CKM_CAST3_CBC 0x00000312 +#define CKM_CAST3_MAC 0x00000313 +#define CKM_CAST3_MAC_GENERAL 0x00000314 +#define CKM_CAST3_CBC_PAD 0x00000315 +#define CKM_CAST5_KEY_GEN 0x00000320 +#define CKM_CAST128_KEY_GEN 0x00000320 +#define CKM_CAST5_ECB 0x00000321 +#define CKM_CAST128_ECB 0x00000321 +#define CKM_CAST5_CBC 0x00000322 +#define CKM_CAST128_CBC 0x00000322 +#define CKM_CAST5_MAC 0x00000323 +#define CKM_CAST128_MAC 0x00000323 +#define CKM_CAST5_MAC_GENERAL 0x00000324 +#define CKM_CAST128_MAC_GENERAL 0x00000324 +#define CKM_CAST5_CBC_PAD 0x00000325 +#define CKM_CAST128_CBC_PAD 0x00000325 +#define CKM_RC5_KEY_GEN 0x00000330 +#define CKM_RC5_ECB 0x00000331 +#define CKM_RC5_CBC 0x00000332 +#define CKM_RC5_MAC 0x00000333 +#define CKM_RC5_MAC_GENERAL 0x00000334 +#define CKM_RC5_CBC_PAD 0x00000335 +#define CKM_IDEA_KEY_GEN 0x00000340 +#define CKM_IDEA_ECB 0x00000341 +#define CKM_IDEA_CBC 0x00000342 +#define CKM_IDEA_MAC 0x00000343 +#define CKM_IDEA_MAC_GENERAL 0x00000344 +#define CKM_IDEA_CBC_PAD 0x00000345 +#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350 +#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360 +#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362 +#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363 +#define CKM_XOR_BASE_AND_DATA 0x00000364 +#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365 +#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370 +#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371 +#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372 + +/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN, + * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and + * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */ +#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373 +#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374 +#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375 +#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376 +#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377 + +/* CKM_TLS_PRF is new for v2.20 */ +#define CKM_TLS_PRF 0x00000378 + +#define CKM_SSL3_MD5_MAC 0x00000380 +#define CKM_SSL3_SHA1_MAC 0x00000381 +#define CKM_MD5_KEY_DERIVATION 0x00000390 +#define CKM_MD2_KEY_DERIVATION 0x00000391 +#define CKM_SHA1_KEY_DERIVATION 0x00000392 + +/* CKM_SHA256/384/512 are new for v2.20 */ +#define CKM_SHA256_KEY_DERIVATION 0x00000393 +#define CKM_SHA384_KEY_DERIVATION 0x00000394 +#define CKM_SHA512_KEY_DERIVATION 0x00000395 + +#define CKM_PBE_MD2_DES_CBC 0x000003A0 +#define CKM_PBE_MD5_DES_CBC 0x000003A1 +#define CKM_PBE_MD5_CAST_CBC 0x000003A2 +#define CKM_PBE_MD5_CAST3_CBC 0x000003A3 +#define CKM_PBE_MD5_CAST5_CBC 0x000003A4 +#define CKM_PBE_MD5_CAST128_CBC 0x000003A4 +#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5 +#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5 +#define CKM_PBE_SHA1_RC4_128 0x000003A6 +#define CKM_PBE_SHA1_RC4_40 0x000003A7 +#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8 +#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9 +#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA +#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB + +/* CKM_PKCS5_PBKD2 is new for v2.10 */ +#define CKM_PKCS5_PBKD2 0x000003B0 + +#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0 + +/* WTLS mechanisms are new for v2.20 */ +#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0 +#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1 +#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2 +#define CKM_WTLS_PRF 0x000003D3 +#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4 +#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5 + +#define CKM_KEY_WRAP_LYNKS 0x00000400 +#define CKM_KEY_WRAP_SET_OAEP 0x00000401 + +/* CKM_CMS_SIG is new for v2.20 */ +#define CKM_CMS_SIG 0x00000500 + +/* Fortezza mechanisms */ +#define CKM_SKIPJACK_KEY_GEN 0x00001000 +#define CKM_SKIPJACK_ECB64 0x00001001 +#define CKM_SKIPJACK_CBC64 0x00001002 +#define CKM_SKIPJACK_OFB64 0x00001003 +#define CKM_SKIPJACK_CFB64 0x00001004 +#define CKM_SKIPJACK_CFB32 0x00001005 +#define CKM_SKIPJACK_CFB16 0x00001006 +#define CKM_SKIPJACK_CFB8 0x00001007 +#define CKM_SKIPJACK_WRAP 0x00001008 +#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009 +#define CKM_SKIPJACK_RELAYX 0x0000100a +#define CKM_KEA_KEY_PAIR_GEN 0x00001010 +#define CKM_KEA_KEY_DERIVE 0x00001011 +#define CKM_FORTEZZA_TIMESTAMP 0x00001020 +#define CKM_BATON_KEY_GEN 0x00001030 +#define CKM_BATON_ECB128 0x00001031 +#define CKM_BATON_ECB96 0x00001032 +#define CKM_BATON_CBC128 0x00001033 +#define CKM_BATON_COUNTER 0x00001034 +#define CKM_BATON_SHUFFLE 0x00001035 +#define CKM_BATON_WRAP 0x00001036 + +/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, + * CKM_EC_KEY_PAIR_GEN is preferred */ +#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040 +#define CKM_EC_KEY_PAIR_GEN 0x00001040 + +#define CKM_ECDSA 0x00001041 +#define CKM_ECDSA_SHA1 0x00001042 + +/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE + * are new for v2.11 */ +#define CKM_ECDH1_DERIVE 0x00001050 +#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051 +#define CKM_ECMQV_DERIVE 0x00001052 + +#define CKM_JUNIPER_KEY_GEN 0x00001060 +#define CKM_JUNIPER_ECB128 0x00001061 +#define CKM_JUNIPER_CBC128 0x00001062 +#define CKM_JUNIPER_COUNTER 0x00001063 +#define CKM_JUNIPER_SHUFFLE 0x00001064 +#define CKM_JUNIPER_WRAP 0x00001065 +#define CKM_FASTHASH 0x00001070 + +/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC, + * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN, + * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are + * new for v2.11 */ +#define CKM_AES_KEY_GEN 0x00001080 +#define CKM_AES_ECB 0x00001081 +#define CKM_AES_CBC 0x00001082 +#define CKM_AES_MAC 0x00001083 +#define CKM_AES_MAC_GENERAL 0x00001084 +#define CKM_AES_CBC_PAD 0x00001085 + +/* BlowFish and TwoFish are new for v2.20 */ +#define CKM_BLOWFISH_KEY_GEN 0x00001090 +#define CKM_BLOWFISH_CBC 0x00001091 +#define CKM_TWOFISH_KEY_GEN 0x00001092 +#define CKM_TWOFISH_CBC 0x00001093 + + +/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */ +#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100 +#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101 +#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102 +#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103 +#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104 +#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105 + +#define CKM_DSA_PARAMETER_GEN 0x00002000 +#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001 +#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002 + +#define CKM_VENDOR_DEFINED 0x80000000 + +typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR; + + +/* CK_MECHANISM is a structure that specifies a particular + * mechanism */ +typedef struct CK_MECHANISM { + CK_MECHANISM_TYPE mechanism; + CK_VOID_PTR pParameter; + + /* ulParameterLen was changed from CK_USHORT to CK_ULONG for + * v2.0 */ + CK_ULONG ulParameterLen; /* in bytes */ +} CK_MECHANISM; + +typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR; + + +/* CK_MECHANISM_INFO provides information about a particular + * mechanism */ +typedef struct CK_MECHANISM_INFO { + CK_ULONG ulMinKeySize; + CK_ULONG ulMaxKeySize; + CK_FLAGS flags; +} CK_MECHANISM_INFO; + +/* The flags are defined as follows: + * Bit Flag Mask Meaning */ +#define CKF_HW 0x00000001 /* performed by HW */ + +/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN, + * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER, + * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP, + * and CKF_DERIVE are new for v2.0. They specify whether or not + * a mechanism can be used for a particular task */ +#define CKF_ENCRYPT 0x00000100 +#define CKF_DECRYPT 0x00000200 +#define CKF_DIGEST 0x00000400 +#define CKF_SIGN 0x00000800 +#define CKF_SIGN_RECOVER 0x00001000 +#define CKF_VERIFY 0x00002000 +#define CKF_VERIFY_RECOVER 0x00004000 +#define CKF_GENERATE 0x00008000 +#define CKF_GENERATE_KEY_PAIR 0x00010000 +#define CKF_WRAP 0x00020000 +#define CKF_UNWRAP 0x00040000 +#define CKF_DERIVE 0x00080000 + +/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE, + * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They + * describe a token's EC capabilities not available in mechanism + * information. */ +#define CKF_EC_F_P 0x00100000 +#define CKF_EC_F_2M 0x00200000 +#define CKF_EC_ECPARAMETERS 0x00400000 +#define CKF_EC_NAMEDCURVE 0x00800000 +#define CKF_EC_UNCOMPRESS 0x01000000 +#define CKF_EC_COMPRESS 0x02000000 + +#define CKF_EXTENSION 0x80000000 /* FALSE for this version */ + +typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR; + + +/* CK_RV is a value that identifies the return value of a + * Cryptoki function */ +/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */ +typedef CK_ULONG CK_RV; + +#define CKR_OK 0x00000000 +#define CKR_CANCEL 0x00000001 +#define CKR_HOST_MEMORY 0x00000002 +#define CKR_SLOT_ID_INVALID 0x00000003 + +/* CKR_FLAGS_INVALID was removed for v2.0 */ + +/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */ +#define CKR_GENERAL_ERROR 0x00000005 +#define CKR_FUNCTION_FAILED 0x00000006 + +/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS, + * and CKR_CANT_LOCK are new for v2.01 */ +#define CKR_ARGUMENTS_BAD 0x00000007 +#define CKR_NO_EVENT 0x00000008 +#define CKR_NEED_TO_CREATE_THREADS 0x00000009 +#define CKR_CANT_LOCK 0x0000000A + +#define CKR_ATTRIBUTE_READ_ONLY 0x00000010 +#define CKR_ATTRIBUTE_SENSITIVE 0x00000011 +#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012 +#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013 +#define CKR_DATA_INVALID 0x00000020 +#define CKR_DATA_LEN_RANGE 0x00000021 +#define CKR_DEVICE_ERROR 0x00000030 +#define CKR_DEVICE_MEMORY 0x00000031 +#define CKR_DEVICE_REMOVED 0x00000032 +#define CKR_ENCRYPTED_DATA_INVALID 0x00000040 +#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041 +#define CKR_FUNCTION_CANCELED 0x00000050 +#define CKR_FUNCTION_NOT_PARALLEL 0x00000051 + +/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */ +#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054 + +#define CKR_KEY_HANDLE_INVALID 0x00000060 + +/* CKR_KEY_SENSITIVE was removed for v2.0 */ + +#define CKR_KEY_SIZE_RANGE 0x00000062 +#define CKR_KEY_TYPE_INCONSISTENT 0x00000063 + +/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED, + * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED, + * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for + * v2.0 */ +#define CKR_KEY_NOT_NEEDED 0x00000064 +#define CKR_KEY_CHANGED 0x00000065 +#define CKR_KEY_NEEDED 0x00000066 +#define CKR_KEY_INDIGESTIBLE 0x00000067 +#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068 +#define CKR_KEY_NOT_WRAPPABLE 0x00000069 +#define CKR_KEY_UNEXTRACTABLE 0x0000006A + +#define CKR_MECHANISM_INVALID 0x00000070 +#define CKR_MECHANISM_PARAM_INVALID 0x00000071 + +/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID + * were removed for v2.0 */ +#define CKR_OBJECT_HANDLE_INVALID 0x00000082 +#define CKR_OPERATION_ACTIVE 0x00000090 +#define CKR_OPERATION_NOT_INITIALIZED 0x00000091 +#define CKR_PIN_INCORRECT 0x000000A0 +#define CKR_PIN_INVALID 0x000000A1 +#define CKR_PIN_LEN_RANGE 0x000000A2 + +/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */ +#define CKR_PIN_EXPIRED 0x000000A3 +#define CKR_PIN_LOCKED 0x000000A4 + +#define CKR_SESSION_CLOSED 0x000000B0 +#define CKR_SESSION_COUNT 0x000000B1 +#define CKR_SESSION_HANDLE_INVALID 0x000000B3 +#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4 +#define CKR_SESSION_READ_ONLY 0x000000B5 +#define CKR_SESSION_EXISTS 0x000000B6 + +/* CKR_SESSION_READ_ONLY_EXISTS and + * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */ +#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7 +#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8 + +#define CKR_SIGNATURE_INVALID 0x000000C0 +#define CKR_SIGNATURE_LEN_RANGE 0x000000C1 +#define CKR_TEMPLATE_INCOMPLETE 0x000000D0 +#define CKR_TEMPLATE_INCONSISTENT 0x000000D1 +#define CKR_TOKEN_NOT_PRESENT 0x000000E0 +#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1 +#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2 +#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0 +#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1 +#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2 +#define CKR_USER_ALREADY_LOGGED_IN 0x00000100 +#define CKR_USER_NOT_LOGGED_IN 0x00000101 +#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102 +#define CKR_USER_TYPE_INVALID 0x00000103 + +/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES + * are new to v2.01 */ +#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104 +#define CKR_USER_TOO_MANY_TYPES 0x00000105 + +#define CKR_WRAPPED_KEY_INVALID 0x00000110 +#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112 +#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113 +#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114 +#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115 +#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120 + +/* These are new to v2.0 */ +#define CKR_RANDOM_NO_RNG 0x00000121 + +/* These are new to v2.11 */ +#define CKR_DOMAIN_PARAMS_INVALID 0x00000130 + +/* These are new to v2.0 */ +#define CKR_BUFFER_TOO_SMALL 0x00000150 +#define CKR_SAVED_STATE_INVALID 0x00000160 +#define CKR_INFORMATION_SENSITIVE 0x00000170 +#define CKR_STATE_UNSAVEABLE 0x00000180 + +/* These are new to v2.01 */ +#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190 +#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191 +#define CKR_MUTEX_BAD 0x000001A0 +#define CKR_MUTEX_NOT_LOCKED 0x000001A1 + +/* This is new to v2.20 */ +#define CKR_FUNCTION_REJECTED 0x00000200 + +#define CKR_VENDOR_DEFINED 0x80000000 + + +/* CK_NOTIFY is an application callback that processes events */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_NOTIFICATION event, + CK_VOID_PTR pApplication /* passed to C_OpenSession */ +); + + +/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec + * version and pointers of appropriate types to all the + * Cryptoki functions */ +/* CK_FUNCTION_LIST is new for v2.0 */ +typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; + +typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR; + +typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR; + + +/* CK_CREATEMUTEX is an application callback for creating a + * mutex object */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)( + CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */ +); + + +/* CK_DESTROYMUTEX is an application callback for destroying a + * mutex object */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)( + CK_VOID_PTR pMutex /* pointer to mutex */ +); + + +/* CK_LOCKMUTEX is an application callback for locking a mutex */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)( + CK_VOID_PTR pMutex /* pointer to mutex */ +); + + +/* CK_UNLOCKMUTEX is an application callback for unlocking a + * mutex */ +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)( + CK_VOID_PTR pMutex /* pointer to mutex */ +); + + +/* CK_C_INITIALIZE_ARGS provides the optional arguments to + * C_Initialize */ +typedef struct CK_C_INITIALIZE_ARGS { + CK_CREATEMUTEX CreateMutex; + CK_DESTROYMUTEX DestroyMutex; + CK_LOCKMUTEX LockMutex; + CK_UNLOCKMUTEX UnlockMutex; + CK_FLAGS flags; + CK_VOID_PTR pReserved; +} CK_C_INITIALIZE_ARGS; + +/* flags: bit flags that provide capabilities of the slot + * Bit Flag Mask Meaning + */ +#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001 +#define CKF_OS_LOCKING_OK 0x00000002 + +typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; + + +/* additional flags for parameters to functions */ + +/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ +#define CKF_DONT_BLOCK 1 + +/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10. + * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message + * Generation Function (MGF) applied to a message block when + * formatting a message block for the PKCS #1 OAEP encryption + * scheme. */ +typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE; + +typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; + +/* The following MGFs are defined */ +/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512 + * are new for v2.20 */ +#define CKG_MGF1_SHA1 0x00000001 +#define CKG_MGF1_SHA256 0x00000002 +#define CKG_MGF1_SHA384 0x00000003 +#define CKG_MGF1_SHA512 0x00000004 + +/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10. + * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source + * of the encoding parameter when formatting a message block + * for the PKCS #1 OAEP encryption scheme. */ +typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE; + +typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR; + +/* The following encoding parameter sources are defined */ +#define CKZ_DATA_SPECIFIED 0x00000001 + +/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10. + * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the + * CKM_RSA_PKCS_OAEP mechanism. */ +typedef struct CK_RSA_PKCS_OAEP_PARAMS { + CK_MECHANISM_TYPE hashAlg; + CK_RSA_PKCS_MGF_TYPE mgf; + CK_RSA_PKCS_OAEP_SOURCE_TYPE source; + CK_VOID_PTR pSourceData; + CK_ULONG ulSourceDataLen; +} CK_RSA_PKCS_OAEP_PARAMS; + +typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR; + +/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11. + * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the + * CKM_RSA_PKCS_PSS mechanism(s). */ +typedef struct CK_RSA_PKCS_PSS_PARAMS { + CK_MECHANISM_TYPE hashAlg; + CK_RSA_PKCS_MGF_TYPE mgf; + CK_ULONG sLen; +} CK_RSA_PKCS_PSS_PARAMS; + +typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; + +/* CK_EC_KDF_TYPE is new for v2.11. */ +typedef CK_ULONG CK_EC_KDF_TYPE; + +/* The following EC Key Derivation Functions are defined */ +#define CKD_NULL 0x00000001 +#define CKD_SHA1_KDF 0x00000002 + +/* CK_ECDH1_DERIVE_PARAMS is new for v2.11. + * CK_ECDH1_DERIVE_PARAMS provides the parameters to the + * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, + * where each party contributes one key pair. + */ +typedef struct CK_ECDH1_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; +} CK_ECDH1_DERIVE_PARAMS; + +typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; + + +/* CK_ECDH2_DERIVE_PARAMS is new for v2.11. + * CK_ECDH2_DERIVE_PARAMS provides the parameters to the + * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */ +typedef struct CK_ECDH2_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; +} CK_ECDH2_DERIVE_PARAMS; + +typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR; + +typedef struct CK_ECMQV_DERIVE_PARAMS { + CK_EC_KDF_TYPE kdf; + CK_ULONG ulSharedDataLen; + CK_BYTE_PTR pSharedData; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; + CK_OBJECT_HANDLE publicKey; +} CK_ECMQV_DERIVE_PARAMS; + +typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR; + +/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the + * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */ +typedef CK_ULONG CK_X9_42_DH_KDF_TYPE; +typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR; + +/* The following X9.42 DH key derivation functions are defined + (besides CKD_NULL already defined : */ +#define CKD_SHA1_KDF_ASN1 0x00000003 +#define CKD_SHA1_KDF_CONCATENATE 0x00000004 + +/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11. + * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the + * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party + * contributes one key pair */ +typedef struct CK_X9_42_DH1_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; +} CK_X9_42_DH1_DERIVE_PARAMS; + +typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR; + +/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11. + * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the + * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation + * mechanisms, where each party contributes two key pairs */ +typedef struct CK_X9_42_DH2_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; +} CK_X9_42_DH2_DERIVE_PARAMS; + +typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR; + +typedef struct CK_X9_42_MQV_DERIVE_PARAMS { + CK_X9_42_DH_KDF_TYPE kdf; + CK_ULONG ulOtherInfoLen; + CK_BYTE_PTR pOtherInfo; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + CK_ULONG ulPublicDataLen2; + CK_BYTE_PTR pPublicData2; + CK_OBJECT_HANDLE publicKey; +} CK_X9_42_MQV_DERIVE_PARAMS; + +typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR; + +/* CK_KEA_DERIVE_PARAMS provides the parameters to the + * CKM_KEA_DERIVE mechanism */ +/* CK_KEA_DERIVE_PARAMS is new for v2.0 */ +typedef struct CK_KEA_DERIVE_PARAMS { + CK_BBOOL isSender; + CK_ULONG ulRandomLen; + CK_BYTE_PTR pRandomA; + CK_BYTE_PTR pRandomB; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; +} CK_KEA_DERIVE_PARAMS; + +typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR; + + +/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and + * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just + * holds the effective keysize */ +typedef CK_ULONG CK_RC2_PARAMS; + +typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR; + + +/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC + * mechanism */ +typedef struct CK_RC2_CBC_PARAMS { + /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for + * v2.0 */ + CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ + + CK_BYTE iv[8]; /* IV for CBC mode */ +} CK_RC2_CBC_PARAMS; + +typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR; + + +/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the + * CKM_RC2_MAC_GENERAL mechanism */ +/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */ +typedef struct CK_RC2_MAC_GENERAL_PARAMS { + CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ + CK_ULONG ulMacLength; /* Length of MAC in bytes */ +} CK_RC2_MAC_GENERAL_PARAMS; + +typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \ + CK_RC2_MAC_GENERAL_PARAMS_PTR; + + +/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and + * CKM_RC5_MAC mechanisms */ +/* CK_RC5_PARAMS is new for v2.0 */ +typedef struct CK_RC5_PARAMS { + CK_ULONG ulWordsize; /* wordsize in bits */ + CK_ULONG ulRounds; /* number of rounds */ +} CK_RC5_PARAMS; + +typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR; + + +/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC + * mechanism */ +/* CK_RC5_CBC_PARAMS is new for v2.0 */ +typedef struct CK_RC5_CBC_PARAMS { + CK_ULONG ulWordsize; /* wordsize in bits */ + CK_ULONG ulRounds; /* number of rounds */ + CK_BYTE_PTR pIv; /* pointer to IV */ + CK_ULONG ulIvLen; /* length of IV in bytes */ +} CK_RC5_CBC_PARAMS; + +typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR; + + +/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the + * CKM_RC5_MAC_GENERAL mechanism */ +/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */ +typedef struct CK_RC5_MAC_GENERAL_PARAMS { + CK_ULONG ulWordsize; /* wordsize in bits */ + CK_ULONG ulRounds; /* number of rounds */ + CK_ULONG ulMacLength; /* Length of MAC in bytes */ +} CK_RC5_MAC_GENERAL_PARAMS; + +typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \ + CK_RC5_MAC_GENERAL_PARAMS_PTR; + + +/* CK_MAC_GENERAL_PARAMS provides the parameters to most block + * ciphers' MAC_GENERAL mechanisms. Its value is the length of + * the MAC */ +/* CK_MAC_GENERAL_PARAMS is new for v2.0 */ +typedef CK_ULONG CK_MAC_GENERAL_PARAMS; + +typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR; + +/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */ +typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[8]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_DES_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; + +typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS { + CK_BYTE iv[16]; + CK_BYTE_PTR pData; + CK_ULONG length; +} CK_AES_CBC_ENCRYPT_DATA_PARAMS; + +typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; + +/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the + * CKM_SKIPJACK_PRIVATE_WRAP mechanism */ +/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */ +typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS { + CK_ULONG ulPasswordLen; + CK_BYTE_PTR pPassword; + CK_ULONG ulPublicDataLen; + CK_BYTE_PTR pPublicData; + CK_ULONG ulPAndGLen; + CK_ULONG ulQLen; + CK_ULONG ulRandomLen; + CK_BYTE_PTR pRandomA; + CK_BYTE_PTR pPrimeP; + CK_BYTE_PTR pBaseG; + CK_BYTE_PTR pSubprimeQ; +} CK_SKIPJACK_PRIVATE_WRAP_PARAMS; + +typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \ + CK_SKIPJACK_PRIVATE_WRAP_PTR; + + +/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the + * CKM_SKIPJACK_RELAYX mechanism */ +/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */ +typedef struct CK_SKIPJACK_RELAYX_PARAMS { + CK_ULONG ulOldWrappedXLen; + CK_BYTE_PTR pOldWrappedX; + CK_ULONG ulOldPasswordLen; + CK_BYTE_PTR pOldPassword; + CK_ULONG ulOldPublicDataLen; + CK_BYTE_PTR pOldPublicData; + CK_ULONG ulOldRandomLen; + CK_BYTE_PTR pOldRandomA; + CK_ULONG ulNewPasswordLen; + CK_BYTE_PTR pNewPassword; + CK_ULONG ulNewPublicDataLen; + CK_BYTE_PTR pNewPublicData; + CK_ULONG ulNewRandomLen; + CK_BYTE_PTR pNewRandomA; +} CK_SKIPJACK_RELAYX_PARAMS; + +typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \ + CK_SKIPJACK_RELAYX_PARAMS_PTR; + + +typedef struct CK_PBE_PARAMS { + CK_BYTE_PTR pInitVector; + CK_UTF8CHAR_PTR pPassword; + CK_ULONG ulPasswordLen; + CK_BYTE_PTR pSalt; + CK_ULONG ulSaltLen; + CK_ULONG ulIteration; +} CK_PBE_PARAMS; + +typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR; + + +/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the + * CKM_KEY_WRAP_SET_OAEP mechanism */ +/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */ +typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS { + CK_BYTE bBC; /* block contents byte */ + CK_BYTE_PTR pX; /* extra data */ + CK_ULONG ulXLen; /* length of extra data in bytes */ +} CK_KEY_WRAP_SET_OAEP_PARAMS; + +typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \ + CK_KEY_WRAP_SET_OAEP_PARAMS_PTR; + + +typedef struct CK_SSL3_RANDOM_DATA { + CK_BYTE_PTR pClientRandom; + CK_ULONG ulClientRandomLen; + CK_BYTE_PTR pServerRandom; + CK_ULONG ulServerRandomLen; +} CK_SSL3_RANDOM_DATA; + + +typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS { + CK_SSL3_RANDOM_DATA RandomInfo; + CK_VERSION_PTR pVersion; +} CK_SSL3_MASTER_KEY_DERIVE_PARAMS; + +typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \ + CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR; + + +typedef struct CK_SSL3_KEY_MAT_OUT { + CK_OBJECT_HANDLE hClientMacSecret; + CK_OBJECT_HANDLE hServerMacSecret; + CK_OBJECT_HANDLE hClientKey; + CK_OBJECT_HANDLE hServerKey; + CK_BYTE_PTR pIVClient; + CK_BYTE_PTR pIVServer; +} CK_SSL3_KEY_MAT_OUT; + +typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR; + + +typedef struct CK_SSL3_KEY_MAT_PARAMS { + CK_ULONG ulMacSizeInBits; + CK_ULONG ulKeySizeInBits; + CK_ULONG ulIVSizeInBits; + CK_BBOOL bIsExport; + CK_SSL3_RANDOM_DATA RandomInfo; + CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; +} CK_SSL3_KEY_MAT_PARAMS; + +typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR; + +/* CK_TLS_PRF_PARAMS is new for version 2.20 */ +typedef struct CK_TLS_PRF_PARAMS { + CK_BYTE_PTR pSeed; + CK_ULONG ulSeedLen; + CK_BYTE_PTR pLabel; + CK_ULONG ulLabelLen; + CK_BYTE_PTR pOutput; + CK_ULONG_PTR pulOutputLen; +} CK_TLS_PRF_PARAMS; + +typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR; + +/* WTLS is new for version 2.20 */ +typedef struct CK_WTLS_RANDOM_DATA { + CK_BYTE_PTR pClientRandom; + CK_ULONG ulClientRandomLen; + CK_BYTE_PTR pServerRandom; + CK_ULONG ulServerRandomLen; +} CK_WTLS_RANDOM_DATA; + +typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR; + +typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_WTLS_RANDOM_DATA RandomInfo; + CK_BYTE_PTR pVersion; +} CK_WTLS_MASTER_KEY_DERIVE_PARAMS; + +typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \ + CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR; + +typedef struct CK_WTLS_PRF_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_BYTE_PTR pSeed; + CK_ULONG ulSeedLen; + CK_BYTE_PTR pLabel; + CK_ULONG ulLabelLen; + CK_BYTE_PTR pOutput; + CK_ULONG_PTR pulOutputLen; +} CK_WTLS_PRF_PARAMS; + +typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR; + +typedef struct CK_WTLS_KEY_MAT_OUT { + CK_OBJECT_HANDLE hMacSecret; + CK_OBJECT_HANDLE hKey; + CK_BYTE_PTR pIV; +} CK_WTLS_KEY_MAT_OUT; + +typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR; + +typedef struct CK_WTLS_KEY_MAT_PARAMS { + CK_MECHANISM_TYPE DigestMechanism; + CK_ULONG ulMacSizeInBits; + CK_ULONG ulKeySizeInBits; + CK_ULONG ulIVSizeInBits; + CK_ULONG ulSequenceNumber; + CK_BBOOL bIsExport; + CK_WTLS_RANDOM_DATA RandomInfo; + CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial; +} CK_WTLS_KEY_MAT_PARAMS; + +typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR; + +/* CMS is new for version 2.20 */ +typedef struct CK_CMS_SIG_PARAMS { + CK_OBJECT_HANDLE certificateHandle; + CK_MECHANISM_PTR pSigningMechanism; + CK_MECHANISM_PTR pDigestMechanism; + CK_UTF8CHAR_PTR pContentType; + CK_BYTE_PTR pRequestedAttributes; + CK_ULONG ulRequestedAttributesLen; + CK_BYTE_PTR pRequiredAttributes; + CK_ULONG ulRequiredAttributesLen; +} CK_CMS_SIG_PARAMS; + +typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR; + +typedef struct CK_KEY_DERIVATION_STRING_DATA { + CK_BYTE_PTR pData; + CK_ULONG ulLen; +} CK_KEY_DERIVATION_STRING_DATA; + +typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \ + CK_KEY_DERIVATION_STRING_DATA_PTR; + + +/* The CK_EXTRACT_PARAMS is used for the + * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit + * of the base key should be used as the first bit of the + * derived key */ +/* CK_EXTRACT_PARAMS is new for v2.0 */ +typedef CK_ULONG CK_EXTRACT_PARAMS; + +typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR; + +/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10. + * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to + * indicate the Pseudo-Random Function (PRF) used to generate + * key bits using PKCS #5 PBKDF2. */ +typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; + +typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR; + +/* The following PRFs are defined in PKCS #5 v2.0. */ +#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001 + + +/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10. + * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the + * source of the salt value when deriving a key using PKCS #5 + * PBKDF2. */ +typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE; + +typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR; + +/* The following salt value sources are defined in PKCS #5 v2.0. */ +#define CKZ_SALT_SPECIFIED 0x00000001 + +/* CK_PKCS5_PBKD2_PARAMS is new for v2.10. + * CK_PKCS5_PBKD2_PARAMS is a structure that provides the + * parameters to the CKM_PKCS5_PBKD2 mechanism. */ +typedef struct CK_PKCS5_PBKD2_PARAMS { + CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; + CK_VOID_PTR pSaltSourceData; + CK_ULONG ulSaltSourceDataLen; + CK_ULONG iterations; + CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; + CK_VOID_PTR pPrfData; + CK_ULONG ulPrfDataLen; + CK_UTF8CHAR_PTR pPassword; + CK_ULONG_PTR ulPasswordLen; +} CK_PKCS5_PBKD2_PARAMS; + +typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR; + +#endif --- old/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11wrapper.h 2017-01-20 09:53:00.790288108 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,473 +0,0 @@ -/* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * pkcs11wrapper.h - * 18.05.2001 - * - * declaration of all functions used by pkcs11wrapper.c - * - * @author Karl Scheibelhofer - * @author Martin Schlaeffer - */ - -#ifndef _PKCS11WRAPPER_H -#define _PKCS11WRAPPER_H 1 - -/* disable asserts in product mode */ -#ifndef DEBUG - #ifndef NDEBUG - #define NDEBUG - #endif -#endif - -/* extra PKCS#11 constants not in the standard include files */ - -#define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350) -#define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000) - -#define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8) -#define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9) -#define CKA_NETSCAPE_TRUST_CODE_SIGNING (CKA_NETSCAPE_TRUST_BASE + 10) -#define CKA_NETSCAPE_TRUST_EMAIL_PROTECTION (CKA_NETSCAPE_TRUST_BASE + 11) - -/* - - Define the PKCS#11 functions to include and exclude. Reduces the size - of the binary somewhat. - - This list needs to be kept in sync with the mapfile and PKCS11.java - -*/ - -#define P11_ENABLE_C_INITIALIZE -#define P11_ENABLE_C_FINALIZE -#define P11_ENABLE_C_GETINFO -#define P11_ENABLE_C_GETSLOTLIST -#define P11_ENABLE_C_GETSLOTINFO -#define P11_ENABLE_C_GETTOKENINFO -#define P11_ENABLE_C_GETMECHANISMLIST -#define P11_ENABLE_C_GETMECHANISMINFO -#undef P11_ENABLE_C_INITTOKEN -#undef P11_ENABLE_C_INITPIN -#undef P11_ENABLE_C_SETPIN -#define P11_ENABLE_C_OPENSESSION -#define P11_ENABLE_C_CLOSESESSION -#undef P11_ENABLE_C_CLOSEALLSESSIONS -#define P11_ENABLE_C_GETSESSIONINFO -#define P11_ENABLE_C_GETOPERATIONSTATE -#define P11_ENABLE_C_SETOPERATIONSTATE -#define P11_ENABLE_C_LOGIN -#define P11_ENABLE_C_LOGOUT -#define P11_ENABLE_C_CREATEOBJECT -#define P11_ENABLE_C_COPYOBJECT -#define P11_ENABLE_C_DESTROYOBJECT -#undef P11_ENABLE_C_GETOBJECTSIZE -#define P11_ENABLE_C_GETATTRIBUTEVALUE -#define P11_ENABLE_C_SETATTRIBUTEVALUE -#define P11_ENABLE_C_FINDOBJECTSINIT -#define P11_ENABLE_C_FINDOBJECTS -#define P11_ENABLE_C_FINDOBJECTSFINAL -#define P11_ENABLE_C_ENCRYPTINIT -#define P11_ENABLE_C_ENCRYPT -#define P11_ENABLE_C_ENCRYPTUPDATE -#define P11_ENABLE_C_ENCRYPTFINAL -#define P11_ENABLE_C_DECRYPTINIT -#define P11_ENABLE_C_DECRYPT -#define P11_ENABLE_C_DECRYPTUPDATE -#define P11_ENABLE_C_DECRYPTFINAL -#define P11_ENABLE_C_DIGESTINIT -#define P11_ENABLE_C_DIGEST -#define P11_ENABLE_C_DIGESTUPDATE -#define P11_ENABLE_C_DIGESTKEY -#define P11_ENABLE_C_DIGESTFINAL -#define P11_ENABLE_C_SIGNINIT -#define P11_ENABLE_C_SIGN -#define P11_ENABLE_C_SIGNUPDATE -#define P11_ENABLE_C_SIGNFINAL -#define P11_ENABLE_C_SIGNRECOVERINIT -#define P11_ENABLE_C_SIGNRECOVER -#define P11_ENABLE_C_VERIFYINIT -#define P11_ENABLE_C_VERIFY -#define P11_ENABLE_C_VERIFYUPDATE -#define P11_ENABLE_C_VERIFYFINAL -#define P11_ENABLE_C_VERIFYRECOVERINIT -#define P11_ENABLE_C_VERIFYRECOVER -#undef P11_ENABLE_C_DIGESTENCRYPTUPDATE -#undef P11_ENABLE_C_DECRYPTDIGESTUPDATE -#undef P11_ENABLE_C_SIGNENCRYPTUPDATE -#undef P11_ENABLE_C_DECRYPTVERIFYUPDATE -#define P11_ENABLE_C_GENERATEKEY -#define P11_ENABLE_C_GENERATEKEYPAIR -#define P11_ENABLE_C_WRAPKEY -#define P11_ENABLE_C_UNWRAPKEY -#define P11_ENABLE_C_DERIVEKEY -#define P11_ENABLE_C_SEEDRANDOM -#define P11_ENABLE_C_GENERATERANDOM -#undef P11_ENABLE_C_GETFUNCTIONSTATUS -#undef P11_ENABLE_C_CANCELFUNCTION -#undef P11_ENABLE_C_WAITFORSLOTEVENT - -/* include the platform dependent part of the header */ -#include "p11_md.h" - -#include "pkcs11.h" -#include "pkcs-11v2-20a3.h" -#include -#include -#include - -#define MAX_STACK_BUFFER_LEN (4 * 1024) -#define MAX_HEAP_BUFFER_LEN (64 * 1024) - -#define MAX_DIGEST_LEN (64) - -#ifndef min -#define min(a, b) (((a) < (b)) ? (a) : (b)) -#endif - -#define ckBBoolToJBoolean(x) ((x == TRUE) ? JNI_TRUE : JNI_FALSE); -#define jBooleanToCKBBool(x) ((x == JNI_TRUE) ? TRUE : FALSE); - -#define ckByteToJByte(x) ((jbyte) x) -#define jByteToCKByte(x) ((CK_BYTE) x) - -#define ckLongToJLong(x) ((jlong) x) -#define jLongToCKLong(x) ((CK_LONG) x) - -#define ckULongToJLong(x) ((jlong) x) -#define jLongToCKULong(x) ((CK_ULONG) x) - -// For CK_UNAVAILABLE_INFORMATION, always return -1 to avoid 32/64 bit problems. -#define ckULongSpecialToJLong(x) (((x) == CK_UNAVAILABLE_INFORMATION) \ - ? (jlong)-1 : ((jlong) x)) - -#define ckCharToJChar(x) ((jchar) x) -#define jCharToCKChar(x) ((CK_CHAR) x) - -#define ckUTF8CharToJChar(x) ((jchar) x) -#define jCharToCKUTF8Char(x) ((CK_UTF8CHAR) x) - -#define ckFlageToJLong(x) ((jlong) x) - -#define ckVoidPtrToJObject(x) ((jobject) x) -#define jObjectToCKVoidPtr(x) ((CK_VOID_PTR) x) - -#define jIntToCKLong(x) ((CK_LONG) x) -#define jIntToCKULong(x) ((CK_ULONG) x) -#define ckLongToJInt(x) ((jint) x) -#define ckULongToJInt(x) ((jint) x) -#define ckULongToJSize(x) ((jsize) x) -#define unsignedIntToCKULong(x) ((CK_ULONG) x) - -#ifdef P11_DEBUG -#define TRACE0(s) { printf(s); fflush(stdout); } -#define TRACE1(s, p1) { printf(s, p1); fflush(stdout); } -#define TRACE2(s, p1, p2) { printf(s, p1, p2); fflush(stdout); } -#define TRACE3(s, p1, p2, p3) { printf(s, p1, p2, p3); fflush(stdout); } -#else -#define TRACE0(s) -#define TRACE1(s, p1) -#define TRACE2(s, p1, p2) -#define TRACE3(s, p1, p2, p3) -#define TRACE_INTEND -#define TRACE_UNINTEND -#endif - -/* debug output */ -extern jboolean debug; -void printDebug(const char *format, ...); - -#define CK_ASSERT_OK 0L - -#define CLASS_INFO "sun/security/pkcs11/wrapper/CK_INFO" -#define CLASS_VERSION "sun/security/pkcs11/wrapper/CK_VERSION" -#define CLASS_SLOT_INFO "sun/security/pkcs11/wrapper/CK_SLOT_INFO" -#define CLASS_TOKEN_INFO "sun/security/pkcs11/wrapper/CK_TOKEN_INFO" -#define CLASS_MECHANISM "sun/security/pkcs11/wrapper/CK_MECHANISM" -#define CLASS_MECHANISM_INFO "sun/security/pkcs11/wrapper/CK_MECHANISM_INFO" -#define CLASS_SESSION_INFO "sun/security/pkcs11/wrapper/CK_SESSION_INFO" -#define CLASS_ATTRIBUTE "sun/security/pkcs11/wrapper/CK_ATTRIBUTE" -#define CLASS_DATE "sun/security/pkcs11/wrapper/CK_DATE" -#define CLASS_PKCS11EXCEPTION "sun/security/pkcs11/wrapper/PKCS11Exception" -#define CLASS_PKCS11RUNTIMEEXCEPTION "sun/security/pkcs11/wrapper/PKCS11RuntimeException" -#define CLASS_FILE_NOT_FOUND_EXCEPTION "java/io/FileNotFoundException" -#define CLASS_C_INITIALIZE_ARGS "sun/security/pkcs11/wrapper/CK_C_INITIALIZE_ARGS" -#define CLASS_CREATEMUTEX "sun/security/pkcs11/wrapper/CK_CREATEMUTEX" -#define CLASS_DESTROYMUTEX "sun/security/pkcs11/wrapper/CK_DESTROYMUTEX" -#define CLASS_LOCKMUTEX "sun/security/pkcs11/wrapper/CK_LOCKMUTEX" -#define CLASS_UNLOCKMUTEX "sun/security/pkcs11/wrapper/CK_UNLOCKMUTEX" -#define CLASS_NOTIFY "sun/security/pkcs11/wrapper/CK_NOTIFY" - - -/* mechanism parameter classes */ - -#define CLASS_RSA_PKCS_OAEP_PARAMS "sun/security/pkcs11/wrapper/CK_RSA_PKCS_OAEP_PARAMS" -#define CLASS_MAC_GENERAL_PARAMS "sun/security/pkcs11/wrapper/CK_MAC_GENERAL_PARAMS" -#define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS" -#define PBE_INIT_VECTOR_SIZE 8 -#define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS" -#define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS" - -#define CLASS_RSA_PKCS_PSS_PARAMS "sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS" -#define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS" -#define CLASS_ECDH2_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH2_DERIVE_PARAMS" -#define CLASS_X9_42_DH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS" -#define CLASS_X9_42_DH2_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_X9_42_DH2_DERIVE_PARAMS" - -/* -#define CLASS_KEA_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_KEA_DERIVE_PARAMS" -#define CLASS_RC2_PARAMS "sun/security/pkcs11/wrapper/CK_RC2_PARAMS" -#define CLASS_RC2_CBC_PARAMS "sun/security/pkcs11/wrapper/CK_RC2_CBC_PARAMS" -#define CLASS_RC2_MAC_GENERAL_PARAMS "sun/security/pkcs11/wrapper/CK_RC2_MAC_GENERAL_PARAMS" -#define CLASS_RC5_PARAMS "sun/security/pkcs11/wrapper/CK_RC5_PARAMS" -#define CLASS_RC5_CBC_PARAMS "sun/security/pkcs11/wrapper/CK_RC5_CBC_PARAMS" -#define CLASS_RC5_MAC_GENERAL_PARAMS "sun/security/pkcs11/wrapper/CK_RC5_MAC_GENERAL_PARAMS" -#define CLASS_SKIPJACK_PRIVATE_WRAP_PARAMS "sun/security/pkcs11/wrapper/CK_SKIPJACK_PRIVATE_WRAP_PARAMS" -#define CLASS_SKIPJACK_RELAYX_PARAMS "sun/security/pkcs11/wrapper/CK_SKIPJACK_RELAYX_PARAMS" -#define CLASS_KEY_WRAP_SET_OAEP_PARAMS "sun/security/pkcs11/wrapper/CK_KEY_WRAP_SET_OAEP_PARAMS" -#define CLASS_KEY_DERIVATION_STRING_DATA "sun/security/pkcs11/wrapper/CK_KEY_DERIVATION_STRING_DATA" -*/ - -#define CLASS_SSL3_RANDOM_DATA "sun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA" -// CLASS_SSL3_RANDOM_DATA is used by CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS -#define CLASS_SSL3_KEY_MAT_OUT "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT" -// CLASS_SSL3_KEY_MAT_OUT is used by CLASS_SSL3_KEY_MAT_PARAMS -#define CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS" -#define CLASS_SSL3_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS" -#define CLASS_TLS_PRF_PARAMS "sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS" -#define CLASS_AES_CTR_PARAMS "sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS" - -/* function to convert a PKCS#11 return value other than CK_OK into a Java Exception - * or to throw a PKCS11RuntimeException - */ - -jlong ckAssertReturnValueOK(JNIEnv *env, CK_RV returnValue); -void throwOutOfMemoryError(JNIEnv *env, const char *message); -void throwNullPointerException(JNIEnv *env, const char *message); -void throwIOException(JNIEnv *env, const char *message); -void throwPKCS11RuntimeException(JNIEnv *env, const char *message); -void throwDisconnectedRuntimeException(JNIEnv *env); - -/* function to free CK_ATTRIBUTE array - */ -void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len); - -/* funktions to convert Java arrays to a CK-type array and the array length */ - -void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBOOL **ckpArray, CK_ULONG_PTR ckLength); -void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *ckpArray, CK_ULONG_PTR ckLength); -void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR *ckpArray, CK_ULONG_PTR ckLength); -void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *ckpArray, CK_ULONG_PTR ckLength); -void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CHAR_PTR *ckpArray, CK_ULONG_PTR ckLength); -void jStringToCKUTF8CharArray(JNIEnv *env, const jstring jArray, CK_UTF8CHAR_PTR *ckpArray, CK_ULONG_PTR ckpLength); -void jAttributeArrayToCKAttributeArray(JNIEnv *env, jobjectArray jAArray, CK_ATTRIBUTE_PTR *ckpArray, CK_ULONG_PTR ckpLength); -/*void jObjectArrayToCKVoidPtrArray(JNIEnv *env, const jobjectArray jArray, CK_VOID_PTR_PTR ckpArray, CK_ULONG_PTR ckpLength); */ - - -/* funktions to convert a CK-type array and the array length to a Java array */ - -jbyteArray ckByteArrayToJByteArray(JNIEnv *env, const CK_BYTE_PTR ckpArray, CK_ULONG ckLength); -jlongArray ckULongArrayToJLongArray(JNIEnv *env, const CK_ULONG_PTR ckpArray, CK_ULONG ckLength); -jcharArray ckCharArrayToJCharArray(JNIEnv *env, const CK_CHAR_PTR ckpArray, CK_ULONG length); -jcharArray ckUTF8CharArrayToJCharArray(JNIEnv *env, const CK_UTF8CHAR_PTR ckpArray, CK_ULONG ckLength); - - -/* funktions to convert a CK-type structure or a pointer to a CK-value to a Java object */ - -jobject ckBBoolPtrToJBooleanObject(JNIEnv *env, const CK_BBOOL* ckpValue); -jobject ckULongPtrToJLongObject(JNIEnv *env, const CK_ULONG_PTR ckpValue); -jobject ckDatePtrToJDateObject(JNIEnv *env, const CK_DATE *ckpValue); -jobject ckVersionPtrToJVersion(JNIEnv *env, const CK_VERSION_PTR ckpVersion); -jobject ckSessionInfoPtrToJSessionInfo(JNIEnv *env, const CK_SESSION_INFO_PTR ckpSessionInfo); -jobject ckAttributePtrToJAttribute(JNIEnv *env, const CK_ATTRIBUTE_PTR ckpAttribute); - - -/* funktion to convert the CK-value used by the CK_ATTRIBUTE structure to a Java object */ - -jobject ckAttributeValueToJObject(JNIEnv *env, const CK_ATTRIBUTE_PTR ckpAttribute); - - -/* funktions to convert a Java object to a CK-type structure or a pointer to a CK-value */ - -CK_BBOOL* jBooleanObjectToCKBBoolPtr(JNIEnv *env, jobject jObject); -CK_BYTE_PTR jByteObjectToCKBytePtr(JNIEnv *env, jobject jObject); -CK_ULONG* jIntegerObjectToCKULongPtr(JNIEnv *env, jobject jObject); -CK_ULONG* jLongObjectToCKULongPtr(JNIEnv *env, jobject jObject); -CK_CHAR_PTR jCharObjectToCKCharPtr(JNIEnv *env, jobject jObject); -CK_VERSION_PTR jVersionToCKVersionPtr(JNIEnv *env, jobject jVersion); -CK_DATE * jDateObjectPtrToCKDatePtr(JNIEnv *env, jobject jDate); -CK_ATTRIBUTE jAttributeToCKAttribute(JNIEnv *env, jobject jAttribute); -/*CK_MECHANISM jMechanismToCKMechanism(JNIEnv *env, jobject jMechanism);*/ -void jMechanismToCKMechanism(JNIEnv *env, jobject jMechanism, CK_MECHANISM_PTR ckMechanismPtr); - - -/* funktions to convert Java objects used by the Mechanism and Attribute class to a CK-type structure */ - -void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, jobject jObject, CK_VOID_PTR *ckpObjectPtr, CK_ULONG *pLength); -void jMechanismParameterToCKMechanismParameter(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength); - - -/* functions to convert a specific Java mechanism parameter object to a CK-mechanism parameter structure */ - -CK_RSA_PKCS_OAEP_PARAMS jRsaPkcsOaepParamToCKRsaPkcsOaepParam(JNIEnv *env, jobject jParam); -CK_KEA_DERIVE_PARAMS jKeaDeriveParamToCKKeaDeriveParam(JNIEnv *env, jobject jParam); -CK_RC2_CBC_PARAMS jRc2CbcParamToCKRc2CbcParam(JNIEnv *env, jobject jParam); -CK_RC2_MAC_GENERAL_PARAMS jRc2MacGeneralParamToCKRc2MacGeneralParam(JNIEnv *env, jobject jParam); -CK_RC5_PARAMS jRc5ParamToCKRc5Param(JNIEnv *env, jobject jParam); -CK_RC5_CBC_PARAMS jRc5CbcParamToCKRc5CbcParam(JNIEnv *env, jobject jParam); -CK_RC5_MAC_GENERAL_PARAMS jRc5MacGeneralParamToCKRc5MacGeneralParam(JNIEnv *env, jobject jParam); -CK_SKIPJACK_PRIVATE_WRAP_PARAMS jSkipjackPrivateWrapParamToCKSkipjackPrivateWrapParam(JNIEnv *env, jobject jParam); -CK_SKIPJACK_RELAYX_PARAMS jSkipjackRelayxParamToCKSkipjackRelayxParam(JNIEnv *env, jobject jParam); -CK_PBE_PARAMS jPbeParamToCKPbeParam(JNIEnv *env, jobject jParam); -void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); -CK_PKCS5_PBKD2_PARAMS jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(JNIEnv *env, jobject jParam); -CK_KEY_WRAP_SET_OAEP_PARAMS jKeyWrapSetOaepParamToCKKeyWrapSetOaepParam(JNIEnv *env, jobject jParam); -void copyBackSetUnwrappedKey(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); -CK_SSL3_MASTER_KEY_DERIVE_PARAMS jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(JNIEnv *env, jobject jParam); -void copyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); -CK_SSL3_KEY_MAT_PARAMS jSsl3KeyMatParamToCKSsl3KeyMatParam(JNIEnv *env, jobject jParam); -void copyBackSSLKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); -CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam); -CK_RSA_PKCS_PSS_PARAMS jRsaPkcsPssParamToCKRsaPkcsPssParam(JNIEnv *env, jobject jParam); -CK_ECDH1_DERIVE_PARAMS jEcdh1DeriveParamToCKEcdh1DeriveParam(JNIEnv *env, jobject jParam); -CK_ECDH2_DERIVE_PARAMS jEcdh2DeriveParamToCKEcdh2DeriveParam(JNIEnv *env, jobject jParam); -CK_X9_42_DH1_DERIVE_PARAMS jX942Dh1DeriveParamToCKX942Dh1DeriveParam(JNIEnv *env, jobject jParam); -CK_X9_42_DH2_DERIVE_PARAMS jX942Dh2DeriveParamToCKX942Dh2DeriveParam(JNIEnv *env, jobject jParam); - - -/* functions to convert the InitArgs object for calling the right Java mutex functions */ - -CK_C_INITIALIZE_ARGS_PTR makeCKInitArgsAdapter(JNIEnv *env, jobject pInitArgs); - -#ifndef NO_CALLBACKS /* if the library should not make callbacks; e.g. no javai.lib or jvm.lib available */ -CK_RV callJCreateMutex(CK_VOID_PTR_PTR ppMutex); -CK_RV callJDestroyMutex(CK_VOID_PTR pMutex); -CK_RV callJLockMutex(CK_VOID_PTR pMutex); -CK_RV callJUnlockMutex(CK_VOID_PTR pMutex); -#endif /* NO_CALLBACKS */ - -void putModuleEntry(JNIEnv *env, jobject pkcs11Implementation, ModuleData *moduleData); -ModuleData * removeModuleEntry(JNIEnv *env, jobject pkcs11Implementation); -CK_FUNCTION_LIST_PTR getFunctionList(JNIEnv *env, jobject pkcs11Implementation); - -/* A structure to encapsulate the required data for a Notify callback */ -struct NotifyEncapsulation { - - /* The object that implements the CK_NOTIFY interface and which should be - * notified. - */ - jobject jNotifyObject; - - /* The data object to pass back to the Notify object upon callback. */ - jobject jApplicationData; -}; -typedef struct NotifyEncapsulation NotifyEncapsulation; - -/* The function for handling notify callbacks. */ -CK_RV notifyCallback( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_NOTIFICATION event, - CK_VOID_PTR pApplication /* passed to C_OpenSession */ -); - - -/* A node of the list of notify callbacks. To be able to free the resources after use. */ -struct NotifyListNode { - - /* The handle of the session this notify object is attached to*/ - CK_SESSION_HANDLE hSession; - - /* Reference to the Notify encapsulation object that was passed to C_OpenSession. */ - NotifyEncapsulation *notifyEncapsulation; - - /* Pointer to the next node in the list. */ - struct NotifyListNode *next; - -}; -typedef struct NotifyListNode NotifyListNode; - -void putNotifyEntry(JNIEnv *env, CK_SESSION_HANDLE hSession, NotifyEncapsulation *notifyEncapsulation); -NotifyEncapsulation * removeNotifyEntry(JNIEnv *env, CK_SESSION_HANDLE hSession); -NotifyEncapsulation * removeFirstNotifyEntry(JNIEnv *env); - -jobject createLockObject(JNIEnv *env); -void destroyLockObject(JNIEnv *env, jobject jLockObject); - -extern jfieldID pNativeDataID; -extern jfieldID mech_mechanismID; -extern jfieldID mech_pParameterID; - -extern jclass jByteArrayClass; -extern jclass jLongClass; - -#ifndef NO_CALLBACKS -extern NotifyListNode *notifyListHead; -extern jobject notifyListLock; - -extern jobject jInitArgsObject; -extern CK_C_INITIALIZE_ARGS_PTR ckpGlobalInitArgs; -#endif /* NO_CALLBACKS */ - -#ifdef P11_MEMORYDEBUG -#include - -/* Simple malloc/free dumper */ -void *p11malloc(size_t c, char *file, int line); -void p11free(void *p, char *file, int line); - -/* Use THIS_FILE when it is available. */ -#ifndef THIS_FILE - #define THIS_FILE __FILE__ -#endif - -#define malloc(c) (p11malloc((c), THIS_FILE, __LINE__)) -#define free(c) (p11free((c), THIS_FILE, __LINE__)) - -#endif - -#endif /* _PKCS11WRAPPER_H */ --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h 2017-01-20 09:53:00.570288117 -0800 @@ -0,0 +1,473 @@ +/* + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * pkcs11wrapper.h + * 18.05.2001 + * + * declaration of all functions used by pkcs11wrapper.c + * + * @author Karl Scheibelhofer + * @author Martin Schlaeffer + */ + +#ifndef _PKCS11WRAPPER_H +#define _PKCS11WRAPPER_H 1 + +/* disable asserts in product mode */ +#ifndef DEBUG + #ifndef NDEBUG + #define NDEBUG + #endif +#endif + +/* extra PKCS#11 constants not in the standard include files */ + +#define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350) +#define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000) + +#define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8) +#define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9) +#define CKA_NETSCAPE_TRUST_CODE_SIGNING (CKA_NETSCAPE_TRUST_BASE + 10) +#define CKA_NETSCAPE_TRUST_EMAIL_PROTECTION (CKA_NETSCAPE_TRUST_BASE + 11) + +/* + + Define the PKCS#11 functions to include and exclude. Reduces the size + of the binary somewhat. + + This list needs to be kept in sync with the mapfile and PKCS11.java + +*/ + +#define P11_ENABLE_C_INITIALIZE +#define P11_ENABLE_C_FINALIZE +#define P11_ENABLE_C_GETINFO +#define P11_ENABLE_C_GETSLOTLIST +#define P11_ENABLE_C_GETSLOTINFO +#define P11_ENABLE_C_GETTOKENINFO +#define P11_ENABLE_C_GETMECHANISMLIST +#define P11_ENABLE_C_GETMECHANISMINFO +#undef P11_ENABLE_C_INITTOKEN +#undef P11_ENABLE_C_INITPIN +#undef P11_ENABLE_C_SETPIN +#define P11_ENABLE_C_OPENSESSION +#define P11_ENABLE_C_CLOSESESSION +#undef P11_ENABLE_C_CLOSEALLSESSIONS +#define P11_ENABLE_C_GETSESSIONINFO +#define P11_ENABLE_C_GETOPERATIONSTATE +#define P11_ENABLE_C_SETOPERATIONSTATE +#define P11_ENABLE_C_LOGIN +#define P11_ENABLE_C_LOGOUT +#define P11_ENABLE_C_CREATEOBJECT +#define P11_ENABLE_C_COPYOBJECT +#define P11_ENABLE_C_DESTROYOBJECT +#undef P11_ENABLE_C_GETOBJECTSIZE +#define P11_ENABLE_C_GETATTRIBUTEVALUE +#define P11_ENABLE_C_SETATTRIBUTEVALUE +#define P11_ENABLE_C_FINDOBJECTSINIT +#define P11_ENABLE_C_FINDOBJECTS +#define P11_ENABLE_C_FINDOBJECTSFINAL +#define P11_ENABLE_C_ENCRYPTINIT +#define P11_ENABLE_C_ENCRYPT +#define P11_ENABLE_C_ENCRYPTUPDATE +#define P11_ENABLE_C_ENCRYPTFINAL +#define P11_ENABLE_C_DECRYPTINIT +#define P11_ENABLE_C_DECRYPT +#define P11_ENABLE_C_DECRYPTUPDATE +#define P11_ENABLE_C_DECRYPTFINAL +#define P11_ENABLE_C_DIGESTINIT +#define P11_ENABLE_C_DIGEST +#define P11_ENABLE_C_DIGESTUPDATE +#define P11_ENABLE_C_DIGESTKEY +#define P11_ENABLE_C_DIGESTFINAL +#define P11_ENABLE_C_SIGNINIT +#define P11_ENABLE_C_SIGN +#define P11_ENABLE_C_SIGNUPDATE +#define P11_ENABLE_C_SIGNFINAL +#define P11_ENABLE_C_SIGNRECOVERINIT +#define P11_ENABLE_C_SIGNRECOVER +#define P11_ENABLE_C_VERIFYINIT +#define P11_ENABLE_C_VERIFY +#define P11_ENABLE_C_VERIFYUPDATE +#define P11_ENABLE_C_VERIFYFINAL +#define P11_ENABLE_C_VERIFYRECOVERINIT +#define P11_ENABLE_C_VERIFYRECOVER +#undef P11_ENABLE_C_DIGESTENCRYPTUPDATE +#undef P11_ENABLE_C_DECRYPTDIGESTUPDATE +#undef P11_ENABLE_C_SIGNENCRYPTUPDATE +#undef P11_ENABLE_C_DECRYPTVERIFYUPDATE +#define P11_ENABLE_C_GENERATEKEY +#define P11_ENABLE_C_GENERATEKEYPAIR +#define P11_ENABLE_C_WRAPKEY +#define P11_ENABLE_C_UNWRAPKEY +#define P11_ENABLE_C_DERIVEKEY +#define P11_ENABLE_C_SEEDRANDOM +#define P11_ENABLE_C_GENERATERANDOM +#undef P11_ENABLE_C_GETFUNCTIONSTATUS +#undef P11_ENABLE_C_CANCELFUNCTION +#undef P11_ENABLE_C_WAITFORSLOTEVENT + +/* include the platform dependent part of the header */ +#include "p11_md.h" + +#include "pkcs11.h" +#include "pkcs-11v2-20a3.h" +#include +#include +#include + +#define MAX_STACK_BUFFER_LEN (4 * 1024) +#define MAX_HEAP_BUFFER_LEN (64 * 1024) + +#define MAX_DIGEST_LEN (64) + +#ifndef min +#define min(a, b) (((a) < (b)) ? (a) : (b)) +#endif + +#define ckBBoolToJBoolean(x) ((x == TRUE) ? JNI_TRUE : JNI_FALSE); +#define jBooleanToCKBBool(x) ((x == JNI_TRUE) ? TRUE : FALSE); + +#define ckByteToJByte(x) ((jbyte) x) +#define jByteToCKByte(x) ((CK_BYTE) x) + +#define ckLongToJLong(x) ((jlong) x) +#define jLongToCKLong(x) ((CK_LONG) x) + +#define ckULongToJLong(x) ((jlong) x) +#define jLongToCKULong(x) ((CK_ULONG) x) + +// For CK_UNAVAILABLE_INFORMATION, always return -1 to avoid 32/64 bit problems. +#define ckULongSpecialToJLong(x) (((x) == CK_UNAVAILABLE_INFORMATION) \ + ? (jlong)-1 : ((jlong) x)) + +#define ckCharToJChar(x) ((jchar) x) +#define jCharToCKChar(x) ((CK_CHAR) x) + +#define ckUTF8CharToJChar(x) ((jchar) x) +#define jCharToCKUTF8Char(x) ((CK_UTF8CHAR) x) + +#define ckFlageToJLong(x) ((jlong) x) + +#define ckVoidPtrToJObject(x) ((jobject) x) +#define jObjectToCKVoidPtr(x) ((CK_VOID_PTR) x) + +#define jIntToCKLong(x) ((CK_LONG) x) +#define jIntToCKULong(x) ((CK_ULONG) x) +#define ckLongToJInt(x) ((jint) x) +#define ckULongToJInt(x) ((jint) x) +#define ckULongToJSize(x) ((jsize) x) +#define unsignedIntToCKULong(x) ((CK_ULONG) x) + +#ifdef P11_DEBUG +#define TRACE0(s) { printf(s); fflush(stdout); } +#define TRACE1(s, p1) { printf(s, p1); fflush(stdout); } +#define TRACE2(s, p1, p2) { printf(s, p1, p2); fflush(stdout); } +#define TRACE3(s, p1, p2, p3) { printf(s, p1, p2, p3); fflush(stdout); } +#else +#define TRACE0(s) +#define TRACE1(s, p1) +#define TRACE2(s, p1, p2) +#define TRACE3(s, p1, p2, p3) +#define TRACE_INTEND +#define TRACE_UNINTEND +#endif + +/* debug output */ +extern jboolean debug; +void printDebug(const char *format, ...); + +#define CK_ASSERT_OK 0L + +#define CLASS_INFO "sun/security/pkcs11/wrapper/CK_INFO" +#define CLASS_VERSION "sun/security/pkcs11/wrapper/CK_VERSION" +#define CLASS_SLOT_INFO "sun/security/pkcs11/wrapper/CK_SLOT_INFO" +#define CLASS_TOKEN_INFO "sun/security/pkcs11/wrapper/CK_TOKEN_INFO" +#define CLASS_MECHANISM "sun/security/pkcs11/wrapper/CK_MECHANISM" +#define CLASS_MECHANISM_INFO "sun/security/pkcs11/wrapper/CK_MECHANISM_INFO" +#define CLASS_SESSION_INFO "sun/security/pkcs11/wrapper/CK_SESSION_INFO" +#define CLASS_ATTRIBUTE "sun/security/pkcs11/wrapper/CK_ATTRIBUTE" +#define CLASS_DATE "sun/security/pkcs11/wrapper/CK_DATE" +#define CLASS_PKCS11EXCEPTION "sun/security/pkcs11/wrapper/PKCS11Exception" +#define CLASS_PKCS11RUNTIMEEXCEPTION "sun/security/pkcs11/wrapper/PKCS11RuntimeException" +#define CLASS_FILE_NOT_FOUND_EXCEPTION "java/io/FileNotFoundException" +#define CLASS_C_INITIALIZE_ARGS "sun/security/pkcs11/wrapper/CK_C_INITIALIZE_ARGS" +#define CLASS_CREATEMUTEX "sun/security/pkcs11/wrapper/CK_CREATEMUTEX" +#define CLASS_DESTROYMUTEX "sun/security/pkcs11/wrapper/CK_DESTROYMUTEX" +#define CLASS_LOCKMUTEX "sun/security/pkcs11/wrapper/CK_LOCKMUTEX" +#define CLASS_UNLOCKMUTEX "sun/security/pkcs11/wrapper/CK_UNLOCKMUTEX" +#define CLASS_NOTIFY "sun/security/pkcs11/wrapper/CK_NOTIFY" + + +/* mechanism parameter classes */ + +#define CLASS_RSA_PKCS_OAEP_PARAMS "sun/security/pkcs11/wrapper/CK_RSA_PKCS_OAEP_PARAMS" +#define CLASS_MAC_GENERAL_PARAMS "sun/security/pkcs11/wrapper/CK_MAC_GENERAL_PARAMS" +#define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS" +#define PBE_INIT_VECTOR_SIZE 8 +#define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS" +#define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS" + +#define CLASS_RSA_PKCS_PSS_PARAMS "sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS" +#define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS" +#define CLASS_ECDH2_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH2_DERIVE_PARAMS" +#define CLASS_X9_42_DH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS" +#define CLASS_X9_42_DH2_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_X9_42_DH2_DERIVE_PARAMS" + +/* +#define CLASS_KEA_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_KEA_DERIVE_PARAMS" +#define CLASS_RC2_PARAMS "sun/security/pkcs11/wrapper/CK_RC2_PARAMS" +#define CLASS_RC2_CBC_PARAMS "sun/security/pkcs11/wrapper/CK_RC2_CBC_PARAMS" +#define CLASS_RC2_MAC_GENERAL_PARAMS "sun/security/pkcs11/wrapper/CK_RC2_MAC_GENERAL_PARAMS" +#define CLASS_RC5_PARAMS "sun/security/pkcs11/wrapper/CK_RC5_PARAMS" +#define CLASS_RC5_CBC_PARAMS "sun/security/pkcs11/wrapper/CK_RC5_CBC_PARAMS" +#define CLASS_RC5_MAC_GENERAL_PARAMS "sun/security/pkcs11/wrapper/CK_RC5_MAC_GENERAL_PARAMS" +#define CLASS_SKIPJACK_PRIVATE_WRAP_PARAMS "sun/security/pkcs11/wrapper/CK_SKIPJACK_PRIVATE_WRAP_PARAMS" +#define CLASS_SKIPJACK_RELAYX_PARAMS "sun/security/pkcs11/wrapper/CK_SKIPJACK_RELAYX_PARAMS" +#define CLASS_KEY_WRAP_SET_OAEP_PARAMS "sun/security/pkcs11/wrapper/CK_KEY_WRAP_SET_OAEP_PARAMS" +#define CLASS_KEY_DERIVATION_STRING_DATA "sun/security/pkcs11/wrapper/CK_KEY_DERIVATION_STRING_DATA" +*/ + +#define CLASS_SSL3_RANDOM_DATA "sun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA" +// CLASS_SSL3_RANDOM_DATA is used by CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS +#define CLASS_SSL3_KEY_MAT_OUT "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT" +// CLASS_SSL3_KEY_MAT_OUT is used by CLASS_SSL3_KEY_MAT_PARAMS +#define CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS" +#define CLASS_SSL3_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS" +#define CLASS_TLS_PRF_PARAMS "sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS" +#define CLASS_AES_CTR_PARAMS "sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS" + +/* function to convert a PKCS#11 return value other than CK_OK into a Java Exception + * or to throw a PKCS11RuntimeException + */ + +jlong ckAssertReturnValueOK(JNIEnv *env, CK_RV returnValue); +void throwOutOfMemoryError(JNIEnv *env, const char *message); +void throwNullPointerException(JNIEnv *env, const char *message); +void throwIOException(JNIEnv *env, const char *message); +void throwPKCS11RuntimeException(JNIEnv *env, const char *message); +void throwDisconnectedRuntimeException(JNIEnv *env); + +/* function to free CK_ATTRIBUTE array + */ +void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len); + +/* funktions to convert Java arrays to a CK-type array and the array length */ + +void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBOOL **ckpArray, CK_ULONG_PTR ckLength); +void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *ckpArray, CK_ULONG_PTR ckLength); +void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR *ckpArray, CK_ULONG_PTR ckLength); +void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *ckpArray, CK_ULONG_PTR ckLength); +void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CHAR_PTR *ckpArray, CK_ULONG_PTR ckLength); +void jStringToCKUTF8CharArray(JNIEnv *env, const jstring jArray, CK_UTF8CHAR_PTR *ckpArray, CK_ULONG_PTR ckpLength); +void jAttributeArrayToCKAttributeArray(JNIEnv *env, jobjectArray jAArray, CK_ATTRIBUTE_PTR *ckpArray, CK_ULONG_PTR ckpLength); +/*void jObjectArrayToCKVoidPtrArray(JNIEnv *env, const jobjectArray jArray, CK_VOID_PTR_PTR ckpArray, CK_ULONG_PTR ckpLength); */ + + +/* funktions to convert a CK-type array and the array length to a Java array */ + +jbyteArray ckByteArrayToJByteArray(JNIEnv *env, const CK_BYTE_PTR ckpArray, CK_ULONG ckLength); +jlongArray ckULongArrayToJLongArray(JNIEnv *env, const CK_ULONG_PTR ckpArray, CK_ULONG ckLength); +jcharArray ckCharArrayToJCharArray(JNIEnv *env, const CK_CHAR_PTR ckpArray, CK_ULONG length); +jcharArray ckUTF8CharArrayToJCharArray(JNIEnv *env, const CK_UTF8CHAR_PTR ckpArray, CK_ULONG ckLength); + + +/* funktions to convert a CK-type structure or a pointer to a CK-value to a Java object */ + +jobject ckBBoolPtrToJBooleanObject(JNIEnv *env, const CK_BBOOL* ckpValue); +jobject ckULongPtrToJLongObject(JNIEnv *env, const CK_ULONG_PTR ckpValue); +jobject ckDatePtrToJDateObject(JNIEnv *env, const CK_DATE *ckpValue); +jobject ckVersionPtrToJVersion(JNIEnv *env, const CK_VERSION_PTR ckpVersion); +jobject ckSessionInfoPtrToJSessionInfo(JNIEnv *env, const CK_SESSION_INFO_PTR ckpSessionInfo); +jobject ckAttributePtrToJAttribute(JNIEnv *env, const CK_ATTRIBUTE_PTR ckpAttribute); + + +/* funktion to convert the CK-value used by the CK_ATTRIBUTE structure to a Java object */ + +jobject ckAttributeValueToJObject(JNIEnv *env, const CK_ATTRIBUTE_PTR ckpAttribute); + + +/* funktions to convert a Java object to a CK-type structure or a pointer to a CK-value */ + +CK_BBOOL* jBooleanObjectToCKBBoolPtr(JNIEnv *env, jobject jObject); +CK_BYTE_PTR jByteObjectToCKBytePtr(JNIEnv *env, jobject jObject); +CK_ULONG* jIntegerObjectToCKULongPtr(JNIEnv *env, jobject jObject); +CK_ULONG* jLongObjectToCKULongPtr(JNIEnv *env, jobject jObject); +CK_CHAR_PTR jCharObjectToCKCharPtr(JNIEnv *env, jobject jObject); +CK_VERSION_PTR jVersionToCKVersionPtr(JNIEnv *env, jobject jVersion); +CK_DATE * jDateObjectPtrToCKDatePtr(JNIEnv *env, jobject jDate); +CK_ATTRIBUTE jAttributeToCKAttribute(JNIEnv *env, jobject jAttribute); +/*CK_MECHANISM jMechanismToCKMechanism(JNIEnv *env, jobject jMechanism);*/ +void jMechanismToCKMechanism(JNIEnv *env, jobject jMechanism, CK_MECHANISM_PTR ckMechanismPtr); + + +/* funktions to convert Java objects used by the Mechanism and Attribute class to a CK-type structure */ + +void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, jobject jObject, CK_VOID_PTR *ckpObjectPtr, CK_ULONG *pLength); +void jMechanismParameterToCKMechanismParameter(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength); + + +/* functions to convert a specific Java mechanism parameter object to a CK-mechanism parameter structure */ + +CK_RSA_PKCS_OAEP_PARAMS jRsaPkcsOaepParamToCKRsaPkcsOaepParam(JNIEnv *env, jobject jParam); +CK_KEA_DERIVE_PARAMS jKeaDeriveParamToCKKeaDeriveParam(JNIEnv *env, jobject jParam); +CK_RC2_CBC_PARAMS jRc2CbcParamToCKRc2CbcParam(JNIEnv *env, jobject jParam); +CK_RC2_MAC_GENERAL_PARAMS jRc2MacGeneralParamToCKRc2MacGeneralParam(JNIEnv *env, jobject jParam); +CK_RC5_PARAMS jRc5ParamToCKRc5Param(JNIEnv *env, jobject jParam); +CK_RC5_CBC_PARAMS jRc5CbcParamToCKRc5CbcParam(JNIEnv *env, jobject jParam); +CK_RC5_MAC_GENERAL_PARAMS jRc5MacGeneralParamToCKRc5MacGeneralParam(JNIEnv *env, jobject jParam); +CK_SKIPJACK_PRIVATE_WRAP_PARAMS jSkipjackPrivateWrapParamToCKSkipjackPrivateWrapParam(JNIEnv *env, jobject jParam); +CK_SKIPJACK_RELAYX_PARAMS jSkipjackRelayxParamToCKSkipjackRelayxParam(JNIEnv *env, jobject jParam); +CK_PBE_PARAMS jPbeParamToCKPbeParam(JNIEnv *env, jobject jParam); +void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); +CK_PKCS5_PBKD2_PARAMS jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(JNIEnv *env, jobject jParam); +CK_KEY_WRAP_SET_OAEP_PARAMS jKeyWrapSetOaepParamToCKKeyWrapSetOaepParam(JNIEnv *env, jobject jParam); +void copyBackSetUnwrappedKey(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); +CK_SSL3_MASTER_KEY_DERIVE_PARAMS jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(JNIEnv *env, jobject jParam); +void copyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); +CK_SSL3_KEY_MAT_PARAMS jSsl3KeyMatParamToCKSsl3KeyMatParam(JNIEnv *env, jobject jParam); +void copyBackSSLKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); +CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam); +CK_RSA_PKCS_PSS_PARAMS jRsaPkcsPssParamToCKRsaPkcsPssParam(JNIEnv *env, jobject jParam); +CK_ECDH1_DERIVE_PARAMS jEcdh1DeriveParamToCKEcdh1DeriveParam(JNIEnv *env, jobject jParam); +CK_ECDH2_DERIVE_PARAMS jEcdh2DeriveParamToCKEcdh2DeriveParam(JNIEnv *env, jobject jParam); +CK_X9_42_DH1_DERIVE_PARAMS jX942Dh1DeriveParamToCKX942Dh1DeriveParam(JNIEnv *env, jobject jParam); +CK_X9_42_DH2_DERIVE_PARAMS jX942Dh2DeriveParamToCKX942Dh2DeriveParam(JNIEnv *env, jobject jParam); + + +/* functions to convert the InitArgs object for calling the right Java mutex functions */ + +CK_C_INITIALIZE_ARGS_PTR makeCKInitArgsAdapter(JNIEnv *env, jobject pInitArgs); + +#ifndef NO_CALLBACKS /* if the library should not make callbacks; e.g. no javai.lib or jvm.lib available */ +CK_RV callJCreateMutex(CK_VOID_PTR_PTR ppMutex); +CK_RV callJDestroyMutex(CK_VOID_PTR pMutex); +CK_RV callJLockMutex(CK_VOID_PTR pMutex); +CK_RV callJUnlockMutex(CK_VOID_PTR pMutex); +#endif /* NO_CALLBACKS */ + +void putModuleEntry(JNIEnv *env, jobject pkcs11Implementation, ModuleData *moduleData); +ModuleData * removeModuleEntry(JNIEnv *env, jobject pkcs11Implementation); +CK_FUNCTION_LIST_PTR getFunctionList(JNIEnv *env, jobject pkcs11Implementation); + +/* A structure to encapsulate the required data for a Notify callback */ +struct NotifyEncapsulation { + + /* The object that implements the CK_NOTIFY interface and which should be + * notified. + */ + jobject jNotifyObject; + + /* The data object to pass back to the Notify object upon callback. */ + jobject jApplicationData; +}; +typedef struct NotifyEncapsulation NotifyEncapsulation; + +/* The function for handling notify callbacks. */ +CK_RV notifyCallback( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_NOTIFICATION event, + CK_VOID_PTR pApplication /* passed to C_OpenSession */ +); + + +/* A node of the list of notify callbacks. To be able to free the resources after use. */ +struct NotifyListNode { + + /* The handle of the session this notify object is attached to*/ + CK_SESSION_HANDLE hSession; + + /* Reference to the Notify encapsulation object that was passed to C_OpenSession. */ + NotifyEncapsulation *notifyEncapsulation; + + /* Pointer to the next node in the list. */ + struct NotifyListNode *next; + +}; +typedef struct NotifyListNode NotifyListNode; + +void putNotifyEntry(JNIEnv *env, CK_SESSION_HANDLE hSession, NotifyEncapsulation *notifyEncapsulation); +NotifyEncapsulation * removeNotifyEntry(JNIEnv *env, CK_SESSION_HANDLE hSession); +NotifyEncapsulation * removeFirstNotifyEntry(JNIEnv *env); + +jobject createLockObject(JNIEnv *env); +void destroyLockObject(JNIEnv *env, jobject jLockObject); + +extern jfieldID pNativeDataID; +extern jfieldID mech_mechanismID; +extern jfieldID mech_pParameterID; + +extern jclass jByteArrayClass; +extern jclass jLongClass; + +#ifndef NO_CALLBACKS +extern NotifyListNode *notifyListHead; +extern jobject notifyListLock; + +extern jobject jInitArgsObject; +extern CK_C_INITIALIZE_ARGS_PTR ckpGlobalInitArgs; +#endif /* NO_CALLBACKS */ + +#ifdef P11_MEMORYDEBUG +#include + +/* Simple malloc/free dumper */ +void *p11malloc(size_t c, char *file, int line); +void p11free(void *p, char *file, int line); + +/* Use THIS_FILE when it is available. */ +#ifndef THIS_FILE + #define THIS_FILE __FILE__ +#endif + +#define malloc(c) (p11malloc((c), THIS_FILE, __LINE__)) +#define free(c) (p11free((c), THIS_FILE, __LINE__)) + +#endif + +#endif /* _PKCS11WRAPPER_H */ --- old/src/jdk.crypto.token/solaris/conf/security/sunpkcs11-solaris.cfg 2017-01-20 09:53:01.134288095 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,23 +0,0 @@ -# -# Configuration file to allow the SunPKCS11 provider to utilize -# the Solaris Cryptographic Framework, if it is available -# - -name = Solaris - -description = SunPKCS11 accessing Solaris Cryptographic Framework - -library = /usr/lib/$ISA/libpkcs11.so - -handleStartupErrors = ignoreAll - -# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString). -useEcX963Encoding = true - -attributes = compatibility - -disabledMechanisms = { - CKM_DSA_KEY_PAIR_GEN - SecureRandom -} - --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/solaris/conf/security/sunpkcs11-solaris.cfg 2017-01-20 09:53:00.914288104 -0800 @@ -0,0 +1,23 @@ +# +# Configuration file to allow the SunPKCS11 provider to utilize +# the Solaris Cryptographic Framework, if it is available +# + +name = Solaris + +description = SunPKCS11 accessing Solaris Cryptographic Framework + +library = /usr/lib/$ISA/libpkcs11.so + +handleStartupErrors = ignoreAll + +# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString). +useEcX963Encoding = true + +attributes = compatibility + +disabledMechanisms = { + CKM_DSA_KEY_PAIR_GEN + SecureRandom +} + --- old/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.c 2017-01-20 09:53:01.482288082 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,89 +0,0 @@ -/* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -#include -#include -#include - -#include - -#include - -#include "j2secmod.h" -#include "pkcs11wrapper.h" - -void *findFunction(JNIEnv *env, jlong jHandle, const char *functionName) { - void *hModule = (void*)jlong_to_ptr(jHandle); - void *fAddress = dlsym(hModule, functionName); - if (fAddress == NULL) { - char errorMessage[256]; - snprintf(errorMessage, sizeof(errorMessage), "Symbol not found: %s", functionName); - throwNullPointerException(env, errorMessage); - return NULL; - } - return fAddress; -} - -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_Secmod_nssGetLibraryHandle - (JNIEnv *env, jclass thisClass, jstring jLibName) -{ - void *hModule; - const char *libName = (*env)->GetStringUTFChars(env, jLibName, NULL); - if (libName == NULL) { - return 0L; - } - - // look up existing handle only, do not load -#if defined(AIX) - hModule = dlopen(libName, RTLD_LAZY); -#else - hModule = dlopen(libName, RTLD_NOLOAD); -#endif - dprintf2("-handle for %s: %u\n", libName, hModule); - (*env)->ReleaseStringUTFChars(env, jLibName, libName); - return ptr_to_jlong(hModule); -} - -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_Secmod_nssLoadLibrary - (JNIEnv *env, jclass thisClass, jstring jLibName) -{ - void *hModule; - const char *libName = (*env)->GetStringUTFChars(env, jLibName, NULL); - if (libName == NULL) { - return 0L; - } - - dprintf1("-lib %s\n", libName); - hModule = dlopen(libName, RTLD_LAZY); - (*env)->ReleaseStringUTFChars(env, jLibName, libName); - dprintf2("-handle: %u (0X%X)\n", hModule, hModule); - - if (hModule == NULL) { - throwIOException(env, dlerror()); - return 0; - } - - return ptr_to_jlong(hModule); -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/j2secmod_md.c 2017-01-20 09:53:01.262288091 -0800 @@ -0,0 +1,89 @@ +/* + * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +#include +#include +#include + +#include + +#include + +#include "j2secmod.h" +#include "pkcs11wrapper.h" + +void *findFunction(JNIEnv *env, jlong jHandle, const char *functionName) { + void *hModule = (void*)jlong_to_ptr(jHandle); + void *fAddress = dlsym(hModule, functionName); + if (fAddress == NULL) { + char errorMessage[256]; + snprintf(errorMessage, sizeof(errorMessage), "Symbol not found: %s", functionName); + throwNullPointerException(env, errorMessage); + return NULL; + } + return fAddress; +} + +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_Secmod_nssGetLibraryHandle + (JNIEnv *env, jclass thisClass, jstring jLibName) +{ + void *hModule; + const char *libName = (*env)->GetStringUTFChars(env, jLibName, NULL); + if (libName == NULL) { + return 0L; + } + + // look up existing handle only, do not load +#if defined(AIX) + hModule = dlopen(libName, RTLD_LAZY); +#else + hModule = dlopen(libName, RTLD_NOLOAD); +#endif + dprintf2("-handle for %s: %u\n", libName, hModule); + (*env)->ReleaseStringUTFChars(env, jLibName, libName); + return ptr_to_jlong(hModule); +} + +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_Secmod_nssLoadLibrary + (JNIEnv *env, jclass thisClass, jstring jLibName) +{ + void *hModule; + const char *libName = (*env)->GetStringUTFChars(env, jLibName, NULL); + if (libName == NULL) { + return 0L; + } + + dprintf1("-lib %s\n", libName); + hModule = dlopen(libName, RTLD_LAZY); + (*env)->ReleaseStringUTFChars(env, jLibName, libName); + dprintf2("-handle: %u (0X%X)\n", hModule, hModule); + + if (hModule == NULL) { + throwIOException(env, dlerror()); + return 0; + } + + return ptr_to_jlong(hModule); +} --- old/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.h 2017-01-20 09:53:01.826288069 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,45 +0,0 @@ -/* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -// in nss.h: -// extern PRBool NSS_VersionCheck(const char *importedVersion); -// extern SECStatus NSS_Initialize(const char *configdir, -// const char *certPrefix, const char *keyPrefix, -// const char *secmodName, PRUint32 flags); - -typedef int (*FPTR_VersionCheck)(const char *importedVersion); -typedef int (*FPTR_Initialize)(const char *configdir, - const char *certPrefix, const char *keyPrefix, - const char *secmodName, unsigned int flags); - -// in secmod.h -//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, -// PRBool recurse); -//char **SECMOD_GetModuleSpecList(SECMODModule *module); -//extern SECMODModuleList *SECMOD_GetDBModuleList(void); - -typedef void *(*FPTR_LoadModule)(char *moduleSpec, void *parent, int recurse); -typedef char **(*FPTR_GetModuleSpecList)(void *module); -typedef void *(*FPTR_GetDBModuleList)(void); --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/j2secmod_md.h 2017-01-20 09:53:01.606288078 -0800 @@ -0,0 +1,45 @@ +/* + * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// in nss.h: +// extern PRBool NSS_VersionCheck(const char *importedVersion); +// extern SECStatus NSS_Initialize(const char *configdir, +// const char *certPrefix, const char *keyPrefix, +// const char *secmodName, PRUint32 flags); + +typedef int (*FPTR_VersionCheck)(const char *importedVersion); +typedef int (*FPTR_Initialize)(const char *configdir, + const char *certPrefix, const char *keyPrefix, + const char *secmodName, unsigned int flags); + +// in secmod.h +//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, +// PRBool recurse); +//char **SECMOD_GetModuleSpecList(SECMODModule *module); +//extern SECMODModuleList *SECMOD_GetDBModuleList(void); + +typedef void *(*FPTR_LoadModule)(char *moduleSpec, void *parent, int recurse); +typedef char **(*FPTR_GetModuleSpecList)(void *module); +typedef void *(*FPTR_GetDBModuleList)(void); --- old/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.c 2017-01-20 09:53:02.170288056 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,183 +0,0 @@ -/* - * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * pkcs11wrapper.c - * 18.05.2001 - * - * This module contains the native functions of the Java to PKCS#11 interface - * which are platform dependent. This includes loading a dynamic link libary, - * retrieving the function list and unloading the dynamic link library. - * - * @author Karl Scheibelhofer - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include - -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: connect - * Signature: (Ljava/lang/String;)V - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect - (JNIEnv *env, jobject obj, jstring jPkcs11ModulePath, jstring jGetFunctionList) -{ - void *hModule; - char *error; - CK_C_GetFunctionList C_GetFunctionList=NULL; - CK_RV rv; - ModuleData *moduleData; - jobject globalPKCS11ImplementationReference; - char *systemErrorMessage; - char *exceptionMessage; - const char *getFunctionListStr; - - const char *libraryNameStr = (*env)->GetStringUTFChars(env, jPkcs11ModulePath, 0); - if (libraryNameStr == NULL) { - return; - } - TRACE1("DEBUG: connect to PKCS#11 module: %s ... ", libraryNameStr); - - - /* - * Load the PKCS #11 DLL - */ - dlerror(); /* clear any old error message not fetched */ -#ifdef DEBUG - hModule = dlopen(libraryNameStr, RTLD_NOW); -#else - hModule = dlopen(libraryNameStr, RTLD_LAZY); -#endif /* DEBUG */ - - if (hModule == NULL) { - systemErrorMessage = dlerror(); - exceptionMessage = (char *) malloc(sizeof(char) * (strlen(systemErrorMessage) + strlen(libraryNameStr) + 1)); - if (exceptionMessage == NULL) { - throwOutOfMemoryError(env, 0); - return; - } - strcpy(exceptionMessage, systemErrorMessage); - strcat(exceptionMessage, libraryNameStr); - throwIOException(env, exceptionMessage); - (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr); - free(exceptionMessage); - return; - } - - /* - * Get function pointer to C_GetFunctionList - */ - dlerror(); /* clear any old error message not fetched */ - // with the old JAR file jGetFunctionList is null, temporarily check for that - if (jGetFunctionList != NULL) { - getFunctionListStr = (*env)->GetStringUTFChars(env, jGetFunctionList, 0); - if (getFunctionListStr == NULL) { - return; - } - C_GetFunctionList = (CK_C_GetFunctionList) dlsym(hModule, getFunctionListStr); - (*env)->ReleaseStringUTFChars(env, jGetFunctionList, getFunctionListStr); - } - if (C_GetFunctionList == NULL) { - throwIOException(env, "ERROR: C_GetFunctionList == NULL"); - return; - } else if ( (systemErrorMessage = dlerror()) != NULL ){ - throwIOException(env, systemErrorMessage); - return; - } - - /* - * Get function pointers to all PKCS #11 functions - */ - moduleData = (ModuleData *) malloc(sizeof(ModuleData)); - if (moduleData == NULL) { - dlclose(hModule); - throwOutOfMemoryError(env, 0); - return; - } - moduleData->hModule = hModule; - moduleData->applicationMutexHandler = NULL; - rv = (C_GetFunctionList)(&(moduleData->ckFunctionListPtr)); - globalPKCS11ImplementationReference = (*env)->NewGlobalRef(env, obj); - putModuleEntry(env, globalPKCS11ImplementationReference, moduleData); - - (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr); - TRACE0("FINISHED\n"); - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} - -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: disconnect - * Signature: ()V - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_disconnect - (JNIEnv *env, jobject obj) -{ - ModuleData *moduleData; - TRACE0("DEBUG: disconnecting module..."); - moduleData = removeModuleEntry(env, obj); - - if (moduleData != NULL) { - dlclose(moduleData->hModule); - } - - free(moduleData); - TRACE0("FINISHED\n"); - -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/p11_md.c 2017-01-20 09:53:01.950288065 -0800 @@ -0,0 +1,183 @@ +/* + * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * pkcs11wrapper.c + * 18.05.2001 + * + * This module contains the native functions of the Java to PKCS#11 interface + * which are platform dependent. This includes loading a dynamic link libary, + * retrieving the function list and unloading the dynamic link library. + * + * @author Karl Scheibelhofer + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include + +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: connect + * Signature: (Ljava/lang/String;)V + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect + (JNIEnv *env, jobject obj, jstring jPkcs11ModulePath, jstring jGetFunctionList) +{ + void *hModule; + char *error; + CK_C_GetFunctionList C_GetFunctionList=NULL; + CK_RV rv; + ModuleData *moduleData; + jobject globalPKCS11ImplementationReference; + char *systemErrorMessage; + char *exceptionMessage; + const char *getFunctionListStr; + + const char *libraryNameStr = (*env)->GetStringUTFChars(env, jPkcs11ModulePath, 0); + if (libraryNameStr == NULL) { + return; + } + TRACE1("DEBUG: connect to PKCS#11 module: %s ... ", libraryNameStr); + + + /* + * Load the PKCS #11 DLL + */ + dlerror(); /* clear any old error message not fetched */ +#ifdef DEBUG + hModule = dlopen(libraryNameStr, RTLD_NOW); +#else + hModule = dlopen(libraryNameStr, RTLD_LAZY); +#endif /* DEBUG */ + + if (hModule == NULL) { + systemErrorMessage = dlerror(); + exceptionMessage = (char *) malloc(sizeof(char) * (strlen(systemErrorMessage) + strlen(libraryNameStr) + 1)); + if (exceptionMessage == NULL) { + throwOutOfMemoryError(env, 0); + return; + } + strcpy(exceptionMessage, systemErrorMessage); + strcat(exceptionMessage, libraryNameStr); + throwIOException(env, exceptionMessage); + (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr); + free(exceptionMessage); + return; + } + + /* + * Get function pointer to C_GetFunctionList + */ + dlerror(); /* clear any old error message not fetched */ + // with the old JAR file jGetFunctionList is null, temporarily check for that + if (jGetFunctionList != NULL) { + getFunctionListStr = (*env)->GetStringUTFChars(env, jGetFunctionList, 0); + if (getFunctionListStr == NULL) { + return; + } + C_GetFunctionList = (CK_C_GetFunctionList) dlsym(hModule, getFunctionListStr); + (*env)->ReleaseStringUTFChars(env, jGetFunctionList, getFunctionListStr); + } + if (C_GetFunctionList == NULL) { + throwIOException(env, "ERROR: C_GetFunctionList == NULL"); + return; + } else if ( (systemErrorMessage = dlerror()) != NULL ){ + throwIOException(env, systemErrorMessage); + return; + } + + /* + * Get function pointers to all PKCS #11 functions + */ + moduleData = (ModuleData *) malloc(sizeof(ModuleData)); + if (moduleData == NULL) { + dlclose(hModule); + throwOutOfMemoryError(env, 0); + return; + } + moduleData->hModule = hModule; + moduleData->applicationMutexHandler = NULL; + rv = (C_GetFunctionList)(&(moduleData->ckFunctionListPtr)); + globalPKCS11ImplementationReference = (*env)->NewGlobalRef(env, obj); + putModuleEntry(env, globalPKCS11ImplementationReference, moduleData); + + (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr); + TRACE0("FINISHED\n"); + + if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} + +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: disconnect + * Signature: ()V + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_disconnect + (JNIEnv *env, jobject obj) +{ + ModuleData *moduleData; + TRACE0("DEBUG: disconnecting module..."); + moduleData = removeModuleEntry(env, obj); + + if (moduleData != NULL) { + dlclose(moduleData->hModule); + } + + free(moduleData); + TRACE0("FINISHED\n"); + +} --- old/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.h 2017-01-20 09:53:02.530288043 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,90 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * pkcs11wrapper.h - * 18.05.2001 - * - * declaration of all functions used by pkcs11wrapper.c - * - * @author Karl Scheibelhofer - */ - -/* defines for UNIX platforms *************************************************/ - -#ifndef _P11_MD_H -#define _P11_MD_H 1 - -#define CK_PTR * -#define CK_DEFINE_FUNCTION(returnType, name) returnType name -#define CK_DECLARE_FUNCTION(returnType, name) returnType name -#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name) -#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name) -#ifndef NULL_PTR -#define NULL_PTR 0 -#endif - -#include "pkcs11.h" - -#include "jni.h" - -/* A data structure to hold required information about a PKCS#11 module. */ -struct ModuleData { - - /* the module (DLL or shared library) handle */ - void *hModule; - - /* The pointer to the PKCS#11 functions of this module. */ - CK_FUNCTION_LIST_PTR ckFunctionListPtr; - - /* Reference to the object to use for mutex handling. NULL, if not used. */ - jobject applicationMutexHandler; - -}; -typedef struct ModuleData ModuleData; - -#endif /* _P11_MD_H */ --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/p11_md.h 2017-01-20 09:53:02.310288051 -0800 @@ -0,0 +1,90 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * pkcs11wrapper.h + * 18.05.2001 + * + * declaration of all functions used by pkcs11wrapper.c + * + * @author Karl Scheibelhofer + */ + +/* defines for UNIX platforms *************************************************/ + +#ifndef _P11_MD_H +#define _P11_MD_H 1 + +#define CK_PTR * +#define CK_DEFINE_FUNCTION(returnType, name) returnType name +#define CK_DECLARE_FUNCTION(returnType, name) returnType name +#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name) +#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name) +#ifndef NULL_PTR +#define NULL_PTR 0 +#endif + +#include "pkcs11.h" + +#include "jni.h" + +/* A data structure to hold required information about a PKCS#11 module. */ +struct ModuleData { + + /* the module (DLL or shared library) handle */ + void *hModule; + + /* The pointer to the PKCS#11 functions of this module. */ + CK_FUNCTION_LIST_PTR ckFunctionListPtr; + + /* Reference to the object to use for mutex handling. NULL, if not used. */ + jobject applicationMutexHandler; + +}; +typedef struct ModuleData ModuleData; + +#endif /* _P11_MD_H */ --- old/src/jdk.crypto.token/windows/native/libj2pkcs11/j2secmod_md.c 2017-01-20 09:53:02.874288030 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,90 +0,0 @@ -/* - * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -#include -#include -#include - -#include - -#include "j2secmod.h" - -extern void throwNullPointerException(JNIEnv *env, const char *message); -extern void throwIOException(JNIEnv *env, const char *message); - -void *findFunction(JNIEnv *env, jlong jHandle, const char *functionName) { - HINSTANCE hModule = (HINSTANCE)jHandle; - void *fAddress = GetProcAddress(hModule, functionName); - if (fAddress == NULL) { - char errorMessage[256]; - _snprintf(errorMessage, sizeof(errorMessage), "Symbol not found: %s", functionName); - throwNullPointerException(env, errorMessage); - return NULL; - } - return fAddress; -} - -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_Secmod_nssGetLibraryHandle - (JNIEnv *env, jclass thisClass, jstring jLibName) -{ - const char *libName = (*env)->GetStringUTFChars(env, jLibName, NULL); - HMODULE hModule = GetModuleHandle(libName); - dprintf2("-handle for %s: %d\n", libName, hModule); - (*env)->ReleaseStringUTFChars(env, jLibName, libName); - return (jlong)hModule; -} - -JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_Secmod_nssLoadLibrary - (JNIEnv *env, jclass thisClass, jstring jName) -{ - HINSTANCE hModule; - LPVOID lpMsgBuf; - - const char *libName = (*env)->GetStringUTFChars(env, jName, NULL); - dprintf1("-lib %s\n", libName); - - hModule = LoadLibrary(libName); - (*env)->ReleaseStringUTFChars(env, jName, libName); - - if (hModule == NULL) { - FormatMessage( - FORMAT_MESSAGE_ALLOCATE_BUFFER | - FORMAT_MESSAGE_FROM_SYSTEM | - FORMAT_MESSAGE_IGNORE_INSERTS, - NULL, - GetLastError(), - 0, /* Default language */ - (LPTSTR) &lpMsgBuf, - 0, - NULL - ); - dprintf1("-error: %s\n", lpMsgBuf); - throwIOException(env, (char*)lpMsgBuf); - LocalFree(lpMsgBuf); - return 0; - } - dprintf2("-handle: %d (0X%X)\n", hModule, hModule); - return (jlong)hModule; -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/j2secmod_md.c 2017-01-20 09:53:02.658288038 -0800 @@ -0,0 +1,90 @@ +/* + * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +#include +#include +#include + +#include + +#include "j2secmod.h" + +extern void throwNullPointerException(JNIEnv *env, const char *message); +extern void throwIOException(JNIEnv *env, const char *message); + +void *findFunction(JNIEnv *env, jlong jHandle, const char *functionName) { + HINSTANCE hModule = (HINSTANCE)jHandle; + void *fAddress = GetProcAddress(hModule, functionName); + if (fAddress == NULL) { + char errorMessage[256]; + _snprintf(errorMessage, sizeof(errorMessage), "Symbol not found: %s", functionName); + throwNullPointerException(env, errorMessage); + return NULL; + } + return fAddress; +} + +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_Secmod_nssGetLibraryHandle + (JNIEnv *env, jclass thisClass, jstring jLibName) +{ + const char *libName = (*env)->GetStringUTFChars(env, jLibName, NULL); + HMODULE hModule = GetModuleHandle(libName); + dprintf2("-handle for %s: %d\n", libName, hModule); + (*env)->ReleaseStringUTFChars(env, jLibName, libName); + return (jlong)hModule; +} + +JNIEXPORT jlong JNICALL Java_sun_security_pkcs11_Secmod_nssLoadLibrary + (JNIEnv *env, jclass thisClass, jstring jName) +{ + HINSTANCE hModule; + LPVOID lpMsgBuf; + + const char *libName = (*env)->GetStringUTFChars(env, jName, NULL); + dprintf1("-lib %s\n", libName); + + hModule = LoadLibrary(libName); + (*env)->ReleaseStringUTFChars(env, jName, libName); + + if (hModule == NULL) { + FormatMessage( + FORMAT_MESSAGE_ALLOCATE_BUFFER | + FORMAT_MESSAGE_FROM_SYSTEM | + FORMAT_MESSAGE_IGNORE_INSERTS, + NULL, + GetLastError(), + 0, /* Default language */ + (LPTSTR) &lpMsgBuf, + 0, + NULL + ); + dprintf1("-error: %s\n", lpMsgBuf); + throwIOException(env, (char*)lpMsgBuf); + LocalFree(lpMsgBuf); + return 0; + } + dprintf2("-handle: %d (0X%X)\n", hModule, hModule); + return (jlong)hModule; +} --- old/src/jdk.crypto.token/windows/native/libj2pkcs11/j2secmod_md.h 2017-01-20 09:53:03.214288017 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,47 +0,0 @@ -/* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -#include - -// in nss.h: -// extern PRBool NSS_VersionCheck(const char *importedVersion); -// extern SECStatus NSS_Initialize(const char *configdir, -// const char *certPrefix, const char *keyPrefix, -// const char *secmodName, PRUint32 flags); - -typedef int __declspec(dllimport) (*FPTR_VersionCheck)(const char *importedVersion); -typedef int __declspec(dllimport) (*FPTR_Initialize)(const char *configdir, - const char *certPrefix, const char *keyPrefix, - const char *secmodName, unsigned int flags); - -// in secmod.h -//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, -// PRBool recurse); -//char **SECMOD_GetModuleSpecList(SECMODModule *module); -//extern SECMODModuleList *SECMOD_GetDBModuleList(void); - -typedef void __declspec(dllimport) *(*FPTR_LoadModule)(char *moduleSpec, void *parent, int recurse); -typedef char __declspec(dllimport) **(*FPTR_GetModuleSpecList)(void *module); -typedef void __declspec(dllimport) *(*FPTR_GetDBModuleList)(void); --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/j2secmod_md.h 2017-01-20 09:53:03.002288025 -0800 @@ -0,0 +1,47 @@ +/* + * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +#include + +// in nss.h: +// extern PRBool NSS_VersionCheck(const char *importedVersion); +// extern SECStatus NSS_Initialize(const char *configdir, +// const char *certPrefix, const char *keyPrefix, +// const char *secmodName, PRUint32 flags); + +typedef int __declspec(dllimport) (*FPTR_VersionCheck)(const char *importedVersion); +typedef int __declspec(dllimport) (*FPTR_Initialize)(const char *configdir, + const char *certPrefix, const char *keyPrefix, + const char *secmodName, unsigned int flags); + +// in secmod.h +//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, +// PRBool recurse); +//char **SECMOD_GetModuleSpecList(SECMODModule *module); +//extern SECMODModuleList *SECMOD_GetDBModuleList(void); + +typedef void __declspec(dllimport) *(*FPTR_LoadModule)(char *moduleSpec, void *parent, int recurse); +typedef char __declspec(dllimport) **(*FPTR_GetModuleSpecList)(void *module); +typedef void __declspec(dllimport) *(*FPTR_GetDBModuleList)(void); --- old/src/jdk.crypto.token/windows/native/libj2pkcs11/p11_md.c 2017-01-20 09:53:03.678287999 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,177 +0,0 @@ -/* - * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. - */ - -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * pkcs11wrapper.c - * 18.05.2001 - * - * This module contains the native functions of the Java to PKCS#11 interface - * which are platform dependent. This includes loading a dynamic link libary, - * retrieving the function list and unloading the dynamic link library. - * - * @author Karl Scheibelhofer - */ - -#include "pkcs11wrapper.h" - -#include -#include -#include -#include - -#include - -#include - -#include "sun_security_pkcs11_wrapper_PKCS11.h" - -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: connect - * Signature: (Ljava/lang/String;)V - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect - (JNIEnv *env, jobject obj, jstring jPkcs11ModulePath, jstring jGetFunctionList) -{ - HINSTANCE hModule; - CK_C_GetFunctionList C_GetFunctionList; - CK_RV rv; - ModuleData *moduleData; - jobject globalPKCS11ImplementationReference; - LPVOID lpMsgBuf; - char *exceptionMessage; - const char *getFunctionListStr; - - const char *libraryNameStr = (*env)->GetStringUTFChars(env, jPkcs11ModulePath, 0); - TRACE1("DEBUG: connect to PKCS#11 module: %s ... ", libraryNameStr); - - - /* - * Load the PKCS #11 DLL - */ - hModule = LoadLibrary(libraryNameStr); - if (hModule == NULL) { - FormatMessage( - FORMAT_MESSAGE_ALLOCATE_BUFFER | - FORMAT_MESSAGE_FROM_SYSTEM | - FORMAT_MESSAGE_IGNORE_INSERTS, - NULL, - GetLastError(), - 0, /* Default language */ - (LPTSTR) &lpMsgBuf, - 0, - NULL - ); - exceptionMessage = (char *) malloc(sizeof(char) * (strlen((LPTSTR) lpMsgBuf) + strlen(libraryNameStr) + 1)); - strcpy(exceptionMessage, (LPTSTR) lpMsgBuf); - strcat(exceptionMessage, libraryNameStr); - throwIOException(env, (LPTSTR) exceptionMessage); - /* Free the buffer. */ - free(exceptionMessage); - LocalFree(lpMsgBuf); - return; - } - - /* - * Get function pointer to C_GetFunctionList - */ - getFunctionListStr = (*env)->GetStringUTFChars(env, jGetFunctionList, 0); - C_GetFunctionList = (CK_C_GetFunctionList) GetProcAddress(hModule, getFunctionListStr); - (*env)->ReleaseStringUTFChars(env, jGetFunctionList, getFunctionListStr); - if (C_GetFunctionList == NULL) { - FormatMessage( - FORMAT_MESSAGE_ALLOCATE_BUFFER | - FORMAT_MESSAGE_FROM_SYSTEM | - FORMAT_MESSAGE_IGNORE_INSERTS, - NULL, - GetLastError(), - 0, /* Default language */ - (LPTSTR) &lpMsgBuf, - 0, - NULL - ); - throwIOException(env, (LPTSTR) lpMsgBuf); - /* Free the buffer. */ - LocalFree( lpMsgBuf ); - return; - } - - /* - * Get function pointers to all PKCS #11 functions - */ - moduleData = (ModuleData *) malloc(sizeof(ModuleData)); - moduleData->hModule = hModule; - moduleData->applicationMutexHandler = NULL; - rv = (C_GetFunctionList)(&(moduleData->ckFunctionListPtr)); - globalPKCS11ImplementationReference = (*env)->NewGlobalRef(env, obj); - putModuleEntry(env, globalPKCS11ImplementationReference, moduleData); - - (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr); - TRACE0("FINISHED\n"); - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -} - -/* - * Class: sun_security_pkcs11_wrapper_PKCS11 - * Method: disconnect - * Signature: ()V - */ -JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_disconnect - (JNIEnv *env, jobject obj) -{ - ModuleData *moduleData; - TRACE0("DEBUG: disconnecting module..."); - moduleData = removeModuleEntry(env, obj); - - if (moduleData != NULL) { - FreeLibrary(moduleData->hModule); - } - - free(moduleData); - TRACE0("FINISHED\n"); -} --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/p11_md.c 2017-01-20 09:53:03.466288007 -0800 @@ -0,0 +1,177 @@ +/* + * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. + */ + +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * pkcs11wrapper.c + * 18.05.2001 + * + * This module contains the native functions of the Java to PKCS#11 interface + * which are platform dependent. This includes loading a dynamic link libary, + * retrieving the function list and unloading the dynamic link library. + * + * @author Karl Scheibelhofer + */ + +#include "pkcs11wrapper.h" + +#include +#include +#include +#include + +#include + +#include + +#include "sun_security_pkcs11_wrapper_PKCS11.h" + +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: connect + * Signature: (Ljava/lang/String;)V + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect + (JNIEnv *env, jobject obj, jstring jPkcs11ModulePath, jstring jGetFunctionList) +{ + HINSTANCE hModule; + CK_C_GetFunctionList C_GetFunctionList; + CK_RV rv; + ModuleData *moduleData; + jobject globalPKCS11ImplementationReference; + LPVOID lpMsgBuf; + char *exceptionMessage; + const char *getFunctionListStr; + + const char *libraryNameStr = (*env)->GetStringUTFChars(env, jPkcs11ModulePath, 0); + TRACE1("DEBUG: connect to PKCS#11 module: %s ... ", libraryNameStr); + + + /* + * Load the PKCS #11 DLL + */ + hModule = LoadLibrary(libraryNameStr); + if (hModule == NULL) { + FormatMessage( + FORMAT_MESSAGE_ALLOCATE_BUFFER | + FORMAT_MESSAGE_FROM_SYSTEM | + FORMAT_MESSAGE_IGNORE_INSERTS, + NULL, + GetLastError(), + 0, /* Default language */ + (LPTSTR) &lpMsgBuf, + 0, + NULL + ); + exceptionMessage = (char *) malloc(sizeof(char) * (strlen((LPTSTR) lpMsgBuf) + strlen(libraryNameStr) + 1)); + strcpy(exceptionMessage, (LPTSTR) lpMsgBuf); + strcat(exceptionMessage, libraryNameStr); + throwIOException(env, (LPTSTR) exceptionMessage); + /* Free the buffer. */ + free(exceptionMessage); + LocalFree(lpMsgBuf); + return; + } + + /* + * Get function pointer to C_GetFunctionList + */ + getFunctionListStr = (*env)->GetStringUTFChars(env, jGetFunctionList, 0); + C_GetFunctionList = (CK_C_GetFunctionList) GetProcAddress(hModule, getFunctionListStr); + (*env)->ReleaseStringUTFChars(env, jGetFunctionList, getFunctionListStr); + if (C_GetFunctionList == NULL) { + FormatMessage( + FORMAT_MESSAGE_ALLOCATE_BUFFER | + FORMAT_MESSAGE_FROM_SYSTEM | + FORMAT_MESSAGE_IGNORE_INSERTS, + NULL, + GetLastError(), + 0, /* Default language */ + (LPTSTR) &lpMsgBuf, + 0, + NULL + ); + throwIOException(env, (LPTSTR) lpMsgBuf); + /* Free the buffer. */ + LocalFree( lpMsgBuf ); + return; + } + + /* + * Get function pointers to all PKCS #11 functions + */ + moduleData = (ModuleData *) malloc(sizeof(ModuleData)); + moduleData->hModule = hModule; + moduleData->applicationMutexHandler = NULL; + rv = (C_GetFunctionList)(&(moduleData->ckFunctionListPtr)); + globalPKCS11ImplementationReference = (*env)->NewGlobalRef(env, obj); + putModuleEntry(env, globalPKCS11ImplementationReference, moduleData); + + (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr); + TRACE0("FINISHED\n"); + + if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } +} + +/* + * Class: sun_security_pkcs11_wrapper_PKCS11 + * Method: disconnect + * Signature: ()V + */ +JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_disconnect + (JNIEnv *env, jobject obj) +{ + ModuleData *moduleData; + TRACE0("DEBUG: disconnecting module..."); + moduleData = removeModuleEntry(env, obj); + + if (moduleData != NULL) { + FreeLibrary(moduleData->hModule); + } + + free(moduleData); + TRACE0("FINISHED\n"); +} --- old/src/jdk.crypto.token/windows/native/libj2pkcs11/p11_md.h 2017-01-20 09:53:04.030287986 -0800 +++ /dev/null 2017-01-18 09:30:05.425422781 -0800 @@ -1,98 +0,0 @@ -/* - * reserved comment block - * DO NOT REMOVE OR ALTER! - */ -/* Copyright (c) 2002 Graz University of Technology. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. The end-user documentation included with the redistribution, if any, must - * include the following acknowledgment: - * - * "This product includes software developed by IAIK of Graz University of - * Technology." - * - * Alternately, this acknowledgment may appear in the software itself, if - * and wherever such third-party acknowledgments normally appear. - * - * 4. The names "Graz University of Technology" and "IAIK of Graz University of - * Technology" must not be used to endorse or promote products derived from - * this software without prior written permission. - * - * 5. Products derived from this software may not be called - * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior - * written permission of Graz University of Technology. - * - * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * platoform.h - * 10.12.2001 - * - * declaration of all platform dependent functions used by pkcs11wrapper.c - * - * @author Karl Scheibelhofer - */ - -/* defines for WIN32 platform *************************************************/ - -#include - -/* statement according to PKCS11 docu */ -#pragma pack(push, cryptoki, 1) - -/* definitions according to PKCS#11 docu for Win32 environment */ -#define CK_PTR * -#define CK_DEFINE_FUNCTION(returnType, name) returnType __declspec(dllexport) name -#define CK_DECLARE_FUNCTION(returnType, name) returnType __declspec(dllimport) name -#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType __declspec(dllimport) (* name) -#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name) -#ifndef NULL_PTR -#define NULL_PTR 0 -#endif /* NULL_PTR */ - -/* to avoid clash with Win32 #define */ -#ifdef CreateMutex -#undef CreateMutex -#endif /* CreateMutex */ - -#include "pkcs11.h" - -/* statement according to PKCS11 docu */ -#pragma pack(pop, cryptoki) - -#include "jni.h" - -/* A data structure to hold required information about a PKCS#11 module. */ -struct ModuleData { - - HINSTANCE hModule; - - /* The pointer to the PKCS#11 functions of this module. */ - CK_FUNCTION_LIST_PTR ckFunctionListPtr; - - /* Reference to the object to use for mutex handling. NULL, if not used. */ - jobject applicationMutexHandler; - -}; -typedef struct ModuleData ModuleData; --- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/p11_md.h 2017-01-20 09:53:03.814287994 -0800 @@ -0,0 +1,98 @@ +/* + * reserved comment block + * DO NOT REMOVE OR ALTER! + */ +/* Copyright (c) 2002 Graz University of Technology. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. The end-user documentation included with the redistribution, if any, must + * include the following acknowledgment: + * + * "This product includes software developed by IAIK of Graz University of + * Technology." + * + * Alternately, this acknowledgment may appear in the software itself, if + * and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Graz University of Technology" and "IAIK of Graz University of + * Technology" must not be used to endorse or promote products derived from + * this software without prior written permission. + * + * 5. Products derived from this software may not be called + * "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior + * written permission of Graz University of Technology. + * + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * platoform.h + * 10.12.2001 + * + * declaration of all platform dependent functions used by pkcs11wrapper.c + * + * @author Karl Scheibelhofer + */ + +/* defines for WIN32 platform *************************************************/ + +#include + +/* statement according to PKCS11 docu */ +#pragma pack(push, cryptoki, 1) + +/* definitions according to PKCS#11 docu for Win32 environment */ +#define CK_PTR * +#define CK_DEFINE_FUNCTION(returnType, name) returnType __declspec(dllexport) name +#define CK_DECLARE_FUNCTION(returnType, name) returnType __declspec(dllimport) name +#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType __declspec(dllimport) (* name) +#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name) +#ifndef NULL_PTR +#define NULL_PTR 0 +#endif /* NULL_PTR */ + +/* to avoid clash with Win32 #define */ +#ifdef CreateMutex +#undef CreateMutex +#endif /* CreateMutex */ + +#include "pkcs11.h" + +/* statement according to PKCS11 docu */ +#pragma pack(pop, cryptoki) + +#include "jni.h" + +/* A data structure to hold required information about a PKCS#11 module. */ +struct ModuleData { + + HINSTANCE hModule; + + /* The pointer to the PKCS#11 functions of this module. */ + CK_FUNCTION_LIST_PTR ckFunctionListPtr; + + /* Reference to the object to use for mutex handling. NULL, if not used. */ + jobject applicationMutexHandler; + +}; +typedef struct ModuleData ModuleData;