jdk-sandbox: comparison jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/P11KeyStore.java

equal deleted inserted replaced

-:97247477b481
+:6645de32a866
-/*
-* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
-* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-*
-* This code is free software; you can redistribute it and/or modify it
-* under the terms of the GNU General Public License version 2 only, as
-* published by the Free Software Foundation.  Oracle designates this
-* particular file as subject to the "Classpath" exception as provided
-* by Oracle in the LICENSE file that accompanied this code.
-*
-* This code is distributed in the hope that it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-* version 2 for more details (a copy is included in the LICENSE file that
-* accompanied this code).
-*
-* You should have received a copy of the GNU General Public License version
-* 2 along with this work; if not, write to the Free Software Foundation,
-* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-*
-* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-* or visit www.oracle.com if you need additional information or have any
-* questions.
-*/
-package sun.security.pkcs11;
-import java.math.BigInteger;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.IOException;
-import java.io.ByteArrayInputStream;
-import java.io.UnsupportedEncodingException;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.HashMap;
-import java.util.Set;
-import java.security.*;
-import java.security.KeyStore.*;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CertificateException;
-import java.security.interfaces.*;
-import java.security.spec.*;
-import javax.crypto.SecretKey;
-import javax.crypto.interfaces.*;
-import javax.security.auth.x500.X500Principal;
-import javax.security.auth.login.LoginException;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import sun.security.util.Debug;
-import sun.security.util.DerValue;
-import sun.security.util.ECUtil;
-import sun.security.pkcs11.Secmod.*;
-import static sun.security.pkcs11.P11Util.*;
-import sun.security.pkcs11.wrapper.*;
-import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-import sun.security.rsa.RSAKeyFactory;
-final class P11KeyStore extends KeyStoreSpi {
-private static final CK_ATTRIBUTE ATTR_CLASS_CERT =
-new CK_ATTRIBUTE(CKA_CLASS, CKO_CERTIFICATE);
-private static final CK_ATTRIBUTE ATTR_CLASS_PKEY =
-new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY);
-private static final CK_ATTRIBUTE ATTR_CLASS_SKEY =
-new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY);
-private static final CK_ATTRIBUTE ATTR_X509_CERT_TYPE =
-new CK_ATTRIBUTE(CKA_CERTIFICATE_TYPE, CKC_X_509);
-private static final CK_ATTRIBUTE ATTR_TOKEN_TRUE =
-new CK_ATTRIBUTE(CKA_TOKEN, true);
-// XXX for testing purposes only
-//  - NSS doesn't support persistent secret keys
-//    (key type gets mangled if secret key is a token key)
-//  - if debug is turned on, then this is set to false
-private static CK_ATTRIBUTE ATTR_SKEY_TOKEN_TRUE = ATTR_TOKEN_TRUE;
-private static final CK_ATTRIBUTE ATTR_TRUSTED_TRUE =
-new CK_ATTRIBUTE(CKA_TRUSTED, true);
-private static final CK_ATTRIBUTE ATTR_PRIVATE_TRUE =
-new CK_ATTRIBUTE(CKA_PRIVATE, true);
-private static final long NO_HANDLE = -1;
-private static final long FINDOBJECTS_MAX = 100;
-private static final String ALIAS_SEP = "/";
-private static final boolean NSS_TEST = false;
-private static final Debug debug =
-Debug.getInstance("pkcs11keystore");
-private static boolean CKA_TRUSTED_SUPPORTED = true;
-private final Token token;
-// If multiple certs are found to share the same CKA_LABEL
-// at load time (NSS-style keystore), then the keystore is read
-// and the unique keystore aliases are mapped to the entries.
-// However, write capabilities are disabled.
-private boolean writeDisabled = false;
-// Map of unique keystore aliases to entries in the token
-private HashMap<String, AliasInfo> aliasMap;
-// whether to use NSS Secmod info for trust attributes
-private final boolean useSecmodTrust;
-// if useSecmodTrust == true, which type of trust we are interested in
-private Secmod.TrustType nssTrustType;
-/**
-* The underlying token may contain multiple certs belonging to the
-* same "personality" (for example, a signing cert and encryption cert),
-* all sharing the same CKA_LABEL.  These must be resolved
-* into unique keystore aliases.
-*
-* In addition, private keys and certs may not have a CKA_LABEL.
-* It is assumed that a private key and corresponding certificate
-* share the same CKA_ID, and that the CKA_ID is unique across the token.
-* The CKA_ID may not be human-readable.
-* These pairs must be resolved into unique keystore aliases.
-*
-* Furthermore, secret keys are assumed to have a CKA_LABEL
-* unique across the entire token.
-*
-* When the KeyStore is loaded, instances of this class are
-* created to represent the private keys/secret keys/certs
-* that reside on the token.
-*/
-private static class AliasInfo {
-// CKA_CLASS - entry type
-private CK_ATTRIBUTE type = null;
-// CKA_LABEL of cert and secret key
-private String label = null;
-// CKA_ID of the private key/cert pair
-private byte[] id = null;
-// CKA_TRUSTED - true if cert is trusted
-private boolean trusted = false;
-// either end-entity cert or trusted cert depending on 'type'
-private X509Certificate cert = null;
-// chain
-private X509Certificate[] chain = null;
-// true if CKA_ID for private key and cert match up
-private boolean matched = false;
-// SecretKeyEntry
-public AliasInfo(String label) {
-this.type = ATTR_CLASS_SKEY;
-this.label = label;
-}
-// PrivateKeyEntry
-public AliasInfo(String label,
-byte[] id,
-boolean trusted,
-X509Certificate cert) {
-this.type = ATTR_CLASS_PKEY;
-this.label = label;
-this.id = id;
-this.trusted = trusted;
-this.cert = cert;
-}
-public String toString() {
-StringBuilder sb = new StringBuilder();
-if (type == ATTR_CLASS_PKEY) {
-sb.append("\ttype=[private key]\n");
-} else if (type == ATTR_CLASS_SKEY) {
-sb.append("\ttype=[secret key]\n");
-} else if (type == ATTR_CLASS_CERT) {
-sb.append("\ttype=[trusted cert]\n");
-}
-sb.append("\tlabel=[" + label + "]\n");
-if (id == null) {
-sb.append("\tid=[null]\n");
-} else {
-sb.append("\tid=" + P11KeyStore.getID(id) + "\n");
-}
-sb.append("\ttrusted=[" + trusted + "]\n");
-sb.append("\tmatched=[" + matched + "]\n");
-if (cert == null) {
-sb.append("\tcert=[null]\n");
-} else {
-sb.append("\tcert=[\tsubject: " +
-cert.getSubjectX500Principal() +
-"\n\t\tissuer: " +
-cert.getIssuerX500Principal() +
-"\n\t\tserialNum: " +
-cert.getSerialNumber().toString() +
-"]");
-}
-return sb.toString();
-}
-}
-/**
-* callback handler for passing password to Provider.login method
-*/
-private static class PasswordCallbackHandler implements CallbackHandler {
-private char[] password;
-private PasswordCallbackHandler(char[] password) {
-if (password != null) {
-this.password = password.clone();
-}
-}
-public void handle(Callback[] callbacks)
-throws IOException, UnsupportedCallbackException {
-if (!(callbacks[0] instanceof PasswordCallback)) {
-throw new UnsupportedCallbackException(callbacks[0]);
-}
-PasswordCallback pc = (PasswordCallback)callbacks[0];
-pc.setPassword(password);  // this clones the password if not null
-}
-protected void finalize() throws Throwable {
-if (password != null) {
-Arrays.fill(password, ' ');
-}
-super.finalize();
-}
-}
-/**
-* getTokenObject return value.
-*
-* if object is not found, type is set to null.
-* otherwise, type is set to the requested type.
-*/
-private static class THandle {
-private final long handle;              // token object handle
-private final CK_ATTRIBUTE type;        // CKA_CLASS
-private THandle(long handle, CK_ATTRIBUTE type) {
-this.handle = handle;
-this.type = type;
-}
-}
-P11KeyStore(Token token) {
-this.token = token;
-this.useSecmodTrust = token.provider.nssUseSecmodTrust;
-}
-/**
-* Returns the key associated with the given alias.
-* The key must have been associated with
-* the alias by a call to <code>setKeyEntry</code>,
-* or by a call to <code>setEntry</code> with a
-* <code>PrivateKeyEntry</code> or <code>SecretKeyEntry</code>.
-*
-* @param alias the alias name
-* @param password the password, which must be <code>null</code>
-*
-* @return the requested key, or null if the given alias does not exist
-* or does not identify a key-related entry.
-*
-* @exception NoSuchAlgorithmException if the algorithm for recovering the
-* key cannot be found
-* @exception UnrecoverableKeyException if the key cannot be recovered
-*/
-public synchronized Key engineGetKey(String alias, char[] password)
-throws NoSuchAlgorithmException, UnrecoverableKeyException {
-token.ensureValid();
-if (password != null && !token.config.getKeyStoreCompatibilityMode()) {
-throw new NoSuchAlgorithmException("password must be null");
-}
-AliasInfo aliasInfo = aliasMap.get(alias);
-if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) {
-return null;
-}
-Session session = null;
-try {
-session = token.getOpSession();
-if (aliasInfo.type == ATTR_CLASS_PKEY) {
-THandle h = getTokenObject(session,
-aliasInfo.type,
-aliasInfo.id,
-null);
-if (h.type == ATTR_CLASS_PKEY) {
-return loadPkey(session, h.handle);
-}
-} else {
-THandle h = getTokenObject(session,
-ATTR_CLASS_SKEY,
-null,
-alias);
-if (h.type == ATTR_CLASS_SKEY) {
-return loadSkey(session, h.handle);
-}
-}
-// did not find anything
-return null;
-} catch (PKCS11Exception | KeyStoreException e) {
-throw new ProviderException(e);
-} finally {
-token.releaseSession(session);
-}
-}
-/**
-* Returns the certificate chain associated with the given alias.
-* The certificate chain must have been associated with the alias
-* by a call to <code>setKeyEntry</code>,
-* or by a call to <code>setEntry</code> with a
-* <code>PrivateKeyEntry</code>.
-*
-* @param alias the alias name
-*
-* @return the certificate chain (ordered with the user's certificate first
-* and the root certificate authority last), or null if the given alias
-* does not exist or does not contain a certificate chain
-*/
-public synchronized Certificate[] engineGetCertificateChain(String alias) {
-token.ensureValid();
-AliasInfo aliasInfo = aliasMap.get(alias);
-if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_PKEY) {
-return null;
-}
-return aliasInfo.chain;
-}
-/**
-* Returns the certificate associated with the given alias.
-*
-* <p> If the given alias name identifies an entry
-* created by a call to <code>setCertificateEntry</code>,
-* or created by a call to <code>setEntry</code> with a
-* <code>TrustedCertificateEntry</code>,
-* then the trusted certificate contained in that entry is returned.
-*
-* <p> If the given alias name identifies an entry
-* created by a call to <code>setKeyEntry</code>,
-* or created by a call to <code>setEntry</code> with a
-* <code>PrivateKeyEntry</code>,
-* then the first element of the certificate chain in that entry
-* (if a chain exists) is returned.
-*
-* @param alias the alias name
-*
-* @return the certificate, or null if the given alias does not exist or
-* does not contain a certificate.
-*/
-public synchronized Certificate engineGetCertificate(String alias) {
-token.ensureValid();
-AliasInfo aliasInfo = aliasMap.get(alias);
-if (aliasInfo == null) {
-return null;
-}
-return aliasInfo.cert;
-}
-/**
-* Returns the creation date of the entry identified by the given alias.
-*
-* @param alias the alias name
-*
-* @return the creation date of this entry, or null if the given alias does
-* not exist
-*/
-public Date engineGetCreationDate(String alias) {
-token.ensureValid();
-throw new ProviderException(new UnsupportedOperationException());
-}
-/**
-* Assigns the given key to the given alias, protecting it with the given
-* password.
-*
-* <p>If the given key is of type <code>java.security.PrivateKey</code>,
-* it must be accompanied by a certificate chain certifying the
-* corresponding public key.
-*
-* <p>If the given alias already exists, the keystore information
-* associated with it is overridden by the given key (and possibly
-* certificate chain).
-*
-* @param alias the alias name
-* @param key the key to be associated with the alias
-* @param password the password to protect the key
-* @param chain the certificate chain for the corresponding public
-* key (only required if the given key is of type
-* <code>java.security.PrivateKey</code>).
-*
-* @exception KeyStoreException if the given key cannot be protected, or
-* this operation fails for some other reason
-*/
-public synchronized void engineSetKeyEntry(String alias, Key key,
-char[] password,
-Certificate[] chain)
-throws KeyStoreException {
-token.ensureValid();
-checkWrite();
-if (!(key instanceof PrivateKey) && !(key instanceof SecretKey)) {
-throw new KeyStoreException("key must be PrivateKey or SecretKey");
-} else if (key instanceof PrivateKey && chain == null) {
-throw new KeyStoreException
-("PrivateKey must be accompanied by non-null chain");
-} else if (key instanceof SecretKey && chain != null) {
-throw new KeyStoreException
-("SecretKey must be accompanied by null chain");
-} else if (password != null &&
-!token.config.getKeyStoreCompatibilityMode()) {
-throw new KeyStoreException("Password must be null");
-}
-KeyStore.Entry entry = null;
-try {
-if (key instanceof PrivateKey) {
-entry = new KeyStore.PrivateKeyEntry((PrivateKey)key, chain);
-} else if (key instanceof SecretKey) {
-entry = new KeyStore.SecretKeyEntry((SecretKey)key);
-}
-} catch (NullPointerException | IllegalArgumentException e) {
-throw new KeyStoreException(e);
-}
-engineSetEntry(alias, entry, new KeyStore.PasswordProtection(password));
-}
-/**
-* Assigns the given key (that has already been protected) to the given
-* alias.
-*
-* <p>If the protected key is of type
-* <code>java.security.PrivateKey</code>,
-* it must be accompanied by a certificate chain certifying the
-* corresponding public key.
-*
-* <p>If the given alias already exists, the keystore information
-* associated with it is overridden by the given key (and possibly
-* certificate chain).
-*
-* @param alias the alias name
-* @param key the key (in protected format) to be associated with the alias
-* @param chain the certificate chain for the corresponding public
-* key (only useful if the protected key is of type
-* <code>java.security.PrivateKey</code>).
-*
-* @exception KeyStoreException if this operation fails.
-*/
-public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain)
-throws KeyStoreException {
-token.ensureValid();
-throw new ProviderException(new UnsupportedOperationException());
-}
-/**
-* Assigns the given certificate to the given alias.
-*
-* <p> If the given alias identifies an existing entry
-* created by a call to <code>setCertificateEntry</code>,
-* or created by a call to <code>setEntry</code> with a
-* <code>TrustedCertificateEntry</code>,
-* the trusted certificate in the existing entry
-* is overridden by the given certificate.
-*
-* @param alias the alias name
-* @param cert the certificate
-*
-* @exception KeyStoreException if the given alias already exists and does
-* not identify an entry containing a trusted certificate,
-* or this operation fails for some other reason.
-*/
-public synchronized void engineSetCertificateEntry
-(String alias, Certificate cert) throws KeyStoreException {
-token.ensureValid();
-checkWrite();
-if (cert == null) {
-throw new KeyStoreException("invalid null certificate");
-}
-KeyStore.Entry entry = null;
-entry = new KeyStore.TrustedCertificateEntry(cert);
-engineSetEntry(alias, entry, null);
-}
-/**
-* Deletes the entry identified by the given alias from this keystore.
-*
-* @param alias the alias name
-*
-* @exception KeyStoreException if the entry cannot be removed.
-*/
-public synchronized void engineDeleteEntry(String alias)
-throws KeyStoreException {
-token.ensureValid();
-if (token.isWriteProtected()) {
-throw new KeyStoreException("token write-protected");
-}
-checkWrite();
-deleteEntry(alias);
-}
-/**
-* XXX - not sure whether to keep this
-*/
-private boolean deleteEntry(String alias) throws KeyStoreException {
-AliasInfo aliasInfo = aliasMap.get(alias);
-if (aliasInfo != null) {
-aliasMap.remove(alias);
-try {
-if (aliasInfo.type == ATTR_CLASS_CERT) {
-// trusted certificate entry
-return destroyCert(aliasInfo.id);
-} else if (aliasInfo.type == ATTR_CLASS_PKEY) {
-// private key entry
-return destroyPkey(aliasInfo.id) &&
-destroyChain(aliasInfo.id);
-} else if (aliasInfo.type == ATTR_CLASS_SKEY) {
-// secret key entry
-return destroySkey(alias);
-} else {
-throw new KeyStoreException("unexpected entry type");
-}
-} catch (PKCS11Exception | CertificateException e) {
-throw new KeyStoreException(e);
-}
-}
-return false;
-}
-/**
-* Lists all the alias names of this keystore.
-*
-* @return enumeration of the alias names
-*/
-public synchronized Enumeration<String> engineAliases() {
-token.ensureValid();
-// don't want returned enumeration to iterate off actual keySet -
-// otherwise applications that iterate and modify the keystore
-// may run into concurrent modification problems
-return Collections.enumeration(new HashSet<String>(aliasMap.keySet()));
-}
-/**
-* Checks if the given alias exists in this keystore.
-*
-* @param alias the alias name
-*
-* @return true if the alias exists, false otherwise
-*/
-public synchronized boolean engineContainsAlias(String alias) {
-token.ensureValid();
-return aliasMap.containsKey(alias);
-}
-/**
-* Retrieves the number of entries in this keystore.
-*
-* @return the number of entries in this keystore
-*/
-public synchronized int engineSize() {
-token.ensureValid();
-return aliasMap.size();
-}
-/**
-* Returns true if the entry identified by the given alias
-* was created by a call to <code>setKeyEntry</code>,
-* or created by a call to <code>setEntry</code> with a
-* <code>PrivateKeyEntry</code> or a <code>SecretKeyEntry</code>.
-*
-* @param alias the alias for the keystore entry to be checked
-*
-* @return true if the entry identified by the given alias is a
-* key-related, false otherwise.
-*/
-public synchronized boolean engineIsKeyEntry(String alias) {
-token.ensureValid();
-AliasInfo aliasInfo = aliasMap.get(alias);
-if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) {
-return false;
-}
-return true;
-}
-/**
-* Returns true if the entry identified by the given alias
-* was created by a call to <code>setCertificateEntry</code>,
-* or created by a call to <code>setEntry</code> with a
-* <code>TrustedCertificateEntry</code>.
-*
-* @param alias the alias for the keystore entry to be checked
-*
-* @return true if the entry identified by the given alias contains a
-* trusted certificate, false otherwise.
-*/
-public synchronized boolean engineIsCertificateEntry(String alias) {
-token.ensureValid();
-AliasInfo aliasInfo = aliasMap.get(alias);
-if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_CERT) {
-return false;
-}
-return true;
-}
-/**
-* Returns the (alias) name of the first keystore entry whose certificate
-* matches the given certificate.
-*
-* <p>This method attempts to match the given certificate with each
-* keystore entry. If the entry being considered was
-* created by a call to <code>setCertificateEntry</code>,
-* or created by a call to <code>setEntry</code> with a
-* <code>TrustedCertificateEntry</code>,
-* then the given certificate is compared to that entry's certificate.
-*
-* <p> If the entry being considered was
-* created by a call to <code>setKeyEntry</code>,
-* or created by a call to <code>setEntry</code> with a
-* <code>PrivateKeyEntry</code>,
-* then the given certificate is compared to the first
-* element of that entry's certificate chain.
-*
-* @param cert the certificate to match with.
-*
-* @return the alias name of the first entry with matching certificate,
-* or null if no such entry exists in this keystore.
-*/
-public synchronized String engineGetCertificateAlias(Certificate cert) {
-token.ensureValid();
-Enumeration<String> e = engineAliases();
-while (e.hasMoreElements()) {
-String alias = e.nextElement();
-Certificate tokenCert = engineGetCertificate(alias);
-if (tokenCert != null && tokenCert.equals(cert)) {
-return alias;
-}
-}
-return null;
-}
-/**
-* engineStore currently is a No-op.
-* Entries are stored to the token during engineSetEntry
-*
-* @param stream this must be <code>null</code>
-* @param password this must be <code>null</code>
-*/
-public synchronized void engineStore(OutputStream stream, char[] password)
-throws IOException, NoSuchAlgorithmException, CertificateException {
-token.ensureValid();
-if (stream != null && !token.config.getKeyStoreCompatibilityMode()) {
-throw new IOException("output stream must be null");
-}
-if (password != null && !token.config.getKeyStoreCompatibilityMode()) {
-throw new IOException("password must be null");
-}
-}
-/**
-* engineStore currently is a No-op.
-* Entries are stored to the token during engineSetEntry
-*
-* @param param this must be <code>null</code>
-*
-* @exception IllegalArgumentException if the given
-*          <code>KeyStore.LoadStoreParameter</code>
-*          input is not <code>null</code>
-*/
-public synchronized void engineStore(KeyStore.LoadStoreParameter param)
-throws IOException, NoSuchAlgorithmException, CertificateException {
-token.ensureValid();
-if (param != null) {
-throw new IllegalArgumentException
-("LoadStoreParameter must be null");
-}
-}
-/**
-* Loads the keystore.
-*
-* @param stream the input stream, which must be <code>null</code>
-* @param password the password used to unlock the keystore,
-*          or <code>null</code> if the token supports a
-*          CKF_PROTECTED_AUTHENTICATION_PATH
-*
-* @exception IOException if the given <code>stream</code> is not
-*          <code>null</code>, if the token supports a
-*          CKF_PROTECTED_AUTHENTICATION_PATH and a non-null
-*          password is given, of if the token login operation failed
-*/
-public synchronized void engineLoad(InputStream stream, char[] password)
-throws IOException, NoSuchAlgorithmException, CertificateException {
-token.ensureValid();
-if (NSS_TEST) {
-ATTR_SKEY_TOKEN_TRUE = new CK_ATTRIBUTE(CKA_TOKEN, false);
-}
-if (stream != null && !token.config.getKeyStoreCompatibilityMode()) {
-throw new IOException("input stream must be null");
-}
-if (useSecmodTrust) {
-nssTrustType = Secmod.TrustType.ALL;
-}
-try {
-if (password == null) {
-login(null);
-} else {
-login(new PasswordCallbackHandler(password));
-}
-} catch(LoginException e) {
-Throwable cause = e.getCause();
-if (cause instanceof PKCS11Exception) {
-PKCS11Exception pe = (PKCS11Exception) cause;
-if (pe.getErrorCode() == CKR_PIN_INCORRECT) {
-// if password is wrong, the cause of the IOException
-// should be an UnrecoverableKeyException
-throw new IOException("load failed",
-new UnrecoverableKeyException().initCause(e));
-}
-}
-throw new IOException("load failed", e);
-}
-try {
-if (mapLabels() == true) {
-// CKA_LABELs are shared by multiple certs
-writeDisabled = true;
-}
-if (debug != null) {
-dumpTokenMap();
-}
-} catch (KeyStoreException | PKCS11Exception e) {
-throw new IOException("load failed", e);
-}
-}
-/**
-* Loads the keystore using the given
-* <code>KeyStore.LoadStoreParameter</code>.
-*
-* <p> The <code>LoadStoreParameter.getProtectionParameter()</code>
-* method is expected to return a <code>KeyStore.PasswordProtection</code>
-* object.  The password is retrieved from that object and used
-* to unlock the PKCS#11 token.
-*
-* <p> If the token supports a CKF_PROTECTED_AUTHENTICATION_PATH
-* then the provided password must be <code>null</code>.
-*
-* @param param the <code>KeyStore.LoadStoreParameter</code>
-*
-* @exception IllegalArgumentException if the given
-*          <code>KeyStore.LoadStoreParameter</code> is <code>null</code>,
-*          or if that parameter returns a <code>null</code>
-*          <code>ProtectionParameter</code> object.
-*          input is not recognized
-* @exception IOException if the token supports a
-*          CKF_PROTECTED_AUTHENTICATION_PATH and the provided password
-*          is non-null, or if the token login operation fails
-*/
-public synchronized void engineLoad(KeyStore.LoadStoreParameter param)
-throws IOException, NoSuchAlgorithmException,
-CertificateException {
-token.ensureValid();
-if (NSS_TEST) {
-ATTR_SKEY_TOKEN_TRUE = new CK_ATTRIBUTE(CKA_TOKEN, false);
-}
-// if caller wants to pass a NULL password,
-// force it to pass a non-NULL PasswordProtection that returns
-// a NULL password
-if (param == null) {
-throw new IllegalArgumentException
-("invalid null LoadStoreParameter");
-}
-if (useSecmodTrust) {
-if (param instanceof Secmod.KeyStoreLoadParameter) {
-nssTrustType = ((Secmod.KeyStoreLoadParameter)param).getTrustType();
-} else {
-nssTrustType = Secmod.TrustType.ALL;
-}
-}
-CallbackHandler handler;
-KeyStore.ProtectionParameter pp = param.getProtectionParameter();
-if (pp instanceof PasswordProtection) {
-char[] password = ((PasswordProtection)pp).getPassword();
-if (password == null) {
-handler = null;
-} else {
-handler = new PasswordCallbackHandler(password);
-}
-} else if (pp instanceof CallbackHandlerProtection) {
-handler = ((CallbackHandlerProtection)pp).getCallbackHandler();
-} else {
-throw new IllegalArgumentException
-("ProtectionParameter must be either " +
-"PasswordProtection or CallbackHandlerProtection");
-}
-try {
-login(handler);
-if (mapLabels() == true) {
-// CKA_LABELs are shared by multiple certs
-writeDisabled = true;
-}
-if (debug != null) {
-dumpTokenMap();
-}
-} catch (LoginException | KeyStoreException | PKCS11Exception e) {
-throw new IOException("load failed", e);
-}
-}
-private void login(CallbackHandler handler) throws LoginException {
-if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) {
-token.provider.login(null, handler);
-} else {
-// token supports protected authentication path
-// (external pin-pad, for example)
-if (handler != null &&
-!token.config.getKeyStoreCompatibilityMode()) {
-throw new LoginException("can not specify password if token " +
-"supports protected authentication path");
-}
-// must rely on application-set or default handler
-// if one is necessary
-token.provider.login(null, null);
-}
-}
-/**
-* Get a <code>KeyStore.Entry</code> for the specified alias
-*
-* @param alias get the <code>KeyStore.Entry</code> for this alias
-* @param protParam this must be <code>null</code>
-*
-* @return the <code>KeyStore.Entry</code> for the specified alias,
-*          or <code>null</code> if there is no such entry
-*
-* @exception KeyStoreException if the operation failed
-* @exception NoSuchAlgorithmException if the algorithm for recovering the
-*          entry cannot be found
-* @exception UnrecoverableEntryException if the specified
-*          <code>protParam</code> were insufficient or invalid
-*
-* @since 1.5
-*/
-public synchronized KeyStore.Entry engineGetEntry(String alias,
-KeyStore.ProtectionParameter protParam)
-throws KeyStoreException, NoSuchAlgorithmException,
-UnrecoverableEntryException {
-token.ensureValid();
-if (protParam != null &&
-protParam instanceof KeyStore.PasswordProtection &&
-((KeyStore.PasswordProtection)protParam).getPassword() != null &&
-!token.config.getKeyStoreCompatibilityMode()) {
-throw new KeyStoreException("ProtectionParameter must be null");
-}
-AliasInfo aliasInfo = aliasMap.get(alias);
-if (aliasInfo == null) {
-if (debug != null) {
-debug.println("engineGetEntry did not find alias [" +
-alias +
-"] in map");
-}
-return null;
-}
-Session session = null;
-try {
-session = token.getOpSession();
-if (aliasInfo.type == ATTR_CLASS_CERT) {
-// trusted certificate entry
-if (debug != null) {
-debug.println("engineGetEntry found trusted cert entry");
-}
-return new KeyStore.TrustedCertificateEntry(aliasInfo.cert);
-} else if (aliasInfo.type == ATTR_CLASS_SKEY) {
-// secret key entry
-if (debug != null) {
-debug.println("engineGetEntry found secret key entry");
-}
-THandle h = getTokenObject
-(session, ATTR_CLASS_SKEY, null, aliasInfo.label);
-if (h.type != ATTR_CLASS_SKEY) {
-throw new KeyStoreException
-("expected but could not find secret key");
-} else {
-SecretKey skey = loadSkey(session, h.handle);
-return new KeyStore.SecretKeyEntry(skey);
-}
-} else {
-// private key entry
-if (debug != null) {
-debug.println("engineGetEntry found private key entry");
-}
-THandle h = getTokenObject
-(session, ATTR_CLASS_PKEY, aliasInfo.id, null);
-if (h.type != ATTR_CLASS_PKEY) {
-throw new KeyStoreException
-("expected but could not find private key");
-} else {
-PrivateKey pkey = loadPkey(session, h.handle);
-Certificate[] chain = aliasInfo.chain;
-if ((pkey != null) && (chain != null)) {
-return new KeyStore.PrivateKeyEntry(pkey, chain);
-} else {
-if (debug != null) {
-debug.println
-("engineGetEntry got null cert chain or private key");
-}
-}
-}
-}
-return null;
-} catch (PKCS11Exception pe) {
-throw new KeyStoreException(pe);
-} finally {
-token.releaseSession(session);
-}
-}
-/**
-* Save a <code>KeyStore.Entry</code> under the specified alias.
-*
-* <p> If an entry already exists for the specified alias,
-* it is overridden.
-*
-* <p> This KeyStore implementation only supports the standard
-* entry types, and only supports X509Certificates in
-* TrustedCertificateEntries.  Also, this implementation does not support
-* protecting entries using a different password
-* from the one used for token login.
-*
-* <p> Entries are immediately stored on the token.
-*
-* @param alias save the <code>KeyStore.Entry</code> under this alias
-* @param entry the <code>Entry</code> to save
-* @param protParam this must be <code>null</code>
-*
-* @exception KeyStoreException if this operation fails
-*
-* @since 1.5
-*/
-public synchronized void engineSetEntry(String alias, KeyStore.Entry entry,
-KeyStore.ProtectionParameter protParam)
-throws KeyStoreException {
-token.ensureValid();
-checkWrite();
-if (protParam != null &&
-protParam instanceof KeyStore.PasswordProtection &&
-((KeyStore.PasswordProtection)protParam).getPassword() != null &&
-!token.config.getKeyStoreCompatibilityMode()) {
-throw new KeyStoreException(new UnsupportedOperationException
-("ProtectionParameter must be null"));
-}
-if (token.isWriteProtected()) {
-throw new KeyStoreException("token write-protected");
-}
-if (entry instanceof KeyStore.TrustedCertificateEntry) {
-if (useSecmodTrust == false) {
-// PKCS #11 does not allow app to modify trusted certs -
-throw new KeyStoreException(new UnsupportedOperationException
-("trusted certificates may only be set by " +
-"token initialization application"));
-}
-Module module = token.provider.nssModule;
-if ((module.type != ModuleType.KEYSTORE) && (module.type != ModuleType.FIPS)) {
-// XXX allow TRUSTANCHOR module
-throw new KeyStoreException("Trusted certificates can only be "
-+ "added to the NSS KeyStore module");
-}
-Certificate cert = ((TrustedCertificateEntry)entry).getTrustedCertificate();
-if (cert instanceof X509Certificate == false) {
-throw new KeyStoreException("Certificate must be an X509Certificate");
-}
-X509Certificate xcert = (X509Certificate)cert;
-AliasInfo info = aliasMap.get(alias);
-if (info != null) {
-// XXX try to update
-deleteEntry(alias);
-}
-try {
-storeCert(alias, xcert);
-module.setTrust(token, xcert);
-mapLabels();
-} catch (PKCS11Exception | CertificateException e) {
-throw new KeyStoreException(e);
-}
-} else {
-if (entry instanceof KeyStore.PrivateKeyEntry) {
-PrivateKey key =
-((KeyStore.PrivateKeyEntry)entry).getPrivateKey();
-if (!(key instanceof P11Key) &&
-!(key instanceof RSAPrivateKey) &&
-!(key instanceof DSAPrivateKey) &&
-!(key instanceof DHPrivateKey) &&
-!(key instanceof ECPrivateKey)) {
-throw new KeyStoreException("unsupported key type: " +
-key.getClass().getName());
-}
-// only support X509Certificate chains
-Certificate[] chain =
-((KeyStore.PrivateKeyEntry)entry).getCertificateChain();
-if (!(chain instanceof X509Certificate[])) {
-throw new KeyStoreException
-(new UnsupportedOperationException
-("unsupported certificate array type: " +
-chain.getClass().getName()));
-}
-try {
-boolean updatedAlias = false;
-Set<String> aliases = aliasMap.keySet();
-for (String oldAlias : aliases) {
-// see if there's an existing entry with the same info
-AliasInfo aliasInfo = aliasMap.get(oldAlias);
-if (aliasInfo.type == ATTR_CLASS_PKEY &&
-aliasInfo.cert.getPublicKey().equals
-(chain[0].getPublicKey())) {
-// found existing entry -
-// caller is renaming entry or updating cert chain
-//
-// set new CKA_LABEL/CKA_ID
-// and update certs if necessary
-updatePkey(alias,
-aliasInfo.id,
-(X509Certificate[])chain,
-!aliasInfo.cert.equals(chain[0]));
-updatedAlias = true;
-break;
-}
-}
-if (!updatedAlias) {
-// caller adding new entry
-engineDeleteEntry(alias);
-storePkey(alias, (KeyStore.PrivateKeyEntry)entry);
-}
-} catch (PKCS11Exception | CertificateException pe) {
-throw new KeyStoreException(pe);
-}
-} else if (entry instanceof KeyStore.SecretKeyEntry) {
-KeyStore.SecretKeyEntry ske = (KeyStore.SecretKeyEntry)entry;
-SecretKey skey = ske.getSecretKey();
-try {
-// first check if the key already exists
-AliasInfo aliasInfo = aliasMap.get(alias);
-if (aliasInfo != null) {
-engineDeleteEntry(alias);
-}
-storeSkey(alias, ske);
-} catch (PKCS11Exception pe) {
-throw new KeyStoreException(pe);
-}
-} else {
-throw new KeyStoreException(new UnsupportedOperationException
-("unsupported entry type: " + entry.getClass().getName()));
-}
-try {
-// XXX  NSS does not write out the CKA_ID we pass to them
-//
-// therefore we must re-map labels
-// (can not simply update aliasMap)
-mapLabels();
-if (debug != null) {
-dumpTokenMap();
-}
-} catch (PKCS11Exception | CertificateException pe) {
-throw new KeyStoreException(pe);
-}
-}
-if (debug != null) {
-debug.println
-("engineSetEntry added new entry for [" +
-alias +
-"] to token");
-}
-}
-/**
-* Determines if the keystore <code>Entry</code> for the specified
-* <code>alias</code> is an instance or subclass of the specified
-* <code>entryClass</code>.
-*
-* @param alias the alias name
-* @param entryClass the entry class
-*
-* @return true if the keystore <code>Entry</code> for the specified
-*          <code>alias</code> is an instance or subclass of the
-*          specified <code>entryClass</code>, false otherwise
-*/
-public synchronized boolean engineEntryInstanceOf
-(String alias, Class<? extends KeyStore.Entry> entryClass) {
-token.ensureValid();
-return super.engineEntryInstanceOf(alias, entryClass);
-}
-private X509Certificate loadCert(Session session, long oHandle)
-throws PKCS11Exception, CertificateException {
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[]
-{ new CK_ATTRIBUTE(CKA_VALUE) };
-token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
-byte[] bytes = attrs[0].getByteArray();
-if (bytes == null) {
-throw new CertificateException
-("unexpectedly retrieved null byte array");
-}
-CertificateFactory cf = CertificateFactory.getInstance("X.509");
-return (X509Certificate)cf.generateCertificate
-(new ByteArrayInputStream(bytes));
-}
-private X509Certificate[] loadChain(Session session,
-X509Certificate endCert)
-throws PKCS11Exception, CertificateException {
-ArrayList<X509Certificate> lChain = null;
-if (endCert.getSubjectX500Principal().equals
-(endCert.getIssuerX500Principal())) {
-// self signed
-return new X509Certificate[] { endCert };
-} else {
-lChain = new ArrayList<X509Certificate>();
-lChain.add(endCert);
-}
-// try loading remaining certs in chain by following
-// issuer->subject links
-X509Certificate next = endCert;
-while (true) {
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_CERT,
-new CK_ATTRIBUTE(CKA_SUBJECT,
-next.getIssuerX500Principal().getEncoded()) };
-long[] ch = findObjects(session, attrs);
-if (ch == null || ch.length == 0) {
-// done
-break;
-} else {
-// if more than one found, use first
-if (debug != null && ch.length > 1) {
-debug.println("engineGetEntry found " +
-ch.length +
-" certificate entries for subject [" +
-next.getIssuerX500Principal().toString() +
-"] in token - using first entry");
-}
-next = loadCert(session, ch[0]);
-lChain.add(next);
-if (next.getSubjectX500Principal().equals
-(next.getIssuerX500Principal())) {
-// self signed
-break;
-}
-}
-}
-return lChain.toArray(new X509Certificate[lChain.size()]);
-}
-private SecretKey loadSkey(Session session, long oHandle)
-throws PKCS11Exception {
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-new CK_ATTRIBUTE(CKA_KEY_TYPE) };
-token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
-long kType = attrs[0].getLong();
-String keyType = null;
-int keyLength = -1;
-// XXX NSS mangles the stored key type for secret key token objects
-if (kType == CKK_DES || kType == CKK_DES3) {
-if (kType == CKK_DES) {
-keyType = "DES";
-keyLength = 64;
-} else if (kType == CKK_DES3) {
-keyType = "DESede";
-keyLength = 192;
-}
-} else {
-if (kType == CKK_AES) {
-keyType = "AES";
-} else if (kType == CKK_BLOWFISH) {
-keyType = "Blowfish";
-} else if (kType == CKK_RC4) {
-keyType = "ARCFOUR";
-} else {
-if (debug != null) {
-debug.println("unknown key type [" +
-kType +
-"] - using 'Generic Secret'");
-}
-keyType = "Generic Secret";
-}
-// XXX NSS problem CKR_ATTRIBUTE_TYPE_INVALID?
-if (NSS_TEST) {
-keyLength = 128;
-} else {
-attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_VALUE_LEN) };
-token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
-keyLength = (int)attrs[0].getLong();
-}
-}
-return P11Key.secretKey(session, oHandle, keyType, keyLength, null);
-}
-private PrivateKey loadPkey(Session session, long oHandle)
-throws PKCS11Exception, KeyStoreException {
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-new CK_ATTRIBUTE(CKA_KEY_TYPE) };
-token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
-long kType = attrs[0].getLong();
-String keyType = null;
-int keyLength = 0;
-if (kType == CKK_RSA) {
-keyType = "RSA";
-attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_MODULUS) };
-token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
-BigInteger modulus = attrs[0].getBigInteger();
-keyLength = modulus.bitLength();
-// This check will combine our "don't care" values here
-// with the system-wide min/max values.
-try {
-RSAKeyFactory.checkKeyLengths(keyLength, null,
--1, Integer.MAX_VALUE);
-} catch (InvalidKeyException e) {
-throw new KeyStoreException(e.getMessage());
-}
-return P11Key.privateKey(session,
-oHandle,
-keyType,
-keyLength,
-null);
-} else if (kType == CKK_DSA) {
-keyType = "DSA";
-attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_PRIME) };
-token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
-BigInteger prime = attrs[0].getBigInteger();
-keyLength = prime.bitLength();
-return P11Key.privateKey(session,
-oHandle,
-keyType,
-keyLength,
-null);
-} else if (kType == CKK_DH) {
-keyType = "DH";
-attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_PRIME) };
-token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
-BigInteger prime = attrs[0].getBigInteger();
-keyLength = prime.bitLength();
-return P11Key.privateKey(session,
-oHandle,
-keyType,
-keyLength,
-null);
-} else if (kType == CKK_EC) {
-attrs = new CK_ATTRIBUTE[] {
-new CK_ATTRIBUTE(CKA_EC_PARAMS),
-};
-token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
-byte[] encodedParams = attrs[0].getByteArray();
-try {
-ECParameterSpec params =
-ECUtil.getECParameterSpec(null, encodedParams);
-keyLength = params.getCurve().getField().getFieldSize();
-} catch (IOException e) {
-// we do not want to accept key with unsupported parameters
-throw new KeyStoreException("Unsupported parameters", e);
-}
-return P11Key.privateKey(session, oHandle, "EC", keyLength, null);
-} else {
-if (debug != null) {
-debug.println("unknown key type [" + kType + "]");
-}
-throw new KeyStoreException("unknown key type");
-}
-}
-/**
-* XXX  On ibutton, when you C_SetAttribute(CKA_ID) for a private key
-*      it not only changes the CKA_ID of the private key,
-*      it changes the CKA_ID of the corresponding cert too.
-*      And vice versa.
-*
-* XXX  On ibutton, CKR_DEVICE_ERROR if you C_SetAttribute(CKA_ID)
-*      for a private key, and then try to delete the corresponding cert.
-*      So this code reverses the order.
-*      After the cert is first destroyed (if necessary),
-*      then the CKA_ID of the private key can be changed successfully.
-*
-* @param replaceCert if true, then caller is updating alias info for
-*                  existing cert (only update CKA_ID/CKA_LABEL).
-*                  if false, then caller is updating cert chain
-*                  (delete old end cert and add new chain).
-*/
-private void updatePkey(String alias,
-byte[] cka_id,
-X509Certificate[] chain,
-boolean replaceCert) throws
-KeyStoreException, CertificateException, PKCS11Exception {
-// XXX
-//
-// always set replaceCert to true
-//
-// NSS does not allow resetting of CKA_LABEL on an existing cert
-// (C_SetAttribute call succeeds, but is ignored)
-replaceCert = true;
-Session session = null;
-try {
-session = token.getOpSession();
-// first get private key object handle and hang onto it
-THandle h = getTokenObject(session, ATTR_CLASS_PKEY, cka_id, null);
-long pKeyHandle;
-if (h.type == ATTR_CLASS_PKEY) {
-pKeyHandle = h.handle;
-} else {
-throw new KeyStoreException
-("expected but could not find private key " +
-"with CKA_ID " +
-getID(cka_id));
-}
-// next find existing end entity cert
-h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null);
-if (h.type != ATTR_CLASS_CERT) {
-throw new KeyStoreException
-("expected but could not find certificate " +
-"with CKA_ID " +
-getID(cka_id));
-} else {
-if (replaceCert) {
-// replacing existing cert and chain
-destroyChain(cka_id);
-} else {
-// renaming alias for existing cert
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-new CK_ATTRIBUTE(CKA_LABEL, alias),
-new CK_ATTRIBUTE(CKA_ID, alias) };
-token.p11.C_SetAttributeValue
-(session.id(), h.handle, attrs);
-}
-}
-// add new chain
-if (replaceCert) {
-// add all certs in chain
-storeChain(alias, chain);
-} else {
-// already updated alias info for existing end cert -
-// just update CA certs
-storeCaCerts(chain, 1);
-}
-// finally update CKA_ID for private key
-//
-// ibutton may have already done this (that is ok)
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-new CK_ATTRIBUTE(CKA_ID, alias) };
-token.p11.C_SetAttributeValue(session.id(), pKeyHandle, attrs);
-if (debug != null) {
-debug.println("updatePkey set new alias [" +
-alias +
-"] for private key entry");
-}
-} finally {
-token.releaseSession(session);
-}
-}
-private void updateP11Pkey(String alias, CK_ATTRIBUTE attribute, P11Key key)
-throws PKCS11Exception {
-// if token key, update alias.
-// if session key, convert to token key.
-Session session = null;
-try {
-session = token.getOpSession();
-if (key.tokenObject == true) {
-// token key - set new CKA_ID
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-new CK_ATTRIBUTE(CKA_ID, alias) };
-token.p11.C_SetAttributeValue
-(session.id(), key.keyID, attrs);
-if (debug != null) {
-debug.println("updateP11Pkey set new alias [" +
-alias +
-"] for key entry");
-}
-} else {
-// session key - convert to token key and set CKA_ID
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-new CK_ATTRIBUTE(CKA_ID, alias),
-};
-if (attribute != null) {
-attrs = addAttribute(attrs, attribute);
-}
-token.p11.C_CopyObject(session.id(), key.keyID, attrs);
-if (debug != null) {
-debug.println("updateP11Pkey copied private session key " +
-"for [" +
-alias +
-"] to token entry");
-}
-}
-} finally {
-token.releaseSession(session);
-}
-}
-private void storeCert(String alias, X509Certificate cert)
-throws PKCS11Exception, CertificateException {
-ArrayList<CK_ATTRIBUTE> attrList = new ArrayList<CK_ATTRIBUTE>();
-attrList.add(ATTR_TOKEN_TRUE);
-attrList.add(ATTR_CLASS_CERT);
-attrList.add(ATTR_X509_CERT_TYPE);
-attrList.add(new CK_ATTRIBUTE(CKA_SUBJECT,
-cert.getSubjectX500Principal().getEncoded()));
-attrList.add(new CK_ATTRIBUTE(CKA_ISSUER,
-cert.getIssuerX500Principal().getEncoded()));
-attrList.add(new CK_ATTRIBUTE(CKA_SERIAL_NUMBER,
-cert.getSerialNumber().toByteArray()));
-attrList.add(new CK_ATTRIBUTE(CKA_VALUE, cert.getEncoded()));
-if (alias != null) {
-attrList.add(new CK_ATTRIBUTE(CKA_LABEL, alias));
-attrList.add(new CK_ATTRIBUTE(CKA_ID, alias));
-} else {
-// ibutton requires something to be set
-// - alias must be unique
-attrList.add(new CK_ATTRIBUTE(CKA_ID,
-getID(cert.getSubjectX500Principal().getName
-(X500Principal.CANONICAL), cert)));
-}
-Session session = null;
-try {
-session = token.getOpSession();
-token.p11.C_CreateObject(session.id(),
-attrList.toArray(new CK_ATTRIBUTE[attrList.size()]));
-} finally {
-token.releaseSession(session);
-}
-}
-private void storeChain(String alias, X509Certificate[] chain)
-throws PKCS11Exception, CertificateException {
-// add new chain
-//
-// end cert has CKA_LABEL and CKA_ID set to alias.
-// other certs in chain have neither set.
-storeCert(alias, chain[0]);
-storeCaCerts(chain, 1);
-}
-private void storeCaCerts(X509Certificate[] chain, int start)
-throws PKCS11Exception, CertificateException {
-// do not add duplicate CA cert if already in token
-//
-// XXX   ibutton stores duplicate CA certs, NSS does not
-Session session = null;
-HashSet<X509Certificate> cacerts = new HashSet<X509Certificate>();
-try {
-session = token.getOpSession();
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_CERT };
-long[] handles = findObjects(session, attrs);
-// load certs currently on the token
-for (long handle : handles) {
-cacerts.add(loadCert(session, handle));
-}
-} finally {
-token.releaseSession(session);
-}
-for (int i = start; i < chain.length; i++) {
-if (!cacerts.contains(chain[i])) {
-storeCert(null, chain[i]);
-} else if (debug != null) {
-debug.println("ignoring duplicate CA cert for [" +
-chain[i].getSubjectX500Principal() +
-"]");
-}
-}
-}
-private void storeSkey(String alias, KeyStore.SecretKeyEntry ske)
-throws PKCS11Exception, KeyStoreException {
-SecretKey skey = ske.getSecretKey();
-// No need to specify CKA_CLASS, CKA_KEY_TYPE, CKA_VALUE since
-// they are handled in P11SecretKeyFactory.createKey() method.
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-ATTR_SKEY_TOKEN_TRUE,
-ATTR_PRIVATE_TRUE,
-new CK_ATTRIBUTE(CKA_LABEL, alias),
-};
-try {
-P11SecretKeyFactory.convertKey(token, skey, null, attrs);
-} catch (InvalidKeyException ike) {
-// re-throw KeyStoreException to match javadoc
-throw new KeyStoreException("Cannot convert to PKCS11 keys", ike);
-}
-// update global alias map
-aliasMap.put(alias, new AliasInfo(alias));
-if (debug != null) {
-debug.println("storeSkey created token secret key for [" +
-alias + "]");
-}
-}
-private static CK_ATTRIBUTE[] addAttribute(CK_ATTRIBUTE[] attrs, CK_ATTRIBUTE attr) {
-int n = attrs.length;
-CK_ATTRIBUTE[] newAttrs = new CK_ATTRIBUTE[n + 1];
-System.arraycopy(attrs, 0, newAttrs, 0, n);
-newAttrs[n] = attr;
-return newAttrs;
-}
-private void storePkey(String alias, KeyStore.PrivateKeyEntry pke)
-throws PKCS11Exception, CertificateException, KeyStoreException  {
-PrivateKey key = pke.getPrivateKey();
-CK_ATTRIBUTE[] attrs = null;
-// If the key is a token object on this token, update it instead
-// of creating a duplicate key object.
-// Otherwise, treat a P11Key like any other key, if it is extractable.
-if (key instanceof P11Key) {
-P11Key p11Key = (P11Key)key;
-if (p11Key.tokenObject && (p11Key.token == this.token)) {
-updateP11Pkey(alias, null, p11Key);
-storeChain(alias, (X509Certificate[])pke.getCertificateChain());
-return;
-}
-}
-boolean useNDB = token.config.getNssNetscapeDbWorkaround();
-PublicKey publicKey = pke.getCertificate().getPublicKey();
-if (key instanceof RSAPrivateKey) {
-X509Certificate cert = (X509Certificate)pke.getCertificate();
-attrs = getRsaPrivKeyAttrs
-(alias, (RSAPrivateKey)key, cert.getSubjectX500Principal());
-} else if (key instanceof DSAPrivateKey) {
-DSAPrivateKey dsaKey = (DSAPrivateKey)key;
-CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
-if (idAttrs[0] == null) {
-idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias);
-}
-attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_PKEY,
-ATTR_PRIVATE_TRUE,
-new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DSA),
-idAttrs[0],
-new CK_ATTRIBUTE(CKA_PRIME, dsaKey.getParams().getP()),
-new CK_ATTRIBUTE(CKA_SUBPRIME, dsaKey.getParams().getQ()),
-new CK_ATTRIBUTE(CKA_BASE, dsaKey.getParams().getG()),
-new CK_ATTRIBUTE(CKA_VALUE, dsaKey.getX()),
-};
-if (idAttrs[1] != null) {
-attrs = addAttribute(attrs, idAttrs[1]);
-}
-attrs = token.getAttributes
-(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DSA, attrs);
-if (debug != null) {
-debug.println("storePkey created DSA template");
-}
-} else if (key instanceof DHPrivateKey) {
-DHPrivateKey dhKey = (DHPrivateKey)key;
-CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
-if (idAttrs[0] == null) {
-idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias);
-}
-attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_PKEY,
-ATTR_PRIVATE_TRUE,
-new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DH),
-idAttrs[0],
-new CK_ATTRIBUTE(CKA_PRIME, dhKey.getParams().getP()),
-new CK_ATTRIBUTE(CKA_BASE, dhKey.getParams().getG()),
-new CK_ATTRIBUTE(CKA_VALUE, dhKey.getX()),
-};
-if (idAttrs[1] != null) {
-attrs = addAttribute(attrs, idAttrs[1]);
-}
-attrs = token.getAttributes
-(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DH, attrs);
-} else if (key instanceof ECPrivateKey) {
-ECPrivateKey ecKey = (ECPrivateKey)key;
-CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
-if (idAttrs[0] == null) {
-idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias);
-}
-byte[] encodedParams =
-ECUtil.encodeECParameterSpec(null, ecKey.getParams());
-attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_PKEY,
-ATTR_PRIVATE_TRUE,
-new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC),
-idAttrs[0],
-new CK_ATTRIBUTE(CKA_VALUE, ecKey.getS()),
-new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams),
-};
-if (idAttrs[1] != null) {
-attrs = addAttribute(attrs, idAttrs[1]);
-}
-attrs = token.getAttributes
-(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_EC, attrs);
-if (debug != null) {
-debug.println("storePkey created EC template");
-}
-} else if (key instanceof P11Key) {
-// sensitive/non-extractable P11Key
-P11Key p11Key = (P11Key)key;
-if (p11Key.token != this.token) {
-throw new KeyStoreException
-("Cannot move sensitive keys across tokens");
-}
-CK_ATTRIBUTE netscapeDB = null;
-if (useNDB) {
-// Note that this currently fails due to an NSS bug.
-// They do not allow the CKA_NETSCAPE_DB attribute to be
-// specified during C_CopyObject() and fail with
-// CKR_ATTRIBUTE_READ_ONLY.
-// But if we did not specify it, they would fail with
-// CKA_TEMPLATE_INCOMPLETE, so leave this code in here.
-CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, true);
-netscapeDB = idAttrs[1];
-}
-// Update the key object.
-updateP11Pkey(alias, netscapeDB, p11Key);
-storeChain(alias, (X509Certificate[])pke.getCertificateChain());
-return;
-} else {
-throw new KeyStoreException("unsupported key type: " + key);
-}
-Session session = null;
-try {
-session = token.getOpSession();
-// create private key entry
-token.p11.C_CreateObject(session.id(), attrs);
-if (debug != null) {
-debug.println("storePkey created token key for [" +
-alias +
-"]");
-}
-} finally {
-token.releaseSession(session);
-}
-storeChain(alias, (X509Certificate[])pke.getCertificateChain());
-}
-private CK_ATTRIBUTE[] getRsaPrivKeyAttrs(String alias,
-RSAPrivateKey key,
-X500Principal subject) throws PKCS11Exception {
-// subject is currently ignored - could be used to set CKA_SUBJECT
-CK_ATTRIBUTE[] attrs = null;
-if (key instanceof RSAPrivateCrtKey) {
-if (debug != null) {
-debug.println("creating RSAPrivateCrtKey attrs");
-}
-RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key;
-attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_PKEY,
-ATTR_PRIVATE_TRUE,
-new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA),
-new CK_ATTRIBUTE(CKA_ID, alias),
-new CK_ATTRIBUTE(CKA_MODULUS,
-rsaKey.getModulus()),
-new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT,
-rsaKey.getPrivateExponent()),
-new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT,
-rsaKey.getPublicExponent()),
-new CK_ATTRIBUTE(CKA_PRIME_1,
-rsaKey.getPrimeP()),
-new CK_ATTRIBUTE(CKA_PRIME_2,
-rsaKey.getPrimeQ()),
-new CK_ATTRIBUTE(CKA_EXPONENT_1,
-rsaKey.getPrimeExponentP()),
-new CK_ATTRIBUTE(CKA_EXPONENT_2,
-rsaKey.getPrimeExponentQ()),
-new CK_ATTRIBUTE(CKA_COEFFICIENT,
-rsaKey.getCrtCoefficient()) };
-attrs = token.getAttributes
-(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs);
-} else {
-if (debug != null) {
-debug.println("creating RSAPrivateKey attrs");
-}
-RSAPrivateKey rsaKey = key;
-attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_PKEY,
-ATTR_PRIVATE_TRUE,
-new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA),
-new CK_ATTRIBUTE(CKA_ID, alias),
-new CK_ATTRIBUTE(CKA_MODULUS,
-rsaKey.getModulus()),
-new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT,
-rsaKey.getPrivateExponent()) };
-attrs = token.getAttributes
-(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs);
-}
-return attrs;
-}
-/**
-* Compute the CKA_ID and/or CKA_NETSCAPE_DB attributes that should be
-* used for this private key. It uses the same algorithm to calculate the
-* values as NSS. The public and private keys MUST match for the result to
-* be correct.
-*
-* It returns a 2 element array with CKA_ID at index 0 and CKA_NETSCAPE_DB
-* at index 1. The boolean flags determine what is to be calculated.
-* If false or if we could not calculate the value, that element is null.
-*
-* NOTE that we currently do not use the CKA_ID value calculated by this
-* method.
-*/
-private CK_ATTRIBUTE[] getIdAttributes(PrivateKey privateKey,
-PublicKey publicKey, boolean id, boolean netscapeDb) {
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[2];
-if ((id || netscapeDb) == false) {
-return attrs;
-}
-String alg = privateKey.getAlgorithm();
-if (id && alg.equals("RSA") && (publicKey instanceof RSAPublicKey)) {
-// CKA_NETSCAPE_DB not needed for RSA public keys
-BigInteger n = ((RSAPublicKey)publicKey).getModulus();
-attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(n)));
-} else if (alg.equals("DSA") && (publicKey instanceof DSAPublicKey)) {
-BigInteger y = ((DSAPublicKey)publicKey).getY();
-if (id) {
-attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(y)));
-}
-if (netscapeDb) {
-attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, y);
-}
-} else if (alg.equals("DH") && (publicKey instanceof DHPublicKey)) {
-BigInteger y = ((DHPublicKey)publicKey).getY();
-if (id) {
-attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(y)));
-}
-if (netscapeDb) {
-attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, y);
-}
-} else if (alg.equals("EC") && (publicKey instanceof ECPublicKey)) {
-ECPublicKey ecPub = (ECPublicKey)publicKey;
-ECPoint point = ecPub.getW();
-ECParameterSpec params = ecPub.getParams();
-byte[] encodedPoint = ECUtil.encodePoint(point, params.getCurve());
-if (id) {
-attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(encodedPoint));
-}
-if (netscapeDb) {
-attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, encodedPoint);
-}
-} else {
-throw new RuntimeException("Unknown key algorithm " + alg);
-}
-return attrs;
-}
-/**
-* return true if cert destroyed
-*/
-private boolean destroyCert(byte[] cka_id)
-throws PKCS11Exception, KeyStoreException {
-Session session = null;
-try {
-session = token.getOpSession();
-THandle h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null);
-if (h.type != ATTR_CLASS_CERT) {
-return false;
-}
-token.p11.C_DestroyObject(session.id(), h.handle);
-if (debug != null) {
-debug.println("destroyCert destroyed cert with CKA_ID [" +
-getID(cka_id) +
-"]");
-}
-return true;
-} finally {
-token.releaseSession(session);
-}
-}
-/**
-* return true if chain destroyed
-*/
-private boolean destroyChain(byte[] cka_id)
-throws PKCS11Exception, CertificateException, KeyStoreException {
-Session session = null;
-try {
-session = token.getOpSession();
-THandle h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null);
-if (h.type != ATTR_CLASS_CERT) {
-if (debug != null) {
-debug.println("destroyChain could not find " +
-"end entity cert with CKA_ID [0x" +
-Functions.toHexString(cka_id) +
-"]");
-}
-return false;
-}
-X509Certificate endCert = loadCert(session, h.handle);
-token.p11.C_DestroyObject(session.id(), h.handle);
-if (debug != null) {
-debug.println("destroyChain destroyed end entity cert " +
-"with CKA_ID [" +
-getID(cka_id) +
-"]");
-}
-// build chain following issuer->subject links
-X509Certificate next = endCert;
-while (true) {
-if (next.getSubjectX500Principal().equals
-(next.getIssuerX500Principal())) {
-// self signed - done
-break;
-}
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_CERT,
-new CK_ATTRIBUTE(CKA_SUBJECT,
-next.getIssuerX500Principal().getEncoded()) };
-long[] ch = findObjects(session, attrs);
-if (ch == null || ch.length == 0) {
-// done
-break;
-} else {
-// if more than one found, use first
-if (debug != null && ch.length > 1) {
-debug.println("destroyChain found " +
-ch.length +
-" certificate entries for subject [" +
-next.getIssuerX500Principal() +
-"] in token - using first entry");
-}
-next = loadCert(session, ch[0]);
-// only delete if not part of any other chain
-attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_CERT,
-new CK_ATTRIBUTE(CKA_ISSUER,
-next.getSubjectX500Principal().getEncoded()) };
-long[] issuers = findObjects(session, attrs);
-boolean destroyIt = false;
-if (issuers == null || issuers.length == 0) {
-// no other certs with this issuer -
-// destroy it
-destroyIt = true;
-} else if (issuers.length == 1) {
-X509Certificate iCert = loadCert(session, issuers[0]);
-if (next.equals(iCert)) {
-// only cert with issuer is itself (self-signed) -
-// destroy it
-destroyIt = true;
-}
-}
-if (destroyIt) {
-token.p11.C_DestroyObject(session.id(), ch[0]);
-if (debug != null) {
-debug.println
-("destroyChain destroyed cert in chain " +
-"with subject [" +
-next.getSubjectX500Principal() + "]");
-}
-} else {
-if (debug != null) {
-debug.println("destroyChain did not destroy " +
-"shared cert in chain with subject [" +
-next.getSubjectX500Principal() + "]");
-}
-}
-}
-}
-return true;
-} finally {
-token.releaseSession(session);
-}
-}
-/**
-* return true if secret key destroyed
-*/
-private boolean destroySkey(String alias)
-throws PKCS11Exception, KeyStoreException {
-Session session = null;
-try {
-session = token.getOpSession();
-THandle h = getTokenObject(session, ATTR_CLASS_SKEY, null, alias);
-if (h.type != ATTR_CLASS_SKEY) {
-if (debug != null) {
-debug.println("destroySkey did not find secret key " +
-"with CKA_LABEL [" +
-alias +
-"]");
-}
-return false;
-}
-token.p11.C_DestroyObject(session.id(), h.handle);
-return true;
-} finally {
-token.releaseSession(session);
-}
-}
-/**
-* return true if private key destroyed
-*/
-private boolean destroyPkey(byte[] cka_id)
-throws PKCS11Exception, KeyStoreException {
-Session session = null;
-try {
-session = token.getOpSession();
-THandle h = getTokenObject(session, ATTR_CLASS_PKEY, cka_id, null);
-if (h.type != ATTR_CLASS_PKEY) {
-if (debug != null) {
-debug.println
-("destroyPkey did not find private key with CKA_ID [" +
-getID(cka_id) +
-"]");
-}
-return false;
-}
-token.p11.C_DestroyObject(session.id(), h.handle);
-return true;
-} finally {
-token.releaseSession(session);
-}
-}
-/**
-* build [alias + issuer + serialNumber] string from a cert
-*/
-private String getID(String alias, X509Certificate cert) {
-X500Principal issuer = cert.getIssuerX500Principal();
-BigInteger serialNum = cert.getSerialNumber();
-return alias +
-ALIAS_SEP +
-issuer.getName(X500Principal.CANONICAL) +
-ALIAS_SEP +
-serialNum.toString();
-}
-/**
-* build CKA_ID string from bytes
-*/
-private static String getID(byte[] bytes) {
-boolean printable = true;
-for (int i = 0; i < bytes.length; i++) {
-if (!DerValue.isPrintableStringChar((char)bytes[i])) {
-printable = false;
-break;
-}
-}
-if (!printable) {
-return "0x" + Functions.toHexString(bytes);
-} else {
-try {
-return new String(bytes, "UTF-8");
-} catch (UnsupportedEncodingException uee) {
-return "0x" + Functions.toHexString(bytes);
-}
-}
-}
-/**
-* find an object on the token
-*
-* @param type either ATTR_CLASS_CERT, ATTR_CLASS_PKEY, or ATTR_CLASS_SKEY
-* @param cka_id the CKA_ID if type is ATTR_CLASS_CERT or ATTR_CLASS_PKEY
-* @param cka_label the CKA_LABEL if type is ATTR_CLASS_SKEY
-*/
-private THandle getTokenObject(Session session,
-CK_ATTRIBUTE type,
-byte[] cka_id,
-String cka_label)
-throws PKCS11Exception, KeyStoreException {
-CK_ATTRIBUTE[] attrs;
-if (type == ATTR_CLASS_SKEY) {
-attrs = new CK_ATTRIBUTE[] {
-ATTR_SKEY_TOKEN_TRUE,
-new CK_ATTRIBUTE(CKA_LABEL, cka_label),
-type };
-} else {
-attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-new CK_ATTRIBUTE(CKA_ID, cka_id),
-type };
-}
-long[] h = findObjects(session, attrs);
-if (h.length == 0) {
-if (debug != null) {
-if (type == ATTR_CLASS_SKEY) {
-debug.println("getTokenObject did not find secret key " +
-"with CKA_LABEL [" +
-cka_label +
-"]");
-} else if (type == ATTR_CLASS_CERT) {
-debug.println
-("getTokenObject did not find cert with CKA_ID [" +
-getID(cka_id) +
-"]");
-} else {
-debug.println("getTokenObject did not find private key " +
-"with CKA_ID [" +
-getID(cka_id) +
-"]");
-}
-}
-} else if (h.length == 1) {
-// found object handle - return it
-return new THandle(h[0], type);
-} else {
-// found multiple object handles -
-// see if token ignored CKA_LABEL during search (e.g. NSS)
-if (type == ATTR_CLASS_SKEY) {
-ArrayList<THandle> list = new ArrayList<THandle>(h.length);
-for (int i = 0; i < h.length; i++) {
-CK_ATTRIBUTE[] label = new CK_ATTRIBUTE[]
-{ new CK_ATTRIBUTE(CKA_LABEL) };
-token.p11.C_GetAttributeValue(session.id(), h[i], label);
-if (label[0].pValue != null &&
-cka_label.equals(new String(label[0].getCharArray()))) {
-list.add(new THandle(h[i], ATTR_CLASS_SKEY));
-}
-}
-if (list.size() == 1) {
-// yes, there was only one CKA_LABEL that matched
-return list.get(0);
-} else {
-throw new KeyStoreException("invalid KeyStore state: " +
-"found " +
-list.size() +
-" secret keys sharing CKA_LABEL [" +
-cka_label +
-"]");
-}
-} else if (type == ATTR_CLASS_CERT) {
-throw new KeyStoreException("invalid KeyStore state: " +
-"found " +
-h.length +
-" certificates sharing CKA_ID " +
-getID(cka_id));
-} else {
-throw new KeyStoreException("invalid KeyStore state: " +
-"found " +
-h.length +
-" private keys sharing CKA_ID " +
-getID(cka_id));
-}
-}
-return new THandle(NO_HANDLE, null);
-}
-/**
-* Create a mapping of all key pairs, trusted certs, and secret keys
-* on the token into logical KeyStore entries unambiguously
-* accessible via an alias.
-*
-* If the token is removed, the map may contain stale values.
-* KeyStore.load should be called to re-create the map.
-*
-* Assume all private keys and matching certs share a unique CKA_ID.
-*
-* Assume all secret keys have a unique CKA_LABEL.
-*
-* @return true if multiple certs found sharing the same CKA_LABEL
-*          (if so, write capabilities are disabled)
-*/
-private boolean mapLabels() throws
-PKCS11Exception, CertificateException, KeyStoreException {
-CK_ATTRIBUTE[] trustedAttr = new CK_ATTRIBUTE[] {
-new CK_ATTRIBUTE(CKA_TRUSTED) };
-Session session = null;
-try {
-session = token.getOpSession();
-// get all private key CKA_IDs
-ArrayList<byte[]> pkeyIDs = new ArrayList<byte[]>();
-CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_PKEY,
-};
-long[] handles = findObjects(session, attrs);
-for (long handle : handles) {
-attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID) };
-token.p11.C_GetAttributeValue(session.id(), handle, attrs);
-if (attrs[0].pValue != null) {
-pkeyIDs.add(attrs[0].getByteArray());
-}
-}
-// Get all certificates
-//
-// If cert does not have a CKA_LABEL nor CKA_ID, it is ignored.
-//
-// Get the CKA_LABEL for each cert
-// (if the cert does not have a CKA_LABEL, use the CKA_ID).
-//
-// Map each cert to the its CKA_LABEL
-// (multiple certs may be mapped to a single CKA_LABEL)
-HashMap<String, HashSet<AliasInfo>> certMap =
-new HashMap<String, HashSet<AliasInfo>>();
-attrs = new CK_ATTRIBUTE[] {
-ATTR_TOKEN_TRUE,
-ATTR_CLASS_CERT,
-};
-handles = findObjects(session, attrs);
-for (long handle : handles) {
-attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) };
-String cka_label = null;
-byte[] cka_id = null;
-try {
-token.p11.C_GetAttributeValue(session.id(), handle, attrs);
-if (attrs[0].pValue != null) {
-// there is a CKA_LABEL
-cka_label = new String(attrs[0].getCharArray());
-}
-} catch (PKCS11Exception pe) {
-if (pe.getErrorCode() != CKR_ATTRIBUTE_TYPE_INVALID) {
-throw pe;
-}
-// GetAttributeValue for CKA_LABEL not supported
-//
-// XXX SCA1000
-}
-// get CKA_ID
-attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID) };
-token.p11.C_GetAttributeValue(session.id(), handle, attrs);
-if (attrs[0].pValue == null) {
-if (cka_label == null) {
-// no cka_label nor cka_id - ignore
-continue;
-}
-} else {
-if (cka_label == null) {
-// use CKA_ID as CKA_LABEL
-cka_label = getID(attrs[0].getByteArray());
-}
-cka_id = attrs[0].getByteArray();
-}
-X509Certificate cert = loadCert(session, handle);
-// get CKA_TRUSTED
-boolean cka_trusted = false;
-if (useSecmodTrust) {
-cka_trusted = Secmod.getInstance().isTrusted(cert, nssTrustType);
-} else {
-if (CKA_TRUSTED_SUPPORTED) {
-try {
-token.p11.C_GetAttributeValue
-(session.id(), handle, trustedAttr);
-cka_trusted = trustedAttr[0].getBoolean();
-} catch (PKCS11Exception pe) {
-if (pe.getErrorCode() == CKR_ATTRIBUTE_TYPE_INVALID) {
-// XXX  NSS, ibutton, sca1000
-CKA_TRUSTED_SUPPORTED = false;
-if (debug != null) {
-debug.println
-("CKA_TRUSTED attribute not supported");
-}
-}
-}
-}
-}
-HashSet<AliasInfo> infoSet = certMap.get(cka_label);
-if (infoSet == null) {
-infoSet = new HashSet<AliasInfo>(2);
-certMap.put(cka_label, infoSet);
-}
-// initially create private key entry AliasInfo entries -
-// these entries will get resolved into their true
-// entry types later
-infoSet.add(new AliasInfo
-(cka_label,
-cka_id,
-cka_trusted,
-cert));
-}
-// create list secret key CKA_LABELS -
-// if there are duplicates (either between secret keys,
-// or between a secret key and another object),
-// throw an exception
-HashMap<String, AliasInfo> sKeyMap =
-new HashMap<String, AliasInfo>();
-attrs = new CK_ATTRIBUTE[] {
-ATTR_SKEY_TOKEN_TRUE,
-ATTR_CLASS_SKEY,
-};
-handles = findObjects(session, attrs);
-for (long handle : handles) {
-attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) };
-token.p11.C_GetAttributeValue(session.id(), handle, attrs);
-if (attrs[0].pValue != null) {
-// there is a CKA_LABEL
-String cka_label = new String(attrs[0].getCharArray());
-if (sKeyMap.get(cka_label) == null) {
-sKeyMap.put(cka_label, new AliasInfo(cka_label));
-} else {
-throw new KeyStoreException("invalid KeyStore state: " +
-"found multiple secret keys sharing same " +
-"CKA_LABEL [" +
-cka_label +
-"]");
-}
-}
-}
-// update global aliasMap with alias mappings
-ArrayList<AliasInfo> matchedCerts =
-mapPrivateKeys(pkeyIDs, certMap);
-boolean sharedLabel = mapCerts(matchedCerts, certMap);
-mapSecretKeys(sKeyMap);
-return sharedLabel;
-} finally {
-token.releaseSession(session);
-}
-}
-/**
-* for each private key CKA_ID, find corresponding cert with same CKA_ID.
-* if found cert, see if cert CKA_LABEL is unique.
-*     if CKA_LABEL unique, map private key/cert alias to that CKA_LABEL.
-*     if CKA_LABEL not unique, map private key/cert alias to:
-*                   CKA_LABEL + ALIAS_SEP + ISSUER + ALIAS_SEP + SERIAL
-* if cert not found, ignore private key
-* (don't support private key entries without a cert chain yet)
-*
-* @return a list of AliasInfo entries that represents all matches
-*/
-private ArrayList<AliasInfo> mapPrivateKeys(ArrayList<byte[]> pkeyIDs,
-HashMap<String, HashSet<AliasInfo>> certMap)
-throws PKCS11Exception, CertificateException {
-// reset global alias map
-aliasMap = new HashMap<String, AliasInfo>();
-// list of matched certs that we will return
-ArrayList<AliasInfo> matchedCerts = new ArrayList<AliasInfo>();
-for (byte[] pkeyID : pkeyIDs) {
-// try to find a matching CKA_ID in a certificate
-boolean foundMatch = false;
-Set<String> certLabels = certMap.keySet();
-for (String certLabel : certLabels) {
-// get cert CKA_IDs (if present) for each cert
-HashSet<AliasInfo> infoSet = certMap.get(certLabel);
-for (AliasInfo aliasInfo : infoSet) {
-if (Arrays.equals(pkeyID, aliasInfo.id)) {
-// found private key with matching cert
-if (infoSet.size() == 1) {
-// unique CKA_LABEL - use certLabel as alias
-aliasInfo.matched = true;
-aliasMap.put(certLabel, aliasInfo);
-} else {
-// create new alias
-aliasInfo.matched = true;
-aliasMap.put(getID(certLabel, aliasInfo.cert),
-aliasInfo);
-}
-matchedCerts.add(aliasInfo);
-foundMatch = true;
-break;
-}
-}
-if (foundMatch) {
-break;
-}
-}
-if (!foundMatch) {
-if (debug != null) {
-debug.println
-("did not find match for private key with CKA_ID [" +
-getID(pkeyID) +
-"] (ignoring entry)");
-}
-}
-}
-return matchedCerts;
-}
-/**
-* for each cert not matched with a private key but is CKA_TRUSTED:
-*     if CKA_LABEL unique, map cert to CKA_LABEL.
-*     if CKA_LABEL not unique, map cert to [label+issuer+serialNum]
-*
-* if CKA_TRUSTED not supported, treat all certs not part of a chain
-* as trusted
-*
-* @return true if multiple certs found sharing the same CKA_LABEL
-*/
-private boolean mapCerts(ArrayList<AliasInfo> matchedCerts,
-HashMap<String, HashSet<AliasInfo>> certMap)
-throws PKCS11Exception, CertificateException {
-// load all cert chains
-for (AliasInfo aliasInfo : matchedCerts) {
-Session session = null;
-try {
-session = token.getOpSession();
-aliasInfo.chain = loadChain(session, aliasInfo.cert);
-} finally {
-token.releaseSession(session);
-}
-}
-// find all certs in certMap not part of a cert chain
-// - these are trusted
-boolean sharedLabel = false;
-Set<String> certLabels = certMap.keySet();
-for (String certLabel : certLabels) {
-HashSet<AliasInfo> infoSet = certMap.get(certLabel);
-for (AliasInfo aliasInfo : infoSet) {
-if (aliasInfo.matched == true) {
-// already found a private key match for this cert -
-// just continue
-aliasInfo.trusted = false;
-continue;
-}
-// cert in this aliasInfo is not matched yet
-//
-// if CKA_TRUSTED_SUPPORTED == true,
-// then check if cert is trusted
-if (CKA_TRUSTED_SUPPORTED) {
-if (aliasInfo.trusted) {
-// trusted certificate
-if (mapTrustedCert
-(certLabel, aliasInfo, infoSet) == true) {
-sharedLabel = true;
-}
-}
-continue;
-}
-// CKA_TRUSTED_SUPPORTED == false
-//
-// XXX treat all certs not part of a chain as trusted
-// XXX
-// XXX Unsupported
-//
-// boolean partOfChain = false;
-// for (AliasInfo matchedInfo : matchedCerts) {
-//     for (int i = 0; i < matchedInfo.chain.length; i++) {
-//      if (matchedInfo.chain[i].equals(aliasInfo.cert)) {
-//          partOfChain = true;
-//          break;
-//      }
-//     }
-//     if (partOfChain) {
-//      break;
-//     }
-// }
-//
-// if (!partOfChain) {
-//     if (mapTrustedCert(certLabel,aliasInfo,infoSet) == true){
-//      sharedLabel = true;
-//     }
-// } else {
-//    if (debug != null) {
-//      debug.println("ignoring unmatched/untrusted cert " +
-//          "that is part of cert chain - cert subject is [" +
-//          aliasInfo.cert.getSubjectX500Principal().getName
-//                              (X500Principal.CANONICAL) +
-//          "]");
-//     }
-// }
-}
-}
-return sharedLabel;
-}
-private boolean mapTrustedCert(String certLabel,
-AliasInfo aliasInfo,
-HashSet<AliasInfo> infoSet) {
-boolean sharedLabel = false;
-aliasInfo.type = ATTR_CLASS_CERT;
-aliasInfo.trusted = true;
-if (infoSet.size() == 1) {
-// unique CKA_LABEL - use certLabel as alias
-aliasMap.put(certLabel, aliasInfo);
-} else {
-// create new alias
-sharedLabel = true;
-aliasMap.put(getID(certLabel, aliasInfo.cert), aliasInfo);
-}
-return sharedLabel;
-}
-/**
-* If the secret key shares a CKA_LABEL with another entry,
-* throw an exception
-*/
-private void mapSecretKeys(HashMap<String, AliasInfo> sKeyMap)
-throws KeyStoreException {
-for (String label : sKeyMap.keySet()) {
-if (aliasMap.containsKey(label)) {
-throw new KeyStoreException("invalid KeyStore state: " +
-"found secret key sharing CKA_LABEL [" +
-label +
-"] with another token object");
-}
-}
-aliasMap.putAll(sKeyMap);
-}
-private void dumpTokenMap() {
-Set<String> aliases = aliasMap.keySet();
-System.out.println("Token Alias Map:");
-if (aliases.isEmpty()) {
-System.out.println("  [empty]");
-} else {
-for (String s : aliases) {
-System.out.println("  " + s + aliasMap.get(s));
-}
-}
-}
-private void checkWrite() throws KeyStoreException {
-if (writeDisabled) {
-throw new KeyStoreException
-("This PKCS11KeyStore does not support write capabilities");
-}
-}
-private final static long[] LONG0 = new long[0];
-private static long[] findObjects(Session session, CK_ATTRIBUTE[] attrs)
-throws PKCS11Exception {
-Token token = session.token;
-long[] handles = LONG0;
-token.p11.C_FindObjectsInit(session.id(), attrs);
-while (true) {
-long[] h = token.p11.C_FindObjects(session.id(), FINDOBJECTS_MAX);
-if (h.length == 0) {
-break;
-}
-handles = P11Util.concat(handles, h);
-}
-token.p11.C_FindObjectsFinal(session.id());
-return handles;
-}
-}

changeset 42693	6645de32a866
parent 42692	97247477b481
child 42694	53aaff453c11