jdk-sandbox: comparison jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyStore.java

equal deleted inserted replaced

-:97247477b481
+:6645de32a866
+/*
+* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation.  Oracle designates this
+* particular file as subject to the "Classpath" exception as provided
+* by Oracle in the LICENSE file that accompanied this code.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+* or visit www.oracle.com if you need additional information or have any
+* questions.
+*/
+package sun.security.pkcs11;
+import java.math.BigInteger;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.IOException;
+import java.io.ByteArrayInputStream;
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.HashMap;
+import java.util.Set;
+import java.security.*;
+import java.security.KeyStore.*;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateException;
+import java.security.interfaces.*;
+import java.security.spec.*;
+import javax.crypto.SecretKey;
+import javax.crypto.interfaces.*;
+import javax.security.auth.x500.X500Principal;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import sun.security.util.Debug;
+import sun.security.util.DerValue;
+import sun.security.util.ECUtil;
+import sun.security.pkcs11.Secmod.*;
+import static sun.security.pkcs11.P11Util.*;
+import sun.security.pkcs11.wrapper.*;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import sun.security.rsa.RSAKeyFactory;
+final class P11KeyStore extends KeyStoreSpi {
+private static final CK_ATTRIBUTE ATTR_CLASS_CERT =
+new CK_ATTRIBUTE(CKA_CLASS, CKO_CERTIFICATE);
+private static final CK_ATTRIBUTE ATTR_CLASS_PKEY =
+new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY);
+private static final CK_ATTRIBUTE ATTR_CLASS_SKEY =
+new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY);
+private static final CK_ATTRIBUTE ATTR_X509_CERT_TYPE =
+new CK_ATTRIBUTE(CKA_CERTIFICATE_TYPE, CKC_X_509);
+private static final CK_ATTRIBUTE ATTR_TOKEN_TRUE =
+new CK_ATTRIBUTE(CKA_TOKEN, true);
+// XXX for testing purposes only
+//  - NSS doesn't support persistent secret keys
+//    (key type gets mangled if secret key is a token key)
+//  - if debug is turned on, then this is set to false
+private static CK_ATTRIBUTE ATTR_SKEY_TOKEN_TRUE = ATTR_TOKEN_TRUE;
+private static final CK_ATTRIBUTE ATTR_TRUSTED_TRUE =
+new CK_ATTRIBUTE(CKA_TRUSTED, true);
+private static final CK_ATTRIBUTE ATTR_PRIVATE_TRUE =
+new CK_ATTRIBUTE(CKA_PRIVATE, true);
+private static final long NO_HANDLE = -1;
+private static final long FINDOBJECTS_MAX = 100;
+private static final String ALIAS_SEP = "/";
+private static final boolean NSS_TEST = false;
+private static final Debug debug =
+Debug.getInstance("pkcs11keystore");
+private static boolean CKA_TRUSTED_SUPPORTED = true;
+private final Token token;
+// If multiple certs are found to share the same CKA_LABEL
+// at load time (NSS-style keystore), then the keystore is read
+// and the unique keystore aliases are mapped to the entries.
+// However, write capabilities are disabled.
+private boolean writeDisabled = false;
+// Map of unique keystore aliases to entries in the token
+private HashMap<String, AliasInfo> aliasMap;
+// whether to use NSS Secmod info for trust attributes
+private final boolean useSecmodTrust;
+// if useSecmodTrust == true, which type of trust we are interested in
+private Secmod.TrustType nssTrustType;
+/**
+* The underlying token may contain multiple certs belonging to the
+* same "personality" (for example, a signing cert and encryption cert),
+* all sharing the same CKA_LABEL.  These must be resolved
+* into unique keystore aliases.
+*
+* In addition, private keys and certs may not have a CKA_LABEL.
+* It is assumed that a private key and corresponding certificate
+* share the same CKA_ID, and that the CKA_ID is unique across the token.
+* The CKA_ID may not be human-readable.
+* These pairs must be resolved into unique keystore aliases.
+*
+* Furthermore, secret keys are assumed to have a CKA_LABEL
+* unique across the entire token.
+*
+* When the KeyStore is loaded, instances of this class are
+* created to represent the private keys/secret keys/certs
+* that reside on the token.
+*/
+private static class AliasInfo {
+// CKA_CLASS - entry type
+private CK_ATTRIBUTE type = null;
+// CKA_LABEL of cert and secret key
+private String label = null;
+// CKA_ID of the private key/cert pair
+private byte[] id = null;
+// CKA_TRUSTED - true if cert is trusted
+private boolean trusted = false;
+// either end-entity cert or trusted cert depending on 'type'
+private X509Certificate cert = null;
+// chain
+private X509Certificate[] chain = null;
+// true if CKA_ID for private key and cert match up
+private boolean matched = false;
+// SecretKeyEntry
+public AliasInfo(String label) {
+this.type = ATTR_CLASS_SKEY;
+this.label = label;
+}
+// PrivateKeyEntry
+public AliasInfo(String label,
+byte[] id,
+boolean trusted,
+X509Certificate cert) {
+this.type = ATTR_CLASS_PKEY;
+this.label = label;
+this.id = id;
+this.trusted = trusted;
+this.cert = cert;
+}
+public String toString() {
+StringBuilder sb = new StringBuilder();
+if (type == ATTR_CLASS_PKEY) {
+sb.append("\ttype=[private key]\n");
+} else if (type == ATTR_CLASS_SKEY) {
+sb.append("\ttype=[secret key]\n");
+} else if (type == ATTR_CLASS_CERT) {
+sb.append("\ttype=[trusted cert]\n");
+}
+sb.append("\tlabel=[" + label + "]\n");
+if (id == null) {
+sb.append("\tid=[null]\n");
+} else {
+sb.append("\tid=" + P11KeyStore.getID(id) + "\n");
+}
+sb.append("\ttrusted=[" + trusted + "]\n");
+sb.append("\tmatched=[" + matched + "]\n");
+if (cert == null) {
+sb.append("\tcert=[null]\n");
+} else {
+sb.append("\tcert=[\tsubject: " +
+cert.getSubjectX500Principal() +
+"\n\t\tissuer: " +
+cert.getIssuerX500Principal() +
+"\n\t\tserialNum: " +
+cert.getSerialNumber().toString() +
+"]");
+}
+return sb.toString();
+}
+}
+/**
+* callback handler for passing password to Provider.login method
+*/
+private static class PasswordCallbackHandler implements CallbackHandler {
+private char[] password;
+private PasswordCallbackHandler(char[] password) {
+if (password != null) {
+this.password = password.clone();
+}
+}
+public void handle(Callback[] callbacks)
+throws IOException, UnsupportedCallbackException {
+if (!(callbacks[0] instanceof PasswordCallback)) {
+throw new UnsupportedCallbackException(callbacks[0]);
+}
+PasswordCallback pc = (PasswordCallback)callbacks[0];
+pc.setPassword(password);  // this clones the password if not null
+}
+protected void finalize() throws Throwable {
+if (password != null) {
+Arrays.fill(password, ' ');
+}
+super.finalize();
+}
+}
+/**
+* getTokenObject return value.
+*
+* if object is not found, type is set to null.
+* otherwise, type is set to the requested type.
+*/
+private static class THandle {
+private final long handle;              // token object handle
+private final CK_ATTRIBUTE type;        // CKA_CLASS
+private THandle(long handle, CK_ATTRIBUTE type) {
+this.handle = handle;
+this.type = type;
+}
+}
+P11KeyStore(Token token) {
+this.token = token;
+this.useSecmodTrust = token.provider.nssUseSecmodTrust;
+}
+/**
+* Returns the key associated with the given alias.
+* The key must have been associated with
+* the alias by a call to <code>setKeyEntry</code>,
+* or by a call to <code>setEntry</code> with a
+* <code>PrivateKeyEntry</code> or <code>SecretKeyEntry</code>.
+*
+* @param alias the alias name
+* @param password the password, which must be <code>null</code>
+*
+* @return the requested key, or null if the given alias does not exist
+* or does not identify a key-related entry.
+*
+* @exception NoSuchAlgorithmException if the algorithm for recovering the
+* key cannot be found
+* @exception UnrecoverableKeyException if the key cannot be recovered
+*/
+public synchronized Key engineGetKey(String alias, char[] password)
+throws NoSuchAlgorithmException, UnrecoverableKeyException {
+token.ensureValid();
+if (password != null && !token.config.getKeyStoreCompatibilityMode()) {
+throw new NoSuchAlgorithmException("password must be null");
+}
+AliasInfo aliasInfo = aliasMap.get(alias);
+if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) {
+return null;
+}
+Session session = null;
+try {
+session = token.getOpSession();
+if (aliasInfo.type == ATTR_CLASS_PKEY) {
+THandle h = getTokenObject(session,
+aliasInfo.type,
+aliasInfo.id,
+null);
+if (h.type == ATTR_CLASS_PKEY) {
+return loadPkey(session, h.handle);
+}
+} else {
+THandle h = getTokenObject(session,
+ATTR_CLASS_SKEY,
+null,
+alias);
+if (h.type == ATTR_CLASS_SKEY) {
+return loadSkey(session, h.handle);
+}
+}
+// did not find anything
+return null;
+} catch (PKCS11Exception | KeyStoreException e) {
+throw new ProviderException(e);
+} finally {
+token.releaseSession(session);
+}
+}
+/**
+* Returns the certificate chain associated with the given alias.
+* The certificate chain must have been associated with the alias
+* by a call to <code>setKeyEntry</code>,
+* or by a call to <code>setEntry</code> with a
+* <code>PrivateKeyEntry</code>.
+*
+* @param alias the alias name
+*
+* @return the certificate chain (ordered with the user's certificate first
+* and the root certificate authority last), or null if the given alias
+* does not exist or does not contain a certificate chain
+*/
+public synchronized Certificate[] engineGetCertificateChain(String alias) {
+token.ensureValid();
+AliasInfo aliasInfo = aliasMap.get(alias);
+if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_PKEY) {
+return null;
+}
+return aliasInfo.chain;
+}
+/**
+* Returns the certificate associated with the given alias.
+*
+* <p> If the given alias name identifies an entry
+* created by a call to <code>setCertificateEntry</code>,
+* or created by a call to <code>setEntry</code> with a
+* <code>TrustedCertificateEntry</code>,
+* then the trusted certificate contained in that entry is returned.
+*
+* <p> If the given alias name identifies an entry
+* created by a call to <code>setKeyEntry</code>,
+* or created by a call to <code>setEntry</code> with a
+* <code>PrivateKeyEntry</code>,
+* then the first element of the certificate chain in that entry
+* (if a chain exists) is returned.
+*
+* @param alias the alias name
+*
+* @return the certificate, or null if the given alias does not exist or
+* does not contain a certificate.
+*/
+public synchronized Certificate engineGetCertificate(String alias) {
+token.ensureValid();
+AliasInfo aliasInfo = aliasMap.get(alias);
+if (aliasInfo == null) {
+return null;
+}
+return aliasInfo.cert;
+}
+/**
+* Returns the creation date of the entry identified by the given alias.
+*
+* @param alias the alias name
+*
+* @return the creation date of this entry, or null if the given alias does
+* not exist
+*/
+public Date engineGetCreationDate(String alias) {
+token.ensureValid();
+throw new ProviderException(new UnsupportedOperationException());
+}
+/**
+* Assigns the given key to the given alias, protecting it with the given
+* password.
+*
+* <p>If the given key is of type <code>java.security.PrivateKey</code>,
+* it must be accompanied by a certificate chain certifying the
+* corresponding public key.
+*
+* <p>If the given alias already exists, the keystore information
+* associated with it is overridden by the given key (and possibly
+* certificate chain).
+*
+* @param alias the alias name
+* @param key the key to be associated with the alias
+* @param password the password to protect the key
+* @param chain the certificate chain for the corresponding public
+* key (only required if the given key is of type
+* <code>java.security.PrivateKey</code>).
+*
+* @exception KeyStoreException if the given key cannot be protected, or
+* this operation fails for some other reason
+*/
+public synchronized void engineSetKeyEntry(String alias, Key key,
+char[] password,
+Certificate[] chain)
+throws KeyStoreException {
+token.ensureValid();
+checkWrite();
+if (!(key instanceof PrivateKey) && !(key instanceof SecretKey)) {
+throw new KeyStoreException("key must be PrivateKey or SecretKey");
+} else if (key instanceof PrivateKey && chain == null) {
+throw new KeyStoreException
+("PrivateKey must be accompanied by non-null chain");
+} else if (key instanceof SecretKey && chain != null) {
+throw new KeyStoreException
+("SecretKey must be accompanied by null chain");
+} else if (password != null &&
+!token.config.getKeyStoreCompatibilityMode()) {
+throw new KeyStoreException("Password must be null");
+}
+KeyStore.Entry entry = null;
+try {
+if (key instanceof PrivateKey) {
+entry = new KeyStore.PrivateKeyEntry((PrivateKey)key, chain);
+} else if (key instanceof SecretKey) {
+entry = new KeyStore.SecretKeyEntry((SecretKey)key);
+}
+} catch (NullPointerException | IllegalArgumentException e) {
+throw new KeyStoreException(e);
+}
+engineSetEntry(alias, entry, new KeyStore.PasswordProtection(password));
+}
+/**
+* Assigns the given key (that has already been protected) to the given
+* alias.
+*
+* <p>If the protected key is of type
+* <code>java.security.PrivateKey</code>,
+* it must be accompanied by a certificate chain certifying the
+* corresponding public key.
+*
+* <p>If the given alias already exists, the keystore information
+* associated with it is overridden by the given key (and possibly
+* certificate chain).
+*
+* @param alias the alias name
+* @param key the key (in protected format) to be associated with the alias
+* @param chain the certificate chain for the corresponding public
+* key (only useful if the protected key is of type
+* <code>java.security.PrivateKey</code>).
+*
+* @exception KeyStoreException if this operation fails.
+*/
+public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain)
+throws KeyStoreException {
+token.ensureValid();
+throw new ProviderException(new UnsupportedOperationException());
+}
+/**
+* Assigns the given certificate to the given alias.
+*
+* <p> If the given alias identifies an existing entry
+* created by a call to <code>setCertificateEntry</code>,
+* or created by a call to <code>setEntry</code> with a
+* <code>TrustedCertificateEntry</code>,
+* the trusted certificate in the existing entry
+* is overridden by the given certificate.
+*
+* @param alias the alias name
+* @param cert the certificate
+*
+* @exception KeyStoreException if the given alias already exists and does
+* not identify an entry containing a trusted certificate,
+* or this operation fails for some other reason.
+*/
+public synchronized void engineSetCertificateEntry
+(String alias, Certificate cert) throws KeyStoreException {
+token.ensureValid();
+checkWrite();
+if (cert == null) {
+throw new KeyStoreException("invalid null certificate");
+}
+KeyStore.Entry entry = null;
+entry = new KeyStore.TrustedCertificateEntry(cert);
+engineSetEntry(alias, entry, null);
+}
+/**
+* Deletes the entry identified by the given alias from this keystore.
+*
+* @param alias the alias name
+*
+* @exception KeyStoreException if the entry cannot be removed.
+*/
+public synchronized void engineDeleteEntry(String alias)
+throws KeyStoreException {
+token.ensureValid();
+if (token.isWriteProtected()) {
+throw new KeyStoreException("token write-protected");
+}
+checkWrite();
+deleteEntry(alias);
+}
+/**
+* XXX - not sure whether to keep this
+*/
+private boolean deleteEntry(String alias) throws KeyStoreException {
+AliasInfo aliasInfo = aliasMap.get(alias);
+if (aliasInfo != null) {
+aliasMap.remove(alias);
+try {
+if (aliasInfo.type == ATTR_CLASS_CERT) {
+// trusted certificate entry
+return destroyCert(aliasInfo.id);
+} else if (aliasInfo.type == ATTR_CLASS_PKEY) {
+// private key entry
+return destroyPkey(aliasInfo.id) &&
+destroyChain(aliasInfo.id);
+} else if (aliasInfo.type == ATTR_CLASS_SKEY) {
+// secret key entry
+return destroySkey(alias);
+} else {
+throw new KeyStoreException("unexpected entry type");
+}
+} catch (PKCS11Exception | CertificateException e) {
+throw new KeyStoreException(e);
+}
+}
+return false;
+}
+/**
+* Lists all the alias names of this keystore.
+*
+* @return enumeration of the alias names
+*/
+public synchronized Enumeration<String> engineAliases() {
+token.ensureValid();
+// don't want returned enumeration to iterate off actual keySet -
+// otherwise applications that iterate and modify the keystore
+// may run into concurrent modification problems
+return Collections.enumeration(new HashSet<String>(aliasMap.keySet()));
+}
+/**
+* Checks if the given alias exists in this keystore.
+*
+* @param alias the alias name
+*
+* @return true if the alias exists, false otherwise
+*/
+public synchronized boolean engineContainsAlias(String alias) {
+token.ensureValid();
+return aliasMap.containsKey(alias);
+}
+/**
+* Retrieves the number of entries in this keystore.
+*
+* @return the number of entries in this keystore
+*/
+public synchronized int engineSize() {
+token.ensureValid();
+return aliasMap.size();
+}
+/**
+* Returns true if the entry identified by the given alias
+* was created by a call to <code>setKeyEntry</code>,
+* or created by a call to <code>setEntry</code> with a
+* <code>PrivateKeyEntry</code> or a <code>SecretKeyEntry</code>.
+*
+* @param alias the alias for the keystore entry to be checked
+*
+* @return true if the entry identified by the given alias is a
+* key-related, false otherwise.
+*/
+public synchronized boolean engineIsKeyEntry(String alias) {
+token.ensureValid();
+AliasInfo aliasInfo = aliasMap.get(alias);
+if (aliasInfo == null || aliasInfo.type == ATTR_CLASS_CERT) {
+return false;
+}
+return true;
+}
+/**
+* Returns true if the entry identified by the given alias
+* was created by a call to <code>setCertificateEntry</code>,
+* or created by a call to <code>setEntry</code> with a
+* <code>TrustedCertificateEntry</code>.
+*
+* @param alias the alias for the keystore entry to be checked
+*
+* @return true if the entry identified by the given alias contains a
+* trusted certificate, false otherwise.
+*/
+public synchronized boolean engineIsCertificateEntry(String alias) {
+token.ensureValid();
+AliasInfo aliasInfo = aliasMap.get(alias);
+if (aliasInfo == null || aliasInfo.type != ATTR_CLASS_CERT) {
+return false;
+}
+return true;
+}
+/**
+* Returns the (alias) name of the first keystore entry whose certificate
+* matches the given certificate.
+*
+* <p>This method attempts to match the given certificate with each
+* keystore entry. If the entry being considered was
+* created by a call to <code>setCertificateEntry</code>,
+* or created by a call to <code>setEntry</code> with a
+* <code>TrustedCertificateEntry</code>,
+* then the given certificate is compared to that entry's certificate.
+*
+* <p> If the entry being considered was
+* created by a call to <code>setKeyEntry</code>,
+* or created by a call to <code>setEntry</code> with a
+* <code>PrivateKeyEntry</code>,
+* then the given certificate is compared to the first
+* element of that entry's certificate chain.
+*
+* @param cert the certificate to match with.
+*
+* @return the alias name of the first entry with matching certificate,
+* or null if no such entry exists in this keystore.
+*/
+public synchronized String engineGetCertificateAlias(Certificate cert) {
+token.ensureValid();
+Enumeration<String> e = engineAliases();
+while (e.hasMoreElements()) {
+String alias = e.nextElement();
+Certificate tokenCert = engineGetCertificate(alias);
+if (tokenCert != null && tokenCert.equals(cert)) {
+return alias;
+}
+}
+return null;
+}
+/**
+* engineStore currently is a No-op.
+* Entries are stored to the token during engineSetEntry
+*
+* @param stream this must be <code>null</code>
+* @param password this must be <code>null</code>
+*/
+public synchronized void engineStore(OutputStream stream, char[] password)
+throws IOException, NoSuchAlgorithmException, CertificateException {
+token.ensureValid();
+if (stream != null && !token.config.getKeyStoreCompatibilityMode()) {
+throw new IOException("output stream must be null");
+}
+if (password != null && !token.config.getKeyStoreCompatibilityMode()) {
+throw new IOException("password must be null");
+}
+}
+/**
+* engineStore currently is a No-op.
+* Entries are stored to the token during engineSetEntry
+*
+* @param param this must be <code>null</code>
+*
+* @exception IllegalArgumentException if the given
+*          <code>KeyStore.LoadStoreParameter</code>
+*          input is not <code>null</code>
+*/
+public synchronized void engineStore(KeyStore.LoadStoreParameter param)
+throws IOException, NoSuchAlgorithmException, CertificateException {
+token.ensureValid();
+if (param != null) {
+throw new IllegalArgumentException
+("LoadStoreParameter must be null");
+}
+}
+/**
+* Loads the keystore.
+*
+* @param stream the input stream, which must be <code>null</code>
+* @param password the password used to unlock the keystore,
+*          or <code>null</code> if the token supports a
+*          CKF_PROTECTED_AUTHENTICATION_PATH
+*
+* @exception IOException if the given <code>stream</code> is not
+*          <code>null</code>, if the token supports a
+*          CKF_PROTECTED_AUTHENTICATION_PATH and a non-null
+*          password is given, of if the token login operation failed
+*/
+public synchronized void engineLoad(InputStream stream, char[] password)
+throws IOException, NoSuchAlgorithmException, CertificateException {
+token.ensureValid();
+if (NSS_TEST) {
+ATTR_SKEY_TOKEN_TRUE = new CK_ATTRIBUTE(CKA_TOKEN, false);
+}
+if (stream != null && !token.config.getKeyStoreCompatibilityMode()) {
+throw new IOException("input stream must be null");
+}
+if (useSecmodTrust) {
+nssTrustType = Secmod.TrustType.ALL;
+}
+try {
+if (password == null) {
+login(null);
+} else {
+login(new PasswordCallbackHandler(password));
+}
+} catch(LoginException e) {
+Throwable cause = e.getCause();
+if (cause instanceof PKCS11Exception) {
+PKCS11Exception pe = (PKCS11Exception) cause;
+if (pe.getErrorCode() == CKR_PIN_INCORRECT) {
+// if password is wrong, the cause of the IOException
+// should be an UnrecoverableKeyException
+throw new IOException("load failed",
+new UnrecoverableKeyException().initCause(e));
+}
+}
+throw new IOException("load failed", e);
+}
+try {
+if (mapLabels() == true) {
+// CKA_LABELs are shared by multiple certs
+writeDisabled = true;
+}
+if (debug != null) {
+dumpTokenMap();
+}
+} catch (KeyStoreException | PKCS11Exception e) {
+throw new IOException("load failed", e);
+}
+}
+/**
+* Loads the keystore using the given
+* <code>KeyStore.LoadStoreParameter</code>.
+*
+* <p> The <code>LoadStoreParameter.getProtectionParameter()</code>
+* method is expected to return a <code>KeyStore.PasswordProtection</code>
+* object.  The password is retrieved from that object and used
+* to unlock the PKCS#11 token.
+*
+* <p> If the token supports a CKF_PROTECTED_AUTHENTICATION_PATH
+* then the provided password must be <code>null</code>.
+*
+* @param param the <code>KeyStore.LoadStoreParameter</code>
+*
+* @exception IllegalArgumentException if the given
+*          <code>KeyStore.LoadStoreParameter</code> is <code>null</code>,
+*          or if that parameter returns a <code>null</code>
+*          <code>ProtectionParameter</code> object.
+*          input is not recognized
+* @exception IOException if the token supports a
+*          CKF_PROTECTED_AUTHENTICATION_PATH and the provided password
+*          is non-null, or if the token login operation fails
+*/
+public synchronized void engineLoad(KeyStore.LoadStoreParameter param)
+throws IOException, NoSuchAlgorithmException,
+CertificateException {
+token.ensureValid();
+if (NSS_TEST) {
+ATTR_SKEY_TOKEN_TRUE = new CK_ATTRIBUTE(CKA_TOKEN, false);
+}
+// if caller wants to pass a NULL password,
+// force it to pass a non-NULL PasswordProtection that returns
+// a NULL password
+if (param == null) {
+throw new IllegalArgumentException
+("invalid null LoadStoreParameter");
+}
+if (useSecmodTrust) {
+if (param instanceof Secmod.KeyStoreLoadParameter) {
+nssTrustType = ((Secmod.KeyStoreLoadParameter)param).getTrustType();
+} else {
+nssTrustType = Secmod.TrustType.ALL;
+}
+}
+CallbackHandler handler;
+KeyStore.ProtectionParameter pp = param.getProtectionParameter();
+if (pp instanceof PasswordProtection) {
+char[] password = ((PasswordProtection)pp).getPassword();
+if (password == null) {
+handler = null;
+} else {
+handler = new PasswordCallbackHandler(password);
+}
+} else if (pp instanceof CallbackHandlerProtection) {
+handler = ((CallbackHandlerProtection)pp).getCallbackHandler();
+} else {
+throw new IllegalArgumentException
+("ProtectionParameter must be either " +
+"PasswordProtection or CallbackHandlerProtection");
+}
+try {
+login(handler);
+if (mapLabels() == true) {
+// CKA_LABELs are shared by multiple certs
+writeDisabled = true;
+}
+if (debug != null) {
+dumpTokenMap();
+}
+} catch (LoginException | KeyStoreException | PKCS11Exception e) {
+throw new IOException("load failed", e);
+}
+}
+private void login(CallbackHandler handler) throws LoginException {
+if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) {
+token.provider.login(null, handler);
+} else {
+// token supports protected authentication path
+// (external pin-pad, for example)
+if (handler != null &&
+!token.config.getKeyStoreCompatibilityMode()) {
+throw new LoginException("can not specify password if token " +
+"supports protected authentication path");
+}
+// must rely on application-set or default handler
+// if one is necessary
+token.provider.login(null, null);
+}
+}
+/**
+* Get a <code>KeyStore.Entry</code> for the specified alias
+*
+* @param alias get the <code>KeyStore.Entry</code> for this alias
+* @param protParam this must be <code>null</code>
+*
+* @return the <code>KeyStore.Entry</code> for the specified alias,
+*          or <code>null</code> if there is no such entry
+*
+* @exception KeyStoreException if the operation failed
+* @exception NoSuchAlgorithmException if the algorithm for recovering the
+*          entry cannot be found
+* @exception UnrecoverableEntryException if the specified
+*          <code>protParam</code> were insufficient or invalid
+*
+* @since 1.5
+*/
+public synchronized KeyStore.Entry engineGetEntry(String alias,
+KeyStore.ProtectionParameter protParam)
+throws KeyStoreException, NoSuchAlgorithmException,
+UnrecoverableEntryException {
+token.ensureValid();
+if (protParam != null &&
+protParam instanceof KeyStore.PasswordProtection &&
+((KeyStore.PasswordProtection)protParam).getPassword() != null &&
+!token.config.getKeyStoreCompatibilityMode()) {
+throw new KeyStoreException("ProtectionParameter must be null");
+}
+AliasInfo aliasInfo = aliasMap.get(alias);
+if (aliasInfo == null) {
+if (debug != null) {
+debug.println("engineGetEntry did not find alias [" +
+alias +
+"] in map");
+}
+return null;
+}
+Session session = null;
+try {
+session = token.getOpSession();
+if (aliasInfo.type == ATTR_CLASS_CERT) {
+// trusted certificate entry
+if (debug != null) {
+debug.println("engineGetEntry found trusted cert entry");
+}
+return new KeyStore.TrustedCertificateEntry(aliasInfo.cert);
+} else if (aliasInfo.type == ATTR_CLASS_SKEY) {
+// secret key entry
+if (debug != null) {
+debug.println("engineGetEntry found secret key entry");
+}
+THandle h = getTokenObject
+(session, ATTR_CLASS_SKEY, null, aliasInfo.label);
+if (h.type != ATTR_CLASS_SKEY) {
+throw new KeyStoreException
+("expected but could not find secret key");
+} else {
+SecretKey skey = loadSkey(session, h.handle);
+return new KeyStore.SecretKeyEntry(skey);
+}
+} else {
+// private key entry
+if (debug != null) {
+debug.println("engineGetEntry found private key entry");
+}
+THandle h = getTokenObject
+(session, ATTR_CLASS_PKEY, aliasInfo.id, null);
+if (h.type != ATTR_CLASS_PKEY) {
+throw new KeyStoreException
+("expected but could not find private key");
+} else {
+PrivateKey pkey = loadPkey(session, h.handle);
+Certificate[] chain = aliasInfo.chain;
+if ((pkey != null) && (chain != null)) {
+return new KeyStore.PrivateKeyEntry(pkey, chain);
+} else {
+if (debug != null) {
+debug.println
+("engineGetEntry got null cert chain or private key");
+}
+}
+}
+}
+return null;
+} catch (PKCS11Exception pe) {
+throw new KeyStoreException(pe);
+} finally {
+token.releaseSession(session);
+}
+}
+/**
+* Save a <code>KeyStore.Entry</code> under the specified alias.
+*
+* <p> If an entry already exists for the specified alias,
+* it is overridden.
+*
+* <p> This KeyStore implementation only supports the standard
+* entry types, and only supports X509Certificates in
+* TrustedCertificateEntries.  Also, this implementation does not support
+* protecting entries using a different password
+* from the one used for token login.
+*
+* <p> Entries are immediately stored on the token.
+*
+* @param alias save the <code>KeyStore.Entry</code> under this alias
+* @param entry the <code>Entry</code> to save
+* @param protParam this must be <code>null</code>
+*
+* @exception KeyStoreException if this operation fails
+*
+* @since 1.5
+*/
+public synchronized void engineSetEntry(String alias, KeyStore.Entry entry,
+KeyStore.ProtectionParameter protParam)
+throws KeyStoreException {
+token.ensureValid();
+checkWrite();
+if (protParam != null &&
+protParam instanceof KeyStore.PasswordProtection &&
+((KeyStore.PasswordProtection)protParam).getPassword() != null &&
+!token.config.getKeyStoreCompatibilityMode()) {
+throw new KeyStoreException(new UnsupportedOperationException
+("ProtectionParameter must be null"));
+}
+if (token.isWriteProtected()) {
+throw new KeyStoreException("token write-protected");
+}
+if (entry instanceof KeyStore.TrustedCertificateEntry) {
+if (useSecmodTrust == false) {
+// PKCS #11 does not allow app to modify trusted certs -
+throw new KeyStoreException(new UnsupportedOperationException
+("trusted certificates may only be set by " +
+"token initialization application"));
+}
+Module module = token.provider.nssModule;
+if ((module.type != ModuleType.KEYSTORE) && (module.type != ModuleType.FIPS)) {
+// XXX allow TRUSTANCHOR module
+throw new KeyStoreException("Trusted certificates can only be "
++ "added to the NSS KeyStore module");
+}
+Certificate cert = ((TrustedCertificateEntry)entry).getTrustedCertificate();
+if (cert instanceof X509Certificate == false) {
+throw new KeyStoreException("Certificate must be an X509Certificate");
+}
+X509Certificate xcert = (X509Certificate)cert;
+AliasInfo info = aliasMap.get(alias);
+if (info != null) {
+// XXX try to update
+deleteEntry(alias);
+}
+try {
+storeCert(alias, xcert);
+module.setTrust(token, xcert);
+mapLabels();
+} catch (PKCS11Exception | CertificateException e) {
+throw new KeyStoreException(e);
+}
+} else {
+if (entry instanceof KeyStore.PrivateKeyEntry) {
+PrivateKey key =
+((KeyStore.PrivateKeyEntry)entry).getPrivateKey();
+if (!(key instanceof P11Key) &&
+!(key instanceof RSAPrivateKey) &&
+!(key instanceof DSAPrivateKey) &&
+!(key instanceof DHPrivateKey) &&
+!(key instanceof ECPrivateKey)) {
+throw new KeyStoreException("unsupported key type: " +
+key.getClass().getName());
+}
+// only support X509Certificate chains
+Certificate[] chain =
+((KeyStore.PrivateKeyEntry)entry).getCertificateChain();
+if (!(chain instanceof X509Certificate[])) {
+throw new KeyStoreException
+(new UnsupportedOperationException
+("unsupported certificate array type: " +
+chain.getClass().getName()));
+}
+try {
+boolean updatedAlias = false;
+Set<String> aliases = aliasMap.keySet();
+for (String oldAlias : aliases) {
+// see if there's an existing entry with the same info
+AliasInfo aliasInfo = aliasMap.get(oldAlias);
+if (aliasInfo.type == ATTR_CLASS_PKEY &&
+aliasInfo.cert.getPublicKey().equals
+(chain[0].getPublicKey())) {
+// found existing entry -
+// caller is renaming entry or updating cert chain
+//
+// set new CKA_LABEL/CKA_ID
+// and update certs if necessary
+updatePkey(alias,
+aliasInfo.id,
+(X509Certificate[])chain,
+!aliasInfo.cert.equals(chain[0]));
+updatedAlias = true;
+break;
+}
+}
+if (!updatedAlias) {
+// caller adding new entry
+engineDeleteEntry(alias);
+storePkey(alias, (KeyStore.PrivateKeyEntry)entry);
+}
+} catch (PKCS11Exception | CertificateException pe) {
+throw new KeyStoreException(pe);
+}
+} else if (entry instanceof KeyStore.SecretKeyEntry) {
+KeyStore.SecretKeyEntry ske = (KeyStore.SecretKeyEntry)entry;
+SecretKey skey = ske.getSecretKey();
+try {
+// first check if the key already exists
+AliasInfo aliasInfo = aliasMap.get(alias);
+if (aliasInfo != null) {
+engineDeleteEntry(alias);
+}
+storeSkey(alias, ske);
+} catch (PKCS11Exception pe) {
+throw new KeyStoreException(pe);
+}
+} else {
+throw new KeyStoreException(new UnsupportedOperationException
+("unsupported entry type: " + entry.getClass().getName()));
+}
+try {
+// XXX  NSS does not write out the CKA_ID we pass to them
+//
+// therefore we must re-map labels
+// (can not simply update aliasMap)
+mapLabels();
+if (debug != null) {
+dumpTokenMap();
+}
+} catch (PKCS11Exception | CertificateException pe) {
+throw new KeyStoreException(pe);
+}
+}
+if (debug != null) {
+debug.println
+("engineSetEntry added new entry for [" +
+alias +
+"] to token");
+}
+}
+/**
+* Determines if the keystore <code>Entry</code> for the specified
+* <code>alias</code> is an instance or subclass of the specified
+* <code>entryClass</code>.
+*
+* @param alias the alias name
+* @param entryClass the entry class
+*
+* @return true if the keystore <code>Entry</code> for the specified
+*          <code>alias</code> is an instance or subclass of the
+*          specified <code>entryClass</code>, false otherwise
+*/
+public synchronized boolean engineEntryInstanceOf
+(String alias, Class<? extends KeyStore.Entry> entryClass) {
+token.ensureValid();
+return super.engineEntryInstanceOf(alias, entryClass);
+}
+private X509Certificate loadCert(Session session, long oHandle)
+throws PKCS11Exception, CertificateException {
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[]
+{ new CK_ATTRIBUTE(CKA_VALUE) };
+token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
+byte[] bytes = attrs[0].getByteArray();
+if (bytes == null) {
+throw new CertificateException
+("unexpectedly retrieved null byte array");
+}
+CertificateFactory cf = CertificateFactory.getInstance("X.509");
+return (X509Certificate)cf.generateCertificate
+(new ByteArrayInputStream(bytes));
+}
+private X509Certificate[] loadChain(Session session,
+X509Certificate endCert)
+throws PKCS11Exception, CertificateException {
+ArrayList<X509Certificate> lChain = null;
+if (endCert.getSubjectX500Principal().equals
+(endCert.getIssuerX500Principal())) {
+// self signed
+return new X509Certificate[] { endCert };
+} else {
+lChain = new ArrayList<X509Certificate>();
+lChain.add(endCert);
+}
+// try loading remaining certs in chain by following
+// issuer->subject links
+X509Certificate next = endCert;
+while (true) {
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_CERT,
+new CK_ATTRIBUTE(CKA_SUBJECT,
+next.getIssuerX500Principal().getEncoded()) };
+long[] ch = findObjects(session, attrs);
+if (ch == null || ch.length == 0) {
+// done
+break;
+} else {
+// if more than one found, use first
+if (debug != null && ch.length > 1) {
+debug.println("engineGetEntry found " +
+ch.length +
+" certificate entries for subject [" +
+next.getIssuerX500Principal().toString() +
+"] in token - using first entry");
+}
+next = loadCert(session, ch[0]);
+lChain.add(next);
+if (next.getSubjectX500Principal().equals
+(next.getIssuerX500Principal())) {
+// self signed
+break;
+}
+}
+}
+return lChain.toArray(new X509Certificate[lChain.size()]);
+}
+private SecretKey loadSkey(Session session, long oHandle)
+throws PKCS11Exception {
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+new CK_ATTRIBUTE(CKA_KEY_TYPE) };
+token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
+long kType = attrs[0].getLong();
+String keyType = null;
+int keyLength = -1;
+// XXX NSS mangles the stored key type for secret key token objects
+if (kType == CKK_DES || kType == CKK_DES3) {
+if (kType == CKK_DES) {
+keyType = "DES";
+keyLength = 64;
+} else if (kType == CKK_DES3) {
+keyType = "DESede";
+keyLength = 192;
+}
+} else {
+if (kType == CKK_AES) {
+keyType = "AES";
+} else if (kType == CKK_BLOWFISH) {
+keyType = "Blowfish";
+} else if (kType == CKK_RC4) {
+keyType = "ARCFOUR";
+} else {
+if (debug != null) {
+debug.println("unknown key type [" +
+kType +
+"] - using 'Generic Secret'");
+}
+keyType = "Generic Secret";
+}
+// XXX NSS problem CKR_ATTRIBUTE_TYPE_INVALID?
+if (NSS_TEST) {
+keyLength = 128;
+} else {
+attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_VALUE_LEN) };
+token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
+keyLength = (int)attrs[0].getLong();
+}
+}
+return P11Key.secretKey(session, oHandle, keyType, keyLength, null);
+}
+private PrivateKey loadPkey(Session session, long oHandle)
+throws PKCS11Exception, KeyStoreException {
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+new CK_ATTRIBUTE(CKA_KEY_TYPE) };
+token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
+long kType = attrs[0].getLong();
+String keyType = null;
+int keyLength = 0;
+if (kType == CKK_RSA) {
+keyType = "RSA";
+attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_MODULUS) };
+token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
+BigInteger modulus = attrs[0].getBigInteger();
+keyLength = modulus.bitLength();
+// This check will combine our "don't care" values here
+// with the system-wide min/max values.
+try {
+RSAKeyFactory.checkKeyLengths(keyLength, null,
+-1, Integer.MAX_VALUE);
+} catch (InvalidKeyException e) {
+throw new KeyStoreException(e.getMessage());
+}
+return P11Key.privateKey(session,
+oHandle,
+keyType,
+keyLength,
+null);
+} else if (kType == CKK_DSA) {
+keyType = "DSA";
+attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_PRIME) };
+token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
+BigInteger prime = attrs[0].getBigInteger();
+keyLength = prime.bitLength();
+return P11Key.privateKey(session,
+oHandle,
+keyType,
+keyLength,
+null);
+} else if (kType == CKK_DH) {
+keyType = "DH";
+attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_PRIME) };
+token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
+BigInteger prime = attrs[0].getBigInteger();
+keyLength = prime.bitLength();
+return P11Key.privateKey(session,
+oHandle,
+keyType,
+keyLength,
+null);
+} else if (kType == CKK_EC) {
+attrs = new CK_ATTRIBUTE[] {
+new CK_ATTRIBUTE(CKA_EC_PARAMS),
+};
+token.p11.C_GetAttributeValue(session.id(), oHandle, attrs);
+byte[] encodedParams = attrs[0].getByteArray();
+try {
+ECParameterSpec params =
+ECUtil.getECParameterSpec(null, encodedParams);
+keyLength = params.getCurve().getField().getFieldSize();
+} catch (IOException e) {
+// we do not want to accept key with unsupported parameters
+throw new KeyStoreException("Unsupported parameters", e);
+}
+return P11Key.privateKey(session, oHandle, "EC", keyLength, null);
+} else {
+if (debug != null) {
+debug.println("unknown key type [" + kType + "]");
+}
+throw new KeyStoreException("unknown key type");
+}
+}
+/**
+* XXX  On ibutton, when you C_SetAttribute(CKA_ID) for a private key
+*      it not only changes the CKA_ID of the private key,
+*      it changes the CKA_ID of the corresponding cert too.
+*      And vice versa.
+*
+* XXX  On ibutton, CKR_DEVICE_ERROR if you C_SetAttribute(CKA_ID)
+*      for a private key, and then try to delete the corresponding cert.
+*      So this code reverses the order.
+*      After the cert is first destroyed (if necessary),
+*      then the CKA_ID of the private key can be changed successfully.
+*
+* @param replaceCert if true, then caller is updating alias info for
+*                  existing cert (only update CKA_ID/CKA_LABEL).
+*                  if false, then caller is updating cert chain
+*                  (delete old end cert and add new chain).
+*/
+private void updatePkey(String alias,
+byte[] cka_id,
+X509Certificate[] chain,
+boolean replaceCert) throws
+KeyStoreException, CertificateException, PKCS11Exception {
+// XXX
+//
+// always set replaceCert to true
+//
+// NSS does not allow resetting of CKA_LABEL on an existing cert
+// (C_SetAttribute call succeeds, but is ignored)
+replaceCert = true;
+Session session = null;
+try {
+session = token.getOpSession();
+// first get private key object handle and hang onto it
+THandle h = getTokenObject(session, ATTR_CLASS_PKEY, cka_id, null);
+long pKeyHandle;
+if (h.type == ATTR_CLASS_PKEY) {
+pKeyHandle = h.handle;
+} else {
+throw new KeyStoreException
+("expected but could not find private key " +
+"with CKA_ID " +
+getID(cka_id));
+}
+// next find existing end entity cert
+h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null);
+if (h.type != ATTR_CLASS_CERT) {
+throw new KeyStoreException
+("expected but could not find certificate " +
+"with CKA_ID " +
+getID(cka_id));
+} else {
+if (replaceCert) {
+// replacing existing cert and chain
+destroyChain(cka_id);
+} else {
+// renaming alias for existing cert
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+new CK_ATTRIBUTE(CKA_LABEL, alias),
+new CK_ATTRIBUTE(CKA_ID, alias) };
+token.p11.C_SetAttributeValue
+(session.id(), h.handle, attrs);
+}
+}
+// add new chain
+if (replaceCert) {
+// add all certs in chain
+storeChain(alias, chain);
+} else {
+// already updated alias info for existing end cert -
+// just update CA certs
+storeCaCerts(chain, 1);
+}
+// finally update CKA_ID for private key
+//
+// ibutton may have already done this (that is ok)
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+new CK_ATTRIBUTE(CKA_ID, alias) };
+token.p11.C_SetAttributeValue(session.id(), pKeyHandle, attrs);
+if (debug != null) {
+debug.println("updatePkey set new alias [" +
+alias +
+"] for private key entry");
+}
+} finally {
+token.releaseSession(session);
+}
+}
+private void updateP11Pkey(String alias, CK_ATTRIBUTE attribute, P11Key key)
+throws PKCS11Exception {
+// if token key, update alias.
+// if session key, convert to token key.
+Session session = null;
+try {
+session = token.getOpSession();
+if (key.tokenObject == true) {
+// token key - set new CKA_ID
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+new CK_ATTRIBUTE(CKA_ID, alias) };
+token.p11.C_SetAttributeValue
+(session.id(), key.keyID, attrs);
+if (debug != null) {
+debug.println("updateP11Pkey set new alias [" +
+alias +
+"] for key entry");
+}
+} else {
+// session key - convert to token key and set CKA_ID
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+new CK_ATTRIBUTE(CKA_ID, alias),
+};
+if (attribute != null) {
+attrs = addAttribute(attrs, attribute);
+}
+token.p11.C_CopyObject(session.id(), key.keyID, attrs);
+if (debug != null) {
+debug.println("updateP11Pkey copied private session key " +
+"for [" +
+alias +
+"] to token entry");
+}
+}
+} finally {
+token.releaseSession(session);
+}
+}
+private void storeCert(String alias, X509Certificate cert)
+throws PKCS11Exception, CertificateException {
+ArrayList<CK_ATTRIBUTE> attrList = new ArrayList<CK_ATTRIBUTE>();
+attrList.add(ATTR_TOKEN_TRUE);
+attrList.add(ATTR_CLASS_CERT);
+attrList.add(ATTR_X509_CERT_TYPE);
+attrList.add(new CK_ATTRIBUTE(CKA_SUBJECT,
+cert.getSubjectX500Principal().getEncoded()));
+attrList.add(new CK_ATTRIBUTE(CKA_ISSUER,
+cert.getIssuerX500Principal().getEncoded()));
+attrList.add(new CK_ATTRIBUTE(CKA_SERIAL_NUMBER,
+cert.getSerialNumber().toByteArray()));
+attrList.add(new CK_ATTRIBUTE(CKA_VALUE, cert.getEncoded()));
+if (alias != null) {
+attrList.add(new CK_ATTRIBUTE(CKA_LABEL, alias));
+attrList.add(new CK_ATTRIBUTE(CKA_ID, alias));
+} else {
+// ibutton requires something to be set
+// - alias must be unique
+attrList.add(new CK_ATTRIBUTE(CKA_ID,
+getID(cert.getSubjectX500Principal().getName
+(X500Principal.CANONICAL), cert)));
+}
+Session session = null;
+try {
+session = token.getOpSession();
+token.p11.C_CreateObject(session.id(),
+attrList.toArray(new CK_ATTRIBUTE[attrList.size()]));
+} finally {
+token.releaseSession(session);
+}
+}
+private void storeChain(String alias, X509Certificate[] chain)
+throws PKCS11Exception, CertificateException {
+// add new chain
+//
+// end cert has CKA_LABEL and CKA_ID set to alias.
+// other certs in chain have neither set.
+storeCert(alias, chain[0]);
+storeCaCerts(chain, 1);
+}
+private void storeCaCerts(X509Certificate[] chain, int start)
+throws PKCS11Exception, CertificateException {
+// do not add duplicate CA cert if already in token
+//
+// XXX   ibutton stores duplicate CA certs, NSS does not
+Session session = null;
+HashSet<X509Certificate> cacerts = new HashSet<X509Certificate>();
+try {
+session = token.getOpSession();
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_CERT };
+long[] handles = findObjects(session, attrs);
+// load certs currently on the token
+for (long handle : handles) {
+cacerts.add(loadCert(session, handle));
+}
+} finally {
+token.releaseSession(session);
+}
+for (int i = start; i < chain.length; i++) {
+if (!cacerts.contains(chain[i])) {
+storeCert(null, chain[i]);
+} else if (debug != null) {
+debug.println("ignoring duplicate CA cert for [" +
+chain[i].getSubjectX500Principal() +
+"]");
+}
+}
+}
+private void storeSkey(String alias, KeyStore.SecretKeyEntry ske)
+throws PKCS11Exception, KeyStoreException {
+SecretKey skey = ske.getSecretKey();
+// No need to specify CKA_CLASS, CKA_KEY_TYPE, CKA_VALUE since
+// they are handled in P11SecretKeyFactory.createKey() method.
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+ATTR_SKEY_TOKEN_TRUE,
+ATTR_PRIVATE_TRUE,
+new CK_ATTRIBUTE(CKA_LABEL, alias),
+};
+try {
+P11SecretKeyFactory.convertKey(token, skey, null, attrs);
+} catch (InvalidKeyException ike) {
+// re-throw KeyStoreException to match javadoc
+throw new KeyStoreException("Cannot convert to PKCS11 keys", ike);
+}
+// update global alias map
+aliasMap.put(alias, new AliasInfo(alias));
+if (debug != null) {
+debug.println("storeSkey created token secret key for [" +
+alias + "]");
+}
+}
+private static CK_ATTRIBUTE[] addAttribute(CK_ATTRIBUTE[] attrs, CK_ATTRIBUTE attr) {
+int n = attrs.length;
+CK_ATTRIBUTE[] newAttrs = new CK_ATTRIBUTE[n + 1];
+System.arraycopy(attrs, 0, newAttrs, 0, n);
+newAttrs[n] = attr;
+return newAttrs;
+}
+private void storePkey(String alias, KeyStore.PrivateKeyEntry pke)
+throws PKCS11Exception, CertificateException, KeyStoreException  {
+PrivateKey key = pke.getPrivateKey();
+CK_ATTRIBUTE[] attrs = null;
+// If the key is a token object on this token, update it instead
+// of creating a duplicate key object.
+// Otherwise, treat a P11Key like any other key, if it is extractable.
+if (key instanceof P11Key) {
+P11Key p11Key = (P11Key)key;
+if (p11Key.tokenObject && (p11Key.token == this.token)) {
+updateP11Pkey(alias, null, p11Key);
+storeChain(alias, (X509Certificate[])pke.getCertificateChain());
+return;
+}
+}
+boolean useNDB = token.config.getNssNetscapeDbWorkaround();
+PublicKey publicKey = pke.getCertificate().getPublicKey();
+if (key instanceof RSAPrivateKey) {
+X509Certificate cert = (X509Certificate)pke.getCertificate();
+attrs = getRsaPrivKeyAttrs
+(alias, (RSAPrivateKey)key, cert.getSubjectX500Principal());
+} else if (key instanceof DSAPrivateKey) {
+DSAPrivateKey dsaKey = (DSAPrivateKey)key;
+CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
+if (idAttrs[0] == null) {
+idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias);
+}
+attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_PKEY,
+ATTR_PRIVATE_TRUE,
+new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DSA),
+idAttrs[0],
+new CK_ATTRIBUTE(CKA_PRIME, dsaKey.getParams().getP()),
+new CK_ATTRIBUTE(CKA_SUBPRIME, dsaKey.getParams().getQ()),
+new CK_ATTRIBUTE(CKA_BASE, dsaKey.getParams().getG()),
+new CK_ATTRIBUTE(CKA_VALUE, dsaKey.getX()),
+};
+if (idAttrs[1] != null) {
+attrs = addAttribute(attrs, idAttrs[1]);
+}
+attrs = token.getAttributes
+(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DSA, attrs);
+if (debug != null) {
+debug.println("storePkey created DSA template");
+}
+} else if (key instanceof DHPrivateKey) {
+DHPrivateKey dhKey = (DHPrivateKey)key;
+CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
+if (idAttrs[0] == null) {
+idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias);
+}
+attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_PKEY,
+ATTR_PRIVATE_TRUE,
+new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_DH),
+idAttrs[0],
+new CK_ATTRIBUTE(CKA_PRIME, dhKey.getParams().getP()),
+new CK_ATTRIBUTE(CKA_BASE, dhKey.getParams().getG()),
+new CK_ATTRIBUTE(CKA_VALUE, dhKey.getX()),
+};
+if (idAttrs[1] != null) {
+attrs = addAttribute(attrs, idAttrs[1]);
+}
+attrs = token.getAttributes
+(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_DH, attrs);
+} else if (key instanceof ECPrivateKey) {
+ECPrivateKey ecKey = (ECPrivateKey)key;
+CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, useNDB);
+if (idAttrs[0] == null) {
+idAttrs[0] = new CK_ATTRIBUTE(CKA_ID, alias);
+}
+byte[] encodedParams =
+ECUtil.encodeECParameterSpec(null, ecKey.getParams());
+attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_PKEY,
+ATTR_PRIVATE_TRUE,
+new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC),
+idAttrs[0],
+new CK_ATTRIBUTE(CKA_VALUE, ecKey.getS()),
+new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams),
+};
+if (idAttrs[1] != null) {
+attrs = addAttribute(attrs, idAttrs[1]);
+}
+attrs = token.getAttributes
+(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_EC, attrs);
+if (debug != null) {
+debug.println("storePkey created EC template");
+}
+} else if (key instanceof P11Key) {
+// sensitive/non-extractable P11Key
+P11Key p11Key = (P11Key)key;
+if (p11Key.token != this.token) {
+throw new KeyStoreException
+("Cannot move sensitive keys across tokens");
+}
+CK_ATTRIBUTE netscapeDB = null;
+if (useNDB) {
+// Note that this currently fails due to an NSS bug.
+// They do not allow the CKA_NETSCAPE_DB attribute to be
+// specified during C_CopyObject() and fail with
+// CKR_ATTRIBUTE_READ_ONLY.
+// But if we did not specify it, they would fail with
+// CKA_TEMPLATE_INCOMPLETE, so leave this code in here.
+CK_ATTRIBUTE[] idAttrs = getIdAttributes(key, publicKey, false, true);
+netscapeDB = idAttrs[1];
+}
+// Update the key object.
+updateP11Pkey(alias, netscapeDB, p11Key);
+storeChain(alias, (X509Certificate[])pke.getCertificateChain());
+return;
+} else {
+throw new KeyStoreException("unsupported key type: " + key);
+}
+Session session = null;
+try {
+session = token.getOpSession();
+// create private key entry
+token.p11.C_CreateObject(session.id(), attrs);
+if (debug != null) {
+debug.println("storePkey created token key for [" +
+alias +
+"]");
+}
+} finally {
+token.releaseSession(session);
+}
+storeChain(alias, (X509Certificate[])pke.getCertificateChain());
+}
+private CK_ATTRIBUTE[] getRsaPrivKeyAttrs(String alias,
+RSAPrivateKey key,
+X500Principal subject) throws PKCS11Exception {
+// subject is currently ignored - could be used to set CKA_SUBJECT
+CK_ATTRIBUTE[] attrs = null;
+if (key instanceof RSAPrivateCrtKey) {
+if (debug != null) {
+debug.println("creating RSAPrivateCrtKey attrs");
+}
+RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key;
+attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_PKEY,
+ATTR_PRIVATE_TRUE,
+new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA),
+new CK_ATTRIBUTE(CKA_ID, alias),
+new CK_ATTRIBUTE(CKA_MODULUS,
+rsaKey.getModulus()),
+new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT,
+rsaKey.getPrivateExponent()),
+new CK_ATTRIBUTE(CKA_PUBLIC_EXPONENT,
+rsaKey.getPublicExponent()),
+new CK_ATTRIBUTE(CKA_PRIME_1,
+rsaKey.getPrimeP()),
+new CK_ATTRIBUTE(CKA_PRIME_2,
+rsaKey.getPrimeQ()),
+new CK_ATTRIBUTE(CKA_EXPONENT_1,
+rsaKey.getPrimeExponentP()),
+new CK_ATTRIBUTE(CKA_EXPONENT_2,
+rsaKey.getPrimeExponentQ()),
+new CK_ATTRIBUTE(CKA_COEFFICIENT,
+rsaKey.getCrtCoefficient()) };
+attrs = token.getAttributes
+(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs);
+} else {
+if (debug != null) {
+debug.println("creating RSAPrivateKey attrs");
+}
+RSAPrivateKey rsaKey = key;
+attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_PKEY,
+ATTR_PRIVATE_TRUE,
+new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_RSA),
+new CK_ATTRIBUTE(CKA_ID, alias),
+new CK_ATTRIBUTE(CKA_MODULUS,
+rsaKey.getModulus()),
+new CK_ATTRIBUTE(CKA_PRIVATE_EXPONENT,
+rsaKey.getPrivateExponent()) };
+attrs = token.getAttributes
+(TemplateManager.O_IMPORT, CKO_PRIVATE_KEY, CKK_RSA, attrs);
+}
+return attrs;
+}
+/**
+* Compute the CKA_ID and/or CKA_NETSCAPE_DB attributes that should be
+* used for this private key. It uses the same algorithm to calculate the
+* values as NSS. The public and private keys MUST match for the result to
+* be correct.
+*
+* It returns a 2 element array with CKA_ID at index 0 and CKA_NETSCAPE_DB
+* at index 1. The boolean flags determine what is to be calculated.
+* If false or if we could not calculate the value, that element is null.
+*
+* NOTE that we currently do not use the CKA_ID value calculated by this
+* method.
+*/
+private CK_ATTRIBUTE[] getIdAttributes(PrivateKey privateKey,
+PublicKey publicKey, boolean id, boolean netscapeDb) {
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[2];
+if ((id || netscapeDb) == false) {
+return attrs;
+}
+String alg = privateKey.getAlgorithm();
+if (id && alg.equals("RSA") && (publicKey instanceof RSAPublicKey)) {
+// CKA_NETSCAPE_DB not needed for RSA public keys
+BigInteger n = ((RSAPublicKey)publicKey).getModulus();
+attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(n)));
+} else if (alg.equals("DSA") && (publicKey instanceof DSAPublicKey)) {
+BigInteger y = ((DSAPublicKey)publicKey).getY();
+if (id) {
+attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(y)));
+}
+if (netscapeDb) {
+attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, y);
+}
+} else if (alg.equals("DH") && (publicKey instanceof DHPublicKey)) {
+BigInteger y = ((DHPublicKey)publicKey).getY();
+if (id) {
+attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(y)));
+}
+if (netscapeDb) {
+attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, y);
+}
+} else if (alg.equals("EC") && (publicKey instanceof ECPublicKey)) {
+ECPublicKey ecPub = (ECPublicKey)publicKey;
+ECPoint point = ecPub.getW();
+ECParameterSpec params = ecPub.getParams();
+byte[] encodedPoint = ECUtil.encodePoint(point, params.getCurve());
+if (id) {
+attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(encodedPoint));
+}
+if (netscapeDb) {
+attrs[1] = new CK_ATTRIBUTE(CKA_NETSCAPE_DB, encodedPoint);
+}
+} else {
+throw new RuntimeException("Unknown key algorithm " + alg);
+}
+return attrs;
+}
+/**
+* return true if cert destroyed
+*/
+private boolean destroyCert(byte[] cka_id)
+throws PKCS11Exception, KeyStoreException {
+Session session = null;
+try {
+session = token.getOpSession();
+THandle h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null);
+if (h.type != ATTR_CLASS_CERT) {
+return false;
+}
+token.p11.C_DestroyObject(session.id(), h.handle);
+if (debug != null) {
+debug.println("destroyCert destroyed cert with CKA_ID [" +
+getID(cka_id) +
+"]");
+}
+return true;
+} finally {
+token.releaseSession(session);
+}
+}
+/**
+* return true if chain destroyed
+*/
+private boolean destroyChain(byte[] cka_id)
+throws PKCS11Exception, CertificateException, KeyStoreException {
+Session session = null;
+try {
+session = token.getOpSession();
+THandle h = getTokenObject(session, ATTR_CLASS_CERT, cka_id, null);
+if (h.type != ATTR_CLASS_CERT) {
+if (debug != null) {
+debug.println("destroyChain could not find " +
+"end entity cert with CKA_ID [0x" +
+Functions.toHexString(cka_id) +
+"]");
+}
+return false;
+}
+X509Certificate endCert = loadCert(session, h.handle);
+token.p11.C_DestroyObject(session.id(), h.handle);
+if (debug != null) {
+debug.println("destroyChain destroyed end entity cert " +
+"with CKA_ID [" +
+getID(cka_id) +
+"]");
+}
+// build chain following issuer->subject links
+X509Certificate next = endCert;
+while (true) {
+if (next.getSubjectX500Principal().equals
+(next.getIssuerX500Principal())) {
+// self signed - done
+break;
+}
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_CERT,
+new CK_ATTRIBUTE(CKA_SUBJECT,
+next.getIssuerX500Principal().getEncoded()) };
+long[] ch = findObjects(session, attrs);
+if (ch == null || ch.length == 0) {
+// done
+break;
+} else {
+// if more than one found, use first
+if (debug != null && ch.length > 1) {
+debug.println("destroyChain found " +
+ch.length +
+" certificate entries for subject [" +
+next.getIssuerX500Principal() +
+"] in token - using first entry");
+}
+next = loadCert(session, ch[0]);
+// only delete if not part of any other chain
+attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_CERT,
+new CK_ATTRIBUTE(CKA_ISSUER,
+next.getSubjectX500Principal().getEncoded()) };
+long[] issuers = findObjects(session, attrs);
+boolean destroyIt = false;
+if (issuers == null || issuers.length == 0) {
+// no other certs with this issuer -
+// destroy it
+destroyIt = true;
+} else if (issuers.length == 1) {
+X509Certificate iCert = loadCert(session, issuers[0]);
+if (next.equals(iCert)) {
+// only cert with issuer is itself (self-signed) -
+// destroy it
+destroyIt = true;
+}
+}
+if (destroyIt) {
+token.p11.C_DestroyObject(session.id(), ch[0]);
+if (debug != null) {
+debug.println
+("destroyChain destroyed cert in chain " +
+"with subject [" +
+next.getSubjectX500Principal() + "]");
+}
+} else {
+if (debug != null) {
+debug.println("destroyChain did not destroy " +
+"shared cert in chain with subject [" +
+next.getSubjectX500Principal() + "]");
+}
+}
+}
+}
+return true;
+} finally {
+token.releaseSession(session);
+}
+}
+/**
+* return true if secret key destroyed
+*/
+private boolean destroySkey(String alias)
+throws PKCS11Exception, KeyStoreException {
+Session session = null;
+try {
+session = token.getOpSession();
+THandle h = getTokenObject(session, ATTR_CLASS_SKEY, null, alias);
+if (h.type != ATTR_CLASS_SKEY) {
+if (debug != null) {
+debug.println("destroySkey did not find secret key " +
+"with CKA_LABEL [" +
+alias +
+"]");
+}
+return false;
+}
+token.p11.C_DestroyObject(session.id(), h.handle);
+return true;
+} finally {
+token.releaseSession(session);
+}
+}
+/**
+* return true if private key destroyed
+*/
+private boolean destroyPkey(byte[] cka_id)
+throws PKCS11Exception, KeyStoreException {
+Session session = null;
+try {
+session = token.getOpSession();
+THandle h = getTokenObject(session, ATTR_CLASS_PKEY, cka_id, null);
+if (h.type != ATTR_CLASS_PKEY) {
+if (debug != null) {
+debug.println
+("destroyPkey did not find private key with CKA_ID [" +
+getID(cka_id) +
+"]");
+}
+return false;
+}
+token.p11.C_DestroyObject(session.id(), h.handle);
+return true;
+} finally {
+token.releaseSession(session);
+}
+}
+/**
+* build [alias + issuer + serialNumber] string from a cert
+*/
+private String getID(String alias, X509Certificate cert) {
+X500Principal issuer = cert.getIssuerX500Principal();
+BigInteger serialNum = cert.getSerialNumber();
+return alias +
+ALIAS_SEP +
+issuer.getName(X500Principal.CANONICAL) +
+ALIAS_SEP +
+serialNum.toString();
+}
+/**
+* build CKA_ID string from bytes
+*/
+private static String getID(byte[] bytes) {
+boolean printable = true;
+for (int i = 0; i < bytes.length; i++) {
+if (!DerValue.isPrintableStringChar((char)bytes[i])) {
+printable = false;
+break;
+}
+}
+if (!printable) {
+return "0x" + Functions.toHexString(bytes);
+} else {
+try {
+return new String(bytes, "UTF-8");
+} catch (UnsupportedEncodingException uee) {
+return "0x" + Functions.toHexString(bytes);
+}
+}
+}
+/**
+* find an object on the token
+*
+* @param type either ATTR_CLASS_CERT, ATTR_CLASS_PKEY, or ATTR_CLASS_SKEY
+* @param cka_id the CKA_ID if type is ATTR_CLASS_CERT or ATTR_CLASS_PKEY
+* @param cka_label the CKA_LABEL if type is ATTR_CLASS_SKEY
+*/
+private THandle getTokenObject(Session session,
+CK_ATTRIBUTE type,
+byte[] cka_id,
+String cka_label)
+throws PKCS11Exception, KeyStoreException {
+CK_ATTRIBUTE[] attrs;
+if (type == ATTR_CLASS_SKEY) {
+attrs = new CK_ATTRIBUTE[] {
+ATTR_SKEY_TOKEN_TRUE,
+new CK_ATTRIBUTE(CKA_LABEL, cka_label),
+type };
+} else {
+attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+new CK_ATTRIBUTE(CKA_ID, cka_id),
+type };
+}
+long[] h = findObjects(session, attrs);
+if (h.length == 0) {
+if (debug != null) {
+if (type == ATTR_CLASS_SKEY) {
+debug.println("getTokenObject did not find secret key " +
+"with CKA_LABEL [" +
+cka_label +
+"]");
+} else if (type == ATTR_CLASS_CERT) {
+debug.println
+("getTokenObject did not find cert with CKA_ID [" +
+getID(cka_id) +
+"]");
+} else {
+debug.println("getTokenObject did not find private key " +
+"with CKA_ID [" +
+getID(cka_id) +
+"]");
+}
+}
+} else if (h.length == 1) {
+// found object handle - return it
+return new THandle(h[0], type);
+} else {
+// found multiple object handles -
+// see if token ignored CKA_LABEL during search (e.g. NSS)
+if (type == ATTR_CLASS_SKEY) {
+ArrayList<THandle> list = new ArrayList<THandle>(h.length);
+for (int i = 0; i < h.length; i++) {
+CK_ATTRIBUTE[] label = new CK_ATTRIBUTE[]
+{ new CK_ATTRIBUTE(CKA_LABEL) };
+token.p11.C_GetAttributeValue(session.id(), h[i], label);
+if (label[0].pValue != null &&
+cka_label.equals(new String(label[0].getCharArray()))) {
+list.add(new THandle(h[i], ATTR_CLASS_SKEY));
+}
+}
+if (list.size() == 1) {
+// yes, there was only one CKA_LABEL that matched
+return list.get(0);
+} else {
+throw new KeyStoreException("invalid KeyStore state: " +
+"found " +
+list.size() +
+" secret keys sharing CKA_LABEL [" +
+cka_label +
+"]");
+}
+} else if (type == ATTR_CLASS_CERT) {
+throw new KeyStoreException("invalid KeyStore state: " +
+"found " +
+h.length +
+" certificates sharing CKA_ID " +
+getID(cka_id));
+} else {
+throw new KeyStoreException("invalid KeyStore state: " +
+"found " +
+h.length +
+" private keys sharing CKA_ID " +
+getID(cka_id));
+}
+}
+return new THandle(NO_HANDLE, null);
+}
+/**
+* Create a mapping of all key pairs, trusted certs, and secret keys
+* on the token into logical KeyStore entries unambiguously
+* accessible via an alias.
+*
+* If the token is removed, the map may contain stale values.
+* KeyStore.load should be called to re-create the map.
+*
+* Assume all private keys and matching certs share a unique CKA_ID.
+*
+* Assume all secret keys have a unique CKA_LABEL.
+*
+* @return true if multiple certs found sharing the same CKA_LABEL
+*          (if so, write capabilities are disabled)
+*/
+private boolean mapLabels() throws
+PKCS11Exception, CertificateException, KeyStoreException {
+CK_ATTRIBUTE[] trustedAttr = new CK_ATTRIBUTE[] {
+new CK_ATTRIBUTE(CKA_TRUSTED) };
+Session session = null;
+try {
+session = token.getOpSession();
+// get all private key CKA_IDs
+ArrayList<byte[]> pkeyIDs = new ArrayList<byte[]>();
+CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_PKEY,
+};
+long[] handles = findObjects(session, attrs);
+for (long handle : handles) {
+attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID) };
+token.p11.C_GetAttributeValue(session.id(), handle, attrs);
+if (attrs[0].pValue != null) {
+pkeyIDs.add(attrs[0].getByteArray());
+}
+}
+// Get all certificates
+//
+// If cert does not have a CKA_LABEL nor CKA_ID, it is ignored.
+//
+// Get the CKA_LABEL for each cert
+// (if the cert does not have a CKA_LABEL, use the CKA_ID).
+//
+// Map each cert to the its CKA_LABEL
+// (multiple certs may be mapped to a single CKA_LABEL)
+HashMap<String, HashSet<AliasInfo>> certMap =
+new HashMap<String, HashSet<AliasInfo>>();
+attrs = new CK_ATTRIBUTE[] {
+ATTR_TOKEN_TRUE,
+ATTR_CLASS_CERT,
+};
+handles = findObjects(session, attrs);
+for (long handle : handles) {
+attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) };
+String cka_label = null;
+byte[] cka_id = null;
+try {
+token.p11.C_GetAttributeValue(session.id(), handle, attrs);
+if (attrs[0].pValue != null) {
+// there is a CKA_LABEL
+cka_label = new String(attrs[0].getCharArray());
+}
+} catch (PKCS11Exception pe) {
+if (pe.getErrorCode() != CKR_ATTRIBUTE_TYPE_INVALID) {
+throw pe;
+}
+// GetAttributeValue for CKA_LABEL not supported
+//
+// XXX SCA1000
+}
+// get CKA_ID
+attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID) };
+token.p11.C_GetAttributeValue(session.id(), handle, attrs);
+if (attrs[0].pValue == null) {
+if (cka_label == null) {
+// no cka_label nor cka_id - ignore
+continue;
+}
+} else {
+if (cka_label == null) {
+// use CKA_ID as CKA_LABEL
+cka_label = getID(attrs[0].getByteArray());
+}
+cka_id = attrs[0].getByteArray();
+}
+X509Certificate cert = loadCert(session, handle);
+// get CKA_TRUSTED
+boolean cka_trusted = false;
+if (useSecmodTrust) {
+cka_trusted = Secmod.getInstance().isTrusted(cert, nssTrustType);
+} else {
+if (CKA_TRUSTED_SUPPORTED) {
+try {
+token.p11.C_GetAttributeValue
+(session.id(), handle, trustedAttr);
+cka_trusted = trustedAttr[0].getBoolean();
+} catch (PKCS11Exception pe) {
+if (pe.getErrorCode() == CKR_ATTRIBUTE_TYPE_INVALID) {
+// XXX  NSS, ibutton, sca1000
+CKA_TRUSTED_SUPPORTED = false;
+if (debug != null) {
+debug.println
+("CKA_TRUSTED attribute not supported");
+}
+}
+}
+}
+}
+HashSet<AliasInfo> infoSet = certMap.get(cka_label);
+if (infoSet == null) {
+infoSet = new HashSet<AliasInfo>(2);
+certMap.put(cka_label, infoSet);
+}
+// initially create private key entry AliasInfo entries -
+// these entries will get resolved into their true
+// entry types later
+infoSet.add(new AliasInfo
+(cka_label,
+cka_id,
+cka_trusted,
+cert));
+}
+// create list secret key CKA_LABELS -
+// if there are duplicates (either between secret keys,
+// or between a secret key and another object),
+// throw an exception
+HashMap<String, AliasInfo> sKeyMap =
+new HashMap<String, AliasInfo>();
+attrs = new CK_ATTRIBUTE[] {
+ATTR_SKEY_TOKEN_TRUE,
+ATTR_CLASS_SKEY,
+};
+handles = findObjects(session, attrs);
+for (long handle : handles) {
+attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) };
+token.p11.C_GetAttributeValue(session.id(), handle, attrs);
+if (attrs[0].pValue != null) {
+// there is a CKA_LABEL
+String cka_label = new String(attrs[0].getCharArray());
+if (sKeyMap.get(cka_label) == null) {
+sKeyMap.put(cka_label, new AliasInfo(cka_label));
+} else {
+throw new KeyStoreException("invalid KeyStore state: " +
+"found multiple secret keys sharing same " +
+"CKA_LABEL [" +
+cka_label +
+"]");
+}
+}
+}
+// update global aliasMap with alias mappings
+ArrayList<AliasInfo> matchedCerts =
+mapPrivateKeys(pkeyIDs, certMap);
+boolean sharedLabel = mapCerts(matchedCerts, certMap);
+mapSecretKeys(sKeyMap);
+return sharedLabel;
+} finally {
+token.releaseSession(session);
+}
+}
+/**
+* for each private key CKA_ID, find corresponding cert with same CKA_ID.
+* if found cert, see if cert CKA_LABEL is unique.
+*     if CKA_LABEL unique, map private key/cert alias to that CKA_LABEL.
+*     if CKA_LABEL not unique, map private key/cert alias to:
+*                   CKA_LABEL + ALIAS_SEP + ISSUER + ALIAS_SEP + SERIAL
+* if cert not found, ignore private key
+* (don't support private key entries without a cert chain yet)
+*
+* @return a list of AliasInfo entries that represents all matches
+*/
+private ArrayList<AliasInfo> mapPrivateKeys(ArrayList<byte[]> pkeyIDs,
+HashMap<String, HashSet<AliasInfo>> certMap)
+throws PKCS11Exception, CertificateException {
+// reset global alias map
+aliasMap = new HashMap<String, AliasInfo>();
+// list of matched certs that we will return
+ArrayList<AliasInfo> matchedCerts = new ArrayList<AliasInfo>();
+for (byte[] pkeyID : pkeyIDs) {
+// try to find a matching CKA_ID in a certificate
+boolean foundMatch = false;
+Set<String> certLabels = certMap.keySet();
+for (String certLabel : certLabels) {
+// get cert CKA_IDs (if present) for each cert
+HashSet<AliasInfo> infoSet = certMap.get(certLabel);
+for (AliasInfo aliasInfo : infoSet) {
+if (Arrays.equals(pkeyID, aliasInfo.id)) {
+// found private key with matching cert
+if (infoSet.size() == 1) {
+// unique CKA_LABEL - use certLabel as alias
+aliasInfo.matched = true;
+aliasMap.put(certLabel, aliasInfo);
+} else {
+// create new alias
+aliasInfo.matched = true;
+aliasMap.put(getID(certLabel, aliasInfo.cert),
+aliasInfo);
+}
+matchedCerts.add(aliasInfo);
+foundMatch = true;
+break;
+}
+}
+if (foundMatch) {
+break;
+}
+}
+if (!foundMatch) {
+if (debug != null) {
+debug.println
+("did not find match for private key with CKA_ID [" +
+getID(pkeyID) +
+"] (ignoring entry)");
+}
+}
+}
+return matchedCerts;
+}
+/**
+* for each cert not matched with a private key but is CKA_TRUSTED:
+*     if CKA_LABEL unique, map cert to CKA_LABEL.
+*     if CKA_LABEL not unique, map cert to [label+issuer+serialNum]
+*
+* if CKA_TRUSTED not supported, treat all certs not part of a chain
+* as trusted
+*
+* @return true if multiple certs found sharing the same CKA_LABEL
+*/
+private boolean mapCerts(ArrayList<AliasInfo> matchedCerts,
+HashMap<String, HashSet<AliasInfo>> certMap)
+throws PKCS11Exception, CertificateException {
+// load all cert chains
+for (AliasInfo aliasInfo : matchedCerts) {
+Session session = null;
+try {
+session = token.getOpSession();
+aliasInfo.chain = loadChain(session, aliasInfo.cert);
+} finally {
+token.releaseSession(session);
+}
+}
+// find all certs in certMap not part of a cert chain
+// - these are trusted
+boolean sharedLabel = false;
+Set<String> certLabels = certMap.keySet();
+for (String certLabel : certLabels) {
+HashSet<AliasInfo> infoSet = certMap.get(certLabel);
+for (AliasInfo aliasInfo : infoSet) {
+if (aliasInfo.matched == true) {
+// already found a private key match for this cert -
+// just continue
+aliasInfo.trusted = false;
+continue;
+}
+// cert in this aliasInfo is not matched yet
+//
+// if CKA_TRUSTED_SUPPORTED == true,
+// then check if cert is trusted
+if (CKA_TRUSTED_SUPPORTED) {
+if (aliasInfo.trusted) {
+// trusted certificate
+if (mapTrustedCert
+(certLabel, aliasInfo, infoSet) == true) {
+sharedLabel = true;
+}
+}
+continue;
+}
+// CKA_TRUSTED_SUPPORTED == false
+//
+// XXX treat all certs not part of a chain as trusted
+// XXX
+// XXX Unsupported
+//
+// boolean partOfChain = false;
+// for (AliasInfo matchedInfo : matchedCerts) {
+//     for (int i = 0; i < matchedInfo.chain.length; i++) {
+//      if (matchedInfo.chain[i].equals(aliasInfo.cert)) {
+//          partOfChain = true;
+//          break;
+//      }
+//     }
+//     if (partOfChain) {
+//      break;
+//     }
+// }
+//
+// if (!partOfChain) {
+//     if (mapTrustedCert(certLabel,aliasInfo,infoSet) == true){
+//      sharedLabel = true;
+//     }
+// } else {
+//    if (debug != null) {
+//      debug.println("ignoring unmatched/untrusted cert " +
+//          "that is part of cert chain - cert subject is [" +
+//          aliasInfo.cert.getSubjectX500Principal().getName
+//                              (X500Principal.CANONICAL) +
+//          "]");
+//     }
+// }
+}
+}
+return sharedLabel;
+}
+private boolean mapTrustedCert(String certLabel,
+AliasInfo aliasInfo,
+HashSet<AliasInfo> infoSet) {
+boolean sharedLabel = false;
+aliasInfo.type = ATTR_CLASS_CERT;
+aliasInfo.trusted = true;
+if (infoSet.size() == 1) {
+// unique CKA_LABEL - use certLabel as alias
+aliasMap.put(certLabel, aliasInfo);
+} else {
+// create new alias
+sharedLabel = true;
+aliasMap.put(getID(certLabel, aliasInfo.cert), aliasInfo);
+}
+return sharedLabel;
+}
+/**
+* If the secret key shares a CKA_LABEL with another entry,
+* throw an exception
+*/
+private void mapSecretKeys(HashMap<String, AliasInfo> sKeyMap)
+throws KeyStoreException {
+for (String label : sKeyMap.keySet()) {
+if (aliasMap.containsKey(label)) {
+throw new KeyStoreException("invalid KeyStore state: " +
+"found secret key sharing CKA_LABEL [" +
+label +
+"] with another token object");
+}
+}
+aliasMap.putAll(sKeyMap);
+}
+private void dumpTokenMap() {
+Set<String> aliases = aliasMap.keySet();
+System.out.println("Token Alias Map:");
+if (aliases.isEmpty()) {
+System.out.println("  [empty]");
+} else {
+for (String s : aliases) {
+System.out.println("  " + s + aliasMap.get(s));
+}
+}
+}
+private void checkWrite() throws KeyStoreException {
+if (writeDisabled) {
+throw new KeyStoreException
+("This PKCS11KeyStore does not support write capabilities");
+}
+}
+private final static long[] LONG0 = new long[0];
+private static long[] findObjects(Session session, CK_ATTRIBUTE[] attrs)
+throws PKCS11Exception {
+Token token = session.token;
+long[] handles = LONG0;
+token.p11.C_FindObjectsInit(session.id(), attrs);
+while (true) {
+long[] h = token.p11.C_FindObjects(session.id(), FINDOBJECTS_MAX);
+if (h.length == 0) {
+break;
+}
+handles = P11Util.concat(handles, h);
+}
+token.p11.C_FindObjectsFinal(session.id());
+return handles;
+}
+}

changeset 42693	6645de32a866
parent 32634	614f8e5859aa