--- a/jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/P11KeyGenerator.java Wed Dec 14 19:46:21 2016 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,284 +0,0 @@
-/*
- * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.pkcs11;
-
-import java.security.*;
-import java.security.spec.AlgorithmParameterSpec;
-
-import javax.crypto.*;
-
-import static sun.security.pkcs11.TemplateManager.*;
-import sun.security.pkcs11.wrapper.*;
-import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-
-/**
- * KeyGenerator implementation class. This class currently supports
- * DES, DESede, AES, ARCFOUR, and Blowfish.
- *
- * @author Andreas Sterbenz
- * @since 1.5
- */
-final class P11KeyGenerator extends KeyGeneratorSpi {
-
- // token instance
- private final Token token;
-
- // algorithm name
- private final String algorithm;
-
- // mechanism id
- private long mechanism;
-
- // raw key size in bits, e.g. 64 for DES. Always valid.
- private int keySize;
-
- // bits of entropy in the key, e.g. 56 for DES. Always valid.
- private int significantKeySize;
-
- // keyType (CKK_*), needed for TemplateManager call only.
- private long keyType;
-
- // for determining if both 112 and 168 bits of DESede key lengths
- // are supported.
- private boolean supportBothKeySizes;
-
- /**
- * Utility method for checking if the specified key size is valid
- * and within the supported range. Return the significant key size
- * upon successful validation.
- * @param keyGenMech the PKCS#11 key generation mechanism.
- * @param keySize the to-be-checked key size for this mechanism.
- * @param token token which provides this mechanism.
- * @return the significant key size (in bits) corresponding to the
- * specified key size.
- * @throws InvalidParameterException if the specified key size is invalid.
- * @throws ProviderException if this mechanism isn't supported by SunPKCS11
- * or underlying native impl.
- */
- static int checkKeySize(long keyGenMech, int keySize, Token token)
- throws InvalidAlgorithmParameterException, ProviderException {
- int sigKeySize;
- switch ((int)keyGenMech) {
- case (int)CKM_DES_KEY_GEN:
- if ((keySize != 64) && (keySize != 56)) {
- throw new InvalidAlgorithmParameterException
- ("DES key length must be 56 bits");
- }
- sigKeySize = 56;
- break;
- case (int)CKM_DES2_KEY_GEN:
- case (int)CKM_DES3_KEY_GEN:
- if ((keySize == 112) || (keySize == 128)) {
- sigKeySize = 112;
- } else if ((keySize == 168) || (keySize == 192)) {
- sigKeySize = 168;
- } else {
- throw new InvalidAlgorithmParameterException
- ("DESede key length must be 112, or 168 bits");
- }
- break;
- default:
- // Handle all variable-key-length algorithms here
- CK_MECHANISM_INFO info = null;
- try {
- info = token.getMechanismInfo(keyGenMech);
- } catch (PKCS11Exception p11e) {
- // Should never happen
- throw new ProviderException
- ("Cannot retrieve mechanism info", p11e);
- }
- if (info == null) {
- // XXX Unable to retrieve the supported key length from
- // the underlying native impl. Skip the checking for now.
- return keySize;
- }
- // PKCS#11 defines these to be in number of bytes except for
- // RC4 which is in bits. However, some PKCS#11 impls still use
- // bytes for all mechs, e.g. NSS. We try to detect this
- // inconsistency if the minKeySize seems unreasonably small.
- int minKeySize = (int)info.ulMinKeySize;
- int maxKeySize = (int)info.ulMaxKeySize;
- if (keyGenMech != CKM_RC4_KEY_GEN || minKeySize < 8) {
- minKeySize = (int)info.ulMinKeySize << 3;
- maxKeySize = (int)info.ulMaxKeySize << 3;
- }
- // Explicitly disallow keys shorter than 40-bits for security
- if (minKeySize < 40) minKeySize = 40;
- if (keySize < minKeySize || keySize > maxKeySize) {
- throw new InvalidAlgorithmParameterException
- ("Key length must be between " + minKeySize +
- " and " + maxKeySize + " bits");
- }
- if (keyGenMech == CKM_AES_KEY_GEN) {
- if ((keySize != 128) && (keySize != 192) &&
- (keySize != 256)) {
- throw new InvalidAlgorithmParameterException
- ("AES key length must be " + minKeySize +
- (maxKeySize >= 192? ", 192":"") +
- (maxKeySize >= 256? ", or 256":"") + " bits");
- }
- }
- sigKeySize = keySize;
- }
- return sigKeySize;
- }
-
- P11KeyGenerator(Token token, String algorithm, long mechanism)
- throws PKCS11Exception {
- super();
- this.token = token;
- this.algorithm = algorithm;
- this.mechanism = mechanism;
-
- if (this.mechanism == CKM_DES3_KEY_GEN) {
- /* Given the current lookup order specified in SunPKCS11.java,
- if CKM_DES2_KEY_GEN is used to construct this object, it
- means that CKM_DES3_KEY_GEN is disabled or unsupported.
- */
- supportBothKeySizes =
- (token.provider.config.isEnabled(CKM_DES2_KEY_GEN) &&
- (token.getMechanismInfo(CKM_DES2_KEY_GEN) != null));
- }
- setDefaultKeySize();
- }
-
- // set default keysize and also initialize keyType
- private void setDefaultKeySize() {
- switch ((int)mechanism) {
- case (int)CKM_DES_KEY_GEN:
- keySize = 64;
- keyType = CKK_DES;
- break;
- case (int)CKM_DES2_KEY_GEN:
- keySize = 128;
- keyType = CKK_DES2;
- break;
- case (int)CKM_DES3_KEY_GEN:
- keySize = 192;
- keyType = CKK_DES3;
- break;
- case (int)CKM_AES_KEY_GEN:
- keySize = 128;
- keyType = CKK_AES;
- break;
- case (int)CKM_RC4_KEY_GEN:
- keySize = 128;
- keyType = CKK_RC4;
- break;
- case (int)CKM_BLOWFISH_KEY_GEN:
- keySize = 128;
- keyType = CKK_BLOWFISH;
- break;
- default:
- throw new ProviderException("Unknown mechanism " + mechanism);
- }
- try {
- significantKeySize = checkKeySize(mechanism, keySize, token);
- } catch (InvalidAlgorithmParameterException iape) {
- throw new ProviderException("Unsupported default key size", iape);
- }
- }
-
- // see JCE spec
- protected void engineInit(SecureRandom random) {
- token.ensureValid();
- setDefaultKeySize();
- }
-
- // see JCE spec
- protected void engineInit(AlgorithmParameterSpec params,
- SecureRandom random) throws InvalidAlgorithmParameterException {
- throw new InvalidAlgorithmParameterException
- ("AlgorithmParameterSpec not supported");
- }
-
- // see JCE spec
- protected void engineInit(int keySize, SecureRandom random) {
- token.ensureValid();
- int newSignificantKeySize;
- try {
- newSignificantKeySize = checkKeySize(mechanism, keySize, token);
- } catch (InvalidAlgorithmParameterException iape) {
- throw (InvalidParameterException)
- (new InvalidParameterException().initCause(iape));
- }
- if ((mechanism == CKM_DES2_KEY_GEN) ||
- (mechanism == CKM_DES3_KEY_GEN)) {
- long newMechanism = (newSignificantKeySize == 112 ?
- CKM_DES2_KEY_GEN : CKM_DES3_KEY_GEN);
- if (mechanism != newMechanism) {
- if (supportBothKeySizes) {
- mechanism = newMechanism;
- // Adjust keyType to reflect the mechanism change
- keyType = (mechanism == CKM_DES2_KEY_GEN ?
- CKK_DES2 : CKK_DES3);
- } else {
- throw new InvalidParameterException
- ("Only " + significantKeySize +
- "-bit DESede is supported");
- }
- }
- }
- this.keySize = keySize;
- this.significantKeySize = newSignificantKeySize;
- }
-
- // see JCE spec
- protected SecretKey engineGenerateKey() {
- Session session = null;
- try {
- session = token.getObjSession();
- CK_ATTRIBUTE[] attributes;
- switch ((int)keyType) {
- case (int)CKK_DES:
- case (int)CKK_DES2:
- case (int)CKK_DES3:
- // fixed length, do not specify CKA_VALUE_LEN
- attributes = new CK_ATTRIBUTE[] {
- new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
- };
- break;
- default:
- attributes = new CK_ATTRIBUTE[] {
- new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
- new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3),
- };
- break;
- }
- attributes = token.getAttributes
- (O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
- long keyID = token.p11.C_GenerateKey
- (session.id(), new CK_MECHANISM(mechanism), attributes);
- return P11Key.secretKey
- (session, keyID, algorithm, significantKeySize, attributes);
- } catch (PKCS11Exception e) {
- throw new ProviderException("Could not generate key", e);
- } finally {
- token.releaseSession(session);
- }
- }
-
-}