--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Wed Dec 14 10:51:13 2016 -0800
@@ -0,0 +1,333 @@
+/*
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.io.IOException;
+import java.math.BigInteger;
+
+import java.security.*;
+import java.security.interfaces.*;
+import java.security.spec.*;
+
+import static sun.security.pkcs11.TemplateManager.*;
+import sun.security.pkcs11.wrapper.*;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+import sun.security.util.DerValue;
+import sun.security.util.ECUtil;
+
+/**
+ * EC KeyFactory implementation.
+ *
+ * @author Andreas Sterbenz
+ * @since 1.6
+ */
+final class P11ECKeyFactory extends P11KeyFactory {
+ private static Provider sunECprovider;
+
+ private static Provider getSunECProvider() {
+ if (sunECprovider == null) {
+ sunECprovider = Security.getProvider("SunEC");
+ if (sunECprovider == null) {
+ throw new RuntimeException("Cannot load SunEC provider");
+ }
+ }
+
+ return sunECprovider;
+ }
+
+ P11ECKeyFactory(Token token, String algorithm) {
+ super(token, algorithm);
+ }
+
+ static ECParameterSpec getECParameterSpec(String name) {
+ return ECUtil.getECParameterSpec(getSunECProvider(), name);
+ }
+
+ static ECParameterSpec getECParameterSpec(int keySize) {
+ return ECUtil.getECParameterSpec(getSunECProvider(), keySize);
+ }
+
+ // Check that spec is a known supported curve and convert it to our
+ // ECParameterSpec subclass. If not possible, return null.
+ static ECParameterSpec getECParameterSpec(ECParameterSpec spec) {
+ return ECUtil.getECParameterSpec(getSunECProvider(), spec);
+ }
+
+ static ECParameterSpec decodeParameters(byte[] params) throws IOException {
+ return ECUtil.getECParameterSpec(getSunECProvider(), params);
+ }
+
+ static byte[] encodeParameters(ECParameterSpec params) {
+ return ECUtil.encodeECParameterSpec(getSunECProvider(), params);
+ }
+
+ static ECPoint decodePoint(byte[] encoded, EllipticCurve curve) throws IOException {
+ return ECUtil.decodePoint(encoded, curve);
+ }
+
+ // Used by ECDH KeyAgreement
+ static byte[] getEncodedPublicValue(PublicKey key) throws InvalidKeyException {
+ if (key instanceof ECPublicKey) {
+ ECPublicKey ecKey = (ECPublicKey)key;
+ ECPoint w = ecKey.getW();
+ ECParameterSpec params = ecKey.getParams();
+ return ECUtil.encodePoint(w, params.getCurve());
+ } else {
+ // should never occur
+ throw new InvalidKeyException
+ ("Key class not yet supported: " + key.getClass().getName());
+ }
+ }
+
+ PublicKey implTranslatePublicKey(PublicKey key) throws InvalidKeyException {
+ try {
+ if (key instanceof ECPublicKey) {
+ ECPublicKey ecKey = (ECPublicKey)key;
+ return generatePublic(
+ ecKey.getW(),
+ ecKey.getParams()
+ );
+ } else if ("X.509".equals(key.getFormat())) {
+ // let Sun provider parse for us, then recurse
+ byte[] encoded = key.getEncoded();
+
+ try {
+ key = ECUtil.decodeX509ECPublicKey(encoded);
+ } catch (InvalidKeySpecException ikse) {
+ throw new InvalidKeyException(ikse);
+ }
+
+ return implTranslatePublicKey(key);
+ } else {
+ throw new InvalidKeyException("PublicKey must be instance "
+ + "of ECPublicKey or have X.509 encoding");
+ }
+ } catch (PKCS11Exception e) {
+ throw new InvalidKeyException("Could not create EC public key", e);
+ }
+ }
+
+ PrivateKey implTranslatePrivateKey(PrivateKey key)
+ throws InvalidKeyException {
+ try {
+ if (key instanceof ECPrivateKey) {
+ ECPrivateKey ecKey = (ECPrivateKey)key;
+ return generatePrivate(
+ ecKey.getS(),
+ ecKey.getParams()
+ );
+ } else if ("PKCS#8".equals(key.getFormat())) {
+ // let Sun provider parse for us, then recurse
+ byte[] encoded = key.getEncoded();
+
+ try {
+ key = ECUtil.decodePKCS8ECPrivateKey(encoded);
+ } catch (InvalidKeySpecException ikse) {
+ throw new InvalidKeyException(ikse);
+ }
+
+ return implTranslatePrivateKey(key);
+ } else {
+ throw new InvalidKeyException("PrivateKey must be instance "
+ + "of ECPrivateKey or have PKCS#8 encoding");
+ }
+ } catch (PKCS11Exception e) {
+ throw new InvalidKeyException("Could not create EC private key", e);
+ }
+ }
+
+ // see JCA spec
+ protected PublicKey engineGeneratePublic(KeySpec keySpec)
+ throws InvalidKeySpecException {
+ token.ensureValid();
+ if (keySpec instanceof X509EncodedKeySpec) {
+ try {
+ byte[] encoded = ((X509EncodedKeySpec)keySpec).getEncoded();
+ PublicKey key = ECUtil.decodeX509ECPublicKey(encoded);
+ return implTranslatePublicKey(key);
+ } catch (InvalidKeyException e) {
+ throw new InvalidKeySpecException
+ ("Could not create EC public key", e);
+ }
+ }
+ if (keySpec instanceof ECPublicKeySpec == false) {
+ throw new InvalidKeySpecException("Only ECPublicKeySpec and "
+ + "X509EncodedKeySpec supported for EC public keys");
+ }
+ try {
+ ECPublicKeySpec ec = (ECPublicKeySpec)keySpec;
+ return generatePublic(
+ ec.getW(),
+ ec.getParams()
+ );
+ } catch (PKCS11Exception e) {
+ throw new InvalidKeySpecException
+ ("Could not create EC public key", e);
+ }
+ }
+
+ // see JCA spec
+ protected PrivateKey engineGeneratePrivate(KeySpec keySpec)
+ throws InvalidKeySpecException {
+ token.ensureValid();
+ if (keySpec instanceof PKCS8EncodedKeySpec) {
+ try {
+ byte[] encoded = ((PKCS8EncodedKeySpec)keySpec).getEncoded();
+ PrivateKey key = ECUtil.decodePKCS8ECPrivateKey(encoded);
+ return implTranslatePrivateKey(key);
+ } catch (GeneralSecurityException e) {
+ throw new InvalidKeySpecException
+ ("Could not create EC private key", e);
+ }
+ }
+ if (keySpec instanceof ECPrivateKeySpec == false) {
+ throw new InvalidKeySpecException("Only ECPrivateKeySpec and "
+ + "PKCS8EncodedKeySpec supported for EC private keys");
+ }
+ try {
+ ECPrivateKeySpec ec = (ECPrivateKeySpec)keySpec;
+ return generatePrivate(
+ ec.getS(),
+ ec.getParams()
+ );
+ } catch (PKCS11Exception e) {
+ throw new InvalidKeySpecException
+ ("Could not create EC private key", e);
+ }
+ }
+
+ private PublicKey generatePublic(ECPoint point, ECParameterSpec params)
+ throws PKCS11Exception {
+ byte[] encodedParams =
+ ECUtil.encodeECParameterSpec(getSunECProvider(), params);
+ byte[] encodedPoint =
+ ECUtil.encodePoint(point, params.getCurve());
+
+ // Check whether the X9.63 encoding of an EC point shall be wrapped
+ // in an ASN.1 OCTET STRING
+ if (!token.config.getUseEcX963Encoding()) {
+ try {
+ encodedPoint =
+ new DerValue(DerValue.tag_OctetString, encodedPoint)
+ .toByteArray();
+ } catch (IOException e) {
+ throw new
+ IllegalArgumentException("Could not DER encode point", e);
+ }
+ }
+
+ CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY),
+ new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC),
+ new CK_ATTRIBUTE(CKA_EC_POINT, encodedPoint),
+ new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams),
+ };
+ attributes = token.getAttributes
+ (O_IMPORT, CKO_PUBLIC_KEY, CKK_EC, attributes);
+ Session session = null;
+ try {
+ session = token.getObjSession();
+ long keyID = token.p11.C_CreateObject(session.id(), attributes);
+ return P11Key.publicKey
+ (session, keyID, "EC", params.getCurve().getField().getFieldSize(), attributes);
+ } finally {
+ token.releaseSession(session);
+ }
+ }
+
+ private PrivateKey generatePrivate(BigInteger s, ECParameterSpec params)
+ throws PKCS11Exception {
+ byte[] encodedParams =
+ ECUtil.encodeECParameterSpec(getSunECProvider(), params);
+ CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY),
+ new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC),
+ new CK_ATTRIBUTE(CKA_VALUE, s),
+ new CK_ATTRIBUTE(CKA_EC_PARAMS, encodedParams),
+ };
+ attributes = token.getAttributes
+ (O_IMPORT, CKO_PRIVATE_KEY, CKK_EC, attributes);
+ Session session = null;
+ try {
+ session = token.getObjSession();
+ long keyID = token.p11.C_CreateObject(session.id(), attributes);
+ return P11Key.privateKey
+ (session, keyID, "EC", params.getCurve().getField().getFieldSize(), attributes);
+ } finally {
+ token.releaseSession(session);
+ }
+ }
+
+ <T extends KeySpec> T implGetPublicKeySpec(P11Key key, Class<T> keySpec,
+ Session[] session) throws PKCS11Exception, InvalidKeySpecException {
+ if (ECPublicKeySpec.class.isAssignableFrom(keySpec)) {
+ session[0] = token.getObjSession();
+ CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_EC_POINT),
+ new CK_ATTRIBUTE(CKA_EC_PARAMS),
+ };
+ token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes);
+ try {
+ ECParameterSpec params = decodeParameters(attributes[1].getByteArray());
+ ECPoint point = decodePoint(attributes[0].getByteArray(), params.getCurve());
+ return keySpec.cast(new ECPublicKeySpec(point, params));
+ } catch (IOException e) {
+ throw new InvalidKeySpecException("Could not parse key", e);
+ }
+ } else { // X.509 handled in superclass
+ throw new InvalidKeySpecException("Only ECPublicKeySpec and "
+ + "X509EncodedKeySpec supported for EC public keys");
+ }
+ }
+
+ <T extends KeySpec> T implGetPrivateKeySpec(P11Key key, Class<T> keySpec,
+ Session[] session) throws PKCS11Exception, InvalidKeySpecException {
+ if (ECPrivateKeySpec.class.isAssignableFrom(keySpec)) {
+ session[0] = token.getObjSession();
+ CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_VALUE),
+ new CK_ATTRIBUTE(CKA_EC_PARAMS),
+ };
+ token.p11.C_GetAttributeValue(session[0].id(), key.keyID, attributes);
+ try {
+ ECParameterSpec params = decodeParameters(attributes[1].getByteArray());
+ return keySpec.cast(
+ new ECPrivateKeySpec(attributes[0].getBigInteger(), params));
+ } catch (IOException e) {
+ throw new InvalidKeySpecException("Could not parse key", e);
+ }
+ } else { // PKCS#8 handled in superclass
+ throw new InvalidKeySpecException("Only ECPrivateKeySpec "
+ + "and PKCS8EncodedKeySpec supported for EC private keys");
+ }
+ }
+
+ KeyFactory implGetSoftwareFactory() throws GeneralSecurityException {
+ return KeyFactory.getInstance("EC", getSunECProvider());
+ }
+
+}