private void assertCanGenKeypair(String methodName, long mechanism, P11NewKeyControl control) throws P11UnsupportedMechanismException, P11PermissionException, P11DuplicateEntityException { ParamUtil.requireNonNull("control", control); assertWritable(methodName); assertMechanismSupported(mechanism); assertNoIdentityAndCert(control.getId(), control.getLabel()); }
public P11Identity getIdentity(P11SlotIdentifier slotId, P11ObjectIdentifier keyId) throws P11TokenException { P11Slot slot = module.getSlot(slotId); return (slot == null) ? null : slot.getIdentity(keyId); }
public boolean supportsMechanism(long mechanism) { try { return p11CryptService.getSlot(identityId.getSlotId()).supportsMechanism(mechanism); } catch (P11TokenException ex) { return false; } }
/** * Generates an SM2 keypair. * * @param control * Control of the key generation process. Must not be {@code null}. * @return the identifier of the identity within the PKCS#P11 token. * @throws P11TokenException * if PKCS#11 token exception occurs. */ // CHECKSTYLE:SKIP public P11IdentityId generateSM2Keypair(P11NewKeyControl control) throws P11TokenException { assertCanGenKeypair("generateSM2Keypair", PKCS11Constants.CKM_VENDOR_SM2_KEY_PAIR_GEN, control); P11Identity identity = generateSM2Keypair0(control); addIdentity(identity); P11IdentityId id = identity.getId(); LOG.info("generated SM2 keypair {}", id); return id; }
throw new IllegalArgumentException("key size is not multiple of 1024: " + keysize); assertCanGenKeypair("generateRSAKeypair", PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN, control); P11Identity identity = generateRSAKeypair0(keysize, tmpPublicExponent, control); addIdentity(identity); P11IdentityId id = identity.getId(); LOG.info("generated RSA keypair {}", id);
/** * Removes the key (private key, public key, secret key, and certificates) associated with * the given identifier {@code objectId}. * * @param identityId * Identity identifier. Must not be {@code null}. * @throws P11TokenException * if PKCS#11 token exception occurs. */ public void removeIdentity(P11IdentityId identityId) throws P11TokenException { Args.notNull(identityId, "identityId"); assertWritable("removeIdentity"); P11ObjectIdentifier keyId = identityId.getKeyId(); if (identities.containsKey(keyId)) { if (identityId.getCertId() != null) { certificates.remove(identityId.getCertId()); } identities.get(keyId).setCertificates(null); identities.remove(keyId); updateCaCertsOfIdentities(); } removeIdentity0(identityId); }
/** * Generates a DSA keypair. * * @param p * p of DSA. Must not be {@code null}. * @param q * q of DSA. Must not be {@code null}. * @param g * g of DSA. Must not be {@code null}. * @param control * Control of the key generation process. Must not be {@code null}. * @return the identifier of the identity within the PKCS#P11 token. * @throws P11TokenException * if PKCS#11 token exception occurs. */ // CHECKSTYLE:SKIP public P11IdentityId generateDSAKeypair(BigInteger p, BigInteger q, BigInteger g, P11NewKeyControl control) throws P11TokenException { Args.notNull(p, "p"); Args.notNull(q, "q"); Args.notNull(g, "g"); assertCanGenKeypair("generateDSAKeypair", PKCS11Constants.CKM_DSA_KEY_PAIR_GEN, control); P11Identity identity = generateDSAKeypair0(p, q, g, control); addIdentity(identity); P11IdentityId id = identity.getId(); LOG.info("generated DSA keypair {}", id); return id; }
/** * Generates a secret key in the PKCS#11 token. * * @param keyType * Key type * @param keysize * Key size in bit * @param control * Control of the key generation process. Must not be {@code null}. * @return the identifier of the identity within the PKCS#11 token. * @throws P11TokenException * if PKCS#11 token exception occurs. */ public P11IdentityId generateSecretKey(long keyType, int keysize, P11NewKeyControl control) throws P11TokenException { assertWritable("generateSecretKey"); ParamUtil.requireNonNull("control", control); assertNoIdentityAndCert(control.getId(), control.getLabel()); P11Identity identity = generateSecretKey0(keyType, keysize, control); addIdentity(identity); P11IdentityId id = identity.getId(); LOG.info("generated secret key {}", id); return id; }
/** * Imports secret key object in the PKCS#11 token. The key itself will not be generated * within the PKCS#11 token. * * @param keyType * Key type * @param keyValue * Key value. Must not be {@code null}. * @param control * Control of the key generation process. Must not be {@code null}. * @return the identifier of the key within the PKCS#11 token. * @throws P11TokenException * if PKCS#11 token exception occurs. */ public P11ObjectIdentifier importSecretKey(long keyType, byte[] keyValue, P11NewKeyControl control) throws P11TokenException { ParamUtil.requireNonNull("control", control); assertWritable("createSecretKey"); assertNoIdentityAndCert(control.getId(), control.getLabel()); P11Identity identity = importSecretKey0(keyType, keyValue, control); addIdentity(identity); P11ObjectIdentifier objId = identity.getId().getKeyId(); LOG.info("created secret key {}", objId); return objId; }
/** * Adds the certificate to the PKCS#11 token under the given identifier {@code objectId}. * * @param cert * Certificate to be added. Must not be {@code null}. * @param control * Control of the object creation process. Must not be {@code null}. * @throws CertificateException * if process with certificate fails. * @throws P11TokenException * if PKCS#11 token exception occurs. */ public P11ObjectIdentifier addCert(X509Certificate cert, P11NewObjectControl control) throws P11TokenException, CertificateException { ParamUtil.requireNonNull("cert", cert); ParamUtil.requireNonNull("control", control); assertWritable("addCert"); if (control.getLabel() == null) { String cn = X509Util.getCommonName(cert.getSubjectX500Principal()); control = new P11NewObjectControl(control.getId(), generateLabel(cn)); } P11ObjectIdentifier objectId = addCert0(cert, control); certificates.put(objectId, new X509Cert(cert)); updateCaCertsOfIdentities(); LOG.info("added certificate {}", objectId); return objectId; }
/** * Generates an EC keypair. * * @param curveNameOrOid * Object identifier or name of the EC curve. Must not be {@code null}. * @param control * Control of the key generation process. Must not be {@code null}. * @return the identifier of the identity within the PKCS#P11 token. * @throws P11TokenException * if PKCS#11 token exception occurs. */ // CHECKSTYLE:SKIP public P11IdentityId generateECKeypair(String curveNameOrOid, P11NewKeyControl control) throws P11TokenException { Args.notBlank(curveNameOrOid, "curveNameOrOid"); assertCanGenKeypair("generateECKeypair", PKCS11Constants.CKM_EC_KEY_PAIR_GEN, control); ASN1ObjectIdentifier curveId = AlgorithmUtil.getCurveOidForCurveNameOrOid(curveNameOrOid); if (curveId == null) { throw new IllegalArgumentException("unknown curve " + curveNameOrOid); } P11Identity identity = generateECKeypair0(curveId, control); addIdentity(identity); P11IdentityId id = identity.getId(); LOG.info("generated EC keypair {}", id); return id; }
/** * TODO. * @param objectId * Object identifier. Must not be {@code null}. * @throws P11TokenException * if PKCS#11 token exception occurs. */ public void removeCerts(P11ObjectIdentifier objectId) throws P11TokenException { Args.notNull(objectId, "objectId"); assertWritable("removeCerts"); P11ObjectIdentifier keyId = null; for (P11ObjectIdentifier m : identities.keySet()) { P11Identity identity = identities.get(m); if (objectId.equals(identity.getId().getCertId())) { keyId = m; break; } } if (keyId != null) { certificates.remove(objectId); identities.get(keyId).setCertificates(null); } else if (certificates.containsKey(objectId)) { certificates.remove(objectId); } else { throw new P11UnknownEntityException(slotId, objectId); } updateCaCertsOfIdentities(); removeCerts0(objectId); }
ParamUtil.requireNonNull("keyId", keyId); ParamUtil.requireNonNull("newCert", newCert); assertWritable("updateCertificate"); updateCertificate0(keyId, newCert); identity.setCertificates(new X509Certificate[]{newCert}); updateCaCertsOfIdentities(); LOG.info("updated certificate for key {}", keyId);
? slot.getObjectIdForId(keyId) : slot.getObjectIdForLabel(keyLabel); if (p11ObjId == null) { String str2 = (keyId != null) ? "id " + Hex.toHexString(keyId) : "label " + keyLabel; throw new ObjectCreationException("cound not find identity with " + str2); P11EntityIdentifier entityId = new P11EntityIdentifier(slot.slotId(), p11ObjId); signatureAlgId = AlgorithmUtil.getSigAlgId(null, conf); } else { PublicKey pubKey = slot.getIdentity(p11ObjId).publicKey(); signatureAlgId = AlgorithmUtil.getSigAlgId(pubKey, conf);
public byte[] digestSecretKey(long mechanism) throws P11TokenException, XiSecurityException { slot.assertMechanismSupported(mechanism); if (LOG.isDebugEnabled()) { LOG.debug("digest secret with mechanism {}", Functions.getMechanismDescription(mechanism)); } return digestSecretKey0(mechanism); }
private void engineLoad(String moduleName) throws P11TokenException, XiSecurityException { P11CryptService p11Service = p11CryptServiceFactory.getP11CryptService(moduleName); P11Module module = p11Service.getModule(); List<P11SlotIdentifier> slotIds = module.getSlotIds(); for (P11SlotIdentifier slotId: slotIds) { P11Slot slot = module.getSlot(slotId); Set<P11ObjectIdentifier> identityIds = slot.getIdentityKeyIds(); for (P11ObjectIdentifier objId : identityIds) { P11Identity identity = slot.getIdentity(objId); X509Certificate[] chain = identity.certificateChain(); if (chain == null || chain.length == 0) { continue; } P11PrivateKey key = new P11PrivateKey(p11Service, identity.getId()); KeyCertEntry keyCertEntry = new KeyCertEntry(key, chain); keyCerts.put(moduleName + "#slotid-" + slotId.getId() + "#keyid-" + objId.getIdHex(), keyCertEntry); keyCerts.put(moduleName + "#slotid-" + slotId.getId() + "#keylabel-" + objId.getLabel(), keyCertEntry); keyCerts.put(moduleName + "#slotindex-" + slotId.getIndex() + "#keyid-" + objId.getIdHex(), keyCertEntry); keyCerts.put(moduleName + "#slotindex-" + slotId.getIndex() + "#keylabel-" + objId.getLabel(), keyCertEntry); } } } // method engineLoad
P11IdentityId identityId = slot.getIdentityId(keyId, keyLabel); if (identityId == null) { String str2 = (keyId != null) ? "id " + Hex.encode(keyId) : "label " + keyLabel; signatureAlgId = AlgorithmUtil.getSigAlgId(null, conf); } else { PublicKey pubKey = slot.getIdentity(identityId.getKeyId()).getPublicKey(); signatureAlgId = AlgorithmUtil.getSigAlgId(pubKey, conf);
private void engineLoad(final String moduleName) throws P11TokenException, XiSecurityException { P11CryptService p11Service = p11CryptServiceFactory.getP11CryptService(moduleName); P11Module module = p11Service.module(); List<P11SlotIdentifier> slotIds = module.slotIdentifiers(); for (P11SlotIdentifier slotId: slotIds) { P11Slot slot = module.getSlot(slotId); Set<P11ObjectIdentifier> identityIds = slot.identityIdentifiers(); for (P11ObjectIdentifier objId : identityIds) { P11Identity identity = slot.getIdentity(objId); X509Certificate[] chain = identity.certificateChain(); if (chain == null || chain.length == 0) { continue; } P11PrivateKey key = new P11PrivateKey(p11Service, identity.identityId()); KeyCertEntry keyCertEntry = new KeyCertEntry(key, chain); keyCerts.put(moduleName + "#slotid-" + slotId.id() + "#keyid-" + objId.idHex(), keyCertEntry); keyCerts.put(moduleName + "#slotid-" + slotId.id() + "#keylabel-" + objId.label(), keyCertEntry); keyCerts.put(moduleName + "#slotindex-" + slotId.index() + "#keyid-" + objId.idHex(), keyCertEntry); keyCerts.put(moduleName + "#slotindex-" + slotId.index() + "#keylabel-" + objId.label(), keyCertEntry); } } } // method engineLoad
public synchronized void refresh() throws P11TokenException { LOG.info("refreshing PKCS#11 module {}", module.getName()); List<P11SlotIdentifier> slotIds = module.slotIdentifiers(); for (P11SlotIdentifier slotId : slotIds) { P11Slot slot; try { slot = module.getSlot(slotId); } catch (P11TokenException ex) { LogUtil.warn(LOG, ex, "P11TokenException while initializing slot " + slotId); continue; } catch (Throwable th) { LOG.error("unexpected error while initializing slot " + slotId, th); continue; } slot.refresh(); } LOG.info("refreshed PKCS#11 module {}", module.getName()); } // method refresh
private void updateCaCertsOfIdentity(P11Identity identity) { X509Certificate[] certchain = identity.certificateChain(); if (certchain == null || certchain.length == 0) { return; } X509Certificate[] newCertchain = buildCertPath(certchain[0]); if (!Arrays.equals(certchain, newCertchain)) { try { identity.setCertificates(newCertchain); } catch (P11TokenException ex) { LOG.warn("could not set certificates for identity {}", identity.getId()); } } }