CoCalc -- P11Mac.java

GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java
³⁸⁹¹⁹ views
1
/*
2
 * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package sun.security.pkcs11;
27

28
import java.nio.ByteBuffer;
29

30
import java.security.*;
31
import java.security.spec.AlgorithmParameterSpec;
32

33
import javax.crypto.MacSpi;
34

35
import sun.nio.ch.DirectBuffer;
36

37
import sun.security.pkcs11.wrapper.*;
38
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
39

40
/**
41
 * MAC implementation class. This class currently supports HMAC using
42
 * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC
43
 * using MD5 and SHA-1.
44
 *
45
 * Note that unlike other classes (e.g. Signature), this does not
46
 * composite various operations if the token only supports part of the
47
 * required functionality. The MAC implementations in SunJCE already
48
 * do exactly that by implementing an MAC on top of MessageDigests. We
49
 * could not do any better than they.
50
 *
51
 * @author  Andreas Sterbenz
52
 * @since   1.5
53
 */
54
final class P11Mac extends MacSpi {
55

56
    // token instance
57
    private final Token token;
58

59
    // algorithm name
60
    private final String algorithm;
61

62
    // mechanism object
63
    private final CK_MECHANISM ckMechanism;
64

65
    // length of the MAC in bytes
66
    private final int macLength;
67

68
    // key instance used, if operation active
69
    private P11Key p11Key;
70

71
    // associated session, if any
72
    private Session session;
73

74
    // initialization status
75
    private boolean initialized;
76

77
    // one byte buffer for the update(byte) method, initialized on demand
78
    private byte[] oneByte;
79

80
    P11Mac(Token token, String algorithm, long mechanism)
81
            throws PKCS11Exception {
82
        super();
83
        this.token = token;
84
        this.algorithm = algorithm;
85
        Long params = null;
86
        switch ((int)mechanism) {
87
        case (int)CKM_MD5_HMAC:
88
            macLength = 16;
89
            break;
90
        case (int)CKM_SHA_1_HMAC:
91
            macLength = 20;
92
            break;
93
        case (int)CKM_SHA224_HMAC:
94
            macLength = 28;
95
            break;
96
        case (int)CKM_SHA256_HMAC:
97
            macLength = 32;
98
            break;
99
        case (int)CKM_SHA384_HMAC:
100
            macLength = 48;
101
            break;
102
        case (int)CKM_SHA512_HMAC:
103
            macLength = 64;
104
            break;
105
        case (int)CKM_SSL3_MD5_MAC:
106
            macLength = 16;
107
            params = Long.valueOf(16);
108
            break;
109
        case (int)CKM_SSL3_SHA1_MAC:
110
            macLength = 20;
111
            params = Long.valueOf(20);
112
            break;
113
        default:
114
            throw new ProviderException("Unknown mechanism: " + mechanism);
115
        }
116
        ckMechanism = new CK_MECHANISM(mechanism, params);
117
    }
118

119
    // reset the states to the pre-initialized values
120
    private void reset(boolean doCancel) {
121
        if (!initialized) {
122
            return;
123
        }
124
        initialized = false;
125

126
        try {
127
            if (session == null) {
128
                return;
129
            }
130

131
            if (doCancel && token.explicitCancel) {
132
                cancelOperation();
133
            }
134
        } finally {
135
            p11Key.releaseKeyID();
136
            session = token.releaseSession(session);
137
        }
138
    }
139

140
    private void cancelOperation() {
141
        token.ensureValid();
142
        // cancel operation by finishing it; avoid killSession as some
143
        // hardware vendors may require re-login
144
        try {
145
            token.p11.C_SignFinal(session.id(), 0);
146
        } catch (PKCS11Exception e) {
147
            if (e.getErrorCode() == CKR_OPERATION_NOT_INITIALIZED) {
148
                // Cancel Operation may be invoked after an error on a PKCS#11
149
                // call. If the operation inside the token was already cancelled,
150
                // do not fail here. This is part of a defensive mechanism for
151
                // PKCS#11 libraries that do not strictly follow the standard.
152
                return;
153
            }
154
            throw new ProviderException("Cancel failed", e);
155
        }
156
    }
157

158
    private void ensureInitialized() throws PKCS11Exception {
159
        if (!initialized) {
160
            initialize();
161
        }
162
    }
163

164
    private void initialize() throws PKCS11Exception {
165
        if (p11Key == null) {
166
            throw new ProviderException(
167
                    "Operation cannot be performed without calling engineInit first");
168
        }
169
        token.ensureValid();
170
        long p11KeyID = p11Key.getKeyID();
171
        try {
172
            if (session == null) {
173
                session = token.getOpSession();
174
            }
175
            token.p11.C_SignInit(session.id(), ckMechanism, p11KeyID);
176
        } catch (PKCS11Exception e) {
177
            p11Key.releaseKeyID();
178
            session = token.releaseSession(session);
179
            throw e;
180
        }
181
        initialized = true;
182
    }
183

184
    // see JCE spec
185
    protected int engineGetMacLength() {
186
        return macLength;
187
    }
188

189
    // see JCE spec
190
    protected void engineReset() {
191
        reset(true);
192
    }
193

194
    // see JCE spec
195
    protected void engineInit(Key key, AlgorithmParameterSpec params)
196
            throws InvalidKeyException, InvalidAlgorithmParameterException {
197
        if (params != null) {
198
            throw new InvalidAlgorithmParameterException
199
                ("Parameters not supported");
200
        }
201
        reset(true);
202
        p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
203
        try {
204
            initialize();
205
        } catch (PKCS11Exception e) {
206
            throw new InvalidKeyException("init() failed", e);
207
        }
208
    }
209

210
    // see JCE spec
211
    protected byte[] engineDoFinal() {
212
        try {
213
            ensureInitialized();
214
            return token.p11.C_SignFinal(session.id(), 0);
215
        } catch (PKCS11Exception e) {
216
            // As per the PKCS#11 standard, C_SignFinal may only
217
            // keep the operation active on CKR_BUFFER_TOO_SMALL errors or
218
            // successful calls to determine the output length. However,
219
            // these cases are handled at OpenJDK's libj2pkcs11 native
220
            // library. Thus, P11Mac::reset can be called with a 'false'
221
            // doCancel argument from here.
222
            throw new ProviderException("doFinal() failed", e);
223
        } finally {
224
            reset(false);
225
        }
226
    }
227

228
    // see JCE spec
229
    protected void engineUpdate(byte input) {
230
        if (oneByte == null) {
231
           oneByte = new byte[1];
232
        }
233
        oneByte[0] = input;
234
        engineUpdate(oneByte, 0, 1);
235
    }
236

237
    // see JCE spec
238
    protected void engineUpdate(byte[] b, int ofs, int len) {
239
        try {
240
            ensureInitialized();
241
            token.p11.C_SignUpdate(session.id(), 0, b, ofs, len);
242
        } catch (PKCS11Exception e) {
243
            throw new ProviderException("update() failed", e);
244
        }
245
    }
246

247
    // see JCE spec
248
    protected void engineUpdate(ByteBuffer byteBuffer) {
249
        try {
250
            ensureInitialized();
251
            int len = byteBuffer.remaining();
252
            if (len <= 0) {
253
                return;
254
            }
255
            if (byteBuffer instanceof DirectBuffer == false) {
256
                super.engineUpdate(byteBuffer);
257
                return;
258
            }
259
            long addr = ((DirectBuffer)byteBuffer).address();
260
            int ofs = byteBuffer.position();
261
            token.p11.C_SignUpdate(session.id(), addr + ofs, null, 0, len);
262
            byteBuffer.position(ofs + len);
263
        } catch (PKCS11Exception e) {
264
            throw new ProviderException("update() failed", e);
265
        }
266
    }
267
}
268

269
Product

Resources

Company
