Search in sources :

Example 16 with P11EntityIdentifier

use of org.xipki.security.pkcs11.P11EntityIdentifier in project xipki by xipki.

the class IaikP11Slot method generateSecretKey0.

@Override
protected P11Identity generateSecretKey0(long keyType, int keysize, String label, P11NewKeyControl control) throws P11TokenException {
    if (keysize % 8 != 0) {
        throw new IllegalArgumentException("keysize is not multiple of 8: " + keysize);
    }
    long mech;
    if (PKCS11Constants.CKK_AES == keyType) {
        mech = PKCS11Constants.CKM_AES_KEY_GEN;
    } else if (PKCS11Constants.CKK_DES3 == keyType) {
        mech = PKCS11Constants.CKM_DES3_KEY_GEN;
    } else if (PKCS11Constants.CKK_GENERIC_SECRET == keyType) {
        mech = PKCS11Constants.CKM_GENERIC_SECRET_KEY_GEN;
    } else if (PKCS11Constants.CKK_SHA_1_HMAC == keyType || PKCS11Constants.CKK_SHA224_HMAC == keyType || PKCS11Constants.CKK_SHA256_HMAC == keyType || PKCS11Constants.CKK_SHA384_HMAC == keyType || PKCS11Constants.CKK_SHA512_HMAC == keyType || PKCS11Constants.CKK_SHA3_224_HMAC == keyType || PKCS11Constants.CKK_SHA3_256_HMAC == keyType || PKCS11Constants.CKK_SHA3_384_HMAC == keyType || PKCS11Constants.CKK_SHA3_512_HMAC == keyType) {
        mech = PKCS11Constants.CKM_GENERIC_SECRET_KEY_GEN;
    } else {
        throw new IllegalArgumentException("unsupported key type 0x" + Functions.toFullHex((int) keyType));
    }
    assertMechanismSupported(mech);
    ValuedSecretKey template = new ValuedSecretKey(keyType);
    template.getToken().setBooleanValue(true);
    template.getLabel().setCharArrayValue(label.toCharArray());
    template.getSign().setBooleanValue(true);
    template.getSensitive().setBooleanValue(true);
    template.getExtractable().setBooleanValue(control.isExtractable());
    template.getValueLen().setLongValue((long) (keysize / 8));
    Mechanism mechanism = Mechanism.get(mech);
    SecretKey key;
    Session session = borrowWritableSession();
    try {
        if (labelExists(session, label)) {
            throw new IllegalArgumentException("label " + label + " exists, please specify another one");
        }
        byte[] id = generateKeyId(session);
        template.getId().setByteArrayValue(id);
        try {
            key = (SecretKey) session.generateKey(mechanism, template);
        } catch (TokenException ex) {
            throw new P11TokenException("could not generate generic secret key using " + mechanism.getName(), ex);
        }
        P11ObjectIdentifier objId = new P11ObjectIdentifier(id, label);
        P11EntityIdentifier entityId = new P11EntityIdentifier(slotId, objId);
        return new IaikP11Identity(this, entityId, key);
    } finally {
        returnWritableSession(session);
    }
}
Also used : ValuedSecretKey(iaik.pkcs.pkcs11.objects.ValuedSecretKey) ValuedSecretKey(iaik.pkcs.pkcs11.objects.ValuedSecretKey) SecretKey(iaik.pkcs.pkcs11.objects.SecretKey) P11TokenException(org.xipki.security.exception.P11TokenException) TokenException(iaik.pkcs.pkcs11.TokenException) P11TokenException(org.xipki.security.exception.P11TokenException) P11EntityIdentifier(org.xipki.security.pkcs11.P11EntityIdentifier) P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier) Mechanism(iaik.pkcs.pkcs11.Mechanism) Session(iaik.pkcs.pkcs11.Session)

Example 17 with P11EntityIdentifier

use of org.xipki.security.pkcs11.P11EntityIdentifier in project xipki by xipki.

the class SignerFactoryRegisterImpl method newPkcs11Signer.

private ConcurrentContentSigner newPkcs11Signer(SecurityFactory securityFactory, String type, SignerConf conf, X509Certificate[] certificateChain) throws ObjectCreationException {
    if (p11CryptServiceFactory == null) {
        throw new ObjectCreationException("p11CryptServiceFactory is not set");
    }
    String str = conf.getConfValue("parallelism");
    int parallelism = securityFactory.getDefaultSignerParallelism();
    if (str != null) {
        try {
            parallelism = Integer.parseInt(str);
        } catch (NumberFormatException ex) {
            throw new ObjectCreationException("invalid parallelism " + str);
        }
        if (parallelism < 1) {
            throw new ObjectCreationException("invalid parallelism " + str);
        }
    }
    String moduleName = conf.getConfValue("module");
    str = conf.getConfValue("slot");
    Integer slotIndex = (str == null) ? null : Integer.parseInt(str);
    str = conf.getConfValue("slot-id");
    Long slotId = (str == null) ? null : Long.parseLong(str);
    if ((slotIndex == null && slotId == null) || (slotIndex != null && slotId != null)) {
        throw new ObjectCreationException("exactly one of slot (index) and slot-id must be specified");
    }
    String keyLabel = conf.getConfValue("key-label");
    str = conf.getConfValue("key-id");
    byte[] keyId = null;
    if (str != null) {
        keyId = Hex.decode(str);
    }
    if ((keyId == null && keyLabel == null) || (keyId != null && keyLabel != null)) {
        throw new ObjectCreationException("exactly one of key-id and key-label must be specified");
    }
    P11CryptService p11Service;
    P11Slot slot;
    try {
        p11Service = p11CryptServiceFactory.getP11CryptService(moduleName);
        P11Module module = p11Service.getModule();
        P11SlotIdentifier p11SlotId;
        if (slotId != null) {
            p11SlotId = module.getSlotIdForId(slotId);
        } else if (slotIndex != null) {
            p11SlotId = module.getSlotIdForIndex(slotIndex);
        } else {
            throw new RuntimeException("should not reach here");
        }
        slot = module.getSlot(p11SlotId);
    } catch (P11TokenException | XiSecurityException ex) {
        throw new ObjectCreationException(ex.getMessage(), ex);
    }
    P11ObjectIdentifier p11ObjId = (keyId != null) ? slot.getObjectIdForId(keyId) : slot.getObjectIdForLabel(keyLabel);
    if (p11ObjId == null) {
        String str2 = (keyId != null) ? "id " + Hex.encode(keyId) : "label " + keyLabel;
        throw new ObjectCreationException("cound not find identity with " + str2);
    }
    P11EntityIdentifier entityId = new P11EntityIdentifier(slot.getSlotId(), p11ObjId);
    try {
        AlgorithmIdentifier macAlgId = null;
        String algoName = conf.getConfValue("algo");
        if (algoName != null) {
            try {
                macAlgId = AlgorithmUtil.getMacAlgId(algoName);
            } catch (NoSuchAlgorithmException ex) {
            // do nothing
            }
        }
        if (macAlgId != null) {
            P11MacContentSignerBuilder signerBuilder = new P11MacContentSignerBuilder(p11Service, entityId);
            return signerBuilder.createSigner(macAlgId, parallelism);
        } else {
            AlgorithmIdentifier signatureAlgId;
            if (conf.getHashAlgo() == null) {
                signatureAlgId = AlgorithmUtil.getSigAlgId(null, conf);
            } else {
                PublicKey pubKey = slot.getIdentity(p11ObjId).getPublicKey();
                signatureAlgId = AlgorithmUtil.getSigAlgId(pubKey, conf);
            }
            P11ContentSignerBuilder signerBuilder = new P11ContentSignerBuilder(p11Service, securityFactory, entityId, certificateChain);
            return signerBuilder.createSigner(signatureAlgId, parallelism);
        }
    } catch (P11TokenException | NoSuchAlgorithmException | XiSecurityException ex) {
        throw new ObjectCreationException(ex.getMessage(), ex);
    }
}
Also used : P11MacContentSignerBuilder(org.xipki.security.pkcs11.P11MacContentSignerBuilder) P11Module(org.xipki.security.pkcs11.P11Module) P11SlotIdentifier(org.xipki.security.pkcs11.P11SlotIdentifier) PublicKey(java.security.PublicKey) P11Slot(org.xipki.security.pkcs11.P11Slot) P11TokenException(org.xipki.security.exception.P11TokenException) P11EntityIdentifier(org.xipki.security.pkcs11.P11EntityIdentifier) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) P11ContentSignerBuilder(org.xipki.security.pkcs11.P11ContentSignerBuilder) P11CryptService(org.xipki.security.pkcs11.P11CryptService) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) XiSecurityException(org.xipki.security.exception.XiSecurityException) ObjectCreationException(org.xipki.common.ObjectCreationException) P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier)

Aggregations

P11EntityIdentifier (org.xipki.security.pkcs11.P11EntityIdentifier)17 P11ObjectIdentifier (org.xipki.security.pkcs11.P11ObjectIdentifier)11 P11TokenException (org.xipki.security.exception.P11TokenException)10 Asn1P11EntityIdentifier (org.xipki.p11proxy.msg.Asn1P11EntityIdentifier)8 PublicKey (java.security.PublicKey)5 X509Certificate (java.security.cert.X509Certificate)4 X509Cert (org.xipki.security.X509Cert)4 Session (iaik.pkcs.pkcs11.Session)3 TokenException (iaik.pkcs.pkcs11.TokenException)3 InvalidKeyException (java.security.InvalidKeyException)3 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3 CertificateException (java.security.cert.CertificateException)3 DEROctetString (org.bouncycastle.asn1.DEROctetString)3 Asn1EntityIdAndCert (org.xipki.p11proxy.msg.Asn1EntityIdAndCert)3 BadAsn1ObjectException (org.xipki.security.exception.BadAsn1ObjectException)3 XiSecurityException (org.xipki.security.exception.XiSecurityException)3 SecretKey (iaik.pkcs.pkcs11.objects.SecretKey)2 ValuedSecretKey (iaik.pkcs.pkcs11.objects.ValuedSecretKey)2 P11SlotRefreshResult (org.xipki.security.pkcs11.P11SlotRefreshResult)2 Mechanism (iaik.pkcs.pkcs11.Mechanism)1