Example 31 with P11ObjectIdentifier
use of org.xipki.security.pkcs11.P11ObjectIdentifier in project xipki by xipki.
the class IaikP11Slot method refresh0.
@Override
protected P11SlotRefreshResult refresh0() throws P11TokenException {
Mechanism[] mechanisms;
try {
mechanisms = slot.getToken().getMechanismList();
} catch (TokenException ex) {
throw new P11TokenException("could not getMechanismList: " + ex.getMessage(), ex);
}
P11SlotRefreshResult ret = new P11SlotRefreshResult();
if (mechanisms != null) {
for (Mechanism mech : mechanisms) {
ret.addMechanism(mech.getMechanismCode());
}
}
ConcurrentBagEntry<Session> session = borrowSession();
try {
// secret keys
List<SecretKey> secretKeys = getAllSecretKeyObjects(session.value());
for (SecretKey secKey : secretKeys) {
byte[] keyId = secKey.getId().getByteArrayValue();
if (keyId == null || keyId.length == 0) {
continue;
}
analyseSingleKey(secKey, ret);
}
// first get the list of all CA certificates
List<X509PublicKeyCertificate> p11Certs = getAllCertificateObjects(session.value());
for (X509PublicKeyCertificate p11Cert : p11Certs) {
P11ObjectIdentifier objId = new P11ObjectIdentifier(p11Cert.getId().getByteArrayValue(), toString(p11Cert.getLabel()));
ret.addCertificate(objId, parseCert(p11Cert));
}
List<PrivateKey> privKeys = getAllPrivateObjects(session.value());
for (PrivateKey privKey : privKeys) {
byte[] keyId = privKey.getId().getByteArrayValue();
if (keyId == null || keyId.length == 0) {
break;
}
try {
analyseSingleKey(session.value(), privKey, ret);
} catch (XiSecurityException ex) {
LogUtil.error(LOG, ex, "XiSecurityException while initializing private key " + "with id " + hex(keyId));
continue;
} catch (Throwable th) {
String label = "";
if (privKey.getLabel() != null) {
label = new String(privKey.getLabel().getCharArrayValue());
}
LOG.error("unexpected exception while initializing private key with id " + hex(keyId) + " and label " + label, th);
continue;
}
}
return ret;
} finally {
sessions.requite(session);
}
}
Also used :
RSAPrivateKey(iaik.pkcs.pkcs11.objects.RSAPrivateKey)
ECPrivateKey(iaik.pkcs.pkcs11.objects.ECPrivateKey)
SM2PrivateKey(iaik.pkcs.pkcs11.objects.SM2PrivateKey)
PrivateKey(iaik.pkcs.pkcs11.objects.PrivateKey)
DSAPrivateKey(iaik.pkcs.pkcs11.objects.DSAPrivateKey)
P11TokenException(org.xipki.security.exception.P11TokenException)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
Mechanism(iaik.pkcs.pkcs11.Mechanism)
ValuedSecretKey(iaik.pkcs.pkcs11.objects.ValuedSecretKey)
SecretKey(iaik.pkcs.pkcs11.objects.SecretKey)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
P11SlotRefreshResult(org.xipki.security.pkcs11.P11SlotRefreshResult)
P11TokenException(org.xipki.security.exception.P11TokenException)
TokenException(iaik.pkcs.pkcs11.TokenException)
X509PublicKeyCertificate(iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate)
P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier)
Session(iaik.pkcs.pkcs11.Session)
Example 32 with P11ObjectIdentifier
use of org.xipki.security.pkcs11.P11ObjectIdentifier in project xipki by xipki.
the class IaikP11Slot method analyseSingleKey.
private void analyseSingleKey(SecretKey secretKey, P11SlotRefreshResult refreshResult) {
byte[] id = secretKey.getId().getByteArrayValue();
P11ObjectIdentifier objectId = new P11ObjectIdentifier(id, toString(secretKey.getLabel()));
IaikP11Identity identity = new IaikP11Identity(this, new P11EntityIdentifier(slotId, objectId), secretKey);
refreshResult.addIdentity(identity);
}
Also used :
P11EntityIdentifier(org.xipki.security.pkcs11.P11EntityIdentifier)
P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier)
Example 33 with P11ObjectIdentifier
use of org.xipki.security.pkcs11.P11ObjectIdentifier in project xipki by xipki.
the class IaikP11Slot method generateSecretKey0.
@Override
protected P11Identity generateSecretKey0(long keyType, int keysize, String label, P11NewKeyControl control) throws P11TokenException {
if (keysize % 8 != 0) {
throw new IllegalArgumentException("keysize is not multiple of 8: " + keysize);
}
long mech;
if (PKCS11Constants.CKK_AES == keyType) {
mech = PKCS11Constants.CKM_AES_KEY_GEN;
} else if (PKCS11Constants.CKK_DES3 == keyType) {
mech = PKCS11Constants.CKM_DES3_KEY_GEN;
} else if (PKCS11Constants.CKK_GENERIC_SECRET == keyType) {
mech = PKCS11Constants.CKM_GENERIC_SECRET_KEY_GEN;
} else if (PKCS11Constants.CKK_SHA_1_HMAC == keyType || PKCS11Constants.CKK_SHA224_HMAC == keyType || PKCS11Constants.CKK_SHA256_HMAC == keyType || PKCS11Constants.CKK_SHA384_HMAC == keyType || PKCS11Constants.CKK_SHA512_HMAC == keyType || PKCS11Constants.CKK_SHA3_224_HMAC == keyType || PKCS11Constants.CKK_SHA3_256_HMAC == keyType || PKCS11Constants.CKK_SHA3_384_HMAC == keyType || PKCS11Constants.CKK_SHA3_512_HMAC == keyType) {
mech = PKCS11Constants.CKM_GENERIC_SECRET_KEY_GEN;
} else {
throw new IllegalArgumentException("unsupported key type 0x" + Functions.toFullHex((int) keyType));
}
assertMechanismSupported(mech);
ValuedSecretKey template = new ValuedSecretKey(keyType);
template.getToken().setBooleanValue(true);
template.getLabel().setCharArrayValue(label.toCharArray());
template.getSign().setBooleanValue(true);
template.getSensitive().setBooleanValue(true);
template.getExtractable().setBooleanValue(control.isExtractable());
template.getValueLen().setLongValue((long) (keysize / 8));
Mechanism mechanism = Mechanism.get(mech);
SecretKey key;
Session session = borrowWritableSession();
try {
if (labelExists(session, label)) {
throw new IllegalArgumentException("label " + label + " exists, please specify another one");
}
byte[] id = generateKeyId(session);
template.getId().setByteArrayValue(id);
try {
key = (SecretKey) session.generateKey(mechanism, template);
} catch (TokenException ex) {
throw new P11TokenException("could not generate generic secret key using " + mechanism.getName(), ex);
}
P11ObjectIdentifier objId = new P11ObjectIdentifier(id, label);
P11EntityIdentifier entityId = new P11EntityIdentifier(slotId, objId);
return new IaikP11Identity(this, entityId, key);
} finally {
returnWritableSession(session);
}
}
Also used :
ValuedSecretKey(iaik.pkcs.pkcs11.objects.ValuedSecretKey)
ValuedSecretKey(iaik.pkcs.pkcs11.objects.ValuedSecretKey)
SecretKey(iaik.pkcs.pkcs11.objects.SecretKey)
P11TokenException(org.xipki.security.exception.P11TokenException)
TokenException(iaik.pkcs.pkcs11.TokenException)
P11TokenException(org.xipki.security.exception.P11TokenException)
P11EntityIdentifier(org.xipki.security.pkcs11.P11EntityIdentifier)
P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier)
Mechanism(iaik.pkcs.pkcs11.Mechanism)
Session(iaik.pkcs.pkcs11.Session)
Example 34 with P11ObjectIdentifier
use of org.xipki.security.pkcs11.P11ObjectIdentifier in project xipki by xipki.
the class SignerFactoryRegisterImpl method newPkcs11Signer.
private ConcurrentContentSigner newPkcs11Signer(SecurityFactory securityFactory, String type, SignerConf conf, X509Certificate[] certificateChain) throws ObjectCreationException {
if (p11CryptServiceFactory == null) {
throw new ObjectCreationException("p11CryptServiceFactory is not set");
}
String str = conf.getConfValue("parallelism");
int parallelism = securityFactory.getDefaultSignerParallelism();
if (str != null) {
try {
parallelism = Integer.parseInt(str);
} catch (NumberFormatException ex) {
throw new ObjectCreationException("invalid parallelism " + str);
}
if (parallelism < 1) {
throw new ObjectCreationException("invalid parallelism " + str);
}
}
String moduleName = conf.getConfValue("module");
str = conf.getConfValue("slot");
Integer slotIndex = (str == null) ? null : Integer.parseInt(str);
str = conf.getConfValue("slot-id");
Long slotId = (str == null) ? null : Long.parseLong(str);
if ((slotIndex == null && slotId == null) || (slotIndex != null && slotId != null)) {
throw new ObjectCreationException("exactly one of slot (index) and slot-id must be specified");
}
String keyLabel = conf.getConfValue("key-label");
str = conf.getConfValue("key-id");
byte[] keyId = null;
if (str != null) {
keyId = Hex.decode(str);
}
if ((keyId == null && keyLabel == null) || (keyId != null && keyLabel != null)) {
throw new ObjectCreationException("exactly one of key-id and key-label must be specified");
}
P11CryptService p11Service;
P11Slot slot;
try {
p11Service = p11CryptServiceFactory.getP11CryptService(moduleName);
P11Module module = p11Service.getModule();
P11SlotIdentifier p11SlotId;
if (slotId != null) {
p11SlotId = module.getSlotIdForId(slotId);
} else if (slotIndex != null) {
p11SlotId = module.getSlotIdForIndex(slotIndex);
} else {
throw new RuntimeException("should not reach here");
}
slot = module.getSlot(p11SlotId);
} catch (P11TokenException | XiSecurityException ex) {
throw new ObjectCreationException(ex.getMessage(), ex);
}
P11ObjectIdentifier p11ObjId = (keyId != null) ? slot.getObjectIdForId(keyId) : slot.getObjectIdForLabel(keyLabel);
if (p11ObjId == null) {
String str2 = (keyId != null) ? "id " + Hex.encode(keyId) : "label " + keyLabel;
throw new ObjectCreationException("cound not find identity with " + str2);
}
P11EntityIdentifier entityId = new P11EntityIdentifier(slot.getSlotId(), p11ObjId);
try {
AlgorithmIdentifier macAlgId = null;
String algoName = conf.getConfValue("algo");
if (algoName != null) {
try {
macAlgId = AlgorithmUtil.getMacAlgId(algoName);
} catch (NoSuchAlgorithmException ex) {
// do nothing
}
}
if (macAlgId != null) {
P11MacContentSignerBuilder signerBuilder = new P11MacContentSignerBuilder(p11Service, entityId);
return signerBuilder.createSigner(macAlgId, parallelism);
} else {
AlgorithmIdentifier signatureAlgId;
if (conf.getHashAlgo() == null) {
signatureAlgId = AlgorithmUtil.getSigAlgId(null, conf);
} else {
PublicKey pubKey = slot.getIdentity(p11ObjId).getPublicKey();
signatureAlgId = AlgorithmUtil.getSigAlgId(pubKey, conf);
}
P11ContentSignerBuilder signerBuilder = new P11ContentSignerBuilder(p11Service, securityFactory, entityId, certificateChain);
return signerBuilder.createSigner(signatureAlgId, parallelism);
}
} catch (P11TokenException | NoSuchAlgorithmException | XiSecurityException ex) {
throw new ObjectCreationException(ex.getMessage(), ex);
}
}
Also used :
P11MacContentSignerBuilder(org.xipki.security.pkcs11.P11MacContentSignerBuilder)
P11Module(org.xipki.security.pkcs11.P11Module)
P11SlotIdentifier(org.xipki.security.pkcs11.P11SlotIdentifier)
PublicKey(java.security.PublicKey)
P11Slot(org.xipki.security.pkcs11.P11Slot)
P11TokenException(org.xipki.security.exception.P11TokenException)
P11EntityIdentifier(org.xipki.security.pkcs11.P11EntityIdentifier)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
P11ContentSignerBuilder(org.xipki.security.pkcs11.P11ContentSignerBuilder)
P11CryptService(org.xipki.security.pkcs11.P11CryptService)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
ObjectCreationException(org.xipki.common.ObjectCreationException)
P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier)
Aggregations
P11ObjectIdentifier (org.xipki.security.pkcs11.P11ObjectIdentifier)30
P11EntityIdentifier (org.xipki.security.pkcs11.P11EntityIdentifier)15
P11Slot (org.xipki.security.pkcs11.P11Slot)15
P11TokenException (org.xipki.security.exception.P11TokenException)10
X509Certificate (java.security.cert.X509Certificate)8
Asn1P11EntityIdentifier (org.xipki.p11proxy.msg.Asn1P11EntityIdentifier)6
IllegalCmdParamException (org.xipki.console.karaf.IllegalCmdParamException)5
Session (iaik.pkcs.pkcs11.Session)4
TokenException (iaik.pkcs.pkcs11.TokenException)4
PublicKey (java.security.PublicKey)4
DEROctetString (org.bouncycastle.asn1.DEROctetString)4
X509Cert (org.xipki.security.X509Cert)4
XiSecurityException (org.xipki.security.exception.XiSecurityException)4
SecretKey (iaik.pkcs.pkcs11.objects.SecretKey)3
ValuedSecretKey (iaik.pkcs.pkcs11.objects.ValuedSecretKey)3
InvalidKeyException (java.security.InvalidKeyException)3
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3
CertificateException (java.security.cert.CertificateException)3
P11SlotRefreshResult (org.xipki.security.pkcs11.P11SlotRefreshResult)3
Mechanism (iaik.pkcs.pkcs11.Mechanism)2
