4599N/A * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * PKCS#11 provider main class. 0N/A * @author Andreas Sterbenz 0N/A // the PKCS11 object through which we make the native calls 0N/A // name of the configuration file 0N/A // configuration information 0N/A // id of the PKCS#11 slot we are using 0N/A super(
"SunPKCS11-Dummy",
1.7d,
"SunPKCS11-Dummy");
0N/A (
"SunPKCS11 requires configuration file argument");
0N/A return "---DummyConfig-" +
id +
"---";
1111N/A * @deprecated use new SunPKCS11(String) or new SunPKCS11(InputStream) 0N/A // Initialization via Secmod. The way this works is as follows: 0N/A // SunPKCS11 is either in normal mode or in NSS Secmod mode. 0N/A // Secmod is activated by specifying one or more of the following 0N/A // options in the config file: 0N/A // nssUseSecmod, nssSecmodDirectory, nssLibrary, nssModule 0N/A // XXX add more explanation here 0N/A // If we are in Secmod mode and configured to use either the 0N/A // nssKeyStore or the nssTrustAnchors module, we automatically 1111N/A // switch to using the NSS trust attributes for trusted certs 1111N/A +
" invalid, NSS already initialized with " 1111N/A +
" invalid, NSS already initialized with " 1111N/A "Secmod not initialized and " 1111N/A +
"nssSecmodDirectory not specified");
1111N/A "nssSecmodDirectory must not be " 1111N/A +
"specified in noDb mode");
0N/A // XXX which exception to throw 0N/A // XXX should the option be called trustanchor or trustanchors?? 0N/A +
": only " + k +
" external NSS modules available");
0N/A // if the filename is a simple filename without path 0N/A // (e.g. "libpkcs11.so"), it may refer to a library somewhere on the 0N/A // OS library search path. Omit the test for file existance as that 0N/A // only looks in the current directory. 0N/A // request multithreaded access first 0N/A // fall back to single threaded access 0N/A // if possible, use null initArgs for better compatibility 0N/A (
"Initialization failed", e);
0N/A (
"Initialization failed", e);
0N/A // Map from mechanism to List of Descriptors that should be 0N/A // registered if the mechanism is supported 0N/A private static int[] m(
long m1) {
0N/A return new int[] {(
int)
m1};
0N/A private static int[] m(
long m1,
long m2) {
0N/A return new int[] {(
int)
m1, (
int)
m2};
0N/A private static int[] m(
long m1,
long m2,
long m3) {
0N/A return new int[] {(
int)
m1, (
int)
m2, (
int)
m3};
0N/A private static int[] m(
long m1,
long m2,
long m3,
long m4) {
0N/A // names of all the implementation classes 0N/A // use local variables, only used here 0N/A // XXX register all aliases 0N/A // register (Secret)KeyFactories if there are any mechanisms 0N/A // for a particular algorithm that we support 0N/A // AlgorithmParameters for EC. 0N/A // Only needed until we have an EC implementation in the SUN provider. 1111N/A d(
AGP,
"EC",
"sun.security.ec.ECParameters",
0N/A d(
KA,
"ECDH",
"sun.security.pkcs11.P11ECDHKeyAgreement",
0N/A // XXX attributes for Ciphers (supported modes, padding) 0N/A // XXX RSA_X_509, RSA_OAEP not yet supported 3002N/A * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the 3002N/A * PRF calculations. As of 2010, there is no PKCS11-level 3002N/A * support for TLS 1.2 PRF calculations, and no known OS's have 3002N/A * an internal variant we could use. Therefore for TLS 1.2, we 3002N/A * are updating JSSE to request different provider algorithms 3002N/A * (e.g. "SunTls12Prf"), and currently only SunJCE has these 3002N/A * If we reused the names such as "SunTlsPrf", the PKCS11 3002N/A * providers would need be updated to fail correctly when 3002N/A * presented with the wrong version number (via 3002N/A * Provider.Service.supportsParameters()), and we would also 3002N/A * need to add the appropriate supportsParamters() checks into 3002N/A * KeyGenerators (not currently there). 3002N/A * In the future, if PKCS11 support is added, we will restructure 1111N/A "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
1111N/A "sun.security.pkcs11.P11TlsMasterSecretGenerator",
1111N/A "sun.security.pkcs11.P11TlsKeyMaterialGenerator",
0N/A d(
KG,
"SunTlsPrf",
"sun.security.pkcs11.P11TlsPrfGenerator",
0N/A // background thread that periodically checks for token insertion 0N/A // if no token is present. We need to do that in a separate thread because 0N/A // the insertion check may block for quite a long time on some tokens. 0N/A // create the poller thread, if not already active 0N/A // destroy the poller thread, if active 264N/A /* Commented out to work with Solaris softtoken impl which 264N/A returns 0-value flags, e.g. both REMOVABLE_DEVICE and 264N/A TOKEN_PRESENT are false, when it can't access the token. 0N/A if (removable == false) { 0N/A // destroy the token. Called if we detect that it has been removed 0N/A // mismatch, our token must already be destroyed 0N/A // unregister all algorithms 0N/A // test if a token is present and initialize this provider for it if so. 0N/A // does nothing if no token is found 0N/A // called from constructor and by poller 0N/A (
"Token info for token in slot " +
slotID +
":");
1111N/A // Create a map from the various Descriptors to the "most 1111N/A // preferred" mechanism that was defined during the 1111N/A // could be mapped to CKM_DES_CBC_PAD or CKM_DES_CBC. Prefer 1111N/A // return a CKM_DES_CBC_PAD. 0N/A // we do not know of mechs with the upper 32 bits set 1111N/A // See if there is something "more preferred" 1111N/A // than what we currently have in the supportedAlgs 0N/A // register algorithms in provider 0N/A // do not register SecureRandom if the token does 0N/A // not support many sessions. if we did, we might 0N/A // run out of sessions in the middle of a 0N/A // nextBytes() call where we cannot fail over. 0N/A "sun.security.pkcs11.P11SecureRandom",
null,
0N/A "sun.security.pkcs11.P11KeyStore",
0N/A // reference equality 0N/A // RSA signatures and cipher 0N/A // MACs and symmetric ciphers 0N/A // do not check algorithm name, mismatch is unlikely anyway 0N/A // should not reach here, 0N/A // unknown engine type or algorithm 0N/A * Log in to this provider. 0N/A * <p> If the token expects a PIN to be supplied by the caller, 0N/A * the <code>handler</code> implementation must support 0N/A * a <code>PasswordCallback</code>. 0N/A * <p> To determine if the token supports a protected authentication path, 0N/A * the CK_TOKEN_INFO flag, CKF_PROTECTED_AUTHENTICATION_PATH, is consulted. 0N/A * @param subject this parameter is ignored 0N/A * @param handler the <code>CallbackHandler</code> used by 0N/A * this provider to communicate with the caller 0N/A * @exception LoginException if the login operation fails 0N/A * @exception SecurityException if the does not pass a security check for 0N/A * <code>SecurityPermission("authProvider.<i>name</i>")</code>, 0N/A * where <i>name</i> is the value returned by 0N/A * this provider's <code>getName</code> method 0N/A // see if a login is required 0N/A "ignoring login request");
0N/A // see if user already logged in 0N/A // user already logged in 0N/A // ignore - fall thru and attempt login 0N/A // get the pin if necessary 0N/A // XXX PolicyTool is dependent on this message text 0N/A (
"no password provided, and no callback handler " +
0N/A "available for retrieving password");
3050N/A (
"PKCS11.Token.providerName.Password."));
0N/A (
"Unable to perform password callback");
0N/A // perform token login 0N/A // pin is NULL if using CKF_PROTECTED_AUTHENTICATION_PATH 0N/A // we do not store the PIN in the subject for now 0N/A * Log out from this provider 0N/A * @exception LoginException if the logout operation fails 0N/A * @exception SecurityException if the does not pass a security check for 0N/A * <code>SecurityPermission("authProvider.<i>name</i>")</code>, 0N/A * where <i>name</i> is the value returned by 0N/A * this provider's <code>getName</code> method 0N/A // app may call logout for cleanup, allow 0N/A "ignoring logout request");
0N/A // perform token logout 0N/A * Set a <code>CallbackHandler</code> 0N/A * <p> The provider uses this handler if one is not passed to the 0N/A * <code>login</code> method. The provider also uses this handler 0N/A * if it invokes <code>login</code> on behalf of callers. 0N/A * In either case if a handler is not set via this method, 0N/A * the provider queries the 0N/A * <i>auth.login.defaultCallbackHandler</i> security property 0N/A * for the fully qualified class name of a default handler implementation. 0N/A * If the security property is not set, 0N/A * the provider is assumed to have alternative means 0N/A * for obtaining authentication information. 0N/A * @param handler a <code>CallbackHandler</code> for obtaining 0N/A * authentication information, which may be <code>null</code> 0N/A * @exception SecurityException if the caller does not pass a 0N/A * security check for 0N/A * <code>SecurityPermission("authProvider.<i>name</i>")</code>, 0N/A * where <i>name</i> is the value returned by 0N/A * this provider's <code>getName</code> method 0N/A // get default handler if necessary 0N/A // see if handler was set via setCallbackHandler 0N/A (
"auth.login.defaultCallbackHandler");
0N/A * Serialized representation of the SunPKCS11 provider. 0N/A +
"installed in java.security.Security can be serialized");