Skip to content

Commit 83e6a4c

Browse files
author
Valerie Peng
committed
8255409: Support the new C_GetInterfaceList, C_GetInterface, and C_SessionCancel APIs in PKCS#11 v3.0
Reviewed-by: ascarpino, weijun
1 parent 3cec700 commit 83e6a4c

File tree

18 files changed

+643
-197
lines changed

18 files changed

+643
-197
lines changed

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java

Lines changed: 81 additions & 66 deletions
Original file line numberDiff line numberDiff line change
@@ -165,7 +165,7 @@ private static void debug(Object o) {
165165
// name of the C function that returns the PKCS#11 functionlist
166166
// This option primarily exists for the deprecated
167167
// Secmod.Module.getProvider() method.
168-
private String functionList = "C_GetFunctionList";
168+
private String functionList = null;
169169

170170
// whether to use NSS secmod mode. Implicitly set if nssLibraryDirectory,
171171
// nssSecmodDirectory, or nssModule is specified.
@@ -311,6 +311,12 @@ boolean getAllowSingleThreadedModules() {
311311
}
312312

313313
String getFunctionList() {
314+
if (functionList == null) {
315+
// defaults to "C_GetFunctionList" for NSS secmod
316+
if (nssUseSecmod || nssUseSecmodTrust) {
317+
return "C_GetFunctionList";
318+
}
319+
}
314320
return functionList;
315321
}
316322

@@ -408,67 +414,73 @@ private void parse() throws IOException {
408414
if (token != TT_WORD) {
409415
throw excToken("Unexpected token:");
410416
}
411-
String word = st.sval;
412-
if (word.equals("name")) {
413-
name = parseStringEntry(word);
414-
} else if (word.equals("library")) {
415-
library = parseLibrary(word);
416-
} else if (word.equals("description")) {
417-
parseDescription(word);
418-
} else if (word.equals("slot")) {
419-
parseSlotID(word);
420-
} else if (word.equals("slotListIndex")) {
421-
parseSlotListIndex(word);
422-
} else if (word.equals("enabledMechanisms")) {
423-
parseEnabledMechanisms(word);
424-
} else if (word.equals("disabledMechanisms")) {
425-
parseDisabledMechanisms(word);
426-
} else if (word.equals("attributes")) {
427-
parseAttributes(word);
428-
} else if (word.equals("handleStartupErrors")) {
429-
parseHandleStartupErrors(word);
430-
} else if (word.endsWith("insertionCheckInterval")) {
431-
insertionCheckInterval = parseIntegerEntry(word);
417+
switch (st.sval) {
418+
case "name"->
419+
name = parseStringEntry(st.sval);
420+
case "library"->
421+
library = parseLibrary(st.sval);
422+
case "description"->
423+
parseDescription(st.sval);
424+
case "slot"->
425+
parseSlotID(st.sval);
426+
case "slotListIndex"->
427+
parseSlotListIndex(st.sval);
428+
case "enabledMechanisms"->
429+
parseEnabledMechanisms(st.sval);
430+
case "disabledMechanisms"->
431+
parseDisabledMechanisms(st.sval);
432+
case "attributes"->
433+
parseAttributes(st.sval);
434+
case "handleStartupErrors"->
435+
parseHandleStartupErrors(st.sval);
436+
case "insertionCheckInterval"-> {
437+
insertionCheckInterval = parseIntegerEntry(st.sval);
432438
if (insertionCheckInterval < 100) {
433-
throw excLine(word + " must be at least 100 ms");
439+
throw excLine(st.sval + " must be at least 100 ms");
434440
}
435-
} else if (word.equals("cleaner.shortInterval")) {
436-
resourceCleanerShortInterval = parseIntegerEntry(word);
441+
}
442+
case "cleaner.shortInterval"-> {
443+
resourceCleanerShortInterval = parseIntegerEntry(st.sval);
437444
if (resourceCleanerShortInterval < 1_000) {
438-
throw excLine(word + " must be at least 1000 ms");
445+
throw excLine(st.sval + " must be at least 1000 ms");
439446
}
440-
} else if (word.equals("cleaner.longInterval")) {
441-
resourceCleanerLongInterval = parseIntegerEntry(word);
447+
}
448+
case "cleaner.longInterval"-> {
449+
resourceCleanerLongInterval = parseIntegerEntry(st.sval);
442450
if (resourceCleanerLongInterval < 1_000) {
443-
throw excLine(word + " must be at least 1000 ms");
451+
throw excLine(st.sval + " must be at least 1000 ms");
444452
}
445-
} else if (word.equals("destroyTokenAfterLogout")) {
446-
destroyTokenAfterLogout = parseBooleanEntry(word);
447-
} else if (word.equals("showInfo")) {
448-
showInfo = parseBooleanEntry(word);
449-
} else if (word.equals("keyStoreCompatibilityMode")) {
450-
keyStoreCompatibilityMode = parseBooleanEntry(word);
451-
} else if (word.equals("explicitCancel")) {
452-
explicitCancel = parseBooleanEntry(word);
453-
} else if (word.equals("omitInitialize")) {
454-
omitInitialize = parseBooleanEntry(word);
455-
} else if (word.equals("allowSingleThreadedModules")) {
456-
allowSingleThreadedModules = parseBooleanEntry(word);
457-
} else if (word.equals("functionList")) {
458-
functionList = parseStringEntry(word);
459-
} else if (word.equals("nssUseSecmod")) {
460-
nssUseSecmod = parseBooleanEntry(word);
461-
} else if (word.equals("nssLibraryDirectory")) {
462-
nssLibraryDirectory = parseLibrary(word);
453+
}
454+
case "destroyTokenAfterLogout"->
455+
destroyTokenAfterLogout = parseBooleanEntry(st.sval);
456+
case "showInfo"->
457+
showInfo = parseBooleanEntry(st.sval);
458+
case "keyStoreCompatibilityMode"->
459+
keyStoreCompatibilityMode = parseBooleanEntry(st.sval);
460+
case "explicitCancel"->
461+
explicitCancel = parseBooleanEntry(st.sval);
462+
case "omitInitialize"->
463+
omitInitialize = parseBooleanEntry(st.sval);
464+
case "allowSingleThreadedModules"->
465+
allowSingleThreadedModules = parseBooleanEntry(st.sval);
466+
case "functionList"->
467+
functionList = parseStringEntry(st.sval);
468+
case "nssUseSecmod"->
469+
nssUseSecmod = parseBooleanEntry(st.sval);
470+
case "nssLibraryDirectory"-> {
471+
nssLibraryDirectory = parseLibrary(st.sval);
463472
nssUseSecmod = true;
464-
} else if (word.equals("nssSecmodDirectory")) {
465-
nssSecmodDirectory = expand(parseStringEntry(word));
473+
}
474+
case "nssSecmodDirectory"-> {
475+
nssSecmodDirectory = expand(parseStringEntry(st.sval));
466476
nssUseSecmod = true;
467-
} else if (word.equals("nssModule")) {
468-
nssModule = parseStringEntry(word);
477+
}
478+
case "nssModule"-> {
479+
nssModule = parseStringEntry(st.sval);
469480
nssUseSecmod = true;
470-
} else if (word.equals("nssDbMode")) {
471-
String mode = parseStringEntry(word);
481+
}
482+
case "nssDbMode"-> {
483+
String mode = parseStringEntry(st.sval);
472484
if (mode.equals("readWrite")) {
473485
nssDbMode = Secmod.DbMode.READ_WRITE;
474486
} else if (mode.equals("readOnly")) {
@@ -479,22 +491,25 @@ private void parse() throws IOException {
479491
throw excToken("nssDbMode must be one of readWrite, readOnly, and noDb:");
480492
}
481493
nssUseSecmod = true;
482-
} else if (word.equals("nssNetscapeDbWorkaround")) {
483-
nssNetscapeDbWorkaround = parseBooleanEntry(word);
494+
}
495+
case "nssNetscapeDbWorkaround"-> {
496+
nssNetscapeDbWorkaround = parseBooleanEntry(st.sval);
484497
nssUseSecmod = true;
485-
} else if (word.equals("nssArgs")) {
486-
parseNSSArgs(word);
487-
} else if (word.equals("nssUseSecmodTrust")) {
488-
nssUseSecmodTrust = parseBooleanEntry(word);
489-
} else if (word.equals("useEcX963Encoding")) {
490-
useEcX963Encoding = parseBooleanEntry(word);
491-
} else if (word.equals("nssOptimizeSpace")) {
492-
nssOptimizeSpace = parseBooleanEntry(word);
493-
} else {
498+
}
499+
case "nssArgs"->
500+
parseNSSArgs(st.sval);
501+
case "nssUseSecmodTrust"->
502+
nssUseSecmodTrust = parseBooleanEntry(st.sval);
503+
case "useEcX963Encoding"->
504+
useEcX963Encoding = parseBooleanEntry(st.sval);
505+
case "nssOptimizeSpace"->
506+
nssOptimizeSpace = parseBooleanEntry(st.sval);
507+
default->
494508
throw new ConfigurationException
495-
("Unknown keyword '" + word + "', line " + st.lineno());
509+
("Unknown keyword '" + st.sval + "', line " +
510+
st.lineno());
496511
}
497-
parsedKeywords.add(word);
512+
parsedKeywords.add(st.sval);
498513
}
499514
reader.close();
500515
reader = null;

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -401,7 +401,13 @@ private void implInit(int opmode, Key key, byte[] iv, int tagLen,
401401
}
402402

403403
private void cancelOperation() {
404-
// cancel operation by finishing it; avoid killSession as some
404+
token.ensureValid();
405+
if (P11Util.trySessionCancel(token, session,
406+
(encrypt ? CKF_ENCRYPT : CKF_DECRYPT))) {
407+
return;
408+
}
409+
410+
// cancel by finishing operations; avoid killSession as some
405411
// hardware vendors may require re-login
406412
int bufLen = doFinalLength(0);
407413
byte[] buffer = new byte[bufLen];
@@ -453,7 +459,7 @@ private void initialize() throws PKCS11Exception {
453459

454460
token.ensureValid();
455461

456-
byte[] aad = (aadBuffer.size() > 0? aadBuffer.toByteArray() : null);
462+
byte[] aad = (aadBuffer.size() > 0 ? aadBuffer.toByteArray() : null);
457463

458464
long p11KeyID = p11Key.getKeyID();
459465
try {
@@ -507,7 +513,7 @@ private int doFinalLength(int inLen) {
507513
result -= tagLen;
508514
}
509515
}
510-
return (result > 0? result : 0);
516+
return (result > 0 ? result : 0);
511517
}
512518

513519
// reset the states to the pre-initialized values

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -445,8 +445,14 @@ private void reset(boolean doCancel) {
445445

446446
private void cancelOperation() {
447447
token.ensureValid();
448-
// cancel operation by finishing it; avoid killSession as some
449-
// hardware vendors may require re-login
448+
449+
if (P11Util.trySessionCancel(token, session,
450+
(encrypt ? CKF_ENCRYPT : CKF_DECRYPT))) {
451+
return;
452+
}
453+
454+
// cancel by finishing operations; avoid killSession as
455+
// some hardware vendors may require re-login
450456
try {
451457
int bufLen = doFinalLength(0);
452458
byte[] buffer = new byte[bufLen];
@@ -458,7 +464,7 @@ private void cancelOperation() {
458464
} catch (PKCS11Exception e) {
459465
if (e.match(CKR_OPERATION_NOT_INITIALIZED)) {
460466
// Cancel Operation may be invoked after an error on a PKCS#11
461-
// call. If the operation inside the token was already cancelled,
467+
// call. If the operation inside the token is already cancelled,
462468
// do not fail here. This is part of a defensive mechanism for
463469
// PKCS#11 libraries that do not strictly follow the standard.
464470
return;
@@ -488,7 +494,7 @@ private void initialize() throws PKCS11Exception {
488494
if (session == null) {
489495
session = token.getOpSession();
490496
}
491-
CK_MECHANISM mechParams = (blockMode == MODE_CTR?
497+
CK_MECHANISM mechParams = (blockMode == MODE_CTR ?
492498
new CK_MECHANISM(mechanism, new CK_AES_CTR_PARAMS(iv)) :
493499
new CK_MECHANISM(mechanism, iv));
494500
if (encrypt) {

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyWrapCipher.java

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -126,7 +126,7 @@ private enum KeyWrapType {
126126
String[] algoParts = algorithm.split("/");
127127
if (algoParts[0].startsWith("AES")) {
128128
int index = algoParts[0].indexOf('_');
129-
fixedKeySize = (index == -1? -1 :
129+
fixedKeySize = (index == -1 ? -1 :
130130
// should be well-formed since we specify what we support
131131
Integer.parseInt(algoParts[0].substring(index+1)) >> 3);
132132
try {
@@ -180,7 +180,7 @@ protected byte[] engineGetIV() {
180180
protected AlgorithmParameters engineGetParameters() {
181181
// KW and KWP uses but not require parameters, return the default
182182
// IV when no IV is supplied by caller
183-
byte[] iv = (this.iv == null? type.defIv : this.iv);
183+
byte[] iv = (this.iv == null ? type.defIv : this.iv);
184184

185185
AlgorithmParameterSpec spec = new IvParameterSpec(iv);
186186
try {
@@ -213,7 +213,7 @@ protected void engineInit(int opmode, Key key,
213213
("Only IvParameterSpec is supported");
214214
}
215215

216-
byte[] ivValue = (params == null? null :
216+
byte[] ivValue = (params == null ? null :
217217
((IvParameterSpec)params).getIV());
218218

219219
implInit(opmode, key, ivValue, sr);
@@ -285,7 +285,14 @@ private void implInit(int opmode, Key key, byte[] iv, SecureRandom sr)
285285
}
286286

287287
private void cancelOperation() {
288-
// cancel operation by finishing it; avoid killSession as some
288+
token.ensureValid();
289+
290+
if (P11Util.trySessionCancel(token, session,
291+
(opmode == Cipher.ENCRYPT_MODE ? CKF_ENCRYPT : CKF_DECRYPT))) {
292+
return;
293+
}
294+
295+
// cancel by finishing operations; avoid killSession as some
289296
// hardware vendors may require re-login
290297
byte[] in = dataBuffer.toByteArray();
291298
int inLen = in.length;
@@ -379,7 +386,7 @@ private int doFinalLength(int inLen) {
379386
} else {
380387
result -= BLK_SIZE; // minus the leading block including the ICV
381388
}
382-
return (result > 0? result : 0);
389+
return (result > 0 ? result : 0);
383390
}
384391

385392
// reset the states to the pre-initialized values
@@ -654,7 +661,7 @@ protected byte[] engineWrap(Key tbwKey) throws IllegalBlockSizeException,
654661
P11Key tbwP11Key = null;
655662
if (!(tbwKey instanceof P11Key)) {
656663
try {
657-
tbwP11Key = (tbwKey instanceof SecretKey?
664+
tbwP11Key = (tbwKey instanceof SecretKey ?
658665
P11SecretKeyFactory.convertKey(token, tbwKey,
659666
tbwKey.getAlgorithm()) :
660667
P11KeyFactory.convertKey(token, tbwKey,

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -147,7 +147,12 @@ private void reset(boolean doCancel) {
147147

148148
private void cancelOperation() {
149149
token.ensureValid();
150-
// cancel operation by finishing it; avoid killSession as some
150+
151+
if (P11Util.trySessionCancel(token, session, CKF_SIGN)) {
152+
return;
153+
}
154+
155+
// cancel by finishing operations; avoid killSession as some
151156
// hardware vendors may require re-login
152157
try {
153158
token.p11.C_SignFinal(session.id(), 0);

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -170,7 +170,7 @@ private static boolean isDigestEqual(String stdAlg, String givenAlg) {
170170
this.mechanism = new CK_MECHANISM(mechId);
171171
int idx = algorithm.indexOf("with");
172172
// convert to stdName
173-
this.mdAlg = (idx == -1?
173+
this.mdAlg = (idx == -1 ?
174174
null : toStdName(algorithm.substring(0, idx)));
175175

176176
switch ((int)mechId) {
@@ -193,7 +193,7 @@ private static boolean isDigestEqual(String stdAlg, String givenAlg) {
193193
throw new NoSuchAlgorithmException("Unsupported algorithm: " +
194194
algorithm);
195195
}
196-
this.md = (this.mdAlg == null? null :
196+
this.md = (this.mdAlg == null ? null :
197197
MessageDigest.getInstance(this.mdAlg));
198198
type = T_DIGEST;
199199
break;
@@ -269,9 +269,16 @@ private void reset(boolean doCancel) {
269269

270270
private void cancelOperation() {
271271
token.ensureValid();
272+
272273
if (DEBUG) System.out.print("Cancelling operation");
273274

274-
// cancel operation by finishing it; avoid killSession as some
275+
if (P11Util.trySessionCancel(token, session,
276+
(mode == M_SIGN ? CKF_SIGN : CKF_VERIFY))) {
277+
if (DEBUG) System.out.println(" by C_SessionCancel");
278+
return;
279+
}
280+
281+
// cancel by finishing operations; avoid killSession call as some
275282
// hardware vendors may require re-login
276283
try {
277284
if (mode == M_SIGN) {
@@ -280,7 +287,7 @@ private void cancelOperation() {
280287
token.p11.C_SignFinal(session.id(), 0);
281288
} else {
282289
byte[] digest =
283-
(md == null? new byte[0] : md.digest());
290+
(md == null ? new byte[0] : md.digest());
284291
if (DEBUG) System.out.println(" by C_Sign");
285292
token.p11.C_Sign(session.id(), digest);
286293
}
@@ -292,7 +299,7 @@ private void cancelOperation() {
292299
token.p11.C_VerifyFinal(session.id(), signature);
293300
} else {
294301
byte[] digest =
295-
(md == null? new byte[0] : md.digest());
302+
(md == null ? new byte[0] : md.digest());
296303
if (DEBUG) System.out.println(" by C_Verify");
297304
token.p11.C_Verify(session.id(), digest, signature);
298305
}

0 commit comments

Comments
 (0)