--- /dev/null 2017-01-18 09:30:05.425422781 -0800 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java 2017-01-18 23:07:18.751885485 -0800 @@ -0,0 +1,787 @@ +/* + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.pkcs11; + +import java.io.*; +import java.util.*; + +import java.security.*; +import java.security.KeyStore.*; +import java.security.cert.X509Certificate; + +import sun.security.pkcs11.wrapper.*; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + +/** + * The Secmod class defines the interface to the native NSS + * library and the configuration information it stores in its + * secmod.db file. + * + *
Example code: + *
+ * Secmod secmod = Secmod.getInstance(); + * if (secmod.isInitialized() == false) { + * secmod.initialize("/home/myself/.mozilla"); + * } + * + * Provider p = secmod.getModule(ModuleType.KEYSTORE).getProvider(); + * KeyStore ks = KeyStore.getInstance("PKCS11", p); + * ks.load(null, password); + *+ * + * @since 1.6 + * @author Andreas Sterbenz + */ +public final class Secmod { + + private final static boolean DEBUG = false; + + private final static Secmod INSTANCE; + + static { + sun.security.pkcs11.wrapper.PKCS11.loadNative(); + INSTANCE = new Secmod(); + } + + private final static String NSS_LIB_NAME = "nss3"; + + private final static String SOFTTOKEN_LIB_NAME = "softokn3"; + + private final static String TRUST_LIB_NAME = "nssckbi"; + + // handle to be passed to the native code, 0 means not initialized + private long nssHandle; + + // whether this is a supported version of NSS + private boolean supported; + + // list of the modules + private List
+ * It allows the set of trusted certificates that are returned by
+ * the KeyStore to be specified.
+ */
+ public static final class KeyStoreLoadParameter implements LoadStoreParameter {
+ final TrustType trustType;
+ final ProtectionParameter protection;
+ public KeyStoreLoadParameter(TrustType trustType, char[] password) {
+ this(trustType, new PasswordProtection(password));
+
+ }
+ public KeyStoreLoadParameter(TrustType trustType, ProtectionParameter prot) {
+ if (trustType == null) {
+ throw new NullPointerException("trustType must not be null");
+ }
+ this.trustType = trustType;
+ this.protection = prot;
+ }
+ public ProtectionParameter getProtectionParameter() {
+ return protection;
+ }
+ public TrustType getTrustType() {
+ return trustType;
+ }
+ }
+
+ static class TrustAttributes {
+ final long handle;
+ final long clientAuth, serverAuth, codeSigning, emailProtection;
+ final byte[] shaHash;
+ TrustAttributes(Token token, X509Certificate cert, Bytes bytes, long trustValue) {
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ // XXX use KeyStore TrustType settings to determine which
+ // attributes to set
+ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_TOKEN, true),
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_NETSCAPE_TRUST),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_SERVER_AUTH, trustValue),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CODE_SIGNING, trustValue),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_EMAIL_PROTECTION, trustValue),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CLIENT_AUTH, trustValue),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_SHA1_HASH, bytes.b),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_MD5_HASH, getDigest(cert, "MD5")),
+ new CK_ATTRIBUTE(CKA_ISSUER, cert.getIssuerX500Principal().getEncoded()),
+ new CK_ATTRIBUTE(CKA_SERIAL_NUMBER, cert.getSerialNumber().toByteArray()),
+ // XXX per PKCS#11 spec, the serial number should be in ASN.1
+ };
+ handle = token.p11.C_CreateObject(session.id(), attrs);
+ shaHash = bytes.b;
+ clientAuth = trustValue;
+ serverAuth = trustValue;
+ codeSigning = trustValue;
+ emailProtection = trustValue;
+ } catch (PKCS11Exception e) {
+ throw new ProviderException("Could not create trust object", e);
+ } finally {
+ token.releaseSession(session);
+ }
+ }
+ TrustAttributes(Token token, Session session, long handle)
+ throws PKCS11Exception {
+ this.handle = handle;
+ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_SERVER_AUTH),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CODE_SIGNING),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_EMAIL_PROTECTION),
+ new CK_ATTRIBUTE(CKA_NETSCAPE_CERT_SHA1_HASH),
+ };
+
+ token.p11.C_GetAttributeValue(session.id(), handle, attrs);
+ serverAuth = attrs[0].getLong();
+ codeSigning = attrs[1].getLong();
+ emailProtection = attrs[2].getLong();
+ shaHash = attrs[3].getByteArray();
+
+ attrs = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_NETSCAPE_TRUST_CLIENT_AUTH),
+ };
+ long c;
+ try {
+ token.p11.C_GetAttributeValue(session.id(), handle, attrs);
+ c = attrs[0].getLong();
+ } catch (PKCS11Exception e) {
+ // trust anchor module does not support this attribute
+ c = serverAuth;
+ }
+ clientAuth = c;
+ }
+ Bytes getHash() {
+ return new Bytes(shaHash);
+ }
+ boolean isTrusted(TrustType type) {
+ switch (type) {
+ case CLIENT_AUTH:
+ return isTrusted(clientAuth);
+ case SERVER_AUTH:
+ return isTrusted(serverAuth);
+ case CODE_SIGNING:
+ return isTrusted(codeSigning);
+ case EMAIL_PROTECTION:
+ return isTrusted(emailProtection);
+ case ALL:
+ return isTrusted(TrustType.CLIENT_AUTH)
+ && isTrusted(TrustType.SERVER_AUTH)
+ && isTrusted(TrustType.CODE_SIGNING)
+ && isTrusted(TrustType.EMAIL_PROTECTION);
+ default:
+ return false;
+ }
+ }
+
+ private boolean isTrusted(long l) {
+ // XXX CKT_TRUSTED?
+ return (l == CKT_NETSCAPE_TRUSTED_DELEGATOR);
+ }
+
+ }
+
+ private static class Bytes {
+ final byte[] b;
+ Bytes(byte[] b) {
+ this.b = b;
+ }
+ public int hashCode() {
+ return Arrays.hashCode(b);
+ }
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o instanceof Bytes == false) {
+ return false;
+ }
+ Bytes other = (Bytes)o;
+ return Arrays.equals(this.b, other.b);
+ }
+ }
+
+ private static Map