// Copyright (c) 2002 Graz University of Technology. All rights reserved. // // Redistribution and use in source and binary forms, with or without modification, // are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // 3. The end-user documentation included with the redistribution, if any, must // include the following acknowledgment: // // "This product includes software developed by IAIK of Graz University of // Technology." // // Alternately, this acknowledgment may appear in the software itself, if and // wherever such third-party acknowledgments normally appear. // // 4. The names "Graz University of Technology" and "IAIK of Graz University of // Technology" must not be used to endorse or promote products derived from this // software without prior written permission. // // 5. Products derived from this software may not be called "IAIK PKCS Wrapper", // nor may "IAIK" appear in their name, without prior written permission of // Graz University of Technology. // // THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED // WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED // WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR // PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, // OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, // OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON // ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY // OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE // POSSIBILITY OF SUCH DAMAGE. package iaik.pkcs.pkcs11.objects; import iaik.pkcs.pkcs11.Session; import iaik.pkcs.pkcs11.TokenException; import iaik.pkcs.pkcs11.wrapper.Constants; import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; /** * This is the base class for secret (symmetric) keys. Objects of this class * represent secret keys as specified by PKCS#11 v2.11. * * @author Karl Scheibelhofer * @version 1.0 * @invariants (sensitive_ <> null) * and (encrypt_ <> null) * and (decrypt_ <> null) * and (sign_ <> null) * and (verify_ <> null) * and (wrap_ <> null) * and (unwrap_ <> null) * and (extractable_ <> null) * and (alwaysSensitive_ <> null) * and (neverExtractable_ <> null) */ public class SecretKey extends Key { /** * True, if this key is sensitive. */ protected BooleanAttribute sensitive_; /** * True, if this key can be used for encryption. */ protected BooleanAttribute encrypt_; /** * True, if this key can be used for decryption. */ protected BooleanAttribute decrypt_; /** * True, if this key can be used for signing. */ protected BooleanAttribute sign_; /** * True, if this key can be used for verification. */ protected BooleanAttribute verify_; /** * True, if this key can be used for wrapping other keys. */ protected BooleanAttribute wrap_; /** * True, if this key can be used for unwrapping other keys. */ protected BooleanAttribute unwrap_; /** * True, if this key is extractable from the token. */ protected BooleanAttribute extractable_; /** * True, if this key was always sensitive. */ protected BooleanAttribute alwaysSensitive_; /** * True, if this key was never extractable. */ protected BooleanAttribute neverExtractable_; /** * Key checksum of this private key. */ protected ByteArrayAttribute checkValue_; /** * True, if this private key can only be wrapped with a wrapping key * having set the attribute trusted to true. */ protected BooleanAttribute wrapWithTrusted_; /** * True, if this public key can be used for wrapping other keys. */ protected BooleanAttribute trusted_; /** * Template of the key, that can be wrapped. */ protected AttributeArray wrapTemplate_; /** * Template of the key, that can be unwrapped. */ protected AttributeArray unwrapTemplate_; /** * Default Constructor. * * @preconditions * @postconditions */ public SecretKey() { super(); objectClass_.setLongValue(ObjectClass.SECRET_KEY); } /** * Called by sub-classes to create an instance of a PKCS#11 secret key. * * @param session The session to use for reading attributes. * This session must have the appropriate rights; i.e. * it must be a user-session, if it is a private object. * @param objectHandle The object handle as given from the PKCS#111 module. * @exception TokenException If getting the attributes failed. * @preconditions (session <> null) * @postconditions */ protected SecretKey(Session session, long objectHandle) throws TokenException { super(session, objectHandle); objectClass_.setLongValue(ObjectClass.SECRET_KEY); } /** * The getInstance method of the Object class uses this method to create * an instance of a PKCS#11 secret key. This method reads the key * type attribute and calls the getInstance method of the according sub-class. * If the key type is a vendor defined it uses the * VendorDefinedKeyBuilder set by the application. If no secret key * could be constructed, this method returns null. * * @param session The session to use for reading attributes. * This session must have the appropriate rights; i.e. * it must be a user-session, if it is a private object. * @param objectHandle The object handle as given from the PKCS#111 module. * @return The object representing the PKCS#11 object. * The returned object can be casted to the * according sub-class. * @exception TokenException If getting the attributes failed. * @preconditions (session <> null) * @postconditions (result <> null) */ public static Object getInstance(Session session, long objectHandle) throws TokenException { if (session == null) { throw new NullPointerException("Argument \"session\" must not be null."); } KeyTypeAttribute keyTypeAttribute = new KeyTypeAttribute(); getAttributeValue(session, objectHandle, keyTypeAttribute); Long keyType = keyTypeAttribute.getLongValue(); Object newObject; if (keyTypeAttribute.isPresent() && (keyType != null)) { if (keyType.equals(Key.KeyType.DES)) { newObject = DESSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.DES2)) { newObject = DES2SecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.DES3)) { newObject = DES3SecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.AES)) { newObject = AESSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.RC2)) { newObject = RC2SecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.RC4)) { newObject = RC4SecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.RC5)) { newObject = RC5SecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.IDEA)) { newObject = IDEASecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.GENERIC_SECRET)) { newObject = GenericSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.CAST)) { newObject = CASTSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.CAST3)) { newObject = CAST3SecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.CAST5)) { newObject = CAST5SecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.CAST128)) { newObject = CAST128SecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.BLOWFISH)) { newObject = BlowfishSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.TWOFISH)) { newObject = TwofishSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.SKIPJACK)) { newObject = SkipJackSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.BATON)) { newObject = BatonSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.JUNIPER)) { newObject = JuniperSecretKey.getInstance(session, objectHandle); } else if (keyType.equals(Key.KeyType.CDMF)) { newObject = CDMFSecretKey.getInstance(session, objectHandle); } else if ((keyType.longValue() & KeyType.VENDOR_DEFINED.longValue()) != 0L) { newObject = getUnknownSecretKey(session, objectHandle); } else { newObject = getUnknownSecretKey(session, objectHandle); } } else { newObject = getUnknownSecretKey(session, objectHandle); } return newObject; } /** * Try to create a key which has no or an unkown secret key type * type attribute. * This implementation will try to use a vendor defined key * builder, if such has been set. * If this is impossible or fails, it will create just * a simple {@link iaik.pkcs.pkcs11.objects.SecretKey SecretKey }. * * @param session The session to use. * @param objectHandle The handle of the object * @return A new Object. * @throws TokenException If no object could be created. * @preconditions (session <> null) * @postconditions (result <> null) */ protected static Object getUnknownSecretKey(Session session, long objectHandle) throws TokenException { if (session == null) { throw new NullPointerException("Argument \"session\" must not be null."); } Object newObject; if (Key.vendorKeyBuilder_ != null) { try { newObject = Key.vendorKeyBuilder_.build(session, objectHandle); } catch (PKCS11Exception ex) { // we can just treat it like some unknown type of secret key newObject = new SecretKey(session, objectHandle); } } else { // we can just treat it like some unknown type of secret key newObject = new SecretKey(session, objectHandle); } return newObject; } /** * Put all attributes of the given object into the attributes table of this * object. This method is only static to be able to access invoke the * implementation of this method for each class separately (see use in * clone()). * * @param object The object to handle. * @preconditions (object <> null) * @postconditions */ protected static void putAttributesInTable(SecretKey object) { if (object == null) { throw new NullPointerException("Argument \"object\" must not be null."); } object.attributeTable_.put(Attribute.SENSITIVE, object.sensitive_); object.attributeTable_.put(Attribute.ENCRYPT, object.encrypt_); object.attributeTable_.put(Attribute.DECRYPT, object.decrypt_); object.attributeTable_.put(Attribute.SIGN, object.sign_); object.attributeTable_.put(Attribute.VERIFY, object.verify_); object.attributeTable_.put(Attribute.WRAP, object.wrap_); object.attributeTable_.put(Attribute.UNWRAP, object.unwrap_); object.attributeTable_.put(Attribute.EXTRACTABLE, object.extractable_); object.attributeTable_.put(Attribute.ALWAYS_SENSITIVE, object.alwaysSensitive_); object.attributeTable_.put(Attribute.NEVER_EXTRACTABLE, object.neverExtractable_); object.attributeTable_.put(Attribute.CHECK_VALUE, object.checkValue_); object.attributeTable_.put(Attribute.WRAP_WITH_TRUSTED, object.wrapWithTrusted_); object.attributeTable_.put(Attribute.TRUSTED, object.trusted_); object.attributeTable_.put(Attribute.WRAP_TEMPLATE, object.wrapTemplate_); object.attributeTable_.put(Attribute.UNWRAP_TEMPLATE, object.unwrapTemplate_); } /** * Allocates the attribute objects for this class and adds them to the * attribute table. * * @preconditions * @postconditions */ protected void allocateAttributes() { super.allocateAttributes(); sensitive_ = new BooleanAttribute(Attribute.SENSITIVE); encrypt_ = new BooleanAttribute(Attribute.ENCRYPT); decrypt_ = new BooleanAttribute(Attribute.DECRYPT); sign_ = new BooleanAttribute(Attribute.SIGN); verify_ = new BooleanAttribute(Attribute.VERIFY); wrap_ = new BooleanAttribute(Attribute.WRAP); unwrap_ = new BooleanAttribute(Attribute.UNWRAP); extractable_ = new BooleanAttribute(Attribute.EXTRACTABLE); alwaysSensitive_ = new BooleanAttribute(Attribute.ALWAYS_SENSITIVE); neverExtractable_ = new BooleanAttribute(Attribute.NEVER_EXTRACTABLE); checkValue_ = new ByteArrayAttribute(Attribute.CHECK_VALUE); wrapWithTrusted_ = new BooleanAttribute(Attribute.WRAP_WITH_TRUSTED); trusted_ = new BooleanAttribute(Attribute.TRUSTED); wrapTemplate_ = new AttributeArray(Attribute.WRAP_TEMPLATE); unwrapTemplate_ = new AttributeArray(Attribute.UNWRAP_TEMPLATE); putAttributesInTable(this); } /** * Create a (deep) clone of this object. * * @return A clone of this object. * @preconditions * @postconditions (result <> null) * and (result instanceof SecretKey) * and (result.equals(this)) */ public java.lang.Object clone() { SecretKey clone = (SecretKey) super.clone(); clone.sensitive_ = (BooleanAttribute) this.sensitive_.clone(); clone.encrypt_ = (BooleanAttribute) this.encrypt_.clone(); clone.decrypt_ = (BooleanAttribute) this.decrypt_.clone(); clone.sign_ = (BooleanAttribute) this.sign_.clone(); clone.verify_ = (BooleanAttribute) this.verify_.clone(); clone.wrap_ = (BooleanAttribute) this.wrap_.clone(); clone.unwrap_ = (BooleanAttribute) this.unwrap_.clone(); clone.extractable_ = (BooleanAttribute) this.extractable_.clone(); clone.alwaysSensitive_ = (BooleanAttribute) this.alwaysSensitive_.clone(); clone.neverExtractable_ = (BooleanAttribute) this.neverExtractable_.clone(); clone.checkValue_ = (ByteArrayAttribute) this.checkValue_.clone(); clone.wrapWithTrusted_ = (BooleanAttribute) this.wrapWithTrusted_.clone(); clone.trusted_ = (BooleanAttribute) this.trusted_.clone(); clone.wrapTemplate_ = (AttributeArray) this.wrapTemplate_.clone(); clone.unwrapTemplate_ = (AttributeArray) this.unwrapTemplate_.clone(); putAttributesInTable(clone); // put all cloned attributes into the new table return clone; } /** * Compares all member variables of this object with the other object. * Returns only true, if all are equal in both objects. * * @param otherObject The other object to compare to. * @return True, if other is an instance of this class and all member * variables of both objects are equal. False, otherwise. * @preconditions * @postconditions */ public boolean equals(java.lang.Object otherObject) { boolean equal = false; if (otherObject instanceof SecretKey) { SecretKey other = (SecretKey) otherObject; equal = (this == other) || (super.equals(other) && this.sensitive_.equals(other.sensitive_) && this.encrypt_.equals(other.encrypt_) && this.decrypt_.equals(other.decrypt_) && this.sign_.equals(other.sign_) && this.verify_.equals(other.verify_) && this.wrap_.equals(other.wrap_) && this.unwrap_.equals(other.unwrap_) && this.extractable_.equals(other.extractable_) && this.alwaysSensitive_.equals(other.alwaysSensitive_) && this.neverExtractable_.equals(other.neverExtractable_) && this.checkValue_.equals(other.checkValue_) && this.wrapWithTrusted_.equals(other.wrapWithTrusted_) && this.trusted_.equals(other.trusted_) && this.wrapTemplate_.equals(other.wrapTemplate_) && this.unwrapTemplate_ .equals(other.unwrapTemplate_)); } return equal; } /** * Gets the sensitive attribute of this key. * * @return The sensitive attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getSensitive() { return sensitive_; } /** * Gets the encrypt attribute of this key. * * @return The encrypt attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getEncrypt() { return encrypt_; } /** * Gets the verify attribute of this key. * * @return The verify attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getVerify() { return verify_; } /** * Gets the decrypt attribute of this key. * * @return The decrypt attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getDecrypt() { return decrypt_; } /** * Gets the sign attribute of this key. * * @return The sign attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getSign() { return sign_; } /** * Gets the wrap attribute of this key. * * @return The wrap attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getWrap() { return wrap_; } /** * Gets the unwrap attribute of this key. * * @return The unwrap attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getUnwrap() { return unwrap_; } /** * Gets the extractable attribute of this key. * * @return The extractable attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getExtractable() { return extractable_; } /** * Gets the always sensitive attribute of this key. * * @return The always sensitive attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getAlwaysSensitive() { return alwaysSensitive_; } /** * Gets the never extractable attribute of this key. * * @return The never extractable attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getNeverExtractable() { return neverExtractable_; } /** * Gets the check value attribute of this key. * * @return The check value attribute. * @preconditions * @postconditions (result <> null) */ public ByteArrayAttribute getCheckValue() { return checkValue_; } /** * Gets the wrap with trusted attribute of this key. * * @return The wrap with trusted attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getWrapWithTrusted() { return wrapWithTrusted_; } /** * Gets the trusted attribute of this key. * * @return The trusted attribute. * @preconditions * @postconditions (result <> null) */ public BooleanAttribute getTrusted() { return trusted_; } /** * Gets the wrap template attribute of this key. This * attribute can only be used with PKCS#11 modules supporting * cryptoki version 2.20 or higher. * * @return The wrap template attribute. * @preconditions * @postconditions (result <> null) */ public AttributeArray getWrapTemplate() { return wrapTemplate_; } /** * Gets the unwrap template attribute of this key. This * attribute can only be used with PKCS#11 modules supporting * cryptoki version 2.20 or higher. * * @return The unwrap template attribute. * @preconditions * @postconditions (result <> null) */ public AttributeArray getUnwrapTemplate() { return unwrapTemplate_; } /** * Read the values of the attributes of this object from the token. * * @param session The session handle to use for reading attributes. * This session must have the appropriate rights; i.e. * it must be a user-session, if it is a private object. * @exception TokenException If getting the attributes failed. * @preconditions (session <> null) * @postconditions */ public void readAttributes(Session session) throws TokenException { super.readAttributes(session); // Object.getAttributeValue(session, objectHandle_, sensitive_); // Object.getAttributeValue(session, objectHandle_, encrypt_); // Object.getAttributeValue(session, objectHandle_, decrypt_); // Object.getAttributeValue(session, objectHandle_, sign_); // Object.getAttributeValue(session, objectHandle_, verify_); // Object.getAttributeValue(session, objectHandle_, wrap_); // Object.getAttributeValue(session, objectHandle_, unwrap_); // Object.getAttributeValue(session, objectHandle_, extractable_); // Object.getAttributeValue(session, objectHandle_, alwaysSensitive_); // Object.getAttributeValue(session, objectHandle_, neverExtractable_); Object.getAttributeValues(session, objectHandle_, new Attribute[] { sensitive_, encrypt_, decrypt_, sign_, verify_, wrap_, unwrap_, extractable_, alwaysSensitive_, neverExtractable_, checkValue_, wrapWithTrusted_, trusted_ }); Object.getAttributeValue(session, objectHandle_, wrapTemplate_); Object.getAttributeValue(session, objectHandle_, unwrapTemplate_); // Object.getAttributeValues(session, objectHandle_, new Attribute[] { // wrapTemplate_, unwrapTemplate_ }); } /** * This method returns a string representation of the current object. The * output is only for debugging purposes and should not be used for other * purposes. * * @return A string presentation of this object for debugging output. * @preconditions * @postconditions (result <> null) */ public String toString() { StringBuffer buffer = new StringBuffer(1024); buffer.append(super.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Sensitive: "); buffer.append(sensitive_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Encrypt: "); buffer.append(encrypt_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Decrypt: "); buffer.append(decrypt_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Sign: "); buffer.append(sign_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Verify: "); buffer.append(verify_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Wrap: "); buffer.append(wrap_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Unwrap: "); buffer.append(unwrap_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Extractable: "); buffer.append(extractable_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Always Sensitive: "); buffer.append(alwaysSensitive_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Never Extractable: "); buffer.append(neverExtractable_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Check Value: "); buffer.append(checkValue_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Wrap With Trusted: "); buffer.append(wrapWithTrusted_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Trusted: "); buffer.append(trusted_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Wrap Template: "); buffer.append(wrapTemplate_.toString()); buffer.append(Constants.NEWLINE); buffer.append(Constants.INDENT); buffer.append("Unwrap Template: "); buffer.append(unwrapTemplate_.toString()); return buffer.toString(); } }