sun.security.pkcs11: public final class: SunPKCS11

sun.security.pkcs11
public final class: SunPKCS11 [javadoc | source]

java.lang.Object
   java.util.Dictionary
      java.util.Hashtable
         java.util.Properties
            java.security.Provider
               java.security.AuthProvider
                  sun.security.pkcs11.SunPKCS11

All Implemented Interfaces:
Map, Serializable, Cloneable

PKCS#11 provider main class.

author: Andreas - Sterbenz

since: 1.5 -

Field Summary
static final Debug	debug
final PKCS11	p11
final Config	config
final long	slotID
final boolean	removable
final Module	nssModule
final boolean	nssUseSecmodTrust

Constructor:
public SunPKCS11() { super("SunPKCS11-Dummy", 1.7d, "SunPKCS11-Dummy"); throw new ProviderException ("SunPKCS11 requires configuration file argument"); }
public SunPKCS11(String configName) { this(checkNull(configName), null); }
public SunPKCS11(InputStream configStream) { this(getDummyConfigName(), checkNull(configStream)); }
public SunPKCS11(String configName, InputStream configStream) { super("SunPKCS11-" + Config.getConfig(configName, configStream).getName(), 1.7d, Config.getConfig(configName, configStream).getDescription()); this.configName = configName; this.config = Config.removeConfig(configName); if (debug != null) { System.out.println("SunPKCS11 loading " + configName); } String library = config.getLibrary(); String functionList = config.getFunctionList(); long slotID = config.getSlotID(); int slotListIndex = config.getSlotListIndex(); boolean useSecmod = config.getNssUseSecmod(); boolean nssUseSecmodTrust = config.getNssUseSecmodTrust(); Module nssModule = null; // // Initialization via Secmod. The way this works is as follows: // SunPKCS11 is either in normal mode or in NSS Secmod mode. // Secmod is activated by specifying one or more of the following // options in the config file: // nssUseSecmod, nssSecmodDirectory, nssLibrary, nssModule // // XXX add more explanation here // // If we are in Secmod mode and configured to use either the // nssKeyStore or the nssTrustAnchors module, we automatically // switch to using the NSS trust attributes for trusted certs (KeyStore). // if (useSecmod) { // note: Config ensures library/slot/slotListIndex not specified // in secmod mode. Secmod secmod = Secmod.getInstance(); DbMode nssDbMode = config.getNssDbMode(); try { String nssLibraryDirectory = config.getNssLibraryDirectory(); String nssSecmodDirectory = config.getNssSecmodDirectory(); if (secmod.isInitialized()) { if (nssSecmodDirectory != null) { String s = secmod.getConfigDir(); if ((s != null) && (s.equals(nssSecmodDirectory) == false)) { throw new ProviderException("Secmod directory " + nssSecmodDirectory + " invalid, NSS already initialized with " + s); } } if (nssLibraryDirectory != null) { String s = secmod.getLibDir(); if ((s != null) && (s.equals(nssLibraryDirectory) == false)) { throw new ProviderException("NSS library directory " + nssLibraryDirectory + " invalid, NSS already initialized with " + s); } } } else { if (nssDbMode != DbMode.NO_DB) { if (nssSecmodDirectory == null) { throw new ProviderException("Secmod not initialized and " + "nssSecmodDirectory not specified"); } } else { if (nssSecmodDirectory != null) { throw new ProviderException ("nssSecmodDirectory must not be specified in noDb mode"); } } secmod.initialize(nssDbMode, nssSecmodDirectory, nssLibraryDirectory); } } catch (IOException e) { // XXX which exception to throw throw new ProviderException("Could not initialize NSS", e); } List< Module > modules = secmod.getModules(); if (config.getShowInfo()) { System.out.println("NSS modules: " + modules); } String moduleName = config.getNssModule(); if (moduleName == null) { nssModule = secmod.getModule(ModuleType.FIPS); if (nssModule != null) { moduleName = "fips"; } else { moduleName = (nssDbMode == DbMode.NO_DB) ? "crypto" : "keystore"; } } if (moduleName.equals("fips")) { nssModule = secmod.getModule(ModuleType.FIPS); nssUseSecmodTrust = true; functionList = "FC_GetFunctionList"; } else if (moduleName.equals("keystore")) { nssModule = secmod.getModule(ModuleType.KEYSTORE); nssUseSecmodTrust = true; } else if (moduleName.equals("crypto")) { nssModule = secmod.getModule(ModuleType.CRYPTO); } else if (moduleName.equals("trustanchors")) { // XXX should the option be called trustanchor or trustanchors?? nssModule = secmod.getModule(ModuleType.TRUSTANCHOR); nssUseSecmodTrust = true; } else if (moduleName.startsWith("external-")) { int moduleIndex; try { moduleIndex = Integer.parseInt (moduleName.substring("external-".length())); } catch (NumberFormatException e) { moduleIndex = -1; } if (moduleIndex < 1) { throw new ProviderException ("Invalid external module: " + moduleName); } int k = 0; for (Module module : modules) { if (module.getType() == ModuleType.EXTERNAL) { if (++k == moduleIndex) { nssModule = module; break; } } } if (nssModule == null) { throw new ProviderException("Invalid module " + moduleName + ": only " + k + " external NSS modules available"); } } else { throw new ProviderException("Unknown NSS module: " + moduleName); } if (nssModule == null) { throw new ProviderException("NSS module not available: " + moduleName); } if (nssModule.hasInitializedProvider()) { throw new ProviderException("Secmod module already configured"); } library = nssModule.libraryName; slotListIndex = nssModule.slot; } this.nssUseSecmodTrust = nssUseSecmodTrust; this.nssModule = nssModule; File libraryFile = new File(library); // if the filename is a simple filename without path // (e.g. "libpkcs11.so"), it may refer to a library somewhere on the // OS library search path. Omit the test for file existance as that // only looks in the current directory. if (libraryFile.getName().equals(library) == false) { if (new File(library).isFile() == false) { String msg = "Library " + library + " does not exist"; if (config.getHandleStartupErrors() == Config.ERR_HALT) { throw new ProviderException(msg); } else { throw new UnsupportedOperationException(msg); } } } try { if (debug != null) { debug.println("Initializing PKCS#11 library " + library); } CK_C_INITIALIZE_ARGS initArgs = new CK_C_INITIALIZE_ARGS(); String nssArgs = config.getNssArgs(); if (nssArgs != null) { initArgs.pReserved = nssArgs; } // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; try { tmpPKCS11 = PKCS11.getInstance (library, functionList, initArgs, config.getOmitInitialize()); } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); } if (config.getAllowSingleThreadedModules() == false) { throw e; } // fall back to single threaded access if (nssArgs == null) { // if possible, use null initArgs for better compatibility initArgs = null; } else { initArgs.flags = 0; } tmpPKCS11 = PKCS11.getInstance (library, functionList, initArgs, config.getOmitInitialize()); } p11 = tmpPKCS11; CK_INFO p11Info = p11.C_GetInfo(); if (p11Info.cryptokiVersion.major < 2) { throw new ProviderException("Only PKCS#11 v2.0 and later " + "supported, library version is v" + p11Info.cryptokiVersion); } boolean showInfo = config.getShowInfo(); if (showInfo) { System.out.println("Information for provider " + getName()); System.out.println("Library info:"); System.out.println(p11Info); } if ((slotID < 0) \|\| showInfo) { long[] slots = p11.C_GetSlotList(false); if (showInfo) { System.out.println("All slots: " + toString(slots)); slots = p11.C_GetSlotList(true); System.out.println("Slots with tokens: " + toString(slots)); } if (slotID < 0) { if ((slotListIndex < 0) \|\| (slotListIndex >= slots.length)) { throw new ProviderException("slotListIndex is " + slotListIndex + " but token only has " + slots.length + " slots"); } slotID = slots[slotListIndex]; } } this.slotID = slotID; CK_SLOT_INFO slotInfo = p11.C_GetSlotInfo(slotID); removable = (slotInfo.flags & CKF_REMOVABLE_DEVICE) != 0; initToken(slotInfo); if (nssModule != null) { nssModule.setProvider(this); } } catch (Exception e) { if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException ("Initialization failed", e); } else { throw new ProviderException ("Initialization failed", e); } } }

Method from sun.security.pkcs11.SunPKCS11 Summary:
equals, getToken, hashCode, login, logout, setCallbackHandler, uninitToken, verifySelfIntegrity

Methods from java.security.AuthProvider:
login, logout, setCallbackHandler

Methods from java.security.Provider:
clear, elements, entrySet, get, getInfo, getName, getProperty, getService, getServices, getVersion, keySet, keys, load, put, putAll, remove, toString, values

Methods from java.util.Properties:
getProperty, getProperty, list, list, load, load, loadFromXML, propertyNames, save, setProperty, store, store, storeToXML, storeToXML, stringPropertyNames

Methods from java.util.Hashtable:
clear, clone, contains, containsKey, containsValue, elements, entrySet, equals, get, hashCode, isEmpty, keySet, keys, put, putAll, remove, size, toString, values

Methods from java.util.Dictionary:
elements, get, isEmpty, keys, put, remove, size

Methods from java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from sun.security.pkcs11.SunPKCS11 Detail:
public boolean equals(Object obj) { return this == obj; }
Token getToken() { return token; }
public int hashCode() { return System.identityHashCode(this); }
public void login(Subject subject, CallbackHandler handler) throws LoginException { // security check SecurityManager sm = System.getSecurityManager(); if (sm != null) { if (debug != null) { debug.println("checking login permission"); } sm.checkPermission(new SecurityPermission ("authProvider." + this.getName())); } if (hasValidToken() == false) { throw new LoginException("No token present"); } // see if a login is required if ((token.tokenInfo.flags & CKF_LOGIN_REQUIRED) == 0) { if (debug != null) { debug.println("login operation not required for token - " + "ignoring login request"); } return; } // see if user already logged in try { if (token.isLoggedInNow(null)) { // user already logged in if (debug != null) { debug.println("user already logged in"); } return; } } catch (PKCS11Exception e) { // ignore - fall thru and attempt login } // get the pin if necessary char[] pin = null; if ((token.tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) { // get password CallbackHandler myHandler = getCallbackHandler(handler); if (myHandler == null) { // XXX PolicyTool is dependent on this message text throw new LoginException ("no password provided, and no callback handler " + "available for retrieving password"); } java.text.MessageFormat form = new java.text.MessageFormat (ResourcesMgr.getString ("PKCS11 Token [providerName] Password: ")); Object[] source = { getName() }; PasswordCallback pcall = new PasswordCallback(form.format(source), false); Callback[] callbacks = { pcall }; try { myHandler.handle(callbacks); } catch (Exception e) { LoginException le = new LoginException ("Unable to perform password callback"); le.initCause(e); throw le; } pin = pcall.getPassword(); pcall.clearPassword(); if (pin == null) { if (debug != null) { debug.println("caller passed NULL pin"); } } } // perform token login Session session = null; try { session = token.getOpSession(); // pin is NULL if using CKF_PROTECTED_AUTHENTICATION_PATH p11.C_Login(session.id(), CKU_USER, pin); if (debug != null) { debug.println("login succeeded"); } } catch (PKCS11Exception pe) { if (pe.getErrorCode() == CKR_USER_ALREADY_LOGGED_IN) { // let this one go if (debug != null) { debug.println("user already logged in"); } return; } else if (pe.getErrorCode() == CKR_PIN_INCORRECT) { FailedLoginException fle = new FailedLoginException(); fle.initCause(pe); throw fle; } else { LoginException le = new LoginException(); le.initCause(pe); throw le; } } finally { token.releaseSession(session); if (pin != null) { Arrays.fill(pin, ' "); } } // we do not store the PIN in the subject for now } Log in to this provider. If the token expects a PIN to be supplied by the caller, the `handler` implementation must support a `PasswordCallback`. To determine if the token supports a protected authentication path, the CK_TOKEN_INFO flag, CKF_PROTECTED_AUTHENTICATION_PATH, is consulted.
public void logout() throws LoginException { // security check SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission (new SecurityPermission("authProvider." + this.getName())); } if (hasValidToken() == false) { // app may call logout for cleanup, allow return; } if ((token.tokenInfo.flags & CKF_LOGIN_REQUIRED) == 0) { if (debug != null) { debug.println("logout operation not required for token - " + "ignoring logout request"); } return; } try { if (token.isLoggedInNow(null) == false) { if (debug != null) { debug.println("user not logged in"); } return; } } catch (PKCS11Exception e) { // ignore } // perform token logout Session session = null; try { session = token.getOpSession(); p11.C_Logout(session.id()); if (debug != null) { debug.println("logout succeeded"); } } catch (PKCS11Exception pe) { if (pe.getErrorCode() == CKR_USER_NOT_LOGGED_IN) { // let this one go if (debug != null) { debug.println("user not logged in"); } return; } LoginException le = new LoginException(); le.initCause(pe); throw le; } finally { token.releaseSession(session); } } Log out from this provider
public void setCallbackHandler(CallbackHandler handler) { // security check SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission (new SecurityPermission("authProvider." + this.getName())); } synchronized (LOCK_HANDLER) { pHandler = handler; } } Set a `CallbackHandler` The provider uses this handler if one is not passed to the `login` method. The provider also uses this handler if it invokes `login` on behalf of callers. In either case if a handler is not set via this method, the provider queries the auth.login.defaultCallbackHandler security property for the fully qualified class name of a default handler implementation. If the security property is not set, the provider is assumed to have alternative means for obtaining authentication information.
synchronized void uninitToken(Token token) { if (this.token != token) { // mismatch, our token must already be destroyed return; } destroyPoller(); this.token = null; // unregister all algorithms AccessController.doPrivileged(new PrivilegedAction< Object >() { public Object run() { clear(); return null; } }); createPoller(); }
static void verifySelfIntegrity(Class c) { if (integrityVerified) { return; } doVerifySelfIntegrity(c); }