1
/*
2
 * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package sun.security.pkcs11;
27

28
import java.nio.ByteBuffer;
29

30
import java.security.*;
31
import java.security.spec.AlgorithmParameterSpec;
32

33
import javax.crypto.MacSpi;
34

35
import sun.nio.ch.DirectBuffer;
36

37
import sun.security.pkcs11.wrapper.*;
38
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
39
import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
40

41
/**
42
 * MAC implementation class. This class currently supports HMAC using
43
 * MD5, SHA-1, SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512),
44
 * SHA-3 family (SHA3-224, SHA3-256, SHA3-384, and SHA3-512), and the
45
 * SSL3 MAC using MD5 and SHA-1.
46
 *
47
 * Note that unlike other classes (e.g. Signature), this does not
48
 * composite various operations if the token only supports part of the
49
 * required functionality. The MAC implementations in SunJCE already
50
 * do exactly that by implementing an MAC on top of MessageDigests. We
51
 * could not do any better than they.
52
 *
53
 * @author  Andreas Sterbenz
54
 * @since   1.5
55
 */
56
final class P11Mac extends MacSpi {
57

58
    // token instance
59
    private final Token token;
60

61
    // algorithm name
62
    private final String algorithm;
63

64
    // mechanism object
65
    private final CK_MECHANISM ckMechanism;
66

67
    // length of the MAC in bytes
68
    private final int macLength;
69

70
    // key instance used, if operation active
71
    private P11Key p11Key;
72

73
    // associated session, if any
74
    private Session session;
75

76
    // initialization status
77
    private boolean initialized;
78

79
    // one byte buffer for the update(byte) method, initialized on demand
80
    private byte[] oneByte;
81

82
    P11Mac(Token token, String algorithm, long mechanism)
83
            throws PKCS11Exception {
84
        super();
85
        this.token = token;
86
        this.algorithm = algorithm;
87
        Long params = null;
88
        switch ((int)mechanism) {
89
        case (int)CKM_MD5_HMAC:
90
            macLength = 16;
91
            break;
92
        case (int)CKM_SHA_1_HMAC:
93
            macLength = 20;
94
            break;
95
        case (int)CKM_SHA224_HMAC:
96
        case (int)CKM_SHA512_224_HMAC:
97
        case (int)CKM_SHA3_224_HMAC:
98
            macLength = 28;
99
            break;
100
        case (int)CKM_SHA256_HMAC:
101
        case (int)CKM_SHA512_256_HMAC:
102
        case (int)CKM_SHA3_256_HMAC:
103
            macLength = 32;
104
            break;
105
        case (int)CKM_SHA384_HMAC:
106
        case (int)CKM_SHA3_384_HMAC:
107
            macLength = 48;
108
            break;
109
        case (int)CKM_SHA512_HMAC:
110
        case (int)CKM_SHA3_512_HMAC:
111
            macLength = 64;
112
            break;
113
        case (int)CKM_SSL3_MD5_MAC:
114
            macLength = 16;
115
            params = Long.valueOf(16);
116
            break;
117
        case (int)CKM_SSL3_SHA1_MAC:
118
            macLength = 20;
119
            params = Long.valueOf(20);
120
            break;
121
        default:
122
            throw new ProviderException("Unknown mechanism: " + mechanism);
123
        }
124
        ckMechanism = new CK_MECHANISM(mechanism, params);
125
    }
126

127
    // reset the states to the pre-initialized values
128
    private void reset(boolean doCancel) {
129
        if (!initialized) {
130
            return;
131
        }
132
        initialized = false;
133

134
        try {
135
            if (session == null) {
136
                return;
137
            }
138

139
            if (doCancel && token.explicitCancel) {
140
                cancelOperation();
141
            }
142
        } finally {
143
            p11Key.releaseKeyID();
144
            session = token.releaseSession(session);
145
        }
146
    }
147

148
    private void cancelOperation() {
149
        token.ensureValid();
150
        // cancel operation by finishing it; avoid killSession as some
151
        // hardware vendors may require re-login
152
        try {
153
            token.p11.C_SignFinal(session.id(), 0);
154
        } catch (PKCS11Exception e) {
155
            if (e.getErrorCode() == CKR_OPERATION_NOT_INITIALIZED) {
156
                // Cancel Operation may be invoked after an error on a PKCS#11
157
                // call. If the operation inside the token was already cancelled,
158
                // do not fail here. This is part of a defensive mechanism for
159
                // PKCS#11 libraries that do not strictly follow the standard.
160
                return;
161
            }
162
            throw new ProviderException("Cancel failed", e);
163
        }
164
    }
165

166
    private void ensureInitialized() throws PKCS11Exception {
167
        if (!initialized) {
168
            initialize();
169
        }
170
    }
171

172
    private void initialize() throws PKCS11Exception {
173
        if (p11Key == null) {
174
            throw new ProviderException(
175
                    "Operation cannot be performed without calling engineInit first");
176
        }
177
        token.ensureValid();
178
        long p11KeyID = p11Key.getKeyID();
179
        try {
180
            if (session == null) {
181
                session = token.getOpSession();
182
            }
183
            token.p11.C_SignInit(session.id(), ckMechanism, p11KeyID);
184
        } catch (PKCS11Exception e) {
185
            p11Key.releaseKeyID();
186
            session = token.releaseSession(session);
187
            throw e;
188
        }
189
        initialized = true;
190
    }
191

192
    // see JCE spec
193
    protected int engineGetMacLength() {
194
        return macLength;
195
    }
196

197
    // see JCE spec
198
    protected void engineReset() {
199
        reset(true);
200
    }
201

202
    // see JCE spec
203
    protected void engineInit(Key key, AlgorithmParameterSpec params)
204
            throws InvalidKeyException, InvalidAlgorithmParameterException {
205
        if (params != null) {
206
            throw new InvalidAlgorithmParameterException
207
                ("Parameters not supported");
208
        }
209
        reset(true);
210
        p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
211
        try {
212
            initialize();
213
        } catch (PKCS11Exception e) {
214
            throw new InvalidKeyException("init() failed", e);
215
        }
216
    }
217

218
    // see JCE spec
219
    protected byte[] engineDoFinal() {
220
        try {
221
            ensureInitialized();
222
            return token.p11.C_SignFinal(session.id(), 0);
223
        } catch (PKCS11Exception e) {
224
            // As per the PKCS#11 standard, C_SignFinal may only
225
            // keep the operation active on CKR_BUFFER_TOO_SMALL errors or
226
            // successful calls to determine the output length. However,
227
            // these cases are handled at OpenJDK's libj2pkcs11 native
228
            // library. Thus, P11Mac::reset can be called with a 'false'
229
            // doCancel argument from here.
230
            throw new ProviderException("doFinal() failed", e);
231
        } finally {
232
            reset(false);
233
        }
234
    }
235

236
    // see JCE spec
237
    protected void engineUpdate(byte input) {
238
        if (oneByte == null) {
239
           oneByte = new byte[1];
240
        }
241
        oneByte[0] = input;
242
        engineUpdate(oneByte, 0, 1);
243
    }
244

245
    // see JCE spec
246
    protected void engineUpdate(byte[] b, int ofs, int len) {
247
        try {
248
            ensureInitialized();
249
            token.p11.C_SignUpdate(session.id(), 0, b, ofs, len);
250
        } catch (PKCS11Exception e) {
251
            throw new ProviderException("update() failed", e);
252
        }
253
    }
254

255
    // see JCE spec
256
    protected void engineUpdate(ByteBuffer byteBuffer) {
257
        try {
258
            ensureInitialized();
259
            int len = byteBuffer.remaining();
260
            if (len <= 0) {
261
                return;
262
            }
263
            if (byteBuffer instanceof DirectBuffer == false) {
264
                super.engineUpdate(byteBuffer);
265
                return;
266
            }
267
            long addr = ((DirectBuffer)byteBuffer).address();
268
            int ofs = byteBuffer.position();
269
            token.p11.C_SignUpdate(session.id(), addr + ofs, null, 0, len);
270
            byteBuffer.position(ofs + len);
271
        } catch (PKCS11Exception e) {
272
            throw new ProviderException("update() failed", e);
273
        }
274
    }
275
}
276

277