Bug 1308027 - Merge pki-symkey into jss, r=jmagne

build_java.pl

@@ -32,6 +32,7 @@
 org.mozilla.jss.pkcs11.PK11PubKey     
 org.mozilla.jss.pkcs11.PK11SymKey      
 org.mozilla.jss.pkcs11.PK11KeyPairGenerator 
+org.mozilla.jss.pkcs11.PK11SymmetricKeyDeriver
 org.mozilla.jss.pkcs11.PK11KeyGenerator
 org.mozilla.jss.pkcs11.PK11Token
 org.mozilla.jss.pkcs11.PrivateKeyProxy  
@@ -79,7 +80,6 @@
 org.mozilla.jss.util
 );
 
-
 # setup environment
 setup_env();
 

lib/jss.def

@@ -127,6 +127,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey;
 Java_org_mozilla_jss_pkcs11_PK11Store_putCertsInVector;
 Java_org_mozilla_jss_pkcs11_PK11Store_putKeysInVector;
 Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector;
+Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector;
 Java_org_mozilla_jss_pkcs11_SigContextProxy_releaseNativeResources;
 Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getModulusByteArray;
 Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getPublicExponentByteArray;
@@ -318,6 +319,8 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags;
 Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
 Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
 Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
+Java_org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver_nativeDeriveSymKey;
+Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative;
 ;+    local:
 ;+       *;
 ;+};

org/mozilla/jss/crypto/CryptoStore.java

@@ -42,6 +42,16 @@ public interface CryptoStore {
     public PrivateKey[]
     getPrivateKeys() throws TokenException;
 
+    /**
+     * Returns all symmetric keys stored on this token.
+     *
+     * @return An array of all symmetric keys stored on this token.
+     * @exception TokenException If an error occurs on the token while
+     *      gathering the keys.
+     */
+    public SymmetricKey[]
+    getSymmetricKeys() throws TokenException;
+
     /**
      * Deletes the given PrivateKey from the CryptoToken.
      * This is a very dangerous call: it deletes the key from the underlying

org/mozilla/jss/crypto/CryptoToken.java

@@ -60,6 +60,9 @@ public interface CryptoToken {
     getCipherContext(EncryptionAlgorithm algorithm)
         throws java.security.NoSuchAlgorithmException, TokenException;
 
+    public abstract SymmetricKeyDeriver getSymmetricKeyDeriver()
+        throws TokenException;
+
     public abstract KeyWrapper
     getKeyWrapper(KeyWrapAlgorithm algorithm)
         throws java.security.NoSuchAlgorithmException, TokenException;

org/mozilla/jss/crypto/KeyWrapper.java

@@ -101,4 +101,20 @@ public SymmetricKey unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type,
         throws TokenException, IllegalStateException,
             InvalidAlgorithmParameterException;
 
+    public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
+        SymmetricKey.Usage usage, int keyLength)
+        throws TokenException, IllegalStateException,
+            InvalidAlgorithmParameterException;
+
+    /**
+     * Unwraps a key and allows it to be used for all operations.
+     * @param keyLength The expected length of the key in bytes.  This is
+     *   only used for variable-length keys (RC4) and non-padding
+     *   algorithms. Otherwise, it can be set to anything(like 0).
+     */
+    public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
+        int keyLength)
+        throws TokenException, IllegalStateException,
+            InvalidAlgorithmParameterException;
+
 }

org/mozilla/jss/crypto/SymmetricKey.java

@@ -39,6 +39,10 @@ public NotExtractableException(String mesg) {
 
     String getFormat();
 
+    String getNickName();
+
+    void setNickName(String nickName);
+
     public final static class Type {
         // all names converted to lowercase for case insensitivity
         private static Hashtable nameMap = new Hashtable();

org/mozilla/jss/crypto/SymmetricKeyDeriver.java

@@ -0,0 +1,79 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape Security Services for Java.
+ *     
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+package org.mozilla.jss.crypto;
+
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.PublicKey;
+import java.security.InvalidKeyException;
+
+public interface SymmetricKeyDeriver {
+
+   /* Use with the encrypt type mechanisms
+      Example: initDerive(
+                    symKey,  (PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA) 4354L, derivationData, null,
+                    PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE, 16);
+   */
+
+    public abstract void initDerive(SymmetricKey baseKey, 
+        long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
+        throws InvalidKeyException;
+
+
+
+    /* Use with key extraction and key concatanation mechanisms
+  
+    Example:
+       param: byte array that has the bit position of where to extract
+     initDerive(
+                derivedKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
+                PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,8);
+ 
+ 
+    initDerive(
+               baseSymKey,secondarySymKey, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
+               PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,0);
+ 
+    */ 
+
+    public abstract void initDerive(SymmetricKey baseKey, 
+        SymmetricKey secondaryKey, long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
+        throws InvalidKeyException; 
+
+   public abstract SymmetricKey  derive()
+       throws TokenException;
+}

org/mozilla/jss/pkcs11/PK11KeyWrapper.c

@@ -487,14 +487,15 @@ JNIEXPORT jobject JNICALL
 Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymWithSym
     (JNIEnv *env, jclass clazz, jobject tokenObj, jobject unwrapperObj,
         jbyteArray wrappedBA, jobject wrapAlgObj, jobject typeAlgObj,
-        jint keyLen, jbyteArray ivBA, jint usageEnum)
+        jint keyLen, jbyteArray ivBA, jint usageEnum, jboolean temporary)
 {
     PK11SymKey *symKey=NULL, *wrappingKey=NULL;
     CK_MECHANISM_TYPE wrappingMech, keyTypeMech;
     SECItem *wrappedKey=NULL, *iv=NULL, *param=NULL;
     jobject keyObj = NULL;
     CK_ULONG operation;
     CK_FLAGS flags;
+    PRBool isPermanent = PR_FALSE;
 
     /* get key type */
     keyTypeMech = JSS_getPK11MechFromAlg(env, typeAlgObj);
@@ -547,8 +548,21 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymWithSym
         flags = 0;
     }
 
-    symKey = PK11_UnwrapSymKeyWithFlags(wrappingKey, wrappingMech, param,
-        wrappedKey, keyTypeMech, operation, keyLen, flags);
+    if( temporary ) {
+        isPermanent = PR_FALSE;
+    } else {
+        isPermanent = PR_TRUE;
+    }
+
+    if( isPermanent == PR_FALSE) {
+        symKey = PK11_UnwrapSymKeyWithFlags(wrappingKey, wrappingMech, param,
+            wrappedKey, keyTypeMech, operation, keyLen, flags);
+
+    } else {
+        symKey = PK11_UnwrapSymKeyWithFlagsPerm(wrappingKey, wrappingMech, param,
+            wrappedKey, keyTypeMech, operation, keyLen, flags,isPermanent);
+    }
+
     if( symKey == NULL ) {
         JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to unwrap key");
         goto finish;
@@ -670,7 +684,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymWithPriv
 JNIEXPORT jobject JNICALL
 Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
     (JNIEnv *env, jclass clazz, jobject tokenObj, jbyteArray wrappedBA,
-        jobject typeAlgObj, jint usageEnum)
+        jobject typeAlgObj, jint usageEnum, jboolean temporary)
 {
     PK11SymKey *symKey=NULL;
     CK_MECHANISM_TYPE keyTypeMech;
@@ -679,6 +693,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
     PK11SlotInfo *slot = NULL;
     CK_ULONG operation;
     CK_FLAGS flags;
+    PRBool isPerm = PR_FALSE;
 
     /* get key type */
     keyTypeMech = JSS_getPK11MechFromAlg(env, typeAlgObj);
@@ -687,6 +702,12 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
         goto finish;
     }
 
+    if( temporary ) {
+        isPerm = PR_FALSE;
+    } else {
+        isPerm = PR_TRUE;
+    }
+
     /* get the slot */
     if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
         /* exception was thrown */
@@ -710,7 +731,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
 
     /* pull in the key */
     symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
-        operation, wrappedKey, flags, PR_FALSE /*isPerm*/, NULL);
+        operation, wrappedKey, flags, isPerm, NULL);
     if( symKey == NULL ) {
         JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to unwrap key");
         goto finish;

org/mozilla/jss/pkcs11/PK11KeyWrapper.java

@@ -466,8 +466,25 @@ private void checkParams(AlgorithmParameterSpec params)
         return unwrapSymmetric(wrapped, type, -1, keyLen);
     }
 
+    public SymmetricKey
+    unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
+        SymmetricKey.Usage usage, int keyLen)
+        throws TokenException, IllegalStateException,
+            InvalidAlgorithmParameterException
+    {
+        return unwrapSymmetricPerm(wrapped, type, usage.getVal(), keyLen);
+    }
+
+    public SymmetricKey
+    unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type, int keyLen)
+        throws TokenException, IllegalStateException,
+            InvalidAlgorithmParameterException
+    {
+        return unwrapSymmetricPerm(wrapped, type, -1, keyLen);
+    }
+
     private SymmetricKey
-    unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type,
+    unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
         int usageEnum, int keyLen)
         throws TokenException, IllegalStateException,
             InvalidAlgorithmParameterException
@@ -476,6 +493,10 @@ private void checkParams(AlgorithmParameterSpec params)
             throw new IllegalStateException();
         }
 
+        /* Since we want permanent,make the temporary arg false */
+        boolean temporary = false;
+
+
         if( (! algorithm.isPadded()) && (type == SymmetricKey.RC4) ) {
             if( keyLen <= 0 ) {
                 throw new InvalidAlgorithmParameterException(
@@ -489,12 +510,52 @@ private void checkParams(AlgorithmParameterSpec params)
 
         if( algorithm == KeyWrapAlgorithm.PLAINTEXT ) {
             return nativeUnwrapSymPlaintext(token, wrapped, algFromType(type),
-                usageEnum );
+                usageEnum,temporary );
         } else {
             if( symKey != null ) {
                 Assert._assert(pubKey==null && privKey==null);
                 return nativeUnwrapSymWithSym(token, symKey, wrapped, algorithm,
-                        algFromType(type), keyLen, IV, usageEnum);
+                        algFromType(type), keyLen, IV, usageEnum,temporary);
+            } else {
+                Assert._assert(privKey!=null && pubKey==null && symKey==null);
+                throw new TokenException("We do not support permnament unwrapping with private key.");
+            }
+        }
+    }
+
+
+    private SymmetricKey
+    unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type,
+        int usageEnum, int keyLen)
+        throws TokenException, IllegalStateException,
+            InvalidAlgorithmParameterException
+    {
+        if( state != UNWRAP ) {
+            throw new IllegalStateException();
+        }
+
+        if( (! algorithm.isPadded()) && (type == SymmetricKey.RC4) ) {
+            if( keyLen <= 0 ) {
+                throw new InvalidAlgorithmParameterException(
+                    "RC4 keys wrapped in unpadded algorithms need key length"+
+                    " specified when unwrapping");
+            }
+        } else {
+            // Don't use the key length
+            //keyLen = 0;
+        }
+
+        /* Since we DONT want permanent,make the temporary arg true */
+        boolean temporary = true;
+
+        if( algorithm == KeyWrapAlgorithm.PLAINTEXT ) {
+            return nativeUnwrapSymPlaintext(token, wrapped, algFromType(type),
+                usageEnum, temporary );
+        } else {
+            if( symKey != null ) {
+                Assert._assert(pubKey==null && privKey==null);
+                return nativeUnwrapSymWithSym(token, symKey, wrapped, algorithm,
+                        algFromType(type), keyLen, IV, usageEnum,temporary);
             } else {
                 Assert._assert(privKey!=null && pubKey==null && symKey==null);
                 return nativeUnwrapSymWithPriv(token, privKey, wrapped,
@@ -556,7 +617,7 @@ private void checkParams(AlgorithmParameterSpec params)
     private static native SymmetricKey
     nativeUnwrapSymWithSym(PK11Token token, SymmetricKey unwrappingKey,
         byte[] wrappedKey, KeyWrapAlgorithm alg, Algorithm type, int keyLen,
-        byte[] IV, int usageEnum)
+        byte[] IV, int usageEnum, boolean temporary)
             throws TokenException;
 
     /**
@@ -570,7 +631,7 @@ private void checkParams(AlgorithmParameterSpec params)
 
     private static native SymmetricKey
     nativeUnwrapSymPlaintext(PK11Token token, byte[] wrappedKey,
-        Algorithm type, int usageEnum);
+        Algorithm type, int usageEnum, boolean temporary);
 
     private void reset() {
         state = UNINITIALIZED;

org/mozilla/jss/pkcs11/PK11MessageDigest.c

@@ -67,17 +67,19 @@ Java_org_mozilla_jss_pkcs11_PK11MessageDigest_initHMAC
     }
 
     /* copy the key, setting the CKA_SIGN attribute */
+    /*
     newKey = PK11_CopySymKeyForSigning(origKey, mech);
     if( newKey == NULL ) {
         JSS_throwMsg(env, DIGEST_EXCEPTION,
                         "Unable to set CKA_SIGN attribute on symmetric key");
         goto finish;
     }
+    */
 
     param.data = NULL;
     param.len = 0;
 
-    context = PK11_CreateContextBySymKey(mech, CKA_SIGN, newKey, &param);
+    context = PK11_CreateContextBySymKey(mech, CKA_SIGN, origKey, &param);
     if( context == NULL ) {
         JSS_throwMsg(env, DIGEST_EXCEPTION,
             "Unable to initialize digest context");