org.xipki.security.pkcs11

Class P11Slot

java.lang.Object

org.xipki.security.pkcs11.P11Slot

All Implemented Interfaces:

Closeable, AutoCloseable

public abstract class P11Slot
extends Object
implements Closeable

PKCS#11 slot.

Since:

2.0.0

Author:

Lijun Liao

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	P11Slot.P11KeyUsage
static class	P11Slot.P11NewKeyControl
static class	P11Slot.P11NewObjectControl
static class	P11Slot.P11SlotRefreshResult

Field Summary

Fields

Modifier and Type	Field and Description
protected String	moduleName
protected P11SlotIdentifier	slotId

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	P11Slot(String moduleName, P11SlotIdentifier slotId, boolean readOnly, P11ModuleConf.P11MechanismFilter mechanismFilter)

Method Summary

Modifier and Type	Method and Description
P11ObjectIdentifier	addCert(X509Cert cert, P11Slot.P11NewObjectControl control) Adds the certificate to the PKCS#11 token under the given identifier objectId.
protected abstract P11ObjectIdentifier	addCert0(X509Cert cert, P11Slot.P11NewObjectControl control) Adds the certificate to the PKCS#11 token under the given identifier objectId.
protected void	addIdentity(P11Identity identity)
void	assertMechanismSupported(long mechanism)
protected void	assertNoIdentityAndCert(byte[] id, String label)
protected void	assertWritable(String operationName)
abstract void	close()
protected static byte[]	decodeHex(String hex) Returns the hex representation of the bytes.
protected boolean	existsCertForId(byte[] id)
protected boolean	existsCertForLabel(String label)
protected boolean	existsIdentityForId(byte[] id)
protected boolean	existsIdentityForLabel(String label)
X509Cert	exportCert(P11ObjectIdentifier objectId) Exports the certificate of the given identifier objectId.
P11IdentityId	generateDSAKeypair(BigInteger p, BigInteger q, BigInteger g, P11Slot.P11NewKeyControl control) Generates a DSA keypair.
P11IdentityId	generateDSAKeypair(int plength, int qlength, P11Slot.P11NewKeyControl control) Generates a DSA keypair.
protected abstract P11Identity	generateDSAKeypair0(BigInteger p, BigInteger q, BigInteger g, P11Slot.P11NewKeyControl control) Generates a DSA keypair.
P11IdentityId	generateECEdwardsKeypair(org.bouncycastle.asn1.ASN1ObjectIdentifier curveOid, P11Slot.P11NewKeyControl control) Generates an EC Edwards keypair.
protected abstract P11Identity	generateECEdwardsKeypair0(org.bouncycastle.asn1.ASN1ObjectIdentifier curveId, P11Slot.P11NewKeyControl control) Generates an EC Edwards keypair.
P11IdentityId	generateECKeypair(org.bouncycastle.asn1.ASN1ObjectIdentifier curveOid, P11Slot.P11NewKeyControl control) Generates an EC keypair.
protected abstract P11Identity	generateECKeypair0(org.bouncycastle.asn1.ASN1ObjectIdentifier curveId, P11Slot.P11NewKeyControl control) Generates an EC keypair.
P11IdentityId	generateECMontgomeryKeypair(org.bouncycastle.asn1.ASN1ObjectIdentifier curveOid, P11Slot.P11NewKeyControl control) Generates an EC Montgomery keypair.
protected abstract P11Identity	generateECMontgomeryKeypair0(org.bouncycastle.asn1.ASN1ObjectIdentifier curveId, P11Slot.P11NewKeyControl control) Generates an EC Montgomery keypair.
protected String	generateLabel(String label)
P11IdentityId	generateRSAKeypair(int keysize, BigInteger publicExponent, P11Slot.P11NewKeyControl control) Generates an RSA keypair.
protected abstract P11Identity	generateRSAKeypair0(int keysize, BigInteger publicExponent, P11Slot.P11NewKeyControl control) Generates an RSA keypair.
P11IdentityId	generateSecretKey(long keyType, int keysize, P11Slot.P11NewKeyControl control) Generates a secret key in the PKCS#11 token.
protected abstract P11Identity	generateSecretKey0(long keyType, int keysize, P11Slot.P11NewKeyControl control) Generates a secret key in the PKCS#11 token.
P11IdentityId	generateSM2Keypair(P11Slot.P11NewKeyControl control) Generates an SM2 keypair.
protected abstract P11Identity	generateSM2Keypair0(P11Slot.P11NewKeyControl control) Generates an SM2p256v1 keypair.
X509Cert	getCert(P11ObjectIdentifier objectId) Gets certificate with the given identifier id.
X509Cert	getCertForId(byte[] id) Gets certificate with the given identifier id.
Set<P11ObjectIdentifier>	getCertIds()
static String	getDescription(byte[] keyId, char[] keyLabel)
static String	getDescription(byte[] keyId, String keyLabel)
P11Identity	getIdentity(P11ObjectIdentifier keyId)
P11IdentityId	getIdentityId(byte[] keyId, String keyLabel)
Set<P11ObjectIdentifier>	getIdentityKeyIds()
Set<Long>	getMechanisms()
String	getModuleName()
P11ObjectIdentifier	getObjectId(byte[] id, String label)
P11SlotIdentifier	getSlotId()
boolean	hasIdentity(P11ObjectIdentifier keyId)
protected static String	hex(byte[] bytes) Returns the hex representation of the bytes.
P11ObjectIdentifier	importSecretKey(long keyType, byte[] keyValue, P11Slot.P11NewKeyControl control) Imports secret key object in the PKCS#11 token.
protected abstract P11Identity	importSecretKey0(long keyType, byte[] keyValue, P11Slot.P11NewKeyControl control) Imports secret key object in the PKCS#11 token.
boolean	isReadOnly()
void	refresh()
protected abstract P11Slot.P11SlotRefreshResult	refresh0()
void	removeCerts(P11ObjectIdentifier objectId) Remove certificates.
protected abstract void	removeCerts0(P11ObjectIdentifier objectId)
void	removeIdentity(P11IdentityId identityId) Removes the key (private key, public key, secret key, and certificates) associated with the given identifier objectId.
protected abstract void	removeIdentity0(P11IdentityId identityId) Removes the key (private key, public key, secret key, and certificates) associated with the given identifier objectId.
void	removeIdentityByKeyId(P11ObjectIdentifier keyId) Removes the key (private key, public key, secret key, and certificates) associated with the given identifier objectId.
abstract int	removeObjects(byte[] id, String label) Remove objects.
void	showDetails(OutputStream stream, boolean verbose) Writes the token details to the given stream.
boolean	supportsMechanism(long mechanism)
void	updateCertificate(P11ObjectIdentifier keyId, X509Cert newCert) Updates the certificate associated with the given ID keyId with the given certificate newCert.
protected abstract void	updateCertificate0(P11ObjectIdentifier keyId, X509Cert newCert) Updates the certificate associated with the given objectId with the given certificate newCert.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

moduleName

protected final String moduleName

slotId

protected final P11SlotIdentifier slotId

Constructor Detail

P11Slot

protected P11Slot(String moduleName,
                  P11SlotIdentifier slotId,
                  boolean readOnly,
                  P11ModuleConf.P11MechanismFilter mechanismFilter)
           throws P11TokenException

Throws:

P11TokenException

Method Detail

hex

protected static String hex(byte[] bytes)

Returns the hex representation of the bytes.

Parameters:

bytes - Data to be encoded. Must not be null.

Returns:

the hex representation of the bytes.

decodeHex

protected static byte[] decodeHex(String hex)

Returns the hex representation of the bytes.

Parameters:

hex - Data to be decoded. Must not be null.

Returns:

the hex representation of the bytes.

getDescription

public static String getDescription(byte[] keyId,
                                    char[] keyLabel)

getDescription

public static String getDescription(byte[] keyId,
                                    String keyLabel)

updateCertificate0

protected abstract void updateCertificate0(P11ObjectIdentifier keyId,
                                           X509Cert newCert)
                                    throws P11TokenException,
                                           CertificateException

Updates the certificate associated with the given objectId with the given certificate newCert.

Parameters:

keyId - Object identifier of the private key. Must not be null.

newCert - Certificate to be added. Must not be null.

Throws:

CertificateException - if process with certificate fails.

P11TokenException - if PKCS#11 token exception occurs.

removeIdentity0

protected abstract void removeIdentity0(P11IdentityId identityId)
                                 throws P11TokenException

Removes the key (private key, public key, secret key, and certificates) associated with the given identifier objectId.

Parameters:

identityId - Identity identifier. Must not be null.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

addCert0

protected abstract P11ObjectIdentifier addCert0(X509Cert cert,
                                                P11Slot.P11NewObjectControl control)
                                         throws P11TokenException,
                                                CertificateException

Adds the certificate to the PKCS#11 token under the given identifier objectId.

Parameters:

cert - Certificate to be added. Must not be null.

control - Control of the object creation process. Must not be null.

Returns:

the PKCS#11 identifier of the added certificate.

Throws:

CertificateException - if process with certificate fails.

P11TokenException - if PKCS#11 token exception occurs.

generateSecretKey0

protected abstract P11Identity generateSecretKey0(long keyType,
                                                  int keysize,
                                                  P11Slot.P11NewKeyControl control)
                                           throws P11TokenException

Generates a secret key in the PKCS#11 token.

Parameters:

keyType - key type

keysize - key size

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

importSecretKey0

protected abstract P11Identity importSecretKey0(long keyType,
                                                byte[] keyValue,
                                                P11Slot.P11NewKeyControl control)
                                         throws P11TokenException

Imports secret key object in the PKCS#11 token. The key itself will not be generated within the PKCS#11 token.

Parameters:

keyType - key type.

keyValue - Key value. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateDSAKeypair0

protected abstract P11Identity generateDSAKeypair0(BigInteger p,
                                                   BigInteger q,
                                                   BigInteger g,
                                                   P11Slot.P11NewKeyControl control)
                                            throws P11TokenException

Generates a DSA keypair.

Parameters:

p - p of DSA. Must not be null.

q - q of DSA. Must not be null.

g - g of DSA. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateECEdwardsKeypair0

protected abstract P11Identity generateECEdwardsKeypair0(org.bouncycastle.asn1.ASN1ObjectIdentifier curveId,
                                                         P11Slot.P11NewKeyControl control)
                                                  throws P11TokenException

Generates an EC Edwards keypair.

Parameters:

curveId - Object Identifier of the curve. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateECMontgomeryKeypair0

protected abstract P11Identity generateECMontgomeryKeypair0(org.bouncycastle.asn1.ASN1ObjectIdentifier curveId,
                                                            P11Slot.P11NewKeyControl control)
                                                     throws P11TokenException

Generates an EC Montgomery keypair.

Parameters:

curveId - Object Identifier of the curve. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateECKeypair0

protected abstract P11Identity generateECKeypair0(org.bouncycastle.asn1.ASN1ObjectIdentifier curveId,
                                                  P11Slot.P11NewKeyControl control)
                                           throws P11TokenException

Generates an EC keypair.

Parameters:

curveId - Object identifier of the EC curve. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateSM2Keypair0

protected abstract P11Identity generateSM2Keypair0(P11Slot.P11NewKeyControl control)
                                            throws P11TokenException

Generates an SM2p256v1 keypair.

Parameters:

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateRSAKeypair0

protected abstract P11Identity generateRSAKeypair0(int keysize,
                                                   BigInteger publicExponent,
                                                   P11Slot.P11NewKeyControl control)
                                            throws P11TokenException

Generates an RSA keypair.

Parameters:

keysize - key size in bit

publicExponent - RSA public exponent. Could be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

refresh0

protected abstract P11Slot.P11SlotRefreshResult refresh0()
                                                  throws P11TokenException

Throws:

P11TokenException

removeCerts0

protected abstract void removeCerts0(P11ObjectIdentifier objectId)
                              throws P11TokenException

Throws:

P11TokenException

close

public abstract void close()

Specified by:

close in interface Closeable

Specified by:

close in interface AutoCloseable

removeObjects

public abstract int removeObjects(byte[] id,
                                  String label)
                           throws P11TokenException

Remove objects.

Parameters:

id - Id of the objects to be deleted. At least one of id and label may not be null.

label - Label of the objects to be deleted

Returns:

how many objects have been deleted

Throws:

P11TokenException - If PKCS#11 error happens.

getCertForId

public X509Cert getCertForId(byte[] id)

Gets certificate with the given identifier id.

Parameters:

id - Identifier of the certificate. Must not be null.

Returns:

certificate with the given identifier.

getCert

public X509Cert getCert(P11ObjectIdentifier objectId)

Gets certificate with the given identifier id.

Parameters:

objectId - Identifier of the certificate. Must not be null.

Returns:

certificate with the given identifier.

refresh

public void refresh()
             throws P11TokenException

Throws:

P11TokenException

addIdentity

protected void addIdentity(P11Identity identity)
                    throws P11DuplicateEntityException

Throws:

P11DuplicateEntityException

hasIdentity

public boolean hasIdentity(P11ObjectIdentifier keyId)

getMechanisms

public Set<Long> getMechanisms()

supportsMechanism

public boolean supportsMechanism(long mechanism)

assertMechanismSupported

public void assertMechanismSupported(long mechanism)
                              throws P11UnsupportedMechanismException

Throws:

P11UnsupportedMechanismException

getIdentityKeyIds

public Set<P11ObjectIdentifier> getIdentityKeyIds()

getCertIds

public Set<P11ObjectIdentifier> getCertIds()

getModuleName

public String getModuleName()

getSlotId

public P11SlotIdentifier getSlotId()

isReadOnly

public boolean isReadOnly()

getIdentity

public P11Identity getIdentity(P11ObjectIdentifier keyId)
                        throws P11UnknownEntityException

Throws:

P11UnknownEntityException

assertNoIdentityAndCert

protected void assertNoIdentityAndCert(byte[] id,
                                       String label)
                                throws P11DuplicateEntityException

Throws:

P11DuplicateEntityException

getObjectId

public P11ObjectIdentifier getObjectId(byte[] id,
                                       String label)

getIdentityId

public P11IdentityId getIdentityId(byte[] keyId,
                                   String keyLabel)

exportCert

public X509Cert exportCert(P11ObjectIdentifier objectId)
                    throws P11TokenException

Exports the certificate of the given identifier objectId.

Parameters:

objectId - Object identifier. Must not be null.

Returns:

the exported certificate

Throws:

P11TokenException - if PKCS#11 token exception occurs.

removeCerts

public void removeCerts(P11ObjectIdentifier objectId)
                 throws P11TokenException

Remove certificates.

Parameters:

objectId - Object identifier. Must not be null.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

removeIdentity

public void removeIdentity(P11IdentityId identityId)
                    throws P11TokenException

Removes the key (private key, public key, secret key, and certificates) associated with the given identifier objectId.

Parameters:

identityId - Identity identifier. Must not be null.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

removeIdentityByKeyId

public void removeIdentityByKeyId(P11ObjectIdentifier keyId)
                           throws P11TokenException

Removes the key (private key, public key, secret key, and certificates) associated with the given identifier objectId.

Parameters:

keyId - Key identifier. Must not be null.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

addCert

public P11ObjectIdentifier addCert(X509Cert cert,
                                   P11Slot.P11NewObjectControl control)
                            throws P11TokenException,
                                   CertificateException

Adds the certificate to the PKCS#11 token under the given identifier objectId.

Parameters:

cert - Certificate to be added. Must not be null.

control - Control of the object creation process. Must not be null.

Returns:

the identifier of the newly added certificate.

Throws:

CertificateException - if process with certificate fails.

P11TokenException - if PKCS#11 token exception occurs.

generateLabel

protected String generateLabel(String label)
                        throws P11TokenException

Throws:

P11TokenException

generateSecretKey

public P11IdentityId generateSecretKey(long keyType,
                                       int keysize,
                                       P11Slot.P11NewKeyControl control)
                                throws P11TokenException

Generates a secret key in the PKCS#11 token.

Parameters:

keyType - Key type

keysize - Key size in bit

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the identity within the PKCS#11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

importSecretKey

public P11ObjectIdentifier importSecretKey(long keyType,
                                           byte[] keyValue,
                                           P11Slot.P11NewKeyControl control)
                                    throws P11TokenException

Imports secret key object in the PKCS#11 token. The key itself will not be generated within the PKCS#11 token.

Parameters:

keyType - Key type

keyValue - Key value. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the key within the PKCS#11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateRSAKeypair

public P11IdentityId generateRSAKeypair(int keysize,
                                        BigInteger publicExponent,
                                        P11Slot.P11NewKeyControl control)
                                 throws P11TokenException

Generates an RSA keypair.

Parameters:

keysize - key size in bit

publicExponent - RSA public exponent. Could be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the identity within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateDSAKeypair

public P11IdentityId generateDSAKeypair(int plength,
                                        int qlength,
                                        P11Slot.P11NewKeyControl control)
                                 throws P11TokenException

Generates a DSA keypair.

Parameters:

plength - bit length of P

qlength - bit length of Q

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the identity within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateDSAKeypair

public P11IdentityId generateDSAKeypair(BigInteger p,
                                        BigInteger q,
                                        BigInteger g,
                                        P11Slot.P11NewKeyControl control)
                                 throws P11TokenException

Generates a DSA keypair.

Parameters:

p - p of DSA. Must not be null.

q - q of DSA. Must not be null.

g - g of DSA. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the identity within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateECKeypair

public P11IdentityId generateECKeypair(org.bouncycastle.asn1.ASN1ObjectIdentifier curveOid,
                                       P11Slot.P11NewKeyControl control)
                                throws P11TokenException

Generates an EC keypair.

Parameters:

curveOid - Object identifier of the EC curve. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the identity within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateECEdwardsKeypair

public P11IdentityId generateECEdwardsKeypair(org.bouncycastle.asn1.ASN1ObjectIdentifier curveOid,
                                              P11Slot.P11NewKeyControl control)
                                       throws P11TokenException

Generates an EC Edwards keypair.

Parameters:

curveOid - Object Identifier of the EdEC curve as defined in RFC 8410. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the identity within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateECMontgomeryKeypair

public P11IdentityId generateECMontgomeryKeypair(org.bouncycastle.asn1.ASN1ObjectIdentifier curveOid,
                                                 P11Slot.P11NewKeyControl control)
                                          throws P11TokenException

Generates an EC Montgomery keypair.

Parameters:

curveOid - Object Identifier of the EdEC curve as defined in RFC 8410. Must not be null.

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the identity within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

generateSM2Keypair

public P11IdentityId generateSM2Keypair(P11Slot.P11NewKeyControl control)
                                 throws P11TokenException

Generates an SM2 keypair.

Parameters:

control - Control of the key generation process. Must not be null.

Returns:

the identifier of the identity within the PKCS#P11 token.

Throws:

P11TokenException - if PKCS#11 token exception occurs.

updateCertificate

public void updateCertificate(P11ObjectIdentifier keyId,
                              X509Cert newCert)
                       throws P11TokenException,
                              CertificateException

Updates the certificate associated with the given ID keyId with the given certificate newCert.

Parameters:

keyId - Object identifier of the private key. Must not be null.

newCert - Certificate to be added. Must not be null.

Throws:

CertificateException - if process with certificate fails.

P11TokenException - if PKCS#11 token exception occurs.

showDetails

public void showDetails(OutputStream stream,
                        boolean verbose)
                 throws IOException

Writes the token details to the given stream.

Parameters:

stream - Output stream. Must not be null.

verbose - Whether to show the details verbosely.

Throws:

IOException - if IO error occurs.

assertWritable

protected void assertWritable(String operationName)
                       throws P11PermissionException

Throws:

P11PermissionException

existsIdentityForId

protected boolean existsIdentityForId(byte[] id)

existsIdentityForLabel

protected boolean existsIdentityForLabel(String label)

existsCertForId

protected boolean existsCertForId(byte[] id)

existsCertForLabel

protected boolean existsCertForLabel(String label)