pkcs11/KeyStore/SecretKeysBasic.java

251876Speter/*
251876Speter * Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved.
251876Speter * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
251876Speter *
251876Speter * This code is free software; you can redistribute it and/or modify it
251876Speter * under the terms of the GNU General Public License version 2 only, as
251876Speter * published by the Free Software Foundation.
251876Speter *
251876Speter * This code is distributed in the hope that it will be useful, but WITHOUT
251876Speter * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
251876Speter * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
251876Speter * version 2 for more details (a copy is included in the LICENSE file that
251876Speter * accompanied this code).
251876Speter *
251876Speter * You should have received a copy of the GNU General Public License version
251876Speter * 2 along with this work; if not, write to the Free Software Foundation,
251876Speter * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
251876Speter *
251876Speter * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
251876Speter * or visit www.oracle.com if you need additional information or have any
251876Speter * questions.
251876Speter */
251876Speter
251876Speterimport java.io.*;
251876Speterimport java.util.*;
251876Speterimport java.security.*;
251876Speterimport javax.crypto.*;
251876Speterimport javax.crypto.spec.*;
251876Speterimport javax.xml.bind.DatatypeConverter;
251876Speter
251876Speterpublic class SecretKeysBasic extends PKCS11Test {
251876Speter
251876Speter    private static final char SEP = File.separatorChar;
251876Speter    private static char[] tokenPwd;
251876Speter    private static final char[] nssPwd =
251876Speter            new char[]{'t', 'e', 's', 't', '1', '2'};
251876Speter    private static final char[] solarisPwd =
251876Speter            new char[]{'p', 'i', 'n'};
251876Speter    private static SecretKey sk1;
251876Speter    private static SecretKey sk2;
251876Speter    private static SecretKey softkey;
251876Speter    private static KeyStore ks;
251876Speter    private static final String KS_TYPE = "PKCS11";
251876Speter    private static Provider provider;
251876Speter
251876Speter    public static void main(String[] args) throws Exception {
251876Speter        main(new SecretKeysBasic());
251876Speter    }
251876Speter
251876Speter    public void main(Provider p) throws Exception {
251876Speter        this.provider = p;
251876Speter
251876Speter        // create secret key
251876Speter        byte[] keyVal = new byte[16];
251876Speter        (new SecureRandom()).nextBytes(keyVal);
251876Speter        // NSS will throw CKR_HOST_MEMORY if calling C_DecryptInit w/
251876Speter        // (keyVal[0] == 0)
251876Speter        if (keyVal[0] == 0) {
251876Speter            keyVal[0] = 1;
251876Speter        }
251876Speter        softkey = new SecretKeySpec(keyVal, "AES");
251876Speter        dumpKey("softkey", softkey);
251876Speter
251876Speter        KeyGenerator kg = KeyGenerator.getInstance("DESede", provider);
251876Speter        sk1 = kg.generateKey();
251876Speter        dumpKey("skey1", sk1);
251876Speter        sk2 = kg.generateKey();
251876Speter        dumpKey("skey2", sk2);
251876Speter
251876Speter        String token = System.getProperty("TOKEN");
251876Speter
251876Speter        if (token == null || token.length() == 0) {
251876Speter            System.out.println("Error: missing TOKEN system property");
251876Speter            throw new Exception("token arg required");
251876Speter        }
251876Speter
251876Speter        if ("nss".equals(token)) {
251876Speter            tokenPwd = nssPwd;
251876Speter        } else if ("solaris".equals(token)) {
251876Speter            tokenPwd = solarisPwd;
251876Speter        }
251876Speter
251876Speter        int testnum = 1;
251876Speter        doTest();
251876Speter    }
251876Speter
251876Speter    private static boolean checkSecretKeyEntry(String alias,
251876Speter            SecretKey expected,
251876Speter            boolean saveBeforeCheck)
251876Speter            throws Exception {
251876Speter
251876Speter        // A bug in NSS 3.12 (Mozilla bug 471665) causes AES key lengths
251876Speter        // to be read incorrectly.  Checking for improper 16 byte length
251876Speter        // in key string.
251876Speter        if (isNSS(provider) && expected.getAlgorithm().equals("AES") &&
251876Speter                (getNSSVersion() >= 3.12 && getNSSVersion() <= 3.122)) {
251876Speter            System.out.println("NSS 3.12 bug returns incorrect AES key "+
251876Speter                    "length breaking key storage. Aborting...");
251876Speter            return true;
251876Speter        }
251876Speter
251876Speter        if (saveBeforeCheck) {
251876Speter            ks.setKeyEntry(alias, expected, null, null);
251876Speter        }
251876Speter        SecretKey result = (SecretKey) (ks.getKey(alias, null));
251876Speter        String keyEncFormat = result.getFormat();
251876Speter        if (keyEncFormat == null) {
251876Speter            // sensitive or un-extractable keys - verify by encrypt/decrypt
251876Speter            byte[] data = new byte[64];
251876Speter            Cipher c =
251876Speter                    Cipher.getInstance(result.getAlgorithm() + "/CBC/NoPadding",
251876Speter                    provider);
251876Speter            c.init(Cipher.ENCRYPT_MODE, expected);
251876Speter            byte[] encOut = c.doFinal(data);
251876Speter            c.init(Cipher.DECRYPT_MODE, result, c.getParameters());
251876Speter            byte[] decOut = c.doFinal(encOut);
251876Speter            if (!Arrays.equals(data, decOut)) {
251876Speter                return false;
251876Speter            }
251876Speter        } else if (keyEncFormat.toUpperCase().equals("RAW")) {
251876Speter            if (!Arrays.equals(result.getEncoded(), expected.getEncoded())) {
251876Speter                dumpKey("\texpected:", expected);
251876Speter                dumpKey("\treturns:", result);
251876Speter                return false;
251876Speter            }
251876Speter        }
251876Speter        return true;
251876Speter    }
251876Speter
251876Speter    private static void dumpKey(String info, SecretKey key) {
251876Speter        System.out.println(info + "> " + key);
251876Speter        System.out.println("\tALGO=" + key.getAlgorithm());
251876Speter        if (key.getFormat() != null) {
251876Speter            System.out.println("\t[" + key.getFormat() + "] VALUE=" +
251876Speter                    DatatypeConverter.printHexBinary(key.getEncoded()));
251876Speter        } else {
251876Speter            System.out.println("\tVALUE=n/a");
251876Speter        }
251876Speter    }
251876Speter
251876Speter    private static void doTest() throws Exception {
251876Speter        if (ks == null) {
251876Speter            ks = KeyStore.getInstance(KS_TYPE, provider);
251876Speter            ks.load(null, tokenPwd);
251876Speter        }
251876Speter
251876Speter        System.out.println("Number of entries: " + ks.size());
251876Speter        if (ks.size() != 0) {
251876Speter            System.out.println("Deleting entries under aliases: ");
251876Speter            for (Enumeration<String> aliases = ks.aliases();
251876Speter                    aliases.hasMoreElements();) {
251876Speter                String alias = aliases.nextElement();
251876Speter                System.out.println("\t" + alias);
251876Speter                ks.deleteEntry(alias);
251876Speter            }
251876Speter        }
251876Speter
251876Speter        String alias = "testSKey";
251876Speter
251876Speter        boolean testResult = checkSecretKeyEntry(alias, softkey, true);
251876Speter        if (!testResult) {
251876Speter            System.out.println("FAILURE: setKey() w/ softSecretKey failed");
251876Speter        }
251876Speter
251876Speter        if (!checkSecretKeyEntry(alias, sk1, true)) {
251876Speter            testResult = false;
251876Speter            System.out.println("FAILURE: setKey() w/ skey1 failed");
251876Speter        }
251876Speter        if (!checkSecretKeyEntry(alias, sk2, true)) {
251876Speter            testResult = false;
251876Speter            System.out.println("FAILURE: setKey() w/ skey2 failed");
251876Speter        }
251876Speter
251876Speter        ks.store(null);
251876Speter        System.out.println("Reloading keystore...");
251876Speter
251876Speter        ks.load(null, "whatever".toCharArray());
251876Speter        if (ks.size() != 1) {
251876Speter            System.out.println("FAILURE: reload#1 ks.size() != 1");
251876Speter        }
251876Speter        if (!checkSecretKeyEntry(alias, sk2, false)) {
251876Speter            testResult = false;
251876Speter            System.out.println("FAILURE: reload#1 ks entry check failed");
251876Speter        }
251876Speter
251876Speter        ks.deleteEntry(alias);
251876Speter        ks.store(null);
251876Speter
251876Speter        System.out.println("Reloading keystore...");
251876Speter        ks.load(null, "whatever".toCharArray());
251876Speter        if (ks.size() != 0) {
251876Speter            testResult = false;
251876Speter            System.out.println("FAILURE: reload#2 ks.size() != 0");
251876Speter        }
251876Speter        if (!testResult) {
251876Speter            throw new Exception("One or more test failed!");
251876Speter        }
251876Speter    }
251876Speter}
251876Speter