com.safenetinc.luna.provider.key

Class LunaKey

java.lang.Object

com.safenetinc.luna.provider.key.LunaKey

All Implemented Interfaces:

Serializable, Key

Direct Known Subclasses:

LunaKeyDh, LunaKeyDsa, LunaKeyEC, LunaKeyRsa, LunaSecretKey

public class LunaKey
extends Object
implements Key

The LunaKey class encapsulates all keys stored on Luna hardware.

LunaKey objects can be created through KeyGenerator and KeyPairGenerator objects making use of the "LunaProvider" provider. Alternately, they can be created to represent keys already stored on the hardware, using a KeyStore (type "Luna") or the LocateKeyByAlias() method.

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
protected int	keySize Size of the token key, in bits.
protected static LunaAPI	lapi
protected long	mKeyClass
protected long	mKeyType
protected LunaTokenObject	mObject
static int	UNLIMITED_USE Use this value with setUsageLimit to enable usage counting for this key without actually asserting a limit on the use.
protected static byte[]	WRAP_IV

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	LunaKey() Creates an uninitialized LunaKey object.
	LunaKey(int hKey) Create a LunaKey object from the key stored in the default slot with the given handle.
	LunaKey(int hKey, int slot) Create a LunaKey object from the key stored in the specified slot with the given handle.
protected	LunaKey(int hKey, int slot, long keyClass, long keyType) Create a LunaKey object from the key stored in the specified slot with the given handle.
protected	LunaKey(int hKey, int slot, Map<Long,Object> sessionParameters) Create a LunaKey object from the key stored in the specified slot with the given handle.
	LunaKey(LunaTokenObject object) Create a LunaKey object from the key stored on the Luna hardware.

Method Summary

Modifier and Type	Method and Description
static BigInteger	AttributeToBigInteger(byte[] in) Turn an integer attribute (such as CKA_MODULUS) into a BigInteger.
static byte[]	BigIntegerToAttribute(BigInteger b) Converts a big integer into a byte array suitable for use as a token object attribute.
void	DestroyKey() Destroys the key completely, including removing it from the hardware.
boolean	equals(Object obj) Check for equivalence between this LunaKey object and the object that's passed in.
String	getAlgorithm() Returns a String representation of the key algorithm
String	GetAlias() Returns the alias of the LunaKey object.
Date	GetDateMadePersistent() Returns the date that the LunaKey was made persistent.
byte[]	getEncoded() Returns the encoded form of the LunaKey object.
protected byte[]	getEncodedInternal()
byte[]	GetFingerprint() Returns a fingerprint of an object (a byte array that contains a cryptographic hash of various attributes of the object).
String	getFormat() Returns the name of the format used to encode the LunaKey object.
long	GetKeyClass() Returns the PKCS11 object class of the key.
int	GetKeyHandle() Returns the handle of the key stored in hardware.
int	getKeySize() Returns the size of the key wrapped by this LunaKey, in bits.
static long	GetKeyType(String algorithm) Returns the key type identifier for the given algorithm
LunaSession	getSession() Returns a new LunaSession on same slot as this key.
int	getSlot() Returns the slot the key is stored in.
int	getUsageCount() Get the number of times this key has been used.
int	getUsageLimit() Get the usage limit set on this on this key.
int	hashCode() Two Keys are considered equal if their encoded forms match, so we simply return the hash code of the encoded bytes.
protected void	Initialize(int hKey, int slot, long keyClass, long keyType) Initialize a LunaKey object with the given data.
protected void	Initialize(int hKey, int slot, Map<Long,Object> sessionParameters) Initialize a LunaKey object with the given data.
protected static int	injectKey(byte[] keyBytes, long keyAlg, long keyType, int slot, boolean extractable, boolean derive)
static PrivateKey	InjectPrivateKey(byte[] encodedKey, long algId) Injects the given encoded private key of the specified algorithm type into the token at the default slot.
static PrivateKey	InjectPrivateKey(byte[] encodedKey, long algId, int slot) Injects the given encoded private key of the specified algorithm type into the token at the specified slot.
static PrivateKey	InjectPrivateKey(PrivateKey key) Inject (encrypt encoded key and unwrap) a non-Luna private key into the token at the default slot.
static PrivateKey	InjectPrivateKey(PrivateKey key, int slot) Inject (encrypt encoded key and unwrap) a non-Luna private key into the token at the specified slot.
boolean	IsKeyPersistent() Returns a boolean indicating whether or not the given LunaKey object is persistent.
static LunaKey	LocateKeyByAlias(String alias) Locate a persisted key on the default slot using the alias assigned when MakePersistant() was invoked.
static LunaKey	LocateKeyByAlias(String alias, int slot) Locate a persisted key on the specified slot using the alias assigned when MakePersistant() was invoked.
static LunaKey	LocateKeyByFingerprint(byte[] fingerprint) Locate a persisted key on the default slot using the key's fingerprint.
static LunaKey	LocateKeyByFingerprint(byte[] fingerprint, int slot) Locate a persisted key on the specified slot using the key's fingerprint.
static LunaKey	LocateKeyByHandle(int handle) Locate a persisted key on the default slot using the handle assigned when MakePersistant() was invoked.
static LunaKey	LocateKeyByHandle(int handle, int slot) Locate a persisted key on the specified slot using the handle assigned when MakePersistent() was invoked.
static LunaKey	LocateKeyOnlyByAlias(String alias) Locate a persisted key on the default slot using the alias assigned when MakePersistant() was invoked.
static LunaKey	LocateKeyOnlyByAlias(String alias, int slot) Locate a persisted key on the specified slot using the alias assigned when MakePersistant() was invoked.
void	MakePersistent(String alias) The MakePersistent() method can be used to ensure that a key that has been generated will continue to exist from one instance of an application to another.
void	release() This method is used to signal to the Luna provider that an application is finished with a session (temporary) object on the HSM.
protected void	setKeySize() Sets the size of the key we're wrapping, in bits.
boolean	setUsageCount(int count) Set the usage count on this key.
boolean	setUsageLimit(int limit) Set the usage limit on this key.
String	toString() Returns a string representation of the key object.
protected void	verifyClassAndType() Checks that the existing object handle being wrapped by this LunaKey objects has the key class and key type expected by the LunaKey subclass.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

WRAP_IV

protected static final byte[] WRAP_IV

lapi

protected static final LunaAPI lapi

mObject

protected transient LunaTokenObject mObject

mKeyClass

protected long mKeyClass

mKeyType

protected long mKeyType

keySize

protected int keySize

Size of the token key, in bits. If 0, the key size is unknown

UNLIMITED_USE

public static final int UNLIMITED_USE

Use this value with setUsageLimit to enable usage counting for this key without actually asserting a limit on the use. By default key usage is not counted.

See Also:

Constant Field Values

Constructor Detail

LunaKey

protected LunaKey()

Creates an uninitialized LunaKey object. This constructor does nothing, but cannot be removed as subclasses might depend on it. To initialize a LunaKey, use one of the other constructors or use one of the LocateKeyBy... factory methods

LunaKey

public LunaKey(int hKey)

Create a LunaKey object from the key stored in the default slot with the given handle.

Parameters:

hKey - The handle of the key stored in hardware.

LunaKey

public LunaKey(int hKey,
               int slot)

Create a LunaKey object from the key stored in the specified slot with the given handle.

Parameters:

hKey - The handle of the key stored in hardware.

slot - The slot the key is stored in

LunaKey

protected LunaKey(int hKey,
                  int slot,
                  long keyClass,
                  long keyType)

Create a LunaKey object from the key stored in the specified slot with the given handle. This private constructor is used when the providers knows the key class and type already, and can avoid a dip down to the HSM to get that information.

Parameters:

hKey - The handle of the key stored in hardware.

slot - The slot the key is stored in

keyClass - the PKCS class of the key

keyType - the PKCS type of the key

LunaKey

protected LunaKey(int hKey,
                  int slot,
                  Map<Long,Object> sessionParameters)

Create a LunaKey object from the key stored in the specified slot with the given handle. This private constructor is used when the providers knows the key class and type already, and can avoid a dip down to the HSM to get that information.

Parameters:

hKey - The handle of the key stored in hardware.

slot - The slot the key is stored in

sessionParameters - session parameters which will avoid an attribute call to the hsm.

LunaKey

public LunaKey(LunaTokenObject object)

Create a LunaKey object from the key stored on the Luna hardware.

Parameters:

object - The LunaTokenObject corresponding to the key in hardware.

Method Detail

Initialize

protected void Initialize(int hKey,
                          int slot,
                          long keyClass,
                          long keyType)

Initialize a LunaKey object with the given data.

Parameters:

hKey - the key's handle on the HSM

slot - the slot the key resides in

keyClass - the PKCS class of the key

keyType - the PKCS type of the key

Initialize

protected void Initialize(int hKey,
                          int slot,
                          Map<Long,Object> sessionParameters)

Initialize a LunaKey object with the given data.

Parameters:

hKey - the key's handle on the HSM

slot - the slot the key resides in

sessionParameters - the (session or token) indicator, PKCS class, type and length of the key

verifyClassAndType

protected void verifyClassAndType()

Checks that the existing object handle being wrapped by this LunaKey objects has the key class and key type expected by the LunaKey subclass.

Throws:

LunaException - if there is a mismatch

setKeySize

protected void setKeySize()

Sets the size of the key we're wrapping, in bits. This method should be called when a LunaKey is initialized with a key token object.

getKeySize

public int getKeySize()

Returns the size of the key wrapped by this LunaKey, in bits.

Returns:

The key size in bits

GetKeyHandle

public int GetKeyHandle()

Returns the handle of the key stored in hardware.

Returns:

the handle of the key in the HSM

getSession

public LunaSession getSession()

Returns a new LunaSession on same slot as this key.

Returns:

A LunaSession that can access this key

getSlot

public int getSlot()

Returns the slot the key is stored in.

Returns:

the slot number the key is stored in

GetFingerprint

public byte[] GetFingerprint()

Returns a fingerprint of an object (a byte array that contains a cryptographic hash of various attributes of the object). It is exceedingly unlikely that any two objects will share a fingerprint unless the objects are true duplicates of each other.

Returns:

the fingerprint of the key object on the HSM

GetKeyClass

public long GetKeyClass()

Returns the PKCS11 object class of the key. This will indicate it is a public, private or secret key.

Returns:

the PKCS11 object class of the key

toString

public String toString()

Returns a string representation of the key object. This will consist of the handle, the PKCS11 object class, and the algorithm type of the key.

Overrides:

toString in class Object

Returns:

a String representation of the key object.

MakePersistent

public void MakePersistent(String alias)

The MakePersistent() method can be used to ensure that a key that has been generated will continue to exist from one instance of an application to another. If a key is made persistent, it is associated with the given alias, and can be retrieved later using the LocateKeyByAlias static method.

The same alias can be assigned to both a public and a private key. If the same alias is assigned to two public or two private keys, an exception is thrown.

If a key is not made persistent after it is generated, it will disappear from the token when the application terminates.

Parameters:

alias - The alias to assign to the key.

GetDateMadePersistent

public Date GetDateMadePersistent()

Returns the date that the LunaKey was made persistent.

Returns:

the date that the LunaKey was made persistent

DestroyKey

public void DestroyKey()

Destroys the key completely, including removing it from the hardware.

getAlgorithm

public String getAlgorithm()

Returns a String representation of the key algorithm

Specified by:

getAlgorithm in interface Key

Returns:

a String representation of the key algorithm

getFormat

public String getFormat()

Returns the name of the format used to encode the LunaKey object.

This will be one of

• proprietary: keys with sensitive information, where the LunaKey only contains a reference to the handle of the key; the actual key bytes can't be extracted for encoding
• X.509: public keys
• RAW: secret keys, if they're set to be extractable

Specified by:

getFormat in interface Key

Returns:

the format of the encoded key

getEncoded

public byte[] getEncoded()

Returns the encoded form of the LunaKey object. This key class does not allow its key data to be extracted from the HSM, so the encoded form will contain only the a reference to the key's handle on the HSM.

Specified by:

getEncoded in interface Key

Returns:

an 8-byte encoding of object's handle on the HSM. The first four bytes are always zero. The last 4 bytes are the integer handle encoded as a byte array

getEncodedInternal

protected byte[] getEncodedInternal()

equals

public boolean equals(Object obj)

Check for equivalence between this LunaKey object and the object that's passed in.

This method compares the two keys by getting their encoded form, so it would compare this key's:

1. Field values if it's a public and or an extractable secret key (better)
2. Encoded PKCS#11 handle if it's a private and or a non-extractable secret key (not so good but not much we can do about it)

The second case, where we compare the encoded handle, would not work out when the comparison's done against a software key. Since we can't extract the field values from the hardware, there's no real solution to this problem.

Overrides:

equals in class Object

Returns:

true if the keys are equal, as per the definition above

hashCode

public int hashCode()

Two Keys are considered equal if their encoded forms match, so we simply return the hash code of the encoded bytes.

Overrides:

hashCode in class Object

Returns:

the hash code of the encoded key

GetAlias

public String GetAlias()

Returns the alias of the LunaKey object.

Returns:

the alias of the LunaKey object

IsKeyPersistent

public boolean IsKeyPersistent()

Returns a boolean indicating whether or not the given LunaKey object is persistent.

Returns:

true if the key is persistent on the HSM

release

public void release()

This method is used to signal to the Luna provider that an application is finished with a session (temporary) object on the HSM. The object on the HSM is *not* deleted. This method should be used when a process is finished with a session object that it did not create and does not explicitly want to delete. This method should not be used under normal operation. It is meant for situations like the following:

Two processes A and B share the same PKCS application id. Process A creates a session key. Process B can get a reference to this key by using the LunaKey(handle) constructor. When B is finished with the object it shouldn't delete it since A might still need it. It shouldn't let it just go out of scope either since when it gets GC'd, B's SessionObjectAuditor will delete the object on the HSM. B should call release() first on the key to avoid this latter situation.

Programming note: sharing session objects across processes is not a standard use of the Luna provider and may cause strange behaviour unless you are very careful about what you are doing. In almost all cases it is better to persist a key on the HSM with MakePersistent() before using it outside the originating process.

BigIntegerToAttribute

public static byte[] BigIntegerToAttribute(BigInteger b)

Converts a big integer into a byte array suitable for use as a token object attribute.

Since BigIntegers are signed, they use the upper bit for the sign. If an unsigned value with the upper bit set is converted to a BigInteger, the BigInteger will have an extra zero added. This routine removes that extra zero if necessary.

Parameters:

b - the BigInteger to convert

Returns:

an encoded attribute form of b

AttributeToBigInteger

public static BigInteger AttributeToBigInteger(byte[] in)

Turn an integer attribute (such as CKA_MODULUS) into a BigInteger. Sign conversions (attributes are unsigned while BigIntegers are signed) are handled by adding a leading zero if necessary.

Parameters:

in - the encoded attribute to convert

Returns:

a BigInteger representation of in

GetKeyType

public static long GetKeyType(String algorithm)
                       throws ProviderException

Returns the key type identifier for the given algorithm

Parameters:

algorithm - A string containing the name of the key algorithm

Returns:

An integer which identifies the algorithm type

Throws:

ProviderException

InjectPrivateKey

public static PrivateKey InjectPrivateKey(byte[] encodedKey,
                                          long algId)
                                   throws InvalidKeyException

Injects the given encoded private key of the specified algorithm type into the token at the default slot. The key should be the entire pkcs8-encoded bytestream, wrapped as an octet string.

Parameters:

encodedKey - The PKCS-8 encoded private key

algId - The algorithm type of the key

Returns:

The Luna PrivateKey object corresponding to the encoded key

Throws:

InvalidKeyException - exception

InjectPrivateKey

public static PrivateKey InjectPrivateKey(byte[] encodedKey,
                                          long algId,
                                          int slot)
                                   throws InvalidKeyException

Injects the given encoded private key of the specified algorithm type into the token at the specified slot. The key should be the entire pkcs8-encoded bytestream, wrapped as an octet string.

Parameters:

encodedKey - The PKCS-8 encoded private key

algId - The algorithm type of the key

slot - The slot of the token to inject the key into

Returns:

The Luna PrivateKey object corresponding to the encoded key

Throws:

InvalidKeyException - exception

InjectPrivateKey

public static PrivateKey InjectPrivateKey(PrivateKey key)
                                   throws InvalidKeyException

Inject (encrypt encoded key and unwrap) a non-Luna private key into the token at the default slot.

Parameters:

key - The non-Luna key object

Returns:

The corresponding Luna private key

Throws:

InvalidKeyException - exception

InjectPrivateKey

public static PrivateKey InjectPrivateKey(PrivateKey key,
                                          int slot)
                                   throws InvalidKeyException

Inject (encrypt encoded key and unwrap) a non-Luna private key into the token at the specified slot.

Parameters:

key - The non-Luna key object

slot - The slot of the token to inject the key into

Returns:

The corresponding Luna private key

Throws:

InvalidKeyException - If the key is not encoded in PKCS8 format, or if it is an ECC key on an unsupported named curve

injectKey

protected static int injectKey(byte[] keyBytes,
                               long keyAlg,
                               long keyType,
                               int slot,
                               boolean extractable,
                               boolean derive)

setUsageLimit

public boolean setUsageLimit(int limit)

Set the usage limit on this key. Once this key has been used for signing the specified number of times, any further operations using this key will return an exception.

Parameters:

limit - The maximum number of times this key may be used. This number cannot be less than zero.

Returns:

true if the limit was set successfully, false otherwise

getUsageLimit

public int getUsageLimit()

Get the usage limit set on this on this key.

Returns:

the usage limit set on this key

Throws:

LunaException - if there is no limit set on this key

setUsageCount

public boolean setUsageCount(int count)

Set the usage count on this key. This can be useful if a key has been restored from backup and you need to increase the usage count to match the last know count of the formerly active key.

Parameters:

count - The new usage count of the key. This number cannot be less than zero.

Returns:

true if the count was set successfully, false otherwise

getUsageCount

public int getUsageCount()

Get the number of times this key has been used.

Returns:

the usage count of this key

Throws:

LunaException - if the count isn't being tracked (i.e. there is no usage limit specified for this key)

LocateKeyByAlias

public static LunaKey LocateKeyByAlias(String alias)

Locate a persisted key on the default slot using the alias assigned when MakePersistant() was invoked. This method will find public keys, private keys and secret keys.

Parameters:

alias - The alias of the key to retrieve

Returns:

Returns the key object, or null if nothing matched

LocateKeyByAlias

public static LunaKey LocateKeyByAlias(String alias,
                                       int slot)

Locate a persisted key on the specified slot using the alias assigned when MakePersistant() was invoked. This method will find public keys, private keys and secret keys.

Parameters:

alias - The alias of the key to retrieve

slot - The slot to search

Returns:

Returns the key object, or null if nothing matched

LocateKeyByFingerprint

public static LunaKey LocateKeyByFingerprint(byte[] fingerprint)

Locate a persisted key on the default slot using the key's fingerprint.

Parameters:

fingerprint - The fingerprint of the key to retrieve

Returns:

Returns the key object, or null if nothing matched

LocateKeyByFingerprint

public static LunaKey LocateKeyByFingerprint(byte[] fingerprint,
                                             int slot)

Locate a persisted key on the specified slot using the key's fingerprint.

Parameters:

fingerprint - The fingerprint of the key to retrieve

slot - The slot to search

Returns:

Returns the key object.

LocateKeyOnlyByAlias

public static LunaKey LocateKeyOnlyByAlias(String alias)

Locate a persisted key on the default slot using the alias assigned when MakePersistant() was invoked. This method will find private keys and secret keys.

Parameters:

alias - The alias of the key to retrieve

Returns:

Returns the key object

LocateKeyOnlyByAlias

public static LunaKey LocateKeyOnlyByAlias(String alias,
                                           int slot)

Locate a persisted key on the specified slot using the alias assigned when MakePersistant() was invoked. This method will find private keys and secret keys.

Parameters:

alias - The alias of the key to retrieve

slot - The slot to search

Returns:

Returns the key object

LocateKeyByHandle

public static LunaKey LocateKeyByHandle(int handle)

Locate a persisted key on the default slot using the handle assigned when MakePersistant() was invoked.

This method should not be used to look up a session (non-persisted) key that was created by another Java process. Doing so may make the key unavailable at an unexpected time in this process or the originating process. If you need to share keys between processes, persist them first.

Parameters:

handle - The handle of the key to retrieve

Returns:

Returns the key object

LocateKeyByHandle

public static LunaKey LocateKeyByHandle(int handle,
                                        int slot)

Locate a persisted key on the specified slot using the handle assigned when MakePersistent() was invoked.

This method should not be used to look up a session (non-persisted) key that was created by another Java process. Doing so may make the key unavailable at an unexpected time in this process or the originating process. If you need to share keys between processes, persist them first.

Parameters:

handle - The handle of the key to retrieve

slot - The slot to search

Returns:

Returns the key object