public final class LunaSlotManager
extends java.lang.Object

The JCA API is not adequate for dealing with all the interfaces available with Luna HSMs. LunaSlotManager methods provide additional proprietary and custom functionality where necessary.

When the application starts up, LunaSlotManager attempts to find already-logged-in slots. If any are detected, it sets up the login state internally so the user doesn't have to log in again. These initial logged-in slots could be authenticated as SECURITY_OFFICER (RW only) or CRYPTO_USER (RW or RO).

If a login was done external to LunaSlotManager with a non-default application id, setApplicationId should be used to set LunaSlotManager's application id to that value. This means that this application does not need to log in, as the application ID establishes an application context for all applications accessing the HSM partition with the given application ID.

The first logged-in slot is used as the default slot for all crypto operations where a slot is not explicitly specified (this includes all JCA/JCE crypto operations). This default can be changed with setDefaultSlot if more slots are logged in to later. If the default slot is changed while the application is running, the value will change across all threads. Although the operation of changing the default slot is thread-safe, one should not do this unless all in-flight operations are complete, so as not to get confusing results.
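A startup routine that follows the behaviour described above (adopting a slot that was already logged in, otherwise logging in by partition label and making that slot the default, then pinning the key-generation policy), as an added example that is not part of the Luna JSP or of this page; the package name com.safenetinc.luna, the LunaStartup class and the environment variable names are assumptions.

```java
import com.safenetinc.luna.LunaSlotManager;
// Added example, not part of the Luna JSP. Assumes the JSP classes live in the
// com.safenetinc.luna package and that the partition label and Crypto User
// password come from the deployment (environment variables here, as placeholders).
public final class LunaStartup {

    /** Ensures a logged-in default slot, applies key policy, returns the slot number. */
    public static int openDefaultSlot(String partitionLabel, String password) {
        LunaSlotManager mgr = LunaSlotManager.getInstance();
        int slot;
        if (mgr.isLoggedIn()) {
            // LunaSlotManager adopted a slot that was logged in before startup;
            // it is already the default, so a second login is unnecessary.
            slot = mgr.getDefaultSlot();
        } else {
            // Resolve the partition by label rather than a hard-coded slot number:
            // slots are numbered from 1 and shift when tokens are added or removed.
            // Assumption: an unknown label yields a value below 1 or a LunaException.
            slot = mgr.findSlotFromLabel(partitionLabel);
            if (slot < 1 || !mgr.isTokenPresent(slot)) {
                throw new IllegalStateException("no token labelled " + partitionLabel);
            }
            // login(int, String) uses the normal (Crypto User) role. A PED-authenticated
            // partition needs an empty password string; a non-empty one makes C_Login
            // fail with CKR_INVALID_ENTRY_TYPE (see the login() details on this page).
            if (!mgr.login(slot, password)) {
                throw new IllegalStateException("login to slot " + slot + " failed");
            }
            if (!mgr.setDefaultSlot(slot)) {
                throw new IllegalStateException("slot " + slot + " not accepted as default");
            }
        }

        // Key policy: newly generated keys stay non-extractable and non-derivable.
        // These are the documented defaults; setting them explicitly on the singleton
        // overrides anything earlier code in the same JVM may have relaxed.
        mgr.setPrivateKeysExtractable(false);
        mgr.setSecretKeysExtractable(false);
        mgr.setPrivateKeysDerivable(false);
        mgr.setSecretKeysDerivable(false);

        // Record which partition this process is bound to and whether FIPS mode is on.
        System.out.println("slot " + slot + " label=" + mgr.getTokenLabel(slot)
                + " serial=" + mgr.getTokenSerialNumber(slot) + " fips=" + mgr.isFIPSEnabled());
        return slot;
    }

    public static void main(String[] args) {
        final int slot = openDefaultSlot(System.getenv("LUNA_PARTITION_LABEL"),
                                         System.getenv("LUNA_PARTITION_PASSWORD"));
        // Release the partition when the JVM exits.
        Runtime.getRuntime().addShutdownHook(
                new Thread(() -> LunaSlotManager.getInstance().logout(slot)));
    }
}
```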
Modifier and Type | Field and Description
---|---
protected static java.util.logging.Logger | LOGGER
Modifier and Type | Method and Description
---|---
boolean | arePrivateKeysDerivable() - Checks if newly-generated private keys can derive other keys.
boolean | arePrivateKeysExtractable() - Checks if newly-generated private keys are extractable.
boolean | areSecretKeysDerivable() - Checks if newly-generated secret keys can derive other keys.
boolean | areSecretKeysExtractable() - Checks if newly-generated secret keys are extractable.
void | clrReconnectRequired() - Clears the reinit flag in LunaSlotManager.
void | detectTokenConnectionProblem(int slot) - Checks for token presence but, unlike isTokenPresent, throws an exception if there is no token, as we know there should be one.
void | disableReconnect()
void | enableReconnect()
int | findSlotFromLabel(java.lang.String tokenLabel) - Searches the currently present slots for one with a label matching the one given.
int | getCurrentObjectCount() - Returns the current persistent object count for the token at the current default slot.
int | getCurrentObjectCount(int slot) - Returns the current persistent object count for the token at the specified slot.
int | getCurrentTotalObjectCount() - Returns the current persistent object count of all logged-in tokens.
static int | getCvSlotType() - Returns the CV_SLOT slot type.
int | getDefaultSlot() - Gets the current default slot number.
int | getDSAParmGenQBits() - Gets the DSA parm gen qbits value in LunaSlotManager.
LunaHAStatus | getHAStatus() - Gets the HA status for the default slot.
LunaHAStatus | getHAStatus(int slot) - Gets the HA status for the specified slot.
static LunaSlotManager | getInstance() - Returns the only instance of the singleton LunaSlotManager class.
LunaAPI | getLunaAPI() - Returns a reference to the LunaAPI object.
static int | getLunaSlotType() - Returns the LUNA_SLOT slot type.
int | getNumberOfSlots() - Determines how many slots are present in the system.
LunaPkcs11Attributes | getPkcs11Attribute(long mechanism) - Gets the LunaPkcs11Attributes instance for a given mechanism.
boolean | getReconnectEnabled() - Gets the reconnect-enabled flag in LunaSlotManager.
boolean | getReconnectRequired() - Gets the reinit flag in LunaSlotManager.
static boolean | getRequireFIPSWrap() - Whether JSP should require the FIPS internal JSP key wrapping, regardless of the FIPS setting.
static boolean | getRequirePKA()
int | getSessionObjectAuditorEntrySize()
int[] | getSlotList() - Returns a list of slots that have tokens present.
static java.lang.Integer | getSlotType(int aInSlot) - Checks the slot type.
java.lang.Long[] | getTokenFirmwareVersion(int slot) - Reads the firmware version of the token contained in the given slot.
java.lang.String | getTokenLabel(int slot) - Reads the label of the token contained in the given slot.
java.lang.String | getTokenSerialNumber(int slot) - Reads the serial number of the token contained in the given slot.
byte[] | getWrappingKeyBytesToo(int slot) - Returns wrapping key bytes for the DeriveKeyAndWrapEcDh feature.
int | getWrappingKeyHandle(int slot) - Returns the handle for the wrapping key for a given slot.
int | getWrappingKeyHandleToo(int slot) - Returns the wrapping key handle for the DeriveKeyAndWrapEcDh feature.
boolean | isAttributeCachingEnabled() - Checks if PKCS attribute caching is enabled.
boolean | isFIPSEnabled() - Returns the FIPS-enabled status of the provider.
static boolean | isFwAtOrAbove(int aInSlot, java.lang.String aInFwVersion) - Checks if the firmware version for the input slot is at least at the desired level.
static boolean | isInitialized()
boolean | isLoggedIn() - Checks if the application is logged in to at least one token.
boolean | isLoggedIn(int slot) - Checks if the application is logged in to the given slot.
boolean | isShuttingDown() - Returns true if the application's shutdown hook has been called, false otherwise.
boolean | isTokenPresent(int slot) - Tests whether a token is present at the given slot.
void | logExternal(int slot, java.lang.String logMsg) - Sends a log message to the token at the specified slot.
void | logExternal(java.lang.String logMsg) - Sends a log message to the token at the default slot.
boolean | login(int slot, java.lang.String password) - Logs in to a slot as a normal user role with the specified password.
boolean | login(int slot, UserRole userType, java.lang.String password) - Logs in to a slot with the specified user role and password.
int | login(java.lang.String password) - Logs in to the current default slot as a normal user, using the given password.
boolean | login(java.lang.String tokenLabel, java.lang.String password) - Logs in to the token with the given label as a normal user, with the given password.
void | logout() - Logs out from the current default slot.
void | logout(int slotNum) - Logs out from the specified slot.
boolean | querySecretKeysDeriveFlag() - Deprecated.
void | reinitialize() - Re-initializes the connection to the HSM.
void | reinitialize(boolean aInNuclearOption) - Re-initializes the JSP connection.
void | releaseKey(LunaTokenObject lto) - Releases a reference to a session key.
void | reloadProvider(LunaProvider provider) - Reloads the algorithms supplied in the LunaProvider instance.
void | resetDSAParmGenQBits() - Sets the DSA parm gen qbits value in LunaSlotManager back to its initial value.
void | setApplicationId(int majorId, int minorId) - Sets the major and minor application IDs.
void | setAttributeCaching(boolean enabled) - Enables or disables attribute caching.
boolean | setDefaultSlot(int slotNum) - Sets the default slot to the given slot.
void | setDSAParmGenQBits(int qbits) - Sets the DSA parm gen qbits value in LunaSlotManager.
void | setPIN(int slot, java.lang.String oldPin, java.lang.String newPin) - Sets the PIN using the given slot, old PIN and new PIN.
void | setPIN(java.lang.String oldPin, java.lang.String newPin) - Sets the PIN using the given old PIN and new PIN.
void | setPkcs11Attributes(long mechanism, LunaPkcs11Attributes attributes) - Sets the LunaPkcs11Attributes for a given mechanism.
void | setPkcs11AttributesConfig(java.io.InputStream stream) - Sets and parses the global PKCS11 attributes configuration.
void | setPrivateKeysDerivable(boolean deriveFlag) - Determines whether newly-generated private keys will be created with the derive flag set.
void | setPrivateKeysExtractable(boolean extractable) - Determines whether newly-generated private keys will be created with the extractable flag set.
void | setReconnectRequired(long rc) - Sets the reinit flag in LunaSlotManager iff required.
static void | setRequireFIPSWrap(boolean aInFlag) - Whether JSP should require the FIPS internal JSP key wrapping, regardless of the FIPS setting.
static void | setRequirePKA(boolean aInFlag)
void | setSecretKeysDerivable(boolean deriveFlag) - Determines whether newly-generated secret keys will be created with the derive flag set.
void | setSecretKeysExtractable(boolean extractable) - Determines whether newly-generated secret keys will be created with the extractable flag set.
void | setThreadLocalDefaultSlot(boolean threadLocal) - Determines if the default slot will be global or thread-local.
void | setTokenObjectType(boolean aInTokenObjectType)
static boolean | useFIPSKeyWrap(int aInSlot) - Checks if JSP should use the new AES_KWP mechanism or revert to the older DES3 mechanism for ephemeral key wrapping/unwrapping for provider interop.
public static boolean isInitialized()

public static LunaSlotManager getInstance()

public LunaAPI getLunaAPI()

public int getDefaultSlot()

public int getDSAParmGenQBits()

public void setDSAParmGenQBits(int qbits)
Parameters:
qbits - the number of qbits to use in a DSA parameter generation

public void resetDSAParmGenQBits()

public void enableReconnect()

public void disableReconnect()

public boolean getReconnectEnabled()

public void setReconnectRequired(long rc)
Parameters:
rc - return code from the cryptoki lib

public boolean getReconnectRequired()

public void clrReconnectRequired()

public boolean setDefaultSlot(int slotNum)
Parameters:
slotNum - The slot to make the default. This must be a logged-in slot.

public boolean isFIPSEnabled()

public boolean areSecretKeysExtractable()
The default value is false.

public void setSecretKeysExtractable(boolean extractable)
Parameters:
extractable - The extractable setting.

public boolean areSecretKeysDerivable()
The default value is false.

@Deprecated
public boolean querySecretKeysDeriveFlag()

public void setSecretKeysDerivable(boolean deriveFlag)
Parameters:
deriveFlag - The derive setting.

public boolean arePrivateKeysDerivable()
The default value is false.

public void setPrivateKeysDerivable(boolean deriveFlag)
Parameters:
deriveFlag - The derive setting.

public boolean arePrivateKeysExtractable()
The default value is false.

public void setPrivateKeysExtractable(boolean extractable)
Parameters:
extractable - The extractable setting.

public boolean isAttributeCachingEnabled()
The caching behaviour for provider objects is dynamic. If this attribute is changed from true to false, all existing provider objects will access the HSM directly for their next attribute read. Note: in this scenario objects will clear their entire cache the first time an attribute is requested after this setting has been changed.
Caching is enabled by default to enhance performance. To ensure data consistency, it should be disabled if another application is accessing the same HSM objects, or if LunaAPI is being used to manipulate the objects directly.
public void setAttributeCaching(boolean enabled)
See isAttributeCachingEnabled() for more discussion of the consequences.
Attribute caching is enabled by default.
Parameters:
enabled - the new value of the attribute caching parameter

public void setThreadLocalDefaultSlot(boolean threadLocal)
If thread-local default slots are enabled while there are multiple threads, the default slot for each thread is initially set to the value of the global default slot at that time. If thread-local default slots are disabled while the application is running, the last slot set using setDefaultSlot will become the global default slot.
Parameters:
threadLocal - If true, the default slot will be thread-local. If false, the default slot will be global.

public boolean isShuttingDown()

public int getWrappingKeyHandle(int slot)
This method is for internal use only.
Parameters:
slot - the slot to get the wrapping key for

public int getWrappingKeyHandleToo(int slot)
Parameters:
slot - desired slot number

public byte[] getWrappingKeyBytesToo(int slot)
Parameters:
slot - desired slot number

public int getCurrentObjectCount(int slot) throws LunaException
Parameters:
slot - The slot to check
Throws:
LunaException - If the slot is uninitialized

public int getCurrentObjectCount() throws LunaException
Throws:
LunaException - If there is no default slot

public void logExternal(int slot, java.lang.String logMsg) throws LunaException
Parameters:
slot - The slot to send the log msg to
logMsg - log msg string
Throws:
LunaException - If the slot is uninitialized

public void logExternal(java.lang.String logMsg) throws LunaException
Parameters:
logMsg - log msg string
Throws:
LunaException - If there is no default slot

public void detectTokenConnectionProblem(int slot)
Parameters:
slot - slot number

public void setTokenObjectType(boolean aInTokenObjectType)
Parameters:
aInTokenObjectType - 1 for token object, 0 for session object

public int getCurrentTotalObjectCount()

public int getNumberOfSlots()

public int[] getSlotList()

public boolean isTokenPresent(int slot)
Parameters:
slot - The number of the slot to test
Returns:
true if a token is present in the slot

public java.lang.String getTokenLabel(int slot) throws LunaCryptokiException
Parameters:
slot - The slot of the token to read
Throws:
LunaCryptokiException - If there is no token at that slot

public java.lang.String getTokenSerialNumber(int slot) throws LunaCryptokiException
Parameters:
slot - The slot of the token to read
Throws:
LunaCryptokiException - If there is no token at that slot

public java.lang.Long[] getTokenFirmwareVersion(int slot) throws LunaCryptokiException
Parameters:
slot - The slot of the token to read
Throws:
LunaCryptokiException - If there is no token at that slot

public void setApplicationId(int majorId, int minorId)
Parameters:
majorId - The major application ID
minorId - The minor application ID

public LunaHAStatus getHAStatus(int slot)
Parameters:
slot - The slot to check the HA status on
Returns:
LunaHAStatus object containing the status information

public LunaHAStatus getHAStatus()
Returns:
LunaHAStatus object containing the status information

public boolean isLoggedIn()
This method only checks slots that were already logged in when the application was started, and slots that have been logged in to by this application.

public boolean isLoggedIn(int slot)
Parameters:
slot - The slot to check if the application is logged in.

public void releaseKey(LunaTokenObject lto)
See LunaKey.release() for the public API.
Parameters:
lto - the session key to release

public boolean login(int slot, UserRole userType, java.lang.String password)
Slots are enumerated starting from 1 (e.g. a system with four slots would have slots numbered '1', '2', '3' and '4').
If an application attempts to use a Luna HSM without explicitly logging in, the Luna provider will attempt to find a token which is already logged in. If no such token exists, an exception will be thrown.
Parameters:
slot - The slot containing the token to log in to
userType - The type of user logging in
password - The password to use for login. If the given slot contains a token which requires the use of a PED for PIN entry and a non-empty string is provided for the password argument, the login method will throw an exception "function 'C_Login' returns 0x80000028" (0x80000028 = CKR_INVALID_ENTRY_TYPE).

public boolean login(int slot, java.lang.String password)
Parameters:
slot - The slot containing the token to log in to
password - The password to use for login.

public int login(java.lang.String password)
Parameters:
password - The password to use for the login.

public boolean login(java.lang.String tokenLabel, java.lang.String password)
Parameters:
tokenLabel - The label of the token to which to log in
password - The password to use for the login
Throws:
LunaException - if the given password is incorrect

public void setPIN(java.lang.String oldPin, java.lang.String newPin)
Parameters:
oldPin - The current PIN for the user.
newPin - The new PIN for the user.

public void setPIN(int slot, java.lang.String oldPin, java.lang.String newPin)
Parameters:
slot - The slot to use.
oldPin - The current PIN for the user.
newPin - The new PIN for the user.

public int findSlotFromLabel(java.lang.String tokenLabel)
Parameters:
tokenLabel - The token label to search for

public void logout()

public void logout(int slotNum)
Parameters:
slotNum - The slot to log out of

public void reinitialize()
This operation has consequences to be aware of: if reinitialize() was called, the object handles of token objects may change, because the HA library uses a virtual handle table. In this case best practice would be to let all Java crypto objects that refer to token objects on the HSM be garbage collected before calling reinitialize().

public void reinitialize(boolean aInNuclearOption)
Parameters:
aInNuclearOption - if true, then it finalizes and re-initializes the library, which requires all threads to be halted beforehand, as the carpet is pulled out completely from under any thread on the fly, which leads to indeterminate behavior as allowed in the PKCS#11 spec

public void reloadProvider(LunaProvider provider)
Reloads the algorithms supplied in the LunaProvider instance. It is recommended to use the LunaProvider.getInstance() method in order to get a LunaProvider instance to allow making calls to JCA getInstance methods by passing in a provider dynamically. If this recommendation isn't followed and an instance is obtained using "new LunaProvider()", then this method can be used to update the LunaProvider instance once authentication to the partitions has been performed, in order that the provider instance accurately represents the supplied algorithms that are available with respect to FIPS mode.
This method has no purpose if using a statically registered provider, if using the LunaProvider instance returned from LunaProvider.getInstance(), or if all of the partitions are in non-FIPS mode.
Parameters:
provider - the instance of LunaProvider to have the list of supplied algorithms reloaded.

public static java.lang.Integer getSlotType(int aInSlot)
Parameters:
aInSlot - the desired slot to check

public static int getCvSlotType()
public static int getLunaSlotType()
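Recovering from a lost token connection with the reconnect flags, detectTokenConnectionProblem() and reinitialize() described above (including the handle-table caveat and the reason not to use the nuclear option on a running service), as an added example that is not the Luna JSP's own code; the package name com.safenetinc.luna, the LunaConnectionGuard class and the assumption that LunaException is unchecked are mine.

```java
import com.safenetinc.luna.LunaException;
import com.safenetinc.luna.LunaSlotManager;
// Added example, not part of the Luna JSP. Assumes the JSP classes live in the
// com.safenetinc.luna package and that LunaException is unchecked, as the
// detectTokenConnectionProblem(int) signature declares no checked exception.
public final class LunaConnectionGuard {

    private final LunaSlotManager mgr = LunaSlotManager.getInstance();

    /**
     * Checks that the default slot is still reachable and, if not, recovers the JSP
     * connection once. Returns true when the slot is usable and still logged in,
     * false when it came back without login state (the caller must log in again).
     */
    public boolean ensureConnected(Runnable dropHandleHolders) {
        int slot = mgr.getDefaultSlot();

        // Two triggers: the provider already flagged a cryptoki error through
        // setReconnectRequired(rc), or the token is absent right now. Unlike
        // isTokenPresent(), detectTokenConnectionProblem() throws for the latter.
        boolean lost = mgr.getReconnectRequired();
        if (!lost) {
            try {
                mgr.detectTokenConnectionProblem(slot);
                return true;
            } catch (LunaException e) {
                System.err.println("slot " + slot + " unreachable: " + e.getMessage());
                lost = true;
            }
        }
        if (!mgr.getReconnectEnabled()) {
            // Reconnect disabled by the operator: fail closed rather than retry.
            throw new IllegalStateException("slot " + slot + " lost and reconnect disabled");
        }

        // The HA library uses a virtual handle table, so token-object handles may
        // change across reinitialize(). Have the caller drop every Java object that
        // holds an HSM handle first, so a stale handle is never reused afterwards.
        dropHandleHolders.run();

        // Plain reinitialize(): reinitialize(true) tears the library down and needs
        // every thread halted beforehand, which a live service cannot guarantee.
        mgr.reinitialize();
        mgr.clrReconnectRequired();

        boolean present = mgr.isTokenPresent(slot);
        boolean loggedIn = present && mgr.isLoggedIn(slot);
        System.err.println("reinitialize(): slot " + slot + " present=" + present
                + " loggedIn=" + loggedIn);
        if (!present) {
            throw new IllegalStateException("slot " + slot + " still absent after reinitialize()");
        }
        return loggedIn;
    }
}
```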
public static boolean isFwAtOrAbove(int aInSlot, java.lang.String aInFwVersion)
Parameters:
aInSlot - the desired slot to check
aInFwVersion - the desired FW version to check against

public static void setRequireFIPSWrap(boolean aInFlag)
Parameters:
aInFlag - a boolean for the desired setting

public static boolean getRequireFIPSWrap()

public static boolean useFIPSKeyWrap(int aInSlot)
Parameters:
aInSlot - the desired slot to check

public int getSessionObjectAuditorEntrySize()

public static void setRequirePKA(boolean aInFlag)

public static boolean getRequirePKA()

public void setPkcs11AttributesConfig(java.io.InputStream stream) throws java.io.IOException
The LUNA_PKCS11_ATTRIBUTES_CONFIG environment variable can be set to point at a configuration file as an alternative to using this method.
For more information about the configuration file see LunaPkcs11AttributesConfig.
Parameters:
stream - the InputStream of the configuration to parse.
Throws:
java.io.IOException - if there is an IO error

public LunaPkcs11Attributes getPkcs11Attribute(long mechanism)
Parameters:
mechanism - the mechanism

public void setPkcs11Attributes(long mechanism, LunaPkcs11Attributes attributes)
Parameters:
mechanism - the mechanism
attributes - the LunaPkcs11Attribute that is being set

Copyright 2014-2018 SafeNet. All rights reserved.