SSL Server using a Hardware Accelerator through an IBMPKCS11Impl provider

This example shows the server side of a secure socket using the hardware accelerator card to provide bulk encryption, if the card supports it. The key and trusted certificates will come from a JKS keystore. The server will request client authentication. See the IBM PKCS11 Implementation Provider for details on using the IBMPKCS11Impl provider and obtaining the proper configuration file for your specific hardware cryptographic device.

Set up the IBMPKCS11Impl provider using the configuration file, then add it to the Java™ Provider List. The creation of the key on the hardware cryptography card is not shown.

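//***************************************************************************
// Substitute actual hardware and configuration information.
// A literal password is acceptable only in a sample: in a deployment obtain
// it at run time (console prompt, protected file, secret store) so that it is
// never committed to source control.
String password = "12345678";
String dlllocation = "/usr/lib/pkcs11/PKCS11_API.so";
int slotnumber = 0;                 // the original "String slotnumber = 0;" does not compile
String configname = "/home/test/cfg/4960.cfg";
//*****************************************************************************
// Set up Crypto Card hardware provider.
com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl p1 =
    new com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl(configname);

// Must add the hardware crypto provider before IBMJCE in the Java Provider List
// but after the Oracle provider on Solaris and HP systems.
Security.insertProviderAt(p1, 2);

// Add the IBMJSSE2 Provider to the Java Provider list
Security.addProvider(new com.ibm.jsse2.IBMJSSEProvider2());

// Login to the card. The "user name" handed to the prompter is "<library>:<slot>";
// the password array is passed by reference, so the caller remains responsible
// for clearing it once the card session is no longer needed.
char[] passwd = password.toCharArray();
NullPrompter np = new NullPrompter(dlllocation + ":" + slotnumber, passwd);
p1.login(null, np);

// Get a keystore of type JKS and load it from the file "testkeys".
// KeyStore.load() takes an InputStream, not a file name; try-with-resources
// closes the stream once the keystore has been read.
KeyStore ks = KeyStore.getInstance("JKS");
try (InputStream in = new FileInputStream("testkeys")) {
    ks.load(in, "passphrase".toCharArray());
}

// Create a KeyManagerFactory that implements the X.509 key management
// algorithm using the IBMJSSE2 provider.
KeyManagerFactory kmf = KeyManagerFactory.getInstance("IbmX509", "IBMJSSE2");

// Load the keystore with the appropriate password
kmf.init(ks, "passphrase".toCharArray());

// Create a TrustManagerFactory that implements the X.509 key
// management algorithm using the IBMJSSE2 provider.
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "IBMJSSE2");

// Because client authentication will be requested,
// the server must be able to trust the client; the same keystore
// therefore also serves as the trust store here.
tmf.init(ks);

// Initialize the SSLContext with the KeyManagerFactory and the
// TrustManagerFactory. "TLS" is requested rather than "SSL": SSLv3 is
// obsolete and should not be offered by a server, and the context name
// is what decides which protocol versions can be negotiated.
SSLContext sslContext = SSLContext.getInstance("TLS", "IBMJSSE2");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
// Create an SSL server socket on port 8050
SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
SSLServerSocket ssl_server_sock = (SSLServerSocket) factory.createServerSocket(8050);
// Require client authentication: the handshake fails unless the client
// presents a certificate that the trust manager accepts.
ssl_server_sock.setNeedClientAuth(true);
// rest not shown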

// Sample class to get the password
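/**
 * Non-interactive {@link javax.security.auth.callback.CallbackHandler} that
 * answers the provider's login callbacks from values fixed at construction
 * time instead of prompting a user.
 *
 * <p>A {@code TextInputCallback} receives the user name, a
 * {@code PasswordCallback} receives the password, a
 * {@code TextOutputCallback} is deliberately ignored (there is nobody to show
 * it to), and any other callback type is rejected.
 *
 * <p>The password array is held by reference, not copied, so the caller stays
 * responsible for clearing it once the login is complete.
 */
public class NullPrompter implements javax.security.auth.callback.CallbackHandler {
	private final String userName;
	private final char[] authenticator;

	// No private no-arg constructor is needed: declaring this constructor
	// already suppresses the implicit default one, and the final fields
	// must be assigned here anyway.
	/**
	 * @param userName      value supplied to any {@code TextInputCallback}
	 * @param authenticator value supplied to any {@code PasswordCallback};
	 *                      kept by reference, not copied
	 */
	public NullPrompter(String userName, char[] authenticator) {
		this.userName = userName;
		this.authenticator = authenticator;
	}

	/**
	 * Fills each callback from the stored values.
	 *
	 * @param callbacks the callbacks presented by the provider
	 * @throws UnsupportedCallbackException for any callback other than
	 *         {@code TextOutputCallback}, {@code TextInputCallback} or
	 *         {@code PasswordCallback}
	 * @throws IOException never thrown here; declared by the interface
	 */
	@Override
	public void handle(Callback[] callbacks)
		throws IOException, UnsupportedCallbackException {
		for (Callback cb : callbacks) {
			if (cb instanceof TextOutputCallback) {
				continue; // nothing to display: this handler never talks to a user
			}
			if (cb instanceof TextInputCallback) {
				((TextInputCallback) cb).setText(userName);
			} else if (cb instanceof PasswordCallback) {
				((PasswordCallback) cb).setPassword(authenticator);
			} else {
				throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
			}
		}
	}
}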