2 Replies Latest reply: Nov 22, 2011 3:39 AM by 898851 RSS

    Unable to wrap key using SunPKCS11 Provider


      I'm trying to wrap a 3DES key, that is stored in a HSM, using the SunPKCS11 provider:
       Cipher wrapper = Cipher.getInstance("DESede/CBC/NOPADDING", getProviderName());
       wrapper.init(Cipher.WRAP_MODE, wrappingKey, new IvParameterSpec(iv));
       cText = wrapper.wrap(wrappedKey);
      The problem is that I'm obtaining the following exception:
      java.security.InvalidAlgorithmParameterException: Unsupported mode: 3
           at sun.security.pkcs11.P11Cipher.implInit(P11Cipher.java:316)
           at sun.security.pkcs11.P11Cipher.engineInit(P11Cipher.java:280)
           at javax.crypto.Cipher.init(DashoA13*..)
           at javax.crypto.Cipher.init(DashoA13*..)
      After searching for the source code, I've found that the provider only supports the ENCRYPT_MODE and DECRYPT_MODE
      // actual init() implementation
          private void implInit(int opmode, Key key, byte[] iv,
                  SecureRandom random)
                  throws InvalidKeyException, InvalidAlgorithmParameterException {
              switch (opmode) {
                  case Cipher.ENCRYPT_MODE:
                      encrypt = true;
                  case Cipher.DECRYPT_MODE:
                      encrypt = false;
                      throw new InvalidAlgorithmParameterException
                              ("Unsupported mode: " + opmode);
      The full source is available at http://javasourcecode.org/html/open-source/jdk/jdk-6u23/sun/security/pkcs11/P11Cipher.java.html

      So, I was wondering if is there a way to wrap a key, using the SunPKCS11 provider.

      Edited by: 895848 on 8/Nov/2011 3:01
        • 1. Re: Unable to wrap key using SunPKCS11 Provider
          Arshad Noor
          Unfortunately, most HSMs do not support the WRAP_MODE even with their native JCE Providers - let alone through the SunPKCS11 Bridge. At least two HSMs that we tested did not support it. We had to use the standard ENCRYPT_MODE and DECRYPT_MODEs, of the Cipher, treating the symmetric key like any other data-object to "wrap" the key with an asymmetric key in a hardware modul. As an aside, we're using the native JCE Provider from the HSM manufacturers - going through the P11 Bridge creates too many headaches wrt support - better to have just one head - the HSM manufacturer's - under the guillotine when resolving problems. :-)

          Arshad Noor
          StrongAuth, Inc.
          • 2. Re: Unable to wrap key using SunPKCS11 Provider
            Hello Arshad

            I've received an answer from Valerie (Yu-Ching) Peng, on which she says that there is an open issue (4898471 "Support for key wrapping and unwrapping") regarding this subject.
            For now, I'll have to use the native JCE Provider (I've already tested it and it's working), since the SunPKCS11 Provider does not support key wrapping.
            The thread can be seen here: http://web.archiveorange.com/archive/v/d4wYG2VpF9TPPlWC2Ng7

            Thank you for your time,

            Paulo Ricardo Ribeiro
            MULTICERT, SA