Retrieving SecretKey data using SunPKCS11 with HSM

I need to create a symmetric key in the HSM that can be read completely in Java code. This key is going to be the source for Password-based encryption and hence the need for reading the bytes of the key.

I am using a Safenet HSM with a LunaSA client on Windows with the SunPKCS11 provider in the JDK to connect to the HSM. Per different documentation that I have read, one needs to set CKA_SENSITIVE to false and CKA_EXTRACTABLE to true for the key data to be readable.

I have tried setting these attributes in the PKCS11 config file but I keep getting CKR_ATTRIBUTE_VALUE_INVALID when I use keytool to create the key -


    attributes(*,CKO_SECRET_KEY,*) = {
       CKA_EXTRACTABLE = true
       CKA_SENSITIVE = false
    }


Here's the command I issue -

    keytool -v -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11.cfg -genseckey -alias MY_COMMONKEY -keyalg DESede -keysize 128


And here is the error I get -

    keytool error: java.security.ProviderException: Could not generate key java.security.ProviderException: Could not generate key
        at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey(P11KeyGenerator.java:260)
        at javax.crypto.KeyGenerator.generateKey(DashoA13*..)
        at sun.security.tools.KeyTool.doGenSecretKey(KeyTool.java:1099)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:792)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method)
        at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey(P11KeyGenerator.java:255)
        ... 5 more

If I remove CKA_SENSITIVE from the attributes list the SecretKey generation works fine.

Any ideas what may be going on?
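The keytool command above does in one step what a small Java program can do explicitly: load the SunPKCS11 provider from the same `pkcs11.cfg`, generate the secret key in the token, store it under the alias, and then test whether the key material can actually be read back through `getEncoded()`. The program below is an added example, not code from the original post or from the Luna client; it assumes the config file is named `pkcs11.cfg`, the alias `MY_COMMONKEY` and algorithm `DESede`/128 from the post, and that the partition PIN is passed as the first command-line argument. It targets JDK 9 or later (`Provider.configure`); on JDK 8 and earlier the provider is built with `new sun.security.pkcs11.SunPKCS11("pkcs11.cfg")` instead. SunPKCS11 returns `null` from `getEncoded()` when the token will not release the key value, and a `ProviderException` whose cause carries the CKR_ code when generation is rejected, so both outcomes are reported rather than assumed.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class Pkcs11SecretKeyCheck {

    // Assumed values, mirroring the keytool invocation in the post.
    static final String CFG_PATH = "pkcs11.cfg";
    static final String ALIAS = "MY_COMMONKEY";
    static final String ALGORITHM = "DESede";
    static final int KEY_BITS = 128;

    public static void main(String[] args) throws Exception {
        // Token PIN is assumed to arrive as args[0]; SunPKCS11 uses the
        // keystore password as the PKCS#11 user PIN.
        char[] pin = args.length > 0 ? args[0].toCharArray() : null;

        // JDK 9+: configure the bundled provider from the same cfg file
        // keytool was given via -providerArg.
        Provider p11 = Security.getProvider("SunPKCS11").configure(CFG_PATH);
        Security.addProvider(p11);

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);

        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        if (key == null) {
            key = generateAndStore(p11, ks);
        } else {
            System.out.println("Using existing token key under alias " + ALIAS);
        }

        reportReadability(key);
        Arrays.fill(pin == null ? new char[0] : pin, '\0');
    }

    // Generates the key inside the token and persists it under ALIAS.
    // Attributes applied to the new object (CKA_SENSITIVE, CKA_EXTRACTABLE, ...)
    // come from the attributes(...) block in the cfg file, exactly as with keytool.
    static SecretKey generateAndStore(Provider p11, KeyStore ks) throws Exception {
        try {
            KeyGenerator kg = KeyGenerator.getInstance(ALGORITHM, p11);
            kg.init(KEY_BITS);
            SecretKey key = kg.generateKey();
            ks.setKeyEntry(ALIAS, key, null, null);
            System.out.println("Generated and stored " + ALGORITHM + " key as " + ALIAS);
            return key;
        } catch (ProviderException e) {
            // The PKCS#11 return code (e.g. CKR_ATTRIBUTE_VALUE_INVALID) sits in the cause.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            System.err.println("Key generation rejected by the token: " + cause.getMessage());
            throw e;
        }
    }

    // Tells you whether the token lets Java read the raw key bytes. A null
    // result means the object is sensitive or non-extractable as far as the
    // HSM is concerned, regardless of what the cfg file asked for.
    static boolean reportReadability(SecretKey key) {
        byte[] raw = key.getEncoded();
        if (raw == null) {
            System.out.println("Key value is NOT readable from Java (sensitive/non-extractable)");
            return false;
        }
        try {
            System.out.println("Key value is readable: " + raw.length + " bytes");
            return true;
        } finally {
            // Wipe the copy once it has been used; an exportable HSM key only
            // stays protected if the host does not keep it lying around.
            Arrays.fill(raw, (byte) 0);
        }
    }
}
```

Run it as `java Pkcs11SecretKeyCheck <partition-PIN>` with `pkcs11.cfg` in the working directory. Comparing the result of `reportReadability` with and without the `CKA_SENSITIVE = false` line in the config isolates whether the HSM is refusing the attribute at creation time (the exception path) or silently keeping the key sensitive (the `null` path), which is the distinction the post needs before deciding whether the partition policy, rather than the cfg file, is what has to change.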
