0 Replies Latest reply on Sep 7, 2018 2:25 PM by 8512e022-ad8e-48f8-b5ec-831ab5e613c0

    unwrapping a secret key reveals actual key

    8512e022-ad8e-48f8-b5ec-831ab5e613c0

      I am trying to unwrap a secret key (AES/DES) using Java APIs and SunPKCS11. The problem is that it reveals the value of the unwrapped key (out of the HSM) in the key object. Here is the code:

      Key privateKey = keyStore.getKey("MyKeyId", keyStorePassword);
      Cipher cipher = Cipher.getInstance("RSA", "SunPKCS11-Safenet");
      cipher.init(Cipher.UNWRAP_MODE, privateKey);
      // The unwrapped key is visible in the unwrappedKey object on the line below
      Key unwrappedKey = cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

      How can I tell the code not to reveal the unwrapped key?

      Do I have to add something to the PKCS11 cfg file? I tried some combinations in the cfg file, but none helped:

      attributes(*,CKO_SECRET_KEY,*) = {
        CKA_SENSITIVE=true
      }

      OR

      attributes(*,CKO_SECRET_KEY,*) = {
        CKA_PRIVATE=true
        CKA_SENSITIVE=true
        CKA_ENCRYPT=true
        CKA_DECRYPT=true
        CKA_WRAP=true
        CKA_UNWRAP=true
      }
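
A fail-closed check for the condition described in the post, as an added example that is not part of the original post or of any provider's code. The class and method names are hypothetical, the keys are constructed software keys from the default JDK providers so it runs without an HSM, and it assumes a provider that keeps the key on the token returns null from `Key.getEncoded()`.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class UnwrappedKeyExposureCheck {   // hypothetical name

    /** True when the key object hands raw key bytes to the JVM. */
    static boolean exposesKeyMaterial(Key key) {
        // Key.getEncoded() returns null for keys that do not support encoding.
        return key.getEncoded() != null;
    }

    /** Fail closed: refuse to use a key whose value is readable outside the token. */
    static Key requireOpaque(Key key) {
        if (exposesKeyMaterial(key)) {
            throw new IllegalStateException("unwrapped " + key.getAlgorithm()
                + " key is readable in the JVM (class " + key.getClass().getName()
                + ", format " + key.getFormat() + ")");
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: software RSA key pair and AES key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aes = kg.generateKey();

        Cipher wrap = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        wrap.init(Cipher.WRAP_MODE, rsa.getPublic());
        byte[] wrappedKey = wrap.wrap(aes);

        // Same call shape as the post, but unwrapped in software.
        Cipher unwrap = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        unwrap.init(Cipher.UNWRAP_MODE, rsa.getPrivate());
        Key unwrappedKey = unwrap.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        try {
            requireOpaque(unwrappedKey);
            System.out.println("key material stays inside the provider");
        } catch (IllegalStateException e) {
            System.out.println("exposed: " + e.getMessage());
        }
    }
}
```

Calling `requireOpaque` on the key returned by the PKCS11-backed `cipher.unwrap(...)` turns a silently exposed key into an immediate error.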