Unable to wrap key using SunPKCS11 Provider

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Mon Nov 21 19:25:51 UTC 2011


The support for key wrapping and unwrapping is tracked under
4898471 "Support for key wrapping and unwrapping"

I assume that the 3DES key is unextractable? If yes, I am afraid that 
this would require that 4898471 be fixed.
I'll fix this in jdk7 update and later releases.
Thanks,
Valerie

On 11/08/11 03:16, Paulo Ricardo Ribeiro wrote:
> Hello
>
> I'm trying to wrap a 3DES key, that is stored in a HSM, using the 
> SunPKCS11 provider:
>
> | Cipher wrapper = Cipher.getInstance("DESede/CBC/NOPADDING", getProviderName());
>  wrapper.init(Cipher.WRAP_MODE, wrappingKey, *new* IvParameterSpec(iv));
>  cText = wrapper.wrap(wrappedKey);
> |
>
>
> The problem is that I'm obtaining the following exception:
> |java.security.InvalidAlgorithmParameterException: Unsupported mode: 3
> 	at sun.security.pkcs11.P11Cipher.implInit(P11Cipher.java:316)
> 	at sun.security.pkcs11.P11Cipher.engineInit(P11Cipher.java:280)
> 	at javax.crypto.Cipher.init(DashoA13*..)
> 	at javax.crypto.Cipher.init(DashoA13*..)
>  
> |
>
> After searching for the source code, I've found that the provider only 
> supports the ENCRYPT_MODE and DECRYPT_MODE
>
> |// actual init() implementation
>     *private* *void* implInit(*int* opmode, Key key, *byte*[] iv,
>             SecureRandom random)
>             *throws* InvalidKeyException, InvalidAlgorithmParameterException {
>         cancelOperation();
>         *switch* (opmode) {
>             *case* Cipher.ENCRYPT_MODE:
>                 encrypt = *true*;
>                 *break*;
>             *case* Cipher.DECRYPT_MODE:
>                 encrypt = *false*;
>                 *break*;
>             *default*:
>                 *throw* *new* InvalidAlgorithmParameterException
>                         ("Unsupported mode: " + opmode);
>         }
>       (...)
>     }
> |
>
> The full source is available at 
> http://javasourcecode.org/html/open-source/jdk/jdk-6u23/sun/security/pkcs11/P11Cipher.java.html
>
> So, I was wondering if is there a way to wrap a key, using the 
> SunPKCS11 provider.
>
> -- 
>
> *Paulo Ricardo Ribeiro*
> Departamento de Integração e Desenvolvimento
>
> *MULTICERT - Serviços de Certificação Electrónica, S.A.*
> www.multicert.com
> –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
> *Para obter direcções para as nossas instalações carregue aqui* 
> <http://maps.google.com/maps/ms?hl=en&ie=UTF8&view=map&msa=33&msid=112591748211978202235.00046047b74420975b193&abauth=b4c6c23a:Myc_CjSd9TJJt9sLpXutsU40-CI>
> *Porto:* Av. Sidónio Pais, 379, Edifício B, Piso 1, Sala 5 – 4100–468 
> Porto – Portugal
> *T:* +351 223 391 810 | *F: *+351 223 391 811
> –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20111121/5cf23cee/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 7530 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20111121/5cf23cee/attachment.png>


More information about the security-dev mailing list