Unable to wrap key using SunPKCS11 Provider

Paulo Ricardo Ribeiro paulo.ribeiro at multicert.com
Tue Nov 22 09:11:47 UTC 2011 

Hello again

the key, on the HSM is flagged as "Extractable", but, since the only way 
to actually extract it is by wrapping it, for now it is impossible to do it.
For now I'll have to use the vendor's "Proprietary API", but I'm glad to 
hear that this issue will be solved in jdk7 update.

Thanks for your time,

Paulo Ricardo


On 21-11-2011 19:25, Valerie (Yu-Ching) Peng wrote:
>
> The support for key wrapping and unwrapping is tracked under
> 4898471 "Support for key wrapping and unwrapping"
>
> I assume that the 3DES key is unextractable? If yes, I am afraid that 
> this would require that 4898471 be fixed.
> I'll fix this in jdk7 update and later releases.
> Thanks,
> Valerie
>
> On 11/08/11 03:16, Paulo Ricardo Ribeiro wrote:
>> Hello
>>
>> I'm trying to wrap a 3DES key, that is stored in a HSM, using the 
>> SunPKCS11 provider:
>>
>> |  Cipher wrapper = Cipher.getInstance("DESede/CBC/NOPADDING", getProviderName());
>>   wrapper.init(Cipher.WRAP_MODE, wrappingKey,*new*  IvParameterSpec(iv));
>>   cText = wrapper.wrap(wrappedKey);
>> |
>>
>>
>> The problem is that I'm obtaining the following exception:
>> |java.security.InvalidAlgorithmParameterException: Unsupported mode: 3
>> 	at sun.security.pkcs11.P11Cipher.implInit(P11Cipher.java:316)
>> 	at sun.security.pkcs11.P11Cipher.engineInit(P11Cipher.java:280)
>> 	at javax.crypto.Cipher.init(DashoA13*..)
>> 	at javax.crypto.Cipher.init(DashoA13*..)
>>
>> |
>>
>> After searching for the source code, I've found that the provider 
>> only supports the ENCRYPT_MODE and DECRYPT_MODE
>>
>> |// actual init() implementation
>>      *private*  *void*  implInit(*int*  opmode, Key key,*byte*[] iv,
>>              SecureRandom random)
>>              *throws*  InvalidKeyException, InvalidAlgorithmParameterException{
>>          cancelOperation();
>>          *switch*  (opmode){
>>              *case*  Cipher.ENCRYPT_MODE:
>>                  encrypt =*true*;
>>                  *break*;
>>              *case*  Cipher.DECRYPT_MODE:
>>                  encrypt =*false*;
>>                  *break*;
>>              *default*:
>>                  *throw*  *new*  InvalidAlgorithmParameterException
>>                          ("Unsupported mode:"  + opmode);
>>          }
>>        (...)
>>      }
>> |
>>
>> The full source is available at 
>> http://javasourcecode.org/html/open-source/jdk/jdk-6u23/sun/security/pkcs11/P11Cipher.java.html
>>
>> So, I was wondering if is there a way to wrap a key, using the 
>> SunPKCS11 provider.
>>
>> -- 
>>
>> *Paulo Ricardo Ribeiro*
>> Departamento de Integração e Desenvolvimento
>>
>> *MULTICERT - Serviços de Certificação Electrónica, S.A.*
>> www.multicert.com
>> –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
>> *Para obter direcções para as nossas instalações carregue aqui* 
>> <http://maps.google.com/maps/ms?hl=en&ie=UTF8&view=map&msa=33&msid=112591748211978202235.00046047b74420975b193&abauth=b4c6c23a:Myc_CjSd9TJJt9sLpXutsU40-CI>
>> *Porto:*Av. Sidónio Pais, 379, Edifício B, Piso 1, Sala 5 – 4100–468 
>> Porto – Portugal
>> *T:*+351 223 391 810 | *F: *+351 223 391 811
>> –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
>>
>

-- 

*Paulo Ricardo Ribeiro*
Departamento de Integração e Desenvolvimento

*MULTICERT - Serviços de Certificação Electrónica, S.A.*
www.multicert.com
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
*Para obter direcções para as nossas instalações carregue aqui* 
<http://maps.google.com/maps/ms?hl=en&ie=UTF8&view=map&msa=33&msid=112591748211978202235.00046047b74420975b193&abauth=b4c6c23a:Myc_CjSd9TJJt9sLpXutsU40-CI>
*Porto:*Av. Sidónio Pais, 379, Edifício B, Piso 1, Sala 5 – 4100–468 
Porto – Portugal
*T:*+351 223 391 810 | *F: *+351 223 391 811

*M:*+351 925 770 081 | *Email:*paulo.ribeiro at multicert.com 
<mailto:paulo.ribeiro at multicert.com>
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20111122/63c39900/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 7530 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20111122/63c39900/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gafaicdi.png
Type: image/png
Size: 7530 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20111122/63c39900/gafaicdi.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3482 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20111122/63c39900/smime.p7s>

More information about the security-dev mailing list