Hi,

From what I can tell, a failure seems to occur when C_GetAttributeValue is called from sun.security.pkcs11.P11KeyStore.loadSkey.
I took a look at this code at http://hg.openjdk.java.net/jdk7/jsn/jdk/file/66c2b0cfc896/src/share/classes/sun/security/pkcs11/P11KeyStore.java . Hopefully this is the code, but anyway there are 2 places C_GetAttributeValue is called for loadSkey, one time it is trying to get CKA_KEY_TYPE and another time, CKA_VALUE_LEN. The fact that either one of these have failed may indicate that something is wrong with the object handle passed to it. It could not either find the CKA_KEY_TYPE attribute to see what kind of key it is or it could not find CKA_VALUE_LEN to get the key's length.

We do not test with sun provider so I can only speculate,
- The key is not being generated in a pkcs#11 object familiar to opencryptoki. Who is the default provider in your config?
- I do not know your sun provider config, keystore config, etc...

regards,
Joy

Gideon Knocke <gideonknocke@googlemail.com>
08/09/2012 02:19 PM

To: Joy Latten/Austin/IBM@IBMUS
cc: opencryptoki-users@lists.sourceforge.net
Subject: Re: [opencryptoki-users] Opencryptoki and Java JCA

Hi,

I was wondering if someone has already investigated the problem?

Gideon

2012/6/29 Joy Latten <lat...@us.ibm.com>:
> Ok, I will take a look at this as soon as I can.
>
> Thanks!
>
> regards,
> Joy
>
> Gideon Knocke <gideonkno...@googlemail.com> wrote on 06/29/2012 07:37:08 AM:
>
>> To: opencryptoki-users@lists.sourceforge.net
>> Subject: Re: [opencryptoki-users] Opencryptoki and Java JCA
>>
>> Here is what I did to generate the key:
>>
>> /usr/lib/jvm/jdk1.7.0/bin/keytool -genseckey -keystore NONE -storetype PKCS11 -keyalg AES -keysize 256 -alias test
>>
>> I had expected that an error like this would occur while storing the
>> key, not when I try to read the key.
>>
>> I tried to perform the same task in Java:
>>
>> //Initialize and login
>> char[] pin = {'1','2','3','4','5','6'};
>> KeyStore ks = KeyStore.getInstance("PKCS11");
>> ks.load(null, pin);
>> //Generate the key
>> KeyGenerator keygen = KeyGenerator.getInstance("AES");
>> keygen.init(256);
>> SecretKey secretKey = keygen.generateKey();
>> //Write the secret key to the token
>> KeyStore.SecretKeyEntry keyEntry = new KeyStore.SecretKeyEntry(secretKey);
>> ks.setEntry(args[0], keyEntry, new KeyStore.PasswordProtection(pin));
>>
>> But the problem is still the same.
>>
>> In this case the key is generated with the RNG of the TPM and then
>> stored in the token.
>>
>> Gideon
>>
>> 2012/6/26 Joy Latten <lat...@us.ibm.com>:
>> > Let me make sure I understand.
>> > Are you trying to store an externally generated AES key ?
>> > If so, how are you creating the pkcs#11 secret key object?
>> >
>> > regards,
>> > Joy
>> >
>> > Gideon Knocke <gideonkno...@googlemail.com> wrote on 06/25/2012 08:30:40 AM:
>> >
>> >> To: opencryptoki-users@lists.sourceforge.net
>> >> Subject: [opencryptoki-users] Opencryptoki and Java JCA
>> >>
>> >> Hi,
>> >>
>> >> I'm trying to use the Sun PKCS#11 provider to manage my TPM token. I
>> >> can use stored symmetric keys within a Java program but I'm not able
>> >> to store an AES key in the token. In fact I can store the key but I am
>> >> not able to read the stored key. The same problem occurs when I use
>> >> keytool to generate and store a secret key.
>> >> This is the error which occurs when I try to read the secret key:
>> >>
>> >> Exception in thread "main" java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
>> >>     at sun.security.pkcs11.P11KeyStore.engineGetKey(P11KeyStore.java:335)
>> >>     at java.security.KeyStore.getKey(KeyStore.java:792)
>> >>     at Java4.main(Java4.java:16)
>> >> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
>> >>     at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
>> >>     at sun.security.pkcs11.P11KeyStore.loadSkey(P11KeyStore.java:1306)
>> >>     at sun.security.pkcs11.P11KeyStore.engineGetKey(P11KeyStore.java:328)
>> >>     ... 2 more
>> >>
>> >> I haven't specified any additional Attributes. The problem does not
>> >> occur if the key is generated with "tpmtoken_protect".
>> >> The used software is Java 1.7 and Opencryptoki 2.4.2
>> >>
>> >> Thanks!
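A diagnostic for the questions raised in this thread, as an added example that is not part of the original messages: it prints the provider order, shows which provider serves `KeyGenerator` for AES, and tries to read every key entry on the token, reporting the PKCS#11 return code for each one that fails. The class name `P11KeyProbe` is hypothetical, and the code assumes the SunPKCS11 provider is already configured for the opencryptoki library.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.KeyGenerator;

// Hypothetical diagnostic class (added example, not code from the thread).
// Assumes a SunPKCS11 provider pointing at opencryptoki is already registered.
public class P11KeyProbe {
    public static void main(String[] args) throws Exception {
        // Provider order decides who serves KeyGenerator.getInstance("AES").
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }
        System.out.println("AES KeyGenerator served by: "
                + KeyGenerator.getInstance("AES").getProvider().getName());

        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal to enter the PIN");
        }
        char[] pin = System.console().readPassword("Token PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);          // logs in to the token
        Arrays.fill(pin, '\0');      // do not keep the PIN in memory
        System.out.println("PKCS11 keystore served by: " + ks.getProvider().getName());

        int failed = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;            // certificate-only entry
            }
            try {
                // No per-key password for a PKCS11 keystore; login happened in load().
                Key key = ks.getKey(alias, null);
                String alg = (key == null) ? "no key returned" : key.getAlgorithm();
                System.out.println("OK   " + alias + " (" + alg + ")");
            } catch (ProviderException e) {
                // The PKCS#11 return code, e.g. CKR_ATTRIBUTE_TYPE_INVALID,
                // is the message of the wrapped PKCS11Exception.
                Throwable cause = (e.getCause() != null) ? e.getCause() : e;
                System.out.println("FAIL " + alias + ": " + cause.getMessage());
                failed++;
            }
        }
        System.exit(failed == 0 ? 0 : 1);
    }
}
```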