Hello again

The key on the HSM is flagged as "Extractable", but since the only way to actually extract it is by wrapping it, for now it is impossible to do it.
For now I'll have to use the vendor's "Proprietary API", but I'm glad to hear that this issue will be solved in jdk7 update.

Thanks for your time,

Paulo Ricardo


On 21-11-2011 19:25, Valerie (Yu-Ching) Peng wrote:

The support for key wrapping and unwrapping is tracked under
4898471 "Support for key wrapping and unwrapping"

I assume that the 3DES key is unextractable? If yes, I am afraid that this would require that 4898471 be fixed.
I'll fix this in jdk7 update and later releases.
Thanks,
Valerie

On 11/08/11 03:16, Paulo Ricardo Ribeiro wrote:
Hello

I'm trying to wrap a 3DES key that is stored in an HSM, using the SunPKCS11 provider:

 Cipher wrapper = Cipher.getInstance("DESede/CBC/NOPADDING", getProviderName());
 wrapper.init(Cipher.WRAP_MODE, wrappingKey, new IvParameterSpec(iv));
 cText = wrapper.wrap(wrappedKey);


The problem is that I'm obtaining the following exception:
java.security.InvalidAlgorithmParameterException: Unsupported mode: 3
	at sun.security.pkcs11.P11Cipher.implInit(P11Cipher.java:316)
	at sun.security.pkcs11.P11Cipher.engineInit(P11Cipher.java:280)
	at javax.crypto.Cipher.init(DashoA13*..)
	at javax.crypto.Cipher.init(DashoA13*..)
 

After searching for the source code, I've found that the provider only supports the ENCRYPT_MODE and DECRYPT_MODE:

// actual init() implementation
    private void implInit(int opmode, Key key, byte[] iv,
            SecureRandom random)
            throws InvalidKeyException, InvalidAlgorithmParameterException {
        cancelOperation();
        switch (opmode) {
            case Cipher.ENCRYPT_MODE:
                encrypt = true;
                break;
            case Cipher.DECRYPT_MODE:
                encrypt = false;
                break;
            default:
                throw new InvalidAlgorithmParameterException
                        ("Unsupported mode: " + opmode);
        }
      (...)
    }

The full source is available at http://javasourcecode.org/html/open-source/jdk/jdk-6u23/sun/security/pkcs11/P11Cipher.java.html

So, I was wondering if there is a way to wrap a key using the SunPKCS11 provider.

--

Paulo Ricardo Ribeiro
Integration and Development Department

MULTICERT - Serviços de Certificação Electrónica, S.A.
www.multicert.com
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
For directions to our facilities, click here
Porto: Av. Sidónio Pais, 379, Edifício B, Piso 1, Sala 5 – 4100–468 Porto – Portugal
T: +351 223 391 810 | F: +351 223 391 811
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
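
Added example, not part of the thread and not code from the JDK: a probe that checks whether a provider's DESede/CBC cipher accepts Cipher.WRAP_MODE, treating the InvalidAlgorithmParameterException quoted above as "wrap not supported", followed by a wrap/unwrap round trip on the default software provider. The class name WrapProbe, the helper supportsWrap and the generated keys are assumptions made for illustration; no HSM is involved.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class WrapProbe {  // hypothetical class name
    static final String TRANSFORMATION = "DESede/CBC/NoPadding";

    // Hypothetical helper: true if the provider's cipher accepts WRAP_MODE.
    // A null provider name means "use the default provider search order".
    static boolean supportsWrap(String provider, Key wrappingKey, byte[] iv) throws Exception {
        Cipher c = (provider == null) ? Cipher.getInstance(TRANSFORMATION)
                                      : Cipher.getInstance(TRANSFORMATION, provider);
        try {
            c.init(Cipher.WRAP_MODE, wrappingKey, new IvParameterSpec(iv));
            return true;
        } catch (InvalidAlgorithmParameterException | UnsupportedOperationException e) {
            // The P11Cipher code quoted in the thread rejects any mode other
            // than ENCRYPT_MODE/DECRYPT_MODE with InvalidAlgorithmParameterException.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys, generated in software for the demonstration.
        KeyGenerator kg = KeyGenerator.getInstance("DESede");
        SecretKey wrappingKey = kg.generateKey();
        SecretKey targetKey = kg.generateKey();
        byte[] iv = new byte[8];  // DESede block size is 8 bytes
        new SecureRandom().nextBytes(iv);

        // Optional first argument: name of an installed provider to probe.
        String provider = args.length > 0 ? args[0] : null;
        System.out.println("WRAP_MODE accepted: " + supportsWrap(provider, wrappingKey, iv));

        // Round trip on the default provider. NoPadding works here because a
        // DESede key encodes to 24 bytes, a multiple of the block size.
        Cipher wrapper = Cipher.getInstance(TRANSFORMATION);
        wrapper.init(Cipher.WRAP_MODE, wrappingKey, new IvParameterSpec(iv));
        byte[] wrapped = wrapper.wrap(targetKey);

        Cipher unwrapper = Cipher.getInstance(TRANSFORMATION);
        unwrapper.init(Cipher.UNWRAP_MODE, wrappingKey, new IvParameterSpec(iv));
        Key recovered = unwrapper.unwrap(wrapped, "DESede", Cipher.SECRET_KEY);
        System.out.println("round trip ok: "
                + Arrays.equals(targetKey.getEncoded(), recovered.getEncoded()));
    }
}
```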


