hello,
Your chosen set of operations to be performed is: "DESede/CBC/NoPadding"
DESede is a block cipher and operates on 8-byte blocks. Thus, input to
DESede Cipher with CBC mode and "NoPadding"
scheme should be in multiple of 8 bytes for the encryption/decryption to
succeed.
I was able to get your program working by adding two bytes to the
following line.
String password = "passwordString!!"; //16 bytes
If you need to have variable lengths of input you need to first pad your
data, then encrypt.
After you decrypt you need to remove the pad.
some links for your review:
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
http://tools.ietf.org/html/rfc2898
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java
have a good day,
glen
Yevgeniy Gubenko wrote:
>
> Hi,
>
> I'm a new incomer trying to handle keying material for NSS fips mode.
> This is the case:
> I am working with pkcs11 provider on Solaris 10, which is configured
> to work with mozilla NSS provider.
> This is my configuration file for pkcs11 provider :
> name = NSScrypto
> nssLibraryDirectory = /opt/nss/lib
> nssSecmodDirectory = /opt/nss/fipsdb
> nssModule = fips
>
> I've created NSS Database and modified it to work in fips module:
> certutil -N -d /opt/nss/fipsdb
> modutil -fips true -dbdir /opt/nss/fipsdb
>
> Then I created a key in the DB:
> symkeyutil -K -n test1 -t des3 -d /opt/nss/fipsdb
>
> Now let's get to my Java code which should retrieve the key from the
> DB and use it as a SecretKey to encrypt/decrypt passwords.
> This is a class which encrypts password:
>
> import javax.crypto.SecretKeyFactory;
>
> import javax.crypto.spec.DESedeKeySpec;
>
> import javax.crypto.spec.DESKeySpec;
>
> import javax.crypto.SecretKey;
>
> import javax.crypto.Cipher;
>
> import javax.crypto.spec.IvParameterSpec;
>
> import java.security.*;
>
>
>
> public class encryptPass
>
> {
>
> public static void main(String[] args)
>
> {
>
> try
>
> {
>
> String configFileName = "/opt/nss/pkcs11.cfg";
>
> java.security.Provider nss = new
> sun.security.pkcs11.SunPKCS11(configFileName);
>
> java.security.Security.insertProviderAt(nss,1);
>
> java.security.KeyStore ks =
> java.security.KeyStore.getInstance("PKCS11", nss);
>
> char[] nssDBPassword = {'f','i','p','s','1','4','0','-','2'};
>
> ks.load(null, nssDBPassword);
>
> SecretKey key = (SecretKey) ks.getKey("test1", nssDBPassword);
>
>
>
>
>
> //iv for CBC mode - note, in practice you don't generate a
> random iv for decryption :)
>
> byte[] iv = new byte[8]; //64-bit block size for 3DES
>
> SecureRandom sr = SecureRandom.getInstance("PKCS11", nss);
>
> sr.nextBytes(iv);
>
> IvParameterSpec params = new IvParameterSpec(iv);
>
>
>
>
>
> Cipher encryptCipher =
> Cipher.getInstance("DESede/CBC/NoPadding", nss);
>
> encryptCipher.init(Cipher.ENCRYPT_MODE, key, params);
>
> System.out.println("encryptCipher provider: " +
> encryptCipher.getProvider().getName());
>
> String password = "passwordString";
>
> byte[] passBytes = password.getBytes();
>
> byte[] passBytesEncrypt = encryptCipher.doFinal(passBytes);
>
> }
>
> catch (Exception ex)
>
> {
>
> ex.printStackTrace();
>
> }
>
> }
>
> }
>
>
>
> The output from the class execution is:
>
>
> encryptCipher provider: SunPKCS11-NSScrypto
>
> java.security.ProviderException: update() failed
>
> at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:460)
>
> at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:391)
>
> at
> sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:422)
>
> at
> sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:409)
>
> at javax.crypto.Cipher.doFinal(DashoA13*..)
>
> at encryptPass.main(encryptPass.java:48)
>
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
>
> at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native
> Method)
>
> at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:450)
>
> ... 5 more
>
>
>
> From the other hand I have a symmetric class which decrypts the
> passwords with the same doFinal method (the difference is that the
> cipher is initialized in DECRYPT_MODE) and it succeeds to run.
> Any suggestions will be appreciated.
>
>
>
>
>
>
> This email and any files transmitted with it are confidential
> material. They are intended solely for the use of the designated
> individual or entity to whom they are addressed. If the reader of this
> message is not the intended recipient, you are hereby notified that
> any dissemination, use, distribution or copying of this communication
> is strictly prohibited and may be unlawful.
>
> If you have received this email in error please immediately notify the
> sender and delete or destroy any copy of this message
> ------------------------------------------------------------------------
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
