alex.agra...@gmail.com wrote, On 2008-12-21 08:02:
> I'm working with NSS from JAVA (via JAVA 6 PKCS11 provider on RHEL 5).
> My NSS database is configured for FIPS-140 mode. And I try to wrap/
> unwrap AES key with RSA public/private key pair as follows:
>
> // open NSS keystore
> char[] nssDBPassword = {'f', 'i', 'p', 's', '1', '4', '0', '-', '2'};
> KeyStore ks = KeyStore.getInstance("PKCS11");
> ks.load(null, nssDBPassword);
> Provider p = ks.getProvider();
>
> // generate RSA key pair
> KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA", p);
> KeyPair keyPair = keyPairGen.generateKeyPair();
>
> // generate AES key
> KeyGenerator keyGen = KeyGenerator.getInstance("AES", p);
> keyGen.init(128);
> Key rawKey = keyGen.generateKey();
> System.out.println("raw Key : " + rawKey);
>
> // wrap key
> Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
> cipher.init(Cipher.WRAP_MODE, keyPair.getPublic());
> byte[] wrappedData = cipher.wrap(rawKey);
>
> // unwrap key
> cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
> cipher.init(Cipher.UNWRAP_MODE, keyPair.getPrivate());
> Key unwrappedKey = cipher.unwrap(wrappedData, "AES", Cipher.SECRET_KEY);
>
> // encode data
> cipher = Cipher.getInstance("AES/CBC/NoPadding", p);
> cipher.init(Cipher.ENCRYPT_MODE, unwrappedKey);
>
> The wrap/unwrap code seems to work fine. But when I attempt to perform
> encoding with the unwrapped key, I get the following exception
> (which, as far as I understand, seems to suggest that the key doesn't
> reside inside the NSS crypto token):
>
> raw Key : SunPKCS11-NSScrypto AES secret key, 128 bits (id 12, session
> object, sensitive, extractable)
> java.security.InvalidKeyException: Could not create key
>     at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:226)
>     at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:131)
>     at sun.security.pkcs11.P11Cipher.engineGetKeySize(P11Cipher.java:582)
>     at javax.crypto.Cipher.b(DashoA13*..)
>     at javax.crypto.Cipher.a(DashoA13*..)
>     at javax.crypto.Cipher.init(DashoA13*..)
>     at javax.crypto.Cipher.init(DashoA13*..)
>     at EncryptionTest.main(EncryptionTest.java:88)

Are you sure this is not coming from the cipher.unwrap call? If you add a line of code to print info about the unwrapped key, does it show that key to be in the NSS token?

> Can anybody tell me what I am doing wrong? Or, maybe, point me to
> some working JAVA code that performs wrap/unwrap of the key in NSS
> token?

Maybe one of our seasoned Java veterans can help with those questions.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
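The check the reply asks for, as an added example that is not code from either poster or from NSS: it repeats the wrap/unwrap sequence through the SunPKCS11 provider, prints what the JCE reports about the unwrapped key (class, algorithm, format, whether raw bytes are exposed, and the provider's own toString, which is what produced the "session object, sensitive, extractable" line above), and then confirms the unwrapped key is usable by encrypting with it and decrypting with the original key. The class name WrapUnwrapCheck, the 2048-bit RSA size, the console password prompt and the assumption that a SunPKCS11 provider pointing at the NSS FIPS module is already registered in java.security (so KeyStore.getInstance("PKCS11") finds it, as in the original post) are all choices made for this example.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.IvParameterSpec;

// Example class (not from the thread). Assumes a SunPKCS11 provider configured
// for the NSS FIPS token is registered in java.security.
public class WrapUnwrapCheck {

    // Print everything the JCE layer will tell us about a key without
    // exporting it: a token-resident key should report its provider in
    // toString() and normally returns null from getEncoded().
    static String describe(String label, Key k) {
        String line = label + ": class=" + k.getClass().getName()
                + ", algorithm=" + k.getAlgorithm()
                + ", format=" + k.getFormat()
                + ", rawBytesExposed=" + (k.getEncoded() != null)
                + ", toString=" + k;
        System.out.println(line);
        return line;
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal so the NSS DB password can be prompted");
        }
        char[] nssDBPassword = System.console().readPassword("NSS DB password: ");

        // Open the NSS keystore through the PKCS11 provider, exactly as the post does.
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, nssDBPassword);
        Arrays.fill(nssDBPassword, '\0');
        Provider p = ks.getProvider();
        System.out.println("provider: " + p.getName());

        // RSA key pair generated inside the token.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
        kpg.initialize(2048);
        KeyPair keyPair = kpg.generateKeyPair();

        // AES key generated inside the token.
        KeyGenerator kg = KeyGenerator.getInstance("AES", p);
        kg.init(128);
        Key rawKey = kg.generateKey();

        // Wrap with the public key, unwrap with the private key.
        Cipher wrapper = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
        wrapper.init(Cipher.WRAP_MODE, keyPair.getPublic());
        byte[] wrapped = wrapper.wrap(rawKey);

        Cipher unwrapper = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
        unwrapper.init(Cipher.UNWRAP_MODE, keyPair.getPrivate());
        Key unwrappedKey = unwrapper.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        // This is the diagnostic the reply asks for: compare both keys' metadata.
        describe("raw key", rawKey);
        describe("unwrapped key", unwrappedKey);

        // Functional check: encrypt with the unwrapped key, decrypt with the
        // original key. The plaintext and IV are constructed for this example.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] plain = "sixteen byte blk".getBytes("US-ASCII");

        Cipher enc = Cipher.getInstance("AES/CBC/NoPadding", p);
        enc.init(Cipher.ENCRYPT_MODE, unwrappedKey, new IvParameterSpec(iv));
        byte[] ct = enc.doFinal(plain);

        Cipher dec = Cipher.getInstance("AES/CBC/NoPadding", p);
        dec.init(Cipher.DECRYPT_MODE, rawKey, new IvParameterSpec(iv));
        byte[] back = dec.doFinal(ct);

        System.out.println("unwrapped key matches original: " + Arrays.equals(plain, back));
    }
}
```

If the exception appears before the "unwrapped key:" line is printed, it is the unwrap step that fails, which is the first question in the reply; if the line prints but names a different provider or class than the raw key, the unwrapped key did not land in the token and the later Cipher.init is the symptom rather than the cause.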