On Nov 3, 12:34 pm, "morris.d...@gmail.com" <morris.d...@gmail.com> wrote: > On Nov 2, 8:13 pm, Glen Beasley <glen.beas...@sun.com> wrote: > > > > > morris.d...@gmail.com wrote: > > > >>>> I ran into issues creating the secmod database: > > > before moving on to Java/SunPKCS11-NSSFIPS issue you should first get > > your configuration correct > > so that running the modutil command will work correctly. Copying the > > databases from a working system to > > a system that is unable to correctly run "modutil -fips true -dbdir ." > > makes no sense. > > > In an attempt to recreate your problem, I wrote a test program and some > > rough notes that > > should hopefully help. The program/notes are rough as I don't have much > > time to spend on this issue. > > > I had a clean window 7 box so I: > > > downloaded NSPR > > 4.6.4https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/... > > downloaded NSS > > 3.11.4https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1... > > installed java version "1.6.0_16": > > > 2) set the PATH for NSS/NSPR libraries/chk files/binaries and Java bin > > directory > > > 3) created the NSS db's and configured for FIPS mode: > > > certutil -N -d . > > modutil -fips true -dbdir . > > > 4) created the following nss.cfg file: > > > name = NSSFIPS > > nssLibraryDirectory = ./lib > > nssSecmodDirectory = . > > nssDbMode = readWrite > > nssModule = fips > > > 5) created the attached test program sunpkcs11nss.java > > > 6) javac javac sunpkcs11nss.java > > 7) java sunpkcs11nss nss.cfg <password> > > Initializing sunpkcs11-NSS nss.cfg > > Initialized sunpkcs11-NSS > > Provider 0: SunPKCS11-NSSFIPS > > Provider 1: SUN > > Provider 2: SunRsaSign > > Provider 3: SunJSSE > > Provider 4: SunJCE > > Provider 5: SunJGSS > > Provider 6: SunSASL > > Provider 7: XMLDSig > > Provider 8: SunPCSC > > Provider 9: SunMSCAPI > > Key generation done by SunPKCS11-NSSFIPS version 1.6 > > encrypt op done by SunPKCS11-NSSFIPS version 1.6 > > decrypt op done by SunPKCS11-NSSFIPS version 1.6 > > recovered bytes equal the original plaintext > > > Hopefully the above will help you solve your issue, or at least aid in > > creating a bug with a provided testcase. > > > -glen > > > [sunpkcs11nss.java4K ] > > > import java.security.AlgorithmParameters; > > import java.security.Provider; > > import java.security.Security; > > import javax.crypto.Cipher; > > import javax.crypto.KeyGenerator; > > import java.security.KeyStore; > > > //glen.beas...@sun.com > > //This is a sample test program > > //the nss.cfg file > > //name = NSSFIPS > > //nssLibraryDirectory = ./lib > > //nssSecmodDirectory = . > > //nssDbMode = readWrite > > //nssModule = fips > > // > > //http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.... > > > public class sunpkcs11nss { > > > public static void main(String args[]) { > > try { > > // pass in nss.cfg file and "password" for the NSS databases > > String nssConfig = args[0]; > > System.out.println("Initializing sunpkcs11-NSS " + nssConfig); > > Provider pkcs11NSS = new > > sun.security.pkcs11.SunPKCS11(nssConfig); > > Security.insertProviderAt(pkcs11NSS, 1); > > System.out.println("Initialized sunpkcs11-NSS"); > > > Provider[] providers = Security.getProviders(); > > for (int i = 0; i < providers.length; i++) { > > System.out.println("Provider " + i + ": " + > > providers[i].getName()); > > } > > > // Login > > KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11NSS); > > // this is test code, please mask the password > > ks.load(null, args[1].toCharArray()); > > > javax.crypto.SecretKey skey = null; > > javax.crypto.KeyGenerator kg = null; > > > kg = KeyGenerator.getInstance("AES", > > pkcs11NSS); > > kg.init(128); > > skey = kg.generateKey(); > > > System.out.println("Key generation done by " + > > kg.getProvider().toString()); > > > String algFamily = "AES"; > > String algType = "AES/CBC/PKCS5Padding"; > > > byte[] plaintext = "testing NSS in FIPS MODE".getBytes(); > > Cipher cipher = Cipher.getInstance(algType, pkcs11NSS); > > AlgorithmParameters ap = null; > > byte[] encodedAlgParams = null; > > > cipher.init(Cipher.ENCRYPT_MODE, skey); > > //generate the algorithm Parameters; they need to be > > //the same for encrypt/decrypt if they are needed. > > ap = cipher.getParameters(); > > if (ap != null) { > > //get parameters to store away as example. > > encodedAlgParams = ap.getEncoded(); > > } > > byte[] ciphertext = > > new byte[cipher.getOutputSize(plaintext.length)]; > > int cLen = cipher.update(plaintext, 0, plaintext.length, > > ciphertext, 0); > > cLen += cipher.doFinal(ciphertext, cLen); > > > System.out.println("encrypt op done by " + > > cipher.getProvider().toString()); > > > //decrypt > > cipher = Cipher.getInstance(algType, pkcs11NSS); > > if (encodedAlgParams == null) { > > cipher.init(Cipher.DECRYPT_MODE, skey); > > } else { > > //retrieve the algorithmParameters from the encoded array > > AlgorithmParameters aps = > > AlgorithmParameters.getInstance(algFamily); > > aps.init(encodedAlgParams); > > cipher.init(Cipher.DECRYPT_MODE, skey, aps); > > } > > System.out.println("decrypt op done by " + > > cipher.getProvider().toString()); > > > byte[] recovered = new byte[cLen]; > > int rLen = cipher.update(ciphertext, 0, cLen, recovered, 0); > > rLen += cipher.doFinal(recovered, rLen); > > > //ensure the recovered bytes equals the orginal plaintext > > boolean isEqual = true; > > for (int i = 0; i < plaintext.length; i++) { > > if (plaintext[i] != recovered[i]) { > > isEqual = false; > > break; > > } > > } > > if (isEqual) System.out.println("recovered bytes equal " + > > "the original plaintext\n"); > > > } catch (Exception ex) { > > ex.printStackTrace(); > > } > > } > > > } > > Glen, > > Uninstalling ActiveClient also fixed the exception ("The specified > version of NSS is incompatible, 3.7 or later required"). Not entirely > sure why the libraries/binaries included in the Windows PATH would be > used by the JVM with higher priority than the configured value in > nss.cfg, "nssLibraryDirectory = ./lib". Nevertheless, I now know what > the issue is and can work around it-- thank you for the assistance. > > Drew Morris > Technical Lead, Software Developer > CDM Technologies, Inc. (http://www.cdmtech.com)
Hi Glen, I finally got all the other problems solved, and ran into this problem when trying to run your code. When attempting to actually generate the key, I get this exception: java.security.ProviderException: Could not generate key at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey (P11KeyGenerator.java:260) at javax.crypto.KeyGenerator.generateKey(DashoA13*..) at test.SunPKCS11NSS.main(SunPKCS11NSS.java:53) Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method) at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey (P11KeyGenerator.java:255) ... 2 more Anyway, thanks very much for all your help so far. Kevin Oberlies Student Software Developer CDM Technologies, Inc. (http://www.cdmtech.com) -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto