I need to create a symmetric key in the HSM that can be read completely in Java code. This key is going to be the source for Password-based encryption and hence the need for reading the bytes of the key. I am using a Safenet HSM with a LunaSA client on windows with the SunPKCS11 provider in JDK to connect to the HSM. Per different documentation that I have read one needs to set CKA_SENSITIVE to false and CKA_EXTRACTABLE to true for the key data to be readable. I have tried setting these attributes in the PKCS11 config file but I keep getting CKR_ATTRIBUTE_VALUE_INVALID when I use keytool to create the key -
attributes(*,CKO_SECRET_KEY,*) =
{
CKA_EXTRACTABLE = true
CKA_SENSITIVE = false
}
Here's the command I issue -
keytool -v -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11.cfg -genseckey -alias MY_COMMONKEY -keyalg DESede -keysize 128
And here is the error I get -
keytool error: java.security.ProviderException: Could not generate key
java.security.ProviderException: Could not generate key
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey(P11KeyGenerator.java:260)
at javax.crypto.KeyGenerator.generateKey(DashoA13*..)
at sun.security.tools.KeyTool.doGenSecretKey(KeyTool.java:1099)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:792)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method)
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey(P11KeyGenerator.java:255)
... 5 more
If I remove CKA_SENSITIVE from the attributes list the SecretKey generation works fine. Any ideas what may be going on?
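The same generation done programmatically through SunPKCS11, as an added example that is not part of the question: it loads the same pkcs11.cfg, generates the DESede key the keytool command above asks for, and then checks whether the token actually lets Java read the key bytes, which is the property the PBE use case depends on (the JDK 8-style provider constructor and the cfg path are assumptions).

```java
import java.security.Provider;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class Pkcs11KeyProbe {

    // Generates a DESede key on the token through SunPKCS11 and returns its raw
    // bytes, or fails if the token refuses to reveal them.
    public static byte[] generateAndExport(String cfgPath) throws Exception {
        // Same config file keytool is given; the attributes(*,CKO_SECRET_KEY,*)
        // block in it sets CKA_SENSITIVE / CKA_EXTRACTABLE on the new key.
        // JDK 8-style constructor (assumption); on JDK 9+ the equivalent is
        // Security.getProvider("SunPKCS11").configure(cfgPath).
        Provider p = new sun.security.pkcs11.SunPKCS11(cfgPath);

        KeyGenerator kg = KeyGenerator.getInstance("DESede", p);
        kg.init(128);                      // same size as the keytool command
        // This is the C_GenerateKey call; a rejected attribute template surfaces
        // here as ProviderException caused by CKR_ATTRIBUTE_VALUE_INVALID.
        SecretKey key = kg.generateKey();

        // For a token-backed key the provider reports no format and returns null
        // from getEncoded() when the token marks the key sensitive or
        // non-extractable, so a null here means the attributes did not take.
        byte[] raw = key.getEncoded();
        if (raw == null) {
            throw new IllegalStateException(
                "key bytes not readable (format=" + key.getFormat()
                + "): token kept CKA_SENSITIVE=true or CKA_EXTRACTABLE=false");
        }
        return raw;
    }

    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0] : "pkcs11.cfg"; // assumed path
        byte[] raw = generateAndExport(cfg);
        System.out.println("key bytes readable: " + raw.length + " bytes");
    }
}
```

Running this against the token with and without the CKA_SENSITIVE line in the config shows directly whether the value the HSM accepts is also one Java can read back.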