Java Security

unwrapping a secret key reveals actual key

8512e022-ad8e-48f8-b5ec-831ab5e613c0 Sep 7 2018 — edited Sep 7 2018

I am trying to unwrap a secret key (AES/DES) using Java APIs and SunPKCS11. The problem is that it reveals the value of the unwrapped key (out of the HSM) in the key object. Here is the code:

// RSA private key held on the token, used as the unwrapping key
Key privateKey = keyStore.getKey("MyKeyId", keyStorePassword);
Cipher cipher = Cipher.getInstance("RSA", "SunPKCS11-Safenet");
cipher.init(Cipher.UNWRAP_MODE, privateKey);
// The unwrapped key is visible in the unwrappedKey object in the line below
Key unwrappedKey = cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

How can I tell the code not to reveal the unwrapped key?

Do I have to add something to the PKCS11 cfg file? I tried some combinations in the cfg file, but none helped:

attributes(*,CKO_SECRET_KEY,*) = {
  CKA_SENSITIVE=true
}

OR

attributes(*,CKO_SECRET_KEY,*) = {
  CKA_PRIVATE=true
  CKA_SENSITIVE=true
  CKA_ENCRYPT=true
  CKA_DECRYPT=true
  CKA_WRAP=true
  CKA_UNWRAP=true
}
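
A check for the situation described in the post, as an added example that is not part of the original post: it reports whether a `Key` object hands raw key bytes to the JVM through `getEncoded()`, which the `java.security.Key` contract allows to be `null` for keys that do not support encoding. `KeyExposureCheck` and `OpaqueHandleKey` are hypothetical names, and both sample keys are constructed so the code runs without an HSM.

```java
import java.security.Key;
import javax.crypto.spec.SecretKeySpec;

public class KeyExposureCheck {

    /** True if the raw key bytes are readable in JVM memory through this Key object. */
    static boolean materialExposed(Key key) {
        // Per the java.security.Key contract, getEncoded() returns null
        // when the key does not support encoding (for example, an opaque handle).
        return key.getEncoded() != null;
    }

    /** One-line summary suitable for a log or a test assertion message. */
    static String describe(String label, Key key) {
        return String.format("%s: class=%s algorithm=%s format=%s materialExposed=%b",
                label, key.getClass().getName(), key.getAlgorithm(),
                key.getFormat(), materialExposed(key));
    }

    /** Constructed stand-in for a key whose value stays on the token: a handle, no bytes. */
    static final class OpaqueHandleKey implements Key {
        private static final long serialVersionUID = 1L;
        @Override public String getAlgorithm() { return "AES"; }
        @Override public String getFormat()    { return null; }
        @Override public byte[] getEncoded()   { return null; }
    }

    public static void main(String[] args) {
        // Constructed sample: a software key object that carries its bytes in the JVM heap.
        Key software = new SecretKeySpec(new byte[16], "AES");
        // Constructed sample: a key object that exposes no encoding.
        Key opaque = new OpaqueHandleKey();

        System.out.println(describe("software", software)); // format=RAW, materialExposed=true
        System.out.println(describe("opaque", opaque));     // format=null, materialExposed=false

        // Assumption: in the post's setting, call describe("unwrapped", unwrappedKey)
        // right after cipher.unwrap(...) and fail the operation if material is exposed.
    }
}
```

The class name in the output also shows whether the object comes from the PKCS#11 provider or is a plain software key such as `SecretKeySpec`.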
