I am trying to unwrap a secret key (AES/DES) using Java APIs and SunPKCS11. The problem is that it reveals the value of the unwrapped key (outside the HSM) in the key object. Here is the code:
```java
Key privateKey = keyStore.getKey("MyKeyId", keyStorePassword);
Cipher cipher = Cipher.getInstance("RSA", "SunPKCS11-Safenet");
cipher.init(Cipher.UNWRAP_MODE, privateKey);
// The value of the unwrapped key is visible in the unwrappedKey object on the line below
Key unwrappedKey = cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
```
How can I tell the code not to reveal the unwrapped key?
Do I have to add something to the PKCS11 cfg file? I tried some combinations in the cfg file, but none helped:
```
attributes(*,CKO_SECRET_KEY,*) = {
  CKA_SENSITIVE=true
}
```
OR
```
attributes(*,CKO_SECRET_KEY,*) = {
  CKA_PRIVATE=true
  CKA_SENSITIVE=true
  CKA_ENCRYPT=true
  CKA_DECRYPT=true
  CKA_WRAP=true
  CKA_UNWRAP=true
}
```