
Java Security


Unwrapping a secret key reveals actual key

8512e022-ad8e-48f8-b5ec-831ab5e613c0 Sep 7 2018 — edited Sep 7 2018

I am trying to unwrap a secret key (AES/DES) using Java APIs and SunPKCS11. The problem is that it reveals the value of the unwrapped key (out of the HSM) in the key object. Here is the code:

Key privateKey = keyStore.getKey("MyKeyId", keyStorePassword);
Cipher cipher = Cipher.getInstance("RSA", "SunPKCS11-Safenet");
cipher.init(Cipher.UNWRAP_MODE, privateKey);
// The unwrapped key is visible in below line in unwrappedKey object
Key unwrappedKey = cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

How can I tell the code not to reveal the unwrapped key?

Do I have to add something to the PKCS11 cfg file? I tried some combinations in the cfg file, but none helped:

attributes(*,CKO_SECRET_KEY,*) = {
  CKA_SENSITIVE=true
}

OR

attributes(*,CKO_SECRET_KEY,*) = {
  CKA_PRIVATE=true
  CKA_SENSITIVE=true
  CKA_ENCRYPT=true
  CKA_DECRYPT=true
  CKA_WRAP=true
  CKA_UNWRAP=true
}

Locked on Oct 5 2018
Added on Sep 7 2018
0 comments
331 views
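
A check that can be run on the object returned by `cipher.unwrap(...)` to tell whether the key bytes are readable inside the JVM, added here as an example; it is not part of the original post and not Oracle's or the HSM vendor's code. It relies only on the `java.security.Key` contract, under which `getEncoded()` and `getFormat()` return `null` for a key that does not support encoding. The names `UnwrapExposureCheck`, `isExposed`, `requireOpaque` and the `OpaqueKey` stand-in for a token-resident key are hypothetical, and the sample key bytes are constructed.

```java
import java.security.Key;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class UnwrapExposureCheck {

    /** True when the key's raw bytes can be read by code running in this JVM. */
    static boolean isExposed(Key key) {
        byte[] encoded = key.getEncoded();   // null when the key does not support encoding
        if (encoded == null) {
            return false;
        }
        Arrays.fill(encoded, (byte) 0);      // wipe the copy this check pulled onto the heap
        return true;
    }

    /** Fail closed: refuse to continue with a key whose value is visible outside the token. */
    static <K extends Key> K requireOpaque(K key) {
        if (isExposed(key)) {
            throw new IllegalStateException("unwrapped " + key.getAlgorithm()
                + " key is readable in the JVM (format=" + key.getFormat()
                + ", class=" + key.getClass().getName() + ")");
        }
        return key;
    }

    /** Hypothetical stand-in for a key that exists only as a handle; used for this demo. */
    static final class OpaqueKey implements SecretKey {
        public String getAlgorithm() { return "AES"; }
        public String getFormat()    { return null; }
        public byte[] getEncoded()   { return null; }
    }

    public static void main(String[] args) {
        // Constructed sample: a software key, the situation the post describes.
        SecretKey software = new SecretKeySpec(new byte[16], "AES");
        System.out.println("software key exposed: " + isExposed(software));
        System.out.println("opaque key exposed:   " + isExposed(new OpaqueKey()));
        try {
            requireOpaque(software);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With a real token, the call from the post would be wrapped as `requireOpaque(cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY))`, and the reported class name shows whether the returned object is a provider key handle or a software key.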