Duncan Jones

Reputation: 69339

How to use PKCS#11 CKM_AES_KEY_WRAP mechanism in Java?

I'm working with some PKCS#11 tokens that insist on using CKM_AES_KEY_WRAP for unwrapping AES-encrypted keys. On these tokens, CKM_AES_CBC and friends don't support unwrap.

At the other end of this system, I therefore need to wrap a key using a PKCS#11 token accessed via Java.

SunPKCS11 doesn't appear to support CKM_AES_KEY_WRAP. Neither does IAIK, as far as I can tell. Does anyone have any suggestions for achieving this in Java?

Upvotes: 0

Views: 1979

Answers (1)

jariq

Reputation: 12108

CKM_AES_KEY_WRAP is a rather simple mechanism, so you don't need your PKCS#11 wrapper library to provide nice constants or enum members to use it.

You should be fine as long as your PKCS#11 wrapper library allows you to specify the wrapping mechanism as a ulong and its parameters as a byte[]. SunPKCS11 is quite limited, so I would try with IAIK first.

The following code sample demonstrates the idea with the Pkcs11Interop wrapper for .NET:

```csharp
// Acquire handle to keys
ObjectHandle wrappingKey = new ObjectHandle();
ObjectHandle toBeWrappedKey = new ObjectHandle();

// Define mechanism yourself
ulong CKM_AES_KEY_WRAP = 0x00002109;
byte[] CKM_AES_KEY_WRAP_PARAM = new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
Mechanism mechanism = new Mechanism(CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PARAM);

// Perform wrapping
byte[] wrappedKey = session.WrapKey(mechanism, wrappingKey, toBeWrappedKey);
```

Upvotes: 1
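Added example, not part of the original question or answer: a software reference for checking what a CKM_AES_KEY_WRAP blob should look like, using the JDK's own `AESWrap` cipher against the RFC 3394 section 4.1 test vector. It assumes the token implements the mechanism as RFC 3394 AES Key Wrap and is given the default IV (A6A6A6A6A6A6A6A6) rather than the custom 8-byte parameter shown in the answer; the class and method names are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example: software AES Key Wrap (RFC 3394, default IV A6A6A6A6A6A6A6A6)
// via the JDK's "AESWrap" cipher. Class and method names are hypothetical.
public class AesKeyWrapCheck {

    static byte[] wrap(byte[] kek, byte[] keyBytes) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, new SecretKeySpec(kek, "AES"));
        return c.wrap(new SecretKeySpec(keyBytes, "AES"));
    }

    static byte[] unwrap(byte[] kek, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, new SecretKeySpec(kek, "AES"));
        // Throws if the integrity check value inside the blob does not match.
        return c.unwrap(blob, "AES", Cipher.SECRET_KEY).getEncoded();
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // RFC 3394 section 4.1 test vector: 128-bit key data, 128-bit KEK.
        byte[] kek = hex("000102030405060708090A0B0C0D0E0F");
        byte[] key = hex("00112233445566778899AABBCCDDEEFF");
        byte[] expected = hex("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5");

        byte[] blob = wrap(kek, key);
        if (!Arrays.equals(blob, expected)) throw new IllegalStateException("KAT mismatch");
        if (!Arrays.equals(unwrap(kek, blob), key)) throw new IllegalStateException("round trip failed");

        blob[0] ^= 0x01; // flip one bit: unwrap must refuse the blob
        try {
            unwrap(kek, blob);
            throw new IllegalStateException("tampered blob accepted");
        } catch (GeneralSecurityException expectedFailure) {
            System.out.println("known answer matches; tampered blob rejected");
        }
    }
}
```

This holds key bytes in JVM memory, so use it only with throwaway test keys to confirm that a blob wrapped in software unwraps on the token (or the reverse) before wiring up the token-side wrap.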
