Hi,
I'm a new incomer trying to handle keying material for NSS fips mode.
This is the case:
I am working with pkcs11 provider on Solaris 10, which is configured to work
with mozilla NSS provider.
This is my configuration file for pkcs11 provider:
name = NSScrypto
nssLibraryDirectory = /opt/nss/lib
nssSecmodDirectory = /opt/nss/fipsdb
nssModule = fips
I've created NSS Database and modified it to work in fips module:
certutil -N -d /opt/nss/fipsdb
modutil -fips true -dbdir /opt/nss/fipsdb
Then I created a key in the DB:
symkeyutil -K -n test1 -t des3 -d /opt/nss/fipsdb
Now let's get to my Java code which should retrieve the key from the DB and use
it as a SecretKey to encrypt/decrypt passwords.
This is a class which encrypts password:
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.SecretKey;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import java.security.*;
public class encryptPass
{
public static void main(String[] args)
{
try
{
String configFileName = "/opt/nss/pkcs11.cfg";
java.security.Provider nss = new
sun.security.pkcs11.SunPKCS11(configFileName);
java.security.Security.insertProviderAt(nss,1);
java.security.KeyStore ks =
java.security.KeyStore.getInstance("PKCS11", nss);
char[] nssDBPassword = {'f','i','p','s','1','4','0','-','2'};
ks.load(null, nssDBPassword);
SecretKey key = (SecretKey) ks.getKey("test1", nssDBPassword);
//iv for CBC mode - note, in practice you don't generate a random iv
for decryption :)
byte[] iv = new byte[8]; //64-bit block size for 3DES
SecureRandom sr = SecureRandom.getInstance("PKCS11", nss);
sr.nextBytes(iv);
IvParameterSpec params = new IvParameterSpec(iv);
Cipher encryptCipher = Cipher.getInstance("DESede/CBC/NoPadding",
nss);
encryptCipher.init(Cipher.ENCRYPT_MODE, key, params);
System.out.println("encryptCipher provider: " +
encryptCipher.getProvider().getName());
String password = "passwordString";
byte[] passBytes = password.getBytes();
byte[] passBytesEncrypt = encryptCipher.doFinal(passBytes);
}
catch (Exception ex)
{
ex.printStackTrace();
}
}
}
The output from the class execution is:
encryptCipher provider: SunPKCS11-NSScrypto
java.security.ProviderException: update() failed
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:460)
at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:391)
at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:422)
at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:409)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at encryptPass.main(encryptPass.java:48)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:450)
... 5 more
>From the other hand I have a symmetric class which decrypts the passwords with
>the same doFinal method (the difference is that the cipher is initialized in
>DECRYPT_MODE) and it succeeds to run.
Any suggestions will be appreciated.
________________________________
This email and any files transmitted with it are confidential material. They
are intended solely for the use of the designated individual or entity to whom
they are addressed. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, use, distribution or
copying of this communication is strictly prohibited and may be unlawful.
If you have received this email in error please immediately notify the sender
and delete or destroy any copy of this message
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
