Hi,

I'm working with NSS from Java (via the Java 6 PKCS11 provider on RHEL 5).
My NSS database is configured for FIPS-140 mode, and I try to wrap/unwrap
an AES key with an RSA public/private key pair as follows:

    import java.security.*;
    import javax.crypto.*;

    public class EncryptionTest {
        public static void main(String[] args) throws Exception {
            // open NSS keystore (the PKCS11 provider is backed by the NSS database)
            char[] nssDBPassword = {'f', 'i', 'p', 's', '1', '4', '0', '-', '2'};
            KeyStore ks = KeyStore.getInstance("PKCS11");
            ks.load(null, nssDBPassword);
            Provider p = ks.getProvider();

            // generate RSA key pair
            KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA", p);
            KeyPair keyPair = keyPairGen.generateKeyPair();

            // generate AES key
            KeyGenerator keyGen = KeyGenerator.getInstance("AES", p);
            keyGen.init(128);
            Key rawKey = keyGen.generateKey();
            System.out.println("raw Key : " + rawKey);

            // wrap key
            Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
            cipher.init(Cipher.WRAP_MODE, keyPair.getPublic());
            byte[] wrappedData = cipher.wrap(rawKey);

            // unwrap key
            cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
            cipher.init(Cipher.UNWRAP_MODE, keyPair.getPrivate());
            Key unwrappedKey = cipher.unwrap(wrappedData, "AES", Cipher.SECRET_KEY);

            // encode data (this init call is where the exception is thrown)
            cipher = Cipher.getInstance("AES/CBC/NoPadding", p);
            cipher.init(Cipher.ENCRYPT_MODE, unwrappedKey);
        }
    }

The wrap/unwrap code seems to work fine. But when I attempt to perform
encoding with the unwrapped key, I get the following exception
(which, as far as I understand, seems to suggest that the key doesn't
reside inside the NSS crypto token):

  raw Key : SunPKCS11-NSScrypto AES secret key, 128 bits (id 12, session object, sensitive, extractable)
  java.security.InvalidKeyException: Could not create key
        at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:226)
        at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:131)
        at sun.security.pkcs11.P11Cipher.engineGetKeySize(P11Cipher.java:582)
        at javax.crypto.Cipher.b(DashoA13*..)
        at javax.crypto.Cipher.a(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at EncryptionTest.main(EncryptionTest.java:88)

Can anybody tell me what I am doing wrong? Or, maybe, point me to
some working Java code that performs wrap/unwrap of the key in the NSS
token?

Thank you in advance,
      Alex
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
