
I'm trying to encrypt using the loaded des key from KeyStore and I get:

Exception in thread "main" java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11SecretKey
    at javax.crypto.Cipher.chooseProvider(Cipher.java:878)
    at javax.crypto.Cipher.init(Cipher.java:1213)
    at javax.crypto.Cipher.init(Cipher.java:1153)

and this is my code:

import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;

public class DesSaveLoad {

    public static void main(String[] args) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, IllegalBlockSizeException, InvalidKeyException, BadPaddingException, NoSuchPaddingException, IOException, CertificateException {
        // Load the SunPKCS11 provider from pkcs11.cfg on the classpath and make it the first provider
        Provider provider = new sun.security.pkcs11.SunPKCS11(DesSaveLoad.class.getClassLoader().getResourceAsStream("pkcs11.cfg"));
        Security.removeProvider(provider.getName());
        Security.insertProviderAt(provider, 1);
        // Open the token-backed key store (PIN handling is left to the PKCS#11 configuration)
        KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
        keyStore.load(null, null);
        // Generate a software DES key, store it on the token and read it back as a token key
        SecretKey desKey = desGenerateKey();
        keyStore.setKeyEntry("t1", desKey, null, null);
        SecretKey t1 = (SecretKey) keyStore.getKey("t1", null);
        byte[] messageBytes = "message".getBytes();
        desEncrypt(messageBytes, 0, messageBytes.length, desKey); // software key: no exception
        desEncrypt(messageBytes, 0, messageBytes.length, t1);     // Exception is thrown here
    }

    public static SecretKey desGenerateKey() throws NoSuchAlgorithmException {
        KeyGenerator keygenerator = KeyGenerator.getInstance("DES");
        return keygenerator.generateKey();
    }

    public static byte[] desEncrypt(byte[] plainText, int offset, int size, SecretKey key) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
        // Pad only when the input is not a whole number of 8-byte DES blocks
        Cipher cipher;
        if (size % 8 != 0) {
            cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        } else {
            cipher = Cipher.getInstance("DES/ECB/NoPadding");
        }
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plainText, offset, size);
    }
}

As you can see there is no exception thrown when encrypting using generated des key.

Mab
  • When you're inserting a provider as the first one you may hide default Java providers. This may be dangerous and lead to errors like the observed one. Do you really need to insert your custom provider at the beginning of the provider list? – Jk1 Nov 02 '13 at 12:56
  • @Jk1 incorrect, that's not a custom provider, and it does play well with delayed provider selection (actually, it triggered the inclusion of delayed provider selection). – Maarten Bodewes Nov 03 '13 at 15:05
  • @owlstead, thanks for noticing. That's a plain old SunPKCS11, my bad – Jk1 Nov 03 '13 at 15:32

2 Answers

If you perform encryption using a HSM then the encryption procedure is performed within the HSM, not in the software. Cipher does not implement the encryption procedure itself. The underlying CipherSpi of the PKCS#11 provider for Cipher is chosen using delayed provider selection depending on the key given during the call to init(). So although the desEncrypt() function seems to perform the same operations, in reality the functionality depends on the provider, and in your case, on the PKCS#11 wrapper, library and of course HSM.

Now PKCS#11 is an interface specification; not all mechanisms in PKCS#11 will be implemented in every token. It is likely that some encryption algorithms are too obscure or too unsafe. The latter is probably the case for DES ECB, as that algorithm is extremely insecure. That does not mean that DES keys cannot be used in general - they could still play a role in e.g. MAC calculations. So please check the documentation of your HSM to see whether DES ECB is supported (in the current setting).

You can get more information about the PKCS#11 method calls by adding -Djava.security.debug=sunpkcs11 to your call to the Java interpreter (java or javaw). If DES does not work, try the much safer and more common "AES/CBC/PKCS5Padding" or triple DES mechanism.

Maarten Bodewes
  • Thanks. Do you know what service a provider should have so I can save a DES key using KeyStore? – Mab Nov 04 '13 at 07:15
  • Well, if your PKCS#11 lib does not accept it, you could try [JCEKS](http://stackoverflow.com/a/3027528/589259) (it seems) – Maarten Bodewes Nov 04 '13 at 07:56
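The answer above points out that with delayed provider selection the Cipher that actually runs is chosen from the key handed to init(), and that a token only offers the PKCS#11 mechanisms its library reports. The following is an added example (not code from the question or the answer) showing how to ask the SunPKCS11 provider which Cipher transformations it registers before using a token key, and how to encrypt with the suggested AES/CBC/PKCS5Padding while asking the key's own provider for the Cipher explicitly. The class name Pkcs11CipherCheck, the alias "aes1" and the list of transformations probed are assumptions; the pkcs11.cfg resource is the one from the question, and whether a given mechanism is offered depends on the token.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added example (hypothetical class name): probe a SunPKCS11 provider for Cipher
// support and encrypt with a token-resident AES key.
public class Pkcs11CipherCheck {

    // SunPKCS11 registers a Cipher service only for mechanisms the underlying
    // PKCS#11 library reports, so a null result means the token does not offer it.
    static boolean supports(Provider provider, String transformation) {
        return provider.getService("Cipher", transformation) != null;
    }

    // Encrypt with a key that lives on the token. The Cipher is requested from the
    // key's own provider instead of relying on delayed provider selection.
    static byte[] encryptWithTokenKey(Provider provider, SecretKey key, byte[] plaintext) throws Exception {
        String transformation = "AES/CBC/PKCS5Padding";
        if (!supports(provider, transformation)) {
            throw new IllegalStateException(provider.getName() + " does not offer Cipher." + transformation);
        }
        Cipher cipher = Cipher.getInstance(transformation, provider);
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);           // fresh IV per message
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        // Prepend the IV so the recipient can initialise the decryption side.
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        Provider provider = new sun.security.pkcs11.SunPKCS11(
                Pkcs11CipherCheck.class.getClassLoader().getResourceAsStream("pkcs11.cfg"));
        // Appending is enough here because every getInstance() below names the provider.
        Security.addProvider(provider);
        KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
        keyStore.load(null, null);

        // Report which of the transformations discussed on this page the token offers.
        String[] probes = {"DES/ECB/PKCS5Padding", "DES/ECB/NoPadding",
                           "DESede/CBC/PKCS5Padding", "AES/CBC/PKCS5Padding"};
        for (String t : probes) {
            System.out.println(t + ": " + (supports(provider, t) ? "offered" : "not offered")
                               + " by " + provider.getName());
        }

        // Generate the AES key inside the token so the key material never leaves the HSM,
        // store it under an alias (assumed name) and read it back as a token key.
        KeyGenerator kg = KeyGenerator.getInstance("AES", provider);
        kg.init(128);
        keyStore.setKeyEntry("aes1", kg.generateKey(), null, null);
        SecretKey loaded = (SecretKey) keyStore.getKey("aes1", null);

        byte[] ivAndCiphertext = encryptWithTokenKey(provider, loaded, "message".getBytes("UTF-8"));
        System.out.println("IV + ciphertext length: " + ivAndCiphertext.length);
    }
}
```

Run it with -Djava.security.debug=sunpkcs11 (the flag named in the answer) to see the C_GetMechanismList and C_EncryptInit calls behind the probe and the encryption; if the probe reports a DES transformation as "not offered", the InvalidKeyException from the question is expected for that token.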

See if this post helps

Either the key is incorrect (more likely) or the given key is not supported by the provider.

KeyStore.getInstance("PKCS11", provider);

PS: Are you using a custom provider?

Ravindra HV
  • I'm using sun.security.pkcs11.SunPKCS11 (oracle's). I tried to understand if the provider supports DES key, but I didn't find anything. – Mab Nov 02 '13 at 13:16
  • @MaziarAb - Perhaps I posted the 'answer' to your question too early. A keystore is used to store public key pairs (asymmetric). I should have asked you that first. If you are looking to generate a DES key [this](http://www.mkyong.com/java/jce-encryption-data-encryption-standard-des-tutorial/) should be of better help. – Ravindra HV Nov 02 '13 at 13:26
  • I want to store and retrieve DES key using KeyStore. For instance, I know it is possible using KeyStore.getInstance("JKS"), but in my case I need to use "PKCS11" as KeyStore type. – Mab Nov 02 '13 at 21:01
  • Keystores are not just for asymmetric keys (although the default JKS key store cannot handle secret keys up to Java 1.7), PKCS#11 is a known provider, and a DES tutorial is not useful in this case. This is not about access conditions (as in your first link). – Maarten Bodewes Nov 03 '13 at 13:36
  • @owlstead I did look into it and indeed find that keystores can also be used for DES. The reference I found is [here](http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html#OptionDefaults) – Ravindra HV Nov 03 '13 at 14:49
  • @MaziarAb Also as of JDK 1.7 there is no support for PKCS11 for 64 bit systems as noted [here](http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#Requirements). Are you using a 64 bit JDK? – Ravindra HV Nov 03 '13 at 14:58
  • @owlstead Just wanted to mention that the first link is not regarding DES. Also, I did check the [wiki](http://en.wikipedia.org/w/index.php?title=Keystore&oldid=570860709) entry before I wrote that. The comment is useful though. – Ravindra HV Nov 03 '13 at 15:12
  • I'm impressed how much you are going through to create an answer, Ravindra, but I'm afraid this has nothing to do with the access conditions mentioned in the first link. Note that I've written some providers (including large parts of an alternate PKCS#11 provider) for the company I'm working for. – Maarten Bodewes Nov 03 '13 at 15:30