
When I try to import a secp256k1 private key into my CloudHSM instance, I get the error "java.security.InvalidKeyException: The key is an instance of CaviumKey and cannot be imported." Importing a secp256r1 private key works fine.

I'm using the provided examples as guidance (https://github.com/aws-samples/aws-cloudhsm-jce-examples) and it seems that the exportKey method doesn't convert the key to a privateKey, but returns a CaviumKey instead (I've linked to the line in the method below).

https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/master/src/main/java/com/amazonaws/cloudhsm/examples/KeyUtilitiesRunner.java#L278

/**
 * Export an existing persisted key.
 * @param handle The key handle in the HSM.
 * @return Key object
 */
private static Key exportKey(long handle) {
    try {
        byte[] keyAttribute = Util.getKeyAttributes(handle);
        CaviumKeyAttributes cka = new CaviumKeyAttributes(keyAttribute);
        System.out.println(cka.isExtractable());
        byte[] encoded = Util.exportKey(handle);
        if (cka.getKeyType() == CaviumKeyAttributes.KEY_TYPE_AES) {
            return new SecretKeySpec(encoded, 0, encoded.length, "AES");
        } else if (cka.getKeyType() == CaviumKeyAttributes.KEY_TYPE_RSA && cka.getKeyClass() == CaviumKeyAttributes.CLASS_PRIVATE_KEY) {
            // No provider is named, so KeyFactory.getInstance uses the highest-priority provider that offers "RSA".
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(encoded));
        } else if (cka.getKeyType() == CaviumKeyAttributes.KEY_TYPE_RSA && cka.getKeyClass() == CaviumKeyAttributes.CLASS_PUBLIC_KEY) {
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(encoded));
        } else if (cka.getKeyType() == CaviumKeyAttributes.KEY_TYPE_EC && cka.getKeyClass() == CaviumKeyAttributes.CLASS_PRIVATE_KEY) {
            // Same lookup rule for "EC": if the Cavium provider is ahead of the software providers,
            // the PrivateKey returned here is its CaviumKey class rather than a plain software key.
            return KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(encoded));
        } else if (cka.getKeyType() == CaviumKeyAttributes.KEY_TYPE_EC && cka.getKeyClass() == CaviumKeyAttributes.CLASS_PUBLIC_KEY) {
            return KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(encoded));
        }
    } catch (BadPaddingException | CFM2Exception | InvalidKeySpecException | NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    return null;
}

This function returns a PrivateKey that is still an instance of CaviumKey, which throws an error when trying to import into the HSM via the Cavium libraries.

Does anyone have an idea of why this is happening or how I could fix this?

John Quiwa
  • Probably the Cavium library is simply the highest provider that provides the given services (KeyFactories). Explicitly using another provider or moving the Cavium provider further down the list would do the trick. – Maarten Bodewes Jul 25 '19 at 15:24
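To illustrate the provider-ordering point in the comment above, here is an added example (not code from the question or from the aws-cloudhsm-jce-examples repository). It lists which registered providers offer an EC KeyFactory, shows which one an unqualified KeyFactory.getInstance("EC") resolves to, and then pins the decode to the SunEC provider so the returned object is a plain software PrivateKey. The class name EcProviderPinning and the decodeWith helper are assumptions of this example; it generates its own throwaway secp256r1 key so it runs without an HSM.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.PKCS8EncodedKeySpec;

/** Which provider answers KeyFactory.getInstance("EC"), and how to pin the lookup to a software provider. */
public class EcProviderPinning {
    /** Prints every registered provider offering an EC KeyFactory, in lookup priority order. */
    static void listEcKeyFactoryProviders() {
        Provider[] providers = Security.getProviders("KeyFactory.EC"); // null when none match
        if (providers == null) {
            System.out.println("no provider offers KeyFactory.EC");
            return;
        }
        for (Provider p : providers) {
            System.out.println("KeyFactory.EC offered by: " + p.getName());
        }
    }

    /** Decodes a PKCS#8 EC private key with the named provider only (helper assumed for this example). */
    static PrivateKey decodeWith(String providerName, byte[] pkcs8) throws Exception {
        return KeyFactory.getInstance("EC", providerName).generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
    }

    public static void main(String[] args) throws Exception {
        listEcKeyFactoryProviders();

        // Constructed sample key: a throwaway secp256r1 key generated in software, so no HSM is needed.
        // (secp256k1 needs a software provider that still ships that curve, e.g. BouncyCastle on newer JDKs.)
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "SunEC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        byte[] pkcs8 = kpg.generateKeyPair().getPrivate().getEncoded();

        // Unpinned lookup: the first matching provider wins. If the Cavium provider sits ahead of SunEC,
        // this is the path that returns a CaviumKey rather than a plain software key.
        KeyFactory defaultKf = KeyFactory.getInstance("EC");
        PrivateKey viaDefault = defaultKf.generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        System.out.println("default: " + defaultKf.getProvider().getName() + " -> " + viaDefault.getClass().getName());

        // Pinned lookup: always SunEC's own key class, which is what an import routine expects as input.
        PrivateKey viaSunEc = decodeWith("SunEC", pkcs8);
        System.out.println("pinned:  SunEC -> " + viaSunEc.getClass().getName());
    }
}
```

The alternative the comment mentions, moving the HSM provider further down the list (Security.removeProvider followed by Security.insertProviderAt), changes the default for every unqualified lookup in the JVM, so pinning the provider at the one call site is the narrower fix.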

1 Answer


Instead of EC, did you try CaviumKeyAttributes.KEY_TYPE_ECDSA?