I would like to use a PKCS#11 compatible cryptographic USB token to generate an AES key and show its value on screen.
For that purpose I want to use the IAIK PKCS#11 wrapper.
I tried to generate the key using the example provided with the IAIK package, but with no success. The key is generated, but I can't see any value for the key. What should I do to see the key value so that I can show it on screen?
Here is my code:
import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.Slot;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.AESSecretKey;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;

public class GenerateAesKey {
    public static void main(String[] args) throws Exception {
        // output_ in the IAIK demos is a PrintWriter; System.out does the same job here
        java.io.PrintStream output_ = System.out;

        Module pkcs11Module = Module.getInstance("pkcs11.dll");
        pkcs11Module.initialize(null);
        Slot[] slots = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
        if (slots.length == 0) {
            output_.println("No slot with present token found!");
            throw new TokenException("No token found!");
        }
        // slot 0
        Slot selectedSlot = slots[0];
        Token token = selectedSlot.getToken();
        Session session = token.openSession(Token.SessionType.SERIAL_SESSION,
                Token.SessionReadWriteBehavior.RW_SESSION, null, null);
        session.login(Session.UserType.USER, "12345678".toCharArray());

        // Template: only CKA_VALUE_LEN is set, every other attribute is the token's default
        Mechanism keyGenerationMechanism = Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN);
        AESSecretKey aesKey = new AESSecretKey();
        aesKey.getValueLen().setLongValue(Long.valueOf(32));
        AESSecretKey aesKeyNew = (AESSecretKey) session.generateKey(keyGenerationMechanism, aesKey);

        // toString() dumps every attribute the wrapper managed to read back from the token
        output_.println("the AES Key is: ");
        output_.println(aesKeyNew.toString());

        session.closeSession();
        pkcs11Module.finalize(null);
    }
}
The result is as follows:
the AES Key is:
Object Class: Secret Key
Token: false
Private: false
Modifiable: true
Label: <NULL_PTR>
Key Type: AES
ID: <NULL_PTR>
Start Date: <NULL_PTR>
End Date: <NULL_PTR>
Derive: true
Local: true
Key Generation Mechanism: CKM_AES_KEY_GEN
Allowed Mechanisms: <Attribute not present>
Sensitive: false
Encrypt: true
Decrypt: true
Sign: false
Verify: false
Wrap: true
Unwrap: true
Extractable: true
Always Sensitive: false
Never Extractable: true
Check Value: <Attribute not present>
Wrap With Trusted: <Attribute not present>
Trusted: <Attribute not present>
Wrap Template: <Attribute not present>
Unwrap Template: <Attribute not present>
Value (hex): <NULL_PTR>
Value Length (dec): 0
There is the Value (hex) attribute that I want to see and show on screen. Is this about a specific configuration of cryptographic tokens? When I use a different token, I do see this value.
According to what you show us, the PKCS#11 attribute CKA_SENSITIVE set to false indicates that you should be able to view the value. It is however likely that the token does not allow you to extract the value. Most of these kinds of tokens do not fully implement PKCS#11 and only allow certain operations to take place. If this is true then it should not be possible to set CKA_SENSITIVE to false, but that's IT for you... I would track down the manufacturer (or, if possible, the developer) of the token and ask for the specific functionality implemented by the token.
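One way to make the token's answer explicit, added here as an example and not code from the question, the answer or the IAIK wrapper's own demos: ask for CKA_SENSITIVE=false and CKA_EXTRACTABLE=true in the template, then read the key's attributes back through the raw C_GetAttributeValue call, so that a token which refuses to export the key shows it as a PKCS#11 error code (or an empty value) instead of a silently blank dump. The module path "pkcs11.dll" and the PIN are placeholders for your token, the class name AesKeyExportCheck and the helpers attr() and hex() are mine, and the code can also be pointed at a software PKCS#11 module for testing.

```java
import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.Slot;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.objects.AESSecretKey;
import iaik.pkcs.pkcs11.wrapper.CK_ATTRIBUTE;
import iaik.pkcs.pkcs11.wrapper.PKCS11;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;
import iaik.pkcs.pkcs11.wrapper.PKCS11Exception;

public class AesKeyExportCheck {

    // Placeholders (assumptions): library name and user PIN depend on your token.
    private static final String MODULE_PATH = "pkcs11.dll";
    private static final char[] USER_PIN = "12345678".toCharArray();

    public static void main(String[] args) throws Exception {
        Module module = Module.getInstance(MODULE_PATH);
        module.initialize(null);
        try {
            Slot[] slots = module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
            if (slots.length == 0) {
                throw new IllegalStateException("No token present");
            }
            Token token = slots[0].getToken();
            Session session = token.openSession(Token.SessionType.SERIAL_SESSION,
                    Token.SessionReadWriteBehavior.RW_SESSION, null, null);
            try {
                session.login(Session.UserType.USER, USER_PIN);

                // Explicitly request an exportable session key. A token that confines
                // keys may ignore these attributes or reject the template.
                AESSecretKey template = new AESSecretKey();
                template.getValueLen().setLongValue(Long.valueOf(32));
                template.getToken().setBooleanValue(Boolean.FALSE);
                template.getSensitive().setBooleanValue(Boolean.FALSE);
                template.getExtractable().setBooleanValue(Boolean.TRUE);

                AESSecretKey key = (AESSecretKey) session.generateKey(
                        Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN), template);

                // Go below the object layer: the raw call shows exactly what the
                // token returns, including the error code when it refuses.
                PKCS11 p11 = module.getPKCS11Module();
                long hSession = session.getSessionHandle();
                long hKey = key.getObjectHandle();

                CK_ATTRIBUTE[] flags = {
                    attr(PKCS11Constants.CKA_SENSITIVE),
                    attr(PKCS11Constants.CKA_ALWAYS_SENSITIVE),
                    attr(PKCS11Constants.CKA_EXTRACTABLE),
                    attr(PKCS11Constants.CKA_NEVER_EXTRACTABLE),
                    attr(PKCS11Constants.CKA_VALUE_LEN),
                };
                p11.C_GetAttributeValue(hSession, hKey, flags);
                for (CK_ATTRIBUTE a : flags) {
                    System.out.println(a); // CK_ATTRIBUTE.toString() prints type and value
                }

                CK_ATTRIBUTE[] value = { attr(PKCS11Constants.CKA_VALUE) };
                try {
                    p11.C_GetAttributeValue(hSession, hKey, value);
                    byte[] raw = (byte[]) value[0].pValue;
                    if (raw == null || raw.length == 0) {
                        System.out.println("Token returned an empty CKA_VALUE");
                    } else {
                        System.out.println("CKA_VALUE (" + raw.length + " bytes): " + hex(raw));
                    }
                } catch (PKCS11Exception e) {
                    if (e.getErrorCode() == PKCS11Constants.CKR_ATTRIBUTE_SENSITIVE) {
                        System.out.println("Token refuses to export CKA_VALUE (CKR_ATTRIBUTE_SENSITIVE)");
                    } else {
                        throw e;
                    }
                }
            } finally {
                session.closeSession();
            }
        } finally {
            module.finalize(null);
        }
    }

    // Attribute with no buffer: the wrapper queries the size and allocates it.
    private static CK_ATTRIBUTE attr(long type) {
        CK_ATTRIBUTE a = new CK_ATTRIBUTE();
        a.type = type;
        return a;
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }
}
```

On a token that keeps keys inside the hardware, expect the CKA_VALUE read to fail with CKR_ATTRIBUTE_SENSITIVE or to come back empty, and expect CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE to be reported as true whatever the template asked for. The dump in the question, which reports Extractable: true next to Never Extractable: true, is inconsistent with the PKCS#11 definition of CKA_NEVER_EXTRACTABLE (true only while CKA_EXTRACTABLE has never been true), which supports the suspicion of an incomplete implementation. Reading raw key bytes out of a token also defeats the reason for generating the key there; where a copy of the key has to leave the device, the portable route is C_WrapKey under a transport key rather than C_GetAttributeValue on CKA_VALUE.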