I use Safenet HSM in my software for generate and keep the the key. After each time run the software generate key in HSM but after each time the key is same. The HSM generate same key for Infinite run the software. Why? I use this attribute for HSM in software :
library=/usr/lunasa/lib/libCryptoki2.so slot=1 attributes(generate, *, ) = { CKA_TOKEN = true } attributes(, CKO_PUBLIC_KEY, ) = { CKA_ENCRYPT = true CKA_VERIFY = true CKA_WRAP = true } attributes(, CKO_PRIVATE_KEY, *) = { CKA_PRIVATE = true
CKA_EXTRACTABLE = false CKA_SIGN = true CKA_UNWRAP = true }
I shall be use random seed for generate random RSA key any time in HSM? This picture show attribute in config file of HSM.hsm.properties And in source code I use this code
protected KeyPair generateKeyPair(int purpose, String keyPairAlias) throws ManagerException, SQLException {
PreparedStatement stmt;
int iType;
String name = device.name().toLowerCase();
if (name.equals("software")) {
iType = 0;
} else if (name.equals("hsm")) {
iType = 1;
} else {
throw new IllegalArgumentException("key manager type not recognised.");
}
String alg = parameters.getProperty("keypair_alg", "rsa").toLowerCase();
KeyManager.KEY_PAIR_ALG keyalg;
if (alg.equals("rsa")) {
keyalg = KeyManager.KEY_PAIR_ALG.RSA;
} else if (alg.equals("dsa")) {
keyalg = KeyManager.KEY_PAIR_ALG.DSA;
} else {
throw new IllegalArgumentException("key pair algorithm not recognised.");
}
int size = Integer.parseInt(parameters.getProperty("root_key_length", "1024"));
String alias = parameters.getProperty("keypair_alias", keyPairAlias);
KeyManager manager = new KeyManager(device);
if((manager.containsAlias(alias))&&(device==CryptoSettings.CRYPTO_DEVICE.HSM)){
manager.deleteEntry(alias);
}
keyPair = manager.generateKeyPair(keyalg, size);
String sql = "insert into " + schema + ".keys";
sql += "(id, status, alias, algorithm, length, type1, usage, usagenote, storagetype) values(";
sql += "nextval('" + schema + ".seq_" + schema + "_keys_id'),1,?,?,?,?,?,?,?)";
stmt = cnn.prepareStatement(sql);
//perpare to insert public key
stmt.setString(1, alias + "_pub");
stmt.setString(2, alg.toUpperCase());
stmt.setInt(3, size);
stmt.setInt(4, 1); //public key
stmt.setInt(5, purpose); //key pair will be used for external signature purposes.
stmt.setString(6, "This key will be used for external signature generation purpose.");
stmt.setInt(7, iType);
stmt.execute();
stmt = cnn.prepareStatement(sql);
//perpare to insert private key
stmt.setString(1, alias + "_prv");
stmt.setString(2, alg.toUpperCase());
stmt.setInt(3, size);
stmt.setInt(4, 2); //private key
stmt.setInt(5, purpose); //key pair will be used for external signature purposes.
stmt.setString(6, "This key will be used for external signature verification purpose.");
stmt.setInt(7, iType);
stmt.execute();
sql = "insert into " + schema + ".keypair(id, publickeyid, privatekeyid) " +
"values(nextval('" + schema + ".seq_" + schema + "_keypair_id')," +
"currval('" + schema + ".seq_" + schema + "_keys_id')-1,currval('" + schema + ".seq_" + schema + "_keys_id'))";
System.out.println(sql);
stmt = cnn.prepareStatement(sql);
stmt.execute();
if (device == CryptoSettings.CRYPTO_DEVICE.HSM) {
manager.save(keyPair, alias);
} else {
sql = "insert into keystore(id,keyid,rawdata) values(seq_" + schema + "_keystore_id.nextval," +
"seq_" + schema + "_key_id.currval-1,?)";
stmt = cnn.prepareStatement(sql);
stmt.setBytes(1, keyPair.getPublic().getEncoded());
stmt.execute();
sql = "insert into keystore(id,keyid,rawdata) values(seq_" + schema + "_keystore_id.nextval," +
"seq_" + schema + "_key_id.currval,?)";
stmt = cnn.prepareStatement(sql);
stmt.setBytes(1, keyPair.getPrivate().getEncoded());
stmt.execute();
}
return keyPair;
}
and this
public KeyPair generateKeyPair(KEY_PAIR_ALG alg, int size) throws ManagerException {
KeyPair result = null;
try {
java.security.KeyPairGenerator keygen;
keygen = java.security.KeyPairGenerator.getInstance(alg.name(), Settings.getProvider(type));
keygen.initialize(size);
java.security.KeyPair keypair = keygen.generateKeyPair();
result = KeyPairImpl.getInstance(keypair, type);
} catch (Throwable t) {
throw new ManagerException(t);
}
return result;
}
and Provider code is
public static Provider getProvider(CryptoSettings.CRYPTO_DEVICE type) {
Provider result = null;
switch (type) {
case Software:
result = bcProvider;
break;
case HSM:
result = hsmprovider;
break;
case AdminToken:
result = adminTokenProvider;
break;
case UserToken:
result = userTokenProvider;
break;
}
Why have same key in any time?