xipki / pkcs11wrapper Goto Github PK

Unable to load PKCS11Library.dll

Getting below error when try to load library.
java11_error.txt

> It worked fine with oracle jre 8.

Thank you!

Hi Xipki, i would like to use a private key in my HSM Safenet into an SSL Connection, i saw that should use
Provider p = new SunPKCS11("/home/test/pkcs11.cfg")

should i use libcryptoki.so of Safenet or could also use pkcs11wrapper ? I haven't found some examples.
Could you help me ?

Hi,
i trying to use CKM_RSA_PKCS_OAEP to decrypt using an RSA private key. I using this parameters:

Mechanism mech = new Mechanism(PKCS11Constants.CKM_RSA_PKCS_OAEP);

RSAPkcsOaepParameters params = new RSAPkcsOaepParameters(
    PKCS11Constants.CKM_SHA_1, 
    PKCS11Constants.CKG_MGF1_SHA1,
    PKCS11Constants.CKZ_SALT_SPECIFIED, 
    null);

mech.setParameters(params);

but when i try to

session.decryptInit(mech, keyToUse);

i receive always

Unsupported Parameters iaik.pkcs.pkcs11.parameters.RSAPkcsOaepParameters

i tested feature using the same parameters with a .Net PKCS11Interop and it work only using
Net.Pkcs11Interop.HighLevelAPI80.MechanismParams.CkRsaPkcsOaepParams

could you help me ?

Hi Xipki,
i trying to pass CKA_VALUE for a CKK_DES2 test key but i receive always:
Unsupported attribute 0x11 for iaik.pkcs.pkcs11.objects.SecretKey.

I use:

byte[] keyValue = new byte[] { ... };
SecretKey key_template = SecretKey();
((SecretKey) key_template).getLabel().setValue("TESTKEY-LABEL".toCharArray());
key_template.putAttribute(PKCS11Constants.CKA_TOKEN, true);
key_template.putAttribute(PKCS11Constants.CKA_KEY_TYPE, PKCS11Constants.CKK_DES2);
...
key_template.putAttribute(PKCS11Constants.CKA_VALUE, keyValue);

((Session) session).createObject(key_template);

Could you help me ?

When performing any PKCS11 cryptographic operation using Java 11, I'm getting similar warnings in the console: (example is for GCM encryption)

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by iaik.pkcs.pkcs11.parameters.GCMParameters (file:/C:/Users/{user}/.m2/repository/org/xipki/iaik/sunpkcs11-wrapper/1.4.7/sunpkcs11-wrapper-1.4.7.jar) to constructor sun.security.pkcs11.wrapper.CK_GCM_PARAMS(int,byte[],byte[])
WARNING: Please consider reporting this to the maintainers of iaik.pkcs.pkcs11.parameters.GCMParameters
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

The operation is nevertheless successful, but from the message it looks like it might eventually stop working for newer versions of Java.

Java version: openjdk 11.0.10 2021-01-19

Hi Xipki, i would like to implement a right pattern in case of restart hsm necessary.
I saw that, after i restarted hsm, i received this error on next use
Unknwon mechanism with code: 0x0000000080000384

Which should be a right pattern ?

• Is there a method to check module state ? So i could try to check state before perform operations.
• If there is a specific exception, i could try to manage exception and launch reinit module (should i finalize and initialize in this case ?)
• i could try to use getInfo() to detect if module state is no good ?
• Should i shutdown and restart application completely ?

Hi Xipki,
i trying to generate signature using mechanism PKCS11Constants.CKM_SHA256_RSA_PKCS_PSS and params:

iaik.pkcs.pkcs11.parameters.Parameters mechParams = new RSAPkcsPssParameters(Mechanism.get(PKCS11Constants.CKM_SHA256),
		PKCS11Constants.CKG_MGF1_SHA256, new SHA256Digest().getDigestSize());

but i receive always CKR_MECHANISM_INVALID

i saw also that RSAPkcsPssParameters was deprecated but i doesn't found any new pattern.

Could you help me ?

While

Hi Xipki,
i tring to generate an AES CMAC using a 128 bit key but i receive a 64 bit MAC instead 128 bit. I saw that

...References [NIST SP800-38B] and [RFC 4493] recommend that the output MAC is not truncated to less
than 64 bits. The MAC length must be specified before the communication starts, and must not be
changed during the lifetime of the key...

i use a simple code to generate mac but i don't konw how specify MAC length, seems that CKM_AES_CMAC have not parameter

Mechanism mech = new Mechanism(PKCS11Constants.CKM_AES_CMAC);
((Session) session).signInit(mech, (Key) key);
byte[] signedData = ((Session) session).sign(data);

could you help me ?

2021-09-29 update: seems that could be an HSM bug, SafeNet ProtectServer appliance. I opened a case on Thales Customer Support system. I will keep the post updated.

i'm try to cast the keypair generated from the library to java keypair but it throws error casting, because i need to generate csr with the generated keypair from this library

Hello,

Currently I work on a cryptography project where we implement all communication with HSM using sunPKCS11, however in the most current versions of Java the sunPKCS11 package is no longer directly accessible, and being encapsulated in a provider, something that limits a lot of our work, especially the use of DES2 keys among other functions.

This project also directly accesses the sunPKCS11 classes (ex. import sun.security.pkcs11.wrapper.PKCS11). I would like to know if you already have any idea how this will be solved using Java version 11 for example.

All the best, thank you.

https://github.com/xipki/pkcs11wrapper/blob/sunpkcs11/src/java/src/iaik/pkcs/pkcs11/Token.java#L451 is commented out for some reason.
Could you please provide background for its removal or fix it?

Hi xipki,
i trying to use your wrapper instead mikma but i saw that some objects are missing:
iaik.pkcs.pkcs11.objects.AESSecretKey
iaik.pkcs.pkcs11.objects.ECDSAPrivateKey
iaik.pkcs.pkcs11.objects.ECDSAPublicKey
iaik.pkcs.pkcs11.objects.Object
iaik.pkcs.pkcs11.parameters.Parameters
iaik.pkcs.pkcs11.wrapper.PKCS11Constants
iaik.pkcs.pkcs11.wrapper.Functions

and some methods:
Token.closeAllSessions()
Session.destroyObject(PKCS11Object)

have you planning a roadmap for porting ?

regards
Armando