I have a mozilla NSSDB PKCS11, it includes one of three things. Certificates, keys, and SecretKeyEntry. I would like to know the content of a SecretKeyEntry with the alias "StoreXKey". Firstly, is extracting the plaintext of a SecretKeyEntry possible? I seem to think so because of links: https://technosock.blogspot.com/2007/12/token-knowledge.html and https://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.SecretKeyEntry.html#getSecretKey
First link gives a way to do it ( which doesn't work for me ) the second link gives us a few methods, namely .getEncoded() which can supposedly be called on a SecretKeyEntry to get the byte array information.
Here is my code thus far, all results hit a null pointer exception when using the getEncoded message. I am sure the SecretKeyEntry exists in the NSSDB.
String configFile = "config.cfg";Any help / advice or links are appreciated.
I have a mozilla NSSDB PKCS11, it includes one of three things. Certificates, keys, and SecretKeyEntry. I would like to know the content of a SecretKeyEntry with the alias "StoreXKey". Firstly, is extracting the plaintext of a SecretKeyEntry possible? I seem to think so because of links: https://technosock.blogspot.com/2007/12/token-knowledge.html and https://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.SecretKeyEntry.html#getSecretKey
The answer is: "sort of, it's discouraged." In general NSS avoids giving application access to any cryptographically sensitive value. These include, secret keys, private keys, and internal RNG states. NSS does allow these things to be exported when wrapped with another secret key, so the application can transport and store these values, but not examine them.
The reason for this is two fold: 1) NSS is trying to preserve
semantics between it's software key store and various hardware
cryptographic token. The idea is we want NSS application to work
with hardware tokens by just 'dropping it in' without extra work
in the application. 2) when operating in FIPS mode, NSS manages
all the FIPS requirements on the lifecycle (including the need to
clear) this sensitive data. 3) Usually applications don't actually
need to extract a key. I always ask the question, "Why do you need
this?". In all the time I've worked on NSS (decades), I've only
had 2 legitimate cases where it was necessary (one was key
exchange with the kernel, the other was the key wasn't really a
key, but a hash and NSS didn't provide an interface to access the
hash as a hash). If this is a key exchange issue (you need to put
the key in another provider), then I would suggest using a
keyExchange algorithm and move the key encrypted between the two
providers.
Preliminaries done, NSS provides a way to access secret keys
using PK11_GetKeyData(). This function may return NULL if you are
using a hardware token, or your NSS token is in FIPS mode. There
are tricks to get around this, but it looks like you aren't using
NSS directly, but trying to access softoken through the Jave Sun
PKCS11 provider....
First link gives a way to do it ( which doesn't work for me ) the second link gives us a few methods, namely .getEncoded() which can supposedly be called on a SecretKeyEntry to get the byte array information.
Here is my code thus far, all results hit a null pointer exception when using the getEncoded message. I am sure the SecretKeyEntry exists in the NSSDB.
String configFile = "config.cfg";Provider provider = Security.getProvider("SunPKCS11"); // I am confused on how to incorporate the config file as well./* provider = provider.configure(configFile); // Does not work */ Security.addProvider(provider);
String defaultPIN = "--.--.--.--.----.-...-.--";try{KeyStore ks = KeyStore.getInstance("PKCS11");ks.load(null, defaultPIN.toCharArray());KeyStore.SecretKeyEntry skEntry = (KeyStore.SecretKeyEntry)ks.getEntry("StoreXKey",null); // Do I need a password protector here?System.out.println(new String(skEntry.getSecretKey().getEncoded())); <-- Error is thrown here.
If you are in FIPS mode, even with the Java PKCS11 provider properly initialized, This will likely fail because Java won't be able to access the secretKey directly, so getEncoded() will never work.
Again, I ask: what do you need the plaintext key for?
bob
}catch (Exception e){ e.printStackTrace(); }Any help / advice or links are appreciated.
--
You received this message because you are subscribed to the Google Groups "dev-tec...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-tech-cryp...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/ee327174-46a8-4392-a3a5-8fdf76b3c984n%40mozilla.org.