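import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.AlgorithmParameters;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

//glen.beasley@sun.com
//This is a sample test program
//the nss.cfg file
//name = NSSFIPS
//nssLibraryDirectory = ./lib
//nssSecmodDirectory = .
//nssDbMode = readWrite
//nssModule = fips
//
//http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html

/**
 * Sample program that loads the SunPKCS11 provider on top of an NSS database
 * (the FIPS module, per the nss.cfg sketched above), logs in to the token,
 * generates a 128-bit AES key on it and round-trips a short message through
 * AES/CBC/PKCS5Padding, checking that the decrypted bytes match the input.
 *
 * <p>Usage: {@code java sunpkcs11nss <nss.cfg> [password]}. The password may
 * be given as the second argument for compatibility with the original
 * invocation; when it is omitted and a console is attached the program prompts
 * for it without echo. Passing a password on the command line exposes it to
 * other local users through the process list, so the prompt is preferred.
 */
public class sunpkcs11nss {

    /** Message that is encrypted and then decrypted as the self-check. */
    private static final String TEST_MESSAGE = "testing NSS in FIPS MODE";

    /** Algorithm family used for the key and for decoding the cipher parameters. */
    private static final String ALG_FAMILY = "AES";

    /** Full transformation used for the encrypt/decrypt round trip. */
    private static final String ALG_TYPE = "AES/CBC/PKCS5Padding";

    /**
     * Entry point.
     *
     * @param args {@code args[0]} is the path to the nss.cfg file, optional
     *     {@code args[1]} is the NSS database password
     */
    public static void main(String[] args) {
        try {
            if (args.length < 1) {
                System.err.println("usage: sunpkcs11nss <nss.cfg> [password]");
                return;
            }
            // pass in nss.cfg file and "password" for the NSS databases
            String nssConfig = args[0];
            System.out.println("Initializing sunpkcs11-NSS " + nssConfig);
            // Java 6-era API kept as in the original sample; on Java 9+ the
            // equivalent is Security.getProvider("SunPKCS11").configure(nssConfig).
            Provider pkcs11NSS = new sun.security.pkcs11.SunPKCS11(nssConfig);
            Security.insertProviderAt(pkcs11NSS, 1);
            System.out.println("Initialized sunpkcs11-NSS");
            listProviders();

            login(pkcs11NSS, readPassword(args));

            SecretKey skey = generateKey(pkcs11NSS);

            roundTrip(pkcs11NSS, skey);
        } catch (Exception ex) {
            // sample program: report at the top-level boundary and stop
            ex.printStackTrace();
        }
    }

    /** Prints every installed provider in preference order. */
    private static void listProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("Provider " + i + ": " + providers[i].getName());
        }
    }

    /**
     * Returns the NSS database password: {@code args[1]} when given, otherwise
     * read from the console without echo.
     *
     * @throws IllegalStateException if no password argument was given and no
     *     console is attached to the JVM (e.g. output redirected)
     */
    private static char[] readPassword(String[] args) {
        if (args.length > 1) {
            return args[1].toCharArray();
        }
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException(
                    "no password argument given and no console available to prompt on");
        }
        return console.readPassword("NSS database password: ");
    }

    /**
     * Logs in to the PKCS#11 token by loading its KeyStore with the password,
     * then zeroes the password buffer so it does not linger on the heap.
     *
     * @throws Exception any KeyStore/PKCS#11 failure from the provider
     */
    private static void login(Provider pkcs11NSS, char[] password) throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11NSS);
            ks.load(null, password);
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Generates a 128-bit AES key on the token and reports which provider did it.
     *
     * @throws Exception if the provider cannot supply an AES KeyGenerator
     */
    private static SecretKey generateKey(Provider pkcs11NSS) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(ALG_FAMILY, pkcs11NSS);
        kg.init(128);
        SecretKey skey = kg.generateKey();
        System.out.println("Key generation done by " + kg.getProvider().toString());
        return skey;
    }

    /**
     * Encrypts {@link #TEST_MESSAGE}, decrypts the result with the same key and
     * the parameters (IV) the encrypt side produced, and reports whether the
     * recovered bytes equal the original plaintext.
     *
     * @throws Exception any Cipher/AlgorithmParameters failure from the provider
     */
    private static void roundTrip(Provider pkcs11NSS, SecretKey skey) throws Exception {
        // fixed charset: the default getBytes() depends on the platform locale
        byte[] plaintext = TEST_MESSAGE.getBytes(StandardCharsets.UTF_8);

        Cipher cipher = Cipher.getInstance(ALG_TYPE, pkcs11NSS);
        cipher.init(Cipher.ENCRYPT_MODE, skey);
        //generate the algorithm Parameters; they need to be
        //the same for encrypt/decrypt if they are needed.
        AlgorithmParameters ap = cipher.getParameters();
        byte[] encodedAlgParams = null;
        if (ap != null) {
            //get parameters to store away as example.
            encodedAlgParams = ap.getEncoded();
        }
        byte[] ciphertext = new byte[cipher.getOutputSize(plaintext.length)];
        int cLen = cipher.update(plaintext, 0, plaintext.length, ciphertext, 0);
        cLen += cipher.doFinal(ciphertext, cLen);
        System.out.println("encrypt op done by " + cipher.getProvider().toString());

        //decrypt
        cipher = Cipher.getInstance(ALG_TYPE, pkcs11NSS);
        if (encodedAlgParams == null) {
            cipher.init(Cipher.DECRYPT_MODE, skey);
        } else {
            //retrieve the algorithmParameters from the encoded array
            AlgorithmParameters aps = AlgorithmParameters.getInstance(ALG_FAMILY);
            aps.init(encodedAlgParams);
            cipher.init(Cipher.DECRYPT_MODE, skey, aps);
        }
        System.out.println("decrypt op done by " + cipher.getProvider().toString());
        byte[] recovered = new byte[cipher.getOutputSize(cLen)];
        int rLen = cipher.update(ciphertext, 0, cLen, recovered, 0);
        rLen += cipher.doFinal(recovered, rLen);

        //ensure the recovered bytes equal the original plaintext: compare only
        //the rLen bytes actually produced, so a length mismatch is detected too
        if (Arrays.equals(plaintext, Arrays.copyOf(recovered, rLen))) {
            System.out.println("recovered bytes equal " + "the original plaintext\n");
        } else {
            System.out.println("MISMATCH: recovered " + rLen + " bytes, expected "
                    + plaintext.length + " equal to the original plaintext\n");
        }
    }
}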