How to generate key in HSM with IAIK PKCS11 library


I am using the IAIK wrapper to send pkcs11 requests to my Bull HSM. My objective is to generate a consistent key (token = true). The problem is that I always have this error code:

Exception in thread "main" iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_READ_ONLY

I can't understand why it is read-only. To initialise my session I do the following (using the RW_SESSION option):

import java.io.IOException;

import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.AESSecretKey;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;

...

// Session shared by initHSM() and generateAESKey()
private static Session session;

static String libP11 = "nethsm.dll";
static String hsmPassword = "123456";
static int hsmSlotId = 1;

private static void initHSM() throws IOException, TokenException {
    Module module = Module.getInstance(libP11);
    module.initialize(null);
    // Slot ids on this HSM are 1-based; the slot list is 0-based
    Token token = module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT)[hsmSlotId - 1].getToken();
    // Read/write session, so that token (persistent) objects may be created
    session = token.openSession(Token.SessionType.SERIAL_SESSION, Token.SessionReadWriteBehavior.RW_SESSION, null,
                null);
    session.login(Session.UserType.USER, hsmPassword.toCharArray());
}

My function to generate the key is the following:

private static AESSecretKey generateAESKey(byte[] keyValue, String label, int keyLength, boolean token) throws TokenException {
    Mechanism keyGenerationMechanism = Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN);

    // Template for the key object the HSM should create
    AESSecretKey secretKeyTemplate = new AESSecretKey();
    secretKeyTemplate.getValueLen().setLongValue(Long.valueOf(keyLength)); // CKA_VALUE_LEN in bytes
    secretKeyTemplate.getLabel().setCharArrayValue(label.toCharArray());
    secretKeyTemplate.getToken().setBooleanValue(token);                   // CKA_TOKEN: persistent if true
    secretKeyTemplate.getSensitive().setBooleanValue(Boolean.FALSE);
    secretKeyTemplate.getExtractable().setBooleanValue(Boolean.TRUE);
    secretKeyTemplate.getDerive().setBooleanValue(Boolean.TRUE);
    secretKeyTemplate.getModifiable().setBooleanValue(Boolean.TRUE);
    secretKeyTemplate.getEncrypt().setBooleanValue(Boolean.TRUE);
    secretKeyTemplate.getDecrypt().setBooleanValue(Boolean.TRUE);
    secretKeyTemplate.getUnwrap().setBooleanValue(Boolean.TRUE);
    secretKeyTemplate.getWrap().setBooleanValue(Boolean.TRUE);
    secretKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);
    secretKeyTemplate.getVerify().setBooleanValue(Boolean.TRUE);

    secretKeyTemplate.getValue().setByteArrayValue(keyValue);               // CKA_VALUE

    return (AESSecretKey) session.generateKey(keyGenerationMechanism, secretKeyTemplate);
}

Any solutions please?


1 answer:


It does not make sense to use:

secretKeyTemplate.getValue().setByteArrayValue(keyValue)

to set the key value (CKA_VALUE in PKCS#11) while generating a new key -- the HSM will generate the key value for you. Remove this line.

Note: If you want to create a key with a given value, try C_CreateObject (Session.createObject in the IAIK wrapper) instead -- but not all HSMs support this. If you fail to create a key with a known value using this method, you will have to use C_UnwrapKey to import an encrypted key value, which usually works.

Good luck with your project!
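An added example (not code from the question, the answer, or the IAIK project) that puts the answer's three options side by side in Java: C_GenerateKey with CKA_VALUE_LEN and no CKA_VALUE, C_CreateObject with CKA_VALUE, and a C_WrapKey / C_UnwrapKey transfer under a key-encryption key. The class and method names, the labels, the all-zero IV and the choice of CKM_AES_CBC_PAD as wrapping mechanism are assumptions; the library name, slot index and PIN are placeholders, and which of the three paths a given HSM accepts is vendor-dependent.

```java
import java.io.IOException;

import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.AESSecretKey;
import iaik.pkcs.pkcs11.objects.Key;
import iaik.pkcs.pkcs11.parameters.InitializationVectorParameters;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;

/**
 * Added example, not code from the question or the answer. Assumptions: the HSM supports
 * CKM_AES_KEY_GEN, C_CreateObject for secret keys and CKM_AES_CBC_PAD as a wrap mechanism
 * (all vendor-dependent); library name, slot and PIN are placeholders.
 */
public class AesKeyExamples {

    /** Attributes shared by generated and imported persistent keys. No CKA_VALUE here. */
    private static AESSecretKey baseTemplate(String label, boolean persistent, boolean exportable) {
        AESSecretKey t = new AESSecretKey();
        t.getLabel().setCharArrayValue(label.toCharArray());
        t.getToken().setBooleanValue(persistent);            // CKA_TOKEN: survives the session
        // CKA_SENSITIVE=true plus CKA_EXTRACTABLE=false means the raw key can never be read
        // out of the HSM; only keys that must be wrapped out for transfer get EXTRACTABLE=true.
        t.getSensitive().setBooleanValue(Boolean.TRUE);
        t.getExtractable().setBooleanValue(exportable);
        t.getEncrypt().setBooleanValue(Boolean.TRUE);
        t.getDecrypt().setBooleanValue(Boolean.TRUE);
        t.getWrap().setBooleanValue(Boolean.TRUE);
        t.getUnwrap().setBooleanValue(Boolean.TRUE);
        return t;
    }

    /** 1. C_GenerateKey: the HSM picks the bytes. Only CKA_VALUE_LEN is given, never CKA_VALUE. */
    public static AESSecretKey generateAesKey(Session session, String label, int keyLengthBytes,
            boolean exportable) throws TokenException {
        AESSecretKey t = baseTemplate(label, true, exportable);
        t.getValueLen().setLongValue(Long.valueOf(keyLengthBytes));   // 16, 24 or 32
        return (AESSecretKey) session.generateKey(Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN), t);
    }

    /** 2. C_CreateObject: import known bytes in the clear. CKA_VALUE is given, CKA_VALUE_LEN is not. */
    public static AESSecretKey importAesKeyClear(Session session, String label, byte[] keyBytes)
            throws TokenException {
        AESSecretKey t = baseTemplate(label, true, false);
        t.getValue().setByteArrayValue(keyBytes);                     // CKA_VALUE
        return (AESSecretKey) session.createObject(t);
    }

    /** Wrap mechanism for 3a/3b; assumed here, a given HSM may require CKM_AES_KEY_WRAP or a vendor one. */
    private static Mechanism cbcPadWrap(byte[] iv) {
        Mechanism m = Mechanism.get(PKCS11Constants.CKM_AES_CBC_PAD);
        m.setParameters(new InitializationVectorParameters(iv));
        return m;
    }

    /** 3a. C_WrapKey: export an extractable key encrypted under a key-encryption key (KEK). */
    public static byte[] wrapKey(Session session, AESSecretKey kek, byte[] iv, Key toWrap)
            throws TokenException {
        return session.wrapKey(cbcPadWrap(iv), kek, toWrap);
    }

    /** 3b. C_UnwrapKey: import the encrypted bytes; the clear key never crosses the host boundary. */
    public static AESSecretKey unwrapKey(Session session, String label, AESSecretKey kek, byte[] iv,
            byte[] wrapped) throws TokenException {
        return (AESSecretKey) session.unwrapKey(cbcPadWrap(iv), kek, wrapped, baseTemplate(label, true, false));
    }

    public static void main(String[] args) throws IOException, TokenException {
        // Placeholders: replace with your library, slot and user PIN.
        Module module = Module.getInstance("nethsm.dll");
        module.initialize(null);
        Token token = module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT)[0].getToken();
        Session session = token.openSession(Token.SessionType.SERIAL_SESSION,
                Token.SessionReadWriteBehavior.RW_SESSION, null, null);
        session.login(Session.UserType.USER, "<USER-PIN>".toCharArray());
        try {
            AESSecretKey kek = generateAesKey(session, "example-kek", 32, false);
            AESSecretKey data = generateAesKey(session, "example-data-key", 16, true);
            byte[] iv = new byte[16];                                   // constructed all-zero IV for the demo
            byte[] wrapped = wrapKey(session, kek, iv, data);
            AESSecretKey copy = unwrapKey(session, "example-data-key-copy", kek, iv, wrapped);
            System.out.println("unwrapped copy label: " + new String(copy.getLabel().getCharArrayValue()));
            // Constructed 16-byte value; works only where the HSM allows C_CreateObject for secret keys.
            AESSecretKey imported = importAesKeyClear(session, "example-imported", new byte[16]);
            System.out.println("imported label: " + new String(imported.getLabel().getCharArrayValue()));
        } finally {
            session.logout();
            session.closeSession();
            module.finalize(null);
        }
    }
}
```

The split between CKA_VALUE_LEN (generation) and CKA_VALUE (import) is the whole point: a template that carries CKA_VALUE into C_GenerateKey is asking the token to accept a value for an attribute it owns, which is what CKR_ATTRIBUTE_READ_ONLY reports. Separately, the template in the question sets CKA_SENSITIVE=false together with CKA_EXTRACTABLE=true, which lets the key bytes be read back off the token with C_GetAttributeValue; for a persistent key the example keeps SENSITIVE/non-EXTRACTABLE and marks only the key that must be wrapped out as extractable.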