How to use PKCS#11 CKM_AES_KEY_WRAP mechanism in Java?

Question

I'm working with some PKCS#11 tokens that insist on using CKM_AES_KEY_WRAP for unwrapping AES-encrypted keys. On these tokens, CKM_AES_CBC and friends don't support unwrap.

At the other end of this system, I therefore need to wrap a key using a PKCS#11 token accessed via Java.

SunPKCS11 doesn't appear to support CKM_AES_KEY_WRAP. Neither does IAIK, as far as I can tell. Does anyone have any suggestions for achieving this in Java?

Answer 1

CKM_AES_KEY_WRAP is rather simple mechanism so you don't need your PKCS#11 wrapper library to provide nice constants or enum members to use it.

You should be fine as long as your PKCS#11 wrapper library allows you to specify wrapping mechanim as ulong and its parameters as byte[]. SunPKCS11 is quite limited so I would try with IAIK first.

Following code sample demonstrates the idea with Pkcs11Interop wrapper for .NET:

// Acquire handle to keys
ObjectHandle wrappingKey = new ObjectHandle();
ObjectHandle toBeWrappedKey = new ObjectHandle();

// Define mechanism yourself
ulong CKM_AES_KEY_WRAP = 0x00002109;
byte[] CKM_AES_KEY_WRAP_PARAM = new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
Mechanism mechanism = new Mechanism(CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PARAM);

// Perform wrapping
byte[] wrappedKey = session.WrapKey(mechanism, wrappingKey, toBeWrappedKey);