JDK-8255490 : HMAC not working with JCE PKCS11 wrapper
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 8
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2020-10-21
  • Updated: 2023-10-23
  • Resolved: 2023-10-23
Related Reports
Duplicate : JDK-8255407 Support key generation for HMAC mechanisms
Description
A DESCRIPTION OF THE PROBLEM :
It seems there is an incompatibility in JCE regarding the PKCS11 standard.
For key generation only AES, RSA, EC, ... are allowed. But for HMAC a key of type "CKK_SHA_1_HMAC" or "CKK_SHA256_HMAC", ... is required.

I tested it with both Utimaco HSM and SoftHSM.

A key with "CKK_GENERIC_SECRET" would be possible to use with HMAC.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :

    import java.security.Provider;
    import java.security.Security;
    import javax.crypto.Mac;
    import javax.crypto.SecretKey;

    // Provider.configure(String) is the JDK 9+ API for configuring SunPKCS11 from an inline string
    static Provider addUtimacoProvider() {
        Provider provider = Security.getProvider("SunPKCS11");
        provider = provider.configure("--name=Utimaco\nlibrary=C:/Utimaco/CryptoServer/Lib/cs_pkcs11_R2.dll");
        Security.addProvider(provider);
        return provider;
    }

    // aesKey is an AES SecretKey that lives on the token; the report does not show how it was generated
    static void hmacWithAesKey(Provider provider, SecretKey aesKey) throws Exception {
        byte[] data = "Hallo Welt!".getBytes();
        Mac hmacSun = Mac.getInstance("HmacSHA256", provider);   // algorithm name must be a String literal
        hmacSun.init(aesKey);
        byte[] hmac1Sun = hmacSun.doFinal(data);
        hmacSun.init(aesKey);
        hmacSun.update(data);
        byte[] hmac = hmacSun.doFinal();
    }

ACTUAL -
Mechanism CKM_SHA256_HMAC doesn’t fit key type

FREQUENCY : always
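
The report above feeds a token-resident AES key (CKA_KEY_TYPE = CKK_AES) into a CKM_SHA256_HMAC operation, and the engineering comment further down notes that SunPKCS11 only creates a native CKK_GENERIC_SECRET object when it is handed a software key object. The following class is an added example, not code from the report or from the JDK; it shows the three ways a key can reach SunPKCS11's Mac and what each one means for an HSM deployment. It assumes a SoftHSM2 library at the path in LIB_PATH (hypothetical, adjust to your install), a first token (slotListIndex=0) initialized with the user PIN 123456 that the report uses, and JDK 9 or later for Provider.configure. Whether case 1 succeeds or fails depends on how strictly the token checks key type against mechanism, so the code handles both outcomes; case 3 only works on a SunPKCS11 that includes the KeyGenerator support tracked in JDK-8255407 and is skipped otherwise.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Added example: key-type handling of SunPKCS11's HMAC on a PKCS#11 token. */
public class Pkcs11HmacKeyTypeDemo {

    // Assumption: SoftHSM2 location; change to match your installation.
    static final String LIB_PATH = "/usr/lib/softhsm/libsofthsm2.so";
    static final char[] USER_PIN = "123456".toCharArray();   // PIN used in the report
    static final byte[] DATA = "Hallo Welt!".getBytes(StandardCharsets.UTF_8);

    static Provider loadProvider() throws Exception {
        // slotListIndex is used instead of slot= because softhsm2-util reassigns slot ids on init.
        String config = "--name=SoftHSM\nlibrary=" + LIB_PATH + "\nslotListIndex=0";
        Provider p = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(p);
        // Log in through the PKCS11 KeyStore so that key generation on the token is permitted.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, USER_PIN);
        return p;
    }

    /** Case 1 (the report): a CKK_AES token key handed to CKM_SHA256_HMAC. */
    static void hmacWithTokenAesKey(Provider p) {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES", p);
            kg.init(256);
            SecretKey aesKey = kg.generateKey();       // P11Key on the token, key type CKK_AES
            Mac mac = Mac.getInstance("HmacSHA256", p);
            mac.init(aesKey);                          // same-token P11Key is passed through as-is
            System.out.println("Token accepted AES key for HMAC: " + hex(mac.doFinal(DATA)));
        } catch (GeneralSecurityException | ProviderException e) {
            // Strict tokens reject this at C_SignInit, e.g. "Mechanism CKM_SHA256_HMAC doesn't fit key type"
            System.out.println("Token rejected AES key for HMAC: " + e);
        }
    }

    /** Case 2: software key bytes, imported by SunPKCS11 as a CKK_GENERIC_SECRET session object. */
    static boolean hmacWithSoftwareKey(Provider p) throws GeneralSecurityException {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        SecretKey softKey = new SecretKeySpec(raw, "HmacSHA256");
        Mac p11 = Mac.getInstance("HmacSHA256", p);
        p11.init(softKey);
        byte[] fromToken = p11.doFinal(DATA);
        // Cross-check with the pure-Java provider; constant-time compare.
        Mac sw = Mac.getInstance("HmacSHA256", "SunJCE");
        sw.init(softKey);
        // Caveat: the raw key existed in JVM memory, so the HSM only did the arithmetic here.
        return MessageDigest.isEqual(fromToken, sw.doFinal(DATA));
    }

    /** Case 3: HMAC key generated on the token; requires SunPKCS11 with JDK-8255407. */
    static void hmacWithTokenHmacKey(Provider p) throws GeneralSecurityException {
        KeyGenerator kg;
        try {
            kg = KeyGenerator.getInstance("HmacSHA256", p);
        } catch (NoSuchAlgorithmException e) {
            System.out.println("This SunPKCS11 cannot generate HMAC keys (predates JDK-8255407)");
            return;
        }
        kg.init(256);
        SecretKey hmacKey = kg.generateKey();          // key type matches the HMAC mechanism
        Mac mac = Mac.getInstance("HmacSHA256", p);
        mac.init(hmacKey);
        System.out.println("Token-generated HMAC key: " + hex(mac.doFinal(DATA)));
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Provider p = loadProvider();
        hmacWithTokenAesKey(p);
        System.out.println("Software key result matches SunJCE: " + hmacWithSoftwareKey(p));
        hmacWithTokenHmacKey(p);
    }
}
```

Case 2 is the only path that works on every JDK, but it is not an HSM workaround in the security sense: the key material is generated and held in the Java heap and merely copied to the token for the computation. Only case 3 keeps the HMAC key inside the token, which is why the request was resolved as a duplicate of the key-generation enhancement rather than as a Mac bug.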



Comments
Closed as duplicate of JDK-8255407.
12-12-2020

At runtime, the SunPKCS11 provider would create a native CKK_GENERIC_SECRET key using the specified Java key object. The description does not state how aesKey is generated, nor whether this worked in past releases. Unless this worked in past releases, this is probably a dup of JDK-8255407 "Support key generation for HMAC mechanisms".
10-11-2020

Asked the submitter whether this worked in previous releases. Also recommended that the submitter check the Oracle JRE and JDK Cryptographic Roadmap, https://java.com/en/jre-jdk-cryptoroadmap.html.
30-10-2020

Requested the submitter to confirm the following result on Windows 10:

    Exception in thread "main" java.security.ProviderException: Initialization failed
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)
        at JCESunProviderDemo.addProvider(JCESunProviderDemo.java:20)
        at JCESunProviderDemo.main(JCESunProviderDemo.java:28)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
        at sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)
        at sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1587)
        at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:163)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:330)
        ... 3 more
27-10-2020

More information from the submitter about initializing Slot 0 with PIN "123456": You can use softhsm2 to initialize the token:

    softhsm2-util --init-token --slot 0 --label "Token-1"

(as described for Ubuntu: https://www.howtoforge.com/tutorial/how-to-install-and-use-softhsm-on-ubuntu-1604-lts/ ). You also need bouncycastle to run the script. You can run the code by:

    javac -d /home/fse/ -cp bcprov-ext-jdk15on-166.jar:bcprov-jdk15on-166.jar:bcpkix-jdk15on-166.jar JCEUtimacoSunProviderDemo.java key_*.java && java -cp /home/fse/:bcprov-ext-jdk15on-166.jar:bcprov-jdk15on-166.jar:bcpkix-jdk15on-166.jar JCEUtimacoSunProviderDemo
27-10-2020

More information from the submitter: In this case I used SoftHSM (https://www.opendnssec.org/download/). Install SoftHSM as required. Slot 0 needs to be initialized with PIN "123456". After that you can build JCESunProviderDemo.java (which uses the other classes). The code will create and delete the keys on its own.
23-10-2020

Requested the complete reproducer from the submitter.
22-10-2020