[Nitrokey HSM2] Get Nitrokey HSM working with Java and AES


I’m trying to use the NitroKey HSM2 with my Java App, my App needs to encrypt and decrypt data with AES through the HSM.

I tried several things :

  • Using the Sun PKCS11 Provider with opensc so file : connect well with my app but I can’t use this shared library as it doesn’t support AES.

  • I successfully built AES branch sc-hsm-embedded : I can use it with pkcs11-tool, I can list object, list mechanism … But when I run my Java App I get this error

    java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:115) ~[?:?]
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355) ~[?:?]
    at sun.security.pkcs11.P11KeyStore.loadCert(P11KeyStore.java:1193) ~[jdk.crypto.cryptoki:?]
    at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2361) ~[jdk.crypto.cryptoki:?]
    at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:769) ~[jdk.crypto.cryptoki:?]
    at java.security.KeyStore.load(KeyStore.java:1479) ~[?:?]
    at com.whiteseal.interfaceHSM.controller.P11.init(P11.java:60) ~[classes/:?]
    at com.whiteseal.interfaceHSM.controller.Crypto.run(Crypto.java:58) [classes/:?]
    at com.whiteseal.interfaceHSM.InterfaceHsmApplication.main(InterfaceHsmApplication.java:20) [classes/:?]
    Caused by: java.io.IOException: Empty input
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:111) ~[?:?]
    … 8 more

There is something strange with this library because when I run pkcs11-tool --module /usr/local/lib/libsc-hsm-pkcs11.so -O here is what it tells me :

pkcs11-tool --module /usr/local/lib/libsc-hsm-pkcs11.so -O
    Using slot 0 with a present token (0x1)
    Certificate Object; type = unknown cert type
      label:      C.DevAut
    warning: PKCS11 function C_GetAttributeValue(SUBJECT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

    Certificate Object; type = unknown cert type
      label:      C.DICA
    warning: PKCS11 function C_GetAttributeValue(SUBJECT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

But when I run pkcs11-tool -O (with the default OpenSC So) :
Using slot 0 with a present token (0x0)
There is no error

Please note that the HSM is freshly initialized and supposed to be empty.

  • I tried to use sc-hsm-jceprovider.

I successfully downloaded signed jarn sources and examples from CDN repo.
But I still don’t know how to use this library with AES (encrypt, decrypt, and generate symmetric key on the HSM). The only thing that I succeed with this piece of software is to login to the HSM.

Can someone help me to get one of theses method working to perform AES operations with Java and the Nitrokey HSM2 ?


I do not know the answer at the moment, but let me list similar threads in a hope they could be useful for you:

I see you have already visited the CDN.

Hi @szszszsz ,

Thanks for your answer but I’ve already read all this topics multiple times before opening this topic.

@sc-hsm Maybe you can help me with this issue, especially method with sc-hsm-jceprovider ? :slight_smile:

1 Like

I think this is hard to answer such a question without seeing your code. Maybe you can provide a minimal example that demostrates the problem (if you use Jython, example will be shorter…)