Hi,
I’m trying to use the NitroKey HSM2 with my Java app; my app needs to encrypt and decrypt data with AES through the HSM.
I tried several things:
- Using the Sun PKCS11 provider with the OpenSC .so file: it connects fine with my app, but I can’t use this shared library as it doesn’t support AES.
- I successfully built the AES branch of sc-hsm-embedded: I can use it with pkcs11-tool, list objects, list mechanisms… But when I run my Java app I get this error:
java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:115) ~[?:?]
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355) ~[?:?]
at sun.security.pkcs11.P11KeyStore.loadCert(P11KeyStore.java:1193) ~[jdk.crypto.cryptoki:?]
at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2361) ~[jdk.crypto.cryptoki:?]
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:769) ~[jdk.crypto.cryptoki:?]
at java.security.KeyStore.load(KeyStore.java:1479) ~[?:?]
at com.whiteseal.interfaceHSM.controller.P11.init(P11.java:60) ~[classes/:?]
at com.whiteseal.interfaceHSM.controller.Crypto.run(Crypto.java:58) [classes/:?]
at com.whiteseal.interfaceHSM.InterfaceHsmApplication.main(InterfaceHsmApplication.java:20) [classes/:?]
Caused by: java.io.IOException: Empty input
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:111) ~[?:?]
… 8 more
There is something strange with this library, because when I run this command:
pkcs11-tool --module /usr/local/lib/libsc-hsm-pkcs11.so -O
Using slot 0 with a present token (0x1)
Certificate Object; type = unknown cert type
label: C.DevAut
warning: PKCS11 function C_GetAttributeValue(SUBJECT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Certificate Object; type = unknown cert type
label: C.DICA
warning: PKCS11 function C_GetAttributeValue(SUBJECT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
But when I run pkcs11-tool -O (with the default OpenSC .so):
Using slot 0 with a present token (0x0)
there is no error.
Please note that the HSM is freshly initialized and supposed to be empty.
- I tried to use sc-hsm-jceprovider. I successfully downloaded the signed jars, sources and examples from the CDN repo.
But I still don’t know how to use this library with AES (encrypt, decrypt, and generate a symmetric key on the HSM). The only thing I have succeeded in doing with this piece of software is logging in to the HSM.
Can someone help me get one of these methods working to perform AES operations with Java and the Nitrokey HSM2?
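As an added example (not code from the post above, nor from OpenSC, sc-hsm-embedded or sc-hsm-jceprovider), here is a minimal Java program that performs AES through the standard SunPKCS11 provider against a PKCS#11 module. It assumes Java 9 or later (for Provider.configure), the module path /usr/local/lib/libsc-hsm-pkcs11.so, the first slot with a token (slotListIndex = 0; note that pkcs11-tool printed slot index 0 with slot id 0x1), a placeholder user PIN, and that the token advertises the CKM_AES_KEY_GEN and CKM_AES_CBC_PAD mechanisms. It logs in through AuthProvider.login instead of KeyStore.load, so the certificate-enumeration code path shown in the stack trace (P11KeyStore.engineLoad) is never executed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AuthProvider;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;

public class Pkcs11AesDemo {

    // Assumptions for this example: module path and user PIN. Never hard-code a PIN in production.
    private static final String MODULE = "/usr/local/lib/libsc-hsm-pkcs11.so";
    private static final char[] USER_PIN = "123456".toCharArray();

    /** Builds a SunPKCS11 config file on the fly and registers the provider. */
    static Provider loadProvider() throws IOException {
        // slotListIndex picks the first slot that has a token; pkcs11-tool showed
        // "slot 0 ... (0x1)", i.e. index 0 but slot id 0x1, so "slot = 0" would be wrong here.
        String cfg = String.join("\n",
                "name = NitrokeyHSM2",
                "library = " + MODULE,
                "slotListIndex = 0",
                "");
        Path cfgFile = Files.createTempFile("pkcs11", ".cfg");
        Files.write(cfgFile, cfg.getBytes(StandardCharsets.UTF_8));
        Provider p = Security.getProvider("SunPKCS11").configure(cfgFile.toString());
        Security.addProvider(p);
        return p;
    }

    /** Logs in with C_Login via AuthProvider, without touching the PKCS11 KeyStore. */
    static void login(Provider p) throws LoginException {
        ((AuthProvider) p).login(null, callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(USER_PIN);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Provider p = loadProvider();
        login(p);

        // The key is generated inside the token (C_GenerateKey, CKM_AES_KEY_GEN) as a
        // session object; Java only holds a handle, the raw key bytes never leave the HSM.
        KeyGenerator kg = KeyGenerator.getInstance("AES", p);
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample input and a fresh random IV per message.
        byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);

        // Encrypt and decrypt on the token (CKM_AES_CBC_PAD) using the same provider.
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding", p);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding", p);
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] roundTrip = dec.doFinal(ciphertext);

        System.out.println("round trip ok: " + Arrays.equals(plaintext, roundTrip));
        ((AuthProvider) p).logout();
    }
}
```

Two caveats: the key above is a session object and disappears at logout; SunPKCS11's attributes(generate, CKO_SECRET_KEY, CKK_AES) = { CKA_TOKEN = true } config directive is the usual way to make generated keys persistent, after which they can be addressed by label through the PKCS11 KeyStore. And CBC with PKCS#5 padding gives confidentiality only; ciphertexts that cross a trust boundary need a MAC, or AES/GCM if both the JDK version and the token mechanism list support it.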