Question

I'm trying to encrypt using the DES key loaded from the KeyStore and I get:

    Exception in thread "main" java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11SecretKey
        at javax.crypto.Cipher.chooseProvider(Cipher.java:878)
        at javax.crypto.Cipher.init(Cipher.java:1213)
        at javax.crypto.Cipher.init(Cipher.java:1153)

and this is my code:

    import java.io.IOException;
    import java.security.*;
    import java.security.cert.CertificateException;
    import javax.crypto.*;

    public class DesSaveLoad {

        public static void main(String[] args) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, IllegalBlockSizeException, InvalidKeyException, BadPaddingException, NoSuchPaddingException, IOException, CertificateException {
            // Java 8 and earlier: build the PKCS#11 provider from pkcs11.cfg on the classpath
            Provider provider = new sun.security.pkcs11.SunPKCS11(DesSaveLoad.class.getClassLoader().getResourceAsStream("pkcs11.cfg"));
            Security.removeProvider(provider.getName());
            Security.insertProviderAt(provider, 1);
            KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
            keyStore.load(null, null);
            // Generate a software DES key and store it on the token under alias "t1"
            SecretKey desKey = desGenerateKey();
            keyStore.setKeyEntry("t1", desKey, null, null);
            // Read the key back: this is now a token-resident P11SecretKey
            SecretKey t1 = (SecretKey) keyStore.getKey("t1", null);
            byte[] messageBytes = "message".getBytes();
            desEncrypt(messageBytes, 0, messageBytes.length, desKey);
            desEncrypt(messageBytes, 0, messageBytes.length, t1);  // Exception is thrown here
        }

        public static SecretKey desGenerateKey() throws NoSuchAlgorithmException {
            KeyGenerator keygenerator = KeyGenerator.getInstance("DES");
            return keygenerator.generateKey();
        }

        public static byte[] desEncrypt(byte[] plainText, int offset, int size, SecretKey key) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
            // Pad only when the input is not a multiple of the 8-byte DES block size
            Cipher cipher;
            if (size % 8 != 0) {
                cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
            } else {
                cipher = Cipher.getInstance("DES/ECB/NoPadding");
            }
            // The provider is selected here, based on the key that is passed in
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher.doFinal(plainText, offset, size);
        }
    }

As you can see, no exception is thrown when encrypting with the generated DES key.


Solution

If you perform encryption using an HSM then the encryption procedure is performed within the HSM, not in the software. Cipher does not implement the encryption procedure itself. The underlying CipherSpi of the PKCS#11 provider for Cipher is chosen using delayed provider selection depending on the key given during the call to init(). So although the desEncrypt() function seems to perform the same operations, in reality the functionality depends on the provider, and in your case, on the PKCS#11 wrapper, library and of course HSM.

Now PKCS#11 is an interface specification; not all mechanisms in PKCS#11 will be implemented in every token. It is likely that some encryption algorithms are too obscure or too unsafe. The latter is probably the case for DES ECB as that algorithm is extremely insecure. That does not mean that DES keys cannot be used in general - they could still play a role in e.g. MAC calculations. So please check the documentation of your HSM if DES ECB is supported (in the current setting).

You can get more information about the PKCS#11 method calls by adding -Djava.security.debug=sunpkcs11 to your call to the Java interpreter (java or javaw). If DES does not work, try the much safer and more common "AES/CBC/PKCS5Padding" or triple DES mechanism.
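
The delayed provider selection described above can be observed without a token. This is an added example, not code from the question or the answer: the class name WhoSupportsThisKey and the OpaqueKey stand-in (a constructed key with no exportable encoding, mimicking a token-resident key) are hypothetical, and report() is a simplified view of the lookup that Cipher.init() performs (it checks the algorithm and the key, not the mode and padding attributes).

```java
import java.security.*;
import javax.crypto.*;

public class WhoSupportsThisKey {
    /** Constructed stand-in for a non-extractable token key: no format, no encoding. */
    static final class OpaqueKey implements SecretKey {
        private final String alg;
        OpaqueKey(String alg) { this.alg = alg; }
        public String getAlgorithm() { return alg; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
    }

    /** Lists each installed provider offering the cipher and whether it accepts the key. */
    static int report(String transformation, Key key) {
        String base = transformation.split("/")[0];
        int usable = 0;
        for (Provider p : Security.getProviders()) {
            // Some providers register the full transformation, others only the base algorithm.
            Provider.Service s = p.getService("Cipher", transformation);
            if (s == null) s = p.getService("Cipher", base);
            if (s == null) continue;
            boolean ok = s.supportsParameter(key); // same check Cipher.init() uses to skip providers
            if (ok) usable++;
            System.out.printf("  %-12s %-24s key accepted: %b%n", p.getName(), s.getAlgorithm(), ok);
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String t = "DES/ECB/PKCS5Padding";
        SecretKey soft = KeyGenerator.getInstance("DES").generateKey();
        SecretKey opaque = new OpaqueKey("DES"); // constructed sample key, not a real token key
        for (SecretKey k : new SecretKey[] { soft, opaque }) {
            System.out.println(k.getClass().getName() + ":");
            System.out.println("  providers accepting key: " + report(t, k));
            try {
                Cipher c = Cipher.getInstance(t);   // no provider fixed yet
                c.init(Cipher.ENCRYPT_MODE, k);     // provider is chosen here, by key
                System.out.println("  init OK, provider: " + c.getProvider().getName());
            } catch (InvalidKeyException e) {
                System.out.println("  " + e.getMessage());
            }
        }
    }
}
```

Run with the PKCS#11 provider installed and the key loaded from the token, the same report shows whether that provider registers a DES cipher at all.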

OTHER TIPS

See if this post helps

Either the key is incorrect (more likely) or the given key is not supported by the provider.

KeyStore.getInstance("PKCS11", provider);

PS: Are you using a custom provider?

Licensed under: CC-BY-SA with attribution