Generate AES key through IAIK PKCS#11 wrapper and show its value

Question

I would like to use PKCS#11 compatible cryptographic USB token to generate AES key and show its value on screen.

For that purpose I want to use IAIK PKCS#11 wrapper.

I tried to generate the key by the example provided with IAIK package but with no success. The key is generated but I can't see any value of key. What should I do to see the key value in order to show it on screen?

Here is my code:

Module pkcs11Module = null;
pkcs11Module = Module.getInstance("pkcs11.dll");

Session session = null;
pkcs11Module.initialize(null);

Slot[] slots = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);

if (slots.length == 0) {
    output_.println("No slot with present token found!");
    throw new TokenException("No token found!");
}

Slot selectedSlot;
// slot 0
selectedSlot = slots[0];

Token token = selectedSlot.getToken();

session = token.openSession(Token.SessionType.SERIAL_SESSION, Token.SessionReadWriteBehavior.RW_SESSION, null, null);

session.login(Session.UserType.USER, "12345678".toCharArray());

Mechanism keyGenerationMechanism = Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN);

AESSecretKey aesKey = new AESSecretKey();
aesKey.getValueLen().setLongValue(new Long(32));

AESSecretKey aesKeyNew = (AESSecretKey) session.generateKey(keyGenerationMechanism, aesKey);
output_.println("the AES Key is: ");
output_.println(aesKeyNew.toString());

session.closeSession();
pkcs11Module.finalize(null);

The results is as follows:

the AES Key is: 
  Object Class: Secret Key
  Token: false
  Private: false
  Modifiable: true
  Label: <NULL_PTR>
  Key Type: AES
  ID: <NULL_PTR>
  Start Date: <NULL_PTR>
  End Date: <NULL_PTR>
  Derive: true
  Local: true
  Key Generation Mechanism: CKM_AES_KEY_GEN
  Allowed Mechanisms: <Attribute not present>
  Sensitive: false
  Encrypt: true
  Decrypt: true
  Sign: false
  Verify: false
  Wrap: true
  Unwrap: true
  Extractable: true
  Always Sensitive: false
  Never Extractable: true
  Check Value: <Attribute not present>
  Wrap With Trusted: <Attribute not present>
  Trusted: <Attribute not present>
  Wrap Template: <Attribute not present>
  Unwrap Template: <Attribute not present>
  Value (hex): <NULL_PTR>
  Value Length (dec): 0

There is Value (hex): that I want to see and show on screen. Is it about a specific configuration of cryptographic tokens? When I use different token then I see this value.

Answer 1

According to what you show us the PKCS#11 attribute CKA_SENSITIVE set to false indicates that you should be able to view the value. It is however likely that the token does not allow you to extract the value. Most of these kind of tokens do not fully implement PKCS#11 and only allow certain operations to take place. If this is true then it should not be possible to set CKA_SENSITIVE to false, but that's IT for you...

I would track down the manufacturer (or, if possible, the developer) of the token and ask for the specific functionality implemented by the token.