
I have set the private key in an HSM keystore, and using ECDH key agreement I am trying to get the secret key out from the JBOSS application server. The code below works when I run it as a standalone application, but the same code doesn't work in JBOSS EAP 7.1.

Here is the code:

        import java.io.ByteArrayInputStream;
        import java.security.KeyFactory;
        import java.security.KeyStore;
        import java.security.PrivateKey;
        import java.security.spec.X509EncodedKeySpec;
        import javax.crypto.KeyAgreement;
        import org.apache.commons.codec.binary.Base64;   // decodeBase64() is commons-codec
        import com.safenetinc.luna.LunaSlotManager;

        // Log in to slot 0 and open the Luna keystore for that slot
        LunaSlotManager manager = LunaSlotManager.getInstance();
        manager.login(0, "pass");
        KeyStore lunaStore = KeyStore.getInstance("Luna", "LunaProvider");
        ByteArrayInputStream is1 = new ByteArrayInputStream(("slot:" + 0).getBytes());
        lunaStore.load(is1, "crypto1".toCharArray());
        manager.setSecretKeysExtractable(true);
        // ECDH with the HSM-resident private key as our side of the agreement
        KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH", lunaStore.getProvider());
        keyAgreement.init((PrivateKey) lunaStore.getKey("TestPrivateKey", "crypto1".toCharArray()));

        // Peer public key, Base64-encoded X.509 SubjectPublicKeyInfo (P-256)
        String publicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXjx+yO+dCt5HGPlFncNSt3oTM0cBLbgqedBW/3HVraL8qiHmMB2PVDzyLiBHOYYuZNe07vZLpdBcT9RB+dzmiA==";
        X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(Base64.decodeBase64(publicKey));
        KeyFactory factory = KeyFactory.getInstance("EC");
        keyAgreement.doPhase(factory.generatePublic(publicKeySpec), true);
        byte[] secretKey = keyAgreement.generateSecret(); // this is the call that fails under JBOSS

The error occurs when the line keyAgreement.generateSecret() executes from JBOSS, but it works from the standalone application.

Here is the error I am getting while retrieving the secret key out from the HSM:

    com.safenetinc.luna.exception.LunaException: Unable to derive secret key
    [2019-01-16 05:21:16 21916@USSY-6XLJ9N2-D default task-2 stdout write INFO] at com.safenetinc.luna.provider.keyagree.LunaKeyAgreementEcDh.engineGenerateSecretWantBytes(LunaKeyAgreementEcDh.java:355)
    [2019-01-16 05:21:16 21916@USSY-6XLJ9N2-D default task-2 stdout write INFO] at com.safenetinc.luna.provider.keyagree.LunaKeyAgreementEcDh.engineGenerateSecret(LunaKeyAgreementEcDh.java:393)
    [2019-01-16 05:21:16 21916@USSY-6XLJ9N2-D default task-2 stdout write INFO] at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:586)
    [2019-01-16 05:21:16 21916@USSY-6XLJ9N2-D default task-2 stdout write INFO] at com.sjm.patientPortal.services.ngq.tool.HSMClinetServiceTool.validateHSM(HSMClinetServiceTool.java:103)
    [2019-01-16 05:21:16 21916@USSY-6XLJ9N2-D default task-2 stdout write INFO] at com.sjm.patientPortal.services.ngq.tool.HSMClinetServiceTool$$FastClassBySpringCGLIB$$1b5687a0.invoke()
    Caused by: com.safenetinc.luna.exception.LunaCryptokiException: function 'CA_DeriveKeyAndWrap' returns 0x6a on key=2305
    [2019-01-16 05:21:16 21916@USSY-6XLJ9N2-D default task-2 stdout write INFO] at com.safenetinc.luna.exception.LunaCryptokiException.ThrowNew(LunaCryptokiException.java:91)
    [2019-01-16 05:21:16 21916@USSY-6XLJ9N2-D default task-2 stdout write INFO] at com.safenetinc.luna.LunaAPI.DeriveKeyAndWrapEcDh(Native Method)
    [2019-01-16 05:21:16 21916@USSY-6XLJ9N2-D default task-2 stdout write INFO] at com.safenetinc.luna.provider.keyagree.LunaKeyAgreementEcDh.engineGenerateSecretWantBytes(LunaKeyAgreementEcDh.java:320)

I have tried all the options and need your help to fix this issue.

thanks

San
  • This issue was fixed by adding this setting on jre security policy file - com.safenetinc.luna.provider.createExtractableSecretKeys=true – San Jan 21 '19 at 23:10

1 Answer


Two ways to resolve this problem:

  1. Add com.safenetinc.luna.provider.createExtractableSecretKeys=true in java.security. This option will mark all newly generated secret keys as extractable.

  2. If you don't want all keys to have CKA_EXTRACTABLE set as true then you need to change your code like this...

         LunaSlotManager manager = LunaSlotManager.getInstance();
         manager.setSecretKeysExtractable(true);
         manager.login(0, "pass");

Sam Paul
  • Hey Sam, this fix was recommended from you, and the issue is resolved now with option -1 solution. thanks for your help. – San Apr 25 '19 at 16:39
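The following is an added example, not code from the question or from the answer above. It applies option 2 of the answer (setSecretKeysExtractable(true) before login rather than the process-wide java.security property, which marks every newly generated secret key extractable) and narrows it further by switching the flag back off once the shared secret has been derived. The 0x6a return code in the question's trace is the PKCS#11 error CKR_KEY_UNEXTRACTABLE, which is what the derived key reports when it was created without CKA_EXTRACTABLE. The slot number, both passwords and the key label are placeholders copied from the question; the call to manager.logout() and the assumption that the extractable flag is a slot-manager-wide setting are mine and are labelled as assumptions in the code.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.KeyAgreement;
import com.safenetinc.luna.LunaSlotManager;

/**
 * Added example, not code from the question or the answer: option 2 of the
 * answer with the extractable flag raised only around the derivation.
 * SLOT, the two passwords and the key label are placeholders.
 */
public class ScopedEcdhDerive {

    private static final int SLOT = 0;                                // placeholder slot number
    private static final String PARTITION_PASSWORD = "pass";          // placeholder
    private static final String KEYSTORE_PASSWORD = "crypto1";        // placeholder
    private static final String PRIVATE_KEY_LABEL = "TestPrivateKey"; // placeholder label

    /**
     * Derives the raw ECDH shared secret between the HSM-resident private key
     * and a peer public key given as DER-encoded X.509 SubjectPublicKeyInfo.
     */
    public static byte[] deriveSharedSecret(byte[] peerPublicKeyDer) throws Exception {
        // The peer key is ordinary software key material; only our private key lives in the HSM.
        PublicKey peer = KeyFactory.getInstance("EC")
                .generatePublic(new X509EncodedKeySpec(peerPublicKeyDer));
        // Expected secret length is the field size of the peer's curve (32 bytes for P-256).
        int fieldBytes = (((ECPublicKey) peer).getParams().getCurve().getField().getFieldSize() + 7) / 8;

        LunaSlotManager manager = LunaSlotManager.getInstance();
        // As in the answer: enable extractable secret keys BEFORE logging in,
        // instead of setting the process-wide java.security property.
        manager.setSecretKeysExtractable(true);
        manager.login(SLOT, PARTITION_PASSWORD);
        try {
            KeyStore lunaStore = KeyStore.getInstance("Luna", "LunaProvider");
            lunaStore.load(new ByteArrayInputStream(("slot:" + SLOT).getBytes()),
                           KEYSTORE_PASSWORD.toCharArray());

            PrivateKey hsmPrivateKey =
                    (PrivateKey) lunaStore.getKey(PRIVATE_KEY_LABEL, KEYSTORE_PASSWORD.toCharArray());
            if (hsmPrivateKey == null) {
                throw new IllegalStateException(
                        "no key labelled " + PRIVATE_KEY_LABEL + " in slot " + SLOT);
            }

            KeyAgreement ka = KeyAgreement.getInstance("ECDH", lunaStore.getProvider());
            ka.init(hsmPrivateKey);
            ka.doPhase(peer, true);
            // This is the call that fails with CA_DeriveKeyAndWrap -> 0x6a (CKR_KEY_UNEXTRACTABLE)
            // when the derived key was not marked extractable.
            byte[] secret = ka.generateSecret();

            if (secret.length != fieldBytes) {
                throw new IllegalStateException(
                        "unexpected secret length " + secret.length + ", expected " + fieldBytes);
            }
            return secret;
        } finally {
            // Assumption: the flag is a slot-manager-wide setting, so switch it back off
            // so that other secret keys created in the container stay non-extractable.
            manager.setSecretKeysExtractable(false);
            // Assumption: LunaSlotManager exposes logout() for the current session.
            manager.logout();
        }
    }

    /** Usage: java ScopedEcdhDerive <Base64 SubjectPublicKeyInfo of the peer> */
    public static void main(String[] args) throws Exception {
        byte[] peerDer = Base64.getDecoder().decode(args[0]);
        byte[] secret = deriveSharedSecret(peerDer);
        // Print only the length; a shared secret should not be written to the application log.
        System.out.println("derived " + secret.length + "-byte shared secret");
    }
}
```

Keeping the flag raised only inside the try/finally limits the window in which secret keys created through the same LunaSlotManager are extractable, which matters in an application server where the same JVM and HSM session are shared by every deployed component; the length check catches a curve mismatch between the HSM key and the peer key before the secret is used.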