
I want to convert an iaik.pkcs.pkcs11.objects.GenericSecretKey (AES) to a java.security Key.

Cool. Can you provide examples of what you have done so far? Please refer to [How to ask a good question](https://stackoverflow.com/help/how-to-ask) and [create a Minimal, Complete, Verifiable example](https://stackoverflow.com/help/mcve). – GMc May 17 '19 at 07:51


This is probably not possible, but let's explore some possibilities nonetheless.

Note that it depends on the token type and the software / provider whether these possibilities are supported at all, but you can certainly try.


Directly using the reference is probably not possible, as you must be able to use the HSM operations. So even though you can possibly embed the key in a SecretKey object, you'd still not be able to use it. You would need a provider specific API to pull that off. Hey, maybe it exists.


PKCS#11 objects, including keys, are generally stored on an HSM or other security token. Secret keys can generally not be extracted easily.

You can also sometimes make the keys extractable by setting the attribute CKA_EXTRACTABLE to true (and CKA_SENSITIVE to false) during generation. This will of course also have a negative influence on the security of the key. If you can get this to work (depending on the PKCS#11 token implementation) then you should be able to copy the key value to memory.

You may also be able to wrap the key with a wrapping key known by you and the HSM, and extract the keys that way.

It should be easy to simply call a SecretKeySpec constructor with the value, once you've been able to obtain it, to convert it to a SecretKey.


Generally it is easier to generate the keys locally (using the random number generator of the HSM / token, where required and available). Then you can import them and set CKA_SENSITIVE to true afterwards. Of course, CKA_ALWAYS_SENSITIVE will stay set to false (and CKA_NEVER_EXTRACTABLE will stay set to false) if you do so.


By far the easiest and most secure way to do this is to generate the key using a provider supplied KeyGenerator, forgoing the GenericSecretKey method in the question, where available. However, this side-steps the question.

Maarten Bodewes
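The three routes the answer describes (copy the raw value if the key is extractable, wrap it under a key the host also knows, or simply generate through a provider-supplied KeyGenerator), written out as an added example that is not part of the question or the answer. It uses the standard SunPKCS11 provider rather than the IAIK wrapper, so the same ideas apply but none of the calls are IAIK API. Assumptions: Java 9 or later, a SunPKCS11 configuration file at the hypothetical path `/etc/pkcs11/hsm.cfg` naming the token's library and slot, and a token that maps the provider's `AESWrap` cipher onto its key-wrap mechanism; the class and method names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.Provider;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example against SunPKCS11; assumes Java 9+ and the hypothetical config path below.
public class HsmAesKeyRoutes {

    static final String PKCS11_CONFIG = "/etc/pkcs11/hsm.cfg"; // hypothetical path

    static Provider loadHsmProvider() {
        Provider hsm = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(hsm);
        return hsm;
    }

    // Easiest route: generate inside the token. The returned SecretKey is a handle,
    // already a java.security.Key, and is used through the provider.
    static SecretKey generateInToken(Provider hsm) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES", hsm);
        kg.init(256);
        return kg.generateKey();
    }

    // Using the handle: the key material never leaves the HSM.
    static byte[] encryptWithToken(Provider hsm, SecretKey hsmKey, byte[] plaintext)
            throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding", hsm);
        gcm.init(Cipher.ENCRYPT_MODE, hsmKey, new GCMParameterSpec(128, iv));
        return gcm.doFinal(plaintext);
    }

    // Copy route: only works if the key was created with CKA_EXTRACTABLE=true and
    // CKA_SENSITIVE=false. For a sensitive or non-extractable key getEncoded() returns
    // null, so there is no value to hand to SecretKeySpec.
    static SecretKey copyIfExtractable(SecretKey hsmKey) {
        byte[] raw = hsmKey.getEncoded();
        if (raw == null) {
            return null; // value not available to the host
        }
        return new SecretKeySpec(raw, "AES");
    }

    // Wrap route: wrap the token key under a key-encryption key (KEK) the host also
    // knows, then unwrap in software. The token must still allow the target key to be
    // wrapped (CKA_EXTRACTABLE=true); the provider importing the software KEK as a
    // session object and supporting "AESWrap" is an assumption about the token.
    static SecretKey wrapAndUnwrap(Provider hsm, SecretKey hsmKey, SecretKeySpec kek)
            throws GeneralSecurityException {
        Cipher wrap = Cipher.getInstance("AESWrap", hsm);
        wrap.init(Cipher.WRAP_MODE, kek);
        byte[] wrapped = wrap.wrap(hsmKey);

        // Default (software) provider: the unwrapped result is an ordinary key value.
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, kek);
        Key plain = unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        return new SecretKeySpec(plain.getEncoded(), "AES");
    }

    public static void main(String[] args) throws Exception {
        Provider hsm = loadHsmProvider();
        SecretKey hsmKey = generateInToken(hsm);
        byte[] ct = encryptWithToken(hsm, hsmKey,
                "constructed sample plaintext".getBytes(StandardCharsets.UTF_8));
        System.out.println("ciphertext bytes: " + ct.length);

        SecretKey copy = copyIfExtractable(hsmKey);
        System.out.println("extractable copy available: " + (copy != null));

        // Constructed KEK for the example; a real deployment provisions it through the token.
        byte[] kekBytes = new byte[32];
        new SecureRandom().nextBytes(kekBytes);
        SecretKeySpec kek = new SecretKeySpec(kekBytes, "AES");
        try {
            SecretKey unwrapped = wrapAndUnwrap(hsm, hsmKey, kek);
            System.out.println("unwrapped key algorithm: " + unwrapped.getAlgorithm());
        } catch (GeneralSecurityException | ProviderException e) {
            // Non-extractable key or a token without the wrap mechanism ends up here.
            System.out.println("wrap route not available: " + e);
        }
    }
}
```

The `copyIfExtractable` null check is the practical test for the first route: a token that honours CKA_SENSITIVE gives the host no encoding at all, and the wrap route fails in the same way when CKA_EXTRACTABLE is false, which is why the answer recommends generating through the provider and leaving the key inside the token.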