Why does it show “do not have RSA/ECB/PKCS1Padding algorithm” when using the PKCS11 Provider with OpenSC?


I want to write a class that encrypts and decrypts using an HSM and the SunPKCS11 provider, so I chose OpenSC as my PKCS11 driver and used pkcs15-tool to initialize my HSM. I created an RSA key pair and certificate, then imported them into my HSM using OpenSC. The HSM I chose is the ePass2003. Then I got:

java.security.NoSuchAlgorithmException: No such algorithm: RSA/ECB/PKCS1Padding
    at java.base/javax.crypto.Cipher.getInstance(Cipher.java:723)
    at EncryptionModule.decryptUsingPrivateKey(EncryptionModule.java:69)
    at TestPkcs11.testEncryptAndDecrypt(TestPkcs11.java:26)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:305)
    at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:365)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
    at org.junit.runners.ParentRunner$4.run(ParentRunner.java:330)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:78)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:328)
    at org.junit.runners.ParentRunner.access$100(ParentRunner.java:65)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:292)
    at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:305)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:412)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
    at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
    at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
    at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
    at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:232)
    at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:55)

So I have some guesses:

  1. The SunPKCS11 provider doesn't support RSA/ECB/PKCS1Padding;
  2. The device I chose doesn't support this algorithm;
  3. The dll from OpenSC does not support this algorithm.

For my first guess, I looked up the Java 11 Security Developer's Guide. It says: "The SunPKCS11 provider itself does not contain cryptographic functionality, it is simply a conduit between the Java environment and the native PKCS11 providers." I tested it with SoftHSM2, which proved that the services of the SunPKCS11 provider depend on the dll it uses. Hence my first guess proved wrong.

For my second guess, I looked up the documentation of the ePass2003. It says the ePass2003 can encrypt and decrypt using RSA and supports PKCS11, so I guess my second guess is also wrong. But I couldn't prove it, because I have made the ePass2003 a PKCS15 device.

For my third guess, I tried to use SoftHSM and OpenSC to redo what I did to the ePass2003, but it didn't work because OpenSC could not recognize SoftHSM, so it couldn't use pkcs15-tool to initialize it (my guess).

So my question is: why does it show “do not have RSA/ECB/PKCS1Padding algorithm” when using the PKCS11 provider with OpenSC in this situation? Also, can OpenSC be used with an HSM?

I would appreciate any idea or solution to my question.

Here is my code:

import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
// Internal JDK classes used for the self-signed certificate. On Java 11 both javac and java
// need: --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.x509.*;

public class EncryptionModule {
    private static KeyStore keyStore;
    private static EncryptionModule encryptionModule;
    private Provider pkcs11Provider;

    private EncryptionModule() throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
        if (keyStore == null) {
            // Java 9+: configure the built-in SunPKCS11 provider from a config file
            pkcs11Provider = Security.getProvider("SunPKCS11");
            pkcs11Provider = pkcs11Provider.configure("pkcs11Config.txt");
            Security.addProvider(pkcs11Provider);
            // The PKCS11 keystore is backed by the token; the "password" is the user PIN
            keyStore = KeyStore.getInstance("PKCS11");
            keyStore.load(null, "12345678".toCharArray());
        }
    }

    public static EncryptionModule getEncryptionModule() throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
        if (encryptionModule == null) {
            encryptionModule = new EncryptionModule();
        }
        return encryptionModule;
    }

    public X509Certificate generateSelfSignedCertificate(KeyPair keyPair, String dn, long validity) throws GeneralSecurityException, IOException {
        Date from = new Date();
        Date to = new Date(from.getTime() + validity);
        BigInteger serialNumber = new BigInteger(64, new SecureRandom());
        X509CertInfo certInfo = new X509CertInfo();
        certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(from, to));
        certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber));
        certInfo.set(X509CertInfo.SUBJECT, new X500Name(dn));
        certInfo.set(X509CertInfo.ISSUER, new X500Name(dn));
        certInfo.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
        certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        AlgorithmId algo = AlgorithmId.get("SHA256withRSA");
        certInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
        X509CertImpl cert = new X509CertImpl(certInfo);
        cert.sign(keyPair.getPrivate(), "SHA256withRSA");
        return cert;
    }

    // Public-key encryption needs no token: with no provider argument this resolves to
    // the first provider offering the Cipher, i.e. SunJCE in software.
    public byte[] encryptUsingPublicKey(String id, byte[] data) throws KeyStoreException, NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        PublicKey publicKey = keyStore.getCertificate(id).getPublicKey();
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        return cipher.doFinal(data);
    }

    // Decryption must run on the token, so the Cipher is requested from the PKCS11 provider explicitly.
    public byte[] decryptUsingPrivateKey(String id, byte[] data) throws UnrecoverableEntryException, KeyStoreException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, SignatureException, NoSuchProviderException {
        // Debug output: which services the configured token actually exposes
        System.out.println(pkcs11Provider.getName());
        for (Provider.Service service : pkcs11Provider.getServices()) {
            System.out.println(service.getType() + ": " + service.getAlgorithm());
        }

        // The private key never leaves the token; this object is only a handle to it
        PrivateKey privateKey = (PrivateKey) keyStore.getKey(id, null);
        System.out.println(privateKey.getAlgorithm());
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", pkcs11Provider);
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        return cipher.doFinal(data);
    }

}

Here is my config file:

name = HSMProvider
library = opensc-pkcs11.dll
slotListIndex = 0

This is what I do to the ePass2003:

pkcs15-init -E -T
pkcs15-init --create-pkcs15 -T -p pkcs15+onepin --pin 12345678
pkcs15-init --generate-key rsa/2048 -l "test" --auth-id 1

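As an added example (not code from the question above), the following diagnostic class builds the same three-line SunPKCS11 configuration inline, lists what the provider actually registered for the configured slot, and checks for the Cipher service before anything calls Cipher.getInstance. SunPKCS11 only registers a service when the native module reports the mechanism it maps to in C_GetMechanismList (CKM_RSA_PKCS for RSA/ECB/PKCS1Padding; CKM_SHA256_RSA_PKCS or CKM_RSA_PKCS for SHA256withRSA) and that mechanism is not excluded with disabledMechanisms in the config, so a null result from getService is the same condition that produced the NoSuchAlgorithmException in the trace. The module path, provider name and slot index are assumptions; adjust them for your platform.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: show what a SunPKCS11 provider really exposes for a PKCS#11 module,
 * instead of discovering it through NoSuchAlgorithmException at decrypt time.
 * Assumes Java 11+ and an OpenSC module reachable at MODULE_PATH.
 */
public class Pkcs11Diagnose {

    // Assumption: OpenSC module path (opensc-pkcs11.dll on Windows,
    // opensc-pkcs11.so on Linux, opensc-pkcs11.dylib on macOS).
    static final String MODULE_PATH = "opensc-pkcs11.dll";

    /** Same config as the question's pkcs11Config.txt, passed inline: a leading "--"
     *  makes Provider.configure treat the string as config text rather than a file name. */
    static Provider configureProvider(String name, String library, int slotListIndex) {
        String config = "--name = " + name + "\n"
                      + "library = " + library + "\n"
                      + "slotListIndex = " + slotListIndex + "\n";
        return Security.getProvider("SunPKCS11").configure(config);
    }

    /** Algorithms the provider registered for one service type ("Cipher", "Signature", ...). */
    static List<String> algorithmsOfType(Provider provider, String type) {
        List<String> out = new ArrayList<>();
        for (Provider.Service s : provider.getServices()) {
            if (s.getType().equals(type)) {
                out.add(s.getAlgorithm());
            }
        }
        return out;
    }

    /** True only if SunPKCS11 registered the service for this token, which it does only
     *  when the module lists the backing mechanism and the config does not disable it. */
    static boolean offers(Provider provider, String type, String algorithm) {
        return provider.getService(type, algorithm) != null;
    }

    public static void main(String[] args) {
        Provider p = configureProvider("HSMProvider", MODULE_PATH, 0);
        Security.addProvider(p);

        System.out.println("Cipher services:    " + algorithmsOfType(p, "Cipher"));
        System.out.println("Signature services: " + algorithmsOfType(p, "Signature"));

        boolean canDecrypt = offers(p, "Cipher", "RSA/ECB/PKCS1Padding");  // needs CKM_RSA_PKCS
        boolean canSign    = offers(p, "Signature", "SHA256withRSA");      // CKM_SHA256_RSA_PKCS or CKM_RSA_PKCS

        if (!canDecrypt) {
            // This is exactly the state in which Cipher.getInstance("RSA/ECB/PKCS1Padding", p) throws.
            System.out.println("No Cipher RSA/ECB/PKCS1Padding from " + p.getName()
                + ": the module did not report CKM_RSA_PKCS for slot index 0."
                + " Cross-check with: pkcs11-tool --module " + MODULE_PATH + " -M");
        }
        if (canSign && !canDecrypt) {
            System.out.println("The module exposes RSA signing but no RSA decryption for this token.");
        }
    }
}
```

Run it with the token inserted and compare the Cipher list against `pkcs11-tool --module <path> -M`, which prints each mechanism the module reports together with its capability flags (decrypt, sign, and so on); if RSA-PKCS is missing or listed without decrypt, the Java exception is the expected outcome and no change on the Java side will fix it. Separately, if the token does offer decryption, RSA/ECB/PKCS1Padding means PKCS#1 v1.5 padding, which is vulnerable to padding-oracle attacks on the decrypting side; where the provider and token expose RSA-OAEP, prefer it for new designs.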