I am making use of SoftHSM to generate isometric keys in Java. Currently, I need to wrap private keys using the wrapKey function provided in IAIK PKCS11 library (JAVA) and I'm having a problem with the key wrapping operation in cipher.getInstance(). The application throws CKR_MECHANISM_INVALID and all existing information on the net doesn't seem to give a suitable answer on how to fix this.
Currently, it seems that this is a problem to do with the mechanism of IAIK as it is currently making use of CKM_AES_CBC_PAD algorithm for key wrapping.
It is unclear how to switch between CKM_AES_CBC_PAD and the ones suggested in the github issue created for the problem on SoftHSM's github page see: https://github.com/opendnssec/SoftHSMv2/issues/229 and https://github.com/opendnssec/SoftHSMv2/issues/405.
Two things that are clear is that this is a known issue and the authors suggest to use CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD, CKM_RSA_PKCS, or CKM_RSA_PKCS_OAEP. however, I am unable to find samples using the suggested options and after hours of digging through the libraries, I think its easier to just ask here.
Initial Question: I would like to switch mechanism from CKM_AES_CBC_PAD to CKM_AES_KEY_WRAP during keywrap
Update: After further debugging, it seems the issue may be even more complex than switching between mechanism. Due to this, i would prefer to know instead:
New Question: What is the best way to implement key wrapping using the above listed technologies in JAVA
We found that it does not work with Cipher interface because IAIK by default tries to use method that is not supported by soft hsm. We had to use low level IAIK methods to wrap and unwrap. In low level method you can change mechanism like this:
mechanism = CKM_AES_KEY_WRAP_PAD;
session.wrapKey(mechanism, secretKetObject, privateKeyObject);