Tags: java, jboss, jce, hsm

decrypting p7m with CMS and Luna Hsm on Jboss


I'm decrypting a p7m file through the BouncyCastle API, backed by a Luna HSM. In a single instance all works like a charm. If I deploy the same code in a JBoss in domain mode or on two single nodes I get the following: "LunaException: Unable to inject key" and function 'C_UnwrapKey' returns 0x110 on key=xxxxxxx"

Note that the key handle doesn't exist on the HSM.

I've tried to use the LunaProvider.jar as a system global module in order to avoid classloader problems, and also tried without. The client is configured correctly. If I run the application with two Boot instances on the two physical nodes separately, all works. Running in standalone Tomcat also works.

    import java.io.InputStream;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.cms.CMSEnvelopedData;
    import org.bouncycastle.cms.CMSTypedStream;
    import org.bouncycastle.cms.RecipientInformation;
    import org.bouncycastle.cms.RecipientInformationStore;
    import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
    import org.bouncycastle.cms.jcajce.JceKeyTransRecipientId;

    // log and jcaProvider are fields of the surrounding class
    private InputStream decrypt(byte[] encEnvelopedData, String alias) throws Exception {
        CMSEnvelopedData envelopedData = new CMSEnvelopedData(encEnvelopedData);

        log.info("get recipient infos");
        RecipientInformationStore recipients = envelopedData.getRecipientInfos();
        log.info("get recipients size:{}", recipients == null ? "null" : recipients.size());
        // avoid assigning keys to java attributes since the operations are on the hsm
        X509Certificate cert = (X509Certificate) jcaProvider.getKeystore().getCertificate(alias);
        RecipientInformation recipient = recipients.get(new JceKeyTransRecipientId(cert));
        if (recipient != null) {
            JceKeyTransEnvelopedRecipient trans = new JceKeyTransEnvelopedRecipient(
                    (PrivateKey) jcaProvider.getKeystore().getKey(alias, jcaProvider.getPwd().toCharArray()));
            trans.setProvider("LunaProvider");

            CMSTypedStream cmsTs = recipient.getContentStream(trans);
            return cmsTs.getContentStream();
        }
        return null; // no recipient entry matches the certificate for this alias
    }


Solution

  • You need to have set the key as extractable in order for it to work. This is due to the fact that the translated key is temporarily stored on the HSM.

    To do so one can either:

    • add com.safenetinc.luna.provider.createExtractableKeys=true in java.security
    • use the LunaSlotManager class to set the keys as extractable

    Sample of code for the slot manager class:

    import com.safenetinc.luna.LunaSlotManager;

    LunaSlotManager slotManager = LunaSlotManager.getInstance();
    slotManager.login(user, pwd);
    slotManager.setSecretKeysExtractable(true);
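Putting the question's decrypt routine and the answer's slot-manager call together, as an added example that is not code from the question, the answer or the Luna SDK: the extractable flag is enabled only around the unwrap, and the provider's visibility from the current classloader is checked up front, which is the first thing to verify when the same code works standalone but not in domain mode. It assumes a Luna KeyStore already loaded (and logged in) by the caller, the partition password as key password, and that the LunaSlotManager flag is JVM-wide.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import com.safenetinc.luna.LunaSlotManager;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientId;

public class HsmCmsDecryptor {
    private static final String PROVIDER_NAME = "LunaProvider";
    private final KeyStore keystore;  // assumed: "Luna" KeyStore already loaded (logged in) by the caller
    private final char[] keyPassword; // assumed: partition password passed to KeyStore.getKey()

    public HsmCmsDecryptor(KeyStore keystore, char[] keyPassword) {
        this.keystore = keystore;
        this.keyPassword = keyPassword;
    }

    // Fail fast when the provider is not registered in this JVM/classloader, instead of
    // failing later inside C_UnwrapKey with a key handle that cannot be found on the HSM.
    static void requireLunaProvider() {
        if (Security.getProvider(PROVIDER_NAME) == null) {
            throw new IllegalStateException(PROVIDER_NAME + " is not registered in this JVM");
        }
    }

    public InputStream decrypt(byte[] p7m, String alias) throws Exception {
        requireLunaProvider();
        CMSEnvelopedData envelopedData = new CMSEnvelopedData(p7m);
        X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
        RecipientInformation recipient =
                envelopedData.getRecipientInfos().get(new JceKeyTransRecipientId(cert));
        if (recipient == null) {
            throw new CMSException("no KeyTransRecipientInfo matches alias " + alias);
        }
        PrivateKey unwrapKey = (PrivateKey) keystore.getKey(alias, keyPassword);
        JceKeyTransEnvelopedRecipient trans =
                new JceKeyTransEnvelopedRecipient(unwrapKey).setProvider(PROVIDER_NAME);
        LunaSlotManager slots = LunaSlotManager.getInstance();
        slots.setSecretKeysExtractable(true); // the unwrapped content key is created on the HSM
        try {
            return recipient.getContentStream(trans).getContentStream(); // unwrap happens here
        } finally {
            slots.setSecretKeysExtractable(false); // assumption: flag is JVM-wide, so re-narrow it
        }
    }
}
```

If several threads decrypt concurrently, resetting the flag in the finally block can race with another thread's unwrap; in that case the java.security property from the answer is the simpler choice.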