Tags: pkcs#11, hsm, safenet

How to decrypt SafeNet wrapped exported keys?


I have exported a 3DES key from my SafeNet HSM to a file using a tool named KMU. This tool wraps the key before extraction using another 3DES key. I have access to the plain-text value of the second key.

The question is "how can I decrypt the wrapped file to obtain plain-text value of the wrapped key?"

Update:

FYI: The final exported file looks like this:

L1: 000001f4 000001a800000001000001a0
L2: 00000020 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
L3: 00000140 0000001b0000010300000001010100000162000000010101800001290000000101010000016500000001010000000164000000010100000000010000000101010000000200000001010100000170000000010101000000030000000f014949494949494949494949494949490000010c000000010101000001040000000101010000010a000000010101000001060000000101010000010500000001010100000108000000010101000001070000000101018000012b000000010100000001610000000401000000100000000000000004010000000400000100000000040100000014800001030000000000000001020000000000000001100000000000000001110000000000800001280000000101000000016300000001010080000102000000100132303131313232383136323032313030000000000000000000000000
L4: 00000010 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
L5: 00000020 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxx
L6: 00000020 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
L7: 00000020 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The parts shown as 'x' are the data that look encrypted in the original file, so I replaced them with 'x'. Line numbers, spaces and new-lines were also added by me to make the content more readable!


Solution

  • See chapter "Key Backup Feature Tutorial" in the document Key Management Utility User (KMU) Reference for overall scheme description.

    Unfortunately this document has not been updated to the latest version of the scheme, which uses AES tK and HMAC for M_mK.

    As far as I remember it is possible to tell KMU to use the older DES3 scheme with the -3 command line option.


    I have a working implementation but unfortunately can not provide the code.

    Key restoration steps summary:

    • Check overall file structure (magic 0x000001f4 | varLen encoded payload | 4 byte MAC | varLen wrapped MAC key | varLen wrapped transport key)

    • unwrap AES transport key (using the wrap key and its key-type-specific algorithm, e.g. CKM_RSA_PKCS)

    • unwrap generic secret MAC key (using AES transport key and CKM_AES_ECB. Length is 32)

    • verify MAC of encoded payload (using MAC key with CKM_SHA512_HMAC_GENERAL)

    • unwrap all backed-up keys from the payload (using AES transport key with CKM_WRAPKEY_AES_CBC and zero IV)


    You might want to use a PKCS#11 logger library (see PTK-C Programming Guide) and record the activity of the KMU utility during key restore to verify the fine details of the algorithm.

    Good luck with your project!


    EDIT> Overall structure of file (given your example data):

    000001f4 // Magic
    000001a8 // Length of encoded payload
        00000001 // Number of keys
        000001a0 // Wrapped key #1 length
            xxxx...xxxx // Wrapped key #1 data for CKM_WRAPKEY_AES_CBC
    xxxxxxxx // Payload MAC
    00000020 // Wrapped MAC key cryptogram length
        xxxx...xxxx // Wrapped MAC key cryptogram
    00000020 // Wrapped transport key cryptogram length
        xxxx...xxxx // Wrapped transport key cryptogram
    

    See CKM_WRAPKEY_AES_CBC and CKM_WRAPKEY_DES3_CBC for format used to encode individual exported key data (#1..#n) inside encoded payload.
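The outer container layout and the MAC step from the answer above, as an added example (not KMU's or SafeNet's code, and not from the original post). It parses the magic | varLen encoded payload | 4-byte MAC | varLen wrapped MAC key | varLen wrapped transport key structure, splits the encoded payload into its per-key blobs, and checks the payload MAC as CKM_SHA512_HMAC_GENERAL, i.e. the leftmost 4 bytes of HMAC-SHA512 (the 4-byte output length is an assumption taken from the "4 byte MAC" in the answer). The transport-key and MAC-key unwraps (RSA / AES-ECB) and the CKM_WRAPKEY_AES_CBC inner format are deliberately not implemented; the MAC key is passed in already unwrapped and the cryptograms are carried as opaque bytes. `build_kmu_backup` and all key material in the `__main__` block are constructed test values; `header_from_dump` only decodes the first 16 bytes of a dump such as the question's first line and checks that the lengths agree.

```python
"""Parser and MAC check for the KMU backup container described in the answer.

Added example, not KMU/SafeNet code.  Implements only the documented outer
layout and the CKM_SHA512_HMAC_GENERAL check; key unwrapping is out of scope.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List

MAGIC = 0x000001F4   # magic seen at the start of the dump in the question
MAC_LEN = 4          # assumption: ulMacLength of CKM_SHA512_HMAC_GENERAL ("4 byte MAC")


class KmuFormatError(ValueError):
    """Raised when the blob does not match the documented layout."""


@dataclass
class KmuBackup:
    encoded_payload: bytes         # exact bytes the payload MAC is computed over
    wrapped_keys: List[bytes]      # one CKM_WRAPKEY_AES_CBC blob per backed-up key (opaque here)
    payload_mac: bytes
    wrapped_mac_key: bytes         # generic secret wrapped under transport key (AES-ECB), opaque here
    wrapped_transport_key: bytes   # AES key wrapped under the KMU wrap key, opaque here


def _u32(buf: bytes, off: int):
    """Big-endian u32 at off; every length and count field in the dump is one of these."""
    if off + 4 > len(buf):
        raise KmuFormatError(f"truncated 4-byte field at offset {off}")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _var(buf: bytes, off: int):
    """Length-prefixed byte string (u32 length followed by that many bytes)."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise KmuFormatError(f"field of {n} bytes at offset {off} overruns blob")
    return buf[off:off + n], off + n


def parse_kmu_backup(blob: bytes) -> KmuBackup:
    magic, off = _u32(blob, 0)
    if magic != MAGIC:
        raise KmuFormatError(f"bad magic 0x{magic:08x}")
    payload, off = _var(blob, off)
    # encoded payload = number of keys | (varLen wrapped key) * number of keys
    count, poff = _u32(payload, 0)
    keys = []
    for _ in range(count):
        key, poff = _var(payload, poff)
        keys.append(key)
    if poff != len(payload):
        raise KmuFormatError("trailing bytes inside encoded payload")
    if off + MAC_LEN > len(blob):
        raise KmuFormatError("truncated payload MAC")
    mac, off = blob[off:off + MAC_LEN], off + MAC_LEN
    wrapped_mac_key, off = _var(blob, off)
    wrapped_transport_key, off = _var(blob, off)
    if off != len(blob):
        raise KmuFormatError("trailing bytes after wrapped transport key")
    return KmuBackup(payload, keys, mac, wrapped_mac_key, wrapped_transport_key)


def sha512_hmac_general(key: bytes, data: bytes, mac_len: int = MAC_LEN) -> bytes:
    """CKM_SHA512_HMAC_GENERAL: the leftmost mac_len bytes of HMAC-SHA512."""
    return hmac.new(key, data, hashlib.sha512).digest()[:mac_len]


def verify_payload_mac(backup: KmuBackup, mac_key: bytes) -> bool:
    """Step 'verify MAC of encoded payload'; mac_key is the already-unwrapped generic secret."""
    expected = sha512_hmac_general(mac_key, backup.encoded_payload)
    return hmac.compare_digest(expected, backup.payload_mac)


def build_kmu_backup(wrapped_keys, mac_key, wrapped_mac_key, wrapped_transport_key) -> bytes:
    """Inverse of the parser, used only to construct a test vector offline."""
    payload = struct.pack(">I", len(wrapped_keys)) + b"".join(
        struct.pack(">I", len(k)) + k for k in wrapped_keys)
    return (struct.pack(">II", MAGIC, len(payload)) + payload
            + sha512_hmac_general(mac_key, payload)
            + struct.pack(">I", len(wrapped_mac_key)) + wrapped_mac_key
            + struct.pack(">I", len(wrapped_transport_key)) + wrapped_transport_key)


def header_from_dump(hex_prefix: str) -> dict:
    """Decode the first four u32 fields of a dump and check that, for a single-key file,
    payload length == 4 (count) + 4 (key length) + wrapped key #1 length."""
    raw = bytes.fromhex(hex_prefix.replace(" ", ""))
    magic, payload_len, count, key1_len = struct.unpack_from(">IIII", raw, 0)
    return {"magic": magic, "payload_len": payload_len, "key_count": count, "key1_len": key1_len,
            "consistent": magic == MAGIC and count == 1 and payload_len == 8 + key1_len}


if __name__ == "__main__":
    # Constructed values, not from any real HSM. 32-byte MAC key per "Length is 32".
    MAC_KEY = bytes(range(32))
    blob = build_kmu_backup([b"\xaa" * 48], MAC_KEY, b"\x11" * 32, b"\x22" * 32)
    bk = parse_kmu_backup(blob)
    print("keys:", len(bk.wrapped_keys), "mac ok:", verify_payload_mac(bk, MAC_KEY))
    print(header_from_dump("000001f4 000001a800000001000001a0"))
```

Run against the question's own first line, `header_from_dump` reports payload length 0x1a8 = 424 = 8 + 0x1a0, which is why the answer's layout accounts for every byte of that dump. Note that the MAC is computed over the encoded payload (count and length fields included), so a parser that strips those before MACing will always report a mismatch.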