Wrap Key
Wrapping a key enables secure transfer of the key from one place to another. The CADP for Java provider wraps an NAEKey object by encrypting it with a specified NAEPublicKey. The CADP for Java provider also supports wrapping a symmetric or asymmetric key by encrypting it with a specified AES key.
Wrap NAEKey with NAEPublicKey
First create a CADP for Java Cipher object as you would for any encryption using the IngrianProvider.
Cipher cipher = Cipher.getInstance("RSA", "IngrianProvider");
This creates an RSA Cipher because you will wrap the key with an NAEPublicKey. Initialize the cipher object in WRAP_MODE using an NAEParameterSpec. The NAEParameterSpec is required to communicate with the session.
cipher.init(Cipher.WRAP_MODE, publicKey, spec);
Wrap key with NAEPublicKey with PKCS#1 v2.1 padding
To wrap the key with an NAEPublicKey with PKCS#1 v2.1 padding, use the following steps:
NAEParameterSpec spec = new NAEParameterSpec(keyToWrap, false, false, session);
spec.setWrapPaddingFormat(WrapFormatPadding.SHA512);
The supported padding formats are SHA1, SHA256, SHA384, and SHA512.
Use the wrap() method of the Cipher class to encrypt and export the Secret Key using the provided NAEPublicKey. Note that you can wrap a Private Key or a Secret Key. This generates an XML key export request, specifying key wrapping using the WrapPublicKey tag, and is performed within the IngrianProvider when wrap() is called. A byte array of the wrapped (encrypted) key binary is returned from the wrap() method.
byte[] wrappedKey = cipher.wrap(keyToBeWrapped);
The key can be unwrapped using the corresponding Private Key, either by another provider that supports key unwrapping or by the CADP for Java provider with a Cipher initialized in UNWRAP_MODE.
Wrap symmetric key with AES key
Create a CADP for Java Cipher object and then initialize it in WRAP_MODE using an AES key.
Cipher cipher = Cipher.getInstance("AESWrap", "IngrianProvider");
cipher.init(Cipher.WRAP_MODE, wrappingKey);
A byte array of the wrapped (encrypted) key binary is returned from the wrap() method.
byte[] wrappedKey = cipher.wrap(keyToBeWrapped);
The length of the wrapped key binary, in bytes, by input key size:
For an input key size of 128 bits, the wrapped key is 24 bytes
For an input key size of 196 bits, the wrapped key is 32 bytes
For an input key size of 256 bits, the wrapped key is 40 bytes
To wrap a specific version of a symmetric key, provide #<version number of key> with the key name. To wrap all versions of the key, provide #all with the key name.
Wrap an asymmetric key with an AES key
Create a CADP for Java Cipher object and then initialize it in WRAP_MODE using an AES key of 256 bits.
Cipher cipher = Cipher.getInstance("AESWrap", "IngrianProvider");
Wrap an asymmetric key using the following code.
NAEParameterSpec spec = new NAEParameterSpec(keyToWrapName, true, true, 256, session);
spec.setWrapPaddingFormat(WrapFormatPadding.SHA1);
Set the output format, if required.
spec.setWrapFormat(WrapFormat.PKCS8);
Pass the spec in cipher.init() as shown below.
cipher.init(Cipher.WRAP_MODE, wrappingKey, spec);
To wrap a specific version of an asymmetric key, provide #<version number of key> with the key name. To wrap all versions of the key, provide #all with the key name.
Note
Only AES keys of 256 bits can be used for wrapping an asymmetric key.
For EC keys the default format is SEC#1, and for RSA keys the default format is PKCS#1.
Unwrap Key using OpenSSL
The wrap() method returns its output as a byte array. To unwrap the key with OpenSSL, first write the Base64 encoded wrapped key to a file as shown here.
Base64.encodeToFile(wrappedKey, <filePathWhereBase64EncodedWrappedKeyIsWritten>);
Based on the padding scheme, run one of the following command pairs. Each pair first decodes the Base64 file to binary, then decrypts the binary with the private key.
For PKCS#1 v1.5 padding (the rsautl default):
openssl enc -in <filePathWhereBase64EncodedWrappedKeyIsWritten> -out <filepathForbinarytext> -d -a
openssl rsautl -decrypt -in <filepathForbinarytext> -out <filePathToUnwrappedKey> -inkey <pemFilePathToPrivKey>
For PKCS#1 v2.1 (OAEP) padding, shown here with SHA-256:
openssl enc -in <filePathWhereBase64EncodedWrappedKeyIsWritten> -out <filepathForbinarytext> -d -a
openssl pkeyutl -decrypt -inkey <pemFilePathToPrivKey> -in <filepathForbinarytext> -out <filePathToUnwrappedKey> -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
Set rsa_oaep_md and rsa_mgf1_md to match the WrapFormatPadding that was selected when the key was wrapped; a mismatch makes the decrypt fail.
Read the unwrapped key bytes from the file as shown here.
byte[] keyArr = Files.readAllBytes(Paths.get(<filePathToUnwrappedKey>));
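The OpenSSL unwrap procedure above, run end to end as an added example that is not part of the CADP documentation: because no Key Manager is available offline, the wrapped key is constructed locally by encrypting a random 256-bit key with RSA-OAEP/SHA-256, standing in for the provider's wrap() output and Base64.encodeToFile(). It assumes openssl (1.1.1 or later) and standard POSIX tools on the PATH.

```shell
#!/bin/sh
# Added example: the documented OpenSSL unwrap, verified against a locally
# constructed wrapped key (no Key Manager needed).
set -eu

unwrap_demo() {
  dir=$(mktemp -d)
  # 1. An RSA key pair standing in for the NAEPublicKey and its private key.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/priv.pem" 2>/dev/null
  openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem"
  # 2. A constructed 256-bit symmetric key to wrap.
  openssl rand -out "$dir/secret.bin" 32
  # 3. Wrap it with PKCS#1 v2.1 (OAEP) padding, SHA-256, then Base64-encode
  #    to a file, which is what Base64.encodeToFile() produces.
  openssl pkeyutl -encrypt -pubin -inkey "$dir/pub.pem" \
      -in "$dir/secret.bin" -out "$dir/wrapped.bin" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -pkeyopt rsa_mgf1_md:sha256
  openssl base64 -in "$dir/wrapped.bin" -out "$dir/wrapped.b64"
  # 4. The documented unwrap: decode the Base64 file, then decrypt with the
  #    private key using OAEP parameters that match the wrapping padding.
  openssl enc -in "$dir/wrapped.b64" -out "$dir/wrapped.dec" -d -a
  openssl pkeyutl -decrypt -inkey "$dir/priv.pem" \
      -in "$dir/wrapped.dec" -out "$dir/unwrapped.bin" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -pkeyopt rsa_mgf1_md:sha256
  # 5. Verify the round trip and print the recovered key length in bytes.
  cmp -s "$dir/secret.bin" "$dir/unwrapped.bin" || { rm -rf "$dir"; return 1; }
  wc -c < "$dir/unwrapped.bin" | tr -d ' '
  rm -rf "$dir"
}
```

Running unwrap_demo prints 32, the byte length of the recovered key; a mismatched rsa_oaep_md in step 4 makes pkeyutl fail instead.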