supporting EJBCA #63

Open
nponsard opened this issue Jul 28, 2023 · 9 comments

Comments

@nponsard
Contributor

No description provided.

@nponsard
Contributor Author

nponsard commented Jul 31, 2023

Current blocking problems:

  • After generating a key, it tries to rename it using C_SetAttributeValue()
  • When generating an EC key, it tries to sign data of an invalid length

@nponsard nponsard changed the title test with EJBCA supporting EJBCA Aug 4, 2023
@nponsard
Contributor Author

nponsard commented Aug 4, 2023

Need to find a way to fix the key renaming, maybe the PKCS11 Java lib?

@nponsard
Contributor Author

nponsard commented Aug 8, 2023

It seems like the EC key problems are fixed by changes in main.

@nponsard
Contributor Author

nponsard commented Aug 8, 2023

The problem seems to come from the Java library.
It uses the java.security.Security class to get the Sun PKCS11 provider.
This 'security' library imposes a pattern where a key generation is in 3 steps:

  • generate a key
  • generate a certificate
  • store both the key and the certificate

As the key is generated on the device, it uses the device to sign the certificate. Also in the storing part the key is already on the device so it renames it.

example code:

package com.example;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;

public class App {
    public static void main(String[] args) throws Exception {
        // Load the PKCS#11 provider from the config file (it points at pkcs11-spy, see below)
        String pkcs11Config = "/opt/pkcs-test/pkcs11.cfg";

        Provider provider = Security.getProvider("SunPKCS11");
        provider = provider.configure(pkcs11Config);
        Security.addProvider(provider);

        // Initialize a session: loading the PKCS11 KeyStore logs in to the token with the PIN
        char[] pin = "123456".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
        keyStore.load(null, pin);

        // Step 1: generate an RSA key pair on the device
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", provider);
        keyPairGenerator.initialize(2048);
        KeyPair keyPair = keyPairGenerator.generateKeyPair();

        // Step 2: generate a certificate, signed on the device with the new key
        // (generateCertificate is a helper that is not included in this snippet)
        Certificate certificate = generateCertificate(keyPair, provider);

        // Step 3: store key and certificate; the key already lives on the device, so the
        // provider renames it (C_SetAttributeValue) instead of importing it.
        // setKeyEntry takes a certificate chain, so the single certificate is wrapped in an array.
        keyStore.setKeyEntry("your_key_alias", keyPair.getPrivate(), pin, new Certificate[] { certificate });
    }
}

pkcs11.cfg:

name = PKCS11SPY
library = /usr/lib/pkcs11-spy.so

@nponsard
Contributor Author

nponsard commented Aug 8, 2023

New error when clicking 'test' on EC keys: Error: Exception testing key: error decoding signature bytes.
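A signature-decoding error at this point sits on the boundary where SunPKCS11 translates signatures: PKCS#11 CKM_ECDSA returns and accepts the fixed-width concatenation r || s, while java.security.Signature produces and verifies a DER-encoded SEQUENCE { r, s }. The following added example (not code from this issue or the project) implements both directions with the length checks that reject a signature in the wrong form; the curve order lengths and the sample values are constructed, and whether an encoding mismatch was the actual cause in this thread is an assumption, not something the thread states.

```python
# Added example (not the issue's or the project's code): convert ECDSA signatures between
# PKCS#11's r || s form (each left-padded to the curve order length) and java.security's DER form.
CURVE_ORDER_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66}  # ceil(order bits / 8)

def _der_length(n: int) -> bytes:
    # Short form below 128, one-byte long form above (enough for any P-521 signature).
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])

def _der_integer(value: bytes) -> bytes:
    # DER INTEGER: minimal positive encoding, leading 0x00 only when the top bit is set.
    value = value.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:
        value = b"\x00" + value
    return b"\x02" + _der_length(len(value)) + value

def raw_to_der(raw: bytes, curve: str) -> bytes:
    """Encode a PKCS#11 r || s signature as DER; rejects wrong-length input."""
    n = CURVE_ORDER_BYTES[curve]
    if len(raw) != 2 * n:
        raise ValueError(f"{curve} raw signature must be {2 * n} bytes, got {len(raw)}")
    body = _der_integer(raw[:n]) + _der_integer(raw[n:])
    return b"\x30" + _der_length(len(body)) + body

def _read_tlv(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    # Parse one DER element with the expected tag; return (contents, next offset).
    if len(buf) < pos + 2 or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length == 0x81 and pos < len(buf):
        length, pos = buf[pos], pos + 1
    elif length >= 0x80:
        raise ValueError("unsupported or truncated DER length")
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the signature")
    return buf[pos:pos + length], pos + length

def der_to_raw(der: bytes, curve: str) -> bytes:
    """Decode a DER ECDSA signature into the fixed-width r || s that PKCS#11 expects."""
    n = CURVE_ORDER_BYTES[curve]
    body, end = _read_tlv(der, 0, 0x30)
    r, pos = _read_tlv(body, 0, 0x02)
    s, pos = _read_tlv(body, pos, 0x02)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing bytes in DER signature")
    out = b""
    for name, v in (("r", r), ("s", s)):
        v = v.lstrip(b"\x00")  # drop the DER sign byte / leading zeros
        if len(v) > n:
            raise ValueError(f"{name} does not fit the {curve} order length")
        out += v.rjust(n, b"\x00")  # left-pad to the PKCS#11 fixed width
    return out
```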

@nponsard
Contributor Author

nponsard commented Aug 9, 2023

Generating a P-384 EC key now works; there are still problems for the other EC key sizes.

@nponsard
Contributor Author

The ECDSA problems are now solved

@nponsard
Contributor Author

#85 would be a partial fix

@jans23
Member

jans23 commented Aug 31, 2023

Potentially PKCS#11 NG would be a solution.

@jans23 jans23 self-assigned this Aug 31, 2023
@jans23 jans23 removed their assignment Sep 29, 2023