
Unable to generate ECC keys using ejbcaClientToolBox.sh on LunaHSM

2013-10-14
2013-10-15
  • Hi,

    I am trying to generate EC keys on a LunaHSM but I am getting the following errors.

    ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so secp160r1 secp160r1_1 1
    2013-10-14 03:04:56,238 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
    PKCS11 Token [SunPKCS11-libCryptoki2_64.so-slot1] Password:
    Command could not be executed. See log for stack trace.
    2013-10-14 03:05:03,708 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so null pkcs11 secp160r1 secp160r1_1 1' could not be executed.
    java.lang.IllegalArgumentException: unable to process key - java.lang.RuntimeException: Could not parse key values
    at org.bouncycastle.x509.X509V3CertificateGenerator.setPublicKey(Unknown Source)
    at org.ejbca.util.keystore.KeyStoreContainerBase.getSelfCertificate(KeyStoreContainerBase.java:140)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:285)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generateEC(KeyStoreContainerBase.java:185)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:236)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:139)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:290)
    at org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:47)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)

    Regards,
    San

     
  • Thanks Tomas,

    The above link says the patch is already in openjdk u21.
    I am using 1.6.0.0-1.28.

    [root@ca-user-centos sanaullah]# yum list java-1.6.0-openjdk.x86_64
    Loaded plugins: security
    rightscale-epel | 951 B 00:00
    Installed Packages
    java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.28.1.10.10.el5_8 installed

     
  • java -version

     
  • java -version
    java version "1.6.0_31"
    Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
    Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)

     
  • Then I don't know what is wrong. Try another key, secp256r1, that we have used many many times with Luna.

     
  • It's the same, even with prime256v1.
    [root@ca-user-centos sanaullah]# /vol/pki/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so secp256r1 secp256r1_1 1
    2013-10-14 04:44:58,088 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
    PKCS11 Token [SunPKCS11-libCryptoki2_64.so-slot1] Password:
    Command could not be executed. See log for stack trace.
    2013-10-14 04:45:13,465 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so null pkcs11 secp256r1 secp256r1_1 1' could not be executed.
    java.lang.IllegalArgumentException: unable to process key - java.lang.RuntimeException: Could not parse key values
    at org.bouncycastle.x509.X509V3CertificateGenerator.setPublicKey(Unknown Source)
    at org.ejbca.util.keystore.KeyStoreContainerBase.getSelfCertificate(KeyStoreContainerBase.java:140)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:285)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generateEC(KeyStoreContainerBase.java:185)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:236)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:139)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:290)
    at org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:47)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)

     
  • Is there any issue if I am using the same slot where I have already stored RSA keys?

     
  • I have set up everything from CentOS 5.8 to CentOS 6.4. SEC curves are generated on the HSM,
    but all other NIST and X9.62 curves are coming back as unknown.
    java -version
    java version "1.6.0_24"
    OpenJDK Runtime Environment (IcedTea6 1.11.13) (rhel-1.65.1.11.13.el6_4-x86_64)
    OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

    [root@ca-user-new ejbca]# /vol/pki/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so prime256v1 prime256v1_3 1
    2013-10-15 08:55:30,278 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
    PKCS11 Token [SunPKCS11-libCryptoki2_64.so-slot1] Password:
    Command could not be executed. See log for stack trace.
    2013-10-15 08:55:37,196 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so null pkcs11 prime256v1 prime256v1_3 1' could not be executed.
    java.security.InvalidAlgorithmParameterException: Unknown curve name: prime256v1
    at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:161)
    at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:637)
    at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:386)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generateEC(KeyStoreContainerBase.java:179)
    at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:236)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:139)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:290)
    at org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:47)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)

     
  • secp256r1 is the same curve. Different HSMs use different curve names.
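The last reply's point, as an added example (not EJBCA code and not from the posters): a namedCurve EC key identifies its curve by OID, and secp256r1, prime256v1 and P-256 are three labels for the single OID 1.2.840.10045.3.1.7. A provider such as the SunPKCS11 wrapper in the logs above may accept one label and reject another for the same curve, so the reliable check after key generation is the OID in the exported SubjectPublicKeyInfo, not the name that was typed. The alias table holds standard SEC 2 / ANSI X9.62 / FIPS 186 values; the SPKI bytes are constructed inline for the demonstration and the point inside them is a placeholder, not a key from anyone's HSM.

```python
"""Resolve which curve an EC SubjectPublicKeyInfo actually carries.

Added example (not EJBCA or poster code). A namedCurve SPKI names its
curve by OID, so secp256r1 / prime256v1 / P-256 all resolve to one OID.
Alias table: standard SEC 2 / X9.62 / FIPS 186 values. Sample SPKI bytes
are constructed here, not exported from a real token.
"""

EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"  # id-ecPublicKey

# Curve OID -> every name the same curve goes by in SEC 2, X9.62 and FIPS 186.
CURVE_ALIASES = {
    "1.2.840.10045.3.1.7": ("secp256r1", "prime256v1", "P-256", "nistp256"),
    "1.3.132.0.34": ("secp384r1", "P-384", "nistp384"),
    "1.3.132.0.35": ("secp521r1", "P-521", "nistp521"),
    "1.3.132.0.8": ("secp160r1",),
}
NAME_TO_OID = {n.lower(): oid for oid, names in CURVE_ALIASES.items() for n in names}


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))

def decode_oid(body):
    """Inverse of encode_oid, applied to the OID's content octets."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, off=0):
    """Return (tag, content, offset after the element) for one DER TLV."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def build_spki(curve_oid, point):
    """SubjectPublicKeyInfo with namedCurve parameters around an EC point."""
    alg = der(0x30, encode_oid(EC_PUBLIC_KEY_OID) + encode_oid(curve_oid))
    return der(0x30, alg + der(0x03, b"\x00" + point))  # BIT STRING, 0 unused bits

def curve_oid_from_spki(spki):
    """Pull the namedCurve OID out of an EC SPKI; reject non-EC or explicit params."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, off = read_tlv(alg)
    if tag != 0x06 or decode_oid(oid) != EC_PUBLIC_KEY_OID:
        raise ValueError("not an id-ecPublicKey key")
    tag, params, _ = read_tlv(alg, off)
    if tag != 0x06:
        raise ValueError("curve is not a namedCurve OID (explicit/implicit params)")
    return decode_oid(params)

def same_curve(name_a, name_b):
    """True when two labels name one curve, e.g. secp256r1 and prime256v1."""
    a, b = NAME_TO_OID.get(name_a.lower()), NAME_TO_OID.get(name_b.lower())
    return a is not None and a == b

def key_matches_requested_curve(spki, requested_name):
    """Check an exported key against the curve name requested from the token."""
    return NAME_TO_OID.get(requested_name.lower()) == curve_oid_from_spki(spki)

# Constructed sample: P-256 header around a zero placeholder point (not a valid
# curve point; only the AlgorithmIdentifier is parsed here).
SAMPLE_P256_SPKI = build_spki("1.2.840.10045.3.1.7", b"\x04" + bytes(64))

if __name__ == "__main__":
    oid = curve_oid_from_spki(SAMPLE_P256_SPKI)
    print(oid, CURVE_ALIASES[oid])
    print(same_curve("secp256r1", "prime256v1"))
    print(key_matches_requested_curve(SAMPLE_P256_SPKI, "prime256v1"))
```

Run against a real SPKI (for example the DER bytes behind a `ejbcaClientToolBox.sh PKCS11HSMKeyTool certreq` output, after base64 decoding) the same `curve_oid_from_spki` call tells you which curve the token actually generated, independent of which alias the provider accepted on the command line.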