Menu
▾
▴
[Ejbca-develop] Generating ECDSA brainpool keys in Luna SA HSM
|
From: Luis F. <lui...@mu...> - 2009-05-11 23:29:54
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
I have been trying to generate an ECDSA keypair in a Luna SA HSM using
the ejbcaClientToolBox application with PKCS11HSMKeyTool.<br>
So far I was able to generate RSA keys and ECDSA with secp* keyspecs
without any problem. The problem I have is when I try to generate ECDSA
keypairs using a different key spec. Whenever I use another key spec
(like, for instance, brainpolP224r1) I get an exception like:<br>
<blockquote>0 [main] INFO org.ejbca.util.keystore.KeyTools - Using
SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11<br>
219 [main] DEBUG org.ejbca.util.keystore.KeyStoreContainerP11 -
Adding provider with name: SunPKCS11-Luna<br>
PKCS11 Token [SunPKCS11-Luna] Password: <br>
4972 [main] TRACE org.ejbca.util.keystore.KeyStoreContainerBase -
>generate EC: curve name brainpoolP224r1, keyEntryName
KeyAliasBrp224_001<br>
4977 [main] DEBUG org.ejbca.util.keystore.KeyStoreContainerBase - EC
name brainpoolP224r1 not supported.<br>
java.security.InvalidAlgorithmParameterException: Unknown curve name:
brainpoolP224r1<br>
at
sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:142)<br>
at
java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:620)<br>
at
java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:369)<br>
at
org.ejbca.util.keystore.KeyStoreContainerBase.generateEC(KeyStoreContainerBase.java:158)<br>
at
org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:195)<br>
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:127)<br>
at
org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:46)<br>
at
org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:38)<br>
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:51)<br>
</blockquote>
I'm trying to create the keys with the following command:<br>
<blockquote>#> ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate
./lunapkcs11.cfg brainpoolP224r1 KeyAliasBrp224_001<br>
</blockquote>
and my 'lunapkcs11.cfg' file has the following content:<br>
<blockquote>name=Luna<br>
library=/usr/lunasa/lib/libCryptoki2.so<br>
slot=1<br>
attributes(generate,*,*) = {<br>
CKA_TOKEN = true<br>
}<br>
attributes(generate,CKO_PUBLIC_KEY,*) = {<br>
CKA_ENCRYPT = true<br>
CKA_VERIFY = true<br>
CKA_WRAP = true<br>
}<br>
attributes(generate,CKO_PRIVATE_KEY,*) = {<br>
CKA_EXTRACTABLE = false<br>
CKA_DECRYPT = true<br>
CKA_SIGN = true<br>
CKA_UNWRAP = true<br>
}<br>
</blockquote>
I am able to create keypairs and certificate requests with the above
keyspecs when I use the ejbcawscli/cvcwscli, so it seems to me that
with soft providers everything is working correctly and my problem
should probably be somewhere in between the interaction with the HSM
module, but right now I'm a little bit lost as to how to correct it...<br>
<br>
I am using EJBCA 3.8.2 with JDK1.6.0_12 in a Red Hat 5.3 server with
version 4.3 of the Luna libraries...<br>
<br>
Thanks in advance !!<br>
<br>
Best Regards,<br>
<br>
Luis Felix<br>
<br>
<pre class="moz-signature" cols="72">--
_______________________________________________
Luis Felix
<a class="moz-txt-link-abbreviated" href="mailto:lui...@mu...">lui...@mu...</a>
MULTICERT S.A <a class="moz-txt-link-rfc2396E" href="http://www.multicert.com/"><http://www.multicert.com/></a>
Avenida Sidónio Pais, 379
Edificio B, Piso -1, Sala C5
4100-468 Porto
Tel: +351 223391810 Fax: +351 223391811
_______________________________________________
</pre>
</body>
</html>
|