From: Luis F. <lui...@mu...> - 2009-05-11 23:29:54
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
I have been trying to generate an ECDSA keypair in a Luna SA HSM using the ejbcaClientToolBox application with PKCS11HSMKeyTool.<br>
So far I was able to generate RSA keys and ECDSA with secp* keyspecs without any problem. The problem I have is when I try to generate ECDSA keypairs using a different key spec. Whenever I use another key spec (like, for instance, brainpoolP224r1) I get an exception like:<br>
<blockquote>0 [main] INFO org.ejbca.util.keystore.KeyTools - Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11<br>
219 [main] DEBUG org.ejbca.util.keystore.KeyStoreContainerP11 - Adding provider with name: SunPKCS11-Luna<br>
PKCS11 Token [SunPKCS11-Luna] Password: <br>
4972 [main] TRACE org.ejbca.util.keystore.KeyStoreContainerBase - >generate EC: curve name brainpoolP224r1, keyEntryName KeyAliasBrp224_001<br>
4977 [main] DEBUG org.ejbca.util.keystore.KeyStoreContainerBase - EC name brainpoolP224r1 not supported.<br>
java.security.InvalidAlgorithmParameterException: Unknown curve name: brainpoolP224r1<br>
at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:142)<br>
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:620)<br>
at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:369)<br>
at org.ejbca.util.keystore.KeyStoreContainerBase.generateEC(KeyStoreContainerBase.java:158)<br>
at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:195)<br>
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:127)<br>
at org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:46)<br>
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:38)<br>
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:51)<br>
</blockquote>
I'm trying to create the keys with the following command:<br>
<blockquote>#> ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate ./lunapkcs11.cfg brainpoolP224r1 KeyAliasBrp224_001<br>
</blockquote>
and my 'lunapkcs11.cfg' file has the following content:<br>
<blockquote>name=Luna<br>
library=/usr/lunasa/lib/libCryptoki2.so<br>
slot=1<br>
attributes(generate,*,*) = {<br>
CKA_TOKEN = true<br>
}<br>
attributes(generate,CKO_PUBLIC_KEY,*) = {<br>
CKA_ENCRYPT = true<br>
CKA_VERIFY = true<br>
CKA_WRAP = true<br>
}<br>
attributes(generate,CKO_PRIVATE_KEY,*) = {<br>
CKA_EXTRACTABLE = false<br>
CKA_DECRYPT = true<br>
CKA_SIGN = true<br>
CKA_UNWRAP = true<br>
}<br>
</blockquote>
I am able to create keypairs and certificate requests with the above keyspecs when I use the ejbcawscli/cvcwscli, so it seems to me that with soft providers everything is working correctly and my problem should probably be somewhere in between the interaction with the HSM module, but right now I'm a little bit lost as to how to correct it...<br>
<br>
I am using EJBCA 3.8.2 with JDK1.6.0_12 on a Red Hat 5.3 server with version 4.3 of the Luna libraries...<br>
<br>
Thanks in advance!<br>
<br>
Best Regards,<br>
<br>
Luis Felix<br>
<br>
<pre class="moz-signature" cols="72">--
_______________________________________________
Luis Felix <a class="moz-txt-link-abbreviated" href="mailto:lui...@mu...">lui...@mu...</a>
MULTICERT S.A <a class="moz-txt-link-rfc2396E" href="http://www.multicert.com/"><http://www.multicert.com/></a>
Avenida Sidónio Pais, 379 Edificio B, Piso -1, Sala C5
4100-468 Porto
Tel: +351 223391810
Fax: +351 223391811
_______________________________________________
</pre>
</body>
</html>
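A diagnostic check, added here as an example and not part of the original post or of EJBCA: it loads the same SunPKCS11 configuration and asks the provider, curve name by curve name, whether KeyPairGenerator.initialize() accepts it, which is the call that throws "Unknown curve name" in the trace above. The class name CurveProbe, the config path and the curve list are assumptions; the sun.security.pkcs11.SunPKCS11(String) constructor is the JDK 6 to 8 way of loading the provider.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical probe: which named curves will a provider accept for EC key generation? */
public class CurveProbe {

    /** True if initialize() accepts the curve name; false if the provider does not know it. */
    public static boolean supportsCurve(Provider provider, String curveName)
            throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", provider);
        try {
            // initialize() only resolves the curve name inside the provider; nothing is
            // written to the token, so no PKCS#11 login is needed for the probe.
            kpg.initialize(new ECGenParameterSpec(curveName));
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            return false; // e.g. "Unknown curve name: brainpoolP224r1"
        }
    }

    /** Returns the subset of curveNames that the provider rejects. */
    public static List<String> unsupportedCurves(Provider provider, String[] curveNames)
            throws NoSuchAlgorithmException {
        List<String> rejected = new ArrayList<String>();
        for (String name : curveNames) {
            if (!supportsCurve(provider, name)) {
                rejected.add(name);
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: SunPKCS11 config file, e.g. ./lunapkcs11.cfg from the post (assumed path).
        Provider p11 = new sun.security.pkcs11.SunPKCS11(args[0]);
        // Constructed list: curves the post says work plus the brainpool curves that failed.
        String[] curves = { "secp256r1", "secp384r1", "brainpoolP224r1", "brainpoolP256r1" };
        System.out.println("Provider " + p11.getName() + " rejects: "
                + unsupportedCurves(p11, curves));
    }
}
```

Run it with the config path as the single argument; a curve the HSM firmware itself supports can still be reported as rejected here, because the name lookup happens in the SunPKCS11 provider (P11KeyPairGenerator.initialize in the trace) before anything reaches the token.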