CKR_DOMAIN_PARAMS_INVALID error with startssl pkcs12 cert

MikeM
2013-08-04
2013-08-25
  • MikeM

    MikeM - 2013-08-04

    Hi --

    I seem to be getting the same error as reported here: https://sourceforge.net/mailarchive/message.php?msg_id=30355554

    There was no resolution to that problem, so I'm asking again.

    That is, I've installed a signed certificate in order to try to get gmail to access davmail over secure POP, but I'm getting an error:

    2013-08-04 11:29:50,198 ERROR [PopConnection-62052] davmail - java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
    javax.net.ssl.SSLException: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1715)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1678)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1661)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1587)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:124)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at davmail.AbstractConnection.sendClient(AbstractConnection.java:183)
        at davmail.pop.PopConnection.sendOK(PopConnection.java:293)
        at davmail.pop.PopConnection.run(PopConnection.java:98)
    Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
        at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:323)
        at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:673)
        at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)
        at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:993)
        at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:874)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:803)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:578)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:170)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:963)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1208)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:674)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:119)
        ... 5 more
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
        at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:314)
        ... 18 more

    I had a functioning davmail install working previous to this with a self-signed certificate. That is, I could send and receive email over secure IMAP from Thunderbird, after manually accepting the self-signed certificate.

    I'm using one of the free startssl certificates. I made the PKCS12 (.p12) file using the "Create PKCS#12 (PFX) File" from the startssl Tool Box.

    Here is the relevant section of my davmail.properties file. This is the only thing I've changed upon installing the signed certificate file.

    davmail.ssl.keystoreType=PKCS12
    davmail.ssl.keystoreFile=/etc/davmail/6GAQHo5cCrKzn8Dv.p12
    davmail.ssl.keystorePass=password
    davmail.ssl.keyPass=password

    I also tried converting my p12 file to a jks file following these instructions (). I updated davmail.ssl.keystoreType to "JKS" and davmail.ssl.keystoreFile to the name of the JKS file. That yielded the same error in the logfile when I tried to add secure POP3 access via gmail.

    Thanks, Mike

     
    Last edit: MikeM 2013-08-04
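
The stack trace in the post fails in ECDHCrypt -> KeyPairGenerator$Delegate -> P11KeyPairGenerator.generateKeyPair, that is, while the server generates an ephemeral EC key pair through the PKCS#11 provider, not while reading the .p12 keystore. The following is an added diagnostic, not part of the original post or of DavMail; the class name EcProviderProbe and the curve list are assumptions chosen for illustration. It tries EC key generation on every installed provider so the failing provider and curve can be identified outside the TLS handshake:

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

// Hypothetical diagnostic class (the name is an assumption, not DavMail code).
public class EcProviderProbe {
    // Constructed sample list of named curves; extend it as needed.
    static final String[] CURVES = {"secp256r1", "secp384r1", "secp521r1"};

    /** Generate one EC key pair on the given provider; return "ok" or the root failure. */
    static String probe(Provider provider, String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", provider);
            kpg.initialize(new ECGenParameterSpec(curve));
            kpg.generateKeyPair();
            return "ok";
        } catch (Exception e) {
            // ProviderException is unchecked, so catch broadly and unwrap
            // to the innermost cause (e.g. a PKCS11Exception with its CKR_ code).
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return "FAILED: " + root;
        }
    }

    public static void main(String[] args) {
        // Providers offering an EC KeyPairGenerator, in preference order.
        Provider[] providers = Security.getProviders("KeyPairGenerator.EC");
        if (providers == null) {
            System.out.println("No installed provider offers KeyPairGenerator.EC");
            return;
        }
        for (Provider p : providers) {
            for (String curve : CURVES) {
                System.out.printf("%-12s %-10s %s%n", p.getName(), curve, probe(p, curve));
            }
        }
    }
}
```

Run it with the same JVM and java.security configuration that DavMail uses, so the provider list matches the one seen by the server.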
