
EJBCA and Utimaco CryptoServer HSM on FIPS mode

2022-07-08
2022-08-01
  • Jorge Pizarro

    Jorge Pizarro - 2022-07-08

    Hi,

    We have some issues with the following configuration:

    EJBCA Community v7.4.3.2
    Utimaco CryptoServer Se2 Series with FIPS mode ON

    This configuration works great with NO FIPS mode.
    When we configure the Utimaco HSM with FIPS mode ON, you must create a special PKCS11 Attribute File.
    In FIPS mode we can create the Crypto Token, but we can not "Generate a new Key Pair".
    We enabled debug mode for ejbca and cesecore.
    This is the extract of the log files when we try to "Generate a new Key Pair":

    20:34:07,206 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA256WithRSA' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Initialization failed
    20:34:07,208 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA256withRSAandMGF1' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Signing certificate failed: cannot create signer: no such algorithm: SHA256WITHRSAANDMGF1 for provider SunPKCS11-libcs_pkcs11_R2.so-slot2
    20:34:07,208 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA384withRSAandMGF1' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Signing certificate failed: cannot create signer: no such algorithm: SHA384WITHRSAANDMGF1 for provider SunPKCS11-libcs_pkcs11_R2.so-slot2
    20:34:07,208 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA512withRSAandMGF1' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Signing certificate failed: cannot create signer: no such algorithm: SHA512WITHRSAANDMGF1 for provider SunPKCS11-libcs_pkcs11_R2.so-slot2
    20:34:07,210 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA384WithRSA' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Initialization failed
    20:34:07,212 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA512WithRSA' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Initialization failed
    20:34:07,213 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA3-256withRSA' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Signing certificate failed: cannot create signer: no such algorithm: 2.16.840.1.101.3.4.3.14 for provider SunPKCS11-libcs_pkcs11_R2.so-slot2
    20:34:07,213 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA3-384withRSA' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Signing certificate failed: cannot create signer: no such algorithm: 2.16.840.1.101.3.4.3.15 for provider SunPKCS11-libcs_pkcs11_R2.so-slot2
    20:34:07,213 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] (default task-1) Signature algorithm 'SHA3-512withRSA' not working for provider 'SunPKCS11-libcs_pkcs11_R2.so-slot2 version 11'. Exception: Signing certificate failed: cannot create signer: no such algorithm: 2.16.840.1.101.3.4.3.16 for provider SunPKCS11-libcs_pkcs11_R2.so-slot2

    What we see on the Utimaco HSM in FIPS mode is that only the following SHA-RSA algorithms are enabled:

    CKM_SHA256_RSA_PKCS_PSS
    CKM_SHA384_RSA_PKCS_PSS
    CKM_SHA512_RSA_PKCS_PSS

    Our question is whether there is some configuration file where we can enable the use of the CKM_SHA256_RSA_PKCS_PSS algorithm in EJBCA, or any other recommendation for "Key Generation" using the Utimaco HSM in FIPS mode?

    Regards,
    J

  • Tomas Gustavsson

    SHA256withRSAandMGF1 is RSA-PSS.

    Try the latest release of EJBCA.
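    A small diagnostic, added here as an example and not part of this thread or of EJBCA: it configures a SunPKCS11 provider for one HSM slot, lists every Signature algorithm name that provider registers, and then tries to resolve the names EJBCA attempted in the log above (the "no such algorithm" lines come from exactly this lookup). The config file path, library path and slot number in the comments are assumptions; the library file name and slot come from the log.

```java
// DiagnosePkcs11Signatures.java  (Java 11+, uses Provider.configure)
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.List;
import java.util.TreeSet;

public class DiagnosePkcs11Signatures {

    // Names taken from the log lines in the question, plus the plain JCA name for RSA-PSS.
    static final List<String> CANDIDATES = List.of(
            "SHA256WithRSA", "SHA384WithRSA", "SHA512WithRSA",
            "SHA256withRSAandMGF1", "SHA384withRSAandMGF1", "SHA512withRSAandMGF1",
            "RSASSA-PSS");

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java DiagnosePkcs11Signatures <sunpkcs11.cfg>");
            System.exit(2);
        }
        // The config file is the usual SunPKCS11 format; the path and slot are assumptions:
        //   name = utimaco-fips
        //   library = /opt/utimaco/lib/libcs_pkcs11_R2.so
        //   slot = 2
        Provider p = Security.getProvider("SunPKCS11").configure(args[0]);
        System.out.println("Provider: " + p.getName() + " version " + p.getVersionStr());

        // 1. Everything this provider registers under the Signature service type.
        //    If no PSS-style name appears here, EJBCA cannot use the PSS mechanisms
        //    the HSM exposes in FIPS mode, whatever the attribute file says.
        TreeSet<String> available = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (Provider.Service s : p.getServices()) {
            if ("Signature".equals(s.getType())) {
                available.add(s.getAlgorithm());
            }
        }
        System.out.println("Signature algorithms exposed for this slot:");
        available.forEach(a -> System.out.println("  " + a));

        // 2. Resolve each name EJBCA tried. MISSING corresponds to the
        //    "cannot create signer: no such algorithm" lines; OK only means the name
        //    resolves, a mechanism disabled by FIPS mode still fails at signing time
        //    (the "Initialization failed" lines).
        for (String alg : CANDIDATES) {
            try {
                Signature.getInstance(alg, p);
                System.out.println("OK      " + alg);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("MISSING " + alg);
            }
        }
    }
}
```

    Compare the list from step 1 with the three CKM_*_RSA_PKCS_PSS mechanisms the HSM reports in FIPS mode; the JDK version in use decides which PSS names, if any, the SunPKCS11 provider registers.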

