[Ejbca-develop] Key recovery with force local key generation doesn't work in EJBCA Community Edition
From: Moser B. <B....@co...> - 2021-11-12 14:01:59
Dear community users,

We are struggling with the Key Recovery bug found in EJBCA Community Edition v6.10.1.2. We enabled "Force local key generation" in "System Configuration -> Basic Configuration". We created an extra Crypto Token with an RSA key pair, because our CAs use ECC key pairs, which cannot be used for key encryption. We added a new EE user with "Key Recovery" enabled.

1) When we try to enroll the user on RA Web with username and code we see a NullPointerException. In the server logs we find an AuthorizationDeniedException and the NullPointerException.

2021-11-12 10:53:28,809 DEBUG [org.ejbca.core.model.era.RaMasterApiProxyBean] (default task-31) Creating locally stored key pair for end entity 'keyrecovery-test-user'
2021-11-12 10:53:28,810 ERROR [org.jboss.as.ejb3.invocation] (default task-31) WFLYEJB0034: EJB Invocation failed on component RaMasterApiProxyBean for method public abstract byte[] org.ejbca.core.model.era.RaMasterApi.generateKeyStore(org.cesecore.authentication.tokens.AuthenticationToken,org.cesecore.certificates.endentity.EndEntityInformation) throws org.cesecore.authorization.AuthorizationDeniedException,org.ejbca.core.EjbcaException: javax.ejb.EJBException: java.lang.NullPointerException

2) When we try to enroll the user on Public Web with username and code we see that a key store has been created. In the server logs we find a NoSuchAlgorithmException: "Cannot find any provider supporting 1.2.840.10045.2.1". This is caused by selecting the wrong Crypto Token from Test Issuing CA, which only supports an ECC signKey.

2021-11-11 21:43:23,521 DEBUG [org.ejbca.core.ejb.ra.KeyStoreCreateSessionBean] (default task-2) Saving generated keys for recovery for user: keyrecovery-test-user
2021-11-11 21:43:23,521 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-2) 2021-11-11 21:43:23+01:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;172.31.31.132;;;;resource0=/ca/2073369223
2021-11-11 21:43:23,528 DEBUG [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (default task-2) Extended service with request class 'org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAServiceRequest' called for CA ' Test Issuing CA'
2021-11-11 21:43:23,528 DEBUG [org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAService] (default task-2) Encrypting using alias 'signKey' from crypto token 1955349239
2021-11-11 21:43:23,530 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-2) 2021-11-11 21:43:23+01:00;KEYRECOVERY_ADDDATA;FAILURE;KEYRECOVERY;EJBCA;172.31.31.132;2073369223;5C9F72ACC846D322;keyrecovery-test-useryyyy;msg=Error when trying to add keyrecovery data for certificate with serial number 5c9f72acc846d322, issuer CN=commend-test-issuing-ca,OU=IMS,O=Commend International.
2021-11-11 21:43:23,534 ERROR [org.ejbca.core.ejb.keyrecovery.KeyRecoverySessionBean] (default task-2) Error when trying to add keyrecovery data for certificate with serial number 5c9f72acc846d322, issuer CN=commend-test-issuing-ca,OU=IMS,O=Commend International.: org.cesecore.certificates.ca.extendedservices.IllegalExtendedCAServiceRequestException: java.lang.IllegalStateException: Failed to encrypt keys: exception wrapping content key: cannot create cipher: Cannot find any provider supporting 1.2.840.10045.2.1
        at org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAService.extendedService(KeyRecoveryCAService.java:126)
        at org.cesecore.certificates.ca.CA.extendedService(CA.java:1133)
        at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.extendedService(CAAdminSessionBean.java:3260)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        --
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting 1.2.840.10045.2.1
        at javax.crypto.Cipher.getInstance(Cipher.java:539)
        at org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createCipher(Unknown Source)
        ... 257 more

Use Case: We need to enable key recovery for ECC signing certificates that are used for secure boot on long-running embedded devices. The keyEncryptKey is immutable on existing CAs, hence we enabled "Force local key generation" with a new Crypto Token.

This seems to be two bugs, which were neither raised nor fixed until now:
ad 1) RA Web cannot be used to enroll a user with key recovery enabled
ad 2) Public Web always uses the CA Crypto Token to enroll a user with key recovery enabled

Your feedback is appreciated, and with best regards,

Benjamin Moser
Lead Security Architect and OSS Officer
Commend International GmbH
5020 Salzburg, Saalachstrasse 51
T +43-662-85 62 25  F +43-662-85 62 26
b....@co...  www.commend.com
Security and Communication by Commend
FN 178618z / LG Salzburg
From: Tomas G. <tom...@pr...> - 2021-11-15 09:17:11
Hi,

There is probably a misunderstanding of what the option "Force local key generation" means. This is an option that is solely used when you have an External RA connected over Peers with the CA. This enables you to have a central CA, but an RA that is local to another organization (or department), and forces key generation to happen, and recovery data to be stored, locally on the RA. Say, for extra secretive departments that don't want the CA to keep their keys.

The External RA using Peers is an "Enterprise only" feature and thus not available. The option should have been hidden in Community; this was an oversight. I created this issue: https://jira.primekey.se/browse/ECA-10401

Just run key recovery without the option enabled and it should work as expected, with key recovery data stored in, and recoverable from, the CA.

Regards,
Tomas
From: Moser B. <B....@co...> - 2021-11-15 15:04:07
Hi Tomas,

Thank you for the clarification and for the bug report. Anyway, the option "force local key generation" will not work for us, because our existing productive CA has ECC keys for signing and the defaultKey has not been defined. This is why we wanted to use another Crypto Token with a new RSA key for key recovery. If I understand your response correctly, then there is no solution for our problem. Right?

With best regards,

Benjamin Moser
Lead Security Architect and OSS Officer
Commend International GmbH
5020 Salzburg, Saalachstrasse 51
T +43-662-85 62 25  F +43-662-85 62 26
b....@co...  www.commend.com
Security and Communication by Commend
FN 178618z / LG Salzburg
From: Tomas G. <tom...@pr...> - 2021-11-15 14:54:00
Correct, you can't specify a separate crypto token for that. What you can easily do is to generate an RSA key in your CA's crypto token and configure the keyEncrypt key in the CA. The keyEncrypt key will then be used to encrypt key recovery data. Setting the keyEncrypt key is not possible in the Web UI after CA creation, I know that, but there is a CLI command specifically for this.

Cheers,
Tomas
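The stack trace in the first message and Tomas's answer make the same point from two sides: key recovery data is encrypted by wrapping a content key with the configured key-encryption key, and the OID in the exception, 1.2.840.10045.2.1 (id-ecPublicKey), names a key type that no JCE provider offers as a cipher, so an ECC signKey can never play that role; an RSA keyEncrypt key can. The following is an added example, not EJBCA code, that reads the algorithm OID out of a DER SubjectPublicKeyInfo (the form in which a crypto token's public key is normally exported) and reports whether the key is a candidate for the keyEncrypt role before any enrollment is attempted. The rule "only rsaEncryption keys are key-transport capable" is this example's own encoding of the thread's advice, not an EJBCA API, and the two sample keys are constructed DER with real algorithm OIDs but dummy key bodies; it uses only the Python standard library.

```python
"""Classify a public key by its SubjectPublicKeyInfo algorithm OID.

Added example (not EJBCA code). The log in the thread fails with
"Cannot find any provider supporting 1.2.840.10045.2.1" because the
key-recovery service tried to build a cipher from the CA signKey's
algorithm OID; id-ecPublicKey is not a cipher. This script flags that
mismatch up front. Standard library only.
"""

OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",   # the OID from the EJBCA log
    "1.3.101.112": "Ed25519",
}
# This example's rule, following the thread: only an RSA key can wrap a
# content key by key transport and so serve as the keyEncrypt key.
KEY_TRANSPORT_CAPABLE = {"1.2.840.113549.1.1.1"}


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def spki_algorithm_oid(spki: bytes) -> str:
    """Return the algorithm OID of a DER SubjectPublicKeyInfo.

    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm        SEQUENCE { OBJECT IDENTIFIER, parameters },
        subjectPublicKey BIT STRING }
    """
    tag, outer, _ = _read_tlv(spki, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    tag, alg_id, _ = _read_tlv(outer, 0)
    assert tag == 0x30, "expected AlgorithmIdentifier SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)


def check_key_encrypt_candidate(spki: bytes) -> dict:
    """Report whether this key could be configured as a keyEncrypt key."""
    oid = spki_algorithm_oid(spki)
    return {
        "oid": oid,
        "name": OID_NAMES.get(oid, "unknown"),
        "usable_for_key_encrypt": oid in KEY_TRANSPORT_CAPABLE,
    }


# --- constructed sample inputs: real OIDs, zero-filled key bodies ----------
def _tlv(tag: int, body: bytes) -> bytes:
    """Encode a DER TLV, using long-form length where needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into base-128 content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


# RSA: AlgorithmIdentifier { rsaEncryption, NULL }, 270-byte dummy BIT STRING
SAMPLE_RSA_SPKI = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.1")) + b"\x05\x00")
    + _tlv(0x03, b"\x00" * 270))
# EC: AlgorithmIdentifier { id-ecPublicKey, prime256v1 }, dummy uncompressed point
SAMPLE_EC_SPKI = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.10045.2.1"))
         + _tlv(0x06, _encode_oid("1.2.840.10045.3.1.7")))
    + _tlv(0x03, b"\x00\x04" + b"\x00" * 64))

if __name__ == "__main__":
    for label, spki in (("RSA key", SAMPLE_RSA_SPKI), ("ECC signKey", SAMPLE_EC_SPKI)):
        print(label, check_key_encrypt_candidate(spki))
```

Feed `spki_algorithm_oid` the DER bytes of a crypto-token public key (for instance the output of `openssl pkey -pubout -outform DER`) to see which of the two cases a CA's keys fall into; an `id-ecPublicKey` result for every key in the token is exactly the situation Tomas describes, where an RSA key must be added to the CA's token and named as the keyEncrypt key before key recovery can store anything.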