From: Jean-Luc C. <jea...@bu...> - 2013-04-04 14:06:15
Hi,

We have performed integration tests between EJBCA 4.0.14 and a PKCS#11 provider. We noticed the following behavior:

When a user key is recovered, an AES key is created in the PKCS#11 token with the following attributes:

CKA_TOKEN: 01
CKA_CLASS: 04000000
CKA_KEY_TYPE: 1F000000
CKA_VALUE length=32

This key is used to decrypt the user key. The key is not deleted afterwards and remains in the PKCS#11 Token with no CKA_LABEL and no CKA_ID. This generates a problem with the clientToolBox when it checks the content of the key store.

The questions are:
- Why is this key created as a token key?
- Is there a way to configure key recovery to avoid the creation of this key?

Thanks.
Jean-Luc Chardon
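
Decoding the attribute values quoted in the message above, and checking a token inventory for the same pattern (a persistent secret key with no CKA_LABEL and no CKA_ID). This is an added example, not part of the original post or of EJBCA; it assumes CK_ULONG values are printed as 4-byte little-endian hex, and the object dump and function names are constructed for illustration.

```python
# Added example: decode PKCS#11 attribute dumps and flag orphaned token keys.
# Assumption: CK_ULONG values are printed as little-endian hex, as in the post.

# Object class and key type constants from the PKCS#11 specification.
CKO = {0: "CKO_DATA", 1: "CKO_CERTIFICATE", 2: "CKO_PUBLIC_KEY",
       3: "CKO_PRIVATE_KEY", 4: "CKO_SECRET_KEY"}
CKK = {0x00: "CKK_RSA", 0x03: "CKK_EC", 0x10: "CKK_GENERIC_SECRET",
       0x15: "CKK_DES3", 0x1F: "CKK_AES"}


def ck_ulong(hex_value):
    """Decode a little-endian value printed as hex (e.g. '04000000' -> 4)."""
    return int.from_bytes(bytes.fromhex(hex_value), "little")


def decode(obj):
    """Turn a raw attribute dict into readable fields."""
    cls = ck_ulong(obj["CKA_CLASS"])
    ktype = ck_ulong(obj["CKA_KEY_TYPE"]) if "CKA_KEY_TYPE" in obj else None
    return {
        "class": CKO.get(cls, hex(cls)),
        "key_type": CKK.get(ktype, hex(ktype)) if ktype is not None else None,
        # CKA_TOKEN is a CK_BBOOL: non-zero means the object persists on the
        # token; zero means a session object that goes away with the session.
        "persistent": ck_ulong(obj.get("CKA_TOKEN", "00")) != 0,
        "label": obj.get("CKA_LABEL") or None,
        "id": obj.get("CKA_ID") or None,
    }


def orphaned_secret_keys(objects):
    """Return decoded persistent secret keys that have neither label nor ID."""
    decoded = (decode(obj) for obj in objects)
    return [d for d in decoded
            if d["class"] == "CKO_SECRET_KEY" and d["persistent"]
            and d["label"] is None and d["id"] is None]


# Constructed sample dump: the first entry mirrors the attributes in the post;
# the other two are made-up objects for contrast (labelled key, session key).
SAMPLE = [
    {"CKA_TOKEN": "01", "CKA_CLASS": "04000000", "CKA_KEY_TYPE": "1F000000"},
    {"CKA_TOKEN": "01", "CKA_CLASS": "03000000", "CKA_KEY_TYPE": "00000000",
     "CKA_LABEL": "signKey", "CKA_ID": "01"},
    {"CKA_TOKEN": "00", "CKA_CLASS": "04000000", "CKA_KEY_TYPE": "1F000000"},
]

if __name__ == "__main__":
    for key in orphaned_secret_keys(SAMPLE):
        print("orphaned persistent key:", key)
```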