Menu
▾
▴
Re: [Ejbca-develop] Creation of a Token AES key when recovering a user key
|
From: Tomas G. <to...@pr...> - 2013-04-04 14:13:33
|
This is something that was fixed in EJBCA 5 some time ago. Due to differences in the underlying BC crypt library backporting to EJBCA 4 is not feasible (new version of BC needed to use different providers for signature and crypto operations). Cheers, Tomas ----- PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact in...@pr... for more information. http://www.primekey.se/Services/Support/ http://www.primekey.se/Services/Training/ On 04/04/2013 04:05 PM, Jean-Luc Chardon wrote: > Hi, > > We have performed integration tests between EJBCA 4.0.14 and a PKCS#11 > provider. We noticed the following behavior: > > When a user key is recovered, an AES key is created in the PKCS#11 token > with the following attributes: > > CKA_TOKEN: 01 > > CKA_CLASS: 04000000 > > CKA_KEY_TYPE: 1F000000 > > CKA_VALUE length=32 > > This key is used to decrypt the user key. > > The key is not deleted afterwards and remains in the PKCS#11 Token with > no CKA_LABEL and no CKA_ID. > > This generates a problem with the clientToolBox when it checks the > content of the key store. > > The questions are: > > -Why is this key created as a token key? > > -Is there a way to configure key recovery to avoid the creation of this key? > > Thanks. > > Jean-Luc Chardon > > > > ------------------------------------------------------------------------------ > Minimize network downtime and maximize team effectiveness. > Reduce network management and security costs.Learn how to hire > the most talented Cisco Certified professionals. Visit the > Employer Resources Portal > http://www.cisco.com/web/learning/employer_resources/index.html > > > > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > |
