From: Tomas G. <to...@pr...> - 2019-08-30 08:52:26
Hi,

This seems to be a common bug specific to CentOS. You'll find many references (with other applications), for example:
https://github.com/oracle/graal/issues/951

Perhaps editing the java.security file and removing SunEC helps? As suggested in the link above.

I'm not able to help as I don't have a CentOS connected with an HSM, but I'd say it's a bug in CentOS, which probably does not happen on RHEL (or Ubuntu which I am running in development).

Regards,
Tomas

On 2019-08-29 18:47, John Kemp wrote:
> Thanks Tomas,
>
> I am running CentOS 7.6. I did a yum update, which did update Java
> packages, but still have the same error after a reboot + restart of EJBCA.
>
> How can I update NSS packages outside of yum, or what other packages
> should I be looking at?
>
> - johnk
>
> On 8/28/19 2:07 AM, Tomas Gustavsson wrote:
>>
>> Hi,
>>
>> This error:
>> "java.lang.RuntimeException: Cannot load SunEC provider"
>>
>> indicates an issue with the JDK installation. We've had reports of
>> it before. We've seen it depend on non-updated NSS libraries on
>> RHEL/CentOS.
>> See here for example:
>> https://jira.primekey.se/browse/ECA-5701
>>
>> The solution is to upgrade all libraries in your system. Which CentOS
>> are you running? The latest should be fine.
>>
>> Regards,
>> Tomas
>>
>>
>> On 2019-08-28 01:10, John Kemp wrote:
>>> Hi,
>>>
>>> I am trying to create a P-256 EC key on my HSM using the
>>> PKCS11HSMKeyTool, and this fails, although RSA keys are just fine. Any
>>> hint on configuration here?
>>>
>>> EJBCA 6.15.2.1, OpenJDK 1.8.0.212, Safenet Luna 6 HSM running on
>>> CentOS 7.
>>>
>>> - johnk
>>>
>>> [johnk@foo clientToolBox]$ dzdo ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/safenet/lunaclient/lib/libshim.so secp256r1 ecTEST 1
>>>
>>> Using Slot Reference Type: Slot Number.
>>> PKCS11 Token [SunPKCS11-libshim.so-slot1] Password:
>>> Command could not be executed. See log for stack trace.
>>> 2019-08-27 20:34:58,988 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/safenet/lunaclient/lib/libshim.so secp256r1 ecdsaTEST 1' could not be executed.
>>>
>>> java.lang.RuntimeException: Cannot load SunEC provider
>>>     at sun.security.pkcs11.P11ECKeyFactory.getSunECProvider(P11ECKeyFactory.java:55)
>>>     at sun.security.pkcs11.P11ECKeyFactory.getECParameterSpec(P11ECKeyFactory.java:71)
>>>     at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:154)
>>>     at sun.security.pkcs11.P11KeyPairGenerator.<init>(P11KeyPairGenerator.java:140)
>>>     at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1004)
>>>     at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:981)
>>>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>>>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
>>>     at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:279)
>>>     at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:409)
>>>     at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:250)
>>>     at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:350)
>>>     at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:243)
>>>     at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:723)
>>>     at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
>>>     at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:67)
>>>
>>>
>>> _______________________________________________
>>> Ejbca-develop mailing list
>>> Ejb...@li...
>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
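
A diagnostic for the error discussed in this thread, as an added example that is not part of any message above and is not EJBCA or JDK code: it reports whether the JVM has the SunEC provider registered and whether that provider can generate a secp256r1 key pair in software, without touching the HSM. The class name SunEcCheck is hypothetical, and it assumes you compile and run it with the same JDK installation that the failing tool runs on.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

// Added diagnostic (hypothetical class name); not EJBCA or JDK code.
public class SunEcCheck {

    // Returns null when SunEC works, otherwise a description of what failed.
    static String probeSunEc() {
        Provider sunEc = Security.getProvider("SunEC");
        if (sunEc == null) {
            return "SunEC is not registered (check security.provider.N in java.security)";
        }
        try {
            // Registration alone proves little: make the provider do real EC work.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", sunEc);
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            kpg.generateKeyPair();
            return null;
        } catch (Throwable t) {
            // Throwable on purpose: a native library that fails to load surfaces
            // as an Error (e.g. UnsatisfiedLinkError), not an Exception.
            return "SunEC is registered but unusable: " + t;
        }
    }

    public static void main(String[] args) {
        // Confirms which JDK installation is actually being exercised.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Providers in preference order, as the JVM loaded them.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            boolean ec = providers[i].getService("KeyPairGenerator", "EC") != null;
            System.out.printf("%2d  %-28s %s%n", i + 1, providers[i].getName(),
                    ec ? "offers KeyPairGenerator.EC" : "");
        }

        String failure = probeSunEc();
        if (failure == null) {
            System.out.println("OK: SunEC generated a secp256r1 key pair");
        } else {
            System.out.println("FAIL: " + failure);
            System.exit(1);
        }
    }
}
```

A non-zero exit with "not registered" points at the java.security provider list; "registered but unusable" points at the JDK or system libraries underneath it.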