From: John K. <sta...@gm...> - 2019-08-30 19:28:45

Thank you very much for researching this, Tomas.

1. We cannot remove SunEC from the java.security file since it is hardcoded in the SunPKCS11 provider that it MUST call SunEC (I checked in the OpenJDK code) - so unless there's a way to avoid the SunPKCS11 provider and still use our PKCS11 lib, I can't see how to do this.

2. I see the native libsunec.so file in both my Centos installation (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/amd64/libsunec.so) and my Ubuntu laptop (/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/libsunec.so). I have tried explicitly adding the native lib location to both LD_LIBRARY_PATH and (in the clientToolBox sh file) the -Djava.library.path and this does not work. Note also that I don't see the warning that the native lib could not be loaded in any of my log files.

I could set up my Ubuntu-based dev laptop to connect to the HSM, but right now, I have no good evidence that doing so would fix this issue.

- johnk

On 8/30/19 4:52 AM, Tomas Gustavsson wrote:
>
> Hi,
>
> This seems to be a common bug specific to CentOS. You'll find many
> references (with other applications), for example:
> https://github.com/oracle/graal/issues/951
>
> Perhaps editing the java.security file and removing SunEC helps? As
> suggested in the link above.
>
> I'm not able to help as I don't have a CentOS connected with an HSM, but
> I'd say it's a bug in CentOS, which probably does not happen on RHEL (or
> Ubuntu which I am running in development).
>
> Regards,
> Tomas
>
> On 2019-08-29 18:47, John Kemp wrote:
>> Thanks Tomas,
>>
>> I am running Centos 7.6. I did a yum update, which did update Java
>> packages, but still have the same error after a reboot + restart of EJBCA.
>>
>> How can I update NSS packages outside of yum, or what other packages
>> should I be looking at?
>>
>> - johnk
>>
>> On 8/28/19 2:07 AM, Tomas Gustavsson wrote:
>>>
>>> Hi,
>>>
>>> This error:
>>> "java.lang.RuntimeException: Cannot load SunEC provider"
>>>
>>> indicates an error with the JDK installation. We've had reports of
>>> it before; we've seen it depend on non-updated NSS libraries on
>>> RHEL/CentOS.
>>> See here for example:
>>> https://jira.primekey.se/browse/ECA-5701
>>>
>>> The solution is to upgrade all libraries in your system. Which CentOS
>>> are you running? The latest should be fine.
>>>
>>> Regards,
>>> Tomas
>>>
>>>
>>> On 2019-08-28 01:10, John Kemp wrote:
>>>> Hi,
>>>>
>>>> I am trying to create a P-256 EC key on my HSM using the
>>>> PKCS11HSMKeyTool, and this fails, although RSA keys are just fine. Any
>>>> hint on configuration here?
>>>>
>>>> EJBCA 6.15.2.1, OpenJDK 1.8.0.212, Safenet Luna 6 HSM running on
>>>> Centos 7.
>>>>
>>>> - johnk
>>>>
>>>> [johnk@foo clientToolBox]$ dzdo ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/safenet/lunaclient/lib/libshim.so secp256r1 ecTEST 1
>>>>
>>>> Using Slot Reference Type: Slot Number.
>>>> PKCS11 Token [SunPKCS11-libshim.so-slot1] Password:
>>>> Command could not be executed. See log for stack trace.
>>>> 2019-08-27 20:34:58,988 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/safenet/lunaclient/lib/libshim.so secp256r1 ecdsaTEST 1' could not be executed.
>>>>
>>>> java.lang.RuntimeException: Cannot load SunEC provider
>>>> at sun.security.pkcs11.P11ECKeyFactory.getSunECProvider(P11ECKeyFactory.java:55)
>>>> at sun.security.pkcs11.P11ECKeyFactory.getECParameterSpec(P11ECKeyFactory.java:71)
>>>> at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:154)
>>>> at sun.security.pkcs11.P11KeyPairGenerator.<init>(P11KeyPairGenerator.java:140)
>>>> at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1004)
>>>> at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:981)
>>>> at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>>>> at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
>>>> at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:279)
>>>> at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:409)
>>>> at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:250)
>>>> at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:350)
>>>> at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:243)
>>>> at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:723)
>>>> at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
>>>> at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:67)
>>>>
>>>>
>>>> _______________________________________________
>>>> Ejbca-develop mailing list
>>>> Ejb...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
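The thread never separates the two possible causes: either the SunEC provider is not in the JCA provider list at all (which is exactly the condition under which SunPKCS11's P11ECKeyFactory throws "Cannot load SunEC provider"), or it is registered but its native libsunec.so failed to load. The following stand-alone diagnostic, added here as an example and not part of the thread or of EJBCA, checks both conditions without involving any PKCS#11 provider, so it isolates the JDK from the HSM. It assumes OpenJDK 8, where (to my understanding of the SunEC provider's entries) the EC KeyPairGenerator is only registered when the native library loaded; the class name SunEcCheck is mine. Running it with -Djava.security.debug=jca makes the JDK print why a configured provider could not be instantiated, which is the information missing from the EJBCA log.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

/**
 * Added diagnostic (hypothetical class, not EJBCA code): does this JDK register
 * SunEC, and can SunEC generate a P-256 key on its own, without SunPKCS11?
 *
 * Usage:  javac SunEcCheck.java && java -Djava.security.debug=jca SunEcCheck
 */
public class SunEcCheck {

    /** True when a provider named "SunEC" is in the JCA provider list (java.security). */
    static boolean sunEcRegistered() {
        return Security.getProvider("SunEC") != null;
    }

    /**
     * Generates a software P-256 key pair using SunEC only.
     * On OpenJDK 8 a NoSuchAlgorithmException here, with SunEC registered,
     * means the provider loaded but libsunec.so did not (assumption about JDK 8).
     */
    static KeyPair generateP256WithSunEc() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "SunEC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Where the JDK looks for native libraries; libsunec.so normally lives under java.home.
        System.out.println("java.home         = " + System.getProperty("java.home"));
        System.out.println("java.library.path = " + System.getProperty("java.library.path"));

        System.out.println("Registered providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion());
        }

        if (!sunEcRegistered()) {
            // This is the state in which SunPKCS11 throws "Cannot load SunEC provider".
            System.out.println("SunEC is NOT registered. Check the security.provider.N lines in");
            System.out.println(System.getProperty("java.home") + "/lib/security/java.security");
            System.out.println("and re-run with -Djava.security.debug=jca to see the load failure.");
            return;
        }

        try {
            KeyPair kp = generateP256WithSunEc();
            System.out.println("SunEC generated a P-256 key pair: "
                    + kp.getPublic().getAlgorithm() + " / " + kp.getPublic().getFormat());
            System.out.println("The JDK is fine; look at the PKCS#11 configuration next.");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("SunEC is registered but has no EC KeyPairGenerator: "
                    + e.getMessage());
            System.out.println("Most likely libsunec.so failed to load (e.g. missing/old NSS"
                    + " libraries); check its shared-library dependencies.");
        }
    }
}
```

If this program reports that SunEC is missing, the fix belongs in the JDK installation or java.security, not in EJBCA; if it generates the key, the JDK and NSS are healthy and the PKCS#11 setup is the next thing to look at.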