Re: [Ejbca-develop] Key recovery with force local key generation doesn't work in EJBCA Community Ed

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

There is probably a misunderstanding of what the option "Force local key generation" means. This is an option that is solely used for when you have an External RA connected over Peers with the CA. This enables you to have a central CA, but a RA that is local to another organization (or department) and forcing key generation to happen, and recovery data to be stored, locally on the RA. Say for extra secretive departments that don't want the CA to keep their keys. the External RA using Peers is an "Enterprise only" feature and thus not available. The option should have been hidden in Community, this was an oversight.
I created this issue: https://jira.primekey.se/browse/ECA-10401

Just run key recovery without the option enabled and it should work as expected, with key recovery data stored in, and recoverable from, the CA.

Regards,
Tomas
________________________________
From: Moser Benjamin <B....@co...>
Sent: Friday, November 12, 2021 12:28 PM
To: ejb...@li... <ejb...@li...>
Subject: [Ejbca-develop] Key recovery with force local key generation doesn't work in EJBCA Community Edition

CAUTION: External Sender - Be cautious when clicking links or opening attachments. Please email In...@ke... with any questions.

Dear community users,

We are struggling with the Key Recovery bug found in EJBCA Community Edition v6.10.1.2. We enabled "Force local key generation" in the "System Configuration -> Basic Configuration".
We created an extra Crypto Token with a RSA key pair, because our CAs use ECC key pairs which cannot be used for key encryption. We add a new EE user with "Key Recovery" enabled.

1) When we try to enroll the user on RA Web with username and code we see a NullPointerException.
In the server logs we find an AuthorizationDeniedException and the NullPointerException.

2021-11-12 10:53:28,809 DEBUG [org.ejbca.core.model.era.RaMasterApiProxyBean] (default task-31) Creating locally stored key pair for end entity 'keyrecovery-test-user'
2021-11-12 10:53:28,810 ERROR [org.jboss.as.ejb3.invocation] (default task-31) WFLYEJB0034: EJB Invocation failed on component RaMasterApiProxyBean for method public abstract byte[] org.ejbca.core.model.era.RaMasterApi.generateKeyStore(org.cesecore.authentication.tokens.AuthenticationToken,org.cesecore.certificates.endentity.EndEntityInformation) throws org.cesecore.authorization.AuthorizationDeniedException,org.ejbca.core.EjbcaException: javax.ejb.EJBException: java.lang.NullPointerException

2) When we try to enroll the user on Public Web with username and code we see that a key stores has been created.
In the server logs we find an NoSuchAlgorithmException and cannot find provider supporting 1.2.840.10045.2.1.
This is caused by selecting the wrong Crypto Token from Test issuing CA that only supports an ECC signkey.

2021-11-11 21:43:23,521 DEBUG [org.ejbca.core.ejb.ra.KeyStoreCreateSessionBean] (default task-2) Saving generated keys for recovery for user: keyrecovery-test-user
2021-11-11 21:43:23,521 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-2) 2021-11-11 21:43:23+01:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;172.31.31.132;;;;resource0=/ca/2073369223
2021-11-11 21:43:23,528 DEBUG [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (default task-2) Extended service with request class 'org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAServiceRequest' called for CA ' Test Issuing CA'

2021-11-11 21:43:23,528 DEBUG [org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAService] (default task-2) Encrypting using alias 'signKey' from crypto token 1955349239
2021-11-11 21:43:23,530 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-2) 2021-11-11 21:43:23+01:00;KEYRECOVERY_ADDDATA;FAILURE;KEYRECOVERY;EJBCA;172.31.31.132;2073369223;5C9F72ACC846D322;keyrecovery-test-useryyyy;msg=Error when trying to add keyrecovery data for certificate with serial number 5c9f72acc846d322, issuer CN=commend-test-issuing-ca,OU=IMS,O=Commend International.
2021-11-11 21:43:23,534 ERROR [org.ejbca.core.ejb.keyrecovery.KeyRecoverySessionBean] (default task-2) Error when trying to add keyrecovery data for certificate with serial number 5c9f72acc846d322, issuer CN=commend-test-issuing-ca,OU=IMS,O=Commend International.: org.cesecore.certificates.ca.extendedservices.IllegalExtendedCAServiceRequestException: java.lang.IllegalStateException: Failed to encrypt keys: exception wrapping content key: cannot create cipher: Cannot find any provider supporting 1.2.840.10045.2.1
        at org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAService.extendedService(KeyRecoveryCAService.java:126)
        at org.cesecore.certificates.ca.CA.extendedService(CA.java:1133)
        at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.extendedService(CAAdminSessionBean.java:3260)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
--
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting 1.2.840.10045.2.1
        at javax.crypto.Cipher.getInstance(Cipher.java:539)
        at org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createCipher(Unknown Source)
        ... 257 more

Use Case: We need to enable key recovery for ECC signing certificates that are used for secure boot on long-running embedded devices. The keyEncryptKey is immutable on existing CAs, hence we enabled the "Force local key generation" with a new Crypto Token.
This seems to be two bug, which were neither raised nor fixed until now:
ad 1) RA Web cannot be used to enroll a user with key recovery enabled
Ad 2) Public Web always uses CA Crypto Token to enroll a user with key recovery enabled

Your feed is appreciated and with best regards

Benjamin Moser
Lead Security Architect and OSS Officer

Commend International GmbH
5020 Salzburg, Saalachstrasse 51
T +43-662-85 62 25
F +43-662-85 62 26

b....@co...
https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.commend.com%2F&amp;data=04%7C01%7Ctomas.gustavsson%40primekey.com%7C877a191ce34f45494f1008d9a5e53284%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C637723226939382190%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=JHkBxj3sCboTlvP2UOIYo6y1iuY34dqOOipJ8fWDgEs%3D&amp;reserved=0

Security and Communication by Commend

FN 178618z / LG Salzburg

_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fejbca-develop&amp;data=04%7C01%7Ctomas.gustavsson%40primekey.com%7C877a191ce34f45494f1008d9a5e53284%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C637723226939382190%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=ZMiBEjl7vp6MliCb9kVwIxcNRwlGVtiajOohf3tG%2Beo%3D&amp;reserved=0

Re: [Ejbca-develop] Key recovery with force local key generation doesn't work in EJBCA Community Ed

Re: [Ejbca-develop] Key recovery with force local key generation doesn't work in EJBCA Community Edition