SignServer 3.2 with LunaSA

2011-07-07
2013-02-26
  • Massimiliano Ziccardi

    Hi all.
    I'm having a problem making SignServer 3.2 work with LunaSA.

    In the first instance, I created the keys using the LunaSA cmu command and imported the TSS certificate into my HSM (using cmu).
    This way I noticed that SignServer could not find the keys…
    To understand what was happening, I configured KeyTool to use the LunaSA as the keystore and, indeed, while cmu was able to see the keys/certificate, keytool said the keystore was empty.

    I tried then to create the keys using keytool with the following command:

    keytool -keystore NONE -storetype PKCS11 -genkeypair -alias LUGLIO2011 -keyalg RSA -keysize 2048 -dname "c=it,o=myorg,cn=myCommonName" -storepass mypassword
    

    but without luck: I always get a

    sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT
    

    error…

    Looking through the documentation of SignServer, I found the generatekey command, so I tried:

    bin/signserver.sh generatekey 1 -alias LUG2011 defaultKey -keyalg RSA -keyspec 2048
    

    However, I keep getting the same error. The stack trace follows.
    Do you have any idea? Does SignServer work with LunaSA?

    0:35:34,199 ERROR [PKCS11CryptoToken] java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT
    java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT
        at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:305)
        at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:650)
        at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:256)
        at org.ejbca.util.keystore.KeyStoreContainerBase.generateRSA(KeyStoreContainerBase.java:175)
        at org.ejbca.util.keystore.KeyStoreContainerBase.generate(KeyStoreContainerBase.java:207)
        at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:185)
        at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:228)
        at org.signserver.ejb.WorkerSessionBean.generateSignerKey(WorkerSessionBean.java:920)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112)
        at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166)
        at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
        at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:62)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
        at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
        at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
        at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
        at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:809)
        at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:608)
        at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:406)
        at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:173)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT
        at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
        at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:296)
    
     
  • Markus Kilås

    Markus Kilås - 2011-07-07

    To use the generatekey command you might have to specify an attributesfile by setting the path to it as a worker property for worker 1:

    bin/signserver.sh setproperty 1 ATTRIBUTESFILE "/opt/signserver/p11attributes.cfg"
    bin/signserver.sh reload 1
    

    A sample attributes file is available in the manual:
    http://www.signserver.org/manual/complete.en.html#PKCS11CryptoToken

    Regards,
    Markus

     
  • Massimiliano Ziccardi

    Done, but no luck.

    Here is the props.cfg file:

    attributes(generate,*,*) = {
      CKA_TOKEN = true
    }
    attributes(generate,CKO_PUBLIC_KEY,*) = {
      CKA_ENCRYPT = true
      CKA_VERIFY = true
      CKA_WRAP = true
    }
    attributes(generate, CKO_PRIVATE_KEY,*) = {
      CKA_EXTRACTABLE = false
      CKA_DECRYPT = true
      CKA_SIGN = true
      CKA_UNWRAP = true
    }
    

    The commands I issued were:

    bin/signserver.sh setproperty 1 ATTRIBUTESFILE "/tmp/props.cfg"
    bin/signserver.sh reload 1
    bin/signserver.sh generatekey 1 -alias LUG2011 defaultKey -keyalg RSA -keyspec 2048
    

    But I got again the CKR_TEMPLATE_INCONSISTENT error.

    One more piece of info: I'm using LunaSA 4.1.
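As an added example (not from the original post and not SignServer's own code), the Python below parses the SunPKCS11 attributes-file syntax shown above and checks that the private-key template the HSM receives on generatekey keeps the key resident and non-extractable. The CKA_SENSITIVE check and the two sample files are assumptions of this example.

```python
import re
# Added example, not SignServer's or the poster's code: a parser for the
# SunPKCS11 attributes-file syntax that the ATTRIBUTESFILE worker property
# points at, plus a check that the 'generatekey' template keeps the private
# key inside the HSM. Both sample files below are constructed.
BLOCK_RE = re.compile(
    r"attributes\(\s*([\w*]+)\s*,\s*([\w*]+)\s*,\s*([\w*]+)\s*\)\s*=\s*\{([^}]*)\}")

def parse_attributes(text):
    """Map (operation, keytype, algorithm) -> {CKA_name: value}, in file order."""
    parsed = {}
    for op, ktype, alg, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments and blanks
            if "=" in line:
                name, value = (s.strip() for s in line.split("=", 1))
                attrs[name] = {"true": True, "false": False}.get(value.lower(), value)
        parsed[(op, ktype, alg)] = attrs
    return parsed

def private_key_template(parsed, alg="RSA"):
    """Merge every block that applies to a generated private key of this algorithm.
    Assumption of this example: matching entries combine, later entries override."""
    merged = {}
    for (op, ktype, a), attrs in parsed.items():
        if op in ("generate", "*") and ktype in ("CKO_PRIVATE_KEY", "*") and a in (alg, "*"):
            merged.update(attrs)
    return merged

# (attribute, required value, why it matters for a signing key held in an HSM)
POLICY = [("CKA_TOKEN", True, "key is session-only and lost on reconnect"),
          ("CKA_EXTRACTABLE", False, "private key could be wrapped out of the HSM"),
          ("CKA_SENSITIVE", True, "plaintext key value is readable")]
def check_private_key(parsed, alg="RSA"):
    """Findings for a template that lets the signing key leave, or vanish from, the HSM."""
    t = private_key_template(parsed, alg)
    return [f"{name} is not {want}: {why}" for name, want, why in POLICY if t.get(name) is not want]

WEAK = """attributes(generate,*,*) = { CKA_TOKEN = true }
attributes(generate,CKO_PRIVATE_KEY,*) = {
  CKA_EXTRACTABLE = true
  CKA_SIGN = true }"""
HARDENED = """attributes(generate,*,*) = { CKA_TOKEN = true }
attributes(generate,CKO_PRIVATE_KEY,*) = {
  # key never leaves the partition, not even wrapped
  CKA_EXTRACTABLE = false
  CKA_SENSITIVE = true
  CKA_SIGN = true }"""
```

Run check_private_key(parse_attributes(...)) against the file you are about to set as ATTRIBUTESFILE before issuing generatekey; an empty list means the private-key template is resident and non-extractable.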

     
  • Massimiliano Ziccardi

    If it can be useful, below is my worker configuration:

    bin/signserver.sh getconfig 1
    Assuming JBoss JNDI provider...
    ===========================================
      Executing Command on host : localhost
    ===========================================
    OBSERVE that this command displays the current configuration which
    doesn't have to be the same as the active configuration.
    Configurations are activated with the reload command. 
    The current configuration of worker with id : 1 is :
      ATTRIBUTESFILE=/tmp/props.cfg
      SIGNERCERTCHAIN=Subject: CN=TSTEST,O=Intesa S.p.A.,C=IT
    Issuer: CN=Intesa Technical CA,O=INTESA S.p.A.,C=IT
    Subject: CN=Intesa Technical CA,O=INTESA S.p.A.,C=IT
    Issuer: CN=Intesa Technical CA,O=INTESA S.p.A.,C=IT
      DEFAULTTSAPOLICYOID=1.2.3
      SLOT=1
      SIGNERCERT=Subject: CN=TSTEST,O=Intesa S.p.A.,C=IT
    Issuer: CN=Intesa Technical CA,O=INTESA S.p.A.,C=IT
      PIN=Intesa1.
      NAME=TimeStampSigner
      SHAREDLIBRARY=/usr/lunasa/lib/libCryptoki2.so
      AUTHTYPE=NOAUTH
      CLASSPATH=org.signserver.common.ProcessableConfig
      ACCEPTEDALGORITHMS=SHA1;SHA224;SHA256;SHA384;SHA512
      DEFAULTKEY=LUGLIO2011--cert0
     The current configuration use the following signer certificate : 
    DN : CN=TSTEST,O=Intesa S.p.A.,C=IT
    SerialNumber : 259be32f3077176b
    Issuer DN : CN=Intesa Technical CA,O=INTESA S.p.A.,C=IT
    Valid from :6-lug-2011
    Valid to : 5-lug-2013
    
     
  • Markus Kilås

    Markus Kilås - 2011-07-07

    If you already have keys generated in the partition that cannot be read by Java, then maybe you have to remove them first.

    Are you able to list the keys either using "bin/signserver.sh testkey 1 all" or using the EJBCA ClientToolbox HSMKeyTool?

    Regards,
    Markus

     
  • Massimiliano Ziccardi

    I removed the key before I tried the generatekey command: now the HSM is empty…

    I really have no idea what can be wrong…

     
  • Tomas Gustavsson

    After you set the attributesfile property, you need to restart JBoss.

    Cheers,
    Tomas

     
  • Massimiliano Ziccardi

    Thank you both a lot for your support!

    Now it works!

    Regards,
    Massimiliano

     
