From: Blum, J. <jon...@or...> - 2017-02-03 14:21:58
Hello all --

I'm able to generate RSA keys through the SignServer CLI, but I get "Cannot load SunEC provider" errors if I try to generate an ECDSA key. What should I check for in my setup? An example:

    [jon@localhost lib]$ bin/signserver generatekey CryptoTokenP11 -keyalg ECDSA -keyspec prime192v3 -alias 2017_06
    (...)
    Caused by: java.lang.RuntimeException: Cannot load SunEC provider
            at sun.security.pkcs11.P11ECKeyFactory.getSunECProvider(P11ECKeyFactory.java:55)
            at sun.security.pkcs11.P11ECKeyFactory.getECParameterSpec(P11ECKeyFactory.java:71)
            at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
            at sun.security.pkcs11.P11KeyPairGenerator.<init>(P11KeyPairGenerator.java:133)
            at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1014)
            at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:991)
            at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
            at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
            at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:279)
            at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:175)
            at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:320)
            at org.cesecore.keys.token.PKCS11CryptoToken.generateKeyPair(PKCS11CryptoToken.java:212)
            at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:515)
            at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:527)
            at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)

For the record, this is SignServer 3.7.0, under JDK 8, running on Wildfly 10, talking to a Luna SA HSM. The system's been functioning fine for months with RSA keys. I've tried generating ECDSA with a variety of different keyspecs.

I've checked that sunec.jar exists on my system, in /usr/java/latest/jre/lib/ext/sunec.jar; is it possible that SignServer could be running somehow without this in its path? Do I need to copy it locally into my Wildfly installation?

I've also confirmed that SunEC is in the provider list in java.security:

    security.provider.1=sun.security.provider.Sun
    security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/luna.cfg
    security.provider.3=sun.security.rsa.SunRsaSign
    security.provider.4=sun.security.ec.SunEC
    (etc)

Whatever the problem is, it appears to be P11CryptoToken-specific. If I try running with a P12CryptoToken, I get a different error, which indicates that it's apparently found the crypto provider it needs but not the named curve I'm looking for:

    [jon@localhost signserver]$ bin/signserver generatekey CryptoTokenP12 -keyalg ECDSA -keyspec P-224 -alias 2017_06
    (...)
    Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.132.0.33
            at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
            at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
            at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
            at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
            at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
            at org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.getCertificate(Unknown Source)
            at org.signserver.server.cryptotokens.CryptoTokenHelper.getSelfCertificate(CryptoTokenHelper.java:499)
            at org.signserver.server.cryptotokens.CryptoTokenHelper.createDummyCertificate(CryptoTokenHelper.java:471)
            at org.signserver.server.cryptotokens.KeystoreCryptoToken.generateKey(KeystoreCryptoToken.java:475)
            at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)

But that's a secondary issue; my actual solution has to use the CryptoTokenP11.

Any suggestions welcome!

Cheers,
Jon Blum
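The question above is essentially "which providers did the JVM that runs SignServer actually load, and can any of them set up an EC key pair generator for the curve I want?" The following stand-alone diagnostic is an added example, not part of the post and not SignServer or SunPKCS11 code. The class name and the list of curves to try are my own choices; it uses only standard JCA calls (`Security.getProviders`, `Provider.getService`, `KeyPairGenerator.getInstance`, `ECGenParameterSpec`) and the standard `java.home` / `java.ext.dirs` system properties, so it should be compiled and run with the same JDK binary and the same `java.security` file that the application server uses, otherwise it reports a different JVM's view.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;

/*
 * Added diagnostic (hypothetical class, not from SignServer or the JDK):
 * prints what this JVM loaded from java.security and which providers can
 * initialise an EC KeyPairGenerator for a few named curves.
 *
 *   javac EcProviderCheck.java
 *   java EcProviderCheck          # run as the same user / JDK as WildFly
 */
public class EcProviderCheck {

    // Constructed list of JCA standard curve names to probe.
    // secp224r1 is P-224, OID 1.3.132.0.33 (the OID in the P12 error).
    static final String[] CURVES = { "secp224r1", "secp256r1", "secp384r1" };

    /**
     * Returns the names of the loaded providers that can initialise an EC
     * KeyPairGenerator for the given curve. For a SunPKCS11 provider the
     * initialise step is where the curve name is translated via SunEC, so a
     * missing SunEC fails here, before any HSM login is attempted.
     */
    static List<String> providersSupporting(String curve) {
        List<String> ok = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") == null) {
                continue; // provider offers no EC key generation at all
            }
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
                kpg.initialize(new ECGenParameterSpec(curve));
                ok.add(p.getName());
            } catch (Exception e) {
                // Print the concrete cause: "Cannot load SunEC provider",
                // an unknown curve, a PKCS#11 mechanism error, and so on.
                System.out.println("FAIL " + curve + " via " + p.getName() + ": " + e);
            }
        }
        return ok;
    }

    public static void main(String[] args) {
        // 1. Is this the JDK and ext directory the post expects?
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("java.ext.dirs = " + System.getProperty("java.ext.dirs"));

        // 2. Which providers from java.security actually loaded, in order?
        //    SunEC absent here means sunec.jar was not found on the ext path,
        //    regardless of what java.security lists.
        System.out.println("SunEC loaded  = " + (Security.getProvider("SunEC") != null));
        for (Provider p : Security.getProviders()) {
            boolean ec = p.getService("KeyPairGenerator", "EC") != null;
            System.out.printf("  %-24s v%s  KeyPairGenerator.EC=%s%n",
                    p.getName(), p.getVersion(), ec);
        }

        // 3. Which of them can set up key generation for each curve?
        for (String curve : CURVES) {
            System.out.println("OK   " + curve + " via " + providersSupporting(curve));
        }
    }
}
```

If `SunEC loaded = false` while `java.security` lists it, compare `java.ext.dirs` with the directory that holds `sunec.jar`; a JVM started with a different `java.home` or an overridden ext path silently skips the provider. If `SunEC` loads but the SunPKCS11 provider still fails at initialise, the output pins the failure to the PKCS#11 side rather than to the provider list.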