From: Markus K. <ma...@pr...> - 2017-02-07 16:54:37

On 02/03/2017 02:52 PM, Blum, Jon wrote:
> Hello all --
>
> I'm able to generate RSA keys through the SignServer CLI, but I get
> "Cannot load SunEC provider" errors if I try to generate an ECDSA key.
> What should I check for in my setup?
>
> An example:
>
> [jon@localhost lib]$ bin/signserver generatekey CryptoTokenP11 -keyalg ECDSA -keyspec prime192v3 -alias 2017_06
> (...)
> Caused by: java.lang.RuntimeException: Cannot load SunEC provider
>     at sun.security.pkcs11.P11ECKeyFactory.getSunECProvider(P11ECKeyFactory.java:55)
>     at sun.security.pkcs11.P11ECKeyFactory.getECParameterSpec(P11ECKeyFactory.java:71)
>     at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
>     at sun.security.pkcs11.P11KeyPairGenerator.<init>(P11KeyPairGenerator.java:133)
>     at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1014)
>     at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:991)
>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
>     at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:279)
>     at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:175)
>     at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:320)
>     at org.cesecore.keys.token.PKCS11CryptoToken.generateKeyPair(PKCS11CryptoToken.java:212)
>     at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:515)
>     at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:527)
>     at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)
>
> For the record, this is SignServer 3.7.0, under JDK 8, running on
> Wildfly 10, talking to a Luna SA HSM. The system's been functioning
> fine for months with RSA keys.
>
> I've tried generating ECDSA with a variety of different keyspecs. I've
> checked that sunec.jar exists on my system, in
> /usr/java/latest/jre/lib/ext/sunec.jar; is it possible that SignServer
> could be running somehow without this in its path? Do I need to copy it
> locally into my Wildfly installation?
>
> I've also confirmed that SunEC is in the provider list in java.security:
> security.provider.1=sun.security.provider.Sun
> security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/luna.cfg
> security.provider.3=sun.security.rsa.SunRsaSign
> security.provider.4=sun.security.ec.SunEC
> (etc)
>
> Whatever the problem is, it appears to be P11CryptoToken-specific. If I
> try running with a P12CryptoToken, I get a different error, which
> indicates that it's apparently found the crypto provider it needs but
> not the named curve I'm looking for:
>
> [jon@localhost signserver]$ bin/signserver generatekey CryptoTokenP12 -keyalg ECDSA -keyspec P-224 -alias 2017_06
> (...)
> Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.132.0.33
>     at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
>     at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
>     at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
>     at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
>     at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
>     at org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.getCertificate(Unknown Source)
>     at org.signserver.server.cryptotokens.CryptoTokenHelper.getSelfCertificate(CryptoTokenHelper.java:499)
>     at org.signserver.server.cryptotokens.CryptoTokenHelper.createDummyCertificate(CryptoTokenHelper.java:471)
>     at org.signserver.server.cryptotokens.KeystoreCryptoToken.generateKey(KeystoreCryptoToken.java:475)
>     at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)
>
> But that's a secondary issue; my actual solution has to use the
> CryptoTokenP11.
>
> Any suggestions welcome!

Hi Jon,

I'm getting unknown curve when specifying prime192v3, but the SunEC issue
could be a different one.

What version of Java are you using?

$ java -version

Does it work if you specify the more common "P-256" curve?

Cheers,
Markus
PrimeKey Solutions

RSA(R) Conference 2017
----------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!
Want a free expo pass? Click https://www.rsaconference.com/events/us17/register and use the code: XE7PRMKEY
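The two failures in this thread come from different layers: the P11 trace dies inside SunPKCS11 because it cannot find the SunEC provider it needs to resolve curve parameters, while the P12 trace reaches SunEC but the requested curve name is not accepted. The following stand-alone Java program is an added diagnostic written for this thread; it is not part of SignServer, PrimeKey's code, or either poster's message. It reports the running JVM, whether the `SunEC` provider is registered and which code source its class loaded from, and then, for every installed provider that offers EC key generation (which includes a statically configured `SunPKCS11` entry such as the `luna.cfg` one in java.security), tries each of a constructed list of curve names and prints whether that provider accepts it. Running it with the same JRE that WildFly uses answers both of the questions raised above (is `sunec.jar` actually on the runtime's path, and which curve names does this Java version know) without going through the SignServer CLI.

```java
import java.security.CodeSource;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;

/**
 * Probe which EC named curves each installed JCA provider will generate keys on.
 * Added diagnostic for the SunEC / "Unknown named curve" discussion; not SignServer code.
 */
public class EcCurveCheck {

    // Constructed probe list: NIST aliases, SEC names and the X9.62 names from the thread.
    static final String[] CURVES = {
        "P-224", "secp224r1", "P-256", "secp256r1", "prime256v1", "P-384", "prime192v3"
    };

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // 1. Is SunEC registered at all, and from which jar/module did its class load?
        Provider sunEc = Security.getProvider("SunEC");
        System.out.println("SunEC provider: " + (sunEc == null ? "NOT installed" : sunEc.getInfo()));
        try {
            Class<?> c = Class.forName("sun.security.ec.SunEC");
            CodeSource cs = c.getProtectionDomain().getCodeSource();
            System.out.println("sun.security.ec.SunEC loaded from "
                    + (cs == null ? "(bootstrap class path / module image)" : cs.getLocation()));
        } catch (Throwable t) {
            // ClassNotFoundException here means the runtime really has no sunec.jar on its path.
            System.out.println("sun.security.ec.SunEC not loadable: " + t);
        }

        // 2. For every provider that offers EC key generation (SunEC, a configured SunPKCS11, BC, ...),
        //    try each curve name. SunPKCS11 key pairs created here are session objects, so nothing
        //    persists on the token.
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") == null) {
                continue;
            }
            System.out.println();
            System.out.println("Provider " + p.getName() + ": " + p.getInfo());
            for (String curve : CURVES) {
                System.out.printf("  %-11s %s%n", curve, probe(p, curve));
            }
        }
    }

    /** Generate one EC key pair on the given provider and curve; return a one-line verdict. */
    static String probe(Provider p, String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
            kpg.initialize(new ECGenParameterSpec(curve));
            KeyPair kp = kpg.generateKeyPair();
            int bits = ((ECPublicKey) kp.getPublic()).getParams().getCurve().getField().getFieldSize();
            return "OK (" + bits + "-bit field)";
        } catch (InvalidAlgorithmParameterException e) {
            // This is what an unknown or unsupported curve name looks like on SunEC.
            return "unsupported curve: " + e.getMessage();
        } catch (NoSuchAlgorithmException e) {
            return "no EC key generation: " + e.getMessage();
        } catch (RuntimeException e) {
            // SunPKCS11 reports a missing SunEC as a bare RuntimeException, as in the first trace.
            return "error: " + e;
        }
    }
}
```

Compile and run it with the exact JRE that starts WildFly (for example `/usr/java/latest/jre/bin/java` in the setup described above, after `javac EcCurveCheck.java`), since a different `java` on the PATH would report a different extension directory and provider list. If `SunEC` shows as "NOT installed" or the class is not loadable under that JRE, the P11 trace is explained by the runtime rather than by SignServer; if `SunEC` is present but a name such as `prime192v3` comes back as an unsupported curve while `P-256` works, the curve name is the problem, which is what Markus's suggestion checks.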