From: Jose A. <j....@gm...> - 2017-02-11 00:54:59
Hi. I use a Utimaco HSM for ECDSA, and I use clientToolBox to generate the keys. Example (EJBCA):

ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /etc/utimaco/libcs_pkcs11_R2.so secp384r1 secp384r1Alias 0

where "secp384r1" is the curve name given in the HSM's documentation.

On Fri, Feb 3, 2017 at 9:52 AM, Blum, Jon <jon...@or...> wrote:

> Hello all --
>
> I'm able to generate RSA keys through the SignServer CLI, but I get
> "Cannot load SunEC provider" errors if I try to generate an ECDSA key.
> What should I check for in my setup?
>
> An example:
>
> [jon@localhost lib]$ bin/signserver generatekey CryptoTokenP11 -keyalg ECDSA -keyspec prime192v3 -alias 2017_06
> (...)
> Caused by: java.lang.RuntimeException: Cannot load SunEC provider
>         at sun.security.pkcs11.P11ECKeyFactory.getSunECProvider(P11ECKeyFactory.java:55)
>         at sun.security.pkcs11.P11ECKeyFactory.getECParameterSpec(P11ECKeyFactory.java:71)
>         at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
>         at sun.security.pkcs11.P11KeyPairGenerator.<init>(P11KeyPairGenerator.java:133)
>         at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1014)
>         at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:991)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
>         at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:279)
>         at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:175)
>         at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:320)
>         at org.cesecore.keys.token.PKCS11CryptoToken.generateKeyPair(PKCS11CryptoToken.java:212)
>         at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:515)
>         at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:527)
>         at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)
>
> For the record, this is SignServer 3.7.0, under JDK 8, running on Wildfly
> 10, talking to a Luna SA HSM. The system's been functioning fine for
> months with RSA keys.
>
> I've tried generating ECDSA with a variety of different keyspecs. I've
> checked that sunec.jar exists on my system, in /usr/java/latest/jre/lib/ext/sunec.jar;
> is it possible that SignServer could be running somehow without this in its
> path? Do I need to copy it locally into my Wildfly installation?
>
> I've also confirmed that SunEC is in the provider list in java.security:
>
> security.provider.1=sun.security.provider.Sun
> security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/luna.cfg
> security.provider.3=sun.security.rsa.SunRsaSign
> security.provider.4=sun.security.ec.SunEC
> (etc)
>
> Whatever the problem is, it appears to be P11CryptoToken-specific. If I
> try running with a P12CryptoToken, I get a different error, which indicates
> that it's apparently found the crypto provider it needs but not the named
> curve I'm looking for:
>
> [jon@localhost signserver]$ bin/signserver generatekey CryptoTokenP12 -keyalg ECDSA -keyspec P-224 -alias 2017_06
> (...)
> Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.132.0.33
>         at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
>         at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
>         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
>         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
>         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
>         at org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.getCertificate(Unknown Source)
>         at org.signserver.server.cryptotokens.CryptoTokenHelper.getSelfCertificate(CryptoTokenHelper.java:499)
>         at org.signserver.server.cryptotokens.CryptoTokenHelper.createDummyCertificate(CryptoTokenHelper.java:471)
>         at org.signserver.server.cryptotokens.KeystoreCryptoToken.generateKey(KeystoreCryptoToken.java:475)
>         at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)
>
> But that's a secondary issue; my actual solution has to use the
> CryptoTokenP11.
>
> Any suggestions welcome!
>
> Cheers,
> Jon Blum
>
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop

--
#############################
# Operating System: Debian  #
# Caracas, Venezuela        #
#############################
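The two stack traces quoted above fail at different layers: the P11 trace dies inside SunPKCS11 before it ever talks to the HSM, because P11ECKeyFactory.getECParameterSpec needs the SunEC provider to translate a curve name into parameters, while the P12 trace shows SunEC running but the JDK's X.509 parser rejecting OID 1.3.132.0.33, which is secp224r1 (P-224). The following stand-alone diagnostic, added here as an example and not part of SignServer, EJBCA or the thread, separates those two questions: it reports whether SunEC is registered in the running JVM and which named curves it accepts, and optionally loads a SunPKCS11 configuration and performs the same KeyPairGenerator initialize/generate step that the P11 trace fails on. The config path, PIN and curve names are assumptions passed on the command line; the JDK 8 constructor for SunPKCS11 is used because that is the JDK in the thread.

```java
import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidParameterSpecException;

/**
 * Diagnostic for "Cannot load SunEC provider" / "Unknown named curve" when
 * generating EC keys through SunPKCS11. Added example; not project code.
 *
 * Usage:
 *   java EcProviderCheck                        -> SunEC presence and curve support only
 *   java EcProviderCheck luna.cfg <pin> secp384r1 -> also generate an EC key on the token
 *
 * A minimal SunPKCS11 config (assumed path to the vendor library):
 *   name = Luna
 *   library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
 */
public class EcProviderCheck {

    // Curve names from the thread plus the common NIST prime curves.
    static final String[] CURVES = {
        "prime192v3", "secp224r1", "secp256r1", "secp384r1", "secp521r1"
    };

    /** True when SunEC is registered; P11ECKeyFactory.getSunECProvider needs exactly this. */
    static boolean sunEcPresent() {
        return Security.getProvider("SunEC") != null;
    }

    /** True when SunEC can resolve the named curve into EC domain parameters. */
    static boolean sunEcKnowsCurve(String curveName) {
        try {
            AlgorithmParameters params = AlgorithmParameters.getInstance("EC", "SunEC");
            params.init(new ECGenParameterSpec(curveName));
            return true;
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidParameterSpecException e) {
            return false;
        }
    }

    /**
     * Reproduce the failing step from the P11 trace: build the SunPKCS11 provider,
     * log in to the token, then initialize an EC KeyPairGenerator with a named curve.
     * The generated pair proves the curve is usable; whether it persists on the token
     * depends on the provider configuration, which is outside this check.
     */
    static KeyPair generateOnToken(String cfgPath, char[] pin, String curveName)
            throws GeneralSecurityException, IOException {
        // JDK 8 constructor. On JDK 9+ use Security.getProvider("SunPKCS11").configure(cfgPath).
        Provider p11 = new sun.security.pkcs11.SunPKCS11(cfgPath);
        Security.addProvider(p11);

        // Most HSMs refuse key generation until the session is logged in (CKR_USER_NOT_LOGGED_IN);
        // loading the PKCS11 KeyStore with the PIN performs C_Login.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p11);
        kpg.initialize(new ECGenParameterSpec(curveName)); // P11KeyPairGenerator.initialize in the trace
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SunEC present: " + sunEcPresent());
        for (String curve : CURVES) {
            System.out.println("  " + curve + ": " + (sunEcKnowsCurve(curve) ? "known" : "UNKNOWN"));
        }
        if (args.length >= 3) {
            KeyPair kp = generateOnToken(args[0], args[1].toCharArray(), args[2]);
            System.out.println("Generated EC key on token, public key class: "
                    + kp.getPublic().getClass().getName());
        }
    }
}
```

Run the first form with the exact java binary the application server uses (for Wildfly, the one its standalone.conf points at), since a different JRE than /usr/java/latest may be on the path; if SunEC reports present there but a curve prints UNKNOWN, the curve is the problem rather than the provider. If the first form passes and the token form still fails, the problem sits in the SunPKCS11 configuration or the HSM's mechanism list rather than in the JDK.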