Nitrokey / nethsm-pkcs11

PKCS#11 module for NetHSM

supporting EJBCA #63

Open nponsard opened 1 year ago

nponsard commented 1 year ago

Current blocking problems:

nponsard commented 1 year ago

Need to find a way to fix the key renaming, maybe the PKCS11 java lib ?

nponsard commented 1 year ago

It seems like the EC key problems are fixed by changes in main.

nponsard commented 1 year ago

The problem seems to come from the Java library. It uses the java.security.Security class to get the Sun PKCS11 provider. This 'security' library imposes a pattern where a key generation is in 3 steps:

As the key is generated on the device, it uses the device to sign the certificate. Also, in the storing part, the key is already on the device, so it renames it.

example code:

package com.example;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;

public class App {
    public static void main(String[] args) throws Exception {
        // Load the PKCS#11 provider from the config file (see pkcs11.cfg below)
        String pkcs11Config = "/opt/pkcs-test/pkcs11.cfg";

        Provider provider = Security.getProvider("SunPKCS11");

        provider = provider.configure(pkcs11Config);
        Security.addProvider(provider);

        // Initialize a session: logging in to the token with the user PIN
        char[] pin = "123456".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
        keyStore.load(null, pin);

        // Step 1: generate an RSA key pair; the key is created on the device
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", provider);
        keyPairGenerator.initialize(2048);
        KeyPair keyPair = keyPairGenerator.generateKeyPair();

        // Step 2: build a certificate signed with the on-device private key.
        // generateCertificate is not included in this snippet.
        Certificate certificate = generateCertificate(keyPair, provider);

        // Step 3: store the entry. setKeyEntry takes a certificate chain (Certificate[]),
        // and since the private key already lives on the device, the provider renames it.
        keyStore.setKeyEntry("your_key_alias", keyPair.getPrivate(), pin, new Certificate[] { certificate });
    }
}

pkcs11.cfg:

name = PKCS11SPY
library = /usr/lib/pkcs11-spy.so

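The three-step flow described in the comment above, with the certificate step the snippet leaves out, as an added example that is not the issue author's or the project's code. It assumes BouncyCastle's bcpkix for the X.509 builder, the same hypothetical config path and PIN as above, and the hypothetical class and method names KeyGenFlow and selfSignedCertificate.

```java
package com.example;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyGenFlow {
    public static void main(String[] args) throws Exception {
        // Assumed config path and PIN; adjust to the local setup.
        Provider provider = Security.getProvider("SunPKCS11").configure("/opt/pkcs-test/pkcs11.cfg");
        Security.addProvider(provider);
        char[] pin = "123456".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
        keyStore.load(null, pin); // logs in to the token

        // Step 1: the key pair is generated on the device through the PKCS#11 provider.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", provider);
        kpg.initialize(2048);
        KeyPair keyPair = kpg.generateKeyPair();

        // Step 2: the certificate is signed with the private key that lives on the device.
        Certificate cert = selfSignedCertificate(keyPair, provider);

        // Step 3: storing the entry. The private key already exists on the device, so the
        // provider renames the existing object to the alias rather than importing a new key.
        keyStore.setKeyEntry("your_key_alias", keyPair.getPrivate(), pin, new Certificate[] { cert });
    }

    // Builds a self-signed certificate; the signature is computed via the PKCS#11 provider.
    static Certificate selfSignedCertificate(KeyPair keyPair, Provider provider) throws Exception {
        X500Name name = new X500Name("CN=nethsm-test"); // constructed subject
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, notBefore, notAfter, name, keyPair.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider(provider).build(keyPair.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }
}
```

Running it against the pkcs11-spy library configured above logs which PKCS#11 calls each of the three steps issues, which is the simplest way to see where the rename happens.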
nponsard commented 1 year ago

New error when clicking 'test' on EC keys: Error: Exception testing key: error decoding signature bytes.

nponsard commented 1 year ago

Generating a P-384 EC key now works; there is still a problem with the other EC key sizes.

nponsard commented 1 year ago

The ECDSA problems are now solved.

nponsard commented 1 year ago

85 would be a partial fix

jans23 commented 1 year ago

Potentially PKCS#11 NG would be a solution.