Yubico / yubihsm-shell

yubihsm-shell and libyubihsm
https://developers.yubico.com/yubihsm-shell/
Apache License 2.0

[P11 - ERR 21:10:53.246143] util_pkcs11.c:4593 (parse_rsa_generate_template): Boolean truth check failed for attribute 0x1 [P11 - ERR 21:10:53.246154] yubihsm_pkcs11.c:5248 (C_GenerateKeyPair): Unable to parse generation template #391

Open Jmacea opened 6 months ago

Jmacea commented 6 months ago

Hi, I am having problems creating a crypto token in ejbca with YubiHSM2.

The error is the following:

[P11 - ERR 21:10:53.246143] util_pkcs11.c:4593 (parse_rsa_generate_template): Boolean truth check failed for attribute 0x1
[P11 - ERR 21:10:53.246154] yubihsm_pkcs11.c:5248 (C_GenerateKeyPair): Unable to parse generation template
Command could not be executed. See log for stack trace.
2024-02-29 21:10:53,247 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so 2048 defaultKey 0' could not be executed.
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:422)
    at java.base/java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:722)
    at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:453)
    at org.cesecore.keys.util.KeyStoreTools.generateRSA(KeyStoreTools.java:302)
    at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:362)
    at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:243)
    at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:730)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:414)
    ... 8 more

qpernil commented 6 months ago

If possible, run this with debugging active, which can be done by adding a setting to the config file or by setting an environment variable; see here: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-pkcs11-guide.html#configuration

qpernil commented 6 months ago

It looks like the application (meaning the client of yubihsm_pkcs11, which in this case also includes the Java pkcs11 wrapper) is setting CKA_TOKEN to CK_FALSE which isn't supported - all objects on the YubiHSM are created on the token. yubihsm_pkcs11 disallows that to avoid misleading users that objects can be created as session objects.
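An added example (not code from yubihsm-shell, EJBCA or anyone in this thread) that models the rule just described: it maps the module's "Boolean truth check failed for attribute 0x1" log line back to the PKCS#11 attribute name (0x1 is CKA_TOKEN), checks a key-generation template the way the module would, and rewrites it so the object is created on the token. The attribute numbers are the standard PKCS#11 values; the `MUST_BE_TRUE` set and the sample template are assumptions constructed for the example.

```python
import re

# Standard PKCS#11 attribute identifiers and boolean values.
CKA_CLASS = 0x0000
CKA_TOKEN = 0x0001
CKA_PRIVATE = 0x0002
CKA_LABEL = 0x0003
CKA_MODULUS_BITS = 0x0121
CKA_PUBLIC_EXPONENT = 0x0122
CK_FALSE, CK_TRUE = 0, 1

ATTR_NAMES = {
    CKA_CLASS: "CKA_CLASS", CKA_TOKEN: "CKA_TOKEN", CKA_PRIVATE: "CKA_PRIVATE",
    CKA_LABEL: "CKA_LABEL", CKA_MODULUS_BITS: "CKA_MODULUS_BITS",
    CKA_PUBLIC_EXPONENT: "CKA_PUBLIC_EXPONENT",
}

# Assumption modelling the behaviour described above: every YubiHSM object is a
# token object, so the module rejects a template with CKA_TOKEN = CK_FALSE.
MUST_BE_TRUE = {CKA_TOKEN}

LOG_RE = re.compile(r"Boolean truth check failed for attribute (0x[0-9a-fA-F]+)")


def explain_log_line(line):
    """Map the module's log line to (attribute id, attribute name); None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    attr = int(m.group(1), 16)
    return attr, ATTR_NAMES.get(attr, "unknown attribute")


def check_generate_template(template):
    """Return [(attr id, name)] for each attribute that fails the boolean truth
    check; an empty list means the template would be accepted."""
    return [(a, ATTR_NAMES.get(a, hex(a)))
            for a, v in template if a in MUST_BE_TRUE and v != CK_TRUE]


def force_token_objects(template):
    """Return a copy of the template with CKA_TOKEN = CK_TRUE (replaced or added)."""
    fixed = [(a, v) for a, v in template if a != CKA_TOKEN]
    fixed.append((CKA_TOKEN, CK_TRUE))
    return fixed


# Constructed sample: an RSA-2048 template as a client might send it.
SESSION_TEMPLATE = [
    (CKA_TOKEN, CK_FALSE),                   # the setting the module rejects
    (CKA_MODULUS_BITS, 2048),
    (CKA_PUBLIC_EXPONENT, b"\x01\x00\x01"),
    (CKA_LABEL, b"defaultKey"),
]
```

Running `check_generate_template(SESSION_TEMPLATE)` reports CKA_TOKEN, and the template returned by `force_token_objects` passes the check.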

Jmacea commented 6 months ago

What do you recommend in this case? I am implementing YubiHSM2 in ejbca.

qpernil commented 5 months ago

This is something that would need some configuration in ejbca; I know we have tested with it. Let me see if I can find some info.

aveenismail commented 5 months ago

@Jmacea I just tried to generate an RSA2048 keypair in the Crypto Token view on EJBCA and did not run into problems. The key showed up when I listed the content of the YubiHSM using a separate tool and I could use the key to sign a certificate on EJBCA.

Since you have a proper log from the yubihsm_pkcs11 module, I assume the configuration in conf/web.properties is correct, so I'm suspecting it's a configuration issue elsewhere.

What is the version of the yubihsm_pkcs11 you are running? How are you generating the key? What does your Crypto Token configuration look like?