aws-samples / aws-cloudhsm-jce-examples

Sample applications demonstrating how to use the CloudHSM JCE
MIT No Attribution

Failing to Sign with Key created in AWS Cloud HSM Token #69

Closed maliksajidhussain closed 1 year ago

maliksajidhussain commented 1 year ago

I am creating the RSA key pair in AWS Cloud HSM with the following attributes:

```java
KeyAttributesMap publicKeyAttributesMap = new KeyAttributesMap();
KeyAttributesMap privateKeyAttributesMap = new KeyAttributesMap();
privateKeyAttributesMap.put(KeyAttribute.TOKEN, Boolean.TRUE);
privateKeyAttributesMap.put(KeyAttribute.SIGN, Boolean.TRUE);
publicKeyAttributesMap.put(KeyAttribute.TOKEN, Boolean.TRUE);
publicKeyAttributesMap.put(KeyAttribute.VERIFY, Boolean.TRUE);
```

I can use this private key to create a self-signed certificate. But when I try to create a CMS signature I get the following exception:

```text
iaik.tsp.TspSigningException: Can't sign TimeStampToken: java.security.NoSuchAlgorithmException: Error computing signature value: iaik.cms.CMSException: Unable to calculate signature: java.security.SignatureException: Cannot calculate RSA siganture: com.amazonaws.cloudhsm.jce.jni.exception.KeyUsageException: An attempt has been made to use a key for a cryptographic purpose that the key's attributes are not set to allow it to do.
    at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:967)
    at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:859)
    at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:1024)
```

I checked the AWS documentation, but there is no such attribute defining the private key's purpose. No similar question found on AWS.

What is causing the private key to stop signing CMS?
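A quick way to isolate whether the key attributes or the calling library is at fault is to sign and verify through the standard JCE Signature API with the same TOKEN/SIGN/VERIFY attributes as in the report. This is an added example, not code from the issue or from the aws-cloudhsm-jce-examples repository; the attribute names, value types and the KeyPairAttributesMap builder are assumed to follow the CloudHSM JCE SDK 5 API, the key label is constructed, and the client is assumed to be configured and logged in.

```java
import com.amazonaws.cloudhsm.jce.jni.exception.KeyUsageException;
import com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyAttribute;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyAttributesMap;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyPairAttributesMap;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
public class TokenKeySignCheck {
    // Persistent (TOKEN) RSA pair: private half may only SIGN, public half may only VERIFY (assumed SDK 5 API).
    static KeyPair generateSigningPair(String label) throws Exception {
        KeyAttributesMap pub = new KeyAttributesMap();
        pub.put(KeyAttribute.LABEL, label + ":Public");
        pub.put(KeyAttribute.MODULUS_BITS, 2048);
        pub.put(KeyAttribute.PUBLIC_EXPONENT, new BigInteger("65537").toByteArray());
        pub.put(KeyAttribute.TOKEN, Boolean.TRUE);
        pub.put(KeyAttribute.VERIFY, Boolean.TRUE);
        KeyAttributesMap priv = new KeyAttributesMap();
        priv.put(KeyAttribute.LABEL, label + ":Private");
        priv.put(KeyAttribute.TOKEN, Boolean.TRUE);
        priv.put(KeyAttribute.SIGN, Boolean.TRUE);
        priv.put(KeyAttribute.EXTRACTABLE, Boolean.FALSE); // least privilege: key material never leaves the HSM
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", CloudHsmProvider.PROVIDER_NAME);
        gen.initialize(new KeyPairAttributesMap.Builder().withPublic(pub).withPrivate(priv).build());
        return gen.generateKeyPair();
    }
    // Sign and verify through the plain JCE Signature API. If this succeeds, the key's attributes
    // allow signing, and the CMS failure comes from how the calling library drives the key.
    static boolean signAndVerify(KeyPair kp, byte[] data) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA", CloudHsmProvider.PROVIDER_NAME);
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA", CloudHsmProvider.PROVIDER_NAME);
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        return verifier.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        if (Security.getProvider(CloudHsmProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new CloudHsmProvider()); // assumes the CloudHSM client is configured and logged in
        }
        KeyPair kp = generateSigningPair("issue69-check"); // constructed label, not from the issue
        try {
            System.out.println("JCE Signature round trip OK: " + signAndVerify(kp, "test".getBytes(StandardCharsets.UTF_8)));
        } catch (SignatureException e) { // the KeyUsageException from the report surfaces as the cause
            System.out.println((e.getCause() instanceof KeyUsageException ? "Key attributes forbid this: " : "Signing failed: ") + e.getMessage());
        }
    }
}
```

If the round trip passes but the CMS library still hits KeyUsageException, the library is performing an operation on the private key other than a JCE Signature, which is the question to raise with its vendor or AWS Developer Support.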

maliksajidhussain commented 1 year ago

@team Can any team member give a clue as to whether anything is wrong in the sample?

rday commented 1 year ago

Hi @maliksajidhussain ,

The samples are built and tested with our releases, and after a quick look everything seems ok.

Unfortunately I'm not able to find any information about the iaik.tsp package you are using. I'm not sure what that library is attempting to do with the key prior to signing. To address these particular problems, you could reach out to AWS Developer Support, or post on re:Post with the "AWS CloudHSM" tag. You will receive better support for your custom workflow using those methods.