harrison314 / BouncyHsm

Bouncy Hsm is a software simulator of HSM and smartcard simulator with HTML UI, REST API and PKCS#11 interface.
BSD 3-Clause "New" or "Revised" License

Error when generating key/certificate pair using java `keytool` #14

Open MaxFichtelmann opened 3 weeks ago

MaxFichtelmann commented 3 weeks ago

The keytool command provided by openjdk installations can be used with a PKCS#11 driver.

A configuration file is needed which points to the pkcs11 driver (and a name):

library=/path/to/BouncyHsm.Pkcs11Lib-x64.so
name=bouncy-hsm

The command to generate a new private key and corresponding self-signed certificate:

keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg java-pkcs11.cfg -genkey -keyalg RSA -keysize 2048 -dname cn=sample -alias sample-rsa

This fails with the following error message:

[12:33:51 INF] Executing operation CreateObject.
[12:33:51 ERR] Pkcs11 error during operation CreateObject with CKRV: CKR_ATTRIBUTE_VALUE_INVALID.
BouncyHsm.Core.Services.Contracts.RpcPkcs11Exception: Attribute CKA_SERIAL_NUMBER is not valid X509 Name in DER encoding.
 ---> System.ArgumentException: failed to construct integer from byte[]: unexpected end-of-contents marker
   at Org.BouncyCastle.Asn1.DerInteger.GetInstance(Object obj)
   at BouncyHsm.Core.Services.Contracts.Entities.CryptoObjectValueChecker.CheckDerInteger(CKA attributeType, Byte[] data, Boolean enableEmpty, Boolean mustByPositive)
   --- End of inner exception stack trace ---
   at BouncyHsm.Core.Services.Contracts.Entities.CryptoObjectValueChecker.CheckDerInteger(CKA attributeType, Byte[] data, Boolean enableEmpty, Boolean mustByPositive)
   at BouncyHsm.Core.Services.Contracts.Entities.X509CertificateObject.Validate()
   at BouncyHsm.Core.Services.P11Handlers.CreateObjectHandler.Handle(CreateObjectRequest request, CancellationToken cancellationToken)
   at BouncyHsm.Core.Rpc.RequestProcessor.ProcessRequestBody[TRequest,TResponse](IServiceProvider scopeProvider, String operation, ReadOnlyMemory`1 requestBody, Func`2 nonOkResponseFactory, ILogger logger, CancellationToken cancellationToken)
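
The check that fails in the trace above is BouncyHsm rejecting the CKA_SERIAL_NUMBER attribute of the certificate object as a DER INTEGER (PKCS#11 specifies that attribute as the DER encoding of the serial number). As an added illustration, not BouncyHsm's or the JDK's own code, this Python mirrors that kind of validation: an empty buffer or raw big-endian serial bytes are rejected, a proper DER INTEGER is accepted, and `der_integer` shows the form the attribute is specified to carry. The `enable_empty` and `must_be_positive` knobs are assumptions modelled on the parameter names in the stack trace.

```python
from typing import Optional

# Constructed illustration, not BouncyHsm's code. PKCS#11 defines
# CKA_SERIAL_NUMBER as the DER encoding of the certificate serial number:
# tag 0x02, a length octet, then big-endian two's-complement content.
# Only short-form lengths are handled (X.509 serials are <= 20 octets).

def _minimal(content: bytes) -> bool:
    """True if a DER INTEGER body has no redundant leading sign octet."""
    if len(content) < 2:
        return True
    return not ((content[0] == 0x00 and not content[1] & 0x80)
                or (content[0] == 0xFF and content[1] & 0x80))

def check_der_integer(data: bytes, enable_empty: bool = False,
                      must_be_positive: bool = True) -> Optional[int]:
    """Return the decoded serial (None if empty is allowed) or raise ValueError."""
    if not data:
        if enable_empty:
            return None
        raise ValueError("empty value: unexpected end-of-contents")
    if data[0] != 0x02:
        raise ValueError(f"tag 0x{data[0]:02x} is not INTEGER (0x02)")
    if len(data) < 3 or data[1] == 0 or data[1] & 0x80:
        raise ValueError("missing or unsupported length octet")
    content = data[2:]
    if len(content) != data[1]:
        raise ValueError("length octet does not match content")
    if not _minimal(content):
        raise ValueError("non-minimal INTEGER encoding")
    value = int.from_bytes(content, "big", signed=True)
    if must_be_positive and value <= 0:
        raise ValueError(f"serial must be positive, got {value}")
    return value

def is_valid_serial(data: bytes) -> bool:
    """Yes/no form of check_der_integer with its default strictness."""
    try:
        return check_der_integer(data) is not None
    except ValueError:
        return False

def der_integer(value: int) -> bytes:
    """Encode an int as the DER INTEGER that CKA_SERIAL_NUMBER expects."""
    content = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    while not _minimal(content):          # strip redundant sign octets
        content = content[1:]
    return bytes([0x02, len(content)]) + content
```

Feeding the raw serial bytes `(0x1234).to_bytes(2, "big")` to `is_valid_serial` returns False because the first octet is not the INTEGER tag, while `der_integer(0x1234)` is accepted.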
harrison314 commented 3 weeks ago

Thanks for reporting the bug.

I will need to replicate this. Which JDK version are you using? It is best if you write me the name of the package and the version.

harrison314 commented 3 weeks ago

@MaxFichtelmann try this build, it also logs the value of the problem attribute. https://github.com/harrison314/BouncyHsm/actions/runs/11578823608

Edit: Try version 1.1.1 https://github.com/harrison314/BouncyHsm/releases/tag/v1.1.1 with better logging.