Hello

Our application connects to software security plugins like NSS via the IAIK PKCS#11
Wrapper 1.4. We had no issue when IAIK 1.4 was connecting to NSS
3.42.1. However, we are upgrading NSS to 3.47.1 and we are encountering
issues with key pair generation (anything above NSS 3.43 seems to be an issue).

Below is an excerpt of the code for key pair generation:

    import java.nio.charset.StandardCharsets;

    import iaik.pkcs.pkcs11.Mechanism;
    import iaik.pkcs.pkcs11.TokenException;
    import iaik.pkcs.pkcs11.objects.KeyPair;
    import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
    import iaik.pkcs.pkcs11.objects.RSAPublicKey;
    import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;

    // 'session' is the open, logged-in IAIK Session and 'log' the class logger;
    // both are fields of the enclosing class and are not part of this excerpt.
    public KeyPairHandle generateWrappingKeyPair(String component) throws Exception
    {
        // This function returns the public key handle only
        // Minimum key size is 2048-bit
        int keySize = 2048;
        Mechanism keyPairGenerationMechanism = Mechanism
                .get(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN);

        RSAPublicKey rsaPublicKeyTemplate = new RSAPublicKey();
        RSAPrivateKey rsaPrivateKeyTemplate = new RSAPrivateKey();

        // Same CKA_ID on both halves so they can be matched up later
        String id = KeyPairHandleImpl.generateId();
        rsaPublicKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8));
        rsaPrivateKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8));

        // set the general attributes for the public key
        //
        rsaPublicKeyTemplate.getModulusBits().setLongValue(Long.valueOf(keySize));
        byte[] publicExponentBytes = { (byte)0x01, (byte)0x00, (byte)0x01 };   // e = 65537
        rsaPublicKeyTemplate.getPublicExponent().setByteArrayValue(publicExponentBytes);
        rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getLabel().setValue(component.toCharArray());
        rsaPublicKeyTemplate.getEncrypt().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getWrap().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getVerify().setBooleanValue(Boolean.TRUE);

        // set the general attributes for the private key
        //
        rsaPrivateKeyTemplate.getSensitive().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getPrivate().setBooleanValue(Boolean.FALSE);
        rsaPrivateKeyTemplate.getLabel().setValue(component.toCharArray());
        rsaPrivateKeyTemplate.getDecrypt().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getUnwrap().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);

        KeyPair generatedKeyPair;
        try
        {
            generatedKeyPair = session.generateKeyPair(keyPairGenerationMechanism,
                    rsaPublicKeyTemplate, rsaPrivateKeyTemplate);
        }
        catch (TokenException e)
        {
            // PKCS11Exception (a TokenException) carries the CKR_* code in its message
            String msg = "Failed to generate RSA key pair on token: " + e.getMessage();
            log.error( msg );
            throw new XXException( msg, e );
        }

        // ... remainder of the method (builds the KeyPairHandle from
        // generatedKeyPair.getPublicKey()) is not included in this excerpt
    }

We get the exception below:
iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR

I can establish a session with NSS via the IAIK wrapper fine:

Slot :
Slot ID: 0x2
Module: Module Name: softokn3.dll

Token info:
Label: NSS Certificate DB
Manufacturer ID: Mozilla Foundation
Model: NSS 3
Serial Number: 0000000000000000
Random Number Generator: true
Write protected: false
Login required: true
User PIN initialized: true
Restore Key not needed: false
Clock on Token: false
Protected Authentication Path: false
Dual Crypto Operations: true
Token initialized: true
Secondary Authentication: false
User PIN-Count low: false
User PIN final Try: false
User PIN locked: false
User PIN to be changed: false
Security Officer PIN-Count low: false
Security Officer PIN final Try: false
Security Officer PIN locked: false
Security Officer PIN to be changed: false
Maximum Session Count: <effectively infinite>
Session Count: 0
Maximum Read/Write Session Count: <effectively infinite>
Read/Write Session Count: 0
Maximum PIN Length: 500
Minimum PIN Length: 0
Total Public Memory: 1
Free Public Memory: 1
Total Private Memory: 1
Free Private Memory: 1
Hardware Version: 0.00
Firmware Version: 0.00
Time: Sat Nov 29 18:00:00 CST 2


Captured information about the template variables:
rsaPublicKeyTemplate info:
  Object Class: Public Key
  Token: true
  Private: <Attribute not present>
  Modifiable: <Attribute not present>
  Label: XXX
  Key Type: RSA
  ID: 64626639363437362d313639302d343766642d393161392d6433623138346134613135323b31353735393138303336323139
  Start Date: <Attribute not present>
  End Date: <Attribute not present>
  Derive: <Attribute not present>
  Local: <Attribute not present>
  Key Generation Mechanism: <Attribute not present>
  Allowed Mechanisms: <Attribute not present>
  Subject (DER, hex): <Attribute not present>
  Encrypt: true
  Verify: true
  Verify Recover: <Attribute not present>
  Wrap: true
  Trusted: <Attribute not present>
  Wrap Template: <Attribute not present>
  Modulus (hex): <Attribute not present>
  Public Exponent (hex): 010001
  Modulus Bits (dec): 2048

rsaPrivateKeyTemplate info:
  Object Class: Private Key
  Token: true
  Private: false
  Modifiable: <Attribute not present>
  Label: XXX
  Key Type: RSA
  ID: 64626639363437362d313639302d343766642d393161392d6433623138346134613135323b31353735393138303336323139
  Start Date: <Attribute not present>
  End Date: <Attribute not present>
  Derive: <Attribute not present>
  Local: <Attribute not present>
  Key Generation Mechanism: <Attribute not present>
  Allowed Mechanisms: <Attribute not present>
  Subject (DER, hex): <Attribute not present>
  Sensitive: true
  Secondary Authentication: <Attribute not present>
  Secondary Authentication PIN Flags: <Attribute not present>
  Decrypt: true
  Sign: true
  Sign Recover: <Attribute not present>
  Unwrap: true
  Extractable: <Attribute not present>
  Always Sensitive: <Attribute not present>
  Never Extractable: <Attribute not present>
  Wrap With Trusted: <Attribute not present>
  Unwrap Template: <Attribute not present>
  Always Authenticate: <Attribute not present>
  Modulus (hex): <Attribute not present>
  Public Exponent (hex): <Attribute not present>
  Private Exponent (hex): <Attribute not present>
  Prime 1 (hex): <Attribute not present>
  Prime 2 (hex): <Attribute not present>
  Exponent 1 (hex): <Attribute not present>
  Exponent 2 (hex): <Attribute not present>
  Coefficient (hex): <Attribute not present>

I can create a key pair fine using the NSS tool certutil but can't do so via our
application.

Is there a compatibility issue by any chance?

Any help greatly appreciated.

Thanks..
Usha
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
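An added diagnostic for the question above; it is not code from the post or from IAIK. It runs CKM_RSA_PKCS_KEY_PAIR_GEN twice on a session to the same softoken slot, once with a minimal template and once with the post's full attribute set, so that a CKR_GENERAL_ERROR can be pinned on the template rather than on the session or the mechanism. The class name KeyGenTemplateProbe, the IAIK wrapper 1.4 API, and an already open, logged-in read/write Session supplied by the caller are assumptions.

```java
import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.KeyPair;
import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
import iaik.pkcs.pkcs11.objects.RSAPublicKey;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;

public class KeyGenTemplateProbe {
    // Runs CKM_RSA_PKCS_KEY_PAIR_GEN on an already logged-in R/W session (assumption).
    // full == false: only what the mechanism strictly needs (modulus bits, public
    //                exponent); the keys stay session objects.
    // full == true : the post's attribute set, including CKA_TOKEN=TRUE on both
    //                keys and CKA_PRIVATE=FALSE on the private key.
    // Returns "OK" on success, otherwise the wrapper's error text (e.g. CKR_GENERAL_ERROR).
    static String tryGenerate(Session session, boolean full) {
        RSAPublicKey pub = new RSAPublicKey();
        RSAPrivateKey priv = new RSAPrivateKey();
        pub.getModulusBits().setLongValue(Long.valueOf(2048));
        pub.getPublicExponent().setByteArrayValue(new byte[] { 0x01, 0x00, 0x01 });
        if (full) {
            pub.getToken().setBooleanValue(Boolean.TRUE);
            pub.getEncrypt().setBooleanValue(Boolean.TRUE);
            pub.getWrap().setBooleanValue(Boolean.TRUE);
            pub.getVerify().setBooleanValue(Boolean.TRUE);
            priv.getSensitive().setBooleanValue(Boolean.TRUE);
            priv.getToken().setBooleanValue(Boolean.TRUE);
            priv.getPrivate().setBooleanValue(Boolean.FALSE);
            priv.getDecrypt().setBooleanValue(Boolean.TRUE);
            priv.getUnwrap().setBooleanValue(Boolean.TRUE);
            priv.getSign().setBooleanValue(Boolean.TRUE);
        }
        try {
            KeyPair kp = session.generateKeyPair(
                Mechanism.get(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN), pub, priv);
            // Remove the probe keys again so the certificate DB is not littered.
            session.destroyObject(kp.getPrivateKey());
            session.destroyObject(kp.getPublicKey());
            return "OK";
        } catch (TokenException e) {
            return e.getMessage();
        }
    }

    // Run both variants; if only the full template fails, bisect its attributes
    // (drop one setter at a time) to find the one the upgraded softoken rejects.
    public static void probe(Session session) {
        System.out.println("minimal template -> " + tryGenerate(session, false));
        System.out.println("full template    -> " + tryGenerate(session, true));
    }
}
```

If the minimal template also fails, the problem is in the session or module setup rather than in the attributes.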
