Hello Would appreciate any help related to the issue we are noticing.
Our application uses IAIK PKCS#11 Wrapper 1.4 to connect to NSS. We had no issues with the below code when connecting to NSS3.39. However, in our testing with NSS3.44, we seem to encounter iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR when generating keypair via session.generateKeyPair API: // This function returns the public key handle only // Minimum key size is 2048-bit int keySize = 2048; Mechanism keyPairGenerationMechanism = Mechanism .get(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN); RSAPublicKey rsaPublicKeyTemplate = new RSAPublicKey(); RSAPrivateKey rsaPrivateKeyTemplate = new RSAPrivateKey(); String id = KeyPairHandleImpl.generateId(); rsaPublicKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8)); rsaPrivateKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8)); // set the general attributes for the public key // rsaPublicKeyTemplate.getModulusBits().setLongValue(new Long(keySize)); byte[] publicExponentBytes = { (byte)0x01, (byte)0x00, (byte)0x01 }; rsaPublicKeyTemplate.getPublicExponent().setByteArrayValue(publicExponentBytes); rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE); rsaPublicKeyTemplate.getLabel().setValue(component.toCharArray()); rsaPublicKeyTemplate.getEncrypt().setBooleanValue(Boolean.TRUE); rsaPublicKeyTemplate.getWrap().setBooleanValue(Boolean.TRUE); rsaPublicKeyTemplate.getVerify().setBooleanValue(Boolean.TRUE); // set the general attributes for the private key // rsaPrivateKeyTemplate.getSensitive().setBooleanValue(Boolean.TRUE); rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE); rsaPrivateKeyTemplate.getPrivate().setBooleanValue(Boolean.FALSE); rsaPrivateKeyTemplate.getLabel().setValue(component.toCharArray()); rsaPrivateKeyTemplate.getDecrypt().setBooleanValue(Boolean.TRUE); rsaPrivateKeyTemplate.getUnwrap().setBooleanValue(Boolean.TRUE); rsaPrivateKeyTemplate.getSign().setBooleanValue(Boolean.TRUE); KeyPair generatedKeyPair; try { generatedKeyPair = session.generateKeyPair(keyPairGenerationMechanism, rsaPublicKeyTemplate, rsaPrivateKeyTemplate); } catch (TokenException e) { String msg = "Failed to generate RSA key pair on token: " + e.getMessage(); log.error( msg ); throw new Exception( msg, e ); } FYI, 1) Configuration that our application uses to initialize PKCS11 module: library=softokn3.dll initializeArguments=configDir='sql:XXX/data/NSS/db' certPrefix='' keyPrefix='' secmod='' flags='readWrite' updatedir='' updateCertPrefix='' updateKeyPrefix='' updateTokenDescription='' pin=XXXX slot=1 libPath=XXX/modules/NSS/lib libList=libnspr4.dll,libplc4.dll,libplds4.dll,sqlite3.dll,nssutil3.dll,softokn3.dll 2) we intialize PKCS11 module based of the above configuration file: Module pkcs11Module; ... pkcs11Module = Module.getInstance( dll ); // Most likely NSS DefaultInitializeArgs arguments = new DefaultInitializeArgs(); byte[] reservedBytes = initArgs.getBytes( Charset.defaultCharset() ); arguments.setReserved(reservedBytes); pkcs11Module.initialize(arguments); .... 3) we establish the session with NSS using below code and seems to login fine: // Get all slots with token present Slot[] slots = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT); ... .. else { selectedSlot = slots[slot]; } Token token = selectedSlot.getToken(); if ( token == null ) { throw new Exception( "Token is null for slot " + selectedSlot ); } // More information may be needed such check for write protection TokenInfo tokenInfo = token.getTokenInfo(); if(tokenInfo.isWriteProtected()) { String msg = "Token is write protected!"; log.error( msg ); throw new Exception( msg, null ); } // Open a read, write session session = token.openSession(Token.SessionType.SERIAL_SESSION, Token.SessionReadWriteBehavior.RW_SESSION, null, null); ..... session.login(Session.UserType.USER, Password.deobfuscate(pin).toCharArray()); log.info( "PKCS#11 session login successful" ); Thanks.. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security