SoftHSM does not currently support certificates (CKO_CERTIFICATE); that is why
you get that message. However, there is a patch available that will add support
for certificates. See:
http://trac.opendnssec.org/ticket/100

It sounds to me that we should spend some time to integrate this work into 
SoftHSM, so that others can benefit from it.

// Rickard

On 14 apr 2011, at 22.37, Adam Knight wrote:

I don't honestly know why the key isn't created as a token key in the first 
place.  When I put CKA_TOKEN = true into the SoftHSM configuration file, I get 
an "Object class not supported" error from C_CreateObject.  That is the default 
case in a switch statement that checks the key type - meaning that the object 
Java tries to create is not detected as a CKO_PUBLIC_KEY or CKO_PRIVATE_KEY.  
When I print out oClass, it is set to 1 (CKO_CERTIFICATE).

The error in C_CreateObject does happen at the right place in the Java code 
though - when I try and set the private key into the key store.

X509Certificate[] chain = makeCertificateChain(keyPair);
ks.setKeyEntry("ALIAS-GOES-HERE", pk, "1111".toCharArray(), chain);  // THIS LINE

I suspect the CKO_CERTIFICATE oClass is caused by me calling setKeyEntry and 
passing in the certificate chain - Java associates Private Keys with 
Certificates - which of course have the Public Key.  I can try saving my key as 
a SecretKey rather than a PrivateKey, and see if that helps - then I won't have 
to store the certificate chain.  I think this will also fail though as a 
CKO_SECRET_KEY won't pass the switch statement in C_CreateObject.

It sort of feels like we're working around the way Java just wants to do things -
http://download.oracle.com/javase/6/docs/api/index.html?java/security/KeyStore.html.
I mean having a common interface to a keystore is nice, but one that does
what you want is much better :)

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user