Re: [Opendnssec-user] Creating keys on SoftHSM with Java

[Adam Knight]

Thanks Rickard, and to Thomas Calderon for providing the patch.  I was able to write a key/certificate chain to SoftHSM using Java, with this patch in place.  I did need the CKA_TOKEN = true attribute in my configuration, so that the Java library didn't try and make a session key then copy it later - but that's fine.   Thanks for the great support, Adam On 15/04/2011, at 6:58 PM, Rickard Bellgrim wrote: SoftHSM does not currently support certificates (CKO_CERTIFICATE) that is why you get that message. However, there is a patch available that will add support for certificates. See: http://trac.opendnssec.org/ticket/100 It sounds to me that we should spend some time to integrate this work into SoftHSM, so that others can benefit from it. // Rickard On 14 apr 2011, at 22.37, Adam Knight wrote: I don't honestly know why the key isn't created as a token key in the first place.  When I put CKA_TOKEN = true into the SoftHSM configuration file, I get an "Object class not supported" error from C_CreateObject.  That is the default case in a switch statement that checks the key type - meaning that the object Java tries to create is not detected as a CKO_PUBLIC_KEY or CKO_PRIVATE_KEY.  When I print out oClass, it is set to 1 (CKO_CERTIFICATE).   The error in C_CreateObject does happen at the right place in the Java code though - when I try and set the private key into the key store.   X509Certificate[] chain = makeCertificateChain(keyPair); ks.setKeyEntry("ALIAS-GOES-HERE", pk, "1111".toCharArray(), chain);  // THIS LINE I suspect the CKO_CERTIFICATE oClass is caused by me calling setKeyEntry and passing in the certificate chain - Java associates Private Keys with Certificates - which of course have the Public Key.  I can try saving my key as a SecretKey rather than a PrivateKey, and see if that helps - then I won't have to store the certificate chain.  I think this will also fail though as a CKO_SECRET_KEY won't pass the switch statement in C_CreateObject. It sort of feels like we're working around the way Java just wants to do things -  http://download.oracle.com/javase/6/docs/api/index.html?java/security/KeyStore.html.  I mean having a common interface to a keystore is nice, but one that does what you want is much better :) ADAM_KNIGHT DEVELOPER M +64 21 88 00 03 P  +64 9 445 9196 LOFT 01 / 2 QUEENS PARADE THE WHARF PO BOX 32_131  DEVONPORT AUCKLAND NEW ZEALAND AOTEA.CO.NZ

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user