I can't create a cryptotoken with yubihsm #245
Replies: 4 comments 9 replies
-
CKR_ATTRIBUTE_VALUE_INVALID is a message from the PKCS#11 driver/device. Did you try with RSA keys?
-
You tried EDCDA above. "secp256r1" is ECDSA. Can you give output from the same command with "2048" instead?
-
CKR_DEVICE_ERROR is an error from the HSM, and it's from the call by Java. It can be hard to debug, but it seems Yubico has done something to the driver making it not work with the Java PKCS#10 provider by default? Unless there is some configuration, or something when generating the key. I haven't played with the YubiHSM in a long while, can you specify usage of the key, i.e. signature/encryption when generating the keys?
-
I hope nobody minds Yubico crashing this ticket :) As @primetomas mentioned, this could be an issue with the PKCS11 module. @edubolivar Feel free to open a ticket in https://github.com/Yubico/yubihsm-shell/issues. In the meantime, are you using the latest version of the yubihsm_pkcs11 module (the one that comes with yubihsm-shell 2.4.0)? If not, try the ejbcaClientToolBox command with the latest version? With 2.4.0, there should no longer be a need for the yubihsm-setup step, so generating keys with ejbcaClientToolBox or the EJBCA interface directly should just work. If that still fails, turn on debug logging and copy the output into the ticket. In the file pointed at by YUBIHSM_PKCS11_CONF, add the following three lines:
Then run the command again (you don't need to rebuild anything).
-
I already created the asymmetric key and the attestation certificate with the requested capabilities, and I already included the library in the EJBCA configuration file so that I can see the library when creating the crypto token, but when I go to create it following the steps as written, it gives me an error.
I also tried to create it with clientToolBox and I get the following error:
root@criptografia:/opt/ejbca_ce_7_4_3_2/dist/clientToolBox# ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so secp256r1 defaultKey 0
Using Slot Reference Type: Slot Number.
Contraseña del Token PKCS11 [SunPKCS11-yubihsm_pkcs11.so-slot0]:
Command could not be executed. See log for stack trace.
2023-02-15 15:24:04,803 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so secp256r1 defaultKey 0' could not be executed.
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:424)
at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:697)
at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:453)
at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:252)
at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:364)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:243)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:730)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:416)
... 8 more
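To check whether the failure is in SunPKCS11's C_GenerateKeyPair call itself rather than in EJBCA, here is an added standalone probe (not EJBCA or Yubico code) that runs the same key generation for RSA 2048 and secp256r1, the comparison the replies ask for. It assumes Java 11 or later, the module path from the command above, slot 0, and that YUBIHSM_PKCS11_CONF already points at a working connector configuration; the SunPKCS11 config file content is constructed inline.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.spec.*;

// Reproduces the C_GenerateKeyPair call that fails in the stack trace above,
// outside EJBCA, for both key types discussed in the replies. Assumes the module
// path from the thread, slot 0, and that YUBIHSM_PKCS11_CONF is already set.
public class YubiHsmKeyGenProbe {
    static final String MODULE = "/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so";

    public static void main(String[] args) throws Exception {
        // SunPKCS11 configuration, constructed here and written to a temp file.
        Path cfg = Files.createTempFile("sunpkcs11-yubihsm", ".cfg");
        Files.writeString(cfg, "name = yubihsm_pkcs11.so-slot0\n"
                + "library = " + MODULE + "\n" + "slot = 0\n");
        Provider p = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(p);

        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from a terminal to enter the PIN");
        char[] pin = console.readPassword("PKCS#11 PIN for " + p.getName() + ": ");

        // Logging in through the KeyStore matches what EJBCA does before generating.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        System.out.println("RSA 2048:  " + probe(p, "RSA",
                new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4)));
        System.out.println("secp256r1: " + probe(p, "EC", new ECGenParameterSpec("secp256r1")));
    }

    // Returns "OK" or the CKR_* code the PKCS#11 module reported, so the two
    // key types can be compared directly as the replies suggest.
    static String probe(Provider p, String algorithm, AlgorithmParameterSpec spec) throws Exception {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm, p);
            kpg.initialize(spec);
            kpg.generateKeyPair();          // this is where CKR_ATTRIBUTE_VALUE_INVALID surfaced
            return "OK";
        } catch (ProviderException e) {    // SunPKCS11 wraps PKCS11Exception in this
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            return "FAILED: " + cause.getMessage();
        }
    }
}
```

If RSA succeeds and EC fails with the same CKR code, the problem is in the EC attribute template the module accepts, which is the right detail to include in a yubihsm-shell ticket along with the debug log.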