IAIK/NSS3.44


cryptonewbie
Hello

Would appreciate any help related to the issue we are noticing.

Our application uses IAIK PKCS#11 Wrapper 1.4 to connect to NSS.

We had no issues with the below code when connecting to NSS 3.39. However, in our testing with NSS 3.44, we seem to encounter iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR when generating a key pair via the session.generateKeyPair API:


        // Imports used by this fragment; session, log and component are fields of
        // the enclosing class and KeyPairHandleImpl is an application class.
        import java.nio.charset.StandardCharsets;
        import iaik.pkcs.pkcs11.Mechanism;
        import iaik.pkcs.pkcs11.TokenException;
        import iaik.pkcs.pkcs11.objects.KeyPair;
        import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
        import iaik.pkcs.pkcs11.objects.RSAPublicKey;
        import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;

        // This function returns the public key handle only
        // Minimum key size is 2048-bit
        int keySize = 2048;
        Mechanism keyPairGenerationMechanism = Mechanism
                .get(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN);

        RSAPublicKey rsaPublicKeyTemplate = new RSAPublicKey();
        RSAPrivateKey rsaPrivateKeyTemplate = new RSAPrivateKey();

        // Same CKA_ID on both halves so the pair can be located together later
        String id = KeyPairHandleImpl.generateId();
        rsaPublicKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8));
        rsaPrivateKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8));

        // set the general attributes for the public key
        // CKA_MODULUS_BITS and CKA_PUBLIC_EXPONENT (65537) drive the generation
        rsaPublicKeyTemplate.getModulusBits().setLongValue(Long.valueOf(keySize));
        byte[] publicExponentBytes = { (byte)0x01, (byte)0x00, (byte)0x01 };
        rsaPublicKeyTemplate.getPublicExponent().setByteArrayValue(publicExponentBytes);
        rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getLabel().setValue(component.toCharArray());
        rsaPublicKeyTemplate.getEncrypt().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getWrap().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getVerify().setBooleanValue(Boolean.TRUE);

        // set the general attributes for the private key
        // CKA_SENSITIVE and CKA_TOKEN are set; CKA_PRIVATE=false means the object
        // is visible without a login
        rsaPrivateKeyTemplate.getSensitive().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getPrivate().setBooleanValue(Boolean.FALSE);
        rsaPrivateKeyTemplate.getLabel().setValue(component.toCharArray());
        rsaPrivateKeyTemplate.getDecrypt().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getUnwrap().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);

        // C_GenerateKeyPair; on NSS 3.44 this is where CKR_GENERAL_ERROR is raised
        KeyPair generatedKeyPair;
        try
        {
            generatedKeyPair = session.generateKeyPair(keyPairGenerationMechanism,
                rsaPublicKeyTemplate, rsaPrivateKeyTemplate);
        }
        catch (TokenException e)
        {
            String msg = "Failed to generate RSA key pair on token: " + e.getMessage();
            log.error( msg );
            throw new Exception( msg, e );
        }

FYI,
1) Configuration that our application uses to initialize PKCS11 module:
        library=softokn3.dll
        initializeArguments=configDir='sql:XXX/data/NSS/db' certPrefix='' keyPrefix='' secmod='' flags='readWrite' updatedir='' updateCertPrefix='' updateKeyPrefix='' updateTokenDescription=''
        pin=XXXX
        slot=1
        libPath=XXX/modules/NSS/lib
        libList=libnspr4.dll,libplc4.dll,libplds4.dll,sqlite3.dll,nssutil3.dll,softokn3.dll


2) we initialize the PKCS11 module based on the above configuration file:
            // dll and initArgs hold the "library" and "initializeArguments"
            // values from the configuration above
            Module pkcs11Module;
            ...
            pkcs11Module = Module.getInstance( dll );

            // Most likely NSS: softoken reads its init string from the
            // pReserved field of CK_C_INITIALIZE_ARGS
            DefaultInitializeArgs arguments = new DefaultInitializeArgs();
            byte[] reservedBytes = initArgs.getBytes( Charset.defaultCharset() );
            arguments.setReserved(reservedBytes);
            pkcs11Module.initialize(arguments);
            ....

3) we establish the session with NSS using the below code, and it seems to log in fine:
            // Get all slots with token present
            Slot[] slots = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
            ...
            ..
            else
            {
                // slot is the "slot" index from the configuration above
                selectedSlot = slots[slot];
            }

            Token token = selectedSlot.getToken();
            if ( token == null )
            {
                throw new Exception( "Token is null for slot " + selectedSlot );
            }

            // More information may be needed, such as a check for write protection
            TokenInfo tokenInfo = token.getTokenInfo();

            if(tokenInfo.isWriteProtected())
            {
                String msg = "Token is write protected!";
                log.error( msg );
                throw new Exception( msg );
            }

            // Open a serial read/write session; token key objects need RW
            session = token.openSession(Token.SessionType.SERIAL_SESSION,
                    Token.SessionReadWriteBehavior.RW_SESSION, null, null);

            .....

            // Log in as the normal user (CKU_USER) with the PIN from the configuration
            session.login(Session.UserType.USER, Password.deobfuscate(pin).toCharArray());
            log.info( "PKCS#11 session login successful" );

Thanks..
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
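As an added diagnostic example (my code, not from the post above or from IAIK), a pre-flight check that asks the token and session, through the same IAIK wrapper, whether the preconditions for CKM_RSA_PKCS_KEY_PAIR_GEN hold before C_GenerateKeyPair is called, and lints the private-key template from the post. The class and method names are hypothetical; the IAIK calls used (Session.getSessionInfo, State.RW_USER_FUNCTIONS, Token.getMechanismInfo, MechanismInfo.getMinKeySize/getMaxKeySize, BooleanAttribute.getBooleanValue) are assumed from the wrapper's API as I know it.

```java
import java.util.ArrayList;
import java.util.List;
import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.MechanismInfo;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.SessionInfo;
import iaik.pkcs.pkcs11.State;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.TokenInfo;
import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;
import iaik.pkcs.pkcs11.wrapper.PKCS11Exception;

public final class RsaKeyGenPreflight {

    // Hypothetical helper: reports every precondition that would explain a
    // key-pair generation failure. An empty list means nothing obvious is wrong.
    public static List<String> check(Token token, Session session, int keySize,
                                     RSAPrivateKey privTemplate) throws TokenException {
        List<String> findings = new ArrayList<>();
        TokenInfo ti = token.getTokenInfo();
        if (ti.isWriteProtected()) findings.add("token is write protected");
        SessionInfo si = session.getSessionInfo();
        if (!si.isRwSession()) findings.add("session is read-only; CKA_TOKEN keys need RW");
        if (!State.RW_USER_FUNCTIONS.equals(si.getState()))
            findings.add("not logged in as CKU_USER (state " + si.getState() + ")");

        // Ask the token what it actually supports for this mechanism instead of
        // assuming 2048-bit RSA generation is available.
        Mechanism mech = Mechanism.get(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN);
        MechanismInfo mi;
        try {
            mi = token.getMechanismInfo(mech);
        } catch (PKCS11Exception e) {
            findings.add("CKM_RSA_PKCS_KEY_PAIR_GEN not supported: " + e.getMessage());
            return findings;
        }
        if (keySize < mi.getMinKeySize() || keySize > mi.getMaxKeySize())
            findings.add("key size " + keySize + " outside [" + mi.getMinKeySize()
                         + ", " + mi.getMaxKeySize() + "]");

        // Template lint: not a cause of CKR_GENERAL_ERROR, but a token-resident
        // private key should normally be CKA_PRIVATE and CKA_SENSITIVE.
        if (Boolean.FALSE.equals(privTemplate.getPrivate().getBooleanValue()))
            findings.add("private key template sets CKA_PRIVATE=false");
        if (!Boolean.TRUE.equals(privTemplate.getSensitive().getBooleanValue()))
            findings.add("private key template is not CKA_SENSITIVE");
        return findings;
    }
}
```

Call it with the token, session and rsaPrivateKeyTemplate from the post right before session.generateKeyPair and log the findings next to the PKCS11Exception message, so the CKR_GENERAL_ERROR report carries the token's mechanism limits and session state alongside it.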