Hi, I am having problems creating a crypto token in EJBCA with YubiHSM2.
The error is the following:
[P11 - ERR 21:10:53.246143] util_pkcs11.c:4593 (parse_rsa_generate_template): Boolean truth check failed for attribute 0x1
[P11 - ERR 21:10:53.246154] yubihsm_pkcs11.c:5248 (C_GenerateKeyPair): Unable to parse generation template
Command could not be executed. See log for stack trace.
2024-02-29 21:10:53,247 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 'PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so 2048 defaultKey 0' could not be executed.
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:422)
at java.base/java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:722)
at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:453)
at org.cesecore.keys.util.KeyStoreTools.generateRSA(KeyStoreTools.java:302)
at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:362)
at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:243)
at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:730)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:414)
... 8 more
It looks like the application (meaning the client of yubihsm_pkcs11, which in this case also includes the Java pkcs11 wrapper) is setting CKA_TOKEN to CK_FALSE which isn't supported - all objects on the YubiHSM are created on the token. yubihsm_pkcs11 disallows that to avoid misleading users that objects can be created as session objects.
@Jmacea I just tried to generate an RSA2048 keypair in the Crypto Token view on EJBCA and did not run into problems. The key showed up when I listed the content of the YubiHSM using a separate tool and I could use the key to sign a certificate on EJBCA.
Since you have a proper log from the yubihsm_pkcs11 module, I assume the configuration in conf/web.properties is correct, so I suspect it's a configuration issue elsewhere.
What is the version of the yubihsm_pkcs11 you are running? How are you generating the key? What does your Crypto Token configuration look like?
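An added example, not part of the thread and not Yubico or EJBCA code: a small Python triage helper for the log layout quoted in this issue. It decodes the attribute number in the "Boolean truth check failed" line to its PKCS#11 name and collects the CKR codes from the Java trace. The names `triage`, `CKA_NAMES` and `HINTS` are this example's own, and the attribute table is a subset of the values in the PKCS#11 specification.

```python
import re

# Attribute type values from the PKCS#11 specification (pkcs11t.h); subset only.
CKA_NAMES = {0x0: "CKA_CLASS", 0x1: "CKA_TOKEN", 0x2: "CKA_PRIVATE",
             0x3: "CKA_LABEL", 0x103: "CKA_SENSITIVE", 0x108: "CKA_SIGN",
             0x10A: "CKA_VERIFY", 0x162: "CKA_EXTRACTABLE"}

# Line layout as it appears in the module log quoted in this issue.
P11_LINE = re.compile(r"\[P11 - (?P<level>\w+) (?P<time>[\d:.]+)\] "
                      r"(?P<file>[\w.]+):(?P<line>\d+) \((?P<func>\w+)\): (?P<msg>.*)")
BOOL_FAIL = re.compile(r"Boolean truth check failed for attribute 0x([0-9a-fA-F]+)")
CKR_CODE = re.compile(r"PKCS11Exception: (CKR_\w+)")

# Hints keyed by attribute name; the CKA_TOKEN text restates the reply in this thread.
HINTS = {"CKA_TOKEN": "client template set CKA_TOKEN to CK_FALSE; "
                      "yubihsm_pkcs11 only creates token objects"}

def triage(log_text):
    """Return rejected template attributes and the CKR codes seen in log_text."""
    rejected, codes = [], []
    for raw in log_text.splitlines():
        m = P11_LINE.search(raw)
        if m and m["level"] == "ERR":
            b = BOOL_FAIL.search(m["msg"])
            if b:
                attr = int(b.group(1), 16)
                name = CKA_NAMES.get(attr, f"unknown attribute 0x{attr:x}")
                rejected.append({"func": m["func"],
                                 "where": f'{m["file"]}:{m["line"]}',
                                 "attribute": name,
                                 "hint": HINTS.get(name, "")})
        for code in CKR_CODE.findall(raw):
            if code not in codes:  # keep first-seen order, drop repeats
                codes.append(code)
    return {"rejected": rejected, "ckr_codes": codes}

# Sample input: lines copied from the log posted in this issue.
SAMPLE = """\
[P11 - ERR 21:10:53.246143] util_pkcs11.c:4593 (parse_rsa_generate_template): Boolean truth check failed for attribute 0x1
[P11 - ERR 21:10:53.246154] yubihsm_pkcs11.c:5248 (C_GenerateKeyPair): Unable to parse generation template
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```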