IAIK/NSS3.44

Thu, 11 Jul 2019 10:59:07 -0700 

Hello

Would appreciate any help related to the issue we are noticing. 

Our application uses IAIK PKCS#11 Wrapper 1.4 to connect to NSS. 

We had no issues with the below code when connecting to NSS3.39. However, in 
our testing with NSS3.44, we seem to encounter 
iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR when generating 
keypair via session.generateKeyPair API:


        // This function returns the public key handle only
        // Minimum key size is 2048-bit
        int keySize = 2048;
        Mechanism keyPairGenerationMechanism = Mechanism
                .get(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN);
        
        RSAPublicKey rsaPublicKeyTemplate = new RSAPublicKey();
        RSAPrivateKey rsaPrivateKeyTemplate = new RSAPrivateKey();
        
        String id = KeyPairHandleImpl.generateId();
        
rsaPublicKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8));
        
rsaPrivateKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8));
        
        // set the general attributes for the public key
        //
        rsaPublicKeyTemplate.getModulusBits().setLongValue(new Long(keySize));
        byte[] publicExponentBytes = { (byte)0x01, (byte)0x00, (byte)0x01 }; 
        
rsaPublicKeyTemplate.getPublicExponent().setByteArrayValue(publicExponentBytes);
        rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getLabel().setValue(component.toCharArray());
        rsaPublicKeyTemplate.getEncrypt().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getWrap().setBooleanValue(Boolean.TRUE);
        rsaPublicKeyTemplate.getVerify().setBooleanValue(Boolean.TRUE);

        // set the general attributes for the private key
        //
        rsaPrivateKeyTemplate.getSensitive().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getPrivate().setBooleanValue(Boolean.FALSE);
        rsaPrivateKeyTemplate.getLabel().setValue(component.toCharArray());
        rsaPrivateKeyTemplate.getDecrypt().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getUnwrap().setBooleanValue(Boolean.TRUE);
        rsaPrivateKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);
        
        KeyPair generatedKeyPair;
        try
        {
            generatedKeyPair = 
session.generateKeyPair(keyPairGenerationMechanism,
                rsaPublicKeyTemplate, rsaPrivateKeyTemplate);
        }
        catch (TokenException e)
        {
            String msg = "Failed to generate RSA key pair on token: " + 
e.getMessage();
            log.error( msg );
            throw new Exception( msg, e );
        }

FYI, 
1) Configuration that our application uses to initialize PKCS11 module:
        library=softokn3.dll
        initializeArguments=configDir='sql:XXX/data/NSS/db' certPrefix='' 
keyPrefix='' secmod='' flags='readWrite' updatedir='' updateCertPrefix='' 
updateKeyPrefix='' updateTokenDescription=''
        pin=XXXX
        slot=1
        libPath=XXX/modules/NSS/lib
        
libList=libnspr4.dll,libplc4.dll,libplds4.dll,sqlite3.dll,nssutil3.dll,softokn3.dll


2) we intialize PKCS11 module based of the above configuration file:
            Module pkcs11Module;
            ...
            pkcs11Module = Module.getInstance( dll );

                // Most likely NSS
                DefaultInitializeArgs arguments = new DefaultInitializeArgs();
                byte[] reservedBytes = initArgs.getBytes( 
Charset.defaultCharset() );
                arguments.setReserved(reservedBytes);
                pkcs11Module.initialize(arguments);
                ....

3) we establish the session with NSS using below code and seems to login fine:
                        
            // Get all slots with token present
            Slot[] slots = 
pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
            ...
            ..
            else
            {
                selectedSlot = slots[slot];
            }

            Token token = selectedSlot.getToken();
            if ( token == null )
            {
                throw new Exception( "Token is null for slot " + selectedSlot );
            }
            
            // More information may be needed such check for write protection
            TokenInfo tokenInfo = token.getTokenInfo();
            
            if(tokenInfo.isWriteProtected())
            {
                String msg = "Token is write protected!";
                log.error( msg );
                throw new Exception( msg, null );
            }

            // Open a read, write session
            session = token.openSession(Token.SessionType.SERIAL_SESSION,
                    Token.SessionReadWriteBehavior.RW_SESSION, null, null);
            
            .....
            
            session.login(Session.UserType.USER, 
Password.deobfuscate(pin).toCharArray());
            log.info( "PKCS#11 session login successful" );

Thanks..
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security

Reply via email to