Hi All,
We were able to build NSS-3.49 on Windows and reproduce the issue with the
sample testclient:
java.lang.Exception: Failed to generate RSA key pair on token: CKR_GENERAL_ERROR
    at GenerateKeyPair.main(GenerateKeyPair.java:274)
Caused by: iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
    at iaik.pkcs.pkcs11.wrapper.PKCS11Implementation.C_GetAttributeValue(Native Method)
    at iaik.pkcs.pkcs11.objects.Object.getAttributeValue(Object.java:716)
    at iaik.pkcs.pkcs11.objects.Key.readAttributes(Key.java:622)
    at iaik.pkcs.pkcs11.objects.PublicKey.readAttributes(PublicKey.java:398)
    at iaik.pkcs.pkcs11.objects.RSAPublicKey.readAttributes(RSAPublicKey.java:242)
    at iaik.pkcs.pkcs11.objects.Object.<init>(Object.java:223)
    at iaik.pkcs.pkcs11.objects.Storage.<init>(Storage.java:105)
    at iaik.pkcs.pkcs11.objects.Key.<init>(Key.java:321)
    at iaik.pkcs.pkcs11.objects.PublicKey.<init>(PublicKey.java:119)
    at iaik.pkcs.pkcs11.objects.RSAPublicKey.<init>(RSAPublicKey.java:96)
    at iaik.pkcs.pkcs11.objects.RSAPublicKey.getInstance(RSAPublicKey.java:118)
    at iaik.pkcs.pkcs11.objects.PublicKey.getInstance(PublicKey.java:156)
    at iaik.pkcs.pkcs11.objects.Object.getInstance(Object.java:262)
    at iaik.pkcs.pkcs11.Session.generateKeyPair(Session.java:1260)
    at demo.pkcs.pkcs11.GenerateKeyPair.main(GenerateKeyPair.java:269)
################################################################################
Below is an excerpt of the sample client that connects to NSS via the IAIK
PKCS#11 Wrapper:
public static void main(String[] args) throws Exception {
    String pkcs11NSSPropertiesFilePath = args[0];
    Module pkcs11Module = null;
    Session session = null;
    try {
        Properties config = loadKeyPkcs11Config(pkcs11NSSPropertiesFilePath);
        pkcs11Module = initializeModule(config);
        session = getSession(config, pkcs11Module);
        System.out.println("################################################################################");
        System.out.println("Generating new 2048 bit RSA key-pair... ");
        String component = "KMRootCA";
        int keySize = 2048;
        Mechanism keyPairGenerationMechanism =
            Mechanism.get(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN);
        RSAPublicKey rsaPublicKeyTemplate = new RSAPublicKey();
        RSAPrivateKey rsaPrivateKeyTemplate = new RSAPrivateKey();
        String id = generateId();
        rsaPublicKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8));
        rsaPrivateKeyTemplate.getId().setByteArrayValue(id.getBytes(StandardCharsets.UTF_8));
        // set the general attributes for the public key
        // ... (remaining template setup and the session.generateKeyPair(...) call are elided in this excerpt)
    } catch (Exception e) {
        // message matches the outer exception in the stack trace above
        String msg = "Failed to generate RSA key pair on token";
        throw new Exception(msg, e);
    }
}
......
It looks like when we create token objects as highlighted above, we see the
exception. But if we modify the code to not create token objects (as
shown below), everything looks good. Please note this was not an issue in
NSS version 3.42.1.
rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
....
rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
Output:
################################################################################
Information of Token:
################################################################################
PKCS#11 session login successful
################################################################################
Generating new 2048 bit RSA key-pair...
################################################################################
Output KeyPair...
The public key is
_______________________________________________________________________________
Object Class: Public Key
Token: false
Private: false
Modifiable: true
Label: KMRootCA
Key Type: RSA
ID:
39616130393234332d643635312d343835662d613430632d6164613936343365323434653b31353739353437363034343534
Start Date: <NULL_PTR>
End Date: <NULL_PTR>
Derive: false
Local: false
Key Generation Mechanism: <Attribute not present>
Allowed Mechanisms: <Attribute not present>
Subject (DER, hex): <NULL_PTR>
Encrypt: true
Verify: true
Verify Recover: true
Wrap: true
Trusted: <Attribute not present>
Wrap Template: <Attribute not present>
Modulus (hex):
Public Exponent (hex): 010001
Modulus Bits (dec): <Attribute not present>
_______________________________________________________________________________
The private key is
_______________________________________________________________________________
Object Class: Private Key
Token: false
Private: true
Modifiable: true
Label: KMRootCA
Key Type: RSA
ID:
39616130393234332d643635312d343835662d613430632d6164613936343365323434653b31353739353437363034343534
Start Date: <NULL_PTR>
End Date: <NULL_PTR>
Derive: false
Local: false
Key Generation Mechanism: <Attribute not present>
Allowed Mechanisms: <Attribute not present>
Subject (DER, hex): <NULL_PTR>
Sensitive: true
Secondary Authentication: <Attribute not present>
Secondary Authentication PIN Flags: <Attribute not present>
Decrypt: true
Sign: true
Sign Recover: true
Unwrap: true
Extractable: true
Always Sensitive: true
Never Extractable: false
Wrap With Trusted: <Attribute not present>
Unwrap Template: <Attribute not present>
Always Authenticate: <Attribute not present>
Modulus (hex):
Public Exponent (hex): 010001
Private Exponent (hex): <Value is sensitive>
Prime 1 (hex): <Value is sensitive>
Prime 2 (hex): <Value is sensitive>
Exponent 1 (hex): <Value is sensitive>
Exponent 2 (hex): <Value is sensitive>
Coefficient (hex): <Value is sensitive>
_____________________________________________
Would appreciate help ...
Thanks..
Usha
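The wrapper's RSAPublicKey constructor reads every attribute in one C_GetAttributeValue template, so the trace above cannot say which attribute the token rejects. The probe below (added here as an example, not code from the report or from the IAIK wrapper) generates the pair with CKA_TOKEN set as requested through the wrapper's low-level PKCS11 interface and then reads the public key's attributes one at a time, so the attribute that returns CKR_GENERAL_ERROR can be named in the bug report. It assumes an already logged-in Session and Module (as the report's initializeModule/getSession helpers provide) and assumes the low-level signatures C_GenerateKeyPair(hSession, mech, pub, priv) and C_GetAttributeValue(hSession, hObject, template) for the wrapper version in use.

```java
import java.util.ArrayList;
import java.util.List;
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.wrapper.CK_ATTRIBUTE;
import iaik.pkcs.pkcs11.wrapper.CK_MECHANISM;
import iaik.pkcs.pkcs11.wrapper.PKCS11;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;
import iaik.pkcs.pkcs11.wrapper.PKCS11Exception;

public class TokenKeyAttributeProbe {

    // Public-key attributes the report's output shows the wrapper reading; probed one by one
    private static final long[] PUBLIC_ATTRS = {
        PKCS11Constants.CKA_CLASS, PKCS11Constants.CKA_TOKEN, PKCS11Constants.CKA_PRIVATE,
        PKCS11Constants.CKA_MODIFIABLE, PKCS11Constants.CKA_LABEL, PKCS11Constants.CKA_KEY_TYPE,
        PKCS11Constants.CKA_ID, PKCS11Constants.CKA_START_DATE, PKCS11Constants.CKA_END_DATE,
        PKCS11Constants.CKA_DERIVE, PKCS11Constants.CKA_LOCAL, PKCS11Constants.CKA_KEY_GEN_MECHANISM,
        PKCS11Constants.CKA_SUBJECT, PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_VERIFY,
        PKCS11Constants.CKA_VERIFY_RECOVER, PKCS11Constants.CKA_WRAP, PKCS11Constants.CKA_TRUSTED,
        PKCS11Constants.CKA_MODULUS, PKCS11Constants.CKA_PUBLIC_EXPONENT, PKCS11Constants.CKA_MODULUS_BITS
    };

    static CK_ATTRIBUTE attr(long type, Object value) {
        CK_ATTRIBUTE a = new CK_ATTRIBUTE();
        a.type = type;
        a.pValue = value;          // Boolean, Long or byte[] as the attribute requires
        return a;
    }

    /** Generates an RSA pair with CKA_TOKEN = onToken; returns the attribute types whose read failed. */
    static List<Long> probe(Module module, Session session, boolean onToken, byte[] id) throws PKCS11Exception {
        PKCS11 p11 = module.getPKCS11Module();           // bypasses the wrapper's object constructors
        long hSession = session.getSessionHandle();
        CK_MECHANISM mech = new CK_MECHANISM();
        mech.mechanism = PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN;
        CK_ATTRIBUTE[] pub = { attr(PKCS11Constants.CKA_TOKEN, onToken), attr(PKCS11Constants.CKA_ID, id),
            attr(PKCS11Constants.CKA_MODULUS_BITS, 2048L),
            attr(PKCS11Constants.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 }),
            attr(PKCS11Constants.CKA_ENCRYPT, true), attr(PKCS11Constants.CKA_VERIFY, true) };
        CK_ATTRIBUTE[] priv = { attr(PKCS11Constants.CKA_TOKEN, onToken), attr(PKCS11Constants.CKA_ID, id),
            attr(PKCS11Constants.CKA_PRIVATE, true), attr(PKCS11Constants.CKA_SENSITIVE, true),
            attr(PKCS11Constants.CKA_DECRYPT, true), attr(PKCS11Constants.CKA_SIGN, true) };
        long[] handles = p11.C_GenerateKeyPair(hSession, mech, pub, priv);   // assumed: {hPublic, hPrivate}
        List<Long> failing = new ArrayList<>();
        for (long type : PUBLIC_ATTRS) {
            CK_ATTRIBUTE[] one = { attr(type, null) };   // null pValue: the wrapper sizes the buffer itself
            try {
                p11.C_GetAttributeValue(hSession, handles[0], one);
            } catch (PKCS11Exception e) {                // e.g. CKR_GENERAL_ERROR for one specific attribute
                failing.add(type);
                System.out.printf("CKA 0x%08X -> %s%n", type, e.getMessage());
            }
        }
        return failing;
    }
}
```

Run probe(...) once with onToken=false and once with onToken=true against the same NSS 3.49 softoken and diff the two lists; the difference is the attribute to cite in the report.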