EJBCA / ECA-139

It is not possible to use a HSM to sign a pkcs10 req to an external root CA.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: EJBCA 3.1.3, EJBCA 3.2
    • Fix Version/s: EJBCA 3.2.1
    • Component/s: PKI core
    • Labels: None

      Description

      Hi Tomas,
      Thanks for the answer. We started evaluating an HSM and we successfully implemented the required interface (IHardwareToken). Note that we use EJBCA 3.0.7.
      We have setup a new CA using the new hardware token and successfully deployed it with a self-signed cert but
      we need to deploy this CA with an external root CA.
      We had to make a slight change in the code in order to sign the CSR using the HSM (CAAdminSessionBean.java line 675): we had to specify the HSM security provider instead of the hardcoded Bouncy Castle provider in the constructor of PKCS10CertificationRequest.
      After we redeployed we got to a different issue: we successfully generate a CSR, but when we try to import the signed cert back into EJBCA, we get an exception:

      2005-08-23 17:47:53,598 DEBUG [se.anatom.ejbca.ca.store.LocalCertificateStoreSessionBean] <storeCertificate()
      2005-08-23 17:47:53,599 DEBUG [se.anatom.ejbca.ca.caadmin.extendedcaservices.OCSPCAService] OCSPCAService : init
      2005-08-23 17:47:53,601 DEBUG [se.anatom.ejbca.util.KeyTools] >genKeys()
      2005-08-23 17:48:03,911 DEBUG [se.anatom.ejbca.util.KeyTools] Generated RSA keys with length 2048
      2005-08-23 17:48:03,911 DEBUG [se.anatom.ejbca.util.KeyTools] <genKeys()
      2005-08-23 17:48:03,916 DEBUG [se.anatom.ejbca.ca.caadmin.X509CA] X509CA : Setting STATUS OFFLINE Lin4SignedHSMCA
      2005-08-23 17:48:03,916 DEBUG [se.anatom.ejbca.ca.caadmin.X509CA] X509CA : New STATUS 5
      2005-08-23 17:48:03,917 DEBUG org.jboss.ejb.plugins.cmp.jdbc.JDBCFindByPrimaryKeyQuery.LogConfigurationData#findByPrimaryKey Executing SQL: SELECT t0_LogConfigurationData.id FROM LOGCONFIGURATIONDATA t0_LogConfigurationData WHERE t0_LogConfigurationData.id=?
      2005-08-23 17:48:03,919 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.LogConfigurationData] Executing SQL: SELECT logConfiguration, logEntryRowNumber FROM LOGCONFIGURATIONDATA WHERE (id=?)
      2005-08-23 17:48:03,921 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.LogConfigurationData] Executing SQL: SELECT logConfiguration, logEntryRowNumber FROM LOGCONFIGURATIONDATA WHERE (id=?)
      2005-08-23 17:48:03,923 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCCreateEntityCommand.LogEntryData] Executing SQL: SELECT COUNT FROM LOGENTRYDATA WHERE id=?
      2005-08-23 17:48:03,924 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCCreateEntityCommand.LogEntryData] Executing SQL: INSERT INTO LOGENTRYDATA (id, adminType, adminData, caId, module, time, username, certificateSNR, event, comment) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
      2005-08-23 17:48:03,926 ERROR [se.anatom.ejbca.log.Log4jLogDevice] August 23, 2005 5:48:03 PM EDT, CAId : 1956790483, CA, EVENT_ERROR_CACREATED, Administrator : CLIENTCERT, Certificate SNR : 17ba5988fa14ee11, CN=HSMCA,O=Echoworx,C=CA, User : No User Involved, Certificate : No Certificate Involved, Comment : Couldn't Initialize ExternalCAService.
      2005-08-23 17:48:03,926 ERROR [se.anatom.ejbca.log.Log4jLogDevice] Exception :
      se.anatom.ejbca.ca.exception.CATokenOfflineException
      at se.anatom.ejbca.ca.caadmin.X509CA.generateCertificate(X509CA.java:336)
      at se.anatom.ejbca.ca.caadmin.extendedcaservices.OCSPCAService.init(OCSPCAService.java:157)
      at se.anatom.ejbca.ca.caadmin.CA.initExternalService(CA.java:354)
      at se.anatom.ejbca.ca.caadmin.CAAdminSessionBean.receiveResponse(CAAdminSessionBean.java:782)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.invocation.Invocation.performCall(Invocation.java:345)
      at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:214)
      at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:185)
      at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:113)
      at org.jboss.webservice.server.ServiceEndpointInterceptor.invoke(ServiceEndpointInterceptor.java:51)

      From what I can see, the logic tries to access the public cert signing key from the HSM, but the HSM is not yet initialized by EJBCA, therefore an exception is thrown. At the same time, we cannot activate this CA (we even tried to activate the HSM using "Basic Functions->View Information" and then activate, but we got a NullPointerException trying to do that).

      I know that ejbca version 3.1 is already integrating an HSM but we don't intend to upgrade unless necessary so I'd appreciate if you could assist us with this issue.

      florin
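The core of the first problem in the report is that a PKCS#10 request must be signed by the JCA provider that actually holds the private key: an HSM-resident key is not extractable, so a signer hardcoded to the Bouncy Castle provider cannot use it. The following is an added example, not EJBCA's own code nor the reporter's patch; it uses the current Bouncy Castle `bcpkix` builder API rather than the 2005-era `PKCS10CertificationRequest` constructor the report refers to, and the `setProvider(...)` call here plays the role of the provider argument that the reporter had to change. The JDK's software `SunRsaSign` provider stands in for the HSM so the example runs offline; with a real HSM the key pair would come from a `PKCS11` `KeyStore` and the `SunPKCS11` provider instance (assumed name, e.g. `SunPKCS11-hsm`) would be passed in its place.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/**
 * Added example (not EJBCA code): build a PKCS#10 request whose signature is
 * computed by the JCA provider that owns the private key, instead of a provider
 * hardcoded to "BC". For an HSM-backed key (e.g. SunPKCS11) the private key is
 * not extractable (getEncoded() returns null), so only that provider can sign.
 */
public class CsrWithKeyProvider {

    /** Build and self-sign a CSR using keyProvider, the provider that holds the key. */
    public static PKCS10CertificationRequest buildCsr(String subjectDn, KeyPair keyPair,
                                                       Provider keyProvider) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider(keyProvider)   // the key's provider, NOT a hardcoded "BC"
                .build(keyPair.getPrivate());
        return new JcaPKCS10CertificationRequestBuilder(new X500Name(subjectDn), keyPair.getPublic())
                .build(signer);
    }

    /** Verify the CSR's self-signature; the public key is inside the request, so BC can do this. */
    public static boolean verifyCsr(PKCS10CertificationRequest csr) throws Exception {
        return csr.isSignatureValid(new JcaContentVerifierProviderBuilder()
                .setProvider(new BouncyCastleProvider())
                .build(csr.getSubjectPublicKeyInfo()));
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the HSM: the JDK's software RSA provider. With a real HSM,
        // load the KeyPair from a "PKCS11" KeyStore and pass the SunPKCS11 provider
        // instance here (assumed provider name: "SunPKCS11-hsm").
        Provider keyProvider = Security.getProvider("SunRsaSign");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", keyProvider);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Subject DN constructed for the example; it mirrors the one in the log above.
        PKCS10CertificationRequest csr = buildCsr("CN=HSMCA,O=Echoworx,C=CA", kp, keyProvider);
        System.out.println("CSR signature valid: " + verifyCsr(csr));

        // Why the hardcoded-provider constructor fails with an HSM: a software provider
        // can only sign with a key whose encoding it can read. A software key prints
        // true here; a SunPKCS11 key prints false, and a "BC" signer would throw.
        PrivateKey k = kp.getPrivate();
        System.out.println("private key extractable: " + (k.getEncoded() != null));
    }
}
```

Verification is deliberately done with Bouncy Castle regardless of where the key lives: the public key travels inside the request, so any software provider can check the signature, which is also why the external root CA needs nothing from the HSM. The second problem in the report, the CATokenOfflineException during certificate import, is a separate ordering issue (the CA token must be activated before any key use) and is not addressed by the signing change shown here.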

            People

            Assignee: philip (Philip Vendil, Inactive)
            Reporter: lars (Lars Silvén)
            Votes: 0
            Watchers: 1