EJBCA / ECA-75

SCEP not working with Hard token CAs (HSMs)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EJBCA 3.0.7, EJBCA 3.1
    • Fix Version/s: EJBCA 3.1.3
    • Component/s: PKI core
    • Labels: None

      Description

      RSASignSessionBean line 726 (in 3.1):

          req.setKeyInfo((X509Certificate)ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN));

      sends the CA's private signing key to ScepRequestMessage for decrypting the request sent by the client. ScepRequestMessage on line 294 does:

          decBytes = recipient.getContent(privateKey, "BC");

      i.e. it uses the BC provider to decrypt. If the CA's key is in hardware we must use the hardware provider.

      We must also document that the hardware provider must support the decryption algorithm that BC performs with the private key, so that SCEP works with an HSM-based CA.
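      The shape of the fix the report asks for, as an added illustration rather than EJBCA's own patch: the provider name comes from the CA token instead of the hard-coded "BC", and a preflight check confirms that provider (a PKCS#11 provider for an HSM, "BC" for a soft token) can actually do the RSA decryption the envelope needs. The class name, the providerName parameter and the "RSA/ECB/PKCS1Padding" algorithm string used for the check are assumptions; getContent(Key, String) is the BC API the report quotes.

```java
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.util.Iterator;

import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.RecipientInformation;

/** Decrypts the SCEP PKCS#7 envelope with the provider that actually holds the CA key (illustrative, not EJBCA code). */
public final class ScepEnvelopeDecryptor {

    // Assumed JCE name of the RSA key-transport unwrap the SCEP client applied with the CA's public key.
    private static final String RSA_UNWRAP_ALG = "RSA/ECB/PKCS1Padding";

    /**
     * Preflight check: the provider reported by the CA token must be installed and offer RSA
     * decryption, otherwise decrypting the SCEP request with the CA private key cannot succeed.
     * This is the documented requirement for HSM-based CAs.
     */
    public static boolean providerSupportsRsaDecrypt(String providerName) {
        Provider p = Security.getProvider(providerName);
        return p != null && p.getService("Cipher", RSA_UNWRAP_ALG) != null;
    }

    /**
     * @param envelope     the SCEP envelopedData carrying the PKCS#10 request
     * @param caPrivateKey handle to the CA key; for an HSM this is an opaque reference, not key material
     * @param providerName provider name taken from the CA token, never the hard-coded "BC"
     */
    public static byte[] decrypt(CMSEnvelopedData envelope, PrivateKey caPrivateKey, String providerName)
            throws CMSException, NoSuchProviderException {
        if (!providerSupportsRsaDecrypt(providerName)) {
            throw new NoSuchProviderException("Provider " + providerName + " cannot perform " + RSA_UNWRAP_ALG);
        }
        Iterator recipients = envelope.getRecipientInfos().getRecipients().iterator();
        if (!recipients.hasNext()) {
            throw new CMSException("SCEP envelope has no RecipientInfo");
        }
        RecipientInformation recipient = (RecipientInformation) recipients.next();
        // The unwrap runs inside whichever provider owns the key, so an HSM key never leaves the token.
        return recipient.getContent(caPrivateKey, providerName);
    }
}
```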

            People

            Assignee: Tomas Gustavsson (tomas)
            Reporter: Tomas Gustavsson (tomas)
