  1. EJBCA
  2. ECA-8386

Cannot renew a CV certificate using the WS API - Key spec not recognized

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not able to fix
    • Affects Version/s: EJBCA 6.14.0, EJBCA 7.2.1
    • Fix Version/s: None
    • Component/s: PKI core
    • Labels:
    • Issue discovered during:
      Customer

      Description

      A customer is trying to renew an IS certificate using the web service API, but the issuance of the certificate fails with the following error message:

      2019-08-01 14:08:58,310 WARN  [org.ejbca.core.ejb.ca.sign.SignSessionBean] (default task-25) Verification of outer signature in CVC request failed for holderRef 'CN=IS01,C=XX'. Message: key spec not recognized.: java.security.spec.InvalidKeySpecException: key spec not recognized
      	at org.bouncycastle.jcajce.provider.asymmetric.util.BaseKeyFactorySpi.engineGeneratePublic(Unknown Source)
      	at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi.engineGeneratePublic(Unknown Source)
      	at java.security.KeyFactory.generatePublic(KeyFactory.java:328)
      	at org.cesecore.keys.util.KeyTools.getECPublicKeyWithParams(KeyTools.java:341)
      	at org.ejbca.core.ejb.ca.sign.SignSessionBean.getCVPublicKey(SignSessionBean.java:820)
      	at org.ejbca.core.ejb.ca.sign.SignSessionBean.createCardVerifiableCertificateWS(SignSessionBean.java:629) [...]
      

      The authenticated CVC request being sent from the inspection system looks like this:

      67 REQ_AUTHENTICATION
         7f21 CV_CERTIFICATE
            7f4e CERTIFICATE_BODY
               5f29 PROFILE_IDENTIFIER  0
               42 CA_REFERENCE  XX/DVCA/00030
               7f49 PUBLIC_KEY
                  6 OID  0.4.0.127.0.7.2.2.2.2.3
                  81 MODULUS
      A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
                  82 COEFFICIENT_A
      7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
                  83 COEFFICIENT_B
      26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
                  84 BASE_POINT_G
      048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
                  85 BASE_POINT_R_ORDER
      A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
                  86 PUBLIC_POINT_Y
      043DB758BAA898F3A621320BF23D2E11A03B1561E98B842AE6828CD8EF91A6965F517F4088A368204A9D674F84B0DFAFC734DF6D93355E19F648F04376C425B1DA
                  87 COFACTOR_F  1
               5f20 HOLDER_REFERENCE  XX/IS01/00001
            5f37 SIGNATURE
      5E7AE16AAC89B82F5EB54BBEB7DC7F5B1E862CBC8E809DD2C0351997CDCF7C6E68DDBB008867A3723D70ED17C964B2350A107F991A20233AE04061599EF90365
         42 CA_REFERENCE  XX/IS01/00000
         5f37 SIGNATURE
      9827C1380C8604A91446628BFD2B77784C650883F30F64A34C52E7101731E5FA21F4499476EE331AEB1C24947D395DC9B1D1426F90DE68727538471E1AEA5DB4
      

      InvalidKeySpecException is thrown by Bouncy Castle when KeyTools.getECPublicKeyWithParams generates a public key with key parameters from the CVCA.
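      An added diagnostic, not part of the original report or of EJBCA's code: it takes the explicit domain parameters and points from the PUBLIC_KEY object in the dump above and checks that they are internally consistent (non-singular curve, base point and public point on the curve, order within the Hasse bound), which helps separate a malformed request from a key-factory problem on the CA side. The function names are hypothetical; the hex values are copied from the dump.

```python
# Added diagnostic, not EJBCA code. Hex values are copied from the PUBLIC_KEY
# object in the CVC request dump; function names are hypothetical.
DUMP = {
    0x81: "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",  # p
    0x82: "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9",  # a
    0x83: "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6",  # b
    0x84: "048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262"
          "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997",  # G
    0x85: "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",  # n
    0x86: "043DB758BAA898F3A621320BF23D2E11A03B1561E98B842AE6828CD8EF91A6965F"
          "517F4088A368204A9D674F84B0DFAFC734DF6D93355E19F648F04376C425B1DA",  # Q
    0x87: "01",  # cofactor h
}

def parse_point(hexstr, p):
    """Decode an uncompressed EC point (0x04 || X || Y) over the prime field p."""
    raw = bytes.fromhex(hexstr)
    size = (p.bit_length() + 7) // 8
    if len(raw) != 1 + 2 * size or raw[0] != 0x04:
        raise ValueError("not an uncompressed point of the expected length")
    return int.from_bytes(raw[1:1 + size], "big"), int.from_bytes(raw[1 + size:], "big")

def on_curve(point, p, a, b):
    """True if point satisfies y^2 = x^3 + a*x + b (mod p) with reduced coordinates."""
    x, y = point
    return 0 <= x < p and 0 <= y < p and (y * y - (x * x * x + a * x + b)) % p == 0

def check_public_key(fields):
    """Report which explicit parameters are present and whether they agree."""
    missing = [hex(t) for t in range(0x81, 0x88) if t not in fields]
    if missing:
        return {"missing_tags": missing}
    p, a, b, n, h = (int(fields[t], 16) for t in (0x81, 0x82, 0x83, 0x85, 0x87))
    return {
        "missing_tags": [],
        "curve_nonsingular": (4 * a**3 + 27 * b**2) % p != 0,
        "base_point_on_curve": on_curve(parse_point(fields[0x84], p), p, a, b),
        "public_point_on_curve": on_curve(parse_point(fields[0x86], p), p, a, b),
        # Hasse: |n*h - (p + 1)| <= 2*sqrt(p), squared to stay in integers
        "order_in_hasse_bound": (n * h - p - 1) ** 2 <= 4 * p,
    }

if __name__ == "__main__":
    for name, value in check_public_key(DUMP).items():
        print(f"{name}: {value}")
```
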

            People

            • Assignee: Bastian Fredriksson (bastianf)
            • Reporter: Bastian Fredriksson (bastianf)

                Time Tracking

                • Original Estimate: 2 days
                • Remaining Estimate: 1 day, 4 hours, 30 minutes
                • Time Spent: 3 hours, 30 minutes