Discussions
Categories
- 196.9K All Categories
- 2.2K Data
- 239 Big Data Appliance
- 1.9K Data Science
- 450.4K Databases
- 221.7K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 31 Multilingual Engine
- 550 MySQL Community Space
- 478 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3K ORDS, SODA & JSON in the Database
- 546 SQLcl
- 4K SQL Developer Data Modeler
- 187K SQL & PL/SQL
- 21.3K SQL Developer
- 295.9K Development
- 17 Developer Projects
- 138 Programming Languages
- 292.6K Development Tools
- 107 DevOps
- 3.1K QA/Testing
- 646K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 155 Java Community Process
- 105 Java 25
- 22.1K Java APIs
- 138.1K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 18 Java Essentials
- 160 Java 8 Questions
- 86K Java Programming
- 80 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 204 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 442 LiveLabs
- 38 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 171 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 232 Portuguese
PKCS11 token, receiving error CKR_ATTRIBUTE_TYPE_INVALID when executing keystore.getKey()
Best Answer
-
Longmai(the token vendor) provided new DLL and problem is solved
Answers
-
The error is generated in the native dll code and the Java wrapper is just propagating the error back. You need to use some tools like https://github.com/Pkcs11Interop/pkcs11-logger to be able to troubleshoot the source of your problem. My guess would be that one of your keys does not have an ID associated with it since I've seen that happening before, but you will need to get more details using some PKCS11 logger tools to find what the cause of your issue is.
-
Thank you, I installed pkcs11 loggier and I found out that the problem is at the attribute CKA_MODULUS.
But I have no ideea what to do next. Can I fix this?
This is the end of the log file:
0x00001940 : 0x000018ac : ****************************** 2018-02-19 08:53:54 ***0x00001940 : 0x000018ac : Calling C_GetAttributeValue0x00001940 : 0x000018ac : Input0x00001940 : 0x000018ac : hSession: 3594684000x00001940 : 0x000018ac : hObject: 3594690480x00001940 : 0x000018ac : pTemplate: 1505A5480x00001940 : 0x000018ac : ulCount: 10x00001940 : 0x000018ac : *** Begin attribute template ***0x00001940 : 0x000018ac : Attribute 00x00001940 : 0x000018ac : Attribute: 288 (CKA_MODULUS)0x00001940 : 0x000018ac : pValue: 000000000x00001940 : 0x000018ac : ulValueLen: 00x00001940 : 0x000018ac : *** End attribute template ***0x00001940 : 0x000018ac : Output0x00001940 : 0x000018ac : pTemplate: 1505A5480x00001940 : 0x000018ac : ulCount: 10x00001940 : 0x000018ac : *** Begin attribute template ***0x00001940 : 0x000018ac : Attribute 00x00001940 : 0x000018ac : Attribute: 288 (CKA_MODULUS)0x00001940 : 0x000018ac : pValue: 000000000x00001940 : 0x000018ac : ulValueLen: 42949672950x00001940 : 0x000018ac : *** End attribute template ***0x00001940 : 0x000018ac : Returning 18 (CKR_ATTRIBUTE_TYPE_INVALID)
-
What type of key is it? Is it a RSA key or some other type of key? I think if I remember correctly, CKA_MODULUS is mandatory for RSA key. Maybe you try it with another type of key and see how it responds?
-
Key is a RSA, 2048bits. This key is not written by me, this certificate is brought from a certificate authority and delivered directly on this token.
Here is the full output of the pkcs11 logger: http://cc123.caido.ro/pkcs11.txt
I generated a new test certificate with private and public keys RSA 2048 and I imported it on the USB token.
Now when I run the application I receive CKR_ATTRIBUTE_TYPE_INVALID on another line: "keystorePkcs11.load(null, pass);"
The attribute that generates this error is now CKA_ID. Does this means that my new generated certificate has something missing(I made a mistake when I generated it)?
0x00000fc8 : 0x00000ffc : ****************************** 2018-02-19 10:23:56 ***0x00000fc8 : 0x00000ffc : Calling C_GetAttributeValue0x00000fc8 : 0x00000ffc : Input0x00000fc8 : 0x00000ffc : hSession: 3596650080x00000fc8 : 0x00000ffc : hObject: 3614019040x00000fc8 : 0x00000ffc : pTemplate: 151E19000x00000fc8 : 0x00000ffc : ulCount: 10x00000fc8 : 0x00000ffc : *** Begin attribute template ***0x00000fc8 : 0x00000ffc : Attribute 00x00000fc8 : 0x00000ffc : Attribute: 258 (CKA_ID)0x00000fc8 : 0x00000ffc : pValue: 000000000x00000fc8 : 0x00000ffc : ulValueLen: 00x00000fc8 : 0x00000ffc : *** End attribute template ***0x00000fc8 : 0x00000ffc : Output0x00000fc8 : 0x00000ffc : pTemplate: 151E19000x00000fc8 : 0x00000ffc : ulCount: 10x00000fc8 : 0x00000ffc : *** Begin attribute template ***0x00000fc8 : 0x00000ffc : Attribute 00x00000fc8 : 0x00000ffc : Attribute: 258 (CKA_ID)0x00000fc8 : 0x00000ffc : pValue: 000000000x00000fc8 : 0x00000ffc : ulValueLen: 42949672950x00000fc8 : 0x00000ffc : *** End attribute template ***0x00000fc8 : 0x00000ffc : Returning 18 (CKR_ATTRIBUTE_TYPE_INVALID)
-
I fixed the CKA_ID error, now I receive the same error on the test certificate(the error that is coused by the CKA_MODULUS attribute).
When I imported my test certificate there were also auto imoprted another 2 certificates for the authority and intermediate authority. These 2 had no CKA_ID. I deleted them from the certificate and CKA_ID attribute was no longer a problem..
Could I write on the USB token the CKA_MODULUS attribute to fix the problem?
-
I used OpenSC and using this application I can successfully crypt and decrypt using vendors DLL.
So the solution sould be in Java as long as this DLL(cryptoide_pkcs11.dll) is working fine with openSC.
Maybe there is a solution in the vendor DLL but I don't have acces to this source code.
-
Longmai(the token vendor) provided new DLL and problem is solved