[Opendnssec-user] Creating keys on SoftHSM with Java

Adam Knight adam at aotea.co.nz
Thu Apr 14 20:37:18 UTC 2011


I don't honestly know why the key isn't created as a token key in the first place.  When I put CKA_TOKEN = true into the SoftHSM configuration file, I get an "Object class not supported" error from C_CreateObject.  That is the default case in a switch statement that checks the key type - meaning that the object Java tries to create is not detected as a CKO_PUBLIC_KEY or CKO_PRIVATE_KEY.  When I print out oClass, it is set to 1 (CKO_CERTIFICATE).  

The error in C_CreateObject does happen at the right place in the Java code though - when I try and set the private key into the key store.  

X509Certificate[] chain = makeCertificateChain(keyPair);
ks.setKeyEntry("ALIAS-GOES-HERE", pk, "1111".toCharArray(), chain);  // THIS LINE

I suspect the CKO_CERTIFICATE oClass is caused by me calling setKeyEntry and passing in the certificate chain - Java associates Private Keys with Certificates - which of course have the Public Key.  I can try saving my key as a SecretKey rather than a PrivateKey, and see if that helps - then I won't have to store the certificate chain.  I think this will also fail though as a CKO_SECRET_KEY won't pass the switch statement in C_CreateObject.

It sort of feels like we're working around the way Java just wants to do things -  http://download.oracle.com/javase/6/docs/api/index.html?java/security/KeyStore.html.  I mean having a common interface to a keystore is nice, but one that does what you want is much better :)

Thanks for your help!
	Adam


On 15/04/2011, at 2:49 AM, Rickard Bellgrim wrote:

> 
> On 14 apr 2011, at 01.15, Adam Knight wrote:
> 
>> So my questions are, has anyone successfully created an RSA key on SoftHSM using Java?  Am I missing anything?  Is there a reason C_CopyObject isn't implemented (I suspect it's just not a core function and OpenDNSSEC works fine without it)?
> 
> Yes, that function is not needed by OpenDNSSEC. But could be implemented by SoftHSM.
> 
> How come they do not create a token object from the beginning?
> 
> // Rickard
> 



ADAM_KNIGHT
DEVELOPER
M +64 21 88 00 03
P  +64 9 445 9196

LOFT 01 / 2 QUEENS PARADE
THE WHARF
PO BOX 32_131 

DEVONPORT
AUCKLAND
NEW ZEALAND

AOTEA.CO.NZ
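Rickard's question about creating a token object from the beginning has one answer on the Java side, shown here as an added example that is not Adam's code, SoftHSM's, or OpenDNSSEC's: let SunPKCS11 generate the RSA pair inside the token with CKA_TOKEN = true supplied through the provider's attributes() config, so SoftHSM receives C_GenerateKeyPair and the C_CreateObject path that setKeyEntry takes is never needed for the key material. The config path, library path, slot number and PIN are assumptions for illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Added example, not code from the original post. Config path, library path,
// slot and PIN are assumptions for illustration.
public class SoftHsmTokenKey {
    // Assumed contents of /etc/softhsm-pkcs11.cfg. The attributes blocks tell
    // SunPKCS11 to set CKA_TOKEN = true on the objects it asks SoftHSM to
    // generate, so they are token objects from the start instead of session
    // objects that disappear when the session closes.
    //   name = SoftHSM
    //   library = /usr/lib/libsofthsm.so
    //   slot = 0
    //   attributes(generate, CKO_PRIVATE_KEY, CKK_RSA) = {
    //     CKA_TOKEN = true
    //     CKA_PRIVATE = true
    //     CKA_SENSITIVE = true
    //   }
    //   attributes(generate, CKO_PUBLIC_KEY, CKK_RSA) = { CKA_TOKEN = true }
    static final String CONFIG = "/etc/softhsm-pkcs11.cfg";

    public static void main(String[] args) throws Exception {
        Provider p11 = new sun.security.pkcs11.SunPKCS11(CONFIG);
        Security.addProvider(p11);
        // Loading the PKCS11 KeyStore with the PIN performs C_Login; private
        // (CKA_PRIVATE = true) objects cannot be generated before that.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, "1111".toCharArray());
        // Generated inside SoftHSM via C_GenerateKeyPair; the returned
        // PrivateKey is a handle, the key material never leaves the token.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p11);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Sign and verify a constructed sample to show the token key works.
        byte[] msg = "constructed sample data".getBytes("US-ASCII");
        Signature signer = Signature.getInstance("SHA256withRSA", p11);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA", p11);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        System.out.println("token key signature verifies: " + verifier.verify(sig));
    }
}
```

Because the objects are created by the token itself, neither C_CreateObject nor C_CopyObject is involved; a certificate for the key can still be attached later, but the private key no longer depends on that step to exist on the token.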
