[Opendnssec-user] Creating keys on SoftHSM with Java
rickard.bellgrim at iis.se
Fri Apr 15 06:58:25 UTC 2011
SoftHSM does not currently support certificates (CKO_CERTIFICATE), which is why you get that message. However, there is a patch available that will add support for certificates. See:
It sounds to me like we should spend some time integrating this work into SoftHSM, so that others can benefit from it.
On 14 apr 2011, at 22.37, Adam Knight wrote:
I don't honestly know why the key isn't created as a token key in the first place. When I put CKA_TOKEN = true into the SoftHSM configuration file, I get an "Object class not supported" error from C_CreateObject. That is the default case in a switch statement that checks the key type - meaning that the object Java tries to create is not detected as a CKO_PUBLIC_KEY or CKO_PRIVATE_KEY. When I print out oClass, it is set to 1 (CKO_CERTIFICATE).
The error in C_CreateObject does happen at the right place in the Java code though - when I try and set the private key into the key store.
X509Certificate[] chain = makeCertificateChain(keyPair); // setKeyEntry expects a Certificate[] chain
ks.setKeyEntry("ALIAS-GOES-HERE", pk, "1111".toCharArray(), chain); // THIS LINE
I suspect the CKO_CERTIFICATE oClass is caused by me calling setKeyEntry and passing in the certificate chain - Java associates Private Keys with Certificates - which of course have the Public Key. I can try saving my key as a SecretKey rather than a PrivateKey, and see if that helps - then I won't have to store the certificate chain. I think this will also fail though as a CKO_SECRET_KEY won't pass the switch statement in C_CreateObject.
It sort of feels like we're working around the way Java just wants to do things - http://download.oracle.com/javase/6/docs/api/index.html?java/security/KeyStore.html. I mean having a common interface to a keystore is nice, but one that does what you want is much better :)
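As an added illustration of the behaviour discussed above (this is example code written for this page, not code from the thread or from the SoftHSM project), the program below drives a SoftHSM token through the SunPKCS11 provider: it generates an RSA key pair on the token, builds a self-signed certificate for it, and then calls setKeyEntry, which is the point at which Java stores the private key and the certificates of the chain as separate PKCS#11 objects. The library path, PIN and alias are assumptions; Bouncy Castle (bcpkix) is assumed on the classpath for the certificate builder, and the provider configuration uses the Java 9+ Provider.configure API (Files.writeString needs Java 11+). If the token rejects the certificate object, the KeyStoreException's cause chain carries the PKCS#11 error, which is the quickest way to confirm that C_CreateObject, not the key generation, is what fails.

```java
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SoftHsmKeyStoreDemo {
    // Assumed values: adjust to your SoftHSM installation and token.
    private static final String SOFTHSM_LIB = "/usr/lib/softhsm/libsofthsm2.so";
    private static final char[] USER_PIN = "1111".toCharArray();
    private static final String ALIAS = "demo-key";

    public static void main(String[] args) throws Exception {
        // 1. Configure the SunPKCS11 provider to load the SoftHSM library.
        Path cfg = Files.createTempFile("softhsm", ".cfg");
        Files.writeString(cfg, "name = SoftHSM\nlibrary = " + SOFTHSM_LIB + "\nslotListIndex = 0\n");
        Provider p = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(p);

        // 2. Open the token as a KeyStore; load(null, pin) performs the C_Login.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, USER_PIN);

        // 3. Generate the key pair inside the token. These are session objects
        //    until a KeyStore entry is written for them.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // 4. setKeyEntry requires a certificate chain: SunPKCS11 stores the
        //    private key and each certificate of the chain as separate objects,
        //    so a token without certificate support fails here.
        X509Certificate[] chain = { selfSigned(kp, p) };
        try {
            ks.setKeyEntry(ALIAS, kp.getPrivate(), USER_PIN, chain);
            System.out.println("stored " + ALIAS + "; isKeyEntry=" + ks.isKeyEntry(ALIAS));
        } catch (KeyStoreException e) {
            // Walk the cause chain to surface the underlying PKCS#11 error.
            System.out.println("setKeyEntry failed: " + e.getMessage());
            for (Throwable c = e.getCause(); c != null; c = c.getCause()) {
                System.out.println("  caused by: " + c);
            }
        }
    }

    // Build a minimal self-signed certificate for the key pair with Bouncy Castle.
    // The signature is produced through the PKCS#11 provider, so the private key
    // never leaves the token.
    static X509Certificate selfSigned(KeyPair kp, Provider p) throws Exception {
        X500Name name = new X500Name("CN=softhsm-demo");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            name, BigInteger.valueOf(notBefore.getTime()), notBefore, notAfter, name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
            .setProvider(p)
            .build(kp.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }
}
```

Run it against a token initialised with the assumed PIN; on a SoftHSM build that accepts CKO_CERTIFICATE objects the entry is stored and isKeyEntry reports true, while on one that does not the printed cause chain shows the PKCS#11 return from C_CreateObject, matching the symptom described in the message.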