AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Rsa pkcs encrypt operation received firmware error: The key used does not support the requested operation

0

Failed to create CMS signature using cloudHSM asymmetric key from my local machine connected over vpn. I'm trying to sign the CMS signature using a RSA key generated I am able to sign the CSR but when using the same key for CMS signing it throws the following exception

[cloudhsm_provider::hsm1::session::rsa_pkcs::encrypt_decrypt::error] Rsa pkcs encrypt operation received firmware error: The key used does not support the requested operation. iaik.tsp.TspSigningException: Can't sign TimeStampToken: java.security.NoSuchAlgorithmException: Error computing signature value: iaik.cms.CMSException: Unable to calculate signature: java.security.SignatureException: Cannot calculate RSA siganture: com.amazonaws.cloudhsm.jce.jni.exception.KeyUsageException: An attempt has been made to use a key for a cryptographic purpose that the key's attributes are not set to allow it to do. at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:967) at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:859) at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:1024) I am using following key attributes while generating the key

publicKeyAttrsMap.put(KeyAttribute.LABEL, label + ":Public"); publicKeyAttrsMap.put(KeyAttribute.MODULUS_BITS, keySizeInBits); publicKeyAttrsMap.put(KeyAttribute.PUBLIC_EXPONENT, new BigInteger("65537").toByteArray()); publicKeyAttrsMap.put(KeyAttribute.TOKEN, Boolean.TRUE); publicKeyAttrsMap.put(KeyAttribute.VERIFY, Boolean.TRUE);

privateKeyAttrsMap.put(KeyAttribute.LABEL, label + ":Private"); privateKeyAttrsMap.put(KeyAttribute.TOKEN, Boolean.TRUE); privateKeyAttrsMap.put(KeyAttribute.SIGN, Boolean.TRUE);

Any clue whey this exception occur. The same sample code when run on EC2 linux machine its works.

  • rePost-User-0096215
    일 년 전

    I have tested two use cases, creating a self-signed certificate using AWS CloudHsm RSA key it works on EC2 Linux and EC2 Windows Server 2019 both instances. Creating CMS signature failed on EC2 Windows instance and same code working on EC2 Linux instance. Possibly this can be the issue with windows native dll.

주제
보안, 신원 및 규정 준수네트워킹 및 콘텐츠 전송
태그
AWS CloudHSMAWS 클라이언트 VPN
언어
English
rePost-User-0096215
질문됨 일 년 전272회 조회
1개 답변
0

This issue resolve by overriding the JCE provider method for signature calculation

timeStampToken.getSignedData().setSecurityProvider(new SecurityProvider(authProvider1) {
            @Override
            public byte[] calculateSignatureFromSignedAttributes(AlgorithmID signatureAlgorithm,
                    AlgorithmID digestAlgorithm, PrivateKey privateKey, byte[] signedAttributes)
                    throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
                byte[] sigValue = null;
                try {
                    java.security.Signature signature = Signature.getInstance("SHA256withRSA", CloudHsmProvider.PROVIDER_NAME);
                    signature.initSign(privateKey);
                    signature.update(signedAttributes);
                    sigValue = signature.sign();
                } catch (NoSuchProviderException ex) {
                    throw new SignatureException(ex);
                }
}
rePost-User-0096215
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠