使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

Rsa pkcs encrypt operation received firmware error: The key used does not support the requested operation

0

Failed to create CMS signature using cloudHSM asymmetric key from my local machine connected over vpn. I'm trying to sign the CMS signature using a RSA key generated I am able to sign the CSR but when using the same key for CMS signing it throws the following exception

[cloudhsm_provider::hsm1::session::rsa_pkcs::encrypt_decrypt::error] Rsa pkcs encrypt operation received firmware error: The key used does not support the requested operation. iaik.tsp.TspSigningException: Can't sign TimeStampToken: java.security.NoSuchAlgorithmException: Error computing signature value: iaik.cms.CMSException: Unable to calculate signature: java.security.SignatureException: Cannot calculate RSA siganture: com.amazonaws.cloudhsm.jce.jni.exception.KeyUsageException: An attempt has been made to use a key for a cryptographic purpose that the key's attributes are not set to allow it to do. at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:967) at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:859) at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:1024) I am using following key attributes while generating the key

publicKeyAttrsMap.put(KeyAttribute.LABEL, label + ":Public"); publicKeyAttrsMap.put(KeyAttribute.MODULUS_BITS, keySizeInBits); publicKeyAttrsMap.put(KeyAttribute.PUBLIC_EXPONENT, new BigInteger("65537").toByteArray()); publicKeyAttrsMap.put(KeyAttribute.TOKEN, Boolean.TRUE); publicKeyAttrsMap.put(KeyAttribute.VERIFY, Boolean.TRUE);

privateKeyAttrsMap.put(KeyAttribute.LABEL, label + ":Private"); privateKeyAttrsMap.put(KeyAttribute.TOKEN, Boolean.TRUE); privateKeyAttrsMap.put(KeyAttribute.SIGN, Boolean.TRUE);

Any clue whey this exception occur. The same sample code when run on EC2 linux machine its works.

  • rePost-User-0096215
    1 年前

    I have tested two use cases, creating a self-signed certificate using AWS CloudHsm RSA key it works on EC2 Linux and EC2 Windows Server 2019 both instances. Creating CMS signature failed on EC2 Windows instance and same code working on EC2 Linux instance. Possibly this can be the issue with windows native dll.

主题
安全、身份和合规性网络和内容交付
标签
AWS CloudHSMAWS Client VPN
语言
English
rePost-User-0096215
已提问 1 年前272 查看次数
1 回答
0

This issue resolve by overriding the JCE provider method for signature calculation

timeStampToken.getSignedData().setSecurityProvider(new SecurityProvider(authProvider1) {
            @Override
            public byte[] calculateSignatureFromSignedAttributes(AlgorithmID signatureAlgorithm,
                    AlgorithmID digestAlgorithm, PrivateKey privateKey, byte[] signedAttributes)
                    throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
                byte[] sigValue = null;
                try {
                    java.security.Signature signature = Signature.getInstance("SHA256withRSA", CloudHsmProvider.PROVIDER_NAME);
                    signature.initSign(privateKey);
                    signature.update(signedAttributes);
                    sigValue = signature.sign();
                } catch (NoSuchProviderException ex) {
                    throw new SignatureException(ex);
                }
}
rePost-User-0096215
已回答 1 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容