Description of problem: When attached to an nethsm to generate EC key pairs, certutil fails with the following error: certutil: unable to generate key(s) : security library: received bad data. Version-Release number of selected component (if applicable): nss-3.12.10 How reproducible: always Steps to Reproduce: 1. Install Thales nethsm Connect per HSM vendor instruction; attach nethsm on client: modutil -dbdir . -nocertdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so 2. create password file and random file (e.g. cfu_pwfile, cfu_ran) 3. generate EC CSR with certutil: certutil -d . -h NHSM6000-OCS -f cfu_pwfile -R -s "cn=Christian Fu ECC test" -k ec -q nistp256 -a -z cfu_ran> cfu.csr Actual results: certutil: unable to generate key(s) : security library: received bad data. Expected results: should work (it works for certicom) Additional info: Further investigation shows that certutil calls PK11_GenerateKeyPair() with hardcoded isSensitive flag set to true. I think to get it to work we need to call PK11_GenerateKeyPairWithOpFlags() as what I did with JSS for our Java based subsystems so we can pass in the values that will enable nethsm to work. I also know that lunasa would need a different set of values for isSensitive and extractability. I think certutil should expose "temporary", "sensitive", "extractable" and the op flags and mask. in order to support various hsms.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This is the kind of bug that needs work to be done at the upstream project. I would like to ask that you please file an enhancement request at bugzilla.mozilla.org and add a reference here to that new upstream bug. And someone needs to contribute a patch. Christina, I believe you already understand what needs to be done, would you like to propose a patch in an upstream bug? I think this issue hasn't yet been worked on, so it won't make rhel 5.9, it needs to be moved forward to a future release.
Please get the patch done first, only afterwards does it make sense to request new flags. You'll probably want to target 5.9.z after that's done.
Created attachment 600161 [details] a java tool that can do this This is a java tool that can generate EC pkcs10 requests. It's converted from an RSA tool PKCS10Client, and it's a bit hacky.
Created attachment 600184 [details] Adds ability to specify opFlags and attrFlags in certutil Here's the patch I wrote do do this. Christina, you'll still have to play with the flags, something like: Certutil -R ..... --keyAttrFlags token,private
Verification failed. It seems both "extractable" and "unextractable" are treated as "extractable" and yield the same result ... Here was what I did : ===== [pkiuserecc5@glyph alias]$ certutil -d . -h "NHSM6000-OCS" -f passwd -R --keyAttrFlags "token,private,sensitive,unextractable" --keyOpFlagsOff derive -s "cn=cfutestHSM" -k ec -q nistp256 -a -z passwd > cfutestHSM.req parsing flags <derive> parsing flags <token,private,sensitive,unextractable> Generating key. This may take a few moments... 2012-08-09 07:58:41 [10136] t306c570d462b0000: pkcs11-sam: 000008cd Application error: Key type CKK_EC 2012-08-09 07:58:41 [10136] t306c570d462b0000: pkcs11-sam: 000008cd Application error: Insecure key should be marked as such; set CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness to allow extractable but sensititive certutil: unable to generate key(s) : security library: received bad data. ===== [pkiuserecc5@glyph alias]$ certutil -d . -h "NHSM6000-OCS" -f passwd -R --keyAttrFlags "token,private,sensitive,extractable" --keyOpFlagsOff derive -s "cn=cfutestHSM" -k ec -q nistp256 -a -z passwd > cfutestHSM.req parsing flags <derive> parsing flags <token,private,sensitive,extractable> Generating key. This may take a few moments... 2012-08-09 07:59:52 [10137] t308ceed17f2b0000: pkcs11-sam: 000008cd Application error: Key type CKK_EC 2012-08-09 07:59:52 [10137] t308ceed17f2b0000: pkcs11-sam: 000008cd Application error: Insecure key should be marked as such; set CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness to allow extractable but sensititive certutil: unable to generate key(s) : security library: received bad data.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0081.html