By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Rsa pkcs encrypt operation received firmware error: The key used does not support the requested operation

0

Failed to create CMS signature using cloudHSM asymmetric key from my local machine connected over vpn. I'm trying to sign the CMS signature using a RSA key generated I am able to sign the CSR but when using the same key for CMS signing it throws the following exception

[cloudhsm_provider::hsm1::session::rsa_pkcs::encrypt_decrypt::error] Rsa pkcs encrypt operation received firmware error: The key used does not support the requested operation. iaik.tsp.TspSigningException: Can't sign TimeStampToken: java.security.NoSuchAlgorithmException: Error computing signature value: iaik.cms.CMSException: Unable to calculate signature: java.security.SignatureException: Cannot calculate RSA siganture: com.amazonaws.cloudhsm.jce.jni.exception.KeyUsageException: An attempt has been made to use a key for a cryptographic purpose that the key's attributes are not set to allow it to do. at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:967) at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:859) at iaik.tsp.TimeStampToken.signTimeStampToken(SourceFile:1024) I am using following key attributes while generating the key

publicKeyAttrsMap.put(KeyAttribute.LABEL, label + ":Public"); publicKeyAttrsMap.put(KeyAttribute.MODULUS_BITS, keySizeInBits); publicKeyAttrsMap.put(KeyAttribute.PUBLIC_EXPONENT, new BigInteger("65537").toByteArray()); publicKeyAttrsMap.put(KeyAttribute.TOKEN, Boolean.TRUE); publicKeyAttrsMap.put(KeyAttribute.VERIFY, Boolean.TRUE);

privateKeyAttrsMap.put(KeyAttribute.LABEL, label + ":Private"); privateKeyAttrsMap.put(KeyAttribute.TOKEN, Boolean.TRUE); privateKeyAttrsMap.put(KeyAttribute.SIGN, Boolean.TRUE);

Any clue whey this exception occur. The same sample code when run on EC2 linux machine its works.

  • rePost-User-0096215
    a year ago

    I have tested two use cases, creating a self-signed certificate using AWS CloudHsm RSA key it works on EC2 Linux and EC2 Windows Server 2019 both instances. Creating CMS signature failed on EC2 Windows instance and same code working on EC2 Linux instance. Possibly this can be the issue with windows native dll.

Topics
Security, Identity, & ComplianceNetworking & Content Delivery
Tags
AWS CloudHSMAWS Client VPN
Language
English
rePost-User-0096215
asked a year ago253 views
1 Answer
0

This issue resolve by overriding the JCE provider method for signature calculation

timeStampToken.getSignedData().setSecurityProvider(new SecurityProvider(authProvider1) {
            @Override
            public byte[] calculateSignatureFromSignedAttributes(AlgorithmID signatureAlgorithm,
                    AlgorithmID digestAlgorithm, PrivateKey privateKey, byte[] signedAttributes)
                    throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
                byte[] sigValue = null;
                try {
                    java.security.Signature signature = Signature.getInstance("SHA256withRSA", CloudHsmProvider.PROVIDER_NAME);
                    signature.initSign(privateKey);
                    signature.update(signedAttributes);
                    sigValue = signature.sign();
                } catch (NoSuchProviderException ex) {
                    throw new SignatureException(ex);
                }
}
rePost-User-0096215
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content