Discussion:
[Ejbca-develop] Importing keys to ncipher hsm with pkcs11 interface
Leonardo L. P. da Mata
2009-02-20 19:17:21 UTC
Hello,


I'm trying to use the pkcs11 interface to import keys into the ncipher
HSM for use with ejbca, since I have a secure way to create a key
externally. I was perfectly able to import keys into the hsm and see
those keys using the pkcs11 interface, but those keys are not
available when I use EJBCA. What happens is that EJBCA keys need a
certificate.

In KeyStoreContainerBase.java, the generate method creates a keypair:
final KeyPair keyPair = kpg.generateKeyPair();
and then a certificate with this keypair:
chain[0] = getSelfCertificate("CN=some guy, L=around, C=US",
(long)30*24*60*60*365, sigAlgName, keyPair);

I don't know exactly what to do to use an external KeyPair from a file
and then generate the certificate.

I'm thinking about 3 possible solutions:
1-import the key into the HSM, externally generate a certificate
signed with this key and then import this certificate to HSM using
"PKCS11HSMKeyTool importcert"
2-create "PKCS11HSMKeyTool importkey" to get a keypair from a file,
import this key to the hsm and then import the certificate to hsm.
3-create "PKCS11HSMKeyTool generatecert" to read an imported keypair
from the hsm, and use this keypair to generate the certificate, so the
keypair becomes available to ejbca.

How hard is it to implement one of these solutions? Can you show me the
path to build these solutions myself?

Besides security issues, what's the problem with using imported keys with
ejbca, since PKCS11HSMKeyTool doesn't have an import key tool
implemented?

Why do keys generated with the pkcs11 interface need a certificate?
--
Leonardo Luiz Padovani da Mata
***@gmail.com

"May the force be with you, always"
"Nerd Pride... I have it. Do you?"
Leonardo L. P. da Mata
2009-02-20 19:44:05 UTC
Hello,

Why do keys generated with the pkcs11 interface need a certificate?

I'm trying to use the pkcs11 interface to import keys into the ncipher
HSM for use with ejbca, since I have a secure way to create a key
externally. I was perfectly able to import keys into the hsm and see
those keys using the pkcs11 interface, but those keys are not
available when I use EJBCA. What happens is that EJBCA keys need a
certificate.

In KeyStoreContainerBase.java, the generate method creates a keypair:
final KeyPair keyPair = kpg.generateKeyPair();
and then a certificate with this keypair:
chain[0] = getSelfCertificate("CN=some guy, L=around, C=US",
(long)30*24*60*60*365, sigAlgName, keyPair);

I don't know exactly what to do to use an external KeyPair from a file
and then generate the certificate.

I'm thinking about 3 possible solutions:
1-import the key into the HSM, generate a certificate signed with this
key and then import this certificate to HSM using PKCS11HSMKeyTool
importcert
2-create PKCS11HSMKeyTool importkey to get a keypair from a file,
import this key to the hsm and then import the certificate to hsm.
3-create PKCS11HSMKeyTool generatecert to read an imported keypair
from the hsm, and use this keypair to generate the certificate.

How hard is it to implement one of these solutions?

Besides security issues, what's the problem with using imported keys with
ejbca, since PKCS11HSMKeyTool doesn't have an import key tool
implemented?
Lars Silvén
2009-02-21 12:55:24 UTC
Leonardo,

There are no secure ways of generating the key externally and then
importing it to the HSM. For you it might be secure if you make sure that
the original key is deleted after it has been stored on the HSM. But
consider everyone else in the world who was not with you when the
key was generated, transferred to the HSM and then deleted on the
original medium. They will never know if you have made copies of your
key.

If you still want to do it I will comment on your alternatives:
1. could not be done. This requires an old cert on the HSM for the key.
This old cert (some guy) will be replaced.
2. might be possible depending on the p11 implementation.
3. you have a problem getting the key from the java keystore (created by the
sun p11 wrapper). The wrapper requires that you have a key associated
with it

Easiest way ought to be if your HSM has some tool to import a
certificate for a key.

Cheers,
Lars
--
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
***@primekey.se for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf
Tomas Gustavsson
2009-02-22 16:36:14 UTC
Hi Leonardo,

The certificate is needed because this is how Java's keystore model works.

There are nCipher commands to associate a certificate with a key.

ckcerttool is the command. We've used this when converting keys from RSA
Keon CA to EJBCA. It looks something like this:
-----
C:\nfast\bin>ckcerttool.exe -c oper -f c:\ca\kca.pem -k
uc3126f2b3cf7d9d53e3ba278a081ef471644298f8-628484d430c6c0502fdb1a520fb84b9dc73c8372
-L kcaSign

Certificate found, processing...

Please enter the passphrase for "oper" token (No echo set).
Passphrase:
Certificate successfully imported.
Run cklist to view your certificate object.
OK
-----

We have imported keys from OpenSSL CAs to nCipher as well. See the User
Guide at ejbca.org, "Importing an existing CA or sub-CA to EJBCA".

Cheers,
Tomas
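Added example, not EJBCA code and not from this thread: after a certificate has been associated with a key (for example with ckcerttool as above), this Java program opens the token through the SunPKCS11 KeyStore, lists which aliases show up as key entries, and checks that each certificate really belongs to its key by signing inside the HSM and verifying with the certificate's public key. Assumptions: RSA keys, a SunPKCS11 configuration file (placeholder path) pointing at the nCipher PKCS#11 library, the JDK 8 era provider constructor, and the token PIN in the P11_PIN environment variable.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

public class P11KeyCertCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder path: a SunPKCS11 config naming the nCipher library and slot.
        String confPath = args.length > 0 ? args[0] : "/path/to/p11.cfg";
        String pinEnv = System.getenv("P11_PIN");
        if (pinEnv == null) {
            throw new IllegalStateException("set P11_PIN to the token passphrase");
        }
        char[] pin = pinEnv.toCharArray();

        // JDK 8 style; on JDK 9+ use Security.getProvider("SunPKCS11").configure(confPath).
        Provider p11 = new sun.security.pkcs11.SunPKCS11(confPath);
        Security.addProvider(p11);

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin); // no stream: the provider enumerates objects on the token

        byte[] probe = "keystore-check".getBytes(StandardCharsets.UTF_8);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key behind it");
                continue;
            }
            PrivateKey priv = (PrivateKey) ks.getKey(alias, pin);
            Certificate cert = ks.getCertificate(alias);

            // Sign inside the HSM, verify in software with the certificate's public key.
            // A MISMATCH means the certificate paired with this key does not belong to it.
            Signature signer = Signature.getInstance("SHA256withRSA", p11);
            signer.initSign(priv);
            signer.update(probe);
            byte[] sig = signer.sign();

            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(probe);
            System.out.println(alias + ": key/cert pair "
                    + (verifier.verify(sig) ? "OK" : "MISMATCH"));
        }
    }
}
```

With the Sun PKCS#11 provider a private key object is only exposed as a keystore alias when a certificate object with the same CKA_ID exists on the token, which is why an imported key stays invisible to EJBCA until a certificate has been associated with it.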
Leonardo L. P. da Mata
2009-02-26 14:15:42 UTC
Hello Lars and Tomas,

Thanks for the help, that was what I was looking for.

I will test and keep you informed. Looks like this is the way to use a
quorum larger than 1/X to import keys with ncipher HSM.

:-)