CKR_KEY_TYPE_INCONSISTENT: when deriving signing key in FIPS mode using SunPKCS11 with NSS
Question
Environment details: Java: openjdk-1.8.0.312 OS: RHEL8
Following are the security providers configured. SunPKCS11-NSS-FIPS, SUN 1.8, SunEC 1.8, SunJSSE 1.8
Note:
The issue disappears when added a new JCE. Worked when added SunJCE or BouncyCastleFipsProvider security provider.
Have confirmed unlimited strength crypto availabel (via Cipher.getMaxAllowedKeyLength("AES") =~ large number)
Caused by: java.security.InvalidKeyException: init() failed at sun.security.pkcs11.P11Mac.engineInit(P11Mac.java:208) at javax.crypto.Mac.chooseProvider(Mac.java:350) at javax.crypto.Mac.init(Mac.java:415) at com.amazonaws.auth.AbstractAWSSigner.sign(AbstractAWSSigner.java:127) ... 36 common frames omitted Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT at sun.security.pkcs11.wrapper.PKCS11.C_SignInit(Native Method) at sun.security.pkcs11.P11Mac.initialize(P11Mac.java:177) at sun.security.pkcs11.P11Mac.engineInit(P11Mac.java:206) ... 39 common frames omitted
Any pointers please?
1 answers
solution1
0 2022-06-30 12:23:37
事实证明这是 RHEL8 + OpenJDK1.8 的问题,提到了解决方案/解决方法 - https://access.redhat.com/solutions/6778751
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.