CKR_KEY_TYPE_INCONSISTENT: when deriving signing key in FIPS mode using SunPKCS11 with NSS

837 Views Asked by Kedarnath At 28 June 2022 at 15:46

Environment details: Java: openjdk-1.8.0.312 OS: RHEL8

Following are the security providers configured. SunPKCS11-NSS-FIPS, SUN 1.8, SunEC 1.8, SunJSSE 1.8

Note:

The issue disappears when added a new JCE. Worked when added SunJCE or BouncyCastleFipsProvider security provider.
Have confirmed unlimited strength crypto availabel (via Cipher.getMaxAllowedKeyLength("AES") =~ large number)

Caused by: java.security.InvalidKeyException: init() failed
    at sun.security.pkcs11.P11Mac.engineInit(P11Mac.java:208)
    at javax.crypto.Mac.chooseProvider(Mac.java:350)
    at javax.crypto.Mac.init(Mac.java:415)
    at com.amazonaws.auth.AbstractAWSSigner.sign(AbstractAWSSigner.java:127)
    ... 36 common frames omitted
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT
    at sun.security.pkcs11.wrapper.PKCS11.C_SignInit(Native Method)
    at sun.security.pkcs11.P11Mac.initialize(P11Mac.java:177)
    at sun.security.pkcs11.P11Mac.engineInit(P11Mac.java:206)
    ... 39 common frames omitted

Any pointers please?

Original Q&A

There are 1 best solutions below

Kedarnath On 30 June 2022 at 12:23

This turned out to be an issue with RHEL8 + OpenJDK1.8, resolutions/workarounds mentioned - https://access.redhat.com/solutions/6778751

CKR_KEY_TYPE_INCONSISTENT: when deriving signing key in FIPS mode using SunPKCS11 with NSS

There are 1 best solutions below

Related Questions in JAVA

Related Questions in AWS-SDK

Related Questions in JCE

Related Questions in FIPS

Related Questions in NSS

Trending Questions

Popular # Hahtags

Popular Questions