Description
Name and Version
bitnami/ejbca:latest
What architecture are you using?
amd64
What steps will reproduce the bug?
Clone bitnami/containers.git on a fresh Ubuntu 22.04 machine with a Smartcard-HSM, add opensc to the EJBCA Dockerfile, build and run the Docker image. Configure a PKCS#11-based HSM Crypto Token in EJBCA. Attempt to generate an RSA key.
This results in the error described in Keyfactor/ejbca-ce#281 (reply in thread), with a suggested workaround of enabling pkcs11.disableHashingSignMechanisms=false in the cesecore.properties file.
However, attempting to set that flag in various locations (including /opt/bitnami/ejbca/conf/cesecore.properties and /opt/bitnami/ejbca/conf/ejbca.properties) in the Bitnami installation does not honor the setting. Raising this issue with EJBCA got me referred back to here.
How does one set pkcs11.disableHashingSignMechanisms=false in the Bitnami docker image of EJBCA?
What is the expected behavior?
Successful key generation.
What do you see instead?
04:53:07,878 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-7) 2024-09-03 04:53:07+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;UID=c-1fPoCCHW8Jh81FuTIh2d1Y5sUBSpwIJH,CN=SuperAdmin,O=Example CA,C=SE;;;;resource0=/cryptotoken/keys/generate/-1588100092
04:53:11,073 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA256WithRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing certificate failed: cannot create signer: no such algorithm: SHA256WITHRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,197 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA256withRSAandMGF1' working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'.
04:53:11,564 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA1WithRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA1WithRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,564 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA256WithRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA256WithRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,564 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA384withRSAandMGF1' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA384withRSAandMGF1 for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,564 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA3-512withRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA3-512withRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,565 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA1withRSAandMGF1' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA1withRSAandMGF1 for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,565 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA3-256withRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA3-256withRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,565 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA256withRSAandMGF1' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA256withRSAandMGF1 for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,565 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA512WithRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA512WithRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,565 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA512withRSAandMGF1' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA512withRSAandMGF1 for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,566 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA3-384withRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA3-384withRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,566 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA384WithRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA384WithRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,566 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) No valid signing algorithm found for the provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'.
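Added example, not part of the original report or of EJBCA: a small triage script for the `SignWithWorkingAlgorithm` lines above. It groups the probe results by algorithm and flags any algorithm the provider accepted at one point and rejected at another, which in this log is `SHA256withRSAandMGF1`. The sample input is four lines copied from the log in this report; the function names are this example's own.

```python
import re
from collections import defaultdict

# Four lines copied verbatim from the log in the report above.
SAMPLE_LOG = """\
04:53:11,073 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA256WithRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing certificate failed: cannot create signer: no such algorithm: SHA256WITHRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,197 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA256withRSAandMGF1' working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'.
04:53:11,564 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA256WithRSA' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA256WithRSA for provider SunPKCS11-opensc-pkcs11.so-slot0
04:53:11,565 INFO [com.keyfactor.util.keys.SignWithWorkingAlgorithm] (default task-7) Signature algorithm 'SHA256withRSAandMGF1' not working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 11'. Exception: Signing of data failed: no such algorithm: SHA256withRSAandMGF1 for provider SunPKCS11-opensc-pkcs11.so-slot0
"""

# Matches one probe result; "stage" is the first clause of the exception text,
# which tells certificate signing apart from plain data signing.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) .*?SignWithWorkingAlgorithm\].*?"
    r"Signature algorithm '(?P<alg>[^']+)' (?P<neg>not )?working "
    r"for provider '(?P<prov>[^']+)'"
    r"(?:\. Exception: (?P<stage>[^:]+):)?"
)


def parse(log):
    """Return {algorithm: [(timestamp, worked, failure_stage), ...]} in log order."""
    results = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:  # unrelated lines (audit records, summary line) are skipped
            results[m["alg"]].append((m["ts"], m["neg"] is None, m["stage"]))
    return dict(results)


def inconsistent(results):
    """Algorithms with both a 'working' and a 'not working' probe result."""
    return sorted(
        alg for alg, runs in results.items()
        if len({worked for _, worked, _ in runs}) == 2
    )


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for alg, runs in parsed.items():
        for ts, worked, stage in runs:
            print(f"{ts}  {alg:<22} {'OK' if worked else 'FAIL: ' + stage}")
    print("accepted and later rejected:", inconsistent(parsed))
```
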