When trying to generate an RSA key pair with the SunPKCS11 provider, the method generateKeyPair()
throws ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
My code looks like this:
import java.security.*;

Provider prov = ... // initialize provider (SunPKCS11 configured with the HSM library and slot)
KeyStore ks = KeyStore.getInstance("PKCS11", prov);
ks.load(null, "pass".toCharArray()); // logs in to the token with the PIN
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", prov);
keyGen.initialize(2048);
KeyPair kp = keyGen.generateKeyPair(); // exception thrown here
I tried using AuthProvider right after provider initialization, like so:
AuthProvider aprov = (AuthProvider) prov;
// diagnostic handler: only logs whether it was invoked
aprov.login(null, callbacks -> {
    log.error("@@@ Inside callbacks {}", callbacks.length);
});
aprov.setCallbackHandler(callbacks -> {
    log.error("@@@ Inside setCallBackHandler {}", callbacks.length);
});
But I don't see any logging output, so that means the lambdas are not executed.
The ultimate goal is to generate an RSA key pair and store it in the keystore (HSM) via PKCS11.
I tried OpenJDK 8 and Oracle JDK 8. Also, when listing aliases from the keystore, I get an empty list, but I know there is one entry. Adding -Djava.security.debug=sunpkcs11
changed nothing.
The problem in my case was a wrong slot number in the provider configuration. The selected slot was labeled as "accelerator", which, according to the HSM documentation, does not support the creation of "private objects".
After switching to a different slot, key generation and storage into the keystore work.
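As an added example (not the asker's code), here is the same flow with the slot choice and the login made explicit, so a wrong slot shows up before key generation. It assumes Java 9 or later (Provider.configure), placeholder values for the library path, slot index and PIN, and that the token that can hold private objects sits at the given slotListIndex; showInfo = true makes SunPKCS11 print the chosen slot and token details (label, flags) at initialization so they can be compared with the HSM documentation.

```java
import java.nio.file.*;
import java.security.*;
import javax.security.auth.callback.*;

public class HsmKeyGen {
    // Placeholders: real PKCS#11 library path and the index of the slot holding the token.
    static final String PKCS11_LIB = "/path/to/libpkcs11.so";
    static final int SLOT_LIST_INDEX = 0;

    // Builds a SunPKCS11 provider from an inline config; showInfo=true prints slot/token info
    // at init, which is where an "accelerator" slot label becomes visible.
    static Provider buildProvider() throws Exception {
        String cfg = String.join("\n",
            "name = HsmToken",
            "library = " + PKCS11_LIB,
            "slotListIndex = " + SLOT_LIST_INDEX,  // or "slot = <CK_SLOT_ID>" from the HSM docs
            "showInfo = true");
        Path cfgFile = Files.createTempFile("pkcs11", ".cfg");
        Files.write(cfgFile, cfg.getBytes());
        // Java 9+ API; on JDK 8 use new sun.security.pkcs11.SunPKCS11(InputStream) instead.
        Provider prov = Security.getProvider("SunPKCS11").configure(cfgFile.toString());
        Security.addProvider(prov);
        return prov;
    }

    // Explicit C_Login. The handler must fill the PasswordCallback; a handler that only logs
    // gives the provider no PIN to send and the token stays in the not-logged-in state.
    static void login(Provider prov, char[] pin) throws Exception {
        ((AuthProvider) prov).login(null, callbacks -> {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) throw new UnsupportedCallbackException(cb);
                ((PasswordCallback) cb).setPassword(pin);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Provider prov = buildProvider();
        char[] pin = "pass".toCharArray();  // placeholder PIN
        login(prov, pin);
        KeyStore ks = KeyStore.getInstance("PKCS11", prov);
        ks.load(null, pin);  // token is already logged in; this just binds the keystore view
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", prov);
        keyGen.initialize(2048);
        try {
            KeyPair kp = keyGen.generateKeyPair();
            System.out.println("generated " + kp.getPublic().getAlgorithm() + " key pair on " + prov.getName());
        } catch (ProviderException e) {
            // CKR_USER_NOT_LOGGED_IN after a successful login points at the slot, as in the question above
            throw new IllegalStateException("key generation failed on slot " + SLOT_LIST_INDEX + ": " + e.getCause(), e);
        } finally {
            ((AuthProvider) prov).logout();
        }
    }
}
```

Persisting the generated pair on the token still requires ks.setKeyEntry with a certificate chain for the private key, which is outside what this block shows.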