Failed to generate Symmetric Key in HSM due to error "Unsupported default key size"

Hi Support,

I am using the Acala HSM simulator to generate the Master, Base and Symmetric keys from the key manager service. The Acala HSM simulator is FIPS enabled. I'm able to generate the Master and Base keys, but when I try to generate the symmetric key "IDENTITY_CACHE" in the HSM it throws the following exception:

{"@timestamp":"2024-09-04T17:43:55.491+05:00","@version":"1","message":"Exception Root Cause:","logger_name":"io.mosip.kernel.core.exception.ExceptionUtils","thread_name":"http-nio-8088-exec-3","level":"DEBUG","level_value":10000,"stack_trace":"java.security.ProviderException: Unsupported default key size\r\n\tat jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyGenerator.setDefaultKeySize(P11KeyGenerator.java:207)\r\n\tat jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyGenerator.<init>(P11KeyGenerator.java:167)\r\n\tat jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1186)\r\n\tat jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:1128)\r\n\tat java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)\r\n\tat java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:144)\r\n\tat java.base/javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:326)\r\n\tat io.mosip.kernel.keymanager.hsm.impl.pkcs.PKCS11KeyStoreImpl.generateSymmetricKey(PKCS11KeyStoreImpl.java:529)\r\n\tat io.mosip.kernel.keymanager.hsm.impl.pkcs.PKCS11KeyStoreImpl.generateAndStoreSymmetricKey(PKCS11KeyStoreImpl.java:502)\r\n\tat io.mosip.kernel.keymanager.hsm.impl.KeyStoreImpl.generateAndStoreSymmetricKey(KeyStoreImpl.java:300)\r\n\tat io.mosip.kernel.keymanagerservice.service.impl.KeymanagerServiceImpl.generateAndBuildResponse(KeymanagerServiceImpl.java:1009)\r\n\tat io.mosip.kernel.keymanagerservice.service.impl.KeymanagerServiceImpl.generateSymmetricKey(KeymanagerServiceImpl.java:995)\r\n\tat io.mosip.kernel.keymanagerservice.service.impl.KeymanagerServiceImpl$$FastClassBySpringCGLIB$$37c188ac.invoke(<generated>)\r\n\tat org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)\r\n\tat org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746)\r\n\tat 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)\r\n\tat org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)\r\n\tat org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)\r\n\tat org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)\r\n\tat org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688)\r\n\tat io.mosip.kernel.keymanagerservice.service.impl.KeymanagerServiceImpl$$EnhancerBySpringCGLIB$$cb15dbd9.generateSymmetricKey(<generated>)\r\n\tat io.mosip.kernel.keymanagerservice.controller.KeymanagerController.generateSymmetricKey(KeymanagerController.java:203)\r\n\tat java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\r\n\tat java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\r\n\tat java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\r\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:566)\r\n\tat org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:209)\r\n\tat org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136)\r\n\tat org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102)\r\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:877)\r\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:783)\r\n\tat 
org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)\r\n\tat org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991)\r\n\tat org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925)\r\n\tat org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:974)\r\n\tat org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:877)\r\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:660)\r\n\tat org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:851)\r\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:741)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat ch.qos.logback.classic.helpers.MDCInsertingServletFilter.doFilter(MDCInsertingServletFilter.java:49)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:158)\r\n\tat org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:126)\r\n\tat org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:111)\r\n\tat 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.springframework.boot.actuate.web.trace.servlet.HttpTraceFilter.doFilterInternal(HttpTraceFilter.java:84)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat io.mosip.kernel.keymanagerservice.config.ReqResFilter.doFilter(ReqResFilter.java:45)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)\r\n\tat org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)\r\n\tat org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat 
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)\r\n\tat 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\r\n\tat org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)\r\n\tat org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.springframework.cloud.sleuth.instrument.web.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.java:48)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat brave.servlet.TracingFilter.doFilter(TracingFilter.java:86)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)\r\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)\r\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)\r\n\tat io.mosip.kernel.core.logger.config.SleuthValve.invoke(SleuthValve.java:36)\r\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)\r\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)\r\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)\r\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\r\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)\r\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\r\n\tat 
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)\r\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)\r\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\r\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\r\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\r\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\r\n\tat java.base/java.lang.Thread.run(Thread.java:829)\r\nCaused by: java.security.InvalidAlgorithmParameterException: Key length must be between 1024 and 2048 bits\r\n\tat jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyGenerator.checkKeySize(P11KeyGenerator.java:133)\r\n\tat jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyGenerator.setDefaultKeySize(P11KeyGenerator.java:205)\r\n\t... 130 common frames omitted\r\n","appName":"kernel-keymanager-service","traceId":"88d572164de9970c","spanExportable":"false","req.requestURI":"/v1/keymanager/generateSymmetricKey","X-Span-Export":"false","req.method":"POST","req.userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","spanId":"88d572164de9970c","X-B3-SpanId":"88d572164de9970c","X-B3-TraceId":"88d572164de9970c","req.remoteHost":"192.168.18.248","req.requestURL":"http://192.168.18.248:8088/v1/keymanager/generateSymmetricKey"}

I investigated the issue: JCE validates the AES key algorithm with a default key size of 128 and then delegates to the provider to generate the key. The Acala provider does not support the 128-bit key, which throws the exception. Is there any workaround for an HSM simulator that does not support AES 128-bit key generation?


Dear @maliksajidhussain ,

Thank you for reaching out. We are looking into your query and one of our expert colleagues will respond here.

Best Regards
Team MOSIP

Hi @keshavs, thanks. Waiting for a response…

Regards

Hi @maliksajidhussain

The MOSIP Keymanager service uses 256 bits as the default key size for the AES algorithm. As per your comments in the ticket, the Acala HSM is running with FIPS; to integrate the Keymanager service with a FIPS-enabled HSM, a custom KeyStore interface implementation is needed. Have you done the custom implementation?

If the custom implementation has been done, please check what key size is mentioned during key generation.

If the custom implementation has not been done, please refer to the sample implementations for other HSMs at this URL: hsm-ref-impl/hsm-keystore-impl at master · mosip/hsm-ref-impl · GitHub

Thanks,
Mahammed Taheer

Hi @mahammedtaheer, thanks for your response. I didn't do any custom implementation. Asymmetric keys are generated inside Acala. The point I'm trying to convey is that this is a limitation of the OpenJDK 11 JCE, which uses the default key size of 128 for AES keys before initializing the keystore with the provided key length of 256. Can the key manager run with OpenJDK 17 in the Eclipse IDE? I'm not able to compile, as some of the dependency versions support OpenJDK 11.
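Added example (not code from the thread, the MOSIP Keymanager or the JDK): a Python model of the default-key-size check that OpenJDK 11's SunPKCS11 P11KeyGenerator runs at KeyGenerator.getInstance("AES", provider), i.e. before init(256) is ever reached, as described in the two posts by @maliksajidhussain above. It assumes the JDK converts the CKM_AES_KEY_GEN min/max from CK_MECHANISM_INFO from bytes to bits by shifting left by 3; under that assumption a token that reports 128..256 (bits) yields exactly the "between 1024 and 2048 bits" limits seen in the trace, and a 256-bit request would be rejected by the same check, so the mechanism info the simulator reports is worth inspecting before changing key sizes.

```python
from dataclasses import dataclass

# What P11KeyGenerator.setDefaultKeySize() tries for CKM_AES_KEY_GEN before
# the application ever calls KeyGenerator.init(256).
JDK_DEFAULT_AES_BITS = 128

@dataclass(frozen=True)
class MechanismInfo:
    """Subset of CK_MECHANISM_INFO as returned by C_GetMechanismInfo."""
    ul_min_key_size: int
    ul_max_key_size: int

class InvalidAlgorithmParameter(Exception): pass  # java InvalidAlgorithmParameterException
class ProviderError(Exception): pass              # java ProviderException

def aes_limits_bits(info):
    # Assumption: PKCS#11 specifies AES key sizes in bytes, so the JDK
    # shifts the reported min/max left by 3 to obtain bits.
    return info.ul_min_key_size << 3, info.ul_max_key_size << 3

def check_key_size(bits, info):
    # Mirrors P11KeyGenerator.checkKeySize(): reject sizes outside the range.
    lo, hi = aes_limits_bits(info)
    if bits < lo or bits > hi:
        raise InvalidAlgorithmParameter(
            f"Key length must be between {lo} and {hi} bits")
    return bits

def new_key_generator(info):
    # Mirrors P11KeyGenerator.<init> -> setDefaultKeySize(): the 128-bit
    # default is validated first, and a failure is wrapped as in the trace.
    try:
        return check_key_size(JDK_DEFAULT_AES_BITS, info)
    except InvalidAlgorithmParameter as e:
        raise ProviderError("Unsupported default key size") from e

def diagnose(info):
    """Bit limits the JDK derives, plus whether getInstance() and a later
    init(256) would pass against this token."""
    result = {"limits_bits": aes_limits_bits(info)}
    try:
        new_key_generator(info)
        result["get_instance"] = "ok"
    except ProviderError as e:
        result["get_instance"] = f"{e}: {e.__cause__}"
    try:
        check_key_size(256, info)
        result["init_256"] = "ok"
    except InvalidAlgorithmParameter as e:
        result["init_256"] = str(e)
    return result

# Constructed sample tokens (not taken from the thread).
CONFORMANT_TOKEN = MechanismInfo(16, 32)        # bytes: 128..256 bits
BITS_REPORTING_TOKEN = MechanismInfo(128, 256)  # bits, read by JDK as bytes
```

Running diagnose() on the two constructed tokens shows the conformant one passing both checks while the bits-reporting one fails already at getInstance() with the wrapped message from the trace.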

Hi @maliksajidhussain

The KeyManager service will not be able to run with OpenJDK 17. Not sure why it's behaving differently with the Acala HSM, because the keymanager service is able to generate AES keys in other HSMs without any issue.

One alternative you can try: if there is any utility provided by the Acala HSM to generate keys, use the utility to generate the AES key in the HSM and add the details to the DB directly. KeyManager will pick the key alias from the DB and use it for encryption/decryption.

Thanks,
Mahammed Taheer