"java.security.InvalidKeyException: Could not create key" when using the SunPKCS11-NSS-FIPS provider
Issue
- When using OpenJDK on RHEL with FIPS enabled (see the attached example.java), the following error is thrown:

java.security.InvalidKeyException: Could not create key
    at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:274)
    at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:179)
    at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:111)
    at sun.security.pkcs11.P11Cipher.implInit(P11Cipher.java:409)
    at sun.security.pkcs11.P11Cipher.engineInit(P11Cipher.java:311)
    at javax.crypto.Cipher.init(Cipher.java:1249)
    at javax.crypto.Cipher.init(Cipher.java:1189)
    at example.main(example.java:32)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
    at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:269)
    ... 7 more

Environment
- RHEL
  - 8.3 with FIPS enabled (OpenJDK is not supported in FIPS mode in prior RHEL versions)
- OpenJDK
  - 8 (1.8.0-302)