
P11RSAPrivateKey fails RSA key check.

Details

• Sprint: AM Sustaining Sprint 53, AM Sustaining Sprint 54
• Story Points: 3
• Needs backport: Yes
• Support Ticket IDs:
• Needs QA verification: No
• Functional tests: Yes

Description

Bug description

This is a subset of OPENAM-12801.

If a P11RSAPrivateKey is returned from the Java PKCS11 library, the private key verification fails.

How to reproduce the issue

Configure AM 5.5 to use a PKCS#11 token (for example SoftHSM or NSS):
https://backstage.forgerock.com/knowledge/kb/article/a56661000

Example SoftHSM configuration (SunPKCS11 provider configuration file):

    # Provider name; the JCA provider is registered as "SunPKCS11-softHSM".
    name = softHSM
    library = /home/fr/SoftHSMv2-develop/src/lib/.libs/libsofthsm2.so
    # Slot id of the initialised SoftHSM token (installation specific; see softhsm2-util --show-slots).
    slot = 1167202963
    attributes(generate, *, *) = {
      CKA_TOKEN = true
    }
    attributes(generate, CKO_CERTIFICATE, *) = {
      CKA_PRIVATE = false
    }
    attributes(generate, CKO_PUBLIC_KEY, *) = {
      CKA_PRIVATE = false
    }

Configure OAuth2/OIDC and request an ID token to be signed by an RSA key on the HSM.

EXPECTED BEHAVIOUR
Get back an ID token signed by the HSM-protected key.

CURRENT BEHAVIOUR

`{"error_description":"Signing algorithm is 'RS256' but the private key found is not an RSA private key","error":"invalid_request"}`

Code Analysis

See OPENAM-12801
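The check that rejects the key is not on this page (it is analysed in OPENAM-12801), but the error message above is what an `instanceof RSAPrivateKey` test produces for an opaque PKCS#11 key handle that implements only `PrivateKey`. The following Java is an added example, not OpenAM code: it contrasts that interface-based check with one keyed on the JCA algorithm name, using a constructed `OpaqueRsaHandle` class as a stand-in for a non-extractable SunPKCS11 key; that the original check used `instanceof` is an assumption.

```java
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;

public class RsaKeyCheckDemo {

    // Interface-based check (assumed shape of the failing check): accepts only keys
    // that expose RSA key material through the JCA RSAPrivateKey interface.
    // An HSM key whose material is sensitive/non-extractable is handed back by the
    // PKCS#11 provider as an opaque PrivateKey, so this check rejects it.
    static boolean isRsaByInterface(PrivateKey key) {
        return key instanceof RSAPrivateKey;
    }

    // Provider-neutral check: the JCA algorithm name is "RSA" for every RSA key,
    // including opaque provider handles, so HSM keys pass while non-RSA keys
    // (EC, DSA) are still rejected for an RS256 signing request.
    static boolean isRsaByAlgorithm(PrivateKey key) {
        return key != null && "RSA".equalsIgnoreCase(key.getAlgorithm());
    }

    // Constructed stand-in for an opaque PKCS#11 key handle: no encoded material,
    // implements PrivateKey only, exactly like a non-extractable token key.
    static final class OpaqueRsaHandle implements PrivateKey {
        @Override public String getAlgorithm() { return "RSA"; }
        @Override public String getFormat()    { return null; }
        @Override public byte[] getEncoded()   { return null; }
    }

    public static void main(String[] args) {
        PrivateKey hsmKey = new OpaqueRsaHandle();
        System.out.println("instanceof RSAPrivateKey accepts HSM key: " + isRsaByInterface(hsmKey));
        System.out.println("getAlgorithm() == RSA accepts HSM key:    " + isRsaByAlgorithm(hsmKey));
    }
}
```

Signing with such a handle must also go through the provider that owns it (a `Signature` obtained from the SunPKCS11 provider), since the key material never leaves the token.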

People

• Assignee: chee-weng.chea C-Weng C
• Reporter: jonthomas Jonathan Thomas
• Votes: 0
• Watchers: 3