SE050 - Integration into SunPKCS11


994 views
SRaedle
Contributor I

Hi,

we’re currently trying to integrate the EdgeLock SE050 Secure Element into our embedded Yocto system. We’re using T1oI2C and the Plug & Trust MW (v4.02). To access the SE050 from a Java environment, we want to use the PKCS11 implementation of the MW (over the libsss_pkcs11.so library) and the Java SunPKCS11 provider. In order for the Java keystore to recognize the stored key pairs of the SE050, it requires the private key and the corresponding self-signed certificate (containing the public key) to be stored with the same CKA_ID attribute value. This is also the recommended behavior by the PKCS11 standard (although not enforced).

However, when we try to create a corresponding key/certificate pair with the Java keytool on the SE050, the private key receives a different ID than specified by the tool and therefore the Java keystore won’t recognize it. When we try to manually insert the key and the certificate with the same ID over the ssscli command line or the pkcs11-tool, we get a message that the ID already exists and the object therefore cannot be inserted.

The MW documentation states that the internal keyID of the SE050 is not to be confused with the PKCS11 CKA_ID attribute, but all approaches we’ve looked at so far seem to interpret the internal keyID as the CKA_ID, which prevents us from inserting a key and a certificate with the same value.

So our question is whether it is possible to set the same CKA_ID value for multiple objects in the SE050 (and how to do it) and access the values from the Java keystore, or whether we have to look for an alternative approach?


Regards,

Stefan

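A diagnostic for the pairing problem described in the post, added here as an example that is not part of the original thread or of the Plug & Trust MW: it parses the object listing printed by `pkcs11-tool -O` and reports every private key that has no certificate with the same CKA_ID, which is exactly the condition under which SunPKCS11 will not expose the key as a keystore entry. The listing embedded below is constructed sample text (labels, IDs and the `libsss_pkcs11.so` invocation are assumptions, not output captured from a real SE050).

```python
import re

# Constructed sample of `pkcs11-tool --module libsss_pkcs11.so -O` output
# (not captured from a real SE050). It reproduces the situation in the post:
# the private key and the certificate ended up under different CKA_IDs.
SAMPLE_LISTING = """\
Private Key Object; EC
  label:      se050-key
  ID:         20000001
  Usage:      sign
Certificate Object; type = X.509 cert
  label:      se050-cert
  subject:    DN: CN=device
  ID:         00000001
Public Key Object; EC  EC_POINT 256 bits
  label:      se050-key
  ID:         20000001
  Usage:      verify
"""

# Each object starts with a "<class> Object;" header line; attributes follow indented.
OBJECT_HEADER = re.compile(r"^(Private Key|Public Key|Certificate|Secret Key|Data) Object;")


def parse_listing(text):
    """Parse pkcs11-tool -O style output into dicts with class, label and CKA_ID."""
    objects = []
    for line in text.splitlines():
        m = OBJECT_HEADER.match(line)
        if m:
            objects.append({"class": m.group(1), "label": None, "id": None})
            continue
        if not objects or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "label":
            objects[-1]["label"] = value
        elif key == "id":
            objects[-1]["id"] = value.lower()  # hex CKA_ID, normalised for comparison
    return objects


def unpaired_private_keys(objects):
    """Private keys with no certificate sharing their CKA_ID (invisible to SunPKCS11)."""
    cert_ids = {o["id"] for o in objects if o["class"] == "Certificate"}
    return [o for o in objects if o["class"] == "Private Key" and o["id"] not in cert_ids]


if __name__ == "__main__":
    for key in unpaired_private_keys(parse_listing(SAMPLE_LISTING)):
        print(f"private key '{key['label']}' (CKA_ID {key['id']}) has no matching certificate")
```

Run it against the real listing by replacing `SAMPLE_LISTING` with the captured output; an empty result means every private key has a certificate SunPKCS11 can pair it with.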