Support for Elliptic Curve Cryptography Algorithm(EC)

Article ID: 232683

Products

SITEMINDER

Issue/Introduction

When importing a certificate that uses the "EC" algorithm through the WAMUI, the following error message is shown:

"System exception trying to load keystore entries. AGENTAPI_FAILURE 
System error trying to complete import:One or more exceptions trying to commit keystore changes. Please consult the logs."

Environment

Policy Server Version: 12.8.06

Cause

Server.log

2022-01-19 10:56:43,909 [ERROR] com.ca.fedpki.api.remote.FedPkiKeyStore [] - **ERROR** com.ca.fedxps.api.remote.FedXPSException commiting keystore change for alias XXXX.
com.ca.fedxps.api.remote.FedXPSException: com.ca.federation.client.XPSException: Failed Object Operation : CA : XPS : sm-xpssvc-00120
 at com.ca.fedxps.api.remote.FedXPSObjectStore.delete(Unknown Source) ~[fedremoteapi.jar:?]
 at com.ca.fedpki.api.remote.FedPkiKeyStore.engineStore(Unknown Source) [fedremoteapi.jar:?]
 at java.security.KeyStore.store(KeyStore.java:1406) [?:1.8.0_202]
 at com.ca.federation.adminui.backingbean.keystore.KeyStoreImportBean.finish(KeyStoreImportBean.java:302) [fedmgr.jar:?]
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_202]
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_202]
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_202]
 at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_202]
 
cds.log

[Jan 19 2022 10:56:43,846] CertificateDataStore [ERROR] CertificateDataStoreImpl.addPrivateKeyToDB(alias,privateKey,certificate):  An exception occurred while adding private key and certificate to the Certificate Data Store. Exception Message: Cannot identify XXX private key: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Integer.
com.ca.sso.smcert.SmCertLibException: Cannot identify XXX private key: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Integer
 at com.ca.sso.smcert.bc.BCPrivateKey.signBytes(BCPrivateKey.java:164) ~[smcert.jar:?]
 at com.ca.sso.smcert.SMPrivateKey.signString(SMPrivateKey.java:136) ~[smcert.jar:?]
 at com.netegrity.smkeydatabase.db.CertificateDataStoreImpl.addPrivateKeyToDB(CertificateDataStoreImpl.java:560) [smkeydatabase.jar:?]
 at com.netegrity.smkeydatabase.db.SMKeyDatabase.addPrivateKeyToDB(SMKeyDatabase.java:372) [smkeydatabase.jar:?]
 at com.ca.siteminder.security.SMKeyDatabaseFacade.addPrivateKeyToDB(Unknown Source) [fedsecurity.jar:?]
 at com.ca.siteminder.security.SMKeyDatabaseStore.store(Unknown Source) [fedsecurity.jar:?]
 at com.ca.fedpki.api.remote.FedPkiKeyStore.engineStore(Unknown Source) [fedremoteapi.jar:?]
 at java.security.KeyStore.store(KeyStore.java:1406) [?:1.8.0_202]

Resolution

The above error occurs when the certificate uses the ECDSA / EC algorithm, which is not officially supported by SiteMinder. The cds.log entry shows the point of failure: the Certificate Data Store expects an RSA private key structure (integer components) and fails when it meets the OCTET STRING that carries an EC private key.
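A pre-flight check before attempting the import, added here as an example and not part of this article or of SiteMinder: it reads the AlgorithmIdentifier OID from a PKCS#8 PrivateKeyInfo (PEM or DER) and reports whether the key is RSA or the unsupported EC type, so the import failure can be predicted without touching the key database. It assumes unencrypted PKCS#8 input; the sample DER blobs below are constructed by hand and carry placeholder key material, not real keys.

```python
import base64
import re

# OIDs found in the AlgorithmIdentifier of a PKCS#8 PrivateKeyInfo.
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "RSA",  # rsaEncryption (supported by the CDS)
    "1.2.840.10045.2.1": "EC",      # id-ecPublicKey (the failing case)
}

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """Convert DER-encoded OID contents to dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def key_algorithm(pem_or_der):
    """Return 'RSA', 'EC', or the raw OID for an unencrypted PKCS#8 private key."""
    if isinstance(pem_or_der, str):        # PEM: strip armour and whitespace, then base64-decode
        der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem_or_der))
    else:
        der = bytes(pem_or_der)
    tag, pki, _ = _read_tlv(der, 0)        # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; PKCS#8 PrivateKeyInfo expected")
    _, _, pos = _read_tlv(pki, 0)          # version INTEGER
    _, alg_id, _ = _read_tlv(pki, pos)     # privateKeyAlgorithm AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)     # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return KEY_ALGORITHMS.get(dotted, dotted)

# Constructed samples (placeholder key bytes 00 00, not usable keys):
# version 0, {id-ecPublicKey, prime256v1}, OCTET STRING
EC_KEY_DER = bytes.fromhex("301c020100301306072a8648ce3d020106082a8648ce3d03010704020000")
# version 0, {rsaEncryption, NULL}, OCTET STRING
RSA_KEY_DER = bytes.fromhex("3016020100300d06092a864886f70d0101010500" "04020000")
EC_KEY_PEM = ("-----BEGIN PRIVATE KEY-----\n"
              + base64.b64encode(EC_KEY_DER).decode() + "\n-----END PRIVATE KEY-----\n")
```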