The Aladdin eToken is a great little security device when you have sensitive private key material to protect. It is a great USB solution in that it supports all major operating systems through a PKCS#11 driver, which also means it integrates with Java on all major platforms (through the SunPKCS11 Security Provider).
The one problem we have come across with the device is trying to create keys on it using the standard Java keytool application. There are two errors you’ll almost certainly face, both in the form of a sun.security.pkcs11.wrapper.PKCS11Exception.
Error 1: CKR_ATTRIBUTE_TYPE_INVALID
In our experience this error appears when you don’t specify the key algorithm on the command line. You need to pass “-keyalg RSA” so that an RSA key (instead of the default DSA key) is generated on the eToken.
Error 2: CKR_TEMPLATE_INCONSISTENT
This one is a little nastier. It’s not well documented, but effectively keytool doesn’t generate signatures that the eToken’s PKCS#11 implementation likes (we couldn’t find any tool other than the eToken software that did). Under Windows you need a registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Aladdin\eToken\MIDDLEWARE\GENERAL
The key is a DWORD value named “TolerantX509Attributes” set to “1”. But what about Mac and Linux? There you need to edit the eToken config file, /etc/eToken.conf, and under its “[GENERAL]” section add the line:
TolerantX509Attributes=1
This will allow keytool (and other PKCS#11 tools) to generate and store keypairs on your USB eToken.
A Command Line Example
keytool -v -genkeypair -keyalg RSA -alias myKey -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/me/pkcs11.conf
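The Linux/Mac config edit and the SunPKCS11 provider file that keytool’s -providerArg points at, as an added shell example (not from the original post): ensure_tolerant adds TolerantX509Attributes=1 under [GENERAL] idempotently, and write_pkcs11_conf emits the provider config. The library path /usr/lib/libeTPkcs11.so and the config locations are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example, not the post's own code. Paths are ASSUMPTIONS:
#   /etc/eToken.conf          eToken middleware config (from the post)
#   /usr/lib/libeTPkcs11.so   eToken PKCS#11 library (assumed location)
set -eu

# ensure_tolerant FILE: make sure TolerantX509Attributes=1 is present in the
# [GENERAL] section of FILE. Creates the file or the section if missing and
# replaces any other value of the key, so repeated runs leave one setting.
ensure_tolerant() {
  conf="$1"
  [ -f "$conf" ] || : > "$conf"
  if grep -q '^TolerantX509Attributes=1$' "$conf"; then
    return 0
  fi
  # drop any stale TolerantX509Attributes=... line before inserting ours
  grep -v '^TolerantX509Attributes=' "$conf" > "$conf.tmp" || true
  if grep -q '^\[GENERAL\]$' "$conf.tmp"; then
    # insert directly after the [GENERAL] header
    awk '{ print } /^\[GENERAL\]$/ { print "TolerantX509Attributes=1" }' \
      "$conf.tmp" > "$conf"
  else
    { cat "$conf.tmp"; printf '[GENERAL]\nTolerantX509Attributes=1\n'; } > "$conf"
  fi
  rm -f "$conf.tmp"
}

# tolerant_enabled FILE: exit 0 only if the setting sits inside [GENERAL]
# (a copy of the line under another section would not take effect).
tolerant_enabled() {
  awk '/^\[/ { s = $0 }
       s == "[GENERAL]" && $0 == "TolerantX509Attributes=1" { f = 1 }
       END { exit !f }' "$1"
}

# write_pkcs11_conf FILE LIBRARY: minimal SunPKCS11 provider config, the
# file named by keytool's -providerArg (name + library are the two
# mandatory attributes of that format).
write_pkcs11_conf() {
  printf 'name = eToken\nlibrary = %s\n' "$2" > "$1"
}

# Typical use (requires root for /etc/eToken.conf), followed by the
# keytool invocation from the post:
#   ensure_tolerant /etc/eToken.conf
#   write_pkcs11_conf "$HOME/pkcs11.conf" /usr/lib/libeTPkcs11.so
#   keytool -v -genkeypair -keyalg RSA -alias myKey -keystore NONE \
#     -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 \
#     -providerArg "$HOME/pkcs11.conf"
```

Run tolerant_enabled on the edited file before retrying keytool; CKR_TEMPLATE_INCONSISTENT will persist if the line landed outside [GENERAL].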