Replies: 1 comment
I would instead ask how well the TPM supports PKCS#11 for EC key generation. I see you generate an EC key, which works on all other HSMs tried. So it's likely something with the TPM PKCS#11 implementation. You can use one of the PKCS11 call loggers documented to trace the exact calls, and then use that to debug the TPM PKCS#11 library.
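The reply above suggests tracing the exact PKCS#11 calls with a call logger. As an added example (not part of the original discussion and not EJBCA or tpm2_pkcs11 code), this Python parser pulls every call that did not return CKR_OK, with its mechanism, out of such a trace. The trace layout is assumed to follow OpenSC's pkcs11-spy, and the sample trace, including its return code, is constructed rather than taken from the poster's system.

```python
import re

# Constructed sample in the layout assumed for OpenSC's pkcs11-spy output.
# It is NOT the poster's actual trace; the return code is illustrative only.
SAMPLE_TRACE = """\
0: C_GetFunctionList
2024-01-01 10:00:00.001
Returned:  0 CKR_OK

1: C_Initialize
2024-01-01 10:00:00.002
[in] pInitArgs = (nil)
Returned:  0 CKR_OK

2: C_OpenSession
2024-01-01 10:00:00.010
[in] slotID = 0x1
[out] *phSession = 0x1
Returned:  0 CKR_OK

3: C_GenerateKeyPair
2024-01-01 10:00:00.020
[in] hSession = 0x1
[in] pMechanism->type = CKM_EC_KEY_PAIR_GEN
Returned:  209 CKR_TEMPLATE_INCONSISTENT
"""

CALL = re.compile(r"^(\d+): (C_\w+)\s*$")               # "3: C_GenerateKeyPair"
MECH = re.compile(r"pMechanism->type\s*=\s*(CKM_\w+)")  # mechanism argument
RET = re.compile(r"^Returned:\s+(\d+)\s+(CKR_\w+)")     # "Returned:  0 CKR_OK"

def failed_calls(trace):
    """Return one dict per PKCS#11 call whose return value is not CKR_OK."""
    failures, current = [], None
    for line in trace.splitlines():
        if m := CALL.match(line):
            current = {"seq": int(m[1]), "call": m[2], "mechanism": None, "args": []}
        elif current is None:
            continue  # banner or blank line outside a call record
        elif m := RET.match(line):
            if m[2] != "CKR_OK":
                failures.append({**current, "rv": int(m[1]), "rv_name": m[2]})
            current = None
        elif line.strip():
            if m := MECH.search(line):
                current["mechanism"] = m[1]
            current["args"].append(line.strip())  # keep arguments for context
    return failures
```

Running `failed_calls` on a trace captured from SoftHSMv2 and on one captured from the TPM module shows which call and mechanism the two diverge on.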
TPM: Trusted Platform Module
EJBCA-CE version: 8.3.2
Wildfly version: 26.1.3
Ubuntu version: 22.04.3 LTS
TPM 2.0 has tpm2_pkcs11 to adopt the PKCS#11 standard; its .so file is /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.
I tried to integrate with TPM 2.0 in EJBCA-CE, and I created a crypto token successfully in EJBCA-CE; however, I failed to generate a key pair in the crypto token. The failure is like:
When I tried to integrate with SoftHSMv2, there is no such problem.
EJBCA-CE does not explicitly mention support for TPM 2.0 in its documentation. However, EJBCA generally supports hardware security modules (HSMs) that provide a decent PKCS#11 implementation.
Since TPM 2.0 can implement PKCS#11, how well does EJBCA-CE support TPM?