EPass2000 token + Sun PKCS#11 JCE provider

Hello,
I am trying to programmatically control an ePass2000 USB crypto token: http://www.ftsafe.com/products/viewproduct.php?p=epass2k
Unfortunately, I am having serious problems communicating with
ePass2000 token from Java. I have found no documentation on doing it
properly, but I have tried using Sun's PKCS11 JCE interface and
ep2pk11.dll like this:
in java.security:
security.provider.7=sun.security.pkcs11.SunPKCS11
${java.home}/lib/security/pkcs11.cfg
pkcs11.cfg:
name = epass_token
library = c:\windows\system32\ep2pk11.dll
Now using
keytool -keystore NONE -storetype PKCS11 -list
or
keytool -keystore NONE -storetype PKCS11 -storepass 1234 -list
should show me the list of certificates on the token. (If this works, it means
that the JCE API sees the token and can communicate with it.) I got only:
keytool error: java.security.ProviderException: Initialization failed
What is a proper way of accessing and using ePass2000 from Java?
Does the error mean that there's something wrong with the dll? The dll itself
works from firefox as PKCS#11 provider, so I believe it should work with Java
too. I am using Java 1.5.0_06.
If anyone has played with this or a similar token from Java, I'd be glad to hear
about your experiences. Right now, I can only try to write my own JNI wrapper for
the native library :(.
Juraj.

I've never tried that token, but I'm accessing a smart card using SunPKCS11 ( never with the keytool, but from code)
The problem could be the backslashes with which you specify the library: try \\ or / instead, so something like
c:/windows/system32/ep2pk11.dll

Similar Messages

  • How to retrieve public/ private from iKey token using Sun PKCS#11 provider

    Dear all,
    I'm trying to access one Rainbow iKey 2032 token in Java 1.5 (Windows environment) using the Sun PKCS#11 provider. The token is stored with a certificate. There is no problem logging into the token using Java.
    Provider p = new sun.security.pkcs11.SunPKCS11(configName);
    Security.addProvider(p);
    KeyStore ks = null;
    try {
        char[] pin = {'P','A','S','S','W','O','R','D'};
        ks = KeyStore.getInstance("pkcs11");
        ks.load(null, pin);      // logs in to the token with the PIN
    } catch (Exception e) {
        e.printStackTrace();     // login failures surface here
    }
    Now I am wondering how to retrieve a public and private key from the token, so that I can encrypt and decrypt a plain text file. Could anyone give me a sample program for this?
    Your help is very much appreciated!!

    Hi Fred13
    1. I have the same pkcs.cfg and get the following trace. Can you help me understand? Does this imply a bad dkck201.dll? I would really like to get this working for my implementation. tia.
    Exception in thread "main" java.security.ProviderException: Initialization failed
         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:175)
         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:76)
         at com.mkp.jce.chap1.ProviderDetail.main(ProviderDetail.java:38)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TOKEN_NOT_RECOGNIZED
         at sun.security.pkcs11.wrapper.PKCS11.C_GetTokenInfo(Native Method)
         at sun.security.pkcs11.Token.<init>(Token.java:105)
         at sun.security.pkcs11.SunPKCS11.initToken(SunPKCS11.java:555)
         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:169)
    2. (If I can be so indulgent of your time) Can you provide more information on cbp? I have done a search and there is little on it. It appears to be a new authentication framework tied in with sasl unique to 1.5. Any links for self education would be appreciated.
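For both the ePass2000 question at the top and the iKey request for a sample program, here is an added example (not code from either poster) that registers SunPKCS11 from a config file, lists what is on the token, and encrypts with the certificate's public key / decrypts with the on-token private key. The config path, alias and PIN are command-line arguments; the `c:/...` module path in the comment is an assumption.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.crypto.Cipher;

/**
 * Opens a PKCS#11 token through SunPKCS11, lists its entries and does an RSA
 * encrypt (public key, in software) / decrypt (private key, on the token).
 * Added example, not code from the original posts. Assumes a config file like
 *   name = epass_token
 *   library = c:/windows/system32/ep2pk11.dll
 * (forward slashes avoid the backslash-escaping problem raised in the thread).
 */
public class TokenKeys {

    /** Builds and registers the provider; a bad library path fails here with a ProviderException. */
    static Provider registerProvider(String configPath) {
        Provider p = new sun.security.pkcs11.SunPKCS11(configPath);
        Security.addProvider(p);
        System.out.println("registered: " + p.getName());   // "SunPKCS11-<name from config>"
        return p;
    }

    /** C_Login with the user PIN and return the keystore view of the token. */
    static KeyStore openToken(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Prints every entry; private keys come back as handles, never as key material. */
    static void listEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + (ks.isKeyEntry(alias) ? " [key entry]" : " [trusted cert]"));
            if (cert != null) {
                System.out.println("  subject: " + cert.getSubjectX500Principal());
                System.out.println("  SHA1:    " + fingerprint(cert));
            }
            if (ks.isKeyEntry(alias)) {
                PrivateKey priv = (PrivateKey) ks.getKey(alias, null); // PIN was already given to load()
                System.out.println("  private key handle: " + priv.getClass().getName());
            }
        }
    }

    /** Encrypts with the certificate's public key and decrypts on the token. */
    static byte[] roundTrip(Provider p, KeyStore ks, String alias, byte[] plain) throws Exception {
        PublicKey pub = ks.getCertificate(alias).getPublicKey();
        // PKCS#1 v1.5 padding is what SunJCE and tokens of that era share; prefer OAEP where the module offers it.
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, pub);
        byte[] ct = enc.doFinal(plain);

        PrivateKey priv = (PrivateKey) ks.getKey(alias, null);
        // Bind the Cipher to the token's provider: the private key is a handle that only
        // this provider can use. An unbound getInstance may pick a software provider
        // that then tries to read key material the card will not release.
        Cipher dec = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
        dec.init(Cipher.DECRYPT_MODE, priv);
        return dec.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        String configPath = args[0];      // e.g. C:/pkcs11.cfg
        String alias = args[1];
        char[] pin = args[2].toCharArray();
        Provider p = registerProvider(configPath);
        KeyStore ks = openToken(p, pin);
        Arrays.fill(pin, '\0');           // do not keep the PIN around longer than needed
        listEntries(ks);
        byte[] plain = "constructed sample text".getBytes("UTF-8");   // constructed input
        byte[] back = roundTrip(p, ks, alias, plain);
        System.out.println("round trip ok: " + Arrays.equals(plain, back));
    }
}
```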

  • Problem with Sun PKCS#11 Provider and Ativcard smart card.

    Hi,
    I'm trying to make a signature with a smartcard.
    I have no problem signing with my card in applications such as Microsoft Office, Outlook (they probably use CAPICOM or MS CryptoAPI).
    There is only one certificate on my card with a non-extractable pair of keys.
    When I'm using a Java-based application I have the following problem:
    I have Java 1.5.0 installed, and according to the reference guide on:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
    I configured "Sun PKCS#11 Provider".
    In file:
    %JAVA_HOME%/lib/security/java.security I inserted the following lines:
    # Configuration for security providers 1..6 omitted
    security.provider.7=sun.security.pkcs11.SunPKCS11 C:/pkcs11.cfg
    In my case (I'm using ActivCard) the file "C:/pkcs11.cfg" contains:
    name = ActivCard
    library = c:\windows\system32\acpkcs211.dll
    After that I try to use the configured provider with keytool.exe from the JDK.
    In cmdline:
    c:\Program Files\Java\jdk1.5.0_06\bin>keytool.exe -keystore NONE -storetype PKCS11 -list
    Enter keystore password:  1111
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-ActivCard
    Your keystore contains 1 entry
    Cinek's dp ID, keyEntry,
    Certificate fingerprint (MD5): 36:19:DD:01:2E:A2:C5:F6:51:44:03:74:14:D5:62:C0
    So till now everything looks ok. Certificate is accessible.
    But when I try to use jarsigner.exe to sign something:
    c:\Program Files\Java\jdk1.5.0_06\bin>jarsigner.exe -keystore NONE -storetype PKCS11 D:\Applet.jar "Cinek's dp ID"
    Enter Passphrase for keystore: 1111
    jarsigner error: java.lang.NullPointerException
    I've got the java.lang.NullPointerException!
    To find the reason for the exception I've written a simple application, which signs a byte array:
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.cert.Certificate;
    import java.util.Enumeration;
    public class Main {
         public static void main(String[] args) throws Exception {
              PrivateKey privkey = null;
              char[] pin = { '1', '1', '1', '1' };
              KeyStore smartCardKeyStore = KeyStore.getInstance("PKCS11");
              smartCardKeyStore.load(null, pin);
              Enumeration aliasesEnum = smartCardKeyStore.aliases();
              if (aliasesEnum.hasMoreElements()) {
                   String alias = (String) aliasesEnum.nextElement();
                   privkey = (PrivateKey) smartCardKeyStore.getKey(alias, null);
                   byte[] aDocument = new byte[100];
                   // no provider given: the JCA picks the first provider that accepts the key
                   Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
                   signatureAlgorithm.initSign(privkey);
                   signatureAlgorithm.update(aDocument);
                   byte[] digitalSignature = signatureAlgorithm.sign();
              }
         }
    }
    When I've run this application, in the last line, in the method signatureAlgorithm.sign(), I got:
    Exception in thread "main" java.lang.NullPointerException
         at java.math.BigInteger.modPow(Unknown Source)
         at sun.security.rsa.RSACore.crtCrypt(Unknown Source)
         at sun.security.rsa.RSACore.rsa(Unknown Source)
         at sun.security.rsa.RSASignature.engineSign(Unknown Source)
         at java.security.Signature$Delegate.engineSign(Unknown Source)
         at java.security.Signature.sign(Unknown Source)
         at Main.main(Main.java:31)
    In debug, before this exception variables are:
    alias= "Cinek's dp ID"
    privkey =
    SunPKCS11-ActivCard RSA private key, 1024 bits (id 192168768, token object, not sensitive, extractable)
      modulus:          112271510887039102410124262012976131016781096451891854145879061791454872222254764386718257162446565027910080375427552248069203548913907633164297672417327888344423061606707834842776634133861005271620794248782338105033496749719965719732501903618453514554701005390412127008091861831421936757053019877456102263703
      public exponent:  65537
      private exponent: null
      prime p:          null
      prime q:          null
      prime exponent p: null
      prime exponent q: null
      crt coefficient:  null
    As you can see, the private key has the extractable attribute set, which is wrong. The attribute is set and the key has no values.
    I think that can be the reason for the NullPointerException. (Maybe when extractable = true, the sign() method expects the key values to be filled.)
    So, I can not sign anything.
    I tried to add some additional attributes to the file "C:/pkcs11.cfg":
    attributes(*,CKO_PRIVATE_KEY,*) = {
      CKA_EXTRACTABLE = false
    }
    but with no effect. The key was still extractable.
    Can you help me to solve this problem?
    PS. I'm using acpkcs211.dll (v3.2.102.0) as an implementation of PKCS#11. (ActivCard says that it is a PKCS#11 v2.11 implementation.)
    PS2. Sorry for my English

    Can I ask you one question?
    Which driver did you specify? I mean the smartcard reader driver or the driver for the smartcard itself?
    If the second, does it come along with the card? Because as far as I know I just got the smart card but no software at all (apart from the smartcard reader driver).
    Can you help me out with this?
    thanks in advance,
    Marco

  • Problem working with Sun PKCS#11 provider - CKR_USER_NOT_LOGGED_IN

    Hi, I was trying out the new Sun PKCS#11 provider in J2SE 1.5 RC. I am not able to generate an RSA certificate and store it into the PKCS#11 device (HSM) keystore.
    Below is the command I gave
    java sun.security.tools.KeyTool -genkey -keystore NONE -storetype PKCS11 -genkey -v -alias "acs_visa_server" -keyalg "RSA" -sigalg "SHA1WithRSA" -keysize "1024" -validity "800" -dname "cn=192.168.1.1,ou=Test Technology,o=Test Ltd.,l=Test,S=Test,c=IN"
    The output is like this
    Enter keystore password: 1234
    Generating 1,024 bit RSA key pair and self-signed certificate (SHA1WithRSA)
    for: CN=192.168.1.1, OU=Test Technology, O=Test Ltd., L=Test, ST=Test, C=IN
    keytool error: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
    And is there a way to manage private keys, i.e., store/delete/export to the keystore using Java code? Thanks in advance for the help.

    I am a developer :-). The HSM vendor has just implemented the PKCS#11 dll compliant with PKCS#11 v2.10, and I am able to access the tokens and generate the keys using their tools written in C++.
    It looks like I need to give the user's PIN for the slot and don't know how to provide it. I even tried to do it programmatically. Below is the code
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.security.AuthProvider;
    import java.security.KeyStore;
    import java.security.Security;
    import javax.security.auth.callback.*;

    //--------------- main code -----
    char pin[] = "1234".toCharArray();
    KeyStore ks = KeyStore.getInstance("PKCS11", providerName);
    ks.load(null, pin);
    try {
         MyGuiCallbackHandler mcb = new MyGuiCallbackHandler();
         // a SunPKCS11 instance registers as "SunPKCS11-<name>", so this lookup returns null
         AuthProvider aprov = (AuthProvider) Security.getProvider("SunPKCS11");
         aprov.login(null, mcb);
    } catch (Exception e) {
         System.out.println("Error in login : " + e);
         //return;
    }
    String args1[] = new String[] {"-genkey", "-keystore", "NONE", "-storetype", "PKCS11",
              "-genkey", "-v", "-alias", "cert_alias", "-keyalg", "RSA", "-sigalg", "SHA1WithRSA",
              "-keysize", "1024", "-validity", "800", "-dname",
              "cn=192.168.1.1,ou=test,o=test Ltd.,l=test,S=test,c=IN"};
    sun.security.tools.KeyTool.main(args1);

    //--------------- help class -----
    class MyGuiCallbackHandler implements CallbackHandler {
         public void handle(Callback[] callbacks)
                   throws IOException, UnsupportedCallbackException {
              for (int i = 0; i < callbacks.length; i++) {
                   if (callbacks[i] instanceof TextOutputCallback) {
                        // display the message according to the specified type
                        TextOutputCallback toc = (TextOutputCallback) callbacks[i];
                        switch (toc.getMessageType()) {
                        case TextOutputCallback.INFORMATION:
                             System.out.println(toc.getMessage());
                             break;
                        case TextOutputCallback.ERROR:
                             System.out.println("ERROR: " + toc.getMessage());
                             break;
                        case TextOutputCallback.WARNING:
                             System.out.println("WARNING: " + toc.getMessage());
                             break;
                        default:
                             throw new IOException("Unsupported message type: " +
                                       toc.getMessageType());
                        }
                   } else if (callbacks[i] instanceof NameCallback) {
                        // prompt the user for a username
                        NameCallback nc = (NameCallback) callbacks[i];
                        // ignore the provided defaultName
                        System.err.print(nc.getPrompt());
                        System.err.flush();
                        nc.setName((new BufferedReader
                                  (new InputStreamReader(System.in))).readLine());
                   } else if (callbacks[i] instanceof PasswordCallback) {
                        // prompt the user for sensitive information
                        PasswordCallback pc = (PasswordCallback) callbacks[i];
                        System.err.print(pc.getPrompt());
                        System.err.flush();
                        pc.setPassword(readPassword(System.in));
                   } else {
                        throw new UnsupportedCallbackException
                                  (callbacks[i], "Unrecognized Callback");
                   }
              }
         }

         // Reads user password from given input stream.
         private char[] readPassword(InputStream in) throws IOException {
              System.out.println("Sending pin as 9876");
              return "9876".toCharArray();
         }
    }
    And this is the output
    Error in login : java.lang.NullPointerException
    Generating 1,024 bit RSA key pair and self-signed certificate (SHA1WithRSA)
    for: CN=192.168.1.1, OU=test, O=test., L=test, ST=test, C=IN
    keytool error: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
    Thanks again
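As an added example (not the poster's code), this shows the two things the snippet above gets wrong: the provider must be looked up under the name SunPKCS11 actually registers, and the PIN can be handed to `AuthProvider.login` from memory through a `CallbackHandler` instead of a console prompt; it then generates an RSA pair inside the token. The config `name` attribute and the PIN are assumed to arrive as command-line arguments.

```java
import java.io.IOException;
import java.security.AuthProvider;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;

/**
 * Logs in to a PKCS#11 token through the AuthProvider API with a PIN the
 * application already holds, then generates an RSA key pair inside the token.
 * Added example, not the poster's code. Assumes a SunPKCS11 instance was
 * registered from a config whose "name" attribute is passed as args[0].
 */
public class TokenLogin {

    /** Answers the provider's PasswordCallback from memory; nothing is read from the console. */
    static final class PinHandler implements CallbackHandler {
        private final char[] pin;
        PinHandler(char[] pin) { this.pin = pin.clone(); }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(pin);   // setPassword clones the array
                } else if (cb instanceof TextOutputCallback) {
                    System.out.println(((TextOutputCallback) cb).getMessage());
                } else {
                    throw new UnsupportedCallbackException(cb, "only PIN prompts are handled");
                }
            }
        }
        void clear() { Arrays.fill(pin, '\0'); }
    }

    /** Looks the provider up under the name SunPKCS11 actually registers. */
    static AuthProvider findProvider(String configName) {
        // A SunPKCS11 instance registers as "SunPKCS11-<name>", so
        // Security.getProvider("SunPKCS11") returns null and casting it NPEs.
        Provider p = Security.getProvider("SunPKCS11-" + configName);
        if (!(p instanceof AuthProvider)) {
            throw new IllegalStateException("no provider registered as SunPKCS11-" + configName);
        }
        return (AuthProvider) p;
    }

    /** C_Login as the normal user, then generate the pair on the token. */
    static KeyPair generateOnToken(AuthProvider p11, char[] pin) throws Exception {
        PinHandler handler = new PinHandler(pin);
        try {
            p11.login(null, handler);   // PIN is supplied through the callback, not a console prompt
            // Binding the generator to the provider makes the token do the generation;
            // the returned private key is a handle, never raw key material in the JVM.
            // Keeping it under an alias is KeyStore.setKeyEntry with a certificate chain (not shown).
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p11);
            kpg.initialize(2048);       // use 1024 only if the token cannot do better
            return kpg.generateKeyPair();
        } finally {
            handler.clear();
        }
    }

    public static void main(String[] args) throws Exception {
        AuthProvider p11 = findProvider(args[0]);          // e.g. "epass_token"
        char[] pin = args[1].toCharArray();
        try {
            KeyPair kp = generateOnToken(p11, pin);
            System.out.println("generated " + kp.getPublic().getAlgorithm()
                    + " pair; private key class: " + kp.getPrivate().getClass().getName());
        } finally {
            Arrays.fill(pin, '\0');
            try { p11.logout(); } catch (LoginException ignored) { }   // C_Logout if we got that far
        }
    }
}
```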

  • Sun PKCS#11 provider ignores the PIN while loading keystore in Windows JRE

    We are using smart card based login in our GUI application. We use active client for the card reader. We are using the Sun PKCS#11 provider to read the certificate from the card. In the code we are passing the PIN while loading the keystore. It seems the PIN is getting ignored and we get the active client PIN dialog.
    PS: In the Linux JRE the PIN passed while loading the keystore is working properly.
    Below is the code snippet that I used for testing.
    public static void main(String arg[]) throws Exception {
        try {
            // Create our certificates from our CAC Card
            String configName = "card.config";
            Provider p = new sun.security.pkcs11.SunPKCS11(configName);
            Security.addProvider(p);
            char[] pin = { '1', '2', '3', '4', '5', '6' };
            KeyStore cac = null;
            cac = KeyStore.getInstance("PKCS11");
            cac.load(null, pin);
            showInfoAboutCAC(cac);
        } catch (Exception ex) {
            ex.printStackTrace();
            System.exit(0);
        }
    }

    public static void showInfoAboutCAC(KeyStore ks) throws KeyStoreException, CertificateException, FileNotFoundException, IOException {
        Enumeration<String> aliases = ks.aliases();
        int count = 0;
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            X509Certificate[] cchain = (X509Certificate[]) ks.getCertificateChain(alias);
            if (cchain != null) {
                System.out.println("Certificate Chain for : " + alias);
                for (int i = 0; i < cchain.length; i++) {
                    System.out.println(i + " SubjectDN: " + cchain[i].getSubjectDN());
                    System.out.println(i + " IssuerDN: " + cchain[i].getIssuerDN());
                }
            }
        }
    }
    content of card.config is
    name = myConfig
    library = C:\\WINDOWS\\system32\\acpkcs211.dll
    Alternatively, we can see the same behaviour if we run the following command
    keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "E:\work1\card.config" -list
    This command will ask for the PIN on the command line and again the active client PIN dialog will be prompted.
    Please let me know if this is a bug in the Sun PKCS#11 provider on Windows and whether there is any workaround to fix the issue.
    Environment details:
    OS Win XP sp3
    Java version "1.6.0_17"
    Active client library version :
    P11 Library:
    Name:  acpkcs211.dll
    Version: 4-0-0-12
    Thanks in advance
    Ruhul

    The program is just to simulate the issue. I understand that user have to pass the pin. In our GUI we have our own dialog to get the pin from user and pass it to the PKCS#11 provider that uses the pin while loading the keystore.
    cac.load(null, pin); // the pin passed in load method is not used at all
    My problem here is that even after the proper PIN is supplied by the user the active client PIN dialog is prompted. Whereas in the Linux JRE this works fine.
    We have a command line application where active client dialog popup is not acceptable. We need to get the PIN from user as command argument and load the keystore.
    Please let me know if this clarifies the confusion.
    Thanks,
    Ruhul

  • Sun PKCS#11 provider is caching PIN in applets

    I am coding an applet which uses the Sun PKCS#11 provider to encrypt data. But there I am getting a strange problem of PIN caching.
    My scenario:
    1. User login: User enters correct pin and Password is encrypted and sent to server.
    2. After log off button click, Login screen is displayed again. Now user enters wrong PIN.
    3. STRANGE Behavior: The encryption works well with the wrong key.
    1. I have removed the provider and re-added it again.
    2. Created KeyStore again,
    But all this results in same problem.

  • AccessControlException with third party JCE provider

    Hi,
    I have a third party cryptographic provider that I must use.
    I can't tell if the provider is failing to load or if actual operations are denied. All I do know is that every time it tries to actually do anything it fails with (the class that subclasses Provider is called IAIK):
    Caused by: java.security.AccessControlException: access denied (java.security.SecurityPermission putProviderProperty.IAIK)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
    at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
    at java.security.Provider.check(Provider.java:341)
    at java.security.Provider.put(Provider.java:303)
    at iaik.security.provider.IAIK.a(Unknown Source)
    at iaik.security.provider.IAIK.<init>(Unknown Source)
    It seems to me that the provider is trying to programmatically load and register itself. Obviously I have to grant permission to do this, but I don't know how, because I don't know exactly what it's trying to do.
    I did find something in the JDK docs mentioning doing something like this to the server.policy:
    grant codeBase "file:C:/Sun/AppServer7/domains/domain1/server1/lib/*" {
         permission java.security.SecurityPermission "putProviderProperty.IAIK";
    };
    But this not only doesn't work, I also need to understand it.
    I've tried using it as a standard extension and it still doesn't work.
    Would appreciate any pointers here
    Thanks
    Sam

    Hi ,
    I am using SUN ONE application server and I have a third party cryptographic provider that I must use (BouncyCastleProvider). I've modified the server.policy and java.policy files but nothing helped.
    // These permissions apply to the RD application
    grant codeBase "file:C:/Sun/AppServer7/domains/domain1/server1/lib/*" {
    permission java.security.AllPermission;
    };
    Please help.
    Thanks
    INFO: CORE3282: stdout: [02/Mar/2005 14:22:08:866] error: |AESEncryption|prepareMap|1|oSecretKey_file: /WEB-INF/config/secret_asn1.key
    INFO: CORE3282: stdout: [02/Mar/2005 14:22:08:866] error: |AESEncryption|prepareMap|1|oGenrateKeys: no
    INFO: CORE3282: stdout: [02/Mar/2005 14:22:08:897] error: |AESEncryption|AESEncryption::Constructor|1|java.security.AccessControlException: access denied (java.security.SecurityPermission putProviderProperty.BC)
    INFO: CORE3282: stdout: at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
    INFO: CORE3282: stdout: at java.security.AccessController.checkPermission(AccessController.java:401)
    INFO: CORE3282: stdout: at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
    INFO: CORE3282: stdout: at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
    INFO: CORE3282: stdout: at java.security.Provider.check(Provider.java:384)
    INFO: CORE3282: stdout: at java.security.Provider.put(Provider.java:339)
    INFO: CORE3282: stdout: at org.bouncycastle.jce.provider.BouncyCastleProvider.<init>(BouncyCastleProvider.java:52)
    INFO: CORE3282: stdout: at com.sp.fwk.golden.encryption.AESEncryption.<init>(AESEncryption.java:48)
    INFO: CORE3282: stdout: at com.sp.fwk.golden.encryption.AESEncryption.getInstance(AESEncryption.java:71)
    INFO: CORE3282: stdout: at com.sp.fwk.golden.presentation.FwkServlet.init(FwkServlet.java:72)
    INFO: CORE3282: stdout: at javax.servlet.GenericServlet.init(GenericServlet.java:258)
    INFO: CORE3282: stdout: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
    INFO: CORE3282: stdout: at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:658)
    INFO: CORE3282: stdout: at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:229)
    INFO: CORE3282: stdout: at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:505)
    INFO: CORE3282: stdout: at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
    INFO: CORE3282: stdout: at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:505)
    INFO: CORE3282: stdout: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:203)
    INFO: CORE3282: stdout: at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:505)
    INFO: CORE3282: stdout: at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:157)
    INFO: CORE3282: stdout: at com.iplanet.ias.web.WebContainer.service(WebContainer.java:598)

  • XML Digital Signature and sun PKCS#11

    Hi,
    I am trying to use xmldsig/xmlsec from Java Web Services Developer's Pack to do signing of XML documents. My goal is to use the keys from the card via sunpkcs11 to perform this signature.
    At this stage, I'm able to get the correct key from the card via Sun PKCS#11 (J2SE 5) and able to sign some data with it.
    However, when I try to sign an XML document via xmldsig, I get an error which I believe occurs while trying to read the private key from the card as a string, which results in a "not a byte[]" exception.
    At this stage, are there any ways to configure the xmldsig/xmlsec to use the pkcs11 provider?
    I understand that the current implementation of XML Digital signature is using apache XML libraries. Is the source code for the wsdp downloadable from SUN?
    If not, will it be possible to make use of the open-source apache XML jars, set it up for pkcs11 and use it instead?
    Finally, has anyone done what I'm trying to do? Will be glad to know
    Thank you in advance,
    Louis

    Hello
    Did you resolve your problem? Because I have the same when I try to sign a message
    String testData = "Hello World";
    p11KeyStore = KeyStore.getInstance("PKCS11");
    p11KeyStore.load(null, new char[] {'1', '2', '3', '4'});
    sig = Signature.getInstance("SHA1withRSA");
    sig.initSign( (PrivateKey) p11KeyStore.getKey(myAlias, null));
    sig.update(testData.getBytes());
    signatureBytes = sig.sign();
    This code fails and I get java.lang.RuntimeException: Not a byte[]
         at sun.security.pkcs11.wrapper.CK_ATTRIBUTE.getBigInteger(CK_ATTRIBUTE.java:168)
         at sun.security.pkcs11.P11Key$P11RSAPrivateKey.fetchValues(P11Key.java:419)
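Both this "Not a byte[]" failure and the NullPointerException in BigInteger.modPow from the ActivCard post above come from an unbound `Signature.getInstance("SHA1withRSA")`, which lets a software RSA provider take the card's key object and try to read its values; the added example below (not code from either post) binds the Signature to the token's provider and verifies the result with the card's certificate. It assumes the SunPKCS11 provider is already registered and takes its full name, the alias and the PIN as command-line arguments.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;

/**
 * Signs with a card-resident RSA key through the PKCS#11 provider and verifies
 * with the matching certificate. Added example, not code from either post.
 * Assumes a SunPKCS11 provider already registered (full name in args[0], e.g.
 * SunPKCS11-ActivCard) and a key-entry alias in args[1].
 */
public class CardSigner {

    /** Says what a software RSA engine would do if it were handed this key object. */
    static String describeKey(PrivateKey key) {
        // When the token reports a private key as extractable and not sensitive,
        // SunPKCS11 wraps it as an RSAPrivateKey "view". A software provider such as
        // SunRsaSign accepts that view and reads modulus/private exponent through it;
        // a card that will not release them answers with empty attributes, which is the
        // NullPointerException in BigInteger.modPow and the "Not a byte[]" from
        // CK_ATTRIBUTE.getBigInteger seen in the threads. The attributes(...) block in
        // pkcs11.cfg only shapes objects the provider creates; it cannot change the
        // flags of a key already on the card.
        if (key instanceof RSAPrivateKey) {
            return "RSA view (token flags it extractable): usable only via the PKCS#11 provider";
        }
        return "opaque handle: usable only via the PKCS#11 provider";
    }

    /** Signs on the card. The Signature is bound to the token's provider on purpose. */
    static byte[] sign(Provider p11, KeyStore ks, String alias, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        // Unbound: Signature.getInstance("SHA1withRSA") lets the JCA try providers in
        // order and a software one may grab the key first. Bound: C_Sign runs on the card.
        Signature sig = Signature.getInstance("SHA1withRSA", p11);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    /** Verifies with the public key from the card's certificate; any provider may do this. */
    static boolean verify(KeyStore ks, String alias, byte[] data, byte[] signature) throws Exception {
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        Signature ver = Signature.getInstance("SHA1withRSA");
        ver.initVerify(cert.getPublicKey());
        ver.update(data);
        return ver.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        Provider p11 = Security.getProvider(args[0]);
        if (p11 == null) throw new IllegalStateException("provider not registered: " + args[0]);
        String alias = args[1];
        char[] pin = args[2].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);                      // C_Login with the user PIN
        Arrays.fill(pin, '\0');
        System.out.println(alias + ": " + describeKey((PrivateKey) ks.getKey(alias, null)));
        byte[] data = "constructed sample document".getBytes("UTF-8");   // constructed input
        byte[] signature = sign(p11, ks, alias, data);
        System.out.println("signature length " + signature.length
                + ", verifies: " + verify(ks, alias, data, signature));
    }
}
```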

  • Sun PKCS#11 NSS Problem with CA Certificates

    There appears to be a problem with the Sun PKCS#11 provider's NSS specific functionality.
    If a Firefox 2.x based KeyStore is loaded which contains CA certificates which have been imported into the standard "Software Security Device" (and are therefore not in the root store), they are not visible as certificate entries when enumerating the KeyStore aliases.
    If a personal key/cert pair is present then the corresponding CA certs can be obtained via KeyStore.getCertificateChain(alias), but this doesn't help when I have other CAs present that need to be accessed.
    These additional CA certificates are visible via the Firefox "Certificate Manager" and via the JSS APIs. Anyone aware of this problem?

    You need to use the trustanchors nssModule, read the Java(TM) PKCS#11 Reference Guide at --
    http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
    For example, you can write your config file like this --
    name=NSS
    nssSecmodDirectory=path_of_your_dbs
    nssLibraryDirectory=path_of_dll_or_so
    nssModule=trustanchors

  • Multiple Signers/ JCE Provider

    When I try to deploy an application with jars signed by more than one party, JWS reports a problem and refuses to start the application. JCE 1.2.1 requires the provider's jar to be signed to work. So I need to have two signers: my own signed application jar and the JCE provider JAR. This problem is very serious !!!

    In your JNLP file resources section, put a line that looks like this in there in place of the references to the JCE jars:
    <extension name="Java Cryptography Extension" href="crypto.jnlp"/>
    Then, in a file called crypto.jnlp (or whatever), put entries like:
    <?xml version="1.0" encoding="utf-8"?>
    <jnlp spec="1.0+"
    codebase="http://your.url.goes.here"
    href="crypto.jnlp">
    <information>
    <title>Java Cryptography Extension</title>
    <vendor>Sun Microsystems</vendor>
    <offline-allowed/>
    </information>
    <security>
    <all-permissions/>
    </security>
    <resources>
    <jar href="jce1_2_1.jar" download="eager"/>
    <jar href="sunjce_provider.jar" download="eager"/>
    </resources>
    <component-desc/>
    </jnlp>

  • Use JCE Provider for JSSE

    As far as I know, it is not possible to use a JCE provider for the cryptographic operations of the JSSE reference implementation. The Sun implementation uses the algorithms implemented in the JSSE provider.
    There was a statement from Sun that this may change with the integration of JSSE in JDK 1.4, but with the current beta this is not the case.
    Does anybody know a jsse implementation which supports the use of a third party jce provider? Actually we want to use our own smart card based jce provider to provide a jsse compatible java ssl implementation.

    You might want to check out a product called iSaSiLk from iaik http://jcewww.iaik.at.
    I have used this product in the past. Seemed to be quite openly designed.
    iSaSiLk supports the use of third party JCE provider.
    However, they do not claim the product to be compliant with the JSSE standard.

  • Kerberos says JCE provider may not be installed

    I am using the Krb5LoginModule from JDK1.4.2_04 (deployed with BEA Weblogic 8.1) to authenticate against Active Directory. Have been looking at this for an age. Initial issues were due to case sensitive user names (something I didn't expect since because windows login doesn't care).
    Anyway the current issues is as follows:
    Authentication failed:
    JCE provider may not be installed. Cannot find any provider supporting DES/CBC/NoPadding
    javax.security.auth.login.LoginException: JCE provider may not be installed. Cannot find any provider supporting DES/CBC/NoPadding
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at ADLoginTest.main(ADLoginTest.java:45)
    Caused by: KrbException: JCE provider may not be installed. Cannot find any provider supporting DES/CBC/NoPadding
         at sun.security.krb5.internal.crypto.a0.a(DashoA6275:285)
         at sun.security.krb5.internal.crypto.a0.a(DashoA6275:258)
         at sun.security.krb5.internal.crypto.a0.a(DashoA6275:335)
         at sun.security.krb5.EncryptionKey.<init>(DashoA6275:198)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:569)
         ... 12 more
    Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting DES/CBC/NoPadding
         at javax.crypto.Cipher.getInstance(DashoA6275)
         at sun.security.krb5.internal.crypto.a0.a(DashoA6275:283)
         ... 16 more
    In the Kerberos configuration file, specified on the command line, I have the following authentication mechanism specified:
    [libdefaults]
        default_realm = <removed/>
        default_tkt_enctypes = DES-CBC-MD5 DES-CBC-CRC
        default_tgs_enctypes = DES-CBC-MD5 DES-CBC-CRC
    The funny thing is this worked previously, and has only come up today. The following jars are all on the classpath (inside the eclipse JRE definition): rt.jar, jce.jar, sunjce_provider.jar, and java.security appears to be configured correctly:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider
    security.provider.3=com.sun.rsajca.Provider
    security.provider.4=com.sun.crypto.provider.SunJCE
    security.provider.5=sun.security.jgss.SunProvider
    Any ideas what could be the problem? I even tried to reboot just in case. Does this seem like an issue with the Java application (client) or on the Active Directory (server)?
    Any help greatly appreciated ...

    This worked for me!!
    I had the same problem, it was working and I was trying various things (e.g. bouncy castle provider) to try and get RC4-HMAC(NT) encryption to work. And then the DES mode stopped working - I must have switched from the JDK to the JRE at some point. Both the JRE and the JDK have the same list of providers in the security policy file java.security - so why using the JDK works and the JRE doesn't is weird. Hopefully it is just an eclipse thing - I'll have to deploy this stuff to clients with only the JRE one day.
    Thanks for that tip!
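    A diagnostic for the error above, added here and not part of either post. Krb5LoginModule ends up calling Cipher.getInstance("DES/CBC/NoPadding"); the program below makes the same call for each enctype named in the posted krb5.conf (plus ARCFOUR for the RC4-HMAC case the reply mentions), reports which provider answers, and prints java.home so a JDK-versus-JRE mix-up like the one in the reply is visible at once. It assumes Java 5 or later for the for-each syntax; the AES entry is there for completeness and is not offered by the 1.4.2 Kerberos code.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

// Added example (not from the thread): reproduce the lookup Krb5LoginModule
// performs and show which provider, if any, supplies each Kerberos cipher.
// A NOT AVAILABLE line for DES/CBC/NoPadding is exactly the
// "JCE provider may not be installed" failure: the runtime in java.home
// lacks jce.jar/sunjce_provider.jar or has a broken java.security list.
public class KrbCipherCheck {

    // Kerberos enctype -> JCE transformation behind it.
    static final String[][] ENCTYPES = {
        {"des-cbc-crc / des-cbc-md5", "DES/CBC/NoPadding"},
        {"rc4-hmac",                  "ARCFOUR"},
        {"aes128-cts-hmac-sha1-96",   "AES/CTS/NoPadding"},
    };

    /** Name of the provider that serves the transformation, or null if none does. */
    static String providerFor(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (GeneralSecurityException e) {   // NoSuchAlgorithm or NoSuchPadding
            return null;
        }
    }

    public static void main(String[] args) {
        // Which runtime is actually running matters more than the classpath:
        // the provider list is read from <java.home>/lib/security/java.security.
        System.out.println("java.home = " + System.getProperty("java.home"));
        for (Provider p : Security.getProviders()) {
            System.out.println("  provider " + p.getName() + " " + p.getVersion());
        }
        boolean desOk = false;
        for (String[] e : ENCTYPES) {
            String who = providerFor(e[1]);
            if (e[1].startsWith("DES/") && who != null) desOk = true;
            System.out.printf("%-28s %-20s %s%n", e[0], e[1],
                    who == null ? "NOT AVAILABLE" : "via " + who);
        }
        if (!desOk) {
            System.out.println("Krb5LoginModule with DES enctypes will fail in this runtime.");
        }
    }
}
```

    Run it with the exact JRE the application container launches (the one named in its startup script or the eclipse launch configuration), not with whatever java is first on PATH; the reply above found the difference only after switching between the two.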

  • Oracle 10g + Bouncy Castle JCE provider

    Hi all,
    I'm trying to deploy the Bouncy Castle JCE provider into an Oracle environment. I've
    tried several options but none of them works.
    My environment:
    - Oracle 10.2.0.1.0 with Java version 1.4.2_08
    - Java app deployed into Oracle uses $ORACLE_HOME/javavm as $JAVA_HOME
    - I'm using bcprov-jdk14-124.jar.
    I've deployed this library into Oracle (using loadjava), I've tried to copy
    into $JAVA_HOME/lib/ext and edit $JAVA_HOME/lib/security/java.security (added
    line 'security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider'),
    I've tried to copy it into $ORACLE_HOME/jdk/jre/lib/ext and edit appropriate
    java.security file, but nothing works. I'm still getting Exception with 'The
    provider BC may not be signed by a trusted party'.
    Is anyone successfully using bcprov library in Oracle?
    Thanks a lot
    Antonin Faltynek

    Hi,
    See Michael's post in the following thread Re: loadjava sunrsasign.jar
    Kuassi http://db360.blogspot.com

  • Light Weight JCE Provider with RSA implementation

    Hi all,
    I'm working on an applet that requires RSA encryption, but I have size constraints so I cannot use the BouncyCastle provider (891 KB).
    Does anyone know where to find a lightweight JCE provider with an implementation of RSA? I've been searching for a while but without any luck!
    Thank you in advance

    You can use the lw-apis from BC and drop the JCE part. The JCE for BC is just a facade to the lw-apis anyway. And if you use the lw-apis you don't have to worry about any signing issues with the applet.
    Cheers,
    --- jon
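    What the reply means in practice, as an added example that is not jon's code or Bouncy Castle's documentation: RSA-OAEP done entirely with the lightweight org.bouncycastle.crypto classes. Nothing below goes through javax.crypto or the Security provider list, so no provider registration and none of the signed-jar checks apply, which is the point for an applet. It assumes a bcprov jar of the same era or later on the classpath (the classes used exist in the 1.2x series and are unchanged since) and Java 5 or later. The sample plaintext is constructed for the example.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;

import org.bouncycastle.crypto.AsymmetricBlockCipher;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.encodings.OAEPEncoding;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.ParametersWithRandom;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;

// Added example (not from the thread): RSA-OAEP with the Bouncy Castle
// lightweight API only. No javax.crypto, no provider, no signed-jar requirement.
// Assumes bcprov (org.bouncycastle.crypto.*) on the classpath and Java 5+.
public class LwRsaOaep {

    /** Generates a 2048-bit key pair with public exponent 65537. */
    static AsymmetricCipherKeyPair generate(SecureRandom rng) {
        RSAKeyPairGenerator gen = new RSAKeyPairGenerator();
        // strength = 2048 bits; certainty = 100 rounds for the primality test
        gen.init(new RSAKeyGenerationParameters(BigInteger.valueOf(65537), rng, 2048, 100));
        return gen.generateKeyPair();
    }

    /** RSAES-OAEP with SHA-256; use OAEP rather than raw RSA or PKCS#1 v1.5 padding. */
    static byte[] encrypt(RSAKeyParameters pub, byte[] msg, SecureRandom rng)
            throws InvalidCipherTextException {
        AsymmetricBlockCipher c = new OAEPEncoding(new RSAEngine(), new SHA256Digest());
        c.init(true, new ParametersWithRandom(pub, rng));   // OAEP needs randomness
        if (msg.length > c.getInputBlockSize()) {
            // 2048-bit key with SHA-256: at most 190 bytes per block
            throw new IllegalArgumentException("message too long for OAEP: max "
                    + c.getInputBlockSize() + " bytes");
        }
        return c.processBlock(msg, 0, msg.length);
    }

    static byte[] decrypt(RSAKeyParameters priv, byte[] ct) throws InvalidCipherTextException {
        AsymmetricBlockCipher c = new OAEPEncoding(new RSAEngine(), new SHA256Digest());
        c.init(false, priv);
        return c.processBlock(ct, 0, ct.length);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        AsymmetricCipherKeyPair kp = generate(rng);
        RSAKeyParameters pub = (RSAKeyParameters) kp.getPublic();
        RSAKeyParameters priv = (RSAKeyParameters) kp.getPrivate();

        byte[] msg = "session key material".getBytes("UTF-8");   // constructed sample input
        byte[] ct = encrypt(pub, msg, rng);
        byte[] pt = decrypt(priv, ct);
        System.out.println("ciphertext bytes: " + ct.length);      // modulus size, 256 here
        System.out.println("round trip ok:    " + Arrays.equals(msg, pt));

        // A modified ciphertext must be rejected by OAEP decoding, not decrypted to garbage.
        ct[5] ^= 0x01;
        try {
            decrypt(priv, ct);
            System.out.println("tamper check:     FAILED (no exception)");
        } catch (InvalidCipherTextException e) {
            System.out.println("tamper check:     rejected as expected");
        }
    }
}
```

    Since the question is about an applet, note that only the public-key half (generate on a server, ship the RSAKeyParameters public key, call encrypt) belongs in the applet; a private key inside an applet is readable by anyone who downloads it.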

  • An doubt about Sun PKCS#11

    Hi , everyone
    I had a doubt when I read the "Sun PKCS#11 Reference Guide". Here is the url: http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
    I found these codes:
    KeyStore.Builder builder = new KeyStore.Builder("PKCS11"); The question is I cannot find such a constructor in class KeyStore.Builder. So, why? Is that a mistake? Or something I don't know?
    is there anybody know about this? please tell me, thank you.
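    The reader is right that there is no public constructor: KeyStore.Builder is abstract with a protected constructor, and the factory is KeyStore.Builder.newInstance(type, provider, protectionParameter). The following is an added example, not the guide's code, showing that path against a SunPKCS11 provider: the PIN is supplied through a CallbackHandlerProtection so the token is only logged in when the key store is first opened, and the resulting private-key handle is used to sign. Library path and PIN are command-line arguments (assumed), the signature algorithm is assumed to be supported by the token (use SHA1withRSA on older tokens), and the data signed is constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Added example (not from the guide or the thread): open a PKCS#11 token with
// KeyStore.Builder.newInstance instead of the non-existent constructor, and sign
// with a key that never leaves the token.
// Assumptions: args[0] = PKCS#11 library path, args[1] = PIN; JDK 5-8 SunPKCS11
// constructor API; the token supports SHA256withRSA.
public class Pkcs11Signer {

    static Provider loadProvider(String library) throws Exception {
        // Forward slashes avoid the backslash-escaping problem in config files.
        String cfg = "name=token\nlibrary=" + library.replace('\\', '/') + "\n";
        return new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(cfg.getBytes("UTF-8")));
    }

    /** Supplies the PIN only when the provider asks for it (lazy login). */
    static CallbackHandler pinHandler(final char[] pin) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(pin);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: Pkcs11Signer <pkcs11-library> <pin>");
            System.exit(2);
        }
        Provider p = loadProvider(args[0]);
        char[] pin = args[1].toCharArray();

        // The documented factory; there is no public KeyStore.Builder constructor.
        KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p,
                new KeyStore.CallbackHandlerProtection(pinHandler(pin)));
        KeyStore ks = builder.getKeyStore();   // login happens here, via the handler

        // First alias that carries a private key.
        String alias = null;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("no private key on token");

        // Ask the builder for the protection parameter of this alias, then fetch the entry.
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry)
                ks.getEntry(alias, builder.getProtectionParameter(alias));
        X509Certificate cert = (X509Certificate) entry.getCertificate();

        byte[] data = "constructed sample document".getBytes("UTF-8");
        // Request the Signature from the PKCS#11 provider so the token does the RSA operation.
        Signature s = Signature.getInstance("SHA256withRSA", p);
        s.initSign(entry.getPrivateKey());   // a handle object, not key material
        s.update(data);
        byte[] sig = s.sign();

        // Verification needs only the public key, so any provider will do.
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(cert.getPublicKey());
        v.update(data);
        System.out.println("signed as " + cert.getSubjectX500Principal().getName()
                + ", " + sig.length + " bytes, verifies=" + v.verify(sig));
        Arrays.fill(pin, '\0');   // do not leave the PIN in memory longer than needed
    }
}
```

    Passing the provider explicitly to Signature.getInstance matters: without it, the first provider in java.security that offers SHA256withRSA (SunRsaSign) is chosen, and initSign then fails because it cannot use a PKCS#11 key handle.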

    Can I ask you one question?
    Which driver did you specify? I mean the smartcard reader driver or the driver of the smartcard itself?
    If the second, does it come along with the card? Because as far as I know I just got the smart card but no software at all (apart from the smartcard reader driver).
    Can you help me out with this?
    thanks in advance,
    Marco
