Generating a certification signing request

Hi all,
I am currently writing a Java Card application and I would like to create a CSR, but my private key shouldn't leave the card. However, for signing a CSR I need a private key. In the Java Card API I found no support for something like this. Any idea how to solve this problem? Btw. I am using a JCOP 41 card for development.
Thanks,
erno
Edited by: sect0r1 on Mar 27, 2010 6:11 AM

Hi Shane,
thank you for your reply!
I think it is the fifth step which I do not understand:
safarmer wrote:
    5. Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
What I do is create the message digest and send it to the card to be signed. But when I try to sign the CSR with openssl, the following error appears: "Signature did not match the certificate request"
As you told me, the applet only encrypts the hash:

    RSACipher.init(PrivateKey, Cipher.MODE_ENCRYPT);
    RSACipher.doFinal(CSR, (short) 0, (short) CSR.length, CSRSigned, (short) 0);

And the off-card code for preparing the CSR after getting the public key is the following:

    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.PrintStream;
    import java.math.BigInteger;
    import java.security.GeneralSecurityException;
    import java.security.Key;
    import java.security.MessageDigest;
    import java.security.Signature;
    import javax.security.auth.x500.X500Principal;
    import sun.misc.BASE64Encoder;
    import sun.security.pkcs.PKCS10;
    import sun.security.pkcs.PKCS10Attributes;
    import sun.security.util.DerOutputStream;
    import sun.security.util.DerValue;
    import sun.security.x509.X500Name;
    import sun.security.x509.X500Signer;

    // Host-application methods. PubKey (the card's RSA public key), PROCESS_SIGN_CERT_REQUEST_INS
    // and the prepareAPDU/exchangeAPDUs/checkAPDUStatus helpers are defined elsewhere in the class.
    private static void prepareEncCSR(CadT1Client cad) throws IOException, GeneralSecurityException {
        byte[] encCSR = null;
        // The Signature object is never initialised: the CSR is not signed here but on the card.
        // It only carries the algorithm identifier (sha1WithRSAEncryption) into the request.
        Signature signature = Signature.getInstance("SHA1withRSA");
        // Build the subject name.
        String info = "CN=cn, OU=ou, O=o, C=cn, ST=city";
        X500Principal x500 = new X500Principal(info);
        X500Name x500name = new X500Name(x500.getEncoded());
        X500Signer x500signer = new X500Signer(signature, x500name);
        // Build an instance of PKCS10 with the public key from the card.
        PKCS10 pkcs10 = new PKCS10(PubKey);
        // Encode the request and have the card sign it.
        encCSR = encodeAndSign(x500signer, pkcs10, cad);
        // Store the request PEM-encoded (base64 between the header and footer lines).
        FileOutputStream certfos = new FileOutputStream("CertReq.pem");
        PrintStream ps = new PrintStream(certfos);
        BASE64Encoder encoder = new BASE64Encoder();
        ps.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
        encoder.encodeBuffer(encCSR, ps);
        ps.println("-----END NEW CERTIFICATE REQUEST-----");
        ps.close();
        certfos.close();
    }

    public static byte[] encodeAndSign(X500Signer requester, PKCS10 pkcs10, CadT1Client cad)
            throws GeneralSecurityException, IOException {
        DerOutputStream out, scratch;
        byte[] certificateRequestInfo;
        byte[] sig;
        byte[] encCSR;
        X500Name subject = requester.getSigner();
        // Encode the CertificationRequestInfo, wrapped in a SEQUENCE, as the value to be signed.
        scratch = new DerOutputStream();
        // PKCS #10 v1.0 version number.
        scratch.putInteger(BigInteger.ZERO);
        // X.500 subject name.
        subject.encode(scratch);
        // Subject public key (SubjectPublicKeyInfo).
        Key subjectPublicKeyInfo = pkcs10.getSubjectPublicKeyInfo();
        scratch.write(subjectPublicKeyInfo.getEncoded());
        // Attributes (an empty set here).
        PKCS10Attributes attributeSet = new PKCS10Attributes();
        attributeSet.encode(scratch);
        out = new DerOutputStream();
        // Wrap it.
        out.write(DerValue.tag_Sequence, scratch);
        certificateRequestInfo = out.toByteArray();
        scratch = out;
        // Send certificateRequestInfo to the card to be signed by the private key.
        // Create a SHA-1 hash of the CertificationRequestInfo.
        MessageDigest csrMD = MessageDigest.getInstance("SHA");
        csrMD.update(certificateRequestInfo);
        byte[] hashCodeCSR = csrMD.digest();
        // Send an APDU command asking the card to sign the request.
        Apdu apdu = new Apdu();
        prepareAPDU(apdu, PROCESS_SIGN_CERT_REQUEST_INS);
        // Add the hash to be signed to the APDU data. Note that only the bare 20-byte digest
        // is sent; the DigestInfo wrapper of step 5 is not built around it here.
        apdu.setDataIn(hashCodeCSR);
        exchangeAPDUs(apdu, cad);
        checkAPDUStatus(apdu, "Error asking for signing CSR");
        // Get the signature returned in the APDU response.
        sig = apdu.getDataOut();
        // Add the signature algorithm identifier.
        requester.getAlgorithmId().encode(scratch);
        // Add the signature as a DER BIT STRING.
        scratch.putBitString(sig);
        // Wrap CertificationRequestInfo, algorithm identifier and signature in the outer SEQUENCE.
        out = new DerOutputStream();
        out.write(DerValue.tag_Sequence, scratch);
        encCSR = out.toByteArray();
        return encCSR;
    }

The encodeAndSign is similar to this encodeAndSign, but modified to be adapted to what I need.
I do not understand what the problem is at all; could you help me? Taking into account openssl's reply, I think the problem is in the way of signing.
Thank you in advance,
E_L
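To make step 5 concrete, here is an added Java SE example (not the poster's code and not Java Card code). It builds the DigestInfo for a SHA-1 digest, stands in for the on-card RSACipher with a JCE Cipher in PKCS1Padding mode using the private key (SunJCE applies the block type 01 signature padding for a private key), and checks both outputs with a standard SHA1withRSA verifier, which is the same check openssl performs on the CSR: the bare-hash output fails to verify and the DigestInfo output passes. The CertificationRequestInfo bytes are a constructed placeholder.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;
import javax.crypto.Cipher;

public class DigestInfoCheck {
    // DER-encoded DigestInfo prefix for SHA-1 (PKCS#1 v1.5 / RFC 3447 section 9.2, note 1):
    // SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 digest bytes follow) }
    static final byte[] SHA1_DIGESTINFO_PREFIX = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
    };

    // Step 5 of the thread: wrap the bare digest in its DigestInfo structure.
    static byte[] digestInfo(byte[] sha1Digest) {
        if (sha1Digest.length != 20) throw new IllegalArgumentException("SHA-1 digest expected");
        byte[] out = Arrays.copyOf(SHA1_DIGESTINFO_PREFIX, SHA1_DIGESTINFO_PREFIX.length + 20);
        System.arraycopy(sha1Digest, 0, out, SHA1_DIGESTINFO_PREFIX.length, 20);
        return out;
    }

    // Stand-in for the on-card RSACipher.doFinal: PKCS#1 v1.5 padding, private key, encrypt mode.
    static byte[] cardStyleEncrypt(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, priv);
        return rsa.doFinal(data);
    }

    // The check a CA (or "openssl req -verify") performs on the finished request.
    static boolean verifies(PublicKey pub, byte[] certificationRequestInfo, byte[] sig)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA1withRSA");
        v.initVerify(pub);
        v.update(certificationRequestInfo);
        try {
            return v.verify(sig);
        } catch (SignatureException e) {
            return false; // a malformed DigestInfo is reported as an encoding error by some providers
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Constructed placeholder for the DER CertificationRequestInfo built off-card.
        byte[] cri = "constructed CertificationRequestInfo bytes".getBytes(StandardCharsets.US_ASCII);
        byte[] hash = MessageDigest.getInstance("SHA-1").digest(cri);

        byte[] sigBareHash = cardStyleEncrypt(kp.getPrivate(), hash);              // what the applet does now
        byte[] sigDigestInfo = cardStyleEncrypt(kp.getPrivate(), digestInfo(hash)); // with step 5 applied
        System.out.println("bare hash verifies:  " + verifies(kp.getPublic(), cri, sigBareHash));
        System.out.println("DigestInfo verifies: " + verifies(kp.getPublic(), cri, sigDigestInfo));
    }
}
```

Whether a given card's ALG_RSA_PKCS1 cipher pads with block type 01 when used with a private key is worth confirming against the card's documentation before relying on this flow; if it pads as block type 02 instead, a javacard.security.Signature with ALG_RSA_SHA_PKCS1 that hashes and signs the CertificationRequestInfo on the card (fed through update() calls) is the cleaner route.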

Similar Messages

  • Generate a Certificate Signing Request

    Hey guys, I'm new to the Safari developer program and I'm having problems with the Generate a Certificate Signing Request for my PC. It worked fine on my Mac but not on my windows 7 PC. I follow the steps, saving the file then opening "CMD.exe" and type in the request and place "" with  the path of the file saved in step one but once I hit enter it gives me a

    Requires a Mac and your keychain.

  • How to generate CSR (certificate signing request) in PKCS#10 format

    Hi,
    First, I am a novice in security issues.
    Problem:
    I know how to generate a CSR in PKCS#10 format with keytool. However, I need to implement this functionality in my application. Unfortunately I can't find any docs describing this issue.
    Does anybody know about some API where I just pass data and it will generate the CSR for me?
    Many Thanks,
    Miso

    Hi again,
    After lengthy research I am finally able to generate PKCS#10 cert. request files:
        import java.security.KeyPair;
        import java.security.KeyPairGenerator;
        import java.security.PrivateKey;
        import java.security.PublicKey;
        import java.security.SecureRandom;
        import java.security.Signature;
        import sun.security.pkcs.PKCS10;
        import sun.security.x509.X500Name;
        import sun.security.x509.X500Signer;

        public static void generatePKCS10() throws Exception {
            // generate PKCS10 certificate request
            KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
            // MD5 and a 1024-bit modulus are both considered weak today
            String sigAlg = "MD5WithRSA";
            // generate private key - use java.security.SecureRandom for entropy
            keyGen.initialize(1024, new SecureRandom());
            KeyPair keypair = keyGen.generateKeyPair();
            PublicKey publicKey = keypair.getPublic();
            PrivateKey privateKey = keypair.getPrivate();
            PKCS10 pkcs10 = new PKCS10(publicKey);
            Signature signature = Signature.getInstance(sigAlg);
            signature.initSign(privateKey);
            // common, orgUnit, org, locality, state, country
            X500Name x500Name = new X500Name(
                    "CName",          // CN
                    "OUnit",          // OU
                    "Organization",   // O
                    "Bratislava",     // L
                    "Slovakia",       // S
                    "SK");            // C
            // self-signs the request with the private key and stores the encoding in pkcs10
            pkcs10.encodeAndSign(new X500Signer(signature, x500Name));
            // PKCS10 request generated
            pkcs10.print(System.out);
        }
    Problem 1:
    However, this generates only a request with the X500 subject's name ("CN, OU, O, ..."). But I also want to specify other things like "Key Usage" (example: "Digital Signature, Key Encipherment, etc.") or "Generic IA5 String" (example: "Only for test purposes."). How do I do that?
    Problem 2:
    I'm also having trouble to find javadoc for "sun.security" package. As you can see, I'm using "sun.security.pkcs.PKCS10" class for generating CSR in PKCS10 format, but can't find any javadoc for it.
    Many thanks,
    Miso

  • How do I generate a Certificate Signing Request (CSR)?

    If I buy an SSL in godaddy, how do I generate the CSR? If my site is hosted in BC, who is the web server? I've had a few sites search for the name of the web server and it comes up as unknown every time.

    Hi
    You cannot host your own SSL certificate on Business Catalyst at this stage.
    When you upgrade your site with an online store and shopping cart, you don't need to worry about purchasing an SSL certificate. In fact, this system does not support SSL certificates from third-party vendors because each SSL certificate is set to a single server, and the hosting servers for the live site are built in large clusters; purchasing a certificate for every server would be cost prohibitive.
    When a customer purchases items from you, the system utilizes the secure URL that is included with every site to ensure that the customer's credit card number and other personal information entered on a live site are protected using Secure Socket Layers (SSL) technology.
    More Details :
    http://forums.adobe.com/thread/984496
    http://kb.worldsecuresystems.com/kb/secure-urls.html
    If you need an update or more in-depth information regarding the same, please get in touch with the BC support team and they will help you out.
    Thanks,
    Sanjit

  • Generating a certificate signing request

    This question was posted in response to the following article: http://help.adobe.com/en_US/as3/iphone/WS144092a96ffef7cc-371badff126abc17b1f-8000.html

    Having a problem in Windows 7 with:
        unable to write 'random state'...
    try typing and executing this in the cmd window:
        set RANDFILE=.rnd
    Fixed it for me

  • Generating Certificate signing request (CSR)

    Hello,
    We need to buy an https digital certificate for our LIVE Enterprise Portal (http://<host>:<port>/irj/portal) which would be hosted on the Internet.
    Please let me know how to generate a certificate signing request (CSR) for the same.
    Thanks & Regards,
    Ratish

    Hi rathish,
    Have a look at this [Blog|http://www.sdn.sap.com/irj/scn/weblogs;jsessionid=(J2EE3417100)ID1193319850DB11798871903065480805End?blog=/pub/wlg/2586]. It might help you.
    Regards,
    Krishna kattu.

  • Certificate signing request with subject alternative names?

    Has anyone been successful at generating a certificate signing request for a certificate that uses subject alternative names via the Server Manager GUI? It seems to skip the entire X509 section of the CSR for me.
    Command line via openssl works but I'd like to stick with the GUI for the encryption on the certificates.

    I just checked the documentation and found that your code is incorrect. IAlternativeName::StrValue contains the value for an email address, a Domain Name System (DNS) name, a URL, a registered object identifier (OID), or a user principal name (UPN). It doesn't contain a string value for a directory name (and other non-mentioned types). Instead, you need to instantiate an IX500DistinguishedName interface and initialize it from an alternative name value:
        using System;
        using CERTENROLLLib;

        class Program {
            static void Main(string[] args) {
                String RequestString = "Base64-encoded request";
                CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
                request.InitializeDecode(RequestString, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
                Console.WriteLine("Subject: {0}", request.Subject.Name);
                foreach (IX509Extension ext in request.X509Extensions) {
                    if (ext.ObjectId.Name == CERTENROLL_OBJECTID.XCN_OID_SUBJECT_ALT_NAME2) {
                        CX509ExtensionAlternativeNames extensionAlternativeNames = new CX509ExtensionAlternativeNames();
                        string rawData = ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64];
                        extensionAlternativeNames.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
                        foreach (CAlternativeName alternativeName in extensionAlternativeNames.AlternativeNames) {
                            switch (alternativeName.Type) {
                                case AlternativeNameType.XCN_CERT_ALT_NAME_DIRECTORY_NAME:
                                    // directory names are not exposed through strValue; decode the raw value as an X.500 DN
                                    IX500DistinguishedName DN = new CX500DistinguishedName();
                                    DN.Decode(alternativeName.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]);
                                    Console.WriteLine("SAN: {0}", DN.Name);
                                    break;
                                default:
                                    Console.WriteLine("SAN: {0}", alternativeName.strValue);
                                    break;
                            }
                        }
                    }
                }
            }
        }
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Certificate Signing request on Wireless LAN controller

    Does anyone know how to generate a Certificate Signing Request on 5508 controllers running 7.0.116?

    It can't be done on the WLC itself; you need to have OpenSSL on a separate device. Check the following link for a walkthrough:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    Steve

  • How to sign a certificate signing request

    Hi all,
    In the PKI process, a client generates a PKCS#10 [certificate signing request|http://en.wikipedia.org/wiki/Certificate_signing_request] (CSR see [sun.security.pkcs.PKCS10|http://www.docjar.com/docs/api/sun/security/pkcs/PKCS10.html] ), sends it to the certification authority (CA), & once the identity has been checked by the CA, the client retrieves his X.509 certificate (signed by the CA), sometimes along with the CA X.509 self-signed certificate.
    I am acting as a CA, and currently the only way I know to transform a CSR into an X.509 certificate is by using OpenSSL:
    openssl ca -config X509CA/openssl.cnf -days 365 -in CertName_csr.pem -out CertName.pem (see here).
    Is there any keytool way, or even better any sun.security.* way, to do that operation programmatically using Java code?
    Thanks for your feedback.
    Edited by: Le_Sage on 19 Apr. 2010 12:12

    That's right, found the doc here : [keytool -gencert|http://download.java.net/jdk7/docs/technotes/tools/windows/keytool.html#gencertCmd] .
    I guess the underlying code must be found under sun.security.* or com.sun.* code. I'll try to have a look.
    Thanks for your feedback.

  • Generation of 1024 bits key certificate signing request-sun one app srvr 7

    Kindly help me generate a 1024-bit key certificate signing request in Sun ONE Application Server 7. The problem I am facing is that during CSR generation the key length is 512, as this is the default value. Now I would like to change this default value and generate a key with length 1024. Kindly help me.
    Thanks in advance
    Vishnu Priyan

    OK, post a new Topic, title it Need help with self-signed certificate
    Before you post, search the forums for the problem. Do the footwork.
    Then, take your time, post exactly which of these steps you have taken, what the results were, and exactly where you are having problems, what the exact problem is (error message, whatever).
    You are going to have much better response if someone can easily figure out what the problem you are having is. If you look at this thread, you will see "I have tried these 10 steps and they don't work". You are going to get nowhere with that.
    I have to sleep now, good luck.

  • Certificate Signing Request CSR

    Hi All,
    Does anyone know how to generate a Certificate Signing Request (CSR) from Oracle OC4J Application Server?
    I'm using this command
    "keytool -genkey -keyalg RSA -keystore.jks -storepass 123456"
    Then I just complete the details before getting this error:
    "keytool error: java.lang.IllegalStateException: masked envelope"
    Am I doing the correct things or not?
    TQ For your help.

    Sorry, it's my fault actually, because I ran it in the wrong directory. I ran it in the ORACLE_HOME directory; it should be in the ORACLE_HOME/j2ee directory...
    But if you use Oracle Wallet Manager, it's easier...

  • How to create a certificate signing request that works with Microsoft CA

    Hi, I have created a certificate signing request file with keytool. When I try to create a certificate from it with CertReq (I use a Microsoft CA) I get the following error message:
    Certificate not issued (Denied) Denied by Policy Module The request does not contain a certificate template extension or the CertificateTemplate request attribute. (The request contains no certificate template information. 0x80094801 (-214687 5391)) Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module The request does not contain a certificate template extension or the CertificateTemplate request attribute.
    How do I create a certificate signing request file so that a Microsoft CA will accept it and create a certificate from it? Thanks, Linh.

    I'm writing an application about X.509 to deal with certificates and certificate requests.
    I found that DER format certificate requests created by Sun's software have no extensions.
    I think this causes your error. Maybe the MS CA can't identify such a request! So it's difficult to solve this problem unless MS or Sun change their code.
    JStranger

  • Generating a content location request

    Hi,
    I'd like to generate a content location request from within a task sequence using my .NET code. Assuming these are the correct classes, can anyone give me an example of using ContentLocationRequest etc. from the messaging SDK? Thanks.
    Simon Burbidge

    Why do you want to re-invent something that's already built into the product? What's the reason behind it? Answering that question would help to understand what you are trying to achieve ...
    Torsten Meringer | http://www.mssccmfaq.de

  • CF 9.0.2 and Oracle - On update returns error "Auto-generated keys were not requested..."

    We have a simple update statement to Oracle 11g Database. When running the statement the data is not getting updated and we are getting an error "Auto-generated keys were not requested, or the SQL was not a simple INSERT statement. ErrorCode=0 SQLState=HY000". We found this error by dumping the SQL to a file.
    But most other Update statements are working fine.
    Also, the same statement works for Oracle 10g and ColdFusion 9.0.0.
    Any idea if this is a problem with ColdFusion or Oracle? Is there any resolution?
    I found the CF 8 had a similar issue and was fixed in a hotfix (http://helpx.adobe.com/coldfusion/kb/error-auto-generated-keys-requested.html).

    Hi,
    Thanks. I compiled my code using JDeveloper 10.1.2; I didn't dare to use the latest. It works in the 10g apps server. When I deployed to the 9ias apps server, those weird errors showed up. Unfortunately, our dev environment is at a newer version than the production one.
    So, you think the error is generated because I referenced some newer technologies that were not provided by 9ias?
    Jia

  • Certificate Signing Request never arrives

    I have created a CA using Certificate Assistant and have managed to create two certificates for myself locally and get Mail to recognise the keys and certificates for those email accounts. Everything works as expected.
    However, when I send a CSR (Certificate Signing Request) from Certificate Assistant on another computer, nothing ever shows up in my inbox for me to sign.
    What happened to the CSR? I'm pretty sure it left because I locked the keychain with my email password on first and Certificate Assistant asked me to unlock it, presumably to send the message as there's nothing else on that keychain (I've been trying to debug this for a couple of hours now). Regular email sent from the second computer arrives almost instantaneously at the first.
    Any ideas / similar experiences?

    Tried the same thing, same issue. There is not even anything about sending mail in the logs. I wonder ... is this actually implemented?
    Apple help!
