Managing Smart Cards (alladin + crypto provider)

hi
Does anyone know how to get Aladdin cards working with a crypto provider (CryptoPro (http://www.cryptopro.ru/) or signal-com (http://signal-com.ru/)) on Windows 2003 R2 or 2008 R2?

Hi,
when you work with only one smart card reader you usually address slot -1, which means "the first found".
But to deal with multiple readers you have to use slot numbers, of course, since one reader will be slot 0, the next reader will be slot 1 and so on...
So a credential object is identified on a system by a pair
<slot,alias>
After that, the way to address slots (I mean the syntax) depends on the classes you are using...
Bye

Similar Messages

  • Need advice for an application that restricts access to other applications using a smart card

    Hello everybody,
    I am developing a system that uses a smart card reader attached to a USB port of a PC.
    What the system should provide is:
    When the computer boots up and shows the user login screen, a user who was previously registered can use his smart card to access the system instead of entering his password.
    Once the user is logged in, when he tries to launch an application which has previously been marked as "secured", a dialog box is shown indicating that the user has to present his smart card. If the smart card has access to the application, the application is launched; otherwise an error message is shown to the user and the application is not executed.
    I develop in C++ and C#. I have already created a library (in Visual C++) that manages the smart card reader and provides the card presented to it.
    Now I am developing the application (in C#) that will configure the security (assigning cards to users and applications).
    Concerning this, I have 2 questions regarding each point above:
    Is it possible to create the centralized application that lists all users and allows assigning cards to them? Then, when the user login screen is shown, the system must access that data before logging in, so that it can check which card was presented and what user it corresponds to. I have seen in laptops that have embedded fingerprint readers that a user must log in to his account first and then he can register his fingerprints. In fact, what I need to do is something similar, but with a smart card reader instead of a fingerprint reader. So, perhaps, the user must log in to his account first and then he will be able to add his card and store that information somewhere (in the Windows registry maybe).
    How can I launch my application when another application is executed but before its interface is actually shown? This is similar to what antivirus programs do, because they check the executable before it is actually run. What is the best method to address the application? By executable file name? Process name? Or other? If the best is by process name, how can I know the process name without actually running the application?
    Well, that is all I need to do. Please advise regarding this subject.
    I look forward to hearing from you,
    Best regards,
    Jaime
    Powered by C++

    > what was the guidance?
    1. Research other software that does similar things (not just exactly the same) as you need. If you like something in their solutions, copy it :)
    The only software I know that does that is an antivirus, but I have been unlucky in finding some code in C++ that allows intercepting the program execution before actually executing it.
    2. If a kernel driver would fit in your solution, go for it (google for what is available for free, or find a consultant to write it for you).
    There is a lot of information about kernel drivers, but the question is, is that really the solution?
    Otherwise, you can just hide the application from the user's reach and substitute the executable in shortcuts, etc. to run your program instead.
    Definitely this is not the way to go
    What is the best method to address the application? by executable file name? process name? or other?
    By executable file name, like in the Windows AppLocker, I think. Processes do not have names (they are an artifact of Task Manager and debugging tools, to represent the processes for the user somehow). Or, only by the filename part of the full path.
    I agree with that
    if the best is by process name, how can I know the process name without actually running the application?
    When the user runs the application, the driver will detect this and do its magic.
    I have found this page: http://stackoverflow.com/questions/3556048/how-to-detect-win32-process-creation-termination-in-c. They mention WMI, but I will study it tomorrow... it is so late for today :-)
    Regards,
    -- pa
    Regards
    Jaime
    Powered by C++

  • Provider problem by building a secure transmission to a Smart Card

    Hi
    I have this problem:
    I must accomplish a secure transmission with a smart card,
    so the transmission is RSA encrypted.
    An RSA key is generated, without any problems I think, because the modulus is printed out
    and because it writes the key to the card.
    But when the transmission with the card begins, the program breaks with the error message that it could not find any RSA provider.
    I use:
    - Java 1.4.1
    - bcprov-jdk14-117.jar
    - JCE unrestricted policy files
    - cryptix-jce-20030102-snap
    - FlexiFullProvider-1.1.3.signed.jar
    - OCF 1.2
    The program code which causes the error:
    Line 78
    public boolean enableSecureMessaging(CardFilePath path, byte keyNumber)
         throws NoSuchAlgorithmException,
                InvalidKeyException,
                CardServiceException,
                CardTerminalException {
         KeyPairGenerator rsaKeyPairGenerator;
         KeyPair rsaKeyPair;
         RSAPubKey     rsaPublicKey;
         RSAPrivCrtKey rsaPrivateKey;
         RSAPrivateKeySpec rsaPrivateKeySpec;
         DESedeKeySpec desKeySpec;
         IV iv;
         byte[] modulus;
         byte[] exponent;
         byte[] privateExponent;
         byte[] modulusRecord;
         byte[] exponentRecord;
         byte[] sessionKey;
         CredentialBag credentialBag;
         TCOS2CredentialStore credentialStore;
         ReceiveRSACommunicationCredential rsaCommunicationCredential;
         DESedeCommunicationCredential desCommunicationCredential;
         PassThruCommunicationCredential passThruCommunicationCredential;
         // - Initialise the RSA KeyPairGenerator and create a 512-bit key pair
         rsaKeyPairGenerator = KeyPairGenerator.getInstance("RSA");
         rsaKeyPairGenerator.initialize(0x200);
         rsaKeyPair = rsaKeyPairGenerator.generateKeyPair();
         //::B:: debugging aid: print every installed provider with its description
         Provider[] providern = java.security.Security.getProviders();
         for (int i = 0; i < providern.length; i++) {
              System.out.println(providern[i].getName());
              System.out.println(providern[i].getInfo());
              System.out.println("----------*******----------");
         }
         //::E::
         // - Extract the public and private key from the key pair
         System.out.println(rsaKeyPair);
         rsaPublicKey = (RSAPubKey)rsaKeyPair.getPublic();
         System.out.println(rsaPublicKey.toString());
         rsaPrivateKey = (RSAPrivCrtKey)rsaKeyPair.getPrivate();
         modulus = rsaPublicKey.getModulus().toByteArray();
         exponent = rsaPublicKey.getPublicExponent().toByteArray();
         privateExponent = rsaPrivateKey.getPrivateExponent().toByteArray();
         // - Write the public key components into byte arrays for record-based storage
         //   (two header bytes, then the value right-aligned in the record)
         modulusRecord = new byte[0x43];
         exponentRecord = new byte[0x06];
         modulusRecord[0x00] = (byte)0x01;
         modulusRecord[0x01] = (byte)0x41;
         exponentRecord[0x00] = (byte)0x02;
         exponentRecord[0x01] = (byte)0x04;
         System.arraycopy(modulus, 0x00, modulusRecord, 0x43-modulus.length, modulus.length);
         System.arraycopy(exponent, 0x00, exponentRecord, 0x06-exponent.length, exponent.length);
         // - Write the public key components to the card.
         //   This public key is used afterwards to encrypt the session key for the transmission
         fscs.writeRecord(path, 0x01, modulusRecord);
         fscs.writeRecord(path, 0x02, exponentRecord);
         // - Store the private key in a KeySpec
         rsaPrivateKeySpec = new RSAPrivateKeySpec(rsaPrivateKey.getModulus(),
                                                  rsaPrivateKey.getPrivateExponent());
         // - Create the credential for communicating with the card.
         //   The RAPDU from the card to the PC is encrypted with the public key stored on the card above
         credentialBag = new CredentialBag();
         credentialStore = new TCOS2CredentialStore();
         rsaCommunicationCredential = new ReceiveRSACommunicationCredential();
         System.out.println("Hier bricht die Sau ab!! [Martin, hat natürlich recht]");
         //THIS LINE CAUSES THE ERROR AS YOU SEE
         rsaCommunicationCredential.initCipher(rsaPrivateKeySpec, keyNumber, null);
         System.out.println("Das Schwein i weiter unten!! [Amir]");
         credentialStore.storeCredential(0x00, rsaCommunicationCredential);
         credentialBag.addCredentialStore(credentialStore);
    Debug Message::
    Bitte Karte einlegen
    [INFO     ] de.telesec.opencard.tcos20.service.TCOS2CardServiceFactory.getCardType
    --- message TCOS 2.0 Release 3 smart card detected
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2CardServiceFactory
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.initialize
    --- message
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.initialize
    --- message
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.initialize
    --- message
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.initialize
    --- message
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.initialize
    --- message
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    FlexiCore
    SunJSSE
    Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
    SunJCE
    SunJCE Provider (implements DES, Triple DES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
    SunRsaSign
    SUN's provider for RSA signatures
    SUN
    SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
    SunJGSS
    Sun (Kerberos v5)
    CryptixCrypto
    Cryptix JCE Strong Crypto Provider
    BC
    BouncyCastle Security Provider v1.17
    java.security.KeyPair@80fa6f
    modulus n: 0x4fa8e0ef3fba114c9a4fa74848007f611e01dc4b9ecde00dce08bcf86643a7385a82b4fb8206c6bf28ed82ce69e1541947c7a91e4528e10dc5c06c1142e10a91
    exponent e: 0x10001
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.tcosSelect
    --- message mode: 8 response mode: 0 data: DF 01 45 C1
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.buildAndSendCommandAPDU
    --- message cla ins p1 p2 data le
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.buildAndSendCommandAPDU
    --- message cred: null
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [INFO     ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.sendCommandAPDU
    --- message Command: APDU_Buffer = 00A4080004DF0145C100 (hex) | lc = 4 | le = 0
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [INFO     ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.sendCommandAPDU
    --- message Response: opencard.core.terminal.ResponseAPDU@1b9ce4b
    0000: 6F 2F 83 02 45 C1 81 02 00 50 82 03 05 41 43 85 o/..E....P...AC.
    0010: 06 01 C4 06 10 00 00 86 18 B2 00 00 00 FF FF DC ................
    0020: 00 00 00 FF FF 2A 00 00 00 FF FF EE 00 00 00 FF .....*..........
    0030: FF 90 00 ...
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.isofs.fileinfo.TCOS2CardFileInfo.TCOS2CardFileInfo
    --- message Data: 0000: 6F 2F 83 02 45 C1 81 02 00 50 82 03 05 41 43 85 o/..E....P...AC.
    0010: 06 01 C4 06 10 00 00 86 18 B2 00 00 00 FF FF DC ................
    0020: 00 00 00 FF FF 2A 00 00 00 FF FF EE 00 00 00 FF .....*..........
    0030: FF .
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.isofs.fileinfo.TCOS2CardFileInfo
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.tcosUpdateRecord
    --- message SFI: -1 Mode: 4 Record Number: 1 Data: 0000: 01 41 00 4F A8 E0 EF 3F BA 11 4C 9A 4F A7 48 48 .A.O...?..L.O.HH
    0010: 00 7F 61 1E 01 DC 4B 9E CD E0 0D CE 08 BC F8 66 ..a...K........f
    0020: 43 A7 38 5A 82 B4 FB 82 06 C6 BF 28 ED 82 CE 69 C.8Z.......(...i
    0030: E1 54 19 47 C7 A9 1E 45 28 E1 0D C5 C0 6C 11 42 .T.G...E(....l.B
    0040: E1 0A 91 ...
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.buildAndSendCommandAPDU
    --- message cla ins p1 p2 data
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.buildAndSendCommandAPDU
    --- message cred: null
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [INFO     ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.sendCommandAPDU
    --- message Command: APDU_Buffer = 00DC0104430141004FA8E0EF3FBA114C9A4FA74848007F611E01DC4B9ECDE00DCE08BCF86643A7385A82B4FB8206C6BF28ED82CE69E1541947C7A91E4528E10DC5C06C1142E10A91 (hex) | lc = 67 | le = -1
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [INFO     ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.sendCommandAPDU
    --- message Response: opencard.core.terminal.ResponseAPDU@1292d26
    0000: 90 00 ..
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.tcosUpdateRecord
    --- message SFI: -1 Mode: 4 Record Number: 2 Data: 0000: 02 04 00 01 00 01 ......
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.buildAndSendCommandAPDU
    --- message cla ins p1 p2 data
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [DEBUG    ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.buildAndSendCommandAPDU
    --- message cred: null
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [INFO     ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.sendCommandAPDU
    --- message Command: APDU_Buffer = 00DC020406020400010001 (hex) | lc = 6 | le = -1
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    [INFO     ] de.telesec.opencard.tcos20.service.TCOS2BaseCardService.sendCommandAPDU
    --- message Response: opencard.core.terminal.ResponseAPDU@5329c5
    0000: 90 00 ..
    --- thread Thread[main,5,main]
    --- source class de.telesec.opencard.tcos20.service.TCOS2BaseCardService
    Hier bricht die Sau ab!! [Martin, hat natürlich recht]
    java.lang.RuntimeException: Cannot find any provider supporting RSA
         at de.telesec.opencard.tcos20.security.credential.ReceiveRSACommunicationCredential.initCipher(ReceiveRSACommunicationCredential.java:132)
         at sample.enableSecureMessaging(sample.java:160)
         at sample.start(sample.java:522)
         at sample.main(sample.java:564)
    Process sample finished
    I hope you can help me !

    OK, I have solved the problem by myself. The solution is:
    - rsaKeyPairGenerator = KeyPairGenerator.getInstance("RSA");
    but the cipher must be
    - cipher = Cipher.getInstance("RSA/ECB/PKCS#1");
    In java.security all providers have to be disabled by adding a # before each line;
    only this line has to stay in:
    - security.provider.1=sun.security.provider.Sun
    and last you have to load the FlexiCore and Cryptix providers dynamically:
    - Security.addProvider(new de.flexiprovider.core.FlexiCoreProvider());
    - Security.addProvider(new cryptix.jce.provider.CryptixCrypto());
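A way to see which installed providers actually back the lookups that failed here, as an added example (not the poster's code, nor part of the TCOS, FlexiProvider or Cryptix libraries): it lists the providers per JCA service, registers extra providers at run time the way the fix above does, and round-trips a message through RSA with one named provider. Assumptions: a current JDK; the two provider class names are the ones from the post and are loaded only if they happen to be on the class path; a 2048-bit key instead of the 512-bit one generated above; and the standard JCA transformation name RSA/ECB/PKCS1Padding. The constructed plaintext stands in for the session key.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;

/**
 * Diagnoses "Cannot find any provider supporting RSA": which providers implement a service,
 * how to register further providers at run time, and whether a named provider's RSA works.
 */
public final class ProviderCheck {

    // Constructed sample plaintext standing in for the session key the post encrypts.
    static final byte[] MESSAGE = "constructed sample session key".getBytes(StandardCharsets.US_ASCII);

    /** Names of the providers offering the service (e.g. "Cipher", "RSA"), in lookup order. */
    public static List<String> providersFor(String type, String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /**
     * Run-time equivalent of a "security.provider.N=<class>" line in java.security, as the fix
     * above does with Security.addProvider: instantiate the provider by class name and append it
     * to the lookup order. Security.insertProviderAt(p, 1) would instead put it ahead of SUN,
     * which the poster deliberately kept as provider 1. Returns the position used, or -1 if the
     * class is not on the class path or the provider is already installed.
     */
    public static int registerProvider(String className) {
        try {
            Provider p = (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
            return Security.addProvider(p);
        } catch (ReflectiveOperationException | ClassCastException e) {
            return -1;
        }
    }

    /** Encrypts and decrypts MESSAGE with RSA/ECB/PKCS1Padding taken from one named provider. */
    public static boolean rsaRoundTrip(String cipherProviderName) throws GeneralSecurityException {
        Provider p = Security.getProvider(cipherProviderName);
        if (p == null) {
            throw new GeneralSecurityException("provider not installed: " + cipherProviderName);
        }
        // Key generation may live in a different provider than the cipher (SunRsaSign vs SunJCE),
        // so let the JCA pick it; 512-bit keys as in the post are far too small today.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] ciphertext = enc.doFinal(MESSAGE);
        Cipher dec = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
        dec.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        return Arrays.equals(MESSAGE, dec.doFinal(ciphertext));
    }

    public static void main(String[] args) throws Exception {
        // Class names from the post; both are optional and may be absent from the class path.
        System.out.println("FlexiCore at " + registerProvider("de.flexiprovider.core.FlexiCoreProvider"));
        System.out.println("Cryptix at   " + registerProvider("cryptix.jce.provider.CryptixCrypto"));
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " - " + p.getInfo());
        }
        System.out.println("KeyPairGenerator.RSA: " + providersFor("KeyPairGenerator", "RSA"));
        List<String> rsaCiphers = providersFor("Cipher", "RSA");
        System.out.println("Cipher.RSA:           " + rsaCiphers);
        if (rsaCiphers.isEmpty()) {
            System.out.println("no installed provider implements an RSA cipher");
        } else {
            System.out.println("round trip with " + rsaCiphers.get(0) + ": " + rsaRoundTrip(rsaCiphers.get(0)));
        }
    }
}
```

Run it once with the stock java.security and once after commenting providers out as the fix above does: the `Cipher.RSA` list shows directly whether any provider is left to serve `Cipher.getInstance("RSA...")`, which is the lookup the TCOS credential class reports as "Cannot find any provider supporting RSA".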

  • Error encountered while signing. Windows cryptographic service provider reported an error. Object not found. Error code:2148073489. Windows 7, Adobe Reader XI, Symantec PKI, Smart Card and CAC. I have seen other threads for this error but none have a resolution.

    Error encountered while signing. Windows cryptographic service provider reported an error. Object not found. Error code:2148073489. Windows 7, Adobe Reader XI, Symantec PKI, Smart Card and CAC. I have seen other threads for this error but none have a resolution. Any help would be appreciated.
    Sorry for the long title, first time poster here.

    This thread is pretty old, are you still having this issue?

  • Problem with Sun PKCS#11 Provider and ActivCard smart card.

    Hi,
    I'm trying to make a signature with a smartcard.
    I have no problem signing with my card in applications such as Microsoft Office, Outlook (they probably use CAPICOM or MS CryptoAPI).
    There is only one certificate on my card with non extractable pair of keys.
    When I'm using a Java based application I have the following problem:
    I have Java 1.5.0 installed, and according to the reference guide on:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
    I configured "Sun PKCS#11 Provider".
    In file:
    %JAVA_HOME%/lib/security/java.security I inserted the following lines:
    # Configuration for security providers 1..6 omitted
    security.provider.7=sun.security.pkcs11.SunPKCS11 C:/pkcs11.cfg
    In my case (I'm using ActivCard) the file "C:/pkcs11.cfg" contains:
    name = ActivCard
    library = c:\windows\system32\acpkcs211.dll
    After that I try to use the configured provider with keytool.exe from the JDK.
    In cmdline:
    c:\Program Files\Java\jdk1.5.0_06\bin>keytool.exe -keystore NONE -storetype PKCS11 -list
    Enter keystore password:  1111
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-ActivCard
    Your keystore contains 1 entry
    Cinek's dp ID, keyEntry,
    Certificate fingerprint (MD5): 36:19:DD:01:2E:A2:C5:F6:51:44:03:74:14:D5:62:C0
    So till now everything looks ok. Certificate is accessible.
    But when I try to use jarsigner.exe to sign something:
    c:\Program Files\Java\jdk1.5.0_06\bin>jarsigner.exe -keystore NONE -storetype PKCS11 D:\Applet.jar "Cinek's dp ID"
    Enter Passphrase for keystore: 1111
    jarsigner error: java.lang.NullPointerException
    I've got the java.lang.NullPointerException!
    To find the reason for the exception I've written a simple application, which signs a byte array:
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.cert.Certificate;
    import java.util.Enumeration;
    public class Main {
         public static void main(String[] args) throws Exception {
              PrivateKey privkey = null;
              char[] pin = { '1', '1', '1', '1' };
              // keystore type PKCS11 resolves to the SunPKCS11 provider configured in java.security
              KeyStore smartCardKeyStore = KeyStore.getInstance("PKCS11");
              smartCardKeyStore.load(null, pin);
              Enumeration aliasesEnum = smartCardKeyStore.aliases();
              if (aliasesEnum.hasMoreElements()) {
                   String alias = (String) aliasesEnum.nextElement();
                   privkey = (PrivateKey) smartCardKeyStore.getKey(alias, null);
                   byte[] aDocument = new byte[100];
                   Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
                   signatureAlgorithm.initSign(privkey);
                   signatureAlgorithm.update(aDocument);
                   byte[] digitalSignature = signatureAlgorithm.sign();
              }
         }
    }
    When I run this application, in the last line, in the method signatureAlgorithm.sign(), I got:
    Exception in thread "main" java.lang.NullPointerException
         at java.math.BigInteger.modPow(Unknown Source)
         at sun.security.rsa.RSACore.crtCrypt(Unknown Source)
         at sun.security.rsa.RSACore.rsa(Unknown Source)
         at sun.security.rsa.RSASignature.engineSign(Unknown Source)
         at java.security.Signature$Delegate.engineSign(Unknown Source)
         at java.security.Signature.sign(Unknown Source)
         at Main.main(Main.java:31)
    In debug, before this exception variables are:
    alias= "Cinek's dp ID"
    privkey =
    SunPKCS11-ActivCard RSA private key, 1024 bits (id 192168768, token object, not sensitive, extractable)
      modulus:          112271510887039102410124262012976131016781096451891854145879061791454872222254764386718257162446565027910080375427552248069203548913907633164297672417327888344423061606707834842776634133861005271620794248782338105033496749719965719732501903618453514554701005390412127008091861831421936757053019877456102263703
      public exponent:  65537
      private exponent: null
      prime p:          null
      prime q:          null
      prime exponent p: null
      prime exponent q: null
      crt coefficient:  null
    As you can see, the private key has the extractable attribute set, which is wrong. The attribute is set and the key has no values.
    I think that can be the reason for the NullPointerException. (Maybe when extractable = true, the sign() method expects the key values to be filled.)
    So, I cannot sign anything.
    I tried to add some additional attributes to the file "C:/pkcs11.cfg":
    attributes(*,CKO_PRIVATE_KEY,*) = {
      CKA_EXTRACTABLE = false
    }
    but with no effect. The key was still extractable.
    Can you help me to solve this problem?
    PS. I'm using acpkcs211.dll (v3.2.102.0) as an implementation of PKCS#11. (ActivCard says that it is a PKCS#11 v2.11 implementation)
    PS2. Sorry for my English
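Signing with the token's own provider, as an added example (not the poster's program and not ActivCard's or Sun's code), covering both this post and the reply at the top of the page about addressing a reader by slot index. The program configures SunPKCS11 inline instead of through java.security, opens the token keystore, lists its aliases and signs with a `Signature` obtained explicitly from the SunPKCS11 provider, so the RSA operation happens on the card and nothing depends on a key object that carries no CRT components. Assumptions: Java 9 or later (`Provider.configure`, which accepts an inline configuration when the string starts with `--`), the library path taken from the post, the first alias on the token, SHA256withRSA as the mechanism, and the `slotListIndex` attribute of SunPKCS11 as the knob for choosing among several readers (index 0 is the first reader); the class and method names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Signs on a PKCS#11 token through the token's own provider; no key bytes ever leave the card. */
public final class TokenSigner {

    /**
     * Inline SunPKCS11 configuration (assumption: Java 9+, where a string beginning with "--"
     * is parsed as the config itself). slotListIndex selects the reader when several are attached:
     * 0 is the first reader, 1 the next, matching the slot numbering described at the top of the page.
     */
    static String pkcs11Config(String name, String libraryPath, int slotListIndex) {
        return "--name = " + name + "\n"
             + "library = " + libraryPath + "\n"
             + "slotListIndex = " + slotListIndex + "\n";
    }

    /** Builds a configured SunPKCS11 provider and registers it (name becomes SunPKCS11-<name>). */
    static Provider tokenProvider(String config) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 is not available in this JDK");
        }
        Provider configured = base.configure(config);
        Security.addProvider(configured);
        return configured;
    }

    /** Opens the token keystore; the PIN is a char[] so it can be wiped after use. */
    static KeyStore openToken(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    /** Signs data with the token key behind alias, asking the token provider explicitly. */
    static byte[] sign(KeyStore ks, Provider p, String alias, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, null); // a handle to the on-card key
        if (key == null) {
            throw new IllegalArgumentException("no private key for alias " + alias);
        }
        // Provider-less getInstance could hand the handle to a software RSA implementation,
        // which needs the private components the card does not expose.
        Signature sig = Signature.getInstance("SHA256withRSA", p);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    /** Verifies with the certificate stored under alias; any provider can do this with a public key. */
    static boolean verify(KeyStore ks, String alias, byte[] data, byte[] signature) throws Exception {
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        Signature ver = Signature.getInstance("SHA256withRSA");
        ver.initVerify(cert.getPublicKey());
        ver.update(data);
        return ver.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Library path from the post (assumption that it fits your installation); reader index optional.
        String library = args.length > 0 ? args[0] : "c:\\windows\\system32\\acpkcs211.dll";
        int slotListIndex = args.length > 1 ? Integer.parseInt(args[1]) : 0;
        Provider p = tokenProvider(pkcs11Config("ActivCard", library, slotListIndex));
        char[] pin = System.console() != null ? System.console().readPassword("PIN: ") : new char[0];
        try {
            KeyStore ks = openToken(p, pin);
            List<String> aliases = Collections.list(ks.aliases());
            if (aliases.isEmpty()) {
                throw new IllegalStateException("token holds no entries");
            }
            for (String alias : aliases) {
                System.out.println("alias: " + alias + " keyEntry=" + ks.isKeyEntry(alias));
            }
            String alias = aliases.get(0);
            byte[] data = "constructed document bytes".getBytes(StandardCharsets.UTF_8); // constructed input
            byte[] s = sign(ks, p, alias, data);
            System.out.println("signature length: " + s.length + ", verifies: " + verify(ks, alias, data, s));
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in heap memory longer than needed
        }
    }
}
```

The two checks a practitioner wants here are visible in the output: the alias listing confirms the same entry keytool showed, and a true verification against the on-card certificate confirms the signature really came from that key rather than from a software fallback.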

    Can I ask you one question?
    Which driver did you specify? I mean the smartcard reader driver or the driver of the smartcard itself?
    If the second, does it come along with the card? Because as far as I know I just got the smart card but no software at all (apart from the smartcard reader driver).
    Can you help me out with this?
    thanks in advance,
    Marco

  • Token management for Integrated Smart Card

    I'm trying to move a digital identity/digital signature from my laptop keystore to a smart card on my T61p with Vista 64. I've tried the Raaksign Token Management Utility Version 2.3.0.19. When I launch that utility I run into an issue where the "Transfer ID to token" is greyed out. I know that the utility may or may not be supported on Vista 64. If this doesn't work, how do I transfer a digital ID to a token?
    Thanks!
    Mblasto
    Message Edited by mblasto on 07-06-2008 07:08 PM

    Hi, exclusive4job
    I would make sure the BIOS is up to date for your system, which can be found here. Following that, I would enter the BIOS by pressing Enter at the splash screen and then pressing F1. Once here, navigate to Security ► I/O Port Access. Make sure the Smart Card Reader is set to Enabled here.
    Best of luck. Let me know how it goes,
    Adam
    Did someone help you today? Press the star on the left to thank them with a Kudo!
    If you find a post helpful and it answers your question, please mark it as an "Accepted Solution!" This will help the rest of the community with similar issues identify the verified solution and benefit from it.

  • FIM 2010 CM deployment for Smart Card Management

    I have FIM installed and was initially getting an "Object does not exist on server" error whenever I went to Manage Profile Templates, or with a user account tried the "request a smart card" link.
    I enabled verbose logging and this is the error:
    Error loading all profile templates. Container path: CN=Profile Templates,CN=Publik Key Services,CN=Services,CN=Configuration,DC=Company,DC=Com
    I validated that the container does not exist. I manually created it and now I get past the error, but all lists of profiles are empty as the container is empty.
    At what point should this have been created/populated?
    Aaron

    The container is created when a member of the Enterprise Admins group *successfully* runs the FIM CM Configuration wizard. It appears you have either not run the wizard, or never completed it successfully.
    Brian

  • W520 Smart Card reader does not show up in Device Manager

    W520 Smart Card reader does not show up in Device Manager.
    It was working before and now nothing. Nothing happens when an SD card is plugged in.
    Could my smart card reader stop working or is this a configuration issue?
    Any thoughts?
    thanks
    Ian

    Hi  Ian,
    Welcome to the community, and thanks for the post.
    The issue is related to software. To resolve it you need to re-install the card reader driver from the web link below.
    http://support.lenovo.com/en_SG/downloads/default.page?
    After that, check if the issue gets resolved.
    Regards,
    Sameer

  • Disabling normal login and only using smart card login?

    I've managed to set up login using BELPIC (Belgian Identity Card, a smart card). However I can still log in using username/password. Is it possible to restrict the system to only using smart card login? (maybe via tweaking the authorize file?)
    Thanks

    The problem isn't with the provider part of the code - it has to do with security privileges. Java code running from the command line has full access to the file system. Servlets running inside a container do not.
    In order to access cryptographic keystores, the JVM must allow the servlet code to access local files (and through them, the device drivers to the crypto token). Servlet code running inside a web/application server container is, by design, restricted in its ability to access local files on the servlet container machine (other than configuration files and application code under the servlet context root).
    In order to continue with my project, I had to temporarily provide the servlet full access to the machine's file system in the java.policy file for your JVM, along the lines of the following:
    grant {
        permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
    };
    I hope to go back and restrict this access so that only the specific security grants are available to the servlet to access the private key (the above is too lenient).
    You will need to do something similar in your JVM's java.policy to allow the servlet to access the private key. Substitute "authProvider.SunPKCS11-NSS" with the driver for your own token.
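The same grant narrowed to one code source, as an added example that is not the reply's own policy file: a `grant codeBase` block in java.policy hands the permission only to classes loaded from the signing web application instead of to every code source on the JVM. The codeBase path and the `${catalina.base}` property are assumptions about a Tomcat-style layout; the permission line is the one the reply shows, and a real deployment will still need whatever file permissions the token driver itself requires.

```text
// Broad, as in the reply above: every code source on the JVM gets the permission.
grant {
    permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
};

// Scoped: only classes loaded from the signing web application get it (codeBase path is an assumption).
grant codeBase "file:${catalina.base}/webapps/signer/-" {
    permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
};
```

Keep only the scoped block in the deployed file; with `-Djava.security.debug=access,failure` the JVM reports exactly which permission a denied call needed, which is the quickest way to find out what else the token driver has to be granted.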

  • Problem signing PDF from smart card - BouncyCastle, IAIK Wrapper, iText

    Hello!
    I need to sign and timestamp a PDF document with a smartcard. I'm using Java 1.6, iText to manage PDF, BouncyCastle to deal with cryptography and the free IAIK WRAPPER to access the smartcard.
    I've already searched the Internet to solve my problem, read the PDF specifications about the signature and followed snippets that should've worked, but after a couple of weeks I still don't have working code, not even for the signature. All the tries I made yield messages like "Signature has been corrupted" or "Invalid signature" (I can't remember the exact messages, but they're not in English anyway :D ) when I verify the signature in Adobe Reader.
    My first goal was to use an encapsulated signature, using filter Adobe.PPKLITE, subfilter adbe.pkcs7.sha1 and a DER-Encoded PKCS#7 object as content.
    Among the tries I made, I used code such as (I don't include all modifications, just the ones I deem closer to the right approach):
         // COMMON - START
         ///// selectedKey is a iaik.pkcs.pkcs11.objects.Key instance of the private key I'm taking from the SC
         RSAPrivateKey signerPrivKey=(RSAPrivateKey)selectedKey;
         CertificateFactory certificateFactory=CertificateFactory.getInstance("X.509");
         ///// correspondingCertificate is a iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate instance of the certificate I'm taking from the SC
         byte[] derEncodedCertificate=correspondingCertificate.getValue().getByteArrayValue();
         X509Certificate signerCert=(X509Certificate)certificateFactory.generateCertificate(new ByteArrayInputStream(derEncodedCertificate));
         Provider provider=new BouncyCastleProvider();
         Security.addProvider(provider);
         ///// session is an instance of iaik.pkcs.pkcs11.Session
         session.signInit(Mechanism.SHA1_RSA_PKCS, signerPrivKey);
         File theFile = new File("C:\\toSign.pdf");
         FileInputStream fis = new FileInputStream(theFile);
         byte[] contentData = new byte[(int) theFile.length()];
         fis.read(contentData); // a single read() may return fewer bytes than the file length
         fis.close();
         PdfReader reader = new PdfReader(contentData);
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         PdfStamper stp = PdfStamper.createSignature(reader, baos, '\0');
         PdfSignatureAppearance sap = stp.getSignatureAppearance();
         // COMMON - END
         java.security.cert.X509Certificate[] certs=new java.security.cert.X509Certificate[1];
         CertificateFactory factory=CertificateFactory.getInstance("X.509");
         certs[0]=(X509Certificate)factory.generateCertificate(new ByteArrayInputStream(correspondingCertificate.getValue().getByteArrayValue()));
         sap.setSignDate(new GregorianCalendar());
         sap.setCrypto(null, certs, null, null);
         sap.setReason("This is the reason");
         sap.setLocation("This is the Location");
         sap.setContact("This is the Contact");
         sap.setAcro6Layers(true);
         PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_SHA1);
         dic.setDate(new PdfDate(sap.getSignDate()));
         dic.setName(PdfPKCS7.getSubjectFields((X509Certificate)certs[0]).getField("CN"));
         sap.setCryptoDictionary(dic);
         int csize = 4000;
         HashMap exc = new HashMap();
         exc.put(PdfName.CONTENTS, new Integer(csize * 2 + 2)); // reserve room for the hex-encoded /Contents
         sap.preClose(exc);
         MessageDigest md = MessageDigest.getInstance("SHA1");
         InputStream s = sap.getRangeStream();
         int read = 0;
         byte[] buff = new byte[8192];
         while ((read = s.read(buff, 0, 8192)) > 0)
              md.update(buff, 0, read);
         byte[] signature=session.sign(buff); // signs only the last chunk left in buff, not the digest of the whole byte range
         CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
         ArrayList list = new ArrayList();
         for (int i = 0; i < certs.length; i++)
              list.add(certs[i]); // add each certificate, not the whole array
         CertStore chainStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(list), provider);
         generator.addCertificatesAndCRLs(chainStore);
         CMSProcessable content = new CMSProcessableByteArray(md.digest());
         CMSSignedData signedData = generator.generate(CMSSignedDataGenerator.ENCRYPTION_RSA, content, true, provider);
         byte[] pk = signedData.getEncoded();
         byte[] outc = new byte[csize];
         PdfDictionary dic2 = new PdfDictionary();
         System.arraycopy(pk, 0, outc, 0, pk.length);
         dic2.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
         sap.close(dic2);
         File newOne = new File("C:\\signed.pdf");
         FileOutputStream fos = new FileOutputStream(newOne);
         fos.write(baos.toByteArray());
         fos.close();
    I figured this is the right approach, but I need a way to generate the CMSSignedData instance, which can't be done using addSigner (the only documented way I found), since the private key is not extractable from a smart card...
    Then I decided to give up and try with a detached signature:
          // COMMON - START
          // Same as above
          // COMMON - END
          java.security.cert.X509Certificate[] certs = new java.security.cert.X509Certificate[1];
          CertificateFactory factory = CertificateFactory.getInstance("X.509");
          certs[0] = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(correspondingCertificate.getValue().getByteArrayValue()));
          // SELF_SIGNED selects subfilter adbe.x509.rsa_sha1: /Contents must hold a bare PKCS#1 signature over the byte range
          sap.setCrypto(null, certs, null, PdfSignatureAppearance.SELF_SIGNED);
          sap.setSignDate(java.util.Calendar.getInstance()); // set once; the second setSignDate call was redundant
          sap.setExternalDigest(new byte[8192], new byte[20], "RSA"); // placeholders only reserve space before preClose
          sap.preClose();
          byte buff[] = new byte[8192];
          int n;
          InputStream inp = sap.getRangeStream();
          while ((n = inp.read(buff)) > 0) {
               // CKM_SHA1_RSA_PKCS hashes its input itself, so the range bytes are streamed to the token in parts;
               // signing a locally computed SHA-1 with this mechanism signs SHA-1(SHA-1(range)), which no verifier accepts
               byte[] part = new byte[n];
               System.arraycopy(buff, 0, part, 0, n);
               session.signUpdate(part);
          }
          byte[] signature = session.signFinal(); // one signing operation; a second sign() without signInit() fails
          PdfSigGenericPKCS sg = sap.getSigStandard();
          PdfLiteral slit = (PdfLiteral) sg.get(PdfName.CONTENTS);
          byte[] outc = new byte[(slit.getPosLength() - 2) / 2];
          PdfPKCS7 sig = sg.getSigner();
          sig.setExternalDigest(signature, null, "RSA"); // adbe.x509.rsa_sha1 carries no encapsulated content
          PdfDictionary dic = new PdfDictionary();
          byte[] ssig = sig.getEncodedPKCS1(); // x509.rsa_sha1 expects the PKCS#1 encoding, not a PKCS#7 blob
          System.arraycopy(ssig, 0, outc, 0, ssig.length);
          dic.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
          sap.close(dic);
          File newOne = new File("C:\\signed.pdf");
          FileOutputStream fos = new FileOutputStream(newOne);
          fos.write(baos.toByteArray());
          fos.close();
     I'm still stuck on the signature process; can anyone please tell me what I'm doing wrong and help me (snippets would be deeply appreciated), maybe even by changing approach so that I can also add a digital timestamp?
    Thank you very much in advance!
    PS: I had also tried to use the SunPKCS11 provider to access the smart card, I gave up for similar problems, but if someone has suggestions using it, they're welcome! :D
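    As an added example (not code from the post, iText or the IAIK wrapper), the two ways a PKCS#11 token can produce the PKCS#1 v1.5 signature that adbe.x509.rsa_sha1 expects, run against a software RSA key that stands in for the non-extractable card key: token-side hashing (the CKM_SHA1_RSA_PKCS path, modelled with Signature "SHA1withRSA" over the data) and host-side hashing followed by a raw CKM_RSA_PKCS operation on a DigestInfo (modelled with Cipher "RSA/ECB/PKCS1Padding" on the private key). It also shows why handing the 20-byte hash to the hashing mechanism yields a signature that fails verification. The class name, the sample range bytes and the key are constructed for the example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

/** Added example: two ways to obtain the PKCS#1 v1.5 signature that adbe.x509.rsa_sha1 expects. */
public class Pkcs1SigningPaths {
    // DER prefix of DigestInfo { sha1, NULL params, OCTET STRING (20 bytes) }; the digest follows it.
    static final byte[] SHA1_DIGEST_INFO_PREFIX = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

    /** Token-side hashing: CKM_SHA1_RSA_PKCS hashes the whole input itself, modelled here by SHA1withRSA. */
    static byte[] signWithTokenHashing(PrivateKey key, byte[] input) throws Exception {
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(key);
        s.update(input);
        return s.sign();
    }

    /** Host-side hashing: SHA-1 the range, wrap it in DigestInfo, raw CKM_RSA_PKCS on the token. */
    static byte[] signWithHostHashing(PrivateKey key, byte[] rangeData) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(rangeData);
        byte[] digestInfo = Arrays.copyOf(SHA1_DIGEST_INFO_PREFIX, SHA1_DIGEST_INFO_PREFIX.length + digest.length);
        System.arraycopy(digest, 0, digestInfo, SHA1_DIGEST_INFO_PREFIX.length, digest.length);
        // Private-key encryption with PKCS1Padding applies block type 1, which is exactly what CKM_RSA_PKCS signs
        Cipher rawRsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rawRsa.init(Cipher.ENCRYPT_MODE, key);
        return rawRsa.doFinal(digestInfo);
    }

    /** What a PDF verifier does for adbe.x509.rsa_sha1: SHA-1 over the byte range, then PKCS#1 v1.5 verify. */
    static boolean verifiesOverRange(PublicKey pub, byte[] rangeData, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA1withRSA");
        v.initVerify(pub);
        v.update(rangeData);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a software key stands in for the card key, a string for the bytes covered by /ByteRange
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] range = "constructed stand-in for the bytes covered by /ByteRange".getBytes("US-ASCII");

        byte[] tokenHashed = signWithTokenHashing(kp.getPrivate(), range);
        byte[] hostHashed = signWithHostHashing(kp.getPrivate(), range);
        // PKCS#1 v1.5 padding is deterministic, so both paths produce the identical signature
        System.out.println("paths agree: " + Arrays.equals(tokenHashed, hostHashed));
        System.out.println("token-hashed verifies: " + verifiesOverRange(kp.getPublic(), range, tokenHashed));
        System.out.println("host-hashed verifies:  " + verifiesOverRange(kp.getPublic(), range, hostHashed));

        // The post's mistake: feeding the 20-byte digest to the hashing mechanism signs SHA-1(SHA-1(range))
        byte[] digestOnly = MessageDigest.getInstance("SHA-1").digest(range);
        byte[] doubleHashed = signWithTokenHashing(kp.getPrivate(), digestOnly);
        System.out.println("double-hashed verifies: " + verifiesOverRange(kp.getPublic(), range, doubleHashed));
    }
}
```

    The first three lines print true and the last prints false; with a real token, replace the two software operations by Mechanism.SHA1_RSA_PKCS fed with the range data or Mechanism.RSA_PKCS fed with the DigestInfo.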

  • Multiple Smart Card Readers

    Hello! This is the same topic I posted on the cryptography forum, but nobody there seems to reply, so here it is again!
    I'm developing an application to sign PDF documents with smart cards. I'm using the Sun PKCS#11 provider to manage the smart card and iText to sign the document. I don't need to support OSes other than Windows.
    Everything works fine with one smart card, but I need to support two readers: they should be connected and active at the same time, on the same machine; they are exactly the same (apart from the smart card they hold) and the smart cards are from the same provider, thus use the same DLL.
    I know my problem has a solution (I saw applications managing these cases), but my question is: if it can be done with the Sun PKCS11 provider, what should I do? (I saw that you can configure 'slots', but I don't know if that has to do with my problem!) Otherwise, should I resort to C++ to work at a lower level?
    Any help is appreciated, even just a link to some documentation!
    Thank you very much!

    Hi,
    when you work with one smartcard reader only, you usually address slot -1, which means "the first found".
    But to deal with multiple readers you have to use slots, of course, since one reader will be slot 0, the next reader will be slot 1 and so on...
    So a credential object will be identified on a system by the pair
    <slot,alias>
    After that, the way to address slots (I mean the syntax) depends on the classes you are using...
    Bye
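    As an added example (not code from the thread or from the JDK documentation), the <slot,alias> addressing above expressed with the Sun PKCS#11 provider of Java 6, which the question mentions: one provider per reader, each pinned to a slot through the slotListIndex config attribute, after which a credential is the pair (provider, alias). The class name, the module path and the provider names are assumptions; the PINs are taken from the command line.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Added example: one SunPKCS11 provider per reader, pinned to a slot, so a credential is the pair (provider, alias). */
public class TwoReaders {
    // Assumed: both readers are driven by the same vendor PKCS#11 module; the path is a placeholder
    static final String PKCS11_MODULE = "C:\\Windows\\System32\\vendor_pkcs11.dll";

    /** Config text for SunPKCS11; slotListIndex is the position in C_GetSlotList, "slot" would be the CK_SLOT_ID. */
    static String configFor(String providerName, int slotListIndex) {
        return "name = " + providerName + "\n"
             + "library = " + PKCS11_MODULE + "\n"
             + "slotListIndex = " + slotListIndex + "\n";
    }

    /** Java 6 constructor taking the config as a stream (later JDKs use Provider.configure instead). */
    static Provider providerFor(String providerName, int slotListIndex) throws Exception {
        byte[] cfg = configFor(providerName, slotListIndex).getBytes("UTF-8");
        Provider p = new sun.security.pkcs11.SunPKCS11(new ByteArrayInputStream(cfg));
        Security.addProvider(p);
        return p;
    }

    /** Log in to the token behind one provider and list its aliases with the certificate subjects. */
    static void listCredentials(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(p.getName() + " / " + alias + " -> "
                + (c == null ? "(no certificate)" : c.getSubjectX500Principal().getName()));
        }
    }

    public static void main(String[] args) throws Exception {
        // Slot order follows reader enumeration and shifts when a reader is unplugged, so pick the
        // signing credential by certificate subject rather than assuming index 0 is always "reader A".
        Provider readerA = providerFor("ReaderA", 0);
        Provider readerB = providerFor("ReaderB", 1);
        listCredentials(readerA, args.length > 0 ? args[0].toCharArray() : null);
        listCredentials(readerB, args.length > 1 ? args[1].toCharArray() : null);
        // Signing then goes through the chosen provider, e.g. Signature.getInstance("SHA1withRSA", readerA)
    }
}
```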

  • T410 Smart Card problem

    I received my T410 last week and played around with it, but noticed that the smart card reader is not working correctly.
    In Device Manager, the driver is installed correctly as an integrated smart card reader.
    But when I insert a smart card, it asks to install a driver and fails.
    Any advice?
    Thanks.
    Victor

    This is a known problem and I have seen the same thing using Omnikey PCMCIA and USB smartcard readers. I would rather blame the provider of the smartcard and not Lenovo or the manufacturer of the smartcard reader.
    You can read more about the smartcard minidrivers here:
    http://support.microsoft.com/kb/976832
    There are also some workarounds to be found in that article. Take a look at the part that describes how to disable smartcard plug and play using group policy and the part that describes how to disable smartcard plug and play for a specific smartcard.
    -gan

  • Broadcom USB Smart Card reader not working

    After upgrading my Vista Business SP2 (32-bit) to Windows 7 Ultimate RC (32-bit), my Broadcom USB smart card reader does not work any longer (Dell Latitude E6400 with built-in smart card reader).
    The newest available driver from Dell support was already tested (Broadcom, driver date 09/23/2008, version 1.0.0.1, digitally signed WHQL, released by Dell in March 09), but the device cannot start (Error code 10) with Windows 7.
    With the Microsoft WUDF driver (Usbccid, driver date 06/21/2006, version 6.1.7100.0) the device starts, but whenever I insert my smart card an additional device is detected (other device - smart card) and no driver is found. The error message is: The drivers for this device are not installed. (Code 28).
    What else can I try to get this reader working again (with Vista SP2 the smart card reader was working fine with the Broadcom driver)?

    I also have a USB card reader that works fine on XP PCs, but Win7 does not recognise it. Can Microsoft make an SD reader driver that works, please?
    Hi
    Sorry, but the way the industry works is that Microsoft develops Windows and hardware manufacturers develop drivers for their products. Microsoft does maintain a complete division (MSDN) that is dedicated to assisting hardware and software manufacturers in developing their products for compatibility with Windows.
    All of the drivers that are contained on the Windows installation disk and on Windows Update are placed there by the manufacturers of the devices. This is a service that Microsoft provides to help these manufacturers distribute their drivers.
    What you can do:
    1. Check with the computer manufacturer for updated drivers for that device. This is your best source, since the computer manufacturer builds, tests, and sometimes develops their own custom drivers to work with the hardware on their PCs.
    2. Try to determine the name and manufacturer of the device using Device Manager and MSInfo32. Once this information is found, try to find that manufacturer's website and look for the latest compatible drivers.
    3. Check to see if there are any user forums on the PC manufacturer's or device manufacturer's websites. Ask there about any known issues with this particular hardware device or whether the device is no longer supported.
    4. If the drivers are found but are only available for previous versions of Windows, install the drivers using the Windows Compatibility Mode. HOW TO: Install a Hardware Device Driver using Compatibility Mode
    Right now, we are in a unique situation since we are using an operating system that is still in the pre-release phase. Many hardware/software manufacturers will be officially supporting their products for Windows 7 until after the General Availability date of October 22, 2009.
    Hope this helps.
    Thank You for using Windows 7
    Ronnie Vernon MVP

  • Smart card and Account Lockout Policies Issue

    I have enabled "Interactive logon: Require smart card" and "Account Lockout threshold: 3 invalid logon attempts". The lockout policy works fine with normal passwords. However, when I try to use the smart card and enter a wrong PIN 4 times, the lockout policy does not work.
    Can anyone please help with this issue?

    Hi,
    the validity of the PIN is managed by the smartcard itself, not by Windows. Windows just logs you in if the smartcard gives the right certificates/keys, and the smartcard will only do so when it is provided a valid PIN.
    Also note that an account should not be locked out to avoid brute forcing the PIN; instead, the smartcard should lock.
    http://technet.microsoft.com/en-us/library/cc962052.aspx
    http://technet.microsoft.com/en-us/library/ff404290(v=ws.10).aspx
    MCP/MCSA/MCTS/MCITP

  • Smart Card and S-MIME

    Are there any plans to support S/MIME and smart card functionality? We are particularly interested in encrypting and decrypting messages via Web Mail. We know that some other web clients (like Lotus iNotes) already provide this.
    Kind Regards,
    K. Hairopoulos

    There's no current plan to implement S/MIME and SmartCard support for WAC, although we have the technical expertise in-house to do it, I think. Three years ago we implemented a prototype of S/MIME enabled OCS WebMail capable of reading private keys stored on a SmartCard. That project did not turn into product features.
    The big difficulty with implementing and deploying S/MIME is the availability of an underlying public key infrastructure (for public key lookup, for example). IMHO the fact that we don't have S/MIME in Webmail or WAC reflects that OCS customers either don't have the infrastructure or don't require S/MIME beyond SSO. If that assumption is false, and there is a demand for S/MIME enabled WAC, please communicate the need through the usual product management channels.
    Thanks,
    Thomas
