PKCS#11 Example ???

Similar Messages

• Converting Signature data into PKCS#7 format

  Hi All,
  Is there any java api available to convert signature bytes in to PKCS#7 format.
  Here is the scenario.
  downloaded a trail digital id(abc.pfx) file from verisign site.
  then retrieved the private key, certificate and public key information from the pfx file.
  with the help of private key and pdf data, digital signature created.
  Sample code:
  KeyStore keyStore = KeyStore.getInstance("PKCS12");
  // aa.pfx is the Digital ID got from VeriSign
  keyStore.load(new FileInputStream("aa.pfx"), storepswd);
  for(Enumeration e = keyStore.aliases() ; e.hasMoreElements() ;) {
  alias = e.nextElement().toString();
  PrivateKey privKey = (PrivateKey)keyStore.getKey(alias, storepswd);
  java.security.cert.Certificate cert = keyStore.getCertificate(alias);
  PublicKey pubKey = cert.getPublicKey();
  Signature rsa = Signature.getInstance("MD5withRSA");
  rsa.initSign(privKey);
  /* Update and sign the data */
  FileInputStream fis = new FileInputStream("Testing.pdf");
  BufferedInputStream bufin = new BufferedInputStream(fis);
  byte[] buffer = new byte[1024];
  int len;
  while (bufin.available() != 0) {
  len = bufin.read(buffer);
  rsa.update(buffer, 0, len);
  bufin.close();
  /* Returns the signature of all the data updated*/
  byte[] rsaSign = rsa.sign();
  now i want to convert this signature(rsaSign bytes) in to PKCS#7 format and embed in to pdf file. so acrobat reader can verify the signature in pdf file.
  I've found the PdfSignature class in the iText lib. But it is poor.
  so plz let me know if any body know how to convert signature in to PKCS#7 format. any sample code or any URL.
  Thanks in Advance.
  Subhani.

  Use BouncyCastle provider
  http://www.bouncycastle.org/docs/mdocs1.4/index.html
  The package: org.bouncycastle.cms
  Download the package and get the examples in the package org.bouncycastle.cms.test .
  (CMS stands for Cryptographic Message Syntax and is defined in RFC 3369, and is an evolution of PKCS#7 v. 1.5, that is defined in RFC 2315. )

• Sun's PKCS#11 Bridge to access LunaSA HSM

  Hi,
  I'm working to access keys/certificates on LunaSA HSM through Sun's Java PKCS#11 Bridge. By
  ks = KeyStore.getInstance("pkcs11");
  ks.load(null,pin);
  I can access credentials on the HSM, but only "part" of them -- Only the certificates that have keys also on the HSM can be identified by their aliases.
  For example, if on the HSM are a trusted certificate, whose alias is 'trustedcert', a user certificate and its private key (whose aliases are 'mycert' and 'mykey'), by
  ks.aliases();
  I got 'mykey' and 'mycert' only, but not 'trustedcert'. I got the same problem when I tried with "keytool".
  Is there a solution to this problem, or did I miss something? Thanks for your advice.

  Doesn't even begin to look right. See the [Java PKCS#11 Reference Guide|http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config]:
  - Valid values for operation are generate, import, and *. You have nothing.
  - Valid values for keytype are CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, and CKO_SECRET_KEY. You have CKO_CERTIFICATE.
  - Valid values for keyalgorithm are one of the CKK_xxx constants from the PKCS#11 specification, or * to match keys of any algorithm. You have nothing.

• PKCS#11 authentication fails with sec_error_token_not_logged_in

  I am using a smart card (CAC) to login to a website. Logging out of the website and trying to log back in causes firefox to show the sec_error_token_not_logged_in error instead of asking for my pin.
  Steps to reproduce:
  1. Use smart card to login to a PKCS#11 secured website. e.g. http://www.sldcada.disa.mil/ Firefox will correctly ask for the smart card pin and authenticate.
  2. logout and remove smart card
  3. insert smart card and attempt to login again. Firefox will display the above error.
  Expected Behavior:
  At step 3 firefox will ask for my smart card pin to unlock the token and then authenticate with the website.
  Workaround:
  2.5 Edit > Preferences > Advanced > Encryption > View Certificates. Enter pin when prompted. Close the preferences windows. Step 3 will now work as expected because the smart card has been unlocked.

  Can you determine whether this is site-specific? For example, if at step 3, you were to visit another site that requires the CAC, will Firefox still fail to ask for a PIN?
  Regarding the same site problem, does it make any difference if, at step 3, you:
  (1) reload the page bypassing the cache (Ctrl+Shift+r)?
  (2) remove the site's cookies and then reload the page?
  You can selectively remove a single site's cookies this way: While viewing a page on the site:
  * right-click and choose View Page Info > Security > "View Cookies"
  * Alt+t (open the classic Tools menu) > Page Info > Security > "View Cookies"

• Eracom CSA 8000 and SUN PKCS#11 API

  I'm trying to use Eracom as a cryptographic accelerator for using with JSSE in establishment of SSL connections. I'm using its software version that I haven't installed the hardware but they both have the same functionalities and both uses PKCS11 as their interface to actual operations. The problem is that I have a token contains many entries includes secret keys, Private keys and certificates. But when I construct a keystore in my program in does not contain any entries. I looked at the log created by Eracom and noticed that it does not log in at all. However some of those entries are public and can be seen with Cryptoki Token Browser a GUI for working with tokens.
  I used that graphical interface and logged in as security officer. Then I generated a RSA keypair with subject set to 'CN=myserver'. I used Derive Key on public key to generate a certificate request and in turn prepared a certificate based on that request and imported that certificate using Create Object option. In this case it works it lists it as an entry and uses it in SSL server.

  You need to use the trustanchors nssModule, read the JavaTM PKCS#11 Reference Guide at --
  http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
  For example, you can write your config file like this --
  name=NSS
  nssSecmodDirectory=path_of_your_dbs
  nssLibraryDirectory=path_of_dll_or_so
  nssModule=trustanchors

• Signing web form data with a PKCS#11 Smart Card

  Hi,
  I would like to know what is the best solution to sign a web form using a PKCS#11 Smart card.
  I already read some examples where is used an applet based on the Sun PKCS#11 Provider.
  The problem that i found in this solution is the need of java 5.0 and the need to know the filename that have the implementation of the native library.
  My problem is that the web form is to be available in internet and can be sign with more than one smart card reader, so i didn't like to impose the java 5.0 and i don't have any way of knowing the implementation filename.
  Thanks in advanced,
  Ricardo Constantino
  Accenture

  Can I ask you one question?
  Which driver did you specify? I mean the smarcard reader driver or the smartcard itself driver?
  If the second, does it come along with the card? because as far as I know I just got the smart card but no software at all (apart the smartcard reader driver).
  Can you help me out with this?
  thanks in advance,
  Marco

• Sun PKCS#11 NSS Problem with CA Certificates

  There appears to be a problem with the Sun PKCS#11 provider's NSS specific functionality.
  If Firefox 2.x based KeyStore is loaded which contains CA Certificates which have been imported into the the standard "Software Security Device" (and are therefore not in the root store) they are not visible as Certificate Entries when enumerating the KeyStore aliases.
  If a personal key/cert pair is present then the corresponding CA Certs can be obtained via KeyStore.getCertificateChain(alias) but this doesn't help when I have other CA's present that need to be accessed.
  These additional CA Certificates are visible via the FireFox "Certificate Manager" and via the JSS API's - anyone aware of this problem ?

  You need to use the trustanchors nssModule, read the JavaTM PKCS#11 Reference Guide at --
  http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
  For example, you can write your config file like this --
  name=NSS
  nssSecmodDirectory=path_of_your_dbs
  nssLibraryDirectory=path_of_dll_or_so
  nssModule=trustanchors

• Generating key pair on PKCS#11token and save it there

  Hello,
  again i'm completely lost in this PKCS11 jungle.
  What i want to do:
  Generating key pair on crypto pkcs11 token and store it there.
  In the moment i've tried eg:
  sun.security.pkcs11.SunPKCS11 p = new sun.security.pkcs11.SunPKCS11(configName);
  Security.addProvider(p);
  Builder builder = KeyStore.Builder.newInstance("PKCS11", p, new KeyStore.CallbackHandlerProtection(new UserInputDialog(new JDialog(),"test","test")));
  KeyStore ks = builder.getKeyStore();
  ks.load(null,null);
  KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", p);
  gen.initialize(1024);
  KeyPair kp = gen.generateKeyPair();
             Here access to token works. The callback PIN dialog comes up and i can login.
  But i'm not sure whether the key are generated on this PKCS11. And they are not stored there.
  How i can generate keys are stored there.
  (like with keytool -genkeys ). In keytool case a certificate is stored.
  ... every little hint, also to some documentation i've not seen, is very welcome ...
  Thank You !
  Regards
  Thomas
  .

  First, you need to get a KeyStore representation of the PKCS#11 token with code similar to this, I'm using NSS as the PKCS#11 token in this example:
  Provider nss = new sun.security.pkcs11.SunPKCS11(configFile);
  Security.insertProviderAt(nss, 1);  //you may not want it at highest priority
  KeyStore ks = KeyStore.getInstance("PKCS11", nss);
  ks.load(null, password);From the testing I've done in the past with various tokens, when you generate an asymmetric keypair (e.g. RSA like you are) specifying the PKCS11 provider, it creates it right on the token automatically and code like below is not needed.
  To store the key in the keystore, use code similar to this, I'm using NSS again and storing a symmetric key:
  KeyGenerator kg = KeyGenerator.getInstance("DESede",nss);
  SecretKey tripleDesKey = kg.generateKey();
  KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(tripleDesKey);
  ks.setEntry(randAlias, skEntry, new KeyStore.PasswordProtection(password));

• How to use PKCS related classes?

  Hi,
  I am happening to deal with PKCS7. The client will send me (the server) a PKCS7 envelope and I need to decrypt and/or get data like certificate, etc from the PKCS7 envelope. Are the required/related classes not part of Java API? We use 1.4.2_06. Do I have to use/buy/download any special API to deal with pkcs?
  This link http://java.sun.com/products/jce/jce122_providers.html says one needs to buy one of the listed Cryptographic Service Providers. Did any one deal with PKCS? If so what did you use/buy/download? Is there any information on net on how to use those APIs - examples, samplex, documentation, etc?
  Thanks in advance for help,
  -Pramodh

  You can use the BouncyCastle JCE provider to use PKCS7 objects. It is free. David Hook's book "Cryptography in Java" provides numerous examples of how to use the BC libraries with PKCS objects.

• Some clarification needed on PKCS #5 PBE

  Hi all,
  This is my first time posting on SUN Forums. Hope to be able to get your assistance in the programming field.
  I have questions about PKCS #5, as I couldn't understand how it can help improve security when using salt and iteration count.
  PKCS #5 states that salt and iteration count does not need to be kept secret as it is normally appended with the encrypted data.
  To my understanding,
  On encryption side, user will input a password and salt will be appended to the password, followed by a hashing algorithm.
  key[1] = SHA-1(password+salt)
  Iteration count addeds to key strengthening by:
  Key [1] = SHA-1(password+salt)
  key[2] = SHA-1(Key[1])
  Key[i] = SHA-1 (Key[i-1]
  Encrypted Data will then be obtained by:
  Ciphertext = AES(Key[i] and Plaintext)
  Hence the data payload will be as follows:
  || Encrypted Data+Salt+Iteration Count ||.
  When the receiver receives the message, the decryption is similar.
  key[1]= (password+obtained salt) from Payload
  Key[i] will then be obtained depends on the Iteration Count,
  and encrypted Data will be decrypted with Key.
  My lack of understanding here is how does using salt increases security when the salt is public?
  If a 56bit salt is used and only available to the receiver, any attacker who wants to decrypt the message might need to try 2^56 possible keys using a SINGLE password.
  But if the salt is public, the only difference from adding salt and not adding salt is the key strengthening process.
  How is password based encryption safer when comparing to AES-128 when the password the user input maybe commonly 48 bits?
  Thank you all in advance! Hope to receive replies!
  Regards,
  Brandon

  barnnod wrote:
  Hi Sabre150,
  Thank you for your suggestion. My application is enterprise based hence I think it is okay that the password is made known to employees only. (E.g one password per day, different department deploys different password each day). So each day each department has to distribute it's daily password to each department it needs to communicate with. So not just once every now and then do you have a key distribution problem you have one every day.
  >
  My actual scenario given by the school is:
  "An organisation's daily operations involve frequent data messaging among mobile devices. The data transmitted are confidential and recently it has been observed that there is an increased number of incidents involving unauthorised tapping of data signals from unknown sources. Due to the sensitivity of data, the senior management has commissioned its IT security team to propose a prototype for a secured messaging application to enhance data transmittion security. The solution must also fufil operational needs such as response time and peak traffic tranmission."
  I am very glad that you are helping me in this. What kind of encryption scheme do you think I can adopt? As I said. I would use Public Key cryptography probably using RSA.
  What I have thought about is:
  1) PBE I view PBE as suitable for personal use only. For example - if I want to encrypt data just for myself then using a password based approach makes sense since I don't have to distribute the key. I just keep it in my head.
  2) PKCSYou would need to elaborate on this since PKCS is a broad brush.
  3) Create a messaging server who can help distribute public keys. (But I left with 3 weeks upon completion and im not very confident of this because i dont know how to :( )Public Key distribution is fairly easy since you want everybody to have access to your public key. The public key could be broadcast as an SMS message or posted on a web server for people to download. I publish my public key on my web server.
  So as what I derived from your post, the key distribution problem can be solved using asymmetric key algorithm. Pretty much so but not completely. One needs to be able to verify that a particular public key belongs to who you think it does. This process is normally done by distributing a certificate that contains the Public Key. The certificate is signed by a Certification Authority who does checks to make sure the purported owner is actually the owner. Since this is for internal use, rather than paying a fortune to a third party CA, one can use one of the free ones. You might want to take a look at [http://www.devx.com/Java/Article/10185|http://www.devx.com/Java/Article/10185] but there are others out there.
  >
  Meaning the Sender A uses Receiver A's public key and using RSA(randomly generated symmetric key), and send the ciphertext over to Receiver A. Receiver A uses it's own private key to decrypt the ciphertext, and obtain the private symmetric key between Sender A and Receiver A. Sender A and Receiver A .That is the way I would do it
  then can securely do messaging from then on. The session keys would not be used more than once. Each message would use a different random session key.
  But I do not know how can I derive the Receiver A's public key. I guess the use of a messaging server can solve this.Yes. Or a simple Web server. An admin person just publishes the public keys for each user and each user just sends his public key to the admin person just once.
  >
  Please advice!
  Thank you :)You background makes doing the whole thing in 3 weeks a bit tight so you should leverage any third party software you can.
  Since this is a school/university project you might just want to use PBE for the moment and then in your report explain the key distribution problem and explain how to a more comprehensive and secure system could be achieved. That way you get to do the work and to show your examiners that you have thought about the problems associated with your naive PBE based solution and can propose a better solution. In your position I would ask my Tutor for advice on this - it could save you a load of effort.
  I don't work with Mobile devices so I don't know what libraries are available. I suspect you may need design your solution around what tools you have available.
  Edited by: sabre150 on Sep 27, 2009 12:45 PM

• Pkcs#11: store data in usb token

  Hi,
  can the pkcs#11 be used to store data on a usb token? For example storing an id?
  Thanks

  Hi,
  can the pkcs#11 be used to store data on a usb token? For example storing an id?
  Thanks

• Pkcs#11:store data in usb token (marked as q)

  Hi,
  can the pkcs#11 be used to store data on a usb token? For example storing an id?
  Thanks
  PS: What is this "mark as question" thing?
  Edited by: uig on Oct 26, 2007 1:51 AM

  Thanks.
  for the sake of the record I fixed this by specifying a METHOD_DATA and DIRECTORY in sqlnet.ora like in
  ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=HSM)(METHOD_DATA=
  (DIRECTORY=/app/oracle/admin/SID1/wallet)))
  where the directory exists, as opposed to just
  ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
  as it says in the doco...
  I have a new issue, which I'll start a new thread for.

• Java Card and PKCS#11 or MS CSP

  Does anybody have any idea how Java Card could be integrated in an standard e-mail signing application, i.e. with Outlook, S/Mime, MS CSP and PC/SC or Netscape with PKCS#11 and PC/SC?
  My understanding is that with standard ISO Cards the connection e-mail client and smart card looks like this:
  | e-mail client | <-> | PKCS#11/MS CSP | <-> | ICC Service Providers | <-> | ICC Resource Manager | <-> | Interface Device Handler | <-> | Interface Device (SC reader) | <-> | Smart Card |
  How does this scenario look like with java cards?

  Hello,
  Thank you for the replay. I'm sorry for the delay, but I wasn't in my office a long time.
  Do you have any further informations about that scenario? It would help me a lot.
  I wand to know for example, how exactly the interface between MS CPS and the JAVA card app (the javacardx.crypto(Enc) packages) is implemented. Thank's in advance
  kay.

• Kssl configuration with Sun Software PKCS#11 softtoken

  I need to understand what changed in Solaris 10 10/08 s10s_u6wos_07b SPARC with regard to the crypto framework.
  I want to configure kernel SSL proxy (kssl) to use the certificate stored in the PKCS#11 keystore. First, I generated a certificate labelled "mycert" with the pktool command. Next I ran the ksslcfg command as follows:
  ksslcfg create -f pkcs11 -C "mycert" -T "Sun Software PKCS#11 softtoken" -x 51000 -p /tmp/pwd 443
  The service log indicated :
  "no matching PKCS#11 token found"
  I had to dig through the kssladm source code in OpenSolaris to find this piece:
  http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c?&r=898.
  The code iterates through the list of tokens, then compares labels with the one provided by the user. Since I specified what the Sun documentation says "Sun Software PKCS#11 softtoken" I would expect it to find it, but it does not. Pktool indicates that the label is present:
  % pktool tokens
  Token Label Manuf ID Serial No PIN State
  Sun Software PKCS#11 softtoken Sun Microsystem user set
  I then ran the kssladm manually and specified the -v (verbose) option, so it would print the labels it actually found. It turned out that the only token it finds has a label "Sun Metaslot ".
  My question is: is this now the recommended label to be used instead of the "Sun Software PKCS#11 softtoken"? If it is then why does pktool still shows it? Is this a bug in this particular Solaris release? Would appreciate any insight.
  Thanks
  Leonti

  You need to use the trustanchors nssModule, read the JavaTM PKCS#11 Reference Guide at --
  http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config
  For example, you can write your config file like this --
  name=NSS
  nssSecmodDirectory=path_of_your_dbs
  nssLibraryDirectory=path_of_dll_or_so
  nssModule=trustanchors

• Pin for Sun Software PKCS#11 softtoken

  Hello, I am studying the Solaris Security Essential SUN's book for university examination and I have a problem with pktool command in chapter 8. For example when I try to run the follows command:
  $pktool list keystore=pkcs11 objtype=both
  the command line asks me:
  Enter pin for Sun Software PKCS#11 softtoken
  end for all chapter exercise is required this pin.
  but where i can find this pin?
  thanks

  Thanks - the only difference is this cert is a self signed one but its nothing fancy just used standard openssl commands to create it, it imports into ikeyman just fine and makes use of 3des which is supported by pktool.
  Julian.