PKCS #11 v2.11

Hi,
I would like to know what PKCS #11 v2.11 is. I am currently looking through the RSA website for documents, but I still don't quite understand them. Hope someone will guide me.
Thanks

I was able to narrow down, with great difficulty, that the problem here with the GemSafe card is that the Sun PKCS11 implementation tries to walk the signature chain on the certificate, and queries the GemSafe card for the issuer. Instead of giving the right answer, the GemSafe card instead returns the first (?) key in the store.
This leads to the Sun PKCS11 code simply looping forever trying to walk the cert chain until it finds a self-signed certificate that will never come.
Probably Sun should do their own lookups, and probably GemSafe needs to fix their broken PKCS11 implementation.
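An application-side chain walk that cannot loop when a token answers issuer queries with the wrong certificate, added here as an example (it is not Sun's or GemSafe's code). It assumes the certificates are reachable through a java.security.KeyStore, rejects a name-matching candidate whose key does not actually verify the child's signature, and bounds the walk both by depth and by a set of already-seen certificates.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPathBuilderException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class BoundedChainWalk {

    /** Walk from leaf towards a self-signed root; never revisits a certificate and never exceeds maxDepth. */
    public static List<X509Certificate> walk(X509Certificate leaf, KeyStore store, int maxDepth) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        Set<String> seen = new HashSet<>();
        X509Certificate current = leaf;
        while (current != null) {
            if (chain.size() >= maxDepth) {
                throw new CertPathBuilderException("chain longer than " + maxDepth + ", giving up");
            }
            // Identify certificates by SHA-256 of the DER encoding, not by subject name,
            // so a token that hands back the same object under another name is still caught.
            String fp = Base64.getEncoder().encodeToString(
                    MessageDigest.getInstance("SHA-256").digest(current.getEncoded()));
            if (!seen.add(fp)) {
                throw new CertPathBuilderException("issuer lookup returned an already-seen certificate: "
                        + current.getSubjectX500Principal());
            }
            chain.add(current);
            if (current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                return chain; // reached a self-signed certificate: done
            }
            current = findIssuer(current, store); // null = issuer not in the store, chain stays incomplete
        }
        return chain;
    }

    /** Return the store entry that both names the child's issuer and verifies the child's signature. */
    static X509Certificate findIssuer(X509Certificate child, KeyStore store) throws Exception {
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            Certificate candidate = store.getCertificate(aliases.nextElement());
            if (!(candidate instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) candidate;
            if (!x.getSubjectX500Principal().equals(child.getIssuerX500Principal())) {
                continue;
            }
            try {
                child.verify(x.getPublicKey()); // a wrong key from the token fails here instead of being trusted
                return x;
            } catch (Exception signatureDoesNotMatch) {
                // name matched but key did not: keep looking
            }
        }
        return null;
    }
}
```

Because the walk returns an incomplete chain rather than an exception when no issuer verifies, callers still need to check that the last element is self-signed (or anchored in their trust store) before accepting it.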

Similar Messages

  • Configure .p7b(PKCS #7 Certificates) in SOA Suite 11g - Enterprise Manager

    Hi,
    I currently have a .jks file configured in EM (WebLogic Domain - Security - Security Provider Configuration), which is used by the OWSM policy to validate my incoming signed SOAP message.
    (The incoming message is signed with the same JKS file), so it is working fine.
    Now I got a .p7b (PKCS #7 Certificates) file from the customer, so I need to replace my existing .jks file with it. How can I do this?
    Appreciate your quick inputs.
    Thanks

    The customer site is invoking my SOA Suite application. The public portion of the certificate which I got from them I configured at my end (.p7b converted into JKS). With the private key (which I do not have) the customer site is signing the SOAP request and hitting my SOA Suite.
    I am getting the following error on my SOA Suite side (soa_server1-diagnosis):
    X509 Certificate will not be advertised due to underlying exception "oracle.wsm.security.SecurityException: WSM-00057 : The certificate, abc.org, is not retrieved. The following aliases are found in the keystore:- [defnet.org, klmca.org, abc.org, ]".
    While converting into JKS I gave an alias; I do not know what value I should give. I found
    subject: CN=abc.org... in the .p7b file and used the same name as the alias.
    I converted the .p7b file into .cer as suggested by anuj. The .p7b file contains 3 certificates, so I imported 3 times into the same keystore file like this:
    keytool -import -alias abc.org -file xyz.public.cer -keystore xyz-keystore.jks
    keytool -import -alias klmca.org -file klmca.public.cer -keystore xyz-keystore.jks
    keytool -import -alias defnet.org -file defnet.public.cer -keystore xyz-keystore.jks
    Where am I going wrong here?
    Can I configure the .p7b (PKCS #7 Certificates) file directly in Enterprise Manager (SOA Suite 11g PS3)? I converted it into a JKS file and configured that, but it is not working.
    Please suggest. This is urgent. Appreciate your quick help.
    Edited by: 798585 on May 20, 2011 12:00 AM

  • Signing a Document using Custom PKCS#11 and Hardware Token

    I am using a custom PKCS#11 dynamic library and a hardware token to sign a document in Adobe Acrobat 10. I encountered this error when I used the Standard Text as the Appearance of the Signature.
    Creation of this signature could not be completed. Unknown error Support Information: CDSHandler-657
    If I use a custom appearance, the signing is successful.
    Do I need to set anything else before signing the document? Everything works fine on Adobe Acrobat 11. I am using a Mac OS X 10.9 machine. The same error is encountered in Windows 7.
    Is this a known issue in Adobe Acrobat 10?

    My bad, actually I was not using Adobe SDK. I just loaded my custom PKCS module and tried to sign the document. Have you encountered this error?

  • Question about the personalization of BueZ PKCS#15

    Hi, I use the IBM JCOP31 card with Eclipse. On the card there is an app named BlueZ PKCS#15. I have transitioned its life cycle state to selectable, and next I want to make it transition to personalized, but when I send the command the response is 6A 85 (security conditions of use not satisfied!). What is wrong?
    any help would be appreciated!
    thanks!!!

    I also downloaded a tool, OpenSC, which can be used for PKCS#15 personalization, but when I run the command pkcs15-init -E, the response is 'the card can't be erased', and for the command 'pkcs15-init -C so-pin 123456 so-puk 123456' the response is 'the condition of use not satisfied'. What am I doing wrong? If I want to do that, does the card need to be erasable?
    Any help would be appreciated! Thanks!!!!!

  • Problem with Sun PKCS#11 Provider and Ativcard smart card.

    Hi,
    I'm trying to make a signature with a smartcard.
    I have no problem signing with my card in applications such as Microsoft Office, Outlook (they probably use CAPICOM or MS CryptoAPI).
    There is only one certificate on my card with non extractable pair of keys.
    When I'm using a Java-based application I have the following problem:
    I have Java 1.5.0 installed, and according to the reference guide on:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
    I configured "Sun PKCS#11 Provider".
    In file:
    %JAVA_HOME%/lib/security/java.security I inserted the following lines:
    # Configuration for security providers 1..6 omitted
    security.provider.7=sun.security.pkcs11.SunPKCS11 C:/pkcs11.cfg
    In my case (I`m using ActivCard) The file "C:/pkcs11.cfg" contains:
    name = ActivCard
    library = c:\windows\system32\acpkcs211.dll
    After that I try to use the configured provider with keytool.exe from the JDK.
    In cmdline:
    c:\Program Files\Java\jdk1.5.0_06\bin>keytool.exe -keystore NONE -storetype PKCS11 -list
    Enter keystore password:  1111
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-ActivCard
    Your keystore contains 1 entry
    Cinek's dp ID, keyEntry,
    Certificate fingerprint (MD5): 36:19:DD:01:2E:A2:C5:F6:51:44:03:74:14:D5:62:C0
    So till now everything looks ok. Certificate is accessible.
    But when I try to use jarsigner.exe to sign something:
    c:\Program Files\Java\jdk1.5.0_06\bin>jarsigner.exe -keystore NONE -storetype PKCS11 D:\Applet.jar "Cinek's dp ID"
    Enter Passphrase for keystore: 1111
    jarsigner error: java.lang.NullPointerException
    I've got the java.lang.NullPointerException!
    To find the reason for the exception I've written a simple application which signs a byte array:
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Signature;
    import java.util.Enumeration;

    public class Main {
         public static void main(String[] args) throws Exception {
              PrivateKey privkey = null;
              char[] pin = { '1', '1', '1', '1' };
              // PKCS11 keystore backed by the SunPKCS11-ActivCard provider registered in java.security
              KeyStore smartCardKeyStore = KeyStore.getInstance("PKCS11");
              smartCardKeyStore.load(null, pin);
              Enumeration<String> aliasesEnum = smartCardKeyStore.aliases();
              if (aliasesEnum.hasMoreElements()) {
                   String alias = aliasesEnum.nextElement();
                   privkey = (PrivateKey) smartCardKeyStore.getKey(alias, null);
                   byte[] aDocument = new byte[100];
                   Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
                   signatureAlgorithm.initSign(privkey);
                   signatureAlgorithm.update(aDocument);
                   byte[] digitalSignature = signatureAlgorithm.sign(); // the NullPointerException is thrown here
              }
         }
    }
    When I ran this application, in the last line, in the method signatureAlgorithm.sign(), I got:
    Exception in thread "main" java.lang.NullPointerException
         at java.math.BigInteger.modPow(Unknown Source)
         at sun.security.rsa.RSACore.crtCrypt(Unknown Source)
         at sun.security.rsa.RSACore.rsa(Unknown Source)
         at sun.security.rsa.RSASignature.engineSign(Unknown Source)
         at java.security.Signature$Delegate.engineSign(Unknown Source)
         at java.security.Signature.sign(Unknown Source)
         at Main.main(Main.java:31)
    In the debugger, before this exception, the variables are:
    alias= "Cinek's dp ID"
    privkey =
    SunPKCS11-ActivCard RSA private key, 1024 bits (id 192168768, token object, not sensitive, extractable)
      modulus:          112271510887039102410124262012976131016781096451891854145879061791454872222254764386718257162446565027910080375427552248069203548913907633164297672417327888344423061606707834842776634133861005271620794248782338105033496749719965719732501903618453514554701005390412127008091861831421936757053019877456102263703
      public exponent:  65537
      private exponent: null
      prime p:          null
      prime q:          null
      prime exponent p: null
      prime exponent q: null
      crt coefficient:  null
    As you can see, the private key has the extractable attribute set, which is wrong. The attribute is set and the key has no values.
    I think that can be the reason for the NullPointerException. (Maybe when extractable = true, the sign() method expects the key values to be filled.)
    So I cannot sign anything.
    I tried to add some additional attributes to the file "C:/pkcs11.cfg":
    attributes(*,CKO_PRIVATE_KEY,*) = {
      CKA_EXTRACTABLE = false
    }
    but with no effect. The key was still extractable.
    Can you help me to solve this problem?
    PS. I'm using acpkcs211.dll (v3.2.102.0) as an implementation of PKCS#11. (ActivCard says that it is a PKCS#11 v2.11 implementation.)
    PS2. Sorry for my English
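    The stack trace above ends in sun.security.rsa.RSACore, i.e. the software RSA implementation is trying to use a token key whose CRT components are null. The following added example (not the poster's code, not ActivCard's) shows how to find out which provider actually performs the signature after delayed provider selection, and how to ask the PKCS#11 provider for the Signature explicitly so the operation stays on the token. It assumes the provider name SunPKCS11-ActivCard from the keytool output above and takes the PIN from the command line.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Enumeration;

public class TokenSignCheck {
    // Name printed by "keytool -list" above; assumes the java.security entry from the post is in place
    static final String PKCS11_PROVIDER = "SunPKCS11-ActivCard";

    /** Report which provider a default-resolved Signature ends up using for this key. */
    public static String resolvedProvider(PrivateKey key) throws Exception {
        Signature sig = Signature.getInstance("SHA1withRSA"); // no provider given, as in the post
        sig.initSign(key); // delayed provider selection happens here, based on the key type
        return sig.getProvider().getName();
    }

    /** Sign with the PKCS#11 provider requested explicitly, so the token does the RSA operation. */
    public static byte[] signOnToken(Provider p11, PrivateKey key, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA1withRSA", p11);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            throw new IllegalArgumentException("usage: TokenSignCheck <PIN>");
        }
        Provider p11 = Security.getProvider(PKCS11_PROVIDER);
        if (p11 == null) {
            throw new IllegalStateException("provider " + PKCS11_PROVIDER + " is not registered");
        }
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, args[0].toCharArray());
        Enumeration<String> aliases = ks.aliases();
        if (!aliases.hasMoreElements()) {
            throw new IllegalStateException("token holds no entries");
        }
        String alias = aliases.nextElement();
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);

        // A token key should remain a handle; the class name tells you which provider created it
        System.out.println("alias: " + alias + ", key class: " + key.getClass().getName());
        System.out.println("provider chosen by default selection: " + resolvedProvider(key));

        byte[] signature = signOnToken(p11, key, new byte[100]);
        System.out.println("signed on " + PKCS11_PROVIDER + ", signature length " + signature.length + " bytes");
    }
}
```

    If resolvedProvider() reports SunRsaSign while the key class comes from sun.security.pkcs11, the software path from the stack trace is being chosen for a key it cannot use, which is the condition to fix or work around.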

    Can I ask you one question?
    Which driver did you specify? I mean the smartcard reader driver or the driver of the smartcard itself?
    If the second, does it come along with the card? Because as far as I know I just got the smart card but no software at all (apart from the smartcard reader driver).
    Can you help me out with this?
    thanks in advance,
    Marco

  • What is the difference between a pki digital certificate received in pkcs7 format and what iplanet refers to as a pkcs#11 module?


    A lot of NSS-related jargon is defined on mozilla.org, including the different PKCS standards:
    http://mozilla.org/docs/jargon.html#PKCS5
    To summarize (and simplify), PKCS #7 is a standard for digital certificates while PKCS #11 is a standard for communicating with cryptographic devices (e.g. SSL hardware accelerators).

  • Converting Signature data into PKCS#7 format

    Hi All,
    Is there any Java API available to convert signature bytes into PKCS#7 format?
    Here is the scenario.
    Downloaded a trial digital ID (abc.pfx) file from the VeriSign site.
    Then retrieved the private key, certificate and public key information from the pfx file.
    With the help of the private key and the PDF data, a digital signature was created.
    Sample code:
    import java.io.BufferedInputStream;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.util.Enumeration;

    char[] storepswd = "PLACEHOLDER_PFX_PASSWORD".toCharArray(); // password of the downloaded .pfx
    String alias;
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    // aa.pfx is the Digital ID got from VeriSign
    keyStore.load(new FileInputStream("aa.pfx"), storepswd);
    for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
        alias = e.nextElement();
        PrivateKey privKey = (PrivateKey) keyStore.getKey(alias, storepswd);
        java.security.cert.Certificate cert = keyStore.getCertificate(alias);
        PublicKey pubKey = cert.getPublicKey();
        Signature rsa = Signature.getInstance("MD5withRSA");
        rsa.initSign(privKey);
        /* Update and sign the data */
        FileInputStream fis = new FileInputStream("Testing.pdf");
        BufferedInputStream bufin = new BufferedInputStream(fis);
        byte[] buffer = new byte[1024];
        int len;
        // read until end of stream; available() is not a reliable end-of-file test
        while ((len = bufin.read(buffer)) != -1) {
            rsa.update(buffer, 0, len);
        }
        bufin.close();
        /* Returns the signature of all the data updated */
        byte[] rsaSign = rsa.sign();
    }
    Now I want to convert this signature (the rsaSign bytes) into PKCS#7 format and embed it into the PDF file, so Acrobat Reader can verify the signature in the PDF file.
    I've found the PdfSignature class in the iText lib, but it is poor.
    So please let me know if anybody knows how to convert the signature into PKCS#7 format, any sample code or any URL.
    Thanks in Advance.
    Subhani.

    Use BouncyCastle provider
    http://www.bouncycastle.org/docs/mdocs1.4/index.html
    The package: org.bouncycastle.cms
    Download the package and get the examples in the package org.bouncycastle.cms.test .
    (CMS stands for Cryptographic Message Syntax and is defined in RFC 3369, and is an evolution of PKCS#7 v. 1.5, that is defined in RFC 2315. )
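    An added example (not the answerer's code, and using the current org.bouncycastle.cms API from bcpkix rather than the 1.4 docs linked above) that produces a detached PKCS#7/CMS SignedData over the PDF bytes and verifies it again. The raw output of rsa.sign() from the question cannot simply be dropped into a SignerInfo: the generator includes signed attributes by default, so the signature covers that attribute set rather than the PDF bytes directly, and it is therefore recomputed inside the generator. SHA256withRSA is chosen here instead of the question's MD5withRSA; the PKCS#12 path, password and PDF path come from the command line.

```java
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public class Pkcs7Detached {

    /** Build a detached SignedData (content not embedded) carrying the signer certificate. */
    public static byte[] sign(byte[] content, PrivateKey key, X509Certificate cert) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(key);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(signer, cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
        // false = detached: only the SignedData structure is returned, the PDF stays outside it
        return gen.generate(new CMSProcessableByteArray(content), false).getEncoded();
    }

    /** Verify every SignerInfo against a certificate we already trust, not one pulled from the blob. */
    public static boolean verify(byte[] content, byte[] pkcs7, X509Certificate cert) throws Exception {
        CMSSignedData sd = new CMSSignedData(new CMSProcessableByteArray(content), pkcs7);
        for (SignerInformation si : sd.getSignerInfos().getSigners()) {
            if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
                return false;
            }
        }
        return !sd.getSignerInfos().getSigners().isEmpty();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream(args[0]), pw);
        String alias = ks.aliases().nextElement();
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        byte[] pdf = Files.readAllBytes(Paths.get(args[2]));
        byte[] p7 = sign(pdf, key, cert);
        System.out.println("SignedData " + p7.length + " bytes, verifies: " + verify(pdf, p7, cert));
    }
}
```

    Placing the resulting bytes into the PDF's signature dictionary (the /Contents entry) is a separate step done by the PDF library, and a PDF signature covers the byte ranges around that entry rather than the whole file, so the content passed to sign() must be exactly what the PDF library reports as the signed range.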

  • Problem creating PKCS# 12 Digital Signature in Adobe Reader X - where do I confirm the Password?

    I cannot create a PKCS# 12 Digital Signature in Adobe Reader X. It says the passwords don't match when I create it. The problem is, I never was asked to confirm the P/W when I created it. It asked once for the P/W and then the only thing I can do is click "Finish" and then it says my P/W don't match. I am able to create a DS on my other computer using Reader 9 (and it did ask me to confirm the P/W when creating). I have re-booted my computer and still it will not work.

    You'll need to ask in the Acrobat Pro forum. There are people there with expertise who can answer this. I use Acrobat myself, but I'm a novice when it comes to signature settings.

  • Is PKCS#7 format supported by Mac OS X 10.6 to 10.7?

    Hi,
    Couple of questions on Mac OS X 10.6 to 10.7.
    1) Can a Mac OS X 10.6 to 10.7 version support PKCS#7 format for SSL certificate installation?
    2) If PKCS#7 format is supported, is the file extension .p7b file?
    Thanks!
    J

    SSL certificates are a function of the browser and its support. Are you trying to add one to Safari, or a different browser?

  • Is PKCS#7 format supported by Mac OS X 10.6 server or above?

    Couple of questions on Mac OS X 10.6 server or above.
    1) Can a Mac OS X 10.6 server or above version support PKCS#7 format for SSL certificate installation?
    2) If PKCS#7 format is supported, is the file extension .p7b file?
    Thank you!
    J

    Try it. Unfortunately, sometimes certificates can be mis-generated or can become corrupted.
    X.509 is the overarching standard, and comprises various formats including PKCS7. I'd usually want a PEM format certificate file, though OS X 10.6 does support various formats, including PKCS7.
    Depending on exactly what you're up to here with OS X and OS X Server and these certificates, there might be Server Admin.app or Server.app service-specific steps required; additional general info here, here or here.
    If these are your own servers, clients and your own family and friends accessing these systems, then there's no need for a purchased certificate.  Self-generated certificates work just as well and are just as secure as purchased certificates (if you have a trusted and secure way to perform the initial load), and — if you're inclined, and want to learn a little about OS X and certificates — you can set up your own certificate authority and load your own root certificate, and then your own client certificates are automatically honored.

  • Copying the PKCS#11 wrapper dll to the client machine in a signed applet

    Hello,
    I'm implementing a signed Java Applet using the IAIK PKCS#11 Wrapper and the PKCS#11 module of my hardware token to communicate with it.
    I have to copy the pkcs11wrapper.dll to the client machine. Everything works perfectly under Windows XP, but when the client has Windows Vista as OS, it's not possible to copy the needed dll.
    Thank You for any help
    Nizar

    Use JNLP for this.

  • PKCS support in Java, especially PKCS#7 encoding and decoding

    Hi,
    Is there anybody who knows about PKCS support in JDK2?
    I'd like to store a signature encoded in PKCS#7 format, then read it back and decrypt it.
    As far as I understand, there is no such API I can use.
    Thanx in advance
    andras

    Hi,
    my problem is that I have signed my file using the MD5withRSA algorithm.
    I have stored the signature in another file (the signed file) and the public key in another file too.
    So I have 3 files: the source file which was signed, the signature file and the public key file.
    I want to store all this structure in (only) one file in PKCS#7 format.
    Later I will verify the signature another time.
    Please, if you can, help me with the storage of the signed file in PKCS#7 format (the Java code for the storage, if possible).
    thanks

  • PKCS#11 support in J2SE 1.4

    Hello All,
    First of all I am quite new to Java PKCS#11 support (only a couple of hours into it :) ). I found out that J2SE 1.5 has the Sun PKCS#11 provider pre-configured. However, I want to use the PKCS#11 provider with J2SE 1.4 as well, but I am unable to get hold of the Sun implementation for it, or of the driver DLL.
    So my question is this:
    Is a PKCS#11 provider even available for J2SE 1.4? And if yes, where can I download it?
    Thanks a TON in advance :)

    Forgive me, this is bound to have a simple answer, but I took all Saturday to do this and I'm no further forward.
    OK, I got a servlet.jar from another installation and copied that into my j2se lib and bin directories (I didn't know which one). That didn't work.
    So I thought maybe the file I used was somehow tied to the OS that machine was using rather than mine, so I downloaded Tomcat and used that servlet.jar in the same way. No joy. So I set the classpath to the Tomcat directory. No joy there either.
    So then I downloaded j2ee, but that looks like an awfully complex sledgehammer to crack this particular nut.
    WTF is going wrong?
    Here's the gubbins:
    This is in my autoexec.bat (W95)
    SET Java=d:\progra~1\jdk14~1.1\bin
    SET tomcat=d:\progra~1\apache~1\tomcat~1.1\common\lib
    SET tomcatB=d:\programfiles\Apache Group\Tomcat 4.1\common\lib
    SET j2ee=s:\progra~1\j2sdke~1.4\
    SET CLASSPATH=%Java%;%tomcat%;%tomcatB%;.;
    Here's my code:
    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class ServletTester extends HttpServlet {
         protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
              res.setContentType("text/html");
              PrintWriter out = res.getWriter();
              out.println("<html><head><title>Hello world</title></head><body><p>Hello world</p></body></html>");
              out.close();
         } // end of doGet
    } // end of ServletTester
    Here are the first errors (out of nine):
    D:\temp\ServletTester.java:6: package javax.servlet does not exist
    import javax.servlet.*;
    ^
    D:\temp\ServletTester.java:7: package javax.servlet.http does not exist
    import javax.servlet.http.*;
    Any clues would be gratefully received. How can I check my classpath command is working for a start?
    Cheers
    J

  • Pkcs#11 certificate does not appear with Tomcat / IIS ok

    Hi all,
    I am trying to use SmartCard client authentication (pkcs#11, JDK 1.5.0_3, SafeSign for Starcos 1.0.9, SCR531 card controller, Tomcat 5.5.12 with clientAuth=true).
    When I access the protected site, the browser plugin (which is installed by SafeSign) shows a window that allows to choose one of the certificates that are installed.
    The problem is that the SmartCard (correctly inserted in the reader) certificate is not shown in this window.
    All JSSE (java.security file entries and so on) and JVM configurations (-Dsecurity.manager, -Djavax.net.ssl.keyStore=NONE, -Djavax.net.ssl.keyStoreType=pkcs11, -Djavax.net.ssl.keyStoreProvider=SunPKCS11-StarCOS) are in place (in fact, the command "keytool ... -list" works just fine).
    P.S.: the certificate shows ok on IIS 5.1/6.0 configured to ask for client authentication.
    Has someone got the same problem?
    Thanks for your attention.

    If you are sure it is not a client side problem, as your statement about deployment on IIS suggests, do some debugging on the client side and compare the trust store and supported Ciphersuites from successful and failed deployments.
    Maybe your configuration on the servers (or the default configuration of the servers) differs in such a way that the key on the card does not meet the requirements proposed by the server (e.g. the trusted set).

  • Sun's PKCS#11 Bridge to access LunaSA HSM

    Hi,
    I'm working to access keys/certificates on LunaSA HSM through Sun's Java PKCS#11 Bridge. By
    ks = KeyStore.getInstance("pkcs11");
    ks.load(null,pin);
    I can access credentials on the HSM, but only "part" of them: only the certificates that also have keys on the HSM can be identified by their aliases.
    For example, if on the HSM are a trusted certificate, whose alias is 'trustedcert', a user certificate and its private key (whose aliases are 'mycert' and 'mykey'), by
    ks.aliases();
    I got 'mykey' and 'mycert' only, but not 'trustedcert'. I got the same problem when I tried with "keytool".
    Is there a solution to this problem, or did I miss something? Thanks for your advice.

    Doesn't even begin to look right. See the [Java PKCS#11 Reference Guide|http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#Config]:
    - Valid values for operation are generate, import, and *. You have nothing.
    - Valid values for keytype are CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, and CKO_SECRET_KEY. You have CKO_CERTIFICATE.
    - Valid values for keyalgorithm are one of the CKK_xxx constants from the PKCS#11 specification, or * to match keys of any algorithm. You have nothing.

  • PKCS#11 - JAVA - Hardware crypto with custom algorithm!??

    Hello!
    I'm wondering if it is possible to use the SUN provider in JDK1.5.0 for PKCS#11 with a hardware based crypto card which does not use any of the algorithms specified in the field guide of PKCS#11 for jdk1.5.0. Instead a custom algorithm that is implemented on this card will be used for encryption/decryption.
    It should be transparent for the application what kind of algorithm that is used to encrypt/decrypt since I will send the data that will be encrypted/decrypted to this hardware card.
    If it is not supported by the sun provider. What would be necessary to do to get this to work?
    The card I'm about to use has a PKCS#11 API.

    At this moment I don't really know the specifics of these hardware accelerators, hence my question. If it is not an algorithm that is in the reference guide for PKCS#11, then I would like to know if there's any way to use the algorithm anyway using the PKCS#11 "wrapper" in jdk1.5.0.
    And a follow-up question: if it is not supported, what would be the easiest way to use the PKCS#11 API of the hardware card? I suppose to write some JNI code to send in the data to be encrypted and get the encrypted answer back?
    /Henrik
