PKCS11-keystore

Hello All;
This is a very urgent issue!
I have a problem with this part of the code, which uses an HSM to encrypt some data:
char pin[] = "PASSWORD".toCharArray();
     KeyStore ks = KeyStore.getInstance("pkcs11"); // throws "pkcs11 not found" when no registered provider supplies a PKCS11 KeyStore
     ks.load(null,pin);
The error generated is:
error 1 java.security.KeyStoreException: pkcs11 not found
Can you help me to debug this problem?

Cross posted all over
http://www.java-forums.org/advanced-java/46390-change-sun-pkcs11-keystore-pin.html
http://www.java.net/forum/topic/jdk/java-se/change-sun-pkcs11-keystore-pin-0
http://www.coderanch.com/t/545173/Security/Change-Sun-Pkcs-PIN
db

Similar Messages

  • Unable to get jarsigner to sign jar file using pkcs11 smartcard

    I'm using JDK jdk1.6.0_14 with a Datakey smartcard, with the below info in the pkcs11.cfg file:
    name = DK330
    library = c:\windows\system32\dkck232.dll
    I have also configured the java.security file to include the security.provider.10=sun.security.pkcs11.SunPKCS11 c:/pkcs11.cfg
    I have my environment set for the below to keep it simple as possible:
    JAVA_HOME=C:\Program Files\Java\jdk1.6.0_14
    CLASSPATH=C:\Program Files\Java\jdk1.6.0_14\lib
    PATH=C:\Program Files\Java\jdk1.6.0_14\bin;c:\windows;c:\windows\system32
    1) I am able to confirm that the secret key is present in the keystore:
    keytool -v -list -keystore NONE -storetype PKCS11 -storepass xxxxxx
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-DK330
    Your keystore contains 1 entry
    Alias name: CS.NOLSC.002's U.S. Government ID
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=CS.NOLSC.002, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US, OU=PKI, OU=DoD, O=U.S. Government, C=US
    Issuer: CN=DOD CA-14, OU=PKI, OU=DoD, O=U.S. Government, C=US
    Serial number: 3e8e
    Valid from: Mon Feb 05 14:53:22 EST 2007 until: Thu Feb 04 14:53:22 EST 2010
    Certificate fingerprints:
    MD5: 9D:34:AF:D8:DE:18:15:78:D6:88:3D:37:83:FA:DC:E8
    SHA1: 8A:BB:39:D5:2B:45:F7:CE:A3:93:C5:71:5C:36:DC:FE:3F:B4:7D:9A
    Signature algorithm name: SHA1withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature etc
    2) When I try to sign the applet using the below commands I get the same errors:
    command 1:
    jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ${java.home}/lib/security/pkcs11.cfg sfilechooser.jar "CS.NOLSC.002's U.S. Government ID"
    I get this error:
    jarsigner error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
    command 2:
    jarsigner -verbose -keystore NONE -storetype PKCS11 -storepass xxxxxx sfilechooser.jar "CS.NOLSC.002's U.S. Government ID"
    jarsigner error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
    I can also confirm that the jar file I'm trying to sign is unsigned, using the below command without problem.
    C:\Program Files\Java\jdk1.6.0_14\bin>jarsigner -verify -verbose -certs -keystore NONE -storetype PKCS11 sfilechooser.jar
    Enter Passphrase for keystore:
    0 Wed Jul 08 09:36:06 EDT 2009 META-INF/
    71 Wed Jul 08 09:36:06 EDT 2009 META-INF/MANIFEST.MF
    4227 Tue Jun 09 09:56:20 EDT 2009 DirList.class
    0 Wed Jul 08 09:29:52 EDT 2009 FileChooserPackage/
    4728 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/DirUtil.class
    809 Fri May 29 13:05:42 EDT 2009 FileChooserPackage/FileChooserBean$AWTFileDialogThread.class
    765 Fri May 29 13:05:42 EDT 2009 FileChooserPackage/FileChooserBean$AWTSaveDialogThread.class
    819 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$FileChooserBeanThread.class
    1015 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$FormsDecoderException.class
    815 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$SaveFileChooserThread.class
    17198 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean.class
    s = signature was verified
    m = entry is listed in manifest
    k = at least one certificate was found in keystore
    i = at least one certificate was found in identity scope
    jar is unsigned. (signatures missing or not parsable)
    ======================================
    What could be my problem to get my applet signed? I'm at a loss.

    I found the problem.
    I was able to use jarsigner correctly after I backed off the GemPlus driver from v4.7.062 (file name dkck232.dll) to the previous version, dkck201.dll at v4.7.062.

  • Erroneous duplicate entries appearing in SunPKCS11 NSS KeyStore

    Using the Java PKCS #11 NSS Based KeyStore API (SunPKCS11 provider) in OpenJDK 7, I am managing to get my NSS DB into a bad state:
    certutil from NSS is showing that an alias is getting duplicated again and again on every attempt to overwrite an existing entry with new data:
    Certificate Nickname Trust Attributes
    SSL,S/MIME,JAR/XPI
    sub-ca-node-mgmt u,u,u
    root-ca u,u,u
    sub-ca-endpoints u,u,u
    sub-ca-node-mgmt ,,
    I am only trying to delete the entry using deleteEntry (in this case sub-ca-node-mgmt), then store an updated version of it (you could imagine this as replacing an expired certificate with the updated version) using setKeyEntry. If I add additional code to reload the keyStore after deleting the entry, this does not make any difference in the result. If I rerun the code over again, I can get as many separate copies of sub-ca-node-mgmt as you could imagine. If I comment out the call to setKeyEntry, the problem stops happening.
    Thus I suspect that setKeyEntry is either not working as advertised, or I am misusing the API. Does anyone have a working example of how to delete and overwrite an existing entry in the PKCS11 KeyStore?
    Edited by: 989646 on Feb 21, 2013 6:44 PM

    Found the root cause for this one. The code which generated the RSA key for the cert was not quite right, and mismatched the certs and keys. When this happened it broke the NSS DB, because the association between the keys and certs got damaged, and Java could not access the DB reliably anymore. However, Java is still part of the problem, because it fails to check whether the CKA_ID (NSS / PKCS11 Key ID), which is calculated from the RSA modulus inside the public key / cert and the private key, properly matches or not.

  • Use a different KeyStore type for the SSL keystore

    I use SUN Application Server PE 8 (with the included JDK 1.4.2) on Windows XP.
    I want to configure an HTTP listener in a way that it uses the private key and certificate for SSL from a different keystore. The keystore is a PKCS11 keystore from an IAIK PKCS#11 Provider.
    I know how to configure an HTTP listener using SSL (HTTPS) in principle. I get it working using a JKS keystore, i.e. the format of the SUN file keystore.
    I added a new JCE provider (i.e. the IAIK PKCS#11 Provider) to the underlying JDK in the java.security file (I am quite familiar with JCA/JCE stuff). I added it in a way which works with JSSE and Java 1.4 in other stand-alone applications.
    Then I modified the SSL settings of that listener to use the name of my private key in my keystore. The entry in the domain.xml looks like this:
    <http-listener acceptor-threads="100" address="0.0.0.0" default-virtual-server="server" enabled="true" id="http-listener-2" port="1053" security-enabled="true" server-name="" xpowered-by="true">
    <ssl cert-nickname="CN=testcomputer1,OU=Insitute for Applied Information Processing and Communications,O=GRAZ UNIVERSITY OF TECHNOLOGY,C=AT" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" ssl3-tls-ciphers="+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_des_56_sha,-rsa_rc4_56_sha" tls-enabled="true" tls-rollback-enabled="true"/>
    </http-listener>
    In addition, I changed one JVM option and added two new ones to configure JSSE to use the correct keystore:
    <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/pkcs11keystore.p11</jvm-options>
    <jvm-options>-Djavax.net.ssl.keyStorePassword=1234</jvm-options>
    <jvm-options>-Djavax.net.ssl.keyStoreType=PKCS11</jvm-options>
    When I tried to start the server, I got an error from the ORB. It looked like this:
    [#|2005-08-12T10:39:53.615+0200|WARNUNG|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.err|_ThreadID=10;|java.lang.reflect.InvocationTargetException
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at org.apache.commons.launcher.ChildMain.run(ChildMain.java:269)
    Caused by: java.lang.ExceptionInInitializerError
         at com.sun.enterprise.iiop.IIOPSSLSocketFactory.init(IIOPSSLSocketFactory.java:216)
         at com.sun.enterprise.iiop.IIOPSSLSocketFactory.<init>(IIOPSSLSocketFactory.java:129)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
         at java.lang.Class.newInstance0(Class.java:308)
         at java.lang.Class.newInstance(Class.java:261)
         at com.sun.corba.ee.impl.orb.ParserTable$3.operate(ParserTable.java:460)
         at com.sun.corba.ee.impl.orb.NormalParserAction.apply(NormalParserAction.java:22)
         at com.sun.corba.ee.spi.orb.PropertyParser.parse(PropertyParser.java:52)
         at com.sun.corba.ee.spi.orb.ParserImplBase.init(ParserImplBase.java:56)
         at com.sun.corba.ee.impl.orb.ORBDataParserImpl.<init>(ORBDataParserImpl.java:339)
         at com.sun.corba.ee.impl.orb.ORBImpl.postInit(ORBImpl.java:421)
         at com.sun.corba.ee.impl.orb.ORBImpl.set_parameters(ORBImpl.java:498)
         at org.omg.CORBA.ORB.init(ORB.java:337)
         at com.sun.enterprise.util.ORBManager.createORB(ORBManager.java:343)
         at com.sun.enterprise.util.ORBManager.init(ORBManager.java:230)
         at com.sun.enterprise.server.J2EEServer.createORB(J2EEServer.java:336)
         at com.sun.enterprise.server.J2EEServer.run(J2EEServer.java:180)
         at com.sun.enterprise.server.J2EEServer.main(J2EEServer.java:600)
         at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:232)
         at com.sun.enterprise.server.PEMain.run(PEMain.java:210)
         at com.sun.enterprise.server.PEMain.main(PEMain.java:172)
         ... 5 more
    Caused by: java.lang.IllegalStateException: Invalid keystore format
         at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:68)
         ... 29 more
    |#]
    I thought it uses the same keystore. Thus, I changed the NickName in the SSL configuration of the ORB listeners to use the same key. This did not solve the problem. Then I tried to remove all SSL-enabled listeners for the ORB; the ORB should not use SSL at all. However, this did not help either. I get the same error. It seems that there is some code involved here which prevents using a different keystore type.
    Can anyone help solving this problem, or at least finding the actual reason? One does not need a hardware keystore to reproduce this problem. Using a PKCS#12 keystore produces the same error; i.e. change the keystore type to "PKCS12" (implemented in the SUN JSSE provider) and the keystore file and password accordingly. I tried this with the standard configuration of the JDK, i.e. without any additional JCE providers.
    Please tell me how I can use a different keystore type for SSL (HTTPS).
    Karl

    Application Server PE only supports "JKS" format. If you are interested in support for other formats, please submit a request for enhancement on project glassfish (Open Source application server) http://glassfish.dev.java.net.
    If you have time, you might want to checkout and look at the source in glassfish/appserv-core/src/java/com/sun/enterprise/security/SecuritySupportImpl.java.
    You should be able to fix it on your own.
    Hope this helps,

  • KeyStore.deleteEntry deletes CA certs that are used in other entries

    I think there is a problem with KeyStore deleteEntry where it deletes more certs than it should do. I have a keystore (in this case a PKCS11, although I expect it will apply to file-based keystores as well) with 2 entries:
    IFMPROD_SIGN_008
    IFMPROD_SIGN_007
    All key entries are under the same CA hierarchy (issuing and root CA). I can use keytool to list with verbose and in each case see a nice 2-cert chain for each entry. I then use deleteAlias to remove IFMPROD_SIGN_007 (either within a Java app or by running keytool -delete -alias). Then when I list my keystore again, IFMPROD_SIGN_008 is still there but the cert chain is missing, i.e. each cert is shown on its own without the issuing and root CA certs. Using low-level tools I can see that these CA certs have been removed.
    Now this causes issues when trying to use these entries with e.g. SunJSSE client auth, because the server hello message specifies the trusted root but the client hasn't got the full chain in the HSM anymore and bombs the SSL negotiation.
    So I thought, well, I guess I just need to import each CA cert on its own - except you can't do that with PKCS11, because root CA certs cannot be imported on their own into the HSM using keytool (although you can import them as a cert chain, but that's a different story......
    Here I have recreated it using keytool alone.
    keytool -keystore NONE -storepass 123456 -storetype PKCS11 -list -v
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-BTHSM
    Your keystore contains 2 entries
    Alias name: IFMPROD_SIGN_007
    Entry type: keyEntry
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=CUS-GW-2002.intra.ifm.bt.com, OU=MSM, O=SMITHSBANK
    Issuer: CN=TESTISSCA, OU=MSM, O=BT
    Serial number: 1bc9d9a30000000002e6
    Valid from: Fri Apr 30 08:37:17 GMT 2010 until: Sat Apr 30 08:37:17 GMT 2011
    Certificate fingerprints:
    MD5: 7A:77:2F:64:BB:CA:31:E7:55:5B:4E:8D:04:93:6B:21
    SHA1: B5:0D:F5:A7:6F:11:31:12:00:CA:A1:B8:F5:DC:7B:6B:13:CD:68:36
    Certificate[2]:
    Owner: CN=TESTISSCA, OU=MSM, O=BT......
    Issuer: CN=DEVROOTCA, OU=IFM, O=BT Syntegra, L=Fleet, ST=Hants, C=GB, EMAILADDRE
    [email protected]
    Serial number: 51e90a42000100000012
    Valid from: Mon Nov 17 13:48:12 GMT 2008 until: Sun Mar 17 12:18:55 GMT 2024
    Certificate fingerprints:
    MD5: 66:E1:25:FA:CC:02:74:95:E9:A7:E6:A7:E9:32:DF:F1
    SHA1: 07:47:3B:06:FB:11:E9:F5:94:99:1E:6E:7F:67:81:E1:63:A3:46:21
    Certificate[3]:
    Owner: CN=DEVROOTCA, OU=IFM, O=BT Syntegra, L=Fleet, ST=Hants, C=GB, EMAILADDRES
    [email protected]
    Issuer: CN=DEVROOTCA, OU=IFM, O=BT Syntegra, L=Fleet, ST=Hants, C=GB, EMAILADDRE
    [email protected]
    Serial number: 5c3ad550252cd1804d9b9d256ed9cbbd
    Valid from: Wed Mar 17 12:03:38 GMT 2004 until: Sun Mar 17 12:18:55 GMT 2024
    Certificate fingerprints:
    MD5: 19:98:5A:49:6F:E6:94:73:B1:06:3F:07:E0:08:F0:D9
    SHA1: 28:14:A1:F7:8B:89:2D:1A:A1:AB:AE:C7:17:01:BF:60:06:32:D6:1F
    Alias name: IFMPROD_SIGN_008
    Entry type: keyEntry
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=CUS-GW-2002.intra.ifm.bt.com, OU=MSM, O=SMITHSBANK
    Issuer: CN=TESTISSCA, OU=MSM, O=BT
    Serial number: 1be98fcd0000000002e8
    Valid from: Fri Apr 30 09:11:55 GMT 2010 until: Sat Apr 30 09:11:55 GMT 2011
    Certificate fingerprints:
    MD5: 30:7B:7A:8A:4F:A0:5E:42:87:C6:ED:B3:A9:08:6A:74
    SHA1: 82:C9:DB:66:DF:12:DB:5A:ED:46:B9:79:3B:20:68:83:97:8A:57:EC
    Certificate[2]:
    Owner: CN=TESTISSCA, OU=MSM, O=BT
    Issuer: CN=DEVROOTCA, OU=IFM, O=BT Syntegra, L=Fleet, ST=Hants, C=GB, EMAILADDRE
    [email protected]
    Serial number: 51e90a42000100000012
    Valid from: Mon Nov 17 13:48:12 GMT 2008 until: Sun Mar 17 12:18:55 GMT 2024
    Certificate fingerprints:
    MD5: 66:E1:25:FA:CC:02:74:95:E9:A7:E6:A7:E9:32:DF:F1
    SHA1: 07:47:3B:06:FB:11:E9:F5:94:99:1E:6E:7F:67:81:E1:63:A3:46:21
    Certificate[3]:
    Owner: CN=DEVROOTCA, OU=IFM, O=BT Syntegra, L=Fleet, ST=Hants, C=GB, EMAILADDRES
    [email protected]
    Issuer: CN=DEVROOTCA, OU=IFM, O=BT Syntegra, L=Fleet, ST=Hants, C=GB, EMAILADDRE
    [email protected]
    Serial number: 5c3ad550252cd1804d9b9d256ed9cbbd
    Valid from: Wed Mar 17 12:03:38 GMT 2004 until: Sun Mar 17 12:18:55 GMT 2024
    Certificate fingerprints:
    MD5: 19:98:5A:49:6F:E6:94:73:B1:06:3F:07:E0:08:F0:D9
    SHA1: 28:14:A1:F7:8B:89:2D:1A:A1:AB:AE:C7:17:01:BF:60:06:32:D6:1F
    keytool -debug -keystore NONE -storepass 123456 -storetype PKCS11 -delete -alias IFMPROD_SIGN_007
    keytool -keystore NONE -storepass 123456 -storetype PKCS11 -list -v
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-BTHSM
    Your keystore contains 1 entry
    Alias name: IFMPROD_SIGN_008
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=CUS-GW-2002.intra.ifm.bt.com, OU=MSM, O=SMITHSBANK
    Issuer: CN=TESTISSCA, OU=MSM, O=BT
    Serial number: 1be98fcd0000000002e8
    Valid from: Fri Apr 30 09:11:55 GMT 2010 until: Sat Apr 30 09:11:55 GMT 2011
    Certificate fingerprints:
    MD5: 30:7B:7A:8A:4F:A0:5E:42:87:C6:ED:B3:A9:08:6A:74
    SHA1: 82:C9:DB:66:DF:12:DB:5A:ED:46:B9:79:3B:20:68:83:97:8A:57:EC
    JRE is 1.5.0_22 but 1.6.0_13 also does the same thing.
    I think that it should check the usage of each cert in the chain and, if it is used elsewhere, leave it in place. What my app does is annually generate new RSA keys and get them recertified, and while that's happening the system can continue to use the old key+cert until the new one has been issued by the CA and can be loaded. I then import the new entry (as a cert chain), then if that looks good I remove the old entry. The problem is that by removing the old entry it blows the cert chain away for the new entry, and you end up with a busted keystore that hasn't got the cert chain in there.
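As an added check, not code from the post above, the following Java helper makes the chain-sharing problem described there visible before an entry is deleted: it records every other entry's chain, reports which certificates in the victim's chain also appear in other entries' chains, and, after deleteEntry and a re-read of the token, lists the aliases whose chain got shorter. It is written for a PKCS11 keystore, where load(null, pin) re-enumerates the token; the alias argument, the --force flag and the PIN prompt are the example's own assumptions.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

public class SafeDeleteEntry {

    /** SHA-256 over the DER encoding, so the same CA cert is recognised in every chain. */
    static String fingerprint(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** alias -> ordered chain fingerprints for every key entry except `skip`. */
    static Map<String, List<String>> snapshotChains(KeyStore ks, String skip) throws Exception {
        Map<String, List<String>> chains = new TreeMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);
            if (alias.equals(skip) || chain == null) continue;   // null chain: trusted-cert entry
            List<String> fps = new ArrayList<>();
            for (Certificate c : chain) fps.add(fingerprint(c));
            chains.put(alias, fps);
        }
        return chains;
    }

    /** Other aliases whose chain shares certificates with `victim`'s chain, and which ones. */
    static Map<String, Set<String>> sharedChainCerts(KeyStore ks, String victim) throws Exception {
        Map<String, Set<String>> shared = new TreeMap<>();
        Certificate[] victimChain = ks.getCertificateChain(victim);
        if (victimChain == null) return shared;
        Set<String> victimFps = new HashSet<>();
        for (Certificate c : victimChain) victimFps.add(fingerprint(c));
        for (Map.Entry<String, List<String>> other : snapshotChains(ks, victim).entrySet()) {
            Set<String> overlap = new TreeSet<>(other.getValue());
            overlap.retainAll(victimFps);
            if (!overlap.isEmpty()) shared.put(other.getKey(), overlap);
        }
        return shared;
    }

    /** Deletes `victim`, re-reads the token, and returns the aliases whose chain got shorter. */
    static List<String> deleteAndCheck(KeyStore ks, String victim, char[] pin) throws Exception {
        Map<String, List<String>> before = snapshotChains(ks, victim);
        ks.deleteEntry(victim);
        ks.load(null, pin);   // a PKCS11 keystore re-enumerates the token on load
        Map<String, List<String>> after = snapshotChains(ks, victim);
        List<String> damaged = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : before.entrySet()) {
            List<String> now = after.get(e.getKey());
            if (now == null || now.size() < e.getValue().size()) damaged.add(e.getKey());
        }
        return damaged;
    }

    public static void main(String[] args) throws Exception {
        // usage: java SafeDeleteEntry <alias-to-delete> [--force]   (PKCS11 provider already registered)
        String victim = args[0];
        boolean force = args.length > 1 && "--force".equals(args[1]);
        java.io.Console console = System.console();
        if (console == null) throw new IllegalStateException("run from a terminal so the PIN is read without echo");
        KeyStore ks = KeyStore.getInstance("PKCS11");
        char[] pin = console.readPassword("Token PIN: ");
        try {
            ks.load(null, pin);
            Map<String, Set<String>> shared = sharedChainCerts(ks, victim);
            if (!shared.isEmpty() && !force) {
                System.out.println("Refusing to delete " + victim + ": chain certs shared with " + shared);
                return;
            }
            List<String> damaged = deleteAndCheck(ks, victim, pin);
            System.out.println(damaged.isEmpty() ? "delete was clean" : "chains truncated for " + damaged);
        } finally {
            Arrays.fill(pin, '\0');   // do not leave the PIN in memory longer than needed
        }
    }
}
```

If deleteAndCheck reports truncated chains, the remaining entries are in the state the post describes and the CA certificates have to be put back the way the post says works (imported as part of a chain) before those keys are usable for client authentication again.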

    Hi,
    Firstly, I'd like to explain that the issuer name is the local CA name; it does not have to be your Exchange server name. Only one certificate can be deployed to the IIS services in one environment. In Exchange 2013, there is an empty certificate which deploys none:
     http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    For ease of administration, as well as for lower costs, it is recommended to provision as few certificates as possible. As long as all needed names are added in the certificate, we can install one certificate in one organization.
    And here is the minimized namespace which we need to add in our certificate:
    Autodiscover.domain.com
    The host name in all URLs of IIS services and Outlook Anywhere
    Legacy.domain.com
    If you have any question, please feel free to let me know.
    Thanks,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Angela Shi
    TechNet Community Support

  • PKCS11 not found

    While getting a PKCS11 instance of the keystore I am getting the following error:
    java.security.KeyStoreException:PKCS11 not found
    I am using the following code:
    import java.io.ByteArrayInputStream;
    import java.lang.reflect.Constructor;
    import java.security.KeyStore;
    import java.security.Provider;
    import java.security.Security;

    public class SmartCardLogin {
        public static void main(String[] args) {
            try {
                // SunPKCS11 configuration built in memory instead of a .cfg file
                String pkcs11ConfigSettings = "name = SmartCard\n" + "library = " + "C:/WINDOWS/system32/dkck201.dll";
                byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes();
                ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes);
                // reflective call of the JDK 5-8 SunPKCS11(InputStream) constructor (removed in JDK 9)
                Class sunPkcs11Class = Class.forName("sun.security.pkcs11.SunPKCS11");
                Constructor pkcs11Constr = sunPkcs11Class.getConstructor(new Class[] {java.io.InputStream.class});
                Provider pkcs11Provider = (Provider) pkcs11Constr.newInstance(new Object[] {confStream});
                Security.addProvider(pkcs11Provider);
                String aSmartCardPIN = "PASSWORD";
                char[] pin = aSmartCardPIN.toCharArray();
                KeyStore keyStore = KeyStore.getInstance("PKCS11");
                keyStore.load(null, pin);
            } catch (Throwable th) {
                th.printStackTrace();
            }
        }
    }
    Help me to solve this problem.

    Mizar,
    I have the same problem with the PKCS11 keystore type.
    Any solution????
    Bye,
    Luciano
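The "pkcs11 not found" KeyStoreException in the original post at the top of this page and in the post above means the same thing: no installed provider offers a KeyStore of type PKCS11, so a PKCS#11 provider has to be registered (in java.security or at runtime) before KeyStore.getInstance is called. The following is an added example, not code from either post, that first checks which providers offer KeyStore.PKCS11 and configures SunPKCS11 at runtime only if none does. It assumes JDK 9 or later, where Security.getProvider("SunPKCS11").configure(...) replaces the SunPKCS11(InputStream) constructor used in the posts; the token name and library path in INLINE_CONFIG are placeholders, not values from the page.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

public class Pkcs11KeyStoreCheck {

    // Assumed inline SunPKCS11 configuration: on JDK 9+ a configure() argument
    // starting with "--" is parsed as the configuration text itself. Token name
    // and library path are placeholders for this example.
    static final String INLINE_CONFIG =
            "--name = ExampleToken\n"
          + "library = /usr/lib/softhsm/libsofthsm2.so\n";

    /** First installed provider that offers a KeyStore of the given type, or null. */
    static Provider findKeyStoreProvider(String type) {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyStore", type) != null) {
                return p;
            }
        }
        return null;
    }

    /**
     * Returns a provider that can serve KeyStore.PKCS11: one already registered
     * via java.security if present, otherwise SunPKCS11 configured from
     * INLINE_CONFIG and registered now. An unconfigured SunPKCS11 has no
     * services, so it is never picked up by findKeyStoreProvider by mistake.
     */
    static Provider ensurePkcs11Provider() {
        Provider existing = findKeyStoreProvider("PKCS11");
        if (existing != null) {
            return existing;
        }
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider is not part of this JDK");
        }
        // configure() fails (InvalidParameterException) when the native library
        // cannot be loaded: a different problem from "PKCS11 not found".
        Provider configured = base.configure(INLINE_CONFIG);
        Security.addProvider(configured);
        return configured;
    }

    /** Logs in to the token with the given PIN and returns the aliases it holds. */
    static List<String> listAliases(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);  // bind to the provider explicitly
        ks.load(null, pin);                               // null stream: a token, not a file
        List<String> aliases = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            aliases.add(e.nextElement());
        }
        return aliases;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Provider offering KeyStore.PKCS11 before setup: " + findKeyStoreProvider("PKCS11"));
        Provider p = ensurePkcs11Provider();
        // Read the PIN from the terminal instead of embedding it in source, and wipe it afterwards.
        char[] pin = System.console() != null
                ? System.console().readPassword("Token PIN: ")
                : new char[0];
        try {
            System.out.println("Aliases on " + p.getName() + ": " + listAliases(p, pin));
        } finally {
            Arrays.fill(pin, '\0');
        }
    }
}
```

Binding the keystore to the provider with the two-argument getInstance also makes the failure mode explicit: if the token library cannot be loaded, configure() fails with a message about the library rather than the generic "PKCS11 not found" that hides which step went wrong.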

  • Problem with Sun PKCS#11 Provider and Ativcard smart card.

    Hi,
    I'm trying to make a signature with a smartcard.
    I have no problem signing with my card in applications such as Microsoft Office, Outlook (they probably use CAPICOM or MS CryptoAPI).
    There is only one certificate on my card with non extractable pair of keys.
    When I'm using a Java-based application I have the following problem:
    I have Java 1.5.0 installed, and according to the reference guide on:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
    I configured "Sun PKCS#11 Provider".
    In file:
    %JAVA_HOME%/lib/security/java.security I inserted the following lines:
    # Configuration for security providers 1..6 omitted
    security.provider.7=sun.security.pkcs11.SunPKCS11 C:/pkcs11.cfg
    In my case (I'm using ActivCard) the file "C:/pkcs11.cfg" contains:
    name = ActivCard
    library = c:\windows\system32\acpkcs211.dll
    After that I try to use the configured provider with keytool.exe from the JDK.
    In cmdline:
    c:\Program Files\Java\jdk1.5.0_06\bin>keytool.exe -keystore NONE -storetype PKCS11 -list
    Enter keystore password:  1111
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-ActivCard
    Your keystore contains 1 entry
    Cinek's dp ID, keyEntry,
    Certificate fingerprint (MD5): 36:19:DD:01:2E:A2:C5:F6:51:44:03:74:14:D5:62:C0
    So till now everything looks ok. Certificate is accessible.
    But when I try to use jarsigner.exe to sign something:
    c:\Program Files\Java\jdk1.5.0_06\bin>jarsigner.exe -keystore NONE -storetype PKCS11 D:\Applet.jar "Cinek's dp ID"
    Enter Passphrase for keystore: 1111
    jarsigner error: java.lang.NullPointerException
    I've got the java.lang.NullPointerException!
    To find the reason for the exception I've written a simple application, which signs a byte array:
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.cert.Certificate;
    import java.util.Enumeration;
    public class Main {
         public static void main(String[] args) throws Exception {
              PrivateKey privkey = null;
              char[] pin = { '1', '1', '1', '1' };
              // relies on SunPKCS11 being registered in java.security as shown above
              KeyStore smartCardKeyStore = KeyStore.getInstance("PKCS11");
              smartCardKeyStore.load(null, pin);
              Enumeration aliasesEnum = smartCardKeyStore.aliases();
              if (aliasesEnum.hasMoreElements()) {
                   String alias = (String) aliasesEnum.nextElement();
                   privkey = (PrivateKey) smartCardKeyStore.getKey(alias, null);
                   byte[] aDocument = new byte[100];
                   Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
                   signatureAlgorithm.initSign(privkey);
                   signatureAlgorithm.update(aDocument);
                   byte[] digitalSignature = signatureAlgorithm.sign(); // Main.java:31, where the NPE below is thrown
              }
         }
    }
    When I've run this application, in the last line, in the method signatureAlgorithm.sign(), I got:
    Exception in thread "main" java.lang.NullPointerException
         at java.math.BigInteger.modPow(Unknown Source)
         at sun.security.rsa.RSACore.crtCrypt(Unknown Source)
         at sun.security.rsa.RSACore.rsa(Unknown Source)
         at sun.security.rsa.RSASignature.engineSign(Unknown Source)
         at java.security.Signature$Delegate.engineSign(Unknown Source)
         at java.security.Signature.sign(Unknown Source)
         at Main.main(Main.java:31)
    In debug, before this exception variables are:
    alias= "Cinek's dp ID"
    privkey =
    SunPKCS11-ActivCard RSA private key, 1024 bits (id 192168768, token object, not sensitive, extractable)
      modulus:          112271510887039102410124262012976131016781096451891854145879061791454872222254764386718257162446565027910080375427552248069203548913907633164297672417327888344423061606707834842776634133861005271620794248782338105033496749719965719732501903618453514554701005390412127008091861831421936757053019877456102263703
      public exponent:  65537
      private exponent: null
      prime p:          null
      prime q:          null
      prime exponent p: null
      prime exponent q: null
      crt coefficient:  null
    As you can see, the private key has the extractable attribute set, which is wrong. The attribute is set and the key has no values.
    I think that can be the reason for the NullPointerException. (Maybe when extractable = true, the sign() method expects the key values to be filled.)
    So, I cannot sign anything.
    I tried to add some additional attributes to the file "C:/pkcs11.cfg":
    attributes(*,CKO_PRIVATE_KEY,*) = {
      CKA_EXTRACTABLE = false
    }
    but with no effect. The key was still extractable.
    Can you help me to solve this problem?
    PS. I'm using acpkcs211.dll (v3.2.102.0) as an implementation of PKCS#11. (ActivCard says that it is a PKCS#11 v2.11 implementation.)
    PS2. Sorry for my English.

    Can I ask you one question?
    Which driver did you specify? I mean the smartcard reader driver or the driver of the smartcard itself?
    If the second, does it come along with the card? Because as far as I know I just got the smart card but no software at all (apart from the smartcard reader driver).
    Can you help me out with this?
    thanks in advance,
    Marco
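The stack trace in the post above shows the RSA operation running in sun.security.rsa, i.e. the SunRsaSign software provider, which needs private-key components that a token-resident key does not carry, so the null modulus exponent fields end in a NullPointerException. The following is an added example, not the poster's code, that obtains the Signature engine from the keystore's own provider instead of leaving provider selection to precedence order, so the signature is computed on the card. It assumes a PKCS11 provider is already registered as in the post, uses SHA256withRSA rather than the post's SHA1withRSA, and the document it signs is constructed.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Enumeration;

public class TokenBoundSigner {

    /**
     * Signs data with the private key stored under `alias`, taking the Signature
     * engine from the same provider as the keystore. A SunPKCS11 key object is a
     * handle to an object on the token; a software provider chosen by default
     * precedence would try to read its components and fail, as in the post above.
     */
    static byte[] signOnToken(KeyStore tokenStore, String alias, byte[] data) throws Exception {
        Provider tokenProvider = tokenStore.getProvider();
        PrivateKey key = (PrivateKey) tokenStore.getKey(alias, null);  // PIN was given to load()
        if (key == null) {
            throw new IllegalArgumentException("no private key under alias " + alias);
        }
        Signature sig = Signature.getInstance("SHA256withRSA", tokenProvider);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    /** Verification needs only the certificate's public key, so any provider will do. */
    static boolean verify(Certificate cert, byte[] data, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal so the PIN is read without echo");
        }
        KeyStore ks = KeyStore.getInstance("PKCS11");   // provider registered via java.security
        char[] pin = console.readPassword("Token PIN: ");
        try {
            ks.load(null, pin);
        } finally {
            Arrays.fill(pin, '\0');
        }
        Enumeration<String> aliases = ks.aliases();
        if (!aliases.hasMoreElements()) {
            throw new IllegalStateException("token holds no entries");
        }
        String alias = aliases.nextElement();
        byte[] document = "constructed sample document".getBytes(StandardCharsets.UTF_8);
        byte[] signature = signOnToken(ks, alias, document);
        System.out.println("signed with " + ks.getProvider().getName() + " under alias " + alias);
        System.out.println("signature verifies: " + verify(ks.getCertificate(alias), document, signature));
    }
}
```

Passing the provider explicitly is also the right habit for the reverse case: it fails early with NoSuchAlgorithmException if the token does not support the requested mechanism, instead of silently falling through to a software implementation.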

  • PKCS#11 with NSS

    Hello to ALL Saviours,
    For the past 5 days I have been struggling with a cryptography problem. Let me explain my problem statement.
    I have to test the Intel AES-NI feature on a Westmere EP series processor with a Java application.
    My Environment Setup:-
    Application server: Apache Tomcat 6.0.33
    Database: Derby
    Application: JPetStore
    JAVA: jdk1.6.0_23
    Network Security Services(NSS): 3.12.10
    OS: CentOS 6.0 x86-64
    Steps I have followed to make it work:
    1. Set up the application, running perfectly fine on port 8443. Created a key using "keytool -genkey -alias tomcat -keyalg RSA".
    2. Checked the page properties of my application. Output is "TLS 1.0, AES with 128 bit encryption (High); RSA with 1024 bit exchange".
    3. I have compiled NSS and put all *.so files into the existing JDK ($JAVA_HOME/jre/lib/amd64).
    4. Updated jre/lib/security/java.security as "security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg".
    5. Put nss.cfg into $JAVA_HOME/jre/lib/security.
    #Content of nss.cfg
    name=NSS
    nssLibraryDirectory=${java.home}/lib/amd64
    nssDbMode=noDb
    attributes=compatibility
    6. Started the application again. The application is running fine without any error in CATALINA.out.
    Problem Statement:-
    I have generated a load of 20 virtual users and collected the throughput. In both cases (with and without PKCS#11-NSS implemented) I am getting the same results.
    I am not sure whether I am missing some steps or have misconfigured something.
    Help is appreciated because I am in need of it badly.
    Please suggest your views.

    handat wrote:
    NSS doesn't use the JKS store file but instead uses either a hardware token or its own softstore (cert8.db & key3.db). You need to generate the certificate using the certutil tool and update Tomcat server.xml config and set keystoreType.
    Edited by: handat on Nov 18, 2011 1:13 PM
    Edited by: handat on Nov 18, 2011 1:24 PM

    I am using keytool to generate the PKCS11 keystore, but it is giving some error: "keytool error: java.security.KeyStoreException: token write-protected".
    I have used the nssDbMode=noDb option in the nss.cfg file, so do I still have to generate the db file?
    Can you please give me a snapshot of the server.xml file in Tomcat?
    I have configured it as:
    <Connector port="8443"
    minSpareThreads="5"
    maxSpareThreads="75"
    enableLookups="true"
    disableUploadTimeout="true"
    acceptCount="100"
    maxThreads="200"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreType="PKCS11"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
    />
    Appreciate the response.

  • Pktool errors with KMF_ERR_ENCODING

    Hi - does anyone know what the above error might relate to? I can't find anything out about it at all and am a bit stumped as to what it means.
    I'm trying to import 3 certificates with keys into a pkcs11 keystore on a Sun T2000 server for cryptographic offloading - two of them have imported fine but this one fails. All of them have first been converted from PEM to PKCS12 format using openssl - this works fine and I can query the cert details with openssl to check this is fine.
    However when I run the following command for this last one it fails:
    pktool import keystore=pkcs11 infile=filename.p12 label=mylabel
    Enter password to use for accessing the PKCS12 file:
    Enter pin for Sun Software PKCS#11 softtoken :
    Found 1 certificate(s) and 1 key(s) in filename.p12
    Error importing objects:
    libkmf error: KMF_ERR_ENCODING
    Usage:
    etc.
    I've done this same procedure for about a dozen websites across three servers and never seen this before.
    Any help / advice would be appreciated.
    Julian.
    Edited by: 799786 on 08-Mar-2011 04:03

    Thanks - the only difference is that this cert is a self-signed one, but it's nothing fancy; I just used standard openssl commands to create it. It imports into ikeyman just fine and makes use of 3DES, which is supported by pktool.
    Julian.

  • Kmail sasl issue

    When trying to send an email, I get
    Failed to transport message. An error occurred during authentication: SASL(-4): no mechanism available: No worthy mechs found
    and the other person just receives a blank email or no email. I have installed libsasl, gsasl, cyrus-sasl-sql, cyrus-sasl-ldap, cyrus-sasl-gssapi, and cyrus-sasl

    Hope this helps someone in the future...
    I was able to successfully bind to Red Hat Directory Server using a cert off a PKCS11 token today. I found 2 problems, and fixing one or the other would probably take care of it.
    I turned on debugging output and was following the SSL handshake between the server and my application. I noticed that for the PKCS11 keystore it only showed 1 cert in the chain, but for the PKCS12 keystore it showed the full chain of 3 certificates. Later in the handshake the server gives the client a list of trusted CAs, which on my server was the top-most root. Because the PKCS12 token was able to chain the user cert back up to that root, it knew to present the user certificate to the server and could connect successfully. The PKCS11 token was missing the intermediate CA and so effectively didn't realize that the one cert on the card was usable and never offered it to the CA. Some of this was getting masked by the fact that we had "allow client authentication" instead of "require client authentication" on the LDAP server. Before, it was only "working" because when we did a PKCS11 login it fell back to just plain old SSL, and because of the way I had the ACIs set up on the server (very open) we thought it was still working fine.
    So in short.... I fixed the issue by adding the intermediate CA as an explicitly trusted CA on the server.
    Good luck.
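    A way to catch the missing-intermediate problem described above before it shows up as a silent handshake fallback: validate each key entry's chain from the token against the server's trust anchors with the PKIX validator. This is an added example, not code from the thread; it assumes JDK 6-8 (the SunPKCS11 constructor used on this page was removed in JDK 9), a SunPKCS11 config "pkcs11.cfg", PIN "123456", and a JKS truststore "truststore.jks" with password "changeit", all hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example (not from the thread). Config path, PIN, truststore path and
// truststore password below are hypothetical placeholders.
public class CheckTokenChain {
    public static void main(String[] args) throws Exception {
        Provider p = new sun.security.pkcs11.SunPKCS11("pkcs11.cfg");
        Security.addProvider(p);
        KeyStore token = KeyStore.getInstance("PKCS11", p);
        token.load(null, "123456".toCharArray());

        // Trust anchors: the CA(s) the LDAP server advertises in its handshake
        KeyStore trust = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream("truststore.jks");
        try { trust.load(in, "changeit".toCharArray()); } finally { in.close(); }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // offline check; keep revocation on in production

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");

        for (String alias : Collections.list(token.aliases())) {
            if (!token.isKeyEntry(alias)) continue;
            Certificate[] chain = token.getCertificateChain(alias);
            if (chain == null) continue;
            System.out.println(alias + ": token reports " + chain.length + " certificate(s)");

            // A PKIX path ends just below the trust anchor, so drop a trailing self-signed root
            List<Certificate> path = new ArrayList<Certificate>(Arrays.asList(chain));
            X509Certificate last = (X509Certificate) path.get(path.size() - 1);
            if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
                path.remove(path.size() - 1);
            if (path.isEmpty()) { System.out.println("  only a root on the token"); continue; }

            try {
                cpv.validate(cf.generateCertPath(path), params);
                System.out.println("  chains to a trusted anchor");
            } catch (CertPathValidatorException e) {
                // This is the case from the post: the token holds only the end-entity cert
                // and the truststore holds only the root, so the intermediate is missing.
                System.out.println("  does NOT chain: " + e.getMessage());
            }
        }
    }
}
```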

  • Problem while generating an entry for a keystore on SCA-6000

    Hi everybody,
    this is my first message.....
    I need to develop software to add an entry on a keystore that is on a SCA-6000.
    When I try to add an entry with method KeyStore.setKeyEntry I have this error:
    java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT
    at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1067)
    at sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:443)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:848)
    at TestProvider.main(TestProvider.java:160)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT
    at sun.security.pkcs11.wrapper.PKCS11.C_CopyObject(Native Method)
    at sun.security.pkcs11.P11KeyStore.updateP11Pkey(P11KeyStore.java:1518)
    at sun.security.pkcs11.P11KeyStore.storePkey(P11KeyStore.java:1678)
    at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1063)
    I don't find anything in the documentation.....
    this is my code:
    Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(fis);
    Security.addProvider(pkcs11Provider);
    char [] pin = args[1].toCharArray();
    KeyStore smartCardKeyStore;
    smartCardKeyStore = KeyStore.getInstance("PKCS11");
    smartCardKeyStore.load(null, pin); //ALL OK
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", pkcs11Provider);
    kpg.initialize(1024);
    KeyPair kp = kpg.generateKeyPair();
    Certificate[] cc = {cer}; // cer: the Certificate to store with the key (not shown in the post)
    smartCardKeyStore.setKeyEntry("[email protected]", kp.getPrivate(), "dlozzi".toCharArray(), cc);
    PS: fis is a FileInputStream for the SunPKCS11 configuration file, which contains:
    name = SunCryptoAccelerator6000
    library = /usr/lib/libpkcs11.so
    thanks for your help
    Ad Maiora,
    Daniele Lozzi

    "IN UPDATE TASK" resolved by myself. One should explicitly call 'COMMIT WORK' from the Z-program after CALL FUNCTION '...' IN UPDATE TASK in order to get the changes in CDHDR/CDPOS committed. The key in this issue for me was to check the documentation of CALL FUNCTION :-).
    Regards,
    Ivo

  • Issues with calling more than one PKCS11 instance

    Hi all,
    I've more or less identified exactly what the problem is, so I'm wondering if this is a bug that will be fixed. I have multiple PKCS11 providers, one that uses NSS in fips mode and one that uses a library for a smart card. This is the sample code I'm using:
    KeyStore ks = KeyStore.getInstance("PKCS11","SunPKCS11-smartcard");
    KeyStore ts = KeyStore.getInstance("PKCS11","SunPKCS11-NSSfips");
    ks.load(null,"12345".toCharArray());      // load(InputStream, char[]) takes the PIN as a char array
    ts.load(null,"12345abcd".toCharArray());
    What a lot of debugging has shown me is that when I make that first ks.load call, in the P11KeyStore class, a static variable, CKA_TRUSTED_SUPPORTED gets set to false, which prevents me from loading trusted certs in the second call (ts.load). It's fine if I call them in reverse order, because that static variable gets set after I get all my trusted certs but later in the program another class makes that call and fails. I think this should be a bug. The CKA_TRUSTED_SUPPORTED variable never gets reset to true even if it is a valid attribute.
    Edited by: 929934 on Apr 24, 2012 11:16 AM

    Please disregard.
    I placed the function filter() in the event.result as a
    second line in the function that loads the arraycollection for my
    datagrid.

  • Problem in accessing 2 certificates in smart card using Sun PKCS11 Provider

    I have stored 2 certificates in iKey. To access and use them in Java I am using Sun PKCS11 Provider.
    The program is .
    1. The keyStore.aliases() is returning 1 alias only (instead of 2).
    2. Throwing following error when accessing the private key using
    code: PrivateKey pvt = keyStore.getKey(alias, null);
    Error Message Detail:
    "KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID 0x00"
    at Sun .. P11KeyStore.getTokenObject(P11KeyStore.java:2135)
    at ...P11KeyStore.engineGetKey(P11KeyStore.java:292

    Did you look at this? Does it help you? Since no one has answered all day, and I will assume you searched for that error first, perhaps you could provide some more detail?
    http://forum.java.sun.com/thread.jspa?threadID=5195275&tstart=15
    Message was edited by:
    mdares

  • Sun PKCS#11 provider ignores the PIN while loading keystore in Windows JRE

    We are using smart card based login in our GUI application. We use active client for Card reader. We are using sun PKCS#11 provider to read certificate from the CARD. In the code we are passing PIN while loading the keystore. It seems the pin is getting ignored and we get active client pin dialog.
    PS: In linux JRE the pin passed while loading keystore is working properly.
    Below is the code snippet that I used for testing.
    import java.io.FileNotFoundException;
    import java.io.IOException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.Provider;
    import java.security.Security;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import java.util.Enumeration;
    public class CacTest { // class name not given in the post; braces restored
       public static void  main(String arg[]) throws Exception {
          try {
             //Create our certificates from our CAC Card
             String configName = "card.config";
             Provider p = new sun.security.pkcs11.SunPKCS11(configName);
             Security.addProvider(p);
             char[] pin = { '1', '2', '3', '4', '5', '6' };
             KeyStore cac = null;
             cac = KeyStore.getInstance("PKCS11");
             cac.load(null, pin);
             showInfoAboutCAC(cac);
          } catch(Exception ex) {
             ex.printStackTrace();
             System.exit(0);
          }
       }
       public static void showInfoAboutCAC(KeyStore ks) throws KeyStoreException, CertificateException, FileNotFoundException, IOException {
          Enumeration<String> aliases = ks.aliases();
          int count = 0;
          while (aliases.hasMoreElements()) {
             String alias = aliases.nextElement();
             X509Certificate[] cchain = (X509Certificate[]) ks.getCertificateChain(alias);
             if (cchain != null) {
                System.out.println("Certificate Chain for : " + alias);
                for (int i = 0; i < cchain.length; i ++) {
                   System.out.println(i + " SubjectDN: " + cchain[i].getSubjectDN());
                   System.out.println(i + " IssuerDN: " + cchain[i].getIssuerDN());
                }
             }
          }
       }
    }
    content of card.config is
    name = myConfig
    library = C:\\WINDOWS\\system32\\acpkcs211.dll
    Alternatively, we can see the same behaviour if we run the following command
    keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "E:\work1\card.config" -list
    This command will ask for the PIN on the command line, and again the active client PIN dialog will be prompted.
    Please let me know if this is a bug in Sun PKCS#11 provider in Windows and whether there is any workaround to fix the issue.
    Environment Details::
    OS Win XP sp3
    Java version "1.6.0_17"
    Active client library version :
    P11 Library:
    Name:  acpkcs211.dll
    Version: 4-0-0-12
    Thanks in advance
    Ruhul

    The program is just to simulate the issue. I understand that users have to pass the PIN. In our GUI we have our own dialog to get the PIN from the user and pass it to the PKCS#11 provider, which uses the PIN while loading the keystore.
    cac.load(null, pin); // the pin passed in load method is not used at all
    My problem here is that even after the proper PIN is supplied by the user, the active client PIN dialog is prompted. Whereas in the Linux JRE this works fine.
    We have a command line application where active client dialog popup is not acceptable. We need to get the PIN from user as command argument and load the keystore.
    Please let me know if this clarifies the confusion.
    Thanks,
    Ruhul

  • Pkcs11 and Sign Problem

    hi:
    i have a usbkey and use it do the sign work with the PKCS11 .
    the program is below:
    import java.lang.*;
    import java.security.*;
    import java.security.cert.*;
    import sun.misc.BASE64Encoder;
    import javax.crypto.spec.SecretKeySpec;
    import java.util.*;
    public class TestPkcs11 {
    public static void main(String[] args) throws Exception {
    String configName = "pkcs11.cfg";
    Provider p = new sun.security.pkcs11.SunPKCS11(configName);
    Security.addProvider(p);
    String pin = "1234";
    KeyStore ks = KeyStore.getInstance("PKCS11");
    ks.load(null, pin.toCharArray());
    java.security.cert.Certificate certs[]=null;
    Enumeration e = ks.aliases();
    int i=0;
    String alias[]=new String[2];
    PrivateKey pKey[]=new PrivateKey[2];
    java.security.cert.Certificate cert=null;
    while (e.hasMoreElements()) {
         alias[i] = String.valueOf(e.nextElement());
         cert=ks.getCertificate(alias[i]); // getCertificate takes one alias, not the array
         pKey[i]=(PrivateKey)ks.getKey(alias[i],pin.toCharArray());
         i++;
    }
    Signature sig = Signature.getInstance("MD5withRSA",p);
    sig.initSign(pKey[0]);//Problem is here;
    String s = "Hello World";
    sig.update(s.getBytes());
    System.out.println("signing...");
    byte[] sigBytes = sig.sign();
    System.out.println(s +
    " signed bytes: " +
    new BASE64Encoder().encode(sigBytes));
    System.out.println("Verifying...");
    sig.initVerify(cert.getPublicKey());
    sig.update(s.getBytes());
    if (sig.verify(sigBytes))
    System.out.println( "success!");
    }
    }
    Exception in thread "main" java.security.InvalidKeyException: Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
    at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeFactory.java:82)
    at sun.security.pkcs11.P11KeyFactory.engineTranslateKey(P11KeyFactory.java:115)
    at sun.security.pkcs11.P11KeyFactory.convertKey(P11KeyFactory.java:48)
    at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:273)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1098)
    at java.security.Signature.initSign(Signature.java:485)
    at TestPkcs11.main(TestPkcs11.java:50)
    it is urgent! Help!!!!!!!!!!!
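    An added example (not the poster's code and not a confirmed fix for the exception above) of the sign-and-verify loop written so the Signature object comes from the same provider instance that owns the keystore's key handle, checks the entry is an RSA private key before use, and uses SHA256withRSA rather than MD5withRSA. It assumes JDK 8 (for java.util.Base64) and the "pkcs11.cfg" and PIN "1234" from the post.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Collections;

// Added example, not the poster's program. Config path and PIN are taken from the
// post; the class name is hypothetical.
public class Pkcs11SignExample {
    public static void main(String[] args) throws Exception {
        Provider p = new sun.security.pkcs11.SunPKCS11("pkcs11.cfg");
        Security.addProvider(p);
        // Bind the keystore to this provider explicitly instead of relying on lookup order
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, "1234".toCharArray());

        byte[] data = "Hello World".getBytes("UTF-8");
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;            // skip trusted-cert-only entries
            Key k = ks.getKey(alias, null);                 // PKCS11 keys take no per-key password
            Certificate cert = ks.getCertificate(alias);
            if (!(k instanceof PrivateKey) || cert == null) continue;
            if (!"RSA".equals(k.getAlgorithm())) continue;  // SHA256withRSA needs an RSA key

            // The key is a handle inside the token; sign with the provider that owns it so
            // the key never has to be "translated" into another provider's format.
            Signature signer = Signature.getInstance("SHA256withRSA", ks.getProvider());
            signer.initSign((PrivateKey) k);
            signer.update(data);
            byte[] sigBytes = signer.sign();
            System.out.println(alias + " signature: " + Base64.getEncoder().encodeToString(sigBytes));

            // Verification only needs the public key, so the default provider is fine
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(data);
            System.out.println(alias + " verifies: " + verifier.verify(sigBytes));
        }
    }
}
```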

    In the Print dialog, select "Document and Stamps" in the "Comments and Forms" dropdown.
    Otherwise, you can flatten the comments so they become regular page contents. You can do this with Preflight, PDF Optimizer, or JavaScript (flattenPages method). Here's a JavaScript based utility that can do this: http://www.uvsar.com/projects/acrobat/flattener/
