SATSA smartcards

Hi all,
I have developed an application using the JSR177 in order to generate a CSR and to sign some content from a WIM/PKCS#15 smartcard.
My code works right fine in the emulator (Sun Java Wireless Toolkit 2.5 Beta and cref as the smartcard emulator), but when I try to execute it on my Nokia E61 (generating a CSR), it fails.
A UserCredentialManagerException is thrown saying: "An appropriate security element can not be found" (error reason: SE_NOT_FOUND).
Section D.2.1.2 of the SATSA documentation says: "The securityElementID parameter is used to select the proper WIM. It should be compared with the WIM application label (tokenInfo.label)".
The problem seems to be from the smartcard side, because its tokenInfo.label is "WIM 1.01" and with that value for the securityElementID, there is no success.
This is the third card I test.
So my question is,
Does anybody know a smartcard that works with SATSA?
Any manufacturer, at least?
I mean smartcards already tested and well known, where it is sure that the JSR177 runs succesfully.
Many thanks in advance.

SATSA-APDU can be used to talk to any smart card for any purpose. PKCS #11 is specific to cryptographic smart cards.

Similar Messages

Using SATSA-CRYPTO

I'm using some calls to the SATSA Crypto package which work fine when run with an emulator and NetBeans, but which were getting a NoClassDefFoundError when run on an actual device.
It appears that none of these classes are in my Midlet's jar file. I tried forcing them into the jar, but that got me a java.lang.Error, instead.
When NetBeans runs an emulator, it apparently resolves this by having some extra jars that it searches. Is there a standard place on a device where such jars would normally go?
Michael D. Spence
Mockingbird Data Systems, Inc.

Actually, I'm not using a smartcard. My phone claims to support SATSA, but there's some issue with the myriad exception classes not being defined in the phone. Of course, I can't define them because they're in java.* or javax.*. The emulator that comes with NetBeans doesn't have this problem.
It appears that using the highest available level of obfuscation will often help in situations like these, because it hides the forbidden class names, so you can include them in the jar. In my particular case, this wasn't enough, so I switched to the bouncycastle library: http://www.bouncycastle.org. This works great with the emulator and my phone, and has more and better features than SATSA.

JSR177 (Satsa) problems

Hello!
I have a problem with the SATSA API. I'm trying to make a simple program for
resetting and retrieving the ATR byte from the SIM card. The compilation of my program works fine, without any errors. But when executing the application, I get the following error:
java.lang.NoClassDefFoundError: javax/microedition/apdu/APDUConnection
I have imported the APDUConnection class, and as I mentioned, compilation works without errors. But during runtime I get the above mentioned error.
Can anyone give me a hint what possibly could cause this error?
Jonny

Hello, and thank you for your answer!
I get the same error both on the phone and on the emulator. I know that my code can't work on the emulator, but I would expect another error message if the problem is that the connection cannot be set up. The problem is that I have no clue wether my phone (Nokia 6630) nor SIM card support jsr177 or not. That's actually what I'm trying to find out. But unfortunately my Java programming skills are not perfect and I'm not sure if I have done something wrong or if the mobile phone and/or SIM card does not support jsr177. My SIM is not a JavaCard, but if I have understood correctly it is possible to communicate with other smartcard application too, such as SAT (SIM Application Toolkit).
What I'm actually trying to find out is whether I can use JSR177 for generating digital signatures with the private key/keys embedded on my PKI compliant SIM card (Setec PKI SIM). My purpose is to make it possible to use a Mobile Phone as a wireless smartcard reader for my PC computer. This would elimineate the need for a separate smartcard reader and smartcard (wireless identiy card) for my PC.
I'm not sure at all if I'm on the right track, so I'm very grateful for any hint!
Jonny

SATSA without a JAVA CARD?

Hi all,
Im trying to connect an external application to a SmartCard using SATSA API.
I am not using a JavaCard and i don't have in my smartcard an application having a particular AID. I can only communicate with this smartcard using apdu to read and write its file system.
Using OpenCardFramework i do this by a PassThruCardService object but i have not found in SATSA a way to connect my application to my smartcard without using AID (APDUConnection).
If there is a way to do this, please help me :)
thanks in advance
Andrea

i have used OCF inside XletView .. it works...Great!
Did you make the OCF implementation yourself, something you'd like to share? Or what hardware/software did you use?
if you have just used satsa suggest me some tricks please :)I haven't used it yet, waiting for a box with an implementation. You'll probably see me posting questions when it's time ;-)
// b

How to run SmartCard Application on PC

hi,
i want to know how to convert class file into a CAP file and how to run on PC a smartCard Application. when i use converter use from command prompt then it will ask the AID how i get the AID at Conversion time. pls tell me the procedure for Convert and run the application on PC.
pls help me.

You can use the suggestions in the below blog to test your app on another PC.
http://blogs.msdn.com/b/patricka/archive/2012/11/05/how-do-i-deploy-a-windows-8-app-to-another-device-for-testing.aspx

I can�t decrypt a text encrypted (using RSA) with keys on smartcard.

I use a Cyberflex Access e-gate smartcard and I can encrypt and decrypt any text on the card but if I encrypt a text outside using the exported public key, card is not able to decrypt the message.
On the card side:
�
RSAPrivateCrtKey privateKey;
RSAPublicKey publicKey;
Cipher cipherRSA;
�
private MyIdentity (byte buffer[], short offset, byte length){
        // initialise PIN
        pin = new OwnerPIN(PinTryLimit, MaxPinSize);
        pin.resetAndUnblock();
        // Key Pair
        KeyPair kp = new KeyPair(KeyPair.ALG_RSA_CRT, (short)1024);
        kp.genKeyPair();
        privateKey = (RSAPrivateCrtKey) kp.getPrivate();
        publicKey = (RSAPublicKey) kp.getPublic();
        cipherRSA = Cipher.getInstance(Cipher.ALG_RSA_PKCS1, false);
        if (buffer[offset] == (byte)0) {
            register();
        } else {
            register(buffer, (short)(offset+1) ,(byte)(buffer[offset]));
    private void GetPublicKey (APDU apdu) {
        if (pin.isValidated()){
            byte apduBuffer[] = apdu.getBuffer();
            // short byteRead = (short)(apdu.setIncomingAndReceive());
               short bytesMod = publicKey.getModulus(apduBuffer, (short) 0);
               short bytesExp = publicKey.getExponent(apduBuffer,bytesMod);
               short outbytes = (short) (bytesMod + bytesExp);
                // Send results
             apdu.setOutgoing();
             // indicate the number of bytes in the data field
             apdu.setOutgoingLength((short)outbytes);
             // at offset 0 send 128 byte of data in the buffer
             apdu.sendBytesLong(apduBuffer, (short)APDUDATA, (short)outbytes);
        } else {
            ISOException.throwIt (ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
     private void Decrypt (APDU apdu) {
        byte apduBuffer[] = apdu.getBuffer();
         short byteRead = (short)(apdu.setIncomingAndReceive());
        cipherRSA.init(privateKey, Cipher.MODE_DECRYPT);
          cipherRSA.doFinal(apduBuffer,(short)APDUDATA, byteRead, apduBuffer, (short)APDUDATA);
         // Send results
        apdu.setOutgoing();
        // indicate the number of bytes in the data field
        apdu.setOutgoingLength(byteRead);
        // at offset 0 send x byte of data in the buffer
        apdu.sendBytesLong(apduBuffer, (short)APDUDATA, byteRead);
     }Off the card, I have a java client:
public void getPublicKey () {
        int CLA, INS, P1, P2;
        int iArray[] = new int[0];
        short sArray[] = new short[0];
        String ss = new String("");
        String s;
        byte [] sBytes = null;
        byte [] myModulus = new byte[128];
        byte [] myExponent = new byte[3];
        try     {
            CLA = 0x68;
            INS = 0x78;
            P1 = 0;
            P2 = 0;
            sArray = iopCard.SendCardAPDU(CLA,INS,P1,P2,iArray,0x83);
            int iErrorCode = iopCard.GetLastErrorCode();
            if (iErrorCode != 0x9000)     {
                if (iErrorCode == 0x6300) {
                    System.out.println("Wrong PIN");
                } else {
                    s = iopCard.GetErrorMessage();
                    System.out.println("SendCardAPDU: " + s);
            } else {
                System.out.println("Getting Public Key...");
                if (sArray != null) {
                    sBytes = new byte[sArray.length];
                    for (int i = 0; i < sArray.length; i++) {
                        sBytes[i] = (byte)sArray;
ss = new String(sBytes);
System.out.println ("------ BEGIN PUBLIC KEY -------------------");
for (int i=0; i < sArray.length; i++){
System.out.print(Integer.toHexString(ss.charAt(i)).toUpperCase());
System.out.println ();
System.out.println ("------ END PUBLIC KEY -------------------");
} else {
System.out.println("Nothing.");
} catch (slbException b) {
s = b.getMessage();
System.out.println("Validate error: " + s);
for (int i=0; i<128; i++){
myModulus[i] = (byte) sArray[i];
for (int i=0; i<3; i++){
myExponent[i] = (byte) sArray[128+i];
BigInteger modulus = new BigInteger (1,myModulus);
BigInteger exponent = new BigInteger ("65537"); // there is a well-known bug in getExponent
RSAPublicKeySpec keySpec = new RSAPublicKeySpec(modulus, exponent);
KeyFactory keyFactory =null;
try {
keyFactory = KeyFactory.getInstance("RSA");
publicKey = keyFactory.generatePublic(keySpec);
} catch (NoSuchAlgorithmException e) {
System.out.println(e.getMessage ());
} catch (InvalidKeySpecException e) {
System.out.println(e.getMessage ());
System.out.println("------------------ BEGIN ------------------");
ss = new String(publicKey.getEncoded());
for (int i=0; i < publicKey.getEncoded().length; i++){
System.out.print(Integer.toHexString(ss.charAt(i)).toUpperCase());
System.out.println ();
System.out.println("------------------ END ------------------");
// to a file
try {
//Store in raw format
FileWriter fw = new FileWriter("public_raw.txt");
for (int i=0; i < publicKey.getEncoded().length; i++){
fw.write(Integer.toHexString(ss.charAt(i)).toUpperCase());
fw.close();
//could also store it as a Public key
System.out.println("Public key saved to file");
} catch(Exception e) {
System.out.println("Error opening and writing Public key to file : "+e.getMessage());
public void encrypt () {
byte cadena[] = {0x01,0x02,0x03,0x04};
byte resultado[] = new byte[256];
// Create Cipher
try {
cipherRSA.init(Cipher.ENCRYPT_MODE, publicKey);
resultado = cipherRSA.doFinal (cadena);
} catch (InvalidKeyException e) {
System.out.println(e.getMessage());
} catch (BadPaddingException e) {
System.out.println(e.getMessage());
} catch (IllegalBlockSizeException e) {
System.out.println(e.getMessage());
String ss = new String (resultado);
System.out.println("------------------ BEGIN 4 ------------------");
for (int i=0; i < resultado.length; i++){
System.out.print(Integer.toHexString(ss.charAt(i)).toUpperCase());
System.out.println ();
System.out.println("------------------ END 4 ------------------");
Another question is that I don�t understand why I get a constant length string when I encrypt a text on the card and variable length string when I encrypt off the card

I thought that exponent was 3 bytes long...
On the card I have the following code:
    private void GetExponent (APDU apdu) {
        if (pin.isValidated()){
            byte apduBuffer[] = apdu.getBuffer();
        short bytesExp = publicKey.getExponent(apduBuffer, (short) 0);
           // Send results
             apdu.setOutgoing();
             // indicate the number of bytes in the data field
             apdu.setOutgoingLength((short)bytesExp);
             // at offset 0 send 128 byte of data in the buffer
             apdu.sendBytesLong(apduBuffer, (short)APDUDATA, (short)bytesExp);
        } else {
            ISOException.throwIt (ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
    }And if I don't send an APDU with length expected, I get the exception 6C03 (Correct Expected Length (Le) = 0x6C00) so I send APDU with 03 length and I receive the exponent. The problem is that there is a well know bug in getExponent and it returns 00 00 00... so I set it up to 65537 outside the card.

Digital Signatures with SmartCards.

Hi guys,
Has anyone implemented in R/3 digital signatures with smartcards?
Currently I'm at customer side trying to implement digital signatures within workflow processes using ABAP SSF functions. The smartcard devices are already installed, but I can't read the data inside the smartcard, moreover, I can't link the smartcard device with R/3 and I don't know how to do it
I read in some Weblogs and documents that it is necessary a SAP-certified external security product. I believe this external security product is the software that comes inside of smartcard drivers CD. It is something like a little application on which we can sign in data and put our fingerprint.
I guess it is not supposed to develop an interface application between smartcard and R/3! When I started these developments I thought that I only needed to configure some environment variables to connect these devices with R/3 and then develop the ABAP flow logic with SSF Functions - Am I right?
Can anyone provide me some guidelines for this issue?
Thanks in advance,
Ricardo.

The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.
Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).
The signed data is then transported back to the server where it is stored (to ensure auditibility); usually you'll have to keep the (archived) data for years; the public key need to be archived as well.
Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.
Regards, Wolfgang

Smartcard and Sun Blade: How to use it

Hello,
We have received some Sun blade 100, with smartcard reader.
Does someone know how to program this reader ? I have found
include files in /usr/include name samrtcard.h and a directory
with the same name, but source code is a little bit fuzzy for me.
Someone has some example of hox to use this reader ?
Thank you

Apple Pay is US-only at this time.

SSF configuration for external Smartcard Readers

Hello colleagues,
I 'm working at a customer who is implementing a SAP project (R/3 4.6C SR2), in which is involved the goverment.
The goverment is forcing to the customer to implement digital signature in some steps of his business process, one of this steps is running on SAP R/3 system. The digital signature will be used with digital signature in order to "package" some critical data like "billing amount", for instance.
The goverment is imposing the smartcard encryption solution, that is hardware encryption.
I have been looking for information about it, so I understood the following:
1._ Some smartcards vendors are compliance with SAP.
2._ I need to install in the server running SAP the smartcard and the smartreader in order to manipulate and to access the encryption functionality.
3._ The smartcard is configured in SAP by transaction SSFA and other reports.
4._ The encryption functionality is accessed by SSF function group.
I downloaded the documents "SSF user guide", "security quick guide: digital signature" and "digital signature in FI".
I've found into a paper called "Digital Signatures
in SAP Applications - Web App.Server 6.40" the following:
1.3.1. SSF for the ABAP Stack
The SSF Library for the ABAP Stack is used in applications that are written in ABAP. It supports the functions for creating and verifying digital signatures (PKCS#7), and functions for encrypting and decrypting documents.
SSF requires an external security product to provide these functions. The SAP Security Library (SAPSECULIB) is delivered with the SAP system as the default product. However, the SAP Security Library only supports digital signatures without cryptographic hardware (SmartCards, SmartTokens, Cryptoboards). Instead of the SAPSECULIB, customers can also use the SAPCRYPTOLIB, which can be downloaded from the SAP Service Marketplace. The SAPSECULIB supports the DSA (Digital Signature Algorithm) algorithm, and the SAPCRYPTOLIB supports both the DSA and the RSA algorithms. The algorithm that you must use in your signature process depends on the CA that issues the certificate. Most CAs use the RSA algorithm. Note that country-specific export guidelines apply in the case of the SAPCRYPTOLIB. For more information, see SAP Note 397175.
For support for encrypting and decrypting documents, and for generating digital signatures using cryptographic hardware, an external security products from our partners is required. These security products use SAPs SSF interface and are certified for this by SAP. For a list of the certified products, see the SAP Service Marketplace under http://service.sap.com/securitypartners, and then choose the link Partner for Secure Store and Forward, digital signatures (SSF).
The SSF Library for the ABAP stack is available as of SAP Basis 4.0.
I don't undertand how is the relationship between SAPCRYPTOLIB and the SmartReader Card established/configured.
We think about the "Government of Chile" will deliver the customer a SmartCard Reader from Schlumberger (Cryptoflex 16K Card).
Should be great if you can provide me with any useful information in order to understand how to implement this configuration.
Best regards, Carlos
Message was edited by: Carlos Guevara
Message was edited by: Carlos Guevara
Message was edited by: Carlos Guevara

Hi,
Thanks a lot for your answer. I have more questions:
As I mentioned before, the Government office will provide a SmartCard reader to the customer: it's "Cryptoflex 16K card from Schlumberger". You can take a look to its features here:
http://www.cryptoflex.com/Products/Cryptoflex_Features/cryptoflex_features.html#
There, you can see the following:
Supported Applications and Platforms
Integrates with PC/SC
Integrates with PKSC#11 >>> (*)
Entrust Ready
Plug & Play with Windows 2000 and Windows XP
Axalto SDK
In the document about Digital Signatures "DigSig_Netweaver_BestPractices_en.doc", you can see the following:
1.2.1 PKCS#7
PKCS#7 stands for Public-Key Cryptography Standard # 7. The PKCS standards are specifications that were developed by RSA Security for secure information exchange using the Internet. PKCS#7 is currently a format established in the market. It describes a wrapper format, meaning that the output format does not correspond to the input format. If, for example, a PKCS#7 signature is attached to a PDF document, the document is then in PKCS#7 format. This format is a binary format, which in turn means that direct display is not very good, and is not suitable for a user. A special tool (viewer) must therefore be used for display. Unfortunately, usable PKCS#7 viewers are not currently available on the market. This format is very suitable for purely automatic processing (without a display component for the user).
SAP offers the PKCS#7 signature on the ABAP platform (as of SAP Basis 4.0B) and on the Java platform (as of SAP Web AS 6.30).
So here are my questions:
1) From above, can you tell me if I'm wrong, or this SmartCard ("Cryptoflex 16K card from Schlumberger") is incompatible with SAP Digital Signature implementation (the Smartcard uses PKCS#11 -see (*) above- and SAP uses PKCS#7)?
2) I didn't find to Schlumberger as a certified partner into the SAP link for Certified Partners for Digital Signatures:
http://www50.sap.com/softwarepartnerdir/products/certify/prod_def.asp?DescID=259&ProdDesc=Digital%20Signatures%2C%20Encryption%20and%20SSF
Does it mean that this partner can't provide SSF compatibility?
3) Can you provide me any kind of documentation in order to understand what are the whole configurations that need to be done from the "basis" side (if questions 1 and 2 are false) in order to configure this arquitecture?
4) Can you explain a little bit how the SAPCRYPTOLIB is used in this context? I mean, should we need it in order to encrypt/decrypt digital signatures/envelopes?
Best Regards, Carlos

LOADING APPLET TO SMARTCARD

How do I load my applet (cap file) to my smartcard using JCOPToolkit ????
Also how do you send APDUs to test the applet?
Kind regards
Saeed

are you want to use JCShell to load applet to the smartcard?
just set the shell properties to (PC/SC)
1.initialize
2.authenticate
3.load package
4.install applet
or you can type the apdu by yourself
you also can tyep "help"
to check how to use install
just type install, you can see such '-p'
is set the applet have pin-change privilege

SmartCard reader not working on EliteBook 6930p

Driver sp41982 installed. XP Pro SP3 OS. Any SD card inserted is not detected. Laptop is leased so could this be a
service call?

Am having similar problem with DV7-1232nr, smartcard reader won't access a 2GB micro-SD card with adapter--it sees & reads it, but won't open or copy files despite admin permissions/ownership/login/etc. The driver DL doesn't help since it's same version installed on LT--had hoped there was a NEWER driver to fix this!
Hoping your solution will be similar to mine. Good luck finding answers, either way!
Gina

Problem using SmartCard with 2 Certificates stored and SunPKCS11

Hi,
I'm trying to access one SmartCard token in Java 1.5 using SunPKCS11 provider for crypt, decrypt and digital signature operations.
I have 2 certificates stored on Token:
- CertA;
- CertB.
There are also 2 PIN:
- PIN1;
- PIN2.
I use:
- PIN1 for logging into the token;
- PIN1 for operation involving CertA;
- PIN2 for operation involving CertB;
There is no problem to logging into the token using Java and, without any troubles, I can read certificates and key from the
cryptographic card.
There is no problem using CertA for all my operation, but every attempt of using Private Key of CertB (for the same operations) returns with an Exception:
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
Here there's an extract of my source code.
public void loginToken() {
Provider UserProvider = new sun.security.pkcs11.SunPKCS11(C:\\pkcs11.cfg);
Security.addProvider(UserProvider);
try {
KeyStore ks = null;
X509Certificate UserCert = null;
PrivateKey UserCertPrivKey = null;
PublicKey UserCertPubKey = null;
//PIN
char PIN1[] = "11111".toCharArray();
char PIN2[] = "22222".toCharArray();
//logging into token
ks = KeyStore.getInstance("PKCS11", UserProvider);
ks.load(null, PIN1);
//enumeration alias
String alias = "";
Enumeration e = ks.aliases();
while (e.hasMoreElements()) {
alias = (String) e.nextElement();
//Certificate
UserCert = (X509Certificate) ks.getCertificate(alias);
//PublicKey
UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();
if (alias.compareToIgnoreCase("Cert1") == 0) {
     //PrivateKey reference
UserCertPrivKey = (PrivateKey) ks.getKey(alias, PIN1);
} else if (alias.compareToIgnoreCase("Cert2") == 0) {
//PrivateKey reference
UserCertPrivKey = (PrivateKey) ks.getKey(alias, PIN2);
} else {
System.out.println("ALIAS UNKNOW");
System.exit(1);
//Signature Test
if (!MakeSignature(UserCertPrivKey, UserProvider))
System.out.println(" *** SIGNATURE OK *** ");
else
System.out.println(" *** SIGNATURE KO *** ");
catch (Exception ex) {
System.out.println("ERROR: " + ex);
public boolean MakeSign(PrivateKey PrivKey, Provider p) {
try {
//File I/O
FileInputStream txtfis = new FileInputStream("C:\\Test.txt");
FileOutputStream sigfos = new FileOutputStream("C:\\Test_Signature.txt");
//Signature Obj init
Signature dsa = Signature.getInstance("SHA1withRSA", p.getName());
dsa.initSign(PrivKey);
//Update data
BufferedInputStream bufin = new BufferedInputStream(txtfis);
byte[] buffer = new byte[1024];
int len;
while (bufin.available() != 0) {
len = bufin.read(buffer);
dsa.update(buffer, 0, len);
bufin.close();
//Make signature
byte[] realSig = dsa.sign();
//save signature on file
sigfos.write(realSig);
sigfos.close();
return true;
catch (Exception ex) {
System.out.println("ERROR: " + ex);
return false;
Any help would be grateful...
Thanks in advance.
P.S. Sorry for my English

This is the same my initial problem.
I resolved it using IAIK-PKCS#11Wrapper (it is FREE) insted of sun.security.pkcs11.SunPKCS11.
You can find it here:
http://jce.iaik.tugraz.at/sic/products/core_crypto_toolkits/pkcs_11_wrapper
Here an exemple of code.
The main class:
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.DefaultInitializeArgs;
import java.util.Hashtable;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.Slot;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
import java.util.Vector;
import iaik.pkcs.pkcs11.objects.PrivateKey;
import iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate;
import java.util.Enumeration;
import iaik.pkcs.pkcs11.objects.Key;
import java.security.cert.CertificateFactory;
import java.io.ByteArrayInputStream;
import iaik.pkcs.pkcs11.Mechanism;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import java.io.File;
import java.io.FileInputStream;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSProcessableByteArray;
import java.util.ArrayList;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import org.bouncycastle.cms.CMSSignedData;
import java.io.FileOutputStream;
import java.security.cert.X509Certificate;
import iaik.pkcs.pkcs11.TokenInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
public class MakeSignature {
public static void main(String[] args) {
     String USER_PIN = "12345678";
     String DLL_NAME = "C:\\windows\\system32\\dll_P11_name.dll";
     String OBJ_LABEL1 = "CNS0"; //this is the label of my 1th cert
     String OBJ_LABEL2 = "CNS1"; //this is the label of my 2th cert
     String INPUT_FILE = "C:\\Temp\\test.txt";
     String OUTPUT_FILE = "C:\\Temp\\test.p7m";
    try {
       // ********** INITIALIZE PKCS#11 MODULE WITH DEFAULT PARAMETERS **********
      Module pkcs11Module = Module.getInstance(DLL_NAME);
      pkcs11Module.initialize(new DefaultInitializeArgs());
       // ********** SELECT TOKEN **********
      Slot[] slotsWithToken = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
      Token[] tokens = new Token[slotsWithToken.length];
      Hashtable tokenIDtoToken = new Hashtable(tokens.length);
      long tokenID = -1;
      Token tokenUsed = null;
      //enum readers
      for (int i = 0; i < slotsWithToken.length; i++) {
        tokens[i] = slotsWithToken.getToken();
tokenID = tokens[i].getTokenID();
tokenIDtoToken.put(new Long(tokenID), tokens[i]);
System.out.println("Active tokens:");
System.out.println("Token ID: " + tokenID);
if (tokens.length == 0) { //No SC found
System.out.println("No SC presents");
else {
System.out.println("Using token: " + tokens[0].getTokenID());
tokenUsed = tokens[0];
     //Note: if you have more reader and more SC inserted, you have to write
     //here the code for select the right token
     // ********** OPEN SESSION VS THE TOKEN AND IF REQUIRED SUBMIT PIN **********
TokenInfo tokenInfo = tokenUsed.getTokenInfo();
Session session = tokenUsed.openSession(Token.SessionType.SERIAL_SESSION, false, null, null);
if (tokenInfo.isLoginRequired()) {
session.login(Session.UserType.USER, USER_PIN.toCharArray());
     // ********** SET SEARCH TEMPLATE FOR THE P11 OBJECT **********
RSAPrivateKey privateSignatureKeyTemplate = new RSAPrivateKey();
privateSignatureKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);
privateSignatureKeyTemplate.getLabel().setCharArrayValue(OBJ_LABEL2.toCharArray());
     // ********** SEARCH P11 OBJECT USING TEMPLATE **********
Vector keyList = new Vector(4);
session.findObjectsInit(privateSignatureKeyTemplate);
Object[] matchingKeys;
while ( (matchingKeys = session.findObjects(1)).length > 0) {
keyList.addElement(matchingKeys[0]);
session.findObjectsFinal();
     //Try to find the corresponding certificates for the signature keys
Hashtable keyToCertificateTable = new Hashtable(4);
Enumeration keyListEnumeration = keyList.elements();
while (keyListEnumeration.hasMoreElements()) {
PrivateKey signatureKey = (PrivateKey) keyListEnumeration.nextElement();
byte[] keyID = signatureKey.getId().getByteArrayValue();
X509PublicKeyCertificate certificateTemplate = new X509PublicKeyCertificate();
certificateTemplate.getId().setByteArrayValue(keyID);
session.findObjectsInit(certificateTemplate);
Object[] correspondingCertificates = session.findObjects(1);
if (correspondingCertificates.length > 0) {
keyToCertificateTable.put(signatureKey, correspondingCertificates[0]);
session.findObjectsFinal();
     //There are three cases now: 1 no obj found; 2 found only one obj, 3 found more obj
Key selectedKey = null;
X509PublicKeyCertificate correspondingCertificate = null;
//no object found for template
if (keyList.size() == 0) {
System.out.println("No object found for template");
throw new Exception("No object found for template");
//Founf only one object
else if (keyList.size() == 1) {
selectedKey = (Key) keyList.elementAt(0);
// create a IAIK JCE certificate from the PKCS11 certificate
          correspondingCertificate = (X509PublicKeyCertificate)keyToCertificateTable.get(selectedKey);
System.out.println("One object Found");
//Found more object ... user can select one
else {
     System.out.println("Many obj found!!!");
//write here the code for select the right object
     // ********** GET THE OBJECT **********
RSAPrivateKey signerPriKey = (RSAPrivateKey) selectedKey;
java.security.cert.CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
byte[] derEncodedCertificate = correspondingCertificate.getValue().getByteArrayValue();
//Cast to java.security.cert.X509Certificate
java.security.cert.X509Certificate signerCert = (java.security.cert.X509Certificate) certificateFactory.
generateCertificate(new ByteArrayInputStream(derEncodedCertificate));
     // ********** SIGNATURE OPERATION **********
//Add BouncyCastle as provider
Security.addProvider(new BouncyCastleProvider());
//initialize signature operation
session.signInit(Mechanism.RSA_PKCS, (PrivateKey) signerPriKey);
//get input data
File src = new File(INPUT_FILE);
int sizecontent = ( (int) src.length());
byte[] contentData = new byte[sizecontent];
FileInputStream freader = new FileInputStream(src);
freader.read(contentData, 0, sizecontent);
freader.close();
     //calculate digest of the input data
byte[] toEncrypt = buildBits(contentData); //I've already posted the code for this function
//make signature
byte[] signature = session.sign(toEncrypt);
     // ********** MAKE P7 WELL FORMAT DOCUMENT **********
//CMSSignedDataGenerator fact = new CMSSignedDataGenerator();
Signature2CMSSignedData fact = new Signature2CMSSignedData();
CMSProcessableByteArray content = new CMSProcessableByteArray(contentData);
//Creation of BC CertStore
ArrayList certList = new ArrayList();
certList.add(signerCert);
CertStore certs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC");
//Signature Alg
String algorithm = CMSSignedDataGenerator.DIGEST_SHA1;
//add element to P7
fact.addSignature(signature, signerCert, algorithm);
fact.addCertificatesAndCRLs(certs);
//generate enveloped using Bouncycastle provider
     CMSSignedData envdata = fact.generate(PKCSObjectIdentifiers.data.getId(), content, true);
byte[] enveloped = envdata.getEncoded();
//Write P7 file
FileOutputStream efos = new FileOutputStream(OUTPUT_FILE);
efos.write(enveloped);
efos.close();
// ********** END **********
session.closeSession();
pkcs11Module.finalize(null);
catch (Exception ex) {
ex.printStackTrace();
}Main class uses buildBits function (already posted in this topic) and Signature2CMSSignedData class.import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.security.cert.CertStore;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.BERConstructedOctetString;
import org.bouncycastle.asn1.DEREncodable;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.cms.SignerIdentifier;
import org.bouncycastle.asn1.cms.SignerInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.TBSCertificateStructure;
import org.bouncycastle.asn1.x509.X509CertificateStructure;
import org.bouncycastle.cms.CMSProcessable;
import org.bouncycastle.cms.CMSSignedData;
* class for generating a RSA pkcs7-signature message.
public class Signature2CMSSignedData2 {
CertStore certStore;
List certs = new ArrayList();
List crls = new ArrayList();
List signerInfs = new ArrayList();
List signers = new ArrayList();
public static final String DATA = PKCSObjectIdentifiers.data.getId();
public static final String ENCRYPTION_RSA = "1.2.840.113549.1.1.1";
private byte[] signatureData = null;
private X509Certificate cert = null;
private String digestOID = null;
private String encOID = null;
public Signature2CMSSignedData2() {
public void addSignature(byte[] signatureData, X509Certificate cert, String digestOID) {
this.signatureData = signatureData;
this.cert = cert;
this.digestOID = digestOID;
this.encOID = ENCRYPTION_RSA;
public void addCertificatesAndCRLs(CertStore certStore) throws Exception{
try {
Iterator it = certStore.getCertificates(null).iterator();
while (it.hasNext()) {
X509Certificate c = (X509Certificate) it.next();
certs.add(new X509CertificateStructure((ASN1Sequence) makeObj(c.getEncoded())));
Iterator it2 = certStore.getCRLs(null).iterator();
while (it2.hasNext()) {
X509CRL c = (X509CRL) it2.next();
crls.add(new CertificateList((ASN1Sequence) makeObj(c.getEncoded())));
catch (Exception e) {
throw new Exception(e.getMessage());
private DERObject makeObj(byte[] encoding) throws Exception {
if (encoding == null) {
return null;
ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
ASN1InputStream aIn = new ASN1InputStream(bIn);
return aIn.readObject();
public CMSSignedData generate(String signedContentType, CMSProcessable content, boolean encapsulate) throws Exception {
try {
ASN1EncodableVector digestAlgs = new ASN1EncodableVector();
ASN1EncodableVector signerInfos = new ASN1EncodableVector();
DERObjectIdentifier contentTypeOID = new DERObjectIdentifier(signedContentType);
// add the SignerInfo objects
Iterator it = signerInfs.iterator();
AlgorithmIdentifier digAlgId = new AlgorithmIdentifier(new DERObjectIdentifier(digestOID), new DERNull());
AlgorithmIdentifier encAlgId;
encAlgId = new AlgorithmIdentifier(new DERObjectIdentifier(encOID), new DERNull());
digestAlgs.add(digAlgId);
ASN1Set signedAttr = null;
ASN1Set unsignedAttr = null;
ASN1OctetString encDigest = new DEROctetString(signatureData);
ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getTBSCertificate());
ASN1InputStream aIn = new ASN1InputStream(bIn);
TBSCertificateStructure tbs = TBSCertificateStructure.getInstance(aIn.readObject());
IssuerAndSerialNumber encSid = new IssuerAndSerialNumber(tbs.getIssuer(), tbs.getSerialNumber().getValue());
signerInfos.add(new SignerInfo(new SignerIdentifier(encSid), digAlgId, signedAttr, encAlgId, encDigest, unsignedAttr));
ASN1Set certificates = null;
if (certs.size() != 0) {
ASN1EncodableVector v = new ASN1EncodableVector();
it = certs.iterator();
while (it.hasNext()) {
v.add( (DEREncodable) it.next());
certificates = new DERSet(v);
ASN1Set certrevlist = null;
if (crls.size() != 0) {
ASN1EncodableVector v = new ASN1EncodableVector();
it = crls.iterator();
while (it.hasNext()) {
v.add( (DEREncodable) it.next());
certrevlist = new DERSet(v);
ContentInfo encInfo;
if (encapsulate) {
ByteArrayOutputStream bOut = new ByteArrayOutputStream();
content.write(bOut);
ASN1OctetString octs = new BERConstructedOctetString(bOut.toByteArray());
encInfo = new ContentInfo(contentTypeOID, octs);
else {
encInfo = new ContentInfo(contentTypeOID, null);
SignedData sd = new SignedData(new DERSet(digestAlgs), encInfo, certificates, certrevlist, new DERSet(signerInfos));
ContentInfo contentInfo = new ContentInfo(PKCSObjectIdentifiers.signedData, sd);
return new CMSSignedData(content, contentInfo);
catch (Exception e) {
throw new Exception(e.getMessage());
}Bye.

Unable to get jarsigner to sign jar file using pkcs11 smartcard

I'm using a JDK jdk1.6.0_14 with a datakey smartcard with the below info in pkcs11.cfg file:
name = DK330
library = c:\windows\system32\dkck232.dll
I have also configured the java.security file to include the security.provider.10=sun.security.pkcs11.SunPKCS11 c:/pkcs11.cfg
I have my environment set for the below to keep it simple as possible:
JAVA_HOME=C:\Program Files\Java\jdk1.6.0_14
CLASSPATH=C:\Program Files\Java\jdk1.6.0_14\lib
PATH=C:\Program Files\Java\jdk1.6.0_14\bin;c:\windows;c:\windows\system32
1) I am able to Confirm that the secret key is present in the keystore
keytool -v -list -keystore NONE -storetype PKCS11 -storepass xxxxxx
Keystore type: PKCS11
Keystore provider: SunPKCS11-DK330
Your keystore contains 1 entry
Alias name: CS.NOLSC.002's U.S. Government ID
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=CS.NOLSC.002, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DOD CA-14, OU=PKI, OU=DoD, O=U.S. Government, C=US
Serial number: 3e8e
Valid from: Mon Feb 05 14:53:22 EST 2007 until: Thu Feb 04 14:53:22 EST 2010
Certificate fingerprints:
MD5: 9D:34:AF:D8:DE:18:15:78:D6:88:3D:37:83:FA:DC:E8
SHA1: 8A:BB:39:D5:2B:45:F7:CE:A3:93:C5:71:5C:36:DC:FE:3F:B4:7D:9A
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature etc
2) When I try to sign the applet using the below commands I get the same errors:
command 1:
jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ${java.home}/lib/security/pkcs11.cfg sfilechooser.jar "CS.NOLSC.002's U.S. Government ID"
I get this error::
jarsigner error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
command 2:
jarsigner -verbose -keystore NONE -storetype PKCS11 -storepass xxxxxx sfilechooser.jar "CS.NOLSC.002's U.S. Government ID"jarsigner error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
I can also confirm the jar file that I'm trying to sign is unsigned using the below command without problem.
C:\Program Files\Java\jdk1.6.0_14\bin>jarsigner -verify -verbose -certs -keystore NONE -storetype PKCS11 sfilechooser.jar
Enter Passphrase for keystore:
0 Wed Jul 08 09:36:06 EDT 2009 META-INF/
71 Wed Jul 08 09:36:06 EDT 2009 META-INF/MANIFEST.MF
4227 Tue Jun 09 09:56:20 EDT 2009 DirList.class
0 Wed Jul 08 09:29:52 EDT 2009 FileChooserPackage/
4728 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/DirUtil.class
809 Fri May 29 13:05:42 EDT 2009 FileChooserPackage/FileChooserBean$AWTFileDialogThread.class
765 Fri May 29 13:05:42 EDT 2009 FileChooserPackage/FileChooserBean$AWTSaveDialogThread.class
819 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$FileChooserBeanThread.class
1015 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$FormsDecoderException.class
815 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean$SaveFileChooserThread.class
17198 Tue Jun 09 09:56:20 EDT 2009 FileChooserPackage/FileChooserBean.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar is unsigned. (signatures missing or not parsable)
======================================
What could be my problem to get my applet signed? I'm at a loss.

I found the problem.
I was able to use jarsigner correctly after I backed off on the GemPlus driver version from v4.7.062 file name dkck232.dll to the previous version of dkck201.dll at v4.7.062.

What is default contents of smartcard and SIM cards

hello
plz tell me what is the default data on smartcards.(smartcard unique number and whatelse..)
what is the difference between SIM card and SmartCards other than physical size.
what is the default data we find on SIM cards.
thanks in advance

hi,
To answer the first question, what kind of smart card you are talking about ?
A credit card, a SIM card, a SAM card, a ID card, a cash card ?
Smart card is a generic name to define any plastic card sized as a credit card and embedding a microchip. For more information about what is a smart card, i advise you to google or read ISO7816 standard.
Your second question is answered above.
For the data that you can find in a SIM card, i will advise you to read GSM 11.11 specification that you can find for free on internet.
Thomas
http://jaccal.sourceforge.net/

Authentucated smartcard user session is terminated immediatedly when card is removed, regardless of httpd SSLSessionCacheTimeout (default 300) setting. Why?

I have installed security device in FF option/advanced tab. Then using smart card to log into my server. The smartcard user is authenticated and secure connection is going smoothly. When the card is removed from the card reader, the connection is immediately terminated, regardless of SSLSessionCacheTimeout settings. Mine is set to 300.
I did same thing with IE, it keeps the connection until the SSLSessionCacheTimeout expires.
It is FF-specific-designed feature? Or I need to do sth specific to FF browser to keep my secure connection based on SSLSessionCacheTimeout setting?
Thanks

Hey,
To answer your question: [https://developer.mozilla.org/en-US/docs/JavaScript_crypto] this link includes how a developer can control the event handlers upon a smartcard removal. These will only work in FIrefox and may be changed in the furture, this only worked in Firefox 21, so this may not be ideal for you.
<blockquote>
Web sites can make themselves more SmartCard friendly by listening for SmartCard insertion and removal events. To enable your document to receive these events, you must first tell the crypto system you are interested by setting window.crypto.enableSmartCardEvents to true. You can then register event handlers for these events with the document.addEventListener() method.
</blockquote>
Old threads to where this code lives : [http://forums.mozillazine.org/viewtopic.php?f=42&t=2708147] I could not find any recent implementations though, it looks like this event is something that happens only serverside?

SATSA smartcards

Similar Messages

Maybe you are looking for