Signing with Smart Card (PKCS#11)

I'm trying to sign my .jar with an ActivCard smart card and jarsigner.exe, but I got a NullPointerException. I have succeeded in getting the list of certificates present on the smart card. Is there a better PKCS#11 provider than sun.security.pkcs11.SunPKCS11?

I receive the following error message when trying to sign a jar file using a PKI card:
jarsigner: Certificate chain not found for: Random.  Random must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
This is the command line:
"C:\Program Files\Java\jdk1.5.0_04\bin\jarsigner" -keystore NONE -storetype PKCS11 -signedjar D:\Work_Java\Random\sRandom.jar -verbose D:\Work_Java\Random\Random.jar Random
What does this mean?

Similar Messages

  • PKCS#11 with Smart card

    Hi
    I'm new to smart card technologies. I need some help regarding this. I have to write an application which will store the keys in a smart card. I'm supposed to use PKCS#11. I don't know where to start. Can anyone tell me what to do? I'm using a REINER SCT cyberJack e-com USB card reader. Is there any sample code for PKCS11 to write to a smart card?

    I receive the following error message when trying to sign a jar file using a PKI card:
    jarsigner: Certificate chain not found for: Random.  Random must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
    This is the command line:
    "C:\Program Files\Java\jdk1.5.0_04\bin\jarsigner" -keystore NONE -storetype PKCS11 -signedjar D:\Work_Java\Random\sRandom.jar -verbose D:\Work_Java\Random\Random.jar Random
    What does this mean?

  • Digital Signatures with Smart Cards

    Hi folks,
    It is my first time with digital signatures on an R/3 system. I’m at a customer that uses smart cards (hardware cryptography). We are doing the SAPCRYPTOLIB and front end installations. After finishing these tasks, we need to implement the signatures in 3 workflow processes. I have already read the SSF programmer's guide, API specifications and SSF user guide. But I still have some doubts:
    The SSF profile is stored on the smart card with the private key information, but where are the public keys stored? (PAB – Private Address Book of my trusted circle).
    Do I need the CRLs? Note: this is only for workflow processes that run inside the customer landscape; this is not a B2B scenario.
    It is not yet clear to us how we will sign the data; we are thinking of signing a BOR object, creating an attribute and using it to pass the signer data. Note: for the customer, the objective is a guarantee of user authenticity.
    The BOR object instance ends when the flows finish, so we need to store the signed data for audit reasons. Is a database table a good approach, or is there another standard way?
    P.S.: does anyone have documentation about this subject, something like a how-to with guidelines?
    Thanks in advance,
    Ricardo.

    The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.
    Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).
    The signed data is then transported back to the server where it is stored (to ensure auditability); usually you'll have to keep the (archived) data for years; the public key needs to be archived as well.
    Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.
    Regards, Wolfgang

  • Help with Smart Card (CAC) reader installation

    Need help connecting my smart card reader to my MacBook Pro, using either Firefox, Explorer using Parallels with Windows XP, or Safari. I downloaded all the documentation from the Army AKO and still have problems with my card reader.

    Hi there, I have written a really good "How-to" on Firefox and CAC and also Safari. You might also want to try VMware since Parallels and DoD really don't mix at this time. If you have any questions please let me know.
    Jonathan
    http://www.applemacgeniusville.com

  • Controlling Access to OS with Smart Card

    Does any one know if there is a program built within OS X (Tiger) or either a third party program that will allow a machine running Tiger to be set up to only be accessed when using a "Smart Card" (similar to the system used on a lot of government machines)?
    Also, where would a person obtain the Smart Card to use with the program. Thanks!!!

    You might look into a hardware product called "SecuriKey":
    http://www.securikey.com/mac_security.html
    There was a MacWorld review a few years ago of what might have been an earlier version:
    http://www.macworld.com/article/42927/2005/02/securikey.html

  • Pls help me with smart card problem

    Hi,
    Currently, I'm developing a system for my final year project. I've developed a webpage in PHP for clinic management. I also implement a smart card in my system. The point of it is to make it easier for both parties - doctor and patient. Each time a patient comes to receive treatment, the doctor will check the patient's smart card for previous drug prescriptions. Then the doctor will update it based on the treatment given on that day.
    The problem is, how do I transmit the data from the smart card to be displayed in the PHP page? Maybe I should use an applet but I don't know how.
    Does anybody have applet source code for transmitting data from a smart card to a PHP page?
    I would really appreciate it. Thanks in advance.

    Have you checked the Schlumberger web site?
    What do you mean by "parsing from applet to php"? Parsing really isn't a data transfer method except maybe in a very tenuous sense.
    And do you really mean an applet (a small program run on the client and embedded in a web page) or are you using it as shorthand for any java program?
    If an applet, I suppose you could:
    1) use javascript to connect the applet to the web page, which would just happen to be created using PHP. So it would be all client-side operation.
    2) use HttpURLConnection (or, God help you, direct socket connections) to connect to a web server and interact with PHP to give/get data. In this case it would be client/server behavior, but the applet would have minimal interaction with the PHP page it's embedded in.
    3) Make it really fun (i.e.: complicated) by using javascript to connect to the page, and then use AJAX to connect to the server. I have no idea whether that's even possible using PHP.
    Maybe there are other options I haven't thought of.

  • Login with smart card (PC/SC)

    HI all,
    I am building a J2EE application and I need to log on using a smart card with the PC/SC standard. I don't know how I can do it.
    I have been reading http://www.pcscworkgroup.com but it doesn't have documentation for Java developers.
    I don't know if I need some libraries for the PC/SC standard to access the card or anything else...
    Does anyone know how I can start?
    Thanks in advance.

    Search the forum. This has been answered a million times

  • Compiling rdesktop with Smart Card support?

    Hello,
    I've tried like the dickens to compile "rdesktop" (an open source solution to connect to Windoze PCs using the Microsoft RDP protocol). I can compile and run the source code, but I find it impossible to compile in smart card support. I've tried everything to get the "pcsc-lite" components to compile in - but I'm too much of a makefile noob I'm afraid.
    Anyone know how to do this?
    There's a related discussion at http://discussions.apple.com/thread.jspa?messageID=8652963.
    Any help appreciated
    ~Matt

    Hi,
    Thank you for posting in Windows Server Forum.
    In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card logon scenario, the smart card service on the remote server redirects to the smart card reader connected to the local computer where the user is trying to log on. You can refer to the following article for details.
    Smart Card and Remote Desktop Services
    http://technet.microsoft.com/en-us/library/ff404286(v=ws.10).aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Logging into Windows Server 2012 from Remote Desktop requires "Connect with Smart Card"; how do I disable this?

    I am using pretty much the default setup. I cannot figure out how to disable this. I do not want to use smart cards.
    Any ideas?

    Does this mean you're trying to RDP from an XP box, and therefore have the Remote Desktop feature on the server set to "less secure"? Sounds like that's what disables network authentication, prompting the Smart Card request.
    If you simply click to login as a different user, you can login without a smart card, to include the same user as was being prompted for the card.
    I expect if you choose the Remote Desktop feature requires network authentication on the server, the smart card requirement goes away, but you'll need to login from Win7 or newer clients. Not sure where Vista falls, probably okay too.

  • Help with smart card.

    I just finished my 2nd semester of taking Java. I'm a decent programmer using GUI. I want to learn how to program smart cards and start my own business like a gaming center.
    This is my question. What kind of terminal do I need to get?
    Will any terminal read any type of smart card?
    How do I start learning how to program smart cards?
    Any ideas or suggestions are more than welcome. Thanks in advance.

    any idea?

  • Wrong PIN when initializing RSACryptoServiceProvider with smart card

    I get a "wrong PIN" exception initializing RSACryptoServiceProvider this way in Visual Studio C++ 2012:
    array<System::Byte>^ Sign(array<System::Byte>^ BinDataToSign, X509Certificate2^ Certificate, String^ ProviderName)
    //Set Password
    System::Security::SecureString^ secString = gcnew System::Security::SecureString();
    secString->AppendChar(wchar_t("1"));
    secString->AppendChar(wchar_t("1"));
    secString->AppendChar(wchar_t("1"));
    secString->AppendChar(wchar_t("1"));
    System::Security::AccessControl::CryptoKeySecurity^ cryptoSecurityKey = gcnew System::Security::AccessControl::CryptoKeySecurity();
    CspParameters^ cspa = gcnew CspParameters(1, ProviderName, "8ed9f3ef2dffe62d154f2d82546c337521096e", cryptoSecurityKey, secString);
    RSACryptoServiceProvider^ csp = gcnew RSACryptoServiceProvider(cspa);
    That is not the actual PIN in the example, but I have checked and verified that I am using the correct PIN. Maybe it has something to do with character type conversion when appending to the secure string?

    Maybe it has something to do with character type conversion when appending to the secure string?
    Hi Andrius, why not set a breakpoint in your function and debug your code step by step? Then you could see the value of secString and any other variables. If you get an unexpected value, you will know where the problem is in your code. If there is anything you want to know, please don't hesitate to post it here.
    Check this:
    https://msdn.microsoft.com/en-us/library/system.security.securestring.appendchar(v=vs.110).aspx

  • Problem with Sun PKCS#11 Provider and ActivCard smart card.

    Hi,
    I'm trying to make a signature with a smartcard.
    I have no problem signing with my card in applications such as Microsoft Office, Outlook (they probably use CAPICOM or MS CryptoAPI).
    There is only one certificate on my card with non extractable pair of keys.
    When I'm using a Java based application I have the following problem:
    I have Java 1.5.0 installed, and according to the reference guide on:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
    I configured "Sun PKCS#11 Provider".
    In file:
    %JAVA_HOME%/lib/security/java.security I inserted the following lines:
    # Configuration for security providers 1..6 omitted
    security.provider.7=sun.security.pkcs11.SunPKCS11 C:/pkcs11.cfg
    In my case (I'm using ActivCard), the file "C:/pkcs11.cfg" contains:
    name = ActivCard
    library = c:\windows\system32\acpkcs211.dll
    After that I try to use the configured provider with keytool.exe from jsdk.
    In cmdline:
    c:\Program Files\Java\jdk1.5.0_06\bin>keytool.exe -keystore NONE -storetype PKCS11 -list
    Enter keystore password:  1111
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-ActivCard
    Your keystore contains 1 entry
    Cinek's dp ID, keyEntry,
    Certificate fingerprint (MD5): 36:19:DD:01:2E:A2:C5:F6:51:44:03:74:14:D5:62:C0
    So till now everything looks OK. The certificate is accessible.
    But when I try to use jarsigner.exe to sign something:
    c:\Program Files\Java\jdk1.5.0_06\bin>jarsigner.exe -keystore NONE -storetype PKCS11 D:\Applet.jar "Cinek's dp ID"
    Enter Passphrase for keystore: 1111
    jarsigner error: java.lang.NullPointerException
    I've got the java.lang.NullPointerException!
    To find the reason for the exception I've written a simple application, which signs a byte array:
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.cert.Certificate;
    import java.util.Enumeration;
    public class Main {
         public static void main(String[] args) throws Exception {
              PrivateKey privkey = null;
              char[] pin = { '1', '1', '1', '1' };
              KeyStore smartCardKeyStore = KeyStore.getInstance("PKCS11");
              smartCardKeyStore.load(null, pin);
              Enumeration aliasesEnum = smartCardKeyStore.aliases();
              if (aliasesEnum.hasMoreElements()) {
                   String alias = (String) aliasesEnum.nextElement();
                   privkey = (PrivateKey) smartCardKeyStore.getKey(alias, null);
                   byte[] aDocument = new byte[100];
                   Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
                   signatureAlgorithm.initSign(privkey);
                   signatureAlgorithm.update(aDocument);
                   byte[] digitalSignature = signatureAlgorithm.sign();
              }
         }
    }
    When I run this application, in the last line, in method signatureAlgorithm.sign(), I got:
    Exception in thread "main" java.lang.NullPointerException
         at java.math.BigInteger.modPow(Unknown Source)
         at sun.security.rsa.RSACore.crtCrypt(Unknown Source)
         at sun.security.rsa.RSACore.rsa(Unknown Source)
         at sun.security.rsa.RSASignature.engineSign(Unknown Source)
         at java.security.Signature$Delegate.engineSign(Unknown Source)
         at java.security.Signature.sign(Unknown Source)
         at Main.main(Main.java:31)
    In debug, before this exception variables are:
    alias= "Cinek's dp ID"
    privkey =
    SunPKCS11-ActivCard RSA private key, 1024 bits (id 192168768, token object, not sensitive, extractable)
      modulus:          112271510887039102410124262012976131016781096451891854145879061791454872222254764386718257162446565027910080375427552248069203548913907633164297672417327888344423061606707834842776634133861005271620794248782338105033496749719965719732501903618453514554701005390412127008091861831421936757053019877456102263703
      public exponent:  65537
      private exponent: null
      prime p:          null
      prime q:          null
      prime exponent p: null
      prime exponent q: null
      crt coefficient:  null
    As you can see, the private key has the extractable attribute set, which is wrong. The attribute is set and the key has no values.
    I think that can be the reason for the NullPointerException. (Maybe when extractable = true, the sign() method expects the key values to be filled in.)
    So, I cannot sign anything.
    I tried to add some additional attributes to the file "C:/pkcs11.cfg":
    attributes(*,CKO_PRIVATE_KEY,*) = {
      CKA_EXTRACTABLE = false
    }
    but with no effect. The key was still extractable.
    Can you help me to solve this problem?
    PS. I'm using acpkcs211.dll (v3.2.102.0) as an implementation of PKCS#11. (Activcard says that it is a PKCS#11 v2.11 implementation)
    PS2. Sorry for my English
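
An added example, not code from either poster or from Sun's documentation: the stack trace above runs through sun.security.rsa.RSASignature, so the software RSA provider was handed a token key whose private components are null. The sketch below requests the signature from the PKCS#11 provider by name so that signing is sent to the card, and reports which aliases are key entries with a certificate chain, which is what the jarsigner message in the first post asks for. Assumptions: the provider is registered as SunPKCS11-ActivCard as in the keytool output, and the class and method names are illustrative.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;

// Added example; class and method names are illustrative, not from the posts.
public class TokenSign {
    // "SunPKCS11-" + the name from pkcs11.cfg, as printed by keytool in the post.
    static final String PROVIDER_NAME = "SunPKCS11-ActivCard";
    // Algorithm used in the post; choose SHA256withRSA if the token offers it.
    static final String ALGORITHM = "SHA1withRSA";

    public static void main(String[] args) throws Exception {
        Provider p11 = Security.getProvider(PROVIDER_NAME);
        if (p11 == null) {
            throw new IllegalStateException(PROVIDER_NAME + " is not registered");
        }
        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal so the PIN can be read");
        }
        char[] pin = System.console().readPassword("Token PIN: ");
        if (pin == null) {
            throw new IllegalStateException("no PIN entered");
        }
        try {
            // Ask the token provider for the keystore, not whichever provider is first.
            KeyStore ks = KeyStore.getInstance("PKCS11", p11);
            ks.load(null, pin);
            byte[] document = "constructed sample input".getBytes("UTF-8");
            for (String alias : Collections.list(ks.aliases())) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (!ks.isKeyEntry(alias) || chain == null || chain.length == 0) {
                    // jarsigner rejects such an alias with "Certificate chain not found".
                    System.out.println(alias + ": no private key with certificate chain");
                    continue;
                }
                PrivateKey key = (PrivateKey) ks.getKey(alias, null);
                byte[] sig = signOnToken(p11, key, document);
                System.out.println(alias + ": signed " + sig.length + " bytes, verifies="
                        + verify(chain[0], document, sig));
            }
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in memory
        }
    }

    // Naming the provider keeps the private-key operation on the card.
    static byte[] signOnToken(Provider p11, PrivateKey key, byte[] data) throws Exception {
        Signature s = Signature.getInstance(ALGORITHM, p11);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Verification only needs the public key, so any software provider will do.
    static boolean verify(Certificate cert, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance(ALGORITHM);
        v.initVerify(cert.getPublicKey());
        v.update(data);
        return v.verify(sig);
    }
}
```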

    Can I ask you one question?
    Which driver did you specify? I mean the smartcard reader driver or the driver of the smartcard itself?
    If the second, does it come along with the card? Because as far as I know I just got the smart card but no software at all (apart from the smartcard reader driver).
    Can you help me out with this?
    thanks in advance,
    Marco

  • Pkcs#11 and smart card reader

    Hi everybody,
    In my applet code I'm trying to implement an "attached signature", reading the keystore from a smartcard.
    I'm using the SunPKCS11 provider and an Infocamere smart card, so I load SunPKCS11.dll for the PKCS#11 standard.
    My code is:
    String pkcs11ConfigFile = "c:\\smartcards\\config\\SI_PKCS11.cfg";
    Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigFile);
    Security.addProvider(pkcs11Provider);
    where the SI_PKCS11.cfg file contains 2 lines as follows:
    name = test
    library = C:\WINNT\system32\SI_PKCS11.dll
    When I try to sign without the smart card in the device reader I catch a "PKCS#11 not found" exception, while when I try with the smart card inside the device the applet stops on loading the provider and does not continue, without any errors in the Java console. Can anyone help me?
    Thanks a lot for every answer.
    Best regards

    I should add that I am using Windows 7 and my CSS version is 8.3, I can also verify my smart card works for other applications, only thinkvantage CSS 8.3 does not work.

  • Set smart card as default "sign-in option"?

    Just wondering if anyone knows if it's possible to set the default logon prompt as smart card?
    Currently, it prompts you with the last used method (i.e. username and password or smart card and pin).
    I know that you can force smart card only logon by "scforce" Group Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Option), but I want to keep the options and just make it a default option.
    I also tried changing the "LastLoggedOnProvider" to the smartcard option here "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" and here "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData", but this did not make any difference.

    Hi Karen. I would like the user to be presented with "smart card sign-in" as the default option. Sorry, I cannot find a relevant image online of what this looks like in 8.1. But I also want the option of username and password to still be available.
    This can be done by clicking on "sign-in options".
    For example in the W7 image below, you can see what the smartcard default logon looks like. But you still have the "switch user" button which gives the option of alternative logon methods.
    As stated earlier, I don't want the GP to force "Interactive logon: Require smart card", as this will mean smartcard is the ONLY method available of logging in.

  • Smart card logon with third party CA combined with ADFS to Office 365

    Greetings,
    I've been trying to figure out how to implement ADFS to Office 365 in the MS cloud in our environment, with little luck. I have a working 2012 domain and we are already using smart card logon on Windows 7/8 workstations. Certificates on smart cards are issued by a 3rd party CA. Thus far everything is fine and working: necessary root certificates are added to Trusted Root Certification Authorities, UPN suffixes and users' UPNs are set according to the UPN on the certificates, and users successfully log on to workstations with smart cards.
    Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that the user account name (UPN) in AD and in O365 need to match. Now the fact is that the account UPN in our AD is not usable in O365 (because it is set to match the 3rd party certificate UPN) and I have not found a way to enable smart card logon without changing the UPN in AD.
    Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
    Best regards, and thanks in advance
    Timo

    On Fri, 25 Apr 2014 09:27:05 +0000, Timo Kallioniemi wrote:
    Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that the user account name (UPN) in AD and in O365 need to match. Now the fact is that the account UPN in our AD is not usable in O365 (because it is set to match the 3rd party certificate UPN) and I have not found a way to enable smart card logon without changing the UPN in AD.
    Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
    This is not a general Windows server security issue. You should post your
    question in an O365 support forum.
    http://community.office365.com/en-us/f/default.aspx
    Paul Adare - FIM CM MVP
    Technology is dominated by two types of people: Those who understand
    what they do not manage. Those who manage what they do not understand.
    -- Putt's Law
