SunPKCS11 provider - write key on a  SmartCard

Similar Messages

• PKCS#11 provider - ECDSA key pair generation on token

  Hello,
  I want to generate ECDSA key pair on HSM (nCipher's netHSM) using SunPKCS11 provider and Java 6.
  After generation for all supported curve names (e.g. secp256r1) I try to call getEncoding method from PublicKey object (keyPair.getPublic().getEncoded()) and
  I get RuntimeException
  caused by java.io.IOException: "Point does not match field size"
  at sun.security.ec.ECParameters.decodePoint(ECParameters.java:75)
  at sun.security.pkcs11.P11ECKeyFactory.decodePoint(P11ECKeyFactory.java:61)
  at sun.security.pkcs11.P11Key$P11ECPublicKey.fetchValues(P11Key.java:1002)
  Keys are accessible on HSM.
  Everything is well configured and works fine with RSA keys.
  Using IAIK PKCS#11 provider I got proper values. Is it any bug in SunPKCS11 provider?
  Regards,
  MarcinP

  I recently had a problem with ECDSA and the PKCS#11 library of nCipher. Here's info from one of their engineers about the PKCS11 library:
  "There are two separate issues - one is that our current pkcs11
  release doesn't support ECDSA signature with SHA-2 hashes
  (the v11.00 firmware adds support for it, but the main release version of
  the pkcs11 library hasn't been updated to take advantage of it yet).
  There is a hotfix version that does support SHA-2 hashes with some
  restrictions, talk to [email protected] for details, and V11.10
  should be out soon and have that merged in.
  But the issue with setting CKA_SIGN is that our underlying HSM API
  allows elliptic curve keys to be either key exchange (ECDH) or
  signature (ECDSA) keys, but not both at one.
  At the PKCS #11 level, if you specify CKA_DERIVE=true and let
  CKA_SIGN default, it will default to false, and vice versa.
  If you specify both CKA_DERIVE=true and CKA_SIGN=true, then we
  return CKR_TEMPLATE_INCONSISTENT because we can't do both with
  the same key. (However, the tests using C_GetMechanismInfo will
  show that we can do both mechanisms, because we can - so long
  as you use different keys, even though they have the same PKCS#11
  type.)
  I can't comment on when or how that will be changed."
  I was using the PKCS#11 library through NSS when I ran into the problem, but I imagine Java would run into similar problems also using the PKCS#11 library. I was able to generate keypairs but not create a CSR (which required making a signature, which required SHA-2).
  Can you just use the java classes to speak to the netHSM? I've never directly written code to do so myself, but I have used Corestreet's OCSP product that uses the java classes to speak to the nCipher HSMs (though not using EC). It might work better than going through the PKCS#11 layer. There should be a java directory under NFAST_HOME that contains some jars.
  Please post back if you figure anything out as I'll probably be playing with this stuff myself soon.
  Dave

• The "write key" configurat​ion file vi use of "trim string" prior to writing the data can modify any string data written.

  I tried to use the config VIs to record some front-panel settings for later restoration, one of which could be a single space character (part of a string parsing system).
  I soon discovered that whenever I tried to save that single-space value to an INI file, only a null string was saved.
  After doing some digging I discovered that buried in the Write Key vi is a worker vi called Config Data Modify that uses Trim String on the string data before it is written to the file and that's what was eating my string character. I don't know whether this is a bug or a feature but there are at least three ways to fix it.
  1) Assuming you want to leave the library VIs alone, you can pre-process any stings sent to "write key" to replace all spaces with "\20" and then post-process all strings read using "read key" to replace all instances of \20 with spaces.
    and if you don't mind modifying the library VIs, either to save/use under a different name or to stick back into the library in a modified state (caution - can cause problems when you move code to another machine with an un-modified library) then...
  2) You can yank the trim-string out of the Config Data Modify vi and hope that it does not have any undesirable side effects with regards to the other routines that use Config Data Modify (so far I have not found any in my limited testing)
  or
  3)  You can modify the string pre-processing vi, Remove Unprintable Chars, to add the space character to the list of characters that get swapped out automatically.
  Note that both option #1 (as suggested above) and option #3 will produce an INI file data entry that looks like    key="\20Hello\20World\20"   while option #2 produces an entry that looks like   key=" Hello World "
  The attached PDF contains screenshots of all this.
  Attachments:
  Binder1.pdf ‏2507 KB

  Hi Warren,
  there's a 4th option:
  Simply set the "write raw string" input of the write key function to TRUE
  This option only appears when a string is wired to that function!
  Just re-checked:
  I think it's a limitation of the config file format. It's text based and (leading) spaces in the value are "overseen" as whitespaces. So your next option would be to use quotes around your string with spaces...
  Message Edited by GerdW on 05-02-2009 08:32 PM
  Best regards,
  GerdW
  CLAD, using 2009SP1 + LV2011SP1 + LV2014SP1 on WinXP+Win7+cRIO
  Kudos are welcome

• Read Key and Write Key not working as expected with paths on RT

  The configuration file VIs Read Key (Path) and Write Key (Path) don't seem to work as expected (at least not as I was expecting them to) on an RT target.
  When working on my WinXP PC with these two VIs, paths are translated to what looks like is supposed to be a device-independent format before being written to disk. The path C:\dir\file.txt becomes /C/dir/file.txt when writing and vice versa when reading. On my RT target, however, that same path is written to disk as C:\dir\file.txt, unchanged from the native format.
  The translaton of a native path to and from the device-independent format appears to be the responsibility of Specific Path to Common Path and Common Path to Specific Path. These both use the App.TargetOS property to determine the operating system. In the case structure for these two VIs, however, there is no case for PharLap or RTX. (My RT hardware is runnng PharLap; I don't know enough about RTX to comment.) This means that the results of String to Path or Path to String are used without translating between the device-independent format to the native path format.
  This isn't a problem if you create a configuration file on one machine and use it on that same machine. I noticed this only when tranferring a config file from my PC to the RT target, where the target would not open the file paths it loaded from the configuration file.
  This occurs on 7.1.1 and 8.0.  I don't have 8.20 to see if happens there, too.

  In LV 8.2, this was fixed.
  The problem is App.TargetOS returns "Pharlap" on RT systems, and "Pharlap" is handled by the default case ("invalid OS target") in LV 8.0.  In LV 8.2 the default case is "Windows 95/NT", however.  The reason you could write and read an .ini file on RT in LV 8.0 and earlier is because these two VIs (listed below) were both running the default case of "invalid OS target".
  vi.lib\Utility\config.llb\Common Path to Specific Path.vi
  vi.lib\Utility\config.llb\Specific Path to Common Path.vi
  As you saw, this fails when you perform one operation in Pharlap but the other in Windows.  You can fix this by modifying the two VIs listed above.  Just go to the case structure and make "Windows 95/NT" the default case.

• Using ini-files with write-key/read-key (double) and defined accurarcy

  Hello,
  in a popup the user can insert a numeric-double-value.
  This value is saved in a ini-file using the Write-key-vi with Type = double. Works fine.
  What do i have to do to set the values after the comma?
  So if user inserts 1,532 i want to round to two digits after comma and save it. (-> 1,53)
  Thx
  Solved!
  Go to Solution.

  I don't know how LV deals with different decimal seperators (e.g. comma instead of point), I guess it 'just works' depending on the system locale.
  A few different options are available as follows...
  The Write Key function has a 'precision' input which will set the number of decimal places to save the DBL to (in your case, set this to 2):
  If you are using a numeric field, you can set the 'increment' property with 'coerce to nearest' to prevent them from entering more precision than is available:
  The obvious method for post-rounding the input is to scale up the number, round to the nearest integer and then divide again to limit the precision:
  I couldn't see anything in the numeric/math palettes that does this.
  Certified LabVIEW Architect, Certified TestStand Developer
  NI Days (and A&DF): 2010, 2011, 2013, 2014
  NI Week: 2012, 2014
  Knowledgeable in all things Giant Tetris and WebSockets

• Use of Write Key VI with an array of cluster

  Hi,
  I wanted to use an array of clusters to define some configuration parameters for an application. Unfortunately, "Write Key VI" doesn't support the cluster type. Has anybody modified this function ("Write Key VI") to support cluster and array of cluster? If not, any clue to keep it as simple as possible?
  My clusters include boolean, path, U32 and string.
  Thank you,
  Olivier 
  Solved!
  Go to Solution.

  OD wrote:
  Couldn't log to this website. Any alternative ?
  Sure see this Nugget.
  I have links for other methods included but the Nugget does exactly what you are asking to do. I wrote th Nugget to entertain other developers, but in the end is serves as an example why you may want to find another approach. You'll understand what I mean once you look at that Nugget.
  Parapharisng from Jurrasic Park "Just because could do something does not mean we should."
  Ben
  Ben Rayner
  I am currently active on.. MainStream Preppers
  Rayner's Ridge is under construction

• Config write key outputs data in Notepad++ with equal to sign

  Hi,
  I have a situation where I am trying to write data in Notepad++ using Write key VI in labview library. 
  THe data which I get is in the following format 
  but what i want want the output to be is this way 
  The probelm here is when we wire something to "value", it writes it with double quotes and if is it blank than it writes with =" ". Just to clear it "Class" and "Jammer Input MB/HB BPF" goes to the "key" wire.
  I dont understand how to get rid of those quotes and equal sign.

  Yamaeda wrote:
  Strings are usually written with citation marks to handle spaces. You can deactivate that by wiring True to "write raw string".
  /Y
  I forgot all about that, since I haven't ever cared how it went in or came out.  Nice.
  Bill
  (Mid-Level minion.)
  My support system ensures that I don't look totally incompetent.
  Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.

• Problem with write key VIs (config-file)

  Hi
  My problem is this: when I use the write key VIs to write to an ini-file, the values are not written/updated in the ini-file. Does
  anybody has a solution???
  thank YOU!!!
  Attachments:
  writetest.vi ‏32 KB

  astroboy wrote:
  Hi Dennis, writing key updates or add lines, but the problem is that it also causes all lines to be clumped together, making it unreadable.
  What's the better way?
  Clement
  I was complaining about the poor formatting of the .ini files myself a couple years ago in this thread. http://forums.ni.com/ni/board/message?board.id=170&message.id=273552
  I found the offending piece of code was buried pretty deep in the Config File VI hierarchy.
  One idea is to go back after the file is written and find where all the section headers are and insert your own blank lines.
  Also look at this thread http://forums.ni.com/ni/board/message?board.id=170&view=by_date_ascending&message.id=408776
  You may also want to add kudoes to the config file idea in the Idea board.  http://forums.ni.com/t5/LabVIEW-Idea-Exchange/Comments-in-configuration-file-ini/idi-p/927874#A614 
  Message Edited by Ravens Fan on 09-17-2009 10:29 PM

• Inclusion of SunPKCS11 provider in java 6 release for win64 platform

  Are there plans on including a win64 version of the SunPKCS11 provider in an upcoming Java 6 jdk/jre release? I know it is not available in the 1.6.0_16 release, and I don’t believe it was added to the 1.6.0_17 release. (Another forum member posted a similar question to the cryptography topic in June of last year , but no one responded.)

  I agree! The two files that are missing are SunPKCS11.jar and the native dll j2pkcs11.dll.
  I guess it requires the build process to compile the j2pkcs11.dll for Win64.

• How to save pictures with the config file "Write Key.vi"

  hi all,
  On my front panel I've few controls pictures containing photos (JPG type) . The user can select the photo he wants using the classic file dialog box.
  Usally I use the config files VI's to save the control values from one run to another one. In the config files VIs, I use the polymorphic "write Key.vi" wich accept only booean, I32, U32, path, and string dada type, but no picture !
  I've tried the "flatten to string" fonction (picture --> flatten to string --> writekey.vi) , no broken wire but the conversion is very very too long and to heavy (20Mo a key!).
  another way, would be to write in a xml file, I've also tried but I've always get the 1104 error: No end tag was found for an XML start/end tag pair.
  can someone help me.
  what is the best way for  retrieving controls pictures with photos

  Hi GerdW
  Many thanks for your quick answer. Always happy to get advises from fellow programmers.
  You suggest to use the "path" input of the "write key.vi" (configuration file utilities) to retrieve photos that a user would have selected in a previous run. Could be a good solution in a number of applications but what I would like to do is like in a excel or word file. Once a photo has been embeded in one xls file for ex., I find it back each time i open this xls file, even if the original photo's file has been deleted or if my application runs on another computer.
  xml file looks interesting for that purpose (i mean used as config file). I can easily store in a xml file a labview picture (like a colored rectangle e.g.) but when i try with a photo (wich is a also a picture) labview returns always the error 1104.
  How to fixe this error, or maybe  there is another way to store photos in a config file without passing through xml,
  kind regards.

• "Write Key.vi" wont work after build

  I am having dificulty with the "Write Key.vi"  I am using it to save calibration values to an .ini file. This works fine when running in development mode but after I build it into a standalone exe it doesn't work. It will create the file in the correct folder but it is empty. I have no idea how to start figuing this one out. Any help would be greatly appreciated.
  Here is the code that saves the configuration values into the .ini file. I am using LabVIEW 8.0
  Solved!
  Go to Solution.

  smercurio_fc wrote:
  Why Does My Executable Not Work When Using the Current VI's Path Constant? - KnowledgeBase - Support...
  One other thing to mention is that KB is for LabVIEW 8.2.  In 2009 and 2010 a built EXE by default may have VIs referenced deeper than just one level.  You can keep stripping the path until a directory is found, or an easier solution is to check the box in the Advanced section that is "Use LabVIEW 8.x file layout" which then makes that KB valid again.
  Unofficial Forum Rules and Guidelines - Hooovahh - LabVIEW Overlord
  If 10 out of 10 experts in any field say something is bad, you should probably take their opinion seriously.

• Smart Card based ssl connection not possible with SunPKCS11 Provider?

  Dear all
  We use jsse connections with file based Pkcs12 Keystores for longer time.
  Now we d'like to replace these .p12 files with SmartCards.
  While the jsse 5 reference guide suggests:
  "To use a Smartcard as a keystore or trust store, set the javax.net.ssl.keyStoreType and javax.net.ssl.trustStoreType system properties, respectively, to "pkcs11", and set the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties, respectively, to NONE. To specify the use of a specific provider, use the javax.net.ssl.keyStoreProvider and javax.net.ssl.trustStoreProvider system properties (e.g., "SunPKCS11-joe"). By using these properties, you can configure an application that previously depended on these properties to access a file-based keystore to use a Smartcard keystore with no changes to the application."
  this does not work!
  In the following Code sequence we get a
  java.net.SocketException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
  System.setProperty("javax.net.ssl.trustStoreType", "pkcs11");
  System.setProperty("javax.net.ssl.trustStore", "NONE");
  System.setProperty("javax.net.ssl.trustStorePassword", pin);
  System.setProperty("javax.net.ssl.trustStoreProvider", "SunPKCS11-ACOSTOKEN");
  System.setProperty("javax.net.ssl.keyStoreType", "pkcs11");
  System.setProperty("javax.net.ssl.keyStore", "NONE");
  System.setProperty("javax.net.ssl.keyStorePassword", pin);
  System.setProperty("javax.net.ssl.keyStoreProvider", "SunPKCS11-ACOSTOKEN");
  SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
  SSLSocket socket = (SSLSocket)factory.createSocket(host, 443); // Exception here --> CKR_ATTRIBUTE_TYPE_INVALID
  socket.startHandshake();
  .Because the SmartCard with the KeyMaterial on it is working with
  - IAIK package (JCE + PKCS11Wrapper + SSL)
  - FireFox 2
  I suggest we do something wrong here.
  Has anyone an idea what it might be?
  Thanks for yout help
  Marcel

  Hi all, I'm experiencing a problem using SunPKCS11 as a keystore provider for SSL.
  String pkcs11config = "name = " + "bit4id" + "\nlibrary = " + "c:/windows/system32/bit4p11.dll";
  byte[] pkcs11configBytes = pkcs11config.getBytes();
  ByteArrayInputStream configStream = new ByteArrayInputStream(
  pkcs11configBytes);
  AuthProvider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(
  configStream);
  pkcs11Provider.setCallbackHandler(new MyGuiCallbackHandler());
  if (Security.getProvider(pkcs11Provider.getName()) != null) {
  Security.removeProvider(pkcs11Provider.getName());
  Security.insertProviderAt(pkcs11Provider, 2);
  //Security.insertProviderAt(pkcs11Provider, 1);
  System.setProperty("javax.net.ssl.keyStoreProvider",
  pkcs11Provider.getName());
  System.setProperty("javax.net.ssl.keyStoreType",
  "PKCS11");
  System.setProperty("javax.net.ssl.keyStore",
  "NONE");
  SSLContext sslcont = SSLContext.getInstance("SSL");
  sslcont.init(null/*KM*/, tmS, rng);
  If i use KM (KeyManager[] containing a KeyStore.getInstance("PKCS11")) everything works fine, but if I try to initialize the sslcontext using the default keyStoreProvider (just commenting out KM, and without any other modification to the code), it uses SUN instead of PKCS11, even if I set the system property javax.net.ssl.keyStore* (as you can see in my code)
  Can anyone help me?
  Masimaybe you an past the piece of code where you initialize things?
  Thank's in advance and happy new year,
  Patrizio

• I am trying to install Camera Raw 6.7 plug in to photoshop CS5 to be able to read my D800 NEF file but I get note "Unable to write at locate '/Users/ds/Library/Application Support/Adobe'. Please provide write permission to this location and try again. Wha

  Prior to this, I installed newest version of Adobe App Mgr as suggested by pop up note.

  What do I do to provide the write permission to the location?

• Please Provide a Key for SAP Predictive Analysis 1.15 32-bit

  please provide a needed a key for SAP Predictive Analysis 1.15 32-bit to be used in University Lab computers.

  Hi Ye,
  I am afraid but the only way today is to delete your document without PA / Lumira.
  By default, local files are stored at :
  User/Documents/SAP Lumira Documents
  In this folder you'll see the list of all the documents you have created with SAP Lumira or SAP PA.
  Delete the document that you don't want anymore and (re)start SAP PA.
  The delete functionnality from the desktop tool is an idea accepted by the Labs (Delete Files in Lumira Desktop : View Idea), but not implemented yet.
  Hope it helps,
  Edouard

• How to get material and plant by providing control key as input ?

  How to get the material and plant info based on control key values using a function module?
  kindly help..

  Hi,
  Check the FM
  K_VALID_PLANTS_OF_MATERIAL.
  Sandeep Kaushik