Pheox - Forums

Cannot get PKCS#11 provider to work with the JCAPI SSL plug-in
Anonymous


Hi,

I recently opened the thread "Could not open certificate store". Since the problem I've encountered now is a new one I chose to open a new thread.

I'm trying to make client authentication work with a smart card. I've modified the main method of demo class SSLClient so that the invocation of getSSLSocketFactory() takes the keystore alias of the cert on my smart card as the first parameter. I then get an exception when calling the method. I've also turned debugging on and it says:
-----------------
JCAPI_SSL_LOG: Key manager will use the following PKCS#11 settings:
name = Posten_eID_v1_(identification)_1
library = C:\WINNT\system32\SmartP11.dll
slotListIndex = 1
---------------------
Isn't the value of 'name' quite strange? Shouldn't it be the name of the CSP, in this case "SmartTrust Cryptographic Service Provider"? It must be something that is set from JCAPI since the PKCS#11 provider isn't mentioned in the java.security file.

As I wrote in the other thread I'm using SmartTrust Personal 3.0.2 on Win2000 SP4 and am running the demo in IntelliJ IDEA 5. The Java platform is JDK1.5.0_06.

I would be very grateful for help with this. Below is the code and the result of the test.


Regards
Mattias

--------------------------------------------------
// Requires java.security.Security, javax.net.ssl.SSLSocketFactory and the JCAPI
// classes (JCAPIProvider, JCAPIProperties, JCAPISSLFactory) already imported by
// the demo class; getServerCertAlias() and sendRequest() are the demo's own helpers.
static public void main(String[] args)
{
    String aliasOfMyCertInStore = "My|8CDuyGNSJkaFLVCffsJU4FKv2ak=";

    try {
        Security.addProvider(new JCAPIProvider());
        String alias = getServerCertAlias();

        //Get JCAPI SSL plug-in.
        JCAPISSLFactory f = JCAPIProperties.getInstance().getSSLFactory();
        if(f == null)
            throw new Exception("The JCAPI SSL plug-in is not loaded into the JVM.");

        //Get a JCAPI SSL configured SSL socket factory based on:
        //1. Use the JCAPI key store entry with alias 'aliasOfMyCertInStore'
        // for client authentication. (The original demo passed null here,
        // i.e. used JSSE's key manager and no client authentication; that
        // call is kept commented out below.)
        //2. Tell JCAPI SSL socket factory to only consider the certificate
        // associated with the given alias to be trusted.
        //3. Use protocol "SSL".
        //For more information about the JCAPI SSL plug-in, see the JCAPI
        //Javadocs for interface 'JCAPISSLFactory'.
        // SSLSocketFactory sf = f.getSSLSocketFactory(null, alias, "SSL");

        //Turn on JCAPI_SSL_LOG output so the key manager reports its settings.
        f.setLogging(true);

        SSLSocketFactory sf = f.getSSLSocketFactory(aliasOfMyCertInStore, alias, "SSL");

        sendRequest(sf, "Hello");
        sendRequest(sf, "Goodbye");
        sendRequest(sf, "SHUTDOWN"); //Tell server to shutdown on next request.
        sendRequest(sf, ""); //Just send a dummy request.
    } catch(Throwable t) {
        t.printStackTrace();
        System.err.println("Test prog failed. Exiting...");
    }
}
------------------------------------------------------------------------



-----------------------------------------------------
JCAPI_SSL_LOG: Key store alias given for SSL socket factory. Use JCAPI key store.
JCAPI_SSL_LOG: Key manager will use key entry with alias: My|8CDuyGNSJkaFLVCffsJU4FKv2ak=
JCAPI_SSL_LOG: Key manager will use the following key entry issuer: CN=Posten Sverige AB EID Rollkort CA v1, O=Posten Sverige AB, C=SE
JCAPI_SSL_LOG: Check if we shall use MS CAPI or PKCS#11 to access the private key.
JCAPI_SSL_LOG: Key manager will use PKCS#11 to access the private key.
JCAPI_SSL_LOG: Key manager will use the following PKCS#11 settings:
name = Posten_eID_v1_(identification)_1
library = C:\WINNT\system32\SmartP11.dll
slotListIndex = 1

JCAPI_SSL_LOG: Key manager adding PKCS#11 provider.
JCAPI_SSL_LOG: Error, key manager failed to initiate PKCS#11 provider.
JCAPI_SSL_LOG: Error configuring key entry in SSL key manager.
java.lang.RuntimeException: Could not initiate Java PKCS#11 provider.
at com.pheox.jcapi.plugins.ssl5.e.a(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.e.<init>(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.SSLKeyManager.<init>(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.b.a(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.SSLFactory.getSSLSocketFactory(Unknown Source)
at SSLClient.main(SSLClient.java:8
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:71)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:100)
... 6 more
Caused by: sun.security.pkcs11.ConfigurationException: Unexpected token: Token['('], line 1
at sun.security.pkcs11.Config.excToken(Config.java:269)
at sun.security.pkcs11.Config.parse(Config.java:286)
at sun.security.pkcs11.Config.<init>(Config.java:156)
at sun.security.pkcs11.Config.getConfig(Config.java:67)
... 7 more

java.lang.IllegalArgumentException: Could not get public key info for alias 'My|8CDuyGNSJkaFLVCffsJU4FKv2ak='.
at com.pheox.jcapi.plugins.ssl5.e.<init>(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.SSLKeyManager.<init>(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.b.a(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.SSLFactory.getSSLSocketFactory(Unknown Source)
at SSLClient.main(SSLClient.java:8
Test prog failed. Exiting...
----------------------------------------------------
tommy
Hi again Mattias,

Thank you for starting a new thread to avoid mixing of non-related issues.

There seems to be a problem with SUN's PKCS#11 provider; its parser doesn't like parentheses (nor spaces) very much.

Regarding your question:


Isn't the value of 'name' quite strange? Shouldn't it be the name of the CSP, in this case "SmartTrust Cryptographic Service Provider"? It must be something that is set from JCAPI since the PKCS#11 provider isn't mentioned in the java.security file.


The name attribute is built up from the token label and the selected slot index from your hardware token, i.e. the information is fetched from your HW token by JCAPI.

The problem was solved by Base 64 encoding the name attribute.

A new version (1.1.1.0 RC-1) of the JCAPI SSL plugin, containing this patch, has been compiled and can be downloaded below. Could you please verify that your problem is solved as well?

Regards,
Tommy
Attachment: JCAPISSLPlugin.jar (JCAPI SSL Plugin v1.1.1.0 RC-1, 34 Kbytes)

Anonymous


Hi Tommy,

I'm sorry to tell you that it still doesn't work. It doesn't seem to like '=' either. Below is the output.

Mattias

------------------------------------------------------------
JCAPI_SSL_LOG: Key store alias given for SSL socket factory. Use JCAPI key store.
JCAPI_SSL_LOG: Key manager will use key entry with alias: My|8CDuyGNSJkaFLVCffsJU4FKv2ak=
JCAPI_SSL_LOG: Key manager will use the following key entry issuer: CN=Posten Sverige AB EID Rollkort CA v1, O=Posten Sverige AB, C=SE
JCAPI_SSL_LOG: Check if we shall use MS CAPI or PKCS#11 to access the private key.
JCAPI_SSL_LOG: Key manager will use PKCS#11 to access the private key.
JCAPI_SSL_LOG: Key manager will use the following PKCS#11 settings:
name = UG9zdGVuIGVJRCB2MSAoaWRlbnRpZmljYXRpb24pXzE=

library = C:\WINNT\system32\SmartP11.dll
slotListIndex = 1

JCAPI_SSL_LOG: Key manager adding PKCS#11 provider.
JCAPI_SSL_LOG: Error, key manager failed to initiate PKCS#11 provider.
JCAPI_SSL_LOG: Error configuring key entry in SSL key manager.
java.lang.RuntimeException: Could not initiate Java PKCS#11 provider.
at com.pheox.jcapi.plugins.ssl5.e.a(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.e.<init>(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.SSLKeyManager.<init>(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.b.a(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.SSLFactory.getSSLSocketFactory(Unknown Source)
at SSLClient.main(SSLClient.java:8
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:71)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:100)
... 6 more
Caused by: sun.security.pkcs11.ConfigurationException: Unexpected token: Token['='], line 1
at sun.security.pkcs11.Config.excToken(Config.java:269)
at sun.security.pkcs11.Config.parse(Config.java:286)
at sun.security.pkcs11.Config.<init>(Config.java:156)
at sun.security.pkcs11.Config.getConfig(Config.java:67)
... 7 more

java.lang.IllegalArgumentException: Could not get public key info for alias 'My|8CDuyGNSJkaFLVCffsJU4FKv2ak='.
at com.pheox.jcapi.plugins.ssl5.e.<init>(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.SSLKeyManager.<init>(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.b.a(Unknown Source)
at com.pheox.jcapi.plugins.ssl5.SSLFactory.getSSLSocketFactory(Unknown Source)
at SSLClient.main(SSLClient.java:8
Test prog failed. Exiting...
tommy
Sorry, I should have seen that one coming.
The token labels of both certificates used during the test did not contain the equal sign after encoding.

I've fixed this in version 1.1.1.0 RC-2. Please download it and report your results.

Thanks,
Tommy
Attachment: JCAPISSLPlugin.jar (JCAPI SSL Plugin v1.1.1.0 RC-2, 34 Kbytes)
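The two failures above (first '(' in the raw label, then the '=' padding that Base64 adds) come down to one rule: an unquoted value in a SunPKCS11 configuration must be made of characters its tokenizer treats as one word. The following added example, which is not JCAPI's code and not part of this thread, reproduces the name derivation that was tried here (raw label, then Base64 of "<label>_<slot>", which yields exactly the string logged above) and checks each candidate against an assumed safe alphabet before rendering the three config lines JCAPI logs. The hex name is my own construction: the thread shows RC-2 emitting an 8-hex-digit name but not how it is derived.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.regex.Pattern;

/** Derives a SunPKCS11 'name' attribute from a PKCS#11 token label and slot index
 *  and refuses to emit a configuration the SunPKCS11 parser would reject. */
public class Pkcs11ConfigName {

    // Assumption: an unquoted value survives SunPKCS11's tokenizer only if it consists of
    // letters, digits, '_', '-' and '.'. '(', ')', '=', '|' and spaces are the characters
    // the thread shows being rejected with "Unexpected token".
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.-]+");

    public static boolean isSafeName(String name) {
        return name != null && !name.isEmpty() && SAFE_NAME.matcher(name).matches();
    }

    /** First plug-in version: spaces replaced by '_', label otherwise untouched. */
    public static String rawName(String tokenLabel, int slotListIndex) {
        return tokenLabel.replace(' ', '_') + "_" + slotListIndex;
    }

    /** RC-1 approach: Base64 of "<label>_<slot>". Standard Base64 pads with '=', which fails. */
    public static String base64Name(String tokenLabel, int slotListIndex) {
        String raw = tokenLabel + "_" + slotListIndex;
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** Constructed alternative: lowercase hex of the first 4 SHA-1 bytes of "<label>_<slot>".
     *  The output alphabet is [0-9a-f], so it is always a single parser token. */
    public static String hexName(String tokenLabel, int slotListIndex) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            byte[] d = sha1.digest((tokenLabel + "_" + slotListIndex).getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", d[i] & 0xff));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is a mandatory JCA algorithm", e);
        }
    }

    /** Renders the three lines JCAPI logs; throws instead of handing the parser a bad name. */
    public static String buildConfig(String name, String library, int slotListIndex) {
        if (!isSafeName(name)) {
            throw new IllegalArgumentException("unsafe SunPKCS11 name attribute: " + name);
        }
        return "name = " + name + "\n"
             + "library = " + library + "\n"
             + "slotListIndex = " + slotListIndex + "\n";
    }

    /** SunPKCS11 on JDK 5-8 reads its configuration from an InputStream. */
    public static InputStream asStream(String config) {
        return new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String label = "Posten eID v1 (identification)";   // token label from the thread
        String library = "C:\\WINNT\\system32\\SmartP11.dll"; // library path from the thread
        int slot = 1;

        String raw = rawName(label, slot);      // Posten_eID_v1_(identification)_1  -> '(' rejected
        String b64 = base64Name(label, slot);   // UG9zdGVu...XzE=                    -> '=' rejected
        String hex = hexName(label, slot);      // eight hex digits                   -> accepted

        System.out.println("raw    " + raw + " safe=" + isSafeName(raw));
        System.out.println("base64 " + b64 + " safe=" + isSafeName(b64));
        System.out.println("hex    " + hex + " safe=" + isSafeName(hex));
        String cfg = buildConfig(hex, library, slot);
        System.out.print(cfg);
        // Loading it on JDK 5-8: Security.addProvider(new sun.security.pkcs11.SunPKCS11(asStream(cfg)));
        // On JDK 9+: Security.getProvider("SunPKCS11").configure("--" + cfg) (inline config prefix "--").
    }
}
```

The check in buildConfig is the point: derive the name however you like, but validate it against the parser's alphabet before the provider is constructed, so a label with unexpected characters fails with a clear message in your own code rather than with "Unexpected token" deep inside sun.security.pkcs11.Config.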

Anonymous


Hi Tommy,

The very demo works this time but it seems to be because the SSL plug-in is using MS CAPI instead of PKCS#11. One might wonder what's happening since I don't have to give my PIN for the private key.

If I try with a file (test) cert from Telia which I've imported into Personal the PIN dialog comes up and I have to provide the PIN. The following is the output:
-----------------------------------
JCAPI_SSL_LOG: Key store alias given for SSL socket factory. Use JCAPI key store.
JCAPI_SSL_LOG: Key manager will use key entry with alias: My|+hpKchUe3yncMUiYuDrbE28hdTY=
JCAPI_SSL_LOG: Key manager will use the following key entry issuer: CN=Telia Medborgarcertifikat TEST, OU=165562288976, OU=For test purpose only, O=Telia, C=SE
JCAPI_SSL_LOG: Check if we shall use MS CAPI or PKCS#11 to access the private key.
JCAPI_SSL_LOG: Key manager will use PKCS#11 to access the private key.
JCAPI_SSL_LOG: PKCS#11 token label is: testcert
JCAPI_SSL_LOG: Key manager will use the following PKCS#11 settings:
name = 8175abea
library = C:\WINNT\system32\SmartP11.dll
slotListIndex = 3

JCAPI_SSL_LOG: Key manager adding PKCS#11 provider.
JCAPI_SSL_LOG: Key manager creating PKCS#11 key store. This will probably require a PIN code.
JCAPI_SSL_LOG: Key manager will use PKCS#11 key entry with alias: 0x01000000
JCAPI_SSL_LOG: Trust store alias given for SSL socket factory. Use JCAPI key store.
JCAPI_SSL_LOG: Trust Manager will use alias: My|9lQjPR9D40uJUD2TTnC0WkFE1ps=
-------------------------------------------

With my cert on the smart card the output is the following:
--------------------------------------------
JCAPI_SSL_LOG: Key store alias given for SSL socket factory. Use JCAPI key store.
JCAPI_SSL_LOG: Key manager will use key entry with alias: My|8CDuyGNSJkaFLVCffsJU4FKv2ak=
JCAPI_SSL_LOG: Key manager will use the following key entry issuer: CN=Posten Sverige AB EID Rollkort CA v1, O=Posten Sverige AB, C=SE
JCAPI_SSL_LOG: Check if we shall use MS CAPI or PKCS#11 to access the private key.
JCAPI_SSL_LOG: Key manager will use MS CAPI to access the private key.
JCAPI_SSL_LOG: Trust store alias given for SSL socket factory. Use JCAPI key store.
JCAPI_SSL_LOG: Trust Manager will use alias: My|9lQjPR9D40uJUD2TTnC0WkFE1ps=
---------------------------------------------------

I thought MS CAPI wasn't suitable for accessing private keys on smart cards. And is the private key at all used since no PIN is required?

I'm sorry if I've got it all wrong.


Mattias


Anonymous


Hi again,

I'm sorry but I didn't notice that I had my NetID client running on my computer during the testing in my last message. If I disable it, the PIN dialog is shown by the SSL plug-in and after giving the PIN for my private key on the smart card the following output is the result:
-----------------------------------------------------
JCAPI_SSL_LOG: Key store alias given for SSL socket factory. Use JCAPI key store.
JCAPI_SSL_LOG: Key manager will use key entry with alias: My|8CDuyGNSJkaFLVCffsJU4FKv2ak=
JCAPI_SSL_LOG: Key manager will use the following key entry issuer: CN=Posten Sverige AB EID Rollkort CA v1, O=Posten Sverige AB, C=SE
JCAPI_SSL_LOG: Check if we shall use MS CAPI or PKCS#11 to access the private key.
JCAPI_SSL_LOG: Key manager will use PKCS#11 to access the private key.
JCAPI_SSL_LOG: PKCS#11 token label is: Posten eID v1 (identification)
JCAPI_SSL_LOG: Key manager will use the following PKCS#11 settings:
name = 76cbf733
library = C:\WINNT\system32\SmartP11.dll
slotListIndex = 1

JCAPI_SSL_LOG: Key manager adding PKCS#11 provider.
JCAPI_SSL_LOG: Key manager creating PKCS#11 key store. This will probably require a PIN code.
JCAPI_SSL_LOG: Key manager will use PKCS#11 key entry with alias: eID aut + enc
JCAPI_SSL_LOG: Trust store alias given for SSL socket factory. Use JCAPI key store.
JCAPI_SSL_LOG: Trust Manager will use alias: My|9lQjPR9D40uJUD2TTnC0WkFE1ps=
----------------------------------------------

The question is still why it works without giving PIN when running with NetID. I certainly want it to work properly with at least both Personal and NetID as provider (I guess client authentication doesn't work with the latter and the private key isn't used).


Mattias
tommy
Hi Mattias,

From your logging output, it's obvious that you have not activated client authentication on your server. Client authentication cannot be requested by the client, it's a choice determined by the server that must be fulfilled by all clients.
When client authentication is used, the JCAPI key manager (in your client) will log/print the issuer's distinguished name for each trusted certificate that is sent from the server to your client during the handshake. In your output there's none present.

Regarding your question:


The question is still why it works without giving PIN when running with NetID. I certainly want it to work properly with at least both Personal and NetID as provider (I guess client authentication doesn't work with the latter and the private key isn't used).


You are correct since there's no client authentication requested by the server. The reason that you have to give a PIN for Personal is that SUN's keystore builder will login on your token when the java.security.KeyStore instance is created which in turn will require a PIN.
Why a PIN is not needed for NetID, I don't know since I have no experience with NetID. Probably its credentials are put on individual objects instead such as the private key, which should make it work anyway in the end. So, in conclusion, you don't give a PIN to access the private key, it's for login on your token.
Hint: you can see when JCAPI is accessing a private key on your token through PKCS#11 (you have to turn on logging). If the key can be successfully referenced, it will print:
JCAPI_SSL_LOG: Good, the private key can be accessed for alias: <alias>

Ok, to lace it up.
To activate client authentication on your server, you have to call method setNeedClientAuth(true) on your SSLServerSocket instance. You also have to define which certificates (trusted issuers) the server shall send to the clients (use parameter trustStoreAlias in method JCAPISSLFactory.getSSLServerSocketFactory()).

To make a clean start, I've updated the JCAPI SSL client/server example programs to support client authentication with a self-signed certificate. Please study them and the logging output to get a better understanding of JCAPI and the contract between the client and the server. Then update them for your configuration (you have to change the parameters in methods getSSLServerSocketFactory() and getSSLSocketFactory()).
If you stumble into more problems, then try to supply as much information as possible about your configuration, such as: what kind of server certificate is used? Is it chained or self-signed? Is it a "soft" certificate stored in MS CAPI or is it stored on a hardware token? Are the client and server running on the same machine, etc.?

Please let me know if more problems arise.

Regards,
Tommy
Attachment: SSLServer.java (SSL server - Client authentication, 6 Kbytes)

Attachment: SSLClient.java (SSL client - Client authentication, 5 Kbytes)
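The contract Tommy describes (the server decides via setNeedClientAuth(true); the server advertises its trusted issuers; the client's key manager sees those issuer DNs and picks a matching key entry) can be observed with plain JSSE, without the JCAPI factory. The example below is added here and is not the attached SSLServer.java/SSLClient.java; it uses JSSE's KeyManagerFactory and TrustManagerFactory in place of JCAPISSLFactory, wraps the client key manager so it logs the issuer DNs received from the server (the same information JCAPI's key manager logs, and which is absent when client authentication is not requested), and assumes three PKCS#12 files (server.p12, client.p12, truststore.p12) with the password "changeit".

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

public class ClientAuthDemo {

    /** Server side: client authentication is the server's decision. With setNeedClientAuth(true)
     *  the handshake fails unless the client presents a certificate the server's trust store accepts. */
    public static SSLServerSocket requireClientAuth(SSLContext ctx, int port) throws IOException {
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        server.setNeedClientAuth(true);
        return server;
    }

    /** Client side: wraps JSSE's key manager and logs the issuer DNs the server sent in its
     *  CertificateRequest. An empty list means the server never asked for a client certificate. */
    public static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        public LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            if (issuers == null || issuers.length == 0) {
                System.out.println("CLIENT_LOG: no trusted issuers received; server did not request client auth");
            }
            for (Principal p : issuers == null ? new Principal[0] : issuers) {
                System.out.println("CLIENT_LOG: trusted issuer sent by server: " + p.getName());
            }
            String alias = delegate.chooseClientAlias(keyType, issuers, socket);
            System.out.println("CLIENT_LOG: key manager will use client alias: " + alias);
            return alias;
        }
        @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    /** Builds a context from a PKCS#12 key store (own key and certificate) and a trust store
     *  (accepted issuers). On the server, the trust store is what gets advertised to clients. */
    public static SSLContext context(String keyStore, String trustStore, char[] pw, boolean logIssuers) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStore)) { ks.load(in, pw); }
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStore)) { ts.load(in, pw); }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        KeyManager[] kms = kmf.getKeyManagers();
        if (logIssuers) {
            for (int i = 0; i < kms.length; i++) {
                if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();   // assumed password for all three example stores
        // Assumed files: server.p12 and client.p12 hold one key entry each; truststore.p12 holds
        // the certificate(s) that issued them (for self-signed certificates: the certificates themselves).
        SSLContext serverCtx = context("server.p12", "truststore.p12", pw, false);
        SSLContext clientCtx = context("client.p12", "truststore.p12", pw, true);

        SSLServerSocket server = requireClientAuth(serverCtx, 8443);
        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
                System.out.println("SERVER_LOG: authenticated client: " + s.getSession().getPeerPrincipal());
            } catch (Exception e) {
                System.out.println("SERVER_LOG: handshake failed: " + e);
            }
        });
        serverThread.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", 8443)) {
            c.startHandshake();   // LoggingKeyManager output appears during this call
            System.out.println("CLIENT_LOG: handshake complete with " + c.getSession().getPeerPrincipal());
        } finally {
            serverThread.join();
            server.close();
        }
    }
}
```

Run it once with requireClientAuth() and once with the setNeedClientAuth(true) line removed: in the second run chooseClientAlias() is never reached and the client logs no issuers, which is the situation Tommy diagnosed from Mattias's output. Because the client's certificate selection is driven by the issuer list the server sends, getting the server's trust store right (the trustStoreAlias parameter in JCAPI's case) matters as much as the flag itself.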

tommy
Updated information!

The problem with illegal characters in the name attribute has now been fixed in JCAPI v1.1.1.

Regards,
Tommy