Pheox - Forums

tommy, how can JCAPI use a CSP (not PKCS#11) to generate a signature
Anonymous


Tommy, our USB-key vendor didn't provide a PKCS#11 implementation. So with their CSP (just a DLL), how can I use JCAPI to generate the signature?

Our CSP name is "esafe csp version 1.0".
Our CSP DLL is "z_csp_ms6.dll".
The private key is not exportable, and suppose I know the alias is:
aaaaaaaaaa

Can you provide an example that shows how to use JCAPI to generate the signature with the CallbackforPIN module?
tommy

Visitor

Joined: May 30, 2005
Messages: 148
Offline
Hello,

If your vendor has only supplied you with an MS CAPI driver, then you can just install the driver and use JCAPI as usual. You don't have to add the CSP explicitly for JCAPI in this case (this is only required for PKCS#11 CSPs).

Anonymous wrote: the private key is not exportable, and suppose I know the alias is:
aaaaaaaaaa

Your given alias is not a valid JCAPI alias. Please see the example code below for an explanation.

Anonymous wrote: can you provide an example that shows how to use JCAPI to generate the signature with the CallbackforPIN module?

What's a CallbackforPIN module?
If you mean the JCAPIPINCallback interface, then you have to add a PKCS#11 driver for your hardware token into JCAPI. Otherwise the CSP's own native PIN code dialog will be shown instead of the Java Swing based one provided by JCAPI.
I'm a bit surprised that your vendor has not supplied you with a PKCS#11 DLL. If you want to use your own Java based PIN code callback for your hardware key, then you have to use a PKCS#11 DLL for your key with JCAPI. Ask your vendor for such a driver.


Ok, here's an example of how to create a signature with JCAPI:


import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;

import com.pheox.jcapi.*;

public class SignTest
{
    static public void main(String[] args)
    {
        try {
            Security.addProvider(new JCAPIProvider());

            //Init JCAPI key store (the "msks" MS CAPI key store type provided by JCAPI).
            KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
            ks.load(null, null);

            //Sign data using JCAPI.
            byte[] dataToSign = {1,2,3,4,5};
            Signature s = Signature.getInstance("SHA1withRSA", "JCAPI");
            //The alias below will not work since a JCAPI alias is built
            //from <system store name>|<base 64 encoded hash value of certificate>
            //For example: MY|dTrrUZrdV/ULrLFH7iqLdFUKNOA=
            String alias = "aaaaaaaaaa";
            //No password is passed: the CSP handles PIN entry itself.
            RSAPrivateKey privateKey = (RSAPrivateKey)ks.getKey(alias, null);
            if(privateKey == null)
                throw new Exception("No private key found for given alias.");
            s.initSign(privateKey);
            s.update(dataToSign);
            byte[] signature = s.sign();

            //Print the signature as hex; the raw signature bytes are not printable text.
            System.out.println("Signature = " + new BigInteger(1, signature).toString(16));
        } catch(Throwable t) {
            t.printStackTrace();
            System.err.println("Test prog failed. Exiting...");
        }
    }
}


Did this answer your questions? If not, please provide some more detailed information about what you want to achieve and I'll try to get you some good answers.

Regards,
Tommy
Anonymous


Tommy, thanks a lot.
You caught my point correctly. You are right.
My conditions:
1. I really don't have the PKCS#11 CSP.
2. The alias is RT28iT1+oiX2MQYlhvx4LQ== and it is located in My.
3. The private key (RSA1024) in my hardware USB key is not exportable.

My questions:
1. What is done behind the statement below (from the example you gave me)?

RSAPrivateKey privateKey = (RSAPrivateKey)ks.getKey(alias, null);
Do you mean that JCAPI is going to extract the private key from my USB key? But my private key is not exportable,
so perhaps the statement
s.initSign(privateKey);
will get a null privateKey?

Thanks, Tommy.
Anonymous


Tommy, when I run your example SignTest, this exception is thrown:

java.lang.Exception: No private key found for given alias.
at example.SignTest.main(SignTest.java:29)
Test prog failed. Exiting...


The alias below is obtained through a CryptoAPI program written in C++.
MY|NTIEYiB0+lgtobUkbTHAEeKvxjI=

but the statement
RSAPrivateKey privateKey = (RSAPrivateKey)ks.getKey(alias, null);
gets a null key.

So I guess it can't get my private key from my USB key correctly.
Anonymous


Tommy, I guess the answer: I should provide a CSP provider to JCAPI, right?

And when I run the example, ...., JCAPI gets the private key and a PIN-code prompt window opens (vendor's implementation), then I insert the USB key, type the PIN password, and the exception is thrown:

Exception in thread "main" com.pheox.jcapi.JCAPIJNIRuntimeException: Exception raised in JCAPI.DLL:
JCAPIKeyStore_getKey() - Could not get private key blob length.
Invalid type specified.
at com.pheox.jcapi.CoreKeyStoreJNI.getKey(Native Method)


What should I do?
tommy
Hi,

I'm a bit confused here. The only way that you can get the error message "JCAPIKeyStore_getKey() - Could not get private key blob length." is if you have forced JCAPI to export your private key (which of course is not possible through your hardware token) by calling the method:

JCAPIProperties.getInstance().setPrivateKeyExportable(true);

So, the exception that is thrown from the JCAPI DLL can only occur if you have forced JCAPI to export the private key and when the MS CAPI function CryptExportKey() doesn't return NTE_BAD_KEY_STATE (which is the normal case when a private key is not allowed to be exported). In your case NTE_BAD_TYPE was returned, thus causing the exception.

I would like you to try the following two items:
1. What error do you get if you don't force JCAPI to export the private key, i.e. remove the line: JCAPIProperties.getInstance().setPrivateKeyExportable(true);
2. I have patched the JCAPI DLL to also accept the NTE_BAD_TYPE code as a valid state (see file below) when you force JCAPI to export the key (just in order for you to get a JCAPIRSAPrivateKey for signing). Replace your current JCAPI DLL with this one, run your code again, and please report the result.

Regards,
Tommy
Attachment: JCAPI.dll (120 Kbytes). Description: Patched to accept NTE_BAD_TYPE when retrieving the private key.
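As an added example (not the thread's or JCAPI's own code) covering both the alias format explained in the first reply and the export question above: it lists the aliases in the JCAPI "msks" key store so the right entry can be chosen by certificate subject instead of guessed, signs with the non-exportable key without forcing export, and verifies the signature against the certificate's public key. It assumes ks.aliases() and ks.getCertificate() behave as on any JCA KeyStore, and that the hash part of the alias is the SHA-1 of the DER certificate, which the thread does not state.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import com.pheox.jcapi.JCAPIProvider;

public class JcapiAliasDemo
{
    // Assumption (not stated in the thread): the hash in "<store>|<base64 hash>"
    // is the SHA-1 of the DER-encoded certificate (Tommy's sample decodes to 20 bytes).
    static String derivedAlias(String store, X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return store + "|" + Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new JCAPIProvider());
        // Leave the key non-exportable (no setPrivateKeyExportable(true)): getKey()
        // then returns a handle to the CSP key, which is all signing needs.
        KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
        ks.load(null, null);
        String wanted = args.length > 0 ? args[0] : null;  // substring of the subject DN to sign with
        byte[] data = {1, 2, 3, 4, 5};                      // constructed sample input
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue;
            String store = alias.indexOf('|') > 0 ? alias.substring(0, alias.indexOf('|')) : "MY";
            String subject = cert.getSubjectX500Principal().getName();
            System.out.println(alias + "  " + subject
                + (alias.equals(derivedAlias(store, cert)) ? "  [SHA-1 alias matches]" : ""));
            if (wanted == null || !subject.contains(wanted)) continue;
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);  // CSP shows its own PIN dialog
            if (key == null) { System.out.println("No private key for " + alias); continue; }
            Signature signer = Signature.getInstance("SHA1withRSA", "JCAPI");
            signer.initSign(key);
            signer.update(data);
            byte[] sig = signer.sign();
            // Verify with the default provider and the certificate's public key:
            // proves the token signed with the key matching the selected certificate.
            Signature verifier = Signature.getInstance("SHA1withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(data);
            System.out.println("Signature (base64) = " + Base64.getEncoder().encodeToString(sig));
            System.out.println("Verifies with certificate public key: " + verifier.verify(sig));
            return;
        }
    }
}
```

Run without an argument to only list the aliases; a missing "[SHA-1 alias matches]" marker means the hash assumption does not hold for your JCAPI version, and the listed alias should be used as printed.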

Anonymous


Thanks, Tommy. Your DLL seems to have some problems; when I run my module,
it throws the following exception:

Exception in thread "main" com.pheox.jcapi.JCAPIJNIRuntimeException: Exception raised in JCAPI.DLL:
You have already evaluated this version of JCAPI twice before. Your are not allowed to perform another evaluation.
tommy
Sorry about that. The patched DLL was compiled from the development branch which caused the DLL to get another version number.

Use the new DLL below.

Regards,
Tommy
Attachment: JCAPI.dll (120 Kbytes). Description: Patched to accept NTE_BAD_TYPE when retrieving the private key.

Anonymous


Tommy, after replacing the DLL, my problem is solved. Thanks again.
tommy
Updated information!

This problem has now been fixed in JCAPI v1.1.1.

Regards,
Tommy