
General Issues » Re:I can't get my private key

Author: tommy, Visitor
26/02/2007 22:16:17
Hi Marco,


I'm very interested in the jcapi library, and I would like to know how to pay for it, and about the licence.

Thanks for your interest.
The JCAPI license can be found here:
http://pheox.com/products/jcapi/license.txt
You can also find information about our license in the JCAPI FAQ
http://pheox.com/products/jcapi/faq.html#FA.17
When you feel ready to purchase JCAPI, then just send an e-mail to sales@pheox.com and we'll gladly help you through the buying process.

Ok, regarding your problem and given info:
1. The error code "2148532266" is a "SCARD_E_INVALID_CHV" error, which in short means that the supplied PIN is incorrect. That error is returned by the SysGillo CSP when we want to calculate the size of the buffer required to hold the signature array to be generated, and your CSP should not return an error since access to the private key is not required during that operation (since the buffer size can be calculated from the public key's modulus). A question: did you enter the wrong PIN code for that operation, or was there no PIN dialog shown at all?
2. It is very hard to determine your root problem, since the test programs that failed initially did fail when JCAPI tried to acquire a context, but after running my new tests these errors suddenly vanish and everything seems to work fine except for the last certificate in the test (i.e. MY|AhP5uoI6cz6/BMbFhCH1FcYXpjs=), and that one fails for a totally different reason. Do you know if that certificate (and private key) functions correctly (creating signatures & decryption) in other crypto software?

It's a tough situation trying to debug your problem without required hardware. I would suggest that we (Pheox) will try to get hold of a similar card as yours in order for us to (hopefully) re-generate the same errors as you have encountered.
Could you please send us the software I mentioned earlier (just send it to support@pheox.com)? Please make sure that it is ok to distribute them to us (copyright legal stuff).

Regards,
Tommy

Author: Anonymous, Visitor
27/02/2007 14:50:22
Hi,
we have removed all the certificates except that one of the smart key.
The output of the second test is as follows:

Open system store 'My'.
Ok, found CSP 'SysGillo Cryptographic Service Provider'.
Now, check if there exists any certificates managed by the CSP.
Start searching for certificates in system store.
Found a certificate.
JCAPI alias = My|F4uD2dj7GrPZ+13eLt3guZqO0oI=
The found certificate has an RSA private key used for decryption.
Key container: \\.\ACS USB 0\5c4b2e09-1b6a-48ef-978a-7c5e3ee3bcba
******** Key prov info ********
Container: \\.\ACS USB 0\5c4b2e09-1b6a-48ef-978a-7c5e3ee3bcba
Container len: 50
Provider: SysGillo Cryptographic Service Provider
Provider len: 39
ProvType: 1
Flags: 0
ProvParam: 0
KeySpec: 2
*******************************
Try to acquire context.
Acquire context succeeded.
Test creating a signature.
Time to sign the hash. This will require a private key and will this show a PIN
dialog.
Signature successfully created.
Found a certificate.
JCAPI alias = My|DKwk6QyVkiPGNxeFwg0NdVPePi8=
The found certificate has an RSA private key used for decryption.
Key container: \\.\ACS USB 0\DS0
******** Key prov info ********
Container: \\.\ACS USB 0\DS0
Container len: 17
Provider: SysGillo Cryptographic Service Provider
Provider len: 39
ProvType: 1
Flags: 0
ProvParam: 0
KeySpec: 2
*******************************
Try to acquire context.
Acquire context succeeded.
Test creating a signature.
Time to sign the hash. This will require a private key and will this show a PIN
dialog.
Signature successfully created.
End searching for certificates in system store.
Close system store 'My'.

This output doesn't show any error.
I used a piece of software with a SOAP over SSL connection, using the token with a PKCS11 wrapper.
I have tried to use JCAPI instead of PKCS11, but in the handshake I got an error in the signing process.
Since the trial version of JCAPI that I downloaded ends on the 1st of March, we can't do any other tests; is there any way to extend the trial time before buying it?

Author: tommy, Visitor
27/02/2007 16:44:48
Hello,


This output doesn't show any error.

That one looks better indeed.


Since the trial version of JCAPI that I downloaded ends on the 1st of March, we can't do any other tests; is there any way to extend the trial time before buying it?

Since JCAPI 1.2.0, we have changed the process of how the product can be evaluated. You can download JCAPI 1.2.0 and evaluate it for 60 days extra. After the 60 days have passed, you can still download and evaluate JCAPI when a new version of JCAPI is released (see the JCAPI FAQ). So, don't you worry about your current expiration date.

Regards,
Tommy

Author: Anonymous, Visitor
02/03/2007 15:25:50
Hello tommy,
I'm trying to develop a SOAP client using the jcapi library, but I have a problem: I think that jcapi can't get the private key for signing in the handshake.

import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.pheox.jcapi.JCAPIProperties;
import com.pheox.jcapi.JCAPIProvider;

public class SSLConection {
    public static void main(String[] args) throws Exception {
        String endpoint = args[0]; // SOAP endpoint URL (https://...)

        Security.addProvider(new JCAPIProvider());
        JCAPIProperties.setLogging(true);

        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

        // MS "My" store: holds the client certificate and its private key (on the token).
        KeyStore ks1 = KeyStore.getInstance("msks", "JCAPI");
        ks1.load(null, null);

        // Second msks instance, restricted to the "Root" store, used as the trust store.
        KeyStore ks2 = KeyStore.getInstance("msks", "JCAPI");
        ks2.load(null, null);
        JCAPIProperties.getInstance().setExclusiveMSCertStore(ks2, "Root");

        // Default (SunX509) key and trust managers on top of the JCAPI key stores.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks1, null);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks2);
        SecureRandom sr = SecureRandom.getInstance("RNG", "JCAPI");
        SSLContext c = SSLContext.getInstance("SSL");
        c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), sr);
        SSLSocketFactory f = c.getSocketFactory();

        HttpsURLConnection.setDefaultSSLSocketFactory(f);
        URL url = new URL(endpoint);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        System.out.println("HttpsURLConnection.getDefaultSSLSocketFactory()---->"
                + HttpsURLConnection.getDefaultSSLSocketFactory());

        conn.setDoOutput(true);
        conn.setDoInput(true);
        // The TLS handshake runs on the connection's first I/O; the client
        // CertificateVerify message is where the private key is needed.
        conn.connect();
        System.out.println("cipher suite------> " + conn.getCipherSuite());

        OutputStream out = conn.getOutputStream();
        Writer wout = new OutputStreamWriter(out, "UTF-8");
        // The SOAP request body was cut off in the post; only the start of the XML declaration remains.
        wout.write("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\" ");
        wout.flush();
        wout.close();

        InputStream in = conn.getInputStream();
        in.close();
        conn.disconnect();
        System.out.println("fatto");
    }
}

This is the output:

main, called closeInternal(true)
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Error signing certificate verify
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:719)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:679)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:21
at java.io.BufferedInputStream.read1(BufferedInputStream.java:25
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:632)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:577)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:597)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1004)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at SSLConection.main(SSLConection.java:86)
Caused by: java.security.InvalidKeyException: Modulus is missing
at sun.security.rsa.RSAKeyFactory.checkKey(RSAKeyFactory.java:112)
at sun.security.rsa.RSAKeyFactory.toRSAKey(RSAKeyFactory.java:76)
at com.sun.crypto.provider.RSACipher.engineGetKeySize(DashoA13*..)
at javax.crypto.Cipher.b(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at java.security.Signature$CipherAdapter.engineInitSign(Signature.java:1202)
at java.security.Signature$Delegate.init(Signature.java:1076)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1033)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1106)
at java.security.Signature.initSign(Signature.java:49
at com.sun.net.ssl.internal.ssl.RSASignature.engineInitSign(RSASignature.java:10
at java.security.Signature$Delegate.engineInitSign(Signature.java:1104)
at java.security.Signature.initSign(Signature.java:49
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1213)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:715)
... 15 more

Thanks in advance,
Marco

Author: tommy, Visitor
04/03/2007 19:53:05
Hi Marco,

When you are not using the JCAPI SSL plugin, and instead use the default key and trust managers, then the following rules apply:
1. If JCAPI is required to export a private key, then JCAPI must be configured to export it, i.e. use the following code (see example program C:\JCAPI\examples\ssl\httpsclient\noclientauth\HTTPSClient.java):

JCAPIProperties.getInstance().setPrivateKeyExportable(true);

2. Only private keys that are exportable can be used, i.e. you cannot export private keys that are stored on a hardware token, nor can you export a key from MS CAPI that is marked as non-exportable.

If you want to use a hardware token with SSL, then you can either use the JCAPI SSL plugin (which requires Java 5 or higher, since it uses SUN's PKCS#11 provider) or you can use SUN's PKCS#11 provider directly and use it together with the default key and trust managers.

If you prefer the JCAPI SSL plugin, then please remember that you have to manually add your PKCS#11 supported CSP to JCAPI if the CSP is not supported by default, for example:

String cspName = "FooBar Cryptographic Service Provider";   // CSP name as shown by MS CAPI
String pkcs11FileName = "foobar.dll";                        // the vendor's PKCS#11 library
new JCAPIUtil().addPKCS11CSP(cspName, pkcs11FileName);

Regards,
Tommy
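The second option Tommy describes, SUN's PKCS#11 provider used directly with the default key and trust managers, as an added example that is not from this thread or from Pheox. It assumes Java 5 to 8 (the SunPKCS11 InputStream constructor), a placeholder PKCS#11 library path and a caller-supplied PIN; the pre-flight signing check is my own addition, repeating the CertificateVerify step from Marco's stack trace before any handshake.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Enumeration;
import javax.net.ssl.*;

public class Pkcs11TlsClient {
    // Register Sun's PKCS#11 provider from an in-memory config. The library
    // path is a placeholder (assumption): it must point at the token vendor's
    // PKCS#11 DLL. This constructor form exists in Java 5 to 8.
    static Provider loadPkcs11Provider(String libraryPath) {
        String config = "name = SmartToken\nlibrary = " + libraryPath + "\n";
        return new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(config.getBytes()));
    }

    // Pre-flight check that repeats, outside the handshake, what the JSSE
    // ClientHandshaker does for CertificateVerify: Signature.initSign with the
    // client's private key. A key that cannot sign fails here with a readable
    // message instead of as an SSLHandshakeException in the middle of connect().
    static String findSigningAlias(KeyStore ks, char[] pin) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            // Ask the token's own provider to sign; the key never leaves the card.
            Signature sig = Signature.getInstance("SHA1withRSA", ks.getProvider());
            sig.initSign(key);
            sig.update(new byte[] {0x01, 0x02, 0x03});
            sig.sign();
            return alias;
        }
        throw new KeyStoreException("no usable signing key on the token");
    }

    // Default key and trust managers fed by the PKCS#11 key store instead of
    // JCAPI's msks, so no private key export is needed for client authentication.
    static SSLSocketFactory buildSocketFactory(String libraryPath, char[] pin) throws Exception {
        Provider p = loadPkcs11Provider(libraryPath);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                 // logs in to the token with the PIN
        findSigningAlias(ks, pin);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);          // JRE cacerts; replace with the Root store as needed
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

Pass the factory to HttpsURLConnection.setDefaultSSLSocketFactory as in Marco's code; the PIN dialog is replaced by the char[] given to ks.load.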



