#1  joyce (Visitor, joined Dec 9, 2005, 3 messages)  09/12/2005 07:00:02
I can list either the private certificates or the trust certificates by using the example code 'ListAllCerts', but I always run into an error when trying to startHandshake:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.
Here's my code:
    // f is the JCAPISSLFactory obtained from JCAPIProperties
    SSLSocketFactory sf = f.getSSLSocketFactory(privateKeyAlias, trustKeyAlias, "SSL");
    sslsocket = (SSLSocket) sf.createSocket(host, port);
    sslsocket.startHandshake();   // throws the exception above
Please give me some help.
#2  tommy (Visitor, joined May 30, 2005, 148 messages)  09/12/2005 21:57:15
Hi Joyce,
It is not possible to use a hardware token for SSL. The reason is that the JSSE layer (the javax.net.ssl.X509KeyManager interface) requires the private key to be exported from the key store, and that key is not exportable from a hardware token. The guys at SUN have been thinking about this and thus released (in Java 5) a new PKCS#11 provider, please see:
http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
If you want to use your PKCS#11-enabled hardware token in SSL, then follow the instructions given in "3.5 Tokens as JSSE Keystore and Trust Stores" in the above-mentioned link.
However, the exception you got is very strange. If you had used a hardware token with the JCAPI SSL plugin, then you would have got the following exception:
javax.net.ssl.SSLHandshakeException: Error signing certificate verify
Could you please enable the JCAPI SSL logging and send us the result so that we can track down the cause of your exception? Here is how to enable logging:
    JCAPISSLFactory f = JCAPIProperties.getInstance().getSSLFactory();
    f.setLogging(true); // Use this for SSL logging.
Cheers,
Tommy
#3  Anonymous  12/12/2005 04:57:09
Hi Tommy,
Thanks for your kind advice.
I enabled the log; here is the exception that popped up in the command console.
It shows that the failure occurs in 'checkServerTrusted'.
I tried to rewrite the SSL plugin to get more detailed information, but it always fails to load. As mentioned in the JCAPI javadoc, the description of the JCAPIPlugin interface is: 'All plug-ins in JCAPI must implement this interface. Currently, plug-ins cannot be created by external parties.'
Does this mean I cannot program a customized SSL plugin?
    Timeout guard, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
        at com.octasoft.mib.net.JCAPISSLSocketFactory.createSocket(Unknown Source)
        at org.apache.commons.httpclient.HttpConnection$1.doit(HttpConnection.java:660)
        at org.apache.commons.httpclient.HttpConnection$SocketTask.run(HttpConnection.java:1291)
        at java.lang.Thread.run(Thread.java:536)
    Caused by: java.security.cert.CertificateException: Untrusted certificate chain.
        at com.pheox.jcapi.plugins.ssl.SSLTrustManager.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
        ... 10 more
#4  tommy (Visitor, joined May 30, 2005, 148 messages)  12/12/2005 18:33:52
Hi,
That's correct, you cannot write your own plug-in for JCAPI since it has to be signed with our code signing certificate. The signature of the plug-in is always verified before the JAR is loaded.
What you have to do is to write your own SSL manager code (it does not have to be a JCAPI plug-in). Our SSL plug-in uses the JCAPI key store, while you want to use a PKCS#11 key store.
Regards,
Tommy
#5  joyce (Visitor, joined Dec 9, 2005, 3 messages)  13/12/2005 03:49:10
Hi Tommy,
Following your suggestion, I tried to construct my own SSL manager, but it cannot be executed successfully.
First, I replaced the SSL manager classes packaged in JCAPISSLplugin.jar. That caused the error 'fail to load plugin'.
Second, I tried to place my new SSL manager classes ahead of JCAPISSLplugin.jar in the classpath.
But I ran into another error:
    java.lang.SecurityException: class "com.pheox.jcapi.plugins.ssl.SSLKeyManager"'s signer information does not match signer information of other classes in the same package
How can I implement my own SSL manager?
#6  joyce (Visitor, joined Dec 9, 2005, 3 messages)  13/12/2005 11:17:15
Hi Tommy,
I've successfully implemented my own SSL manager by reconfiguring the SSLContext:
    // kms / tms: the KeyManager[] and TrustManager[] of my own SSL manager
    SSLContext context = SSLContext.getInstance("SSL");
    context.init(kms, tms, new java.security.SecureRandom());
    SSLSocketFactory sf = context.getSocketFactory();
    sslsocket = (SSLSocket) sf.createSocket(host, port);
But when I try to export the native data of a private key, I get this kind of exception:
    Failed to get private key:
    com.pheox.jcapi.JCAPIJNIRuntimeException: Exception raised in JCAPI.DLL:
    JCAPIKeyStore_getKey() - Could not get private key blob length.
    Bad UID.
Many thanks for your suggestion.
Best Regards
Joyce
#7  tommy (Visitor, joined May 30, 2005, 148 messages)  13/12/2005 20:44:41
Hi Joyce,
Currently, you have two disjoint problems:
Problem 1:
The private key stored on your hardware token cannot, for some reason, be referenced at all (that's the reason you get the JCAPIJNIRuntimeException). That's a serious problem. Therefore I have to get the following information from you:
1. What hardware token are you using? Vendor? Model?
2. Is your hardware token PKCS#11 compliant? If yes, what PKCS#11 Cryptographic Service Provider (CSP) does it use?
Please note that JCAPI only supports four PKCS#11 CSPs by default (please read "Supported PKCS#11 CSPs" in the JCAPI User's Guide). If your CSP is not supported by default, then you have to add it to JCAPI manually (please read "Managing the PKCS#11 CSPs" in the JCAPI User's Guide) in order for it to work.
The reason for my questions regarding the PKCS#11 support for your hardware token is that some providers do not implement the MS CAPI functions required by JCAPI when accessing the private key. In those cases, this restriction can be circumvented by using the PKCS#11 layer instead of the MS CAPI layer, but this requires that a PKCS#11 provider (a DLL file) exists for your hardware token.
Problem 2:
As I mentioned before, the JCAPI key store cannot be used for SSL when the private key is not exportable, simply because SSL (JSSE) requires the native private key, and this native key cannot be exported from a hardware token.
In other words, you have to implement the SSL support yourself. Java 5 includes support for a PKCS#11 provider that can be used for this.
We can of course implement support for this in our JCAPI SSL plugin, but it will require some effort, and this functionality is not part of our current product road map. So, we cannot tell when this functionality will be available.
Regards,
Tommy
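The approach Tommy points to in #2 and #7 (section 3.5 of the Java 5 PKCS#11 guide) and the SSLContext wiring Joyce shows in #6 fit together as follows. This is an added example, not code from the thread or from the JCAPI product: it registers the SunPKCS11 provider for a token, loads the token as a "PKCS11" key store, shows that the private key is usable for signing even though it never leaves the token, and builds an SSLContext whose trust manager prints the server chain when PKIX validation rejects it (the "Untrusted certificate chain" case from #1) before rethrowing. The PKCS#11 library path, PIN, trust store file, host and port are placeholders; the claim that SunPKCS11 returns null from getEncoded() for a sensitive, non-extractable key is an assumption about the provider, as is the availability of the SHA256withRSA mechanism on the token.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TokenSslClient {
    // Hypothetical values: point these at your token's PKCS#11 DLL/.so, its PIN,
    // and a JKS trust store holding the CA that issued the server certificate.
    static final String P11_LIBRARY = "C:\\Windows\\System32\\eTpkcs11.dll";
    static final char[] TOKEN_PIN = "1234".toCharArray();
    static final String TRUST_STORE = "truststore.jks";
    static final char[] TRUST_STORE_PIN = "changeit".toCharArray();

    // SunPKCS11 (Java 5 to 8) is configured from a short text config, built in memory here.
    static Provider installPkcs11Provider() throws Exception {
        String config = "name = MyToken\nlibrary = " + P11_LIBRARY + "\n";
        Provider p = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(config.getBytes("UTF-8")));
        Security.addProvider(p); // registered as "SunPKCS11-MyToken"
        return p;
    }

    // The token is a key store with no backing file: load(null, pin) logs in to it.
    static KeyStore loadTokenKeyStore(Provider p) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, TOKEN_PIN);
        return ks;
    }

    // The key is usable without leaving the token: getEncoded() is null for a sensitive,
    // non-extractable key (assumed SunPKCS11 behaviour), yet signing works because the
    // provider runs it on the token. Assumes the token offers the SHA256withRSA mechanism.
    static boolean probePrivateKey(KeyStore ks, Provider p, String alias) throws Exception {
        Key k = ks.getKey(alias, TOKEN_PIN);
        if (!(k instanceof PrivateKey)) return false;
        Signature sig = Signature.getInstance("SHA256withRSA", p);
        sig.initSign((PrivateKey) k);
        sig.update("probe".getBytes("UTF-8"));
        byte[] s = sig.sign();
        System.out.println(alias + ": exportable=" + (k.getEncoded() != null) + ", signature " + s.length + " bytes");
        return true;
    }

    // Wrap the PKIX trust manager so a rejected server chain is printed before the
    // CertificateException propagates. It never accepts a chain the delegate rejects.
    static TrustManager[] loggingTrustManagers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        final X509TrustManager delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        return new TrustManager[] { new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    delegate.checkServerTrusted(chain, authType);
                } catch (CertificateException e) {
                    System.err.println("server chain rejected, " + chain.length + " cert(s):");
                    for (X509Certificate c : chain)
                        System.err.println("  " + c.getSubjectX500Principal()
                                + "  issued by  " + c.getIssuerX500Principal());
                    throw e;
                }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        } };
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        Provider p = installPkcs11Provider();
        KeyStore tokenKs = loadTokenKeyStore(p);
        for (Enumeration<String> e = tokenKs.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (tokenKs.isKeyEntry(alias)) probePrivateKey(tokenKs, p, alias);
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(new FileInputStream(TRUST_STORE), TRUST_STORE_PIN);
        // The key manager signs the CertificateVerify through the provider; no export needed.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(tokenKs, TOKEN_PIN);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), loggingTrustManagers(trustStore), null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.startHandshake();
        System.out.println("handshake OK: " + s.getSession().getCipherSuite());
        s.close();
    }
}
```

The same wiring can be done without code, as section 3.5 of the guide describes, by setting javax.net.ssl.keyStoreType=pkcs11 and javax.net.ssl.keyStore=NONE and letting the default SSLContext pick the token up. Two caveats: on Java 9 and later the sun.security.pkcs11.SunPKCS11 constructor is no longer accessible, and the provider is obtained with Security.getProvider("SunPKCS11").configure(configFile) instead; and a raw SSLSocket does not check that the server certificate matches the host name, so on Java 7 and later set SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") on the socket before startHandshake(), or do the check yourself. Never replace the delegate above with a trust manager that swallows the exception; the wrapper only adds visibility into which chain was rejected.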
#8  tommy (Visitor, joined May 30, 2005, 148 messages)  19/12/2005 21:10:15
Updated information!
After a technical analysis of the problem, it has been decided to include support for the new (Java 5) PKCS#11 provider in the JCAPI SSL plugin. It will be included in the current development of JCAPI version 1.1, since it requires some new support functions from the JCAPI PKCS#11 module.
Regards,
Tommy
#9  tommy (Visitor, joined May 30, 2005, 148 messages)  20/01/2006 00:11:26
Updated information!
The new PKCS#11 provider included in Java 5 is now supported by the JCAPI SSL plugin, see the following news.
Regards,
Tommy