Thanks Tommy,

I will try first option, combined with a static checker to avoid too many dll loads (just add JCAPI provider again when a Crtl+F5 reload is done).

Second option will requiere a separate minimized window, as a frame in the same window will not do it (page reload will reload both main and applet frame, and it could even load home page in main frame, loosing previous navigation). I am not sure clients (or my project manager) would like that. Well, maybe I'll try that if I get too desperate

I am developing an applet to digitally sign files from a web application, using JCAPI. Initial tests work fine, but i have found that there is a problem with Internet Explorer, when the page that includes the applet, is reloaded with Ctrl+F5 (that is, bypassing browser cache). If page is reloaded that way, an Exception is thrown, saying that dll is already loaded by another class loader.

It happens just with IE (works fine on Firefox and Opera), and just with Ctrl-F5 reload (just pressing F5, works fine)

It seems than Internet Explorer unloads all Java classes, so when loaded again, static initializers are re-executed. I guess that JCAPI uses a boolean static atribute to check if dll has been loaded, and that static mark is setted to its original value.

Anyway, I have implemented my own checking, with a boolean static atribute, and a static method that executes "Security.addProvider(new JCAPIProvider())". Code is like this:

    private static boolean ini = false;



    public static void init() {

        if (! ini) {

            java.security.Security.addProvider(new com.pheox.jcapi.JCAPIProvider());

            ini= true;

        }

    }

Adding logging to this code, shows that when applet is reloaded in IE, when reeloading page with Ctrl+F5, private static boolean ini atribute is set to false again. But dll is already loaded by the JRE, so an Exception is thrown.

I have used a system property to avoid this (using java.lang.System.getProperty and java.lang.System.setProperty), checking and setting it when adding JCAPI provider. In this case, code is not executed when applet is reloaded with Crtl+F5, but then an exception is thrown when I try to use JCAPI after reload, saying than JCAPI provider has not been added.

I know that it seems to be an IE bug, not JCAPI bug, but ¿Is there any kind of workaround? If not ¿are there plans to make it possible (maybe allowing JCAPI to ignore dll load exceptions, if developer want to)?

FF. It seems that solution posted on previous post doesn't work on IE

JCAPI download link is broken, the from actually do not submit anything.

I was still able to download product by using http://pheox.com/download?productid=15
(looked into produced http://pheox.com/download html).

Please fix that.

We really would like to try out/by your products, but our managers prefer to work with "mature companies, which has non-broken download links"

It's trober again. I've been having trouble logging into the forum so I'll need to post anonymously.

Here's some background information to help answer the questions you asked.

1. We can get JCAPI to work correctly when run from a simple main line. When we involve JAX-WS it crashes consistantly. We believe the problem may be related to something happening with class loading carried out by JAX-WS, which in turn affects the operation of the JCAPI dll. We are still looking into this.

2. All the examples I have tried seem to work.

3. Sorry I didn't get around to trying an applet yet.

4. Here is the environment info is included below.

And regarding the jcapilog.txt, when we experience the VM crash, we are finding no log file is produced. (it is produced if we run the application from a mainline).

I can see that the DLL is extracted to the Documents and Settings Temp Directory though.


-------------- Environment info start --------------
JCAPI version: 1.2.2.0
JCAPI DLL version: 1.2.2.0

Certificate/system stores:
My
Root
Trust
CA
UserDS
TrustedPublisher
Disallowed
AuthRoot
TrustedPeople
ACRS
ADDRESSBOOK
REQUEST

Using cert entry store: ADDRESSBOOK
Using key entry store: My
Using intermediate cert store: CA
Using root cert store: Root
Using untrusted cert store: null

Available CSPs:
Gemplus GemSAFE Card CSP v1.0
Infineon SICRYPT Base Smart Card CSP
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
Microsoft DH SChannel Cryptographic Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
Microsoft RSA SChannel Cryptographic Provider
Microsoft Strong Cryptographic Provider
Schlumberger Cryptographic Service Provider

Using CSP: Microsoft Enhanced Cryptographic Provider v1.0

Supported PKCS#11 CSPs:
FTSafe ePass2000 RSA Cryptographic Service Provider
eToken Base Cryptographic Provider
SmartTrust Cryptographic Service Provider
SI_CSP
SafeSign CSP Version 1.0
AR Base Cryptographic Provider
Athena ASECard Crypto CSP


User added PKCS#11 CSPs:

Loaded JCAPI plugins: No plugins loaded!
Registered JCE providers: SUN, version 1.5
JCAPI, version 1.22
SunRsaSign, version 1.5
SunJSSE, version 1.5
SunJCE, version 1.5
SunJGSS, version 1.0
SunSASL, version 1.5

java.version: 1.5.0_06
java.vendor: Sun Microsystems Inc.
java.vm.version: 1.5.0_06-b05
java.vm.vendor: Sun Microsystems Inc.
os.name: Windows XP
os.arch: x86
os.version: 5.1
java.library.path: C:\Program Files\Java\jdk1.5.0_06\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\Program Files\Support Tools\;C:\Program Files\Java\jdk1.5.0_06\bin;C:\Program Files\Oracle\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\ABS\Bin;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\lotus\notes\;C:\Documents and Settings\robeto\Notes;C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE;C:\Documents and Settings\robeto\Notes;\\Corp\Peopledfs\robeto\Notes6;C:\Program Files\lotus\notes\;C:\Data\maven-2.0.6\bin
-------------- Environment info end --------------

Thanks tommy!

I'll get to trying out those things you suggested and get back to you with more information when I can

I'm slowly starting to understand this.

So I'm trying to check to see if the Private Key is exportable from the card, but I don't think I'm doing something right. This is what I do, and it always tells me that I have no exportable keys. But it also never asks me for a pin.

Security.addProvider(new JCAPIProvider());

String keyEntryStore = JCAPIProperties.getInstance().getMSKeyEntryStoreName();

JCAPIProperties.getInstance().setMSCertStoreNames(new String[]{keyEntryStore});

JCAPIUtil.addPKCS11CSP("ActivCard", "acpkcs211.dll");

JCAPIProperties.getInstance().setPrivateKeyExportable(true);

KeyStore jks = KeyStore.getInstance("msks", "JCAPI");

jks.load(null, null);

			

String alias = null;

RSAPrivateKey privateKey = null;



for(java.util.Enumeration e = jks.aliases(); e.hasMoreElements(); )

{

     alias = (String)e.nextElement();

     if(jks.isKeyEntry(alias))

     {

           privateKey = (RSAPrivateKey)jks.getKey(alias, null);

           if(privateKey instanceof RSAPrivateCrtKey)

                 break; //Ok, key found.

           else

                 privateKey = null;

      }

}

if(privateKey == null)

     System.out.println("Sorry, no exportable RSA private key was found.");

else {

      System.out.println("Exportable RSA key found!");

      System.out.println("Alias: " + alias);

      System.out.println("Key: " + privateKey);

}

When I try to access the card through a PKCS11 KeyStore, it asks me for a pin.

StringBuffer sb = new StringBuffer();

sb.append("name=ActivCard\n");

		sb.append("library=c:\\Windows\\System32\\acpkcs211.dll\n");

ByteArrayInputStream bais = new ByteArrayInputStream(sb.toString().getBytes());

Provider p = new SunPKCS11(bais);

Security.addProvider(p);

KeyStore ks = KeyStore.getInstance("PKCS11");

ks.load(null, null); 

So I think I'm doing something wrong making JCAPI work with PKCS11. Any ideas?

I'm trying to use JCAPI to get the certificates out of the Microsoft Certificate Store and use them for client authentication to a Apache server.

Security.addProvider(new JCAPIProvider());

JCAPIProperties.setLogging(true);

JCAPIProperties.getInstance().setPrivateKeyExportable(true);

KeyStore jks = KeyStore.getInstance("msks", "JCAPI");

jks.load(null, null);



KeyStore ks2 = KeyStore.getInstance("msks", "JCAPI");

ks2.load(null, null);

	        JCAPIProperties.getInstance().setExclusiveMSCertStore(ks2,"Root");

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

kmf.init(jks, null);

TrustManagerFactory tmf = TrustManagerFactory.getInstance(

TrustManagerFactory.getDefaultAlgorithm());

tmf.init(ks2);

SecureRandom sr = SecureRandom.getInstance("RNG", "JCAPI");

sc = SSLContext.getInstance("TLS");

sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), sr);

	        

URLConnection con = url.openConnection();

			   ((HttpsURLConnection)con).setSSLSocketFactory(sc.getSocketFactory());

((HttpsURLConnection)con).setHostnameVerifier(new HostnameVerifier() {

	public boolean verify(String hostname, javax.net.ssl.SSLSession session) {

        	return true;

        }

});

When I do this i get-

Exception in thread "main" com.pheox.jcapi.JCAPIJNIRuntimeException: Exception raised in JCAPI.DLL:
JCAPIKeyStore_getKey() - Could not acquire a key container handle.
Keyset does not exist

Error code: 0x80090016
at com.pheox.jcapi.CoreKeyStoreJNI.getKey(Native Method)
at com.pheox.jcapi.j.f(Unknown Source)
at com.pheox.jcapi.JCAPIKeyStore.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:4
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at syncadd.net.URLConnectionFactory.getCertificateURLConnection(URLConnectionFactory.java:122)
at syncadd.net.URLConnectionFactory.getCertificateURLConnection(URLConnectionFactory.java:89)
at syncadd.crypto.Card.run(Card.java:64)
at syncadd.crypto.Card.main(Card.java:101)


This exception happens on
kmf.init(jks, null);


If I get rid of the
JCAPIProperties.getInstance().setPrivateKeyExportable(true);
I get a little farther, but then I end up with-

... no IV used for this cipher
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Error signing certificate verify

at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at syncadd.crypto.Card.run(Card.java:70)
at syncadd.crypto.Card.main(Card.java:101)
Caused by: java.security.InvalidKeyException: Modulus is missing
at sun.security.rsa.RSAKeyFactory.checkKey(RSAKeyFactory.java:112)
at sun.security.rsa.RSAKeyFactory.toRSAKey(RSAKeyFactory.java:76)
at com.sun.crypto.provider.RSACipher.engineGetKeySize(DashoA13*..)
at javax.crypto.Cipher.b(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at java.security.Signature$CipherAdapter.engineInitSign(Signature.java:1202)
at java.security.Signature$Delegate.init(Signature.java:1076)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1033)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1106)
at java.security.Signature.initSign(Signature.java:49
at com.sun.net.ssl.internal.ssl.RSASignature.engineInitSign(RSASignature.java:10
at java.security.Signature$Delegate.engineInitSign(Signature.java:1104)
at java.security.Signature.initSign(Signature.java:49
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1213)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:715)
... 13 more


Any ideas?

Thanks for your kind help,

IpmPki32.dll
IpmPkilu.dll
IpmPkilc.dll

I haven't found dll, there are only pcsc dll.

2) I said this idea more time ago, my boss refused this option, because this key store have sensible data.

Seamless SSL support for JCAPI with hardware tokens without required PKCS#11 support is subject to version 2.0.

This is for me! I attend this version!!!

Regards
Marco

Thank you for your support and the Assembla team (I have used the same libraries for another project).
I use Java 1.6 because of its new features for smart keys and token.
Now I've tried Sun MSCAPI, but during handshake it popups a window for PIN request, but I don't like it because I need to automatize all the login process without manually inserting anything.

Regards,
Marco

I have forgotten it.
I think that I have only handle of key...

hi tommy,
Thanks for you kindly assistance,
This is the point:
1) I have a smartkey reader usbr30 pkcs11 incompatible.
2) This smartkey reader is ok for access by i.e.
3) I have only pcsc driver
4) I can sign with this smartkey reader with jcapi.
5) Private key is not exportable.
6) JCAPIProperties.getInstance().setPrivateKeyExportable(true); doesn't work
because it isn't pkcs11.

Now After your last post, I have made a own keymanager class for export private key,
but I get this error in handshake:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: Error signing certificate verify
Caused by: java.security.InvalidKeyException: You must use a RSA public key for encryption.
at se.assembla.jce.provider.ms.MSCipherRSAJNI.engineInit(Unknown Source)
at javax.crypto.Cipher.init(DashoA13*..)
at java.security.Signature$CipherAdapter.engineInitSign(Signature.java:1202)
at java.security.Signature$Delegate.init(Signature.java:1076)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1033)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1106)
at java.security.Signature.initSign(Signature.java:49
at com.sun.net.ssl.internal.ssl.RSASignature.engineInitSign(RSASignature.java:10
at java.security.Signature$Delegate.engineInitSign(Signature.java:1104)
at java.security.Signature.initSign(Signature.java:49
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1213)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:715)
... 16 more

this is the code for connection

KeyStore ks1 = KeyStore.getInstance("msks", "JCAPI");
ks1.load(null, null);

OwnKeyManager ownKeyManager=new OwnKeyManager(null, ks1, alias,"mypin");

X509Certificate[] cert=(X509Certificate[])ownKeyManager.getCertificateChain(alias);
KeyManager[] kmf2 = new KeyManager [] {ownKeyManager};

KeyStore serverKeyStore = KeyStore.getInstance("JKS");
System.out.println("done!");

serverKeyStore.load(null, "".toCharArray() );
System.out.println("done!");

KeyStore ks2 = KeyStore.getInstance("msks", "JCAPI");
ks2.load(null, null);
JCAPIProperties.getInstance().setExclusiveMSCertStore(ks2, "Root");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks2);
SSLContext c = SSLContext.getInstance( "SSL", "SunJSSE");
c.init(kmf2,tmf.getTrustManagers(), null);

My public key is rsa, and I don't understant this error.

Thanks in advance.
Marco

Hello, Tommy!

New jar file is quite bigger than the other one. Since I'll need it onan applet, and I'll use only part of its features, it will be possible to reduce a copy of the JAR to the smallest one?

Thank you very much
MN

Hello tommy,
I'm try to develop a soap using a jcapi library, but I have a problem: I think that jcapi can't get private key for signig in handshake..

Security.addProvider(new JCAPIProvider());
JCAPIProperties.setLogging(true);

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

KeyStore ks1 = KeyStore.getInstance("msks", "JCAPI");
ks1.load(null, null);

KeyStore ks2 = KeyStore.getInstance("msks", "JCAPI");
ks2.load(null, null);
JCAPIProperties.getInstance().setExclusiveMSCertStore(ks2, "Root");
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
.getDefaultAlgorithm());
kmf.init(ks1, null);
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks2);
SecureRandom sr = SecureRandom.getInstance("RNG", "JCAPI");
SSLContext c = SSLContext.getInstance("SSL");
c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), sr);
SSLSocketFactory f = c.getSocketFactory();

HttpsURLConnection.setDefaultSSLSocketFactory(f);
URL url = new URL(endpoint);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
System.out
.println("HttpsURLConnection.getDefaultSSLSocketFactory()---->"
+ HttpsURLConnection.getDefaultSSLSocketFactory());

conn.setDoOutput(true);
conn.setDoInput(true);
conn.connect();
System.out.println("chiper suite------> " + conn.getCipherSuite());

OutputStream out = conn.getOutputStream();
Writer wout = new OutputStreamWriter(out);
wout
.write("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\" ");
wout.flush();
wout.close();

InputStream in = conn.getInputStream();
conn.disconnect();
System.out.println("fatto");

this is the output

main, called closeInternal(true)
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Error signing certificate verify
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:719)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:679)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:21
at java.io.BufferedInputStream.read1(BufferedInputStream.java:25
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:632)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:577)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:597)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1004)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at SSLConection.main(SSLConection.java:86)
Caused by: java.security.InvalidKeyException: Modulus is missing
at sun.security.rsa.RSAKeyFactory.checkKey(RSAKeyFactory.java:112)
at sun.security.rsa.RSAKeyFactory.toRSAKey(RSAKeyFactory.java:76)
at com.sun.crypto.provider.RSACipher.engineGetKeySize(DashoA13*..)
at javax.crypto.Cipher.b(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at java.security.Signature$CipherAdapter.engineInitSign(Signature.java:1202)
at java.security.Signature$Delegate.init(Signature.java:1076)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1033)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1106)
at java.security.Signature.initSign(Signature.java:49
at com.sun.net.ssl.internal.ssl.RSASignature.engineInitSign(RSASignature.java:10
at java.security.Signature$Delegate.engineInitSign(Signature.java:1104)
at java.security.Signature.initSign(Signature.java:49
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1213)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:715)
... 15 more

Thanks in advance,
Marco

Hi,
we have removed all the certificates except that one of the smart key.
The output of the second test is as follow:

Open system store 'My'.
Ok, found CSP 'SysGillo Cryptographic Service Provider'.
Now, check if there exists any certificates managed by the CSP.
Start searching for certificates in system store.
Found a certificate.
JCAPI alias = My|F4uD2dj7GrPZ+13eLt3guZqO0oI=
The found certificate has an RSA private key used for decryption.
Key container: \\.\ACS USB 0\5c4b2e09-1b6a-48ef-978a-7c5e3ee3bcba
******** Key prov info ********
Container: \\.\ACS USB 0\5c4b2e09-1b6a-48ef-978a-7c5e3ee3bcba
Container len: 50
Provider: SysGillo Cryptographic Service Provider
Provider len: 39
ProvType: 1
Flags: 0
ProvParam: 0
KeySpec: 2
*******************************
Try to acquire context.
Acquire context succeeded.
Test creating a signature.
Time to sign the hash. This will require a private key and will this show a PIN
dialog.
Signature successfully created.
Found a certificate.
JCAPI alias = My|DKwk6QyVkiPGNxeFwg0NdVPePi8=
The found certificate has an RSA private key used for decryption.
Key container: \\.\ACS USB 0\DS0
******** Key prov info ********
Container: \\.\ACS USB 0\DS0
Container len: 17
Provider: SysGillo Cryptographic Service Provider
Provider len: 39
ProvType: 1
Flags: 0
ProvParam: 0
KeySpec: 2
*******************************
Try to acquire context.
Acquire context succeeded.
Test creating a signature.
Time to sign the hash. This will require a private key and will this show a PIN
dialog.
Signature successfully created.
End searching for certificates in system store.
Close system store 'My'.

This output doesn't show any error.
I used a software with SOAP over SSL connection using token with PKCS11 wrapper.
I have tried to use JCAPI instead of PKCS11 but in the handshake I got an error in the signing process.
Since the trial version of JCAPI that I downloaded ends on the 1st of March, we can't do any other test; is there any way to extends the trial time before buying it?