Hi Mattias,
First, regarding your conclusion:
I can add that I've tried the corresponding demo class ListCerts of Assembla JCE Provider under the same conditions AND IT WORKS!
As far as I recall, the Assembla JCE is hardcoded to only search through the Other People (ADDRESSBOOK) and the Personal (MY) certificate stores, while JCAPI will search through all certificate stores that are defined/available for the current user. In short, this means that the problem cannot be triggered by the Assembla JCE provider, since your UserDS certificate store is never accessed by the Assembla JCE provider.
You can patch your problem by excluding the UserDS certificate store in JCAPI i.e. you can use the following at the beginning of your program:
import java.util.ArrayList;
import java.util.Arrays;
import com.pheox.jcapi.*;

// Read the list of MS CAPI certificate store names that JCAPI will search.
String[] certStores = JCAPIProperties.getInstance().getMSCertStoreNames();
ArrayList<String> al = new ArrayList<String>(Arrays.asList(certStores));
// Drop the Active Directory user store (UserDS) from that list.
al.remove("UserDS");
certStores = al.toArray(new String[0]);
// Hand the reduced list back to JCAPI before the key store is loaded.
JCAPIProperties.getInstance().setMSCertStoreNames(certStores);
However, the code above will only solve your problem temporarily. So, in order to solve it correctly, we'll need some more information from you. Please supply answers to the following questions:
1. Do you have the same problem if you remove the smart card from your reader?
2. Do you have any certificates in your UserDS certificate store? Hint: start the mmc program and add the certificates snap-in ( File -> Add/Remove snap-in.. -> Add -> Certificates), then check if there are any certificates in the Active Directory User Object folder.
3. Do you use the smart card to login on your system?
Regards,
Tommy
Hello Anonymous,
Of course you can use JCAPI within an applet.
Perhaps you can extend your problem description with more detailed information?
I have made a test applet for you to try out, see applettest.zip. If it doesn't work for you, then please inform us about the problem, and please include the stack trace from your Java console.
Cheers,
Tommy
JCAPI version 1.1.0 has been released today.
New main features are:
- Supporting three new MS CAPI & PKCS#11 CSPs tested on hardware tokens provided by Eutron:
  - SI_CSP
  - SafeSign CSP Version 1.0
  - AR Base Cryptographic Provider
- Extended JCAPI SSL plugin now supporting PKCS#11 from Java 5 with automatic configuration of hardware token.
- Supporting removal of PKCS#11 CSPs (both natively supported and user-added).
- Get and set friendly names for certificates in MS CAPI.
- Get friendly names for system stores in MS CAPI.
- Added support for cipher wrapping/unwrapping of asymmetric keys.
- New class available for gathering data about a plugged in hardware PKCS#11 token.
For a complete list of enhancements and bug fixes made, please read the version history.
Our customers can download the commercial (unrestricted) version from the customers download page. Others are welcome to download the evaluation version from our public download page.
Hi,
That's a never-ending question.
Well, how do we want to identify a specific certificate in order to get its JCAPI alias? There are many ways, for example by its public key, by its issuer distinguished name + serial number, by its DER encoded X.509 representation etc. Personally, I prefer to select the certificate through its issuer DN and serial number since these properties make it unique.
Here's an example of how to do it:
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;
import com.pheox.jcapi.*;

public class FindCert
{
    public static void main(String[] args)
    {
        try {
            // Register the JCAPI provider and open the MS CAPI key store.
            Security.addProvider(new JCAPIProvider());
            KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
            ks.load(null, null);

            String alias = null;
            X509Certificate cert = null;
            boolean foundCert = false;

            // Replace these with the issuer DN and serial number of your certificate.
            // Serial numbers may be wider than 32 bits, so they are compared as BigInteger
            // rather than through intValue(), which would silently truncate them.
            X500Principal issuerDN = new X500Principal("O = C&W HKT SecureNet CA SGC Root, C = hk");
            BigInteger serialNum = BigInteger.valueOf(0);

            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); )
            {
                alias = e.nextElement();
                cert = (X509Certificate) ks.getCertificate(alias);
                // getCertificate() returns null for entries without a certificate.
                if (cert != null
                    && cert.getIssuerX500Principal().equals(issuerDN)
                    && cert.getSerialNumber().equals(serialNum))
                {
                    foundCert = true;
                    break;
                }
            }

            if (foundCert)
            {
                System.out.println("I found your certificate with JCAPI alias '" + alias + "':");
                System.out.println(cert);
            }
            else
            {
                System.out.println("Sorry, couldn't find your certificate.");
            }
        } catch (Throwable t) {
            t.printStackTrace();
            System.err.println("Test prog failed. Exiting...");
        }
    }
}
You can find the issuer DN and serial number for your specific certificate through Internet Explorer:
1. Press menu item: Tools -> Internet Options...
2. Press tab: Content
3. Press button: Certificates...
4. Press the tab where your certificate is stored, e.g. Personal
5. Select your certificate from the list.
6. Press button: View
7. Press tab: Details
8. Now you can examine your certificate's issuer DN and serial number.
Btw, please note that the alias thing is not a JCAPI specific requirement. It's a requirement enforced by the JCE (Java Cryptography Extension) framework.
Regards,
Tommy
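The same lookup, written as an added example against the standard JCE KeyStore API only (it is not code from Tommy's post or from the JCAPI distribution), so it runs unchanged against a JCAPI "msks" store, a PKCS12/JKS file or the JDK's cacerts. It goes a little beyond the post: the serial number is taken in the hex form the Details tab displays and compared as a BigInteger, and entries without an X.509 certificate are skipped. The class and method names are mine; a JCAPI user would register the provider first, exactly as in the post above.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

/**
 * Finds the key store alias of a certificate given its issuer DN and serial number.
 * Works with any JCE KeyStore: a provider-backed store opened with ks.load(null, ...)
 * or a file-backed JKS/PKCS12 store.
 */
public class FindCertBySerial {

    /**
     * Parses a serial number as certificate viewers display it, e.g. "00 a1 b2 c3 d4",
     * "00:a1:b2:c3:d4" or "0x00a1b2c3d4". The value is kept as a BigInteger so that
     * serials wider than 31 bits are compared exactly; getSerialNumber().intValue()
     * would truncate them and could report a false match.
     */
    static BigInteger parseSerial(String shown) {
        String hex = shown.trim().replaceAll("[\\s:]", "");
        if (hex.startsWith("0x") || hex.startsWith("0X")) {
            hex = hex.substring(2);
        }
        if (hex.isEmpty()) {
            throw new IllegalArgumentException("empty serial number");
        }
        return new BigInteger(hex, 16);
    }

    /** Returns the alias whose X.509 certificate has the given issuer and serial, or null. */
    static String findAlias(KeyStore ks, X500Principal issuer, BigInteger serial) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            // Secret-key entries return null here; non-X.509 certificates are skipped as well.
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) c;
            // X500Principal.equals() compares canonical forms, so
            // "O = X, C = hk" and "O=X,C=hk" denote the same issuer.
            if (cert.getIssuerX500Principal().equals(issuer)
                    && cert.getSerialNumber().equals(serial)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: FindCertBySerial <type> <path|NONE> <issuer-DN> <serial-hex> [password]");
            System.exit(2);
        }
        char[] password = args.length > 4 ? args[4].toCharArray() : null;
        KeyStore ks = KeyStore.getInstance(args[0]);
        if ("NONE".equals(args[1])) {
            ks.load(null, password);        // provider-backed stores, e.g. JCAPI "msks" or "Windows-MY"
        } else {
            try (FileInputStream in = new FileInputStream(args[1])) {
                ks.load(in, password);      // file-backed stores (JKS, PKCS12)
            }
        }
        String alias = findAlias(ks, new X500Principal(args[2]), parseSerial(args[3]));
        if (alias == null) {
            System.out.println("No certificate with that issuer and serial number.");
        } else {
            System.out.println("Alias: " + alias);
            System.out.println(ks.getCertificate(alias));
        }
    }
}
```

Run it, for instance, as `java FindCertBySerial PKCS12 keystore.p12 "O=Example CA, C=SE" "00 a1 b2 c3 d4" changeit` against a store of your own; the issuer string and serial shown are placeholders. Matching on issuer plus serial rather than on subject is what makes the lookup unambiguous: two certificates from the same CA never share a serial, while subjects are routinely reissued.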
Updated information!
The new PKCS#11 provider included in Java 5 is now supported by the JCAPI SSL plugin, see the following news.
Regards,
Tommy
The first release candidate for JCAPI version 1.1.0 has been released today.
New main features are:
- Supporting three new MS CAPI & PKCS#11 CSPs tested on hardware tokens provided by Eutron:
  - SI_CSP
  - SafeSign CSP Version 1.0
  - AR Base Cryptographic Provider
- Extended JCAPI SSL plugin now supporting PKCS#11 from Java 5 with automatic configuration of hardware token.
- Supporting removal of PKCS#11 CSPs (both natively supported and user-added).
- Get and set friendly names for certificates in MS CAPI.
- Get friendly names for system stores in MS CAPI.
- Added support for cipher wrapping/unwrapping of asymmetric keys.
- New class available for gathering data about a plugged in hardware PKCS#11 token.
Please note that a release candidate is a version whose functionality has been set, implemented and unit tested, but not yet system tested. If you don't feel confident with such a release, then please wait for the sharp version of JCAPI v1.1 to be released.
Our customers can download the commercial (unrestricted) version from the release candidates page. Others are welcome to download the evaluation version from our public download page.
Updated information!
It has, after a technical analysis of the problem, been decided to include support for the new (Java 5) PKCS#11 provider in the JCAPI SSL plugin. It will be included with the current development of JCAPI version 1.1 since it requires some new support functions from the JCAPI PKCS#11 module.
Regards,
Tommy
Hi Joyce,
Currently, you have two disjoint problems:
Problem 1:
The private key stored on your hardware token cannot, for some reason, be referenced at all (that's the reason for you getting the JCAPIJNIRuntimeException). That's a serious problem. Therefore I have to get the following information from you:
1. What hardware token are you using? Vendor? Model?
2. Is your hardware token PKCS#11 compliant? If yes, what PKCS#11 Cryptographic Service Provider (CSP) does it use?
Please note that JCAPI only supports four PKCS#11 CSPs by default (please read "Supported PKCS#11 CSPs" in the JCAPI User's Guide). If your CSP is not supported by default, then you have to manually add it to JCAPI (please read "Managing the PKCS#11 CSPs" in the JCAPI User's Guide) in order for it to work.
The reason for my questions regarding the PKCS#11 support for your hardware token is that some providers do not implement the MS CAPI functions required by JCAPI when accessing the private key. On these occasions, this restriction can be circumvented by using the PKCS#11 layer instead of the MS CAPI layer, but this will require that there exists a PKCS#11 provider (a DLL file) for your hardware token.
Problem 2:
As I mentioned before, the JCAPI key store cannot be used for SSL when the private key is not exportable, simply because SSL (JSSE) requires the native private key, but this native key cannot be exported from a hardware token.
In other words, you have to implement the SSL support yourself. Java 5 includes support for a PKCS#11 provider that can be used for this.
We can of course implement support for this in our JCAPI SSL plugin, but it will require some effort, and this functionality is not part of our current product road map. So, we cannot tell when this functionality will be available.
Regards,
Tommy
Hi,
That's correct, you cannot write your own plug-in for JCAPI since it has to be signed with our code signing certificate. The signature of the plug-in is always verified before the JAR is loaded.
What you have to do is to write your own SSL manager code (it does not have to be a JCAPI plug-in). Our SSL plug-in uses the JCAPI key store, while you want to use a PKCS#11 key store.
Regards,
Tommy
Hi Joyce,
It is not possible to use a hardware token for SSL. The reason is that the JSSE layer (the javax.net.ssl.X509KeyManager interface) requires the private key to be exported from the key store (that key is not exportable from a hardware token). The guys at SUN have been thinking about this and thus released (in Java 5) a new PKCS#11 provider, please see:
http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
If you want to use your PKCS#11 enabled hardware token in SSL, then follow the instructions given at "3.5 Tokens as JSSE Keystore and Trust Stores" in the above mentioned link.
However, the exception you got is very strange. If you have used a hardware token when using the JCAPI SSL plugin, then you would have gotten the following exception:
javax.net.ssl.SSLHandshakeException: Error signing certificate verify
Could you please enable the JCAPI SSL logging and send us the result in order for us to track the cause of your exception? Here is how to enable logging:
JCAPISSLFactory f = JCAPIProperties.getInstance().getSSLFactory();
f.setLogging(true); //Use this for SSL logging.
Cheers,
Tommy
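What section 3.5 of the linked guide boils down to, as an added example (my code, not JCAPI's or Sun's): the token is registered as a SunPKCS11 provider, opened as a key store of type "PKCS11", and handed to a KeyManagerFactory. JSSE then receives a PrivateKey handle whose signing operation runs inside the token, so the non-exportable key never has to leave the hardware, which is exactly the limitation described above for the JCAPI key store. The token name, the library path and the class name are assumptions; the inline "--" configuration and Provider.configure() exist from Java 9 on, while on Java 5 to 8 the provider is created with new sun.security.pkcs11.SunPKCS11(configFilePath) instead.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext whose client certificate and private key live on a PKCS#11 token.
 * The private key is never exported: JSSE only holds a handle, and the token performs
 * the TLS client-authentication signature itself.
 */
public class Pkcs11SslContext {

    // Assumed values: the token name is arbitrary, the library path is vendor specific (placeholder).
    static final String TOKEN_NAME = "MyToken";
    static final String PKCS11_LIBRARY = "/path/to/vendor-pkcs11-module.dll";

    /** SunPKCS11 configuration passed inline; the leading "--" tells the provider it is not a file path. */
    static String pkcs11Config() {
        return "--name=" + TOKEN_NAME + "\nlibrary=" + PKCS11_LIBRARY + "\n";
    }

    /**
     * Returns an SSLContext that authenticates the client with the key on the token.
     * The PIN is only used to log in to the token when the key store is loaded.
     */
    static SSLContext build(char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(pkcs11Config());
        Security.addProvider(p);

        // Key store type "PKCS11": loading logs in to the token, there is no stream to read.
        KeyStore tokenStore = KeyStore.getInstance("PKCS11", p);
        tokenStore.load(null, pin);

        // Null key password: PKCS#11 keys are protected by the token login, not by a per-key password.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(tokenStore, null);

        // Trust anchors still come from an ordinary trust store; null selects the JDK default (cacerts).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: Pkcs11SslContext <token-PIN>");
            System.exit(2);
        }
        SSLContext ctx = build(args[0].toCharArray());
        // ctx.getSocketFactory() now yields sockets that present the token's certificate
        // when a server requests client authentication.
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

The same SSLContext can be plugged into HttpsURLConnection via setSSLSocketFactory(ctx.getSocketFactory()), which is the piece the post says has to be written outside the JCAPI SSL plugin. Passing the PIN on the command line is for illustration only; a real program reads it from a console prompt or a PIN pad.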
Hi,
We must be able to reproduce your error condition in order to solve it.
Could you please provide us with a minimal WAR file that triggers your error?
If not, you have to give more information about your environment such as: where did you put the JCAPI JAR file (common/lib, shared/lib, <webapp>/WEB-INF/lib etc), did you unjar the JCAPI jar file, is our provider added in a static context etc?
Regards,
Tommy
A new version of JCAPI SSL Plugin has been released.
Version 1.0.2 (2005-09-23):
BUGFIX: During client authentication, some certificate issuers received from an SSL-enabled server were incorrectly considered invalid by the JCAPI SSL Plugin.
You can download the latest version from our download page.
The JCAPI SSL Plugin v1.0.2 will be included in the next release of JCAPI (current JCAPI release is 1.0.1).
Regards,
Tommy
A minor but still important upgrade of JCAPI has been released.
Version 1.0.1 (2005-06-30):
ENHANCEMENT: JCAPI and all plugins are now signed with a qualified code signing certificate issued by a CA that is trusted by all modern web browsers.
Regards,
Tommy
Today, the Pheox JCAPI JCE provider was released for the first time.
Regards,
Tommy