| Message |
|
|
Does the JCAPI API version 1.x provide a method to add a CA cert into the MS CAPI's ROOT store?
If there is, would you point out the classes involved?
Thanks,
Andrew
|
 |
|
|
Sure, no worries. I'm looking forward to the next JCAPI 2.x release.
Thanks.
|
 |
|
|
Related to the above issue, after some research, here is the summary:
The certificate+key is installed by JCAPI with administration rights into the local machine's Trusted People. The current user or System account can export the public+private keys. However, a user of another account can't export the private key.
In comparison, with a manual p12 import using the Windows 7 MMC into the local machine's Trusted People, the current user or System account can export the key, and a user of another account can also export the private key.
Can JCAPI allow a user of another account to export the key? If yes, how do I go about it?
TIA
|
 |
|
|
Hi Tommy,
After importing the keystore into the Windows "Trusted People" store, the cert is used by the Windows WCF service. The private key is used for digitally signing an outbound message and decrypting an inbound message. However, I got an error "keyset not found" when signing an outgoing message.
Below is the code used for the JCAPI settings:
----------------------------------------------------------------------------------
// Register the JCAPI provider
java.security.Security.addProvider(new JCAPIProvider());
// Ask JCAPI to mark imported private keys as exportable
JCAPIProperties.getInstance().setPrivateKeyExportable(true);
// Root certificates go to Trusted Root CAs, key entries to Trusted People
JCAPIProperties.getInstance().setMSRootCertStoreName(MSCertConstant.MS_TRUSTEDROOT_CERT_AUTH);
JCAPIProperties.getInstance().setMSKeyEntryStoreName(MSCertConstant.MS_TRUSTED_PEOPLE);
// Use the local machine store location instead of the current user's
JCAPISystemStoreRegistryLocation locallocation = new JCAPISystemStoreRegistryLocation(
        JCAPISystemStoreRegistryLocation.CERT_SYSTEM_STORE_LOCAL_MACHINE);
JCAPIProperties.getInstance().setSystemStoreRegistryLocation(locallocation);
-------------------------------------------------------------------------------------
I searched on the error and got the impression that the issue is related to permissions?
Can JCAPI handle key storage flags such as MachineKeySet or PersistKeySet? Exportable is one of them.
TIA
|
 |
|
|
Hi,
I'm developing a small application that is capable of importing a pfx (self-signed CA from PKCS12) into the MS store (MSKS) using JCAPI.
Is JCAPI-1.2.5.1 able to make the private key exportable?
The following is the code that does the import. However, the key is not exportable when using the Windows CertMgr tool.
-----------------------------------------------------------
import java.io.File;
import java.io.FileInputStream;
import java.security.Key;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
// JCAPIProvider and JCAPIProperties come from the JCAPI jar.

// Load the PKCS#12 file and take its first alias
char[] pwd = "1".toCharArray();
FileInputStream fis = new FileInputStream(new File("a.pfx"));
java.security.KeyStore pkcsKeyStore = java.security.KeyStore.getInstance("PKCS12");
pkcsKeyStore.load(fis, pwd);
fis.close();
String alias = null;
Enumeration<String> e = pkcsKeyStore.aliases();
if (e.hasMoreElements()) {
    alias = e.nextElement();
}

// Extract the private key and its certificate chain
Key key = pkcsKeyStore.getKey(alias, pwd);
Certificate[] certs = pkcsKeyStore.getCertificateChain(alias);
X509Certificate[] x509certs = new X509Certificate[certs.length];
for (int i = 0; i < certs.length; i++) {
    x509certs[i] = (X509Certificate) certs[i];
}

// Register JCAPI and open the Microsoft keystore
java.security.Security.addProvider(new JCAPIProvider());
java.security.KeyStore msksKeyStore = java.security.KeyStore.getInstance("msks", "JCAPI");
msksKeyStore.load(null, null);
JCAPIProperties.getInstance().setPrivateKeyExportable(true);
JCAPIProperties.getInstance().setMSRootCertStoreName("ROOT");
JCAPIProperties.getInstance().setMSKeyEntryStoreName("MY");

// Import the key entry (the duplicate pkcsKeyStore declaration here did not compile and is removed)
msksKeyStore.setKeyEntry(alias, key, pwd, x509certs);
--------------------------------------------------------------
Thanks,
Andrew
|
 |
|
|