Question regarding RSA Encryption and Token

daubsi · April 19th, 2009, 12:22 PM

Hello,

first of all: thanks for this _great_ book! I learned a lot from it!

I am currently trying to interact with an Aladdin eToken via PKCS11.
The PKCS11 provider is setup and I can read the 3 stored certificates and the key.

Setup file contains:
name = eTokenPKCS11
library = C:/windows/system32/eTPKCS11.dll
description = Aladdin eToken Pro PKCS11 Provider

Code:

char[] pin = "mypassword".toCharArray();
KeyStore ks = KeyStore.getInstance("PKCS11");
        
ks.load(null,pin);        
System.out.println("Token contains " + ks.size() + " entries.");
while (enumerator.hasMoreElements()) {
   String alias = enumerator.nextElement();
     Key privKey = ks.getKey(alias, null);
     ...

privKey.getAlgorithm() returns "RSA". privKey.getEncoded() returns null.

privKey is defined as
"SunPKCS11-eTokenPKCS11 RSA private key, 2048 bits (id 43450373, token object, sensitive, unextractable)" in Eclipse's variable inspector (it is unextractable because I cannot get it from the token of course)

---
Now I want to perform some tests:

Code:

Cipher cipher = Cipher.getInstance("RSA/None/NoPadding","BC");
cipher.init(Cipher.ENCRYPT_MODE, c1.getPublicKey()); // c1 = Certificate for Key "privKey"
byte[] output = cipher.doFinal(input);

cipher.init(Cipher.DECRYPT_MODE, privKey);           
byte[] plain = cipher.doFinal(output);

The code breaks at "cipher.init(DECRYPT_MODE, privKey") with "unknown key type passed to RSA".
I've alreasy tried to cast it to "RSAPrivateKey" but the cast was "invalid"..

---

Then I tried to sign something:

Code:

Signature sig = Signature.getInstance("DSA", "BC");
sig.initSign((PrivateKey) privKey);
sig.update(input);

Again I get "Can't identify DSA private key"...

What am I doing wrong?

How do I use my token for encryption/decryption, signing of data?
After all: Do I actually use "getInstance("XYZ/....")" with the provider BC?? I mean: The cryptographic operation is performed by the token not the BC code, isn't it? But "getInstance("XYZ/...", "PKCS11")" failes with "No such provider"

Thanks for your help!

daubsi · April 19th, 2009, 02:49 PM

I figured it out!

I needed to use the provider name "SunPKCS11-<MyName>", which is "SunPKCS11-eTokenPKCS11" in my case according to the config.
Afterwards I then can use e.g.

Code:

public void encryptTest(byte[] data, PrivateKey privKey, PublicKey pubKey) throws Exception {
        // Encrypting using RSA
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding","SunPKCS11-eTokenPKCS11");
        cipher.init(Cipher.ENCRYPT_MODE, pubKey);
        byte[] output = cipher.doFinal(data);
        System.out.println("Encrypted: " + Utils.toHex(output));
        
        cipher.init(Cipher.DECRYPT_MODE, privKey);
        
        byte[] plain = cipher.doFinal(output);
        System.out.println("Decrypted: " + Utils.toString(plain));
    }

with the keys obtained from the KeyStore.

Remember to have a look at the provider capabilities, e.g. via:

Code:

Provider p = new sun.security.pkcs11.SunPKCS11(eTokenconfigName);
        Security.addProvider(p);
        
        List arrayList = new ArrayList();
            
        Iterator<Object> it = p.keySet().iterator();
        
        while (it.hasNext()) {
            String entry = (String) it.next();
            if (entry.startsWith("Alg.Alias.")) {
                entry = entry.substring("Alg.Alias.".length());
            }
            
            String factoryClass = entry.substring(0, entry.indexOf('.'));
            String name = entry.substring(factoryClass.length() + 1);
            arrayList.add(factoryClass + ": " + name);
        
        }
        Collections.sort(arrayList);
        Iterator<String> is = arrayList.iterator();
        while (is.hasNext()) {
            System.out.println(is.next());
        }

An Aladdin eToken Pro Java 72k offers the following capabilities for example:

Cipher: AES/CBC/NoPadding
Cipher: ARCFOUR
Cipher: DES/CBC/NoPadding
Cipher: DESede/CBC/NoPadding
Cipher: RC4
Cipher: RSA/ECB/PKCS1Padding
KeyFactory: RSA
KeyGenerator: AES
KeyGenerator: ARCFOUR
KeyGenerator: DES
KeyGenerator: DESede
KeyGenerator: RC4
KeyPairGenerator: RSA
KeyStore: PKCS11
KeyStore: PKCS11-eTokenPKCS11
Mac: HmacMD5
Mac: HmacSHA1
MessageDigest: MD5
MessageDigest: SHA
MessageDigest: SHA-1
MessageDigest: SHA-256
MessageDigest: SHA1
SecretKeyFactory: AES
SecretKeyFactory: ARCFOUR
SecretKeyFactory: DES
SecretKeyFactory: DESede
SecretKeyFactory: RC4
SecureRandom: PKCS11
Signature: MD2withRSA
Signature: MD5withRSA
Signature: SHA1withRSA
Signature: SHA256withRSA
Signature: SHA384withRSA
Signature: SHA512withRSA

dgh · April 28th, 2009, 06:52 PM

You can only use the PKCS11 provider in this context. Normally the key material is restricted to the hardware, so is not visible to a software provider like BC.

Regards,

David

murthybn99 · October 15th, 2012, 02:53 PM

I am currently trying to establish SSL connectivity using eToken via PKCS11.
The PKCS11 provider is setup and I can read the 3 stored certificates as a key Store Object.
But I am getting the following exception while trying to establish SSL connectivity.
I am using JDK 6.0(java version "1.6.0_31-rev).

at java.lang.Thread.run(Unknown Source)
Caused by: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-aladdin-0 RSA private key, 2048 bits (id 147980297, token object, sensitive, unextractable)
at sun.security.mscapi.RSACipher.engineGetKeySize(RSA Cipher.java:384)
at javax.crypto.Cipher.b(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)

Code:
-----
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
KeyStore keyStore = getClientKeyStore(); //read Smart Card Token to get the Certificate
kmf.init(keyStore, "mycardPin".toCharArray()); //#### hard coded the i/p parms

TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream("C:\\Users\\usr1\\Desktop\\Certifi cates\\mycertca.jks"), "mycardPin".toCharArray());
tmf.init(trustStore);

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
factory = sslContext.getSocketFactory();
sslClient = (SSLSocket) factory.createSocket(host, port);
sslClient.startHandshake(); //<--- code is breaking here with the above exception

I am struggling like anything for the last 4 days to get rid of this issue. Pls let me know is there any work-around to fix this issue.
I really appreciate your help.

dgh · October 15th, 2012, 06:43 PM

You'll only see if this if you are using the wrong provider for the key type (as in the key is created with one provider, but then you try and use it with another). You need to make sure the SSL layer is using the PKCS11 provider as well.

Regards,

David

debabrata.s4du · December 30th, 2012, 08:24 AM

while i am trying to encrypt using private key then i got the error "Private key must be instance of RSA Private(Crt)Key or have PKCS#8 encoding" can anyone say where is the problem my private key is RSAPrivateKey [size=2048 bits, type=Exchange, container=le-a556d7eb-3a7a-432c-97b3-4216c463aba6]

dgh · January 1st, 2013, 08:13 PM

If you are seeing this error it means you are trying to use a PrivateKey from one provider with a Cipher for different provider. You need to make sure the Cipher is instanced from the same provider, or that you are able to use a KeyFactory to convert the PrivateKey into one that is appropriate for the provider that owns the Cipher.

Regards,

David