BOOK: Beginning Cryptography with Java
This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339

You are currently viewing the BOOK: Beginning Cryptography with Java section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old April 19th, 2009, 12:22 PM
Registered User
 
Join Date: Apr 2009
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Question regarding RSA Encryption and Token

Hello,

First of all: thanks for this _great_ book! I learned a lot from it!

I am currently trying to interact with an Aladdin eToken via PKCS11.
The PKCS11 provider is set up and I can read the 3 stored certificates and the key.

Setup file contains:
name = eTokenPKCS11
library = C:/windows/system32/eTPKCS11.dll
description = Aladdin eToken Pro PKCS11 Provider

Code:
import java.security.Key;
import java.security.KeyStore;
import java.util.Enumeration;

char[] pin = "mypassword".toCharArray();
KeyStore ks = KeyStore.getInstance("PKCS11");

ks.load(null, pin);        // no input stream for a hardware keystore; the PIN is the "password"
System.out.println("Token contains " + ks.size() + " entries.");
Enumeration<String> enumerator = ks.aliases();
while (enumerator.hasMoreElements()) {
    String alias = enumerator.nextElement();
    Key privKey = ks.getKey(alias, null);   // PIN was already supplied in load()
    ...
}
privKey.getAlgorithm() returns "RSA". privKey.getEncoded() returns null.

privKey is defined as
"SunPKCS11-eTokenPKCS11 RSA private key, 2048 bits (id 43450373, token object, sensitive, unextractable)" in Eclipse's variable inspector (it is unextractable because I cannot get it from the token of course)

---
Now I want to perform some tests:
Code:
import javax.crypto.Cipher;

Cipher cipher = Cipher.getInstance("RSA/None/NoPadding", "BC");   // BC = software provider
cipher.init(Cipher.ENCRYPT_MODE, c1.getPublicKey()); // c1 = Certificate for key "privKey"
byte[] output = cipher.doFinal(input);

cipher.init(Cipher.DECRYPT_MODE, privKey);           // privKey = the token key from the KeyStore above
byte[] plain = cipher.doFinal(output);
The code breaks at "cipher.init(DECRYPT_MODE, privKey)" with "unknown key type passed to RSA".
I've already tried to cast it to "RSAPrivateKey", but the cast was "invalid".

---

Then I tried to sign something:
Code:
import java.security.PrivateKey;
import java.security.Signature;

Signature sig = Signature.getInstance("DSA", "BC");   // "DSA" requested although privKey is an RSA key
sig.initSign((PrivateKey) privKey);
sig.update(input);
    
Again I get "Can't identify DSA private key"...

What am I doing wrong?

How do I use my token for encryption/decryption, signing of data?
After all: Do I actually use "getInstance("XYZ/....")" with the provider BC? I mean: the cryptographic operation is performed by the token, not by the BC code, isn't it? But "getInstance("XYZ/...", "PKCS11")" fails with "No such provider".

Thanks for your help!
 
Old April 19th, 2009, 02:49 PM
Registered User
 
Join Date: Apr 2009
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts

I figured it out!

I needed to use the provider name "SunPKCS11-<MyName>", which is "SunPKCS11-eTokenPKCS11" in my case according to the config.
Afterwards I can then use, e.g.:

Code:
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.crypto.Cipher;

public void encryptTest(byte[] data, PrivateKey privKey, PublicKey pubKey) throws Exception {
    // Encrypting using RSA, with the Cipher taken from the token's own provider
    Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", "SunPKCS11-eTokenPKCS11");
    cipher.init(Cipher.ENCRYPT_MODE, pubKey);
    byte[] output = cipher.doFinal(data);
    System.out.println("Encrypted: " + Utils.toHex(output));       // Utils = the book's helper class

    // Decrypting on the token: privKey never leaves the device
    cipher.init(Cipher.DECRYPT_MODE, privKey);

    byte[] plain = cipher.doFinal(output);
    System.out.println("Decrypted: " + Utils.toString(plain));
}
with the keys obtained from the KeyStore.

Remember to have a look at the provider capabilities, e.g. via:
Code:
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// eTokenconfigName = path to the SunPKCS11 config file shown in the first post
// (the sun.security.pkcs11.SunPKCS11 constructor is the Java 6/7/8 way of loading it)
Provider p = new sun.security.pkcs11.SunPKCS11(eTokenconfigName);
Security.addProvider(p);

List<String> capabilities = new ArrayList<String>();

for (Object key : p.keySet()) {
    String entry = (String) key;
    if (entry.startsWith("Alg.Alias.")) {
        entry = entry.substring("Alg.Alias.".length());
    }

    // entries look like "Cipher.RSA/ECB/PKCS1Padding": split into service type and algorithm
    String factoryClass = entry.substring(0, entry.indexOf('.'));
    String name = entry.substring(factoryClass.length() + 1);
    capabilities.add(factoryClass + ": " + name);
}
Collections.sort(capabilities);
for (String capability : capabilities) {
    System.out.println(capability);
}
An Aladdin eToken Pro Java 72k offers the following capabilities for example:

Cipher: AES/CBC/NoPadding
Cipher: ARCFOUR
Cipher: DES/CBC/NoPadding
Cipher: DESede/CBC/NoPadding
Cipher: RC4
Cipher: RSA/ECB/PKCS1Padding
KeyFactory: RSA
KeyGenerator: AES
KeyGenerator: ARCFOUR
KeyGenerator: DES
KeyGenerator: DESede
KeyGenerator: RC4
KeyPairGenerator: RSA
KeyStore: PKCS11
KeyStore: PKCS11-eTokenPKCS11
Mac: HmacMD5
Mac: HmacSHA1
MessageDigest: MD5
MessageDigest: SHA
MessageDigest: SHA-1
MessageDigest: SHA-256
MessageDigest: SHA1
SecretKeyFactory: AES
SecretKeyFactory: ARCFOUR
SecretKeyFactory: DES
SecretKeyFactory: DESede
SecretKeyFactory: RC4
SecureRandom: PKCS11
Signature: MD2withRSA
Signature: MD5withRSA
Signature: SHA1withRSA
Signature: SHA256withRSA
Signature: SHA384withRSA
Signature: SHA512withRSA
 
Old April 28th, 2009, 06:52 PM
dgh dgh is offline
Wrox Author
 
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts

You can only use the PKCS11 provider in this context. Normally the key material is restricted to the hardware, so is not visible to a software provider like BC.

Regards,

David
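
The point made in the two posts above (ask the provider that owns the token key for the Cipher or Signature, and don't expect a software provider to accept that key) as a complete program. This is an added example, not code from the book or from the posters. It assumes a SunPKCS11 config file named "eToken.cfg" like the one in the first post, a token whose PIN is typed at the console (or passed as the first argument when there is no console), the Java 9+ `Provider.configure` way of loading SunPKCS11 (the Java 8 constructor used in the post is noted in a comment), and that the token holds at least one certificate with its private key.

```java
import java.io.Console;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Sign with a private key that lives on a PKCS#11 token, using the provider that owns the key.
 * Added example; "eToken.cfg" and the console PIN prompt are assumptions, not from the thread.
 */
public class TokenSignExample {

    public static Provider loadTokenProvider(String configPath) {
        // Java 9+: configure the built-in SunPKCS11 provider from a config file.
        // Java 8 equivalent (as in the post above): new sun.security.pkcs11.SunPKCS11(configPath)
        Provider p = Security.getProvider("SunPKCS11").configure(configPath);
        Security.addProvider(p);            // registered under the name "SunPKCS11-<name>"
        return p;
    }

    public static KeyStore openToken(Provider p, char[] pin) throws Exception {
        // Ask for the PKCS11 KeyStore of this specific provider, not just any "PKCS11".
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                 // no stream: the PIN logs in to the token
        return ks;
    }

    /** First alias on the token that has a private key, or null if there is none. */
    public static String firstKeyAlias(KeyStore ks) throws Exception {
        List<String> aliases = Collections.list(ks.aliases());
        for (String alias : aliases) {
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        return null;
    }

    /** Sign on the token and verify in software; returns true if the signature checks out. */
    public static boolean signAndVerify(KeyStore ks, String alias, byte[] data) throws Exception {
        PrivateKey priv = (PrivateKey) ks.getKey(alias, null);     // PIN already given at load()
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        // ks.getProvider() is the SunPKCS11-<name> provider. The private key is marked
        // sensitive/unextractable, so only this provider can operate with it.
        Signature signer = Signature.getInstance("SHA256withRSA", ks.getProvider());
        signer.initSign(priv);
        signer.update(data);
        byte[] sig = signer.sign();

        // The public key from the certificate is ordinary software key material,
        // so verification may use whatever provider is found first.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        return verifier.verify(sig);
    }

    /** True only if a software provider can take over the key, i.e. the key material is exportable. */
    public static boolean usableBySoftwareProvider(PrivateKey key) {
        try {
            KeyFactory.getInstance("RSA", "SunRsaSign").translateKey(key);
            return true;
        } catch (Exception e) {             // InvalidKeyException for a sensitive, unextractable token key
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        char[] pin = console != null ? console.readPassword("Token PIN: ") : args[0].toCharArray();
        try {
            Provider p = loadTokenProvider("eToken.cfg");           // assumed config file name
            KeyStore ks = openToken(p, pin);
            String alias = firstKeyAlias(ks);
            byte[] data = "hello token".getBytes("UTF-8");
            System.out.println("provider:  " + ks.getProvider().getName());
            System.out.println("alias:     " + alias);
            System.out.println("verified:  " + signAndVerify(ks, alias, data));
            PrivateKey priv = (PrivateKey) ks.getKey(alias, null);
            System.out.println("software providers can use this key: " + usableBySoftwareProvider(priv));
        } finally {
            Arrays.fill(pin, '\0');                                 // don't leave the PIN in memory
        }
    }
}
```

The provider name is never spelled out here: `KeyStore.getInstance("PKCS11", p)` binds the KeyStore to the configured provider, and `ks.getProvider()` hands the same provider to `Signature.getInstance`, which is what the second post achieved with the literal string "SunPKCS11-eTokenPKCS11". `usableBySoftwareProvider` is the check to run before trying the BC (or any software) route: it comes back false for the key described in the first post ("sensitive, unextractable", `getEncoded()` returning null), which is exactly why the BC Cipher rejected it.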
 
Old October 15th, 2012, 02:53 PM
Registered User
 
Join Date: Oct 2012
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
SSL handshake issue using Java PKCS11

I am currently trying to establish SSL connectivity using eToken via PKCS11.
The PKCS11 provider is set up and I can read the 3 stored certificates as a KeyStore object.
But I am getting the following exception while trying to establish SSL connectivity.
I am using JDK 6.0 (java version "1.6.0_31-rev").

at java.lang.Thread.run(Unknown Source)
Caused by: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-aladdin-0 RSA private key, 2048 bits (id 147980297, token object, sensitive, unextractable)
at sun.security.mscapi.RSACipher.engineGetKeySize(RSACipher.java:384)
at javax.crypto.Cipher.b(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)

Code:
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
KeyStore keyStore = getClientKeyStore(); // read Smart Card Token to get the Certificate (PKCS11 KeyStore)
kmf.init(keyStore, "mycardPin".toCharArray()); //#### hard coded the i/p parms


TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream("C:\\Users\\usr1\\Desktop\\Certificates\\mycertca.jks"), "mycardPin".toCharArray());
tmf.init(trustStore);

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
SSLSocketFactory factory = sslContext.getSocketFactory();
SSLSocket sslClient = (SSLSocket) factory.createSocket(host, port);
sslClient.startHandshake(); //<--- code is breaking here with the above exception

I have been struggling like anything for the last 4 days to get rid of this issue. Please let me know if there is any work-around to fix this issue.
I really appreciate your help.
 
Old October 15th, 2012, 06:43 PM
dgh dgh is offline
Wrox Author
 
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts

You'll only see this if you are using the wrong provider for the key type (as in the key is created with one provider, but then you try and use it with another). You need to make sure the SSL layer is using the PKCS11 provider as well.

Regards,

David
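
A TLS client that follows the advice in the reply above, so that the handshake uses the PKCS11 provider for the token key. This is an added example, not code from the book or from the posters. It assumes a SunPKCS11 config file "eToken.cfg" (as in the first post of the thread), a JKS trust store "truststore.jks" holding the server's CA with its own password, host and port on the command line, and the Java 9+ `Provider.configure` call (the Java 8 constructor is noted in a comment). Putting the token provider at position 1 is the approach chosen here: the stack trace in the post shows `sun.security.mscapi.RSACipher` being handed the token key, i.e. a provider-less lookup inside JSSE found SunMSCAPI before the dynamically added SunPKCS11 provider.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * TLS client authentication with a certificate whose private key sits on a PKCS#11 token.
 * Added example; "eToken.cfg" and "truststore.jks" are assumed file names.
 */
public class TokenTlsClient {

    public static SSLContext buildContext(String pkcs11Config, char[] pin,
                                          String trustStorePath, char[] trustStorePassword) throws Exception {
        // Java 9+; on Java 8 use: new sun.security.pkcs11.SunPKCS11(pkcs11Config)
        Provider p = Security.getProvider("SunPKCS11").configure(pkcs11Config);
        // Position 1: JSSE asks for RSA Signature/Cipher implementations without naming a
        // provider, so the token provider must be found before SunMSCAPI/SunRsaSign.
        Security.insertProviderAt(p, 1);

        // Client certificate and private key: this KeyStore is backed by the token itself.
        KeyStore clientKs = KeyStore.getInstance("PKCS11", p);
        clientKs.load(null, pin);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, pin);            // for a PKCS11 KeyStore the "key password" is the PIN again

        // Trust anchors come from an ordinary file-based store with its own password,
        // not from the token and not protected by the card PIN.
        KeyStore trustKs = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustKs.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        Console console = System.console();
        char[] pin = console.readPassword("Token PIN: ");
        char[] tsPass = console.readPassword("Trust store password: ");
        try {
            SSLContext ctx = buildContext("eToken.cfg", pin, "truststore.jks", tsPass);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
                s.startHandshake();         // the client's CertificateVerify is signed on the token
                System.out.println("negotiated " + s.getSession().getProtocol()
                        + " with " + s.getSession().getPeerPrincipal());
            }
        } finally {
            Arrays.fill(pin, '\0');
            Arrays.fill(tsPass, '\0');
        }
    }
}
```

One side effect to be aware of: with the token at position 1, every provider-less lookup for an algorithm the token advertises (the capability list in the second post includes SHA-256, AES, HMAC and SecureRandom) is now served by the token, which is slow and ties those operations to the device being present. The SunPKCS11 config file can narrow what the provider offers with the `disabledMechanisms` / `enabledMechanisms` attributes, so that only the RSA operations on the stored key go through the token while digests and symmetric ciphers stay in software.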
 
Old December 30th, 2012, 08:24 AM
Registered User
 
Join Date: Dec 2012
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Private key must be instance of RSA Private(Crt)Key or have PKCS#8 encoding

While I am trying to encrypt using a private key I get the error "Private key must be instance of RSA Private(Crt)Key or have PKCS#8 encoding". Can anyone say where the problem is? My private key is RSAPrivateKey [size=2048 bits, type=Exchange, container=le-a556d7eb-3a7a-432c-97b3-4216c463aba6]
 
Old January 1st, 2013, 08:13 PM
dgh dgh is offline
Wrox Author
 
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts

If you are seeing this error it means you are trying to use a PrivateKey from one provider with a Cipher for different provider. You need to make sure the Cipher is instanced from the same provider, or that you are able to use a KeyFactory to convert the PrivateKey into one that is appropriate for the provider that owns the Cipher.

Regards,

David
