Java Security

Problem getting private key from PKCS#11 device

843811 Apr 3 2009 — edited Apr 8 2009
Hello all,

I have a Java application that loads various PKCS#11 providers, for example NSS and eID. I want to be able to generate PKCS#1 signatures using the keys stored on those tokens. I've used the following test code:

        Provider p2 = new sun.security.pkcs11.SunPKCS11(configBeid);
        Security.addProvider(p2);

        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("Provider " + i + ": " + providers[i].getName());
        }

        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p1);
            ks.load(null, null);
            System.out.println("The algorithm " + ks.getType());
            System.out.println("The provider " + ks.getProvider());
            System.out.println("the number of certs " + ks.size());

            X509Certificate x509Cert = null;
            Certificate c;

            for (Enumeration<String> list = ks.aliases(); list.hasMoreElements();) {
                String alias = list.nextElement();
                System.out.println(alias);
                c = ks.getCertificate(alias);
                //System.out.println(c.toString());
                x509Cert = (X509Certificate) c;
                System.out.println("--> Subject: " + x509Cert.getSubjectDN().getName());
                System.out.println("--> Issuer: " + x509Cert.getIssuerDN().getName());
                System.out.println("--> NotBefore: " + x509Cert.getNotBefore().toString());
                System.out.println("--> NotAfter: " + x509Cert.getNotAfter().toString());
            }

            //Signing test
            String hash = "67Vz7or3fAge1eo0ahO/S1YiCmo=";
            byte[] sha1_data = new BASE64Decoder().decodeBuffer(hash); //I know I shouldn't use this decoder, but it's for testing purposes only

            //Method 2:
            // Encrypt digest
            Cipher cipher = Cipher.getInstance("RSA");
            cipher.init(Cipher.ENCRYPT_MODE, (PrivateKey) ks.getKey("Signature", null)); //This is where it crashes
            byte[] signature = cipher.doFinal(sha1_data);
        } catch (Exception e) {
            e.printStackTrace();
        }

My code crashes on the cipher.init line with the following error:

java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
        at javax.crypto.Cipher.a(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)

When I also load the BouncyCastle provider: Security.addProvider(new BouncyCastleProvider()); the following error occurs:

java.lang.IllegalArgumentException: not an RSA key!
        at org.bouncycastle.jce.provider.JCERSACipher.engineGetKeySize(Unknown Source)
        at javax.crypto.Cipher.b(DashoA13*..)

So I'd like to know how I can convert a P11Key$P11PrivateKey to an RSAPrivateKey, or another solution that will make this code work.

Thanks in advance to anyone who's trying to help!
Stephanie
Post Details
Locked on May 6 2009
Added on Apr 3 2009
8 comments
6,532 views
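
A `P11Key$P11PrivateKey` is a handle to a key that stays on the token, so there is no `RSAPrivateKey` to convert it to; the operation has to be requested from the provider that returned the key. The added example below (not part of the original post or of any reply) signs a precomputed SHA-1 digest that way by wrapping it in the PKCS#1 v1.5 DigestInfo. The class and method names are hypothetical, a software key pair stands in for the token so it runs offline, and it is an assumption that a given token's PKCS#11 module exposes the RSA mechanism through the provider's Cipher service.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;

public class TokenSignSketch {
    // DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-1 (RFC 8017, section 9.2)
    private static final byte[] SHA1_DIGEST_INFO = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
        0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

    /** Signs a precomputed SHA-1 digest inside the provider that owns the key. */
    static byte[] signSha1Digest(PrivateKey key, Provider owner, byte[] digest)
            throws GeneralSecurityException {
        if (digest.length != 20) {
            throw new IllegalArgumentException("SHA-1 digest must be 20 bytes");
        }
        byte[] digestInfo = new byte[SHA1_DIGEST_INFO.length + digest.length];
        System.arraycopy(SHA1_DIGEST_INFO, 0, digestInfo, 0, SHA1_DIGEST_INFO.length);
        System.arraycopy(digest, 0, digestInfo, SHA1_DIGEST_INFO.length, digest.length);
        // A private key in ENCRYPT_MODE with PKCS1Padding gets type-1 (signature) padding.
        Cipher rsa = (owner == null)
                ? Cipher.getInstance("RSA/ECB/PKCS1Padding")
                : Cipher.getInstance("RSA/ECB/PKCS1Padding", owner);
        rsa.init(Cipher.ENCRYPT_MODE, key);
        return rsa.doFinal(digestInfo);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the token: a software RSA key pair.
        // With a token: key = (PrivateKey) ks.getKey("Signature", null),
        //               owner = ks.getProvider().
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();

        byte[] data = "constructed sample document".getBytes(StandardCharsets.UTF_8);
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(data);
        byte[] sig = signSha1Digest(pair.getPrivate(), null, digest);

        // Verification needs only the public key, so it runs in a software provider.
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(pair.getPublic());
        verifier.update(data);
        System.out.println("signature verifies: " + verifier.verify(sig));
    }
}
```

When the original data is available rather than only its hash, `Signature.getInstance("SHA1withRSA", ks.getProvider())` performs the digest and the DigestInfo wrapping itself.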