EldoS | Feel safer!

TElMemoryCertStorage and TElX509Certificate in Mac OS, Linux..

Posted: 05/13/2014 07:43:47
by Vsevolod Ievgiienko (Team)

When using the OfficeBlackBox Sample of your 12th version, when I do _OfficeDocument.open("full_path.docx", false); an exception is thrown saying: "java.lang.StringIndexOutOfBoundsException: String index out of range: -1", regardless of the file I choose. In the 11th version, this error doesn't appear.

We've fixed the issue and the new build was uploaded to the server without changing the build number. You can download it here: https://www.eldos.com/sbb/download-pre...hp#product
Posted: 05/14/2014 06:25:48
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

Thank you for the fix.

By the way, I'm trying to use the TElMemoryCertStorage.LoadFromFileJKS method, but it doesn't appear. I'm using the newest 12th version. Do I need to include something more?
Posted: 05/14/2014 06:26:53
by Eugene Mayevski (Team)

It must be LoadFromStreamJKS, not LoadFromFileJKS.

Sincerely yours
Eugene Mayevski
Posted: 05/15/2014 05:20:30
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

Can you detail a little more how I load a JKS file on Mac OS X or Linux?

The loadFromStreamJKS method requests an InputStream, String, int and TElJKSPasswordEvent.

I want to load all certificates in the keychain store (on OS X, for instance).
How do I get an InputStream from the certificates? And what is the meaning of the String, int and TElJKSPasswordEvent? What are the proper values of these parameters?
Posted: 05/15/2014 05:26:34
by Vsevolod Ievgiienko (Team)

Please refer to the documentation: https://www.eldos.com/documentation/sb...amjks.html

The stream can be created the following way:

InputStream is = new FileInputStream("path_to_jks_file");
Posted: 05/15/2014 05:31:01
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

Do you know what the path to the certificate store of Mac or Linux is? Does it depend on the computer?
Posted: 05/15/2014 05:47:48
by Vsevolod Ievgiienko (Team)

Does it depend on the computer?

Yes, it depends.

If talking about Java key stores, then you can use the following code as a template (works for Windows and Linux):

public class OS {
   public static final int OS_UNKNOWN = -1;
   public static final int OS_WINDOWS = 0;
   public static final int OS_MAC = 1;
   public static final int OS_LINUX = 2;
   public static final int OS_SOLARIS = 3;

   // Classify the running platform from the os.name system property.
   private static int detectOS() {
      String os = System.getProperty("os.name").toLowerCase();
      if (os.indexOf("win") >= 0)
         return OS_WINDOWS;
      else if (os.indexOf("mac") >= 0)
         return OS_MAC;
      else if (os.indexOf("nix") >= 0 || os.indexOf("nux") >= 0 || os.indexOf("aix") >= 0)
         return OS_LINUX;
      else if (os.indexOf("sunos") >= 0)
         return OS_SOLARIS;
      return OS_UNKNOWN;
   }

   // Path of the JRE's default trusted-certificate store (cacerts, a JKS file).
   // Returns null on platforms this template does not cover (Mac, Solaris).
   public static String detectKeystorePath() {
      int os = detectOS();
      String home = System.getProperty("java.home");
      if (os == OS_WINDOWS) {
         return home + "\\lib\\security\\cacerts";
      } else if (os == OS_LINUX) {
         return home + "/lib/security/cacerts";
      } else
         return null;
   }
}
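As an added example (not code from the thread or from SecureBlackbox), the following class opens the JKS at the detected path with the standard java.security.KeyStore API and lists, per entry, whether the file actually contains a private key or only a certificate. The FileInputStream it builds is the same kind of stream LoadFromStreamJKS asks for. The path helper uses File.separator so it also resolves on Mac OS X; passing a null password loads the entries without checking the store's integrity hash, so it works even when the cacerts password has been changed from the JDK default ("changeit"). Class and method names are my own.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class JksInspector {

    // Default JRE trust store, the same file the OS template above resolves,
    // written with File.separator so the path also works on Mac OS X.
    public static String defaultCacertsPath() {
        return System.getProperty("java.home") + File.separator + "lib"
             + File.separator + "security" + File.separator + "cacerts";
    }

    // Load a JKS from any InputStream. A null password loads the entries without
    // verifying the store's integrity hash (enough when only certificates are needed).
    public static KeyStore loadJks(InputStream in, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(in, password);
        return ks;
    }

    // One line per entry: alias, public-key algorithm, whether a private key is
    // stored in the file, and the subject DN.
    public static List<String> describeEntries(KeyStore ks) throws KeyStoreException {
        List<String> lines = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            String algorithm = cert == null ? "?" : cert.getPublicKey().getAlgorithm();
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(not an X.509 certificate)";
            // A smart-card certificate imported into a JKS is a trusted-certificate
            // entry: the private key stays on the card and is never in the file.
            String kind = ks.isKeyEntry(alias) ? "private key in file" : "certificate only";
            lines.add(alias + " | " + algorithm + " | " + kind + " | " + subject);
        }
        return lines;
    }

    // Usage: java JksInspector [path-to-jks] [password]
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : defaultCacertsPath();
        char[] password = args.length > 1 ? args[1].toCharArray() : null;
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = loadJks(in, password);
            System.out.println(path + ": " + ks.size() + " entries");
            for (String line : describeEntries(ks)) {
                System.out.println(line);
            }
        }
    }
}
```

Running it against cacerts shows only "certificate only" entries, which is expected for a trust store; a store that is supposed to supply a signing key must show "private key in file" for the alias in question.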
Posted: 05/15/2014 06:20:12
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

Thank you.

I tried a lot of ways, but I always get the exception:

"java.security.PrivilegedActionException: SecureBlackbox.XML.EElXMLSecurityError: RSA key data expected."

If I convert a certificate in JKS to a TElX509Certificate and that certificate is a certificate of a smart card, this exception is always thrown.

I tried to change all my local settings to have all kinds of permissions, but still no luck. I guess I'll have to use TElWinCertStorage. But for Mac and Linux there is no other way to do this, right?
Posted: 05/15/2014 06:24:19
by Vsevolod Ievgiienko (Team)

But for Mac and Linux there is no other way to do this, right?

The 12th version of SecureBlackbox includes PKCS#11 support for Mac and Linux. You can access your smart cards directly on those systems.
Posted: 05/16/2014 05:17:49
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

I have Java code that accesses my certificate and requests the smart card PIN to access the private key.

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.security.cert.Certificate;
import javax.security.auth.callback.CallbackHandler;
import sun.security.pkcs11.SunPKCS11;

public static byte[] signWithCard() throws Exception {
   String hash = "ab13fab13h453d453ab13f453de";   // data to sign (placeholder value)

   // PKCS#11 provider configuration: token name and the card middleware library
   String pkcs11config = "name=GemPC" + "\n"
                       + "library=C:/WINDOWS/system32/pteidpkcs11.dll";
   ByteArrayInputStream configStream =
         new ByteArrayInputStream(pkcs11config.getBytes(StandardCharsets.UTF_8));
   Provider p = new SunPKCS11(configStream);   // Java 7/8 constructor

   // The PIN is collected on the console by this handler when the key is first used
   CallbackHandler cmdLineHdlr = new com.sun.security.auth.callback.TextCallbackHandler();
   KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p,
                                    new KeyStore.CallbackHandlerProtection(cmdLineHdlr));
   KeyStore ks = builder.getKeyStore();

   String assinaturaCertifLabel = "CITIZEN SIGNATURE CERTIFICATE";
   Certificate[] chain = ks.getCertificateChain(assinaturaCertifLabel);
   Key key = ks.getKey(assinaturaCertifLabel, null);   // handle to the on-card key; no key material leaves the card

   // "SHA1withRSA" selects the PKCS#11 mechanism; the explicit CK_MECHANISM of the
   // original snippet was never used by the JCA calls below, so it is dropped
   Signature sig = Signature.getInstance("SHA1withRSA", p);
   sig.initSign((PrivateKey) key);   // --> REQUESTS SMARTCARD PIN!
   sig.update(hash.getBytes(StandardCharsets.UTF_8));   // the original never fed any data to sign
   byte[] signedHash = sig.sign();
   return signedHash;
}

That's it for Windows. How can I integrate this kind of signature with your library?
I want to obtain a TElX509Certificate that contains a private key.

Can you help me?
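The JCA round trip behind the snippet in this post, as an added example that is not the poster's code and not SecureBlackbox's: it signs with whatever Provider is supplied (the SunPKCS11 provider in the post; null here means the default) and verifies with the default provider, which needs no card. A constructed in-memory RSA key pair stands in for the smart card so the class runs without hardware, and the data is fed through update(), the step the post's snippet omits. Class and method names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;

public class DetachedRsaSignature {

    // Sign with SHA1withRSA through the given provider (null = JDK default).
    // The Signature object hashes the data itself, so pass the document bytes,
    // not a precomputed digest; with SunPKCS11, initSign is where the PIN prompt fires.
    public static byte[] sign(PrivateKey key, Provider p, byte[] data)
            throws GeneralSecurityException {
        Signature sig = (p == null) ? Signature.getInstance("SHA1withRSA")
                                    : Signature.getInstance("SHA1withRSA", p);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();   // PKCS#1 v1.5 signature bytes, usable by any verifier
    }

    // Verification needs only the certificate's public key and the default provider.
    public static boolean verify(PublicKey pub, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        Signature ver = Signature.getInstance("SHA1withRSA");
        ver.initVerify(pub);
        ver.update(data);
        return ver.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the card: a fresh 2048-bit RSA key pair in memory.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] document = "document bytes to be signed".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(kp.getPrivate(), null, document);
        System.out.println("signature verifies: " + verify(kp.getPublic(), document, signature));

        // Any change to the data must make verification fail.
        byte[] tampered = document.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered data verifies: " + verify(kp.getPublic(), tampered, signature));
    }
}
```

To use the card, replace the generated key with the PrivateKey handle obtained from the PKCS#11 KeyStore and pass the SunPKCS11 provider to sign(); verify() stays unchanged, since the signature bytes do not depend on which provider produced them.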


