EldoS | Feel safer!

Software components for data protection, secure storage and transfer

[Java] Use PKCS11 to get certificate on USB token

#35955
Posted: 02/22/2016 04:39:06
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 74

Hello.

I'm trying to sign a document with a certificate from a USB token. So I used TElPKCS11CertStorage and, following the sample I've seen, open a session and log into the token with the PIN code. But when I try to perform a CAdES signature, I get an error saying there's no private key:
Quote
SecureBlackbox.PKI.EElCMSError: Private key not found
at SecureBlackbox.PKI.TElCMSSignature.internalSign(SBCMS.pas:4282)
at SecureBlackbox.PKI.TElCMSSignature.sign(SBCMS.pas:4329)
at SecureBlackbox.PKI.TElCAdESSignatureProcessor.sign(SBCAdES.pas:1470)
at SecureBlackbox.PKI.TElCAdESSignatureProcessor.createBES(SBCAdES.pas:1512)
at SecureBlackbox.PKI.TElCAdESSignatureProcessor.createBES(SBCAdES.pas:1497)
at test.Main.testPKCS11(Main.java:118)
at test.Main.main(Main.java:58)
Which isn't true since I've signed many files with this exact certificate.

Here is my code:
Code
TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
//storage.setDLLName( AppletAWS.getConfig("lib.pkcs11.gemalto.win.64.path") );   // 64-bit PKCS#11 module
storage.setDLLName( AppletAWS.getConfig("lib.pkcs11.gemalto.win.32.path") );     // 32-bit PKCS#11 module
storage.open();

// open a read-only user session on slot 0 and authenticate with the token PIN
String pin = requestPIN();
TElPKCS11SessionInfo session = storage.openSession( 0, false );
session.login( SBPKCS11Base.utUser, pin );

File f = new File( "Z:\\Mickael\\Sauvergarde\\C_Users_Mickaël\\Desktop\\fichiers_tests\\Applets\\depot\\candidature_light\\candidature_light-01.pdf" );
// first certificate on the token; the storage has to pair it with its private key object for signing
TElX509Certificate telCert = storage.getCertificate( 0 );

System.out.println( "Signer cert : " + telCert.getSubjectName().CommonName );

TElFileStream fs = null;
TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor();
TElSignedCMSMessage cms = new TElSignedCMSMessage();

try {
   fs = new TElFileStream( f.getAbsolutePath(), "r", true );
   cms.createNew( fs, 0, fs.getLength() );
   cms.setDetached( true );   // detached signature: the output file holds only the CMS, not the PDF
   
   TElCMSSignature sig = cms.getSignature( cms.addSignature() );
   sig.clearTimestamps();
   sig.clearCountersignatures();
   sig.clearValidationTimestamps();
   sig.getCommitmentTypeIndication().setIncluded( true );
   sig.getCommitmentTypeIndication().setProofOfOrigin( true );
   sig.getCommitmentTypeIndication().setProofOfCreation( true );
   sig.setUsePSS( false );   // plain PKCS#1 v1.5 RSA signature

   processor.setSignature( sig );
   processor.setOnBeforeSign( new TSBCAdESBeforeSignEvent(_onBeforeSign) );
   processor.createBES( telCert );   // this is the call that raises "Private key not found"

   // helpers from our own code base: number the signature file if one already exists
   int iter = PKCS7.iterationNumberOfSignForFile( f );
   String sigFileName = "";
   if (iter == 0) {
      sigFileName = f.getAbsolutePath() + PKCS7.CADES_EXTENSIONS[0];
   }
   else {
      sigFileName = f.getAbsolutePath() + "." + iter + PKCS7.CADES_EXTENSIONS[0];
   }
   
   File fileSig = new File( sigFileName );
   CAdES.saveCMS( cms, fileSig );   // helper from our own code base
}
catch ( Exception e ) {
   throw e;
}


So from there I tried out the TinySignerPKCS11 sample in PDFBlackbox. When I select the certificate from TElPKCS11CertStorage, I get this error:
Quote
SecureBlackbox.PDF.EElPDFPublicKeySecurityHandlerError: No signing certificate found
at SecureBlackbox.PDF.TElPDFPublicKeySecurityHandler.getEstimatedSignatureSize(SBPDFSecurity.pas:3752)
at SecureBlackbox.PDF.TElPDFDocument.$preCalculateSignatures$3714$setupSignatureInfo(SBPDF.pas:7140)
at SecureBlackbox.PDF.TElPDFDocument.preCalculateSignatures(SBPDF.pas:9362)
at SecureBlackbox.PDF.TElPDFDocument.close(SBPDF.pas:6158)
at Main.signClick(Main.java:757)
But when selecting it from the TElWinCertStorage, the signature is performed correctly.

What should I do? Thanks.
#35956
Posted: 02/22/2016 04:53:32
by Ken Ivanov (EldoS Corp.)

Hi Mickaël,

Thank you for getting in touch with us.

The most common reason for the private key not being recognized by TElPKCS11CertStorage is that the private key object's attributes are not sufficient to establish the correspondence between the certificate and the key objects. Some key import tools write token object attributes improperly, making third-party reader applications unable to match the objects to each other straightaway.

What you can try is adding the pcsoWeakenedKeySearchCriteria option to the TElPKCS11CertStorage.PKCS11Options flag set and checking if it helps:

Code
TSBPKCS11StorageOptions ops = storage.getPKCS11Options();
ops = ops | pcsoWeakenedKeySearchCriteria;
storage.setPKCS11Options(ops);


Please add the above code before calling the Open() method.

Ken
#35957
Posted: 02/22/2016 05:20:56
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 74

Thanks for the reply.

I've tried it out but the class TSBPKCS11StorageOptions doesn't seem to exist and storage.getPKCS11Options() returns an int.
#35958
Posted: 02/22/2016 05:26:04
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 74

Never mind, I found it out:
Code
int ops = storage.getPKCS11Options() | SBPKCS11Base.pcsoWeakenedKeySearchCriteria;
storage.setPKCS11Options( ops );
It works fine now! Thank you.
#35959
Posted: 02/22/2016 05:34:32
by Ken Ivanov (EldoS Corp.)

Superb, thank you for letting us know!

Ken
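The exchange above turns on how a PKCS#11 client pairs a CKO_CERTIFICATE object with its CKO_PRIVATE_KEY: the two are normally linked by carrying the same CKA_ID, and an import tool that writes the attributes inconsistently leaves the client with a certificate it cannot sign with. The Python below is an added illustration of that pairing and of what "weakening" the search criteria means; it is not SecureBlackbox code and does not reproduce how pcsoWeakenedKeySearchCriteria is implemented. FakeToken is a constructed in-memory stand-in whose find_objects() mimics C_FindObjects template matching, the three token fixtures are constructed samples, and the fallback order (CKA_ID, then CKA_LABEL, then "the only key on the token") is this example's own assumption.

```python
# Added illustration (not SecureBlackbox code): pairing a certificate object with
# its private key on a PKCS#11 token, strictly and with weakened criteria.
# FakeToken and the fixtures are constructed samples; the fallback order is an
# assumption of this example, not SecureBlackbox's actual behaviour.

CKO_CERTIFICATE = "CKO_CERTIFICATE"
CKO_PRIVATE_KEY = "CKO_PRIVATE_KEY"


class FakeToken:
    """Stand-in for a logged-in token session; each object is a dict of CKA_* attributes."""

    def __init__(self, objects):
        self.objects = list(objects)

    def find_objects(self, template):
        # C_FindObjectsInit/C_FindObjects semantics: every template attribute must match exactly
        return [obj for obj in self.objects
                if all(obj.get(attr) == value for attr, value in template.items())]


def match_private_key(token, cert, weakened=False):
    """Return the private key object belonging to `cert`, or None.

    Strict mode requires the key to carry the certificate's CKA_ID, which is how
    PKCS#11 expects the two objects to be linked. Weakened mode adds fallbacks for
    tokens whose import tool wrote the attributes inconsistently:
      1. a single private key with the same CKA_LABEL as the certificate,
      2. the token holds exactly one private key, so it cannot be anything else.
    With several candidate keys and no attribute agreement the result stays None:
    guessing could sign with a key that does not belong to the certificate.
    """
    by_id = token.find_objects({"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": cert["CKA_ID"]})
    if by_id:
        return by_id[0]
    if not weakened:
        return None

    label = cert.get("CKA_LABEL")
    if label:
        by_label = token.find_objects({"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": label})
        if len(by_label) == 1:
            return by_label[0]

    all_keys = token.find_objects({"CKA_CLASS": CKO_PRIVATE_KEY})
    if len(all_keys) == 1:
        return all_keys[0]
    return None


def well_formed_token():
    """Constructed sample: certificate and key share CKA_ID, as a correct import writes them."""
    return FakeToken([
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01", "CKA_LABEL": "Signature"},
        {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x01", "CKA_LABEL": "Signature"},
    ])


def mismatched_token():
    """Constructed sample: the import tool wrote a different CKA_ID on the key (the case in this thread)."""
    return FakeToken([
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01", "CKA_LABEL": "Signature"},
        {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x00\x01", "CKA_LABEL": "Signature"},
    ])


def ambiguous_token():
    """Constructed sample: two keys, neither agrees with the certificate on CKA_ID or CKA_LABEL."""
    return FakeToken([
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01", "CKA_LABEL": "Signature"},
        {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x0a", "CKA_LABEL": "Key A"},
        {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x0b", "CKA_LABEL": "Key B"},
    ])


def first_certificate(token):
    """Equivalent of storage.getCertificate(0) in the thread: the first certificate object."""
    return token.find_objects({"CKA_CLASS": CKO_CERTIFICATE})[0]


if __name__ == "__main__":
    for name, tok in (("well-formed", well_formed_token()),
                      ("mismatched", mismatched_token()),
                      ("ambiguous", ambiguous_token())):
        cert = first_certificate(tok)
        print(name, "strict:", match_private_key(tok, cert) is not None,
              "weakened:", match_private_key(tok, cert, weakened=True) is not None)
```

Two practical notes. To see which attributes a token actually carries, OpenSC's pkcs11-tool lists them, for example `pkcs11-tool --module <path to the PKCS#11 library> --login --list-objects`; a certificate and a private key with different ID fields is exactly the situation the weakened option works around. And because weakened matching is a heuristic, a multi-key token can pair the certificate with the wrong key; a stronger fallback compares the modulus in the certificate's SubjectPublicKeyInfo with the key's CKA_MODULUS (not shown above), and in any case the produced signature should be verified against the signing certificate before the file is shipped.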
#35965
Posted: 02/22/2016 11:43:51
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 74

Hey again, I've got another issue.

We need our application to be able to sign on Mac OS, which is why I made some tests with TElPKCS11CertStorage. I can actually sign documents (both on Mac OS and Windows), but the verification fails on Mac OS with this error:
Quote
Exception in thread "Thread-37" java.lang.UnsatisfiedLinkError: SecureBlackbox.Base.JNI.certCloseStore(JI)Z
at SecureBlackbox.Base.JNI.certCloseStore(Native Method)
at SecureBlackbox.Base.SBWinCrypt.certCloseStore(SBWinCrypt.pas:4140)
at SecureBlackbox.Base.TElWinCertStorage.clearInfo(SBWinCertStorage.pas:611)
at SecureBlackbox.Base.TElWinCertStorage.Destroy(SBWinCertStorage.pas:580)
at org.freepascal.rtl.TObject.Free(system.pp)
at SecureBlackbox.Base.SBUtils.freeAndNil(SBUtils.pas:10554)
at SecureBlackbox.Base.TElX509CertificateValidator.Destroy(SBCertValidator.pas:1033)
at org.freepascal.rtl.TObject.Free(system.pp)
at SecureBlackbox.Base.SBUtils.freeAndNil(SBUtils.pas:10554)
at SecureBlackbox.PKIPDF.TElPDFAdvancedPublicKeySecurityHandler.$validateChainAndCollectRevocationInfo$480$collectSingleRevocationInfo(SBPAdES.pas:1653)
at SecureBlackbox.PKIPDF.TElPDFAdvancedPublicKeySecurityHandler.validateChainAndCollectRevocationInfo(SBPAdES.pas:1676)
at SecureBlackbox.PKIPDF.TElPDFAdvancedPublicKeySecurityHandler.validateHash(SBPAdES.pas:1376)
at SecureBlackbox.PDF.TElPDFSignature.validate(SBPDF.pas:5051)
at SecureBlackbox.PDF.TElPDFSignature.validate(SBPDF.pas:4982)
at awsoutil.outil.signature.pades.VerifSignFile_SignThread.run(VerifSignFile_SignThread.java:163)
It happens in the TElPDFSignature.validate() method (yes, I signed with PAdES).

I can hardly show you the code (many classes/functions are used), but I can explain the steps:

  1. open a token session
  2. log into it (after the PIN code is given)
  3. select the certificate
  4. perform the signature
  5. verify the signature
Steps 4 and 5 are repeated for every file selected by the user. I tried closing the TElPKCS11CertStorage after signing and before verifying, but it didn't fix the problem and of course only the first file could be signed (the others got the error saying that no signing certificate was found, obviously).

Just to be sure, I tested it with CAdES signature and I got the same error.

Any ideas? Thanks.
#35966
Posted: 02/22/2016 11:45:59
by Eugene Mayevski (EldoS Corp.)

This particular issue is a glitch that must have been fixed in build 287. Could you please check which build you are using and let us know if it's build 287? The build number can be inspected via the SBUtils.SBB_VERSION_NUMBER constant.


Sincerely yours
Eugene Mayevski
#35967
Posted: 02/22/2016 11:51:51
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 74

Yes, I'm using build 287:
Quote
14.0.287.0
#35971
Posted: 02/22/2016 12:09:33
by Eugene Mayevski (EldoS Corp.)

Thank you for the clarification.

Let's continue in HelpDesk ( https://www.eldos.com/helpdesk/ ) please. I have created a new support ticket based on your above message. You will see your (and only your) support tickets by following this URL. You will also get e-mail notifications about updates related to your support ticket.


Sincerely yours
Eugene Mayevski
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.