Re: PKCS11 quagmire... (JSS question)

Fri, 15 Jun 2007 11:46:18 -0700 

David Stutzman wrote:

  PK11PrivKey tempAgentKey = null;
  try {
tempAgentKey = PK11PrivKey.fromPrivateKeyInfo(agentPrivateKey.getEncoded(), 
           cm.getInternalCryptoToken());
  }
  catch (TokenException ex) { //handle exception }
This works fine. This morning I used a hardware token to login and I end up with a null error because the PKCS11 code returns null for the call to agentPrivateKey.getEncoded(). Is there a way I can work around this?
Nope. If the key is in a token, for many tokens it can't be extracted. This is actually a feature of the token.
Can EncryptedPrivateKeyInformation help out here? I don't technically need the raw key and would like to not even attempt to remove it from the token which probably wouldn't work anyway. I just need to get JSS to reach through the sun-pkcs11 and use the key to do the signature. I just don't know if this is even possible.
I don't know Java well enough, JSS should have a primative interface to be able to sign with the key in place. I know NSS provides such interfaces, and they are definately required to use a hardware token. 
The private key is needed to create the SignerInfo structure:
SignerInfo ::= SEQUENCE {
         version CMSVersion,
         sid SignerIdentifier,
         digestAlgorithm DigestAlgorithmIdentifier,
         signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
         signatureAlgorithm SignatureAlgorithmIdentifier,
         signature SignatureValue,
         unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
This look like a CMS signature. NSS can definately create on of these signed by a key in a token, I don't know if JSS has the reflection to do so, however. 
The JSS method to create this is:
SignerInfo(SignerIdentifier signerIdentifier, SET signedAttributes, SET unsignedAttributes, OBJECT_IDENTIFIER contentType, byte[] messageDigest, SignatureAlgorithm signingAlg, PrivateKey signingKey) 
So just passing agentPrivateKey here doesn't work?
I haven't really looked into it but would it alternatively be possible to construct that SignerInfo ASN1 structure "by hand" and not use the above method. In that case I could just use Sun methods to do the signature and insert it into the SignerInfo. I'd probably hate to do this because I'm not a big fan of ASN1 and it takes me a while to understand what I'm doing (big thanks to Nelson though on recommending Peter Gutmann's dumpasn1 utility which has been a lifesaver for me). 

Thanks,
Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to