Hi,
I need to sign an array of bytes with a private key (an iText requirement)
that is stored in JSS. I looked on Google, but everybody suggested the
same idea, which is essentially:

        try {
            //certificate is a org.mozilla.jss.crypto.X509Certificate from the keystore
            byte[] derCert = certificate.getEncoded();
            org.mozilla.jss.pkix.cert.Certificate cert =
                    (org.mozilla.jss.pkix.cert.Certificate) ASN1Util.decode(
                            org.mozilla.jss.pkix.cert.Certificate.getTemplate(),
                            derCert);
            Name issuerName = cert.getInfo().getIssuer();

            MessageDigest md =
                    MessageDigest.getInstance(DigestAlgorithm.SHA1.toString());
            //data is the byte[]
            byte[] messageDigest = md.digest(data);

            ContentInfo ci = new ContentInfo(data);

            IssuerAndSerialNumber iasn = new IssuerAndSerialNumber(issuerName,
                    new INTEGER(certificate.getSerialNumber()));

            SET authenticatedAttributes = null;
            SET unauthenticatedAttributes = null;

            OBJECT_IDENTIFIER contentType = ContentInfo.DATA;
            SignatureAlgorithm signingAlg =
                    SignatureAlgorithm.RSASignatureWithSHA1Digest;

            //pk is a org.mozilla.jss.crypto.PrivateKey that I get with
            //CryptoManager.findPrivKeyByCert(cryptoManager.findCertByNickname(nickName));
            SignerInfo si = new SignerInfo(iasn,
                    authenticatedAttributes,
                    unauthenticatedAttributes,
                    contentType,
                    messageDigest,
                    signingAlg,
                    pk);

            SET digestAlgorithms = null;
            digestAlgorithms = new SET();
            digestAlgorithms.addElement(
                    new AlgorithmIdentifier(DigestAlgorithm.SHA1.toOID()));

            SET certificates = null;
            SET signers = null;
            SET crls = null;
            certificates = new SET();

            certificates.addElement(new ANY(certificate.getEncoded()));
            certificates.addElement(new ANY(certChain[1].getEncoded()));
            for (int i = certChain.length; i < 0; --i) {
                certificates.addElement(new ANY(certChain[i - 1].getEncoded()));
            }

            signers = new SET();
            signers.addElement(si);
            SignedData sd = new SignedData(digestAlgorithms, ci,
                    certificates, crls,
                    signers);

            ContentInfo cisd = new ContentInfo(sd);

            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            cisd.encode(baos);

            return baos.toByteArray();

        } catch (Exception ex) {
            Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
        }


The program stops in:

 SignerInfo si = new SignerInfo(iasn,
                    authenticatedAttributes,
                    unauthenticatedAttributes,
                    contentType,
                    messageDigest,
                    signingAlg,
                    pk);

throwing:

java.security.SignatureException: Signature operation failed on token
        at org.mozilla.jss.pkcs11.PK11Signature.engineRawSignNative(Native Method)
        at org.mozilla.jss.pkcs11.PK11Signature.engineSign(PK11Signature.java:255)
        at org.mozilla.jss.crypto.Signature.sign(Signature.java:125)
        at org.mozilla.jss.pkcs7.SignerInfo.<init>(SignerInfo.java:368)
        ....
java.lang.NullPointerException
        at com.itextpdf.text.pdf.PdfPKCS7.getEncodedPKCS1(PdfPKCS7.java:1109)
        ....

I also tried this:

        //java.security.Signature
        Signature signer = Signature.getInstance("SHA1withRSA", jSSProvider);

        //pk is a org.mozilla.jss.crypto.PrivateKey that I get with
        //CryptoManager.findPrivKeyByCert(cryptoManager.findCertByNickname(nickName));
        signer.initSign(pk);

        signer.update(toSign.getBytes());
        byte[] sign = signer.sign();

but it throws:

java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
        at org.mozilla.jss.pkcs11.PK11Signature.engineSignNative(Native Method)
        at org.mozilla.jss.pkcs11.PK11Signature.engineSign(PK11Signature.java:259)
        at org.mozilla.jss.crypto.Signature.sign(Signature.java:125)
        at org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineSign(JSSSignatureSpi.java:153)
        at java.security.Signature$Delegate.engineSign(Signature.java:1128)
        at java.security.Signature.sign(Signature.java:522)

I'm using:

Internal Key Storage Token

DBM_VERSION = N/A
JDK_VERSION = N/A
JSS_VERSION = JSS_4_3_2_RTM
NSPR_VERSION = NSPR_4_7_RTM
NSS_VERSION = NSS_3_12_RTM

java -version:
        java version "1.6.0_20"
        Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
        Java HotSpot(TM) Client VM (build 16.3-b01, mixed mode, sharing)
with "Unlimited-Strength-Jurisdiction-Policy"...

Any input would help me.

Thanks
Felix A.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
