I am generating CMC revocation requests and CMC enrollment requests and
am signing them with what are basically RA credentials on the CA. We
sign in to our application using either a PKCS12 file or a PKCS11
(Sun-PKCS11) token. In either case we ultimately end up with a Java
KeyStore that, when client authentication is requested over an SSL link,
provides our credentials to the server for authentication. I'm using
all JSS methods to create the requests, and the requests need to be
signed, and to do that I need a JSS private key. I'm currently using the
following bit of code to convert the Java private key (agentPrivateKey
below, residing in the PKCS12 file, of type java.security.Key) to a JSS key:

    PK11PrivKey tempAgentKey = null;
    try {
        // Import the Java key's encoded form into the internal JSS token
        tempAgentKey = PK11PrivKey.fromPrivateKeyInfo(
                agentPrivateKey.getEncoded(), cm.getInternalCryptoToken());
    } catch (TokenException ex) {
        // handle exception
    }

This works fine. This morning I used a hardware token to log in and I
end up with a null error because the PKCS11 code returns null for the
call to agentPrivateKey.getEncoded(). Is there a way I can work around
this?

You'll probably ask, why not just add the pkcs11 dll using modutil and
use JSS completely for the login (which works now thanks to Glen) but we
would have to add a whole new set of SSL calls to support JSS with the
hardware token while keeping the existing Sun SSL code to continue to
support the PKCS12 method, which may end up being the only way to do this...

Can EncryptedPrivateKeyInformation help out here? I don't technically
need the raw key and would like to not even attempt to remove it from
the token which probably wouldn't work anyway. I just need to get JSS
to reach through the sun-pkcs11 and use the key to do the signature. I
just don't know if this is even possible.

The private key is needed to create the SignerInfo structure:

    SignerInfo ::= SEQUENCE {
        version            CMSVersion,
        sid                SignerIdentifier,
        digestAlgorithm    DigestAlgorithmIdentifier,
        signedAttrs        [0] IMPLICIT SignedAttributes OPTIONAL,
        signatureAlgorithm SignatureAlgorithmIdentifier,
        signature          SignatureValue,
        unsignedAttrs      [1] IMPLICIT UnsignedAttributes OPTIONAL }

The JSS method to create this is:

    SignerInfo(SignerIdentifier signerIdentifier, SET signedAttributes,
               SET unsignedAttributes, OBJECT_IDENTIFIER contentType,
               byte[] messageDigest, SignatureAlgorithm signingAlg,
               PrivateKey signingKey)

I haven't really looked into it but would it alternatively be possible
to construct that SignerInfo ASN1 structure "by hand" and not use the
above method? In that case I could just use Sun methods to do the
signature and insert it into the SignerInfo. I'd probably hate to do
this because I'm not a big fan of ASN1 and it takes me a while to
understand what I'm doing (big thanks to Nelson though on recommending
Peter Gutmann's dumpasn1 utility which has been a lifesaver for me).
Thanks,
Dave
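
The "by hand" route raised in the message above, as an added example that is not part of the original post and is not JSS code: it builds a DER SignerInfo with JDK classes only, so the private key is used through java.security.Signature and never exported. The class and method names are hypothetical, and RSA with SHA-256, an issuerAndSerialNumber sid, and the constructed key, issuer and content bytes in main are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.util.HexFormat;
import javax.security.auth.x500.X500Principal;

public class HandBuiltSignerInfo { // hypothetical name; needs Java 17+ for HexFormat
    static byte[] hex(String s) { return HexFormat.of().parseHex(s); }
    static final byte[] CONTENT_TYPE = hex("06092A864886F70D010903"),   // pkcs-9 contentType
                        MESSAGE_DIGEST = hex("06092A864886F70D010904"), // pkcs-9 messageDigest
                        PKI_DATA = hex("06082B06010505070C02"),         // id-cct-PKIData
                        SHA256 = hex("0609608648016503040201"),         // id-sha256
                        SHA256_RSA = hex("06092A864886F70D01010B");     // sha256WithRSAEncryption
    // One DER tag-length-value over the concatenated parts; lengths up to 65535.
    static byte[] tlv(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream(), out = new ByteArrayOutputStream();
        for (byte[] p : parts) body.writeBytes(p);
        int n = body.size();
        out.write(tag);
        if (n >= 0x100) { out.write(0x82); out.write(n >> 8); }
        else if (n >= 0x80) out.write(0x81);
        out.write(n); // low length byte (or the whole short-form length)
        out.writeBytes(body.toByteArray());
        return out.toByteArray();
    }
    // content = DER PKIData; key may be an opaque handle whose getEncoded() is null.
    static byte[] signerInfo(byte[] issuerName, BigInteger serial, byte[] content,
                             PrivateKey key) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(content);
        // Two signed attributes; ct sorts before md in DER SET OF order (shorter encoding).
        byte[] ct = tlv(0x30, CONTENT_TYPE, tlv(0x31, PKI_DATA));
        byte[] md = tlv(0x30, MESSAGE_DIGEST, tlv(0x31, tlv(0x04, digest)));
        // JCA selects the provider that can handle the key at initSign, so a token key signs on the token.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(tlv(0x31, ct, md)); // signed with the explicit SET OF tag (RFC 5652, 5.4)
        return tlv(0x30, hex("020101"),                              // version 1
            tlv(0x30, issuerName, tlv(0x02, serial.toByteArray())),  // sid: issuerAndSerialNumber
            tlv(0x30, SHA256),                                       // digestAlgorithm
            tlv(0xA0, ct, md),                                       // signedAttrs [0] IMPLICIT
            tlv(0x30, SHA256_RSA, hex("0500")),                      // signatureAlgorithm, NULL params
            tlv(0x04, s.sign()));                                    // signature
    }
    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: software key for the token key, made-up issuer, empty SEQUENCE as content.
        PrivateKey key = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate();
        byte[] issuer = new X500Principal("CN=Constructed Test CA").getEncoded();
        byte[] si = signerInfo(issuer, BigInteger.valueOf(4660), hex("3000"), key);
        System.out.println(HexFormat.of().formatHex(si)); // paste into dumpasn1 to inspect
    }
}
```

In real use, issuerName and serial come from the signer certificate via getIssuerX500Principal().getEncoded() and getSerialNumber().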