Robert Relyea wrote:
> Oh, so the signer info stuff is Java proper, not JSS. What you need is
> either a PrivateKey from JSS that came through its JCE provider
> interface, or a JSS call that gives out a SignerInfo from JSS itself.
No, I'm using JSS classes for all of the CMC-related work. The only
part where Java comes in so far is the private key I need to pass to the
SignerInfo constructor. Technically, yes, the code will compile if I
just pass the java key (agentPrivateKey) pulled straight out of the
KeyStore to the SignerInfo constructor but I will get an exception at
runtime about the provider mismatch. This is why I brought in the code
that asks for the encoded version of the key and then creates a PK11PrivKey.
We use either PKCS12 or Sun-PKCS11 as the backends to get a Sun JKS
format KeyStore and when I initially wrote the code to test making the
request I was just using the PKCS12 backend. When I moved to trying the
PKCS11 side I ran into problems because I can't get an encoded version
of the key because it resides on the token. That means I can't convert
to a PK11PrivKey to pass in to SignerInfo.
Glen Beasley wrote:
> how did you construct agentPrivateKey? Is it of type PK11PrivKey?
agentPrivateKey was retrieved using the getKey method of
java.security.KeyStore (again, which works fine when the underlying
keystore is a PKCS12 file, but Sun-PKCS11 gives problems)
    PK11PrivKey tempAgentKey = null;
    try {
        // Import the PKCS#8 encoding of the Java key into the internal token.
        // Fails for Sun-PKCS11 keys: getEncoded() returns null for token-resident keys.
        tempAgentKey =
            PK11PrivKey.fromPrivateKeyInfo(agentPrivateKey.getEncoded(),
                                           cm.getInternalCryptoToken());
    }
    catch (TokenException ex) {
        // handle exception
    }
> what happens when you do agentPrivateKey.getOwningToken().getName()
> does it refer to your hardware token ?
agentPrivateKey is not a JSS key.
> you should be able to pass in agentPrivateKey to the JSS method
See reply above to Bob's question as to why that won't work.
We use the Sun stuff for logging on to the application which makes the
credentials available to connect easily to our client-authenticated SSL
services. We have a mix of JSS/Java/Custom JNI to initialize tokens,
generate keys and write certs on the tokens. We aren't using JSS for
the logon portion yet because of the SSL issue. We'd have to write
completely new ldap/http ssl code to use JSS as the backend and we'd
lose the flexibility of quickly turning a PKCS12 file into a KeyStore.
This is why I have quagmire in the title :).
Dave
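The provider mismatch Dave runs into can be caught up front rather than at the SignerInfo constructor. The helper below is an added example, not code from this thread or from JSS itself; it assumes the JSS types named in the thread (org.mozilla.jss.crypto.PrivateKey, CryptoToken, TokenException, PK11PrivKey.fromPrivateKeyInfo) and the JCE rule that a non-extractable SunPKCS11 key returns null from getEncoded(). The method name toJssPrivateKey and the importToken parameter are this example's own.

```java
import java.security.Key;

import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.pkcs11.PK11PrivKey;

/** Bridges a java.security.KeyStore key to a JSS private key, or fails early. */
public final class JssKeyAdapter {

    private JssKeyAdapter() {}

    /**
     * Returns a JSS private key that SignerInfo will accept.
     *
     * @param key         the key returned by java.security.KeyStore.getKey()
     * @param importToken the JSS token into which a software key is imported
     *                    (e.g. cm.getInternalCryptoToken(), as in Dave's snippet)
     */
    public static org.mozilla.jss.crypto.PrivateKey toJssPrivateKey(
            Key key, CryptoToken importToken) throws TokenException {
        if (key == null) {
            throw new IllegalArgumentException("no key for that alias");
        }

        // Case 1: the key already came through JSS's JCE provider (Bob's first
        // option). It is usable as-is; no re-import needed.
        if (key instanceof org.mozilla.jss.crypto.PrivateKey) {
            return (org.mozilla.jss.crypto.PrivateKey) key;
        }

        // Case 2: a software key, e.g. from a PKCS12-backed KeyStore, exposes its
        // PKCS#8 PrivateKeyInfo, which JSS can import into the given token.
        byte[] pkcs8 = key.getEncoded();
        if (pkcs8 != null && "PKCS#8".equals(key.getFormat())) {
            return PK11PrivKey.fromPrivateKeyInfo(pkcs8, importToken);
        }

        // Case 3: a Sun-PKCS11 key is an opaque handle to key material that never
        // leaves the token; getEncoded() is null, so there is nothing to import.
        // Failing here gives a clear message instead of a provider-mismatch
        // exception deep inside SignerInfo.
        throw new IllegalArgumentException("key of class "
                + key.getClass().getName()
                + " has no exportable encoding (token-resident); it cannot be "
                + "converted with PK11PrivKey.fromPrivateKeyInfo");
    }
}
```

Called as `JssKeyAdapter.toJssPrivateKey(ks.getKey(alias, password), cm.getInternalCryptoToken())`, the PKCS12 path behaves exactly like Dave's try block, while the Sun-PKCS11 path reports the real cause: the key material is non-extractable, so the only workable routes are the two Bob listed, getting the key through JSS's own provider or having JSS produce the SignerInfo directly.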
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto