Sorry Mike.

You can stop working on signing using GPK card services & GemSAFE Cards.

If you read the first record of a public key file (say 0200:0007), it may read something like 00 00 80 8A 00 00 AF. The byte 0x80 => that all the crypto operations which use the private key are protected by not 1 but 2 secret codes (the user PIN, and the 'Hidden PIN'). Since your application (you) has no knowledge of this, it can't do a 'select crypto context' and hence no signing.

To solve your problems, you have to follow one of the following approaches:
(1) Use 'raw GPK8000 cards' with no PKCS#11 flavour
(2) Use a Java wrapper for PKCS#11 (say, from www.alphaworks.ibm.com. License is your baby..)

Warm Regards
----------
The man who goes alone can start today; but he who travels with another must wait till that other is ready. - Henry David Thoreau

>-----Original Message-----
>From: Mike Leung [mailto:[EMAIL PROTECTED]]
>Sent: Saturday, March 03, 2001 9:34 PM
>To: [EMAIL PROTECTED]
>Subject: [OCF] Signing data using GPK8000 card
>
>I loaded a pair of RSA keys and a X.509v3 certificate onto a
>Gemplus GPK8000 smart card using Netscape 4.76. With GPK Card
>Services 0.2, I can successfully read the certificate from
>:3F00:0200:0002 (private objects file, need to present PIN
>first), and the modulus and exponent of the public key from
>:3F00:0200:0009. However, I failed to get any data signed and
>I always get the following response:
>
>com.gemplus.opencard.service.GPKException: ISO error (69 82):
>Access condition not fulfilled:
>Secure messaging required and no key specified in Access Condition.
>Secure messaging required and no temporary administration key
>established.
>
>What do I need? I notice that :3F00:0200:0201 is a DES key
>file. Do I need to know that 3DES key and provide an
>administration credential to the signature card service?
>Since this key is set by the PKCS#11 implementation of
>GemSAFE, is it some kind of confidential? If so, how can I use
>OCF to get signed data from a GPK8000 card loaded by PKCS#11?
>
>The source code is something like this:
>
>GPKSignatureService scs =
>    (GPKSignatureService)sc.getCardService(SignatureCardService.class, true);
>CardFilePath keyPath = new CardFilePath(":3F00:0200:0009");
>GPKSignatureKeyFile keyFile = new GPKSignatureKeyFile(keyPath, 1024,
>    GPKRSAKeyFile.UNCERTIFIED_KEY);
>byte[] dataToSign = "I WANT TO GET THIS SIGNED".getBytes();
>byte[] mySignature = scs.signData(keyFile,
>    GPKStandardNames.SHA1_RSA, GPKStandardNames.PKCS_PADDING, dataToSign);
>
>Thanks!
>
>Sincerely,
>Mike

---
Visit the OpenCard web site at http://www.opencard.org/ for more
information on OpenCard---binaries, source code, documents.
This list is being archived at http://www.opencard.org/archive/opencard/

! To unsubscribe from the [EMAIL PROTECTED] mailing list send an email
! to
! [EMAIL PROTECTED]
! containing the word
! unsubscribe
! in the body.
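
Approach (2) from the reply, as an added example that is not code from either poster or from OCF: signing through a PKCS#11 module from Java. It swaps in the JDK's own SunPKCS11 provider (Java 9+) for the alphaWorks wrapper, and assumes the card vendor's PKCS#11 library (the path in the config file is a placeholder) performs whatever card-side authentication the key needs beyond the user PIN; the class name is hypothetical.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;

public class Pkcs11SignExample {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive): Pkcs11SignExample <pkcs11.cfg>");
            return;
        }
        // args[0] is a SunPKCS11 config file; assumed contents (placeholder path):
        //   name = Token
        //   library = /path/to/vendor-pkcs11-library
        Provider p = Security.getProvider("SunPKCS11").configure(args[0]);
        Security.addProvider(p);

        // Only the user PIN is supplied here; the application never touches
        // card files or access conditions directly.
        char[] pin = console.readPassword("User PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);              // logs in to the token
        Arrays.fill(pin, '\0');          // do not keep the PIN in memory

        byte[] data = "I WANT TO GET THIS SIGNED".getBytes(StandardCharsets.US_ASCII);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            // The returned object is a handle; the private key stays on the card.
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            // SHA1withRSA mirrors SHA1_RSA + PKCS padding in the original post;
            // SHA256withRSA is the usual choice where the token supports it.
            Signature signer = Signature.getInstance("SHA1withRSA", p);
            signer.initSign(key);
            signer.update(data);
            byte[] sig = signer.sign();

            // Check the result in software against the certificate on the card.
            Certificate cert = ks.getCertificate(alias);
            Signature verifier = Signature.getInstance("SHA1withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(data);
            System.out.printf("%s: %d-byte signature, verifies=%b%n",
                    alias, sig.length, verifier.verify(sig));
        }
    }
}
```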
