I'm trying to make a program that reads and displays certificate info from the token (Safenet)
but the problem that I face is :
Exception in thread "main" java.security.ProviderException: Error parsing configuration
so I think the problem is in the Configuration file.
How can I make the configration file and also the implementation file so it works correctly.
Thanks
you can able to resolve the error by correcting nss.cfg in %AS_HOME%\domains\nssdomain\config\
you can follow the instructions in the section "Configure Glassfish to Use the NSS Stores" on this page.
Either follow this link also.
In order to work with PKCS#11 in java you need to provide a config file where you at least specify library and name parameter. In this parameters you must specify the path to native library for the token and a arbitrary identifier. Additionally you can add more parameters but they are optional, you can take a look on java pkcs#11 reference guide. I give you a code sample to instantiate a PKCS#11:
// create configuration
String pkcs11nativeLibrary = "/path_to_native_library/library.so";
String pkcs11ConfigSettings = "name = mySmartCard\n" + "library = " + pkcs11nativeLibrary;
byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes();
final ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes);
// instantiate the provider with your config
SunPKCS11 pkcs11Provider = new SunPKCS11(confStream);
Security.addProvider(pkcs11Provider);
// get the keystore
Char[] pkcs11Password = "your_password".toCharArray();
KeyStore myPKCS11KS = KeyStore.getInstance("PKCS11", pkcs11Provider );
myPKCS11KS.load(null, pkcs11Password);
In the sample I put the pkcs11 password directly, however when you try to load a PKCS#11 from some client you have to get the password dinamically in order to do so you can change you key store instance for something like:
// YourCallbackHandler must implements javax.security.auth.callback.CallbackHandler
KeyStore.CallbackHandlerProtection cbhp = new KeyStore.CallbackHandlerProtection(new YourCallbackHandler());
KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", pkcs11Provider, cbhp);
KeyStore myPKCS11KS = builder.getKeyStore();
Hope this helps,
Related
I need jCrypt java class in my ColdFusion application to encrypt passwords. Here is the code that I'm trying to use:
<cfscript>
cfobject( name="JCrypt", type="java", action="create", class="JCrypt" );
enc_password = trim(JCrypt.crypt("kL","myPassTest123"));
</cfscript>
Once I run this code error occurred with this message:
Object Instantiation Exception.
Class not found: JCrypt
The message indicates that class is not found. I'm wondering how I can implement jCrypt in my ColdFusion application? Thank you.
I would be hesitant to use something like JCrypt that has little to no footprint on the Internet as the base for password encryption. The sourceforge page has a link to a homepage to no longer exists. You should be using BCrypt for password encryption.
https://auth0.com/blog/hashing-in-action-understanding-bcrypt/
Brad Wood has a great presentation on ColdFusion and BCrypt called "Pass the Salt".
You can download a copy of JBcrypt here:
https://www.mindrot.org/projects/jBCrypt/
Here's a ColdBox Module that can give you some idea of a CF implementation:
https://github.com/coldbox-modules/cbox-bcrypt
That repo has a copy of the JBcrypt.jar file and a CFC wrapper that you can just drop into your application.
https://github.com/coldbox-modules/cbox-bcrypt/blob/master/modules/bcrypt/models/BCrypt.cfc
This wrapper uses a Java Loader to to load the JAR if you can't just drop the file into the CF server's lib path.
oBcrypt = new path.to.Bcrypt();
password = "Password";
hashed = oBcrypt.hashPassword(password);
check = oBcrypt.checkPassword(password, hashed);
The hashPassword() function will save the salt and the encrypted password in a single string that you save in the database.
I would like to get the email address and expire date to a S/MIME certificate based on it's public key. Is this aproach even possible? Or am I totally wrong? Can I decrypt the public key to get these kind of data via java?
I searched in google, read the wiki pages and read about an oracle s/mime project. But it doesn't seam like its possible. Are those data only availabe in the csr??
Thanks in advance
I'm amazed this isn't a dupe, but I couldn't find a good one.
Although Bouncy is fine and has many features if you want to use it, core Java can handle X.509 certificates since forever. For a cert in a file (or anything that can be accessed as a Stream) in either PEM or DER format (although the javadoc isn't clear on that) all you need is CertificateFactory:
CertificateFactory fact = CertificateFactory.getInstance("X.509");
// from a real file
InputStream is = new FileInputStream ("filename");
Certificate cert = fact.generateCertificate(is);
is.close(); // or use try-resources to do automatically
// from an alternate/custom filesystem, such as a ZIP
Path p = Paths.get("somespecification"); // or any other creation of a Path
InputStream is = Files.newInputStream(p); // add open options if needed
// same as before
// from the classpath (usually a JAR)
InputStream is = ClassLoader /*or any Class<?> object*/ .getResourceAsStream("name");
// same as before
// from a byte[] in memory
InputStream is = new ByteArrayInputStream (bytearray);
// same as before, except don't really need to close
// you get the idea
Although JCA APIs like this one are defined to allow a lot of extension, reading an X.509 cert will actually give you not just Certificate but subclass X509Certificate from which .getNotAfter() gives the expiration date-time directly. The email address if present (which isn't required by X.509 certs in general, but should always be the case in a cert used for S/MIME) will usually be an attribute in the subject name, which actually has internal structure that Java doesn't let you get at directly so you need to:
String x500name = ((X509Certificate)cert).getSubjectX500Principal()) .toString();
// simple case: no multivalue RDN, no reserved chars ,+="<>\;# or extra spaces
for( String attr : x500name.split(", ") )
if( attr.startsWith("EMAILADDRESS=") )
... use attr.substring(13) ...
// other cases require slightly more complicated parsing
Note there is no encryption at all in X.509, and thus no actual decryption, although many people use 'decrypt' to describe anything unfamiliar not an actual cipher.
File file = new File(fileName);
FileReader fileReader = new FileReader(file);
PEMParser pemParser = new PEMParser(fileReader);
X509CertificateHolder caCertificate = (X509CertificateHolder) pemParser.readObject();
Because of using HSM hardware we need to sign a jar file w/o actually using Jarsigner. It's all pretty obvious, to the exception of the SHA256 digest of the manifest's main attributes, the attribute "SHA-256-Digest-Manifest-Main-Attributes" in the .SF file.
The main attributes are defined in the manifest specification.
However, I can not seem to find the proper order and/or values to hash. I've been scanning the source code of Jarsigner, but neither can I not find the class reading the attributes.
Does somebody knows how this works ?
[UPDATE: PKCS11 Sun provider]
Using Java PKCS11 provider works, but it yields an empty keystore
name = OpenSC
description = SunPKCS11 w/ OpenSC Smart card Framework
library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
slotListIndex = 0
Code sample
final InputStream inputStream = Signer.class.getClassLoader().getResourceAsStream("opensc-java.cfg");
final SunPKCS11 pkcs11 = new SunPKCS11(inputStream);
final KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
ks.load(null, "*****".toCharArray());
How to display details of the subject in a certificate (DER format ie .cer file) in java ? eg: email, country, Name or seperate OIDs etc.
Reading a certificate could be done from the above code. Will work in Android as well. Thank you GreyBeardedGeek. But to more elaborate on it (As curious requested), if you display the subject details by using methods getSubjectDN() or cert.getSubjectX500Principal().getname() it will display the whole details. Some may be encoded. I believe it ASN1.(not sure). What I need is to extract only the information I need. For an example please refer the output of the code for a sample certificate I had created. using method - cert.getSubjectX500Principal().getname() Subject Name 2.5.4.5=#130d4e2d61626c652f49542f303130,2.5.4.72=#1308456e67696e656572,2.5.4.41=#13104e7577616e20446520416c6d65696461,1.2.840.113549.1.9.1=#16106e7577616e406e2d61626c652e62697a,OU=Information Technology,O=N-able Pvt Ltd\ ,ST=Western,C=LK
2.5.4.5 is an OID (Object Identifier) which is encoded.
Using method - getSubjectDN()
OID.2.5.4.5=N-able/IT/010, OID.2.5.4.72=Engineer, OID.2.5.4.41=Nuwan De Almeida, OID.1.2.840.113549.1.9.1=#16106E7577616E406E2D61626C652E62697A, OU=Information Technology, O="N-able Pvt Ltd ", ST=Western, C=LK
Here also some information is encoded eg: email address.
So coming back to my question , how can we extract information(not encoded) separately based on the OID. Further if you install the certificate in windows OS you could view the subject information correctly.What I need is a code to get the OID value information passing the OID in java, to extract subject details separately.
Thank you again in advance.
Look into the Bouncy Castle ASN.1 parsing libraries and especially X500Name. It can parse a distinguished name (DN) into its parts (CN, O, etc.).
http://www.bouncycastle.org/docs/docs1.5on/index.html
The following code (no error handling included) will produce an instance of X509Certificate from the .cer file. You can then use that object's methods to inspect the properties of the certificate. The code is generic java, but should work in Android.
X509Certificate cert = null;
FileInputStream fis = null;
ByteArrayInputStream bais = null;
String source = "certificate.cer";
String certType = "X.509"
fis = new FileInputStream(source);
byte[] value = new byte[fis.available()];
fis.read(value);
bais = new ByteArrayInputStream(value);
java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance(certType);
cert = (X509Certificate)cf.generateCertificate(bais);
Hello I'm trying to access the keystore from my smartcard in Java. And I'm using the following code..
I'm using the Pkcs11 implementation of OpenSc http://www.opensc-project.org/opensc
File windows.cnf =
name=dnie
library=C:\WINDOWS\system32\opensc-pkcs11.dll
Java Code =
String configName = "windows.cnf"
String PIN = "####";
Provider p = new sun.security.pkcs11.SunPKCS11(configName);
Security.addProvider(p);
KeyStore keyStore = KeyStore.getInstance("PKCS11", "SunPKCS11-dnie"); =)(=
char[] pin = PIN.toCharArray();
keyStore.load(null, pin);
When the execution goes by the line with =)(= throws me the following exception
java.security.KeyStoreException: PKCS11 not found
at java.security.KeyStore.getInstance(KeyStore.java:635)
at ObtenerDatos.LeerDatos(ObtenerDatos.java:52)
at ObtenerDatos.obtenerNombre(ObtenerDatos.java:19)
at main.main(main.java:27)
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-dnie
at sun.security.jca.GetInstance.getService(GetInstance.java:70)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
at java.security.Security.getImpl(Security.java:662)
at java.security.KeyStore.getInstance(KeyStore.java:632)
I think the problem is "SunPKCS11-dnie", but I don't know to put there. I had tried with a lot of combinations...
Anyone can help me...
I was also getting the error as below:
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11
I am running the application from a jar through bat file.
I bat file I replaced the code : java - jar sign.jar
with code: java -Djava.security.debug=sunpkcs11,pkcs11 -jar SigningUtility.jar
And it solved the issue.
I am not sure the problem is the name. It looks correct. ColinD's suggestion to pass the Provider instance should rule it out as a problem.
I am guessing that the problem is with the PKCS11 support. Like, you don't have a card in your reader, or the native code cannot access the reader. Have you tried using this driver in conjunction with some "known good" software, like Firefox or Thunderbird's security modules?
Why don't you just pass the Provider directly as the second argument to KeyStore.getInstance(String, Provider). In your code you'd just do:
KeyStore keyStore = KeyStore.getInstance("PKCS11", p);
Try the below code:
// Create instance of SunPKCS11 provider
String pkcs11Config = "name=eToken\nlibrary=C:\\Windows\\System32\\eps2003csp11.dll";
java.io.ByteArrayInputStream pkcs11ConfigStream = new java.io.ByteArrayInputStream(pkcs11Config.getBytes());
sun.security.pkcs11.SunPKCS11 providerPKCS11 = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigStream);
java.security.Security.addProvider(providerPKCS11);
// Get provider KeyStore and login with PIN
String pin = "12345678";
java.security.KeyStore keyStore = java.security.KeyStore.getInstance("PKCS11", providerPKCS11);
keyStore.load(null, pin.toCharArray());
it is working fine for me.