santuario-dev mailing list archives

From "Barbara Schachner" <B.Schach...@gmx.net>
Subject How to use xmlsec with pkcs11 tokens
Date Sun, 08 Jan 2006 16:15:35 GMT
Hello!

Could anybody please help me with the following problem?

I'm using an Aladdin eToken and the new Sun PKCS#11 Provider to create XML
Signatures with the Apache xmlsec-Package (1.3.0).

My code works well with keys from a software keystore, but when I try to use
my private key from the token, I get the following
exception:

org.apache.xml.security.signature.XMLSignatureException:java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
Original Exception was
org.apache.xml.security.signature.XMLSignatureException:
java.security.ProviderException:sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_ATTRIBUTE_SENSITIVE
Original Exception was
java.security.InvalidKeyException:java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE

at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
...

I guess this is because the signing class wants to read the private key
(which is unextractable) from the token. (See the following lines in the
stack trace:

...
Caused by: java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
at sun.security.pkcs11.P11Key.fetchAttributes(P11Key.java:215)
at sun.security.pkcs11.P11Key$P11RSAPrivateKey.fetchValues(P11Key.java:416)
at sun.security.pkcs11.P11Key$P11RSAPrivateKey.getModulus(P11Key.java:448)
at sun.security.rsa.RSAKeyFactory.checkKey(RSAKeyFactory.java:110)
...)

I understood the solution could be to insert the pkcs11 provider on a higher
position, so that the token provider was used for signing instead of any
software provider. So I tried both:

1) Security.insertProviderAt(tokenProvider, 2); and

2) JCEMapper.setProviderId("SunPKCS11-Aladdin");

I think in both cases the effect was that the correct provider was selected
(because the stack trace looks different) but still it says
CKR_ATTRIBUTE_SENSITIVE:

java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
at sun.security.pkcs11.P11Key.fetchAttributes(P11Key.java:215)
at sun.security.pkcs11.P11Key$P11RSAPrivateKey.fetchValues(P11Key.java:416)
at sun.security.pkcs11.P11Key$P11RSAPrivateKey.getModulus(P11Key.java:448)
at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeyFactory.java:60)

Does anybody already have some experience with the new Sun PKCS#11 provider
in combination with Apache xmlsec? Is there a way to make this work?
Do you think my chances are better to make this run by using the IAIK Pkcs11
Provider instead of the sun provider?

Thanks in advance for any suggestions!
Barbara

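
Added example, not part of the original message and not xmlsec or Sun provider code: a token-free check, using only standard JCA calls, of which provider a Signature object binds to for a given key, and of how a software provider reacts to a key that exposes no material. Assumptions: OpaqueKey is a constructed stand-in for a non-extractable key handle (it is not SunPKCS11's P11Key), SHA256withRSA is chosen for current JDKs, and the default OpenJDK provider list is in use.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class ProviderSelectionDemo {
    /** Constructed stand-in for a non-extractable key handle: it names its
     *  algorithm but exposes no encoding and no RSA components. */
    static final class OpaqueKey implements PrivateKey {
        private static final long serialVersionUID = 1L;
        public String getAlgorithm() { return "RSA"; }
        public String getFormat()    { return null; }
        public byte[] getEncoded()   { return null; }
    }

    /** Let JCA choose a provider for this key and report which one it bound to. */
    static String probe(PrivateKey key) throws NoSuchAlgorithmException {
        Signature sig = Signature.getInstance("SHA256withRSA"); // no provider pinned
        try {
            sig.initSign(key); // provider selection happens here, driven by the key
            return "accepted by " + sig.getProvider().getName();
        } catch (InvalidKeyException e) {
            return "rejected: " + e.getMessage();
        }
    }

    /** Sign with an explicitly pinned provider, so selection does not depend
     *  on what the installed software providers make of the key class. */
    static byte[] signWith(Provider p, PrivateKey key, byte[] data)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA", p);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey softKey = kpg.generateKeyPair().getPrivate(); // constructed test key

        System.out.println("software key: " + probe(softKey));
        System.out.println("opaque key:   " + probe(new OpaqueKey()));

        Provider p = Security.getProvider("SunRsaSign"); // software RSA provider
        byte[] s = signWith(p, softKey,
                "constructed sample".getBytes(StandardCharsets.UTF_8));
        System.out.println("pinned to " + p.getName() + ": " + s.length + " bytes");
    }
}
```

With a real token, the same probe() call on the key returned by the PKCS#11 KeyStore shows whether the token provider or a software provider ends up handling it.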