As per all readings I have found that, while using USB Token(HSM) we are unable to fetch private key from USB Token, Then Why we call KeyStore.getKey(alias,password) in java code.
I have done something like this where ks is my KeyStore object.
PrivateKey privateKey=(PrivateKey)ks.getKey(alias,pass.toCharArray());
and then print privateKey i get the following values.
{algorithm: "RSA", encoded: null, format: null}
Can anybody explain the need of This step, and what it will do while we digitally sign a document using USB Token?
PrivateKey is an interface, the implementation depends on the cryptographic provider.
In your case, for an USB token, the provider (probably Sun pkcs#11) encapsulates the pkcs11 commands to the token when you executes a cryptographic operation. The private key is not really contained in your java service and the commands are executed on the token
A private key is non-extractable, so the encoded value must be null. For example if you use a Pkcs12 keystore ( a local .p12 file) you will see that encoded attribute contains the private key encoded in DER format
Related
I have generated RSA keypair by using pkcs11 library, and signed the CSR using private key in HSM. but when I decode CSR, it shows invalid signature. I am using bouncy castle to create CSR.
As I am hardstuck on this from many days.
I got into very odd situation were im not able to create JWT sign token in sap netweaver server.
currently the encryption is done using p12 file instead of pem file in sap server.
Docusign only provide the RSA key in .pem format. Which at the moment is not feasible for me.
Is there a way to download/create RSA key in .p12 format like it is provided in google api's instead of text/pem format or how can we create JWT sign token using RSA private key in .pem format in sap netweaver server.
Thanks and regards,
Rahul.
DocuSign creates the public/private key pairs for JWT signing. You download the private key in pem format from DocuSign. Something like this:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuv1+cIU9ashbXUxkJXzsqoeN3rNjcwcRMI17njwHpOh+ljV6
CNLRu+VAvtFdluK/TN+idb7jlFBe2CIdNbev/sYX1lB0+zJw1vsgSSk31d9vdPQb
n5R0FZUTsAYXv27JB6kc5N/6n2uroeNmeABkZZTLvXSmibYOjVYeB+Ig5HBS2Xxw
...lines omitted...
O2F4bIUOh1pdRydwHH0bMLXfyqn7sOxdEJwIq6Is5DwKeLJUEyfiuaGGjHQBfs+u
eoySeQKBgQC1aRTK4g4c5dgxdywCRTje/kUh5Ion6vFLLrTmEKtV9LFyFvLtFrVL
iX9G3qm0a3raSNwXylfbs88tPDrTGaTEM2opt5YpDWExpS7sLknDQxGcCzgyjTqc
/p6p+tOzgoc+osBMCNvBPS8tEAmdfTk7LFxVh8UY49JIpwoAnJ7c5Q==
-----END RSA PRIVATE KEY-----
Converting to p12 format
You can run open source applications locally to do this conversion.
There are also online converters available. See google for a list.
We are trying to implement the following workflow:
generate private key in browser, using window.crypto
create a PKCS10 certificate signing request in the browser
send the PKCS10 to a server
the server signs the request and returns an x509 certificate in PEM format
the browser stores the certificate for itself
The same thing already works using the keygen tag in the browser and using SPKAC instead of pkcs10. Now, however the browser does not store the certificate returned, just wants to save them. When we try to import the certificate to the browser by hand, we got "the private key for the certificate is missing or invalid".
We suspect that the private key generated by window.crypto.generateKey() does not get stored in the browser's keystore. How to get the private key stored in the keystore?
The implementation of the first two steps is based on http://blog.engelke.com/2014/08/23/public-key-cryptography-in-the-browser/
Update: As some browsers use the OS keystore, I am also looking into the possibility to save the key into the OS keystore through some other way.
What I have figured out so far:
Java cannot be used according to this question: Tell Java to use Windows keystore
In Windows one can use ActiveX controls.
Summary: Found no standard cross-browser and cross-OS way to generate and meaningfully use X509 certificates. There are combinations (new chrome versions (dropping keygen support) on non-windows OS) where there is no way to do this.
I am signing saml Response and assertion with x509 certificate. The response is posted to a java app, which throws error Signature length not correct…". I am asked to make sure that the xml doc is signed with certificate in JKS format and not pkcs12.
Is there a way to sign xml document in jks format in c# and then post the saml response to java app?
There is no such thing as a XML document signed in JKS format. These are apples and oranges.
XML digital signatures are specified in XMLDsig standard (assuming that you use XML digital signatures). http://www.w3.org/TR/xmldsig-core/
When you sign something you use the private key of an asymmetric key pair, probably an RSA key pair. http://en.wikipedia.org/wiki/RSA_%28algorithm%29
When you verify the signature you use the public key, commonly wrapped in an X.509 Certificate. http://en.wikipedia.org/wiki/Public_key_certificate
JKS and PKCS#12 are two different formats for storing the private key and the certificate in a container, encrypted using a password (since the private key is supposed to be private you want to protect it using a password).
When you sign an XML document you open the JKS/P12 keystore and use the private key to sign, and optionally include the certificate for easier verification for the recipient.
The private key and the certificate are identical in both cases, i.e. it does not matter if you use JKS or P12, the XML signature is bit for bit identical.
Probably you are sending both the XML document and the PKCS12 keystore to the recipient, and the recipient is unable to open PKCS12 keystore properly?
Java can open both JKS and PKCS12 with no problems at all, most likely your problem is related to something else than JKS vs PKCS12.
I do not know if C# can read and/or write JKS files (JKS == Java Key Store)
We are following the below article for over the air enrollment and profile delivery feature
http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1
We could able to complete steps in Phase 1 and Phase 2. Once the device acquires the certificate from SCEP server(as part of phase 2), it sends the response back to the MDM server. This response is signed by the new certificate.The response consists of signature, plist content and certificate in binary format. Ideally, we need to extract the public key from this certificate and use that to sign the configuration profile (.mobileconfig). However we have difficulty extracting the certificate from the response. Looks like the certificate is corrupted somehow. We tried different encodings. But it didn't help :(
Has anyone successfully extracted the certificate in Phase #3.
Really appreciate any help in this regard.
Thanks
The response from the device is a DER-encoded SMIME string. You can use openssl smime to extract the public key.
if you are using C#, this can be accessed as part of the Pkcs library.
using System.Security.Cryptography.Pkcs
...
//get the data as a byte[]
var signer = new SignedCms();
signer.Decode(input)
//signer.Certificates[0] contains the cert
To extract the certificates you can use openssl cli :
openssl pkcs7 -print_certs -in requestFromDevice.p7s -inform DER
You can then easily parse the output using stdout.split('-----END CERTIFICATE-----') & stdout.split("\n") (in javascript).