Posted to dev@santuario.apache.org by Barbara Schachner <B....@gmx.net> on 2006/01/08 17:15:35 UTC

How to use xmlsec with pkcs11 tokens

Hello!

Could anybody please help me with the following problem?

I'm using an Aladdin eToken and the new Sun PKCS#11 provider to create XML
Signatures with the Apache xmlsec package (1.3.0).

My code works well with keys from a software keystore, but when I try to use
my private key from the token, I get the following
exception:

org.apache.xml.security.signature.XMLSignatureException: java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
Original Exception was
org.apache.xml.security.signature.XMLSignatureException:
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_ATTRIBUTE_SENSITIVE
Original Exception was
java.security.InvalidKeyException: java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE

at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
...

I guess this is because the signing class wants to read the private key
(which is unextractable) from the token. (See the following lines in the
stack trace:

...
Caused by: java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
at sun.security.pkcs11.P11Key.fetchAttributes(P11Key.java:215)
at sun.security.pkcs11.P11Key$P11RSAPrivateKey.fetchValues(P11Key.java:416)
at sun.security.pkcs11.P11Key$P11RSAPrivateKey.getModulus(P11Key.java:448)
at sun.security.rsa.RSAKeyFactory.checkKey(RSAKeyFactory.java:110)
...)

I understood the solution could be to insert the PKCS#11 provider at a higher
position, so that the token provider is used for signing instead of any
software provider. So I tried both:

1) Security.insertProviderAt(tokenProvider, 2); and

2) JCEMapper.setProviderId("SunPKCS11-Aladdin");

I think in both cases the effect was that the correct provider was selected
(because the stack trace looks different) but still it says
CKR_ATTRIBUTE_SENSITIVE:

java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
at sun.security.pkcs11.P11Key.fetchAttributes(P11Key.java:215)
at sun.security.pkcs11.P11Key$P11RSAPrivateKey.fetchValues(P11Key.java:416)
at sun.security.pkcs11.P11Key$P11RSAPrivateKey.getModulus(P11Key.java:448)
at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeyFactory.java:60)

Does anybody already have some experience with the new Sun PKCS#11 provider
in combination with Apache xmlsec? Is there a way to make this work?
Do you think my chances of making this work are better with the IAIK PKCS#11
provider instead of the Sun provider?

Thanks in advance for any suggestions!
Barbara


Re: How to use xmlsec with pkcs11 tokens

Posted by Sean Mullan <Se...@Sun.COM>.
Try to put "attributes = compatibility" into the SunPKCS11 config file. 
This will often avoid such problems but it may not work with all PKCS#11 
tokens.

Failing that, can you send me a full stack trace of the exception?

--Sean

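The following is an added example that ties the two remedies in this thread together; it is my code, not code from the original posts or from the xmlsec project. It writes a SunPKCS11 configuration that contains the "attributes = compatibility" line from the reply, loads the provider from it, and then does what Barbara's options 1) and 2) do: it inserts the token provider ahead of the software providers and pins xmlsec's JCE lookups to it with JCEMapper.setProviderId, so the private-key handle from the token never reaches a software RSA key factory that would call getModulus() on it. Assumptions: the PKCS#11 library path, PIN, key alias and input file are passed on the command line; the provider name suffix "Aladdin" is chosen only so that the resulting provider id is "SunPKCS11-Aladdin" as in the post; Provider.configure() is the JDK 9+ way of loading SunPKCS11 (the JDK 5-8 constructor is noted in a comment); the token offers an RSA mechanism usable for SHA-256 (on an older token, swap in the SHA-1 constants). The raw JCA probe signature before the xmlsec call is there to separate a token or provider problem from an xmlsec provider-selection problem.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;

/** Signs an XML document with a non-extractable RSA key that lives on a PKCS#11 token. */
public class Pkcs11XmlSign {

    /**
     * Writes a SunPKCS11 config file and loads the provider from it.
     * libraryPath is an assumption (the vendor's PKCS#11 .so/.dll). "Aladdin" is
     * only the name suffix, so the provider id becomes "SunPKCS11-Aladdin".
     */
    static Provider loadPkcs11Provider(String libraryPath) throws IOException {
        String config = String.join("\n",
            "name = Aladdin",
            "library = " + libraryPath,
            // The setting suggested in the reply; works with many but not all tokens.
            "attributes = compatibility",
            "");
        Path conf = Files.createTempFile("sunpkcs11-", ".cfg");
        Files.write(conf, config.getBytes(StandardCharsets.UTF_8));
        conf.toFile().deleteOnExit();
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 is not available in this JDK");
        }
        // JDK 9+ API. On JDK 5-8 the equivalent is
        // new sun.security.pkcs11.SunPKCS11(conf.toString()).
        return base.configure(conf.toString());
    }

    /** Enveloped signature over the whole document; the RSA operation runs on the token. */
    static Document sign(Provider p11, char[] pin, String alias, Document doc) throws Exception {
        // Option 1) from the post: put the token ahead of the software RSA
        // providers, so a Signature.getInstance("...withRSA") on our P11 key
        // handle lands on the token rather than on SunRsaSign, whose key
        // factory calls getModulus() and triggers CKR_ATTRIBUTE_SENSITIVE.
        Security.insertProviderAt(p11, 1);

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);   // a handle, not key bytes
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) {
            throw new IllegalStateException("no key/certificate pair under alias " + alias);
        }

        // Sanity check outside xmlsec: if this already fails, the problem is
        // the token/provider setup, not the XML layer.
        Signature probe = Signature.getInstance("SHA256withRSA", p11);
        probe.initSign(key);
        probe.update("probe".getBytes(StandardCharsets.UTF_8));
        probe.sign();

        Init.init();
        // Option 2) from the post: pin xmlsec's JCE lookups to the token provider.
        JCEMapper.setProviderId(p11.getName());

        // Assumption: the token has an RSA mechanism usable for SHA-256; otherwise
        // use XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1 and Constants.ALGO_ID_DIGEST_SHA1.
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        doc.getDocumentElement().appendChild(sig.getElement());
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(cert);
        sig.sign(key);   // digest in software, RSA operation inside the token
        return doc;
    }

    public static void main(String[] args) throws Exception {
        // args: <pkcs11 library> <PIN> <key alias> <input.xml>  (all assumptions)
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required by xmlsec
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File(args[3]));
        Provider p11 = loadPkcs11Provider(args[0]);
        Document signed = sign(p11, args[1].toCharArray(), args[2], doc);
        XMLUtils.outputDOM(signed, System.out);
    }
}
```

If the probe signature succeeds but XMLSignature.sign() still reports CKR_ATTRIBUTE_SENSITIVE, the key handle is being translated by a different provider than the one that owns it, which is what the P11RSAKeyFactory.implTranslatePrivateKey frame in the second stack trace indicates; check that the provider id given to JCEMapper is exactly the name of the provider instance the KeyStore was opened with, since a second SunPKCS11 instance configured from another file is a different provider as far as the JCA is concerned.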