Hi,

Thanks for the help. Here I describe my problem again.

We have two major classes, BasicOCSPResponse and OCSPResponse, for composing an OCSP response. We compose Single Responses and then compose a BasicOCSPResponse object from those, setting extra fields like ResponderID. Now we are going to sign the response. If we want to do it using a software module [when the private key is not saved in the HSM] then we call its sign function and get the data signed. I am fine up to this point. But what I want to do is the signing in the HSM, as my keys are in the HSM. So I am doing the following steps:

    BasicOCSPResponse basicOCSPResponse = ..........
    byte[] unsignedData = basicOCSPResponse.getTBSResponseData();

- Get the private key handle from the HSM
- Create a Mechanism reference

    session.signInit(....,....,....);

You can look into the SignAndVerify.java demo class; I simply provide my file as argument, in which I have saved the unsigned OCSP response bytes using the BasicOCSPResponse.writeTo() function.

    byte[] signatureValue = session.sign(....);

No problem so far.

I want to send this signed data back to a BasicOCSPResponse object [either a new object or the already created object], so I do something like this:

    basicOCSPResponse = new BasicOCSPResponse(signatureValue);

But an exception is thrown here which says

    Too Large ASN1 Object

The printStackTrace function shows decode functions - perhaps a decoding problem.

How on earth can I get a BasicOCSPResponse object created from the signed data I get back from the HSM?

I see one reason: because the HSM is returning the signature only, I cannot create the BasicOCSPResponse object, but there is no function in the BasicOCSPResponse object which sets the signature value so that I can use it. I am definite that I am making a mistake somewhere or am not using the right functions, but I am really stuck. Will really appreciate urgent help.

Best Regards
Nick Karamer
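Editor's note on the problem above: session.sign() returns only the raw signature bits, while the BasicOCSPResponse(byte[]) constructor expects the DER encoding of the whole structure (RFC 2560 section 4.2.1: SEQUENCE of tbsResponseData, signatureAlgorithm, signature BIT STRING, optional certs). Handing it a bare signature makes the DER decoder read the first signature bytes as a tag and length, which is the kind of failure "Too Large ASN1 Object" reports. The following is an added example, not code from this thread or from IAIK, showing how to look up the key on the token by its CKA_ID, sign the unchanged tbsResponseData bytes in the HSM, and rebuild the outer SEQUENCE so the object can be decoded and verified. The class and method names from the IAIK PKCS#11 wrapper and IAIK-JCE (Mechanism.get, Session.findObjects*, DerCoder, BIT_STRING, AlgorithmID.sha1WithRSAEncryption, BasicOCSPResponse(byte[]), BasicOCSPResponse.verify(PublicKey)) are assumed to exist as written; check them against the version you have.

```java
import java.security.PublicKey;

import iaik.asn1.ASN1Object;
import iaik.asn1.BIT_STRING;
import iaik.asn1.DerCoder;
import iaik.asn1.SEQUENCE;
import iaik.asn1.structures.AlgorithmID;
import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;
import iaik.x509.ocsp.BasicOCSPResponse;

/*
 * Added example (not from the thread, not IAIK's own code). Assumes the IAIK
 * wrapper / IAIK-JCE API names used below exist as written.
 *
 * RFC 2560, 4.2.1:
 *   BasicOCSPResponse ::= SEQUENCE {
 *     tbsResponseData    ResponseData,
 *     signatureAlgorithm AlgorithmIdentifier,
 *     signature          BIT STRING,
 *     certs          [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 *
 * The HSM gives back only "signature"; the caller has to rebuild the SEQUENCE.
 */
public class HsmOcspSigner {

    /** Find the RSA private key whose CKA_ID equals the ID kept in the database. */
    static RSAPrivateKey findPrivateKeyById(Session session, byte[] keyId) throws TokenException {
        RSAPrivateKey template = new RSAPrivateKey();      // sets CKA_CLASS / CKA_KEY_TYPE in the template
        template.getId().setByteArrayValue(keyId);
        session.findObjectsInit(template);
        try {
            iaik.pkcs.pkcs11.objects.Object[] found = session.findObjects(1);
            if (found.length == 0) {
                throw new TokenException("no RSA private key with this CKA_ID on the token");
            }
            return (RSAPrivateKey) found[0];
        } finally {
            session.findObjectsFinal();
        }
    }

    /**
     * Sign inside the HSM. CKM_SHA1_RSA_PKCS hashes and pads on the token, so the
     * input is the plain DER encoding of ResponseData, not a pre-computed digest.
     */
    static byte[] signOnToken(Session session, RSAPrivateKey key, byte[] tbsResponseData) throws TokenException {
        session.signInit(Mechanism.get(PKCS11Constants.CKM_SHA1_RSA_PKCS), key);
        return session.sign(tbsResponseData);
    }

    /** Rebuild the BasicOCSPResponse DER from the unchanged tbsResponseData and the signature. */
    static BasicOCSPResponse assemble(byte[] tbsResponseData, byte[] signature) throws Exception {
        ASN1Object tbs = DerCoder.decode(tbsResponseData);  // must be byte-for-byte what was signed
        SEQUENCE basic = new SEQUENCE();
        basic.addComponent(tbs);
        // signatureAlgorithm must match the PKCS#11 mechanism used in signOnToken()
        basic.addComponent(AlgorithmID.sha1WithRSAEncryption.toASN1Object());
        basic.addComponent(new BIT_STRING(signature));
        // certs [0] is omitted here; add it if clients cannot obtain the responder certificate otherwise
        return new BasicOCSPResponse(DerCoder.encode(basic));
    }

    /** End to end: locate key by stored ID, sign in the HSM, assemble the response object. */
    static BasicOCSPResponse signBasicOCSPResponse(Session session, byte[] keyId, byte[] tbsResponseData)
            throws Exception {
        RSAPrivateKey key = findPrivateKeyById(session, keyId);
        byte[] signature = signOnToken(session, key, tbsResponseData);
        return assemble(tbsResponseData, signature);
    }

    /** Check the assembled response against the responder's public key before sending it out. */
    static boolean verifies(BasicOCSPResponse response, PublicKey responderPublicKey) {
        try {
            response.verify(responderPublicKey);
            return true;
        } catch (Exception e) {
            return false;
        }
    }
}
```

Call signBasicOCSPResponse() with an already opened and logged-in Session (as in the GenerateKeyPair and SignAndVerify demos), the CKA_ID bytes read back from getId().getByteArrayValue(), and exactly the byte[] that getTBSResponseData() returned; any change to the ResponseData after that point (responderID, producedAt, the SingleResponses) invalidates the signature. If you switch the mechanism to CKM_SHA256_RSA_PKCS, change the AlgorithmID to sha256WithRSAEncryption in the same step, otherwise clients will verify with the wrong hash. Running verifies() against the responder's public key before returning the response catches a mismatched mechanism or a stale tbsResponseData locally instead of at the client.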
----- Original Message -----
Sent: Thursday, January 03, 2002 3:04 PM
Subject: RE: Help on Pkcs11 please

Hi Nick,

first have a look at the demo.pkcs.pkcs11.GenerateKeyPair demo. The first part in this demo shows how to generate a new key-pair. There you get as result

    RSAPublicKey generatedRSAPublicKey = (RSAPublicKey) generatedKeyPair.getPublicKey();
    RSAPrivateKey generatedRSAPrivateKey = (RSAPrivateKey) generatedKeyPair.getPrivateKey();

If your HSM sets the ID automatically upon key generation (I expect that this is what you mean), you should be able to get this ID by writing

    byte[] privateKeyIDBytes = generatedRSAPrivateKey.getId().getByteArrayValue();

thereafter. If your HSM does not assign an ID automatically, you have to provide one as shown in the demo:

    rsaPrivateKeyTemplate.getId().setByteArrayValue(id);

The demo demo.pkcs.pkcs11.SignAndVerify shows how to sign arbitrary data. (There are several demos showing different variants of signing for certain purposes: SignRaw, SignPKCS#7 or SignCertificate.) There is no explicit demo that shows how to sign an OCSP request/response. If you use our OCSP implementation from IAIK-JCE 3.0 (currently in beta, but released in the next two weeks), you can use demo.pkcs.pkcs11.SignCertificate, because the signing mechanism for X509Certificates is pretty much the same as for OCSP requests. You can download an evaluation version of IAIK-JCE 3.0 Beta 1 from our web-site.

I hope this is what you need.

Karl Scheibelhofer
Hi,

Thanks for your help.

I got your email from the code IAIK has provided as demo. I have been successful in generating keys etc. into the HSM. But the problem is that suppose I want to sign an OCSP request with some key which is saved in the HSM. How do I do that? I could not find any sample [maybe it is there] which signs any data and returns the signed data back to me. Also, when I generate a key pair there is an ID associated with it. I want to save this into a database so that I know which of my keys is for what purpose [I can save the key purpose with the key ID in the database] when I have more than one key pair for different kinds of signing. This ID is normally a byte array random number; any idea on saving this to a database? I am using SQL Server 2000.

Thanks for your help.

Regards
Nick Karamer