As I wrote in my last response, for signing an OCSP request/response the demo.pkcs.pkcs11.SignCertificate demo shows how you can do this. I guess it should be rather trivial to adapt this code for signing OCSP.

Regards
Karl Scheibelhofer
Hi Nick,

First have a look at the demo.pkcs.pkcs11.GenerateKeyPair demo. The first part of this demo shows how to generate a new key pair. There you get as result:

    RSAPublicKey generatedRSAPublicKey = (RSAPublicKey) generatedKeyPair.getPublicKey();
    RSAPrivateKey generatedRSAPrivateKey = (RSAPrivateKey) generatedKeyPair.getPrivateKey();

If your HSM sets the ID automatically upon key generation (I expect that this is what you mean), you should be able to get this ID by writing

    byte[] privateKeyIDBytes = generatedRSAPrivateKey.getId().getByteArrayValue();

thereafter. If your HSM does not assign an ID automatically, you have to provide one as shown in the demo:

    rsaPrivateKeyTemplate.getId().setByteArrayValue(id);

The demo demo.pkcs.pkcs11.SignAndVerify shows how to sign arbitrary data. (There are several demos showing different variants of signing for certain purposes: SignRaw, SignPKCS#7 or SignCertificate.) There is no explicit demo that shows how to sign an OCSP request/response. If you use our OCSP implementation from IAIK-JCE 3.0 (currently in beta, but released in the next two weeks), you can use demo.pkcs.pkcs11.SignCertificate, because the signing mechanism for X509Certificates is pretty much the same as for OCSP requests. You can download an evaluation version of IAIK-JCE 3.0 Beta 1 from our web-site.

I hope this is what you need.

Karl Scheibelhofer
Hi,

Thanks for your help. Here I describe my problem again.

We have two major classes, BasicOCSPResponse and OCSPResponse, for composing an OCSP response. We compose Single Responses and then compose the BasicOCSPResponse object from those, and set extra fields like ResponderID. Now we are going to sign the response. If we want to do it using a software module [when the private key is not saved in the HSM], then we call its sign function and get the data signed. I am fine till this. But what I want to do is the signing in the HSM, as my keys are in the HSM. So I am doing the following steps:

    BasicOCSPResponse basicOCSPResponse = ..........
    byte[] unsignedData = basicOCSPResponse.getTBSResponseData();

- Get Private Key Handle from HSM
- Create Mechanism reference

    session.signInit(...., ...., ....);

You can look into the SignAndVerify.java demo class; I simply provide my file as argument, in which I have saved the unsigned OCSP response bytes using the BasicOCSPResponse.writeTo() function.

    byte[] signatureValue = session.sign(....);

No problem so far. I want to send this signed data back to a BasicOCSPResponse object [either a new object or the already created object], so I do something like this:

    basicOCSPResponse = new BasicOCSPResponse(signatureValue);

But an exception is thrown here which says "Too Large ASN1 Object" - printStackTrace shows decode functions - perhaps a decoding problem.

How on earth can I get a BasicOCSPResponse object created from the signed data I get back from the HSM?

I see one reason: because the HSM is returning the signature only, I cannot create the BasicOCSPResponse object, but there is no function in the BasicOCSPResponse object which sets the signature value so that I could use it. I am definite that I am making a mistake somewhere or am not using the right functions, but I am really stuck. Will really appreciate urgent help.

Best Regards
Nick Karamer
----- Original Message -----
Sent: Thursday, January 03, 2002 3:04 PM
Subject: RE: Help on Pkcs11 please

Hi Nick,

First have a look at the demo.pkcs.pkcs11.GenerateKeyPair demo. The first part of this demo shows how to generate a new key pair. There you get as result:

    RSAPublicKey generatedRSAPublicKey = (RSAPublicKey) generatedKeyPair.getPublicKey();
    RSAPrivateKey generatedRSAPrivateKey = (RSAPrivateKey) generatedKeyPair.getPrivateKey();

If your HSM sets the ID automatically upon key generation (I expect that this is what you mean), you should be able to get this ID by writing

    byte[] privateKeyIDBytes = generatedRSAPrivateKey.getId().getByteArrayValue();

thereafter. If your HSM does not assign an ID automatically, you have to provide one as shown in the demo:

    rsaPrivateKeyTemplate.getId().setByteArrayValue(id);

The demo demo.pkcs.pkcs11.SignAndVerify shows how to sign arbitrary data. (There are several demos showing different variants of signing for certain purposes: SignRaw, SignPKCS#7 or SignCertificate.) There is no explicit demo that shows how to sign an OCSP request/response. If you use our OCSP implementation from IAIK-JCE 3.0 (currently in beta, but released in the next two weeks), you can use demo.pkcs.pkcs11.SignCertificate, because the signing mechanism for X509Certificates is pretty much the same as for OCSP requests. You can download an evaluation version of IAIK-JCE 3.0 Beta 1 from our web-site.

I hope this is what you need.

Karl Scheibelhofer
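The structure behind the "Too Large ASN1 Object" error in Nick's message, and behind Karl's remark that signing a certificate and signing an OCSP response are "pretty much the same", is the DER layout of RFC 2560's BasicOCSPResponse: a SEQUENCE of the signed tbsResponseData, an AlgorithmIdentifier, and the signature as a BIT STRING. The HSM's C_Sign (session.sign() in the wrapper) returns only the BIT STRING content, so handing that bare signature to a decoder that expects the whole SEQUENCE fails while reading a tag and length out of signature bytes. The following is an added example, not part of this thread and not IAIK code: a small DER assembler that builds the BasicOCSPResponse (and the outer OCSPResponse) around an externally produced signature, plus a parser that splits it back apart and shows why the bare signature does not decode. The OIDs are the real ones (sha1WithRSAEncryption, id-sha1, id-pkix-ocsp-basic); the ResponseData content and the 128-byte DEMO_SIGNATURE are constructed stand-ins, and no IAIK class is used.

```python
"""Added example, not IAIK code: DER layout a BasicOCSPResponse decoder expects,
assembled around a signature produced externally (an HSM's C_Sign output).
Per RFC 2560 4.2.1; only the OIDs are real, TBS content and signature are constructed."""
import hashlib

SHA1_WITH_RSA_OID = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption
SHA1_OID = "1.3.14.3.2.26"                      # id-sha1, used inside CertID
ID_PKIX_OCSP_BASIC_OID = "1.3.6.1.5.5.7.48.1.1"

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_algorithm_identifier(oid):
    """AlgorithmIdentifier with NULL parameters (RFC 3279 form for RSA and SHA-1)."""
    return der_tlv(0x30, der_oid(oid) + b"\x05\x00")

def assemble_basic_ocsp_response(tbs_response_data, signature, sig_alg_oid=SHA1_WITH_RSA_OID):
    """BasicOCSPResponse ::= SEQUENCE { tbsResponseData, signatureAlgorithm,
    signature BIT STRING } (certs [0] OPTIONAL omitted).  tbs_response_data must
    be the exact DER bytes the HSM signed; signature is the raw C_Sign output."""
    if not tbs_response_data or tbs_response_data[0] != 0x30:
        raise ValueError("tbsResponseData must be a DER SEQUENCE")
    sig_bits = der_tlv(0x03, b"\x00" + signature)        # 0 unused bits
    return der_tlv(0x30, tbs_response_data + der_algorithm_identifier(sig_alg_oid) + sig_bits)

def wrap_ocsp_response(basic_der):
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED (0 = successful),
    responseBytes [0] EXPLICIT SEQUENCE { responseType OID, response OCTET STRING } }"""
    rb = der_tlv(0x30, der_oid(ID_PKIX_OCSP_BASIC_OID) + der_tlv(0x04, basic_der))
    return der_tlv(0x30, b"\x0a\x01\x00" + der_tlv(0xA0, rb))

def parse_tlv(data, offset=0):
    """Return (tag, content, next_offset); a length overrunning the buffer raises,
    which is what a bare signature handed to a DER decoder typically trips over."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV")
    tag, first, offset = data[offset], data[offset + 1], offset + 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or offset + n > len(data):
            raise ValueError("bad long-form length")
        length, offset = int.from_bytes(data[offset:offset + n], "big"), offset + n
    if offset + length > len(data):
        raise ValueError("ASN.1 object larger than remaining data")
    return tag, data[offset:offset + length], offset + length

def parse_basic_ocsp_response(der):
    """Split a BasicOCSPResponse into the signed bytes, AlgorithmIdentifier and
    signature, so a verifier checks the signature over exactly 'tbs'."""
    tag, body, end = parse_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a BasicOCSPResponse SEQUENCE")
    tag, _, off = parse_tlv(body)
    alg_tag, _, off2 = parse_tlv(body, off)
    sig_tag, sig, _ = parse_tlv(body, off2)
    if tag != 0x30 or alg_tag != 0x30 or sig_tag != 0x03 or not sig or sig[0] != 0:
        raise ValueError("malformed tbsResponseData, signatureAlgorithm or signature")
    return {"tbs": body[:off], "alg": body[off:off2], "signature": sig[1:]}

def decodes_as_basic_ocsp_response(data):
    try:
        parse_basic_ocsp_response(data)
        return True
    except ValueError:
        return False

def constructed_tbs_response_data():
    """Minimal ResponseData constructed for the demo (not from any real CA):
    responderID byKey, producedAt, one SingleResponse with certStatus good."""
    responder_id = der_tlv(0xA2, der_tlv(0x04, hashlib.sha1(b"demo responder key").digest()))
    produced_at = der_tlv(0x18, b"20020103150400Z")            # GeneralizedTime
    cert_id = der_tlv(0x30, der_algorithm_identifier(SHA1_OID)
                      + der_tlv(0x04, hashlib.sha1(b"demo issuer name").digest())
                      + der_tlv(0x04, hashlib.sha1(b"demo issuer key").digest())
                      + der_tlv(0x02, b"\x10\x01"))              # serialNumber 4097
    single = der_tlv(0x30, cert_id + b"\x80\x00" + der_tlv(0x18, b"20020103150000Z"))
    return der_tlv(0x30, responder_id + produced_at + der_tlv(0x30, single))

# Constructed stand-in for the 128-byte RSA signature session.sign() would
# return over the TBS bytes; it is NOT a real signature.
DEMO_SIGNATURE = bytes(range(128))

if __name__ == "__main__":
    tbs = constructed_tbs_response_data()
    basic = assemble_basic_ocsp_response(tbs, DEMO_SIGNATURE)
    print(len(basic), len(wrap_ocsp_response(basic)), parse_basic_ocsp_response(basic)["tbs"] == tbs)
    print("bare signature decodes as BasicOCSPResponse:", decodes_as_basic_ocsp_response(DEMO_SIGNATURE))
```

Two things to check in a real deployment: the bytes passed to the HSM must be byte-for-byte the DER of tbsResponseData that ends up inside the response (parse_basic_ocsp_response returns exactly those bytes, which is what a relying party verifies against), and the AlgorithmIdentifier written into the response must describe what the HSM mechanism actually did (CKM_SHA1_RSA_PKCS corresponds to sha1WithRSAEncryption). An X.509 Certificate has the same three-part shape, SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }, which is why a routine that signs a certificate's TBS and reassembles the outer SEQUENCE carries over to OCSP with only the inner type changed.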
Hi,

Thanks for your help.

I got your email from the code IAIK has provided as demo. I have been successful in generating keys etc. into the HSM. But the problem is that suppose I want to sign an OCSP request with some key which is saved in the HSM. How do I do that? I could not find any sample [maybe it is there] which signs any data and returns the signed data back to me. Also, when I generate a key pair, there is an ID associated with it. I want to save this into a database so that I know which of my keys is for what purpose [I can save the key purpose with the key ID in the database] when I have more than one key pair for different kinds of signing. This ID is normally a random-number byte array; any idea on saving this to a database? I am using SQL Server 2000.

Thanks for your help.

Regards
Nick Karamer