
RE: [iaik-ssl]cu|| Invalid Mechanism Error While Signing



hi Nick,

> -----Original Message-----
> From: iaik-ssl-owner@iaik.at [mailto:iaik-ssl-owner@iaik.at] 
> On Behalf Of Nick Karamer
> Sent: Friday, April 12, 2002 12:03 PM
> To: Karl Scheibelhofer
> Cc: iaik-ssl@iaik.at
> Subject: [iaik-ssl]cu|| Invalid Mechanism Error While Signing
> 
> 
> Hi Karl,
> 
> Thanks .. i got it working through searching with two 
> attributes set, one for CKA_PRIVATE to true and CKA_ID to the 
> Key Id for Private, in case of Public Key i set CKA_PRIVATE 
> to false. Thanks again for your help.  Now the keys are found 
> but it gives an error 
> 
> iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_MECHANISM_INVALID
> 	at ASC_HSMManager.getChallengeSignedFromSmartCard(ASC_HSMManager.java:1011)
> 	at ASC_HSMManager.main(ASC_HSMManager.java:78)
> 
> when i call C_SignUpdate function.
> 
> CK_ATTRIBUTE[] attributeTemplateList = new CK_ATTRIBUTE[2];
> attributeTemplateList[0] = new CK_ATTRIBUTE();
> attributeTemplateList[0].type = 2;
> attributeTemplateList[0].pValue = new Boolean(PKCS11Constants.TRUE);
> attributeTemplateList[1] = new CK_ATTRIBUTE();
> attributeTemplateList[1].type = PKCS11Constants.CKA_ID;
> attributeTemplateList[1].pValue = a_strKeyId.getBytes();
> long[] slotIDs_ = __pkcs11.C_GetSlotList(true);
> token_ = slotIDs_[0];
> session_ = __pkcs11.C_OpenSession(token_,
>     PKCS11Constants.CKF_SERIAL_SESSION | PKCS11Constants.CKF_RW_SESSION, null, null);
> __pkcs11.C_Login(session_, PKCS11Constants.CKU_USER, str_UserPIN.toCharArray());
> System.out.println("The Smart Card is Logged in with New User");
> System.out.println("Going to get Handle for Private Key the User --- " + str_UserPIN);
> __pkcs11.C_FindObjectsInit(session_, attributeTemplateList);
> long[] availableSignatureKeys = __pkcs11.C_FindObjects(session_, 100); // maximum of 100 at once
> __pkcs11.C_FindObjectsFinal(session_);
> if (availableSignatureKeys != null && availableSignatureKeys.length >= 1)
> {
>     System.out.println("Private Key has been Found");
>     CK_MECHANISM signatureMechanism_ = new CK_MECHANISM();
>     signatureMechanism_.mechanism = PKCS11Constants.CKM_RSA_PKCS;
>     /* I have also tried CKM_SHA1_RSA_PKCS */
>     signatureMechanism_.pParameter = null;
>     __pkcs11.C_SignInit(session_, signatureMechanism_, availableSignatureKeys[0]);
>     __pkcs11.C_SignUpdate(session_, a_DataToBeSigned);
>     signedData = __pkcs11.C_SignFinal(session_);
> }
> 
> Do i have to add some provider or what? Why is this
> saying Invalid mechanism. The mechanism
> CKM_SHA1_RSA_PKCS also does not appear when i print
> information for all mechanisms available on the Smart
> Card.

you can only use those mechanisms that are really supported by your
smart card and driver.
if you call the GetInfo demo, you see the list of available mechanisms. 
if your card supports RSA keys, it should normally support at least one
of the RSA mechanisms.

regards

   Karl

--

Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
Institute for Applied Information Processing and Communications (IAIK)
at Graz University of Technology, Austria, http://www.iaik.at and
http://jcewww.iaik.at
Phone: (+43) (316) 873-5540

> 
> Greatly thankful
> Nick
>  
> --- Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at> wrote:
> > hi,
> > 
> > > -----Original Message-----
> > > From: Nick Karamer [mailto:nkaramer@yahoo.com]
> > > Sent: Friday, April 12, 2002 6:19 AM
> > > To: Karl Scheibelhofer
> > > Cc: iaik-ssl@iaik.at
> > > Subject: RE: [iaik-ssl]cu|| Retrieving Public Key from Smart Card
> > > 
> > > 
> > > Hi Karl,
> > > 
> > > Thanks for Your Response. That is fine that i will
> > > save the Public Key in this situation but i do not
> > > want to save Private Key ever out of Smart Card. Now i
> > > want that i send some information to smart card which
> > > is signed by Private Key and then i verify it with the
> > > Public Key saved in say Database [which i would have
> > > done when i had generated the key pair]. In this case
> > > i will definitely have to search the Private Key so
> > > that i get the Key handle for Private key and then
> > > pass to encrypt and/or sign methods. What do you
> > > suggest in that case.
> > 
> > if you have the key's ID, search for the private key just by its ID.
> > otherwise, try to search for a private key with the same modulus as the
> > public key.
> > 
> > if your PKCS#11 driver does not return any object (nor an error), your
> > driver does not work correctly. contact the vendor to fix it. (i assume
> > you paid for this hardware/software that claims to be PKCS#11 compliant.
> > if it is not, they should make it compliant...)
> > 
> > regards
> > 
> >   Karl
> > 
> > 
> > > 
> > > Best Regards
> > > Nick
> > > --- Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at> wrote:
> > > > hi Nick,
> > > > 
> > > > > -----Original Message-----
> > > > > From: iaik-ssl-owner@iaik.at [mailto:iaik-ssl-owner@iaik.at]
> > > > > On Behalf Of Nick Karamer
> > > > > Sent: Thursday, April 11, 2002 12:43 PM
> > > > > To: iaik-ssl@iaik.at
> > > > > Subject: [iaik-ssl]cu|| Retrieving Public Key from Smart Card
> > > > > 
> > > > > 
> > > > > Hi all,
> > > > > 
> > > > > I am successful in generating Key pair on the smart
> > > > > card through my application code. In fact i had to use
> > > > > C_XXXX functions of wrapper class PKCS11 directly. Now
> > > > > i want to do following
> > > > > 
> > > > > 1- Retrieve Public Key
> > > > > 2- Retrieve Private Key to send the handle of that for
> > > > > signing.
> > > > 
> > > > the method C_GenerateKeyPair returns the handle of the generated public
> > > > key and the private key.
> > > > you do not need to search for them.
> > > > 
> > > > > 
> > > > > I have written following code to find the Key
> > > > > 
> > > > >       long[] slotIDs_ = __pkcs11.C_GetSlotList(true);
> > > > >       token_ = slotIDs_[0];
> > > > >       session_ = __pkcs11.C_OpenSession(token_,
> > > > >           PKCS11Constants.CKF_SERIAL_SESSION | PKCS11Constants.CKF_RW_SESSION, null, null);
> > > > >       __pkcs11.C_Login(session_, PKCS11Constants.CKU_USER, str_UserPIN.toCharArray());
> > > > >       System.out.println("The Smart Card is Logged in with New User");
> > > > >       System.out.println("Going to get Public Key the User --- " + str_UserPIN);
> > > > >       // set the search template for the public key
> > > > >       int i_KeyLength = 1024; // change it
> > > > >       RSAPublicKey rsaPublicKeyTemplate = new RSAPublicKey();
> > > > >       rsaPublicKeyTemplate.getId().setByteArrayValue(a_strKeyId.getBytes());
> > > > >       rsaPublicKeyTemplate.getModulusBits().setLongValue(new Long(i_KeyLength));
> > > > >       rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
> > > > >       byte [] publicKeyExponentBytes = {0x01 , 0x00, 0x01};
> > > > >       rsaPublicKeyTemplate.getPublicExponent().setByteArrayValue(publicKeyExponentBytes);
> > > > >       Vector publikKeyAttributes = rsaPublicKeyTemplate.getSetAttributes();
> > > > >       CK_ATTRIBUTE [] publicKeyAttList = null;
> > > > >       if (publikKeyAttributes!=null && publikKeyAttributes.size()> 0)
> > > > >       {
> > > > >         publicKeyAttList = new CK_ATTRIBUTE[publikKeyAttributes.size()];
> > > > >         for (int i_Index=0; i_Index < publikKeyAttributes.size(); i_Index++)
> > > > >         {
> > > > >           publicKeyAttList[i_Index] = (CK_ATTRIBUTE)publikKeyAttributes.get(i_Index);
> > > > >         }
> > > > >         System.out.println("Total Attributes are " + publikKeyAttributes.size());
> > > > >       }
> > > > >       __pkcs11.C_FindObjectsInit(session_, publicKeyAttList);
> > > > >       long [] keysFound = __pkcs11.C_FindObjects(session_, 100);
> > > > >       __pkcs11.C_FindObjectsFinal(session_);
> > > > >       System.out.println("Total Attributes are after finding " + publicKeyAttList.length);
> > > > >       System.out.println("Total Keys Found are " + keysFound.length);
> > > > > 
> > > > > 
> > > > > These were the attributes which i had set when i
> > > > > created the key pair and it was created with success.
> > > > > Now everything goes fine but the function
> > > > > C_FindObjects returns 0 no of key handles. Also if i
> > > > 
> > > > as written above, you get the handles from the key-pair generation
> > > > directly.
> > > > 
> > > > > get some key then how would i convert it to
> > 
> === message truncated ===
> 
> 
--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the following
content: UNSUBSCRIBE iaik-ssl
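
Added example, not part of the thread or of IAIK's code: one way to act on the reply above, checking the token's mechanism list before C_SignInit and falling back to CKM_RSA_PKCS when CKM_SHA1_RSA_PKCS is absent, as on the card in the question. The class and method names are hypothetical, the slot, session and key handle are assumed to come from code like that in the thread, and the wrapper calls use the same argument forms as the posted code.

```java
import iaik.pkcs.pkcs11.wrapper.*;
import java.security.MessageDigest;

// Added example; class and method names are hypothetical.
public class SignWithSupportedMechanism {
    // ASN.1 DigestInfo header for SHA-1 (PKCS #1 v1.5); the 20-byte hash follows it.
    static final byte[] SHA1_DIGEST_INFO_PREFIX = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
        0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

    /** True if the token lists the mechanism for this slot and flags it for signing. */
    static boolean canSign(PKCS11 p11, long slotID, long mechanism) throws PKCS11Exception {
        for (long m : p11.C_GetMechanismList(slotID)) {
            if (m == mechanism) {
                CK_MECHANISM_INFO info = p11.C_GetMechanismInfo(slotID, mechanism);
                return (info.flags & PKCS11Constants.CKF_SIGN) != 0;
            }
        }
        return false;
    }

    /** Signs data with a private key handle on an open, logged-in session. */
    static byte[] sign(PKCS11 p11, long slotID, long session, long keyHandle, byte[] data)
            throws Exception {
        CK_MECHANISM mech = new CK_MECHANISM();
        mech.pParameter = null;
        if (canSign(p11, slotID, PKCS11Constants.CKM_SHA1_RSA_PKCS)) {
            // The token hashes internally, so multi-part update calls are allowed.
            mech.mechanism = PKCS11Constants.CKM_SHA1_RSA_PKCS;
            p11.C_SignInit(session, mech, keyHandle);
            p11.C_SignUpdate(session, data);
            return p11.C_SignFinal(session);
        }
        if (canSign(p11, slotID, PKCS11Constants.CKM_RSA_PKCS)) {
            // CKM_RSA_PKCS only pads and signs, and PKCS#11 defines it as single-part:
            // hash in software, wrap the hash in DigestInfo, then call C_Sign once.
            byte[] hash = MessageDigest.getInstance("SHA-1").digest(data);
            byte[] digestInfo = new byte[SHA1_DIGEST_INFO_PREFIX.length + hash.length];
            System.arraycopy(SHA1_DIGEST_INFO_PREFIX, 0, digestInfo, 0,
                             SHA1_DIGEST_INFO_PREFIX.length);
            System.arraycopy(hash, 0, digestInfo, SHA1_DIGEST_INFO_PREFIX.length, hash.length);
            mech.mechanism = PKCS11Constants.CKM_RSA_PKCS;
            p11.C_SignInit(session, mech, keyHandle);
            return p11.C_Sign(session, digestInfo);
        }
        throw new IllegalStateException("token offers no usable RSA signing mechanism");
    }
}
```

On the CKM_RSA_PKCS path the result verifies as an ordinary SHA1withRSA signature, because the DigestInfo wrapping that CKM_SHA1_RSA_PKCS would do on the card is done in software before the single C_Sign call.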
 
