[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[iaik-ssl] Help on Pkcs11 please

Thanks for Help. Here i describe my problem again.
We have two major classes BasicOCSPResponse and OCSPResponse for composing ocsp response. We compose Single Responses and then compose BasicOCSPResponse object from those, set extra fields like ResponderID. Now we are going to sign the response. If we want to do it using Software module[when private key is not saved in HSM] then we call its sign function and get the data signed. I am fine till this. But what i want to do is that do signing in HSM as my Keys are in HSM. So i am doing following steps
BasicOCSPResponse basicOCSPResponse = ..........
byte [] unsignedData = basicOCSPResponse.getTBSResponseData();
- Get Private Key Handle from HSM
- Create Mechanism reference
You can look into SignAndVerify.java demo class, i simply provide my file as argument in which i have saved unsigned ocsp response bytes using BasicOCSPResponse.writeTo() function
byte [] signatureValue = session.sign(....);
 No problem so far
I want to send this signed data back to BasicOCSPResponse object[either new object or to the already created object], i do something like this
basicOCSPResponse = new BasicOCSPResponse(signatureValue);
But Exception is thrown here which says
Too Large ASN1 Object - printStackTrace function shows decode functions - perhaps decoding problem
How on earth can i get BasicOCSPResponse object created from the signed data i get back from HSM?
I see one reason that because HSM is returning signature only so i can not create the BasicOCSPResponse object, but there is no function in BasicOCSPResponse object which sets signature value so that i can use this function. I am definite that i am making mistake somewhere or i am not using the right functions but am really stuck. Will really appreciate urgent help.
Best Regards
Nick Karamer
----- Original Message -----
Sent: Thursday, January 03, 2002 3:04 PM
Subject: RE: Help on Pkcs11 please

Hi Nick,
first have a look at the demo.pkcs.pkcs11.GenerateKeyPair demo. the first part in this demo shows how to generate a new key-pair.
there you get as result
      RSAPublicKey generatedRSAPublicKey = (RSAPublicKey) generatedKeyPair.getPublicKey();
      RSAPrivateKey generatedRSAPrivateKey = (RSAPrivateKey) generatedKeyPair.getPrivateKey();
if your HSM sets the ID automatically upon key generation (i epect that this is what you mean), you should be able to get this ID by writing
   byte[] privateKeyIDBytes = generatedRSAPrivateKey.getId().getByteArrayValue();
thereafter. if your HSM does not assign an ID automatically you have to provide one as shown in the demo.
having this ID, you can save it whereever you want; e.g. into a SQL server using JDBC (http://java.sun.com/products/jdbc/index.html).
the demo demo.pkcs.pkcs11.SignAndVerify shows how to sign arbitrary data. (there are several demos showing different variants of signing for certain purposes: SignRaw, SignPKCS#7 or SignCertificate). there is no explicit demo that shows how to sign an OCSP request/response. if you use our OCSP implementation from IAIK-JCE 3.0 (currently in beta, but release in the next two weeks), you can use the demo.pkcs.pkcs11.SignCertificate, because the signing mechanism for X509Certificates is pretty much the same as for OCSP requests. you can download an evaluation version of IAIK-JCE 3.0 Beta 1 from our web-site.
i hope this is what you need.
  Karl Scheibelhofer

Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at>
Institute for Applied Information Processing and Communications (IAIK)
at Graz University of Technology , Austria, http://www.iaik.at and http://jcewww.iaik.at
Phone: (+43) (316) 873-5540
-----Original Message-----
From: Nick Kramer [mailto:nick@ascertia.com]
Sent: Thursday, January 03, 2002 3:16 PM
To: Karl.Scheibelhofer@iaik.at
Subject: Help on Pkcs11 please

Thanks for your help.
I got your email from the code IAIK has provided as demo. I have been successful in generating keys etc into the HSM. But the problem is that suppose i want to sign an OCSP request with some key, which is saved in the HSM. How do i do that? i could not find any sample[might be it is there] which signs any data and returns the signed data back to me. Also when i generate a key pair, there is an ID associated with it. I want to save this into database so that i know which of my key is for what purpose[i can save the key purpose with key ID in the database] when i have more than 1 key pairs for different kinds of signing. this ID is normally a byte array random number, any idea on saving this to database? i am using SQL server 2000.
Thanks for your Help.
Nick Karamer