
Signature with a private key doesn't work in JSS


Felix Alejandro Prieto Carratala

Oct 7, 2010, 5:02:30 PM
to dev-tec...@lists.mozilla.org
Hi,
I need to sign an array of bytes with a private key (an iText requirement) that is stored in JSS. I looked on Google, but everybody suggested the same idea, which is essentially:

       try {
            //certificate is a org.mozilla.jss.crypto.X509Certificate from the keystore
            byte[] derCert = certificate.getEncoded();
            org.mozilla.jss.pkix.cert.Certificate cert =
                    (org.mozilla.jss.pkix.cert.Certificate) ASN1Util.decode(org.mozilla.jss.pkix.cert.Certificate.getTemplate(),
                    derCert);
            Name issuerName = cert.getInfo().getIssuer();

            MessageDigest md =
                    MessageDigest.getInstance(DigestAlgorithm.SHA1.toString());
            //data is the byte[]
            byte[] messageDigest = md.digest(data);

            ContentInfo ci = new ContentInfo(data);

            IssuerAndSerialNumber iasn = new IssuerAndSerialNumber(issuerName,
                    new INTEGER(certificate.getSerialNumber()));

            SET authenticatedAttributes = null;
            SET unauthenticatedAttributes = null;

            OBJECT_IDENTIFIER contentType = ContentInfo.DATA;
            SignatureAlgorithm signingAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest;

            //pk is a org.mozilla.jss.crypto.PrivateKey that I get with
            //CryptoManager.findPrivKeyByCert(cryptoManager.findCertByNickname(nickName));
            SignerInfo si = new SignerInfo(iasn,
                    authenticatedAttributes,
                    unauthenticatedAttributes,
                    contentType,
                    messageDigest,
                    signingAlg,
                    pk);

            SET digestAlgorithms = null;
            digestAlgorithms = new SET();
            digestAlgorithms.addElement(new AlgorithmIdentifier(DigestAlgorithm.SHA1.toOID()));

            SET certificates = null;
            SET signers = null;
            SET crls = null;
            certificates = new SET();

            certificates.addElement(new ANY(certificate.getEncoded()));
            certificates.addElement(new ANY(certChain[1].getEncoded()));
            for (int i = certChain.length; i < 0; --i) {               
                certificates.addElement(new ANY(certChain[i - 1].getEncoded()));
            }

            signers = new SET();
            signers.addElement(si);
            SignedData sd = new SignedData(digestAlgorithms, ci, certificates, crls,
                    signers);

            ContentInfo cisd = new ContentInfo(sd);

            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            cisd.encode(baos);

            return baos.toByteArray();

        } catch (Exception ex) {
            Logger.getLogger(Main.class.getName()).log(Level.SEVERE, null, ex);
        }


The program stops in:

SignerInfo si = new SignerInfo(iasn,
                    authenticatedAttributes,
                    unauthenticatedAttributes,
                    contentType,
                    messageDigest,
                    signingAlg,
                    pk);

throwing:

java.security.SignatureException: Signature operation failed on token
        at org.mozilla.jss.pkcs11.PK11Signature.engineRawSignNative(Native Method)
        at org.mozilla.jss.pkcs11.PK11Signature.engineSign(PK11Signature.java:255)
        at org.mozilla.jss.crypto.Signature.sign(Signature.java:125)
        at org.mozilla.jss.pkcs7.SignerInfo.<init>(SignerInfo.java:368)
        ....
java.lang.NullPointerException
        at com.itextpdf.text.pdf.PdfPKCS7.getEncodedPKCS1(PdfPKCS7.java:1109)
         ....

I also tried this:

        //java.security.Signature
        Signature signer = Signature.getInstance("SHA1withRSA", jSSProvider);

        //pk is a org.mozilla.jss.crypto.PrivateKey that I get with
        //CryptoManager.findPrivKeyByCert(cryptoManager.findCertByNickname(nickName));
        signer.initSign(pk);

        signer.update(toSign.getBytes());
        byte[] sign = signer.sign();

but it throws:

java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
        at org.mozilla.jss.pkcs11.PK11Signature.engineSignNative(Native Method)
        at org.mozilla.jss.pkcs11.PK11Signature.engineSign(PK11Signature.java:259)
        at org.mozilla.jss.crypto.Signature.sign(Signature.java:125)
        at org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineSign(JSSSignatureSpi.java:153)
        at java.security.Signature$Delegate.engineSign(Signature.java:1128)
        at java.security.Signature.sign(Signature.java:522)

I'm using:

Internal Key Storage Token

DBM_VERSION = N/A
JDK_VERSION = N/A
JSS_VERSION = JSS_4_3_2_RTM
NSPR_VERSION = NSPR_4_7_RTM
NSS_VERSION = NSS_3_12_RTM

java -version:
        java version "1.6.0_20"
        Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
        Java HotSpot(TM) Client VM (build 16.3-b01, mixed mode, sharing)
with "Unlimited-Strength-Jurisdiction-Policy"...

Any input would help me...

Thanks
Felix A.

Jean-Marc Desperrier

Oct 8, 2010, 4:22:47 AM
Felix Alejandro Prieto Carratala wrote:
> I also tried this:
> [...]

> //pk is a org.mozilla.jss.crypto.PrivateKey that I get with
> //CryptoManager.findPrivKeyByCert(cryptoManager.findCertByNickname(nickName));

Why is that line commented out? Do you test that you get a valid pk handle
out of findPrivKeyByCert?

It hasn't a single chance of working if you don't use findPrivKeyByCert
to get the private key.

Felix Alejandro Prieto Carratalá

Oct 8, 2010, 3:57:23 PM
to dev-tec...@lists.mozilla.org
Hi Jean-Marc, 

That line is commented out because previously I handled the private key
with findPrivKeyByCert, so it is only there for information purposes, and
the private key exists.

That code works with a private key stored in a pkcs12 file, so I think
that the problem is with JSS and its philosophy of
"private keys aren't accessible".

How can I use that private key for signing something if it is always null?

Thanks in advance...
Felix A

Jaime Hablutzel Egoavil

Apr 11, 2013, 5:26:00 PM
to mozilla's crypto code discussion list
If you take a look at the source code for

org.mozilla.jss.provider.java.security.JSSSignatureSpi

you can see how JSS uses the private key for signing, basically:


CryptoToken owningToken = privKeyByCert.getOwningToken();
Signature signatureContext = owningToken.getSignatureContext(SignatureAlgorithm.RSASignatureWithSHA1Digest);
signatureContext.initSign(privKeyByCert);
byte[] clearText = "tosign".getBytes();
signatureContext.update(clearText);
byte[] signedBytes = signatureContext.sign();
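
The token-side signing sequence from the reply above, expanded into a full sign-and-verify round trip. This is an added example, not part of any post in this thread and not JSS's own code. The class name, the command-line arguments and the token login step are assumptions; the algorithm is the one used in the thread.

```java
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.Signature;
import org.mozilla.jss.crypto.SignatureAlgorithm;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.util.Password;

public class TokenSignCheck {  // hypothetical class name

    // Signs on the token that owns the key and verifies the result with the
    // certificate's public key. The private key is only used through its handle.
    static byte[] signOnToken(CryptoManager cm, String nickname, char[] pin,
                              SignatureAlgorithm alg, byte[] data) throws Exception {
        X509Certificate cert = cm.findCertByNickname(nickname);
        PrivateKey key = cm.findPrivKeyByCert(cert);
        CryptoToken token = key.getOwningToken();

        // Assumption: the token is password-protected, so log in before signing.
        if (!token.isLoggedIn()) {
            Password pw = new Password(pin);
            try {
                token.login(pw);
            } finally {
                pw.clear();  // wipe the password copy held by JSS
            }
        }

        Signature signer = token.getSignatureContext(alg);
        signer.initSign(key);
        signer.update(data);
        byte[] sig = signer.sign();

        // Round-trip check: a signature that does not verify is never returned.
        Signature verifier = token.getSignatureContext(alg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        if (!verifier.verify(sig)) {
            throw new java.security.SignatureException("verify failed on " + token.getName());
        }
        return sig;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <NSS database directory> <certificate nickname>
        CryptoManager.initialize(args[0]);
        char[] pin = System.console().readPassword("Token password: ");
        byte[] sig = signOnToken(CryptoManager.getInstance(), args[1], pin,
                SignatureAlgorithm.RSASignatureWithSHA1Digest, "tosign".getBytes("UTF-8"));
        System.out.println("signature length: " + sig.length);
    }
}
```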
