Java PKCS11 windows 64 new eID error


Gregory

Mar 23, 2015, 12:47:25 PM
to eid-middl...@googlegroups.com
Hey,

I'm using the "beidpkcs11.dll" file of "eID Middleware" (version 4.0.7) to read the Belgian eID for signing purposes.

All works great except for one combination: Windows 64 bit with the new eIDs (those with a key length of 2048 bits and valid for 10 years).
Other combinations work perfectly:
  • Windows 64 bit with older eID (key length 1024 bits)
  • Windows 32 bit with new and old eID

The error occurs on Windows 7 64-bit with Java 8:

Caused by: java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
    at sun.security.rsa.RSAKeyFactory.translatePrivateKey(Unknown Source)
    at sun.security.rsa.RSAKeyFactory.engineTranslateKey(Unknown Source)
    at sun.security.rsa.RSAKeyFactory.toRSAKey(Unknown Source)
    at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
    at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
    at java.security.Signature$Delegate.init(Unknown Source)
    at java.security.Signature$Delegate.chooseProvider(Unknown Source)
    at java.security.Signature$Delegate.engineInitSign(Unknown Source)
    at java.security.Signature.initSign(Unknown Source)

This is my test code:


 

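    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.PrintWriter;
    import java.math.BigInteger;
    import java.security.KeyStore;
    import java.security.KeyStore.PrivateKeyEntry;
    import java.security.PrivateKey;
    import java.security.Security;
    import java.security.Signature;
    import java.security.cert.X509Certificate;
    import java.security.interfaces.RSAPublicKey;

    // Hex is assumed to be the Apache Commons Codec class (encodeHex returns char[]).
    import org.apache.commons.codec.binary.Hex;

    public class EidSignTest { // wrapper class added so the snippet compiles

        public static void main(String[] args) throws Exception {
            // Write a temporary SunPKCS11 configuration pointing at the eID middleware DLL.
            File tmpConfigFile = File.createTempFile("pkcs11-", "conf");
            tmpConfigFile.deleteOnExit();
            PrintWriter configWriter = new PrintWriter(new FileOutputStream(tmpConfigFile), true);
            configWriter.println("name=SmartCard");
            configWriter.println("library=c:\\Windows\\System32\\beidpkcs11.dll");
            configWriter.println("slotListIndex=0");

            // Java 8 style provider construction.
            sun.security.pkcs11.SunPKCS11 provider = new sun.security.pkcs11.SunPKCS11(tmpConfigFile.getAbsolutePath());
            Security.addProvider(provider);

            KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
            keyStore.load(null, null);
            PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry) keyStore.getEntry("Signature", null);
            PrivateKey privateKey = privateKeyEntry.getPrivateKey();
            Signature signature = Signature.getInstance("SHA1withRSA");

            signature.initSign(privateKey); // ERROR IS THROWN HERE
            byte[] toBeSigned = "hello world".getBytes();
            signature.update(toBeSigned);
            byte[] signatureValue = signature.sign();

            // Undo the RSA operation with the public key to recover the padded digest.
            X509Certificate certificate = (X509Certificate) privateKeyEntry.getCertificate();
            RSAPublicKey publicKey = (RSAPublicKey) certificate.getPublicKey();
            // Signum 1: the signature bytes are an unsigned integer, not two's complement.
            BigInteger signatureValueBigInteger = new BigInteger(1, signatureValue);
            BigInteger messageBigInteger =
                signatureValueBigInteger.modPow(publicKey.getPublicExponent(), publicKey.getModulus());
            System.out.println("original message: " + new String(Hex.encodeHex(messageBigInteger.toByteArray())));
        }
    }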

What's wrong here?


Thank you

Gregory

Gregory

Mar 24, 2015, 4:40:58 AM
to eid-middl...@googlegroups.com
Solved!

Seems to be a problem in the DLL. With the new eID Middleware (version 4.10, http://eid.belgium.be/en/using_your_eid/installing_the_eid_software/windows/), it works.

Thanks

Verhelst Wouter

Mar 24, 2015, 5:36:48 AM
to Gregory, eid-middl...@googlegroups.com
Hi,

Yes, there was an issue in 4.0.7 where the C_GetMechanismInfo() function would report a maximum key size of 1024 in all cases, rather than the 2048 needed for recent cards. Apparently most PKCS#11 users don't call this method (they just check the actual key size), but the Java VM does, and then (rightly!) complains if things don't match up.

This was indeed fixed in 4.1.

--
Wouter Verhelst

Frederik Vernelen

Mar 24, 2015, 6:19:19 AM
to eid-middl...@googlegroups.com
Oops, seems I had sent my reply to Gregory in private :)
So, just for the record:

Hello Gregory,

This might be due to a supported algorithm check that Java 8 does.
There was a bug in the middleware, where it did not report it could handle 2K key signatures.
This issue should be fixed in the future release build (v410), which you can find on http://eid.belgium.be/en/using_your_eid/installing_the_eid_software/windows/
Wkr,
 Frederik
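
Added example, not part of the original thread or of the eID middleware project: the stack trace in the first post comes from the software RSA provider (sun.security.rsa), so this diagnostic requests the signature object from the token's own provider, which makes any rejection of the card's key come from the PKCS#11 provider itself, next to the actual modulus size read from the certificate. It assumes Java 8 (the SunPKCS11 constructor used in the post), a PKCS#11 config file path as the first argument, and the "Signature" alias from the post; the class and method names are hypothetical.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.LinkedHashMap;
import java.util.Map;

public class TokenSignDiagnostic { // hypothetical class name

    /** Calls initSign on the token's own provider for each algorithm; returns name -> outcome. */
    static Map<String, String> probe(KeyStore ks, Provider p11, String alias, String... algs)
            throws GeneralSecurityException {
        Key key = ks.getKey(alias, null); // null password, as in the post's getEntry call
        if (!(key instanceof PrivateKey)) {
            throw new KeyStoreException("no private key under alias " + alias);
        }
        Map<String, String> out = new LinkedHashMap<>();
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert != null && cert.getPublicKey() instanceof RSAPublicKey) {
            // Actual key size on the card, to compare with what the provider accepts.
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            out.put("modulusBits", Integer.toString(bits));
        }
        for (String alg : algs) {
            try {
                // Explicit provider: no fallback to other providers, so the
                // exception (if any) is the PKCS#11 provider's own.
                Signature s = Signature.getInstance(alg, p11);
                s.initSign((PrivateKey) key);
                out.put(alg, "OK");
            } catch (NoSuchAlgorithmException | InvalidKeyException | ProviderException e) {
                out.put(alg, e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Java 8 constructor, as used in the post; args[0] is the PKCS#11 config file.
        Provider p11 = new sun.security.pkcs11.SunPKCS11(args[0]);
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, null);
        probe(ks, p11, "Signature", "SHA1withRSA", "SHA256withRSA")
                .forEach((name, result) -> System.out.println(name + " = " + result));
    }
}
```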

