JDK 1.6 Beta 2: SUNMSCAPI and custom CSP's question
I've managed to sign using a private key imported into my Windows keystore (new feature in JDK 1.6).
However when I use a private key that is managed by another CSP (providing access to a smart card), I get this stack trace:
Exception in thread "main" java.security.SignatureException: Not implemented
    at sun.security.mscapi.RSASignature.signHash(Native Method)
    at sun.security.mscapi.RSASignature.engineSign(RSASignature.java:228)
    at java.security.Signature$Delegate.engineSign(Signature.java:1128)
    at java.security.Signature.sign(Signature.java:522)
    at xx.xxx.one.dot.six.Test.main(Test.java:49)
I've tried 2 different custom CSP providers (one of them is the Belgian electronic ID card CSP); both give me the same exception!
Certificate access is no problem, only the private key operations fail!
Do I hit some limitation of the SUNMSCAPI provider?
By [Tom2406a] at [2007-10-3 8:50:29]

Just for your info,
my issue has been solved. It seems that the SUNMSCAPI JNI code calls CryptSetKeyParam and CryptGetKeyParam; both methods were missing in my CSPs. Adding these solved my problem.
Some additional thoughts:
1) the JNI code always calls CryptSetKeyParam with param KP_MODE ECB, this is completely wrong!
2) the JNI call to CryptGetKeyParam with param KP_ALGID is (as seen in Microsoft doc) only supported by the Microsoft Strong Cryptographic Provider, not by definition for custom CSPs.
3) the call to CryptGetKeyParam with param KP_KEYLEN is redundant, since it is derivable from previous info!
For more info see MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/alg_id.asp
Conclusion:
My issue is solved, but my CSPs should have worked out of the box; the real problem is in the SUNMSCAPI JNI code, which makes some unexpected calls.
kind regards,
Tom
Hi Tom, and everybody who reads me,
I'm trying to generate a PKCS#7 signature using the MSCAPI package's private keys and the BouncyCastle crypto provider.
My problem is that when I try to use the private key recovered from MSCAPI access in the BCastle code, I get an exception that tells me that this private key is invalid :-( . I think this is because I'm using a wrapper of the native key that is really behind the MSCAPI access layer, and BCastle doesn't know how to manage this:
org.bouncycastle.cms.CMSException: key inappropriate for signature.
    at org.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
I also tried to cast from the mscapi.PrivateKey class to java.security.interfaces.RSAPrivateKey, but I get a ClassCastException:
java.lang.ClassCastException: sun.security.mscapi.RSAPrivateKey cannot be cast to java.security.interfaces.RSAPrivateKey
I don't know how to solve this without using a proprietary Java MSCAPI access library (like assemble's one, etc).
Could someone help me?
Thanks for your time.
Jesús el tuty.
Hi Tom,
first of all, thanks for your quick answer :-)
I wish you were right, but before I try to sign using PKCS#7 signature, I signed without problems using PKCS#1, and I verify the signature correctly. This implies that the key is proper to sign (I also looked at the certificate and it has signature attribute on :-S ).
Have you successfully built a PKCS#7 using a sun.mscapi.PrivateKey?
Regards.
Jesus el tuty.
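
Added example, not part of the original thread: a SunMSCAPI private key is an opaque handle to the CSP (its getEncoded() returns null), so the RSA operation has to be executed by the SunMSCAPI Signature implementation while BouncyCastle only assembles the PKCS#7/CMS structure. The sketch assumes the later BouncyCastle operator API (bcpkix, not the CMSSignedDataGenerator call in the stack trace above), a JDK and CSP that support SHA256withRSA, and a certificate alias passed as the first argument; the signed content is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public class MscapiCmsSign {
    public static void main(String[] args) throws Exception {
        String alias = args[0]; // assumption: alias of an entry in the user's "MY" store

        // Open the Windows certificate store through SunMSCAPI.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) {
            throw new IllegalArgumentException("No key entry for alias " + alias);
        }

        // The key never leaves the CSP or smart card, so the signature itself
        // must be computed by SunMSCAPI. Handing this key to any other
        // provider fails because there is no key material to read.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("SunMSCAPI")
                .build(key);

        // BouncyCastle builds the SignedData structure and hashes the content;
        // it only calls back into the ContentSigner for the RSA operation.
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build()).build(signer, cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));

        byte[] content = "constructed sample content".getBytes(StandardCharsets.UTF_8);
        CMSSignedData signed = gen.generate(new CMSProcessableByteArray(content), false);
        System.out.println("Detached PKCS#7 length: " + signed.getEncoded().length);
    }
}
```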