Reading the topic around PKCS11 at: http://signserver.org/manual/plugins.html#PKCS11CryptoToken
I realise more and more the possibility to get the Buypass smartcard work with signserver. But the card module only supports "Single part sign" and not "Multipart sign" becoming clear from this command output:
This smartcard have 2 possible interfaces Microsoft CryptoAPI and PKCS#11. For me it doesnt matter as long as I can store the signed xml to disk.
Will I have any problems with the configuration of SignServer to achieve DSIG of an xml-file through this smartcard? The program pkcs11-tool only seem to support "Multipart sign"; in addition it does not have the dsig ability for xmls,but just for the test to show you….
Is anything quite obvious for you here? Personally I would assume that signserver manages this. But before I start working with it I feel it is better to ask som simple question about it.
If positively YES, I think files in question will be:
qs_xmlsigner_configuration.properties
p11attributes.cfg
I will also assume that xml-signing with signserver can be configured in such a way that the file/template-part is not overwritten, that just the digest and the signature is written into the file, and no transforms or headings are overwritten,changed. This, however, I unfortunately experience the DEMO/LIVECD does, but the CD is just a demo. The receptor machine only accepts a certain template as to nodes, elements and tags.
S.S.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2011-10-13
HI,
SignServer 3.1 supports enveloped XML signatures which may or may not be what you are looking for.
I.e. it inserts a signature into an exisisting XML document.
Regarding the signature support in the card and SignServer, the actual signing is performed by a tool-kit so it could work but it could also break.
A very useful tool from EJBCA is the ClientToolBox. If you can generate and test PKCS11 keys using the clientToolBox, you can use them with SignServer.
Anders
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
According to the instructions at the site -> http://www.ejbca.org/userguide.html#EJBCA%20client%20toolbox
in what directory should I run "ant clientToolBox" ,
in the main dir: sigbj@sled-10sp3:~/ejbca_4_0_4/
or in the dir: sigbj@sled-10sp3:~/ejbca_4_0_4/modules/clientToolBox/
?
I find the project <project name="clientToolBox" default="build"> only in the file:
ejbca_4_0_4/modules/clientToolBox/build.xml
Without reflections I would assume main directory, and I also assume the the jdk_java_dir should be set as JAVA_HOME.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2011-10-14
Hi,
You should be able to do "ant clientToolBox" at the EJBCA install directory.
The you run it from dist/clientToolBox
Anders
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Installed/compiled "clientToolBox".
ECHOES during install:
Buildfile: /home/sigbj/ejbca_4_0_4/build.xml
No custom changes to merge.
appserver.home: /opt/jboss-4.2.3.GA
'appserver.type' could not be detected or is not configured. Glassfish 2.1.1, JBoss 5.1.0.GA, JBoss 6.0.0, WebLogic 10.3.3, WebSphere 7.0.0.13 can be detected. (Is 'appserver.home' configured?)
appserver.type: ${appserver.type}
clientToolBox:
'appserver.type' could not be detected or is not configured. Glassfish 2.1.1, JBoss 5.1.0.GA, JBoss 6.0.0, WebLogic 10.3.3, WebSphere 7.0.0.13 can be detected. (Is 'appserver.home' configured?)
clientToolBox:
'appserver.type' could not be detected or is not configured. Glassfish 2.1.1, JBoss 5.1.0.GA, JBoss 6.0.0, WebLogic 10.3.3, WebSphere 7.0.0.13 can be detected. (Is 'appserver.home' configured?)
setup:
Created dir: /home/sigbj/ejbca_4_0_4/dist/clientToolBox
Copying 25 files to /home/sigbj/ejbca_4_0_4/dist/clientToolBox/lib
Copying 6 files to /home/sigbj/ejbca_4_0_4/dist/clientToolBox
compile:
Created dir: /home/sigbj/ejbca_4_0_4/modules/clientToolBox/build
Compiling 134 source files to /home/sigbj/ejbca_4_0_4/modules/clientToolBox/build
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
build:
Building jar: /home/sigbj/ejbca_4_0_4/dist/clientToolBox/clientToolBox.jar
Connect:
Passwort für PKCS11-Token (entered the PIN)
Failed to access the WSDL at: https:localhost/8443/ejbca/ejbcaws?wsdl
Connection refused.
Output from the console during run:
0 DEBUG org.ejbca.batchenrollmentgui.BatchEnrollmentGUIApp - No settings in file, using defaults.
656 DEBUG org.ejbca.batchenrollmentgui.ConnectDialog - Trying to load from file /home/sigbj/ejbca_4_0_4/modules/batchenrollment-gui/connect.properties
76925 DEBUG org.ejbca.batchenrollmentgui.ConnectDialog - ******* keyAlias: SIGBJÃRN STORSET/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708083, certificate: SERIALNUMBER=9578-4050-116696626, CN=SIGBJØRN STORSET, C=NO
76926 DEBUG org.ejbca.batchenrollmentgui.ConnectDialog - ******* keyAlias: SIGBJÃRN STORSET/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708082, certificate: SERIALNUMBER=9578-4050-116696626, CN=SIGBJØRN STORSET, C=NO
77092 DEBUG org.ejbca.util.dn.DnComponents - Using default values for DN components
77173 DEBUG org.ejbca.util.dn.DnComponents - Read profile maps with 43 lines.
77356 DEBUG org.ejbca.batchenrollmentgui.ConnectDialog - Loaded 1 certs to truststore
javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl. It failed with:
Connection refused.
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(Unknown Source)
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(Unknown Source)
at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(Unknown Source)
at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(Unknown Source)
at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(Unknown Source)
at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(Unknown Source)
at javax.xml.ws.Service.<init>(Unknown Source)
As you can see from the EventQueue 2 certificates/keys are called: 708082 and 708083. I need to get the key for 708083 that is the signing cert. But I might have forgot something: to define slot_number and key_id, that will be SLOT 0, KEYID 1
The cardreader is blinking so I have contact with the library,this has also been tested with pkcs11-tool.
What is there TODO for me? Any comments for this so far?
Sincerely Yours,
S
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2011-10-16
I'm not sure what you are doing here but ejbca.properties does not contain an appserver.home definition.
Anyway, it seems you are calling EJBCA, not signserver.
I also wonder about the log. Doesn't it come from the Java client? This is not what you want in case the idea was to sign with Buypass in signserver.
A little bit confused
Anders
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I think you are right, Anders, I am probably doing something that gives no sense; but I cannot find a ejbca.properties file to define even if an "export APPSRV_HOME=/opt/jboss-4.2.3.GA" was set by me before the install with ant.
- Let us skip this part for a while and take a look at the clientToolBox "test-program".
This might be important for you:
Tests from clientToolBox_PCS11 output shows that there is no support for signing by the Buypass smartcard,a card that is designed only for SinglePartSign.
This is possibly true, because there might only be support for MultipartSign in clientToolBox and signserver; I wonder if you could reassure this or if there are other reasons behind the cryptoki-return: "CKR_FUNCTION_NOT_SUPPORTED" from the "PKCS11HSMKeyTool test":
sigbj@sled-10sp3:~/ejbca_4_0_4/dist/clientToolBox> ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/libiidp11.so.5.3.1.31 1
Test of keystore with ID 1.
2011-10-14 21:15:02,877 INFO Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
Passwort für PKCS11-Token :
Testing of key: SIGBJÃRN STORSET/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708083
Private part:
SunPKCS11-libiidp11.so.5.3.1.31-slot1 RSA private key, 1023 bits (id 65543, token object, sensitive, unextractable)
RSA key:
modulus: 7b7c875506ee24f0adcdb230ae9dda32d332698149405a51ac943009689e710402a0ce6911b04777162c7971182ca50e457f7e634b9a8d05b304befc6da9759b9f0d5ffd5799cd864ab4505952b09d5df94ecaa695f13a7a50d4c603bd7b4e10013bf55233cd25d1ef031e11ac814be95f0d73e37056e950854b272a02478c3b
public exponent: 10001
SunJCE version 1.6SunPKCS11-libiidp11.so.5.3.1.31-slot1 version 1.6; modulus length: 1023; byte length 117. The decoded byte string is equal to the original!
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_NOT_SUPPORTED
at sun.security.pkcs11.P11Signature.engineUpdate(P11Signature.java:420)
at sun.security.pkcs11.wrapper.PKCS11.C_SignUpdate(Native Method)
at sun.security.pkcs11.P11Signature.engineUpdate(P11Signature.java:414)
… 13 more Signing not possible with this key. See exception.
Decryptions per second: 1
NOTE that this might be exactly the same as I found from running pkcs11-tool on the Buypass smartcard:
The case may be that I am missing one or several parts here, and that is the reason why the CK_RETURN appears; I cannot decide.
But if I am right here, is there any way that we can recode this to imply SinglePartSign - what I think is the problem - so that signserver will sign an XML-file with this particular smartcard architecture?
I really hope that I do not mess up anything for you concerning this, and please: if so, just give me exact instructions how to proceed so we can find out about the truth.
Here is the very important report from the Buypass Company sent to me a short while ago:
-> PKCS#11-modulen som inngår i Buypass Access implementerer versjon 2 av PKCS#11-standarden (http://www.rsa.com/rsalabs/node.asp?id=2133). Denne standarden definerer et omfattende programgrensesnitt mot smartkort, men sier samtidig at en PKCS#11-implementasjon ikke behøver å støtte alle funksjonene i grensesnittet. Funksjoner som ikke er støttet, skal - i henhold til standarden - returnere CKR_FUNCTION_NOT_SUPPORTED .
Signering i PKCS#11 kan utføres på to måter:
1) "Multipart sign":
a. C_SignInit()
b. C_SignUpdate(), evt flere ganger
c. C_SignFinal()
2) "Single part sign":
a. C_SignInit()
b. C_Sign()
Når vår PKCS#11-modul returnerer CKR_FUNCTION_NOT_SUPPORTED ved kall til C_SignUpdate(), betyr det at den bare støtter 2). Dette gjelder også PKCS#11-moduler fra flere andre smartkortleverandører, og er helt i overensstemmelse med standarden. Jeg vet ikke hvorfor pkcs11-tool bare ser ut til å støtte multipart-sign.
Buypass smartkort og Buypass Access er ikke bundet til noen bestemte applikasjoner eller biblioteker. Vi tilbyr, via Buypass Access, to standard grensesnitt mot kortet: Microsoft CryptoAPI og PKCS#11. Applikasjoner som bruker PKCS#11 må imidlertid ta høyde for at ikke alle PKCS#11-funksjoner er støttet. <-
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
By the way, I found the file:
ejbca_4_0_4/conf/ejbca.properties.sample
Edited the file uncommenting appserver.home=${env.APPSRV_HOME} and appserver.type=jboss and copied the file to:
ejbca_4_0_4/conf/ejbca.properties
Setting export APPSRV_HOME=/opt/jboss-4.2.3.GA, the "ant clientToolBox" went smoothly like it should
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Serious limitation if it does not support all signature operations of PKCS#11 it's very common. In Java you can also use update(byte) or directly sign(byte], I think.
I'd say using update is the common method though, so the buypass PKCS#11 is adapted to specific applications and not "universally" compatible.
Anyhow, if you want to experiment if java's can be adapted to only do single sign you can check modules/clientToolBox/src/org/ejbca/ui/cli/KeyStoreContainerTest.java, where the operation is coded.
If you want to play more with PKCS#11 you may also want to check out pkcs#11 spy, which is included in OpenSC. It is a wrapper library that can be used to log all PKCS#11 commands issued.
A understand that you have got to the core of the problem here.
Just for your INFO:
The Buypass smartcard solution is so far chosen as the only offer for login and signing on a personal level in Norway. This has become a policy, unfortunately. Concerning me directly, signing an ebXML-envelope might be done with a company certificate as a pemkey file, or with a Buypass smartcard if only one employee exists for that company. The payload/attachment for that envelope can only be signed with the updated smartcard signature reaching PersonHighLevel. The payload-xml-file is the crucial point for me. Keys as pemfiles are not allowed.
I will come back to you with a mesage to info@primekey.se later today
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2011-10-17
Hi,
Since you are talking about ebXML I wonder a bit about the application.
Is there an outer signature that might be a company only or personal for one-person compaines?
And there is an inner payload that must be signed by a person only?
My guess is that SignServer would be fine for the outer signature if "enveloped" match the selected profile used by the community using this scheme.
I assume that embeeded documents are not changed by SugnServer so including an attachment should be possible.
Anders
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I think you have understood.
I am using the opensource Hermes2 MessageServiceHandler from CECID Hong Kong.
The SOAP-ENV-Header has a <ds:Signature/> part with a Digest and SignatureValue element/container. The SOAP should be signed with a company-key. But in a case of single-man-company the smartcard(personal signature) may be used. So far I use a "company-key" because the configuration for such a pkcs12 keyfile is easier than a smartcard and pkcs11 in Hermes as to the SOAP-ENV.
With or "inside" the SOAP-ENV an attachment follows as payload. The payload consists of a xml-message with the request to the State Office. I am able to sign this xml-message by the means of the program xmlsec1 and the company-key converted to key.pem, but not with the smartcard as required. Xmlsec1 is so far the only program I have found signing and leaving the template to sign untouched. Not even the encoding should be touched. This is important,because the receivers MSH is very picky on that point, and rejects the message for the simplest change of elements,transforms etc.
With a smartcard the xmlsec1 should be initiated with its openssl/nss crypto-engine,this does not work, enthough there is contact with the crypto-engine and the card. The reason maybe the SinglePartSign problem again,but I am not sure, but the engine would have to imply the SLOT number and the KEY_ID of the slot in the openssl.cnf, since there are 2 certs,one for decryption and one for signing. This I have not been able to do, and have got no answer from the openssl Forum. The openssl.cnf has to be complete from top to toe since the xmlsec1 crypto-switch can be run with no attributes except one [-crypto openssl].
With the pkcs11-tool it becomes clear - and it is also obvious with clientToolBox - that the SinglePartSign as the only implementation of this particular card is the main problem. I presume I have understood this right. Actually, I should write a complaint as to this matter, but I try to solve this first. Complaints usually is never taken into consideration.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
QUOTE: It seems that fixing the problem with the Buypass card would be a useful first step.
Actually there is no problem with the card (no cards AFAIK do *native* step-wise
signing), it is rather the PKCS #11 driver that is the culprit.
I would contact:
1. the Buypass people
2. The OpenSC community to resolve this issue.
After that you should be able to try different signature solutions including
SignServer.
ENDQUOTE
I tested signing using an Aventra card. In Norway you can get an eId (just like from Bygpass) from Commfides using the Aventra cards (http://www.commfides.com/).
I also tested with clientToolBox now, and that works, which means it "should" actually work with SignServer as well.
tomas@ubuntu:~/Dev/workspace/ejbca-Branch_4_0/dist/clientToolBox$ ./ejbcaClientToolBox.sh pkcs11hsmkeytool test /usr/lib/opensc-pkcs11.so 1
Test of keystore with ID 1.
2011-10-25 09:37:35,693 INFO Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token Password:
Testing of key: MyEID (test01):tomas's EJBCA Sample ID
Private part:
SunPKCS11-opensc-pkcs11.so-slot1 RSA private key, 2048 bits (id 139769645439968, token object, sensitive, unextractable)
RSA key:
modulus: 9d2c931e85f6238800959d68b4612e7dd799df321ef79c62375016b89e0921f91fb5d28f9c657c53d73f164ab4b76b677181b3139e939d93ea54ae1503d6a36dec7733078820cf16dc57f776edaeba451a864f348f907b7062777d0ebaf42ecdc6f5c4391c4602a0c873bd6cdef6bcec0cffc418d4ab6634375be3460798108dcbe8f54a15185300055af7aa5e2d924520a4e6eaba4146db45e7c574e26514e65d5df83d70d33d2eacd5a01b624f5ef4f559d4f92e9017986ec8f0a61b4e72877e7b13687bd106ccae3ff6c2d303387c73839597694593e20d50d7e2f7931592f25db44056b6de5970b62f3a1bf121f08b76ae18dc2415c044526f20c660a825
public exponent: 10001
SunJCE version 1.7SunPKCS11-opensc-pkcs11.so-slot1 version 1.7; modulus length: 2048; byte length 245. The decoded byte string is equal to the original!
Signature test of key MyEID (test01):tomas's EJBCA Sample ID: signature length 256; first byte 7a; verifying true
Signings per second: 1
Decryptions per second: 1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thank You! This is good work by you!
Of course, if I could use other cards that would give a more flexible solution. In the future I am sure that other firms will have the opportunity to stand for cards to public/official use. I have taken a qick glance at the site http://www.commfides.com/
By the way, take a look at this link below, that is telling about problems with collition between the opensource and the commercial software production that is right into my realm: http://www.medilink.com/news.html
The headings:
Behandlerkrav
Ny PKI-løsning er på lufta
Ny PKI-løsning, and its "read more" link:
http://www.medilink.com/060911_PKI.html
Quote:
"…specified goverment standards…new type smartcards…integration limited to Windows OpSys…originally we applied open international standards…had to rebuild…"
-S-
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
New development in this matter:
After following up Anders' email step 1 to contact Buypass directly first, I received this message from them:
QUOTE:
Subject: Re: Angående sertifikater - Linux
Hei,
Jeg har blitt bedt av vår kundeservice om å kontakte deg.
Jeg har fått beskjed om at multipartsignering i PKCS#11 støttes i nyeste
versjon av Buypass Access (5.6). Dersom Linux-versjonen av release 5.6 er
klar, skal jeg få lagt ut en pakke for nedlasting. Dersom den ikke er klar,
kommer vi tilbake om kort tid med beskjed om når den foreligger.
Mvh *** ********
Buypass AS
:ENDQUOTE
And I had the version 5.3.1 - quite a bit behind - so Buypass is taking care of it.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
From the following answered message, recently received from xmlsec@aleksey.com, it becomes clear that Multisign is the mechanism applied also in XMLSEC:
QUOTE:
MultiPartSign and SinglePartSign
From:"Si St" <sigbj-st@operamail.com>
To:xmlsec@aleksey.com
Date:Wed, 26 Oct 2011 11:32 AM (16 hours 14 minutes ago)
Is this an actual subject with the following in mind:
1) "Multipart sign":
a. C_SignInit()
b. C_SignUpdate()
c. C_SignFinal()
2) "Single part sign":
a. C_SignInit()
b. C_Sign()
Some card drivers/modules only support Multipart or Singlepart. Are
these 2 signing types part of the xmlsec code? With Signserver from
primekey.se and pkcs11-tool they both support Multipart, while a certain
type of smartcard(its driver) only supports Singlepart.
Will it matter with XMLSEC and cryptoengine? It could be a reason why
xmlsec does not find the key (error:45), but there are no return with
e.g. "C_SignUpdate() : CKR_FUNCTION_NOT_SUPPORTED" which I assume always
comes from the card module, so then there are other reasons why error 45
appears.
-
Si St
ANSWERED:
"Aleksey Sanin" <aleksey@aleksey.com> wrote:
On Wednesday, October 26, 2011 11:35 AM,
xmlsec is always using "Multipart" signing
Aleksey
:ENDQUOTE
Ref to pkcs11-tool, Signserver/clientToolBox and xmlsec1 this shows how important it is to have MultiPartSign implemented in smartcards,
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2011-10-27
Please note that no cards I'm aware of perform native "Multipart" because that would be extremely inefficient.
Multipart must therefore be emulated by the driver.
Some cards does not even do the PKCS #1 padding natively.
You really need an updated PKCS #11 driver!
Anders
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I am aware of that the subject is the driver, module, libiidp11.so - not the hardware card. I may confuse by my choice of expression of the matter here.
It is the libiidp11.so.5.3.1.31 that has to be rewritten for my case.
I have the access program version 5.3.1 that contain among several things:
libiid.so.5.3.1.31
libiidplg.so.5.3.1.31
libiidp11.so.5.3.1.31
libiidgui.so.5.3.1.31
and it is the libiidp11.so.5.3.1.31 that make calls to the card applying pkcs11-tool and clientToolBox
I assume I am right here.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Here is the the test on the new PKCS11-driver from Buypass:
sigbj@linux-2x4g:~/EJBCA/clientToolBox> ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/libiidp11.so.5.6.0.44 1
Test of keystore with ID 1.
2011-11-03 21:09:53,927 INFO Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
Passwort für PKCS11-Token :
Testing of key: SIGBJÃRN STORSET, 9578-4050-116696626/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708082
Private part:
SunPKCS11-libiidp11.so.5.6.0.44-slot1 RSA private key, 1024 bits (id 65538, token object, sensitive, unextractable)
RSA key:
modulus: 9a2392ca0b3cd26e2f4a04c76c97fafeeba7d031a5c84da271c27e9a6b52cdd9d6691ff483a7a7aec32c5aadcd9aa8c21f4757c8f0a87f2edd8e02f9dee9cc8237d95c5cc9bb8d4f626d2894e67138709a945a40cc537143dd2fef12d4f060eaf0b6e24de4946b2221493120aef0d288cd27082950edc87af6bbb96bdc855e53
public exponent: 10001
SunJCE version 1.6SunPKCS11-libiidp11.so.5.6.0.44-slot1 version 1.6; modulus length: 1024; byte length 117. The decoded byte string is equal to the original!
Signature test of key SIGBJÃRN STORSET, 9578-4050-116696626/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708082: signature length 128; first byte 4f; verifying true
Signings per second: 1
Decryptions per second: 1
Testing of key: SIGBJÃRN STORSET, 9578-4050-116696626/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708083
Private part:
SunPKCS11-libiidp11.so.5.6.0.44-slot1 RSA private key, 1023 bits (id 65540, token object, sensitive, unextractable)
RSA key:
modulus: 7b7c875506ee24f0adcdb230ae9dda32d332698149405a51ac943009689e710402a0ce6911b04777162c7971182ca50e457f7e634b9a8d05b304befc6da9759b9f0d5ffd5799cd864ab4505952b09d5df94ecaa695f13a7a50d4c603bd7b4e10013bf55233cd25d1ef031e11ac814be95f0d73e37056e950854b272a02478c3b
public exponent: 10001
SunJCE version 1.6SunPKCS11-libiidp11.so.5.6.0.44-slot1 version 1.6; modulus length: 1023; byte length 117. The decoded byte string is equal to the original!
Signature test of key SIGBJÃRN STORSET, 9578-4050-116696626/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708083: signature length 128; first byte 19; verifying true
Signings per second: 1
Decryptions per second: 1
sigbj@linux-2x4g:~/EJBCA/clientToolBox>
Also the test to sign with pkcs11-tool went like it should: the file was signed without error. So now this part is OK. I have still problems with the "xmlsec1 -crypto openssl" but this part is nothing for this forum. Signserver probably would have to wait. I will be looking for somebody beeing able to write a java-script for signing a xml-document according to my needs, in tune with the xmldsig specifications.
- S -
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Anonymous
-
2011-11-07
In case you want to adjust the signer to match your specific profile, this file does it all:
Thank you for this link to that file. I will really try to look into it.
My problem with just having the pkcs11-tool is that I have to do the canonalization on my own, - and manually.
Not a easy task. But I get quite a help from the link: http://www.di-mgt.com.au/xmldsig.html
I am sure that signserver has it all and could I ever be able code it for the purpose I need, signserver will solve it all.
- sigbj -
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Is ToolBox testing C_GetAttributeValue or something like this as to smartcards?
I get the following with pkcs11-tool -test switch:
sigbj@linux-ueuk:~> pkcs11-tool -l -test -module /usr/lib/libiidp11.so.5.6.0.44
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
Signatures (currently only RSA signatures)
testing key 0 ()
all 4 signature functions seem to work
testing signature mechanisms: warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
RSA-X-509: couldn't get the pubkey VALUE attribute, no validation done
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
RSA-PKCS: couldn't get the pubkey VALUE attribute, no validation done
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
SHA1-RSA-PKCS: couldn't get the pubkey VALUE attribute, no validation done
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
MD5-RSA-PKCS: couldn't get the pubkey VALUE attribute, no validation done
testing key 1 (1024 bits, label=) with 1 signature mechanism
warning: PKCS11 function C_GetAttributeValue(ID) failed: rv = CKR_OBJECT_HANDLE_INVALID (0x82)
MD5-RSA-PKCS: private key has no ID, can't lookup the corresponding pubkey for verification
Verify: not logged in, skipping verify tests
Key unwrap: not logged in, skipping key unwrap tests
Decryption: not logged in, skipping decryption tests
Testing card detection
Please press return to continue, x to exit: x
Testing card detection using C_WaitForSlotEvent
Please press return to continue, x to exit: x
No errors
The ToolBox gave an error free output at this previous signserver forum posting: Number 22, 2011-11-03 14:10:05 PDT above at this page
It is impossible to get an validating signature from pkcs11-tool even if the signature is there at correct bytes
Sincerly Yours,
S
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Reading the topic around PKCS11 at:
http://signserver.org/manual/plugins.html#PKCS11CryptoToken
I realise more and more the possibility to get the Buypass smartcard work with signserver. But the card module only supports "Single part sign" and not "Multipart sign" becoming clear from this command output:
sigbj@sled-10sp3:~> pkcs11-tool -login -sign -slot-label BEID -slot 1 -id 01 -module /usr/lib/libiidp11.so -i xml.xml -o signed_xml.xml
Please enter PIN:
Using signature algorithm RSA-X-509
error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
This smartcard have 2 possible interfaces Microsoft CryptoAPI and PKCS#11. For me it doesnt matter as long as I can store the signed xml to disk.
Will I have any problems with the configuration of SignServer to achieve DSIG of an xml-file through this smartcard? The program pkcs11-tool only seem to support "Multipart sign"; in addition it does not have the dsig ability for xmls,but just for the test to show you….
Is anything quite obvious for you here? Personally I would assume that signserver manages this. But before I start working with it I feel it is better to ask som simple question about it.
If positively YES, I think files in question will be:
qs_xmlsigner_configuration.properties
p11attributes.cfg
I will also assume that xml-signing with signserver can be configured in such a way that the file/template-part is not overwritten, that just the digest and the signature is written into the file, and no transforms or headings are overwritten,changed. This, however, I unfortunately experience the DEMO/LIVECD does, but the CD is just a demo. The receptor machine only accepts a certain template as to nodes, elements and tags.
S.S.
HI,
SignServer 3.1 supports enveloped XML signatures which may or may not be what you are looking for.
I.e. it inserts a signature into an exisisting XML document.
Regarding the signature support in the card and SignServer, the actual signing is performed by a tool-kit so it could work but it could also break.
A very useful tool from EJBCA is the ClientToolBox. If you can generate and test PKCS11 keys using the clientToolBox, you can use them with SignServer.
Anders
I have found this file: ejbca_4_0_4.zip
According to the instructions at the site ->
http://www.ejbca.org/userguide.html#EJBCA%20client%20toolbox
in what directory should I run "ant clientToolBox" ,
in the main dir: sigbj@sled-10sp3:~/ejbca_4_0_4/
or in the dir: sigbj@sled-10sp3:~/ejbca_4_0_4/modules/clientToolBox/
?
I find the project <project name="clientToolBox" default="build"> only in the file:
ejbca_4_0_4/modules/clientToolBox/build.xml
Without reflections I would assume main directory, and I also assume the the jdk_java_dir should be set as JAVA_HOME.
Hi,
You should be able to do "ant clientToolBox" at the EJBCA install directory.
The you run it from dist/clientToolBox
Anders
Installed/compiled "clientToolBox".
ECHOES during install:
Buildfile: /home/sigbj/ejbca_4_0_4/build.xml
No custom changes to merge.
appserver.home: /opt/jboss-4.2.3.GA
'appserver.type' could not be detected or is not configured. Glassfish 2.1.1, JBoss 5.1.0.GA, JBoss 6.0.0, WebLogic 10.3.3, WebSphere 7.0.0.13 can be detected. (Is 'appserver.home' configured?)
appserver.type: ${appserver.type}
clientToolBox:
'appserver.type' could not be detected or is not configured. Glassfish 2.1.1, JBoss 5.1.0.GA, JBoss 6.0.0, WebLogic 10.3.3, WebSphere 7.0.0.13 can be detected. (Is 'appserver.home' configured?)
clientToolBox:
'appserver.type' could not be detected or is not configured. Glassfish 2.1.1, JBoss 5.1.0.GA, JBoss 6.0.0, WebLogic 10.3.3, WebSphere 7.0.0.13 can be detected. (Is 'appserver.home' configured?)
setup:
Created dir: /home/sigbj/ejbca_4_0_4/dist/clientToolBox
Copying 25 files to /home/sigbj/ejbca_4_0_4/dist/clientToolBox/lib
Copying 6 files to /home/sigbj/ejbca_4_0_4/dist/clientToolBox
compile:
Created dir: /home/sigbj/ejbca_4_0_4/modules/clientToolBox/build
Compiling 134 source files to /home/sigbj/ejbca_4_0_4/modules/clientToolBox/build
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
build:
Building jar: /home/sigbj/ejbca_4_0_4/dist/clientToolBox/clientToolBox.jar
BUILD SUCCESSFUL
Total time: 12 seconds
sigbj@sled-10sp3:~/ejbca_4_0_4> env | grep APP
APPSRV_HOME=/opt/jboss-4.2.3.GA
RUNNING: ./bin/batchenrollmentgui.sh
Got up the window with the text:
https://localhost:8443/ejbca
Truststore: PEM
Truststore file path: ~/gpg-des/newcorvus_cert_key/bpP83_S-cer.pem
PKCS11
/usr/lib/libiidp11.so.5.3.1.31
Connect:
Passwort für PKCS11-Token (entered the PIN)
Failed to access the WSDL at: https:localhost/8443/ejbca/ejbcaws?wsdl
Connection refused.
Output from the console during run:
0 DEBUG org.ejbca.batchenrollmentgui.BatchEnrollmentGUIApp - No settings in file, using defaults.
656 DEBUG org.ejbca.batchenrollmentgui.ConnectDialog - Trying to load from file /home/sigbj/ejbca_4_0_4/modules/batchenrollment-gui/connect.properties
76925 DEBUG org.ejbca.batchenrollmentgui.ConnectDialog - ******* keyAlias: SIGBJÃRN STORSET/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708083, certificate: SERIALNUMBER=9578-4050-116696626, CN=SIGBJØRN STORSET, C=NO
76926 DEBUG org.ejbca.batchenrollmentgui.ConnectDialog - ******* keyAlias: SIGBJÃRN STORSET/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708082, certificate: SERIALNUMBER=9578-4050-116696626, CN=SIGBJØRN STORSET, C=NO
77092 DEBUG org.ejbca.util.dn.DnComponents - Using default values for DN components
77173 DEBUG org.ejbca.util.dn.DnComponents - Read profile maps with 43 lines.
77356 DEBUG org.ejbca.batchenrollmentgui.ConnectDialog - Loaded 1 certs to truststore
javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl. It failed with:
Connection refused.
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(Unknown Source)
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(Unknown Source)
at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(Unknown Source)
at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(Unknown Source)
at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(Unknown Source)
at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(Unknown Source)
at javax.xml.ws.Service.<init>(Unknown Source)
As you can see from the EventQueue 2 certificates/keys are called: 708082 and 708083. I need to get the key for 708083 that is the signing cert. But I might have forgot something: to define slot_number and key_id, that will be SLOT 0, KEYID 1
The cardreader is blinking so I have contact with the library,this has also been tested with pkcs11-tool.
What is there TODO for me? Any comments for this so far?
Sincerely Yours,
S
I'm not sure what you are doing here but ejbca.properties does not contain an appserver.home definition.
Anyway, it seems you are calling EJBCA, not signserver.
I also wonder about the log. Doesn't it come from the Java client? This is not what you want in case the idea was to sign with Buypass in signserver.
A little bit confused
Anders
I think you are right, Anders, I am probably doing something that gives no sense; but I cannot find a ejbca.properties file to define even if an "export APPSRV_HOME=/opt/jboss-4.2.3.GA" was set by me before the install with ant.
- Let us skip this part for a while and take a look at the clientToolBox "test-program".
This might be important for you:
Tests from clientToolBox_PCS11 output shows that there is no support for signing by the Buypass smartcard,a card that is designed only for SinglePartSign.
This is possibly true, because there might only be support for MultipartSign in clientToolBox and signserver; I wonder if you could reassure this or if there are other reasons behind the cryptoki-return: "CKR_FUNCTION_NOT_SUPPORTED" from the "PKCS11HSMKeyTool test":
sigbj@sled-10sp3:~/ejbca_4_0_4/dist/clientToolBox> ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/libiidp11.so.5.3.1.31 1
Test of keystore with ID 1.
2011-10-14 21:15:02,877 INFO Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
Passwort für PKCS11-Token :
Testing of key: SIGBJÃRN STORSET/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708083
Private part:
SunPKCS11-libiidp11.so.5.3.1.31-slot1 RSA private key, 1023 bits (id 65543, token object, sensitive, unextractable)
RSA key:
modulus: 7b7c875506ee24f0adcdb230ae9dda32d332698149405a51ac943009689e710402a0ce6911b04777162c7971182ca50e457f7e634b9a8d05b304befc6da9759b9f0d5ffd5799cd864ab4505952b09d5df94ecaa695f13a7a50d4c603bd7b4e10013bf55233cd25d1ef031e11ac814be95f0d73e37056e950854b272a02478c3b
public exponent: 10001
SunJCE version 1.6SunPKCS11-libiidp11.so.5.3.1.31-slot1 version 1.6; modulus length: 1023; byte length 117. The decoded byte string is equal to the original!
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_NOT_SUPPORTED
at sun.security.pkcs11.P11Signature.engineUpdate(P11Signature.java:420)
at sun.security.pkcs11.wrapper.PKCS11.C_SignUpdate(Native Method)
at sun.security.pkcs11.P11Signature.engineUpdate(P11Signature.java:414)
… 13 more
Signing not possible with this key. See exception.
Decryptions per second: 1
NOTE that this might be exactly the same as I found from running pkcs11-tool on the Buypass smartcard:
sigbj@sled-10sp3:~> pkcs11-tool -login -sign -slot-label BEID -slot 1 -id 01 -module /usr/lib/libiidp11.so -i xml.xml -o signed_xml.xml
Please enter PIN:
Using signature algorithm RSA-X-509
error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.
The case may be that I am missing one or several parts here, and that is the reason why the CK_RETURN appears; I cannot decide.
But if I am right here, is there any way that we can recode this to imply SinglePartSign - what I think is the problem - so that signserver will sign an XML-file with this particular smartcard architecture?
I really hope that I do not mess up anything for you concerning this, and please: if so, just give me exact instructions how to proceed so we can find out about the truth.
Here is the very important report from the Buypass Company sent to me a short while ago:
-> PKCS#11-modulen som inngår i Buypass Access implementerer versjon 2 av PKCS#11-standarden (http://www.rsa.com/rsalabs/node.asp?id=2133). Denne standarden definerer et omfattende programgrensesnitt mot smartkort, men sier samtidig at en PKCS#11-implementasjon ikke behøver å støtte alle funksjonene i grensesnittet. Funksjoner som ikke er støttet, skal - i henhold til standarden - returnere CKR_FUNCTION_NOT_SUPPORTED .
Signering i PKCS#11 kan utføres på to måter:
1) "Multipart sign":
a. C_SignInit()
b. C_SignUpdate(), evt flere ganger
c. C_SignFinal()
2) "Single part sign":
a. C_SignInit()
b. C_Sign()
Når vår PKCS#11-modul returnerer CKR_FUNCTION_NOT_SUPPORTED ved kall til C_SignUpdate(), betyr det at den bare støtter 2). Dette gjelder også PKCS#11-moduler fra flere andre smartkortleverandører, og er helt i overensstemmelse med standarden. Jeg vet ikke hvorfor pkcs11-tool bare ser ut til å støtte multipart-sign.
Buypass smartkort og Buypass Access er ikke bundet til noen bestemte applikasjoner eller biblioteker. Vi tilbyr, via Buypass Access, to standard grensesnitt mot kortet: Microsoft CryptoAPI og PKCS#11. Applikasjoner som bruker PKCS#11 må imidlertid ta høyde for at ikke alle PKCS#11-funksjoner er støttet. <-
By the way, I found the file:
ejbca_4_0_4/conf/ejbca.properties.sample
Edited the file uncommenting appserver.home=${env.APPSRV_HOME} and appserver.type=jboss and copied the file to:
ejbca_4_0_4/conf/ejbca.properties
Setting export APPSRV_HOME=/opt/jboss-4.2.3.GA, the "ant clientToolBox" went smoothly like it should
Serious limitation if it does not support all signature operations of PKCS#11 it's very common. In Java you can also use update(byte) or directly sign(byte], I think.
I'd say using update is the common method though, so the buypass PKCS#11 is adapted to specific applications and not "universally" compatible.
Anyhow, if you want to experiment if java's can be adapted to only do single sign you can check modules/clientToolBox/src/org/ejbca/ui/cli/KeyStoreContainerTest.java, where the operation is coded.
If you want to play more with PKCS#11 you may also want to check out pkcs#11 spy, which is included in OpenSC. It is a wrapper library that can be used to log all PKCS#11 commands issued.
Cheers,
Tomas
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
A understand that you have got to the core of the problem here.
Just for your INFO:
The Buypass smartcard solution is so far chosen as the only offer for login and signing on a personal level in Norway. This has become a policy, unfortunately. Concerning me directly, signing an ebXML-envelope might be done with a company certificate as a pemkey file, or with a Buypass smartcard if only one employee exists for that company. The payload/attachment for that envelope can only be signed with the updated smartcard signature reaching PersonHighLevel. The payload-xml-file is the crucial point for me. Keys as pemfiles are not allowed.
I will come back to you with a mesage to info@primekey.se later today
Hi,
Since you are talking about ebXML I wonder a bit about the application.
Is there an outer signature that might be a company only or personal for one-person compaines?
And there is an inner payload that must be signed by a person only?
My guess is that SignServer would be fine for the outer signature if "enveloped" match the selected profile used by the community using this scheme.
I assume that embeeded documents are not changed by SugnServer so including an attachment should be possible.
Anders
I think you have understood.
I am using the opensource Hermes2 MessageServiceHandler from CECID Hong Kong.
The SOAP-ENV-Header has a <ds:Signature/> part with a Digest and SignatureValue element/container. The SOAP should be signed with a company-key. But in a case of single-man-company the smartcard(personal signature) may be used. So far I use a "company-key" because the configuration for such a pkcs12 keyfile is easier than a smartcard and pkcs11 in Hermes as to the SOAP-ENV.
With or "inside" the SOAP-ENV an attachment follows as payload. The payload consists of a xml-message with the request to the State Office. I am able to sign this xml-message by the means of the program xmlsec1 and the company-key converted to key.pem, but not with the smartcard as required. Xmlsec1 is so far the only program I have found signing and leaving the template to sign untouched. Not even the encoding should be touched. This is important,because the receivers MSH is very picky on that point, and rejects the message for the simplest change of elements,transforms etc.
With a smartcard the xmlsec1 should be initiated with its openssl/nss crypto-engine,this does not work, enthough there is contact with the crypto-engine and the card. The reason maybe the SinglePartSign problem again,but I am not sure, but the engine would have to imply the SLOT number and the KEY_ID of the slot in the openssl.cnf, since there are 2 certs,one for decryption and one for signing. This I have not been able to do, and have got no answer from the openssl Forum. The openssl.cnf has to be complete from top to toe since the xmlsec1 crypto-switch can be run with no attributes except one [-crypto openssl].
With the pkcs11-tool it becomes clear - and it is also obvious with clientToolBox - that the SinglePartSign as the only implementation of this particular card is the main problem. I presume I have understood this right. Actually, I should write a complaint as to this matter, but I try to solve this first. Complaints usually is never taken into consideration.
There is hope!
http://metro.1045641.n5.nabble.com/XWSS-and-PKCS11-td1063509.html
disabledMechanisms = {
CKM_SHA1_RSA_PKCS
}
Anders
In Ref to your email:
QUOTE:
It seems that fixing the problem with the Buypass card would be a useful first step.
Actually there is no problem with the card (no cards AFAIK do *native* step-wise
signing), it is rather the PKCS #11 driver that is the culprit.
I would contact:
1. the Buypass people
2. The OpenSC community to resolve this issue.
After that you should be able to try different signature solutions including
SignServer.
ENDQUOTE
I will try to contact the Buypass people, and post on opensc community,and I assume this is the right address:
http://old.nabble.com/OpenSC-f973.html
By the way, I have posted these,on openssl earlier:
http://old.nabble.com/sufficient-engine-configuration-i-openssl.cnf-for-signing-with-smartcard-xmlsec1-td32606851.html
http://old.nabble.com/defining-slot-and-key-id-in-the-openssl.cnf-td32629316.html
And I will try to have a look into the
modules/clientToolBox/src/org/ejbca/ui/cli/KeyStoreContainerTest.java
in conjunction with the
http://metro.1045641.n5.nabble.com/XWSS-and-PKCS11-td1063509.html
Hi Sigbjorn,
I tested signing using an Aventra card. In Norway you can get an eId (just like from Bygpass) from Commfides using the Aventra cards (http://www.commfides.com/).
pkcs11-tool -login -sign -slot-label MyEID -id 9b741d74012280abc7ce3b1ea81d6165c1b925c9 -module /usr/lib/opensc-pkcs11.so -i test.txt -mechanism SHA1-RSA-PKCS
This worked for me at least. Haven't tested it in signserver, but at least the card works to sign using OpenSC, which is the first step.
Cheers,
Tomas
I also tested with clientToolBox now, and that works, which means it "should" actually work with SignServer as well.
tomas@ubuntu:~/Dev/workspace/ejbca-Branch_4_0/dist/clientToolBox$ ./ejbcaClientToolBox.sh pkcs11hsmkeytool test /usr/lib/opensc-pkcs11.so 1
Test of keystore with ID 1.
2011-10-25 09:37:35,693 INFO Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token Password:
Testing of key: MyEID (test01):tomas's EJBCA Sample ID
Private part:
SunPKCS11-opensc-pkcs11.so-slot1 RSA private key, 2048 bits (id 139769645439968, token object, sensitive, unextractable)
RSA key:
modulus: 9d2c931e85f6238800959d68b4612e7dd799df321ef79c62375016b89e0921f91fb5d28f9c657c53d73f164ab4b76b677181b3139e939d93ea54ae1503d6a36dec7733078820cf16dc57f776edaeba451a864f348f907b7062777d0ebaf42ecdc6f5c4391c4602a0c873bd6cdef6bcec0cffc418d4ab6634375be3460798108dcbe8f54a15185300055af7aa5e2d924520a4e6eaba4146db45e7c574e26514e65d5df83d70d33d2eacd5a01b624f5ef4f559d4f92e9017986ec8f0a61b4e72877e7b13687bd106ccae3ff6c2d303387c73839597694593e20d50d7e2f7931592f25db44056b6de5970b62f3a1bf121f08b76ae18dc2415c044526f20c660a825
public exponent: 10001
SunJCE version 1.7SunPKCS11-opensc-pkcs11.so-slot1 version 1.7; modulus length: 2048; byte length 245. The decoded byte string is equal to the original!
Signature test of key MyEID (test01):tomas's EJBCA Sample ID: signature length 256; first byte 7a; verifying true
Signings per second: 1
Decryptions per second: 1
Thank You! This is good work by you!
Of course, if I could use other cards that would give a more flexible solution. In the future I am sure that other firms will have the opportunity to stand for cards to public/official use. I have taken a qick glance at the site http://www.commfides.com/
By the way, take a look at this link below, that is telling about problems with collition between the opensource and the commercial software production that is right into my realm:
http://www.medilink.com/news.html
The headings:
Behandlerkrav
Ny PKI-løsning er på lufta
Ny PKI-løsning, and its "read more" link:
http://www.medilink.com/060911_PKI.html
Quote:
"…specified goverment standards…new type smartcards…integration limited to Windows OpSys…originally we applied open international standards…had to rebuild…"
-S-
New development in this matter:
After following up Anders' email step 1 to contact Buypass directly first, I received this message from them:
QUOTE:
Subject: Re: Angående sertifikater - Linux
Hei,
Jeg har blitt bedt av vår kundeservice om å kontakte deg.
Jeg har fått beskjed om at multipartsignering i PKCS#11 støttes i nyeste
versjon av Buypass Access (5.6). Dersom Linux-versjonen av release 5.6 er
klar, skal jeg få lagt ut en pakke for nedlasting. Dersom den ikke er klar,
kommer vi tilbake om kort tid med beskjed om når den foreligger.
Mvh *** ********
Buypass AS
:ENDQUOTE
And I had the version 5.3.1 - quite a bit behind - so Buypass is taking care of it.
From the following answered message, recently received from xmlsec@aleksey.com, it becomes clear that Multisign is the mechanism applied also in XMLSEC:
QUOTE:
MultiPartSign and SinglePartSign
From:"Si St" <sigbj-st@operamail.com>
To:xmlsec@aleksey.com
Date:Wed, 26 Oct 2011 11:32 AM (16 hours 14 minutes ago)
Is this an actual subject with the following in mind:
1) "Multipart sign":
a. C_SignInit()
b. C_SignUpdate()
c. C_SignFinal()
2) "Single part sign":
a. C_SignInit()
b. C_Sign()
Some card drivers/modules only support Multipart or Singlepart. Are
these 2 signing types part of the xmlsec code? With Signserver from
primekey.se and pkcs11-tool they both support Multipart, while a certain
type of smartcard(its driver) only supports Singlepart.
Will it matter with XMLSEC and cryptoengine? It could be a reason why
xmlsec does not find the key (error:45), but there are no return with
e.g. "C_SignUpdate() : CKR_FUNCTION_NOT_SUPPORTED" which I assume always
comes from the card module, so then there are other reasons why error 45
appears.
-
Si St
ANSWERED:
"Aleksey Sanin" <aleksey@aleksey.com> wrote:
On Wednesday, October 26, 2011 11:35 AM,
xmlsec is always using "Multipart" signing
Aleksey
:ENDQUOTE
Ref to pkcs11-tool, Signserver/clientToolBox and xmlsec1 this shows how important it is to have MultiPartSign implemented in smartcards,
Please note that no cards I'm aware of perform native "Multipart" because that would be extremely inefficient.
Multipart must therefore be emulated by the driver.
Some cards does not even do the PKCS #1 padding natively.
You really need an updated PKCS #11 driver!
Anders
I am aware of that the subject is the driver, module, libiidp11.so - not the hardware card. I may confuse by my choice of expression of the matter here.
It is the libiidp11.so.5.3.1.31 that has to be rewritten for my case.
I have the access program version 5.3.1 that contain among several things:
libiid.so.5.3.1.31
libiidplg.so.5.3.1.31
libiidp11.so.5.3.1.31
libiidgui.so.5.3.1.31
and it is the libiidp11.so.5.3.1.31 that make calls to the card applying pkcs11-tool and clientToolBox
I assume I am right here.
Here is the the test on the new PKCS11-driver from Buypass:
sigbj@linux-2x4g:~/EJBCA/clientToolBox> ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/libiidp11.so.5.6.0.44 1
Test of keystore with ID 1.
2011-11-03 21:09:53,927 INFO Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
Passwort für PKCS11-Token :
Testing of key: SIGBJÃRN STORSET, 9578-4050-116696626/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708082
Private part:
SunPKCS11-libiidp11.so.5.6.0.44-slot1 RSA private key, 1024 bits (id 65538, token object, sensitive, unextractable)
RSA key:
modulus: 9a2392ca0b3cd26e2f4a04c76c97fafeeba7d031a5c84da271c27e9a6b52cdd9d6691ff483a7a7aec32c5aadcd9aa8c21f4757c8f0a87f2edd8e02f9dee9cc8237d95c5cc9bb8d4f626d2894e67138709a945a40cc537143dd2fef12d4f060eaf0b6e24de4946b2221493120aef0d288cd27082950edc87af6bbb96bdc855e53
public exponent: 10001
SunJCE version 1.6SunPKCS11-libiidp11.so.5.6.0.44-slot1 version 1.6; modulus length: 1024; byte length 117. The decoded byte string is equal to the original!
Signature test of key SIGBJÃRN STORSET, 9578-4050-116696626/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708082: signature length 128; first byte 4f; verifying true
Signings per second: 1
Decryptions per second: 1
Testing of key: SIGBJÃRN STORSET, 9578-4050-116696626/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708083
Private part:
SunPKCS11-libiidp11.so.5.6.0.44-slot1 RSA private key, 1023 bits (id 65540, token object, sensitive, unextractable)
RSA key:
modulus: 7b7c875506ee24f0adcdb230ae9dda32d332698149405a51ac943009689e710402a0ce6911b04777162c7971182ca50e457f7e634b9a8d05b304befc6da9759b9f0d5ffd5799cd864ab4505952b09d5df94ecaa695f13a7a50d4c603bd7b4e10013bf55233cd25d1ef031e11ac814be95f0d73e37056e950854b272a02478c3b
public exponent: 10001
SunJCE version 1.6SunPKCS11-libiidp11.so.5.6.0.44-slot1 version 1.6; modulus length: 1023; byte length 117. The decoded byte string is equal to the original!
Signature test of key SIGBJÃRN STORSET, 9578-4050-116696626/cn=buypass class 3 ca 1,o=buypass as-983163327,c=no/708083: signature length 128; first byte 19; verifying true
Signings per second: 1
Decryptions per second: 1
sigbj@linux-2x4g:~/EJBCA/clientToolBox>
Also the test to sign with pkcs11-tool went like it should: the file was signed without error. So now this part is OK. I have still problems with the "xmlsec1 -crypto openssl" but this part is nothing for this forum. Signserver probably would have to wait. I will be looking for somebody beeing able to write a java-script for signing a xml-document according to my needs, in tune with the xmldsig specifications.
- S -
In case you want to adjust the signer to match your specific profile, this file does it all:
http://signserver.svn.sourceforge.net/viewvc/signserver/trunk/signserver/modules/SignServer-Module-XMLSigner/src/java/org/signserver/module/xmlsigner
Anders
Thank you for this link to that file. I will really try to look into it.
My problem with just having the pkcs11-tool is that I have to do the canonalization on my own, - and manually.
Not a easy task. But I get quite a help from the link: http://www.di-mgt.com.au/xmldsig.html
I am sure that signserver has it all and could I ever be able code it for the purpose I need, signserver will solve it all.
- sigbj -
Is ToolBox testing C_GetAttributeValue or something like this as to smartcards?
I get the following with pkcs11-tool -test switch:
sigbj@linux-ueuk:~> pkcs11-tool -l -test -module /usr/lib/libiidp11.so.5.6.0.44
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
Signatures (currently only RSA signatures)
testing key 0 ()
all 4 signature functions seem to work
testing signature mechanisms:
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
RSA-X-509: couldn't get the pubkey VALUE attribute, no validation done
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
RSA-PKCS: couldn't get the pubkey VALUE attribute, no validation done
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
SHA1-RSA-PKCS: couldn't get the pubkey VALUE attribute, no validation done
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
MD5-RSA-PKCS: couldn't get the pubkey VALUE attribute, no validation done
testing key 1 (1024 bits, label=) with 1 signature mechanism
warning: PKCS11 function C_GetAttributeValue(ID) failed: rv = CKR_OBJECT_HANDLE_INVALID (0x82)
MD5-RSA-PKCS: private key has no ID, can't lookup the corresponding pubkey for verification
Verify: not logged in, skipping verify tests
Key unwrap: not logged in, skipping key unwrap tests
Decryption: not logged in, skipping decryption tests
Testing card detection
Please press return to continue, x to exit: x
Testing card detection using C_WaitForSlotEvent
Please press return to continue, x to exit: x
No errors
The ToolBox gave an error free output at this previous signserver forum posting: Number 22, 2011-11-03 14:10:05 PDT above at this page
It is impossible to get an validating signature from pkcs11-tool even if the signature is there at correct bytes
Sincerly Yours,
S