Hi Guys,
I have ported custom code that uses SignServer 2.0 to SignServer 3.2 using NetBeans 6.9 and am able to build it in NetBeans. This custom code uses an nCipher HSM and I am porting it to use a SafeNet HSM. So far I have not seen that this specific module uses the nCipher API.
Based on the SignServer Manual v3.1.3, I will just configure the "custom." parameters in the build configuration file.
custom.src.java successfully transfers the files to /opt/signserver/tmp/preprocessed/java
custom.src.web successfully transfers the custom WEB-INF/web.xml to /opt/signserver/tmp/preprocessed/web/pub
but custom.build.xml did not execute the compile target.
What do I need to do to be able to integrate the custom code into signserver?
Regards,
knivez
Hi Knivez,
The extensibility features of SignServer are currently going through some redesign and it might be the case that the "custom." parameters are not working as originally intended. I will have a look at it.
Depending on what your code does, it might anyway be quite easy to integrate it into SignServer.
If it is a new worker or crypto token not including any EJBs, then what your build script has to do is put the final jar in dist-server/lib/ and it will be included in signserver.ear/lib. Also, if you place your project under modules with a name starting with SignServer-module- and put your Ant script under it with the name build.xml, the SignServer build script will call your "jar" target when SignServer is being built, and you have the chance to build your code and move your jar file to dist-server/lib/.
It is hard to give any more advice without knowing a little bit more about what your code does. For instance, if it contains EJBs or web modules it will be a little bit more complicated.
Best regards,
Markus
Hi Markus,
I have successfully compiled the custom code with SignServer. What I did was modify the build.xml to include the targets from my custom code. I also included the path of the custom classes when packaging signserver-ejb.jar. This works for me for now. I may modify the build script again when the functionality is working.
When testing my code I encountered this issue:
java.lang.ClassCastException: sun.security.pkcs11.P11Key$P11PrivateKey cannot be cast to java.security.interfaces.RSAPrivateKey
This is caused by executing this line: (RSAPrivateKey) getCryptoToken().getPrivateKey(ICryptoToken.PURPOSE_SIGN)
My SignerToken is PKCS11CryptoToken.
Is there a solution on how to fix this problem?
Regards,
Kevin
I printed out the toString() of the returned PrivateKey and Provider, and here is the output:
Private Key = SunPKCS11-libcryptoki.so-slot5 RSA private key, 2048 bits (id 4, token object, sensitive, unextractable)
Provider = SunPKCS11-libcryptoki.so-slot5
The question here may be how to cast a P11Key$P11PrivateKey to an RSAPrivateKey.
Anonymous - 2011-12-06
Hi,
I don't know much about SignServer, but maybe you don't need to cast to an RSA private key?
If you for example want to sign, you must anyway open the right provider, and it understands exactly this key.
Anders
tech support
Exactly, casting is wrong. Since the key is "unextractable" it can naturally not be "cast" to a software RSA key.
Cheers,
Tomas
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
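The point Anders and Tomas make, as an added example that is not SignServer's code and not from the thread: a worker only needs the PrivateKey object and the Provider that owns it, so it can hand both to java.security.Signature and never cast. A software RSA key pair stands in for the HSM key so the class runs without a token; with a PKCS11CryptoToken the key comes from getPrivateKey(ICryptoToken.PURPOSE_SIGN) as in the thread, and an accessor for the token's Provider is assumed (the thread only shows that the provider is a SunPKCS11 instance).

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;

/**
 * Added example, not SignServer code: use the PrivateKey the crypto token returns as-is,
 * bound to the token's Provider, instead of casting it to RSAPrivateKey.
 */
public final class ProviderBoundSigner {

    /**
     * Signs data with the key through the provider that owns the key. For an HSM key the
     * provider is the SunPKCS11 instance (the thread shows "SunPKCS11-libcryptoki.so-slot5")
     * and the key is sun.security.pkcs11.P11Key$P11PrivateKey, which does not implement
     * java.security.interfaces.RSAPrivateKey, so there is nothing to cast.
     */
    public static byte[] sign(PrivateKey key, Provider provider, byte[] data) throws Exception {
        Signature sig = Signature.getInstance(signatureAlgorithmFor(key.getAlgorithm()), provider);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    public static boolean verify(PublicKey publicKey, Provider provider, byte[] data, byte[] signature)
            throws Exception {
        Signature sig = Signature.getInstance(signatureAlgorithmFor(publicKey.getAlgorithm()), provider);
        sig.initVerify(publicKey);
        sig.update(data);
        return sig.verify(signature);
    }

    /** Every java.security.Key exposes getAlgorithm(); that is enough to pick the signature algorithm. */
    static String signatureAlgorithmFor(String keyAlgorithm) {
        switch (keyAlgorithm) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            default:    throw new IllegalArgumentException("unsupported key algorithm: " + keyAlgorithm);
        }
    }

    /** Read RSA parameters only when the key object actually exposes them; an unextractable HSM key will not. */
    static String describe(PrivateKey key) {
        if (key instanceof RSAPrivateKey) {
            return "extractable RSA key, " + ((RSAPrivateKey) key).getModulus().bitLength() + " bits";
        }
        return "opaque " + key.getAlgorithm() + " key of class " + key.getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        // A software key pair from the JDK's own provider stands in for the HSM key so this runs
        // without a token. With a PKCS11CryptoToken the key and provider would both come from the
        // token; a getProvider(...) accessor on the token is assumed, not shown in the thread.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Provider provider = kpg.getProvider();

        byte[] data = "constructed input, not from the thread".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(kp.getPrivate(), provider, data);

        System.out.println(describe(kp.getPrivate()));
        System.out.println("signature bytes: " + signature.length);
        System.out.println("verified: " + verify(kp.getPublic(), provider, data, signature));
    }
}
```

Under a SunPKCS11 provider the same sign() call ends up as C_SignInit/C_Sign inside the HSM, so the "sensitive, unextractable" attributes the poster printed are exactly what you want; the instanceof check in describe() is the only safe way to touch RSA parameters when a key may come from either a software keystore or a token.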
I tried changing the existing code from using RSAPrivateKey to just PrivateKey, then compiled, and it works.
Thanks for your insights, Anders and Tomas; that helps a lot.
Regards,
Kevin
Hi Guys,
I need your thoughts on this.
I have created custom code to create a CA using PKCS11Token, similar to "signserver.sh setproperties <propertyfile>".
As with the properties file, the token PIN value is exposed to other users on the server.
Is there any way to secure the PIN? Even looking at the contents of the database I am still able to see the PIN, and the username and password are in signserver_build.properties, which might pose a risk of someone accessing the token in the HSM and grabbing the signing keys.
here is my code snippet:
If you don't want to store the PIN you can use the activate and deactivate commands to do it manually, prompting for the password. The only way to be sure is to not store the PIN anywhere.
Cheers,
Tomas
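Tomas's advice (keep the PIN out of the worker properties and the database, prompt for it at activation time) and Markus's later answer (auto-activation needs the "pin" worker property stored) are two ends of one trade-off. The class below, an added example that is not SignServer code and not from the thread, shows the practitioner's side of it: an audit that flags secrets stored in a properties file, and a token login whose PIN exists only in memory and is wiped after the PKCS#11 keystore has logged in. The property names in the constructed config are assumed to follow the thread's "pin" worker property; Provider.configure(String) is the Java 9+ way to instantiate SunPKCS11 from a config file.

```java
import java.io.Console;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Properties;

/**
 * Added example, not SignServer code: audit property files for a stored token PIN and open the
 * PKCS#11 token with a PIN that only ever lives in memory.
 */
public final class PinHygiene {

    /** Property names (assumed, after the thread's "pin" worker property) that put a secret on disk or in the DB. */
    private static final String[] SECRET_NAMES = { "pin", "password", "passwd" };

    /** Returns the keys in props whose name is, or ends in, a secret name and whose value is non-empty. */
    public static List<String> findStoredSecrets(Properties props) {
        List<String> hits = new ArrayList<>();
        for (String name : props.stringPropertyNames()) {
            String lower = name.toLowerCase(Locale.ROOT);
            for (String secret : SECRET_NAMES) {
                if ((lower.equals(secret) || lower.endsWith("." + secret))
                        && !props.getProperty(name).trim().isEmpty()) {
                    hits.add(name);
                    break;
                }
            }
        }
        return hits;
    }

    public static List<String> findStoredSecrets(Path file) throws IOException {
        Properties props = new Properties();
        try (Reader in = Files.newBufferedReader(file)) {
            props.load(in);
        }
        return findStoredSecrets(props);
    }

    /**
     * Logs in to the token interactively. The PIN is read without echo, handed to the KeyStore as a
     * PasswordProtection, and both copies are wiped once the login has happened. Nothing is persisted,
     * which is exactly why such a token needs activating again after a JBoss restart.
     */
    public static KeyStore openTokenInteractively(Provider pkcs11Provider) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no console available; refusing to read the PIN from an echoing stdin");
        }
        char[] pin = console.readPassword("HSM partition PIN: ");
        KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(pin); // takes its own copy
        try {
            return KeyStore.Builder.newInstance("PKCS11", pkcs11Provider, protection).getKeyStore(); // C_Login here
        } finally {
            protection.destroy();   // wipes the KeyStore's copy of the PIN
            Arrays.fill(pin, '\0'); // wipes ours
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed worker properties in the style of "signserver.sh setproperties"; the names are
        // assumed. The point is that WORKER5.PIN ends up in the worker config table, visible to any DB reader.
        String constructed = "WORKER5.NAME=MyCA\n"
                + "WORKER5.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.PKCS11CryptoToken\n"
                + "WORKER5.PIN=123456\n";
        Properties props = new Properties();
        props.load(new StringReader(constructed));
        System.out.println("secrets stored in constructed config: " + findStoredSecrets(props));

        if (args.length == 2) {
            // Usage: java PinHygiene <worker.properties> <sunpkcs11.cfg>  (Provider.configure needs Java 9+)
            System.out.println("secrets stored in " + args[0] + ": " + findStoredSecrets(Paths.get(args[0])));
            Provider p11 = Security.getProvider("SunPKCS11").configure(args[1]);
            Security.addProvider(p11);
            KeyStore token = openTokenInteractively(p11);
            System.out.println("token opened with " + token.size() + " entries; PIN no longer in memory");
        }
    }
}
```

Run the audit against every file that "signserver.sh setproperties" would load and against signserver_build.properties before deploying; anything it reports is a secret that an OS user with read access, or a database reader, can use to log in to the partition. Wiping the char[] is a best effort (the JVM and the PKCS#11 library may keep copies for a while), but it is strictly better than a PIN that sits in a table forever.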
Hi Tomas,
Removing the PIN from the worker property and doing an activate command to store the PIN works great.
I'll tell you some experiences I had using this method:
First, I created the key pair outside SignServer, so it communicates directly with the SafeNet HSM.
I did this because I cannot generate a key pair in SignServer via the created CA, as it is not activated.
If I activate the CA after creation it also fails, because there is no associated key for the CA.
Second, I need to activate the CA before I can generate a CSR.
These scenarios work for me by following the sequence: generate the key directly in the HSM, create the CA, activate the CA, and generate the CSR.
Another scenario I encountered was that after I uploaded the certificate chain and activated the CA, the status became active. Then after JBoss restarted, the CAs I had activated became offline.
Is there a way that the CA's status will always be active unless deactivated, even if JBoss or the machine is restarted?
Thanks for your help.
Knivez
Hi Guys,
Can you help me out if there is a solution so that the worker's status would be active after a restart?
I'm using a SafeNet HSM to store the CA keys, and every time the server or JBoss is restarted the workers go offline.
This requires activation after a restart.
I have tried adding a worker using the TSA module, and this is always active even though JBoss is restarted.
Regards,
Knivez
Hi Knivez,
To have the worker auto-activated you will have to set the "pin" worker property to the HSM's partition password.
Best regards,
Markus
Hi Markus,
That means storing the PIN in the database, right? Which might compromise the keys inside the HSM if someone could access the database server.
Another question, regarding thread synchronization in public ProcessResponse process(): how do I make sure that no deadlock would occur when we call this method? Is this handled by the SignServer framework? Is SignServer thread-safe?
Regards,
Knivez
Yes, as said before, you have to choose.
The workers in SignServer are not thread-safe. You should not modify any instance variable (the WorkerConfig, for instance) from within the processData() method, as different threads might access the same worker instance concurrently.
However, I am not sure how you would be able to achieve a deadlock from a call to processData(), as most workers do not use locks and no worker is waiting for any other thread to finish its work.
Regards,
Markus
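Markus's point, as an added example that is not SignServer code and not from the thread: one worker instance serves many threads, so any per-request state written to an instance field is shared with whoever else is inside process() at the same time. The Worker interface, the two worker classes and the request harness below are all constructed for this example; they mimic the shape of a worker's process() method, not SignServer's real API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;

/** Added example, not SignServer code: why a worker must not keep per-request state in instance fields. */
public final class WorkerStateDemo {

    /** Stand-in for a worker's process()/processData() entry point (constructed, not SignServer's interface). */
    interface Worker {
        byte[] process(byte[] request) throws Exception;
    }

    /** Mimics a worker whose process() parks the request in an instance field: not thread-safe. */
    static final class UnsafeWorker implements Worker {
        private byte[] current; // shared by every thread that enters process()

        public byte[] process(byte[] request) throws Exception {
            current = request;  // another thread may overwrite this before we hash it
            Thread.yield();     // widens the window; the bug exists without it too
            return MessageDigest.getInstance("SHA-256").digest(current);
        }
    }

    /** Same work with per-request state in locals; configuration is read-only and counters are atomic. */
    static final class SafeWorker implements Worker {
        private final String digestAlgorithm;                 // immutable config, safe to share
        private final AtomicLong processed = new AtomicLong(); // the only shared mutable state, and it is atomic

        SafeWorker(String digestAlgorithm) { this.digestAlgorithm = digestAlgorithm; }

        public byte[] process(byte[] request) throws Exception {
            byte[] result = MessageDigest.getInstance(digestAlgorithm).digest(request); // fresh per call
            processed.incrementAndGet();
            return result;
        }

        long processed() { return processed.get(); }
    }

    /** Fires concurrent requests at one worker instance and counts responses that belong to a different request. */
    static int countCrossTalk(Worker worker, int threads, int iterations) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger mismatches = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Future<?>[] futures = new Future<?>[threads];
        for (int t = 0; t < threads; t++) {
            byte[] request = ("request-from-thread-" + t).getBytes(StandardCharsets.UTF_8); // constructed input
            byte[] expected = MessageDigest.getInstance("SHA-256").digest(request);
            futures[t] = pool.submit(() -> {
                start.await(); // release all threads at once to maximise contention
                for (int i = 0; i < iterations; i++) {
                    if (!Arrays.equals(worker.process(request), expected)) {
                        mismatches.incrementAndGet();
                    }
                }
                return null;
            });
        }
        start.countDown();
        for (Future<?> f : futures) {
            f.get();
        }
        pool.shutdown();
        return mismatches.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe worker cross-talk: " + countCrossTalk(new UnsafeWorker(), 8, 20_000));
        SafeWorker safe = new SafeWorker("SHA-256");
        System.out.println("safe worker cross-talk:   " + countCrossTalk(safe, 8, 20_000));
        System.out.println("safe worker processed:    " + safe.processed());
    }
}
```

The cross-talk count for the unsafe worker varies from run to run, which is the nature of the bug: on a signer it would mean one client's signature computed over another client's data. The safe worker reports zero and an exact request count, because it reads only immutable fields and touches shared state only through an atomic. Deadlock, as Markus says, needs locks; if a worker does introduce synchronized blocks (for a shared counter, a cached connection), acquire them in one fixed order and never hold one while calling back into another worker or into the HSM provider.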