From: Markus K. <ma...@pr...> - 2014-01-11 11:36:04

That's great Cristian!
Cheers,
Markus
On 2014-01-10 16:22, Cristian Altamirano wrote:
> Markus,
> Thanks for the answer.
> I resolved my problem by adding my certificate to the HSM using Java.
> The Java class for adding the certificate to the Utimaco HSM:
>
> import java.io.File;
> import java.io.FileInputStream;
> import java.io.FileNotFoundException;
> import java.io.IOException;
> import java.security.KeyStore;
> import java.security.KeyStoreException;
> import java.security.NoSuchAlgorithmException;
> import java.security.PrivateKey;
> import java.security.Provider;
> import java.security.Security;
> import java.security.UnrecoverableKeyException;
> import java.security.cert.CertificateException;
> import java.util.Enumeration;
>
> /**
>  * @author Cristian Altamirano <cal...@gm...>
>  * @version 1.6 (jdk-6u25-linux-i586.rpm)
>  * @since 09/01/2014
>  */
> public class AdderHSM {
>     /*
>      * pkcs11.cfg :
>      * name=HSMToken
>      * library=/home/cristian/utimaco/Software/PKCS11/lib/Linux-x86-32/libcs2_pkcs11.so
>      * description=SafeGuard CryptoServer PKCS11 provider
>      * slot=8
>      */
>     /*
>      * lib used: sunpkcs11.jar
>      */
>     private static final String UTIMACO_CONFIG =
>             "/home/cristian/utimaco/SUNProvider/pkcs11.cfg";
>     private static final String KEY_PIN = "ocho";
>
>     public void pkcs12ToPckcs11() throws KeyStoreException,
>             NoSuchAlgorithmException, CertificateException, FileNotFoundException,
>             IOException, UnrecoverableKeyException {
>
>         // Read the PKCS#12 file from the file system (password redacted in the post)
>         String certificateKey = "****";
>         KeyStore keyStore = KeyStore.getInstance("pkcs12");
>         FileInputStream p12In = new FileInputStream("/home/cristian/caltamirano.p12");
>         try {
>             keyStore.load(p12In, certificateKey.toCharArray());
>         } finally {
>             p12In.close();
>         }
>         // Take the (last) alias found in the PKCS#12 keystore
>         String alias = "";
>         Enumeration<String> e = keyStore.aliases();
>         while (e.hasMoreElements()) {
>             alias = e.nextElement();
>         }
>
>         // Load the HSM configuration and log in to the slot with the PIN
>         FileInputStream fis = new FileInputStream(new File(UTIMACO_CONFIG));
>         Provider provider;
>         try {
>             provider = new sun.security.pkcs11.SunPKCS11(fis);
>         } finally {
>             fis.close();
>         }
>         Security.addProvider(provider);
>         KeyStore p11 = KeyStore.getInstance("PKCS11", provider);
>         p11.load(null, KEY_PIN.toCharArray());
>
>         // Add the private key and its certificate chain to the Utimaco HSM
>         KeyStore.PrivateKeyEntry priEntry = new KeyStore.PrivateKeyEntry(
>                 (PrivateKey) keyStore.getKey(alias, certificateKey.toCharArray()),
>                 keyStore.getCertificateChain(alias));
>         KeyStore.PasswordProtection passwordProtection =
>                 new KeyStore.PasswordProtection(certificateKey.toCharArray());
>         // The alias becomes the CKA_LABEL of the key in the slot; it is the value
>         // of defaultKey in the SignServer file qs_xmlsigner_configuration.properties
>         p11.setEntry("caltamiranoKeyAlias", priEntry, passwordProtection);
>
>         System.out.println("Certificate added to Utimaco HSM");
>     }
> }
>
>
> Then the qs_xmlsigner_configuration.properties:
>
>
> # $Id: qs_xmlsigner_configuration.properties 1729 2011-06-17 11:58:25Z netmackan $
> #
> # Example SignServer configuration property file
> #
> # Used to quick install a XMLSigner
> #
> # Install with the command:
> # bin/signserver.sh setproperties sample-configs/qs_xmlsigner_configuration.properties
> #
>
> ## Global properties
>
> GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.xmlsigner.XMLSigner
> #GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.SoftCryptoToken
> #GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.P12CryptoToken
> GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.PKCS11CryptoToken
>
>
> ## General properties
>
> WORKERGENID1.NAME=XMLSigner
> WORKERGENID1.AUTHTYPE=NOAUTH
>
> ## P12CryptoToken properties
>
> #WORKERGENID1.KEYSTOREPATH=/home/cristian/certificados/esign/caltamirano.p12
> #WORKERGENID1.KEYSTOREPASSWORD=1947
>
>
> ## PKCS11CryptoToken properties
>
> WORKERGENID1.sharedLibrary=/home/cristian/utimaco/Software/PKCS11/lib/Linux-x86-32/libcs2_pkcs11.so
> WORKERGENID1.slot=8
> WORKERGENID1.defaultKey=caltamiranoKeyAlias
> WORKERGENID1.pin=ocho
>
>
> Then add the config and the certificate using the SignServer CLI.
>
> ./signserver setproperties qs_xmlsigner_configuration.properties
> ./signserver uploadsignercertificate /home/cristian/caltamirano.pem
> ./signserver uploadsignercertificatechain chain.pem
>
> Now reload the config and it works.
>
> ./signserver reload all
>
>
> Regards.
>
> On Fri, Jan 10, 2014 at 11:45 AM, Markus Kilås <ma...@pr...> wrote:
>
> Dear Cristian,
>
> (Please, use a new subject for posts concerning a new topic)
>
> See answers below.
>
> On 2014-01-09 00:31, Cristian Altamirano wrote:
> > Dear all,
> > I am testing the Utimaco simulation with SignServer,
> > but I cannot understand where the property defaultkey is.
> > Where is defaultkey in the image?
> > I attach an image with the Utimaco simulation configuration.
> >
>
> The SignServer worker property DEFAULTKEY should contain the key alias
> (label) of the key _in_ the HSM slot. In your configuration below you
> have indicated that there should be a key named "tres" in the slot.
>
> On the picture it looks like you have a _slot_ labeled tres however the
> certificate is what is pointing out which key to use and it is labeled
> (CKA_LABEL) "X509 Certifificate" (!).
>
> Either you should use that as value for DEFAULTKEY or change that to be
> "tres".
>
> >
> > Then I made this configuration file.
> >
> > ## Global properties
> >
> > GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.xmlsigner.XMLSigner
> > GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.PKCS11CryptoToken
> >
> >
> > ## General properties
> >
> > WORKERGENID1.NAME=XMLSignerTest
> > WORKERGENID1.AUTHTYPE=NOAUTH
> >
> > ## PKCS11CryptoToken properties
> >
> > WORKERGENID1.sharedLibrary=/home/cristian/utimaco/Software/PKCS11/lib/Linux-x86-32/libcs2_pkcs11.so
> > WORKERGENID1.slot=3
> > WORKERGENID1.defaultKey=tres
> > WORKERGENID1.pin=tres
> >
> >
> > The SignServer administrator says:
> >
> > Status of Signer with Id 1 is :
> > Worker status : Offline
> > Token status : Active
> > Signings: 0 (counter disabled)
> > Errors:
> > No signer certificate available
> > Certificate chain not available
> >
> > Why?
>
> Most likely offline because of the wrong name of the key as well as
> because the certificate and certificate chain needs to be uploaded to
> SignServer explicitly. See the quick install guide:
> http://www.signserver.org/manual/installguide.html#Production%20configuration%20with%20HSM
>
> Also note that SignServer (Java) has some requirements on the key
> representation in the slot. It is normally best to use a Java tool when
> creating or importing the key to the HSM to be sure it will be readable
> by Java.
>
> >
> > If I add the PKCS12 certificate to slot 3 using p11tool,
> >
> > can I work with a certificate pre-loaded on the HSM?
>
> SignServer does not use the certificate in the slot more than to point
> out which key-pair to use. The certificate currently has to be uploaded
> to SignServer explicitly as described in the quick install guide above.
>
>
> Best regards,
> Markus
> PrimeKey Solutions
>
> >
> > Regards.
> >
> > --
> > Cristian Altamirano
> >
> >
>
>
> --
> Saluda.
> Cristian Altamirano
>
>
--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
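
As an added example for this thread (not code from the thread, from PrimeKey or from SignServer), the following class lists what Java's SunPKCS11 provider actually sees in a slot, so the value for the worker property DEFAULTKEY can be read off instead of guessed: for each alias it reports whether Java sees a private key (usable as DEFAULTKEY) or only a certificate object (which explains "No signer certificate available"/offline workers when the key is not Java-readable). It assumes a pkcs11.cfg in the same format as the one in the thread and takes the config path and the slot PIN as command-line arguments; the class name P11AliasCheck and the argument convention are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example, not SignServer code: show the aliases (CKA_LABEL values)
 * that the SunPKCS11 provider exposes for a slot, and what each one is.
 *
 * Usage (assumed convention): java P11AliasCheck /path/to/pkcs11.cfg <PIN>
 */
public class P11AliasCheck {

    /** Describe one alias: entry type and, if present, the certificate subject. */
    public static String describe(KeyStore p11, String alias) throws Exception {
        StringBuilder sb = new StringBuilder(alias).append(": ");
        if (p11.isKeyEntry(alias)) {
            // A private key object labelled with this alias: valid as DEFAULTKEY.
            sb.append("key entry");
        } else if (p11.isCertificateEntry(alias)) {
            // Certificate object only: nothing for the signer to sign with.
            sb.append("certificate-only entry (no private key)");
        } else {
            sb.append("unknown entry type");
        }
        Certificate c = p11.getCertificate(alias);
        if (c instanceof X509Certificate) {
            sb.append(", cert subject=")
              .append(((X509Certificate) c).getSubjectX500Principal());
        } else {
            sb.append(", no certificate attached");
        }
        return sb.toString();
    }

    /** Load the SunPKCS11 provider from pkcs11.cfg and log in to the slot. */
    public static KeyStore openSlot(String configPath, char[] pin) throws Exception {
        InputStream cfg = new FileInputStream(configPath);
        Provider provider;
        try {
            // JDK 6-8 constructor, as used in the thread. On JDK 9+ this
            // constructor is gone; use Security.getProvider("SunPKCS11").configure(configPath).
            provider = new sun.security.pkcs11.SunPKCS11(cfg);
        } finally {
            cfg.close();
        }
        Security.addProvider(provider);
        KeyStore p11 = KeyStore.getInstance("PKCS11", provider);
        p11.load(null, pin); // the PIN authenticates to the slot named in pkcs11.cfg
        return p11;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java P11AliasCheck <pkcs11.cfg> <PIN>");
            System.exit(2);
        }
        KeyStore p11 = openSlot(args[0], args[1].toCharArray());
        Enumeration<String> aliases = p11.aliases();
        int count = 0;
        while (aliases.hasMoreElements()) {
            System.out.println(describe(p11, aliases.nextElement()));
            count++;
        }
        if (count == 0) {
            // Objects created with non-Java tools may be invisible here; re-import
            // the key with a Java tool, as suggested in the thread.
            System.out.println("No objects visible to Java in this slot.");
        }
    }
}
```

Run it against the same pkcs11.cfg and slot that SignServer's PKCS11CryptoToken will use; the alias printed as a key entry is the string to put in WORKERGENID1.defaultKey, and the certificate subject confirms you are pointing at the right key pair before uploading the signer certificate and chain to SignServer.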