2 Replies. Latest reply: Jul 11, 2011 7:58 AM by 446516

    eToken + RSA Key Secondary Authentication problem

    843811
      Hello. I need to access an eToken using the Java Security API (PKCS11), and I can't use the "RSA Key Secondary Authentication" mode because when I try to sign I get an error (CKR_USER_NOT_LOGGED_IN).

      Do you know why it happens?

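      This is my code:

      import java.io.ByteArrayInputStream;
      import java.io.InputStream;
      import java.io.Serializable;
      import java.security.KeyStore;
      import java.security.PrivateKey;
      import java.security.Security;
      import java.security.Signature;
      import java.security.SignedObject;
      import sun.security.pkcs11.SunPKCS11;

      // SunPKCS11 provider configuration pointing at the eToken PKCS#11 library
      String pkcs11config;
      pkcs11config = "name = my-eToken";
      pkcs11config += "\nlibrary = c:\\WINDOWS\\system32\\eTpkcs11.dll";
      InputStream confStream = new ByteArrayInputStream(pkcs11config.getBytes());
      SunPKCS11 sunpkcs11 = new SunPKCS11(confStream);
      Security.addProvider(sunpkcs11);
      String alias = "myAlias";

      // open the token as a keystore; MyCallbackHandler supplies the token PIN
      KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", sunpkcs11,
        new KeyStore.CallbackHandlerProtection(new MyCallbackHandler()));
      KeyStore keyStore = builder.getKeyStore();
      // get my private key
      KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(alias,
              new KeyStore.PasswordProtection("aliasPwd".toCharArray()));
      PrivateKey privateKey = pkEntry.getPrivateKey();

      Serializable o = new SignedBean("bla bla");  // dummy object which wraps a String, just for testing
      Signature sig = Signature.getInstance("SHA1withRSA");
      SignedObject signedObject = new SignedObject(o, privateKey, sig);  // the exception is thrown here

      And when it attempts to create an instance of SignedObject, it throws the exception: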
      java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
           at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:420)
           at java.security.Signature$Delegate.engineSign(Signature.java:1131)
           at java.security.Signature.sign(Signature.java:527)
           at java.security.SignedObject.sign(SignedObject.java:227)
           at java.security.SignedObject.<init>(SignedObject.java:144)
           at ar.gov.mecon.esidif.firmaDigital.test.ETokenTest2.testLogin(ETokenTest2.java:99)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at junit.framework.TestCase.runTest(TestCase.java:154)
           at junit.framework.TestCase.runBare(TestCase.java:127)
           at junit.framework.TestResult$1.protect(TestResult.java:106)
           at junit.framework.TestResult.runProtected(TestResult.java:124)
           at junit.framework.TestResult.run(TestResult.java:109)
           at junit.framework.TestCase.run(TestCase.java:118)
           at junit.framework.TestSuite.runTest(TestSuite.java:208)
           at junit.framework.TestSuite.run(TestSuite.java:203)
           at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:128)
           at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
           at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
           at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
           at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
           at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
           at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
           at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:391)
           ... 23 more
      Thanks in advance
        • 1. Re: eToken + RSA Key Secondary Authentication problem
          446516
          Hello. Try redefining your callback:
          KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", sunpkcs11,
            new KeyStore.CallbackHandlerProtection(new CallbackHandler() {
              public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                // does nothing, so the native driver's login implementation is called
              }
            }));
          
          KeyStore keyStore = builder.getKeyStore();
          // get my private key
          privateKey = (PrivateKey) this.getKeyStore().getKey(alias, null); // pass null because the secondary password is obtained by the driver

          In my case, it works fine (JDK 1.5), but it opens the dialog for the secondary key twice :( I don't know why!!

          If you know, please answer me!!

          Hope this helps you
          • 2. Re: eToken + RSA Key Secondary Authentication problem
            446516
            Well, I found the problem:

            "In my case, it works fine (JDK 1.5), but it opens the dialog for the secondary key twice. I don't know why!!"

            I'm using iText 2.1.7 for signing PDF files, and this library calls the native method C_Sign(..) twice, so this is the cause.
            If you are not using iText, this has to work fine.
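
Added example, not code from either poster: a helper that pulls the PKCS#11 return code out of the exception wrapping shown in the stack trace above (a ProviderException caused by a PKCS11Exception whose message is the CKR_ name) and keeps signing to a single sign() call, since the second reply traces the double dialog to two C_Sign calls. The class and method names are hypothetical; the sample exception and the software RSA key are constructed stand-ins so it runs without an eToken.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class TokenSignDiagnostics {

    /** Walks the cause chain and returns the first PKCS#11 return-code name (CKR_...), or null. */
    static String pkcs11ReturnCode(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String msg = c.getMessage();
            if (msg == null) continue;
            int start = msg.indexOf("CKR_");
            if (start < 0) continue;
            int end = start;
            while (end < msg.length()
                    && (Character.isLetterOrDigit(msg.charAt(end)) || msg.charAt(end) == '_')) end++;
            return msg.substring(start, end);
        }
        return null;
    }

    /** Signs data with exactly one sign() call; on failure reports the token's return code. */
    static byte[] signOnce(PrivateKey key, String algorithm, byte[] data)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(algorithm);
        sig.initSign(key);
        sig.update(data);
        try {
            return sig.sign();
        } catch (ProviderException e) {   // unchecked, so it is easy to miss
            String ckr = pkcs11ReturnCode(e);
            throw new SignatureException(
                "token refused to sign" + (ckr != null ? " (" + ckr + ")" : ""), e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the error in the thread: same wrapping, same message.
        Throwable sample = new ProviderException(new RuntimeException("CKR_USER_NOT_LOGGED_IN"));
        System.out.println("return code: " + pkcs11ReturnCode(sample));

        // Constructed software RSA key standing in for the key held on the token.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "bla bla".getBytes(StandardCharsets.UTF_8);
        byte[] signature = signOnce(kp.getPrivate(), "SHA1withRSA", data);

        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        System.out.println("verified: " + verifier.verify(signature));
    }
}
```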