16 Replies. Latest reply: Oct 8, 2011 5:12 PM by Arshad Noor

    java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11

    881648
      I am having a very strange issue with my CAC card. I wrote a small Java program to log into the ProjectForge.mil web service:

      ICollabNetSoap m_sfSoap = (ICollabNetSoap)
      ClientSoapStubFactory.getSoapStub(ICollabNetSoap.class, "https://project.forge.mil/");
      String sessionId = m_sfSoap.login("", "");

      After entering CAC PIN, it is throwing exception saying that "javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate".

      More specific exception is:
      Caused by: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11 RSA private key, 2048 bits (id 39632224, token object, sensitive, unextractable)

      Note: I have asked three of my co-workers to run the same program using their CACs, and it seems to be working fine.
      The only difference between their CACs and mine is the CA (Certificate Authority) value: theirs is 24, whereas mine is 25. It looks like the JVM was not able to understand the private key of my CAC.

      On another note, my CAC works fine with a web service client application that was written in .Net.
      I am using Jdk-1.6.0_26 and I have already downloaded and installed latest jce .jar files.

      Any help is greatly appreciated


      Here are the exception details:

      =======================================
      [java] Tue Aug 02 17:07:54 MST 2011 URL assignment worked
      [java] Tue Aug 02 17:07:54 MST 2011 Trying login...
      [java] Exception in thread "main" AxisFault
      [java] faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
      [java] faultSubcode:
      [java] faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
      [java] faultActor:
      [java] faultNode:
      [java] faultDetail:
      [java] {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
      [java] at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
      [java] at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
      [java] at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
      [java] at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
      [java] at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
      [java] at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
      [java] at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
      [java] at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
      [java] at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
      [java] at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
      [java] at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
      [java] at org.apache.axis.client.Call.invoke(Call.java:2767)
      [java] at org.apache.axis.client.Call.invoke(Call.java:2443)
      [java] at org.apache.axis.client.Call.invoke(Call.java:2366)
      [java] at org.apache.axis.client.Call.invoke(Call.java:1812)
      [java] at com.collabnet.ce.soap50.webservices.cemain.CollabNetSoapStub.login(CollabNetSoapStub.java:115)
      [java] at com.collab.examples.LoginTF.main(LoginTF.java:30)
      [java] {http://xml.apache.org/axis/}hostname:GDYL8420N5B
      [java] javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
      [java] at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
      [java] at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
      [java] at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
      [java] at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
      [java] at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
      [java] at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
      [java] at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
      [java] at org.apache.axis.client.Call.invoke(Call.java:2767)
      [java] at org.apache.axis.client.Call.invoke(Call.java:2443)
      [java] at org.apache.axis.client.Call.invoke(Call.java:2366)
      [java] at org.apache.axis.client.Call.invoke(Call.java:1812)
      [java] at com.collabnet.ce.soap50.webservices.cemain.CollabNetSoapStub.login(CollabNetSoapStub.java:115)
      [java] at com.collab.examples.LoginTF.main(LoginTF.java:30)
      [java] Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
      [java] at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
      [java] at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
      [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
      [java] at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
      [java] at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
      [java] at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
      [java] at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
      [java] ... 11 more
      [java] Java Result: 1

      ==================================================================

      I have captured more specific exception which says

      Caused by: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11 RSA private key, 2048 bits (id 39632224, token object, sensitive, unextractable)
        • 1. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
          Arshad Noor
          Can you post a PEM copy of your certificate? Also, were the signing keys of your certificate generated on the card directly, or injected into the card after they were generated by the CA? Were the keys for the CAC cards that work with the program generated directly on the card or injected into the card? When you say "latest jce jar files", are you referring to the "unlimited strength" JCE files?

          Arshad Noor
          StrongAuth, Inc.
          • 2. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
            881648
            Thanks for taking the time to respond to my posting. Certainly I can share the certificate; however, is there a way that I can get your email id so that I can email the certificate to you? I am not quite sure whether
            this certificate can be posted in the public domain. If you are willing to share your email id with me, I will post my email id on this forum, to which you may send a test mail.

            Yes, all the keys on the card came with the CAC card. The same is the case with my co-workers' CACs.

            Yes, when I say latest JCE jar files (local_policy.jar and US_export_policy.jar), they are the "unlimited strength" ones.


            Again thanks for looking into this issue
            Soma Reddy.
            • 3. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
              EJP
              All certificates are public documents. It's the private key you need to protect.
              • 4. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                881648
                Sorry, not sure how to generate a .PEM file. I was able to export it as an X.509 .CER file only. I was not able to attach the .CER file, as this forum does not support attachments.
                Can you please let me know how to create a .PEM file and post it?
                • 5. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                  Arshad Noor
                  If you are running on a Linux machine, just type the following:

                  openssl x509 -in <filename> -inform der -outform pem -out <pem-filename>

                  Then paste the contents of the PEM-filename in a posting. If you don't have Linux, either install OpenSSL for Windows or Cygwin and run the same command.

                  Arshad Noor
                  StrongAuth, Inc.
                  • 6. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                    881648
                    Thanks, I have installed OpenSSL.

                    Here is the PEM copy of my certificate
                    ==================================================
                    -----BEGIN CERTIFICATE-----
                    MIIElTCCA32gAwIBAgIDG5RgMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT
                    MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
                    CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMjUwHhcNMTEwMzI1MDAwMDAwWhcNMTIw
                    NTI4MjM1OTU5WjCBjDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJu
                    bWVudDEMMAoGA1UECxMDRG9EMQwwCgYDVQQLEwNQS0kxEzARBgNVBAsTCkNPTlRS
                    QUNUT1IxMjAwBgNVBAMTKVlBUlJBUFVSRUREWS5TT01BU0VLSEFSQS5SRUREWS4x
                    Mzg2Nzc5MDM4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArPjzB0Lk
                    FAMegXbka3944sAm2jq7qKGnpIYhL82/gAj7zJzAPJsoE66L9spiEoDfh0osy2pO
                    wqH/0NfQdGjgIGjDG2OrKhTxYXBqKZk2p7V84H4RK5duB8JU7B7R7uY+U9RkyiNd
                    YuSycGXKULGa5eow/OCCI3iN8A+4NjpvswKhw3WvWhDow4xl1x6E6I89RhscU78z
                    D6VtamidLK8mCWDihplmSFtCCCK5RsUjv/KuZcASAHe3Tb7di2Fb68liS5Yhf5v7
                    SrezRYHbHpAZMOImy74t1UzcGkHFkE5kO4SPbAcVyhMwzE3aZNubXl5biQCEmxqh
                    80HvckcQj+b5TwIDAQABo4IBMjCCAS4wHwYDVR0jBBgwFoAULgtl+dZl3kujJXWk
                    oS6FIUBzuQowNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5kaXNhLm1pbC9j
                    cmwvRE9EQ0FfMjUuY3JsMA4GA1UdDwEB/wQEAwIGwDAjBgNVHSAEHDAaMAsGCWCG
                    SAFlAgELCTALBglghkgBZQIBCxMwHQYDVR0OBBYEFFhzyfk4PpY2JzyrNAH+ka4n
                    MDLRMGMGCCsGAQUFBwEBBFcwVTAxBggrBgEFBQcwAoYlaHR0cDovL2NybC5kaXNh
                    Lm1pbC9zaWduL0RPRENBXzI1LmNlcjAgBggrBgEFBQcwAYYUaHR0cDovL29jc3Au
                    ZGlzYS5taWwwGwYDVR0JBBQwEjAQBggrBgEFBQcJBDEEEwJVUzANBgkqhkiG9w0B
                    AQUFAAOCAQEATpknlaaGiKZRNL+8YNgVy2kQDEFgdg/O4tB7NBRq3PiyUodnpOur
                    2WbML+ViDMv7IxKEKUGnOgpc9CRNCR3+NERmaeVShlQwfF/3PjZ/DWiSuSMD79qC
                    Y+tom4AkV69kLKl/O07Ql+jYh+Uy1x+MGWm46QsdOU5kwXHvPrgBI+5IpOrhXAW9
                    DmOfTbdpmQvQHBC8nnLscrolQutLQtOIN60mRZmJG1x762sGNQsFgO8fTOus+C8v
                    rlGafWRi/BJxlQCB3qb5nvI1TI68DLlqvgvX8IR7fpL/tq222PDAorpGf23YpSQt
                    9x1xD5aZLkgYIICa6/L1Yus9FjtCR6eHug==
                    -----END CERTIFICATE-----
                    =======================================================
                    • 7. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                      sabre150
                      I can see nothing in your certificate information that looks out of order :-
                      Issuer DN .............. CN=DOD CA-25, OU=PKI, OU=DoD, O=U.S. Government, C=US
                      Not after .............. Tue May 29 00:59:59 BST 2012
                      Not before ............. Fri Mar 25 00:00:00 GMT 2011
                      Serial No. ............. 1807456
                      Signature Alg. ......... SHA1withRSA
                      Signature Alg. OID ..... 1.2.840.113549.1.1.5
                      Signature Alg. Params .. null
                      Subject DN ............. CN=YARRAPUREDDY.SOMASEKHARA.REDDY.1386779038, OU=CONTRACTOR, OU=PKI, OU=DoD, O=U.S. Government, C=US
                      Version ................ v3
                      PK algorithm ........... RSA
                      PK bit length .......... 2048
                      PK modulus ............. [modulus value not present in this copy of the post]
                      PK exponent ............ 10001
                      I'm a little out of my comfort zone using jsse with PKCS11 but are you sure you have installed the 'unlimited strength' jars correctly?
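The openssl conversion in reply 5 and the certificate field dump in reply 7 can both be reproduced from plain Java, which is handy on a locked-down Windows workstation where OpenSSL cannot be installed. The following is an added example, not code from this thread or from any of its posters: it reads a .cer file (DER or PEM, since CertificateFactory accepts both), prints the same summary fields sabre150 posted plus the key-usage bits, and writes a PEM copy. The Base64 step uses javax.xml.bind.DatatypeConverter, which exists in JDK 6 through 10; on JDK 11 or later swap in java.util.Base64.getMimeEncoder(64, "\n".getBytes()). Both file names are whatever is passed on the command line.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.xml.bind.DatatypeConverter;

/** Prints an X.509 certificate summary and writes a PEM copy of it (added example). */
public class CertInspect {

    // Key usage bit positions, in the order defined by RFC 5280 section 4.2.1.3.
    private static final String[] KEY_USAGE_NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
    };

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CertInspect <cert.cer (DER or PEM)> <out.pem>");
            System.exit(2);
        }
        X509Certificate cert = load(args[0]);
        System.out.println("Issuer DN ......... " + cert.getIssuerX500Principal());
        System.out.println("Subject DN ........ " + cert.getSubjectX500Principal());
        System.out.println("Serial No. ........ " + cert.getSerialNumber());
        System.out.println("Not before ........ " + cert.getNotBefore());
        System.out.println("Not after ......... " + cert.getNotAfter());
        System.out.println("Version ........... v" + cert.getVersion());
        System.out.println("Signature Alg. .... " + cert.getSigAlgName() + " (" + cert.getSigAlgOID() + ")");
        System.out.println("PK algorithm ...... " + cert.getPublicKey().getAlgorithm());
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            RSAPublicKey rsa = (RSAPublicKey) cert.getPublicKey();
            System.out.println("PK bit length ..... " + rsa.getModulus().bitLength());
            System.out.println("PK exponent ....... " + rsa.getPublicExponent().toString(16));
        }
        System.out.println("Key usage ......... " + keyUsage(cert));
        writePem(cert, args[1]);
        System.out.println("PEM copy written to " + args[1]);
    }

    /** Parses a DER or PEM encoded certificate file. */
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** Renders the keyUsage extension as a comma-separated list of bit names. */
    static String keyUsage(X509Certificate cert) {
        boolean[] bits = cert.getKeyUsage();
        if (bits == null) {
            return "(no keyUsage extension)";
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < bits.length && i < KEY_USAGE_NAMES.length; i++) {
            if (bits[i]) {
                if (sb.length() > 0) {
                    sb.append(", ");
                }
                sb.append(KEY_USAGE_NAMES[i]);
            }
        }
        return sb.toString();
    }

    /** Writes the certificate in PEM form: Base64 of the DER bytes, wrapped at 64 columns. */
    static void writePem(X509Certificate cert, String path) throws Exception {
        String b64 = DatatypeConverter.printBase64Binary(cert.getEncoded());
        StringBuilder pem = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        for (int i = 0; i < b64.length(); i += 64) {
            pem.append(b64, i, Math.min(i + 64, b64.length())).append('\n');
        }
        pem.append("-----END CERTIFICATE-----\n");
        OutputStream out = new FileOutputStream(path);
        try {
            out.write(pem.toString().getBytes("US-ASCII"));
        } finally {
            out.close();
        }
    }
}
```

Key usage is printed because a TLS client-authentication certificate needs the digitalSignature bit; it is the kind of field worth comparing between a card that works and one that does not, alongside the issuer and key length that were already compared in the thread.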
                      • 8. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                        881648
                        Thanks for checking.

                        As far as the 'unlimited strength' jars are concerned, I have copied the following .jars into the directories (C:\Program Files (x86)\Java\jdk1.6.0_26\jre\lib\security) and (C:\Program Files (x86)\Java\Jre6\lib\security)

                        local_policy.jar Size 2.42 KB (2,481 bytes) Size on disk: 4.00 KB (4,096 bytes) Modified Thursday, November 16, 2006 6:10:04 PM
                        US_export_policy.jar Size 2.40 KB (2,465 bytes) Size on disk: 4.00 KB (4,096 bytes) Modified Thursday, November 16, 2006 6:10:04 PM


                        In my eclipse IDE Preferences-->Java-->Installed JREs->Jre6 is pointing to C:\Program Files (x86)\Java\jdk1.6.0_26


                        Thanks
                        • 9. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                          sabre150
                          And if you run the program outside of Eclipse, do you get the same problem? I'm always sceptical of problems such as this when configuration of Eclipse, Netbeans etc. may be concerned.

                          P.S. To make sure you are actually running the Java version you think you are, you should print the values of the System properties at the start of your program.
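The self-check sabre150 suggests can go one step further than printing properties: the JVM can tell you directly whether the unlimited-strength policy is in effect, and under which java.home it is looking for the policy jars. This is an added example, not code from the thread; it runs on JDK 6 and later and takes no arguments. Note that when launched from a JDK, java.home points at the JDK's embedded jre directory, so the policy jars must be in that jre/lib/security, not only in a separately installed public JRE.

```java
import java.io.File;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

/** Reports which JRE is running and whether the unlimited-strength JCE policy is active (added example). */
public class JreCheck {

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.home    = " + home);
        // A 32-bit JVM can only load a 32-bit PKCS11 DLL and vice versa, so the bitness matters.
        System.out.println("os.arch      = " + System.getProperty("os.arch"));

        // The policy jars are read from the java.home that is actually in use.
        File policyDir = new File(home, "lib" + File.separator + "security");
        for (String jar : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(policyDir, jar);
            System.out.println(jar + " -> " + (f.isFile() ? f.length() + " bytes" : "MISSING"));
        }

        // Definitive test: Integer.MAX_VALUE means the unlimited-strength policy is installed;
        // the default export policy on JDK 6 reports 128 here.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " (restricted policy)"));

        // Provider order determines which implementation JCA tries first when no provider is named.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName() + " " + providers[i].getVersion());
        }
    }
}
```

Run it once inside the IDE and once from a command prompt; if the two runs print different java.home values, the policy jars and PKCS11 configuration may have been applied to a JRE the program never uses.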
                          • 10. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                            881648
                            Yes, if I run the program outside Eclipse IDE, it is giving the same problem.

                            Thanks
                            Soma.
                            • 11. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                              Arshad Noor
                              The problem is most likely related to differences between your and your co-workers' PCs and the PKCS11 libraries on them.

                              When you use the SunPKCS11 bridge, you are using a thin veneer of JCE to communicate with a PKCS11 DLL file (I am assuming it is Windows because you referenced .NET in your posting), which in turn is communicating with the CAC. The P11 library is the one doing the heavy lifting when communicating with the card for SSL ClientAuth.

                              When you use .NET, you are NOT using the P11 library; you are using Windows' native CAPI DLLs or CAPI DLLs supplied by the vendor of the smartcard or middleware vendor. The communication pathway is completely different. So the fact that the card works with .NET doesn't really tell you why it's not working with the P11 DLL.

                              Since the program works for your co-workers (the number of the CA in the DN is irrelevant - 24 vs 25), you need to focus on determining the differences between your PC environment and its P11 DLL vs. your co-workers' PC environments and their P11 DLLs. A single difference in versions of the P11 libraries is sufficient to cause headaches such as these. Some tools to use to get more clues:

                              1) Use sha1sum to check the hash of the DLL files on your and your coworkers' PCs to see if they are different;
                              2) Use Firefox to talk to the CAC and see if you can authenticate with a secure web server using SSL ClientAuth;

                              Once you understand the differences, you'll zone in on the problem.

                              Arshad Noor
                              StrongAuth, Inc.

                              P.S. Have you tried to use your CAC on their PC and see if the webservice works, and correspondingly have your co-workers use their CACs on your PC to see if it fails? That test alone should validate or invalidate my observation.
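Arshad's point is that the SunPKCS11 provider, the vendor's P11 DLL and the card form one chain, and the SOAP client sits on top of JSSE on top of that chain. A quick way to test the chain on its own is to load the same provider in a small program, log in, and sign and verify a test message with the card key, naming the PKCS11 provider explicitly so JCA cannot route the operation to a software RSA implementation. The following is an added example, not code from this thread or from StrongAuth: it assumes a hypothetical config file pkcs11.cfg containing a name line (MyPKCS11, matching the provider name in the exception) and a library line pointing at the vendor DLL (placeholder path), uses SHA1withRSA because that is the signature algorithm shown on the certificate in reply 7, and reads the PIN from the console so it is not echoed.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;
import java.util.Enumeration;

/** Exercises a smartcard key through SunPKCS11 alone, outside JSSE and the SOAP stack (added example). */
public class Pkcs11KeyCheck {

    public static void main(String[] args) throws Exception {
        // Hypothetical config file; it needs at least these two lines:
        //   name = MyPKCS11
        //   library = C:\path\to\vendor-pkcs11.dll      (placeholder path)
        String configPath = args.length > 0 ? args[0] : "pkcs11.cfg";
        Provider p = loadPkcs11(configPath);
        Security.addProvider(p);
        System.out.println("loaded provider " + p.getName());

        if (System.console() == null) {
            throw new IllegalStateException("run from a real console so the PIN can be read without echo");
        }
        char[] pin = System.console().readPassword("CAC PIN: ");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);          // logs in to the token with the PIN
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                if (!ks.isKeyEntry(alias)) {
                    continue;
                }
                PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println("alias " + alias + ": " + key.getAlgorithm() + " key, class "
                        + key.getClass().getName() + ", implements RSAPrivateKey: "
                        + (key instanceof RSAPrivateKey));
                System.out.println("   subject: " + cert.getSubjectX500Principal());
                System.out.println("   test signature: " + (signAndVerify(p, key, cert) ? "OK" : "FAILED"));
            }
        } finally {
            Arrays.fill(pin, '\0');      // do not keep the PIN in memory longer than needed
        }
    }

    /** Loads SunPKCS11 from a config file on JDK 6-8 (constructor) or JDK 9+ (Provider.configure). */
    static Provider loadPkcs11(String configPath) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        if (base != null) {
            // JDK 9+: an unconfigured SunPKCS11 is pre-registered; configure(String) returns a configured copy.
            return (Provider) Provider.class.getMethod("configure", String.class).invoke(base, configPath);
        }
        // JDK 6-8: sun.security.pkcs11.SunPKCS11 has a (String configPath) constructor; reflection avoids
        // a compile-time dependency on the internal class.
        Class<?> c = Class.forName("sun.security.pkcs11.SunPKCS11");
        return (Provider) c.getConstructor(String.class).newInstance(configPath);
    }

    /** Signs constructed test data on the token and verifies it with the certificate's public key. */
    static boolean signAndVerify(Provider p, PrivateKey key, X509Certificate cert) {
        try {
            byte[] msg = "constructed test message".getBytes("US-ASCII");
            Signature s = Signature.getInstance("SHA1withRSA", p);   // force the PKCS11 provider
            s.initSign(key);
            s.update(msg);
            byte[] sig = s.sign();
            Signature v = Signature.getInstance("SHA1withRSA");      // any provider can verify with the public key
            v.initVerify(cert.getPublicKey());
            v.update(msg);
            return v.verify(sig);
        } catch (Exception ex) {
            System.out.println("   " + ex);
            return false;
        }
    }
}
```

If the test signature succeeds, the card, the middleware DLL and the PIN handling are sound and the search moves up into the JSSE and SOAP layers; if it fails, the exception raised by the PKCS11 provider itself is usually more specific than the one surfaced through a TLS handshake. Running it on the co-worker's PC with the failing card, as the P.S. suggests, gives a direct comparison of the two chains.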
                              • 12. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                                881648
                                I agree with your comments regarding the CAC working with the .Net application. However, as far as the PC environment is concerned, it does not seem to be anything
                                to do with software component version differences.

                                I have asked my co-worker to use his CAC on my laptop and it works fine. On the other hand, when I use my CAC on his laptop
                                I get exactly the same error message, whereas his CAC works fine.


                                I will use firefox to talk to webservice and keep you posted.

                                Thank you,
                                Soma.
                                • 13. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                                  881648
                                  I was able to talk to ProjectForge.mil using Firefox. ProjectForge.mil has an add-on for Firefox. I downloaded and installed it, and initially it did not identify the CAC reader automatically.
                                  However, I followed the instructions given at "http://militarycac.com/firefox.htm" to load the PKCS11 driver.

                                  Thanks,
                                  Soma Reddy.
                                  • 14. Re: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-MyPKCS11
                                    Arshad Noor
                                    The only logical conclusion is that the firmware on your smartcard is different from your colleagues'. And this firmware has a bug working with the PKCS11 library you are using with your SOAP program. Obviously, Firefox has no problem with the card, so it can talk to the P11 library which can talk to your card; it's only your SOAP program that has the problem.

                                    Talk to the issuer of your smartcard and have them verify the firmware revision number and its compatibility with your DLLs; it's not unusual for card manufacturers to change firmware numbers just in their manufacturing process and send customers a batch of cards containing the older and the newer firmware in the same shipment.

                                    Arshad Noor
                                    StrongAuth, Inc.