1 Reply Latest reply: Jul 26, 2013 2:38 AM by 429c8b9b-12be-4e1e-b1c2-a54b7765ddc0 RSS

    SunPKCS11 sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD

    944800
      In a desperate attempt to workaround the SunMSCAPI related problem (in thread SunMSCAPI Access was denied because of a security violation. I wrote another signed applet to perform signatures using a SunPKCS11 SmartCard implementation with the source as given below:
      import java.security.*;
      import javax.security.auth.callback.CallbackHandler;
      import javax.swing.*;
      import java.awt.*;
      import java.io.ByteArrayInputStream;
      import java.io.FileOutputStream;
      import java.io.InputStream;
      import java.security.cert.X509Certificate;
      import java.text.SimpleDateFormat;
      import java.util.Arrays;
      import java.util.Enumeration;
      import java.util.Set;
      
      public class TestSunPKCS11 extends JApplet {
      
          @Override
          public void init() {
              log("init() OS="+System.getProperty("os.name")+", Java="+System.getProperty("java.version")+", "+this.getClass().getPackage().getImplementationVersion());
              Container content = getContentPane();        JTextArea t = new JTextArea("Hello PKCS11!");        t.setLineWrap(true);        content.add(t);
      
              String pkcs11Config = "name = SmartCard"+System.getProperty("line.separator")+"library = c:\\windows\\system32\\pteidpkcs11.dll";
              byte[] pkcs11configBytes = pkcs11Config.getBytes();
              ByteArrayInputStream configStream = new ByteArrayInputStream(pkcs11configBytes);
              final Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(configStream);
              Security.addProvider(pkcs11Provider);
              CallbackHandler cmdLineHdlr = new com.sun.security.auth.callback.DialogCallbackHandler();
              KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", pkcs11Provider, 
                      new KeyStore.CallbackHandlerProtection(cmdLineHdlr));
      
              KeyStore aKeyStore;
              PrivateKey privateKey;
              X509Certificate certificate;
              String alias = "CITIZEN SIGNATURE CERTIFICATE";
              //String alias = "CITIZEN AUTHENTICATION CERTIFICATE";
              char[] password = "xxxx".toCharArray(); //"password".toCharArray();
              byte[] data = "Data to be signed!".getBytes();
              String aliasCode = null;
      
              try {
                  aKeyStore = builder.getKeyStore();
                  //aKeyStore = KeyStore.getInstance("PKCS11");
                  //aKeyStore = KeyStore.getInstance("PKCS11",pkcs11Provider);
                  //aKeyStore.load(null,password);
                  log("ks provider=" + aKeyStore.getProvider().getInfo());
                  Set<Service> ss = aKeyStore.getProvider().getServices();
                  for (Service s : ss) {
                      PDFSignerApplet.log("s.getType="+s.getType()+", algorithm="+s.getAlgorithm());
                  }
                  //aKeyStore.load(null);
                  Enumeration<String> aliases = aKeyStore.aliases();
                  while (aliases.hasMoreElements()) {
                      String a = aliases.nextElement(); log("keystore alias: " + a);
                      if (alias.equals(a)) {
                          log(" selected " + a);
                          aliasCode = a;
                      }
                  }
      
                  final PrivateKey key = (PrivateKey) aKeyStore.getKey(alias, null);
                  final java.security.cert.Certificate[] chain = aKeyStore.getCertificateChain(alias);
      
                  final Signature sign = Signature.getInstance("SHA1withRSA",aKeyStore.getProvider()); // PKCS11-SmartCard provider failed before with java.security.InvalidKeyException: Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeyFactory.java:101)...
                  sign.initSign(key);
                  sign.update(data);
      
                  byte[] ba0 = sign.sign(); // BREAKS HERE with sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
                  display("Sig0:",ba0);
                              
                  privateKey = (PrivateKey) aKeyStore.getKey(aliasCode, password);
                  certificate = (X509Certificate) aKeyStore.getCertificate(aliasCode);
                  //privateKey = key;
                  //certificate = (X509Certificate)chain[0];
                  //aKeyStore.load(null);
                  
                  Signature signature = sign;
                  //Signature signature = Signature.getInstance("SHA1withRSA");
                  //signature.initSign(privateKey);
                  signature.update(data);
      
                  // Sign again
                  byte[] ba1 = signature.sign();
                  display("Sig1:", ba1);
                  
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }
      
          public static void display(String aLabel, byte[] ba) {
              StringBuffer sb = new StringBuffer();
              for (byte b : ba) {
                  sb.append(String.format("%02x", b)).append(" ");
              }
              log(aLabel+" "+sb);
          }
          public static void log(String aMsg) {
              System.out.println(aMsg);
          }
      }
      For this source I get the following console log:
      init() OS=Windows 7, Java=1.7.0_07, 2.0.30.build563
      ks provider=SunPKCS11-SmartCard using library c:\windows\system32\pteidpkcs11.dll
      ...
      s.getType=Signature, algorithm=SHA1withRSA
      ...
      s.getType=KeyStore, algorithm=PKCS11
      keystore alias: CITIZEN AUTHENTICATION CERTIFICATE
      keystore alias: CITIZEN SIGNATURE CERTIFICATE
       selected CITIZEN SIGNATURE CERTIFICATE
      java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
           at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:547)
           at java.security.Signature$Delegate.engineSign(Unknown Source)
           at java.security.Signature.sign(Unknown Source)
           at org.itij.applet.TestSunPKCS11.init(TestSunPKCS11.java:82)
           at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.init(Unknown Source)
           at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
           at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
           at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:509)
           ... 6 more
      I am not sure that this problem is reproducible (as I think I have gotten a " java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding" error before but the DLL provider documents this signing algorithm as supported), but, as I am not a PKCS#11 implementation expert, I have no clue what the current error message is, or what is wrong.

      If this is a problem of the underlying DLL, how can I build a bug report to the DLL provider ? If it is with my code, I would appreciate if anyone can explain what I am doing wrong.

      Joao
        • 1. Re: SunPKCS11 sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
          429c8b9b-12be-4e1e-b1c2-a54b7765ddc0

          Hello, João,

           

          In Portuguese (English follows next)

          Bom dia!

          Estou exactamente com o mesmo problema, com um código semelhante. Encontrou alguma solução para esta situação?

          O software pede-me o pin, mas depois dá esse erro. Não costumo programar em JAVA, portanto estou um pouco perdido (com a CAPICOM em c# a assinatura funciona lindamente).

          Obrigado,

           

          João

           

          In English

          I have exactly the same problem, using a code similar to yours.

          Have you managed to solve this? How?

          Do I have to call AMA for support?

           

          Thank you in advance.

           

          João