
I have been attempting to use a PKCS#11 token (smart card) as a KeyStore (not the TrustStore) on the client side for client authentication of a TLS connection. However, the SSL handshake fails with an SSLException with the message:

Unexpectedly, privatekey is not an RSA private key.

This cannot be true because the private key/certificate pairs on the smart card are RSA keys. Am I missing some configuration to use a smart card as a KeyStore for JSSE?

Here are my configuration details:

Firstly, I configured the Sun PKCS#11 Provider to work with an 'ActivCard' DLL that interfaces with the smart card. The Sun PKCS#11 Provider configuration file just contains the 'name' and 'library' attributes.

The instantiation of the SunPKCS#11 provider looks like this:

// sun.security.pkcs11.SunPKCS11(String configName) reads the 'name'/'library' config file;
// the class is not nested, so the constructor is SunPKCS11(...), not SunPKCS11.SunPKCS11(...)
java.security.AuthProvider provider =
    new sun.security.pkcs11.SunPKCS11(<Configuration file>);

Then, the instantiation of a java.security.KeyStore object from the smart card is done using this code below:

// null password: no PIN is supplied here, so the provider obtains it through a
// CallbackHandler (or the token is already logged in)
KeyStore.ProtectionParameter thePasswordProtection =
    new KeyStore.PasswordProtection( null );

// ask the SunPKCS11 provider for its "PKCS11" KeyStore type; getKeyStore() loads it
KeyStore.Builder theBuilder =
    KeyStore.Builder.newInstance( "PKCS11", provider, thePasswordProtection );

java.security.KeyStore theKeyStore = theBuilder.getKeyStore();

Moreover, this instantiated KeyStore is used to make a KeyManagerFactory to be used by JSSE using the code below:

// SunX509 is the SunJSSE key manager; the second argument of init() is the
// token PIN as a char[]
KeyManagerFactory kmf =
    javax.net.ssl.KeyManagerFactory.getInstance( "SunX509", "SunJSSE" );

kmf.init( theKeyStore, <smart card pin> );

This KeyManagerFactory is used to then initialize an SSLContext which is then used to instantiate an SSLSocket.

As per instructions in Oracle's JSSERefGuide for Java 6, this is all I need to do for it to work. Although it is not required to set the below system properties while using the keystores programmatically, I also tried adding the system properties:

  • javax.net.ssl.keyStoreType to PKCS11,
  • javax.net.ssl.keyStore to NONE and
  • javax.net.ssl.keyStoreProvider to the name specified for the Sun PKCS#11 provider in its configuration file.

Any ideas what I am doing wrong here? Any pointers or thoughts would be much appreciated.

WesternGun
ravi
  • I am using RSA's SSL/TLS provider for the SSL/TLS itself and not the default SunJSSE implementation, if that is relevant at all. – ravi Aug 14 '13 at 23:38
  • Surely you have to call `Security.addProvider()` somewhere along the line, with the `new sun.security.pkcs11.SunPKCS11.SunPKCS11()`? – user207421 Aug 15 '13 at 02:12
  • Yes EJP, I did add it to the list of providers. Sorry, I forgot to include that detail. Also, the SunPKCS11 provider does give me a KeyStore just fine and I can tell it is of type PKCS11 with all the keys in there. I even get as far as to pass on that KeyStore to the KeyManagerFactory to do SSL. But the SSL handshake fails. – ravi Aug 15 '13 at 15:47
  • Just noticed this is similar to my issue http://stackoverflow.com/questions/35977268/java-ssl-client-not-selecting-a-smartcard-key Any solution here? – Yuri Schimke Mar 13 '16 at 23:46
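The procedure in the question, as an added example that is not ravi's code: it writes the two-line SunPKCS11 config, loads the token as a "PKCS11" KeyStore, and adds the check a practitioner would want before blaming JSSE, namely what class the provider actually hands back for each private key. SunPKCS11 returns a sensitive or non-extractable key (the normal case for a key generated on a smart card) as an opaque PrivateKey handle whose getAlgorithm() is "RSA" but which does not implement java.security.interfaces.RSAPrivateKey; SunJSSE's SunX509 key manager accepts such a handle, whereas a TLS implementation that insists on the RSAPrivateKey interface will not. The provider name "ActivCard", the temporary config file, the command-line arguments and the use of the JRE's default SSLContext (rather than the RSA provider ravi mentions) are assumptions for this example; it needs Java 7+ syntax and the Java 6-8 SunPKCS11 constructor.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.AuthProvider;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the question). Loads a PKCS#11 token as the JSSE
 * client KeyStore, reports what the provider returns for each private key,
 * then runs a TLS handshake with client authentication.
 * Usage (from a terminal, PIN is prompted): Pkcs11ClientAuthCheck <pkcs11-lib> <host> <port>
 * Provider name "ActivCard" and the temp config file are assumptions.
 */
public class Pkcs11ClientAuthCheck {

    /** Write the two-line SunPKCS11 config (name + library) the question describes. */
    static File writeConfig(String providerName, String libraryPath) throws IOException {
        File cfg = File.createTempFile("pkcs11-", ".cfg");
        cfg.deleteOnExit();
        try (FileWriter w = new FileWriter(cfg)) {
            w.write("name = " + providerName + "\n");
            w.write("library = " + libraryPath + "\n");
        }
        return cfg;
    }

    /** Log in to the token with the PIN and return its "PKCS11" KeyStore. */
    static KeyStore loadToken(AuthProvider provider, char[] pin) throws Exception {
        KeyStore.Builder builder = KeyStore.Builder.newInstance(
                "PKCS11", provider, new KeyStore.PasswordProtection(pin));
        return builder.getKeyStore();
    }

    /**
     * Print algorithm, concrete class and RSAPrivateKey membership for every
     * private key. Returns how many RSA keys do NOT implement RSAPrivateKey,
     * i.e. are opaque handles to sensitive/non-extractable token keys.
     */
    static int reportKeys(KeyStore ks) throws Exception {
        int opaqueRsa = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Key key = ks.getKey(alias, null);   // PKCS11 store: login already happened at load
            if (!(key instanceof PrivateKey)) continue;
            boolean rsaIface = key instanceof RSAPrivateKey;
            System.out.printf("%s: alg=%s class=%s RSAPrivateKey=%b%n",
                    alias, key.getAlgorithm(), key.getClass().getName(), rsaIface);
            if ("RSA".equals(key.getAlgorithm()) && !rsaIface) opaqueRsa++;
        }
        return opaqueRsa;
    }

    /** SunX509 key manager over the token; trust material stays at the JRE defaults. */
    static SSLContext buildContext(KeyStore ks, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
        kmf.init(ks, pin);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage (from a terminal): Pkcs11ClientAuthCheck <pkcs11-lib> <host> <port>");
            return;
        }
        char[] pin = System.console().readPassword("token PIN: ");
        File cfg = writeConfig("ActivCard", args[0]);
        // Java 6-8 constructor; on Java 9+ use Security.getProvider("SunPKCS11").configure(cfg.getPath())
        AuthProvider provider = new sun.security.pkcs11.SunPKCS11(cfg.getPath());
        Security.addProvider(provider);
        try {
            KeyStore ks = loadToken(provider, pin);
            int opaque = reportKeys(ks);
            if (opaque > 0) {
                System.out.println(opaque + " RSA key(s) are opaque token handles; a TLS stack that"
                        + " requires java.security.interfaces.RSAPrivateKey will reject them.");
            }
            SSLContext ctx = buildContext(ks, pin);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                    .createSocket(args[1], Integer.parseInt(args[2]))) {
                s.startHandshake();   // the client certificate is sent only if the server requests one
                System.out.println("handshake ok: " + s.getSession().getCipherSuite());
            }
        } finally {
            Arrays.fill(pin, '\0');           // do not leave the PIN in the heap
            try { provider.logout(); } catch (LoginException ignored) { /* never logged in */ }
        }
    }
}
```

The per-alias line is the useful output: with SunJSSE as the TLS provider the handshake succeeds whether or not RSAPrivateKey is printed as true, so a false there together with a failing handshake points at the TLS provider's key-type check rather than at the KeyStore or KeyManagerFactory setup.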

0 Answers