Issue when implementing PKCS#11
Solved
kzanadeus
Hello,
I am an analyst/developer and I am working on a large project to create a PKCS#11. So far, everything was fine, but suddenly I encountered a strange problem.
When I connect to a secure website (https://), the connection is refused, and I get the error: sec_error_unknown_issuer. However, if I install the authority of my certificate in the PKCS#11 of Firefox and keep only my user certificate in my PKCS#11, it works; I connect, authenticate, and can perform electronic signatures.
On the other hand, as soon as I put my authority certificate back into my PKCS#11 and remove it from Firefox's, sec_error_unknown_issuer comes back again and again, and there’s no way to get through.
If anyone has an idea, I’m open to suggestions and can provide details (logs or code snippets) if necessary.
Thank you in advance.
Best regards.
Kzanadeus.
Configuration: Windows XP Firefox 3.0.5
11 replies
Hello,
If I understood correctly:
You have a token or smart card, so to use it correctly with Firefox on Windows, you need to install the PKCS#11 module for your device (a ".dll" file) in the "Firefox Preferences > Security Devices > Advanced > Encryption" section.
As soon as you connect your device, the public part, which is your certificate, will be present in your Certificate Manager.
If you need clarification, let me know.
Good work.
Thank you for the reply.
After many trials and research, I finally understood where the problem was coming from.
In fact, there is additional information to provide via PKCS#11 to Firefox for it to recognize it as known. I provided the certificate chain and the necessary rights to the certificate, and everything eventually worked.
Now my PKCS#11 is functioning well, although there are still some gray areas for the future. Indeed, there are over 400 encryption algorithms referenced in the PKCS#11 standard, so I still have work to do if I want to be compatible with everything. But I have the time now that the basic functionalities are operational.
Out of curiosity, how do you know the PKCS#11 standard? Have you implemented one yourself?
Best regards.
Kzanadeus.
Hello,
I need to create a program in VB.NET that communicates with an HSM using the PKCS#11 API.
I am very new to this field and know very little. I kindly ask you to help me find a way to approach this problem.
Best regards.
Yassir.
Hello, I think the best way is to start with the official PKCS#11 documentation available on the RSA laboratories' website.
Then, I think it's important to get hands-on experience using Firefox, which can easily install everything that uses PKCS#11.
If details are needed, I'm here.
Best regards.
Kzanadeus.
Hello,
first of all, thank you for your response. In fact, I have already started with the PKCS#11 documentation, and everything is working well for now.
What is the link between my project (creating a program in vb.net using the Cryptoki API, which can create keys for encryption and decryption, signing, certificates...) and Firefox?
Thank you again.
Best regards.
Yassir.
The purpose of my project is the customization of data in an e-passport, and I must first complete the already reported first phase. Then I need to move on to the second phase: securing the data of a passport.
I may not be clear enough, as the environment is very new to me.
Best regards.
I suppose that the custom data refers to electronic certificate data.
If that's the case, the PKCS#11 module will only be there to make requests, so after that, I'm not sure if the library is complete and therefore makes all the calls or if it's your application that receives the requests from the PKCS#11 module... so I don't really know how to help you.
Hello,
Do you have a link that explains the purpose, goals, and issues that can be addressed with PKCS#11?
(PKCS#11 for dummies)
Thank you in advance.
Here is the official link: https://www.rsa.com/en-us/company/insight?id=2133
Take a look and see the possibilities, they are huge.
I am working on a project to integrate a generic middleware "SAFE SIGNE" using PKCS#11 and I am stuck on an error when calling the private key of the signing certificate. (I can't sign) [encryption and decryption work fine].
The error:
[303] error generating the signature of the data.
...if (custom) {
    LOG.info("custom provider...");
    customizeProviderP11CS(digestAlgorithm, true, false);
}
signedData = cms.sign(testData,
        signerCert,
        signerPKey,
        digestAlgorithm,
        tokenManager.getProvider());
assertNotNull(signedData);...
And also another question regarding the SlotID, do we get it in decimal format or in hex?
If you can help me.
Thank you in advance.
What language is the application made in?
Do you use the DLL in the source code?
If you provide the source code in detail, maybe I can help you more.
The SlotID is in decimal.
Are you in Tunisia?
Good work
The support I am using is a smart card reader + different types of smart cards because SAFESIGN allows the use of all types of cards, which is the purpose of the project.
Java language.
Regarding the DLL, it is the DLL of the middleware safesign aetpkss1.dll
Here is a part of the code:
    if (provider != null) {
        signedData = signGen.generate(content, isAttach, provider.getName());
    } else {
        signedData = signGen.generate(content, isAttach, "PKCS#11_P11 card");
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Signature generated");
    }
    SignerInformation signerInfo = (SignerInformation) signedData.getSignerInfos().getSigners().iterator().next();
    if (LOG.isDebugEnabled()) {
        LOG.debug("Data signed");
    }
    this.signatureValue = signerInfo.getSignature();
    this.certSigner = cert;
    this.signerId = signerInfo.getSID();
    return signedData.getEncoded();
} catch (Exception e) {
    LOG.error("Error while signing the data (", e);
    throw new SignatureException(
            SignatureException.CODE.ERROR_GENERATE_SIGN);
}
To call the DLL, it is done from an environment properties file:
# PKCS#11 smart card tests
#
pkcs11.smartcard.module=C:/Windows/System32/aetpkss1.dll
pkcs11.smartcard.slot=cd01
pkcs11.smartcard.pin=1234
....
I hope I was clear.
Thank you.
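An added diagnostic example, not code from this thread, from the SafeSign middleware or from the CMS library used above, that checks the two things discussed here: whether the token exposes the full issuer chain that Firefox/NSS needs (the sec_error_unknown_issuer problem of the first posts) and whether the private key signs at all when the CMS layer is taken out of the picture (the [303] error of the last post). It uses the JDK's SunPKCS11 provider (Java 9 or later); the class name TokenCheck, the slot number, the PIN and the assumption of an RSA key are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TokenCheck {
    static final String LIBRARY = "C:/Windows/System32/aetpkss1.dll"; // middleware DLL named in the thread
    static final int SLOT = 1;                        // assumption: slot id, written in decimal
    static final char[] PIN = "1234".toCharArray();   // constructed; prompt for the real PIN instead

    public static void main(String[] args) throws Exception {
        // SunPKCS11 reads its settings from a config file (Provider.configure, Java 9 or later).
        Path cfg = Files.createTempFile("pkcs11", ".cfg");
        Files.write(cfg, ("name = SafeSign\nlibrary = " + LIBRARY + "\nslot = " + SLOT + "\n")
                .getBytes(StandardCharsets.UTF_8));
        Provider p = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, PIN);                           // logs in to the token
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (!ks.isKeyEntry(alias) || chain == null) continue; // only certificates with a private key
            X509Certificate leaf = (X509Certificate) chain[0];
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            // SunPKCS11 assembles the chain from certificate objects on the token. If it stops
            // short of a self-signed CA, the issuer is not on the token: the sec_error_unknown_issuer case.
            boolean chainComplete = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
            System.out.printf("%s: chain length %d, complete=%b%n", alias, chain.length, chainComplete);
            // Sign on the token, verify in software: a failure here is a key or mechanism problem,
            // not one in the CMS layer that reported error 303.
            byte[] data = "constructed test data".getBytes(StandardCharsets.UTF_8);
            Signature s = Signature.getInstance("SHA256withRSA", p);   // assumption: RSA key
            s.initSign((PrivateKey) ks.getKey(alias, null));
            s.update(data);
            byte[] sig = s.sign();
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(leaf.getPublicKey());
            v.update(data);
            System.out.println("  raw signature verifies: " + v.verify(sig));
        }
    }
}
```

If the raw signature succeeds but the CMS call still fails, the problem is in the CMS configuration (provider name, digest or signature algorithm) rather than in the card or the middleware.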