• Post Reply Bookmark Topic Watch Topic
  • New Topic

Extract private Key from Etoken  RSS feed

 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi to all,
I am using Aladdin etoken and wanted to know whether there is a way to extract the private key.
Or at least read it, as I wanted to create a.jks file with the certificate and the private key.
All I could do as of now is access the etoken using the password,but am stuck after that.
I am new to this so don't know how to proceed further.

Can somebody please help me out?
 
Jesper de Jong
Java Cowboy
Sheriff
Posts: 16060
88
Android IntelliJ IDE Java Scala Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Welcome to the Ranch.

You mean this device, an USB stick which can be used for authentication?

Most likely it will not be possible to get the private key that is stored on that USB stick out of it, because that would defeat the whole purpose of the device. If you could get at the private key, then you could write a program that pretends that it has the USB stick, while in reality you don't have it. If that were possible, the whole USB stick would be worthless, because the whole idea is based on the fact that someone has the physical USB stick.
 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for the reply..


Okay.. so is there any way to "get inside " the etoken and get the private key converted to a .jks file somehow?
In that way I am not extracting it but accessing it inside the etoken itself.
Is that possible?
 
Jesper de Jong
Java Cowboy
Sheriff
Posts: 16060
88
Android IntelliJ IDE Java Scala Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No, most likely not.

If you want to use these USB keys with your Java application, you'll have to look on the manufacturer's website, or ask the manufacturer (contact them) how you can exactly use it for your application.

I don't know these products so I can't tell you anything about how to use them.
 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
hm.. guess I will have to find some alternative.. thanks..
 
Tushar Goel
Ranch Hand
Posts: 934
4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can't extract private keys from the etoken that's why they used for. If you need to perform some operation then send that request to the token ,
token will perform the work and send you result then.
 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Okay.. thanks .. And is there a way to display the Certificate in the etoken using java?
 
Tushar Goel
Ranch Hand
Posts: 934
4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Yes it is. Import the certificate chain from the etoken, convert them into X509PublicKeyCertificate. Below is the example. You can use it with small
changes.

 
Jesper de Jong
Java Cowboy
Sheriff
Posts: 16060
88
Android IntelliJ IDE Java Scala Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Where do these classes such as Session, Token and X509PublicKeyCertificate come from? They are not classes in the standard JDK, so they must come from some library.
 
Tushar Goel
Ranch Hand
Posts: 934
4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am sorry. I should have mentioned it.

Every token provider, provide their library(.dll and other library) to access them. Like Aladin eToken provide "iaikPkc11" or open source pkcs11 library. These Session, Token and X509PublicKeyCertificate comes from it.
 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for all the help..some questions which are pretty novice (New to this.. sorry for the trouble ).. where do I give the password of the etoken..
and is there some tutorial for programmatically accessing and working with an etoken..
@Tushar, you said earlier that to perform some operation I will have to send the request to the etoken and it will perform the operation and return the result.
So, I wanted a .jks file with the Certificate and the private key.
Is that possible?
And could that be done using the PKCS11 library in java?

Thank you.
 
Tushar Goel
Ranch Hand
Posts: 934
4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So, I wanted a .jks file with the Certificate and the private key.

You can't take private key out. You can do encryption and decryption from eToken itself. Long back i saw some example in google to perform the same.
You can check some example here: http://jce.iaik.tugraz.at/sic/Products/Core-Crypto-Toolkits/PKCS_11_Provider/using#Algorithms and
http://stackoverflow.com/questions/21433062/generate-aes-key-through-iaik-pkcs11-wrapper-and-show-its-value
 
Jesper de Jong
Java Cowboy
Sheriff
Posts: 16060
88
Android IntelliJ IDE Java Scala Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Vin Nair wrote:@Tushar, you said earlier that to perform some operation I will have to send the request to the etoken and it will perform the operation and return the result.
So, I wanted a .jks file with the Certificate and the private key.
Is that possible?

No, what Tushar means is: you do not ask the token "give me your private key". That goes against the whole purpose of the token! The token's primary job is to keep its private key secret.

Instead of asking the token to give you its private key, you tell the token "I have this data here, please encrypt or decrypt it for me". It will then encrypt or decrypt the data using its private key. But it is ofcourse never going to tell you its private key.
 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am using Aladdin etoken
This is the code that gives me the error :


/**
* Get the private key and its certification chain from the keystore.
* The keystore is considered to have only one entry that contains
* both certification chain and its corresponding private key. If the keystore has
* no entries, an exception is thrown.
* @param aKeyStore ketystore reference
* @return private key and certification chain corresponding to it, extracted from
* given keystore.
* @throws GeneralSecurityException when a problem arise during the smartcard access
*/
private static PrivateKeyAndCertChain getPrivateKeyAndCertChain(
KeyStore aKeyStore)
throws GeneralSecurityException {
Enumeration aliasesEnum = aKeyStore.aliases();
if (aliasesEnum.hasMoreElements()) {
String alias = (String)aliasesEnum.nextElement();
Certificate[] certificationChain = aKeyStore.getCertificateChain(alias);
PrivateKey privateKey = (PrivateKey) aKeyStore.getKey(alias, null);
PrivateKeyAndCertChain result = new PrivateKeyAndCertChain();
result.mPrivateKey = privateKey;
result.mCertificationChain = certificationChain;
return result;
} else {
throw new KeyStoreException("The keystore is empty!");
}
}


Output :

Registering SafeNet provider...
Provider:SunPKCS11-Name using library C:\Windows\System32\eTPKCS11.dll
Can not extract the private key and certificate from the smart card. Reason: The keystore is empty!


It skips the code from if() condition


This program was bundled with the Aladdin etoken SDK.
So I was hoping that maybe there is some mechanism to work around because the code is used to generate a keystore.
 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I solved the error and it was something related to the installation of the driver. (I had to reinstall the etoken driver and change the type of install from standard to the next one whose name I don't remember )
Now I am getting an error which says the key I am using is not supported.


The code

/**
* Signs given document with a given private key.
* @param aDocument byte array representation of the document to sign.
* @param aPrivateKey private key to use for signing.
* @return generated signature for the given document.
*/
private static byte[] signDocument(byte[] aDocument, PrivateKey aPrivateKey)
throws GeneralSecurityException {
Signature signatureAlgorithm =
Signature.getInstance(DIGITAL_SIGNATURE_ALGORITHM_NAME);
signatureAlgorithm.initSign(aPrivateKey); // Error Code
signatureAlgorithm.update(aDocument);
byte[] digitalSignature = signatureAlgorithm.sign();
return digitalSignature;
}



This is the error :

Problem details: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
 
Tushar Goel
Ranch Hand
Posts: 934
4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
In the etoken sdk, there are 2 providers jars are available. You have to add any one of them into the classpath.. have you done it?
 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I did. This problem occurred when I changed the Digital Signature Algorithm from 'SHA1withRSA' to 'SHA256withRSA'.

The error I got before was :


Problem details: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
 
Vin Nair
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for all the help.. Now I am pretty clear on what to achieve and that is to digitally sign a file using the etoken.
What I can do as of now is access the etoken, view the certificate.
When I try to sign a file it gives me an error saying :

Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding


Any idea what might be wrong?

Thanks.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!