Svetlin Nakov - Discussion Phorum - Nakov Document Signer Framework

Error "The certification chain is too short" (no replies)

crapufish — Thu, 14 Dec 2006 14:06:44 +0200

Hello!

I am trying to sign a document with a valid key (using PKCS#11) and the SmartCardSignerApplet demo. In the validation page (ShowSignedFileUploadResults) it says that the certification chain is too short and it contains only one certificate (my own). This is not true, as the certification path contains 3 entities (my certificate and two authorities).
Could you help me on this matter and give me a hint why this happens?

Thanks!

Electronic signature on-line validator (no replies)

mrella — Thu, 07 Dec 2006 19:37:12 +0200

This web utility is designed for validate electronic signatures in PKCS7 or CMS format (Binary and Base 64). It ONLY validates the mathematical exactness of the signature and performs an inspection showing the internal signature composition. IMPORTANT : For now it doesn't validate attached signatures, neither download CRL to validate the signning certificate status, nor validates the certification authority root certificate (but it allows to download the signing certificates to validate them throw other ways). Feel free using it.

[www.signaturevalidator.com]

How to export key´s to a .p12 file (1 reply)

pitako — Sun, 26 Nov 2006 00:19:57 +0200

Hello,

i´m trying to export the certificate and key´s from a smart card to a .p12 file. it is saving on my filesystem but when i install on my browser, it say me the the file is empty.

public void pin(){
char[] pin = pw.toCharArray();
try {

smartCardKeyStore = KeyStore.getInstance("PKCS12");
smartCardKeyStore.load(null,pin);

} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}

public void save(){

FileOutputStream outPFX;
try {
outPFX = new FileOutputStream(fileKey);
smartCardKeyStore.store(outPFX ,pw.toCharArray());
System.out.println(smartCardKeyStore.getProvider());

} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}

maybe my provider is not the adequate, but i didn´t find what is to use in this case.

does somebody what provider and keystore type should i use?

thanks,

Pitako

GEMPLUS GPK8000/16000 SMARTCARD: JVM Crashes (no replies)

felipebr — Mon, 13 Nov 2006 22:31:29 +0200

Hi guys,

I´ve found the Nakov "tutorial" for using JCA/JCE PKCS#11 implementation for digitally signing document very simple and useful!

I tried to use it with my GPK8000 smartcard but when i load the gclib.dll (which works pretty well as a firefox pkcs11 module), the jvm crashes and closes the browser (mozilla, ie, opera) i´m using.

Are there any solution for this? Or any other dlls that i can use?

Tks,

Separating Two-Phase Signing Process (2 replies)

rmarins — Tue, 01 Aug 2006 20:11:21 +0300

Hi Nakov,

I'm currently working on an open source application implementing PKI through web. I have the following scenario: there is the web application where many documents are stored on server-side, in a repository. I would like to provide the signing of such documents in the following way:

- calculate the content hash value using the MessageDigest class (MD5, SHA1, ...);
- then, the applet receive the message digest and encrypt the "fingerprint" with using some crypto algorithm (DSA, RSA, ...)
- thus, the complete signature is sent back to the server

However, I face some issues. The Signature class doesn't support to provide the digest separetly. (Is there any method for doing so?) Furthermore, I'm actually generating the hash from server-side and I would like to encrypt it independently. But I'm doubtly: is that way correct?

The hash function is different from the signature size, right? So, I don't need to generate a SHA1 hash of 512 or 1024 bits, but it's what the RSA signature does right?

Thanks in advance for your precious help.

need help: constructor is not recognisable (1 reply)

budse — Tue, 09 May 2006 10:18:02 +0300

Hi Svetlin,

Thanks for a great framework! I am currently learning to use and adapt your document signing framework to use with smart card. I am having similar problem with larger file, as mentioned by Cafer here:
[www.nakov.com]

As I dive closer to your source code, I came over this code segment:
Class: SmartCardSignerApplet
Method: loadKeyStoreFromSmartCard
Constructor pkcs11Constr = sunPkcs11Class.getConstructor(java.io.InputStream.class);

As it appears in my IDE (Eclipse version 3.0), that constructor is not recognisable. Also in my javadoc API version 1.5.0 does not mention that Constructor object can be constructed that way (it expects an array instead).

I probably will have more questions, but for now, I am trying to adapt your code into a web based action class (using webwork) instead of applet. I tried to work around the constructor issue by using code such as this:

Constructor pkcs11Constr = sunPkcs11Class.getConstructor(new Class[]{java.io.InputStream.class});

The code will compile OK, but when I am running it produce:

ERROR [http-8080-Processor25]
(DocumentDemoAction.java:163) - Can not read the keystore from the smart card.
Possible reasons:
- The smart card reader in not connected.
- The smart card is not inserted.
- The PKCS#11 implementation library is invalid. - The PIN for the smart card is incorrect.
Problem details: null

While executing the same data using your applet based solution seems to work just fine (save for only a small data file, as mentioned by Cafer on the other thread).

I am using jdk1.5.0_06 currently.

Thanks.

CKR_FUNCTION_NOT_SUPPORTED (3 replies)

veri — Tue, 09 May 2006 10:10:54 +0300

Hi all!

I need to know what it means:

I have:
Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
signatureAlgorithm.initSign(aPrivateKey);
signatureAlgorithm.update(aDocument);

but it fails with this message:

java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_NOT_SUPPORTED

at sun.security.pkcs11.P11Signature.engineUpdate(P11Signature.java:318)

at java.security.Signature$Delegate.engineUpdate(Signature.java:1121)

at java.security.Signature.update(Signature.java:688)

at java.security.Signature.update(Signature.java:671)

at it.ised.example.SmartCardSignerApplet.signDocument(SmartCardSignerApplet.java:410)

at it.ised.example.SmartCardSignerApplet.signDocument(SmartCardSignerApplet.java:287)

at it.ised.example.SmartCardSignerApplet.signFile(SmartCardSignerApplet.java:209)

at it.ised.example.SmartCardSignerApplet.signSelectedFile(SmartCardSignerApplet.java:137)

at it.ised.example.SmartCardSignerApplet.main(SmartCardSignerApplet.java:117)

Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_NOT_SUPPORTED

at sun.security.pkcs11.wrapper.PKCS11.C_SignUpdate(Native Method)

at sun.security.pkcs11.P11Signature.engineUpdate(P11Signature.java:312)

... 8 more

does this depends from my SmartCard?
Thanks in advance.

How to sign large files with applet (7 replies)

cafer — Tue, 09 May 2006 09:57:03 +0300

Hi Svetlin,
Thanks for your effort about digital signatures and the information you shared with us. I tested your applet for digital signature, but with large files(600K) it gave problem. Do you know how to resolve this problem?
I tried to implement update metod with smaller buffer sizes repeatedly, but problem still continue.

Thanks for your response,

Cafer Jonturk

Signing in web app (3 replies)

gmocnik — Wed, 22 Mar 2006 11:42:13 +0200

Hi,

I've read your article Problems with Digital Signing of Documents in Web-based Systems. You are saying that if you invoke applet from javascript, it loses the ability to access the local file system. I've tried this and it worked. There is another thing ... I am developing a web app, which has to sign data. I would like to display the certificates the users has on his computer in his keystore, so he can choose from the list with which he'll sign the data. I've been searching over the net and found some solutions which are separte for IE, Mozilla. I am more interested in solution in mozilla which can work on diffrend OS. It uses JSS library. (http://www.mozilla.org/projects/security/pki/).

The problem is that, I've just seen the application that uses JSS and there is no useful tutorial how to deal with library. Do you have some experiences with this maybe?

Thank you.

Gregor

Verify Digital Signature using .NET/C# (1 reply)

mmmeee — Wed, 01 Feb 2006 13:06:50 +0200

Hello,

I am using Nakov Document Signer to sign a document. However on the server side we are using .NET environment, so I have to verify digital signature generated by NakovDocumentSigner using .NET environment. In order to verify signature, I need to convert public key data into modulus/exponent data fro .NET. I am listing the code how to convert, but I did not undersant why doing this way? could you explain the reason, I did search, did not find general solution or explanation. Thanks a lot.

int keyLength = certificate.GetPublicKeyLength();
byte[] publicKey = certificate.GetPublicKey();
byte[] ExponentData = new byte[3]; //???
byte[] ModulusData = new byte[keyLength/8]; //???
Array.Copy(publicKey, publicKey.Length - ExponentData.Length, ExponentData, 0, ExponentData.Length); //????
Array.Copy(publicKey, publicKey.Length - ExponentData.Length - 2 - ModulusData.Length, ModulusData,0, ModulusData.Length); //????

// Set public key for verifying signature
RSAParameters RSAKeyInfo = new RSAParameters();
RSAKeyInfo.Modulus = ModulusData;
RSAKeyInfo.Exponent = ExponentData;

Grace

About your article: A System for Digitally Signing Documents... (1 reply)

Miguel — Wed, 28 Dec 2005 12:22:40 +0200

Hi, Nakov !
We´re almost there...
maybe I did not express my idea very well. The user knows that a file will be signed, the problem is 'how', like you said below "...Web browser automatically show a dialog for selecting and accessing the certificate" yes , it´s is the idea !!! but how can I sign a file with the private key of the certificate the user had chosen before ??? When I said 'transparent' it´s means : the user choose a certificate (via dialog within web browser) and with this certificate the applet will sign a file ! Is there a way to 'take' which certificate the user had chosen in previous browser´s dialog box?

thanks !

Miguel
___________________________________________________
IBM Certified Solution Developer - WebSphere Portal V5.1

You can not sign anything without selecting the private key. When you initiate some kind of signing, the Web browser automatically show a dialog for selecting and accessing the certificate. This is part of the infrastructure and for security reasons can not be skipped. Nobody can sing without the knowledge of the user. This is normal! Otherwise it would be possible for malicious software to sign documents without the knowledge of the user.

Please use my forum at [www.nakov.com] for further questions.

Regards,

Nakov

--------------------------------------------------------------------------------

From: Miguel [mailto:migvs@uol.com.br]
Sent: Saturday, December 03, 2005 4:44 PM
To: svetlin@nakov.com
Subject: About your article: A System for Digitally Signing Documents...
Importance: High

Hi Svetlin !

I´m a J2EE developer and I read your article about "A System for Digitally Signing Documents in Web Applications" and at this moment we´re developing a web application very close as describe in your article, but it´s a little bit different. The idea is the same: signing a document via web browser interface. We have a WebSphere Application Server 5.0.2.6 and we configure it to use "Client authethication" over https. So when the user acess the web application, the browser will show a list of 'personal certificates' to choose (of course, a list of trust certificates that the server accept), and after the user has choose the web application is showed. In the web.xml of the application we have a tag like this :

CLIENT-CERT

.

Now, how can I 'know' wich the certificate the user has choose ? we have a applet too, but it´s hidden, the only purpose it´s that the applet 'read' the html fields and signing this informations based on certificate that the user has choose, no dialog box will appears, we would not like the user can choose the file that contains his private key, this process must be 'transparent'.

can you please, help me ?

sorry about my english, I´m from Brazil and if I did not be clear enough, please tell me.

thanks a lot

Miguel

______________________________________________________

IBM Certified Solution Developer - WebSphere Portal V5.1

DocumentSignerApplet on Mac OS X (5 replies)

Pier Paolo Bortone — Wed, 23 Nov 2005 00:10:19 +0200

Hi Nakov,
I tried on and on to sign a document on a Mac OS X 10.4 without any success. First of all I have to tell you that I'm a sort of beginner about Java in Mac OS.
On my client Mac OS I tried to invoke your web application DocumentSigningDemoWebApp installed on my server; when I had to choose a pkcs11 library, I selected a pkcs11 library compiled for Mac OS but I received the error dialog "Problem details: Can initialize Sun PKCS#11 security provider. Reason: no j2pkcs11 in java.library.path".
I noticed in fact that under JavaVMFramework there isn't the sunpkcs11 JAR and I forced it into the appropriate folder, but obviously many other native libraries are missing.
Do you have any advice on how to solve this problem?

Thanks in advance for your help, bye

Pier Paolo

file signed before or after upload (3 replies)

CHRISTOPHER — Wed, 26 Oct 2005 11:40:51 +0300

Hi Nakov,

the file is signed before or after uploading to the Web server ?
I have changed the action of form leaving to work the applet, on form i have choose file to upload and sign (readme.txt) and the applet show the extracted certification chain and the calculated signature correctly, on submit from file action
i have uploaded the file readme.txt on server, changed the extension
to .p7m, download the file on client for verify. But a software dedicated to signing answers that the file is not a file signed digitally.

thanks

SmartCardSignerApplet: Card locked after first sign. (5 replies)

Pier Paolo Bortone — Wed, 28 Dec 2005 12:37:16 +0200

Hi Svetlin,
your works are very useful for me. Thanks.

I'm using your applet to test several PKCS11 driver for different Smart Card.
I have only one problem: after performed the first sign I must close browser to perform other sign otherwise I can't sign in same browser session.

Could you give me some guide line to solve my problem.

Thanks in advance.

Pier Paolo.

Document Signer (2 replies)

salvatore — Fri, 21 Oct 2005 10:15:05 +0300

Hi Nakov,
I'm developping an web application in zope.
I have a form that prepare a file openoffice and send this to the browser.
In that way this file can be signed with smartcard and upload/save into server ?
Thanks

Digitally sign a word file (2 replies)

Eli — Mon, 05 Sep 2005 09:25:29 +0300

Hi.

Really great project and many thanks because you helped me a lot. I just want you to ask what kind of files is posibble to sign with this applet. Is there any restriction and if it is posibble to sign a word document with this applet and if you have some advice how to do it if not?
Thanks
Eli

jaws.jar (1 reply)

Alexander — Thu, 05 May 2005 21:13:38 +0300

Zdravej,
Otnosno build-script.bat
Vyv versiq 1.4 tozi jar, kojto ni trqbva se kazva plugin.jar
Moje bi e dobra ideq da go podavash kato parametyr na build file ili neshto podobno.

java.Security.AccessControlException (2 replies)

andy — Wed, 13 Apr 2005 04:21:48 +0300

hi Nakov,

i'm encounter this problem when trying to run the sample program.
There's this error with the message :

java.lang.Exception : java.security.AccessControlException :
access denied (java,uril.PropertyPermission user.home.read)

There are also cases when the entire browser close by itself when i launch the sample hltml file.

However i am able to access the example that was online

p.s my jdk is 1.4.2 and my browser is IE 6.0, sp2

Please advise.

Have a nice day.

Regards
Andy Wang

keystore and Certificate Arbitrator Module (1 reply)

jimmy lambert — Tue, 30 Aug 2005 15:40:06 +0300

Hi, Your applet answers a lot of questions for me. Thanks very much.. Two questions if you have a chance...

1. When managing certificated in IE, IE displays them in a dialog..even when there are no PFX's on the hard drive. How can I access the same area that IE does with JAVA.

2. We are trying to validate Certificates Thru something called the Certificate Arbitrator Module (CAM) which sends the certificate to a CA for validation. The CAM only wants a DER X.509 certificate. Not a Base64 DER...can I save it as a NON-Base 64 DER X.509?

thanks
jimmy

Sign HTML forms (2 replies)

Waldir Borba Junior — Fri, 28 Jan 2005 16:52:16 +0200

Hi Nakov,

I'm developping an web application in Java, and i have I a lot of forms with a lot os fields. My question is, how i process to sign this ? All samples that I read is sign a file, my problem is how to sign a form with data.

Thanks for any help,

Waldir

Document and signature (1 reply)

Bruno — Thu, 06 Jan 2005 09:42:51 +0200

Dear Nakov,

thanks for your signing application. It helped me a lot.

What I want to know is when I sign the file, the content of the file goes with the signature or not? If yes, is there a way I can separate it from the signature?

Thanks again,
Bruno

PkiPath and PHP/OpenSSL (1 reply)

Mat — Thu, 30 Dec 2004 23:25:21 +0200

Hi there !

I would like to implement a script in PHP in order to read the certificate chain and signature the Nakov Document Signer applet returns.
My first idea was to use the openssl functions (eg : openssl_x509_read() ) but I have some difficulties with the DER formatted chain stored with PkiPath encoding.
Do you know if it's supported by openssl ?
Is it a way to convert this chain into something supported by openssl ?

Thanks a lot !

Mat'.

How to crypt & sign a document before posting it ? (1 reply)

Axel — Mon, 20 Dec 2004 15:43:59 +0200

Hi Svetlin,

first of all, thanks for your work and very interesting applet !
I would like to adapt your applet in order to crypt and sign the document before sending it to the server.
Unfortunately, I haven't advanced skills in Java2, and maybe you'll have some suggestions on how to do that.
What I would like to do is :

- user selects the file on local computer
- applet crypts the file with a public key (retrieved from the server)
- applet signs the crypted file with user's private key

Some ideas on how to do this ? My main concern is to have something perfectly portable and running on all platforms.

Thanks a lot in advance !

-

XML signature (3 replies)

Rune Friis-Jensen — Sat, 02 Jul 2005 16:51:16 +0300

I am trying to change Nakov Document Signer to use xml signature. But I am having problems instantiating the XMLSignatureFactory.
When I use

XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

I get the error below. Please help me.

Partial stack trace of error:

javax.xml.crypto.NoSuchMechanismException: Cannot find DOM mechanism type

at javax.xml.crypto.dsig.XMLSignatureFactory.findInstance(XMLSignatureFactory.java:190)

at javax.xml.crypto.dsig.XMLSignatureFactory.getInstance(XMLSignatureFactory.java:171)
...

Signing using a smart card via Applet! (1 reply)

Hasan — Mon, 08 Nov 2004 12:10:58 +0200

I have a smart card which supports JCA/JCE,32 Kb capasity and digital signature private key in it.
Using applet, i would like to access to that smart card and use java crypto functions of it to sign some form fields in that web site using private key,which is stored in that card.
And afterwards, upload the signed value to the server side for storing to a database.(verifying later)
Before i didn't work with smart cards, could you describe me what i can?
regards

Accessing e-Token (3 replies)

fabiano — Thu, 23 Dec 2004 00:52:32 +0200

Hello, I want to use certificates stored in a Aladdin e-Token keystore.
Do you now is it possible to do?

PDF signing (1 reply)

marko dudic — Fri, 24 Sep 2004 15:03:54 +0300

Do you know some JAVA solution for digitaly sign a PDF file.

Marko Dudić

Reproduce ShowSignedFileUploadResults.jsp in .NET (1 reply)

rgaren — Mon, 23 Aug 2004 18:50:48 +0300

I am attempting to reproduce your ShowSignedFileUploadResults.jsp in C#. I am having trouble finding a method to read the certificate chain (I cannot find an equivalent to the Java CertificateFactory method in C#). If an equivalent does not exist, could you point me in the direction of some information that would help me de-construct the certificate chain?

Thanks,
Richard

use Explorer and Netscape keystore (1 reply)

marko dudić — Fri, 13 Aug 2004 15:04:02 +0300

Hello, I try your framework and I find it very interesting.
But I want to use certificates stored in the Explorer and Netscape keystore.
Do you now have is it possible to do?

tanx, marko

Launch Exe To Sign (2 replies)

Alex — Thu, 22 Jul 2004 15:04:01 +0300

Is there advisable to launch an exe from web browser to sign the Digital Signature i.e: iSign ??