4

I am trying to sign a PDF document in Java using a USB e-token. I want to read the signature from the USB token SafeNet (Aladdin eToken PRO 72K (Java)) and attach it to the PDF using Java code. I have done digital signature signing using a key stored on my local machine. But I want to know how the same can be done using a USB e-token.

user3914864
  • You don't "read a PFX from a USB token" but use the token to perform a cryptographic operation (signing of the document's hash). Now, there's iText (check the license!) and there's our SecureBlackbox product; both of them support signing of PDF documents with certificates and private keys stored on hardware devices. – Eugene Mayevski 'Callback Aug 12 '14 at 09:04
  • How can I use keys stored in a USB token to sign PDF documents using Java? If keys are stored on my local machine, I can give the location of those keys in my Java code. But if the key is stored inside the USB token, how can I give that key location in my code? – user3914864 Aug 13 '14 at 05:07
  • It depends on what code you use. If you use one of the mentioned libraries, check their documentation. If you have written your own code for PDF signing, then you need to use PKCS#11 APIs to access the hardware. – Eugene Mayevski 'Callback Aug 13 '14 at 06:51

3 Answers

4

The whole point of a USB token for signing is that nobody can read the secret key from that device. So you send the hash to the token and the token sends you the signature back.

For this to work you need a JCE provider which can talk to the token. This is typically done either via PKCS#11 (the token vendor delivers a library for this) or via an MSCAPI driver that the token vendor delivers (under Windows).

Both can be used under Java; the PKCS#11 way might be a bit more complicated to set up, but in my experience it is better for automated signing because in the MSCAPI case you often need to enter the token PIN manually.

If your token is recognized by Windows, the following command should see the token and list its key:

keytool -list -storetype Windows-MY

The Windows keystore can then be used to get a handle to the key for signing, but you can also use it to export a copy of the public key.

eckes
1

You can use the Sun PKCS11 provider to refer to the keys in the eToken. You can just try the code below.

// PKCS#11 configuration for the SunPKCS11 provider; "library" is the vendor's PKCS#11 module
String pkcs11Config = "name=eToken\nlibrary=C:\\Windows\\System32\\eps2003csp11.dll";
java.io.ByteArrayInputStream pkcs11ConfigStream = new java.io.ByteArrayInputStream(pkcs11Config.getBytes());
// The constructor takes the configuration as a stream (a String argument would be treated as a file name)
sun.security.pkcs11.SunPKCS11 providerPKCS11 = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigStream);
java.security.Security.addProvider(providerPKCS11);

// Get provider KeyStore and login with PIN (the PIN is the KeyStore password; there is no file to load)
String pin = "12345678";
java.security.KeyStore keyStore = java.security.KeyStore.getInstance("PKCS11", providerPKCS11);
keyStore.load(null, pin.toCharArray());

// Enumerate items (certificates and private keys) in the KeyStore
java.util.Enumeration<String> aliases = keyStore.aliases();
String alias = null;
while (aliases.hasMoreElements()) {
    alias = aliases.nextElement();
    System.out.println(alias);
}
ARAVIND
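Added example, not taken from any of the answers above: it puts the PKCS#11 route from eckes's answer and the provider setup from ARAVIND's snippet together into one complete round trip, so you can see that the token (not your code) performs the signing. The path of the vendor module (`eTPKCS11.dll`), the provider name `eToken` and the file names are assumptions; the PIN is read from the console rather than hard-coded. It needs Java 9 or newer for `Provider.configure`; the Java 8 form is shown in a comment.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/**
 * Signs a file with a private key held on a PKCS#11 USB token. The key never
 * leaves the token: Signature.sign() hands the hash to the token through the
 * SunPKCS11 provider and gets the raw signature back.
 */
public class TokenSigner {

    // Assumed path of the vendor's PKCS#11 module (SafeNet/Aladdin eToken ships
    // eTPKCS11.dll on Windows, libeTPkcs11.so on Linux); override with -Dpkcs11.library=...
    static final String PKCS11_LIBRARY =
            System.getProperty("pkcs11.library", "C:\\Windows\\System32\\eTPKCS11.dll");

    /** Registers a SunPKCS11 provider bound to the token module (Java 9+). */
    static Provider loadProvider() {
        // Leading "--" tells Provider.configure() the argument is the config text, not a file path.
        String config = "--name=eToken\nlibrary=" + PKCS11_LIBRARY + "\n";
        Provider p = Security.getProvider("SunPKCS11").configure(config);
        // Java 8 equivalent: new sun.security.pkcs11.SunPKCS11(
        //     new java.io.ByteArrayInputStream(config.substring(2).getBytes("UTF-8")))
        Security.addProvider(p);
        return p;
    }

    /** Opens the token as a KeyStore; the PIN is the KeyStore password and there is no file to load. */
    static KeyStore openToken(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    /** First alias that has a private key and a certificate allowing digitalSignature. */
    static String findSigningAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;              // certificate-only entry
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                boolean[] ku = ((X509Certificate) c).getKeyUsage();
                if (ku != null && !ku[0]) continue;           // keyUsage set, digitalSignature absent
            }
            return alias;
        }
        throw new IllegalStateException("token holds no usable signing key");
    }

    /** Signs with the token-resident key: the provider routes the operation to the hardware. */
    static byte[] sign(byte[] data, PrivateKey key, Provider p) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA", p);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    /** Verifies with the certificate's public key using the default software provider. */
    static boolean verify(byte[] data, byte[] sig, Certificate cert) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(cert.getPublicKey());
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TokenSigner <file-to-sign>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from a terminal so the PIN is read without echo");
        char[] pin = console.readPassword("Token PIN: ");
        try {
            Provider p = loadProvider();
            KeyStore ks = openToken(p, pin);
            String alias = findSigningAlias(ks);
            // getKey() returns a handle, not key material; getEncoded() is null for a non-extractable token key.
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            System.out.println("alias=" + alias + " extractable=" + (key.getEncoded() != null));

            byte[] data = Files.readAllBytes(Paths.get(args[0]));
            byte[] sig = sign(data, key, p);
            boolean ok = verify(data, sig, ks.getCertificate(alias));
            System.out.println("signature " + sig.length + " bytes, verifies=" + ok);
            Files.write(Paths.get(args[0] + ".sig"), sig);
        } finally {
            Arrays.fill(pin, '\0');   // don't keep the PIN on the heap longer than needed
        }
    }
}
```

The `PrivateKey` object obtained from the PKCS11 KeyStore is the "key location" asked about in the comments: it is a handle that only works with the provider that created it. A PDF library is fed that handle plus the provider name instead of a PFX path (for instance iText 5's `PrivateKeySignature(key, "SHA-256", p.getName())`), and the library's hashing and CMS packaging stay in software while the private-key operation runs on the token. If `extractable=true` is printed, the key was generated as exportable and the token gives you no more assurance than a PFX file.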
-1

Try this code

import com.lowagie.text.Rectangle;
import com.lowagie.text.pdf.PdfReader;
import com.lowagie.text.pdf.PdfSignatureAppearance;
import com.lowagie.text.pdf.PdfStamper;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;

public class pdfsign1 {
    public static void main(String[] args) {
        try {
            // Load the signing key and its certificate chain from a PKCS#12 file
            KeyStore ks = KeyStore.getInstance("pkcs12");
            ks.load(new FileInputStream("my_private_key.pfx"), "my_password".toCharArray());
            String alias = (String) ks.aliases().nextElement();
            PrivateKey key = (PrivateKey) ks.getKey(alias, "my_password".toCharArray());
            Certificate[] chain = ks.getCertificateChain(alias);

            // Open the original PDF and prepare a signed copy
            PdfReader reader = new PdfReader("original.pdf");
            FileOutputStream fout = new FileOutputStream("signed.pdf");
            PdfStamper stp = PdfStamper.createSignature(reader, fout, '\0');
            PdfSignatureAppearance sap = stp.getSignatureAppearance();
            // The signature is computed when stp.close() runs; without setCrypto there is nothing to sign with
            sap.setCrypto(key, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
            sap.setReason("I'm the author");
            sap.setLocation("Lisbon");
            // comment next line to have an invisible signature
            sap.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1, null);
            stp.close();
        } catch (Exception e) {
            e.printStackTrace();  // don't silently swallow signing failures
        }
    }
}