
Information:

  • There are two signature mechanisms for EBICS, A005 and A006. EBICS specification > 2017-03-29-EBICS V 3.0-FinalVersion.pdf
  • For EBICS A005, we have been using the SHA256withRSA signature algorithm. It is working.
  • SafeNet eToken 5110 is used to sign data files. It is based on the PKCS11 standard. Its driver/software is called "SafeNet Authentication Client".

Problem and questions:

  • SafeNet eToken 5110 is very slow with the SHA256withRSA algorithm at the code `signer.update(data);`. No problem if we change the algorithm to SHA512withRSA. No problem with another version of eToken, "3SKey basic token (eToken PRO)". Do you know if other people have met this same problem, or is it only us? What is the solution?
  • Because we cannot find a solution at the moment, we are looking at EBICS A006, hoping that it will be faster. However, I haven't found a way to develop Java code for it. I don't know the algorithm name to use. I have tried IAIK but it couldn't connect with the native library libeTPkcs11.so or eTPKCS11.dll. BouncyCastle doesn't work with PKCS11. Do you have any advice? Thank you.

Code with SunPKCS11 (works but slow at .update(...))

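```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import sun.security.pkcs11.SunPKCS11;

String pkcs11config;
pkcs11config = ....  // SunPKCS11 configuration text, elided in the post
ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11config.getBytes());
SunPKCS11 provider = new SunPKCS11(confStream);  // InputStream constructor (Java 8 API)
Security.addProvider(provider);
char[] password = "....".toCharArray();
// The post uses `keystore` without showing how it is obtained; open the token's keystore here.
KeyStore keystore = KeyStore.getInstance("PKCS11", provider);
keystore.load(null, password);
String alias = "...";
PrivateKey privateKey = (PrivateKey) keystore.getKey(alias, password);
Signature signer = Signature.getInstance("SHA256withRSA", keystore.getProvider());
signer.initSign(privateKey);
String data = "Hello world......";
signer.update(data.getBytes());  // SLOW HERE! THE BIGGER THE DATA, THE SLOWER IT IS.
byte[] signedData = signer.sign();
```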

Code tried with IAIK:

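```java
import iaik.pkcs.pkcs11.Module;

// Load the vendor PKCS#11 library from the working directory.
String pwd = System.getProperty("user.dir");
String dllFile = pwd + "/libeTPkcs11.so";
Module m = Module.getInstance(dllFile);
```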

=> error : Exception in thread "main" java.lang.UnsatisfiedLinkError: no pkcs11wrapper in java.library.path
kofcj
  • Related: https://stackoverflow.com/q/19258957/1531971 (You should stick to a single question at a time.) –  Jan 16 '18 at 16:16
  • Thank you jdv. I followed the links and got this error. `java.lang.UnsatisfiedLinkError: iaik.pkcs.pkcs11.wrapper.PKCS11Implementation.initializeLibrary()` The .dll/.so works with SunPKCS11. – kofcj Jan 17 '18 at 09:09
  • There is a native component that cannot be loaded, probably because something is not present on the java.library.path. Your best bet is to stare at stacktraces and find out what these libraries need in terms of environment. –  Jan 17 '18 at 15:31
  • We encountered the same with jarsigner. Signing with eToken 5110 using SHA256 takes about 1 minute per megabyte, which is horrendous. The reason is, PKCS11 is actually using the token to compute the hash. Some versions _luckily_ [don't support bigger hashes](https://safenet.gemalto.com/uploadedFiles/Products/Enterprise_Data_Protection/Multi-Factor_Authentication/Certificate-based_(PKI)_USB_Authenticators/SafeNet_eToken_5110_PB_(EN)_web.pdf) so using SHA384 or SHA512 forces PKCS11 to use software computation and speeds up the signature enormously. For now, this is a lifesaver for us. – vnov Jan 02 '19 at 08:40
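
Added example (not part of the original thread or of any poster's code): following the comment above that the token itself computes the SHA-256 hash, this example hashes on the host and hands only the 51-byte PKCS#1 v1.5 DigestInfo to a raw `NONEwithRSA` signer, producing a signature that verifies as SHA256withRSA. A software key pair stands in for the token; that the token's PKCS11 provider offers `NONEwithRSA` for its key is an assumption, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Arrays;

public class PreHashedRsaSign {
    // DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2).
    private static final byte[] SHA256_DIGEST_INFO_PREFIX = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };

    /** Hashes in software, then asks the key holder for one raw PKCS#1 v1.5 RSA operation. */
    static byte[] signPreHashed(PrivateKey key, Signature rawRsa, byte[] data) throws Exception {
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(data); // computed on the host CPU
        byte[] digestInfo = Arrays.copyOf(SHA256_DIGEST_INFO_PREFIX,
                SHA256_DIGEST_INFO_PREFIX.length + hash.length);
        System.arraycopy(hash, 0, digestInfo, SHA256_DIGEST_INFO_PREFIX.length, hash.length);
        rawRsa.initSign(key);
        rawRsa.update(digestInfo); // 51 bytes go to the key holder, whatever the file size
        return rawRsa.sign();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in: a software key pair. With the token, use the PrivateKey from the
        // PKCS11 keystore and Signature.getInstance("NONEwithRSA", keystore.getProvider()) (assumption).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        byte[] data = "Hello world......".getBytes(StandardCharsets.UTF_8); // constructed sample

        byte[] sig = signPreHashed(pair.getPrivate(), Signature.getInstance("NONEwithRSA"), data);

        // An ordinary SHA256withRSA verifier checks the pre-hashed signature.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pair.getPublic());
        verifier.update(data);
        System.out.println("verifies as SHA256withRSA: " + verifier.verify(sig));
    }
}
```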

0 Answers