We're getting there

Today I walked through a first bit of the tutorial mentioned yesterday. It uses the Sun PKCS Provider rather than the IAIK, but thanks to this I didn't have any problems doing things with my eID card yet :-)

So what did I discover today:

1) The application needs the PIN of the eID card in order to retrieve the keystore from it.

I had first understood that the middleware is in charge of asking the PIN to the user whenever access is required on the card, but it appears that it is only when you try to sign a document using the eID certificate. However, when trying to load the keystore, the card still requires a PIN, but the middleware does not take this in charge. My application will have to prompt the user for his PIN by itself.

2) Java is not C

Sounds quite logical :-) But I had been used to program in C++ the last 5 years and some things you take for granted are just not the same between 2 different languages.

- You can't pass parameters by adress in Java: I had been used with C to pass parameters using their adress in memory by declaring a function like this

void myFunction(&myParameter)

however Java doesn't allow this and I've had a couple of null pointer exceptions due to this :-)

- if- statements in java only take boolean expressions: yup doing a "if(0)" doesn't work in java, you have to do "if(false)" which forces me to change the way I do things usually :-)

3) If you extract the private key from a card, you (of course) don't receive the key, however you receive an interface to it, so you can use the private key of the card in order to encrypt things with your own application.

4) This is what Robert's Keystore looks like:

Alias: Signature
Certificate: [
[
Version: V3
Subject: SERIALNUMBER=71717100052, GIVENNAME=Robert B3302, SURNAME=SPECIMEN, CN=Robert SPECIMEN (Signature), C=BE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus: 111899004514677203975482680672457570043331903119364034993322459228336832793594157819803568047708327522971826323979035590293818486088844003602382173875129626305902858937460678602889653574636726434057504712532262721186297169714208939386549047411126558783930559439408311683949057257680413784877522799171531680927
public exponent: 65537
Validity: [From: Fri Jun 27 12:53:29 CEST 2008,
To: Sun Jun 27 12:53:29 CEST 2010]
Issuer: SERIALNUMBER=200501, CN=SPECIMEN Citizen CA, C=BE
SerialNumber: [ 01000000 00011ac9 a806ad]

Certificate Extensions: 7
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
S/MIME
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D6 A5 FE 65 26 BF 28 6C 16 15 D7 FA 7E 3D DA 9F ...e&.(l.....=..
0010: A9 EE 7D 1D ....
]

]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.specimen-eid.belgium.be/eidc200501.crl]
]]

[4]: ObjectId: 1.3.6.1.5.5.7.1.3 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0E 30 0C 30 0A 06 08 03 90 0E 07 01 05 02 01 ..0.0...........


[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Non_repudiation
]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [0.3.2062.7.1.1.402.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 29 68 74 74 70 3A 2F 2F 72 65 70 6F 73 69 74 .)http://reposit
0010: 6F 72 79 2E 73 70 65 63 69 6D 65 6E 2D 65 69 64 ory.specimen-eid
0020: 2E 62 65 6C 67 69 75 6D 2E 62 65 .belgium.be

]] ]
]

[7]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://certs.specimen-eid.belgium.be/belgiumrs.crt, accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.specimen-eid.belgium.be]
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 6E FF 99 0A 71 BB 84 A6 06 D1 04 A3 04 1F D3 18 n...q...........
0010: 3F 01 50 9B 86 73 0C 5C 2E D7 5E E3 11 9C 5E 36 ?.P..s.\..^...^6
0020: 6E B5 DD 0C 87 82 6A 0E 3A C7 1D F2 0D 22 15 48 n.....j.:....".H
0030: 7E 15 5D 14 99 62 B1 B6 FC 69 2B DA C7 5C EE 8B ..]..b...i+..\..
0040: 12 83 E6 2D 76 51 BB 0C DA DD 9C 2E 31 48 E9 50 ...-vQ......1H.P
0050: 43 D4 6F CA 37 34 55 79 17 B7 67 6D 22 67 DB 47 C.o.74Uy..gm"g.G
0060: 82 D5 B8 E8 0F B1 1D 7C 68 35 43 A9 B5 01 33 5D ........h5C...3]
0070: 08 A1 25 78 B8 2E EA 4E 00 82 F0 B3 E1 AC 1B 00 ..%x...N........
0080: 19 64 AB 5F 6E 72 28 62 5B C8 EE 03 62 71 F8 34 .d._nr(b[...bq.4
0090: 29 26 D0 9F 42 85 09 98 8A 25 D7 27 00 8B FA 33 )&..B....%.'...3
00A0: D9 34 54 3F 91 0C DD DF 04 AC AE FE 8F A5 89 4E .4T?...........N
00B0: 36 29 97 F0 42 B3 AF 0F 57 7E C2 DF A9 38 34 80 6)..B...W....84.
00C0: CA 4C 02 0A F5 77 A6 9D 03 F3 EA 00 46 B1 3D 84 .L...w......F.=.
00D0: 1F 08 08 EE A5 5F 13 CF C3 F9 26 CF 0D 53 0A 97 ....._....&..S..
00E0: B2 03 B7 58 9B BF D9 28 FB 52 B7 3C 3A A1 01 12 ...X...(.R.<:... 00F0: A8 9F 16 1B 2E 08 40 B7 E1 75 D3 A6 99 FA C4 55 ......@..u.....U ] Private key: SunPKCS11-SmartCard RSA private key, 1024 bits (id 8, token object, sensitive, unextractable) Alias: CA Certificate: [ [ Version: V3 Subject: SERIALNUMBER=200501, CN=SPECIMEN Citizen CA, C=BE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 24309273447568538957156508466386268898415107335583551368823688961531705079858783447021374034717678833842586327744977882297899684641705067012968690088631174500351522865180182888170119129058775225366268794191985793208393299880134419639983160415259625386713053446067097986752764309316649169158468766774476967742379020065001838762054459624239706015643265240392612772679901414395230002154233213833013517108509388982200906819138940918447369151838771328362186158931798953602761192508322372556024064991148488514456745237140603698272392833864221074287313455535322067490438534891963751597500625651621237287559503514429481168119 public exponent: 65537 Validity: [From: Thu Dec 23 12:00:00 CET 2004, To: Mon Jan 27 00:00:00 CET 2014] Issuer: CN=SPECIMEN Belgium Root CA, C=BE SerialNumber: [ 11111111 11111111 11111111 11111115] Certificate Extensions: 7 [1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false NetscapeCertType [ SSL CA S/MIME CA Object Signing CA] [2]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: D6 A5 FE 65 26 BF 28 6C 16 15 D7 FA 7E 3D DA 9F ...e&.(l.....=.. 0010: A9 EE 7D 1D .... ] ] [3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 67 5C 8F 5D 98 A4 3C CC C5 F6 1F 71 20 D3 86 0F g\.]..<....q ... 0010: 3D 1B 2F 35 =./5 ] ] [4]: ObjectId: 2.5.29.31 Criticality=false CRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.specimen-eid.belgium.be/belgium.crl] ]] [5]: ObjectId: 2.5.29.32 Criticality=false CertificatePolicies [ [CertificatePolicyId: [0.3.2062.7.1.1.400.1] [PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 29 68 74 74 70 3A 2F 2F 72 65 70 6F 73 69 74 .)http://reposit 0010: 6F 72 79 2E 73 70 65 63 69 6D 65 6E 2D 65 69 64 ory.specimen-eid 0020: 2E 62 65 6C 67 69 75 6D 2E 62 65 .belgium.be ]] ] ] [6]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] [7]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:0 ] ] Algorithm: [SHA1withRSA] Signature: 0000: 2B 8A 4E 07 C9 B8 88 81 65 CD 65 5D 01 EF 08 8C +.N.....e.e].... 0010: E4 88 BE 49 0A D6 32 08 A1 AB 0C 2C 40 8C F4 18 ...I..2....,@... 0020: FC A4 61 13 55 DE 02 C3 C2 F1 67 C3 6D 96 0C D6 ..a.U.....g.m... 0030: 13 F8 0B 27 C0 47 D1 ED 5D BF 79 C9 A4 0F 0F 3D ...'.G..].y....= 0040: 57 07 CA D4 19 5F CD AF FC 71 0F 9B 46 F3 F8 A4 W...._...q..F... 0050: 12 2F 4C 4D 72 8C 0D D8 63 80 A1 A5 02 59 9C E0 ./LMr...c....Y.. 0060: 1F 55 F6 85 B7 84 85 67 08 B2 EB 83 2E 92 37 5F .U.....g......7_ 0070: 72 B9 30 AC DB D6 58 55 1F F0 DA D6 70 9E 8C C9 r.0...XU....p... 0080: D0 B6 20 05 EB A1 48 76 96 B9 AA 46 7B B1 4E A9 .. ...Hv...F..N. 0090: 83 C4 E5 01 B7 94 AC D0 E6 75 35 06 09 60 7E 9F .........u5..`.. 00A0: 29 31 E7 07 6B B6 FB 6E DC B8 45 61 47 D6 52 BC )1..k..n..EaG.R. 00B0: F0 79 79 61 3D 12 AF 4D E0 62 41 8B 61 C7 01 E1 .yya=..M.bA.a... 00C0: 23 FB 81 15 F5 CE FC 76 9D 8B 52 D7 5D 66 D2 0F #......v..R.]f.. 00D0: C1 15 A8 D0 38 40 C5 3D 38 FF 46 57 0C E0 15 F2 ....8@.=8.FW.... 00E0: 36 75 F4 0D D0 EA C3 A5 D1 09 0E 7D 0E 40 89 CD 6u...........@.. 00F0: 1B 5E D5 3F 1F D2 7A 3B B9 C3 CA E8 8E 44 8B 42 .^.?..z;.....D.B ] Private key: null Alias: Root Certificate: [ [ Version: V3 Subject: CN=SPECIMEN Belgium Root CA, C=BE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 26691376432534724492914239230536419796245516068532173901583967047600268926599080494681481520702134118891565316669898570691114551706817351962178500667181029693650065893361463787785300509028117452231414940342359485172277604079140049287137596689084656358926439744495271507065982288770837970026835661043448496256726253647767817292995578739674090998624027230583215392405441418148657818976769620253079041070042952983293214469145330275436682586834300598436530165781418685318418982623744621632911090583722316269620253757229959960866058867588475478638980377832743068439889482014217721312571288986733070918469283356832727190777 public exponent: 65537 Validity: [From: Wed Aug 13 11:00:00 CEST 2003, To: Mon Jan 27 00:00:00 CET 2014] Issuer: CN=SPECIMEN Belgium Root CA, C=BE SerialNumber: [ 11111111 11111111 11111111 11111112] Certificate Extensions: 6 [1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false NetscapeCertType [ SSL CA S/MIME CA Object Signing CA] [2]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 67 5C 8F 5D 98 A4 3C CC C5 F6 1F 71 20 D3 86 0F g\.]..<....q ... 0010: 3D 1B 2F 35 =./5 ] ] [3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 67 5C 8F 5D 98 A4 3C CC C5 F6 1F 71 20 D3 86 0F g\.]..<....q ... 0010: 3D 1B 2F 35 =./5 ] ] [4]: ObjectId: 2.5.29.32 Criticality=false CertificatePolicies [ [CertificatePolicyId: [0.3.2062.9.6.1.31.1.1] [PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 2A 68 74 74 70 3A 2F 2F 72 65 70 6F 73 69 74 .*http://reposit 0010: 6F 72 79 2E 73 70 65 63 69 6D 65 6E 2D 65 69 64 ory.specimen-eid 0020: 2E 62 65 6C 67 69 75 6D 2E 62 65 2F .belgium.be/ ]] ] ] [5]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] [6]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] ] Algorithm: [SHA1withRSA] Signature: 0000: 2F CC F7 B0 2F 29 2B 00 5A 2C BC 31 5A 4A E5 20 /.../)+.Z,.1ZJ. 0010: 6B C8 06 09 4D 2F C9 1D 7E 6A 55 F4 D4 50 81 C5 k...M/...jU..P.. 0020: 75 49 DA DE 12 CD 14 A9 89 DB CA 16 8E E0 01 D3 uI.............. 0030: 85 2E E1 1F E6 61 76 61 BB 8E B1 E3 6C 19 A6 2C .....ava....l.., 0040: 8F 82 99 0E 98 D1 8B 60 CE BB 3F 92 1A AA DD CB .......`..?..... 0050: 5B CA 2A C7 77 47 B5 38 12 C1 67 1C 50 64 E4 98 [.*.wG.8..g.Pd.. 0060: B1 9D 70 E7 BC 3D A7 61 CE A3 76 E9 F7 23 8A 6D ..p..=.a..v..#.m 0070: C1 2D E1 0E 75 20 71 45 B4 56 1E 4B E0 97 8C 3B .-..u qE.V.K...; 0080: BB 77 FC DD EC A3 26 FD D6 9A 58 14 9C 6A 30 A3 .w....&...X..j0. 0090: 26 DD 67 22 6A CD F7 DB 7F 2D 48 B5 93 3B 5C 4E &.g"j....-H..;\N 00A0: EC 6C 86 BE 8F 47 7A DE CD 69 BA 8A A1 22 B0 3E .l...Gz..i...".>
00B0: 83 16 5F 9B B5 33 95 7C 5A 31 55 D8 9A CB CA EC .._..3..Z1U.....
00C0: 57 7C 18 DC 30 47 20 EA 35 15 7D B8 3C 60 B3 59 W...0G .5...<`.Y 00D0: 56 50 B3 A8 03 C8 2D 28 0D 2D 12 1D 35 62 E0 AB VP....-(.-..5b.. 00E0: ED E5 53 54 43 4B 68 BB 98 00 B6 78 E7 C7 93 06 ..STCKh....x.... 00F0: E4 46 C6 5C 65 19 C4 00 D3 79 4D C4 45 76 0F DF .F.\e....yM.Ev.. ] Private key: null Alias: Authentication Certificate: [ [ Version: V3 Subject: SERIALNUMBER=71717100052, GIVENNAME=Robert B3302, SURNAME=SPECIMEN, CN=Robert SPECIMEN (Authentication), C=BE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 99118761443669422291498760732724032715373214217302511965045964772871859003736852323149962836757489278007171937318381868594464271689448425826496925091035462057600115094523702878251665568942712725243978766284465174977057852526309353417744114866030522499405177739161556746031358035987771634436298681323393403787 public exponent: 65537 Validity: [From: Fri Jun 27 12:53:24 CEST 2008, To: Sun Jun 27 12:53:24 CEST 2010] Issuer: SERIALNUMBER=200501, CN=SPECIMEN Citizen CA, C=BE SerialNumber: [ 01000000 00011ac9 a7f30e] Certificate Extensions: 6 [1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false NetscapeCertType [ SSL client S/MIME ] [2]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: D6 A5 FE 65 26 BF 28 6C 16 15 D7 FA 7E 3D DA 9F ...e&.(l.....=.. 0010: A9 EE 7D 1D .... ] ] [3]: ObjectId: 2.5.29.31 Criticality=false CRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.specimen-eid.belgium.be/eidc200501.crl] ]] [4]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature ] [5]: ObjectId: 2.5.29.32 Criticality=false CertificatePolicies [ [CertificatePolicyId: [0.3.2062.7.1.1.401.1] [PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 29 68 74 74 70 3A 2F 2F 72 65 70 6F 73 69 74 .)http://reposit 0010: 6F 72 79 2E 73 70 65 63 69 6D 65 6E 2D 65 69 64 ory.specimen-eid 0020: 2E 62 65 6C 67 69 75 6D 2E 62 65 .belgium.be ]] ] ] [6]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false AuthorityInfoAccess [ [accessMethod: 1.3.6.1.5.5.7.48.2 accessLocation: URIName: http://certs.specimen-eid.belgium.be/belgiumrs.crt, accessMethod: 1.3.6.1.5.5.7.48.1 accessLocation: URIName: http://ocsp.specimen-eid.belgium.be] ] ] Algorithm: [SHA1withRSA] Signature: 0000: 48 89 61 2B EB DC 68 67 47 DA 33 9E 82 11 C4 40 H.a+..hgG.3....@ 0010: 6C 47 DD A7 6D 97 0D 95 C6 7C 81 FB 79 46 95 E1 lG..m.......yF.. 0020: 73 9C 5F 30 9B C3 96 42 E5 AE A6 FC 2F 54 9C 39 s._0...B..../T.9 0030: 1C B3 F7 5E 77 50 7B EB C9 17 92 9B 09 3D A0 89 ...^wP.......=.. 0040: 76 B4 8B F4 AE 20 EC F0 80 01 F4 63 DD 29 A0 D8 v.... .....c.).. 0050: 77 DE AD 95 05 E9 F9 D5 7B 49 60 A1 24 F6 DF 28 w........I`.$..( 0060: ED 0C 83 71 14 BD BE EE 0A FB AE C3 B0 3D 15 FD ...q.........=.. 0070: EF 58 14 54 40 80 07 2F 77 85 72 14 F1 90 B4 06 .X.T@../w.r..... 0080: F4 4B 35 A5 76 BF 6A 0C 3D AE 7C D4 95 8B 41 DD .K5.v.j.=.....A. 0090: 57 D2 F3 1C FC B0 53 C6 9F D8 63 71 AB 00 9D 57 W.....S...cq...W 00A0: 4C 2D 58 43 56 44 9A 2B 34 3D 07 13 3C 7C F5 F3 L-XCVD.+4=..<... 00B0: 17 96 31 E2 FE AC F4 65 25 78 05 C6 D3 62 30 0E ..1....e%x...b0. 00C0: 28 2E 89 54 A6 49 B7 1C AC A8 59 01 45 29 29 7B (..T.I....Y.E)). 00D0: C4 66 07 13 91 A0 F7 DF 28 F9 A9 20 FC FF FC 07 .f......(.. .... 00E0: 7F 9E D9 0D A0 D4 36 14 CE C3 94 3E C2 30 EC C3 ......6....>.0..
00F0: 95 33 7A EE F7 28 C5 33 15 58 86 D6 48 77 3D E3 .3z..(.3.X..Hw=.

]
Private key: SunPKCS11-SmartCard RSA private key, 1024 bits (id 1, token object, sensitive, unextractable)
Retrieving the Provider Name
Unregistering the Provider SunPKCS11-SmartCard

4) Man, this is fun!

Yeah, I just have to say that today I had a lot of fun putting some code together, and seeing how it works. That's one thing I love about developments: making things work :-)