Retrieve public/private key - iKey 2032 token using pkcs#11


General J2EE: Retrieve public/private key - iKey 2032 token using pkcs#11

  1. Hi All,

    I'm trying to access one iKey 2032 token in Java 1.5 (Windows Environment) using SUN pkcs#11 provider

    My documentation support is:

    My 1st step was configuration. I added the line: ${java.home}/lib/security/pkcs11.cfg
    to "" file, where "pkcs11.cfg" contains:

    name = rainbow_token
    library = c:\winnt\system32\dkck232.dll

    attributes(*,CKO_PRIVATE_KEY,*) = {
      CKA_SIGN = true
    }

    attributes(*,CKO_PRIVATE_KEY,CKK_DH) = {
      CKA_SIGN = null
    }

    attributes(*,CKO_PRIVATE_KEY,CKK_RSA) = {
      CKA_DECRYPT = true
    }

    Then I try to use the keytool, as described in: er
    to access the token material. Like this:
    c:\>keytool -keystore NONE -storetype PKCS11 -list

    It displayed the following:

    Keystore type: PKCS11
    Keystore provider: SunPKCS11-rainbow_token
    Your keystore contains 3 entries
    349eefd1-845b-4ba4-9f88-06e9f5cb82f6, keyEntry,
    Certificate fingerprint (MD5): 09:7E:7A:22:EF:FB:05:3C:43:AB:8F:FD:93:BE:62:0F
    0c8696a7-c0b6-4d66-8ab3-03b93c597a6d, keyEntry,
    Certificate fingerprint (MD5): E2:BD:1E:DB:E6:D5:BD:FD:0D:5B:67:7F:82:BA:45:46
    dae4aebd-ac90-433d-8ef4-e1fed57de3fa, keyEntry,
    Certificate fingerprint (MD5): C0:B7:71:03:D0:52:2F:D7:5A:4F:D1:2B:40:CC:18:7B

    There is no problem up to this level; I even managed to access one Rainbow iKey 2032 token in Java 1.5 (Windows environment) using the Sun PKCS#11 provider. The token is stored with a certificate. There is no problem logging into the token using Java.

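    // Config path is a placeholder; point it at the pkcs11.cfg shown above.
    Provider p = new sun.security.pkcs11.SunPKCS11("<path-to>/pkcs11.cfg");
    Security.addProvider(p);

    KeyStore ks = null;
    char[] pin = {'P','A','S','S','W','O','R','D'};
    try {
        ks = KeyStore.getInstance("pkcs11");
        ks.load(null, pin);   // logs in to the token with the PIN
    } catch (Exception e) {
        e.printStackTrace();
    }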

    Now I am wondering how to retrieve a public and private key from token, so that I can encrypt and decrypt a plain text file. Could you please give me a sample program for this?

    Your help is very much appreciated!!



  2. use API

    // get the certificate
    X509Certificate cert =(X509Certificate) ks.getCertificate(certificateAlias);

    // get the public key from the certificate
    PublicKey key = cert.getPublicKey();
    // get the private key from the keystore.
    PrivateKey privateKey = (PrivateKey) ks.getKey(certificateAlias,privateKeyPass.toCharArray());

    Hope it will be helpful
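
The calls from the answer combined into a full encrypt/decrypt round trip, as an added example that is not part of the original thread. It assumes the SunPKCS11 provider is registered in java.security as in the question, that the token holds an RSA key entry usable for decryption (CKA_DECRYPT), that the PIN is passed as the first argument, and Java 7 or later for AES-GCM; the class name `TokenHybridDemo` and the sample text are made up for illustration.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.crypto.*;
import javax.crypto.spec.*;

public class TokenHybridDemo {
    public static void main(String[] args) throws Exception {
        // Assumption: SunPKCS11 is registered in java.security as in the question;
        // the PIN comes from the command line rather than being hard-coded.
        char[] pin = args[0].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);                      // logs in to the token

        String alias = null;                     // first entry that holds a private key
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements() && alias == null; ) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) alias = a;
        }
        if (alias == null) throw new KeyStoreException("no key entry on token");

        PublicKey pub = ((X509Certificate) ks.getCertificate(alias)).getPublicKey();
        // The token login above authorises key use, so no per-key password is passed.
        PrivateKey priv = (PrivateKey) ks.getKey(alias, null);
        // A sensitive token key is only a handle: no encoded form leaves the device.
        System.out.println("private key exportable: " + (priv.getEncoded() != null));

        // RSA encrypts only one short block, so the data is encrypted with a fresh
        // AES key and only that key is encrypted under the RSA public key.
        byte[] plain = "constructed sample text".getBytes("UTF-8");
        SecureRandom rnd = new SecureRandom();
        byte[] k = new byte[16], iv = new byte[12];
        rnd.nextBytes(k);
        rnd.nextBytes(iv);
        SecretKey aes = new SecretKeySpec(k, "AES");
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal(plain);
        Cipher rsaEnc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsaEnc.init(Cipher.ENCRYPT_MODE, pub);
        byte[] encKey = rsaEnc.doFinal(k);
        // Decryption: the RSA operation runs on the token via the keystore's provider.
        Cipher rsaDec = Cipher.getInstance("RSA/ECB/PKCS1Padding", ks.getProvider());
        rsaDec.init(Cipher.DECRYPT_MODE, priv);
        SecretKey aes2 = new SecretKeySpec(rsaDec.doFinal(encKey), "AES");
        gcm.init(Cipher.DECRYPT_MODE, aes2, new GCMParameterSpec(128, iv));
        System.out.println(new String(gcm.doFinal(ct), "UTF-8"));
    }
}
```

To protect a file, store `encKey`, `iv` and `ct` together; only the holder of the token and its PIN can recover the AES key.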