Read-Certificate-Information-From-USB-Token_PKI

Overview

PKI tokens are hardware devices that store digital certificates and private keys securely. When you need to encrypt, decrypt or sign something, the token does this internally in a secure chip meaning the keys are never at risk of being stolen.

USB token based certificates are an implementation of PKCS#11, one of the Public-Key Cryptography Standards. Digital signature certificates are issued by a Certificate Authority (CA).

PKCS#11

The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards.

The API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects Read more PKCS11.

---

Specifications of the USB Token that worked on :

Token name: eToken

Token category: Hardware

Product name: SafeNet eToken 5110 FIPS

Model: Token 15.0.0.3 15.0.19

Card type: Java Card

OS version: eToken Java Applet 1.8.5

---

installation

The programs and systems used and the most important uses Software package must be installed :

1- safeNet Authentication Client

• Change Token PIN
• Change Token Name
• Install tokens drivers
• Insert token PIN when need to Sign or decrypt process

2-Entrust Entelligence Security Provider

• Signing & Encryption Files ,Emails
• Certificates Explore
• Check validity of Certificate
• Create Encryption Group
• Exchange Digital Certificates With others

3-Download eTPKCS11.dll

4-Download sunpkcs11.jar

---

Add an external configuration file which content following information:

In order to enable the JDK to access the security token, you will first need to create a configuration file. Open any plain-text editor and create a file named eToken.cfg. The file should contain 2, possibly 3, lines:

• Add the username of the token
  
• Adding the path of the library dedicated to the usb token, which is the eTPKCS11.dll library
  
• Add the USB slot

name=eTokenn 
library=c:\WINDOWS\system32\eTPKCS11.dll  
slot=0

Note: The default slot number when left unspecified is 0. SafeNet eToken 5100 will automatically assign to slot 0, therefore there will be no need for the slot line in the .cfg file. However this may need to be changed depending on the number of eTokens/SmartCard readers installed. The default slot number for the SafeNet Ikey 4000 is slot 3. The slot line will be required when using a SafeNet iKey 4000.

---

Also, add an external library, which is sunpkcs11.jar to run provider PKCS11 :

 sun.security.pkcs11.SunPKCS11 providerPKCS11 = new sun.security.pkcs11.SunPKCS11(pkcs11Config);

---

Read certificate information from token, such as:

• Private Key
• Public key
• Issuer
• Key usage
• Signature Algorithm
• Certificate Extensions
• And a lot of information ....

---

Run the program

When you run the program, a window will appear to enter the password to be able to connect to the USB Token and get the Certificates

 KeyStore.CallbackHandlerProtection chp = new KeyStore.CallbackHandlerProtection(new MyGuiCallbackHandler() {});
 KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", null, chp);
 KeyStore keyStore = builder.getKeyStore();

---

Then the program will print all certification information

---

Good Luck