OpenSCDP

PKCS11Session - Reference Documentation

Class implementing support for cryptographic tokens with a PKCS#11 interface.

Constants

| Type | Name | Description |
|---|---|---|
| Number | CKM_RSA_PKCS_KEY_PAIR_GEN | PKCS#11 mechanism constant |
| Number | CKM_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_RSA_9796 | PKCS#11 mechanism constant |
| Number | CKM_RSA_X_509 | PKCS#11 mechanism constant |
| Number | CKM_MD2_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_MD5_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_SHA1_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_RIPEMD128_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_RIPEMD160_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_RSA_PKCS_OAEP | PKCS#11 mechanism constant |
| Number | CKM_RSA_X9_31_KEY_PAIR_GEN | PKCS#11 mechanism constant |
| Number | CKM_RSA_X9_31 | PKCS#11 mechanism constant |
| Number | CKM_SHA1_RSA_X9_31 | PKCS#11 mechanism constant |
| Number | CKM_RSA_PKCS_PSS | PKCS#11 mechanism constant |
| Number | CKM_SHA1_RSA_PKCS_PSS | PKCS#11 mechanism constant |
| Number | CKM_DSA_KEY_PAIR_GEN | PKCS#11 mechanism constant |
| Number | CKM_DSA | PKCS#11 mechanism constant |
| Number | CKM_DSA_SHA1 | PKCS#11 mechanism constant |
| Number | CKM_DH_PKCS_KEY_PAIR_GEN | PKCS#11 mechanism constant |
| Number | CKM_DH_PKCS_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_X9_42_DH_KEY_PAIR_GEN | PKCS#11 mechanism constant |
| Number | CKM_X9_42_DH_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_X9_42_DH_HYBRID_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_X9_42_MQV_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_SHA256_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_SHA384_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_SHA512_RSA_PKCS | PKCS#11 mechanism constant |
| Number | CKM_SHA256_RSA_PKCS_PSS | PKCS#11 mechanism constant |
| Number | CKM_SHA384_RSA_PKCS_PSS | PKCS#11 mechanism constant |
| Number | CKM_SHA512_RSA_PKCS_PSS | PKCS#11 mechanism constant |
| Number | CKM_RC2_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_RC2_ECB | PKCS#11 mechanism constant |
| Number | CKM_RC2_CBC | PKCS#11 mechanism constant |
| Number | CKM_RC2_MAC | PKCS#11 mechanism constant |
| Number | CKM_RC2_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_RC2_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_RC4_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_RC4 | PKCS#11 mechanism constant |
| Number | CKM_DES_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_DES_ECB | PKCS#11 mechanism constant |
| Number | CKM_DES_CBC | PKCS#11 mechanism constant |
| Number | CKM_DES_MAC | PKCS#11 mechanism constant |
| Number | CKM_DES_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_DES_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_DES2_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_DES3_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_DES3_ECB | PKCS#11 mechanism constant |
| Number | CKM_DES3_CBC | PKCS#11 mechanism constant |
| Number | CKM_DES3_MAC | PKCS#11 mechanism constant |
| Number | CKM_DES3_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_DES3_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_CDMF_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_CDMF_ECB | PKCS#11 mechanism constant |
| Number | CKM_CDMF_CBC | PKCS#11 mechanism constant |
| Number | CKM_CDMF_MAC | PKCS#11 mechanism constant |
| Number | CKM_CDMF_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_CDMF_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_MD2 | PKCS#11 mechanism constant |
| Number | CKM_MD2_HMAC | PKCS#11 mechanism constant |
| Number | CKM_MD2_HMAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_MD5 | PKCS#11 mechanism constant |
| Number | CKM_MD5_HMAC | PKCS#11 mechanism constant |
| Number | CKM_MD5_HMAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_SHA_1 | PKCS#11 mechanism constant |
| Number | CKM_SHA_1_HMAC | PKCS#11 mechanism constant |
| Number | CKM_SHA_1_HMAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_RIPEMD128 | PKCS#11 mechanism constant |
| Number | CKM_RIPEMD128_HMAC | PKCS#11 mechanism constant |
| Number | CKM_RIPEMD128_HMAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_RIPEMD160 | PKCS#11 mechanism constant |
| Number | CKM_RIPEMD160_HMAC | PKCS#11 mechanism constant |
| Number | CKM_RIPEMD160_HMAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_CAST_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_CAST_ECB | PKCS#11 mechanism constant |
| Number | CKM_CAST_CBC | PKCS#11 mechanism constant |
| Number | CKM_CAST_MAC | PKCS#11 mechanism constant |
| Number | CKM_CAST_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_CAST_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_CAST3_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_CAST3_ECB | PKCS#11 mechanism constant |
| Number | CKM_CAST3_CBC | PKCS#11 mechanism constant |
| Number | CKM_CAST3_MAC | PKCS#11 mechanism constant |
| Number | CKM_CAST3_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_CAST3_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_CAST5_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_CAST128_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_CAST5_ECB | PKCS#11 mechanism constant |
| Number | CKM_CAST128_ECB | PKCS#11 mechanism constant |
| Number | CKM_CAST5_CBC | PKCS#11 mechanism constant |
| Number | CKM_CAST128_CBC | PKCS#11 mechanism constant |
| Number | CKM_CAST5_MAC | PKCS#11 mechanism constant |
| Number | CKM_CAST128_MAC | PKCS#11 mechanism constant |
| Number | CKM_CAST5_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_CAST128_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_CAST5_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_CAST128_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_RC5_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_RC5_ECB | PKCS#11 mechanism constant |
| Number | CKM_RC5_CBC | PKCS#11 mechanism constant |
| Number | CKM_RC5_MAC | PKCS#11 mechanism constant |
| Number | CKM_RC5_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_RC5_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_IDEA_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_IDEA_ECB | PKCS#11 mechanism constant |
| Number | CKM_IDEA_CBC | PKCS#11 mechanism constant |
| Number | CKM_IDEA_MAC | PKCS#11 mechanism constant |
| Number | CKM_IDEA_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_IDEA_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_GENERIC_SECRET_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_CONCATENATE_BASE_AND_KEY | PKCS#11 mechanism constant |
| Number | CKM_CONCATENATE_BASE_AND_DATA | PKCS#11 mechanism constant |
| Number | CKM_CONCATENATE_DATA_AND_BASE | PKCS#11 mechanism constant |
| Number | CKM_XOR_BASE_AND_DATA | PKCS#11 mechanism constant |
| Number | CKM_EXTRACT_KEY_FROM_KEY | PKCS#11 mechanism constant |
| Number | CKM_SSL3_PRE_MASTER_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_SSL3_MASTER_KEY_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_SSL3_KEY_AND_MAC_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_SSL3_MASTER_KEY_DERIVE_DH | PKCS#11 mechanism constant |
| Number | CKM_TLS_PRE_MASTER_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_TLS_MASTER_KEY_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_TLS_KEY_AND_MAC_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_TLS_MASTER_KEY_DERIVE_DH | PKCS#11 mechanism constant |
| Number | CKM_SSL3_MD5_MAC | PKCS#11 mechanism constant |
| Number | CKM_SSL3_SHA1_MAC | PKCS#11 mechanism constant |
| Number | CKM_MD5_KEY_DERIVATION | PKCS#11 mechanism constant |
| Number | CKM_MD2_KEY_DERIVATION | PKCS#11 mechanism constant |
| Number | CKM_SHA1_KEY_DERIVATION | PKCS#11 mechanism constant |
| Number | CKM_PBE_MD2_DES_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_MD5_DES_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_MD5_CAST_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_MD5_CAST3_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_MD5_CAST5_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_MD5_CAST128_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_SHA1_CAST5_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_SHA1_CAST128_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_SHA1_RC4_128 | PKCS#11 mechanism constant |
| Number | CKM_PBE_SHA1_RC4_40 | PKCS#11 mechanism constant |
| Number | CKM_PBE_SHA1_DES3_EDE_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_SHA1_DES2_EDE_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_SHA1_RC2_128_CBC | PKCS#11 mechanism constant |
| Number | CKM_PBE_SHA1_RC2_40_CBC | PKCS#11 mechanism constant |
| Number | CKM_PKCS5_PBKD2 | PKCS#11 mechanism constant |
| Number | CKM_PBA_SHA1_WITH_SHA1_HMAC | PKCS#11 mechanism constant |
| Number | CKM_KEY_WRAP_LYNKS | PKCS#11 mechanism constant |
| Number | CKM_KEY_WRAP_SET_OAEP | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_ECB64 | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_CBC64 | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_OFB64 | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_CFB64 | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_CFB32 | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_CFB16 | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_CFB8 | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_WRAP | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_PRIVATE_WRAP | PKCS#11 mechanism constant |
| Number | CKM_SKIPJACK_RELAYX | PKCS#11 mechanism constant |
| Number | CKM_KEA_KEY_PAIR_GEN | PKCS#11 mechanism constant |
| Number | CKM_KEA_KEY_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_FORTEZZA_TIMESTAMP | PKCS#11 mechanism constant |
| Number | CKM_BATON_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_BATON_ECB128 | PKCS#11 mechanism constant |
| Number | CKM_BATON_ECB96 | PKCS#11 mechanism constant |
| Number | CKM_BATON_CBC128 | PKCS#11 mechanism constant |
| Number | CKM_BATON_COUNTER | PKCS#11 mechanism constant |
| Number | CKM_BATON_SHUFFLE | PKCS#11 mechanism constant |
| Number | CKM_BATON_WRAP | PKCS#11 mechanism constant |
| Number | CKM_ECDSA_KEY_PAIR_GEN | PKCS#11 mechanism constant |
| Number | CKM_EC_KEY_PAIR_GEN | PKCS#11 mechanism constant |
| Number | CKM_ECDSA | PKCS#11 mechanism constant |
| Number | CKM_ECDSA_SHA1 | PKCS#11 mechanism constant |
| Number | CKM_ECDH1_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_ECDH1_COFACTOR_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_ECMQV_DERIVE | PKCS#11 mechanism constant |
| Number | CKM_JUNIPER_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_JUNIPER_ECB128 | PKCS#11 mechanism constant |
| Number | CKM_JUNIPER_CBC128 | PKCS#11 mechanism constant |
| Number | CKM_JUNIPER_COUNTER | PKCS#11 mechanism constant |
| Number | CKM_JUNIPER_SHUFFLE | PKCS#11 mechanism constant |
| Number | CKM_JUNIPER_WRAP | PKCS#11 mechanism constant |
| Number | CKM_FASTHASH | PKCS#11 mechanism constant |
| Number | CKM_AES_KEY_GEN | PKCS#11 mechanism constant |
| Number | CKM_AES_ECB | PKCS#11 mechanism constant |
| Number | CKM_AES_CBC | PKCS#11 mechanism constant |
| Number | CKM_AES_MAC | PKCS#11 mechanism constant |
| Number | CKM_AES_MAC_GENERAL | PKCS#11 mechanism constant |
| Number | CKM_AES_CBC_PAD | PKCS#11 mechanism constant |
| Number | CKM_DSA_PARAMETER_GEN | PKCS#11 mechanism constant |
| Number | CKM_DH_PKCS_PARAMETER_GEN | PKCS#11 mechanism constant |
| Number | CKM_X9_42_DH_PARAMETER_GEN | PKCS#11 mechanism constant |

Constructor

Prototype

PKCS11Session(PKCS11Provider provider, Number slot)

PKCS11Session(PKCS11Provider provider, Number slot, Boolean readWrite)

Description

Open a new session using the given provider and selected slot.

Arguments

| Type | Name | Description |
|---|---|---|
| PKCS11Provider | provider | Previously loaded provider |
| Number | slot | Slot id to use |
| Boolean | readWrite | True, if session shall allow write access to token. Default is false. |

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |

Example


var p = new PKCS11Provider("C:/usr/local/lsm/bin/lsmpkcs11.dll");

var s = new PKCS11Session(p, 1, false);
s.close();

login()

Prototype

login(String password)

login(String password, Boolean so)

Description

Log in to the token as user or security officer.

Arguments

| Type | Name | Description |
|---|---|---|
| String | password | Password to be used for login |
| Boolean | so | True, if login as security officer is requested. Default is false. |

Return

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |

Example


// Login as user in a read only session
var s = new PKCS11Session(p, 1, false);
s.login("12345678");
s.close();

// Login as security officer in a read/write session
var s = new PKCS11Session(p, 1, true);
s.login("abcdefgh", true);
s.close();

enumerateObjects()

Prototype

enumerateObjects()

Description

Enumerate all objects available in the session

Return

| Type | Description |
|---|---|
| Array of PKCS11Objects | Objects found |

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |

Example


// Login as user in a read only session
var s = new PKCS11Session(p, 1, false);
s.login("12345678");

var objs = s.enumerateObjects();
for (var i = 0; i < objs.length; i++) {
	print(" Class :" + objs[i].getNumberAttribute(PKCS11Object.CKA_CLASS));
	print(" Label :" + objs[i].getAttribute(PKCS11Object.CKA_LABEL).toString(ASCII));
}

s.close();

signInit()

Prototype

signInit(Number mechanism, PKCS11Object key)

signInit(Number mechanism, Key key)

signInit(Number mechanism, PKCS11Object key, ByteString parameter)

signInit(Number mechanism, Key key, ByteString parameter)

Description

Call C_SignInit() to start a PKCS#11 signature operation.

The method accepts keys in two different formats: either as a PKCS11Object or as a Key object. The former can be obtained using the PKCS11Session.enumerateObjects() method, the latter using the KeyStore.getKeyFromKeyStore() method.

Arguments

| Type | Name | Description |
|---|---|---|
| Number | mechanism | A PKCS#11 mechanism as defined by one of the PKCS11Session.CKM_xxx constants |
| PKCS11Object | key | A PKCS11Object |
| Key | key | A Key object |
| ByteString | parameter | Parameter passed with mechanism |

Return

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// Login as user in a read/write session
var s = new PKCS11Session(p, 1, true);
s.login("12345678");

// Create RSA private session key
var attr = new Array();

attr[PKCS11Object.CKA_CLASS] = PKCS11Object.CKO_PRIVATE_KEY;
attr[PKCS11Object.CKA_KEY_TYPE] = PKCS11Object.CKK_RSA;
attr[PKCS11Object.CKA_LABEL] = "MyPrivateRSAKey";

attr[PKCS11Object.CKA_PRIME_1] = new ByteString("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", HEX);
attr[PKCS11Object.CKA_PRIME_2] = new ByteString("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", HEX);
attr[PKCS11Object.CKA_EXPONENT_1] = new ByteString("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", HEX);
attr[PKCS11Object.CKA_EXPONENT_2] = new ByteString("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", HEX);
attr[PKCS11Object.CKA_COEFFICIENT] = new ByteString("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", HEX);

attr[PKCS11Object.CKA_MODULUS] = new ByteString("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", HEX);
attr[PKCS11Object.CKA_PUBLIC_EXPONENT] = new ByteString("11", HEX);

var prk = new PKCS11Object(s, attr);


// Create RSA public key
var attr = new Array();

attr[PKCS11Object.CKA_CLASS] = PKCS11Object.CKO_PUBLIC_KEY;
attr[PKCS11Object.CKA_KEY_TYPE] = PKCS11Object.CKK_RSA;
attr[PKCS11Object.CKA_LABEL] = "MyPublicRSAKey";

attr[PKCS11Object.CKA_MODULUS] = new ByteString("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", HEX);
attr[PKCS11Object.CKA_PUBLIC_EXPONENT] = new ByteString("11", HEX);

var puk = new PKCS11Object(s, attr);


// Create RSA public key in SCSH3
var key = new Key();
key.setType(Key.PUBLIC);
key.setComponent(Key.MODULUS, new ByteString("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", HEX));
key.setComponent(Key.EXPONENT, new ByteString("11", HEX));

var crypto = new Crypto();


// Initiate signing operation
s.signInit(PKCS11Session.CKM_SHA1_RSA_PKCS, prk);

// Single step signing
var msg = new ByteString("Hello World", ASCII);
var signature = s.sign(msg);

print("Signature : " + signature);


// Decrypt block with public key
var plain = crypto.decrypt(key, Crypto.RSA, signature);
print("Plain = " + plain);

// Verify signature with SCSH3
assert(crypto.verify(key, Crypto.RSA, msg, signature));


// Verify signature with PKCS#11
s.verifyInit(PKCS11Session.CKM_SHA1_RSA_PKCS, puk);

// Single step verifying
var msg = new ByteString("Hello World", ASCII);
assert(s.verify(msg, signature));


// Initiate signing operation
s.signInit(PKCS11Session.CKM_SHA1_RSA_PKCS, prk);

// Multi-Step signing (Step 1)
var msg = new ByteString("Hello ", ASCII);
s.signUpdate(msg);

// Multi-Step signing (Step 2)
var msg = new ByteString("World", ASCII);
s.signUpdate(msg);
var signature = s.signFinal();

print("Signature : " + signature);

var plain = crypto.decrypt(key, Crypto.RSA, signature);
print("Plain = " + plain);

// Verify signature with SCSH3
var msg = new ByteString("Hello World", ASCII);
assert(crypto.verify(key, Crypto.RSA, msg, signature));


// Initiate verifying operation
s.verifyInit(PKCS11Session.CKM_SHA1_RSA_PKCS, puk);

// Multi-Step verifying (Step 1)
var msg = new ByteString("Hello ", ASCII);
s.verifyUpdate(msg);

// Multi-Step verifying (Step 2)
var msg = new ByteString("World", ASCII);
s.verifyUpdate(msg);
assert(s.verifyFinal(signature));

s.close();
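
The `Plain` value printed in the example above is the raw RSA block recovered with the public key. For CKM_SHA1_RSA_PKCS that block is the EMSA-PKCS1-v1_5 encoding defined in RFC 8017. The following added example is not part of the OpenSCDP documentation: it runs under Node.js rather than in the Smart Card Shell, its function names are hypothetical, and it builds the expected block for the 64-byte modulus used above and checks a recovered block by re-encoding and comparing.

```javascript
// Added example: runs under Node.js, not inside the Smart Card Shell.
const nodeCrypto = require("node:crypto");

// DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1).
const SHA1_DIGESTINFO_PREFIX = Buffer.from("3021300906052b0e03021a05000414", "hex");

// EM = 00 || 01 || FF..FF || 00 || DigestInfo || SHA-1(message), k bytes long.
function emsaPkcs1v15Sha1(message, k) {
  const hash = nodeCrypto.createHash("sha1").update(message).digest();
  const t = Buffer.concat([SHA1_DIGESTINFO_PREFIX, hash]);
  const psLen = k - t.length - 3;
  if (psLen < 8) {
    throw new RangeError("modulus too short for SHA-1 with PKCS#1 v1.5");
  }
  return Buffer.concat([
    Buffer.from([0x00, 0x01]),
    Buffer.alloc(psLen, 0xff),
    Buffer.from([0x00]),
    t,
  ]);
}

// Check a block recovered with the public key by re-encoding the expected
// block and comparing all k bytes, instead of parsing the padding.
function checkRecoveredBlock(recovered, message, k) {
  if (recovered.length > k) return false;
  // Integer-to-bytes conversions may drop the leading 00: left-pad to k bytes.
  const block = Buffer.concat([Buffer.alloc(k - recovered.length, 0), recovered]);
  return nodeCrypto.timingSafeEqual(block, emsaPkcs1v15Sha1(message, k));
}

// Constructed malformed blocks, each differing from a good block in one byte.
function malformedSamples(em) {
  const wrongType = Buffer.from(em);
  wrongType[1] = 0x02; // block type must be 01 for signatures
  const brokenPad = Buffer.from(em);
  brokenPad[10] = 0x00; // padding string must be FF throughout
  const otherHash = Buffer.from(em);
  otherHash[em.length - 1] ^= 0x01; // last byte of the digest changed
  return { wrongType, brokenPad, otherHash };
}

// Constructed sample: same message and modulus length as the example above.
const K = 64;
const MSG = Buffer.from("Hello World", "ascii");
const em = emsaPkcs1v15Sha1(MSG, K);
console.log("Expected Plain :", em.toString("hex"));
console.log("Good block     :", checkRecoveredBlock(em, MSG, K));
for (const [name, block] of Object.entries(malformedSamples(em))) {
  console.log(name.padEnd(15) + ":", checkRecoveredBlock(block, MSG, K));
}
```
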


sign()

Prototype

ByteString sign(ByteString message)

Description

Call C_Sign() to finish a PKCS#11 signature operation.

The method returns the signature.

Arguments

| Type | Name | Description |
|---|---|---|
| ByteString | message | Message to be signed |

Return

| Type | Description |
|---|---|
| ByteString | Signature |

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// See PKCS11Session.signInit() for a complete example

signUpdate()

Prototype

signUpdate(ByteString message)

Description

Call C_SignUpdate() to continue a PKCS#11 signature operation.

Arguments

| Type | Name | Description |
|---|---|---|
| ByteString | message | Partial message to be signed |

Return

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// See PKCS11Session.signInit() for a complete example

signFinal()

Prototype

ByteString signFinal()

Description

Call C_SignFinal() to finish a PKCS#11 signature operation.

The method returns the signature.

Return

| Type | Description |
|---|---|
| ByteString | Signature |

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// See PKCS11Session.signInit() for a complete example

verifyInit()

Prototype

verifyInit(Number mechanism, PKCS11Object key)

verifyInit(Number mechanism, Key key)

verifyInit(Number mechanism, PKCS11Object key, ByteString parameter)

verifyInit(Number mechanism, Key key, ByteString parameter)

Description

Call C_VerifyInit() to start a PKCS#11 signature verification operation.

The method accepts keys in two different formats: either as a PKCS11Object or as a Key object. The former can be obtained using the PKCS11Session.enumerateObjects() method, the latter using the KeyStore.getKeyFromKeyStore() method.

Arguments

| Type | Name | Description |
|---|---|---|
| Number | mechanism | A PKCS#11 mechanism as defined by one of the PKCS11Session.CKM_xxx constants |
| PKCS11Object | key | A PKCS11Object |
| Key | key | A Key object |
| ByteString | parameter | Parameter passed with mechanism |

Return

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// See PKCS11Session.signInit() for a complete example

verify()

Prototype

boolean verify(ByteString message, ByteString signature)

Description

Call C_Verify() to finish a PKCS#11 signature verification operation.

Arguments

| Type | Name | Description |
|---|---|---|
| ByteString | message | Message to be verified |
| ByteString | signature | Signature to be verified |

Return

| Type | Description |
|---|---|
| boolean | True if the signature is valid |

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// See PKCS11Session.signInit() for a complete example

verifyUpdate()

Prototype

verifyUpdate(ByteString message)

Description

Call C_VerifyUpdate() to continue a PKCS#11 signature verification operation.

Arguments

| Type | Name | Description |
|---|---|---|
| ByteString | message | Partial message to be verified |

Return

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// See PKCS11Session.signInit() for a complete example

verifyFinal()

Prototype

boolean verifyFinal(ByteString signature)

Description

Call C_VerifyFinal() to finish a PKCS#11 signature verification operation.

Return

| Type | Description |
|---|---|
| boolean | True if signature is valid |

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// See PKCS11Session.signInit() for a complete example

encryptInit()

Prototype

encryptInit(Number mechanism, PKCS11Object key)

encryptInit(Number mechanism, Key key)

encryptInit(Number mechanism, PKCS11Object key, ByteString parameter)

encryptInit(Number mechanism, Key key, ByteString parameter)

Description

Call C_EncryptInit() to start a PKCS#11 encryption operation.

The method accepts keys in two different formats: either as a PKCS11Object or as a Key object. The former can be obtained using the PKCS11Session.enumerateObjects() method, the latter using the KeyStore.getKeyFromKeyStore() method.

Arguments

| Type | Name | Description |
|---|---|---|
| Number | mechanism | A PKCS#11 mechanism as defined by one of the PKCS11Session.CKM_xxx constants |
| PKCS11Object | key | A PKCS11Object |
| Key | key | A Key object |
| ByteString | parameter | Parameter passed with mechanism |

Return

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// Login as user in a read/write session
var s = new PKCS11Session(p, 1, true);
s.login("12345678");

// Define 3 different single DES key values
var keyval1 = new ByteString("7CA110454A1A6E57", HEX);
var keyval2 = new ByteString("0131D9619DC1376E", HEX);
var keyval3 = new ByteString("9DC1376E0131D961", HEX);

// Create crypto object for internal reference
var crypto = new Crypto();

// Create DES session key
var attr = new Array();

attr[PKCS11Object.CKA_CLASS] = PKCS11Object.CKO_SECRET_KEY;
attr[PKCS11Object.CKA_KEY_TYPE] = PKCS11Object.CKK_DES;
attr[PKCS11Object.CKA_LABEL] = "MyPrivateDESKey1";
attr[PKCS11Object.CKA_ID] = new ByteString("0101", HEX);
attr[PKCS11Object.CKA_TOKEN] = false;
attr[PKCS11Object.CKA_SENSITIVE] = true;
attr[PKCS11Object.CKA_EXTRACTABLE] = false;
attr[PKCS11Object.CKA_VALUE] =  keyval1;

var k1p11 = new PKCS11Object(s, attr);

// Internal reference
var k1ref = new Key();
k1ref.setComponent(Key.DES, keyval1);


// Create DES2 session key
var attr = new Array();

attr[PKCS11Object.CKA_CLASS] = PKCS11Object.CKO_SECRET_KEY;
attr[PKCS11Object.CKA_KEY_TYPE] = PKCS11Object.CKK_DES2;
attr[PKCS11Object.CKA_LABEL] = "MyPrivateDESKey2";
attr[PKCS11Object.CKA_ID] = new ByteString("0102", HEX);
attr[PKCS11Object.CKA_TOKEN] = false;
attr[PKCS11Object.CKA_SENSITIVE] = true;
attr[PKCS11Object.CKA_EXTRACTABLE] = false;
attr[PKCS11Object.CKA_VALUE] =  keyval1.concat(keyval2);

var k2p11 = new PKCS11Object(s, attr);

// Internal reference
var k2ref = new Key();
k2ref.setComponent(Key.DES, keyval1.concat(keyval2));


// Create DES3 session key
var attr = new Array();

attr[PKCS11Object.CKA_CLASS] = PKCS11Object.CKO_SECRET_KEY;
attr[PKCS11Object.CKA_KEY_TYPE] = PKCS11Object.CKK_DES3;
attr[PKCS11Object.CKA_LABEL] = "MyPrivateDESKey3";
attr[PKCS11Object.CKA_ID] = new ByteString("0103", HEX);
attr[PKCS11Object.CKA_TOKEN] = false;
attr[PKCS11Object.CKA_SENSITIVE] = true;
attr[PKCS11Object.CKA_EXTRACTABLE] = false;
attr[PKCS11Object.CKA_VALUE] =  keyval1.concat(keyval2).concat(keyval3);

var k3p11 = new PKCS11Object(s, attr);

// Internal reference
var k3ref = new Key();
k3ref.setComponent(Key.DES, keyval1.concat(keyval2).concat(keyval3));


var message = new ByteString("Hello World !!!!", ASCII);
var iv = new ByteString("0000000000000000", HEX);


// Encrypt with PKCS#11 - single step
s.encryptInit(PKCS11Session.CKM_DES_ECB, k1p11);
var cipher = s.encrypt(message);
print("Cipher : " + cipher);

// Verify with internal reference
var ref = crypto.encrypt(k1ref, Crypto.DES_ECB, message);
print("Ref    : " + ref);
assert(ref.equals(cipher));

// Decrypt with PKCS#11
s.decryptInit(PKCS11Session.CKM_DES_ECB, k1p11);
var plain = s.decrypt(cipher);
print("Plain : " + plain.toString(ASCII));
assert(plain.equals(message));

// Encrypt with PKCS#11 - multi step
s.encryptInit(PKCS11Session.CKM_DES_ECB, k1p11);
var cipher = s.encryptUpdate(message.left(8));
var cipher = cipher.concat(s.encryptUpdate(message.right(8)));

var l = s.encryptFinal();
assert(l == null);

print("Cipher : " + cipher);
assert(ref.equals(cipher));


// Encrypt with PKCS#11 - single step
s.encryptInit(PKCS11Session.CKM_DES3_ECB, k2p11);
var cipher = s.encrypt(message);
print("Cipher : " + cipher);

// Verify with internal reference
var ref = crypto.encrypt(k2ref, Crypto.DES_ECB, message);
print("Ref    : " + ref);
assert(ref.equals(cipher));

// Decrypt with PKCS#11
s.decryptInit(PKCS11Session.CKM_DES3_ECB, k2p11);
var plain = s.decrypt(cipher);
print("Plain : " + plain.toString(ASCII));
assert(plain.equals(message));

// Encrypt with PKCS#11 - multi step
s.encryptInit(PKCS11Session.CKM_DES3_ECB, k2p11);
var cipher = s.encryptUpdate(message.left(8));
var cipher = cipher.concat(s.encryptUpdate(message.right(8)));

var l = s.encryptFinal();
assert(l == null);

print("Cipher : " + cipher);
assert(ref.equals(cipher));


// Encrypt with PKCS#11 - single step
s.encryptInit(PKCS11Session.CKM_DES3_ECB, k3p11);
var cipher = s.encrypt(message);
print("Cipher : " + cipher);

// Verify with internal reference
var ref = crypto.encrypt(k3ref, Crypto.DES_ECB, message);
print("Ref    : " + ref);
assert(ref.equals(cipher));

// Decrypt with PKCS#11
s.decryptInit(PKCS11Session.CKM_DES3_ECB, k3p11);
var plain = s.decrypt(cipher);
print("Plain : " + plain.toString(ASCII));
assert(plain.equals(message));

// Encrypt with PKCS#11 - multi step
s.encryptInit(PKCS11Session.CKM_DES3_ECB, k3p11);
var cipher = s.encryptUpdate(message.left(8));
var cipher = cipher.concat(s.encryptUpdate(message.right(8)));

var l = s.encryptFinal();
assert(l == null);

print("Cipher : " + cipher);
assert(ref.equals(cipher));


// Encrypt with PKCS#11 - single step
s.encryptInit(PKCS11Session.CKM_DES_CBC, k1p11, iv);
var cipher = s.encrypt(message);
print("Cipher : " + cipher);

// Verify with internal reference
var ref = crypto.encrypt(k1ref, Crypto.DES_CBC, message, iv);
print("Ref    : " + ref);
assert(ref.equals(cipher));

// Decrypt with PKCS#11
s.decryptInit(PKCS11Session.CKM_DES_CBC, k1p11, iv);
var plain = s.decrypt(cipher);
print("Plain : " + plain.toString(ASCII));
assert(plain.equals(message));

// Encrypt with PKCS#11 - multi step
s.encryptInit(PKCS11Session.CKM_DES_CBC, k1p11, iv);
var cipher = s.encryptUpdate(message.left(8));
var cipher = cipher.concat(s.encryptUpdate(message.right(8)));

var l = s.encryptFinal();
assert(l == null);

print("Cipher : " + cipher);
assert(ref.equals(cipher));


// Encrypt with PKCS#11 - single step
s.encryptInit(PKCS11Session.CKM_DES3_CBC, k2p11, iv);
var cipher = s.encrypt(message);
print("Cipher : " + cipher);

// Verify with internal reference
var ref = crypto.encrypt(k2ref, Crypto.DES_CBC, message, iv);
print("Ref    : " + ref);
assert(ref.equals(cipher));

// Decrypt with PKCS#11
s.decryptInit(PKCS11Session.CKM_DES3_CBC, k2p11, iv);
var plain = s.decrypt(cipher);
print("Plain : " + plain.toString(ASCII));
assert(plain.equals(message));

// Encrypt with PKCS#11 - multi step
s.encryptInit(PKCS11Session.CKM_DES3_CBC, k2p11, iv);
var cipher = s.encryptUpdate(message.left(8));
var cipher = cipher.concat(s.encryptUpdate(message.right(8)));

var l = s.encryptFinal();
assert(l == null);

print("Cipher : " + cipher);
assert(ref.equals(cipher));


// Encrypt with PKCS#11 - single step
s.encryptInit(PKCS11Session.CKM_DES3_CBC, k3p11, iv);
var cipher = s.encrypt(message);
print("Cipher : " + cipher);

// Verify with internal reference
var ref = crypto.encrypt(k3ref, Crypto.DES_CBC, message, iv);
print("Ref    : " + ref);
assert(ref.equals(cipher));

// Decrypt with PKCS#11
s.decryptInit(PKCS11Session.CKM_DES3_CBC, k3p11, iv);
var plain = s.decrypt(cipher);
print("Plain : " + plain.toString(ASCII));
assert(plain.equals(message));

// Encrypt with PKCS#11 - multi step
s.encryptInit(PKCS11Session.CKM_DES3_CBC, k3p11, iv);
var cipher = s.encryptUpdate(message.left(8));
var cipher = cipher.concat(s.encryptUpdate(message.right(8)));

var l = s.encryptFinal();
assert(l == null);

print("Cipher : " + cipher);
assert(ref.equals(cipher));

// Encrypt / decrypt with RSA

// Create RSA private key
var attr = new Array();

attr[PKCS11Object.CKA_CLASS] = PKCS11Object.CKO_PRIVATE_KEY;
attr[PKCS11Object.CKA_KEY_TYPE] = PKCS11Object.CKK_RSA;
attr[PKCS11Object.CKA_LABEL] = "MyPrivateRSAKey";

attr[PKCS11Object.CKA_PRIME_1] = new ByteString("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", HEX);
attr[PKCS11Object.CKA_PRIME_2] = new ByteString("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", HEX);
attr[PKCS11Object.CKA_EXPONENT_1] = new ByteString("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", HEX);
attr[PKCS11Object.CKA_EXPONENT_2] = new ByteString("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", HEX);
attr[PKCS11Object.CKA_COEFFICIENT] = new ByteString("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", HEX);

attr[PKCS11Object.CKA_MODULUS] = new ByteString("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", HEX);
attr[PKCS11Object.CKA_PUBLIC_EXPONENT] = new ByteString("11", HEX);

var prk = new PKCS11Object(s, attr);


// Create RSA public key
var attr = new Array();

attr[PKCS11Object.CKA_CLASS] = PKCS11Object.CKO_PUBLIC_KEY;
attr[PKCS11Object.CKA_KEY_TYPE] = PKCS11Object.CKK_RSA;
attr[PKCS11Object.CKA_LABEL] = "MyPublicRSAKey";

attr[PKCS11Object.CKA_MODULUS] = new ByteString("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", HEX);
attr[PKCS11Object.CKA_PUBLIC_EXPONENT] = new ByteString("11", HEX);

var puk = new PKCS11Object(s, attr);

var message = new ByteString("Hello World !!!!", ASCII);

s.encryptInit(PKCS11Session.CKM_RSA_PKCS, puk);
var cipher = s.encrypt(message);

print("Cipher = " + cipher);

s.decryptInit(PKCS11Session.CKM_RSA_PKCS, prk);
var plain = s.decrypt(cipher);

print("Plain = " + plain.toString(ASCII));

// Close the session, as the other examples do
s.close();


encrypt()

Prototype

ByteString encrypt(ByteString message)

Description

Call C_Encrypt() to perform a PKCS#11 encryption operation.

The method returns the cipher text.

Arguments

| Type | Name | Description |
|---|---|---|
| ByteString | message | Message to be encrypted |

Return

| Type | Description |
|---|---|
| ByteString | Cipher text |

Exceptions

| Name | Value | Description |
|---|---|---|
| GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call |
| GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call |
| GPError | GPError.INVALID_TYPE | Type of argument is invalid for call |
| GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed |

Example


// See PKCS11Session.encryptInit() for a complete example

encryptUpdate()

Prototype

ByteString encryptUpdate(ByteString message)

Description

Call C_EncryptUpdate() to encrypt a block of data in a PKCS#11 encryption operation.

Arguments

Type | Name | Description
ByteString | message | Partial message to be encrypted

Return

ByteString | Cipher text

Exceptions

Name | Value | Description
GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call
GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call
GPError | GPError.INVALID_TYPE | Type of argument is invalid for call
GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed

Example


// See PKCS11Session.encryptInit() for a complete example

encryptFinal()

Prototype

ByteString encryptFinal()

Description

Call C_EncryptFinal() to finish a PKCS#11 encryption operation.

The method returns the last encrypted block or null, depending on the algorithm.

Return

ByteString | Last encrypted block or null

Exceptions

Name | Value | Description
GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call
GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed

Example


// See PKCS11Session.encryptInit() for a complete example

decryptInit()

Prototype

decryptInit(Number mechanism, PKCS11Object key)

decryptInit(Number mechanism, Key key)

decryptInit(Number mechanism, PKCS11Object key, ByteString parameter)

decryptInit(Number mechanism, Key key, ByteString parameter)

Description

Call C_DecryptInit() to start a PKCS#11 decryption operation.

The method accepts the key in one of two forms: as a PKCS11Object or as a Key object. The former can be obtained using the PKCS11Session.enumerateObjects() methods, the latter using the KeyStore.getKeyFromKeyStore() method.

Arguments

Type | Name | Description
Number | mechanism | A PKCS#11 mechanism as defined by one of the PKCS11Session.CKM_xxx constants
PKCS11Object | key | A PKCS11Object
Key | key | A Key object
ByteString | parameter | Parameter passed with mechanism

Return

Exceptions

Name | Value | Description
GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call
GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call
GPError | GPError.INVALID_TYPE | Type of argument is invalid for call
GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed

Example


// See PKCS11Session.encryptInit() for a complete example

decrypt()

Prototype

ByteString decrypt(ByteString message)

Description

Call C_Decrypt() to perform a PKCS#11 decryption operation.

The method returns the plain text.

Arguments

Type | Name | Description
ByteString | message | Message to be decrypted

Return

ByteString | Plain text

Exceptions

Name | Value | Description
GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call
GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call
GPError | GPError.INVALID_TYPE | Type of argument is invalid for call
GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed

Example


// See PKCS11Session.encryptInit() for a complete example

decryptUpdate()

Prototype

ByteString decryptUpdate(ByteString message)

Description

Call C_DecryptUpdate() to decrypt a block of data in a PKCS#11 decryption operation.

Arguments

Type | Name | Description
ByteString | message | Partial message to be decrypted

Return

ByteString | Plain text

Exceptions

Name | Value | Description
GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call
GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call
GPError | GPError.INVALID_TYPE | Type of argument is invalid for call
GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed

Example


// See PKCS11Session.encryptInit() for a complete example

decryptFinal()

Prototype

ByteString decryptFinal()

Description

Call C_DecryptFinal() to finish a PKCS#11 decryption operation.

The method returns the last decrypted block or null, depending on the algorithm.

Return

ByteString | Last decrypted block or null

Exceptions

Name | Value | Description
GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call
GPError | GPError.CRYPTO_FAILED | PKCS#11 operation failed

Example


// See PKCS11Session.encryptInit() for a complete example
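Added example (not part of the OpenSCDP documentation): a helper that drives encryptInit()/encryptUpdate()/encryptFinal(), or the decrypt counterparts, as one multi-part operation and handles the null that encryptFinal() and decryptFinal() can return. The names appendBlock, cryptParts, FakeSession and demo are hypothetical; FakeSession is a constructed stand-in for a token with plain strings in place of ByteString, and treating an empty or null Update result like a null Final result is an assumption, since the page does not say what Update returns while input is buffered.

```javascript
// Added example, not OpenSCDP code. All function names here are hypothetical.

// Append one output block. encryptFinal()/decryptFinal() may return null;
// an empty or null Update result is skipped the same way (assumption).
function appendBlock(acc, block) {
    if (block === null || block === undefined || block.length === 0) {
        return acc;
    }
    return (acc === null) ? block : acc.concat(block);
}

// Run one multi-part operation over `parts` (an array of ByteString) and return
// the concatenated result, or null if the token produced no output at all.
function cryptParts(session, decrypt, mechanism, key, parts) {
    var out = null;
    if (decrypt) {
        session.decryptInit(mechanism, key);
    } else {
        session.encryptInit(mechanism, key);
    }
    for (var i = 0; i < parts.length; i++) {
        var block = decrypt ? session.decryptUpdate(parts[i])
                            : session.encryptUpdate(parts[i]);
        out = appendBlock(out, block);
    }
    return appendBlock(out, decrypt ? session.decryptFinal() : session.encryptFinal());
}

// Constructed stand-in for PKCS11Session so the helper can be exercised without
// a token: strings stand in for ByteString, output leaves in 4-character blocks.
function FakeSession() { this.buf = ""; this.enc = true; }
FakeSession.prototype.encryptInit = function () { this.buf = ""; this.enc = true; };
FakeSession.prototype.decryptInit = function () { this.buf = ""; this.enc = false; };
FakeSession.prototype.flush = function (n) {
    var out = this.buf.substring(0, n);
    this.buf = this.buf.substring(n);
    if (out.length === 0) { return null; }
    return this.enc ? out.toUpperCase() : out.toLowerCase();
};
FakeSession.prototype.encryptUpdate = FakeSession.prototype.decryptUpdate = function (part) {
    this.buf += part;
    return this.flush(this.buf.length - (this.buf.length % 4));
};
FakeSession.prototype.encryptFinal = FakeSession.prototype.decryptFinal = function () {
    return this.flush(this.buf.length);
};

// Constructed sample input: three uneven parts, then a single-part round trip.
function demo() {
    var s = new FakeSession();
    var cipher = cryptParts(s, false, 0, null, ["he", "llo wor", "ld"]);
    return [cipher, cryptParts(s, true, 0, null, [cipher])];
}
```

With a real token, pass the PKCS11Session, one of the PKCS11Session.CKM_xxx constants and a PKCS11Object or Key in place of the stand-in values used in demo().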

close()

Prototype

close()

Description

Close the session.

Return

Exceptions

Name | Value | Description
GPError | GPError.ARGUMENTS_MISSING | Too few arguments in call
GPError | GPError.INVALID_ARGUMENTS | Too many arguments in call
GPError | GPError.INVALID_TYPE | Type of argument is invalid for call

Example


var s = new PKCS11Session(p, 1, false);
s.close();