Troubleshooting (PKCS11 RSA Private Key Exception)

Problem:

When using a PKCS11 device as a keystore within an NAS2 Sender configuration to sign a message, the following error message is displayed:

DEBUG (W.SmartSend.1) {com.ibi.agents.XDNAS2EmitAgent} Error emitting NAS2: XD[FAIL] cause: 0 subcause: 0 message: java.io.IOException: java.security.InvalidKeyException: Supplied key (sun.security.pkcs11.P11Key$P11PrivateKey) is not a RSAPrivateKey instance
   at org.bouncycastle.mail.smime.SMIMESignedGenerator$ContentSigner.write(Unknown Source)
   at org.bouncycastle.mail.smime.handlers.PKCS7ContentHandler.writeTo(Unknown Source)
   at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:883)

Solution:

The problem usually results from an incorrect S/MIME JCE Cryptography Provider setting on the NAS2 Sender side. A private key held on a PKCS11 device is exposed to Java only as a P11PrivateKey handle, not as an RSAPrivateKey, so the software-only "BC" provider cannot use it; the signing must be performed by the SunPKCS11 provider that fronts the device. Confirm that you have selected the provider that corresponds to your device and are not using the default "BC" provider. The following are some examples:

Device: G&D Smart Card USB Key

Provider: SunPKCS11-StarSign

Device: nCipher HSM module

Provider: SunPKCS11-nShield

Note that each PKCS11 device has its own corresponding S/MIME JCE Cryptography Provider. However, all PKCS11-based provider names start with "SunPKCS11-".
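The following diagnostic, added here as an example and not part of iWay's own code, lists the registered SunPKCS11-* providers and shows why the key type matters: each key entry is reported with its Java class (a P11PrivateKey handle, not an RSAPrivateKey), and a test signature is made through the device's own provider, which is the only path that works because the private key never leaves the token. It assumes the provider is already registered in the JRE's java.security file and that the token PIN is passed as the first argument (hypothetical).

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;
import java.util.Enumeration;

// Added diagnostic, not iWay code. Assumes the SunPKCS11 provider for the device
// is already registered in java.security, so it appears in Security.getProviders()
// under a name such as SunPKCS11-StarSign or SunPKCS11-nShield.
public class Pkcs11ProviderCheck {
    public static void main(String[] args) throws Exception {
        char[] pin = args.length > 0 ? args[0].toCharArray() : null; // hypothetical: token PIN
        for (Provider p : Security.getProviders()) {
            if (!p.getName().startsWith("SunPKCS11-")) continue;
            System.out.println("PKCS11 provider: " + p.getName());
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!ks.isKeyEntry(alias)) continue;
                Key key = ks.getKey(alias, pin);
                // Keys held on the token are P11Key handles, not RSAPrivateKey objects:
                // any code path that casts to RSAPrivateKey (the "BC" provider path)
                // fails with the InvalidKeyException shown in the problem description.
                System.out.printf("  alias=%s class=%s RSAPrivateKey=%b%n",
                        alias, key.getClass().getName(), key instanceof RSAPrivateKey);
                if (!(key instanceof PrivateKey)) continue;
                // Signing must be routed through the same provider so that the
                // device performs the RSA operation and the key stays on the token.
                try {
                    Signature sig = Signature.getInstance("SHA256withRSA", p);
                    sig.initSign((PrivateKey) key);
                    sig.update("probe".getBytes("UTF-8"));
                    System.out.printf("  signed OK via %s (%d-byte signature)%n",
                            p.getName(), sig.sign().length);
                } catch (Exception e) {
                    // e.g. a non-RSA key on the token; report and move on
                    System.out.printf("  cannot sign with %s: %s%n", alias, e);
                }
            }
        }
    }
}
```

Run it with the same JRE the NAS2 Sender uses; if no provider name is printed, the SunPKCS11 configuration is not registered and the Sender cannot select it either.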


iWay Software