1. I cannot export my private key from Microsoft's key store. What shall I do?
2. I get an InvalidKeyException with the error message "Key must be an instance of RSAPublicKey or RSAPrivateCrtKey". What is wrong?
3. I get a BadPaddingException when I try to encrypt data that is more than 117 bytes long. The RSA key used for encryption is of length 1024 bits. What is wrong?
4. I get a RuntimeException when I'm calling the getCertificate(String) and getCertificateChain(String) methods on a KeyStore instance. What is wrong?
5. I get a JCAPIJNIRuntimeException with error code 14 when I try to decrypt encrypted data. What is wrong?
6. My hardware token (Smartcard, USB token etc.) is not supported by JCAPI. What shall I do?
7. I get a BadPaddingException with error message "Decryption failed. Exception raised in JCAPI.DLL: JCAPICipher_decrypt() - Could not decrypt data. This function is not supported on this system." when I'm decrypting some encrypted data. What is wrong?
8. I get a com.pheox.jcapi.JCAPIJNIRuntimeException exception with error message "JCAPISymmetricCipherDynamic_setKey() - Could not enumerate algorithms. No more data is available." and error code "0x00000103". What is wrong?
9. I get a java.security.NoSuchAlgorithmException exception with error message "Algorithm RC2 not available" and "Algorithm RC4 not available". What is wrong?
10. I get a com.pheox.jcapi.JCAPIJNIRuntimeException exception with error message "JCAPIHash_hashInit() - Could not initialize hash operation. Invalid algorithm specified." and error code "0x80090008". How can I resolve it?
11. I get an SSLException with the following cause: java.security.InvalidKeyException: Key must be an instance of RSAPublicKey. What's wrong?
12. I get a com.pheox.jcapi.JCAPIJNIRuntimeException with error message "JCAPIAsymmetricCipherDynamic_encrypt() - Could not determine the size of the buffer to hold the encrypted data. Invalid flags specified." and error code "0x80090009". How can I solve it?
13. I get a java.security.SignatureException with error message "JCAPISignature_hashInit() - Could not initialize hash operation. Invalid algorithm specified." and error code "0x80090008". How can I solve it?
14. I get a java.security.InvalidKeyException: Illegal key size or default parameters. How can I solve it?
15. I get the error JCAPISignature_sign() - Could not sign the hash. Bad Length. My RSA private key has a length of 512 bits. What can I do to solve it?
1. I cannot export my private key from Microsoft's key store. What shall I do?
Answer:
Try the following code:

```java
import java.security.Key;
import java.security.KeyStore;
import com.pheox.jcapi.*;

public class ExportCheck {
    public static void main(String[] args) throws Exception {
        // Ask JCAPI to export private key material (only possible if the CSP allows it)
        JCAPIProperties.getInstance().setPrivateKeyExportable(true);
        String alias = "<The certificate alias>";
        KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
        ks.load(null, null);
        Key k = ks.getKey(alias, null);
        // JCAPIRSAPrivateKey/JCAPIDSAPrivateKey carry only a handle into Microsoft's key store, no key material
        if (k instanceof JCAPIRSAPrivateKey || k instanceof JCAPIDSAPrivateKey)
            System.err.println("Your private key is not exportable from Microsoft's key store. Sorry, there's nothing more to do.");
        else
            System.out.println("The JCAPI properties were set to not export private keys. Your private key is now exported.");
    }
}
```
Note: as a security precaution, we do not recommend exporting private keys from the key store, since other running processes may read the process memory and fetch the private key's native data. In other words, use the JCAPI export feature sparingly.
2. I get an InvalidKeyException with the error message "Key must be an instance of RSAPublicKey or RSAPrivateCrtKey". What is wrong?
Answer:
You have probably initialized the cipher with a "wrapped" RSA private key, i.e. an instance of com.pheox.jcapi.JCAPIRSAPrivateKey that contains no private key data, only an internal key handle to the private key stored in Microsoft's key store.
Our cipher implementation can only encrypt/wrap data with an RSA private key if the key itself contains native data, i.e. it must implement the java.security.interfaces.RSAPrivateCrtKey interface and contain all relevant data.
This problem occurs in any of the following situations:
The solution is to validate the key properly before it is passed to the cipher:
```java
import java.security.Key;
import java.security.KeyStore;
import java.security.interfaces.RSAPrivateCrtKey;
import javax.crypto.Cipher;
import com.pheox.jcapi.*;
public class KeyCheck {
    public static void main(String[] args) throws Exception {
        JCAPIProperties.getInstance().setPrivateKeyExportable(true);
        String alias = "<The certificate alias>";
        char[] password = "<The password of the private key>".toCharArray();  // KeyStore.getKey() takes a char[]
        KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
        ks.load(null, null);
        Key k = ks.getKey(alias, password);
        // Only a key carrying its CRT parameters can be used for encryption; a wrapped handle makes init() fail
        if (k instanceof RSAPrivateCrtKey) {
            Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding", "JCAPI");
            c.init(Cipher.ENCRYPT_MODE, k);
        } else {
            System.err.println("The private key is not exportable and cannot be used for RSA encryption with JCAPI.");
        }
    }
}
```
Note: as a security precaution, we do not recommend exporting private keys from the key store, since other running processes may read the process memory and fetch the private key's native data. In other words, use the JCAPI export feature sparingly.
3. I get a BadPaddingException when I try to encrypt data that is more than 117 bytes long. The RSA key used for encryption is of length 1024 bits. What is wrong?
Answer:
With PKCS#1 padding, RSA can only encrypt data whose byte length is at most the RSA key length in bits divided by eight, minus the eleven bytes taken by the padding, i.e. maximum number of bytes = key length in bits / 8 - 11.
In your case that means 1024 / 8 - 11 = 117.
If you used an RSA key of length 2048 bits, you would be able to encrypt 245 bytes of data, and so on.
4. I get a RuntimeException when I'm calling the getCertificate(String) and getCertificateChain(String) methods on a KeyStore instance. What is wrong?
Answer:
The most probable cause is the X.509 certificate factory included in Java 1.4, since the X.509 standard is not adequately implemented there. The default X.509 certificate factory used in JCE is implemented by Oracle and cannot re-create certain certificates from a DER encoded stream.
The solution is to upgrade to a more recent version of Java (version 1.5 or higher) or to replace the certificate factory with a more stable provider, e.g. Bouncy Castle (freeware) or IAIK (commercial).
5. I get a JCAPIJNIRuntimeException with error code 14 when I try to decrypt encrypted data. What is wrong?
Answer:
This will most likely occur when a private key cannot be accessed for decryption through PKCS#11 because of a restriction defined by the CSP. For example, the private key belonging to the identification certificate will work fine for the intended operation, while accessing the private key of the signature certificate might throw the above exception.
6. My hardware token (Smartcard, USB token etc.) is not supported by JCAPI. What shall I do?
Answer:
JCAPI has built-in support for a number of PKCS#11 CSPs (Cryptographic Service Providers); please read the JCAPI User's Guide for the current list of supported CSPs. If your CSP is supported by JCAPI but still doesn't work, then please send us a bug report.
If the CSP on your hardware token is not supported by JCAPI, then you can still try to make it work with JCAPI. First you have to gather the following information (ask the manufacturer of your hardware token about it): the name of your CSP and the filename of your CSP's PKCS#11 DLL. Call JCAPIUtil.getCSPs() to get a list of the CSPs installed on your computer. Then register the CSP with JCAPI:

```java
import com.pheox.jcapi.*;

// The CSP name as listed by JCAPIUtil.getCSPs(), and the CSP's PKCS#11 library file
String cspName = "<The name of your CSP>";
String dllName = "<The filename of your CSP's PKCS#11 DLL>";
JCAPIPKCS11Util.addPKCS11CSP(cspName, dllName);
```

If it still doesn't work, then please contact us. One of the goals of JCAPI is to support as many CSPs as possible.
7. I get a BadPaddingException with error message "Decryption failed. Exception raised in JCAPI.DLL: JCAPICipher_decrypt() - Could not decrypt data. This function is not supported on this system." when I'm decrypting some encrypted data. What is wrong?
Answer:
The most probable cause of this exception is that you're trying to decrypt data using a private key that is stored on a hardware token using a CSP (Cryptographic Service Provider) that is not supported by JCAPI. Read question 6 for a possible solution.
8. I get a com.pheox.jcapi.JCAPIJNIRuntimeException exception with error message "JCAPISymmetricCipherDynamic_setKey() - Could not enumerate algorithms. No more data is available." and error code "0x00000103". What is wrong?
Answer:
That's because AES is not supported on Windows 2000 and earlier operating systems from Microsoft. The AES algorithm was introduced into MS CAPI starting from Windows XP.
9. I get a java.security.NoSuchAlgorithmException exception with error message "Algorithm RC2 not available" and "Algorithm RC4 not available". What is wrong?
Answer:
Those algorithms are not supported by the default providers shipped with Java 1.4. You have to upgrade to a more recent version of Java (version 1.5 or higher) or use a third party JCE provider. JCAPI is not shipped with an RC2/RC4 key generator provider implementation.
10. I get a com.pheox.jcapi.JCAPIJNIRuntimeException exception with error message "JCAPIHash_hashInit() - Could not initialize hash operation. Invalid algorithm specified." and error code "0x80090008". How can I resolve it?
Answer:
That's because the SHA-2 algorithms are not supported on Windows 2000 and earlier operating systems from Microsoft. The SHA-2 algorithms were introduced into MS CAPI starting from Windows XP.
11. I get an SSLException with the following cause: java.security.InvalidKeyException: Key must be an instance of RSAPublicKey. What's wrong?
Answer:
This is a problem that resides within Java 1.4, since the JSSE implementation in that version tries to create a signature by calling JCAPI's cipher implementation for encryption using a private key, which is not possible to achieve in MS CAPI. The solution is to upgrade to a more recent version of Java (which calls the signature implementation of JCAPI instead) if you want to use JCAPI for SSL/TLS, e.g. Java 1.5 or 6.
12. I get a com.pheox.jcapi.JCAPIJNIRuntimeException with error message "JCAPIAsymmetricCipherDynamic_encrypt() - Could not determine the size of the buffer to hold the encrypted data. Invalid flags specified." and error code "0x80090009". How can I solve it?
Answer:
The OAEP padding is not supported by MS CAPI in Windows 2000. Support for OAEP padding was introduced in Windows XP.
13. I get a java.security.SignatureException with error message "JCAPISignature_hashInit() - Could not initialize hash operation. Invalid algorithm specified." and error code "0x80090008". How can I solve it?
Answer:
That's because the SHA-2 algorithms are not supported on Windows 2000 and earlier operating systems from Microsoft. The SHA-2 algorithms were introduced into MS CAPI starting from Windows XP.
14. I get a java.security.InvalidKeyException: Illegal key size or default parameters. How can I solve it?
Answer:
You have to download and install the Unlimited Strength Jurisdiction Policy Files for your Java version from Sun.
If you're using Java 6, then you can download them from here.
15. I get the error JCAPISignature_sign() - Could not sign the hash. Bad Length. My RSA private key has a length of 512 bits. What can I do to solve it?
Answer:
The problem is that your RSA key is simply too short to hold your hash value. The hash algorithm SHA-384 produces a hash value of 48 bytes, while SHA-512 produces one of 64 bytes. The solution is either to use a shorter hash, for example SHA256withRSA, or to use longer RSA keys, for example 1024 bits.
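The size rules behind answers 3 and 15 (and the OAEP padding of answer 12), collected in one small Java utility as an added example that is not JCAPI code: the PKCS#1 v1.5 and OAEP plaintext limits for RSA encryption, and the smallest modulus that can carry a PKCS#1 v1.5 signature once the hash is wrapped in its DER DigestInfo header (RFC 8017, section 9.2), which is why SHA256withRSA still fits a 512-bit key while SHA384withRSA does not. The class name RsaSizeCheck and the hash-length table are the example's own; it assumes Java 7 or newer for the string switch.

```java
import java.security.interfaces.RSAKey;

/** Added example, not part of JCAPI: RSA size limits behind FAQ answers 3, 12 and 15. */
public final class RsaSizeCheck {
    /** Output length of the hash in bytes (SHA-1 and SHA-2 family). */
    static int hashLen(String hash) {
        switch (hash) {
            case "SHA-1":   return 20;
            case "SHA-256": return 32;
            case "SHA-384": return 48;
            case "SHA-512": return 64;
            default: throw new IllegalArgumentException("unsupported hash " + hash);
        }
    }

    /** Bytes of DER DigestInfo header that PKCS#1 v1.5 signing prepends to the hash (RFC 8017, 9.2 note 1). */
    static int digestInfoHeaderLen(String hash) {
        return hash.equals("SHA-1") ? 15 : 19;    // SHA-256/384/512 all use a 19-byte header
    }

    /** Largest plaintext that RSA/ECB/PKCS1Padding can encrypt with a modulus of keyBits bits. */
    public static int maxPkcs1PlaintextBytes(int keyBits) {
        return keyBits / 8 - 11;                  // 1024 -> 117, 2048 -> 245 (answer 3)
    }

    /** Same limit for RSA/ECB/OAEPPadding with the given hash: k - 2*hLen - 2 (RFC 8017, 7.1.1). */
    public static int maxOaepPlaintextBytes(int keyBits, String hash) {
        return keyBits / 8 - 2 * hashLen(hash) - 2;   // 1024 with SHA-1 -> 86
    }

    /** Smallest modulus length in bits that can carry a PKCS#1 v1.5 signature over the hash. */
    public static int minSigningKeyBits(String hash) {
        int tLen = digestInfoHeaderLen(hash) + hashLen(hash);  // length of the encoded DigestInfo
        return (tLen + 11) * 8;                   // SHA-256 -> 496, SHA-384 -> 624, SHA-512 -> 752
    }

    /** Check to run before Signature.initSign(): avoids the "Bad Length" failure of answer 15. */
    public static boolean canSign(RSAKey key, String hash) {
        return key.getModulus().bitLength() >= minSigningKeyBits(hash);
    }

    public static void main(String[] args) {
        for (int bits : new int[] {512, 1024, 2048})
            System.out.printf("%4d-bit RSA: PKCS#1 v1.5 encrypts up to %d bytes, OAEP/SHA-1 up to %d%n",
                    bits, maxPkcs1PlaintextBytes(bits), maxOaepPlaintextBytes(bits, "SHA-1"));
        for (String h : new String[] {"SHA-256", "SHA-384", "SHA-512"})
            System.out.printf("%s needs a modulus of at least %d bits%n", h, minSigningKeyBits(h));
    }
}
```

A 512-bit key passes canSign() for SHA-256 (496 bits needed) but fails for SHA-384 and SHA-512, matching the behaviour described in answer 15.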
Answer:
Basically, JCAPI is licensed under the terms of a non-transferable, non-exclusive company license.
Pheox currently sells the rights to use JCAPI through two different license models:
The following applies for both license models:
By acquiring a JCAPI license, the licensed company has bought the rights to use JCAPI according to the terms stated by the license agreement. It does not mean that the licensed company owns the JCAPI product itself.
It is important to know that the license is bound to a single company only. For example, if a subsidiary company develops a JCAPI based product that is owned by its parent company, then two licenses must be acquired even though the companies are members of the same company group.
In short, the license agreement is as follows:
A licensed company is granted the right to:
A licensed company is NOT granted the right to:
The rights of a licensed company to use JCAPI expire when:
The following additional rights are valid per license model:
Unlimited Runtime License:
Single Runtime License:
Pheox is not liable for any damages caused by the use of the JCAPI product.
Answer:
Yes, the license allows you to use JCAPI in an unlimited number of copies of your application, and better still, you are allowed to use it in an unlimited number of applications that are owned/manufactured by your company.
It does however require that the functions/interface of JCAPI are only accessed and used by your application(s) and not by the user(s) of your application(s). Simply put, you cannot directly or indirectly expose the JCAPI interface to any party other than your company.
Answer:
No, you are not allowed to include JCAPI in a product that is sold or transferred as a development library (or SDK). You are not allowed to expose the interface of JCAPI, and you cannot circumvent this by adding wrapper-classes around the JCAPI functionality.
You are of course allowed to use JCAPI in your own proprietary software libraries that are used for building your applications though.
4. How is the evaluation version of JCAPI licensed, and are all functions available?
Answer:
It can only be used for internal evaluation purposes. All other usage is prohibited.
All JCAPI functions are available in the evaluation version. However, the evaluation version can only be used during a limited period of time (60 days) until it will stop functioning. After the evaluation version has expired, you are welcome to download another evaluation copy if needed. You are also, of course, welcome to buy a JCAPI license.
5. Are there any other types of license agreements available, e.g. for non-profit organisations?
Answer:
Currently, there are no such license agreements available.
We've been thinking of introducing a special developers license for companies that would want to adapt, extend or brand the JCAPI source code with their own products.
6. Are there any free upgrades included when buying a JCAPI license?
Answer:
Yes, you are entitled to free updates containing bug fixes and minor enhancements in functionality. To understand this better, it is good to know how version numbers apply to JCAPI. A version of JCAPI is defined as four numbers separated by dots, e.g. 1.2.0.4
A version can thus be declared as:
a.b.c.d
where:
a = Major release. New functionality and new classes are introduced. The interface of a previous version might also have been changed or removed. Example: adding major functionality, new concepts or new technologies into JCAPI.
b = Minor release. Extends the current functionality with new classes or methods that do not affect the underlying design/architecture. The interface of a previous version is kept intact, but may be noted as deprecated. Example: new PKCS#11 providers are supported, or more functionality is added to existing classes/interfaces.
c = Bug fixes (patches) available to the public. This number is also incremented when JCAPI is re-signed with a new code signing certificate because the old one is about to expire.
d = Used internally during system test of JCAPI.
To conclude, you are entitled to free upgrades of JCAPI when b and c are incremented.
1. What Windows operating systems are supported with JCAPI?
Answer:
JCAPI exists in both 32-bit and 64-bit editions to be executed on the x86 and x64 platforms respectively.
JCAPI has been successfully tested and verified on the following 32-bit operating systems:
JCAPI has been successfully tested and verified on the following 64-bit operating systems:
If you need JCAPI to run on other operating systems than the ones stated above, then please contact us.
2. What Java versions are supported with JCAPI?
Answer:
JCAPI and its native DLL file can be executed and linked with Java on both x86 and x64 platforms.
JCAPI has been successfully tested and verified with the following 32-bit Java versions:
JCAPI has been successfully tested and verified with the following 64-bit Java versions:
If you need JCAPI to be executed with other Java versions than the ones stated above, then please contact us.
For further information and details, please read the JCAPI User's Guide.