Using an Aladdin eToken with Java keytool

The Aladdin eToken is a great little security device when you have sensitive private key material to protect. It is a convenient USB solution in that it supports all major operating systems with a PKCS#11 driver, which also means it integrates with Java on all major platforms (through the SunPKCS11 Security Provider).

The one problem we have come across with the device is trying to create keys on it using the standard Java keytool application. There are two errors you'll almost certainly face, both in the form of a sun.security.pkcs11.wrapper.PKCS11Exception.

Error 1: CKR_ATTRIBUTE_TYPE_INVALID

This error (we found) pops up when you don't specify the key algorithm on the command line. keytool defaults to DSA, so you need to pass "-keyalg RSA" to ensure that an RSA key is generated for the eToken.

Error 2: CKR_TEMPLATE_INCONSISTENT

This one is a little nastier. It's not well documented, but effectively keytool doesn't generate signatures that the eToken's PKCS#11 implementation likes (we couldn't find any tool other than the eToken software that did). Under Windows you need a registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Aladdin\eToken\MIDDLEWARE\GENERAL

The key is a DWORD value, "TolerantX509Attributes", set to "1". But what about Mac and Linux? There you'll need to find the eToken config file, /etc/eToken.conf, and under its "[GENERAL]" section add the line:

TolerantX509Attributes=1

This will allow keytool (and other PKCS#11 tools) to generate and store keypairs on your USB eToken.

A Command Line Example

keytool -v -genkeypair -keyalg RSA -alias myKey -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/me/pkcs11.conf
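To put the two fixes together, here is an added shell example (not from the original post) that writes the SunPKCS11 provider config referenced by -providerArg, adds TolerantX509Attributes=1 to the [GENERAL] section of eToken.conf without duplicating it, and builds the keytool command with -keyalg RSA. The library path /usr/lib/libeTPkcs11.so and slotListIndex=0 are assumptions; check your eToken installation for the real values.

```shell
#!/bin/sh
# Added example, not part of the original post. Prepares the two config
# files keytool needs before it can create an RSA keypair on an eToken.

# Write the SunPKCS11 provider config that is passed via -providerArg.
# $1 = output path, $2 = path of the eToken PKCS#11 library (assumed).
write_pkcs11_conf() {
  cat > "$1" <<EOF
name = eToken
library = $2
slotListIndex = 0
EOF
}

# Idempotently set TolerantX509Attributes=1 in the [GENERAL] section of an
# eToken.conf ($1): creates the section if missing, leaves an existing
# correct line alone, rewrites a line set to another value, drops duplicates.
set_tolerant_x509() {
  f="$1"
  [ -f "$f" ] || : > "$f"
  if grep -q '^\[GENERAL\]' "$f"; then
    awk '
      /^\[/ { if (in_gen && !done) { print "TolerantX509Attributes=1"; done=1 }
              in_gen = ($0 == "[GENERAL]") }
      in_gen && /^TolerantX509Attributes=/ {
              if (!done) { print "TolerantX509Attributes=1"; done=1 }; next }
      { print }
      END { if (in_gen && !done) print "TolerantX509Attributes=1" }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  else
    printf '\n[GENERAL]\nTolerantX509Attributes=1\n' >> "$f"
  fi
}

# Print the keytool command for generating an RSA keypair on the token,
# with -keyalg RSA so CKR_ATTRIBUTE_TYPE_INVALID does not occur.
# $1 = key alias, $2 = SunPKCS11 config path.
keytool_genkeypair_cmd() {
  printf 'keytool -v -genkeypair -keyalg RSA -alias %s -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg %s\n' "$1" "$2"
}
```

Editing /etc/eToken.conf requires root, so run set_tolerant_x509 on it with sudo and then execute the printed keytool command as the user who owns the token session.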

One Response to “Using an Aladdin eToken with Java keytool”

  1. Mike Says:

    Thanks for the tip on TolerantX509Attributes!
