Using an Aladdin eToken with Java keytool

The Aladdin eToken is a great little security device when you have sensitive private key information. They are a great USB solution in that they support all major operating systems with a PKCS#11 driver. This means they also integrate with Java on all major platforms (through the SunPKCS11 Security Provider).

The one problem we have come across with the device is trying to create keys on it using the standard Java keytool application. There are two errors you’ll almost certainly face, both in the form of a sun.security.pkcs11.wrapper.PKCS11Exception.

Error 1: CKR_ATTRIBUTE_TYPE_INVALID

This error (we found) pops up when you don’t specify the key algorithm on the command line. You need to specify “-keyalg RSA” to ensure that an RSA key (instead of the default DSA) is generated for the eToken.

Error 2: CKR_TEMPLATE_INCONSISTENT

This one is a little more nasty. It’s not well documented, but effectively the keytool doesn’t generate signatures that the eToken’s PKCS#11 implementation likes (we couldn’t find any tool other than the eToken software that did). Under Windows you need a registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Aladdin\eToken\MIDDLEWARE\GENERAL

The key is a DWORD attribute: “TolerantX509Attributes” with a value of “1”. But what about Mac and Linux? You’ll need to look for the eToken config file, /etc/eToken.conf, then under the “[GENERAL]” section of the file add the line:

TolerantX509Attributes=1

This will allow keytool (and other PKCS#11 tools) to generate and store keypairs on your USB eToken.

A Command Line Example

keytool -v -genkeypair -keyalg RSA -alias myKey -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/me/pkcs11.conf
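The two fixes above, as an added example (this is not code from the original post or from the eToken vendor): a POSIX shell script that sets TolerantX509Attributes=1 under [GENERAL] in an eToken.conf-style file without duplicating it on repeated runs, writes a minimal SunPKCS11 provider config, and builds the keytool command with -keyalg RSA. It assumes an INI-style file with a literal “[GENERAL]” header; the demo runs on a constructed sample file, and the PKCS#11 library path it passes (/usr/lib/libeTPkcs11.so) is a placeholder you must replace with the path from your own eToken install.

```shell
#!/bin/sh
# Added example, not code from the original post or from Aladdin/SafeNet.
# Applies the Linux/Mac fix described above to an eToken.conf-style file
# (TolerantX509Attributes=1 under [GENERAL]) idempotently, writes a SunPKCS11
# provider config, and builds the keytool -genkeypair command with -keyalg RSA.
# Assumptions: the config file is INI-style with a literal "[GENERAL]" header,
# and the library path given to write_pkcs11_conf is correct for your install
# (the one used in the demo below is a placeholder).

# ensure_tolerant_x509 FILE
# Sets TolerantX509Attributes=1 under [GENERAL]. Safe to run repeatedly:
# an existing setting is rewritten, a missing one is inserted right after
# the header, and the section is appended if the file has none.
ensure_tolerant_x509() {
    f=$1
    if grep -q '^[[:space:]]*TolerantX509Attributes[[:space:]]*=' "$f"; then
        sed 's/^[[:space:]]*TolerantX509Attributes[[:space:]]*=.*/TolerantX509Attributes=1/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    elif grep -q '^\[GENERAL\]' "$f"; then
        # POSIX sed "a\" form with the text on the next line (GNU and BSD sed)
        sed '/^\[GENERAL\]/a\
TolerantX509Attributes=1' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '\n[GENERAL]\nTolerantX509Attributes=1\n' >> "$f"
    fi
}

# tolerant_x509_value FILE
# Prints the configured value (empty if unset), to check the edit took effect.
tolerant_x509_value() {
    sed -n 's/^[[:space:]]*TolerantX509Attributes[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# write_pkcs11_conf OUTFILE LIBRARY
# Minimal SunPKCS11 provider config: a provider name and the PKCS#11 library path.
write_pkcs11_conf() {
    printf 'name = eToken\nlibrary = %s\n' "$2" > "$1"
}

# keytool_genkeypair_cmd ALIAS PKCS11_CONF
# Prints (does not run) the keytool command from the post; -keyalg RSA avoids
# CKR_ATTRIBUTE_TYPE_INVALID, which the default DSA key type triggers on the token.
keytool_genkeypair_cmd() {
    printf 'keytool -v -genkeypair -keyalg RSA -alias %s -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg %s\n' "$1" "$2"
}

# --- demo on a constructed sample file, never on the real /etc/eToken.conf ---
demo_dir=$(mktemp -d)
printf '[GENERAL]\nExampleSetting=0\n\n[OTHER]\nAnotherSetting=1\n' > "$demo_dir/eToken.conf"
ensure_tolerant_x509 "$demo_dir/eToken.conf"
ensure_tolerant_x509 "$demo_dir/eToken.conf"      # second run changes nothing
echo "TolerantX509Attributes is now: $(tolerant_x509_value "$demo_dir/eToken.conf")"
write_pkcs11_conf "$demo_dir/pkcs11.conf" /usr/lib/libeTPkcs11.so   # placeholder library path
keytool_genkeypair_cmd myKey "$demo_dir/pkcs11.conf"
rm -rf "$demo_dir"
```

Run ensure_tolerant_x509 against /etc/eToken.conf as root once you have checked it on a copy. On Windows the equivalent step is the registry DWORD from the post, which `reg add "HKLM\SOFTWARE\Aladdin\eToken\MIDDLEWARE\GENERAL" /v TolerantX509Attributes /t REG_DWORD /d 1` creates. Note that on JDK 9 and later keytool drops -providerClass for PKCS#11 in favour of `-addprovider SunPKCS11 -providerArg <conf>`, so adjust the printed command for newer Java.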


Response to a Vista comment

This post is a response to the following comment, posted on my blog. Since the poster failed to leave any contact details, I feel I should post a comment here, since I’ve been meaning to follow up the Vista is a Linux Clone post for some time. I will be quoting from the comment in this post (so you can read the post here as I respond to it).

The Linux world is full of hearsay and conjecture, first off XP has been on the market longer than Suse.

SUSE Linux was first officially released in 1994 (and became a unique distro in 1996), Windows XP was released October 2001. That puts SUSE on the market 7 (or 5 if you take it from 1996) years before Windows XP.

Second all operating systems, tend to look the same regardless what company makes them. If beggars become choosers and looks is all the eye candy we can sue each other over, it’s like having two cold wars that literally cancel each other out.

I agree strongly that most Consumer Operating Systems do tend to look similar (with the notable exception of Mac OS). This is due to some basic user interface principles, mostly pioneered at Xerox PARC. The fact is that Linux is ahead of any other Operating System when it comes to adoption of functionality. Many of the new features people are seeing in Vista are adaptations of functionality that has existed in the Linux world for ages.

Also Vista is not all about just Directx 10, it has core features that make it more robust than most server distros. The fact you distro geeks have nothing better in mind, shows that you lack proper reasoning.

No, Vista is not about Direct X 10. But the fact that Direct X 10 sits underneath Vista’s entire graphics system raises some serious security concerns with me. Direct X 10 almost replaces the traditional driver layer of the Operating System. To me it’s a bit like Microsoft executing games in unprotected mode on the Xbox in order to give a small performance boost, i.e. just plain stupid. These layers have been put in place for a good reason, and have been built up over decades. Why throw them away, or subvert them now?

Microsoft business solutions are actually worth the price, the reason I say this is because an operating system alone means nothing if its core features are not there. It comes packed with software that actually works, sure there are bugs in MS environment.

Hrm… Are you trying to sell me something here? Having looked at Vista in the stores, I wouldn’t pay any money for any version. There is no way on this earth that any software (other than maybe a few very large database or application server systems) could possibly be worth the amount you pay for Vista. Furthermore, Vista does not come “packed with software”, it comes with a few half-hearted attempts to take on the Linux distro market. If they were serious about providing a good package, Vista would include at least:

  • Microsoft Office
  • Microsoft IIS
  • .NET Studio
  • Microsoft SQL Server
  • Adobe Acrobat Reader

Over and above what it already has.

However in the distro world you have to rewrite lines of code to fix broken or at times missing links within open source components, I’m sure you could argue that this caveat makes Linux overpowering. However if you enjoy debugging software that should run at start, it sort of makes you rethink your place in the cosmos.

In 10+ years of running Linux software, I have yet to edit a line of code in the software I run. That excludes code I’ve written myself of course. On the other hand, if you’ve ever tried getting Oracle Application Server; MySQL; Apache; or WebSphere running under a Windows machine, you too will know the meaning of true frustration. I spent 2 weeks of my life trying to get WebSphere to work, and over a month resolving file-locking issues with a web system that worked flawlessly under Linux.

Let’s talk about security, we no longer compare Vista and Linux because in the department they are at equal terms.

If you truly believe that: you are delusional. Sorry for getting a bit ranty, but this is complete rubbish. Linux takes a Unix approach to security, a system that was created decades ago, and has only evolved and improved over time. Vista throws out everything we’ve learned about security and puts the onus (in a technical, and legal sense) on the user. Linux secures everything on the file-system and network layers. Because all your inter-application communication goes through one of those two layers, it means you only have two points to guard (in a code sense). Vista expects an uninformed user to make impossible security decisions, or switch the security off.

Just like Linux, Windows also went through evolution. We can’t compare say Windows 3.11 to Vista, nor could we compare one distro to another.

I will agree that you can’t point out flaws in an older version of Windows and claim the same holds for Vista, but it doesn’t mean you can’t compare the two. What’s more, we can absolutely compare different Linux distributions, but then it comes down to what people want, and where their preferences lie.

However, what it comes down to is stability, the fact you don’t hear people complaining about issues on Linux does not mean there aren’t any, that would imply it’s a perfect OS. But there’s a problem with that analogy you see, nothing is perfect, Linux in all its glory suffers just as many flaws and holes in security when compared to something like XP.

I’m not by any measure implying that Linux is a perfect Operating System, nor even that such a system exists. I do feel strongly that it is the right choice for me, and for many of the people I live and work with. I feel limited by the lack of choice in a Windows system, and somehow I always feel that Windows systems think they know better than me. They provide convoluted, and annoying paths through config that often lead you to a dead end. Sometimes the options you change are thrown away on the next boot because some little “auto-detection” wizard or tool decides to run.

For lack of a better word it is called organization, something open source lacks, otherwise we wouldn’t be seeing millions of distros.

The writer of this comment has obviously never worked for a large software company. The Open Source world may seem chaotic from the outside, but the hallmark of the really good projects (KDE, OpenOffice, Wine, etc.) is their excellent organization and structuring of the work and project itself. A software company, on the other hand, looks organized on the outside, but is chaos on the inside.

I’ve seen deadlines and political pressure turn good ideas into steaming piles of software dung! Software that cost millions of dollars to develop. It winds up being re-written after a few years, because nobody can bear to maintain it anymore, and you know something: the process starts all over again.

Breaking the spam chain

Chain letters are a form of spam. It’s really as simple as that. I know so many people who forward these emails on, and all they’re doing is helping spread spam. We jail spammers, fine them, and yet people continue to send these emails. Most people think that spam is just some sort of by-product of the internet, just like viruses are. Let me tell you that neither viruses nor spam just come out of nowhere. They are created and sent by human beings (or in most cases software written by human beings). These are not “glitches” in code, they are systems designed specifically for one purpose: take your money away from you. It’s robbery, plain and simple, and by forwarding chain letters, you are contributing to this mess.

One of the most popular phrases I read in these things is, “Microsoft is tracking this email and will donate….” (Microsoft is sometimes AOL, or some other Big Computer Company™). The fact is: email is untraceable. No one will donate the money. It’s spam, or worse. In some (and a growing number of) cases, the images and/or hidden code within the email carries a computer virus. So by forwarding this email to 10 of your closest friends, you’re sending them a virus for their computers as well.

Don’t forward chain email, emails warning you about gangs, hijackings, or computer viruses. Not from your closest friends, and certainly not to them.
You are not helping them!

Crippled Passwords are Among us!

I love my secure passwords. Lovely passwords like “fr!bBl3~98_m0nT4=” (no, this is not a password I use, just an example of the type). This kind of mangling makes a password more difficult to guess for password breaking programmes. No, it doesn’t make them “unbreakable”, but nothing in this digital world of ours is truly “unbreakable”, but many things are “very very difficult to break”, and that’s kinda what I aim for.

When I signed up for Internet banking with my bank, I thought “nice secure password”, and typed a really horribly convoluted password, the response was “invalid password”. I picked up the phone (something I don’t do often), and called their help line, only to get told “you can only use letters and numbers in your password sir”. The frightening thing is: there are many web sites I’ve signed up to recently that have this “no symbols or spaces” password policy. What on earth is wrong with you people!?!?! You tell me to select a secure password, but then tell me the one I gave is too secure??? I see absolutely no technical (or non-technical for that matter) reason why you cannot store my horrible password.

Surely you don’t store my password as plain text in your database, do you? This is a massive potential security problem. If someone breaks into their database, they own your accounts. One of the first things I do is click the “forgot my password” link on the site. If they send me the password I typed in, I change my password and get rid of my account, simple reason: they’re storing my password somewhere. If they reset my password, or send me a random one, it’s a good indication that they are storing hashed passwords, and so my data is a bit more secure.

Be careful what sites you sign up with, how secure their data is directly affects you.