Ahmet-Kaplan / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0

Error: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding #9

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Look at my code:

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

import xades4j.production.Enveloped;
import xades4j.production.XadesBesSigningProfile;
import xades4j.production.XadesSigner;
import xades4j.production.XadesSigningProfile;
import xades4j.providers.KeyingDataProvider;

public static byte[] getSigned(byte[] xmlInput, String pin) {

    ByteArrayOutputStream bout = new ByteArrayOutputStream();

    try {
        // createPKCS11KeyStoreKeyingDataProvider is the poster's own helper (not shown here);
        // note that a new PKCS#11 keying provider is created on every call of getSigned.
        KeyingDataProvider keyingProviderMy = createPKCS11KeyStoreKeyingDataProvider(
                "C:/Program Files/CryptoTech/CryptoCard/CCPkiP11.dll", "SmartCard", "3", pin, false);

        // Parse the input document; XML signatures need a namespace-aware DOM.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);

        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xmlInput));

        Element elemToSign = doc.getDocumentElement();

        // XAdES-BES profile with the poster's algorithms provider (MyAlgorithmsProvider, not shown).
        XadesSigningProfile p = new XadesBesSigningProfile(keyingProviderMy).withAlgorithmsProvider(MyAlgorithmsProvider.class);
        XadesSigner signer = p.newSigner();
        // Enveloped signature: the ds:Signature element is appended to the signed root element.
        new Enveloped(signer).sign(elemToSign);

        // Serialise the now-signed DOM back to bytes.
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.newTransformer().transform(new DOMSource(doc), new StreamResult(bout));

    } catch (Exception ex) {
        // Any failure (including the signing exceptions described below) ends up here.
        ex.printStackTrace();
        return null;
    }

    return bout.toByteArray();
}

The first run works perfectly, but when I want to sign the document again, it shows 
me an exception: "Private keys must be instance of RSAPrivate(Crt)Key or have 
PKCS#8 encoding".

I decided to create the KeyingDataProvider only once. It works OK the first 
time, but again, after the second try it gives me another exception: 
xades4j.verification.UnexpectedJCAException: expected but could not find 
private key

Could you help me? Thanks for any hints!

Original issue reported on code.google.com by monc...@gmail.com on 7 Jul 2011 at 1:49

GoogleCodeExporter commented 9 years ago
I think I did what you're trying to do but using the Portuguese citizen card 
(i.e. multiple signatures using the same KeyingDataProvider). Right now I don't 
have the smart card reader with me, but I'll look into this next week.

Original comment by luis.fgoncalv on 8 Jul 2011 at 2:52

GoogleCodeExporter commented 9 years ago
OK thanks, I appreciate your commitment and I am waiting for any help :)

Original comment by monc...@gmail.com on 15 Jul 2011 at 8:49

GoogleCodeExporter commented 9 years ago
I was able to reproduce the issue, but not consistently. If I create a 
XadesSigner and use it N times, all goes OK. But if I test with a dummy 
signature directly using the Signature engine class and then the XadesSigner (N 
times on each), I get the error. Looks like it has something to do with the 
PKCS11 provider being in use or something. I'll keep looking into it.

Original comment by luis.fgoncalv on 15 Jul 2011 at 10:23

GoogleCodeExporter commented 9 years ago
Adding these just for reference:

https://issues.apache.org/bugzilla/show_bug.cgi?id=40826
https://issues.apache.org/bugzilla/show_bug.cgi?id=43056
http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html#DelayedSelect

Original comment by luis.fgoncalv on 15 Jul 2011 at 10:37

GoogleCodeExporter commented 9 years ago
I found the cause when creating multiple instances of 
PKCS11KeyStoreKeyingDataProvider. I was always trying to add a new instance of 
the provider, but the addProvider method failed. Then, the provider instance 
was used anyway to create the KeyStore. When the signature engine is 
initialized, the delayed provider selection fails, because there is no provider 
installed that matches the given instance (the addProvider had failed). The 
links above were useful on this one.

Anyway, if the PKCS11KeyStoreKeyingDataProvider was created only once, I had no 
problems. I wasn't able to reproduce your second scenario.

Can you test with the updated source code?

Original comment by luis.fgoncalv on 15 Jul 2011 at 11:13

GoogleCodeExporter commented 9 years ago
Did you have a chance to try this out?

Original comment by luis.fgoncalv on 19 Jul 2011 at 3:33

GoogleCodeExporter commented 9 years ago
I haven't tried it yet, but anyway, thanks for your fast reaction! I'm going to 
try that for sure in the next few days (I don't have a reader right now) and 
I'll leave you a comment.

It's completely off topic, but I have one suggestion. Could you implement 
an updated version of PKCS11KeyStoreKeyingDataProvider where there's a SLOT as 
an additional argument (then in the body: config.append("slot = 
").append(slot);)? My card reader started to work only when I had provided it with 
slot=3 (I had to modify your method myself, but in the end, it could be 
helpful for other users in the future).

You did a good job!

Original comment by monc...@gmail.com on 21 Jul 2011 at 9:39

GoogleCodeExporter commented 9 years ago
I'm closing this issue since the main problem is resolved and the optional slot 
argument was added.

Original comment by luis.fgoncalv on 8 Sep 2011 at 10:03

GoogleCodeExporter commented 9 years ago
I have a problem with exception: 
xades4j.verification.UnexpectedJCAException: expected but could not find 
private key
when i'm trying to sign the second document.

How did you resolve this?

I'm using PKCS11KeyStoreKeyingDataProvider with slotId and everything works, but 
only for the first document. Signing the second one throws the exception.

Thanks in advance for your help.

Original comment by mario790...@gmail.com on 3 Dec 2014 at 7:53

GoogleCodeExporter commented 9 years ago
This problem should have been fixed by not registering the JCA provider 
multiple times. Which version of the library are you using?

Original comment by luis.fgoncalv on 4 Dec 2014 at 10:53

GoogleCodeExporter commented 9 years ago
OK, solved. Change this:

Cipher rsaCipher = Cipher.getInstance(TRANSFORMATION, provider);

to this:

Cipher rsaCipher = Cipher.getInstance(TRANSFORMATION, "SunPKCS11-Luna"); 

and it starts working.

Original comment by tiwari9...@gmail.com on 4 Feb 2015 at 9:41
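The three practical points in this thread (register the SunPKCS11 provider only once and never use an instance whose addProvider failed, pass the slot in the PKCS#11 configuration, and bind the JCA engine to the provider that is actually installed rather than a stray instance) can be shown together in one small program. The code below is an added example written for this page; it is not part of xades4j and not the code any commenter posted. The library path, token name, slot number and the "SHA256withRSA" algorithm are assumptions chosen for illustration, and the Provider.configure call is the Java 9+ API (on Java 8 the equivalent is the sun.security.pkcs11.SunPKCS11(InputStream) constructor).

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example, not xades4j code: install the SunPKCS11 provider for a token
 * exactly once, hand that same installed instance to the KeyStore and to the
 * Signature engine, and reuse it for every signature.
 */
public final class Pkcs11ProviderOnce {

    // Assumed values for illustration; replace with your module, token name and slot.
    static final String LIBRARY = "C:/Program Files/CryptoTech/CryptoCard/CCPkiP11.dll";
    static final String TOKEN_NAME = "SmartCard";
    static final Long SLOT = 3L;

    /**
     * Returns the installed provider "SunPKCS11-<name>", creating and registering it
     * only if it is not installed yet. It never returns an instance that failed to
     * install: such an instance can still open a KeyStore, but the JCA engines will
     * not find it later during delayed provider selection, which is the failure
     * diagnosed in this thread.
     */
    public static synchronized Provider providerFor(String name, String library, Long slot) {
        String installedName = "SunPKCS11-" + name;
        Provider installed = Security.getProvider(installedName);
        if (installed != null) {
            return installed;
        }
        // Inline configuration ("--" prefix) using the same keys as a PKCS#11 config file.
        StringBuilder config = new StringBuilder("--");
        config.append("name = ").append(name).append('\n');
        config.append("library = ").append(library).append('\n');
        if (slot != null) {
            config.append("slot = ").append(slot).append('\n');   // the optional slot argument
        }
        Provider fresh = Security.getProvider("SunPKCS11").configure(config.toString());
        if (Security.addProvider(fresh) == -1) {
            // -1 means a provider with this name was installed by someone else in the
            // meantime; use the installed one, never the instance that failed to install.
            return Security.getProvider(installedName);
        }
        return fresh;
    }

    /** Opens the token through the installed provider instance. */
    public static KeyStore openToken(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    static String firstKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new IllegalStateException("no private key entry on the token");
    }

    /**
     * Signs data `times` times with one provider and one key handle and verifies each
     * signature against the certificate's public key: the repeated use that failed in
     * the thread when a second provider instance was created per signature.
     */
    public static byte[][] signRepeatedly(byte[] data, char[] pin, int times) throws Exception {
        Provider p = providerFor(TOKEN_NAME, LIBRARY, SLOT);
        KeyStore ks = openToken(p, pin);
        String alias = firstKeyAlias(ks);
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);        // opaque PKCS#11 key handle
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        byte[][] signatures = new byte[times][];
        for (int i = 0; i < times; i++) {
            // Bind the engine to the installed instance so it cannot fall through to a
            // software RSA provider, which cannot use a PKCS#11 key handle.
            Signature signer = Signature.getInstance("SHA256withRSA", p);
            signer.initSign(key);
            signer.update(data);
            signatures[i] = signer.sign();

            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(data);
            if (!verifier.verify(signatures[i])) {
                throw new IllegalStateException("signature " + i + " does not verify");
            }
        }
        return signatures;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: Pkcs11ProviderOnce <pin>");
            return;
        }
        byte[][] sigs = signRepeatedly("hello".getBytes("UTF-8"), args[0].toCharArray(), 3);
        System.out.println(sigs.length + " signatures produced with one provider instance");
    }
}
```

Looking up the engine by provider name, as in the last comment's Cipher.getInstance(TRANSFORMATION, "SunPKCS11-Luna"), works for the same reason: a name lookup only ever resolves to a provider that is actually installed, whereas passing an instance that failed addProvider resolves to nothing when the engine initialises. Keeping a single installed instance and passing it by reference, as above, is the equivalent fix without a hard-coded provider name.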