PKI tokens provide secure storage for digital certificates and private keys. They allow public-key cryptography and digital signatures to be leveraged securely, without risk of leaking the private key information.

AbdullahAlhussein/PKI-Encryption-Decryption-PDF-USB-Token


PKI-Encryption-Decryption-PDF-USB-Token


Overview

PKI tokens are hardware devices that store digital certificates and private keys securely. When you need to encrypt, decrypt or sign something, the token does this internally in a secure chip, meaning the keys are never at risk of being stolen.


USB tokens expose their certificates and keys through PKCS#11, one of the Public-Key Cryptography Standards. Digital signature certificates are issued by a Certificate Authority (CA).


PKCS#11

The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards. The API defines the most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects. Read more: PKCS11.


iText

iText 7 for Java represents the next level of SDKs for developers who want to take advantage of the benefits PDF can bring. Equipped with a better document engine, high- and low-level programming capabilities and the ability to create, edit and enhance PDF documents, iText 7 can be a boon to nearly every workflow. Read more: iText.



Specifications of the USB token used:

Token name: eToken

Token category: Hardware

Product name: SafeNet eToken 5110 FIPS

Model: Token 15.0.0.3 15.0.19

Card type: Java Card

OS version: eToken Java Applet 1.8.5



Installation


The following software packages must be installed; their most important uses are listed under each:

1- SafeNet Authentication Client

  • Change the token PIN
  • Change the token name
  • Install the token drivers
  • Enter the token PIN when signing or decrypting

2- Entrust Entelligence Security Provider

  • Sign and encrypt files and emails
  • Explore certificates
  • Check the validity of a certificate
  • Create an encryption group
  • Exchange digital certificates with others

3- Download eTPKCS11.dll

4- Download sunpkcs11.jar

5- Add the dependencies to the Maven pom.xml

<dependencies>
   <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.8.2</version>
      <scope>test</scope>
   </dependency>
   <dependency>
      <groupId>com.itextpdf</groupId>
      <artifactId>kernel</artifactId>
      <version>7.0.2</version>
   </dependency>
   <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.49</version>
      <optional>true</optional>
   </dependency>
</dependencies>



Add an external configuration file containing the following information:

To enable the JDK to access the security token, you first need to create a configuration file. Open any plain-text editor and create a file named eToken.cfg. The file should contain 2, possibly 3, lines:

  • A name for the token (SunPKCS11 uses it as the suffix of the provider name)
  • The path of the PKCS#11 library for the USB token, which is eTPKCS11.dll
  • The USB slot

name=eTokenn
library=c:\WINDOWS\system32\eTPKCS11.dll
slot=0

Note: The default slot number when left unspecified is 0. The SafeNet eToken 5100 is automatically assigned to slot 0, so the slot line is not needed in the .cfg file. However, this may need to be changed depending on the number of eTokens/smart card readers installed. The default slot number for the SafeNet iKey 4000 is slot 3, so the slot line is required when using a SafeNet iKey 4000.



Also add sunpkcs11.jar as an external library so that the PKCS11 provider can be created:

 sun.security.pkcs11.SunPKCS11 providerPKCS11 = new sun.security.pkcs11.SunPKCS11(pkcs11Config);


Run the program

When you run the program, a window appears asking for the password needed to connect to the USB token and read the certificates.


 KeyStore.CallbackHandlerProtection chp = new KeyStore.CallbackHandlerProtection(new MyGuiCallbackHandler() {});
 KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", null, chp);
 KeyStore keyStore = builder.getKeyStore();

After that, the program selects the required certificate, which is the encryption certificate (key usage bit 2, keyEncipherment):

 if (x509Certificate.getKeyUsage() != null && x509Certificate.getKeyUsage()[2])

and accesses the keys:

Key key = keyStore.getKey(alias, null);
privateKey = (PrivateKey) key;
publicKey = x509Certificate.getPublicKey();

Then the program encrypts the file.




The file can only be decrypted with the USB token, and only if the certificate's public key and the token's private key match.
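
The steps above as one flow, written as an added example (not code from this repository): it loads eToken.cfg with the JDK 9+ `configure` call, which replaces the `new sun.security.pkcs11.SunPKCS11(...)` constructor removed in Java 9, selects the keyEncipherment certificate, and round-trips an AES file key through the token. The class name, the console PIN prompt and the RSA PKCS#1 v1.5 padding are assumptions, and the token must be plugged in.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.security.auth.callback.*;

public class TokenKeyWrapDemo {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        // JDK 9+: configure the built-in SunPKCS11 provider from the config file.
        Provider p11 = Security.getProvider("SunPKCS11").configure("eToken.cfg");
        Security.addProvider(p11);

        // Prompt for the PIN only when the token asks for it (run from a terminal).
        CallbackHandler pinPrompt = callbacks -> {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) throw new UnsupportedCallbackException(cb);
                ((PasswordCallback) cb).setPassword(System.console().readPassword("Token PIN: "));
            }
        };
        KeyStore keyStore = KeyStore.Builder.newInstance("PKCS11", p11,
                new KeyStore.CallbackHandlerProtection(pinPrompt)).getKeyStore();

        for (String alias : Collections.list(keyStore.aliases())) {
            if (!(keyStore.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
            boolean[] usage = cert.getKeyUsage();   // null when the extension is absent
            if (usage == null || !usage[2] || !keyStore.isKeyEntry(alias)) continue; // bit 2 = keyEncipherment
            cert.checkValidity();                   // throws if expired or not yet valid

            // Sender side: encrypt a fresh AES file key with the certificate's public key (software).
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey fileKey = kg.generateKey();
            Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            enc.init(Cipher.ENCRYPT_MODE, cert.getPublicKey());
            byte[] wrapped = enc.doFinal(fileKey.getEncoded());

            // Recipient side: the RSA operation runs on the token; tokenKey is only a handle.
            PrivateKey tokenKey = (PrivateKey) keyStore.getKey(alias, null);
            Cipher dec = Cipher.getInstance("RSA/ECB/PKCS1Padding", p11);
            dec.init(Cipher.DECRYPT_MODE, tokenKey);
            byte[] recovered = dec.doFinal(wrapped);
            System.out.println(alias + ": file key recovered = "
                    + MessageDigest.isEqual(fileKey.getEncoded(), recovered));
        }
    }
}
```

On JDK 9 and later the provider ships inside the JDK (module jdk.crypto.cryptoki), so the separate sunpkcs11.jar is only needed on Java 8 and earlier.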



Encryption information






Good Luck
