Accessing cryptographic services

Java™ applications can use the IBMCAC provider on a Windows platform to access private keys and certificates on a Common Access Card (CAC), and use cryptographic algorithm implementations.

The IBMCAC provider enables the CAC to use the existing Java technology security and cryptography APIs. When used with the third-party middleware, the CAC keystore can be treated like a Microsoft Windows keystore. Therefore, Java platform applications can use the IBMCAC provider to:
  • Access private keys and certificates on the CAC
  • Use cryptographic algorithm implementations
For a complete list of supported algorithms, see Supported algorithms.

Keys and certificates are stored in Windows key containers and certificate stores, known as keystores. You can access these keystores by using the java.security.KeyStore class and the IBMCAC provider. The same keystore APIs are used for accessing other types of keystores, such as JKS or PKCS12. However, because Windows keystores do not use passwords and cannot be imported or exported, pass null for the password and input/output stream arguments. By default, the IBMCAC provider silently ignores values that are not null.

The following example shows one way to sign data by using the RSA private key stored in the CAC under the alias myRSA. The example also shows how to verify the signature that is generated.
// Imports used by the example. The IBMCAC provider class itself is supplied by the
// provider's own jar file; its package name is not shown here.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;

public class CacSignExample {
    public static void main(String[] args) throws GeneralSecurityException, IOException {
        // register the IBMCAC provider unless it is already configured in java.security
        if (Security.getProvider("IBMCAC") == null) {
            Security.addProvider(new IBMCAC());
        }

        // load the CAC keystore; Windows keystores take no input stream and no password
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        byte[] data = "abcdefghijk".getBytes(StandardCharsets.UTF_8);
        String alias = "myRSA";

        // get the private key handle and certificate; the password argument is null
        PrivateKey privKey = (PrivateKey) ks.getKey(alias, null);
        Certificate cert = ks.getCertificate(alias);
        if (privKey == null || cert == null) {
            throw new IllegalStateException("no key pair under alias " + alias);
        }

        Provider p = ks.getProvider();
        // sign with the IBMCAC provider; the card performs the private-key operation
        Signature sig = Signature.getInstance("SHA1withRSA", p);
        sig.initSign(privKey);
        sig.update(data);
        byte[] signature = sig.sign();
        System.out.println("\tGenerated signature...");

        // verify the signature with the public key from the certificate
        sig.initVerify(cert);
        sig.update(data);
        if (sig.verify(signature)) {
            System.out.println("\tSignature verified!");
        } else {
            System.out.println("\tSignature verification FAILED");
        }
    }
}
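The following inventory program is an added example and is not part of IBM's documentation or the IBMCAC provider itself. It uses the same java.security.KeyStore API described above to show what a CAC keystore exposes before any signing is attempted: it binds "Windows-MY" explicitly to the IBMCAC provider (so another provider's Windows-MY cannot be picked up by accident), lists the Signature algorithms the provider registers (a way to check the supported-algorithms list from code), and reports for every alias whether a private key entry is present and whether its certificate is currently valid. The class name CacKeystoreInventory is an assumption, and the example assumes that the IBMCAC provider is already registered through a security.provider.N entry in the java.security file and that the third-party CAC middleware is installed, so no provider class is imported here.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.TreeSet;

/**
 * Added example (not IBM code): inventory of the CAC keystore as seen through
 * the IBMCAC provider. Assumes IBMCAC is registered in java.security and that
 * the CAC middleware backs the "Windows-MY" keystore type.
 */
public class CacKeystoreInventory {

    /** Load Windows-MY from the IBMCAC provider explicitly. */
    static KeyStore loadCacKeystore() throws GeneralSecurityException, IOException {
        Provider p = Security.getProvider("IBMCAC");
        if (p == null) {
            throw new NoSuchProviderException("IBMCAC provider is not registered");
        }
        // Naming the provider prevents binding to a different provider's Windows-MY.
        KeyStore ks = KeyStore.getInstance("Windows-MY", p);
        ks.load(null, null);   // Windows keystores: no stream, no password
        return ks;
    }

    /** Signature algorithms the provider registers, sorted for readability. */
    static List<String> signatureAlgorithms(Provider p) {
        TreeSet<String> algs = new TreeSet<>();
        for (Provider.Service s : p.getServices()) {
            if ("Signature".equals(s.getType())) {
                algs.add(s.getAlgorithm());
            }
        }
        return new ArrayList<>(algs);
    }

    /** One line per alias: private key present? certificate valid now? */
    static void report(KeyStore ks) throws KeyStoreException {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            boolean hasKey = ks.isKeyEntry(alias);   // true when a private key is usable
            String status = "no X.509 certificate";
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                try {
                    x.checkValidity(new Date());
                    status = "valid until " + x.getNotAfter();
                } catch (CertificateExpiredException e) {
                    status = "EXPIRED " + x.getNotAfter();
                } catch (CertificateNotYetValidException e) {
                    status = "not yet valid (from " + x.getNotBefore() + ")";
                }
                status += ", subject " + x.getSubjectX500Principal().getName();
            }
            System.out.printf("%-24s key=%-5s %s%n", alias, hasKey, status);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException, IOException {
        KeyStore ks = loadCacKeystore();
        Provider p = ks.getProvider();
        System.out.println("Provider: " + p.getName() + " (" + p.getInfo() + ")");
        System.out.println("Signature algorithms: " + signatureAlgorithms(p));
        report(ks);
    }
}
```

Running this before the signing example tells you which alias to use and confirms the algorithm name you pass to Signature.getInstance is one the provider registers; an alias reported with key=false or an EXPIRED certificate will fail at initSign or at the relying party, and the inventory makes that visible without attempting a signature.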