Accessing cryptographic services
Java™ applications can use the IBMCAC provider on a Windows platform to access private keys and certificates on a Common Access Card (CAC), and use cryptographic algorithm implementations.
The IBMCAC provider enables the CAC to use existing Java technology security and cryptography APIs. When used with the third-party middleware, the CAC keystore can be treated like a Microsoft Windows keystore. Therefore, Java platform applications can use the IBMCAC provider to:
- Access private keys and certificates on the CAC
- Use cryptographic algorithm implementations
Keys and certificates are stored in Windows key containers and certificate stores, known as keystores. You can access these keystores by using the java.security.KeyStore class and the IBMCAC provider. The same keystore APIs are used for accessing other types of keystores, such as JKS or PKCS12. However, because Windows keystores do not use passwords and cannot be imported or exported, the values for the password and input/output stream arguments should be null. By default, the IBMCAC provider silently ignores values that are not null.
The following example shows one way to sign data by using the RSA private key stored in the CAC under the alias myRSA. The example also shows how to verify the signature that is generated.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
// The IBMCAC provider class must also be imported from the provider jar
// (its package is not shown on this page).

public class CacSignExample {
    public static void main(String[] args) throws Exception {
        if (Security.getProvider("IBMCAC") == null) {
            Security.addProvider(new IBMCAC());
        }
        // load the CAC keystore; a Windows keystore takes no input stream and no password
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);
        byte[] data = "abcdefghijk".getBytes();
        String alias = "myRSA";
        // get the private key and certificate; the password argument is null for a CAC keystore
        PrivateKey privKey = (PrivateKey) ks.getKey(alias, null);
        Certificate cert = ks.getCertificate(alias);
        Provider p = ks.getProvider();
        // sign with the IBMCAC provider (SHA1withRSA as shown in the original; SHA-1 is
        // deprecated for new signatures, so prefer SHA256withRSA where the middleware supports it)
        Signature sig = Signature.getInstance("SHA1withRSA", p);
        sig.initSign(privKey);
        sig.update(data);
        byte[] signature = sig.sign();
        System.out.println("\tGenerated signature...");
        // verify the signature with the public key from the certificate
        sig.initVerify(cert);
        sig.update(data);
        if (sig.verify(signature)) {
            System.out.println("\tSignature verified!");
        }
    }
}
```
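As an added example that is not part of the IBM documentation, the following code enumerates the CAC keystore through the same KeyStore API and picks out the private-key entries whose certificate is currently valid and carries the digitalSignature key-usage bit, which is the check worth making before choosing an alias for the signing code above. It assumes the IBMCAC provider class is on the class path and imported; the class name CacKeyInventory and the method signingAliases are the example's own.

```java
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
// Also import the IBMCAC provider class from the provider jar (package not shown on this page).
public class CacKeyInventory {
    // Return the aliases of private-key entries whose certificate is valid today and
    // carries the digitalSignature key-usage bit: the only sensible candidates for signing.
    public static List<String> signingAliases(KeyStore ks) throws Exception {
        List<String> result = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key
            }
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(); // throws if expired or not yet valid
            } catch (CertificateException ex) {
                continue;
            }
            boolean[] keyUsage = x509.getKeyUsage();
            // keyUsage[0] is digitalSignature; null means the extension is absent
            if (keyUsage == null || !keyUsage[0]) {
                continue;
            }
            result.add(alias);
        }
        return result;
    }
    public static void main(String[] args) throws Exception {
        if (Security.getProvider("IBMCAC") == null) {
            Security.addProvider(new IBMCAC());
        }
        KeyStore ks = KeyStore.getInstance("Windows-MY"); // no password, no stream for a Windows keystore
        ks.load(null, null);
        for (String alias : signingAliases(ks)) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " -> " + c.getSubjectX500Principal());
        }
    }
}
```

Aliases returned by signingAliases can be passed straight into the signing sequence shown above in place of the fixed "myRSA".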