Certificados y Java (I). Manejar certificados PKCS#11 (Smart Card) y PKCS12 (fichero .p12)

0. Introducción

Nuestro objetivo es poder firmar un fichero. Para ello, debemos tener un certificado a mano para poder firmar.

Veamos como leemos un certificado de tarjeta (Smart Card) tipo PKSC#11

Para ello debemos tener instalado correctamente el certificado digital. En una entrada anterior se instaló el lector de tarjetas Zoweetek y una tarjeta de la ACCV.

1. Creamos un proyecto Maven

En Eclipse File-New-Other-MavenProject y marcamos "Create a simple project (skip archetype selection) y Next

Elegimos:

• Group Id: org.ximodante
• Artificact Id: JavaCertificates

Y lo demás por omisión y Finish
Vamos al pom.xml y le añadimos las librería que nos hacen falta, quedando así:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.ximodante</groupId>
  <artifactId>JavaCertificates</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  
  <properties>
    <failOnMissingWebXml>false</failOnMissingWebXml>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.plugin>3.8.0</maven.compiler.plugin>
    <maven.compiler.source>10</maven.compiler.source>
    <maven.compiler.target>10</maven.compiler.target>
    <bouncycastle.version>1.60</bouncycastle.version>
    <apache.pdfbox.version>2.0.11</apache.pdfbox.version>
  
  </properties>
  
  <dependencies>
    

    <!-- 1. PDFBOX para majejar PDFs -->    
    <!-- https://mvnrepository.com/artifact/org.apache.pdfbox/pdfbox -->
    <dependency>
      <groupId>org.apache.pdfbox</groupId>
      <artifactId>pdfbox</artifactId>
      <version>${apache.pdfbox.version}</version>
    </dependency>
    

    <!-- 2. XMPBOX para majejar XMP (Abobe extensible metadata) -->    

    <!-- https://mvnrepository.com/artifact/org.apache.pdfbox/xmpbox -->
    <dependency>
      <groupId>org.apache.pdfbox</groupId>
      <artifactId>xmpbox</artifactId>
      <version>${apache.pdfbox.version}</version>
    </dependency>
    
    

    <!-- 3. BOUNCYCASTLE para manejar todo el tema de certificados -->    

    <!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>${bouncycastle.version}</version>
    </dependency>
    
    <!-- https://mvnrepository.com/artifact/org.bouncycastle/bcmail-jdk15on -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcmail-jdk15on</artifactId>
       <version>${bouncycastle.version}</version>
    </dependency>
    
        
  </dependencies>
  
</project>

NOTA: Para este primer post, solo nos interesan las librería BouncyCastle.

2. Clase abstacta para el manejo de certificados

Creamos una clase llamada PKCSUtils

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316

package org.ximodante.certificatemanagers; import java.io.ByteArrayInputStream; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.Provider; import java.security.Security; import java.security.UnrecoverableKeyException; import java.security.cert.Certificate; import java.security.cert.CertificateException; public class PKCSUtils { public static String[][] CARD_DRIVERS = new String[][] { {"WIN_G&D","c:\\windows\\system32\\aetpkss1.dll"}, {"WIN_SIEMENS_OLD","c:\\windows\\system32\\siecap11.dll"}, {"UNIX_G&D","/usr/lib/libaetpkss.so.3"} }; public static OsTypes getOsType() { String OSName=System.getProperty("os.name").toLowerCase(); if (OSName.indexOf("win") >= 0 ) return OsTypes.WINDOWS; else if (OSName.indexOf("nix") >= 0 || OSName.indexOf("nux") >= 0 || OSName.indexOf("aix") > 0 ) return OsTypes.UNIX; else if (OSName.indexOf("mac") >= 0 ) return OsTypes.MAC; else return OsTypes.ERROR; } public static String getJavaVersion() { return System.getProperty("java.version"); } /** * Return location of the Smart Card driver. It is indicated in CARD_DRIVERS * * example call: getPKCS11ConfigString("UNIX_G&D") * * @param smartCardDriverdriver * @return */ public static String getPKCS11ConfigString(String smartCardDriverdriver) { // See See https://stackoverflow.com/a/46524444/7704658 to indicate not a file but the content of the configuration // a prefix= "--" is used to know it is not a file name String PKCS11CfgStr=""; if (!getJavaVersion().startsWith("1.")) PKCS11CfgStr="-- "; PKCS11CfgStr=PKCS11CfgStr + "name = SmartCard"; boolean found=false; for (String[] as: CARD_DRIVERS) { if (as[0].equalsIgnoreCase(smartCardDriverdriver) && !found) { PKCS11CfgStr= PKCS11CfgStr + "\n library = " + as[1]; found=true; } } if (!found) throw new java.lang.RuntimeException("Driver name: " + smartCardDriverdriver + " NOT FOUND in PKCS11Utils.CARD_DRIVERS"); return PKCS11CfgStr; } /** * Get a Keystore from a PKCS11 Certificate (Smart Card) * * Example call * getPKCS11KeyStore("UNIX_G&D", "mySmartCardPassword") * * @param smartCardDriver : Specifies the OS and the Card and it is defined in CARD_DRIVERS static parameter of the class * @param CertificatePassword * @return a Java KeyStore * @throws KeyStoreException * @throws NoSuchAlgorithmException * @throws CertificateException * @throws IOException * @throws ClassNotFoundException * @throws SecurityException * @throws NoSuchMethodException * @throws InvocationTargetException * @throws IllegalArgumentException * @throws IllegalAccessException * @throws InstantiationException */ public static KeyStore getPKCS11KeyStore(String smartCardDriver, String CertificatePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, ClassNotFoundException, NoSuchMethodException, SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException { String pkcs11config=getPKCS11ConfigString(smartCardDriver); Provider pkcs11Provider = null; // As the class does not exists in Java 9 +, we will construct it by reflection or the compiler crashes if (getJavaVersion().startsWith("1.")) { byte[] pkcs11configBytes = pkcs11config.getBytes(); ByteArrayInputStream configStream = new ByteArrayInputStream(pkcs11configBytes); Class<?> plcs11Class = Class.forName("sun.security.pkcs11.SunPKCS11"); Constructor<?> constructor = plcs11Class.getConstructor(new Class[]{ByteArrayInputStream.class}); pkcs11Provider = (Provider) constructor.newInstance(configStream); // For JaVA 9+ } else { pkcs11Provider = Security.getProvider("SunPKCS11"); pkcs11Provider = pkcs11Provider.configure(pkcs11config); } Security.addProvider(pkcs11Provider); KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11Provider); ks.load(null, CertificatePassword.toCharArray()); return ks; } /** * * @param certURL : The full name of the file for instance: "/home/myuser/certs/mycert.p12" * @param CertificatePassword: for instance "MyPassword" * @return a Java Keystore * @throws KeyStoreException * @throws NoSuchAlgorithmException * @throws CertificateException * @throws FileNotFoundException * @throws IOException */ public static KeyStore getPKCS12KeyStore(String certURL, String CertificatePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException { KeyStore ks = KeyStore.getInstance("PKCS12"); if (CertificatePassword.length()>0) ks.load(new FileInputStream(certURL), CertificatePassword.toCharArray()); else ks.load(new FileInputStream(certURL), null); return ks; } /** * Get the certificate chain from a java keystore * @param ks * @return * @throws KeyStoreException */ public static Certificate[] getCertificateChain(KeyStore ks) throws KeyStoreException { String alias = (String) ks.aliases().nextElement(); Certificate[] myCertChain = ks.getCertificateChain(alias); return myCertChain; } /** * Get the certificate chain from the parameter to access a Java Smart Card certificate * @param smartCardDriver Specifies the OS and the Card and it is defined in CARD_DRIVERS static parameter of the class * @param CertificatePassword is the Smart Card Certificate * @return the certificate chain * @throws KeyStoreException * @throws NoSuchAlgorithmException * @throws CertificateException * @throws IOException * @throws ClassNotFoundException * @throws NoSuchMethodException * @throws SecurityException * @throws InstantiationException * @throws IllegalAccessException * @throws IllegalArgumentException * @throws InvocationTargetException */ public static Certificate[] getPKCS11CertificateChain(String smartCardDriver, String CertificatePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, ClassNotFoundException, NoSuchMethodException, SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException { KeyStore ks = getPKCS11KeyStore(smartCardDriver, CertificatePassword); return getCertificateChain(ks); } /** * get the alias of keystore * @param ks * @return * @throws KeyStoreException */ public static String getCertAlias(KeyStore ks) throws KeyStoreException { return (String) ks.aliases().nextElement(); } /** * Gets the alias defining the parameters of to access Smart card * @param smartCardDriver Specifies the OS and the Card and it is defined in CARD_DRIVERS static parameter of the class * @param CertificatePassword the smart card password * @return * @throws KeyStoreException * @throws NoSuchAlgorithmException * @throws CertificateException * @throws IOException * @throws ClassNotFoundException * @throws NoSuchMethodException * @throws SecurityException * @throws InstantiationException * @throws IllegalAccessException * @throws IllegalArgumentException * @throws InvocationTargetException */ public static String getPKCS11CertAlias(String smartCardDriver, String CertificatePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, ClassNotFoundException, NoSuchMethodException, SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException { KeyStore ks = getPKCS11KeyStore(smartCardDriver, CertificatePassword); return (String) ks.aliases().nextElement(); } /** * Get the private key from a Java keystore knowing its password * @param ks * @param CertificatePassword * @return * @throws KeyStoreException * @throws UnrecoverableKeyException * @throws NoSuchAlgorithmException */ public static PrivateKey getPrivateKey(KeyStore ks, String CertificatePassword) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException { String alias=getCertAlias(ks); return (PrivateKey) ks.getKey(alias, CertificatePassword.toCharArray()); } /** * Get the private key from a smart card accessing by its configuration and password * @param smartCardDriver Specifies the OS and the Card and it is defined in CARD_DRIVERS static parameter of the class * @param CertificatePassword the smart card password * @return * @throws KeyStoreException * @throws UnrecoverableKeyException * @throws NoSuchAlgorithmException * @throws CertificateException * @throws IOException * @throws ClassNotFoundException * @throws NoSuchMethodException * @throws SecurityException * @throws InstantiationException * @throws IllegalAccessException * @throws IllegalArgumentException * @throws InvocationTargetException */ public static PrivateKey getPKCS11PrivateKey(String smartCardDriver, String CertificatePassword) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, CertificateException, IOException, ClassNotFoundException, NoSuchMethodException, SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException { KeyStore ks = getPKCS11KeyStore(smartCardDriver, CertificatePassword); String alias=getCertAlias(ks); return (PrivateKey) ks.getKey(alias, CertificatePassword.toCharArray()); } /** * Tests * @param args * @throws KeyStoreException * @throws NoSuchAlgorithmException * @throws CertificateException * @throws IOException * @throws UnrecoverableKeyException * @throws InvocationTargetException * @throws IllegalArgumentException * @throws IllegalAccessException * @throws InstantiationException * @throws SecurityException * @throws NoSuchMethodException * @throws ClassNotFoundException */ public static void main(String args[]) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException, ClassNotFoundException, NoSuchMethodException, SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException { String myCardPwd="MySmartCardPassword"; String myP12Pwd="MyP12Password"; String myCardDriver="UNIX_G&D"; String myP12File="/home/myuser/mycert.p12"; //0. Show java version and OOS System.out.println("0.---------------------------------------------------------------------------"); System.out.println(getJavaVersion()); System.out.println(System.getProperty("os.name")); System.out.println(getOsType()); System.out.println(); //1. Test getPKCS11KeyStore System.out.println("1.---------------------------------------------------------------------------"); KeyStore ks1=getPKCS11KeyStore(myCardDriver, myCardPwd); System.out.println(ks1.toString()); System.out.println(); //2. Test getPKCS12KeyStore System.out.println("2.---------------------------------------------------------------------------"); KeyStore ks2=getPKCS12KeyStore(myP12File, myP12Pwd); System.out.println(ks2.toString()); System.out.println(); //3. Test getCertificateChain System.out.println("3.1.---------------------------------------------------------------------------"); Certificate[] cert1 =getCertificateChain(ks1); System.out.println(cert1[0].toString()); System.out.println(); System.out.println("3.2.---------------------------------------------------------------------------"); Certificate[] cert2 =getCertificateChain(ks2); System.out.println(cert2[0].toString()); System.out.println(); //4. Test getCertAlias System.out.println("4.---------------------------------------------------------------------------"); String alias1 =getCertAlias(ks1); System.out.println(alias1); System.out.println(); String alias2 =getCertAlias(ks1); System.out.println(alias2); System.out.println(); //5. Test Private Key System.out.println("5.---------------------------------------------------------------------------"); PrivateKey pKey1 =getPrivateKey(ks1, myCardPwd); System.out.print(pKey1.getFormat()+" "); System.out.print(pKey1.getAlgorithm()+" "); System.out.print(pKey1.getClass()+" "); System.out.println(pKey1.hashCode()); System.out.println(); PrivateKey pKey2 =getPrivateKey(ks2, myP12Pwd); System.out.print(pKey2.getFormat()+" "); System.out.print(pKey2.getAlgorithm()+" "); System.out.print(pKey2.getClass()+" "); System.out.println(pKey2.hashCode()); } }

Hay que saber:

• Versión de Java que tenemos
• Sistema Operativo
• Drivers de la tarjeta PKCS11

Respecto a la versión de Java, como estamos desarrollando en Java 10, y la configuracion del pkcs#11 cambia a partir de Java 9, todo el código para versiones Java 1.8 y anteriores se tiene que hacer por reflexión, ya que las referencias a la clase sun.security.pkcs11.SunPKCS11 no existen en las nuevas versiones de Java, y por tanto da error de compilación si accedemos directamente a ella. Esto se tiene en cuenta en las líneas 93-100.

En Java 9+ no se permite pasar lo parámetros de configuración de las librerias en un String , pero en StackOverflow encuentran una manera de hacerlo que es meter un prefijo de "--" y entiende que no hay que ir a un fichero para leer los parámetros. (Líneas 50-53) 

Respecto al sistema operativo y los drivers de la tarjeta, se ha creado una constante CARD_DRIVERS en las líneas  23-27 que contiene las definiciones y accesos a las librerías de la tarjeta en función del sistema operativo. En este caso solo se ha puesto los drivers de las tarjetas G&D (Linux y Windowa) y Siemens (Solo Windows). Por tanto debereis proporcionar las localizaciones de los drivers de vuestra tarjeta para vuestro sistema operativo a esta variable. 

Para el caso de ver el certificado de la tarjeta, ver como se configura en entradas anteriores y comprovar que desde Firefox se puede vcr, y tener a mano la contraseña de la tarjeta. ¡No olvidar colocar la tarjeta en el lector!

Para los certificados en fichero ".p12" hay que tener localizada la ruta en disco al fichero y también su contraseña.

Cambiar las variables myCardPwd y myP12Pwd de las contraseñas y  cambiar UNIX_GD por vuestro driver en concreto de las líneas 253-257 

Si ejecutamos la clase la salida es:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328

0.--------------------------------------------------------------------------- 10.0.1 Linux UNIX 1.--------------------------------------------------------------------------- java.security.KeyStore@3c0f93f1 2.--------------------------------------------------------------------------- java.security.KeyStore@2db7a79b 3.1.--------------------------------------------------------------------------- [ [ Version: V3 Subject: C=ES, O=MI EMPRESA, OU=CERTIFICADO ELECTRONICO DE EMPLEADO , T=INFORMATICO, SURNAME=DANTE ROWAN, GIVENNAME=XIMO, SERIALNUMBER=00000000K, CN=XIMO DANTE ROWAN - DNI 00000000K Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19021714822695416410640732937165993185780893482489530609330271353653833986865409884357525007345857232950358020644608398916280213715193060415883879832876531731740542555392415820427951721849049132493073141912997396086315448899421338622445988272776481734273508949312612164981823405217082043937698335240980137352749854111702007707185035537211696440848221707436761398140758722285712454822641762459224271273797613662488740802157152331603569593878761205385078263148512440183328837233707473664828559803695573085387432746298260369984396583140133936394510594711790250569261292925214068907097899413187072139398842014155739659889 public exponent: 65537 Validity: [From: Tue Mar 20 14:21:35 CET 2018, To: Fri Mar 19 14:21:35 CET 2021] Issuer: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVCA-120 SerialNumber: [ 0f2c933c 40619f66] Certificate Extensions: 9 [1]: ObjectId: 1.3.6.1.5.5.7.1.3 Criticality=false Extension unknown: DER encoded OCTET string = 0000: 04 2F 30 2D 30 14 06 08 2B 06 01 05 05 07 0B 02 ./0-0...+....... 0010: 30 08 06 06 04 00 8E 46 01 01 30 08 06 06 04 00 0......F..0..... 0020: 8E 46 01 01 30 0B 06 06 04 00 8E 46 01 03 02 01 .F..0......F.... 0030: 0F . [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false AuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://www.accv.es/gestcert/ACCVCA120.crt , accessMethod: ocsp accessLocation: URIName: http://ocsp.accv.es ] ] [3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: E8 40 9B 8E FB 66 3F C1 44 D8 A1 DF D4 4A 81 42 .@...f?.D....J.B 0010: 08 17 CB E5 .... ] ] [4]: ObjectId: 2.5.29.31 Criticality=false CRLDistributionPoints [ [DistributionPoint: [URIName: http://www.accv.es/fileadmin/Archivos/certificados/accvca120_der.crl] CRLIssuer:[C=ES, O=ACCV, OU=PKIACCV, CN=ACCVCA-120] ]] [5]: ObjectId: 2.5.29.32 Criticality=false CertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.8149.3.13.4.0] [PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.2 qualifier: 0000: 30 82 01 94 1E 82 01 90 00 43 00 65 00 72 00 74 0........C.e.r.t 0010: 00 69 00 66 00 69 00 63 00 61 00 64 00 6F 00 20 .i.f.i.c.a.d.o. 0020: 00 63 00 75 00 61 00 6C 00 69 00 66 00 69 00 63 .c.u.a.l.i.f.i.c 0030: 00 61 00 64 00 6F 00 20 00 70 00 61 00 72 00 61 .a.d.o. .p.a.r.a 0040: 00 20 00 45 00 6D 00 70 00 6C 00 65 00 61 00 64 . .E.m.p.l.e.a.d 0050: 00 6F 00 20 00 50 00 FA 00 62 00 6C 00 69 00 63 .o. .P...b.l.i.c 0060: 00 6F 00 20 00 65 00 78 00 70 00 65 00 64 00 69 .o. .e.x.p.e.d.i 0070: 00 64 00 6F 00 20 00 70 00 6F 00 72 00 20 00 65 .d.o. .p.o.r. .e 0080: 00 6C 00 20 00 49 00 6E 00 73 00 74 00 69 00 74 .l. .I.n.s.t.i.t 0090: 00 75 00 74 00 6F 00 20 00 56 00 61 00 6C 00 65 .u.t.o. .V.a.l.e 00A0: 00 6E 00 63 00 69 00 61 00 6E 00 6F 00 20 00 64 .n.c.i.a.n.o. .d 00B0: 00 65 00 20 00 46 00 69 00 6E 00 61 00 6E 00 7A .e. .F.i.n.a.n.z 00C0: 00 61 00 73 00 20 00 2D 00 20 00 41 00 43 00 43 .a.s. .-. .A.C.C 00D0: 00 56 00 20 00 28 00 50 00 6C 00 61 00 7A 00 61 .V. .(.P.l.a.z.a 00E0: 00 20 00 4E 00 E1 00 70 00 6F 00 6C 00 65 00 73 . .N...p.o.l.e.s 00F0: 00 20 00 79 00 20 00 53 00 69 00 63 00 69 00 6C . .y. .S.i.c.i.l 0100: 00 69 00 61 00 2C 00 20 00 36 00 2E 00 20 00 56 .i.a.,. .6... .V 0110: 00 61 00 6C 00 65 00 6E 00 63 00 69 00 61 00 20 .a.l.e.n.c.i.a. 0120: 00 43 00 50 00 20 00 34 00 36 00 30 00 30 00 33 .C.P. .4.6.0.0.3 0130: 00 2C 00 20 00 45 00 53 00 50 00 41 00 D1 00 41 .,. .E.S.P.A...A 0140: 00 2E 00 20 00 43 00 49 00 46 00 20 00 51 00 39 ... .C.I.F. .Q.9 0150: 00 36 00 35 00 30 00 30 00 31 00 30 00 43 00 29 .6.5.0.0.1.0.C.) 0160: 00 2E 00 20 00 43 00 50 00 53 00 20 00 79 00 20 ... .C.P.S. .y. 0170: 00 43 00 50 00 20 00 65 00 6E 00 20 00 68 00 74 .C.P. .e.n. .h.t 0180: 00 74 00 70 00 3A 00 2F 00 2F 00 77 00 77 00 77 .t.p.:././.w.w.w 0190: 00 2E 00 61 00 63 00 63 ...a.c.c ], PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 24 68 74 74 70 3A 2F 2F 77 77 77 2E 61 63 63 .$http://www.acc 0010: 76 2E 65 73 2F 6C 65 67 69 73 6C 61 63 69 6F 6E v.es/legislacion 0020: 5F 63 2E 68 74 6D _c.htm ]] ] ] [6]: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ clientAuth emailProtection ] [7]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment ] [8]: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ RFC822Name: ximodante@gmail.com UID=73912286S, CN=XIMO|DANTE|ROWAN, OID.2.16.724.1.3.5.3.2.11=INFORMATICO, OID.2.16.724.1.3.5.3.2.10=, OID.2.16.724.1.3.5.3.2.9=XIMODANTE@GMAIL.COM, OID.2.16.724.1.3.5.3.2.8=ROWAN, OID.2.16.724.1.3.5.3.2.7=DANTE, OID.2.16.724.1.3.5.3.2.6=XIMO, OID.2.16.724.1.3.5.3.2.5=, OID.2.16.724.1.3.5.3.2.4=00000000H, OID.2.16.724.1.3.5.3.2.3=00000000H, OID.2.16.724.1.3.5.3.2.2=MI EMPRESA, OID.2.16.724.1.3.5.3.2.1=certificado electrónico de empleado ] [9]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: E6 5F 75 0C 37 CA 44 62 D0 B0 90 9B A3 49 CA 22 ._u.7.Db.....I." 0010: 96 85 79 A5 ..y. ] ] ] Algorithm: [SHA256withRSA] Signature: 0000: 5F 35 1F 50 9D 8E 36 76 F0 BD C4 A4 86 41 2D 2F _5.P..6v.....A-/ 0010: 28 CF 3C 8D 5B 8A F0 0D D2 F8 F0 01 F8 35 DF 0A (.<.[........5.. 0020: 14 4D 4A 53 49 9E DF 51 BF 4E 61 EC B3 99 63 D0 .MJSI..Q.Na...c. 0030: CC 5B EE D5 21 01 93 26 D3 3B 66 1E 72 31 CA 23 .[..!..&.;f.r1.# 0040: 4A 5F B2 D9 78 BE 03 0E 97 82 4C F1 92 31 94 06 J_..x.....L..1.. 0050: 97 92 8B 2E 33 FF A9 31 34 F8 F7 FB 01 2B 07 1D ....3..14....+.. 0060: F9 C5 49 1E FC 44 3C 81 A9 22 0A BC 92 1E AA BD ..I..D<.."...... 0070: 3E FD F6 EC CA 1E 94 A1 40 68 0B 92 A1 8D B5 59 >.......@h.....Y 0080: D2 A9 60 F6 50 05 58 E3 5C EC 29 BD EA C1 D7 95 ..`.P.X.\.)..... 0090: 90 E6 8B DA 11 30 8A CE 75 58 AF 99 54 9F 13 13 .....0..uX..T... 00A0: D0 CC 41 2C F2 DC C7 C1 2A 27 CF FA 0F 89 AD FC ..A,....*'...... 00B0: D9 42 68 3A 52 B0 0D 0B 4C EB 03 3C EE 64 BC 5C .Bh:R...L..<.d.\ 00C0: 7B 1F 02 39 3F 1D EB DF D6 E0 1F BA EB E0 8A 14 ...9?........... 00D0: FD 7B 6A 9C 31 E7 98 88 BB F3 E7 75 2B C1 74 B6 ..j.1......u+.t. 00E0: 51 2B B4 29 E4 98 7D C0 F2 03 F0 35 6A EB BB 4E Q+.).......5j..N 00F0: 18 E5 82 68 B4 D3 01 4F 17 4A 09 29 6F 83 D2 50 ...h...O.J.)o..P 0100: 4A 65 AD BF 2E CA DB 7C 8E 02 DD B6 9C 1C A3 F4 Je.............. 0110: A5 24 C9 DA 1C E5 05 2D E1 50 45 E6 7A D1 E5 0D .$.....-.PE.z... 0120: 04 E5 C4 5B 68 9F 64 3A 40 90 2E E5 C2 50 AD FC ...[h.d:@....P.. 0130: EC 44 75 B0 10 61 0B 97 F2 37 70 9F 90 D9 51 38 .Du..a...7p...Q8 0140: 79 CB 29 7D 15 0D B2 91 21 99 84 33 4D CB 57 80 y.).....!..3M.W. 0150: 5E 00 8D 05 46 EA 7A 33 B2 1E 03 8B 16 99 7D 74 ^...F.z3.......t 0160: 10 E9 33 FA CD 8A 34 EF 39 CD 46 D1 63 7B 0E 1F ..3...4.9.F.c... 0170: 83 DD 1F CE A0 B6 87 0C 2E 3E 39 CE 19 FD D3 44 .........>9....D 0180: F5 F3 D0 7F 50 EB A4 9B 42 EC FB 3F 92 3B A7 C1 ....P...B..?.;.. 0190: F8 C8 D0 AE 33 93 E8 FD 78 9F B3 24 0F EA C3 9C ....3...x..$.... 01A0: 05 2A 2B A7 F0 F0 1E B3 B2 50 1F C4 15 57 B8 CC .*+......P...W.. 01B0: 1A 1A 41 D3 62 42 AE 91 59 75 5E 27 49 71 71 EA ..A.bB..Yu^'Iqq. 01C0: F3 F6 61 D6 32 C3 07 F5 F4 C2 33 67 0A 76 78 BA ..a.2.....3g.vx. 01D0: 04 3F 8F 36 D5 F0 80 67 2C 01 80 F8 1F 8A DC 89 .?.6...g,....... 01E0: E4 CB FA 98 61 18 E4 0E 73 4B 9C CB DA C7 70 95 ....a...sK....p. 01F0: 92 EF FF 44 08 90 72 25 5D FA BB 54 3A 17 C9 42 ...D..r%]..T:..B ] 3.2.--------------------------------------------------------------------------- [ [ Version: V3 Subject: C=ES, O=ACCV, OU=Ciudadanos, SURNAME=DANTE ROWAN, GIVENNAME=XIMO, SERIALNUMBER=00000000K, CN=XIMO DANTE ROWAN - NIF:00000000K Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 21757130547546887926731287792570240531716684128927768517543627413859405485980142027347572350063970037860667217768728083194306284863331578611854854525535163472922153877080767307418651436474925502245400991196153728239177021417001651670871254677349563692351627223238730450941293371238545906699705924695419291880497656443177970251754674625184476860189356029686362811922598102001962238968212045384817598559466925299377599470182410916072150326389960741015440799734738117762739492302380894771825837694705499766527035717445176670596986088165048420218312673744319669479917012899370872874273446650279746235787115459471191975169 public exponent: 65537 Validity: [From: Wed Jun 01 14:11:08 CEST 2016, To: Sat Jun 01 14:11:08 CEST 2019] Issuer: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVCA-120 SerialNumber: [ 69bc4ec7 c373186f] Certificate Extensions: 9 [1]: ObjectId: 1.3.6.1.5.5.7.1.3 Criticality=false Extension unknown: DER encoded OCTET string = 0000: 04 22 30 20 30 14 06 08 2B 06 01 05 05 07 0B 02 ."0 0...+....... 0010: 30 08 06 06 04 00 8E 46 01 01 30 08 06 06 04 00 0......F..0..... 0020: 8E 46 01 01 .F.. [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false AuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://www.accv.es/gestcert/ACCVCA120SHA2.cacert.crt , accessMethod: ocsp accessLocation: URIName: http://ocsp.accv.es ] ] [3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: E8 40 9B 8E FB 66 3F C1 44 D8 A1 DF D4 4A 81 42 .@...f?.D....J.B 0010: 08 17 CB E5 .... ] ] [4]: ObjectId: 2.5.29.31 Criticality=false CRLDistributionPoints [ [DistributionPoint: [URIName: http://www.accv.es/fileadmin/Archivos/certificados/accvca120_der.crl] CRLIssuer:[C=ES, O=ACCV, OU=PKIACCV, CN=ACCVCA-120] ]] [5]: ObjectId: 2.5.29.32 Criticality=false CertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.8149.3.7.5.0] [PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.2 qualifier: 0000: 30 82 01 6C 1E 82 01 68 00 43 00 65 00 72 00 74 0..l...h.C.e.r.t 0010: 00 69 00 66 00 69 00 63 00 61 00 64 00 6F 00 20 .i.f.i.c.a.d.o. 0020: 00 72 00 65 00 63 00 6F 00 6E 00 6F 00 63 00 69 .r.e.c.o.n.o.c.i 0030: 00 64 00 6F 00 20 00 70 00 61 00 72 00 61 00 20 .d.o. .p.a.r.a. 0040: 00 43 00 69 00 75 00 64 00 61 00 64 00 61 00 6E .C.i.u.d.a.d.a.n 0050: 00 6F 00 20 00 65 00 78 00 70 00 65 00 64 00 69 .o. .e.x.p.e.d.i 0060: 00 64 00 6F 00 20 00 70 00 6F 00 72 00 20 00 6C .d.o. .p.o.r. .l 0070: 00 61 00 20 00 41 00 67 00 65 00 6E 00 63 00 69 .a. .A.g.e.n.c.i 0080: 00 61 00 20 00 64 00 65 00 20 00 54 00 65 00 63 .a. .d.e. .T.e.c 0090: 00 6E 00 6F 00 6C 00 6F 00 67 00 ED 00 61 00 20 .n.o.l.o.g...a. 00A0: 00 79 00 20 00 43 00 65 00 72 00 74 00 69 00 66 .y. .C.e.r.t.i.f 00B0: 00 69 00 63 00 61 00 63 00 69 00 F3 00 6E 00 20 .i.c.a.c.i...n. 00C0: 00 45 00 6C 00 65 00 63 00 74 00 72 00 F3 00 6E .E.l.e.c.t.r...n 00D0: 00 69 00 63 00 61 00 20 00 28 00 50 00 6C 00 2E .i.c.a. .(.P.l.. 00E0: 00 20 00 43 00 E1 00 6E 00 6F 00 76 00 61 00 73 . .C...n.o.v.a.s 00F0: 00 20 00 64 00 65 00 6C 00 20 00 43 00 61 00 73 . .d.e.l. .C.a.s 0100: 00 74 00 69 00 6C 00 6C 00 6F 00 2C 00 20 00 31 .t.i.l.l.o.,. .1 0110: 00 2E 00 20 00 43 00 49 00 46 00 20 00 51 00 34 ... .C.I.F. .Q.4 0120: 00 36 00 30 00 31 00 31 00 35 00 36 00 45 00 29 .6.0.1.1.5.6.E.) 0130: 00 2E 00 20 00 43 00 50 00 53 00 20 00 79 00 20 ... .C.P.S. .y. 0140: 00 43 00 50 00 20 00 65 00 6E 00 20 00 68 00 74 .C.P. .e.n. .h.t 0150: 00 74 00 70 00 3A 00 2F 00 2F 00 77 00 77 00 77 .t.p.:././.w.w.w 0160: 00 2E 00 61 00 63 00 63 00 76 00 2E 00 65 00 73 ...a.c.c.v...e.s ], PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 24 68 74 74 70 3A 2F 2F 77 77 77 2E 61 63 63 .$http://www.acc 0010: 76 2E 65 73 2F 6C 65 67 69 73 6C 61 63 69 6F 6E v.es/legislacion 0020: 5F 63 2E 68 74 6D _c.htm ]] ] ] [6]: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ clientAuth emailProtection ] [7]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation ] [8]: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ RFC822Name: ximodante@gmail.com UID=00000000K, CN=XIMO|DANTE|ROWAN ] [9]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 64 90 C5 0E A1 A8 84 FC D1 CB 7A CE 6D FF 99 C1 d.........z.m... 0010: E0 C2 0C CA .... ] ] ] Algorithm: [SHA256withRSA] Signature: 0000: 1A 78 76 1F A9 4A A4 4F 61 9F 40 3B 92 C2 D4 DB .xv..J.Oa.@;.... 0010: 4E 85 84 E6 7C 66 30 CD E8 25 FB FF C3 3B 6B D9 N....f0..%...;k. 0020: 21 99 9B AC D3 1D 8C 3D 02 3D F8 11 67 FE 70 77 !......=.=..g.pw 0030: 21 8C 94 80 F8 35 FF 83 9C 4A B3 F5 3E 58 70 BE !....5...J..>Xp. 0040: 59 D6 C9 43 FA 50 0C B5 DA F8 BB 1B DE 20 A7 90 Y..C.P....... .. 0050: 42 61 3B 59 6D BE F7 3E 1C 24 95 6C ED 86 CE BE Ba;Ym..>.$.l.... 0060: E9 01 B3 D0 5A 49 6D A6 C3 BB 8E 1D E9 C3 29 3B ....ZIm.......); 0070: CA 2E A4 74 62 0E 6C C6 3B 9E 71 A5 84 9D 1B 23 ...tb.l.;.q....# 0080: BE D1 EA DD 1F 25 A6 4D E0 0B 3D 3F AB B3 E5 ED .....%.M..=?.... 0090: 84 FC 6A 74 01 03 C5 E5 35 0E F4 F8 36 97 BB B5 ..jt....5...6... 00A0: ED 0E 69 4C C7 70 41 1F 25 E7 CD 46 44 B1 C6 51 ..iL.pA.%..FD..Q 00B0: D0 A2 43 A1 9B FA 88 02 09 2B 8A 8F C0 7F 85 B7 ..C......+...... 00C0: 7B 32 DB BB 3C FC AB 11 B8 80 C4 EE 05 FF DE CD .2..<........... 00D0: 5F 85 4B BC EC 85 B3 E6 25 36 84 B0 A2 0C F5 12 _.K.....%6...... 00E0: 35 B8 30 66 AD BA 43 B0 BD DA 7E BA 76 15 60 D6 5.0f..C.....v.`. 00F0: 7E CB FE 6F 07 25 59 5F 56 F2 1A 08 AD 5B 12 9D ...o.%Y_V....[.. 0100: 22 B0 5F 81 67 04 9E D9 9F B4 03 56 39 D1 5C 94 "._.g......V9.\. 0110: FB 85 18 E0 AE BE D1 50 8B D8 A1 A6 26 8B E2 B8 .......P....&... 0120: 6C 68 6F 58 78 F3 06 35 4B 68 A5 27 77 C3 B3 F8 lhoXx..5Kh.'w... 0130: 77 F7 DD 83 55 3A 9D D1 C0 12 CF CC D8 74 5F 74 w...U:.......t_t 0140: 26 1C 22 8D C2 E8 12 48 25 1F 48 07 BC 12 7C C1 &."....H%.H..... 0150: EA 2B 45 76 BB 6E E0 7C DF 7C 3B B9 29 D3 E2 55 .+Ev.n....;.)..U 0160: B3 0C 13 5D 01 33 CF 7C 8B 59 68 42 91 69 DC D4 ...].3...YhB.i.. 0170: 3A A5 79 4C 2C D6 60 8A 0F 08 25 9D A7 61 A9 35 :.yL,.`...%..a.5 0180: A2 6D 70 6A D2 14 7E 40 8E 05 D5 96 74 6C E0 19 .mpj...@....tl.. 0190: D1 56 81 50 A2 86 CC 84 93 6B 6B CF 9F 7F EC D1 .V.P.....kk..... 01A0: 69 9A F9 47 6B A2 12 98 3E 99 F1 9F 3E 41 A6 0E i..Gk...>...>A.. 01B0: 48 1B C5 7B E8 5E E6 37 C4 09 8D 5D 48 F6 5A 28 H....^.7...]H.Z( 01C0: 14 8A 12 CB C1 31 EB 2D 0C FC B7 E7 A3 1D 4C C3 .....1.-......L. 01D0: D0 EE A1 7C 17 FB B4 10 01 AD CA AE 89 9D 98 BE ................ 01E0: C9 6F F4 6A C6 A3 5C 96 4C 7E 9B 63 31 FE 94 94 .o.j..\.L..c1... 01F0: C4 D1 6D ED E4 64 44 AB E9 D2 F6 4A D3 22 A6 CF ..m..dD....J.".. ] 4.--------------------------------------------------------------------------- EPN1 EPN1 5.--------------------------------------------------------------------------- null RSA class sun.security.pkcs11.P11Key$P11PrivateKey 0 PKCS#8 RSA class sun.security.rsa.RSAPrivateCrtKeyImpl -2192210

3. Posibles problemas

1. No has puesto la tarjeta en el lector
2. No has definido la configuración de la tarjeta en la variable CARD_DRIVERS en las líneas  23-27
3. Si no tienes tarjeta y solo tienes el certificado p12, inhabilita los tests de la tarjeta.

Happy coding!