开发者

Do client authentication with PKCS11 token (Smartcard)

问答 作者:

I have to call a script on a server (php, jsp - what ever). But this server is protected by a client authentication. Now it is possible for me to do it with a P12-Keystore. The code for this:

    private void installSSLContextP12() throws Exception {
    KeyStore tks = KeyStore.getInstance(KeyStore.getDefaultType());
    tks.load(new FileInputStream("/home/dan/Dokumente/Zertifikate/store"), "xxx".toCharArray());                   // load truststore

    KeyStore iks = KeyStore.getInstance("PKCS12");
    iks.load(new FileInputStream("/home/dan/Dokumente/Zertifikate/danmocz_zert.p12"), "yyy".toCharArray());     // load private keystore

    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());            // init truststore
    tmf.init(tks);

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(iks, "yyy".toCharArray());                                                                                    // load priv. key's pw
    KeyManager[] kms = kmf.getKeyManagers();


    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);                                                          // trust/keystore
    SSLContext.setDefault(ctx);  //That is enough to authenticate at the server
}

This works fine.

But now i have a Smartcard(PKCS11) and i need to authenticate with this. I use the opensc-cryptocard provider to read the card. the sample code for this comes here (see line comments !):

private void installSSLContextPKCS11() throws Exception {
    PKCS11Provider provider = new PKCS11Provider("/usr/lib/opensc-pkcs11.so.BAK");
    Security.addProvider(provider);

    System.out.println("loading truststore");
    KeyStore tks = KeyStore.getInstance(KeyStore.getDefaultType());
    tks.load(new FileInputStream("/home/dan/Dokumente/Zertifikate/store"), "xxx".toCharArray());                   // load truststore

    System.out.println("loading keystore");
    KeyStore iks = KeyStore.getInstance("PKCS11", provider);  //works fine. he asks for a right pin - cancels when pin is wrong
    iks.load(null, "zzz".toCharArray());                                                                                                         // load private keystore

    System.out.println("init truststore");
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());            // init truststore
    tmf.init(tks);

    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");  // here is the problem. It seems that the pin is ignored. and if i overgive the provider (like KeyStore.getInstance-Method)i get an NoSuchAlgorithmException (for stacktrace see below)
    kmf.init(null, "834950".toCharArray());  //The debugger shows in kmf.getKeyManagers()-Array no priv. Key or anything. It contains nothing but an empty hashmap (or something like this) with p12 it contains the priv. key and the certificate from the smart card

    System.out.println("setting sslcontext");
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    SSLContext.setDefault(ctx);

    System.out.println("doing handshake");
    final SSLSocketFactory factory = ctx.getSocketFactory();
    final SSLSocket socket = (SSLSocket) factory.createSocket("download.uv.ruhr-uni-bochum.de", 443);
    socket.setUseClientMode(true);
    socket.startHandshake();   // here i try to do the handshake. it works with a p12-keystore... like ahead. with pkcs11 i get an SSLHandshakeException (Received fatal alert: handshake_failure)
    System.out.println("done");
}

The NoSuchAlgorythmException: 

Exception in thread "main" java.security.NoSuchAlgorithmException: no such algorithm: SunX509 for provider OpenSC-PKCS11
    at sun.security.jca.GetInstance.getService(GetInstance.java:100)
    at sun.security.jca.GetInstance.getInstance(GetIn开发者_JS百科stance.java:218)
    at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:217)
    at clientauthtest.Main.installSSLContextPKCS11(Main.java:130)
    at clientauthtest.Main.main(Main.java:54)

Hope you see the problem. Thanks in advance... daniel

Builder builder = Builder.newInstance("PKCS11", provider, new KeyStore.CallbackHandlerProtection(/*PIN callback handler instance*/));
KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
kmf.init(new KeyStoreBuilderParameters(builder));

This should work fine.

PHP has a PKCS11 extension that can be used to sign, verify, encrypt or decrypt your data. See: https://github.com/gamringer/php-pkcs11

Some examples are available into the tests/ folder. For example see : https://github.com/gamringer/php-pkcs11/blob/master/tests/0340-oasis_C_Encrypt.phpt

It won't help for your jsp, but as you stated that you can use php too, you should give a try.

继续阅读:authenticationpkcs#11smartcardssl

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9