gpt4 book ai didi

java - 如何从 Java 中的 USB token 获取 KeyStore

转载 作者:搜寻专家 更新时间:2023-11-01 03:23:09 30 4
gpt4 key购买 nike

我已经有一个 SafeNet 5100 eToken,里面有一个有效的证书,我用它来访问我公司需要它的 Web 应用程序(多因素身份验证)。

我正在创建一个桌面应用程序来访问这个网站。我已经能够将网站的证书添加到 TrustStore 并将我的证书放入 KeyStore

到目前为止我得到的是:

System.setProperty("javax.net.ssl.trustStore", "U:\\Certificados\\efau.truestore");
System.setProperty("javax.net.ssl.trustStoreType", "jks");
System.setProperty("javax.net.ssl.trustStorePassword", "oiadad");

KeyManagerFactory kFac;
SSLContext sslContext;
SSLSocketFactory sockFactory = null;
KeyStore ks;

try {
// load keystore present in windows and print aliases found (only one, so nextElement always prints same information (name of certificate inside usb token I want to open))
ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
ks.load(null, null);
System.out.println(ks.aliases().nextElement());
System.out.println(ks.aliases().nextElement());

// try to load my certificate specifically from all certificates and passes necessary token password to it
InputStream in = IOUtils.toInputStream(ks.aliases().nextElement(), "UTF-8");
System.out.println(in);
ks.load(in, password);

// print certificate to check if I have it
System.out.println(ks.getCertificate(ks.aliases().nextElement()));

// get ssl context and key manager factory
sslContext = SSLContext.getInstance("SSL", "SunJSSE");
kFac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kFac.init(ks,null);

sslContext.init(kFac.getKeyManagers(), null, null);
sockFactory = sslContext.getSocketFactory();

// start connection with website
HttpsURLConnection conn = (HttpsURLConnection)new URL(<my-https-url>).openConnection();
conn.setRequestMethod("GET");
conn.setDoInput(true);
conn.setSSLSocketFactory(sockFactory);

int responseCode = conn.getResponseCode();
System.out.println("RESPONSE: " + responseCode);

} catch (KeyStoreException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (NoSuchProviderException e) {
e.printStackTrace();
} catch (UnrecoverableKeyException e1) {
e1.printStackTrace();
} catch (KeyManagementException e1) {
e1.printStackTrace();
}

当我运行这段代码时,我得到:

javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at receita.system.monitoring.Ping.main(Ping.java:313)

当我输入正确的 token 密码和输入错误的密码时,我都会收到此错误,所以我认为我从来没有以正确的方式传递密码。

为什么我会收到异常?

------------ 更新------------

我创建了一个配置文件,其中包含指向我的 PKCS11.dll 库的以下信息:

name = Aladdin
library = C:/WINDOWS/system32/eTPKCS11.dll

在主函数中我添加:

SunPKCS11 newProvider = new SunPKCS11("u:/Certificados/etpkcs11.cfg");
Provider a = newProvider;
Security.addProvider(a);

KeyStore ks;
try {
ks = KeyStore.getInstance("PKCS11");
...
}

现在我得到这个错误:

java.security.KeyStoreException: PKCS11 not found
at java.security.KeyStore.getInstance(Unknown Source)
at receita.system.monitoring.Ping.main(Ping.java:292)
Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available
at sun.security.jca.GetInstance.getInstance(Unknown Source)
at java.security.Security.getImpl(Unknown Source)
... 2 more

我还尝试将 Keystore.getInstance 修改为:

ks = KeyStore.getInstance("PKCS11", a);

然后我得到这个不同的错误:

java.security.KeyStoreException: PKCS11 not found
at java.security.KeyStore.getInstance(Unknown Source)
at receita.system.monitoring.Ping.main(Ping.java:292)
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-Aladdin
at sun.security.jca.GetInstance.getService(Unknown Source)
at sun.security.jca.GetInstance.getInstance(Unknown Source)
at java.security.Security.getImpl(Unknown Source)
... 2 more

--------更新2(工作代码)--------

我的最终工作代码是:

System.setProperty("javax.net.ssl.trustStore", "U:\\Certificados\\efau.truestore");
System.setProperty("javax.net.ssl.trustStoreType", "jks");
System.setProperty("javax.net.ssl.trustStorePassword", "oiadad");

KeyManagerFactory kFac;
SSLContext sslContext;
SSLSocketFactory sockFactory = null;

SunPKCS11 providerMSCAPI = new SunPKCS11("u:/Certificados/etpkcs11.cfg");
Provider a = providerMSCAPI;
Security.addProvider(a);

KeyStore ks;
try {
ks = KeyStore.getInstance("PKCS11");

ks.load(null, password);

InputStream in = IOUtils.toInputStream(ks.aliases().nextElement(), "UTF-8");
ks.load(in, password);


sslContext = SSLContext.getInstance("SSL", "SunJSSE");
kFac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kFac.init(ks,null);

sslContext.init(kFac.getKeyManagers(), null, null);
sockFactory = sslContext.getSocketFactory();

HttpsURLConnection conn = (HttpsURLConnection)new URL(/*<my-url>*/).openConnection();
conn.setRequestMethod("GET");
conn.setDoInput(true);
conn.setSSLSocketFactory(sockFactory);

int responseCode = conn.getResponseCode();

InputStream inputstream = conn.getInputStream();
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);

String line = null;
String htmlResponse = "";

while ((line = bufferedreader.readLine()) != null) {
htmlResponse += line + "\n";
}

} catch (KeyStoreException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (NoSuchProviderException e) {
e.printStackTrace();
} catch (UnrecoverableKeyException e1) {
e1.printStackTrace();
} catch (KeyManagementException e1) {
e1.printStackTrace();
}

而且我必须在运行配置中设置调试参数:

-Djava.security.debug=sunpkcs11

或者在.cfg文件中设置插槽:

name=SafeNet
library=C:\Windows\System32\eTPKCS11.dll
slot=4

最佳答案

SunMSCAPI 实现并不完美(例如,如果您拥有具有相同“友好名称”的证书,则有些证书将无法访问,因为它也是用于 keystore 别名的唯一 key )。我不确定它与硬件 token 的配合情况如何。

your token seems to support PKCS#11 ,您不妨利用 Oracle JRE 对 PKCS11 keystores 的直接支持.

基本上,您的 token 驱动程序应该带有一个实现 PKCS#11 接口(interface)的 DLL,并且您需要将 Java 指向它(如 PKCS#11 指南中所述)。为了获得更大的灵 active ,动态安装提供程序可能更方便(请参阅以“动态安装提供程序,[...]”开头的段落。


根据您的评论,也许您可​​以通过反复试验(通过捕获这些异常)来找到正确的插槽。您可以从字符串加载配置,而不是使用配置文件。

String password = "xxxxxxxxx";
String storeType = "PKCS11";

String configuration = "name = OpenSC\n"
+ "library = /usr/lib/opensc-pkcs11.so\n";
Provider provider = new sun.security.pkcs11.SunPKCS11(
new ByteArrayInputStream(configuration.getBytes("UTF-8")));

Security.addProvider(provider);

KeyStore keyStore = KeyStore.getInstance(storeType, provider);
keyStore.load(null, password.toCharArray());

如果您将 "slot=...\n" 添加到配置字符串并使用循环尝试各种值直到它停止抛出异常,它可能会起作用。您可能需要删除失败的安全提供程序,或者也更改名称。 (我并不是说这是一种干净的方法。)

顺便说一句,如果您不想硬编码您的密码(当然!)或从某个配置文件加载它,您可以使用这样的回调处理程序:

KeyStore keyStore = KeyStore.getInstance(storeType, provider);
LoadStoreParameter param = new LoadStoreParameter() {
@Override
public ProtectionParameter getProtectionParameter() {
return new KeyStore.CallbackHandlerProtection(... put your callback handler here...);
}
};
keyStore.load(param);

您的回调处理程序可以是“new com.sun.security.auth.callback.DialogCallbackHandler()”。我通常不建议使用任何 com.sun.*sun.* 包,因为它们不是公共(public) Java API 的一部分,但您在此处使用 sun.security.pkcs11.SunPKCS11,因此无论如何您的代码都将绑定(bind)到这个 JRE 系列。

关于java - 如何从 Java 中的 USB token 获取 KeyStore,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23665092/

30 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com