Java SSL client does not select smart-card key

Reposted. Author: 行者123. Updated: 2023-11-30 10:48:03

I am trying to use an Estonian ID card for SSL client authentication in a Java program. This works in Chrome/Firefox against bank websites and against test servers (nginx or openssl s_server).

However, my Java client (okhttp) works fine with a local keystore but fails when trying to use the ID card. I have boiled it down to this test case, which reproduces the problem I see in the debugger and with logging enabled (-Djavax.net.debug=ssl:handshake).

I can talk to the card; for example, I can print out the certificate for the same key. I am piggybacking on the DigiDoc3 Client installation on Mac OS X.

I can see the exception that appears to cause the key to be ignored:

sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
    at sun.security.pkcs11.P11Key.getAttributes(P11Key.java:275)
    at sun.security.pkcs11.P11Key.privateKey(P11Key.java:330)
    at sun.security.pkcs11.P11KeyStore.loadPkey(P11KeyStore.java:1311)
    at sun.security.pkcs11.P11KeyStore.engineGetEntry(P11KeyStore.java:943)
    at java.security.KeyStore.getEntry(KeyStore.java:1521)
    at sun.security.ssl.X509KeyManagerImpl.getEntry(X509KeyManagerImpl.java:276)
    at sun.security.ssl.X509KeyManagerImpl.getCertificateChain(X509KeyManagerImpl.java:107)
    at com.baulsupp.oksocial.TestMain.main(TestMain.java:37)

Test program output:

1.0.Authentication
ssl: KeyMgr: choosing key: Authentication (verified: OK)
null
null

Test code:

package com.baulsupp.oksocial;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

public class TestMain {
    public static void main(String[] args)
            throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException,
            KeyStoreException, IOException {
        // Full JSSE/PKCS#11 tracing; the handshake-only variant is -Djavax.net.debug=ssl:handshake
        System.setProperty("javax.net.debug", "all");

        // Card PIN is taken from the PW environment variable (fails with an NPE if unset);
        // the interactive alternative would be System.console().readPassword("PW: ")
        char[] password = System.getenv().get("PW").toCharArray();

        X509ExtendedKeyManager km = (X509ExtendedKeyManager) getKeyManagers(password, 0)[0];

        // The key manager does find and choose the "Authentication" alias...
        String alias = km.chooseClientAlias(new String[] {"RSA"}, null, null);
        System.out.println(alias);

        // ...but the chain and private key both come back null, because the
        // KeyStore.getEntry call behind them throws CKR_ATTRIBUTE_TYPE_INVALID
        // (see the stack trace above) and the key manager swallows it
        X509Certificate[] chain = km.getCertificateChain(alias);
        System.out.println(chain);

        PrivateKey key = km.getPrivateKey(alias);
        System.out.println(key);
    }

    public static KeyManager[] getKeyManagers(char[] password, int slot)
            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException,
            UnrecoverableKeyException {
        //Security.removeProvider("IAIK");

        //Provider provider = new org.bouncycastle.jce.provider.BouncyCastleProvider();
        //Security.addProvider(provider);

        // SunPKCS11 configuration pointing at the esteid PKCS#11 module shipped with DigiDoc3 Client
        String config =
                "name=OpenSC\nlibrary=/Applications/qdigidocclient.app/Contents/MacOS/esteid-pkcs11.so\nslotListIndex="
                        + slot;

        sun.security.pkcs11.SunPKCS11 pkcs11 =
                new sun.security.pkcs11.SunPKCS11(new ByteArrayInputStream(config.getBytes()));

        Security.addProvider(pkcs11);

        //debugProviders();

        // PKCS11 keystore backed by the card; load() with the PIN logs in to the token
        KeyStore keystore = KeyStore.getInstance("PKCS11", pkcs11);
        keystore.load(null, password);

        //debugKeys(keystore);

        // NewSunX509 is the key manager that does alias selection by key type / issuer
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(keystore, null);

        return kmf.getKeyManagers();
    }

    // Prints every certificate on the token; this works, showing the card itself is reachable
    public static void debugKeys(KeyStore keystore) throws KeyStoreException {
        Enumeration<String> aliases = keystore.aliases();

        while (aliases.hasMoreElements()) {
            String s = aliases.nextElement();

            Certificate k = keystore.getCertificate(s);

            System.out.println(k);
        }
    }

    // Lists every installed provider and the services it offers
    public static void debugProviders() {
        Provider[] providers = Security.getProviders();
        for (Provider p : providers) {
            System.out.println("\n\n" + p.getName());
            Set<Provider.Service> services = p.getServices();

            for (Provider.Service s : services) {
                System.out.println(s.getType() + " " + s.getAlgorithm());
            }
        }
    }
}

In the meantime, I have also filed a support request.

Best answer

As far as I know, attributes only matter when you create objects in the PKCS#11 module, which is not the case with a smart card. Try OpenSC's pkcs11-spy to see which attribute types the module is being asked for but does not implement.

Another option is to use the underlying PKCS#11 methods (C_*), which give you finer control over the PKCS#11 details.
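The two suggestions in the answer, worked into one program. This is an added example, not code from the question or the answer: it uses the JDK's own `sun.security.pkcs11.wrapper.PKCS11` class to talk to the module directly, asks the token for one attribute at a time so that a single CKR_ATTRIBUTE_TYPE_INVALID pinpoints the offending attribute (the JDK's `P11Key.getAttributes` requests several in one template, so the whole template fails together), and then signs with `C_SignInit`/`C_Sign`, which bypasses the `P11KeyStore.loadPkey` path that threw. Assumptions: JDK 8 (on JDK 9+ you need `--add-exports jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED`), the module path from the question, the first slot with a token present, the PIN in the `PW` environment variable, and the list of probed attributes, which is my guess at what the JDK reads, not something the page states.

```java
package com.baulsupp.oksocial;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
import sun.security.pkcs11.wrapper.CK_MECHANISM;
import sun.security.pkcs11.wrapper.PKCS11;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;

// Added example (not from the original question or answer).
public class RawPkcs11Probe {
    // Module path from the question. To get a full call trace instead, point this at
    // OpenSC's pkcs11-spy.so and set PKCS11SPY to the real module path (assumed install
    // location on macOS: /Library/OpenSC/lib/pkcs11-spy.so; PKCS11SPY_OUTPUT names the log file).
    static final String MODULE = "/Applications/qdigidocclient.app/Contents/MacOS/esteid-pkcs11.so";

    // Attributes that the JDK's P11Key/P11KeyStore code plausibly reads when it loads a
    // private key (assumption, not taken from the page). Whichever of these the token
    // rejects is the candidate for the CKR_ATTRIBUTE_TYPE_INVALID seen in the question.
    static final long[] PROBED = {
        CKA_TOKEN, CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ID, CKA_LABEL,
        CKA_KEY_TYPE, CKA_MODULUS, CKA_ALWAYS_AUTHENTICATE
    };

    public static void main(String[] args) throws IOException, PKCS11Exception {
        char[] pin = System.getenv("PW").toCharArray();                    // assumption: PIN in PW
        PKCS11 p11 = PKCS11.getInstance(MODULE, "C_GetFunctionList", null, false);
        long[] slots = p11.C_GetSlotList(true);                             // slots with a token present
        long session = p11.C_OpenSession(slots[0], CKF_SERIAL_SESSION, null, null);
        p11.C_Login(session, CKU_USER, pin);
        try {
            for (long key : findPrivateKeys(p11, session)) {
                System.out.println("private key handle " + key);
                for (long attr : PROBED) {
                    probe(p11, session, key, attr);
                }
                // Raw PKCS#1 v1.5 signature over a short test message, without P11KeyStore.
                byte[] sig = signPkcs1(p11, session, key, "hello".getBytes(StandardCharsets.US_ASCII));
                System.out.println("  raw C_Sign produced " + sig.length + " bytes");
            }
        } finally {
            p11.C_Logout(session);
            p11.C_CloseSession(session);
        }
    }

    // Enumerate every CKO_PRIVATE_KEY object visible in the logged-in session.
    static long[] findPrivateKeys(PKCS11 p11, long session) throws PKCS11Exception {
        CK_ATTRIBUTE[] template = { new CK_ATTRIBUTE(CKA_CLASS, CKO_PRIVATE_KEY) };
        p11.C_FindObjectsInit(session, template);
        long[] found = p11.C_FindObjects(session, 16);
        p11.C_FindObjectsFinal(session);
        return found;
    }

    // One attribute per C_GetAttributeValue call, so the error names exactly one culprit.
    static void probe(PKCS11 p11, long session, long obj, long type) {
        CK_ATTRIBUTE[] one = { new CK_ATTRIBUTE(type) };
        try {
            p11.C_GetAttributeValue(session, obj, one);
            System.out.printf("  attr 0x%x ok%n", type);
        } catch (PKCS11Exception e) {
            System.out.printf("  attr 0x%x -> %s%n", type, e.getMessage()); // e.g. CKR_ATTRIBUTE_TYPE_INVALID
        }
    }

    // Sign with the token key via the C_* API; CKM_RSA_PKCS applies PKCS#1 v1.5 padding on the card.
    static byte[] signPkcs1(PKCS11 p11, long session, long key, byte[] data) throws PKCS11Exception {
        p11.C_SignInit(session, new CK_MECHANISM(CKM_RSA_PKCS), key);
        return p11.C_Sign(session, data);
    }
}
```

Two caveats when running this against a real card: a key object that reports CKA_ALWAYS_AUTHENTICATE as true will demand a further C_Login with CKU_CONTEXT_SPECIFIC before each signature, and an ID card exposes both an authentication key and a qualified-signature key, so restrict the loop to the handle whose certificate you actually want before signing anything that is not a throwaway test message.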

Regarding "Java SSL client does not select smart-card key", the corresponding question on Stack Overflow is: https://stackoverflow.com/questions/35977268/