Java security - MSCAPI provider: How to retrieve certificates from USB tokens only

I have managed to use Sun's MSCAPI provider in my applet.

My applet simply lists certificates from the Windows certificate store and lets the user sign his/her transaction by allowing the user to select his/her preferred certificate.

I would like to prevent users from signing without a USB token/smart card, which means my applet shouldn't show/list a certificate if its private key is not stored in a USB token/smart card.

I retrieve certificates like this (try/catch block removed):

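import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

// Open the current user's personal certificate store through SunMSCAPI
KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
keyStore.load(null);

Enumeration<String> enumeration = keyStore.aliases();
while (enumeration.hasMoreElements()) {
    String alias = enumeration.nextElement();
    Certificate ksCertificate = keyStore.getCertificate(alias);

    ...
}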

I manage the signing like this (try/catch block removed):

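import java.security.PrivateKey;
import java.security.Signature;

// Retrieve private key
PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, null);

// Sign data by using certificate's signing algorithm
// (certificate is the selected entry as a java.security.cert.X509Certificate)
Signature signer = Signature.getInstance(certificate.getSigAlgName(), keyStore.getProvider());

signer.initSign(privateKey);
signer.update(data);
byte[] result = signer.sign();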

I couldn't find any way to differentiate whether a certificate is from a USB token. I checked both Certificate and PrivateKey objects, however I couldn't find any attribute that could be helpful for me.

Any suggestions on how to do this with MSCAPI? Or any suggestions for an MSCAPI alternative?

(The reason why I don't/can't use PKCS11 is that multiple brands of tokens need to be supported worldwide, and the requirement is that the applet shouldn't maintain the list of PKCS11 dll paths inside for each token. Retrieving dll paths from server side is also not accepted. So in this case I can't use PKCS11. Please correct me if I am wrong.)

I think this is too late a reply.

Each USB token provider will give a customized driver for their token. E.g. ePass or ProxKey has its own driver. The location of the driver (DLL/SO) file will differ. The file name of the driver will also differ. So you can't read/initialize them without mentioning the proper driver path. You can go for https://github.com/joelhockey/jacknji11
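Added example (not part of the original question or answer, and not code from jacknji11): listing only token-held certificates through the JDK's own SunPKCS11 provider, which shows the answer's point that the vendor library path has to be supplied by the caller. The class name, the `UsbToken` config name and the command-line argument are assumptions; Java 9 or later is assumed for `Provider.configure`.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TokenCertLister {

    /** Returns the certificates whose private key is held by the token behind libraryPath. */
    static List<X509Certificate> listTokenCertificates(String libraryPath, char[] pin) throws Exception {
        // SunPKCS11 must be told which vendor module to load; it does not discover one itself.
        Path cfg = Files.createTempFile("pkcs11-", ".cfg");
        Files.write(cfg, List.of("name = UsbToken", "library = " + libraryPath));

        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) throw new IllegalStateException("SunPKCS11 provider not available");
        Provider provider = base.configure(cfg.toString());
        Files.deleteIfExists(cfg); // the configuration has been read by now

        // Entries of a PKCS11 keystore come from the token, not from the Windows software store.
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin);

        List<X509Certificate> result = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            // isKeyEntry is true only when the entry has a private key on the token.
            if (ks.isKeyEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate) {
                result.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from a terminal): TokenCertLister <vendor-pkcs11-library>");
            return;
        }
        char[] pin = console.readPassword("Token PIN: ");
        for (X509Certificate cert : listTokenCertificates(args[0], pin)) {
            System.out.println(cert.getSubjectX500Principal().getName());
        }
    }
}
```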
