stackoom
  简体   繁体   中英

Load MSCAPI Java Keystore without loading private keys (hard token)

 原文  2012-10-17 15:15:10       java/ keystore/ smartcard

Question

I would like to load a MSCAPI keystore within Java and examine available certificates in the MY store. However some keys for those certificates reside on hardware tokens and a popup asks for the token during load.

Is there a way to defer loading the private keys when loading the Windows keystore? 

keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
keystore.load(null,null);

2 answers

solution1
 7 ACCPTED  2012-10-31 19:56:12

The popup is being activated from the MS-CAPI Cryptographic Service Provider (CSP) - the DLL supplied by the USB token manufacturer - which finally communicates to the token through a driver (also supplied by the token-manufacturer). KeyStore merely makes a call and the layers in between just pass it through; the firmware on the token is the one that throws up the authentication pop-up and maintains session-state, etc.

The key Java dll is sunmscapi.dll which has the implementation: 

// Use CertEnumCertificatesInStore to get the certificates
// from the open store. pCertContext must be reset to
// NULL to retrieve the first certificate in the store.
while (pCertContext = ::CertEnumCertificatesInStore(hCertStore, pCertContext))
{
    // Check if private key available - client authentication certificate
    // must have private key available.
    HCRYPTPROV hCryptProv = NULL;
    DWORD dwKeySpec = 0;
    HCRYPTKEY hUserKey = NULL;
    BOOL bCallerFreeProv = FALSE;
    BOOL bHasNoPrivateKey = FALSE;
    DWORD dwPublicKeyLength = 0;

    if (::CryptAcquireCertificatePrivateKey(pCertContext, NULL, NULL,
                                            &hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE)
    {
        bHasNoPrivateKey = TRUE;

    } else {
        // Private key is available

    BOOL bGetUserKey = ::CryptGetUserKey(hCryptProv, dwKeySpec, &hUserKey);

    // Skip certificate if cannot find private key
    if (bGetUserKey == FALSE)
    {
        if (bCallerFreeProv)
            ::CryptReleaseContext(hCryptProv, NULL);

        continue;
    }
    ....

As you can see it always checks for a private key. You would have to modify this code and create a custom version of sunmscapi.dll to avoid this or otherwise defeat this check.

solution2
 1  2018-05-30 13:59:43

This issue has been solved in JDK 9.

https://bugs.openjdk.java.net/browse/JDK-8153438

http://hg.openjdk.java.net/jdk9/dev/jdk/rev/e7f78523d41d

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How can I use MSCAPI inside an applet to load a keystore Load certificate and private key into Java KeyStore Android java updating certificate and private keys in Android KeyStore OpenPGP (Bouncy Castle) with MSCAPI Keystore how to load private key in windows store using Java KeyStore How to import a private key into a Java keystore without knowning the password Lazysodium keys in Java Keystore How to store and load keys using java.security.KeyStore class Java security - MSCAPI provider: How to use without password popup? Is it possible to access keys in a keystore from signed java code without a password?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM