Load MSCAPI Java Keystore without loading private keys (hard token)


Question

I would like to load an MSCAPI keystore within Java and examine available certificates in the MY store. However, some keys for those certificates reside on hardware tokens and a popup asks for the token during load.

Is there a way to defer loading the private keys when loading the Windows keystore?

import java.security.KeyStore;

KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
keyStore.load(null, null);   // the token popup appears during this call

Answer

The popup is being activated from the MS-CAPI Cryptographic Service Provider (CSP) - the DLL supplied by the USB token manufacturer - which finally communicates to the token through a driver (also supplied by the token-manufacturer). KeyStore merely makes a call and the layers in between just pass it through; the firmware on the token is the one that throws up the authentication pop-up and maintains session-state, etc.

The key Java dll is sunmscapi.dll which has the implementation:

// Use CertEnumCertificatesInStore to get the certificates
// from the open store. pCertContext must be reset to
// NULL to retrieve the first certificate in the store.
while (pCertContext = ::CertEnumCertificatesInStore(hCertStore, pCertContext))
{
    // Check if private key available - client authentication certificate
    // must have private key available.
    HCRYPTPROV hCryptProv = NULL;
    DWORD dwKeySpec = 0;
    HCRYPTKEY hUserKey = NULL;
    BOOL bCallerFreeProv = FALSE;
    BOOL bHasNoPrivateKey = FALSE;
    DWORD dwPublicKeyLength = 0;

    if (::CryptAcquireCertificatePrivateKey(pCertContext, NULL, NULL,
                                            &hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE)
    {
        bHasNoPrivateKey = TRUE;

    } else {
        // Private key is available

        BOOL bGetUserKey = ::CryptGetUserKey(hCryptProv, dwKeySpec, &hUserKey);

        // Skip certificate if cannot find private key
        if (bGetUserKey == FALSE)
        {
            if (bCallerFreeProv)
                ::CryptReleaseContext(hCryptProv, NULL);

            continue;
        }
        ....

As you can see it always checks for a private key. You would have to modify this code and create a custom version of sunmscapi.dll to avoid this or otherwise defeat this check.
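As an added example (not code from the question or the answer above), the following PowerShell inventories the same MY store that Windows-MY opens, but reads each certificate's stored key-provider reference (CERT_KEY_PROV_INFO_PROP_ID) through a small crypt32 P/Invoke instead of calling CryptAcquireCertificatePrivateKey, the step in sunmscapi.dll that reaches the token CSP and raises the prompt. It assumes Windows PowerShell on a machine with the token CSP installed; the class and function names are my own.

```powershell
# Reads CERT_KEY_PROV_INFO_PROP_ID (key-provider metadata stored on the certificate)
# instead of calling CryptAcquireCertificatePrivateKey, so the token CSP is never opened.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class KeyProvInfo {
    // Mirrors CRYPT_KEY_PROV_INFO from wincrypt.h
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CRYPT_KEY_PROV_INFO {
        public string pwszContainerName; public string pwszProvName;
        public uint dwProvType; public uint dwFlags; public uint cProvParam;
        public IntPtr rgProvParam; public uint dwKeySpec;
    }
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertGetCertificateContextProperty(
        IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
    const uint CERT_KEY_PROV_INFO_PROP_ID = 2;
    // Returns {provider, container, keySpec}, or null if the certificate carries no key reference.
    public static string[] Read(IntPtr certContext) {
        uint cb = 0;
        if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, IntPtr.Zero, ref cb))
            return null;                       // no private key linked to this certificate
        IntPtr buf = Marshal.AllocHGlobal((int)cb);
        try {
            if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, buf, ref cb))
                return null;
            var info = (CRYPT_KEY_PROV_INFO)Marshal.PtrToStructure(buf, typeof(CRYPT_KEY_PROV_INFO));
            // dwKeySpec: 1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE, 0xFFFFFFFF = CNG key (CERT_NCRYPT_KEY_SPEC)
            return new[] { info.pwszProvName, info.pwszContainerName, info.dwKeySpec.ToString() };
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
"@
function Get-MyStoreKeyInventory {
    # Cert:\CurrentUser\My is the "MY" store that the Windows-MY keystore type opens.
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        # Never read $cert.PrivateKey here: that acquires the key through the CSP,
        # the same step that makes sunmscapi.dll's load() raise the token prompt.
        $info = [KeyProvInfo]::Read($cert.Handle)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = if ($info) { $info[0] } else { '(no private key reference)' }
            Container  = if ($info) { $info[1] } else { '' }
            KeySpec    = if ($info) { $info[2] } else { '' }
        }
    }
}
Get-MyStoreKeyInventory | Format-Table -AutoSize
```

The Provider column shows which certificates are backed by a token CSP and will therefore trigger the prompt once a Java KeyStore.load() enumerates them.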
