Mutual client authentication with PKCS#11


Question


I am trying to create a browser application that will access a server which requires TLS Mutual Client Authentication. The application needs to be able to supply the client certificate and key via a PKCS#11 interface.


Having looked at various articles on mutual tls for Android, I believe the PKCS#11 requirement rules out using the Android KeyChain/adding the certificates to the default keystore on Android (because the private key cannot be directly accessed).


I have the PKCS#11 interface working so I can use the private key to sign data.


Is there a way to intercept the calls for Android to sign data with a key so that I can use the PKCS#11 interface instead? Currently it seems that my only option really is to implement my own TLS stack to achieve this.

Answer


It depends :) What platform(s) are you targeting? On Jelly Bean, there is some support for hardware devices in the keystore, so you can write a keymaster module that uses your PKCS#11. That, however, is an OS component, so it would require implementing your own ROM. You can also develop your own JCE provider that is backed by the PKCS#11 module. Then, in your browser, make sure the SSL engine uses your provider when doing client auth.
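The second option in the answer (a PKCS#11-backed JCE provider wired into the TLS engine for client auth) is the standard JSSE pattern of KeyStore, KeyManagerFactory and SSLContext. The following is an added example, not code from the question or the answer, written for a desktop JDK (9 or later) where the built-in SunPKCS11 provider plays the role of the PKCS#11-backed provider; on Android you would substitute your own provider, but the wiring below is the same. The config path, token PIN, certificate alias and target URL are assumptions. The example also pins the client alias so the engine cannot silently pick a different certificate, and includes a check that the private key is non-extractable (a token-resident key returns null from getEncoded()), which confirms that signing really happens inside the PKCS#11 module.

```java
import java.net.Socket;
import java.net.URL;
import java.security.Key;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

public class Pkcs11ClientAuth {

    // Assumed values, not from the original post. The config file follows the SunPKCS11
    // format, e.g. two lines: "name = token" and "library = /usr/lib/softhsm/libsofthsm2.so".
    static final String PKCS11_CONFIG = "/etc/pki/pkcs11-client.cfg";
    static final char[] TOKEN_PIN = "1234".toCharArray();
    static final String CLIENT_ALIAS = "client-cert";
    static final String TARGET_URL = "https://mtls.example.test/";

    /** Load the PKCS#11 provider and return a KeyStore view of the token (no key bytes are read). */
    static KeyStore openTokenKeyStore(Provider provider) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, TOKEN_PIN); // logs in to the token; keys stay on the device
        return ks;
    }

    /** Sanity check: a token-resident, non-extractable key exposes no encoding to Java. */
    static boolean privateKeyStaysOnToken(KeyStore ks, String alias) throws Exception {
        Key key = ks.getKey(alias, TOKEN_PIN);
        return key instanceof PrivateKey && key.getEncoded() == null;
    }

    /** Wrap the provider's key manager so the TLS engine always offers one known alias. */
    static X509ExtendedKeyManager pinnedAliasKeyManager(X509KeyManager delegate, String alias) {
        return new X509ExtendedKeyManager() {
            @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return alias; }
            @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return alias; }
            @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return null; }
            @Override public String[] getClientAliases(String kt, Principal[] iss) { return new String[] { alias }; }
            @Override public String[] getServerAliases(String kt, Principal[] iss) { return null; }
            @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
            @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); } // handle, not bytes
        };
    }

    /** Build an SSLContext whose client-auth signatures are performed by the PKCS#11 provider. */
    static SSLContext buildClientAuthContext(KeyStore tokenKeyStore, String alias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(tokenKeyStore, TOKEN_PIN);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509KeyManager from provider");
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        // null trust managers = platform default trust store for verifying the server
        ctx.init(new KeyManager[] { pinnedAliasKeyManager(base, alias) }, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Java 9+: configure the built-in SunPKCS11 provider from a config file and register it.
        Provider p11 = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(p11);

        KeyStore ks = openTokenKeyStore(p11);
        if (!privateKeyStaysOnToken(ks, CLIENT_ALIAS)) {
            throw new IllegalStateException("alias " + CLIENT_ALIAS + " is not a token-resident private key");
        }

        SSLContext ctx = buildClientAuthContext(ks, CLIENT_ALIAS);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(TARGET_URL).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode()); // the handshake signed with the token key
    }
}
```

The key manager never sees private key bytes: getPrivateKey returns an opaque handle, and the Signature operations the TLS engine performs on it are routed to the provider that owns the key, which is what makes "make sure the SSL engine uses your provider" work without a custom TLS stack. Pinning the alias matters operationally, because the default key manager chooses any alias whose issuer matches the server's CertificateRequest, which can leak the wrong identity to a server.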
