Signing documents with SunMSCAPI and suppressing the "Enter PIN" dialog


Question

I am developing Java code that signs documents using a certificate token. So far, everything works great, but I want to suppress the "enter PIN" dialog because I am storing the user's PIN so he/she does not need to type it every time. The real problem here is that this code will run in batch mode (no user interaction). I know that once typed, the key may be in memory so it does not need to be typed again for a short time. But I can't rely on that; I need to provide the PIN. Here is the code I have so far (it is only a sample; it may not be complete, nor work):

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import org.bouncycastle.cms.CMSProcessable;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;

protected KeyStore loadKeyStoreFromSmartCard() throws GeneralSecurityException, IOException {
    // Windows-MY is the current user's personal store; the smart card's CSP sits behind it.
    KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
    keyStore.load(null, null); // no stream and no password for a CAPI-backed store
    return keyStore;
}

public byte[] signDocument(byte[] conteudoParaAssinar, String certAlias) throws Exception {
    KeyStore keyStore = loadKeyStoreFromSmartCard();
    // The key never leaves the card; the PIN prompt is raised by the CSP, not by Java.
    PrivateKey key = (PrivateKey) keyStore.getKey(certAlias, null);
    Certificate[] chain = keyStore.getCertificateChain(certAlias);
    CertStore certsAndCRLs = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(Arrays.asList(chain)), "BC");
    X509Certificate cert = (X509Certificate) chain[0];
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    gen.addSigner(key, cert, CMSSignedDataGenerator.DIGEST_SHA1); // legacy BC API; SHA-1 is deprecated for signatures
    gen.addCertificatesAndCRLs(certsAndCRLs);
    CMSProcessable data = new CMSProcessableByteArray(conteudoParaAssinar);
    // The signature is computed through SunMSCAPI; "true" encapsulates the signed content.
    CMSSignedData signed = gen.generate(data, true, "SunMSCAPI");
    return signed.getEncoded();
}

Edit

I have heard about CryptSetProvParam with PP_KEYEXCHANGE_PIN, which may be the solution, but I don't know how to call it from Java. All the examples I have found are for .NET.

Answer

I implemented something similar to this once, but unfortunately the smart card driver was buggy, so at times the driver tried to bring up the native PIN callback implemented in the driver itself. But let's assume your driver does better at that.

First of all, you need to implement a CallbackHandler; the documentation gives a good overview of the concept. In your case, it's the PasswordCallback case that's interesting to handle.

Next, create your KeyStore as follows (exception handling omitted):

Provider provider = Security.getProvider("SunMSCAPI");
CallbackHandler cbh = // your implementation
KeyStore.ProtectionParameter protection = new KeyStore.CallbackHandlerProtection(cbh);
//get a handle of the CAPI KeyStore as before
KeyStore.Builder keystoreBuilder = KeyStore.Builder.newInstance("Windows-MY",
                                                                provider, 
                                                                protection);
KeyStore store = keystoreBuilder.getKeyStore();

Then, to access the private key, do this:

KeyStore.Entry ke = store.getEntry(alias, null);
if (!(ke instanceof KeyStore.PrivateKeyEntry))
    throw new RuntimeException("The entry is not a private key.");
PrivateKey key = ((KeyStore.PrivateKeyEntry) ke).getPrivateKey();

The provider will automatically generate the appropriate PasswordCallbacks to be sent to your CallbackHandler. When handling the callback, you would simply pass your cached password.

Needless to say, password caching is generally frowned upon ;)
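The answer above describes the CallbackHandler but does not show one. The following is an added example, not code from the question or the answer: a handler that answers every PasswordCallback from a PIN held in memory, wired into the KeyStore.Builder flow the answer outlines. The class and method names (CachedPinCallbackHandler, loadPrivateKey) are my own. It assumes a Windows JRE where the SunMSCAPI provider is registered, and a card whose CSP actually honours a PIN supplied this way, which, as the answer itself notes, depends on the driver.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Hypothetical helper written for this page (not from the original answer).
 * Answers PasswordCallback from a cached PIN and rejects every other callback
 * type, so an unexpected interactive prompt fails fast instead of hanging a
 * batch job.
 */
public final class CachedPinCallbackHandler implements CallbackHandler {
    private final char[] pin;

    public CachedPinCallbackHandler(char[] pin) {
        // Keep a private copy so the caller can wipe its own buffer independently.
        this.pin = pin.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof PasswordCallback) {
                // setPassword copies the array, so the provider owns its buffer
                // and close() can still zero ours.
                ((PasswordCallback) cb).setPassword(pin);
            } else {
                // TextOutputCallback, NameCallback etc. would need a human; refuse.
                throw new UnsupportedCallbackException(cb,
                        "Unattended run cannot answer " + cb.getClass().getName());
            }
        }
    }

    /** Zero the cached PIN once the signing run is over. */
    public void close() {
        Arrays.fill(pin, '\0');
    }

    /**
     * Opens Windows-MY through SunMSCAPI with the handler as protection parameter
     * and returns the private key for the given alias. Assumes a Windows JRE.
     */
    public static PrivateKey loadPrivateKey(String alias, char[] pin) throws Exception {
        Provider provider = Security.getProvider("SunMSCAPI");
        if (provider == null) {
            throw new IllegalStateException("SunMSCAPI provider not available (Windows JRE only)");
        }
        CachedPinCallbackHandler handler = new CachedPinCallbackHandler(pin);
        try {
            KeyStore.ProtectionParameter protection = new KeyStore.CallbackHandlerProtection(handler);
            KeyStore.Builder builder = KeyStore.Builder.newInstance("Windows-MY", provider, protection);
            KeyStore store = builder.getKeyStore();
            // Use the builder's protection parameter for the entry lookup rather than null,
            // so the same handler answers the key-level PasswordCallback too.
            KeyStore.Entry entry = store.getEntry(alias, builder.getProtectionParameter(alias));
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                throw new IllegalArgumentException("Alias " + alias + " is not a private key entry");
            }
            return ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
        } finally {
            handler.close();
        }
    }
}
```

Two checks worth making before relying on this in a batch job. First, the JDK's default KeyStoreSpi.engineGetEntry refuses a null protection parameter for key entries ("requested entry requires a password"), which is why the example passes builder.getProtectionParameter(alias) instead of null. Second, SunMSCAPI performs the private-key operation inside the CSP, so the Java-level password is not what unlocks the card; if the driver still raises its own PIN window, that is the driver behaviour the answer warns about, not something this handler can intercept. Wherever the cached PIN comes from, store it protected at rest (for example under DPAPI for the service account) and keep it in a char[] that is zeroed after use, as above, rather than in a String.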
