Website PKCS #11 smart card authentication and SSL client certificates


Question

We are creating a three-factor authentication for a website due to legal requirements in one Scandinavian country. The customer is using NetID branded browser plug-ins to do PKCS #11 certificate authentication in the browser. The smartcards are supplied centrally by a partner of the customer.

This subject does not have many on-line resources or tutorials available. Would someone have any pointers to example implementations or tutorials on how to do PKCS #11 authentication in a web browser?

Edit: found out about SSL client certificates

  • Looks like the authentication method is SSL Client Certificate

How do we manage the relationship between users and their smartcards?

Do users deliver us their public keys and we authenticate against them?

Do we need to sign / provision each user individually using our own certificate?

Do all user smartcards contain a "generic" key which we test against a provider certificate?

http://www.garex.net/apache/

http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html

https://en.wikipedia.org/wiki/PKCS11

https://service.secmaker.com/examples/plugin.aspx

Accepted answer

Don't do it with JavaScript. JavaScript cryptography has a number of problems, and I don't think many browsers will let you access PKCS#11 directly from JavaScript (running from within the page) easily.

A number of browsers support PKCS#11 for HTTPS authentication, that is, using PKCS#11 for client-certificate authentication as part of the SSL/TLS connection (as part of HTTPS).

Assuming you already have a PKCS#11 library available (let's say OpenSC in /usr/lib/opensc.so), you can configure Firefox to use it:

  • Preferences -> Advanced -> Encryption, go into "Security Devices"
  • Click on 'Load'
  • Choose a module name (for your own reference in the list) and point to the /usr/lib/opensc.so file (or whatever the appropriate PKCS#11 module is in your case).

Then, when you connect to a website that requests a client certificate, the browser should offer to let you choose a certificate from the PKCS#11-enabled device.

The PKCS#11 configuration mechanism will vary from one browser to another, but it's usually a matter of setting the path of the PKCS#11 module.

As far as I know, Internet Explorer doesn't use PKCS#11 (at least not without extra support), but should rely on MS CryptoAPI and InfoCards instead.

On the server side, you will need to configure the requirement for client-certificate authentication. Nothing specific to PKCS#11 there.

Following your edit, you should read about Certification Authorities (CAs) and Public Key Infrastructures (PKIs). You could deploy your own internal PKI, but it sounds like your requirements are to integrate with an existing PKI. This is mainly an administrative problem, so check with those making this requirement to see which CA they want to rely on (probably theirs).

When using client-certificate authentication, the client will present its certificate (which contains the user's public key and other attributes, including an identifier: the Subject Distinguished Name) and the SSL/TLS handshake will ensure that the client has the private key for this public key certificate. Then, the server verifies this certificate against the CAs it trusts (that's also an SSL setting on the server side).

Once you've configured which CAs you want to trust, the mapping is usually done from the certificate's Subject DN to an internal user name, if needed. There is no hard rule for this, since it depends on your internal user naming scheme. This being said, it's often sensible to use the full Subject DN as the user name.
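As an added example (not code from the question or the answer above), here is the server-side mapping step the answer describes, written for an application fronted by Apache mod_ssl. It assumes the TLS layer is configured with `SSLVerifyClient require`, `SSLCACertificateFile` pointing at the card provider's CA chain and `SSLOptions +StdEnvVars`, so that the application receives the standard mod_ssl variables SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_I_DN; the CA name, the cardholder DN and the user table are constructed sample data. It goes slightly beyond the answer in two ways: it accepts both the legacy OpenSSL "oneline" DN format and the RFC 2253 format (the mod_ssl default since 2.3.11, and what recent nginx versions put in $ssl_client_s_dn), and it keys the lookup on the issuer as well as the full Subject DN, so a second CA in the trusted bundle cannot mint a certificate that maps to an existing user.

```python
"""Map a verified TLS client certificate to an internal user name.

Added example; not from the question or answer above. The front end
(Apache mod_ssl with SSLVerifyClient require, SSLCACertificateFile and
SSLOptions +StdEnvVars) has already run the handshake and chain check and
exports the result in SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_I_DN.
All DNs and the user table below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

DN = Tuple[Tuple[str, str], ...]   # ((ATTR, value), ...) ordered root-first


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, honouring backslash escapes (e.g. "\\," inside a value)."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> DN:
    """Canonicalise a DN string so the two common serialisations compare equal.

    Legacy OpenSSL "oneline" form:  /C=SE/O=Example/CN=Anna   (root first)
    RFC 2253 form:                  CN=Anna,O=Example,C=SE   (leaf first)
    Attribute types are upper-cased and values whitespace-trimmed.
    Multi-valued RDNs joined with "+" and unescaped "/" inside legacy
    values are not handled (assumptions for this example).
    """
    dn = dn.strip()
    if dn.startswith("/"):
        rdns = [p for p in _split_unescaped(dn[1:], "/") if p]
    else:
        rdns = [p for p in _split_unescaped(dn, ",") if p]
        rdns.reverse()                       # RFC 2253 lists the leaf RDN first
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().upper(), value.strip()))
    return tuple(out)


# Constructed sample PKI: the card provider's client-certificate CA and the
# users enrolled against it, keyed on (issuer DN, full subject DN). The full
# DN rather than CN alone keeps two cardholders with the same name apart;
# the issuer keeps a different CA from asserting the same subject.
CLIENT_CA: DN = parse_dn("/C=SE/O=Example Card Provider AB/CN=Example Client CA")
TRUSTED_ISSUERS = {CLIENT_CA}
USERS: Dict[Tuple[DN, DN], str] = {
    (CLIENT_CA, parse_dn("/C=SE/O=Example Customer AB/CN=Anna Andersson"
                         "/serialNumber=198001011234")): "anna.andersson",
}


def authenticate(environ: Dict[str, str]) -> Optional[str]:
    """Return the internal user for the request's client certificate, or None."""
    # 1. mod_ssl sets SUCCESS only if a certificate was presented and its
    #    chain verified against SSLCACertificateFile; NONE means no cert,
    #    FAILED:<reason> means an untrusted or expired one.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    subject, issuer = environ.get("SSL_CLIENT_S_DN"), environ.get("SSL_CLIENT_I_DN")
    if not subject or not issuer:
        return None
    try:
        issuer_dn, subject_dn = parse_dn(issuer), parse_dn(subject)
    except ValueError:
        return None
    # 2. The CA bundle may hold several CAs; only the card provider's client
    #    CA is allowed to assert identities for this application.
    if issuer_dn not in TRUSTED_ISSUERS:
        return None
    # 3. Look the enrolled user up by issuer plus full Subject DN.
    return USERS.get((issuer_dn, subject_dn))


if __name__ == "__main__":
    demo = {"SSL_CLIENT_VERIFY": "SUCCESS",
            "SSL_CLIENT_I_DN": "CN=Example Client CA,O=Example Card Provider AB,C=SE",
            "SSL_CLIENT_S_DN": "serialNumber=198001011234,CN=Anna Andersson,"
                               "O=Example Customer AB,C=SE"}
    print(authenticate(demo))   # anna.andersson
```

The application never sees the private key and never touches PKCS#11, which is exactly the point the answer makes: the smartcard only has to prove possession of the key during the TLS handshake, and everything after that is a lookup on the identity the CA put in the certificate.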
