How to connect to HTTPS server using Common Access Card


Question

I need to write a java program to connect to a HTTPS server (DoD website). The website requires CAC (DoD common access card) authentication. If you access this site via browser, you insert your CAC first, and then enter a PIN.

I need to accomplish the authentication process programmatically in java (kind of acting like a browser). How do I retrieve the information from the CAC? I have been Googling around and read the Java PKCS#11 Reference Guide. Seems like Sun PKCS#11 Provider can do it, but you need the native PKCS#11 token implementation.

Am I right? Has anybody done this before? Any suggestion or comment will be greatly appreciated.

Accepted answer

First, you need to install PKCS #11 support. This is some native code that probably came with your card reader that provides a .dll (or .so) that provides a PKCS #11 interface. Other software on the system, like Mozilla products and Sun's PKCS #11 provider, uses this library. (Microsoft products often use a different interface, "CAPI".)

Then, following the directions in the PKCS #11 Reference Guide, set up a SunPKCS11 provider. The only properties that I had to supply in my setup are the location of the native "library" that was installed, and the "name" suffix for this provider. The "name" property is appended to "SunPKCS11-", so if you specify "CAC" for the name, you can look up the Provider later with Security.getProvider("SunPKCS11-CAC").

Then, you can use the standard JSSE system properties javax.net.ssl.keyStore (with a value of "NONE") and javax.net.ssl.keyStoreType (with a value of "PKCS11") to give the JSSE access to the key material on the CAC. You don't need to set the password property, because the native code should prompt the user for their PIN when needed.

The caveat is that only the user's "end entity" certificate is available from the CAC. To build a trusted chain, most servers expect the client to send any intermediate certificates. Working around this is possible, but complicated, as it involves implementing your own javax.net.ssl.X509KeyManager. If the server you are working with requires a complete chain, please post a follow-up question.
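As an added example (not code from the original answer), the Java program below wires the steps above together: it registers a SunPKCS11 provider named "SunPKCS11-CAC", points JSSE at the card through the two system properties, opens an HTTPS connection, and then reports which client certificates were actually sent, so you can see whether client authentication happened and whether only the end-entity certificate went over the wire. It assumes Java 9 or later (Provider.configure); the library path and URL are placeholders.

```java
import java.net.URI;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

public class CacHttpsClient {

    // Placeholder: point this at the PKCS #11 .so/.dll installed by your card middleware.
    static final String PKCS11_LIBRARY = "/path/to/pkcs11-middleware.so";

    /** Registers a provider reachable as Security.getProvider("SunPKCS11-CAC"). */
    static Provider installCacProvider() {
        // A leading "--" tells SunPKCS11 that the argument is the config text, not a file path.
        String config = "--name = CAC\nlibrary = " + PKCS11_LIBRARY + "\n";
        Provider cac = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(cac);
        return Security.getProvider("SunPKCS11-CAC");
    }

    /** Makes JSSE's default key manager read the card, as the answer describes. */
    static void useCardAsKeyStore() {
        System.setProperty("javax.net.ssl.keyStore", "NONE");
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS11");
        // Deliberately no javax.net.ssl.keyStorePassword: the middleware prompts for the PIN.
    }

    /** Connects and returns the client certificates presented (null if none were sent). */
    static Certificate[] connect(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.connect();
        System.out.println("HTTP " + conn.getResponseCode() + " from " + url);
        Certificate[] sent = conn.getLocalCertificates();
        if (sent == null) {
            System.out.println("No client certificate sent: check the provider, the card, or whether the server asked for one.");
        } else {
            for (Certificate c : sent) {
                System.out.println("Sent: " + ((X509Certificate) c).getSubjectX500Principal());
            }
            if (sent.length == 1) {
                System.out.println("Only the end-entity certificate was sent; a server that needs intermediates requires a custom X509KeyManager.");
            }
        }
        conn.disconnect();
        return sent;
    }

    public static void main(String[] args) throws Exception {
        if (installCacProvider() == null) throw new IllegalStateException("SunPKCS11-CAC not registered");
        useCardAsKeyStore();   // must happen before the first HTTPS connection initialises JSSE
        connect(args.length > 0 ? args[0] : "https://example.invalid/");   // placeholder URL
    }
}
```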
