Getting certificates from PKCS11 Smartcard without PIN/password


Problem description

Abstract: when using JCA over PKCS11 over OpenSC, the PIN is requested when extracting certificates.

I have got an application that needs to sign using a smartcard. The smartcard is supported by OpenSC, so I am using the Java-built-in pkcs11 wrapper provider to use it. For functional reasons, I need to obtain the certificates in the card without a PIN requested. If the user finally signs, then, of course, the PIN is needed.

I see I can do it from command line without providing a PIN:

pkcs11-tool --module C:\WINDOWS\system32\opensc-pkcs11.dll -r -a 50-MDS_Signature -y cert -o p.cer
Using slot 1 with a present token (0x1)

So far, so good.

The documentation from Oracle clearly says "The builder will prompt for a password as needed using the previously configured callback handler" (http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#Login). However, my code always requests the PIN as soon as I call KeyStore ks0 = ksbuilder0.getKeyStore(); even while only extracting public info (such as certificates).

Code excerpt follows:

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import sun.security.pkcs11.SunPKCS11;

private static final String PKCS11_LIB = "C:\\WINDOWS\\system32\\opensc-pkcs11.dll";
private static final String NAME = "OpenSCpkcs11";
private static final String SLOT = "1";
private static final String PIN = "11111111";
private static final String ALIAS = "myCert";

[...]

// Answers every PasswordCallback with the hard-coded PIN, so any prompt
// issued by the provider or the KeyStore.Builder is satisfied silently.
private static CallbackHandler myCallbackHandler = new CallbackHandler() {
    @Override
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof PasswordCallback) {
                PasswordCallback passwordCallback = (PasswordCallback) callback;
                System.out.println(passwordCallback.getPrompt() + PIN);
                passwordCallback.setPassword(PIN.toCharArray());
            }
        }
    }
};

[...]

// SunPKCS11 configuration, built in memory instead of read from a file.
String configString = "name = "
  + NAME.replace(' ', '_')
  + "\n"
  + "library = "
  + PKCS11_LIB
  + "\n slot = "
  + SLOT
  + " "
  + "\n attributes = compatibility \n"
  + "attributes(*,*,*)=\n{\nCKA_TOKEN=true\nCKA_LOCAL=true\n}";
ByteArrayInputStream configStream = new ByteArrayInputStream(
    configString.getBytes());
SunPKCS11 pkcs11Provider0 = new SunPKCS11(configStream);
pkcs11Provider0.login(null, myCallbackHandler);
Security.addProvider(pkcs11Provider0);
// The builder is given the same handler, so it can prompt "as needed".
KeyStore.CallbackHandlerProtection chp = new KeyStore.CallbackHandlerProtection(
    myCallbackHandler);
KeyStore.Builder ksbuilder0 = KeyStore.Builder.newInstance(
    "PKCS11", pkcs11Provider0, chp);
// The PIN prompt fires on this call, before any certificate is read.
KeyStore ks0 = ksbuilder0.getKeyStore();
X509Certificate cert0 = (X509Certificate) ks0.getCertificate(ALIAS);
// System.out.println("Cert " + cert0.toString());
System.out.println("I am: " + cert0.getSubjectDN().getName());

The output is as follows:

Contraseña de la tarjeta de claves PKCS11 [SunPKCS11-OpenSCpkcs11]: 11111111
2014-01-16 17:48:11.275 cannot lock memory, sensitive data may be paged to disk
I am: CN=pepe perez, SURNAME=pepe, L=qwerty

As you can see, the password is requested before the certificate is obtained. By means of debugging I can see that the password is requested in the line KeyStore ks0 = ksbuilder0.getKeyStore();

Any idea? Is there no way to configure it as I want? Any further idea or test?

Furthermore: do you know of any other way to access smartcards, for example directly through a JAVA2OpenSC wrapper or the like?

Thanks,

Recommended answer

Finally, there was no solution using JCA. The final solution was to directly attack the PKCS11 driver. I have used jacknji11 (https://github.com/joelhockey/jacknji11) and the PKCS11 spec (http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-11-cryptographic-token-interface-standard.htm).
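What the answer's approach looks like in practice, as an added example (not the asker's code and not a sample shipped with jacknji11): a session is opened on the token, CKO_CERTIFICATE objects are enumerated and their CKA_VALUE read, and the DER bytes are parsed with the JDK's CertificateFactory. No C_Login is issued, because certificate objects on a token are normally public objects (CKA_PRIVATE = false), which is also why the pkcs11-tool command above works without a PIN. The private-key search at the end shows the other side: private objects stay hidden until the user logs in, so the PIN can be deferred to the moment of signing. The jacknji11 names used here (CE, CKA, CKO, CK_SESSION_INFO) and the JACKNJI11_PKCS11_LIB_PATH setting for the driver location are written from memory of that library's API and should be checked against its README; slot 1 follows the question.

```java
import org.pkcs11.jacknji11.CE;
import org.pkcs11.jacknji11.CKA;
import org.pkcs11.jacknji11.CKO;
import org.pkcs11.jacknji11.CK_SESSION_INFO;

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class CertsWithoutPin {

    /**
     * Find every CKO_CERTIFICATE object visible in the session and parse it
     * as X.509. Certificates are public objects, so this works before C_Login.
     */
    public static List<X509Certificate> readPublicCertificates(long session) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        // FindObjects with a CKA_CLASS template: no login has happened yet.
        for (long obj : CE.FindObjects(session, new CKA(CKA.CLASS, CKO.CERTIFICATE))) {
            byte[] der = CE.GetAttributeValue(session, obj, CKA.VALUE).getValue();
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        // Slot is an assumed command-line input (default 1, as in the question);
        // jacknji11 finds the OpenSC driver via JACKNJI11_PKCS11_LIB_PATH (assumed).
        long slot = args.length > 0 ? Long.parseLong(args[0]) : 1L;
        CE.Initialize();
        long session = CE.OpenSession(slot, CK_SESSION_INFO.CKF_SERIAL_SESSION, null, null);
        try {
            for (X509Certificate c : readPublicCertificates(session)) {
                System.out.println("I am: " + c.getSubjectX500Principal().getName());
            }
            // Private keys are private objects (CKA_PRIVATE = true on OpenSC
            // tokens): they are not returned until C_Login has been performed,
            // which is the step to run, with the PIN, only when signing.
            long[] keysBeforeLogin = CE.FindObjects(session, new CKA(CKA.CLASS, CKO.PRIVATE_KEY));
            System.out.println("Private keys visible before login: " + keysBeforeLogin.length);
        } finally {
            CE.CloseSession(session);
            CE.Finalize();
        }
    }
}
```

Run it with the OpenSC module path exported in the environment jacknji11 expects; the certificate subjects print without any PIN prompt, and the private-key count before login is expected to be 0 on a token whose keys are marked private.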
