如何从Java中的usb令牌获取KeyStore

Question

我有一个SafeNet 5100 eToken，其中有一个有效的证书，用于从我的公司访问需要它（多因素验证）的Web应用程序。

我正在创建一个桌面应用程序来访问此网站。我已经能够将网站的证书添加到TrustStore，并将我的证书写入KeyStore。

到目前为止，我已经得到了什么是：

System.setProperty("javax.net.ssl.trustStore", "U:\\Certificados\\efau.truestore"); 
System.setProperty("javax.net.ssl.trustStoreType", "jks"); 
System.setProperty("javax.net.ssl.trustStorePassword", "oiadad"); 

KeyManagerFactory kFac; 
SSLContext sslContext; 
SSLSocketFactory sockFactory = null; 
KeyStore ks; 

try { 
    // load keystore present in windows and print aliases found (only one, so nextElement always prints same information (name of certificate inside usb token I want to open)) 
    ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI"); 
    ks.load(null, null); 
    System.out.println(ks.aliases().nextElement()); 
    System.out.println(ks.aliases().nextElement()); 

    // try to load my certificate specifically from all certificates and passes necessary token password to it 
    InputStream in = IOUtils.toInputStream(ks.aliases().nextElement(), "UTF-8"); 
    System.out.println(in); 
    ks.load(in, password); 

    // print certificate to check if I have it 
    System.out.println(ks.getCertificate(ks.aliases().nextElement())); 

    // get ssl context and key manager factory 
    sslContext = SSLContext.getInstance("SSL", "SunJSSE"); 
    kFac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
    kFac.init(ks,null); 

    sslContext.init(kFac.getKeyManagers(), null, null); 
    sockFactory = sslContext.getSocketFactory(); 

    // start connection with website 
    HttpsURLConnection conn = (HttpsURLConnection)new URL(<my-https-url>).openConnection(); 
    conn.setRequestMethod("GET"); 
    conn.setDoInput(true); 
    conn.setSSLSocketFactory(sockFactory); 

    int responseCode = conn.getResponseCode(); 
    System.out.println("RESPONSE: " + responseCode); 

} catch (KeyStoreException e) { 
    e.printStackTrace(); 
} catch (NoSuchAlgorithmException e) { 
    e.printStackTrace(); 
} catch (CertificateException e) { 
    e.printStackTrace(); 
} catch (IOException e) { 
    e.printStackTrace(); 
} catch (NoSuchProviderException e) { 
    e.printStackTrace(); 
} catch (UnrecoverableKeyException e1) { 
    e1.printStackTrace(); 
} catch (KeyManagementException e1) { 
    e1.printStackTrace(); 
} 

当我运行这段代码，我得到：

javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error 
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) 
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) 
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) 
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) 
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) 
    at java.net.HttpURLConnection.getResponseCode(Unknown Source) 
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source) 
    at receita.system.monitoring.Ping.main(Ping.java:313) 

当我键入令牌正确的密码，我得到这个错误，当我输入一个错误的密码时，所以我认为我从来没有以正确的方式传递密码。

为什么我会收到异常？

--------- ---------更新

我创建了以下信息指着我PKCS11.dll库中的配置文件：

name = Aladdin 
library = C:/WINDOWS/system32/eTPKCS11.dll 

，并在主功能我补充：

SunPKCS11 newProvider = new SunPKCS11("u:/Certificados/etpkcs11.cfg"); 
Provider a = newProvider; 
Security.addProvider(a); 

KeyStore ks; 
try { 
    ks = KeyStore.getInstance("PKCS11"); 
    ... 
} 

而现在我得到这个作为一个错误：

java.security.KeyStoreException: PKCS11 not found 
    at java.security.KeyStore.getInstance(Unknown Source) 
    at receita.system.monitoring.Ping.main(Ping.java:292) 
Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available 
    at sun.security.jca.GetInstance.getInstance(Unknown Source) 
    at java.security.Security.getImpl(Unknown Source) 
    ... 2 more 

我还试图修改Keystore.getInstance到：

ks = KeyStore.getInstance("PKCS11", a); 

，然后我得到这个不同的错误：

java.security.KeyStoreException: PKCS11 not found 
    at java.security.KeyStore.getInstance(Unknown Source) 
    at receita.system.monitoring.Ping.main(Ping.java:292) 
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-Aladdin 
    at sun.security.jca.GetInstance.getService(Unknown Source) 
    at sun.security.jca.GetInstance.getInstance(Unknown Source) 
    at java.security.Security.getImpl(Unknown Source) 
    ... 2 more 

---------更新2（工作代码） ---------

我最后的工作代码为：

System.setProperty("javax.net.ssl.trustStore", "U:\\Certificados\\efau.truestore"); 
System.setProperty("javax.net.ssl.trustStoreType", "jks"); 
System.setProperty("javax.net.ssl.trustStorePassword", "oiadad"); 

KeyManagerFactory kFac; 
SSLContext sslContext; 
SSLSocketFactory sockFactory = null; 

SunPKCS11 providerMSCAPI = new SunPKCS11("u:/Certificados/etpkcs11.cfg"); 
Provider a = providerMSCAPI; 
Security.addProvider(a); 

KeyStore ks; 
try { 
    ks = KeyStore.getInstance("PKCS11"); 

    ks.load(null, password); 

    InputStream in = IOUtils.toInputStream(ks.aliases().nextElement(), "UTF-8"); 
    ks.load(in, password); 


    sslContext = SSLContext.getInstance("SSL", "SunJSSE"); 
    kFac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
    kFac.init(ks,null); 

    sslContext.init(kFac.getKeyManagers(), null, null); 
    sockFactory = sslContext.getSocketFactory(); 

    HttpsURLConnection conn = (HttpsURLConnection)new URL(/*<my-url>*/).openConnection(); 
    conn.setRequestMethod("GET"); 
    conn.setDoInput(true); 
    conn.setSSLSocketFactory(sockFactory); 

    int responseCode = conn.getResponseCode(); 

    InputStream inputstream = conn.getInputStream(); 
    InputStreamReader inputstreamreader = new InputStreamReader(inputstream); 
    BufferedReader bufferedreader = new BufferedReader(inputstreamreader); 

    String line = null; 
    String htmlResponse = ""; 

    while ((line = bufferedreader.readLine()) != null) { 
     htmlResponse += line + "\n"; 
    } 

} catch (KeyStoreException e) { 
    e.printStackTrace(); 
} catch (NoSuchAlgorithmException e) { 
    e.printStackTrace(); 
} catch (CertificateException e) { 
    e.printStackTrace(); 
} catch (IOException e) { 
    e.printStackTrace(); 
} catch (NoSuchProviderException e) { 
    e.printStackTrace(); 
} catch (UnrecoverableKeyException e1) { 
    e1.printStackTrace(); 
} catch (KeyManagementException e1) { 
    e1.printStackTrace(); 
} 

我不得不或设置运行配置的调试参数：

-Djava.security.debug=sunpkcs11 

或设置.cfg文件插槽：

name=SafeNet 
library=C:\Windows\System32\eTPKCS11.dll 
slot=4 

Answer 1

的SunMSCAPI实现是不完美的（例如，如果您拥有具有相同“友好名称”的证书，有些将无法访问，因为它也是用于密钥库别名的唯一密钥）。我不确定它如何与硬件令牌一起工作。

由于your token seems to support PKCS#11，您不妨利用Oracle JRE对PKCS11 keystores的直接支持。基本上，您的令牌驱动程序应该带有一个实现PKCS＃11接口的DLL，并且您需要将Java指向它（如PKCS＃11指南中所述）。欲了解更多灵活性，它可能是动态的安装提供更方便（请参阅开头的段落“要动态安装的供应商，[...]”。

---

按照你的意见，也许你如果添加"slot=...\n"的配置字符串和使用可以使用试错（通过捕获这些异常），以找到合适的插槽，而是使用的配置文件，你可以从一个字符串加载配置。

String password = "xxxxxxxxx"; 
String storeType = "PKCS11"; 

String configuration = "name = OpenSC\n" 
     + "library = /usr/lib/opensc-pkcs11.so\n"; 
Provider provider = new sun.security.pkcs11.SunPKCS11(
     new ByteArrayInputStream(configuration.getBytes("UTF-8"))); 

Security.addProvider(provider); 

KeyStore keyStore = KeyStore.getInstance(storeType, provider); 
keyStore.load(null, password.toCharArray()); 

一个循环来尝试各种值，直到它停止抛出异常这可能会起作用。您可能需要删除失败的安全提供程序，或更改名称。 （我并不是建议这是一个干净的方法）

顺便说一句，如果你不想硬编码你的密码（当然！）或从某个配置文件加载它，你可以使用回调处理程序是这样的：

KeyStore keyStore = KeyStore.getInstance(storeType, provider); 
LoadStoreParameter param = new LoadStoreParameter() { 
    @Override 
    public ProtectionParameter getProtectionParameter() { 
     return new KeyStore.CallbackHandlerProtection(... put your callback handler here...); 
    } 
}; 
keyStore.load(param); 

你的回调处理程序可能是“new com.sun.security.auth.callback.DialogCallbackHandler()”。我通常不会建议使用com.sun.*或sun.*软件包中的任何软件包，因为它们不属于公共Java API的一部分，但您在此处使用的是sun.security.pkcs11.SunPKCS11，因此无论如何您的代码都将与此JRE系列绑定。

Answer 2

尝试下面的代码，用java

类测试{ 公共静态无效的主要（字符串ARGS []）抛出IOException异常，GeneralSecurityException，DocumentException，CertificateVerificationException { //创建的实例，以获得从USB令牌密钥库SunPKCS11提供商

  String pkcs11Config = "name=eToken\nlibrary=C:\\Windows\\System32\\eps2003csp11.dll"; 
      java.io.ByteArrayInputStream pkcs11ConfigStream = new java.io.ByteArrayInputStream(pkcs11Config.getBytes()); 
      sun.security.pkcs11.SunPKCS11 providerPKCS11 = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigStream); 
      java.security.Security.addProvider(providerPKCS11); 

      // Get provider KeyStore and login with PIN 
      String pin = "12345678"; 
      java.security.KeyStore keyStore = java.security.KeyStore.getInstance("PKCS11", providerPKCS11); 
      keyStore.load(null, pin.toCharArray()); 

     // Enumerate items (certificates and private keys) in th KeyStore 
      java.util.Enumeration<String> aliases = keyStore.aliases(); 
      String alias = null; 
      while (aliases.hasMoreElements()) { 
       alias = aliases.nextElement(); 
       System.out.println(alias); 
      } 
     } 
}