4

编辑:此页面从头到尾涵盖了 eToken。我希望我在发布之前找到了这个(我发现不需要 udev 的部分)
直接:https
: //r3blog.nl/index.php/etoken-pro-72k/ Wayback Machine:https ://web.archive.org /web/20140427063731/https://r3blog.nl/index.php/etoken-pro-72k/

原始问题:
我最近使用 pkcs11-tool 初始化了一个 Safenet (Aladdin) eToken 并为其生成了一个密钥对。使用 pkcs11-tool 时我可以看到密钥对,但 Java 拒绝通过 keytool 或使用 KeyStore API 看到它。

$pkcs11 --module /lib64/libeToken.so.8 --login -O
Using slot 0 with a present token (0x0)
Logging in to "one".
Please enter User PIN:
Private Key Object; RSA
  label:      onekey
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      onekey
  Usage:      encrypt, verify, wrap

但是,使用 KeyTool:

$ cat ../../../config
description = PKCS11TestProvider - libeToken 8
name = PKCS11TestProvider
library = /lib64/libeToken.so.8
$
$ keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ../../../config -list
Enter keystore password:

Keystore type: PKCS11
Keystore provider: SunPKCS11-PKCS11TestProvider

Your keystore contains 0 entries

运行简短的 java 程序时的类似结果

$ java -cp . com.test.pkcs11tester
PKCS11 Token [SunPKCS11-PKCS11TestProvider] Password:
$
$
$cat com/test/pkcs11tester.java
package com.test;

import com.sun.security.auth.callback.TextCallbackHandler;
import sun.security.pkcs11.SunPKCS11;

import java.security.KeyStore;
import java.security.Security;
import java.util.Arrays;
import java.util.Enumeration;

public class pkcs11tester {


  public static void main(String[] args) throws Exception {
    SunPKCS11 provider = new SunPKCS11ProviderFactory()
        .withDescription("PKCS11TestProvider - libeToken 8")
        .withName("PKCS11TestProvider")
        .withLibrary("/lib64/libeToken.so.8").build();
    Security.addProvider(provider);
    KeyStore.CallbackHandlerProtection pinHandler = new KeyStore.CallbackHandlerProtection(new TextCallbackHandler());
    KeyStore keyStore = KeyStore.Builder.newInstance("PKCS11",provider,pinHandler).getKeyStore();
    Enumeration<String> keyAliases = keyStore.aliases();


    while(keyAliases.hasMoreElements()){
      String alias = keyAliases.nextElement();
      System.out.println(keyStore.getEntry(alias, pinHandler));
    }

  }
}

编辑:我根据eToken java keytool certificate安装了 Safenet Authentication Client 8 (SAC) 。这就是 libeToken.so.8 的来源。


结合 Jariq 的回答。

我删除了密钥对并生成了一个与 ID 相关联的新集合。然后我安装libengine-pkcs11-openssl以获取 OpenSSL 的 PKCS11 引擎并按照配置/usr/share/doc/libengine-pkcs11-openssl/html/wiki/QuickStart.html更改 openssl.conf 以包含所需的引擎配置。

令牌现在看起来像:

$ pkcs11 -O
Using slot 0 with a present token (0x0)
Logging in to "one".
Please enter User PIN:
Private Key Object; RSA
  label:      onekey
  ID:         01
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      onekey
  ID:         01
  Usage:      encrypt, verify, wrap
Certificate Object, type = X.509 cert
  label:      onekey
  ID:         01

使用密钥工具:

$ keytool -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ../../../config -list
Enter keystore password:

Keystore type: PKCS11
Keystore provider: SunPKCS11-PKCS11TestProvider

Your keystore contains 1 entry

onekey, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0C:C8:3A:75:A0:6E:81:5A:02:A6:66:D3:A5:6C:00:99:9E:42:43:6F

使用 PKCS11 Java API:

$ java -cp . com.test.pkcs11tester
PKCS11 Token [SunPKCS11-PKCS11TestProvider] Password:
Private key entry and certificate chain with 1 elements:
[
[
  Version: V3
  Subject: CN=onesubject, O=Xxxx, ST=Xxxx, C=XX
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 26467622671895747481285413975858433115065665951434681243689781936333527077589805685892716465819686680860527529496518157567899175649301749737471071408469304030637573833391644617231073872248736072965457767707383869848723754396731752444718339694909306900106909176774550510520886393209261362045036756359368697310430517069617032600529596434583578525109794104732402757033686193461186802710090516889219602199917424253492694843488263111936554190197705320777470234748624936043043343926632866860126842173018340103570303871731056989311270666387633092607719192995343286538611357386974098721988288022991330371700733023697501180691
  public exponent: 65537
  Validity: [From: Sun Apr 27 06:13:13 UTC 2014,
               To: Tue May 27 06:13:13 UTC 2014]
  Issuer: CN=onesubject, O=Xxxx, ST=Xxxx, C=XX
  SerialNumber: [    a0876773 4f936f42]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 36 CD 58 98 17 71 E3 B6   49 D9 0D 72 E9 51 79 B9  6.X..q..I..r.Qy.
0010: E4 12 FA AD 6D 5D 4B 91   1E DE D4 B3 24 F0 E9 03  ....m]K.....$...
0020: 58 FE EE AE 32 5F A7 25   4A A2 7F A6 13 C8 D0 97  X...2_.%J.......
0030: 97 C9 4B B0 E2 4C 83 8D   DD 6B B0 D6 15 3E 64 E8  ..K..L...k...>d.
0040: B6 FB EC 8B 70 27 9A E8   E7 A6 60 7F 33 92 11 42  ....p'....`.3..B
0050: 30 5D 8C C0 F3 01 DB F7   0D F2 B9 BD 46 7B C9 B1  0]..........F...
0060: FF BE D5 1B 94 92 64 CC   6A A2 B7 61 9F 9C 73 0D  ......d.j..a..s.
0070: 01 16 4B 98 D0 9F 3C DB   9C 58 80 22 80 53 46 6C  ..K...<..X.".SFl
0080: 6F 49 74 42 99 48 D2 BA   3C E3 98 DE D8 4C BF B9  oItB.H..<....L..
0090: 40 5E 79 26 A5 6C C7 E8   56 53 56 23 03 27 47 16  @^y&.l..VSV#.'G.
00A0: 6B B2 5D 3D 76 11 EA F1   F0 8C EE 5E BD CD 6B 3D  k.]=v......^..k=
00B0: BC 66 F9 74 59 E3 FB 4D   9F 37 50 95 15 A4 37 63  .f.tY..M.7P...7c
00C0: B0 9B 4A BE 1C CA F7 88   EE 3F 07 D4 F7 5D D0 FD  ..J......?...]..
00D0: B2 C1 20 5B C8 11 67 07   81 B9 74 8E F3 20 8D B8  .. [..g...t.. ..
00E0: 45 DC 4D 03 F3 D0 F1 53   72 5A AE EA 3B EB 27 20  E.M....SrZ..;.'
00F0: 4A C5 47 2F 42 10 91 CF   76 C2 44 CE A0 89 60 78  J.G/B...v.D...`x

]
4

1 回答 1

3

根据我的观察,SunPKCS11 提供程序仅枚举与 X.509 证书关联的密钥。因此,您至少需要生成一个自签名证书并将其导入令牌。如果您想验证我的回答是否正确,请查看“附录 B:Sun PKCS#11 提供者的密钥库要求”部分“只读访问”步骤“5”。

于 2014-04-27T05:15:22.690 回答