Java SSL 客户端未选择智能卡密钥

Question

我正尝试在 java 程序中使用爱沙尼亚身份证进行 SSL 客户端身份验证。这适用于 Chrome/Firefox 针对银行站点和测试服务器（nginx 或 openssl s_server）。

然而，我的 Java 客户端 (okhttp) 对于本地密钥库工作正常，但在尝试使用 ID 卡时失败。我把它归结为这个测试用例，它重现了我在调试器和日志记录中看到的问题 (-Djavax.net.debug=ssl:handshake).

我可以与卡通信，例如我可以打印出同一个密钥的证书。我在 Mac OSX.

上搭载 DigiDoc3 Client

我可以看到似乎导致密钥被忽略的异常

sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
    at sun.security.pkcs11.P11Key.getAttributes(P11Key.java:275)
    at sun.security.pkcs11.P11Key.privateKey(P11Key.java:330)
    at sun.security.pkcs11.P11KeyStore.loadPkey(P11KeyStore.java:1311)
    at sun.security.pkcs11.P11KeyStore.engineGetEntry(P11KeyStore.java:943)
    at java.security.KeyStore.getEntry(KeyStore.java:1521)
    at sun.security.ssl.X509KeyManagerImpl.getEntry(X509KeyManagerImpl.java:276)
    at sun.security.ssl.X509KeyManagerImpl.getCertificateChain(X509KeyManagerImpl.java:107)
    at com.baulsupp.oksocial.TestMain.main(TestMain.java:37)

测试程序输出

1.0.Authentication
ssl: KeyMgr: choosing key: Authentication (verified: OK)
null
null

测试代码

package com.baulsupp.oksocial;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

public class TestMain {
  public static void main(String[] args)
      throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException,
      KeyStoreException, IOException {
    System.setProperty("javax.net.debug", "all");

    char[] password =
        System.getenv().get("PW").toCharArray();//System.console().readPassword("PW: ");

    X509ExtendedKeyManager km = (X509ExtendedKeyManager) getKeyManagers(password, 0)[0];

    String alias = km.chooseClientAlias(new String[] {"RSA"}, null, null);

    System.out.println(alias);

    X509Certificate[] chain = km.getCertificateChain(alias);
    System.out.println(chain);

    PrivateKey key = km.getPrivateKey(alias);
    System.out.println(key);
  }

  public static KeyManager[] getKeyManagers(char[] password, int slot)
      throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException,
      UnrecoverableKeyException {
    //Security.removeProvider("IAIK");

    //Provider provider = new org.bouncycastle.jce.provider.BouncyCastleProvider();
    //Security.addProvider(provider);

    String config =
        "name=OpenSC\nlibrary=/Applications/qdigidocclient.app/Contents/MacOS/esteid-pkcs11.so\nslotListIndex="
            + slot;

    sun.security.pkcs11.SunPKCS11 pkcs11 =
        new sun.security.pkcs11.SunPKCS11(new ByteArrayInputStream(config.getBytes()));

    Security.addProvider(pkcs11);

    //debugProviders();

    KeyStore keystore = KeyStore.getInstance("PKCS11", pkcs11);

    keystore.load(null, password);

    //debugKeys(keystore);

    KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
    kmf.init(keystore, null);

    return kmf.getKeyManagers();
  }

  public static void debugKeys(KeyStore keystore) throws KeyStoreException {
    Enumeration<String> aliases = keystore.aliases();

    while (aliases.hasMoreElements()) {
      String s = aliases.nextElement();

      Certificate k = keystore.getCertificate(s);

      System.out.println(k);
    }
  }

  public static void debugProviders() {
    Provider[] providers = Security.getProviders();
    for (Provider p : providers) {
      System.out.println("\n\n" + p.getName());
      Set<Provider.Service> services = p.getServices();

      for (Provider.Service s : services) {
        System.out.println(s.getType() + " " + s.getAlgorithm());
      }
    }
  }
}

同时我也提出了支持请求。

Answer 1

据我所知，仅当您在 PKCS#11 模块中创建对象时，属性才有意义，而智能卡则不是这种情况。尝试使用 OpenSC 的 pkcs11-spy 查看模块要求但未实现的属性类型。

另一种选择是使用底层 PKCS#11 方法 (C_*)，它可以更好地控制 PKCS#11 细节。

Answer 2

完全基于 Martin 的回答，从源代码构建 https://github.com/OpenSC/OpenSC 并安装 OpenSC-0.15。0.dmg 提供了一个首次运行的替代驱动程序。我没有使用 pkcs11-spy，因为它只是第一次工作。

String config =
    "name=OpenSC\n" +
        "library=/Library/OpenSC/lib/opensc-pkcs11.so\n";

我能够针对 openssl 进行测试

$ openssl s_server -verify 20 -key key.pem -cert cert.pem -accept 44330   -no_ssl3 -dhparam dhparam.pem -www 

回复了

---
Client certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxxxxxx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=EE, O=AS Sertifitseerimiskeskus, CN=ESTEID-SK 2011/emailAddress=pki@sk.ee
        Validity
            Not Before: Jul 15 09:51:27 20xx GMT
            Not After : Jul 13 20:59:59 20xx GMT
        Subject: C=EE, O=ESTEID, OU=authentication, CN=SCHIMKE,YURI,xxxxxxxx, SN=SCHIMKE, GN=YURI/serialNumber=xxxxxxxx

Answer 3

Yubikey 的类似示例 https://github.com/square/okhttp/blob/97a41eb5c2c97f29fa7152e43ae3a480dc53e0fd/samples/guide/src/main/java/okhttp3/recipes/kt/YubikeyClientAuth.kt

    val config = "--name=OpenSC\nlibrary=/Library/OpenSC/lib/opensc-pkcs11.so\nslot=$slot\n"

    // May fail with ProviderException with root cause like
    // sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID
    val pkcs11 = Security.getProvider("SunPKCS11").configure(config)
    Security.addProvider(pkcs11)

    val callbackHandler = ConsoleCallbackHandler

    val builderList: List<KeyStore.Builder> = Arrays.asList(
        KeyStore.Builder.newInstance("PKCS11", null, KeyStore.CallbackHandlerProtection(callbackHandler))

        // Example if you want to combine multiple keystore types
        // KeyStore.Builder.newInstance("PKCS12", null, File("keystore.p12"), PasswordProtection("rosebud".toCharArray()))
    )

    val keyManagerFactory = KeyManagerFactory.getInstance("NewSunX509")
    keyManagerFactory.init(KeyStoreBuilderParameters(builderList))
    val keyManager = keyManagerFactory.keyManagers[0] as X509ExtendedKeyManager