Java keytool/KeyStore does not show the eToken's entries


Edit: This page covers eToken end to end. I wish I had found it before posting (I found the part about udev to be unnecessary).
Direct:
Wayback Machine:

Original question:
I recently initialized a Safenet (Aladdin) eToken with pkcs11-tool and generated a key pair on it. I can see the key pair when using pkcs11-tool, but Java refuses to see it, either through keytool or through the KeyStore API:

$ pkcs11-tool --module /lib64/libeToken.so.8 --login -O
Using slot 0 with a present token (0x0)
Logging in to "one".
Please enter User PIN:
Private Key Object; RSA
  label:      onekey
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      onekey
  Usage:      encrypt, verify, wrap
However, using keytool:

$ cat ../../../config
description = PKCS11TestProvider - libeToken 8
name = PKCS11TestProvider
library = /lib64/libeToken.so.8
$
$ keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ../../../config -list
Enter keystore password:

Keystore type: PKCS11
Keystore provider: SunPKCS11-PKCS11TestProvider

Your keystore contains 0 entries
Running a short Java program gives a similar result:

$ java -cp . com.test.pkcs11tester
PKCS11 Token [SunPKCS11-PKCS11TestProvider] Password:
$
$
$ cat com/test/pkcs11tester.java
package com.test;

import com.sun.security.auth.callback.TextCallbackHandler;
import sun.security.pkcs11.SunPKCS11;

import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;

public class pkcs11tester {

  public static void main(String[] args) throws Exception {
    // SunPKCS11ProviderFactory is a helper of the poster's (not shown here) that
    // builds the provider from the same three settings as the config file above.
    SunPKCS11 provider = new SunPKCS11ProviderFactory()
        .withDescription("PKCS11TestProvider - libeToken 8")
        .withName("PKCS11TestProvider")
        .withLibrary("/lib64/libeToken.so.8").build();
    Security.addProvider(provider);
    // Prompt for the token PIN on the console when the keystore is opened.
    KeyStore.CallbackHandlerProtection pinHandler =
        new KeyStore.CallbackHandlerProtection(new TextCallbackHandler());
    KeyStore keyStore = KeyStore.Builder.newInstance("PKCS11", provider, pinHandler).getKeyStore();
    // Enumerate whatever the provider exposes as keystore entries and print each one.
    Enumeration<String> keyAliases = keyStore.aliases();
    while (keyAliases.hasMoreElements()) {
      String alias = keyAliases.nextElement();
      System.out.println(keyStore.getEntry(alias, pinHandler));
    }
  }
}
Using keytool:

$ keytool -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ../../../config -list
Enter keystore password:

Keystore type: PKCS11
Keystore provider: SunPKCS11-PKCS11TestProvider

Your keystore contains 1 entry

onekey, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0C:C8:3A:75:A0:6E:81:5A:02:A6:66:D3:A5:6C:00:99:9E:42:43:6F
Using the PKCS11 Java API:

$ java -cp . com.test.pkcs11tester
PKCS11 Token [SunPKCS11-PKCS11TestProvider] Password:
Private key entry and certificate chain with 1 elements:
[
[
  Version: V3
  Subject: CN=onesubject, O=Xxxx, ST=Xxxx, C=XX
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 26467622671895747481285413975858433115065665951434681243689781936333527077589805685892716465819686680860527529496518157567899175649301749737471071408469304030637573833391644617231073872248736072965457767707383869848723754396731752444718339694909306900106909176774550510520886393209261362045036756359368697310430517069617032600529596434583578525109794104732402757033686193461186802710090516889219602199917424253492694843488263111936554190197705320777470234748624936043043343926632866860126842173018340103570303871731056989311270666387633092607719192995343286538611357386974098721988288022991330371700733023697501180691
  public exponent: 65537
  Validity: [From: Sun Apr 27 06:13:13 UTC 2014,
               To: Tue May 27 06:13:13 UTC 2014]
  Issuer: CN=onesubject, O=Xxxx, ST=Xxxx, C=XX
  SerialNumber: [    a0876773 4f936f42]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 36 CD 58 98 17 71 E3 B6   49 D9 0D 72 E9 51 79 B9  6.X..q..I..r.Qy.
0010: E4 12 FA AD 6D 5D 4B 91   1E DE D4 B3 24 F0 E9 03  ....m]K.....$...
0020: 58 FE EE AE 32 5F A7 25   4A A2 7F A6 13 C8 D0 97  X...2_.%J.......
0030: 97 C9 4B B0 E2 4C 83 8D   DD 6B B0 D6 15 3E 64 E8  ..K..L...k...>d.
0040: B6 FB EC 8B 70 27 9A E8   E7 A6 60 7F 33 92 11 42  ....p'....`.3..B
0050: 30 5D 8C C0 F3 01 DB F7   0D F2 B9 BD 46 7B C9 B1  0]..........F...
0060: FF BE D5 1B 94 92 64 CC   6A A2 B7 61 9F 9C 73 0D  ......d.j..a..s.
0070: 01 16 4B 98 D0 9F 3C DB   9C 58 80 22 80 53 46 6C  ..K...<..X.".SFl
0080: 6F 49 74 42 99 48 D2 BA   3C E3 98 DE D8 4C BF B9  oItB.H..<....L..
0090: 40 5E 79 26 A5 6C C7 E8   56 53 56 23 03 27 47 16  @^y&.l..VSV#.'G.
00A0: 6B B2 5D 3D 76 11 EA F1   F0 8C EE 5E BD CD 6B 3D  k.]=v......^..k=
00B0: BC 66 F9 74 59 E3 FB 4D   9F 37 50 95 15 A4 37 63  .f.tY..M.7P...7c
00C0: B0 9B 4A BE 1C CA F7 88   EE 3F 07 D4 F7 5D D0 FD  ..J......?...]..
00D0: B2 C1 20 5B C8 11 67 07   81 B9 74 8E F3 20 8D B8  .. [..g...t.. ..
00E0: 45 DC 4D 03 F3 D0 F1 53   72 5A AE EA 3B EB 27 20  E.M....SrZ..;.'
00F0: 4A C5 47 2F 42 10 91 CF   76 C2 44 CE A0 89 60 78  J.G/B...v.D...`x

]
From what I have observed, the SunPKCS11 provider only enumerates keys that are associated with an X.509 certificate. So you need at least to generate a self-signed certificate and import it into the token. If you want to verify that my answer is correct, see "Step 5" of the section "Read Only Access".

Assuming your keystore is not named "NONE", you need to specify its name in keytool's -keystore argument, among other things.
@WarrenDew - I followed the Java 7 documentation [1], where they use "NONE" as the keystore name. Since this is a crypto token, there is no keystore file. [1]
I suppose it is because your SunPKCS11 provider or factory does not initialize the config file correctly.
@happymeal - It turned out this was due to a missing ID attribute on the private key and a missing certificate. I seem to be missing the ID on the key pair as well. I will add a certificate and an ID and see if that helps.
With the ID and certificate added, everything started working. I have edited the question to reflect the correct configuration and output in case anyone needs it.
How do you create a self-signed certificate with a private key that cannot be accessed? How did you solve this?
@Martin I am not sure whether this helps you, but you can use some other tool that does not use SunPKCS11, e.g.
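As an added check (not part of the question or answer above), the pairing rule the answer describes, that SunPKCS11 lists a private key only when a certificate object on the token carries the same CKA_ID, can be verified from a `pkcs11-tool -O` listing before involving Java at all. The listing below is constructed for the example, and the awk parser assumes pkcs11-tool's one-object-per-header format with `label:` and `ID:` lines.

```shell
# Constructed sample of a `pkcs11-tool -O` listing: "onekey" has a certificate
# sharing its CKA_ID, "orphan" has an ID but no certificate, "noid" has no ID.
SAMPLE='Private Key Object; RSA
  label:      onekey
  ID:         01
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      onekey
  ID:         01
  Usage:      encrypt, verify, wrap
Certificate Object; type = X.509 cert
  label:      onekey
  subject:    DN: CN=onesubject, O=Xxxx, ST=Xxxx, C=XX
  ID:         01
Private Key Object; RSA
  label:      orphan
  ID:         02
  Usage:      decrypt, sign, unwrap
Private Key Object; RSA
  label:      noid
  Usage:      decrypt, sign, unwrap'

# check_pairing: reads a pkcs11-tool -O listing on stdin and prints one line per
# private key: "<label> OK" when a certificate object carries the same CKA_ID,
# otherwise "<label> MISSING-CERT" or "<label> MISSING-ID" (the poster's case).
# Exit status is 1 when any private key would be invisible to SunPKCS11.
check_pairing() {
  awk '
    /Object;/ {                       # header line starts a new object
      n++; label[n] = ""; id[n] = ""
      type[n] = ($1 == "Private") ? "key" : ($1 == "Certificate") ? "cert" : "other"
      next
    }
    /^ *label:/ { label[n] = $2 }
    /^ *ID:/    { id[n] = $2; if (type[n] == "cert") certid[$2] = 1 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        if (type[i] != "key") continue
        if (id[i] == "")             { print label[i], "MISSING-ID";   bad = 1 }
        else if (!(id[i] in certid)) { print label[i], "MISSING-CERT"; bad = 1 }
        else                         { print label[i], "OK" }
      }
      exit bad
    }'
}

printf '%s\n' "$SAMPLE" | check_pairing ||
  echo "some private keys will not be listed by SunPKCS11 until a certificate with the same ID is stored"
```

On a real token, pipe the output of `pkcs11-tool --module /lib64/libeToken.so.8 --login -O` into `check_pairing` instead of the sample.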