use*_*353 5 java jce digital-signature pkcs#11 pkcs#7
I am trying to sign some data (a POST form) in a web-based application using a Java Applet. The user's x509 certificate would be in a cryptoken/smart card. The signature needs to be in attached pkcs#7 format.
I am using this tutorial/code as a starting point in building the applet - http://www.developer.com/java/other/article.php/3587361/Java-Applet-for-Signing-with-a-Smart-Card.htm
The biggest problem for me here seems to be the fact that the applet asks the user for location of the pkcs#11 implementation library. This is a big no-no for me because my typical user is not going to know the location of his pkcs#11 library.
From Oracle's Java documentation - http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html it seems that Java doesn't come with its own implementation.
Is there a way to do this signing without asking the user for this location? I am OK with a solution which only works with just IE and Firefox on Windows.
With a few smartcards/cryptokens I have used, I have noticed that the moment I insert it, I can see the certificate in IE & Firefox's personal tab of certificates. This probably means that the crypto token registers all the certificates it contains with OS when you insert the card and deregisters it when you remove it. So it must probably be exposing some interface to the OS/Browser when it does it - can this not be used for signing?
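We have done what you are trying to do now (distributed signing using client-side modules) in the Distributed Cryptography add-on of our SecureBlackbox product, and we offer an ActiveX control for IE and a Java applet for other browsers.
Unfortunately, PKCS#11 DLLs are not registered anywhere, so you can't avoid asking the user for the location of the DLL.
Most hardware devices support both the PKCS#11 and CryptoAPI interfaces. With the CryptoAPI interface, the CSP DLL exposes the hardware-based certificates to the CryptoAPI engine and thus to applications. In this case you can use Java classes that work with Windows CryptoAPI.
PKCS#11 is an interface that is implemented by hardware vendors, so Java can't implement its own: the JVM is not hardware and doesn't contain certificates (and even if it did, that wouldn't solve your problem). I should note that Firefox has a built-in PKCS#11 driver through which Firefox accesses its own certificates. This is done to unify support for software- and hardware-stored certificates.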
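The CryptoAPI route mentioned in the answer, sketched as an added example that is not part of the original answer or of SecureBlackbox: it opens the Windows "Personal" store through the JDK's SunMSCAPI provider (no PKCS#11 library path needed) and builds an attached PKCS#7 signature. It assumes Windows, Bouncy Castle (bcprov and bcpkix) on the classpath, an RSA key, and a CSP that supports SHA-256; the class name and sample form data are constructed for illustration.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public class MscapiPkcs7Signer {  // hypothetical class name
    // Returns an attached (content-encapsulating) PKCS#7/CMS SignedData blob.
    static byte[] signAttached(byte[] data) throws Exception {
        // "Windows-MY" is the current user's Personal certificate store; a
        // smart card's CSP publishes its certificates there on insertion.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;       // no private key
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            try { cert.checkValidity(); }
            catch (CertificateException ex) { continue; }  // expired or not yet valid
            boolean[] ku = cert.getKeyUsage();
            if (ku != null && !ku[0]) continue;        // bit 0 = digitalSignature
            // The key is only a handle: signing runs inside the CSP/token.
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                    .setProvider("SunMSCAPI").build(key);
            CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
            gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                    new JcaDigestCalculatorProviderBuilder().build()).build(signer, cert));
            gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
            // true = attached: the signed content is embedded in the PKCS#7.
            return gen.generate(new CMSProcessableByteArray(data), true).getEncoded();
        }
        throw new IllegalStateException("No usable signing certificate in Windows-MY");
    }

    public static void main(String[] args) throws Exception {
        byte[] form = "amount=100&to=ACME".getBytes("UTF-8");  // constructed sample form data
        System.out.println("PKCS#7 bytes: " + signAttached(form).length);
    }
}
```

This picks the first valid signing certificate it finds; a real client would let the user choose, and the server should still verify the certificate chain and revocation status before trusting the signature.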