I want to load an MSCAPI keystore in Java and inspect the certificates available in the MY store. However, some of the certificates have their keys stored on hardware tokens, and a prompt pops up at load time asking for the token.
Is there a way to defer loading the private keys when loading the Windows keystore?
```java
import java.security.KeyStore;

KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
keyStore.load(null, null);
```
Solution
The activation of the popup originates from the MS-CAPI Cryptographic Service Provider (CSP), which is a DLL provided by the manufacturer of the USB token. This DLL then communicates with the token through a driver, also supplied by the same manufacturer. KeyStore simply initiates a call, and all intermediate layers facilitate its transmission. The firmware on the token is responsible for displaying the authentication popup and managing session-state, among other functions.
The crucial Java DLL is sunmscapi.dll, which contains the implementation:

```cpp
// Use CertEnumCertificatesInStore to get the certificates
// from the open store. pCertContext must be reset to
// NULL to retrieve the first certificate in the store.
PCCERT_CONTEXT pCertContext = NULL;
while (pCertContext = ::CertEnumCertificatesInStore(hCertStore, pCertContext))
{
    // Check if private key available - client certs only
    HCRYPTPROV hCryptProv = NULL;
    DWORD dwKeySpec = 0;
    HCRYPTKEY hUserKey = NULL;
    BOOL bCallerFreeProv = FALSE;
    BOOL bHasNoPrivateKey = FALSE;
    DWORD dwPublicKeyLength = 0;

    if (::CryptAcquireCertificatePrivateKey(pCertContext, NULL, NULL,
            &hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE)
    {
        bHasNoPrivateKey = TRUE;

    } else {
        // Private key is available
        BOOL bGetUserKey = ::CryptGetUserKey(hCryptProv, dwKeySpec, &hUserKey);

        // Skip certificate if cannot find private key
        if (bGetUserKey == FALSE)
        {
            if (bCallerFreeProv)
                ::CryptReleaseContext(hCryptProv, NULL);
            continue;
        }
        ....
```
As evident, it consistently verifies the presence of a private key. To bypass or overcome this verification, one must make alterations to the code and develop a personalized edition of sunmscapi.dll.
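For contrast with the loop quoted above, here is an added example (not the answerer's code, and not part of the JDK) that walks the same Windows "MY" store from Java through crypt32.dll directly, keeping the `CertEnumCertificatesInStore` loop shape but omitting the `CryptAcquireCertificatePrivateKey` step. Because no CSP is ever asked for a key, no token driver is involved and no prompt appears; the trade-off is that it only yields public certificate data and is not a `KeyStore` replacement. It assumes JNA on the classpath and a Windows host; the `Crypt32Min` binding and the `CERT_CONTEXT` field offsets are hand-written assumptions, not the JNA Platform `Crypt32` class.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import com.sun.jna.Library;
import com.sun.jna.Native;
import com.sun.jna.Pointer;
import com.sun.jna.WString;

/**
 * Lists the certificates of a Windows system store via crypt32 without
 * touching any private key, so no CSP / token driver is invoked.
 * Illustrative code written for this page; the binding below is a hand-written
 * assumption about the Win32 signatures, not JNA Platform's Crypt32 class.
 */
public class WindowsStoreCertificateLister {

    /** Minimal crypt32 binding: only the calls the enumeration needs. */
    interface Crypt32Min extends Library {
        Crypt32Min INSTANCE = Native.load("crypt32", Crypt32Min.class);

        // HCERTSTORE CertOpenSystemStoreW(HCRYPTPROV_LEGACY hProv, LPCWSTR szSubsystemProtocol)
        Pointer CertOpenSystemStoreW(Pointer hProv, WString szSubsystemProtocol);

        // PCCERT_CONTEXT CertEnumCertificatesInStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pPrevCertContext)
        // Returns NULL when the store is exhausted; the previous context is freed by the call.
        Pointer CertEnumCertificatesInStore(Pointer hCertStore, Pointer pPrevCertContext);

        // BOOL CertFreeCertificateContext(PCCERT_CONTEXT pCertContext)
        boolean CertFreeCertificateContext(Pointer pCertContext);

        // BOOL CertCloseStore(HCERTSTORE hCertStore, DWORD dwFlags)
        boolean CertCloseStore(Pointer hCertStore, int dwFlags);
    }

    // Assumed layout of CERT_CONTEXT (pointer-aligned fields):
    //   DWORD dwCertEncodingType;  at offset 0
    //   BYTE* pbCertEncoded;       at offset POINTER_SIZE
    //   DWORD cbCertEncoded;       at offset 2 * POINTER_SIZE
    private static final int OFF_PB_CERT_ENCODED = Native.POINTER_SIZE;
    private static final int OFF_CB_CERT_ENCODED = 2 * Native.POINTER_SIZE;

    /** Returns the DER-decoded certificates of a system store such as "MY" or "ROOT". */
    public static List<X509Certificate> listCertificates(String storeName) throws Exception {
        Crypt32Min crypt32 = Crypt32Min.INSTANCE;
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> result = new ArrayList<>();

        Pointer hStore = crypt32.CertOpenSystemStoreW(Pointer.NULL, new WString(storeName));
        if (hStore == null) {
            throw new IllegalStateException("CertOpenSystemStoreW failed, error " + Native.getLastError());
        }
        Pointer ctx = null;
        try {
            // Same loop shape as sunmscapi.dll: pass NULL first, then the previous
            // context, until the call returns NULL.
            while ((ctx = crypt32.CertEnumCertificatesInStore(hStore, ctx)) != null) {
                int len = ctx.getInt(OFF_CB_CERT_ENCODED);
                byte[] der = ctx.getPointer(OFF_PB_CERT_ENCODED).getByteArray(0, len);
                result.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
                // Deliberately no CryptAcquireCertificatePrivateKey here: that is the
                // call that reaches the CSP and makes a hardware token prompt.
            }
        } finally {
            // ctx is non-null only if the loop was left by an exception.
            if (ctx != null) {
                crypt32.CertFreeCertificateContext(ctx);
            }
            crypt32.CertCloseStore(hStore, 0);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        for (X509Certificate cert : listCertificates("MY")) {
            System.out.println(cert.getSubjectX500Principal()
                    + "  (serial " + cert.getSerialNumber().toString(16) + ")");
        }
    }
}
```

Run it as `java -cp jna.jar;. WindowsStoreCertificateLister` on the Windows machine holding the store. If you later need to sign with one of these certificates, you still have to go through `KeyStore` (or the CSP directly), and at that point the token prompt is expected behaviour rather than something to suppress.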