<rt id="bn8ez"></rt>
<label id="bn8ez"></label>

  • <span id="bn8ez"></span>

    <label id="bn8ez"><meter id="bn8ez"></meter></label>

    David.Turing's blog

     

    How to use Java produce Signature by USBKey under CryptoAPI/CSP

    Perhaps someone need to use USB-KEY or other?Hardware Token?to generate Digital Signature , through Microsoft CryptoAPI.? Perhaps MS CryptoAPI is the only way for us?to access?Cryptography Device such as USB-Key. It is sure not a comfortable way because Java developers have to?call CAPI funtions throught JNI(Java Native Interface). So?there are some java-library to?CALL?CryptoAPI, but they are not free.

    I hope to provide an OpenSource Java?Library to do this thing : SecureX[https://sourceforge.net/projects/securex]
    Here is some demo of what?SecureX Library could do:
    1, SecureX Library Arichtecture Demo
    http://dev2dev.bea.com.cn/bbs/servlet/D2DServlet/download/29304-31620-211417-3031/securex.swf
    2, SecureX USB-Key Demo
    http://dev2dev.bea.com.cn/bbs/servlet/D2DServlet/download/29304-31620-213693-3060/HNISI_SecureX_USBKey.swf

    OK, Came back to our topic, how to use java call CryptoAPI to produce signature.
    You should know at least :
    1, CryptoAPI?are just?a set of interface define by MS, and USB-Key Vendor just implement these interface so that our application can call the usb key to do some cryptographic operations(eg?Signature, Hash, Encryption). There are a lot of CSPs located in your windows system. CSP is implementation,? but we need not care about it, All we care is what CryptoAPI could do. See MSDN for more information.
    2, For Java developer, they should use JNI to access CryptoAPI but it is not an easy thing since there are some encoding difference between JDK and Windows. For example, they should know how to convert the binary Private?key stream to Java PrivateKey Object.
    3, Perhaps some?USB-Key vendor provide PKCS#11 CSP other than CryptoAPI CSP. PKCS#?CSP is? a RSA Standard [http://www.rsasecurity.com/rsalabs/node.asp?id=2133], It will be a good optional implement instead of CryptoAPI CSP.

    Back to CryptoAPI CSP:

    Java developer should do such a thing to generate a signature:

    byte []?data? = ? " http://openssl.blogjava.net " .getBytes();
    SignatureUtils?sigutil
    = new ?SignatureUtils( " MD5 " );
    sigutil.initSign(privateKey);
    sigutil.update(data,
    0 ,data.length);
    byte []?signature? = ?sigutil.sign();

    sigutil.initVerify(publicKey);
    sigutil.update(data,
    0 ,data.length);
    if ( ! sigutil.verify(signature))
    ????System.out.println(
    " The?signature?verification?failed. " );
    else
    ????System.out.println(
    " The?signature?was?successfully?verified. " );

    before we sign, we should provide a privatekey,? in the java world, private key is stored in JKS file(Java Keystore), we could get the keyEntry out through:

    keyStoreStream? = ? new ?FileInputStream(keyStoreFilename);
    keystore?
    = ?KeyStore.getInstance(KeyStore.getDefaultType());
    keystore.load(keyStoreStream,?keyStorePassword.toCharArray());
    Key?key?
    = ?keystore.getKey(alias,?keypassword);
    if ?(key? instanceof ?PrivateKey)
    ????
    return ?(PrivateKey)key;

    But?on windows,? private key is not stored in JKS, they stored in Windows Local CertStore or in USB-Key,and in most cases, private key are not allowed to Export!

    In CryptoAPI's world, you should do the following things.

    call?CryptAcquireContext?get?HCRYPTPROV?handle,?also?known?as?a?csp?handle
    call?CryptCreateHash?to?hash?your?data
    call?CryptSignHash?to?sign

    CryptAcquireContext?need Key container name?、CSP?Name、CSP?type、dwFlags。
    CryptCreateHash?need?hash?agorithm
    CryptSignHash?need?dwKeySpec,right! it's the private key spec.

    So, Java developer feel boring when he need to provide the private key.
    The proper way is:
    1,? Use Alias to get the privatekey:
    ???? (a) if the private key is exportable, we can get it and change it to a Java Object
    ???? (b) if the private key is not exportable, we get the private key handle.
    2,? Sign the Hash
    ????? (a) if the private key is exportable,? sigutil.initSign(privateKey) would do this job.
    ????? (b) if the?private key is not exportable, we?pass?the?private key handle to CSP,?
    and let CSP get the privatekey internally.
    ????
    The program below is running under securex, and it can get the privatekey from
    usb-key, and sign the data:
    ????/**
    ?????*?簽名,并將XML簽名結果保存到signatureFile中
    ?????*?需要3個條件
    ?????*?1,KeyAlias,用于獲取私鑰
    ?????*?2,source_filename_to_be_signed,確定被簽名的數據源
    ?????*?3,簽名算法
    ?????*?
    @param?save_signatureFile
    ?????
    */

    ????
    public?static?void?sign()
    ????
    {
    ????????
    byte?abyte0[][];
    ????????
    ????????
    if((abyte0?=?CorKeyStoreJNI.getKey(getKeyAlias()))?==?null)
    ????????
    {
    ????????????System.err.println(
    "這是一條不可導出的鑰匙!");
    ????????????
    return;
    ????????}

    ????????
    ????????
    if(abyte0.length?==?0)
    ????????
    {
    ????????????JCAPIRSAPrivateKey?jcapikey?
    =new?JCAPIRSAPrivateKey(getKeyAlias().getBytes());
    ????????????System.out.println(jcapikey.getAlgorithm()
    +":"+jcapikey.getPrivateExponent());
    ????????
    ????????????
    /**
    ?????????????*?簽名數據
    ?????????????
    */

    ????????????File?sourcefile
    =new?File(source_filename_to_be_signed);
    ????????????
    byte[]?data?=null;?
    ????????????
    try?{
    ????????????????????data
    =?FileUtils.getBytesFromFile(sourcefile);
    ????????????}
    ?catch?(IOException?e1)?{
    ????????????????????e1.printStackTrace();
    ????????????}

    ????????????
    ????????????
    byte[]?signature=null;
    ????????????
    ????????????
    /**
    ?????????????*?產生簽名
    ?????????????*?TODO,?使用正確的簽名算法,比如MD5withRSA->MD5
    ?????????????
    */

    ????????????SignatureUtils?sigutil
    =new?SignatureUtils(getSignAgorithm());
    ????????????
    try?{
    ????????????????sigutil.initSign(jcapikey);
    ????????????????sigutil.update(data,
    0,data.length);
    ????????????????signature?
    =?sigutil.sign();
    ????????????????System.out.println(
    "signature>>>.."+new?String(signature));
    ????????????????setRawSignature(signature);

    ????????????}
    ?catch?(InvalidKeyException?e)?{
    ????????????????e.printStackTrace();
    ????????????}
    ?catch?(SignatureException?e)?{
    ????????????????e.printStackTrace();
    ????????????}

    ????????????
    ????????????
    /**
    ?????????????*?保存簽名到save_signatureFile
    ?????????????*?也就是sign的參數
    ?????????????
    */

    ????????????
    try?{
    ????????????????FileUtils.writeFile(getSaveSignatureFile(),signature);
    ????????????}
    ?catch?(IOException?e)?{
    ????????????????e.printStackTrace();
    ????????????}

    ????????????
    ????????}

    ????}

    How's it done?
    1) Well, Suppose I USE an?USB E-Key(CSP Vendor:吉大正元www.jit.com.cn)
    I know my PrivateKey Alias is? ,? Locate In "My"
    I?get the private key?through CoreKeyStoreJNI Class which has native jni method(getKey), by which?I could
    tell the csp which private key i want to use!
    2) I get the file to byteArray which must be Hash before sign, because for Microsoft CAPI,? its signobject can accept hash object only.
    SignatureUtils?sigutil=new?SignatureUtils(getSignAgorithm());
    the getSignAgorithm?return "MD5withRSA" "SHA1withRSA" for most cases. It meas?MD5 data before RSA Sign :)
    3) when the
    sigutil.sign();
    is Excute, a native PIN-CallBack Windows is open, it will ask you for private key protected password(you can see it in my swf demo above).
    type the correct PIN , My JIT CSP will call the correct sign cryptographic operations through the?USB EKey drivers.
    All the cryptographic operations(Hash, Sign) are performed on the USB-Key INTERNALLY, NOT by the KEY Drivers.
    OK,then CSP get the signature and Signature Verify use only the Public Key?and need not access the private key, It can?perform by CSP or verify using JCE, as you like.
    4) Haha, I've not yet told you that you need a DLL to Load before you call these API. Wait till I put my whole?project?to sourceforege?SecureX(http://securex.sourceforge.net/). Any Advice, please contact me on this blog or just join the QQ Group: 14966586

    posted on 2006-07-11 13:24 david.turing 閱讀(7021) 評論(1)  編輯  收藏 所屬分類: Security領域BounyCastle&JCE

    評論

    # re: How to use Java produce Signature by USBKey under CryptoAPI/CSP[未登錄] 2007-03-20 22:11 葡萄

    老兄,最近偶也在學習這個方面的東西。。
    在,java通過csp對usbkey寫入證書等操作方面,不知道老兄有沒有中文的參考材料。。。(不好意思偶e文水平太有限了)。。。或者實例代碼更好呀。。。
    先謝謝老兄了。。近來都焦頭爛額了。。。。初搞。。見笑。。  回復  更多評論   

    導航

    統(tǒng)計

    常用鏈接

    留言簿(110)

    我參與的團隊

    隨筆分類(126)

    隨筆檔案(155)

    文章分類(9)

    文章檔案(19)

    相冊

    搜索

    積分與排名

    最新隨筆

    最新評論

    閱讀排行榜

    評論排行榜

    主站蜘蛛池模板: 我的小后妈韩剧在线看免费高清版| caoporm碰最新免费公开视频| 97在线视频免费公开观看| 亚洲精品国产福利一二区| 国产精品亚洲专区在线播放| 午夜爱爱免费视频| 另类图片亚洲校园小说区| 免费无遮挡无码永久在线观看视频| 亚洲乱亚洲乱妇无码| 国产不卡免费视频| 免费人成在线观看播放a| 中文字幕亚洲无线码a| a级毛片在线免费| 久久亚洲国产成人亚| 亚欧免费一级毛片| 亚洲日本香蕉视频| 免费看国产成年无码AV片| 亚洲中文无码卡通动漫野外| 在线免费观看国产视频| 一个人看的免费视频www在线高清动漫 | 国产午夜亚洲精品不卡电影| 亚洲VA综合VA国产产VA中| 国产大片免费天天看| 久久亚洲精品无码| 免费看黄视频网站| 黄网站色成年片大免费高清| 亚洲一区无码精品色| 亚欧日韩毛片在线看免费网站| 亚洲娇小性xxxx| 亚洲AV无码之日韩精品| 日韩精品无码免费专区午夜| 亚洲经典在线中文字幕| 国产免费av片在线无码免费看| 国产激情久久久久影院老熟女免费 | 亚洲男人的天堂在线va拉文| 黄网站色视频免费在线观看的a站最新 | 三上悠亚电影全集免费| 亚洲中字慕日产2020| mm1313亚洲国产精品美女| 免费一区二区三区| 亚洲av永久无码|