First, you need to install PKCS #11 support. This is some native code that probably came with your card reader that provides a .dll (or .so) that provides a PKCS #11 interface. Other software on the system, like Mozilla products and Sun's PKCS #11 provider, uses this library. (Microsoft products often use a different interface, "CAPI".)
Then, following the directions in the PKCS #11 Reference Guide, set up a SunPKCS11
provider. The only properties that I had to supply in my setup are the location of the native "library" that was installed, and the "name" suffix for this provider. The "name" property is appended to "SunPKCS11-", so if you specify "CAC" for the name, you can lookup the Provider
later with Security.getProvider("SunPKCS11-CAC")
.
Then, you can use the standard JSSE system properties javax.net.ssl.keyStore
(with a value of "NONE"
) and javax.net.ssl.keyStoreType
(with a value of "PKCS11"
) to give the JSSE access to the key material on the CAC. You don't need to set the password property, because the native code should prompt the user for their PIN when needed.
The caveat is that only the user's "end entity" certificate is available from the CAC. To build a trusted chain, most servers expect the client to send any intermediate certificates. Working around this is possible, but complicated, as it involves implementing your own javax.net.ssl.X509KeyManager
. If the server you are working with requires a complete chain, please post a follow-up question.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…