Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
102 views
in Technique[技术] by (71.8m points)

java - How to connect to HTTPS server using Common Access Card

I need to write a java program to connect to a HTTPS server (DoD website). The website requires CAC (DoD common access card) authentication. If you access this site via browser, you insert your CAC first, and then enter a PIN.

I need to accomplish the authentication process programmatically in java (kind of acting like browser). How do I retrieve the information from the CAC? I have been Googling around and read the Java PKCS#11 Reference Guide. Seems like Sun PKCS#11 Provider can do it, but you need the native PKCS#11 token implementation.

Am I right? Has anybody done this before? Any suggestion or comment will be greatly appreciated.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

First, you need to install PKCS #11 support. This is some native code that probably came with your card reader that provides a .dll (or .so) that provides a PKCS #11 interface. Other software on the system, like Mozilla products and Sun's PKCS #11 provider, uses this library. (Microsoft products often use a different interface, "CAPI".)

Then, following the directions in the PKCS #11 Reference Guide, set up a SunPKCS11 provider. The only properties that I had to supply in my setup are the location of the native "library" that was installed, and the "name" suffix for this provider. The "name" property is appended to "SunPKCS11-", so if you specify "CAC" for the name, you can lookup the Provider later with Security.getProvider("SunPKCS11-CAC").

Then, you can use the standard JSSE system properties javax.net.ssl.keyStore (with a value of "NONE") and javax.net.ssl.keyStoreType (with a value of "PKCS11") to give the JSSE access to the key material on the CAC. You don't need to set the password property, because the native code should prompt the user for their PIN when needed.

The caveat is that only the user's "end entity" certificate is available from the CAC. To build a trusted chain, most servers expect the client to send any intermediate certificates. Working around this is possible, but complicated, as it involves implementing your own javax.net.ssl.X509KeyManager. If the server you are working with requires a complete chain, please post a follow-up question.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...