Trying to enable FIPS mode in Java with SunPKCS11 and NSS
I'm working on a project requiring FIPS 140-2 validated cryptography, and I'm trying to use NSS with the SunPKCS11 token interface, and I've gotten it working up until turning on FIPS mode in NSS. I get an error, CKR_USER_NOT_LOGGED_IN, that I just don't have any idea what to do with. Any suggestions as to what I should do?
I'm new to the security world, so this code is cobbled together from the examples in the Oracle Java Tutorials, the SunPKCS11 reference page, and suggestions for using NSS in FIPS mode on the web.
Here's the code I'm using:
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

public class SignMeUpSunPKCS11NSS {
    public static void main(String[] args) {
        String ksName = "my.pfx";
        char[] spass = {'m', 'y', 'p', 'w' };
        String alias = "testalias";
        try {
            // Load the private key and certificate from a software PKCS#12 file.
            KeyStore ks = KeyStore.getInstance("PKCS12");
            FileInputStream ksfis = new FileInputStream(ksName);
            BufferedInputStream ksbufin = new BufferedInputStream(ksfis);
            ks.load(ksbufin, spass);
            PrivateKey priv = (PrivateKey) ks.getKey(alias, spass);
            System.out.println(" Initialize the signing.");
            // Provider name is "SunPKCS11-" + the "name" attribute of the PKCS#11 config (NSS-FIPS).
            Signature sig = Signature.getInstance("SHA1withRSA", "SunPKCS11-NSS-FIPS");
            // initSign() hands the software key to the PKCS#11 token (this is where the failure below occurs).
            sig.initSign(priv);
            System.out.println(" Open the digital object to sign.");
            FileInputStream fis = new FileInputStream( "digitalRecipes2.txt" );
            BufferedInputStream bufin = new BufferedInputStream(fis);
            byte[] buffer = new byte[1024];
            int len;
            while ((len = bufin.read(buffer)) >= 0) {
                sig.update(buffer, 0, len);
            }
            bufin.close();
            byte[] realSig = sig.sign();
            FileOutputStream sigfos = new FileOutputStream("digitalRecipes2.txt.sig");
            sigfos.write(realSig);
            sigfos.close();
            // Also export the certificate so a verifier can check the signature.
            java.security.cert.Certificate cert = ks.getCertificate(alias);
            byte[] encodedCert = cert.getEncoded();
            FileOutputStream certfos = new FileOutputStream("mykey.cert");
            certfos.write(encodedCert);
            certfos.close();
        } catch (Exception e) {
            System.err.println( "Caught exception " + e.toString() );
            e.printStackTrace();
        }
    }
}
and here's the config I'm using for NSS.
name = NSS-FIPS
nssLibraryDirectory = /opt/local/lib/nss
nssSecmodDirectory = /Users/xxxx/work/workspace/learnin/XXXX
nssDbMode = readWrite
nssModule = fips
When I run this code, I get the following stack trace.
Initialize the signing.
Caught exception java.security.InvalidKeyException: Could not create RSA private key
java.security.InvalidKeyException: Could not create RSA private key
at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeyFactory.java:88)
at sun.security.pkcs11.P11KeyFactory.engineTranslateKey(P11KeyFactory.java:115)
at sun.security.pkcs11.P11KeyFactory.convertKey(P11KeyFactory.java:48)
at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:374)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1095)
at java.security.Signature.initSign(Signature.java:480)
at com.xxxxxxxx.digitalSigning.SignMeUpSunPKCS11NSS.main(SignMeUpSunPKCS11NSS.java:43)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
at sun.security.pkcs11.P11RSAKeyFactory.generatePrivate(P11RSAKeyFactory.java:238)
at sun.security.pkcs11.P11RSAKeyFactory.implTranslatePrivateKey(P11RSAKeyFactory.java:62)
... 6 more
and it's the CKR_USER_NOT_LOGGED_IN error that I have no idea what to do with.
If I change the NSS configuration to not use FIPS mode, then the program runs fine and signs the file, gives the signature, and gives the public key.
I created the NSS databases using the following commands while in the appropriate directory listed in the NSS config file.
modutil -create -dbdir .
modutil -fips true -dbdir .
modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir .
Comments (1)
You should log in to the security token first. You can use AuthProvider:
As described in:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#Login
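The answer above names the fix but shows no code. The following is an added example (not code from the question or the answer) of what that login looks like end to end: the SunPKCS11 provider is built from the NSS FIPS config, cast to AuthProvider, and logged in with a CallbackHandler that supplies the NSS FIPS database password (the one set with modutil -changepw, which is separate from the PKCS#12 password), and only then is the PKCS#12 key handed to Signature.initSign(). This matters because the stack trace shows the failure inside C_CreateObject during initSign(): SunPKCS11 imports the software private key into the token at that point, and an NSS token in FIPS mode refuses private-key object creation and use until CKU_USER is logged in. Assumptions: the config file path, the token password, Java 7 or 8 (the sun.security.pkcs11.SunPKCS11(String) constructor and try-with-resources), the file and alias names reused from the question, and SHA256withRSA in place of SHA1withRSA, since SHA-1 signatures are deprecated.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class SignWithNssFipsLogin {

    // Assumed values: the SunPKCS11 config from the question saved to a file, and the
    // NSS FIPS DB password that was set with "modutil -changepw ... -dbdir .".
    private static final String PKCS11_CONFIG = "/path/to/nss-fips.cfg";
    private static final char[] TOKEN_PASSWORD = "change-me".toCharArray();

    public static void main(String[] args) throws Exception {
        // Java 6-8: build the provider directly from the config file.
        // (On Java 9+ use Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG) instead.)
        Provider pkcs11 = new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG);
        Security.addProvider(pkcs11);

        // SunPKCS11 extends AuthProvider; login() performs the PKCS#11 C_Login as CKU_USER,
        // which the NSS FIPS token requires before private-key objects can be created or used.
        AuthProvider token = (AuthProvider) pkcs11;
        token.login(null, new TokenPasswordHandler(TOKEN_PASSWORD));
        try {
            // Load the software key from PKCS#12 exactly as in the question.
            char[] pkcs12Password = "mypw".toCharArray();
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream("my.pfx")) {
                ks.load(in, pkcs12Password);
            }
            PrivateKey priv = (PrivateKey) ks.getKey("testalias", pkcs12Password);

            // initSign() is where SunPKCS11 imports the key into the token (C_CreateObject);
            // this is the call that failed with CKR_USER_NOT_LOGGED_IN before the login above.
            Signature sig = Signature.getInstance("SHA256withRSA", pkcs11);
            sig.initSign(priv);
            sig.update(Files.readAllBytes(Paths.get("digitalRecipes2.txt")));
            byte[] signature = sig.sign();

            try (OutputStream out = new FileOutputStream("digitalRecipes2.txt.sig")) {
                out.write(signature);
            }
            System.out.println("Wrote " + signature.length + "-byte signature using " + pkcs11.getName());
        } finally {
            // Drop the token session; the imported key was a session object and goes with it.
            token.logout();
        }
    }

    /** Answers SunPKCS11's PasswordCallback with the token password. */
    static final class TokenPasswordHandler implements CallbackHandler {
        private final char[] password;

        TokenPasswordHandler(char[] password) {
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "Only PasswordCallback is supported");
                }
            }
        }
    }
}
```

If you prefer not to call login() yourself, the same guide section describes registering the handler instead, via AuthProvider.setCallbackHandler() or the auth.login.defaultCallbackHandler security property, so that SunPKCS11 logs in on demand the first time an operation needs it. Either way the token password must not be hard-coded in real code; read it from a protected file or a secrets store, and keep in mind that importing the key from PKCS#12 on every run means the key lives outside the validated module in between, which is usually not what a FIPS-scoped design wants.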