通过 PKCS#11 使用智能卡的 Android SSL
之所以产生这个问题,是因为我完全迷失了,所以请原谅那些琐碎和无意义的部分。
我有一个 Android 应用程序、一个网络服务、一张 MicroSD 智能卡(移动安全卡)。我需要知道如何使用带有 ssl 的卡来安全地与网络服务进行通信。重建和刷新操作系统不是一个选择。
我所知道的:
- 用于与 MSC 通信的 API
- 如何向 MSC 编写/部署小程序
- 如何调用 Web 服务
我不知道的:
- SSL
- 关于证书和密码学的内容太多(只有来自大学的可疑学术内容) )
- 事情是如何结合在一起的以及我应该使用什么来完成这个
seek-for-安卓有 OpenSC 教程和库,但操作系统需要为此打补丁。有没有办法避免这种情况并仍然使用该解决方案?
我知道我可以通过一些研究进一步深入这个问题,但我的截止日期非常接近(几天),所以我需要帮助,很多帮助,而且很快......提前谢谢你!
编辑:
更具体地说:
我有一张 Giesecke & 的智能卡 SD 卡。 Devrient,带有 Java Card 操作系统和精美的小程序和开发工具。我还收到了一个 Android 服务,用于通过 APDU 与卡(小程序)进行通信。这是相当低级的,它接受字节码作为命令和数据。
我需要通过 SSL 身份验证调用 Web 服务。现在我知道 SSL 使用(可以使用)具有 PKCS#11 接口的硬件令牌。
有一个名为 seek-for-android 的项目,其中包含指南修补操作系统并在智能卡上拥有标准 PKCS#11 接口(我相信这将是 OpenSC)。我无法修补操作系统。
那么问题又来了:
- Android SSL 实现能否以某种方式使用(自定义)PKCS#11 接口,如果可以,如何使用? (例如可能与某些安全提供商一起)
- 我可以在不修补操作系统的情况下使用 OpenSC(以及链接指南中提到的其他内容)(例如提取库并将其包含在我的应用程序中)吗?
- 总的来说,我应该如何链接低级智能卡和高级SSL之间的差距?我恳请您提供与此相关的任何材料。
The reason that this question was born is that I am totally lost, so please forgive the trivial and senseless parts.
I have an Android app, a web-service, a MicroSD smart card (mobile security card). I need to know how can I use the card with ssl to securely communicate with the web-service. Rebuilding and flashing the OS is not an option.
What I know:
- The API used to communicate with the MSC
- How to write/deploy applets to the MSC
- How to call a web-service
What I don't know:
- SSL
- Too much about certificates and cryptography (only shady academic stuff from the university)
- How things come together and what should I use to accomplish this
seek-for-android has an OpenSC tutorial and library, but the OS needs to be patched for that. Is there a way to avoid that and still use the solution?
I know I could be much further into this with a little research, but my deadline is quite close (a few days), so I need help, much help, and very soon.. Thank you in advance!
EDIT:
More specifically:
I have a Smart Card SD card from Giesecke & Devrient, with Java Card OS and fine applets and dev tools. I also recieved an android service to communicate with the card (the applets) with APDUs. This is quite low-level, it acceps byte codes as commands and data.
I need to call a web-service via SSL authentication. Now I know that SSL uses (can use) hardware tokens with PKCS#11 interfaces.
There is a project called seek-for-android with a guide to patch the OS and have a standard PKCS#11 interface over the smart card (I believe this would be OpenSC). I CAN'T patch the OS.
So the questions again:
- Can the Android SSL implementation use (custom) PKCS#11 interfaces in some way, if yes, how? (e.g. possibly with some security providers)
- Can I use OpenSC (and other stuff mentioned in the linked guide) without patching the OS (e.g. extract the libs and include it in my application)?
- Overall, how should I link the gap between the low-level smart card and the high level SSL? I kindly ask you for any material regarding this.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
由于这是封装在 microSD 卡内的特殊形式的智能卡,我假设该 API 基于特殊的 SD 卡读写操作。此类操作在没有 root 访问权限的 Android 上可能可用,也可能无法使用。
这取决于 API 的具体实现。通常这样的 microSD 卡已经附带了供应商提供的 Android 库(因为它是最开放的相关移动平台)。您应该向那里询问以获取更多信息。
As this is a special form of a Smart-Card encapsulated inside a microSD-card I assume that the API bases on special SD-Card read and write operations. Such operation may or may not be usable on Android without root access.
That depends on the certain implementation of the API. Usually such a microSD card already comes with Android libraries (as it is the most open relevant mobile platform) from the vendor. You should ask there for getting more information.
使用 Bouncycastle(Spongycastle 是 Android 的分支)并实现您自己的安全提供程序,该提供程序使用智能卡而不是存储证书的文件。
Use Bouncycastle (Spongycastle is the fork for Android) and implement your own Security Provider which uses the SmartCard instead of a file for stored certificates.
如果您可以在不修补 ROM 的情况下访问您的卡,您可以在其上实施您自己的(需要密码学知识)SSL 实现。
如果没有,那么据我所知,您需要修补 Android 才能访问额外的硬件。并且内置 SSL 库不支持客户端“硬件令牌”AFAIK。
If you can access your card without patching the ROM, you can roll your own (requires knowledge of cryptography) SSL implementation on top of it.
If not, then AFAIK you need to patch Android to get access to the extra hardware. And the built-in SSL library has no support whatsoever for client-side "hardware tokens" AFAIK.