Java security - MSCAPI provider: How to use withou

2019-01-25 13:58发布

问题:

I've managed to use Sun's MSCAPI provider in my application. The problem I'm having now is that it always pops up a window, asking for a password, even though I've provided it in the code. This is a problem, because I need the cryptography functionality in a webservice.

Here's the code I have now:

String alias = "Alias to my PK";
char[] pass = "MyPassword".toCharArray();

KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, pass);
Provider p =  ks.getProvider();

Signature sig = Signature.getInstance("SHA1withRSA",p);
PrivateKey key = (PrivateKey) ks.getKey(alias, pass)

sig.initSign(key);
sig.update("Testing".getBytes());
sig.sign();

This is working great, but I get a popup asking for the password when the last line is run. How do I prevent that?

回答1:

The MSCAPI provider does not support providing the password to CAPI:

A compatibility mode is supported for applications that assume a password must be supplied. It permits (but ignores) a non-null password. The mode is enabled by default. (1)

To set the password through CAPI, you must call CryptSetKeyParam with the undocumented KP_KEYEXCHANGE_PIN or KP_SIGNATURE_PIN and hope your underlying hardware token provider supports it. (They are not completely undocumented - the documentation for Windows CE and Windows Mobile mention them (2) and they are included in the header files).



回答2:

My guess is that Windows is popping up the pop up.

Import your key again using the Certificate Import Wizard, but make sure that you don't check the following option on the "Password" screen.

[_] Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option.



回答3:

I resolved this problem setting the provider as follow:

signeData = gen.generate(content, ks.getProvider());

Where

ks is a KeyStore and

genis a CMSSignedDataGenerator