{"id":218,"date":"2008-11-15T23:00:55","date_gmt":"2008-11-16T04:00:55","guid":{"rendered":"http:\/\/www.coresecuritypatterns.com\/blogs\/?p=218"},"modified":"2020-08-08T03:33:36","modified_gmt":"2020-08-08T03:33:36","slug":"enabling-smart-card-based-pki-as-java-key-store","status":"publish","type":"post","link":"https:\/\/websecuritypatterns.com\/blogs\/2008\/11\/15\/enabling-smart-card-based-pki-as-java-key-store\/","title":{"rendered":"Enabling Smart Card based PKI as Java Key Store"},"content":{"rendered":"<p style=\"center;\"><a href=\"http:\/\/www.websecuritypatterns.com\/blogs\/wp-content\/uploads\/2008\/12\/sunray-smartcard-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-221 aligncenter\" src=\"http:\/\/www.websecuritypatterns.com\/blogs\/wp-content\/uploads\/2008\/12\/sunray-smartcard-1.jpg\" alt=\"\" width=\"202\" height=\"181\"><\/a><\/p>\n<p style=\"justify;\">Last week, I was test driving a PIV smart card based PKI as a keystore (via Java PKCS#11) to support using the PKI\/certificate credentials for encryption\/decryption and digital signature operations (PKI-based logins to Web applications, encryption\/decryption of documents, digitally signing email). There is no secret recipe, but some of you may find it a bit difficult if you are doing it for the first time. So, here is my quick cheat sheet for your better understanding:<\/p>\n<p style=\"justify;\">Since J2SE 5.0, JCE has included support for the PKCS#11 standard, which allows the following:<\/p>\n<ul style=\"justify;\">\n<li>Using hardware cryptographic accelerators to speed up cryptographic operations.<\/li>\n<li>Using smart cards as key stores for key and trust management.<\/li>\n<\/ul>\n<p style=\"justify;\">To use these services, it is necessary to install the PKCS#11 implementation provided by the hardware accelerator and smart card vendors. 
As part of the J2SE 5.0 bundle (and up), Sun ships the SunPKCS11 provider.<\/p>\n<p style=\"justify;\">To use a smart card as a keystore or trust store, set the <strong>javax.net.ssl.keyStoreType<\/strong> and <strong>javax.net.ssl.trustStoreType<\/strong> Java runtime system properties to &#8220;<strong>pkcs11<\/strong>&#8221;, and set the <strong>javax.net.ssl.keyStore<\/strong> and <strong>javax.net.ssl.trustStore<\/strong> system properties to <strong>NONE<\/strong>. To specify the use of a vendor smart-card provider, use the <strong>javax.net.ssl.keyStoreProvider<\/strong> and <strong>javax.net.ssl.trustStoreProvider<\/strong> Java runtime system properties to identify it (for example, \u201cSunPKCS11-smart card\u201d). By setting these properties, you can configure an application to use a smart-card keystore with no changes to an application that previously accessed a file-based keystore.<\/p>\n<h3><span style=\"#000000;\">Configuring a Smart card as a Java Keystore (using OpenSC Framework)<\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft\" src=\"http:\/\/www.opensc-project.org\/media\/logo-lang.gif\" alt=\"OpenSC\" width=\"118\" height=\"30\">The following example shows how to configure an OpenSC-supported smart card as a Java keystore and list its certificates using the keytool utility. The OpenSC framework can be downloaded from http:\/\/www.opensc.org.<\/p>\n<ol>\n<li>Add the OpenSC PKCS#11 module as the keystore provider in the java.security file located at $JAVA_HOME\/jre\/lib\/security\/java.security.\n<p style=\"justify;\">security.provider.1=sun.security.pkcs11.SunPKCS11 \/opt\/openSC\/openscpkcs11-solaris.cfg<\/p>\n<\/li>\n<li>Create the OpenSC PKCS#11 configuration file. 
For example, the <strong><span style=\"#000000;\">openscpkcs11-solaris.cfg<\/span><\/strong> file looks as follows (keytool addresses the provider as SunPKCS11-&lt;name&gt;, here SunPKCS11-OpenSC):<br \/>\nname = OpenSC<br \/>\ndescription = SunPKCS11 w\/ OpenSC Smart card Framework<br \/>\nlibrary = \/usr\/lib\/pkcs11\/opensc-pkcs11.so<\/li>\n<li>With the above settings, it is possible to use the smart card as a keystore and retrieve information about the certificates on it. For example, you may use the keytool utility to list certificate entries from a smart card:<\/li>\n<\/ol>\n<p style=\"60px;\">$ keytool -keystore NONE -storetype PKCS11 -providerName SunPKCS11-OpenSC -list -v<br \/>\nEnter keystore password: &lt;SMARTCARD_PIN&gt;<br \/>\nKeystore type: PKCS11<br \/>\nKeystore provider: SunPKCS11-OpenSC<br \/>\nYour keystore contains 4 entries<\/p>\n<p style=\"60px;\">Alias name: Signature<br \/>\nEntry type: keyEntry<br \/>\nCertificate chain length: 1<br \/>\nCertificate[1]:<br \/>\nOwner: SERIALNUMBER=79797900036, GIVENNAME=Nagappan Expire1779,<br \/>\nSURNAME=R, CN=Nagappan (Signature), C=US<br \/>\nIssuer: CN=Nagappan OpenSSL CA, C=US<br \/>\nSerial number: 1000000000102fdf39941<br \/>\nValid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009<br \/>\nCertificate fingerprints:<br \/>\nMD5: 12:20:AC:2F:F2:F5:5E:91:0A:53:7A:4B:8A:F7:39:4F<br \/>\nSHA1:<br \/>\n77:76:48:DA:EC:5E:9C:26:A2:63:A9:EC:A0:14:42:BF:90:53:0F:BC<br \/>\nAlias name: Root<br \/>\nEntry type: trustedCertEntry<br \/>\nOwner: CN=Nagappan OpenSSL Root CA, C=US<br \/>\nIssuer: CN=Nagappan OpenSSL Root CA, C=US<\/p>\n<p style=\"60px;\">Serial number: 11111111111111111111111111111112<br \/>\nValid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009<br \/>\nCertificate fingerprints:<br \/>\nMD5: 5A:0F:FD:DB:4F:FC:37:D4:CD:95:17:D5:04:01:6E:73<br \/>\nSHA1:<br \/>\n6A:5F:FD:25:7E:85:DC:60:81:82:8D:D1:69:AA:30:4E:7E:37:DD:3B<br \/>\nAlias name: Authentication<br \/>\nEntry type: keyEntry<br \/>\nCertificate chain 
length: 1<br \/>\nCertificate[1]:<br \/>\nOwner: SERIALNUMBER=79797900036, GIVENNAME=Nagappan Expire1779,<br \/>\nSURNAME=R, CN=NAGAPPAN, C=US<br \/>\nIssuer: CN=Nagappan OpenSSL CA, C=US<br \/>\nSerial number: 1000000000102fd10d2d9<br \/>\nValid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009<br \/>\nCertificate fingerprints:<br \/>\nMD5: 29:7E:8A:5C:91:34:9B:05:52:21:4E:49:5B:45:F8:C4<br \/>\nSHA1:<br \/>\n15:B7:EA:27:E1:0E:9D:94:4E:7B:3B:79:00:48:A2:31:7E:9D:72:1A<\/p>\n<p style=\"60px;\">&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/p>\n<h3>Using Sun Ray DTU as your Smart card Reader<\/h3>\n<p>In our case, the customer chose to use <strong>Sun Ray as the Smartcard reader<\/strong>, where the inserted card is used both for session mobility and for PKI\/certificate-based cryptographic operations. To enable access to smart card based PKI credentials on Sun Rays, make sure you install the Sun Ray PC\/SC Lite package, which provides smart card access. You may download PC\/SC Lite for Sun Ray Server (SRSS 4.x) from:<\/p>\n<p style=\"30px;\">http:\/\/www.sun.com\/download\/products.xml?id=46af59b2<\/p>\n<p>Enjoy<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week, I was test driving a PIV smart card based PKI as a keystore (via Java PKCS#11) to support using the PKI\/certificate credentials for encryption\/decryption and digital signature operations (PKI-based logins to Web applications, encryption\/decryption of documents, digitally signing email). 
There is no secret recipe, but some of you may find it a bit difficult if you&#8230; <a href=\"https:\/\/websecuritypatterns.com\/blogs\/2008\/11\/15\/enabling-smart-card-based-pki-as-java-key-store\/\">Read more &raquo;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5,20,21,6,7,8,9,11],"tags":[30,39,40,49,57,64,70],"class_list":["post-218","post","type-post","status-publish","format-standard","hentry","category-identity-management","category-java-ee","category-java-security","category-main","category-piv-fips-201","category-pki-main","category-security","category-smartcards-pki","tag-fips-140","tag-java","tag-java-security","tag-opensc","tag-pki-main","tag-smartcards","tag-sunray"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/posts\/218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/comments?post=218"}],"version-history":[{"count":1,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/posts\/218\/revisions"}],"predecessor-version":[{"id":2814,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/posts\/218\/revisions\/2814"}],"wp:attachment":[{"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/medi
a?parent=218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/categories?post=218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/tags?post=218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}