SunPKCS11 provider for Firefox on macOS

Time: 2017-11-10 20:08:27

Tags: java macos firefox pkcs#11

I managed to get SunPKCS11 working under Windows with Firefox ESR 52.0, but I cannot load it on macOS. I have tried several different configurations, and loading it directly through PKCS11, but nothing works. Can anyone give me some pointers?

The pkcs11.cfg configuration is as follows:

name = FirefoxKeyStore
library = "/Applications/Firefox.app/Contents/MacOS/fixed-for-java-runtime/libsoftokn3.dylib"
attributes = compatibility
nssArgs = "configdir='/Users/helloworld/Library/Application Support/Firefox/Profiles/wasdwasd.default-1453211557245' certPrefix='' keyPrefix='' secmod='secmod.db' flags='readOnly' "
slot = 2

Then, in Java, I try to load it like this:

FileInputStream fis = new FileInputStream("pkcs11.cfg");
Provider provider = new SunPKCS11(fis);
Security.addProvider(provider);

However, this immediately gives me the following error:

sunpkcs11: Initializing PKCS#11 library /Applications/Firefox.app/Contents/MacOS/fixed-for-java-runtime/libsoftokn3.dylib
sunpkcs11: Multi-threaded initialization failed: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
Exception in thread "main" java.security.ProviderException: Initialization failed
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)

You may ask why I load the .dylib from such an odd folder: on macOS I used install_name_tool to change @executable_path to @loader_path so that the library dependencies resolve (since I'm trying to run this from Eclipse rather than inside Firefox itself).

I also tried the solution suggested here: How to finalize SunPKCS11 Provider after it is initialized? and that was a no-go as well... I got the same error.

This is in addition to trying the various configuration settings mentioned here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Specs#Softoken_Specific_Parameters

EDIT1

I tried the approach @FaithReaper mentioned, but it still throws the same error. I tried changing the slot value to 0, 1 and -1, with the same result. It looks like there is a problem loading the underlying PKCS11 object.

Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
at sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)
at sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1545)
at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:157)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:330)

I don't know whether this helps, but I ran modutil on the Firefox profile and it reports the following:

modutil -dbdir "/Users/eto/Library/Application Support/Firefox/Profiles/ew2g332o.default-1453211557245" -rawlist

library= name="NSS Internal PKCS #11 Module" 
parameters="configdir=/Users/eto/Library/Application Support/Firefox/Profiles/ew2g332o.default-1453211557245 certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " 
NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"
Listing of PKCS #11 Modules

  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.33
       slots: 2 slots attached
      status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2.

2 answers:

Answer 0 (score: 0)

First, I notice that you insert/add the Provider differently from the way I do. Could you try adding the Provider this way? (it may be irrelevant)

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import sun.security.pkcs11.SunPKCS11;

// config holds the SunPKCS11 configuration text; UtilTarjetas.CustomCallbackHandler is the
// answerer's own CallbackHandler that supplies the token PIN when the keystore is opened
Provider p = new SunPKCS11(new ByteArrayInputStream(config.getBytes()));
Security.insertProviderAt(p, 1);
KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p,
    new KeyStore.CallbackHandlerProtection(new UtilTarjetas().new CustomCallbackHandler()));
cardKeyStore = builder.getKeyStore();

Then, maybe you could try this approach:

https://github.com/avocado-framework/avocado/issues/1112

That is:

apahim commented on Apr 7, 2016

@will-Do, the nss people were able to track down this issue, and it seems they will consider a change in NSS_InitContext(), where SECMOD_RestartModules(PR_FALSE) should be included for the fork() case. Anyway, they also provided a better workaround than the one I gave. If you set the environment variable NSS_STRICT_NOFORK to DISABLED, the code works fine. It worked for me, and I'd like to check whether it works for you too. Looking forward to seeing your results.

Also, some sources indicate it could be a token or slot issue. You could try changing the slot index to 0 or 1.

Answer 1 (score: 0)

The library Firefox ships on Mac OS X may actually be completely broken, or simply not work, when it is run outside Firefox.

After trying many different combinations of configurations and approaches, I finally got it working by not using the library from Firefox...

Here is how to achieve it, step by step:

  1. Install Homebrew on the Mac
  2. Run brew install nss
  3. Run brew install nspr
  4. You may need to use brew link nss and brew link nspr to link them manually
  5. In the config file, point it at your Homebrew libsoftokn3.dylib, like this: library = /usr/local/opt/nss/lib/libsoftokn3.dylib
  6. Then your Java code should be able to load the Firefox keystore under Mac OS X... I have filed a bug here. That ticket contains working sample code showing how to instantiate PKCS11, load the Firefox keystore and list the aliases in the store.

This was an absolute nightmare to get working with Firefox... but at least I got it working... who would have thought that the library they ship doesn't work (yet it works on Windows!)? :P

For completeness, I am also including the sample code directly in this post:

    import java.io.ByteArrayInputStream;
    import java.security.KeyStore;
    import java.security.Provider;
    import java.security.Security;
    import java.util.Collections;
    
    public class Sample {
    
        // Builds a SunPKCS11 config for the given softoken library and Firefox profile,
        // registers the provider and returns a (not yet loaded) PKCS11 KeyStore
        private KeyStore load(String lib, String profile) throws Exception
        {
            String config = "library = " + lib + "\n" + 
                    "name = FirefoxKeyStore\n" + 
                    "attributes = compatibility\n" + 
                    "nssArgs = \"configDir='" + profile + "' certPrefix='' keyPrefix='' secmod='secmod.db' flags='readOnly,forceOpen,optimizeSpace' \"\n" + 
                    "slot = 2\n";
    
            ByteArrayInputStream bais = new ByteArrayInputStream(config.getBytes());
            Provider provider = new sun.security.pkcs11.SunPKCS11(bais);
            Security.addProvider(provider);
    
            return KeyStore.getInstance("PKCS11");
        }
    
        public static void main(String[] args) throws Exception {
    
            Sample s = new Sample();
    
            // Replace with the path of your own Firefox profile directory
            String profile = "/Users/blah/Library/Application Support/Firefox/Profiles/yougottachangethis";
            String[] libs = { 
                // The Firefox-bundled softoken fails with CKR_DEVICE_ERROR outside Firefox; use the Homebrew one
                //"/Applications/Firefox.app/Contents/MacOS/libsoftokn3.dylib",
                "/usr/local/opt/nss/lib/libsoftokn3.dylib"
            };
    
            for (String lib : libs) {
                System.out.println("TRYING >>> " + lib);
                try {
                    KeyStore ks1 = s.load(lib, profile);
    
                    // No password: the profile has no master password set
                    ks1.load(null, null);
                    for (String alias : Collections.list(ks1.aliases())) {
                        System.out.println(alias);  
                    }
                }
                catch (Exception e)
                {
                    e.printStackTrace();
                }
            }
        }
    }
    
    

Here is the otool output from the Mac (as included in FaithReaper's comment):

    otool -L libsoftokn3.dylib
    libsoftokn3.dylib:
    /usr/local/opt/nss/lib/libsoftokn3.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 253.0.0)
    /usr/local/Cellar/nss/3.34/lib/libnssutil3.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/nspr/lib/libplc4.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/nspr/lib/libplds4.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/nspr/lib/libnspr4.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)
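Pulling together Answer 0's KeyStore.Builder/CallbackHandler approach and Answer 1's Homebrew-softoken Sample, the following is an added example written for this page; it is not code from the question, either answer or the linked bug ticket. It assumes the Java 8 sun.security.pkcs11.SunPKCS11 constructor used throughout the page, the Homebrew library path from Answer 1, and placeholder profile and master-password values; the class FirefoxProfileKeys and the names config, MasterPasswordHandler and listAliases are chosen here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Opens a Firefox NSS profile through SunPKCS11 and lists its aliases.
 * Added example for this page (hypothetical names), not code from the
 * question, the answers or the linked bug ticket.
 */
public class FirefoxProfileKeys {

    /** SunPKCS11 config text for one softoken library and one profile directory. */
    static String config(String library, String profileDir) {
        return "name = FirefoxKeyStore\n"
             + "library = " + library + "\n"
             + "attributes = compatibility\n"
             + "showInfo = true\n"  // SunPKCS11 prints library and slot info during C_Initialize
             + "nssArgs = \"configDir='" + profileDir + "' certPrefix='' keyPrefix=''"
             + " secmod='secmod.db' flags='readOnly,forceOpen,optimizeSpace'\"\n"
             + "slot = 2\n";        // NSS certificate/key DB slot, as in the answers
    }

    /** Answers PasswordCallback with the NSS master password; any other callback is rejected. */
    static final class MasterPasswordHandler implements CallbackHandler {
        private final char[] password;

        MasterPasswordHandler(char[] password) {
            this.password = password.clone();
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "only PasswordCallback is supported");
                }
            }
        }
    }

    /**
     * Registers a provider for the library, opens the keystore bound to that
     * provider and returns "alias (key|cert)" lines. The provider is removed
     * in finally so a failed attempt leaves no stale registration behind.
     */
    static List<String> listAliases(String library, String profileDir, char[] masterPassword)
            throws Exception {
        byte[] cfg = config(library, profileDir).getBytes(StandardCharsets.UTF_8);
        // Java 8 constructor, as used throughout this page. On Java 9+ use:
        // Security.getProvider("SunPKCS11").configure("--" + configText)
        Provider provider = new sun.security.pkcs11.SunPKCS11(new ByteArrayInputStream(cfg));
        if (Security.addProvider(provider) == -1) {
            throw new IllegalStateException(provider.getName() + " is already registered");
        }
        try {
            KeyStore.Builder builder = KeyStore.Builder.newInstance(
                    "PKCS11", provider, // this provider, not whichever PKCS11 provider is first
                    new KeyStore.CallbackHandlerProtection(new MasterPasswordHandler(masterPassword)));
            KeyStore ks = builder.getKeyStore(); // loads the token; CKR_* errors surface here
            List<String> out = new ArrayList<>();
            for (String alias : Collections.list(ks.aliases())) {
                out.add(alias + " (" + (ks.isKeyEntry(alias) ? "key" : "cert") + ")");
            }
            return out;
        } finally {
            Security.removeProvider(provider.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: Homebrew softoken path from Answer 1; the profile dir must be yours.
        String library = args.length > 0 ? args[0] : "/usr/local/opt/nss/lib/libsoftokn3.dylib";
        String profile = args.length > 1 ? args[1]
                : "/Users/CHANGE-ME/Library/Application Support/Firefox/Profiles/CHANGE-ME.default";
        char[] master = args.length > 2 ? args[2].toCharArray() : new char[0]; // empty = no master password
        try {
            for (String line : listAliases(library, profile, master)) {
                System.out.println(line);
            }
        } catch (ProviderException e) {
            // The question's "Initialization failed" wraps the PKCS11Exception (e.g. CKR_DEVICE_ERROR)
            System.err.println("PKCS#11 init failed: " + e.getMessage() + " cause: " + e.getCause());
        }
    }
}
```

Unlike Sample, this binds the KeyStore to the provider it just registered and removes that provider in finally, so a failed attempt with one libsoftokn3.dylib does not leave a stale SunPKCS11-FirefoxKeyStore registration that Security.addProvider would silently reject (returning -1) on the next try. showInfo = true makes SunPKCS11 print the library and slot details while initializing, which is the first thing to compare against the modutil listing when C_Initialize fails with CKR_DEVICE_ERROR as in the question. On Java 9 and later the constructor no longer exists; replace it with Security.getProvider("SunPKCS11").configure("--" + configText).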