Reimplementing the JCAPI JCE Provider
The Pheox JCAPI (http://pheox.com/download) supplies a JCE Provider that works directly on the Microsoft operating system's local certificate store and private keys. JCAPI hides that complexity inside a single jcapi.dll, which calls the CSPs built into Windows to perform the cryptographic operations (encryption, signing, hashing and so on). JCAPI.DLL is a lightweight middle layer that spares the Java developer the details of dealing with a CSP, such as acquiring a CSP handle.
JCAPI.dll exports the following JNI entry points (export ordinal, entry-point RVA, decorated name; the @N suffix is the x86 stdcall decoration and gives the number of bytes of arguments each native takes, JNIEnv* and the jobject/jclass included):
Ordinal   Entry point  Name
00000002  100021A0     _Java_com_pheox_jcapi_CoreCipherJNI_encrypt@20
00000003  100027A0     _Java_com_pheox_jcapi_CoreCipherJNI_encryptWithPrivateKey@20
00000004  10001E10     _Java_com_pheox_jcapi_CoreCipherJNI_getPrivateKeySize@12
00000005  10003610     _Java_com_pheox_jcapi_CoreKeyStoreJNI_aliases@16
00000006  100039D0     _Java_com_pheox_jcapi_CoreKeyStoreJNI_containsAlias@12
00000007  10005E50     _Java_com_pheox_jcapi_CoreKeyStoreJNI_createBase64Hash@12
00000008  10003B30     _Java_com_pheox_jcapi_CoreKeyStoreJNI_deleteEntry@12
00000009  10003DA0     _Java_com_pheox_jcapi_CoreKeyStoreJNI_getCertificate@12
0000000A  10003FE0     _Java_com_pheox_jcapi_CoreKeyStoreJNI_getCertificateChain@20
0000000B  10004530     _Java_com_pheox_jcapi_CoreKeyStoreJNI_getKey@12
0000000C  10004C00     _Java_com_pheox_jcapi_CoreKeyStoreJNI_isKeyEntry@12
0000000D  10004E00     _Java_com_pheox_jcapi_CoreKeyStoreJNI_setCertificateEntry@16
0000000E  10005020     _Java_com_pheox_jcapi_CoreKeyStoreJNI_setKeyEntry@44
0000000F  10005CA0     _Java_com_pheox_jcapi_CoreKeyStoreJNI_size@16
00000010  100062A0     _Java_com_pheox_jcapi_CoreSignatureJNI_hashFinal@12
00000011  10005F80     _Java_com_pheox_jcapi_CoreSignatureJNI_hashInit@12
00000012  10006140     _Java_com_pheox_jcapi_CoreSignatureJNI_hashUpdate@16
00000013  10006430     _Java_com_pheox_jcapi_CoreSignatureJNI_sign@28
00000014  10006F60     _Java_com_pheox_jcapi_CoreSignatureJNI_verify@28
00000015  10007CF0     _Java_com_pheox_jcapi_CoreUtilJNI_addPKCS11CSP@16
00000016  10007880     _Java_com_pheox_jcapi_CoreUtilJNI_createCertEntryStore@8
00000017  10007C20     _Java_com_pheox_jcapi_CoreUtilJNI_getAddedPKCS11CSPs@8
00000018  100078E0     _Java_com_pheox_jcapi_CoreUtilJNI_getCSP@12
00000019  10008F10     _Java_com_pheox_jcapi_CoreUtilJNI_getCertStoreFriendlyName@12
0000001A  100089C0     _Java_com_pheox_jcapi_CoreUtilJNI_getCertificateFriendlyName@12
0000001B  10007500     _Java_com_pheox_jcapi_CoreUtilJNI_getJCAPIDLLVersion@8
0000001C  10007520     _Java_com_pheox_jcapi_CoreUtilJNI_getMSCSPs@8
0000001D  10009010     _Java_com_pheox_jcapi_CoreUtilJNI_getMSCertStoreNames@8
0000001E  10007E20     _Java_com_pheox_jcapi_CoreUtilJNI_getPKCS11DLLName@12
0000001F  100083F0     _Java_com_pheox_jcapi_CoreUtilJNI_getPKCS11TokenInfo@12
00000020  10007B50     _Java_com_pheox_jcapi_CoreUtilJNI_getSupportedPKCS11CSPs@8
00000021  100077A0     _Java_com_pheox_jcapi_CoreUtilJNI_init@12
00000022  10007F40     _Java_com_pheox_jcapi_CoreUtilJNI_isPKCS11PrivateKey@12
00000023  10007D90     _Java_com_pheox_jcapi_CoreUtilJNI_removePKCS11CSP@12
00000024  10008F90     _Java_com_pheox_jcapi_CoreUtilJNI_reportMemStatus@8
00000025  10008360     _Java_com_pheox_jcapi_CoreUtilJNI_setCallbackPinCode@12
00000026  100083B0     _Java_com_pheox_jcapi_CoreUtilJNI_setCertOpenStoreFlags@12
00000027  10008C80     _Java_com_pheox_jcapi_CoreUtilJNI_setCertificateFriendlyName@16
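Because every JNI native receives JNIEnv* and a jobject/jclass before its Java arguments, and the @N stdcall suffix counts all argument bytes, the export table alone already bounds the arity of each native before a disassembler is opened. The script below is an added example (not part of the original post and not JCAPI code) that parses rows in the format of the table above, undoes the JNI name mangling, and reports how many Java arguments each native can take. The sample rows are copied from the table above with the whitespace normalised to tabs, and the arithmetic assumes the 32-bit stdcall build that the @N decoration implies.

```python
import re

# Constructed sample: rows copied from the jcapi.dll export table above
# (ordinal, entry-point RVA, decorated name), whitespace normalised to tabs.
# The last row is an import-table line, included to show it is filtered out.
SAMPLE_EXPORTS = """\
00000002\t100021A0\t_Java_com_pheox_jcapi_CoreCipherJNI_encrypt@20
00000004\t10001E10\t_Java_com_pheox_jcapi_CoreCipherJNI_getPrivateKeySize@12
00000013\t10006430\t_Java_com_pheox_jcapi_CoreSignatureJNI_sign@28
00000011\t10005F80\t_Java_com_pheox_jcapi_CoreSignatureJNI_hashInit@12
0000000E\t10005020\t_Java_com_pheox_jcapi_CoreKeyStoreJNI_setKeyEntry@44
0000001B\t10007500\t_Java_com_pheox_jcapi_CoreUtilJNI_getJCAPIDLLVersion@8
0000002C\tCertEnumSystemStore
"""

# x86 stdcall: JNIEnv* and the jobject/jclass argument are pushed first,
# 4 bytes each, ahead of the Java-visible arguments (assumed 32-bit build).
JNI_HIDDEN_ARG_BYTES = 8

# JNI name mangling escapes (JNI spec, "Resolving Native Method Names"):
# _1 -> '_', _2 -> ';', _3 -> '[', _0xxxx -> Unicode code point xxxx.
_ESCAPE = re.compile(r"_(1|2|3|0[0-9a-fA-F]{4})")
# A bare '_' that does not start an escape separates name components.
_SEPARATOR = re.compile(r"_(?!1|2|3|0[0-9a-fA-F]{4})")


def demangle(component: str) -> str:
    """Undo JNI escapes inside one package/class/method component."""
    def repl(m):
        code = m.group(1)
        if code == "1":
            return "_"
        if code == "2":
            return ";"
        if code == "3":
            return "["
        return chr(int(code[1:], 16))
    return _ESCAPE.sub(repl, component)


def parse_export_line(line: str):
    """Parse one 'ordinal RVA decorated-name' row.

    Returns None for rows that are not stdcall-decorated JNI exports
    (for example import-table rows, which carry only two fields)."""
    fields = line.split()
    if len(fields) != 3:
        return None
    ordinal, rva, decorated = fields
    m = re.fullmatch(r"_?Java_(.+)@(\d+)", decorated)
    if not m:
        return None
    mangled, stack_bytes = m.group(1), int(m.group(2))
    # Overloaded natives carry "__<mangled descriptor>" after the method name.
    mangled, _, descriptor = mangled.partition("__")
    parts = [demangle(p) for p in _SEPARATOR.split(mangled)]
    arg_bytes = stack_bytes - JNI_HIDDEN_ARG_BYTES
    return {
        "ordinal": int(ordinal, 16),
        "rva": int(rva, 16),
        "class": ".".join(parts[:-1]),
        "method": parts[-1],
        "descriptor": demangle(descriptor) if descriptor else None,
        "arg_bytes": arg_bytes,
        # Every Java argument occupies 4 stack bytes except jlong/jdouble (8),
        # so the argument count is bounded on both sides.
        "min_args": -(-arg_bytes // 8),
        "max_args": arg_bytes // 4,
    }


def parse_export_table(text: str):
    """All JNI export rows in a pasted export listing, in table order."""
    return [r for r in map(parse_export_line, text.splitlines()) if r]


def by_class(rows):
    """Group method names by Java class, preserving table order."""
    groups = {}
    for r in rows:
        groups.setdefault(r["class"], []).append(r["method"])
    return groups


if __name__ == "__main__":
    rows = parse_export_table(SAMPLE_EXPORTS)
    print(f"{'ord':>4} {'RVA':>8}  {'args':>5}  native")
    for r in rows:
        lo, hi = r["min_args"], r["max_args"]
        span = str(hi) if lo == hi else f"{lo}-{hi}"
        print(f"{r['ordinal']:>4} {r['rva']:08X}  {span:>5}  {r['class']}.{r['method']}")
    for cls, methods in by_class(rows).items():
        print(f"{cls}: {', '.join(methods)}")
```

Run it on the full table and the four JNI classes fall out directly: CoreKeyStoreJNI, CoreSignatureJNI and CoreCipherJNI line up with the three SPIs the provider implements, while the @8 exports in CoreUtilJNI take no Java arguments at all. The bounds are only bounds: a @12 native takes exactly one 4-byte argument, but setKeyEntry@44 can be anything from five jlongs to nine ints, objects or arrays, and the exact types still have to come from the Java side or the disassembly.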
jcapi.dll also imports the following CryptoAPI functions (import hint, name). From crypt32.dll, the certificate-store and certificate-context calls:
Hint      Name
0000002C  CertEnumSystemStore
00000041  CertGetCertificateContextProperty
0000008B  CryptFindLocalizedName
00000056  CertRegisterSystemStore
00000097  CryptHashCertificate
00000061  CertSetCertificateContextProperty
00000019  CertCreateCertificateContext
00000004  CertAddCertificateContextToStore
00000044  CertGetIssuerCertificateFromStore
0000001E  CertDeleteCertificateFromStore
00000029  CertEnumCertificatesInStore
0000007C  CryptDecodeObject
0000009C  CryptImportPublicKeyInfo
00000050  CertOpenStore
00000032  CertFindCertificateInStore
0000000F  CertCloseStore
0000003C  CertFreeCertificateContext
From advapi32.dll, the CSP, key, hash and signature calls, plus the registry calls:
Hint      Name
000000A8  CryptSignHashA
00000099  CryptGetHashParam
0000008B  CryptDestroyHash
0000009D  CryptHashData
00000088  CryptCreateHash
00000094  CryptExportKey
00000089  CryptDecrypt
0000009F  CryptImportKey
0000008F  CryptEncrypt
0000009C  CryptGetUserKey
0000009A  CryptGetKeyParam
0000008C  CryptDestroyKey
00000085  CryptAcquireContextA
000000A0  CryptReleaseContext
000000AA  CryptVerifySignatureA
00000092  CryptEnumProvidersA
000001C9  RegCloseKey
000001EC  RegQueryValueExA
000001F9  RegSetValueExA
000001CD  RegCreateKeyExA
000001E2  RegOpenKeyExA
000000A1  CryptSetHashParam
Wrapping the standard CryptoAPI functions this way is necessary because, from a Java programmer's point of view, we do not want to care about the CSP at all; we want to perform the cryptographic operations directly.
The JCAPI provider supplies three SPI implementations:
java.security.KeyStoreSpi
java.security.SignatureSpi
javax.crypto.CipherSpi
In other words, a Java application can call CryptoAPI directly through the JCE API.
The provider supports the following basic operations (in the vendor's own words):
- Add, remove, list and access X.509 certificates.
- Add, remove, access and export RSA private keys.
- Create signatures with RSA private keys using the following algorithms:
  - SHA1withRSA
  - MD5withRSA
  - MD2withRSA
- Verify signatures with RSA public keys.
- Encrypt/decrypt data with RSA public/private keys using the following algorithm, mode and padding:
  - RSA/ECB/PKCS1Padding
- Wrap and unwrap symmetric- and asymmetric keys with RSA key pairs through MS CAPI and PKCS#11.
- Built-in support for tested PKCS#11 CSP manufacturers that is compliant with the functions required by JCAPI.
- Dynamically adding/removing of PKCS#11 CSPs into JCAPI.
- Private key call-back interface for PKCS#11 providers. You can provide your own preferred Java call-back implementation to be called whenever a private key is accessed through PKCS#11.
- List and configure MS CAPI system (certificate) stores.
- Use a MS CAPI system (certificate) store as an un-trusted store.
- Set and get MS CAPI friendly names for certificates.
- Get MS CAPI friendly names for system (certificate) stores.
- Get detailed information about your PKCS#11 hardware token through the JCAPI PKCS#11 information class.
- Use JCAPI supported plug-ins. A JCAPI plug-in is a signed JAR file that extends or enhances the functionality of JCAPI without the need of recompiling JCAPI.
- JCAPI SSL plugin. Use this plug-in to simplify the work of integrating the JCAPI key store for SSL enabled applications. The plug-in transparently supports both the old JSSE version for Java 1.3, and the newer versions included in Java 1.4 and higher. This plug-in transparently supports the PKCS#11 implementation as defined in Java 5. Your JCAPI supported hardware keys can be plugged in and used immediately for SSL. JCAPI will automatically configure the token for you by setting the correct slot identity to use etc.
- JCAPI X.509 Factory plug-in. Use this plug-in to transparently replace any other X.509 certificate factories used by your Java system.
- JCAPI is signed with a qualified code signing certificate that is trusted by all modern web browsers which makes it suitable in trusted applets.
The JCE API supports the systems below; I have only tested it on Windows 2000, and I cannot guarantee that the crack works properly on other platforms.
- Windows 98
- Windows 98 SE
- Windows ME
- Windows 2000
- Windows XP
The JCE API supports JDK 1.4 and above; JDK 1.3 is slightly more troublesome, because you have to configure JCE and JSSE yourself:
- Java 1.3.1 with JCE 1.2.2 and JSSE 1.0.3
- Java 1.4
- Java 1.5
I have tested it successfully with the eSafe USB key from 吉大正元 (JIT); other key vendors can e-mail me, or send me a USB key to test.
JCAPI's time limit is fairly easy to remove, but because the Java code above the JNI layer is heavily obfuscated, I have to rewrite the JCE Provider, implementing at the very least KeyStoreSpi, SignatureSpi and CipherSpi.
I will release the JCAPI JCE Provider next month.
posted on 2006-07-18 12:06 by david.turing, reads (3977), comments (4), category: BounyCastle&JCE