重新实现JCAPI的JCE Provider

security

浏览: 371318 次
来自: www.pgp.org.cn

最近访客更多访客>>

suncathay

feitianzi

zhqhqch

bnyt

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

Java Windows JNI XP Security

The Pheox JCAPI (http://pheox.com/download) 提供一个JCE Provider可以直接操作Microsoft 操作系统本地证书库/私钥的。JCAPI用一个jcapi.dll封装了这些复杂性，这个dll负责调用Windows内置的CSP来完成加密签名哈希等密码运算。
JCAPI.DLL属于轻量级的中间层类库，它让Java开发者免去对待CSP的细节，比如获得一个CSP的Handle。
JCAPI.dll提供了下面的JNI调用：

00000001    10002AA0    _Java_com_pheox_jcapi_CoreCipherJNI_decrypt@24
00000002    100021A0    _Java_com_pheox_jcapi_CoreCipherJNI_encrypt@20
00000003    100027A0    _Java_com_pheox_jcapi_CoreCipherJNI_encryptWithPrivateKey@20
00000004    10001E10    _Java_com_pheox_jcapi_CoreCipherJNI_getPrivateKeySize@12
00000005    10003610    _Java_com_pheox_jcapi_CoreKeyStoreJNI_aliases@16
00000006    100039D0    _Java_com_pheox_jcapi_CoreKeyStoreJNI_containsAlias@12
00000007    10005E50    _Java_com_pheox_jcapi_CoreKeyStoreJNI_createBase64Hash@12
00000008    10003B30    _Java_com_pheox_jcapi_CoreKeyStoreJNI_deleteEntry@12
00000009    10003DA0    _Java_com_pheox_jcapi_CoreKeyStoreJNI_getCertificate@12
0000000A    10003FE0    _Java_com_pheox_jcapi_CoreKeyStoreJNI_getCertificateChain@20
0000000B    10004530    _Java_com_pheox_jcapi_CoreKeyStoreJNI_getKey@12
0000000C    10004C00    _Java_com_pheox_jcapi_CoreKeyStoreJNI_isKeyEntry@12
0000000D    10004E00    _Java_com_pheox_jcapi_CoreKeyStoreJNI_setCertificateEntry@16
0000000E    10005020    _Java_com_pheox_jcapi_CoreKeyStoreJNI_setKeyEntry@44
0000000F    10005CA0    _Java_com_pheox_jcapi_CoreKeyStoreJNI_size@16
00000010    100062A0    _Java_com_pheox_jcapi_CoreSignatureJNI_hashFinal@12
00000011    10005F80    _Java_com_pheox_jcapi_CoreSignatureJNI_hashInit@12
00000012    10006140    _Java_com_pheox_jcapi_CoreSignatureJNI_hashUpdate@16
00000013    10006430    _Java_com_pheox_jcapi_CoreSignatureJNI_sign@28
00000014    10006F60    _Java_com_pheox_jcapi_CoreSignatureJNI_verify@28
00000015    10007CF0    _Java_com_pheox_jcapi_CoreUtilJNI_addPKCS11CSP@16
00000016    10007880    _Java_com_pheox_jcapi_CoreUtilJNI_createCertEntryStore@8
00000017    10007C20    _Java_com_pheox_jcapi_CoreUtilJNI_getAddedPKCS11CSPs@8
00000018    100078E0    _Java_com_pheox_jcapi_CoreUtilJNI_getCSP@12
00000019    10008F10    _Java_com_pheox_jcapi_CoreUtilJNI_getCertStoreFriendlyName@12
0000001A    100089C0    _Java_com_pheox_jcapi_CoreUtilJNI_getCertificateFriendlyName@12
0000001B    10007500    _Java_com_pheox_jcapi_CoreUtilJNI_getJCAPIDLLVersion@8
0000001C    10007520    _Java_com_pheox_jcapi_CoreUtilJNI_getMSCSPs@8
0000001D    10009010    _Java_com_pheox_jcapi_CoreUtilJNI_getMSCertStoreNames@8
0000001E    10007E20    _Java_com_pheox_jcapi_CoreUtilJNI_getPKCS11DLLName@12
0000001F    100083F0    _Java_com_pheox_jcapi_CoreUtilJNI_getPKCS11TokenInfo@12
00000020    10007B50    _Java_com_pheox_jcapi_CoreUtilJNI_getSupportedPKCS11CSPs@8
00000021    100077A0    _Java_com_pheox_jcapi_CoreUtilJNI_init@12
00000022    10007F40    _Java_com_pheox_jcapi_CoreUtilJNI_isPKCS11PrivateKey@12
00000023    10007D90    _Java_com_pheox_jcapi_CoreUtilJNI_removePKCS11CSP@12
00000024    10008F90    _Java_com_pheox_jcapi_CoreUtilJNI_reportMemStatus@8
00000025    10008360    _Java_com_pheox_jcapi_CoreUtilJNI_setCallbackPinCode@12
00000026    100083B0    _Java_com_pheox_jcapi_CoreUtilJNI_setCertOpenStoreFlags@12
00000027    10008C80    _Java_com_pheox_jcapi_CoreUtilJNI_setCertificateFriendlyName@16

它调用的类库其实还是crypt32.dll和ADVAPI32.dll.

crypt32.dll:
0000002C    CertEnumSystemStore
00000041    CertGetCertificateContextProperty
0000008B    CryptFindLocalizedName
00000056    CertRegisterSystemStore
00000097    CryptHashCertificate
00000061    CertSetCertificateContextProperty
00000019    CertCreateCertificateContext
00000004    CertAddCertificateContextToStore
00000044    CertGetIssuerCertificateFromStore
0000001E    CertDeleteCertificateFromStore
00000029    CertEnumCertificatesInStore
0000007C    CryptDecodeObject
0000009C    CryptImportPublicKeyInfo
00000050    CertOpenStore
00000032    CertFindCertificateInStore
0000000F    CertCloseStore
0000003C    CertFreeCertificateContext

导入, ADVAPI32.dll
顺序 (示意)    名字
000000A8    CryptSignHashA
00000099    CryptGetHashParam
0000008B    CryptDestroyHash
0000009D    CryptHashData
00000088    CryptCreateHash
00000094    CryptExportKey
00000089    CryptDecrypt
0000009F    CryptImportKey
0000008F    CryptEncrypt
0000009C    CryptGetUserKey
0000009A    CryptGetKeyParam
0000008C    CryptDestroyKey
00000085    CryptAcquireContextA
000000A0    CryptReleaseContext
000000AA    CryptVerifySignatureA
00000092    CryptEnumProvidersA
000001C9    RegCloseKey
000001EC    RegQueryValueExA
000001F9    RegSetValueExA
000001CD    RegCreateKeyExA
000001E2    RegOpenKeyExA
000000A1    CryptSetHashParam

在标准的CryptoAPI函数上的封装是有必要的，因为从Java程序员的角度，我们不需要太关心CSP，我们希望直接进行Cryptography运算。

JCAPI这个provider提供3个SPI的实现，

java.security.KeyStoreSpi

java.security.SignatureSpi

javax.crypto.CipherSpi

也就是，我们通过Java应用程序可以直接借助于JCE API来调用CryptoAPI。

这个JCE API算法支持下面的基本操作

Add, remove, list and access X.509 certificates.
Add, remove, access and export RSA private keys.
Create signatures with RSA private keys using the following algorithms:
- SHA1withRSA
- MD5withRSA
- MD2withRSA
Verify signatures with RSA public keys.
Encrypt/decrypt data with RSA public/private keys using the following algorithm, mode and padding:
- RSA/ECB/PKCS1Padding
Wrap and unwrap symmetric- and asymmetric keys with RSA key pairs through MS CAPI and PKCS#11.
Built-in support for tested PKCS#11 CSP manufacturers that is compliant with the functions required by JCAPI.
Dynamically adding/removing of PKCS#11 CSPs into JCAPI.
Private key call-back interface for PKCS#11 providers. You can provide your own preferred Java call-back implementation to be called whenever a private key is accessed through PKCS#11.
List and configure MS CAPI system (certificate) stores.
Use a MS CAPI system (certificate) store as an un-trusted store.
Set and get MS CAPI friendly names for certificates.
Get MS CAPI friendly names for system (certificate) stores.
Get detailed information about your PKCS#11 hardware token through the JCAPI PKCS#11 information class.
Use JCAPI supported plug-ins. A JCAPI plug-in is a signed JAR file that extends or enhances the functionality of JCAPI without the need of recompiling JCAPI.
JCAPI SSL plugin. Use this plug-in to simplify the work of integrating the JCAPI key store for SSL enabled applications. The plug-in transparently supports both the old JSSE version for Java 1.3, and the newer versions included in Java 1.4 and higher. This plug-in transparently supports the PKCS#11 implementation as defined in Java 5. Your JCAPI supported hardware keys can be plugged in and used immediately for SSL. JCAPI will automatically configure the token for you by setting the correct slot identity to use etc.
JCAPI X.509 Factory plug-in. Use this plug-in to transparently replace any other X.509 certificate factories used by your Java system.
JCAPI is signed with a qualified code signing certificate that is trusted by all modern web browsers which makes it suitable in trusted applets.

JCE API支持一下的系统，我只是在Windows2000上测试通过，其他平台我不能保证破解能正常使用。

Windows 98
Windows 98 SE
Windows ME
Windows 2000
Windows XP

JCE 支持JDK1.4以上，JDK1.3稍微为麻烦，要自己配制JCE和JSSE

Java 1.3.1 with JCE 1.2.2 and JSSE 1.0.3
Java 1.4
Java 1.5

我已经在吉大正元的eSafe钥匙上通过测试，其他钥匙提供商可以发邮件给我，或者给Usb钥匙我去测试。

JCAPI的时间限制比较容易去除，但由于JNI层以上的代码做了大量混淆，我不得不重写这个JCE Provider，最起码要实现KeyStoreSpi，SignatureSpi和CipherSpi。

JCAPI的JCE Provider我将会在下个月提供

分享到：