The Pheox JCAPI (
http://pheox.com/download) 提供一个JCE Provider可以直接操作Microsoft 操作系统本地证书库/私钥的。JCAPI用一个jcapi.dll封装了这些复杂性,这个dll负责调用Windows内置的CSP来完成加密签名哈希等密码运算。
JCAPI.DLL属于轻量级的中间层类库,它让Java开发者免去对待CSP的细节,比如获得一个CSP的Handle。
JCAPI.dll提供了下面的JNI调用:
00000001 10002AA0 _Java_com_pheox_jcapi_CoreCipherJNI_decrypt@24
00000002 100021A0 _Java_com_pheox_jcapi_CoreCipherJNI_encrypt@20
00000003 100027A0 _Java_com_pheox_jcapi_CoreCipherJNI_encryptWithPrivateKey@20
00000004 10001E10 _Java_com_pheox_jcapi_CoreCipherJNI_getPrivateKeySize@12
00000005 10003610 _Java_com_pheox_jcapi_CoreKeyStoreJNI_aliases@16
00000006 100039D0 _Java_com_pheox_jcapi_CoreKeyStoreJNI_containsAlias@12
00000007 10005E50 _Java_com_pheox_jcapi_CoreKeyStoreJNI_createBase64Hash@12
00000008 10003B30 _Java_com_pheox_jcapi_CoreKeyStoreJNI_deleteEntry@12
00000009 10003DA0 _Java_com_pheox_jcapi_CoreKeyStoreJNI_getCertificate@12
0000000A 10003FE0 _Java_com_pheox_jcapi_CoreKeyStoreJNI_getCertificateChain@20
0000000B 10004530 _Java_com_pheox_jcapi_CoreKeyStoreJNI_getKey@12
0000000C 10004C00 _Java_com_pheox_jcapi_CoreKeyStoreJNI_isKeyEntry@12
0000000D 10004E00 _Java_com_pheox_jcapi_CoreKeyStoreJNI_setCertificateEntry@16
0000000E 10005020 _Java_com_pheox_jcapi_CoreKeyStoreJNI_setKeyEntry@44
0000000F 10005CA0 _Java_com_pheox_jcapi_CoreKeyStoreJNI_size@16
00000010 100062A0 _Java_com_pheox_jcapi_CoreSignatureJNI_hashFinal@12
00000011 10005F80 _Java_com_pheox_jcapi_CoreSignatureJNI_hashInit@12
00000012 10006140 _Java_com_pheox_jcapi_CoreSignatureJNI_hashUpdate@16
00000013 10006430 _Java_com_pheox_jcapi_CoreSignatureJNI_sign@28
00000014 10006F60 _Java_com_pheox_jcapi_CoreSignatureJNI_verify@28
00000015 10007CF0 _Java_com_pheox_jcapi_CoreUtilJNI_addPKCS11CSP@16
00000016 10007880 _Java_com_pheox_jcapi_CoreUtilJNI_createCertEntryStore@8
00000017 10007C20 _Java_com_pheox_jcapi_CoreUtilJNI_getAddedPKCS11CSPs@8
00000018 100078E0 _Java_com_pheox_jcapi_CoreUtilJNI_getCSP@12
00000019 10008F10 _Java_com_pheox_jcapi_CoreUtilJNI_getCertStoreFriendlyName@12
0000001A 100089C0 _Java_com_pheox_jcapi_CoreUtilJNI_getCertificateFriendlyName@12
0000001B 10007500 _Java_com_pheox_jcapi_CoreUtilJNI_getJCAPIDLLVersion@8
0000001C 10007520 _Java_com_pheox_jcapi_CoreUtilJNI_getMSCSPs@8
0000001D 10009010 _Java_com_pheox_jcapi_CoreUtilJNI_getMSCertStoreNames@8
0000001E 10007E20 _Java_com_pheox_jcapi_CoreUtilJNI_getPKCS11DLLName@12
0000001F 100083F0 _Java_com_pheox_jcapi_CoreUtilJNI_getPKCS11TokenInfo@12
00000020 10007B50 _Java_com_pheox_jcapi_CoreUtilJNI_getSupportedPKCS11CSPs@8
00000021 100077A0 _Java_com_pheox_jcapi_CoreUtilJNI_init@12
00000022 10007F40 _Java_com_pheox_jcapi_CoreUtilJNI_isPKCS11PrivateKey@12
00000023 10007D90 _Java_com_pheox_jcapi_CoreUtilJNI_removePKCS11CSP@12
00000024 10008F90 _Java_com_pheox_jcapi_CoreUtilJNI_reportMemStatus@8
00000025 10008360 _Java_com_pheox_jcapi_CoreUtilJNI_setCallbackPinCode@12
00000026 100083B0 _Java_com_pheox_jcapi_CoreUtilJNI_setCertOpenStoreFlags@12
00000027 10008C80 _Java_com_pheox_jcapi_CoreUtilJNI_setCertificateFriendlyName@16
它调用的类库其实还是crypt32.dll和ADVAPI32.dll.
crypt32.dll:
0000002C CertEnumSystemStore
00000041 CertGetCertificateContextProperty
0000008B CryptFindLocalizedName
00000056 CertRegisterSystemStore
00000097 CryptHashCertificate
00000061 CertSetCertificateContextProperty
00000019 CertCreateCertificateContext
00000004 CertAddCertificateContextToStore
00000044 CertGetIssuerCertificateFromStore
0000001E CertDeleteCertificateFromStore
00000029 CertEnumCertificatesInStore
0000007C CryptDecodeObject
0000009C CryptImportPublicKeyInfo
00000050 CertOpenStore
00000032 CertFindCertificateInStore
0000000F CertCloseStore
0000003C CertFreeCertificateContext
导入, ADVAPI32.dll
顺序 (示意) 名字
000000A8 CryptSignHashA
00000099 CryptGetHashParam
0000008B CryptDestroyHash
0000009D CryptHashData
00000088 CryptCreateHash
00000094 CryptExportKey
00000089 CryptDecrypt
0000009F CryptImportKey
0000008F CryptEncrypt
0000009C CryptGetUserKey
0000009A CryptGetKeyParam
0000008C CryptDestroyKey
00000085 CryptAcquireContextA
000000A0 CryptReleaseContext
000000AA CryptVerifySignatureA
00000092 CryptEnumProvidersA
000001C9 RegCloseKey
000001EC RegQueryValueExA
000001F9 RegSetValueExA
000001CD RegCreateKeyExA
000001E2 RegOpenKeyExA
000000A1 CryptSetHashParam
在标准的CryptoAPI函数上的封装是有必要的,因为从Java程序员的角度,我们不需要太关心CSP,我们希望直接进行Cryptography运算。
JCAPI这个provider提供3个SPI的实现,
java.security.KeyStoreSpi
java.security.SignatureSpi
javax.crypto.CipherSpi
也就是,我们通过Java应用程序可以直接借助于JCE API来调用CryptoAPI。
这个JCE API算法支持下面的基本操作
- Add, remove, list and access X.509 certificates.
- Add, remove, access and export RSA private keys.
- Create signatures with RSA private keys using the following algorithms:
- SHA1withRSA
- MD5withRSA
- MD2withRSA
- Verify signatures with RSA public keys.
- Encrypt/decrypt data with RSA public/private keys using the following algorithm, mode and padding:
- Wrap and unwrap symmetric- and asymmetric keys with RSA key pairs through MS CAPI and PKCS#11.
- Built-in support for tested PKCS#11 CSP manufacturers that is compliant with the functions required by JCAPI.
- Dynamically adding/removing of PKCS#11 CSPs into JCAPI.
- Private key call-back interface for PKCS#11 providers. You can provide your own preferred Java call-back implementation to be called whenever a private key is accessed through PKCS#11.
- List and configure MS CAPI system (certificate) stores.
- Use a MS CAPI system (certificate) store as an un-trusted store.
- Set and get MS CAPI friendly names for certificates.
- Get MS CAPI friendly names for system (certificate) stores.
- Get detailed information about your PKCS#11 hardware token through the JCAPI PKCS#11 information class.
- Use JCAPI supported plug-ins. A JCAPI plug-in is a signed JAR file that extends or enhances the functionality of JCAPI without the need of recompiling JCAPI.
- JCAPI SSL plugin. Use this plug-in to simplify the work of integrating the JCAPI key store for SSL enabled applications. The plug-in transparently supports both the old JSSE version for Java 1.3, and the newer versions included in Java 1.4 and higher. This plug-in transparently supports the PKCS#11 implementation as defined in Java 5. Your JCAPI supported hardware keys can be plugged in and used immediately for SSL. JCAPI will automatically configure the token for you by setting the correct slot identity to use etc.
- JCAPI X.509 Factory plug-in. Use this plug-in to transparently replace any other X.509 certificate factories used by your Java system.
- JCAPI is signed with a qualified code signing certificate that is trusted by all modern web browsers which makes it suitable in trusted applets.
JCE API支持一下的系统,我只是在Windows2000上测试通过,其他平台我不能保证破解能正常使用。
- Windows 98
- Windows 98 SE
- Windows ME
- Windows 2000
- Windows XP
JCE 支持JDK1.4以上,JDK1.3稍微为麻烦,要自己配制JCE和JSSE
- Java 1.3.1 with JCE 1.2.2 and JSSE 1.0.3
- Java 1.4
- Java 1.5
我已经在吉大正元的eSafe钥匙上通过测试,其他钥匙提供商可以发邮件给我,或者给Usb钥匙我去测试。
JCAPI的时间限制比较容易去除,但由于JNI层以上的代码做了大量混淆,我不得不重写这个JCE Provider,最起码要实现KeyStoreSpi,SignatureSpi和CipherSpi。
JCAPI的JCE Provider我将会在下个月提供