Java SunPKCS11 access USB crypto

I have a working implementation of ACS CryptoMate64 token with Java SunPKCS11 on Windows through the provided acos-pkcs11.dll library (Java 32bit in order to have SunPKCS11 available on Windows).

ACS CryptoMate64 is a USB token which is accessed by SunPKCS11 locally on Windows computer. There is no PKCS11 libraries for Linux (no .so files or anything similar).

Because I am using a Linux machines in order to get some functionality I would like to ask if there is any way how to access PCKS11 device through network connected on different computer through USB.

The idea is following: Linux: Application that wants to use USB CryptoMate64 but don't have libraries. Windows: Connected USB CryptoMate64 with acos-pkcs11.dll. Application is using CryptoMate64 which is connected on Windows computer.

Is it possible to configure Java SunPKCS11 on Linux machine to use it remotely through network? Or it is part of PKCS11 module provided by Manufacturer?

I know that HSMs is able to communicate through network through PKCS11 so my question is asking if it is also possible to communicate this way with USB cryptotoken.

Every suggestions or ideas how to do it are welcome.


The method commonly used by network based HSM's is to have a PKCS#11 library performs Marshalling for the method calls and sends this data over the network using a transport protocol. This application transport protocol is normally defined for a TCP socket. Due to the nature of the data, this transport connection should be made secure. It should at least provide client & server authentication and maintain confidentiality, authenticity and integrity. TLS with client authentication could be used, although the protocol cannot rely on the DNS naming system for its security.

Now the networked HSM or system containing the HSM should contain a service that performs un-Marshalling on the data, perform pre-processing and send it to the HSM. Although not required, this could be implemented by simply calling a non-networked PKCS#11 library with the secure un-Marshalled data.

Another option would be to create your own Java security provider. This provider could call code on the server and call the PCKS#11 library over there. Implementing a Java security provider is not easy either, and requires that you sign the provider with an Oracle provided certificate for your private key (for normal Java SE installations).

As you may understand, this using an HSM over a network should not be taken lightly, and should be part of the HSM's security. You could try and create such a system yourself, but you should not fool yourself; it is pretty likely that a networked HSM is not as safe as a locally used one. In general, you may be better off buying another USB token if the service is not available from the HSM vendor. Or you could buy a networked HSM of course.

链接地址: http://www.djcxy.com/p/73818.html

上一篇: netty中使用SunPKCS11的TLS客户端身份验证的gRpc失败

下一篇: Java SunPKCS11访问USB加密