1. 首頁
  2. 問答
  3. MacOS的SunPKCS11提供商適用於Firefox

MacOS的SunPKCS11提供商適用於Firefox

2017-11-10 212 views
0

我設法讓SunPKCS11與Windows下的Firefox ESR 52.0一起使用,但我無法在MacOS中加載它。我已經嘗試了幾種不同的配置,並通過PKCS11直接加載,但沒有任何工作,任何人都可以給我一些指針?MacOS的SunPKCS11提供商適用於Firefox

pkcs11.cfg配置如下:

name = FirefoxKeyStore 
library = "/Applications/Firefox.app/Contents/MacOS/fixed-for-java-runtime/libsoftokn3.dylib" 
attributes = compatibility 
nssArgs = "configdir='/Users/helloworld/Library/Application Support/Firefox/Profiles/wasdwasd.default-1453211557245' certPrefix='' keyPrefix='' secmod='secmod.db' flags='readOnly' " 
slot = 2

然後在Java中,我試圖加載它是這樣的:

FileInputStream fis = new FileInputStream("pkcs11.cfg"); 
Provider provider = new SunPKCS11(fis); 
Security.addProvider(provider);

然而,這立即使我有以下錯誤:

sunpkcs11: Initializing PKCS#11 library /Applications/Firefox.app/Contents/MacOS/fixed-for-java-runtime/libsoftokn3.dylib 
sunpkcs11: Multi-threaded initialization failed: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR 
Exception in thread "main" java.security.ProviderException: Initialization failed 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376) 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)

您可能會問爲什麼我要加載奇怪文件夾中的.dylib,這是beca使用我在MacOS中使用install_name_tool@executable_path更改爲@loader_path,以便獲得庫依賴性(因爲我試圖在Eclipse中而不是從Firefox本身運行它)。

我也嘗試使用這裏建議的解決方案:How to finalize SunPKCS11 Provider after it is initialized?,這是一個不行的...我得到同樣的錯誤。這裏提到

除了嘗試各種不同的配置設置:https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Specs#Softoken_Specific_Parameters

EDIT1

我試圖通過@FaithReaper提到的方法,但它仍然拋出了同樣的錯誤。我嘗試將槽值更改爲0,1-1,結果相同。看起來像加載下層PKCS11對象時出現問題。

Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR 
at sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method) 
at sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1545) 
at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:157) 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:330)

我不知道這是否會幫助,但我跑在Firefox的配置文件modutil並傾倒這個信息:

modutil -dbdir "/Users/eto/Library/Application Support/Firefox/Profiles/ew2g332o.default-1453211557245" -rawlist 

library= name="NSS Internal PKCS #11 Module" 
parameters="configdir=/Users/eto/Library/Application Support/Firefox/Profiles/ew2g332o.default-1453211557245 certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " 
NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

Listing of PKCS #11 Modules

  1. NSS Internal PKCS #11 Module uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.33 slots: 2 slots attached status: loaded

    slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

    slot: NSS User Private Key and Certificate Services token: NSS Certificate DB uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

來源

2017-11-10 codenamezero

回答

0

首先,我注意到你的不同方式插入/添加Provider與我。你能嘗試以這種方式添加Provider嗎? (也可能是irrelavent)

Provider p = new SunPKCS11(new ByteArrayInputStream(config.getBytes())); 
Security.insertProviderAt(p, 1); 
KeyStore.Builder builder = null; 
builder = KeyStore.Builder.newInstance("PKCS11", p, 
    new KeyStore.CallbackHandlerProtection(new UtilTarjetas().new CustomCallbackHandler())); 
cardKeyStore = builder.getKeyStore();

然後,也許你可以在這裏嘗試的辦法:

https://github.com/avocado-framework/avocado/issues/1112

即:

apahim commented on 7 Apr 2016

@will-Do, nss folks were able to track this issue down and seems like they are going to consider a change in NSS_InitContext() , which should include a SECMOD_RestartModules(PR_FALSE) after a fork() . Anyway, they also provided a better workaround than the one I provided you. If you set the environment variable NSS_STRICT_NOFORK to DISABLED then the code is expected to work. It worked for me and I'd like to check if it works for you as well. Looking forward to see your results.

此外,一些消息來源表明,它可能是令牌或插槽問題。您可以嘗試將槽位索引更改爲0-1

來源

2017-11-16 08:44:59 FaithReaper

+0

首先,感謝您的幫助。但問題似乎是在初始化'SunPKCS11'級別,它甚至在'insertProviderAt'或'addProvider'之前拋出'CKR_DEVICE_ERROR'。 ''CKR_DEVICE_ERROR'正在被'sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)引發'見我在帖子中更新。 – codenamezero

0

如果在FireFox之外執行,Firefox在Mac OS X中提供的庫可能實際上完全損壞或無法正常工作。

嘗試配置和方法的許多不同的組合之後,我終於得到了它的工作通過不使用圖書館從Firefox ...

這裏是一步一步的方法來得到它的工作:

  1. 在你的Mac上安裝自制
  2. 運行brew install nss
  3. 運行brew install nspr
  4. 您可能需要brew link nssbrew link nspr
  5. 在配置文件中手動鏈接它們,你需要把它指向你的自制libsoftokn3.dylib,像這樣library = /usr/local/opt/nss/lib/libsoftokn3.dylib

然後你的Java代碼應該能夠加載的Firefox在Mac OS X下的keystore ...我已經提交了一個bug here。該工單包含工作sample code關於如何實例化PKCS11,加載Firefox密鑰庫並列出商店中的別名。

這絕對是一個與Firefox合作的噩夢......但至少我得到了它的工作......誰會想到他們提供的庫不起作用(但它在Windows中起作用!)? :P

爲了完整起見,我已經直接包含的代碼示例在這篇文章中,以及:

import java.io.ByteArrayInputStream; 
import java.security.KeyStore; 
import java.security.Provider; 
import java.security.Security; 
import java.util.Collections; 

public class Sample { 

    private KeyStore load(String lib, String profile) throws Exception 
    { 
     String config = "library = " + lib + "\n" + 
       "name = FirefoxKeyStore\n" + 
       "attributes = compatibility\n" + 
       "nssArgs = \"configDir='" + profile + "' certPrefix='' keyPrefix='' secmod='secmod.db' flags='readOnly,forceOpen,optimizeSpace' \"\n" + 
       "slot = 2\n"; 

     ByteArrayInputStream bais = new ByteArrayInputStream(config.getBytes()); 
     Provider provider = new sun.security.pkcs11.SunPKCS11(bais); 
     Security.addProvider(provider); 

     return KeyStore.getInstance("PKCS11"); 
    } 

    public static void main(String[] args) throws Exception { 

     Sample s = new Sample(); 

     String profile = "/Users/blah/Library/Application Support/Firefox/Profiles/yougottachangethis"; 
     String[] libs = { 
      //"/Applications/Firefox.app/Contents/MacOS/libsoftokn3.dylib", 
      "/usr/local/opt/nss/lib/libsoftokn3.dylib" 
     }; 

     for (String lib : libs) { 
      System.out.println("TRYING >>> " + lib); 
      try { 
       KeyStore ks1 = s.load(lib, profile); 

       ks1.load(null, null); 
       for (String alias : Collections.list(ks1.aliases())) { 
        System.out.println(alias); 
       } 
      } 
      catch (Exception e) 
      { 
       e.printStackTrace(); 
      } 
     } 
    } 
}

這裏是otool從蘋果的輸出(包括爲FaithReaper的評論):

otool -L libsoftokn3.dylib 
libsoftokn3.dylib: 
/usr/local/opt/nss/lib/libsoftokn3.dylib (compatibility version 1.0.0, current version 1.0.0) 
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 253.0.0) 
/usr/local/Cellar/nss/3.34/lib/libnssutil3.dylib (compatibility version 1.0.0, current version 1.0.0) 
/usr/local/opt/nspr/lib/libplc4.dylib (compatibility version 1.0.0, current version 1.0.0) 
/usr/local/opt/nspr/lib/libplds4.dylib (compatibility version 1.0.0, current version 1.0.0) 
/usr/local/opt/nspr/lib/libnspr4.dylib (compatibility version 1.0.0, current version 1.0.0) 
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)

來源

2017-11-16 21:20:37 codenamezero

+0

我忘了說,但你如何配置系統env變量'LD_LIBRARY_PATH'?毫無疑問,'nss'取決於'nspr'。 – FaithReaper

+0

我不確定Mac是否加載了與Linux不同的庫,但是我的'LD_LIBRARY_PATH'是空白的,當我使用'otool -L libsoftokn3.dylib'時,我可以看到它已經鏈接到'/ usr/local/opt/NSPR/LIB/libnspr4.dylib'。 – codenamezero

+0

嗯.....我認爲'libsoftokn3.so'駐留在nss文件夾中,而不是nspr,並且Linux中的名稱是原樣的,沒有鏈接到'libnspr4.so'。所以這可能是問題。添加這個系統變量指向你有'libsoftokn3.dylib'(不是鏈接,但是真實文件)的文件夾,然後再試一次。你可以調查nss在哪裏? – FaithReaper

相關問題

 相關問題