4

I'm interested in using a client token to perform client certificate authentication for SSL/TLS, but the client private key resides on a (non-PKCS11-accessible) hardware token. I originally wanted to replace the key manager, but I can't return the private keys from the token, so I am considering modifying the underlying SSLSocket and related classes to accomplish my goal.

In which Java classes is the private key used in the establishment of the TLS session so that I could override that functionality? Any other suggestions?

emsworth
  • 1,149
  • 10
  • 21

1 Answers1

2

I ended up doing this by creating a new provider. My provider registers the following:

  • Hardware device abstraction that implements PrivateKey; I called it "Token".
  • Custom keystore that extends KeyStoreSpi. The keystore knows how to enumerate certificates and aliases from the Token.
  • Custom Signature object that knows how to perform signing operations using Token. I only needed to implement a subset of the RSA/SHA signature algorithms for my class.
  • Custom socket factory that extends SSLSocketFactory. I did this to set the preferred cipher suite.

The provider registers my Token as a PKCS11 device to avoid default password prompts during client authentication (I use custom password prompts for the token PIN). I put my provder at the top of the providers list, created a new SSLContext and set the SSLSocketFactory, and finally established the connection.

-Djavax.net.debug=true on the client and server was my friend throughout.

emsworth
  • 1,149
  • 10
  • 21