openjdk team mailing list archive

[Hans-Christoph Steiner <hans@xxxxxxx>]

Package: openjdk-7-jre-headless
Version: 7u21-2.3.9-5
Severity: normal

OpenSC has become a common standard way of accessing Hardware Security Modules
(HSMs), it is also build into OSX, and available for Windows.  It would make
it much easier for people to get started using HSMs with Java if OpenSC could
be pre-configured in the openjdk.

The changes needed are quite small, its just a question of how best to manage
them.

There could be an /etc/java-7-openjdk/security/opensc.cfg like the nss.cfg
that is already there.  It would include something like this:

  name = OpenSC
  description = SunPKCS11 w/ OpenSC Smart card Framework
  library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Then to enable it, java.security would include something like this:

  security.provider.10=sun.security.pkcs11.SunPKCS11 \
     ${java.home}/lib/security/opensc.cfg

This should co-exist with the NSS config that is already there, according to
the java docs: "To use more than one slot per PKCS#11 implementation, or to
use more than one PKCS#11 implementation, simply repeat the installation for
each with the appropriate configuration file. This will result in a Sun
PKCS#11 provider instance for each slot of each PKCS#11 implementation."[1]

With this configuration, many HSMs would "just work" with keytool and
jarsigner.  For example, the command line would work without any extra setup:

  keytool -providerName SunPKCS11-OpenSC \
    -keystore NONE -storetype PKCS11 -list

Versus now, you have to find where opensc-pkcs11.so is installed, then put
that into a conf file like in the opensc.cfg example, and run it like this:

  keytool -providerClass sun.security.pkcs11.SunPKCS11 \
    -providerArg my-opensc-java.cfg -providerName SunPKCS11-OpenSC \
	-keystore NONE -storetype PKCS11 -list


[1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

Attachment: signature.asc
Description: OpenPGP digital signature