Question
I am trying to create a browser application that will access a server which requires TLS Mutual Client Authentication. The application needs to be able to supply the client certificate and key via a PKCS#11 interface.
Having looked at various articles on mutual TLS for Android, I believe the PKCS#11 requirement rules out using the Android KeyChain/adding the certificates to the default keystore on Android (because the private key cannot be directly accessed).
I have the PKCS#11 interface working so I can use the private key to sign data.
Is there a way to intercept the calls for Android to sign data with a key so that I can use the PKCS#11 interface instead? Currently it seems that my only option really is to implement my own TLS stack to achieve this.
Answer 1:
It depends :) What platform(s) are you targeting? On Jelly Bean, there is some support for hardware devices in the keystore, so you can write a keymaster module that uses your PKCS#11. That, however, is an OS component, so it would require implementing your own ROM. You can also develop your own JCE provider that is backed by the PKCS#11 module. Then, in your browser, make sure the SSL engine uses your provider when doing client auth.
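The "own JCE provider" route from the answer, as an added example (not code from the asker or the answerer): a `Provider` that registers a `SignatureSpi` for `SHA256withRSA`, an opaque `PrivateKey` that holds no key material, and an `X509ExtendedKeyManager` that hands both to an `SSLContext`. The `Pkcs11Signer` interface is a hypothetical stand-in for the PKCS#11 session the question already has working; whether a given Android TLS engine delegates signing for a non-native key to a JCA `Signature` lookup is an assumption that must be verified on the target OS version.

```java
import java.io.ByteArrayOutputStream;
import java.net.Socket;
import java.security.InvalidKeyException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.SignatureSpi;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509ExtendedKeyManager;

public class Pkcs11ClientAuth {

    /** Hypothetical wrapper around the working PKCS#11 session (C_SignInit/C_Sign on the token). */
    public interface Pkcs11Signer {
        /** Signs 'data' with the token's private key using the named mechanism. */
        byte[] sign(String mechanism, byte[] data) throws SignatureException;
    }

    /** Opaque key handle: carries no key material, only the reference to the token object. */
    public static final class Pkcs11PrivateKey implements PrivateKey {
        final Pkcs11Signer signer;
        Pkcs11PrivateKey(Pkcs11Signer signer) { this.signer = signer; }
        @Override public String getAlgorithm() { return "RSA"; }
        @Override public String getFormat() { return null; }   // not exportable
        @Override public byte[] getEncoded() { return null; }  // never leaves the token
    }

    /** Signature engine that accepts only Pkcs11PrivateKey and delegates the signing to the token. */
    public static final class Pkcs11Sha256RsaSpi extends SignatureSpi {
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        private Pkcs11Signer signer;

        @Override protected void engineInitSign(PrivateKey key) throws InvalidKeyException {
            if (!(key instanceof Pkcs11PrivateKey)) {
                // Rejecting foreign keys makes JCA fall through to the next provider, so
                // ordinary software keys in the process are not hijacked by this provider.
                throw new InvalidKeyException("not a PKCS#11 key");
            }
            signer = ((Pkcs11PrivateKey) key).signer;
            buf.reset();
        }
        @Override protected void engineInitVerify(PublicKey key) throws InvalidKeyException {
            throw new InvalidKeyException("verification is left to the default providers");
        }
        @Override protected void engineUpdate(byte b) { buf.write(b); }
        @Override protected void engineUpdate(byte[] b, int off, int len) { buf.write(b, off, len); }
        @Override protected byte[] engineSign() throws SignatureException {
            // The TLS stack hands over the raw handshake transcript; the token hashes and signs.
            return signer.sign("CKM_SHA256_RSA_PKCS", buf.toByteArray());
        }
        @Override protected boolean engineVerify(byte[] sig) throws SignatureException {
            throw new SignatureException("unsupported");
        }
        @Override protected void engineSetParameter(String p, Object v) { throw new UnsupportedOperationException(); }
        @Override protected Object engineGetParameter(String p) { throw new UnsupportedOperationException(); }
    }

    /** The JCE provider that maps the TLS 1.2 client-auth signature algorithm to the token. */
    public static final class Pkcs11Provider extends Provider {
        public Pkcs11Provider() {
            super("PKCS11Token", 1.0, "SHA256withRSA backed by a PKCS#11 token (example)");
            put("Signature.SHA256withRSA", Pkcs11Sha256RsaSpi.class.getName());
        }
    }

    /** Key manager handing the TLS stack the client chain plus the opaque key. */
    public static final class Pkcs11KeyManager extends X509ExtendedKeyManager {
        private final X509Certificate[] chain;
        private final Pkcs11PrivateKey key;
        public Pkcs11KeyManager(X509Certificate[] chain, Pkcs11Signer signer) {
            this.chain = chain; this.key = new Pkcs11PrivateKey(signer);
        }
        @Override public String chooseClientAlias(String[] kt, Principal[] issuers, Socket s) { return "token"; }
        @Override public String[] getClientAliases(String kt, Principal[] issuers) { return new String[] {"token"}; }
        @Override public X509Certificate[] getCertificateChain(String alias) { return chain; }
        @Override public PrivateKey getPrivateKey(String alias) { return key; }
        @Override public String chooseServerAlias(String kt, Principal[] issuers, Socket s) { return null; }
        @Override public String[] getServerAliases(String kt, Principal[] issuers) { return null; }
    }

    /** Builds an SSLContext whose client authentication signs on the token. */
    public static SSLContext buildContext(X509Certificate[] chain, Pkcs11Signer signer) throws Exception {
        // Highest priority so the TLS engine's SHA256withRSA lookup reaches our SignatureSpi first.
        Security.insertProviderAt(new Pkcs11Provider(), 1);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null TrustManagers = platform default trust store for validating the server certificate.
        ctx.init(new KeyManager[] { new Pkcs11KeyManager(chain, signer) }, null, null);
        return ctx;
    }
}
```

Two design points matter here. Installing the provider at position 1 affects every `SHA256withRSA` lookup in the process, so `engineInitSign` must reject keys it does not own; because `Signature` uses delayed provider selection when no provider is named, that `InvalidKeyException` lets JCA continue to the next provider for ordinary keys. And the key is deliberately opaque (`getEncoded()` returns `null`): if the TLS engine in use insists on native key material instead of going through the JCA `Signature` path, the answer's other options (a keymaster module in the ROM, or a separate TLS stack) are what remain.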
Source: https://stackoverflow.com/questions/11640706/mutual-client-authentication-with-pkcs11