Package: openjdk-7-jre-headless Version: 7u21-2.3.9-5 Severity: normal OpenSC has become a common standard way of accessing Hardware Security Modules (HSMs), it is also build into OSX, and available for Windows. It would make it much easier for people to get started using HSMs with Java if OpenSC could be pre-configured in the openjdk.
The changes needed are quite small, its just a question of how best to manage
them.
There could be an /etc/java-7-openjdk/security/opensc.cfg like the nss.cfg
that is already there. It would include something like this:
name = OpenSC
description = SunPKCS11 w/ OpenSC Smart card Framework
library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Then to enable it, java.security would include something like this:
security.provider.10=sun.security.pkcs11.SunPKCS11 \
${java.home}/lib/security/opensc.cfg
This should co-exist with the NSS config that is already there, according to
the java docs: "To use more than one slot per PKCS#11 implementation, or to
use more than one PKCS#11 implementation, simply repeat the installation for
each with the appropriate configuration file. This will result in a Sun
PKCS#11 provider instance for each slot of each PKCS#11 implementation."[1]
With this configuration, many HSMs would "just work" with keytool and
jarsigner. For example, the command line would work without any extra setup:
keytool -providerName SunPKCS11-OpenSC \
-keystore NONE -storetype PKCS11 -list
Versus now, you have to find where opensc-pkcs11.so is installed, then put
that into a conf file like in the opensc.cfg example, and run it like this:
keytool -providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg my-opensc-java.cfg -providerName SunPKCS11-OpenSC \
-keystore NONE -storetype PKCS11 -list
[1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html
signature.asc
Description: OpenPGP digital signature
