
Java/Eclipse example

Guide to integration with the Eclipse IDE

Eclipse is an IDE for Linux and Windows used to develop Java code.

The version used for the integration was 4.20.0. Java versions above 8 can be used with this guide as written; version 8 or earlier has some differences due to a change in Java from version 9 onwards.

Environment configuration

  1. Install the HSM client in your environment.

     • Windows installation

     • Linux installation

  2. Configure the basic environment variables. This can be done by editing the variables directly or via DINAMOcon.

     • DFENCE_PKCS11_IP: IP of the HSM

     • DFENCE_PKCS11_USER: HSM user name

If you want to use multiple users in the application, you should enable the variable:

For more information, see the configuration section.

Java applications that make use of PKCS#11 need to use some HSM libraries; all of them are in the installation folder. The name of the file is tacndp11.dll (Windows) or libtacndp11.so (Linux).

Examples:

  • 64-bit installation:
    • 64-bit version: C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\c\tacndp11.dll
    • 32-bit version: C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\32-bit\tacndp11.dll
  • 32-bit installation:
    • C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\c\tacndp11.dll

On Linux, the PKCS#11 library will be in the system libraries folder.

Examples:

  • CentOS/Red Hat 64-bit:
    • /usr/lib64/libtacndp11.so

  • Ubuntu/Debian 32-bit/64-bit and CentOS/Red Hat 32-bit:
    • /usr/lib/libtacndp11.so

Setting up a project in Eclipse

To configure the project, add tacndjavalib.jar to the build path. The library ndjac.jar only needs to be added if you are using JCA.

_build path_ configuration screen in Eclipse


Example code (Java 9+)

The only difference between Java 9+ and Java 8 is how the libraries are imported and how the provider object is created.

The following code creates the provider with the Dinamo library, loads the master user's keystore using the special password method with the DFENCE_PKCS11_SPECIAL_PWD environment variable enabled, and then lists the name and content of the certificates in the user's partition.

The result of the example is more interesting if there are certificates on the partition.

The file p11config.cfg must have at least the fields name and library. Examples below:

Windows:

name = dinamo
library = C:\Program Files\Dinamo Networks\HSM Dinamo\sdk\c\tacndp11.dll

Linux:

name = dinamo
library = /usr/lib/libtacndp11.so

or

name = dinamo
library = /usr/lib64/libtacndp11.so

Oracle's PKCS#11 Documentation can be found here.

import java.io.IOException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.util.Enumeration;

public class pkcs11 {
    public static void main(String[] args) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        // Path to the SunPKCS11 configuration file (name and library fields).
        String pkcs11Config = "/usr/app/p11config.cfg";
        // Java 9+: take the built-in SunPKCS11 provider and configure it with the file.
        Provider p = Security.getProvider("SunPKCS11");
        p = p.configure(pkcs11Config);
        java.security.Security.addProvider(p);

        /////
        //
        // Note: replace the pin string using the format:
        //
        // user:password@ip
        //
        /////

        String pin = "master:12345678@192.168.1.101";
        // Load the HSM-backed keystore; the pin string logs in to the user's partition.
        java.security.KeyStore keyStore = java.security.KeyStore.getInstance("PKCS11");
        keyStore.load(null, pin.toCharArray());

        // List every alias on the partition and print its certificate.
        Enumeration<String> enumeration = keyStore.aliases();
        while (enumeration.hasMoreElements()) {
            String alias = enumeration.nextElement();
            System.out.println("alias name: " + alias);
            java.security.cert.Certificate certificate = keyStore.getCertificate(alias);
            System.out.println(certificate.toString());
        }
    }
}

To configure the provider in Java 8, the code is as follows:

Provider providerPKCS11 = new sun.security.pkcs11.SunPKCS11(pkcs11Config);
java.security.Security.addProvider(providerPKCS11);
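
As an added example (not part of the original guide or Dinamo's own code), the Java 9+ listing can take the PIN at run time instead of from a string literal in source, and report for each alias whether it holds a key and when its certificate expires. The class name, the optional command-line argument and the `HSM_PIN` environment variable are assumptions made for this example.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

public class Pkcs11RuntimePin {
    // Returns the PIN in the guide's user:password@ip format, or null if none is available.
    static char[] readPin() {
        Console console = System.console();
        if (console != null) {
            return console.readPassword("HSM PIN (user:password@ip): ");
        }
        // System.console() can be null when launched from an IDE; fall back to an
        // environment variable set in the run configuration (HSM_PIN is a hypothetical name).
        String env = System.getenv("HSM_PIN");
        return env == null ? null : env.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        String pkcs11Config = args.length > 0 ? args[0] : "/usr/app/p11config.cfg";
        Provider p = Security.getProvider("SunPKCS11").configure(pkcs11Config);
        Security.addProvider(p);

        char[] pin = readPin();
        if (pin == null) throw new IllegalStateException("No PIN supplied");
        try {
            KeyStore keyStore = KeyStore.getInstance("PKCS11", p);
            keyStore.load(null, pin);
            for (String alias : Collections.list(keyStore.aliases())) {
                String kind = keyStore.isKeyEntry(alias) ? "key entry" : "certificate only";
                Certificate cert = keyStore.getCertificate(alias);
                if (cert instanceof X509Certificate) {
                    X509Certificate x509 = (X509Certificate) cert;
                    System.out.printf("%s [%s] subject=%s notAfter=%s%n", alias, kind,
                            x509.getSubjectX500Principal().getName(), x509.getNotAfter());
                } else {
                    System.out.printf("%s [%s] no X.509 certificate%n", alias, kind);
                }
            }
        } finally {
            Arrays.fill(pin, '\0'); // overwrite our copy of the PIN
        }
    }
}
```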