
PKCS#11 driver prompts for PIN for each key

I am using CardOS API driver from Siemens as PKCS#11 driver to load certificates from a PKI card as follows:

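import java.security.KeyStore;
import java.security.Security;

char[] pin = "123456".toCharArray();
KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(pin);
// Build the key store on the PKCS#11 provider configured for the CardOS driver
KeyStore keyStore = KeyStore.Builder.newInstance("PKCS11", Security.getProvider("SunPKCS11-verinice"), pp).getKeyStore();
keyStore.load(null, pin);
// The PIN is passed again on every key access
keyStore.getKey("key 1", pin);
keyStore.getKey("key 2", pin);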

The driver prompts for a PIN for each key although I pass it as a parameter. Is there any other way to pass the PIN by API? Is there any "PIN cache" I can activate?


You can use a custom CallbackHandler capable of handling a PasswordCallback, as described in section 3.1 of the Java PKCS#11 guide. Caching passwords should be done with appropriate caution, of course.


I'm also working with CardOS and Siemens cards.

There are two PINs on a card.

  1. Card PIN. Used to unlock the card and read the certificates. You can handle this PIN with your own callback. The PIN is only needed once.
  2. Signature PIN. Used to access the qualified signature certificate. This PIN must be entered for each signature. The PIN dialog is from the Siemens middleware and you cannot dismiss it.

In most cases both PINs are the same (else the users get confused). I also have a card without signature PIN. With this I can sign without another PIN entry. Maybe you can remove the signature PIN or get a card without signature PIN.


You should ask this from your PKCS#11 vendor, in this case Siemens. There's probably nothing you can do from Java.
