KeyStore.login pin validation for smartcard.

[Bernd Eckenfels]

Hm, I remember I had a problem the other way around: I could not make the pin entry dialog stop popping up for protected keys. Passing in password or callback did not do the trick. So if you don’t see such a dialog it might be the key is unprotected? (Besides the normal keystore Protection of the User)

Old screenshot: http://itblog.eckenfels.net/uploads/screen/screenshot-token.png

Gruss
Bernd
--
http://bernd.eckenfels.net
________________________________
From: security-dev <security-dev-bounces at openjdk.java.net> on behalf of Jason Mehrens <jason_mehrens at hotmail.com>
Sent: Friday, December 1, 2017 9:01:13 PM
To: security-dev
Subject: KeyStore.login pin validation for smartcard.

Hello security-dev,

Using the java.security.KeyStore API is there anyway to force validation of the smartcard pin (on Windows)?

When testing it seems like the KeyStore.load method ignores the password parameter as I can pass invalid pins and it will not throw an error.
It seems to just using the existing user session from when the workstation was unlocked to gain access to the certificates on the smartcard.
I've tried to use the KeyStore.CallbackHandlerProtection too but it doesn't see to force validation of the pin either.

Maybe there is something I'm missing?

What would be ideal is if the KeyStore.load was passed null or empty password the existing session was used otherwise if a pin was given force a re-validation of the given pin before loading the store.

Thanks,

Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20171201/799badfc/attachment.htm>