KeyStore.login pin validation for smartcard.
Anders Rundgren
anders.rundgren.net at gmail.com
Sat Dec 2 05:53:19 UTC 2017
Unfortunately this is a part of the underlying implementation.
Assuming you use PKCS #11, you could take a look at the code and see what it does with an externally supplied password.
Anders
On 2017-12-01 23:08, Bernd Eckenfels wrote:
> Hm, I remember I had a problem the other way around: I could not make the pin entry dialog stop popping up for protected keys. Passing in password or callback did not do the trick. So if you don’t see such a dialog it might be the key is unprotected? (Besides the normal keystore Protection of the User)
>
> Old screenshot: http://itblog.eckenfels.net/uploads/screen/screenshot-token.png
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
> ------------------------------------------------------------------------
> *From:* security-dev <security-dev-bounces at openjdk.java.net> on behalf of Jason Mehrens <jason_mehrens at hotmail.com>
> *Sent:* Friday, December 1, 2017 9:01:13 PM
> *To:* security-dev
> *Subject:* KeyStore.login pin validation for smartcard.
> Hello security-dev,
>
> Using the java.security.KeyStore API, is there any way to force validation of the smartcard pin (on Windows)?
>
> When testing, it seems like the KeyStore.load method ignores the password parameter, as I can pass invalid pins and it will not throw an error.
> It seems to just be using the existing user session from when the workstation was unlocked to gain access to the certificates on the smartcard.
> I've tried to use the KeyStore.CallbackHandlerProtection too, but it doesn't seem to force validation of the pin either.
>
> Maybe there is something I'm missing?
>
> What would be ideal is if, when KeyStore.load was passed a null or empty password, the existing session was used; otherwise, if a pin was given, force a re-validation of the given pin before loading the store.
>
> Thanks,
>
> Jason
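
An added example, not code from any poster in this thread or from the JDK: one way to test a PIN over the PKCS #11 route mentioned in the reply, by logging the provider out before `KeyStore.load` so the supplied PIN has to be presented to the token. It assumes Java 9 or later, a SunPKCS11 configuration file passed as `args[0]` that points at the card vendor's PKCS #11 module, and a module that does not cache the PIN itself; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import javax.security.auth.login.LoginException;

public class PinCheck {
    /** Returns true if the token accepted the PIN, false if the login was rejected. */
    static boolean pinIsValid(Provider p11, char[] pin) throws Exception {
        // Drop any login state the provider already holds; otherwise an
        // existing session can satisfy load() without the PIN being checked.
        if (p11 instanceof AuthProvider) {
            ((AuthProvider) p11).logout();
        }
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        try {
            ks.load(null, pin); // PKCS #11 stores take no input stream
            return true;
        } catch (IOException e) {
            // KeyStore.load reports a bad password as an IOException whose
            // cause chain carries the login failure.
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                if (t instanceof UnrecoverableKeyException || t instanceof LoginException) {
                    return false;
                }
            }
            throw e; // token missing, module error, etc.: not a PIN verdict
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: SunPKCS11 config file (name = ..., library = <vendor module path>)
        Provider p11 = Security.getProvider("SunPKCS11").configure(args[0]);
        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal to enter the PIN");
        }
        char[] pin = System.console().readPassword("PIN: ");
        try {
            // Each rejected attempt counts against the card's retry limit.
            System.out.println(pinIsValid(p11, pin) ? "PIN accepted" : "PIN rejected");
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in memory
        }
    }
}
```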