KeyStore.login pin validation for smartcard.

Jason Mehrens jason_mehrens at hotmail.com
Mon Dec 4 18:21:26 UTC 2017


Anders,

I'm using the WINDOWS-MY which appears to be "SunMSCAPI".  So I guess I'll dig in that source code and just file a bug report if I don't see any other way to trigger the pin validation.

Jason
________________________________________
From: Anders Rundgren <anders.rundgren.net at gmail.com>
Sent: Friday, December 1, 2017 11:53 PM
To: Bernd Eckenfels; Jason Mehrens; security-dev
Subject: Re: KeyStore.login pin validation for smartcard.

Unfortunately this is a part of the underlying implementation.

Assuming you use PKCS #11, you could take a look at the code and see what it does with an externally supplied password.

Anders

On 2017-12-01 23:08, Bernd Eckenfels wrote:
> Hm, I remember I had a problem the other way around: I could not make the pin entry dialog stop popping up for protected keys. Passing in password or callback did not do the trick. So if you don’t see such a dialog it might be the key is unprotected? (Besides the normal keystore Protection of the User)
>
> Old screenshot: http://itblog.eckenfels.net/uploads/screen/screenshot-token.png
>
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
> *From:* security-dev <security-dev-bounces at openjdk.java.net> on behalf of Jason Mehrens <jason_mehrens at hotmail.com>
> *Sent:* Friday, December 1, 2017 9:01:13 PM
> *To:* security-dev
> *Subject:* KeyStore.login pin validation for smartcard.
> Hello security-dev,
>
> Using the java.security.KeyStore API, is there any way to force validation of the smartcard pin (on Windows)?
>
> When testing, it seems like the KeyStore.load method ignores the password parameter, as I can pass invalid pins and it will not throw an error.
> It seems to just use the existing user session from when the workstation was unlocked to gain access to the certificates on the smartcard.
> I've tried to use the KeyStore.CallbackHandlerProtection too, but it doesn't seem to force validation of the pin either.
>
> Maybe there is something I'm missing?
>
> What would be ideal is if, when KeyStore.load is passed a null or empty password, the existing session is used; otherwise, if a pin is given, a re-validation of the given pin is forced before loading the store.
>
> Thanks,
>
> Jason
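The thread contrasts two Windows-side providers: with the "Windows-MY" (SunMSCAPI) keystore the password passed to KeyStore.load is not checked against the card, whereas with the SunPKCS11 provider a non-null password is used for a PKCS#11 C_Login, so an incorrect PIN fails at load time. The following is an added example, not code from the thread or from the JDK; the config path, the vendor PKCS#11 module path inside it, and the class and method names are assumptions. It uses the Java 9+ Provider.configure API.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import javax.security.auth.login.LoginException;

/**
 * Demonstrates PIN validation at KeyStore.load time via SunPKCS11,
 * next to the Windows-MY behaviour reported in the thread (PIN ignored).
 */
public final class SmartcardPinCheck {

    // Assumed path to a SunPKCS11 config file (placeholder). Its contents, e.g.:
    //   name = Smartcard
    //   library = C:\path\to\vendor-pkcs11.dll   (placeholder, vendor module)
    //   slotListIndex = 0
    static final String PKCS11_CONFIG = "C:\\path\\to\\pkcs11.cfg";

    /**
     * Opens the card through SunPKCS11. With a non-null password, SunPKCS11
     * performs C_Login during load, so a wrong PIN throws IOException whose
     * cause is a LoginException (the PKCS#11 CKR_PIN_INCORRECT result).
     * The caller's PIN buffer is wiped after use.
     */
    static KeyStore openViaPkcs11(String configPath, char[] pin) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        Provider p11 = base.configure(configPath); // Java 9+; Java 8 used new sun.security.pkcs11.SunPKCS11(path)
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        try {
            ks.load(null, pin); // PIN is checked against the card here
        } finally {
            Arrays.fill(pin, '\0');
        }
        return ks;
    }

    /**
     * Opens the same certificates through the MSCAPI keystore. As observed in
     * the thread, the password argument is not validated against the card;
     * access comes from the already-unlocked Windows user session.
     */
    static KeyStore openViaWindowsMy(char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        try {
            ks.load(null, pin); // no C_Login; an invalid PIN does not fail here
        } finally {
            Arrays.fill(pin, '\0');
        }
        return ks;
    }

    /** Returns true only if the PIN was actually accepted by the card. */
    static boolean pinAccepted(String configPath, char[] pin) throws Exception {
        try {
            openViaPkcs11(configPath, pin);
            return true;
        } catch (IOException e) {
            if (e.getCause() instanceof LoginException) {
                return false; // wrong PIN: card rejected the login
            }
            throw e; // some other I/O problem (module not found, no card present, ...)
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("Smartcard PIN: ");
        // Copy because each open* call wipes the buffer it is given.
        boolean ok = pinAccepted(PKCS11_CONFIG, pin.clone());
        System.out.println("PKCS#11 login " + (ok ? "succeeded" : "failed: PIN rejected"));
        if (ok) {
            KeyStore ks = openViaPkcs11(PKCS11_CONFIG, pin.clone());
            System.out.println("Aliases via PKCS#11: " + Collections.list(ks.aliases()));
        }
        Arrays.fill(pin, '\0');
    }
}
```

Two practical notes: the PKCS#11 path decrements the card's retry counter on each failed login, so an application that re-validates the PIN on every load should not retry blindly; and if the vendor module is missing or no card is inserted, the provider configuration or load fails with a different exception than the wrong-PIN case, which is why pinAccepted only maps a LoginException cause to "PIN rejected".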
