PKCS#11 driver requests a PIN for each key

I am using the Siemens CardOS API driver as a PKCS#11 driver to download certificates from a PKI card as follows:

```java
import java.security.KeyStore;
import java.security.Security;

public class Pkcs11Load {
    public static void main(String[] args) throws Exception {
        char[] pin = "123456".toCharArray();
        KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(pin);
        // Builder.getKeyStore() already loads the token with the supplied PIN
        KeyStore keyStore = KeyStore.Builder
                .newInstance("PKCS11", Security.getProvider("SunPKCS11-verinice"), pp)
                .getKeyStore();
        keyStore.load(null, pin);          // second load, as posted
        keyStore.getKey("key 1", pin);
        keyStore.getKey("key 2", pin);
    }
}
```

The driver asks for a PIN for each key, although I pass it as a parameter. Is there any other way to pass the PIN via the API? Is there any "PIN cache" that I can activate?

+4
3 answers

I also work with CardOS and Siemens cards.

There are two PIN codes on the card.

  • Card PIN: used to unlock the card and read certificates. You can handle this PIN with your own callback. It is needed only once.
  • Signature PIN: used to access a qualified signature certificate. This PIN must be entered for each signature. The PIN dialog belongs to the Siemens middleware and you cannot suppress it.

In most cases both PINs are the same (otherwise users get confused). I also have a card without a signature PIN; with it I can sign without entering a PIN. Perhaps you can remove the signature PIN or obtain a card without one.

+2

You can use a custom CallbackHandler that handles PasswordCallback, as described in section 3.1 of the Java PKCS#11 guide. Of course, password caching should be done with extreme caution.

+5
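The approach from the answer above, written out as an added example (not code from the question or from Siemens): a CallbackHandler that answers SunPKCS11's PasswordCallback from a PIN held in memory, passed to KeyStore.Builder via CallbackHandlerProtection so that the token login happens once, and the key entries are fetched and used afterwards without a per-key password argument. The provider name "SunPKCS11-verinice" and the aliases "key 1" / "key 2" are taken from the question and assume a SunPKCS11 provider that has already been configured for the CardOS middleware; the hard-coded PIN stands in for a single interactive prompt and is a placeholder, not a recommendation.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Answers every PasswordCallback from SunPKCS11 with a PIN cached in memory,
 * so the user is asked once (by our code) rather than once per key.
 * The cached PIN is overwritten with clear() when the session is finished.
 */
public final class CachedPinHandler implements CallbackHandler {
    private final char[] pin;
    private int uses;

    public CachedPinHandler(char[] pin) {
        this.pin = pin.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof PasswordCallback) {
                // PasswordCallback stores its own copy; we keep ownership of ours
                ((PasswordCallback) cb).setPassword(pin);
                uses++;
            } else {
                throw new UnsupportedCallbackException(cb, "only PasswordCallback is supported");
            }
        }
    }

    /** How many times the provider asked for the PIN (for diagnostics). */
    public int uses() {
        return uses;
    }

    /** Overwrite the cached PIN so it does not linger in the heap. */
    public void clear() {
        Arrays.fill(pin, '\0');
    }

    public static void main(String[] args) throws Exception {
        // Placeholder: in real use obtain the PIN once, e.g. System.console().readPassword()
        CachedPinHandler handler = new CachedPinHandler("123456".toCharArray());
        KeyStore.ProtectionParameter prot = new KeyStore.CallbackHandlerProtection(handler);
        try {
            // One token login here; provider name as in the question (assumed configured)
            KeyStore ks = KeyStore.Builder
                    .newInstance("PKCS11", Security.getProvider("SunPKCS11-verinice"), prot)
                    .getKeyStore();

            for (String alias : new String[] {"key 1", "key 2"}) {   // aliases from the question
                // PKCS#11 entries carry no per-entry password; the key stays on the token
                KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, null);
                PrivateKey pk = entry.getPrivateKey();

                // Sign on the token with the same provider that owns the key handle
                Signature sig = Signature.getInstance("SHA256withRSA", ks.getProvider());
                sig.initSign(pk);
                sig.update("test message".getBytes(StandardCharsets.UTF_8));
                byte[] signature = sig.sign();
                System.out.println(alias + ": " + signature.length + " byte signature; PIN supplied "
                        + handler.uses() + " time(s) so far");
            }
        } finally {
            handler.clear();
        }
    }
}
```

The handler only covers PIN requests that SunPKCS11 itself raises for the token login (C_Login). A dialog drawn by the vendor middleware for a separate signature PIN, as the first answer describes, is raised below the PKCS#11 API and cannot be answered from Java. Keep the cached PIN's lifetime as short as possible and zero it in a finally block, as above, rather than holding it for the life of the process.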

You should ask your PKCS#11 vendor about this, in this case Siemens. You probably can't do anything about it from Java.

+2