
I have an applet for digital signature. My problem is that I initialize the keystore, but it remains open until you close the browser. How do I ask for the PIN every time I want to sign?

This is the initialization code:

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import sun.security.pkcs11.SunPKCS11;

/* Obtain the provider for the key container (the token's native PKCS#11 library) */
String pkcs11config = "name=Athena\nlibrary=C:\\Windows\\system32\\asepkcs.dll";
byte[] pkcs11configBytes1 = pkcs11config.getBytes();
ByteArrayInputStream configStream1 = new ByteArrayInputStream(pkcs11configBytes1);
BouncyCastleProvider providerBC = new BouncyCastleProvider();

Security.addProvider(providerBC);
// Load the CIPE provider (a SunPKCS11 instance bound to the library above)
SunPKCS11 providerPKCS11 = new SunPKCS11(configStream1);
Security.addProvider(providerPKCS11);
// Open the token as a KeyStore; load(null, null) passes no PIN, so the
// provider logs in on its own and that login state outlives this call.
KeyStore ks = KeyStore.getInstance("PKCS11", providerPKCS11);
ks.load(null, null); // throws IOException, NoSuchAlgorithmException, CertificateException

Can anyone tell me how to fix it? Thank you.

Fernando

2 Answers


The PKCS#11 provider will only ask for the PIN when it is required. And it is only required per operation if the CKA_ALWAYS_AUTHENTICATE flag is set for the token key that is being used. To allow a user PIN to be entered, a callback handler has to be implemented according to the PKCS#11 provider documentation.

Maarten Bodewes
  • In real life CKA_ALWAYS_AUTHENTICATE is more like a hint, rather than a function. The calling application "asks for pin" when ... the calling application decides to interact with the user. Because the application calls C_Login. Some PKCS#11 providers interact with the user themselves, by opening GUI windows etc. Essentially they react on behalf of the calling application for CKR_USER_NOT_LOGGED_ON or similar situation. – Martin Paljak Apr 15 '14 at 23:38
  • This is certainly true. However, if `CKA_ALWAYS_AUTHENTICATE` is not handled using the callback procedure, there is precious little you can do about it. The only thing you can try is to log in every time before you start an operation, but I'm not sure that the API to do that is available from the PKCS#11 provider; you need lower level access for that. – Maarten Bodewes Apr 16 '14 at 07:52
  • Ok, how do I set the CKA_ALWAYS_AUTHENTICATE flag? – Fernando Apr 16 '14 at 17:46
  • I did this: pkcs11config= "name=Athena\nlibrary=C:\\Windows\\system32\\asepkcs.dll\nattributes(*,*,*)={CKA_ALWAYS_AUTHENTICATE=true}"; and the result was: Exception in thread "AWT-EventQueue-1" java.security.ProviderException: Error parsing configuration at sun.security.pkcs11.Config.getConfig (Config.java: 88).... – Fernando Apr 16 '14 at 17:53
  • Normally, you don't. **It should be an attribute of the key that is already set**. Otherwise the PKCS#11 dll will be in an authenticated state for the key, even if you do provide the PIN again. In that case you may as well ask the user to provide the PIN without the PKCS#11 doing anything and hope that the process you run in is safe. – Maarten Bodewes Apr 16 '14 at 21:43

PKCS#11 shares the login state between all sessions so it should be enough for you to call providerPKCS11.logout(); and you should be logged out from all PKCS#11 sessions - signing operations should fail. Reloading KeyStore with correct PIN should log you in again in all sessions - signing operations should succeed. Displaying the GUI to the user and asking him to enter the PIN before every signing operation is up to you.

Maarten Bodewes
jariq
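The login-sign-logout flow this answer describes, written out as an added example in Java (not jariq's code and not from the asker's applet). It assumes providerPKCS11 is the SunPKCS11 instance already registered with Security.addProvider (SunPKCS11 extends java.security.AuthProvider), that the caller passes the alias of the signing key on the token, and that the PIN was just collected by a dialog of your own; the class name PinPerSignature and the method name sign are assumptions.

```java
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Arrays;

/** Signs after a fresh PIN login and logs the token out again, so every signature needs the PIN. */
public final class PinPerSignature {

    /**
     * @param providerPKCS11 the registered SunPKCS11 provider (an AuthProvider)
     * @param alias          alias of the private key on the token (assumed, caller supplies it)
     * @param pin            PIN just entered by the user in your own GUI; wiped before returning
     * @param data           the bytes to sign
     */
    public static byte[] sign(AuthProvider providerPKCS11, String alias, char[] pin, byte[] data)
            throws Exception {
        try {
            // Loading the PKCS11 key store with a non-null password makes the provider
            // perform C_Login with that PIN (if it was already logged in, nothing happens,
            // which is why the logout in finally matters).
            KeyStore ks = KeyStore.getInstance("PKCS11", providerPKCS11);
            ks.load(null, pin);

            // SunPKCS11 key stores take a null key password; the PIN was given to load().
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            if (key == null) {
                throw new IllegalArgumentException("no private key under alias " + alias);
            }

            // Sign on the token itself by asking the PKCS#11 provider for the Signature.
            Signature sig = Signature.getInstance("SHA256withRSA", providerPKCS11);
            sig.initSign(key);
            sig.update(data);
            return sig.sign();
        } finally {
            // Login state is shared by all sessions of the provider, so logging out here
            // makes the next call to sign() require the PIN again (signing without it fails).
            providerPKCS11.logout();
            // Do not keep the PIN in memory longer than the one operation.
            Arrays.fill(pin, '\0');
        }
    }
}
```

Call sign() from the code path behind your sign button, after the PIN dialog returns, and let the dialog run again on the next click.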