Anders, I'm using the WINDOWS-MY which appears to be "SunMSCAPI". So I guess I'll dig in that source code and just file a bug report if I don't see any other way to trigger the pin validation.
Jason
________________________________________
From: Anders Rundgren <anders.rundgren....@gmail.com>
Sent: Friday, December 1, 2017 11:53 PM
To: Bernd Eckenfels; Jason Mehrens; security-dev
Subject: Re: KeyStore.login pin validation for smartcard.

Unfortunately this is a part of the underlying implementation.
Assuming you use PKCS #11, you could take a look at the code and see what it does with an externally supplied password.

Anders

On 2017-12-01 23:08, Bernd Eckenfels wrote:
> Hm, I remember I had a problem the other way around: I could not make the pin
> entry dialog stop popping up for protected keys. Passing in password or
> callback did not do the trick. So if you don’t see such a dialog it might be
> the key is unprotected? (Besides the normal keystore Protection of the User)
>
> Old screenshot:
> http://itblog.eckenfels.net/uploads/screen/screenshot-token.png
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
> ------------------------------------------------------------------------
> *From:* security-dev <security-dev-boun...@openjdk.java.net> on behalf of
> Jason Mehrens <jason_mehr...@hotmail.com>
> *Sent:* Friday, December 1, 2017 9:01:13 PM
> *To:* security-dev
> *Subject:* KeyStore.login pin validation for smartcard.
>
> Hello security-dev,
>
> Using the java.security.KeyStore API is there any way to force validation of
> the smartcard pin (on Windows)?
>
> When testing it seems like the KeyStore.load method ignores the password
> parameter as I can pass invalid pins and it will not throw an error.
> It seems to just be using the existing user session from when the workstation
> was unlocked to gain access to the certificates on the smartcard.
> I've tried to use the KeyStore.CallbackHandlerProtection too but it doesn't
> seem to force validation of the pin either.
>
> Maybe there is something I'm missing?
>
> What would be ideal is if the KeyStore.load was passed null or empty password
> the existing session was used otherwise if a pin was given force a
> re-validation of the given pin before loading the store.
>
> Thanks,
>
> Jason