KeyStore.login pin validation for smartcard.


KeyStore.login pin validation for smartcard.

Jason Mehrens
Hello security-dev,

Using the java.security.KeyStore API, is there any way to force validation of the smartcard pin (on Windows)?

When testing, it seems like the KeyStore.load method ignores the password parameter, as I can pass invalid pins and it will not throw an error.
It seems to just use the existing user session from when the workstation was unlocked to gain access to the certificates on the smartcard.
I've tried to use the KeyStore.CallbackHandlerProtection too, but it doesn't seem to force validation of the pin either.

Maybe there is something I'm missing?

What would be ideal is: if KeyStore.load was passed a null or empty password, the existing session would be used; otherwise, if a pin was given, it would force a re-validation of the given pin before loading the store.

Thanks,

Jason

Re: KeyStore.login pin validation for smartcard.

Bernd Eckenfels-4
Hm, I remember I had a problem the other way around: I could not make the pin entry dialog stop popping up for protected keys. Passing in password or callback did not do the trick. So if you don’t see such a dialog it might be the key is unprotected? (Besides the normal keystore Protection of the User)

Old screenshot: http://itblog.eckenfels.net/uploads/screen/screenshot-token.png

Gruss
Bernd
--
http://bernd.eckenfels.net

From: security-dev <[hidden email]> on behalf of Jason Mehrens <[hidden email]>
Sent: Friday, December 1, 2017 9:01:13 PM
To: security-dev
Subject: KeyStore.login pin validation for smartcard.
 
Hello security-dev,

Using the java.security.KeyStore API, is there any way to force validation of the smartcard pin (on Windows)?

When testing, it seems like the KeyStore.load method ignores the password parameter, as I can pass invalid pins and it will not throw an error.
It seems to just use the existing user session from when the workstation was unlocked to gain access to the certificates on the smartcard.
I've tried to use the KeyStore.CallbackHandlerProtection too, but it doesn't seem to force validation of the pin either.

Maybe there is something I'm missing?

What would be ideal is: if KeyStore.load was passed a null or empty password, the existing session would be used; otherwise, if a pin was given, it would force a re-validation of the given pin before loading the store.

Thanks,

Jason

Re: KeyStore.login pin validation for smartcard.

Anders Rundgren
Unfortunately this is a part of the underlying implementation.

Assuming you use PKCS #11, you could take a look at the code and see what it does with an externally supplied password.

Anders

On 2017-12-01 23:08, Bernd Eckenfels wrote:

> Hm, I remember I had a problem the other way around: I could not make the pin entry dialog stop popping up for protected keys. Passing in password or callback did not do the trick. So if you don’t see such a dialog it might be the key is unprotected? (Besides the normal keystore Protection of the User)
>
> Old screenshot: http://itblog.eckenfels.net/uploads/screen/screenshot-token.png
>
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
> ----------------------------------------
> *From:* security-dev <[hidden email]> on behalf of Jason Mehrens <[hidden email]>
> *Sent:* Friday, December 1, 2017 9:01:13 PM
> *To:* security-dev
> *Subject:* KeyStore.login pin validation for smartcard.
> Hello security-dev,
>
> Using the java.security.KeyStore API, is there any way to force validation of the smartcard pin (on Windows)?
>
> When testing, it seems like the KeyStore.load method ignores the password parameter, as I can pass invalid pins and it will not throw an error.
> It seems to just use the existing user session from when the workstation was unlocked to gain access to the certificates on the smartcard.
> I've tried to use the KeyStore.CallbackHandlerProtection too, but it doesn't seem to force validation of the pin either.
>
> Maybe there is something I'm missing?
>
> What would be ideal is: if KeyStore.load was passed a null or empty password, the existing session would be used; otherwise, if a pin was given, it would force a re-validation of the given pin before loading the store.
>
> Thanks,
>
> Jason


Re: KeyStore.login pin validation for smartcard.

Jason Mehrens
Anders,

I'm using the WINDOWS-MY which appears to be "SunMSCAPI".  So I guess I'll dig in that source code and just file a bug report if I don't see any other way to trigger the pin validation.

Jason
________________________________________
From: Anders Rundgren <[hidden email]>
Sent: Friday, December 1, 2017 11:53 PM
To: Bernd Eckenfels; Jason Mehrens; security-dev
Subject: Re: KeyStore.login pin validation for smartcard.

Unfortunately this is a part of the underlying implementation.

Assuming you use PKCS #11, you could take a look at the code and see what it does with an externally supplied password.

Anders

On 2017-12-01 23:08, Bernd Eckenfels wrote:

> Hm, I remember I had a problem the other way around: I could not make the pin entry dialog stop popping up for protected keys. Passing in password or callback did not do the trick. So if you don’t see such a dialog it might be the key is unprotected? (Besides the normal keystore Protection of the User)
>
> Old screenshot: http://itblog.eckenfels.net/uploads/screen/screenshot-token.png
>
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
> ----------------------------------------
> *From:* security-dev <[hidden email]> on behalf of Jason Mehrens <[hidden email]>
> *Sent:* Friday, December 1, 2017 9:01:13 PM
> *To:* security-dev
> *Subject:* KeyStore.login pin validation for smartcard.
> Hello security-dev,
>
> Using the java.security.KeyStore API, is there any way to force validation of the smartcard pin (on Windows)?
>
> When testing, it seems like the KeyStore.load method ignores the password parameter, as I can pass invalid pins and it will not throw an error.
> It seems to just use the existing user session from when the workstation was unlocked to gain access to the certificates on the smartcard.
> I've tried to use the KeyStore.CallbackHandlerProtection too, but it doesn't seem to force validation of the pin either.
>
> Maybe there is something I'm missing?
>
> What would be ideal is: if KeyStore.load was passed a null or empty password, the existing session would be used; otherwise, if a pin was given, it would force a re-validation of the given pin before loading the store.
>
> Thanks,
>
> Jason


Re: KeyStore.login pin validation for smartcard.

Anders Rundgren
On 2017-12-04 19:21, Jason Mehrens wrote:
> Anders,
>
> I'm using the WINDOWS-MY which appears to be "SunMSCAPI".  So I guess I'll dig in
> that source code and just file a bug report if I don't see any other way to trigger the pin validation.

Hi Jason,

I haven't used CAPI for more than a decade, but as far as I recall, CAPI smart card drivers
- do not require you to log in to look up a certificate
- always prompt for PIN codes for protected operations, unless you do some special things which are probably outside of what SunMSCAPI permits.

This is essentially how Windows itself deals with smart cards.

My former colleagues at PrimeKey AB used PKCS #11 for all their Java applications for higher flexibility.

HTH

Anders

>
> Jason
> ________________________________________
> From: Anders Rundgren <[hidden email]>
> Sent: Friday, December 1, 2017 11:53 PM
> To: Bernd Eckenfels; Jason Mehrens; security-dev
> Subject: Re: KeyStore.login pin validation for smartcard.
>
> Unfortunately this is a part of the underlying implementation.
>
> Assuming you use PKCS #11, you could take a look at the code and see what it does with an externally supplied password.
>
> Anders
>
> On 2017-12-01 23:08, Bernd Eckenfels wrote:
>> Hm, I remember I had a problem the other way around: I could not make the pin entry dialog stop popping up for protected keys. Passing in password or callback did not do the trick. So if you don’t see such a dialog it might be the key is unprotected? (Besides the normal keystore Protection of the User)
>>
>> Old screenshot: http://itblog.eckenfels.net/uploads/screen/screenshot-token.png
>>
>> Gruss
>> Bernd
>> --
>> http://bernd.eckenfels.net
>> ----------------------------------------
>> *From:* security-dev <[hidden email]> on behalf of Jason Mehrens <[hidden email]>
>> *Sent:* Friday, December 1, 2017 9:01:13 PM
>> *To:* security-dev
>> *Subject:* KeyStore.login pin validation for smartcard.
>> Hello security-dev,
>>
>> Using the java.security.KeyStore API, is there any way to force validation of the smartcard pin (on Windows)?
>>
>> When testing, it seems like the KeyStore.load method ignores the password parameter, as I can pass invalid pins and it will not throw an error.
>> It seems to just use the existing user session from when the workstation was unlocked to gain access to the certificates on the smartcard.
>> I've tried to use the KeyStore.CallbackHandlerProtection too, but it doesn't seem to force validation of the pin either.
>>
>> Maybe there is something I'm missing?
>>
>> What would be ideal is: if KeyStore.load was passed a null or empty password, the existing session would be used; otherwise, if a pin was given, it would force a re-validation of the given pin before loading the store.
>>
>> Thanks,
>>
>> Jason
>
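The two points the thread converges on, as an added example that is not part of any post above and not code from the JDK: with SunPKCS11 a non-null password passed to KeyStore.load is forwarded to the token as a login, so a wrong PIN surfaces as an IOException whose cause is a javax.security.auth.login.LoginException; with Windows-MY (SunMSCAPI) the password is ignored, so a successful load must not be treated as evidence that the caller knows the PIN, and the only check that actually engages the CSP's PIN enforcement is a private-key operation. The example assumes a SunPKCS11 configuration file supplied by the caller (its path, name and slot are placeholders), Java 9 or later for Provider.configure, and an RSA or EC key on the card; the alias and challenge are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.login.LoginException;

/** Added example (hypothetical class name): PIN handling for the two keystore types in the thread. */
public final class SmartcardPinCheck {

    /**
     * Loads a PKCS#11 keystore with an explicit PIN. SunPKCS11 turns a non-null
     * password into a token login (C_Login), so a rejected PIN fails here instead
     * of silently reusing the desktop session the way Windows-MY does.
     *
     * Assumption: pkcs11Config points at a SunPKCS11 config file
     * (name=..., library=..., slotListIndex=...). Requires Java 9+.
     */
    static KeyStore loadPkcs11WithPin(Path pkcs11Config, char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(pkcs11Config.toString());
        Security.addProvider(p);                       // lets Signature find the provider for this key
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        try {
            ks.load(null, pin);                        // token login with the supplied PIN
        } catch (IOException e) {
            if (e.getCause() instanceof LoginException) {
                // PIN rejected by the token; do not fall back to an already-open session
                throw new SecurityException("smart card PIN rejected by token", e);
            }
            throw e;                                   // other I/O or token failure
        } finally {
            Arrays.fill(pin, '\0');                    // scrub the PIN from memory
        }
        return ks;
    }

    /**
     * Windows-MY accepts any password on load, so possession of the card and its PIN
     * can only be demonstrated by using the private key. Signing a fresh random
     * challenge and verifying it against the certificate's public key is that proof;
     * for a PIN-protected key the CSP enforces the PIN at this point, which is the
     * prompt the thread describes.
     */
    static boolean proveKeyControl(KeyStore ks, String alias) throws Exception {
        PrivateKey priv = (PrivateKey) ks.getKey(alias, null);   // password ignored by SunMSCAPI
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (priv == null || cert == null) {
            return false;                                         // alias absent or has no private key
        }

        // Fresh challenge so a replayed signature cannot satisfy the check (constructed here).
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge);

        // Pick the signature algorithm from the key type; assumes RSA or EC keys on the card.
        String alg = "EC".equals(priv.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";

        // Delayed provider selection: initSign routes to the provider that owns the card key.
        Signature signer = Signature.getInstance(alg);
        signer.initSign(priv);
        signer.update(challenge);
        byte[] sig = signer.sign();

        // Verification is done with the public key in software, independent of the card.
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(challenge);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Windows-MY path: load succeeds regardless of password, so prove control explicitly.
        KeyStore win = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        win.load(null, null);
        String alias = "my-smartcard-cert";            // placeholder alias, not from the thread
        System.out.println("Windows-MY key control proven: " + proveKeyControl(win, alias));

        // PKCS#11 path: PIN is validated by the token during load.
        if (args.length == 1 && System.console() != null) {
            char[] pin = System.console().readPassword("Smart card PIN: ");
            KeyStore p11 = loadPkcs11WithPin(Path.of(args[0]), pin);
            System.out.println("PKCS#11 aliases: " + java.util.Collections.list(p11.aliases()));
        }
    }
}
```

Run on a Windows workstation with a card inserted; pass the path of a SunPKCS11 config file as the single argument to exercise the PKCS#11 path. The design point is that authentication is a property of the private-key operation, not of KeyStore.load: for Windows-MY, only a successful signature over a fresh challenge says anything about who holds the card.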