Search code examples
javapkipkcs#11

PKCS#11 driver prompts for PIN for each key

I am using CardOS API driver from Siemens as PKCS#11 driver to load certificates from a PKI card as follows:

char[] pin = "123456".toCharArray();
KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(pin);
KeyStore keyStore = KeyStore.Builder.newInstance("PKCS11", Security.getProvider("SunPKCS11-verinice"), pp).getKeyStore();
keyStore.load(null,pin);
keyStore.getKey("key 1", pin);
keyStore.getKey("key 2", pin);

The driver prompts for a PIN for each key although i pass it as a parameter. Is there any other way to pass the PIN by API? Is there any "PIN cache" i can activate?

Solution

  • I'm also working with CardOS and Siemens cards.

    There are two PINs on a card.

    1. Card PIN. Used to unlock the card and read the certificates. You can handle this PIN with your own callback. PIN is only needed once.
    2. Signature PIN. Used to access the qualified signature certificate. This PIN must be entered for each signature. The PIN dialog is from the Siemens middleware and you cannot dismiss it.

    In most cases both PINs are the same (else the users gets confused). I also have a card without signature PIN. With this I can sign without another PIN entry. Maybe you can remove the signature PIN or get a card without signature PIN.