
Get X509Certificates from smart card without authentication

I want to retrieve the list of X509Certificate from my smart card without logging in (without PIN).

My code is the following:

    import java.security.KeyStore;
    import java.security.Provider;
    import java.security.Security;

    String conf = args[0];                                  // path to the SunPKCS11 config file
    Provider p = new sun.security.pkcs11.SunPKCS11(conf);   // JDK 8 constructor
    Security.addProvider(p);

    KeyStore ks = KeyStore.getInstance("PKCS11");

    // 1) no password and no CallbackHandler
    ks.load(null, null);
    // 2) empty PIN
    ks.load(null, "".toCharArray());

The first test (1) fails with this StackTrace:

    Exception in thread "main" java.io.IOException: load failed
        at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:763)
        at java.security.KeyStore.load(Unknown Source)
        at TestPKCS11.main(TestPKCS11.java:29)
    Caused by: javax.security.auth.login.LoginException: no password provided, and no callback handler available for retrieving password
        at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1184)
        at sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:849)
        at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:751)

The second (2) fails with:

    Exception in thread "main" java.io.IOException: load failed
        at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:763)
        at java.security.KeyStore.load(Unknown Source)
        at TestPKCS11.main(TestPKCS11.java:30)
    Caused by: javax.security.auth.login.LoginException
        at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1238)
        at sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:849)
        at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:753)
        ... 2 more
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
        at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1222)

My config is the following:

    name=SmartCard
    slotListIndex = 0
    library=C:\gclib.dll
    attributes(*,CKO_PUBLIC_KEY,*)={ CKA_TOKEN=true }

NB: I have a local tool (Classic Client ToolBox) that does not require the PIN to display the certificates.

Looks like Sun's provider always calls Login, no matter whether you want to log in or not. Frankly speaking, it may be that the only option is to change the approach, e.g. use some other way to access PKCS#11 devices (we have such mechanisms in our SecureBlackbox, for example).

On the other hand, the possibility to retrieve information without logging in to the device is a kind of information leak, and as such the possibility to obtain the list or the certificates themselves depends on the particular device. What works on your device might not work on other devices.
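As an added example (not the asker's or answerer's code): since the SunPKCS11 keystore insists on a login, the public-API way to satisfy it is to hand the PIN over through a CallbackHandler instead of a literal char[] in load(), then enumerate the token's certificates. It assumes the JDK 8 SunPKCS11 constructor used in the question, a console to read the PIN from, and the same config file as args[0].

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class ListTokenCerts {
    public static void main(String[] args) throws Exception {
        // args[0]: the SunPKCS11 config file from the question (name / slotListIndex / library).
        Provider p = new sun.security.pkcs11.SunPKCS11(args[0]);   // JDK 8 API
        // On JDK 9+ this constructor is gone: Security.getProvider("SunPKCS11").configure(args[0]).
        Security.addProvider(p);

        // The provider calls this handler only when the token reports CKF_LOGIN_REQUIRED.
        // Never "probe" with guessed PINs: a wrong PIN (CKR_PIN_INCORRECT) consumes a retry on
        // most cards and CKR_PIN_LOCKED blocks the token; the CKR_PIN_INVALID seen with "" in the
        // question means the card rejected the PIN as malformed.
        CallbackHandler pinHandler = callbacks -> {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                // System.console() is null when stdin is not a terminal; a terminal is assumed.
                ((PasswordCallback) cb).setPassword(System.console().readPassword("Token PIN: "));
            }
        };
        KeyStore.Builder builder = KeyStore.Builder.newInstance(
                "PKCS11", p, new KeyStore.CallbackHandlerProtection(pinHandler));

        try {
            KeyStore ks = builder.getKeyStore();   // P11KeyStore.engineLoad -> SunPKCS11.login
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
                String alias = e.nextElement();
                Certificate cert = ks.getCertificate(alias);
                if (cert instanceof X509Certificate) {
                    X509Certificate c = (X509Certificate) cert;
                    System.out.printf("%s: %s, expires %s%n",
                            alias, c.getSubjectX500Principal(), c.getNotAfter());
                }
            }
        } catch (KeyStoreException ex) {
            // Walk the cause chain so the PKCS#11 return code is shown, not just "load failed".
            for (Throwable t = ex; t != null; t = t.getCause()) {
                System.err.println(t);
            }
        }
    }
}
```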
