[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PKCS#11 Question

Subject: Re: PKCS#11 Question
From: Scott Kovatch <email@hidden>
Date: Thu, 22 Nov 2007 22:11:28 -0500
Delivered-to: email@hidden
Delivered-to: email@hidden

Steve,

What you say is correct, but even though the actual private key bits stored on the card aren't visible, Jay should still see private key entries that encapsulate a PKCS#11 object reference. It sounds like there might be a bug in our PKCS#11 driver.

Scott

On Nov 22, 2007, at 6:31 PM, Stephen Winnall wrote:

Jay
The whole point behind any security token (like a smartcard) is that the private key never leaves that token, so it's not surprising that you don't see a key in the KeyChain. Certificates can be nailed to a post in the middle of town if you're so inclined, so they can be copied off the token and into the keychain, but not the private key.

Some smartcards generate the keypair on the card and only export the public key (from which the certificate is made). Other cards and tokens (e.g. USB) need the keypair to be installed on them first. But once all that has happened (and you've distributed the certificates to whoever needs them), PKCS#11 should handle the rest.
Steve
On 20 Nov 2007, at 22:40, Jay Kline wrote:
Im writing a java application that does authentication via Smart Cards (PKCS#11) and need to get it functional on OSX. Using the SunPKCS11 provider with the library out in /usr/libexec/SmartCardServices/ pkcs11 it "half works". That is, it dosnt error, and can give some information about the card and/or reader, but it seems to provide an empty KeyStore.

Ive looked around a little to see how to use the KeyChain via the Apple.KeyChainStore provider instead, but I cant find any documentation on it. Just using the basic usage examples Ive found:
ks = KeyStore.getInstance("KeychainStore","Apple");
ks.load(null,null);
I can see certificate entries for my smart card in the keystore, but no key entries.
Ive found I can use keytool to test both cases easily:
keytool -keystore NONE -storetype PKCS11 -providerClass
sun.security.pkcs11.SunPKCS11 -providerArg pkcs11.config -list
The above lists PrivateKeyEntry's on Linux, and has 0 entries on Mac.
keytool -keystore NONE -storagetype KeychainStore -list - providerClass com.apple.crypto.provider.Apple
The above lists trustedCertEntry's for the certs on the card, but no
PrivateKeyEntry.
Am I going about this wrong?
Jay
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden
This email sent to email@hidden


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden

This email sent to email@hidden

References:
	>PKCS#11 Question (From: Jay Kline <email@hidden>)
	>Re: PKCS#11 Question (From: Stephen Winnall <email@hidden>)

Prev by Date: Re: Replacement for Cocoa-Java bridge
Next by Date: Re: BSD Java 6 Preview Release 2
Previous by thread: Re: PKCS#11 Question
Next by thread: Apple Bug Attachments
Index(es):
- Date
- Thread

Home