Providing Key Passwords
msamblanet
Returner

Joined: Nov 21, 2011
Messages: 5
Offline

Our application accesses password-protected keys and we would like to use our own password prompting for these keys.

In JCAPI, I do not see any way to set this password. I tried providing a password for the private key but this did not work.

Is there a way to set this password? If not, is it something that you would consider for an enhancement?

FYI - Under our C# code, we do this by setting CspParameters.KeyPassword to the user-provided password. I have not coded this at the C layer, but I believe this maps to CryptSetProvParam with some variation of the values PP_SECURE_KEYEXCHANGE_PIN, PP_KEYEXCHANGE_PIN, PP_SECURE_SIGNATURE_PIN, and PP_SIGNATURE_PIN.

tommy
Pheox Support

Joined: May 30, 2005
Messages: 148
Offline

Hi,

Yes, you're correct. One can use KP_KEYEXCHANGE_PIN or KP_SIGNATURE_PIN through the CAPI function CryptSetKeyParam. The problem though is that this functionality is not supported by all CSPs. If you're using Microsoft's own software based CSPs then there is no possibility at all to override the password dialog. Most people use these default CSPs, so I don't like to implement support for functionality that will most often fail anyway. It's very simple to implement this, so it might turn up in JCAPI some day, just have to think it through a bit.

However, if you use a hardware based CSP which has a PKCS#11 compliant DLL to access the token, then you can use JCAPI to override the dialog that is shown by the CSP, please see the interface JCAPIPKCS11PINCallback for more information on how to implement it.

Regards,
Tommy
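
The C# approach mentioned in the first post, as an added example that is not code from either poster or from JCAPI: it passes an application-collected PIN through `CspParameters.KeyPassword`, suppresses the CSP's own dialog with `NoPrompt`, and handles the case raised above where the CSP does not accept a PIN this way. The provider name, container name and class name are assumptions; it targets .NET Framework on Windows.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;

static class SilentPinExample
{
    // Assumed values: substitute the CSP and key container your middleware registers.
    const string ProviderName = "Microsoft Base Smart Card Crypto Provider";
    const string ContainerName = "EXAMPLE-CONTAINER"; // constructed placeholder

    // Read the PIN without echo, straight into a SecureString.
    static SecureString ReadPin()
    {
        var pin = new SecureString();
        Console.Write("PIN: ");
        for (var k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            pin.AppendChar(k.KeyChar);
        Console.WriteLine();
        pin.MakeReadOnly();
        return pin;
    }

    static int Main()
    {
        using (SecureString pin = ReadPin())
        {
            var csp = new CspParameters(1 /* PROV_RSA_FULL */, ProviderName, ContainerName)
            {
                KeyNumber = (int)KeyNumber.Signature,
                KeyPassword = pin, // handed to the CSP instead of its own prompt
                // UseExistingKey: never create a key; NoPrompt: fail rather than show UI.
                Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.NoPrompt
            };
            try
            {
                using (var rsa = new RSACryptoServiceProvider(csp))
                {
                    // Force a private-key operation so the PIN is actually checked.
                    // SHA1 is used only because PROV_RSA_FULL limits the hash choice.
                    byte[] sig = rsa.SignData(new byte[] { 1, 2, 3 }, "SHA1");
                    Console.WriteLine("Signed silently, {0} bytes", sig.Length);
                    return 0;
                }
            }
            catch (CryptographicException e)
            {
                // Wrong PIN, or a CSP that does not support setting the PIN this way.
                Console.Error.WriteLine("CSP rejected silent PIN: " + e.Message);
                return 1;
            }
        }
    }
}
```
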
msamblanet
Returner

Joined: Nov 21, 2011
Messages: 5
Offline

We are using hardware based keys injected into CAPI through SmartCard middleware. It does not go through PKCS11.

If there is any chance this might invoke the JCAPIPKCS11PINCallback, I can give it a shot, but as they are not loaded as PKCS11 sources, it did not feel right...
msamblanet
Returner

Joined: Nov 21, 2011
Messages: 5
Offline

Just ran a test - the PKCS11 PIN callback is not being called...which was what I expected but it was worth a try...
tommy
Pheox Support

Joined: May 30, 2005
Messages: 148
Offline

Hi,

You're correct. The CSP must in this case provide a PKCS#11 DLL for JCAPI to work with.

I have put the "silent password callback for CAPI CSP" as a requirement on our road map, since apparently you're not the only one who wants to have it now.

Sincerely,
Tommy