General Issues » Providing Key Passwords

Author: msamblanet, Visitor
29/11/2011 17:15:00
Our application accesses password protected keys and we would like to use our own password prompting for these keys.

In JCAPI, I do not see any way to set this password. I tried providing a password for the private key but this did not work.

Is there a way to set this password? If not is it something that you would consider for an enhancement?

FYI - Under our C# code, we do this by setting CspParameters.KeyPassword to the user-provided password. I have not coded this at the C layer, but I believe this maps to CryptSetProvParam with some variation of the values PP_SECURE_KEYEXCHANGE_PIN, PP_KEYEXCHANGE_PIN, PP_SECURE_SIGNATURE_PIN, and PP_SIGNATURE_PIN.
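The C# approach described in the post above, written out as an added example for reference (this is not code from the thread author or from the JCAPI project): the application collects the PIN with its own prompt, hands it to the CSP through CspParameters.KeyPassword, and requests signing with NoPrompt set so that a CSP which does not honour the supplied PIN fails instead of raising its own dialog. The provider type, provider name and container name are placeholders, and the hash algorithm must be one the CSP in use supports.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the JCAPI project or the thread author.
// Signs data with a key held in a named CAPI key container, supplying the
// user's PIN through CspParameters.KeyPassword so the CSP's own dialog is
// bypassed. Provider and container names below are placeholders.
static class SilentCapiSigner
{
    // Builds a SecureString from a PIN collected by the application's own prompt.
    static SecureString ToSecureString(string pin)
    {
        var secure = new SecureString();
        foreach (char c in pin) secure.AppendChar(c);
        secure.MakeReadOnly();
        return secure;
    }

    // Returns a PKCS#1 v1.5 / SHA-256 signature, or throws CryptographicException
    // if the CSP rejects the PIN, cannot find the container, or needs UI.
    public static byte[] SignWithContainerKey(
        int providerType, string providerName, string containerName,
        SecureString pin, byte[] data)
    {
        var csp = new CspParameters(providerType, providerName, containerName)
        {
            // UseExistingKey: never generate a key if the container is missing.
            // NoPrompt: fail instead of showing UI when the CSP needs interaction
            // (for example a CSP that ignores KeyPassword); this is what you want
            // on a server with no interactive desktop.
            Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.NoPrompt,
            KeyNumber = (int)System.Security.Cryptography.KeyNumber.Signature, // AT_SIGNATURE
            KeyPassword = pin   // the PIN the CSP would otherwise prompt for
        };

        using (var rsa = new RSACryptoServiceProvider(csp))
        {
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        // Constructed sample input; real values come from the deployed CSP.
        const int PROV_RSA_FULL = 1;                         // replace with the card CSP's type
        string providerName = "PLACEHOLDER Smart Card CSP";  // placeholder provider name
        string containerName = "PLACEHOLDER-container";      // placeholder container name
        byte[] payload = Encoding.UTF8.GetBytes("document to sign");

        // In practice the PIN comes from the application's own prompt, not a literal.
        using (SecureString pin = ToSecureString("1234"))
        {
            try
            {
                byte[] sig = SignWithContainerKey(PROV_RSA_FULL, providerName, containerName, pin, payload);
                Console.WriteLine("Signature length: " + sig.Length);
            }
            catch (CryptographicException ex)
            {
                // Typical causes: wrong PIN, container not found, or a CSP that
                // does not honour KeyPassword and would have shown its own dialog.
                Console.WriteLine("Silent signing failed: " + ex.Message);
            }
        }
    }
}
```

Keeping the PIN in a SecureString and disposing it after use limits how long it sits in plain text in process memory; the NoPrompt flag is the important operational choice, because without it an unsupported KeyPassword silently degrades to a modal dialog that blocks unattended code.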


Author: tommy, Visitor
29/11/2011 20:24:15
Hi,

Yes, you're correct. One can use KP_KEYEXCHANGE_PIN or KP_SIGNATURE_PIN through the CAPI function CryptSetKeyParam. The problem, though, is that this functionality is not supported by all CSPs. If you're using Microsoft's own software-based CSPs then there is no possibility at all to override the password dialog. Most people use these default CSPs, so I don't like to implement support for functionality that will most often fail anyway. It's very simple to implement this, so it might turn up in JCAPI some day; I just have to think it through a bit.

However, if you use a hardware-based CSP which has a PKCS#11 compliant DLL to access the token, then you can use JCAPI to override the dialog that is shown by the CSP. Please see the interface JCAPIPKCS11PINCallback for more information on how to implement it.

Regards,
Tommy

Author: msamblanet, Visitor
30/11/2011 19:25:15
We are using hardware-based keys injected into CAPI through SmartCard middleware. It does not go through PKCS11.

If there is any chance this might invoke the JCAPIPKCS11PINCallback, I can give it a shot, but as they are not loaded as PKCS11 sources, it did not feel right...

Author: msamblanet, Visitor
01/12/2011 16:32:14
Just ran a test - the PKCS11 PIN callback is not being called... which was what I expected, but it was worth a try...

Author: tommy, Visitor
01/12/2011 19:34:56
Hi,

You're correct. The CSP must in this case provide a PKCS#11 DLL for JCAPI to work with.

I have put the "silent password callback for CAPI CSP" as a requirement on our road map, since apparently you're not the only one who wants to have it now.

Sincerely,
Tommy
