user310291

Reputation: 38180

java keystore and password security for smartcard on windows

http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html

In the code below, the password is requested from the user by the Java application:

import java.io.FileInputStream;
import java.security.KeyStore;

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

// get user password and file input stream
char[] password = getPassword();   // placeholder from the Oracle docs: prompts the user and returns the password as a char array
FileInputStream fis = new FileInputStream("keyStoreName");
ks.load(fis, password);            // the password is handed to the keystore implementation in this process's memory
fis.close();

Does it mean the application could get my digital certificate password even if it is on a smartcard, and potentially use it for something else?

Upvotes: 0

Views: 944

Answers (1)

Duncan Jones

Reputation: 69329

Yes, another application with sufficient privileges could read the contents of the password from memory or snoop the password as it is typed into the keyboard.

The code example shows the password stored as a char array, which is recommended practice. Such arrays can be reset to a different value after the password is used, unlike immutable Strings. This minimises the attack window, but does not remove it.

Several smart card manufacturers offer external PIN pad devices that ensure the password is delivered directly to the card. You could consider investigating one of these solutions.

Upvotes: 2
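The two points in the answer, wiping a char[] password after KeyStore.load() and keeping the PIN out of the application entirely when the reader has a PIN pad, in working code. This is an added example, not code from the question, the answer, or the Oracle documentation. The file-keystore part runs as is against a keystore it builds in memory (constructed sample input, no real keystore file). The smart-card part assumes a SunPKCS11 provider has already been configured and registered under the hypothetical name "SunPKCS11-smartcard", and assumes the usual PKCS#11 behaviour that passing a null password to load() lets a reader with a protected authentication path (a PIN pad) collect the PIN itself; neither of those is shown on the page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

public class KeyStorePinHandling {

    // Loads a keystore with the supplied password, then overwrites the password
    // array in a finally block so the secret does not linger in the heap after use.
    // A String password could not be wiped this way: Strings are immutable and stay
    // in memory until the garbage collector happens to reclaim them.
    static KeyStore loadWithPassword(InputStream in, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try {
            ks.load(in, password);
        } finally {
            Arrays.fill(password, '\0'); // wiped even if load() throws (wrong password, corrupt file)
        }
        return ks;
    }

    // Smart-card variant. Assumption: a SunPKCS11 provider is configured and registered
    // under the hypothetical name "SunPKCS11-smartcard". With a reader that has a PIN pad,
    // pass null as the password: the PIN is typed on the pad and delivered to the card by
    // the driver, so it never enters this process's memory at all.
    static KeyStore loadFromCard(char[] pinOrNull)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-smartcard");
        try {
            ks.load(null, pinOrNull);   // PKCS#11 keystores take no input stream
        } finally {
            if (pinOrNull != null) {
                Arrays.fill(pinOrNull, '\0');
            }
        }
        return ks;
    }

    // True when every element of the array has been zeroed.
    static boolean isWiped(char[] secret) {
        return Arrays.equals(secret, new char[secret.length]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an empty keystore written to a byte array with a
        // throwaway password, so the example runs without any real keystore file or card.
        KeyStore fresh = KeyStore.getInstance(KeyStore.getDefaultType());
        fresh.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        char[] pw = "example-password".toCharArray();
        fresh.store(out, pw);

        // Reload through the helper and confirm the password array was wiped on the way out.
        KeyStore reloaded = loadWithPassword(new ByteArrayInputStream(out.toByteArray()), pw);
        System.out.println("entries in reloaded keystore: " + reloaded.size());
        System.out.println("password array wiped: " + isWiped(pw));

        // Reading the PIN interactively: Console.readPassword() returns a char[] and never
        // creates a String copy, which is what makes wiping possible. System.console() is
        // null when no terminal is attached, so guard it.
        if (System.console() != null) {
            char[] pin = System.console().readPassword("Card PIN (leave blank to use the PIN pad): ");
            // loadFromCard(pin.length == 0 ? null : pin);   // needs the configured PKCS#11 provider
            Arrays.fill(pin, '\0');
        }
    }
}
```

The wipe narrows the window in which the PIN is readable from this process's memory, as the answer says; it does nothing about a keylogger or a debugger attached while the PIN is being typed. Only the PIN-pad path, where the application passes null and the card driver talks to the pad directly, keeps the PIN out of the application altogether.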
