Fernando

Reputation: 41

Always ask for the pin KeyStore PKCS11

I have an applet for digital signature. My problem is that I initialize the keystore, but it remains open until the browser is closed. How do I ask for the PIN every time I want to sign?

This is the initialization code:

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import sun.security.pkcs11.SunPKCS11;

/* Obtain the provider for the key container */
String pkcs11config = "name=Athena\nlibrary=C:\\Windows\\system32\\asepkcs.dll";
byte[] pkcs11configBytes1 = pkcs11config.getBytes();
ByteArrayInputStream configStream1 = new ByteArrayInputStream(pkcs11configBytes1);
BouncyCastleProvider providerBC = new BouncyCastleProvider();

Security.addProvider(providerBC);
// Load the CIPE provider (Java 8 SunPKCS11 constructor taking the config as a stream)
SunPKCS11 providerPKCS11 = new SunPKCS11(configStream1);
Security.addProvider(providerPKCS11);
// Open the token as a KeyStore; the PIN is entered once here and the login persists
KeyStore ks = KeyStore.getInstance("PKCS11", providerPKCS11);
ks.load(null, null);

Can anyone tell me how to fix it? Thank you.

Upvotes: 4

Views: 2765

Answers (2)

jariq

Reputation: 12108

PKCS#11 shares the login state between all sessions so it should be enough for you to call providerPKCS11.logout(); and you should be logged out from all PKCS#11 sessions - signing operations should fail. Reloading KeyStore with correct PIN should log you in again in all sessions - signing operations should succeed. Displaying the GUI to the user and asking him to enter the PIN before every signing operation is up to you.

Upvotes: 1

Maarten Bodewes

Reputation: 94058

The PKCS#11 provider will only ask for a PIN when it is required. And it is only required per operation if the CKA_ALWAYS_AUTHENTICATE flag is set for the token key that is being used. To allow for a user PIN to be entered, a callback handler has to be implemented according to the PKCS#11 provider documentation.

Upvotes: 2
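The two answers combine into one pattern: supply the PIN through a CallbackHandler (Maarten's point) and call logout() on the provider after each signature so the shared PKCS#11 login state is dropped and the next signature has to prompt again (jariq's point). Whether the token itself forces a PIN per operation depends on CKA_ALWAYS_AUTHENTICATE, which is an attribute of the key on the token, not something the Java layer can switch on; the class below enforces the prompt from the Java side instead. This is an added example, not code from the question or from either answerer. It reuses the question's Java 8 SunPKCS11 constructor and config string; the alias, the SHA256withRSA algorithm, and the Supplier<char[]> used as the PIN source (in an applet this would be a Swing dialog) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.function.Supplier;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import sun.security.pkcs11.SunPKCS11;

/**
 * Signs one message with a PKCS#11 key, obtaining the PIN through a
 * CallbackHandler, and logs the provider out afterwards so that the
 * next call has to ask for the PIN again.
 */
public class PerOperationPinSigner {

    // Same config as the question (Java 8 style SunPKCS11 constructor).
    private static final String PKCS11_CONFIG =
            "name=Athena\nlibrary=C:\\Windows\\system32\\asepkcs.dll";

    private final AuthProvider provider;      // SunPKCS11 extends AuthProvider
    private final CallbackHandler pinHandler;

    public PerOperationPinSigner(Supplier<char[]> pinSource) {
        this.provider = new SunPKCS11(new ByteArrayInputStream(
                PKCS11_CONFIG.getBytes(StandardCharsets.UTF_8)));
        this.pinHandler = pinHandler(pinSource);
    }

    /** Signs data with the key under alias; assumed algorithm SHA256withRSA. */
    public byte[] sign(String alias, byte[] data) throws Exception {
        // CallbackHandlerProtection makes the provider ask our handler for the
        // PIN when it logs in, instead of relying on a login from earlier.
        KeyStore.Builder builder = KeyStore.Builder.newInstance(
                "PKCS11", provider, new KeyStore.CallbackHandlerProtection(pinHandler));
        try {
            KeyStore ks = builder.getKeyStore();
            PrivateKey key = (PrivateKey) ks.getKey(alias, null); // PIN already given via handler
            if (key == null) {
                throw new IllegalArgumentException("no private key for alias " + alias);
            }
            Signature sig = Signature.getInstance("SHA256withRSA", provider);
            sig.initSign(key);
            sig.update(data);
            return sig.sign();
        } finally {
            // PKCS#11 login state is shared by all sessions of the provider, so
            // one logout() invalidates it everywhere: a later sign() without a
            // fresh login fails, and the user is prompted again.
            provider.logout();
        }
    }

    /** Builds a handler that fetches the PIN from pinSource and wipes its copy afterwards. */
    private static CallbackHandler pinHandler(Supplier<char[]> pinSource) {
        return (Callback[] callbacks) -> {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    char[] pin = pinSource.get();
                    ((PasswordCallback) cb).setPassword(pin); // setPassword keeps its own clone
                    Arrays.fill(pin, '\0');                   // so our copy can be cleared now
                } else {
                    throw new UnsupportedCallbackException(cb, "only PasswordCallback is handled");
                }
            }
        };
    }
}
```

Usage: construct the signer once, e.g. with a supplier that opens a PIN dialog, and call sign(alias, data) per document; because of the logout() in the finally block, every call goes back through the supplier. Clearing the PIN array in the handler limits how long the secret sits in the applet's heap, and passing the provider directly to KeyStore.Builder and Signature.getInstance avoids registering it globally with Security.addProvider.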
