uı6ʎɹnɯ ꞁəıuɐp

Reputation: 3481

PKCS#11 driver prompts for PIN for each key

I am using CardOS API driver from Siemens as PKCS#11 driver to load certificates from a PKI card as follows:

import java.security.KeyStore;
import java.security.Security;

char[] pin = "123456".toCharArray();
KeyStore.PasswordProtection pp = new KeyStore.PasswordProtection(pin);
// "SunPKCS11-verinice" is the name of the installed SunPKCS11 provider instance for the card
KeyStore keyStore = KeyStore.Builder.newInstance("PKCS11", Security.getProvider("SunPKCS11-verinice"), pp).getKeyStore();
keyStore.load(null, pin);
keyStore.getKey("key 1", pin);
keyStore.getKey("key 2", pin);

The driver prompts for a PIN for each key although I pass it as a parameter. Is there any other way to pass the PIN by API? Is there any "PIN cache" I can activate?

Upvotes: 5

Views: 4704

Answers (3)

wam

Reputation: 46

I'm also working with CardOS and Siemens cards.

There are two PINs on a card.

  1. Card PIN. Used to unlock the card and read the certificates. You can handle this PIN with your own callback. PIN is only needed once.
  2. Signature PIN. Used to access the qualified signature certificate. This PIN must be entered for each signature. The PIN dialog is from the Siemens middleware and you cannot dismiss it.

In most cases both PINs are the same (else the users get confused). I also have a card without a signature PIN. With this I can sign without another PIN entry. Maybe you can remove the signature PIN or get a card without a signature PIN.

Upvotes: 3

Martin Paljak

Reputation: 4142

You should ask your PKCS#11 vendor about this, in this case Siemens. There's probably nothing you can do from Java.

Upvotes: 2

Bruno

Reputation: 122739

You can use a custom CallbackHandler capable of handling a PasswordCallback, as described in section 3.1 of the Java PKCS#11 guide. Caching passwords should be done with appropriate caution, of course.

Upvotes: 5
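Bruno's suggestion, worked out as an added example that is not from the original answer: a CallbackHandler that answers the SunPKCS11 provider's PasswordCallback from memory and is installed both on the provider (AuthProvider.setCallbackHandler) and on the KeyStore.Builder (KeyStore.CallbackHandlerProtection). It assumes the provider name "SunPKCS11-verinice" and the key aliases from the question; as wam's answer notes, a dialog raised by the Siemens middleware itself does not pass through this handler, so it only removes prompts that SunPKCS11 raises.

```java
import java.io.IOException;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Answers PasswordCallbacks from SunPKCS11 with a PIN held in memory, so no dialog is shown. */
public final class CachedPinHandler implements CallbackHandler {
    private final char[] pin;

    public CachedPinHandler(char[] pin) {
        this.pin = pin.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof PasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only PasswordCallback is supported");
            }
            ((PasswordCallback) cb).setPassword(pin); // setPassword copies the array
        }
    }

    /** Overwrite the cached PIN once the keys are no longer needed. */
    public void clear() {
        Arrays.fill(pin, '\0');
    }

    public static void main(String[] args) throws Exception {
        // "SunPKCS11-verinice" is the provider name from the question; it must already be configured.
        Provider p = Security.getProvider("SunPKCS11-verinice");
        CachedPinHandler handler = new CachedPinHandler("123456".toCharArray());
        // Route the provider's own login prompts to the handler instead of an interactive dialog.
        ((AuthProvider) p).setCallbackHandler(handler);
        // CallbackHandlerProtection makes the keystore consult the same handler when it loads.
        KeyStore.ProtectionParameter prot = new KeyStore.CallbackHandlerProtection(handler);
        KeyStore keyStore = KeyStore.Builder.newInstance("PKCS11", p, prot).getKeyStore();
        // Once the token is logged in, SunPKCS11 needs no per-key password: pass null.
        System.out.println(keyStore.getKey("key 1", null));
        System.out.println(keyStore.getKey("key 2", null));
        handler.clear();
    }
}
```

Keeping the PIN in a char[] and wiping it with clear() limits how long it sits in memory, which is the caution Bruno's answer refers to.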
