Smart Card based ssl connection not possible with SunPKCS11 Provider?
Dear all
We have been using JSSE connections with file-based PKCS12 keystores for a long time.
Now we'd like to replace these .p12 files with SmartCards.
While the jsse 5 reference guide suggests:
"To use a Smartcard as a keystore or trust store, set the javax.net.ssl.keyStoreType and javax.net.ssl.trustStoreType system properties, respectively, to "pkcs11", and set the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties, respectively, to NONE. To specify the use of a specific provider, use the javax.net.ssl.keyStoreProvider and javax.net.ssl.trustStoreProvider system properties (e.g., "SunPKCS11-joe"). By using these properties, you can configure an application that previously depended on these properties to access a file-based keystore to use a Smartcard keystore with no changes to the application."
this does not work!
In the following Code sequence we get a
java.net.SocketException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
.
.
.
System.setProperty("javax.net.ssl.trustStoreType","pkcs11");
System.setProperty("javax.net.ssl.trustStore","NONE");
System.setProperty("javax.net.ssl.trustStorePassword", pin);
System.setProperty("javax.net.ssl.trustStoreProvider","SunPKCS11-ACOSTOKEN");
System.setProperty("javax.net.ssl.keyStoreType","pkcs11");
System.setProperty("javax.net.ssl.keyStore","NONE");
System.setProperty("javax.net.ssl.keyStorePassword", pin);
System.setProperty("javax.net.ssl.keyStoreProvider","SunPKCS11-ACOSTOKEN");
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket)factory.createSocket(host, 443);// Exception here --> CKR_ATTRIBUTE_TYPE_INVALID
socket.startHandshake();
.
.
.
Because the SmartCard with the KeyMaterial on it is working with
- IAIK package (JCE + PKCS11Wrapper + SSL)
- FireFox 2
I suggest we do something wrong here.
Has anyone an idea what it might be?
Thanks for your help
Marcel
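
The following is an added example, not part of the original post: it replaces the system properties with explicit JSSE calls so that the step raising the PKCS11Exception (token login, object enumeration, key manager setup, or handshake) can be identified from the stack trace. It assumes Java 6 or later, that the provider "SunPKCS11-ACOSTOKEN" named in the post is already registered, and, as a deliberate isolation step, it takes trust anchors from the JRE default trust store instead of the token; the class name TokenSslCheck is hypothetical.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TokenSslCheck {                        // hypothetical class name
    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            throw new IllegalStateException("usage: TokenSslCheck <host> (run from a terminal)");
        }
        String host = args[0];
        char[] pin = System.console().readPassword("Token PIN: "); // keep the PIN off the command line

        // Step 1: the provider from the post must already be registered
        // (java.security entry or Security.addProvider); assumption of this example.
        Provider p = Security.getProvider("SunPKCS11-ACOSTOKEN");
        if (p == null) throw new IllegalStateException("SunPKCS11-ACOSTOKEN is not registered");

        // Step 2: log in to the token and list what the provider can see on it.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                         // no stream for a token, only the PIN
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + " keyEntry=" + ks.isKeyEntry(alias)
                    + " trustedCertEntry=" + ks.isCertificateEntry(alias));
        }

        // Step 3: client keys come from the token; the PIN was already presented in load().
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);

        // Step 4: trust anchors come from the JRE default trust store, not the token,
        // so a trust-store problem cannot be confused with a key-store problem.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        // Step 5: handshake with an explicitly built context instead of getDefault().
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443);
        try {
            socket.startHandshake();
            System.out.println("Handshake OK: " + socket.getSession().getCipherSuite());
        } finally {
            socket.close();
        }
    }
}
```

If steps 1 to 3 succeed and only the handshake fails, running again with -Djavax.net.debug=ssl shows which private-key operation the token rejected.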

