PKCS11 Token Removal
Hi,
I am using the PKCS11 wrapper from JDK 1.5 to access certificates on a token card. The goal is to shut down my secured client application when the card is removed from the reader.
Is there something similar to the password callback handler mechanism to be notified about card removal by the PKCS11 wrapper? Or do I constantly have to poll the card? If so, what would be the simplest call to the wrapper to check if the card is still there (and was not replaced by another in between two polls)?
Thanks in advance
Christian
When you mean "PKCS11 wrapper", I presume you mean the SunPKCS11 bridge? If so, read on.
If you're trying to keep your Java code generic and don't want to be tied to the token with custom code, you only have the KeyStore class and methods (http://java.sun.com/j2se/1.5.0/docs/api/java/security/KeyStore.html) available to access the token and its contents.
By staying with generic KeyStore methods, you do not have access to any specific PKCS11 functionality, but you can periodically call a KeyStore method (such as size() or getCertificate()) to see if the card is still in the reader. If the method comes back without an exception, then you know that the card was not removed; if you do get an exception (after you know those methods worked at least once during that session), then you know the card was removed because you will now have to initialize and load the KeyStore again to read the token contents.
If you don't care about tying your code to a specific vendor's token, then you can ask them for their JCE driver and see what methods they support that map to the PKCS11 capability you want.
I just thought of this: you can also use something like the JSS (http://www.mozilla.org/projects/security/pki/jss/) which gives you more capability than generic JCE, and yet gives you access to PKCS11 tokens through their ability to integrate third-party security modules using the modutil command.
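As an added example (not code from this thread) of the generic-KeyStore polling approach described in the answer, written against the JDK 1.5 SunPKCS11 API: it treats a KeyStore call that fails after having worked once as "card removed", and goes one step beyond the answer by re-loading the KeyStore and comparing a certificate fingerprint, so that a card swapped between two polls is detected as well. The config file path "pkcs11.cfg" and the PIN are assumed to be supplied by the caller.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.cert.Certificate;
import java.util.Arrays;

// Added example, not from the thread: cfgPath and pin are caller-supplied placeholders.
public class TokenWatcher {
    private final Provider provider;
    private final char[] pin;
    private KeyStore ks;
    private byte[] expectedFingerprint; // identity of the card present at startup

    public TokenWatcher(String cfgPath, char[] pin) throws Exception {
        // JDK 1.5 style: the SunPKCS11 provider is built directly from its config file
        this.provider = new sun.security.pkcs11.SunPKCS11(cfgPath);
        this.pin = pin;
        this.ks = loadKeyStore();
        this.expectedFingerprint = fingerprintOfFirstCert(ks);
    }

    private KeyStore loadKeyStore() throws Exception {
        KeyStore k = KeyStore.getInstance("PKCS11", provider);
        k.load(null, pin); // opens a token session and logs in with the PIN
        return k;
    }

    // SHA-1 over the DER encoding of the first certificate on the token
    // (assumes the first alias carries a certificate, as PKCS11 tokens normally do)
    private static byte[] fingerprintOfFirstCert(KeyStore k) throws Exception {
        String alias = k.aliases().nextElement(); // throws if the token is empty
        Certificate c = k.getCertificate(alias);
        return MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
    }

    // One poll: true only while the card seen at startup is still in the reader.
    public boolean cardStillPresent() {
        try {
            ks.size(); // cheap call; fails once the session's card is gone
            return true;
        } catch (Exception removed) {
            try { // session is dead: reload and check which card, if any, is present now
                ks = loadKeyStore();
                return Arrays.equals(expectedFingerprint, fingerprintOfFirstCert(ks));
            } catch (Exception stillGone) {
                return false;
            }
        }
    }
}
```

Call cardStillPresent() from a timer thread and shut the client down on the first false result; a card that was pulled and re-inserted keeps working, while a different card fails the fingerprint comparison.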