1
votes

I need to use PKCS#11 with Java 7 on 64-bit Windows for reading certificates from smart cards. The Oracle docs say there is no Sun PKCS#11 provider for 64-bit Windows. If I understand correctly, this means that even if I have a PKCS#11 native library, I don't have the Java "bridge" classes to interact with the native PKCS#11 implementation. What are my options? I can think of these:

  • Use an external program, e.g. a command line utility to interact with the smart card and pipe the output into my Java application
  • Somehow implement the missing PKCS#11 provider in Java? (I want to avoid the work)
  • Use a third party Java library which implements the missing Sun provider?

After much searching, I have not found a solution. The closest was an OpenJDK implementation, but I can't switch from the Oracle JDK to OpenJDK.

Am I missing something? Why are there no obvious solutions? What are my options?

Many thanks.
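For reference, this is what the provider-based route from the question looks like when the bridge is available (an added example, not code from the question or from Oracle). It builds a SunPKCS11 provider from an in-memory config, opens the token as a `PKCS11` KeyStore and lists the X.509 certificates on it. The DLL path and the PIN handling are placeholders; the `sun.security.pkcs11.SunPKCS11(InputStream)` constructor is the Java 7/8 one (Java 9 and later use `Provider.configure` instead), and it is called through reflection so the code still compiles on a JVM that does not ship the class. On a JDK without the 64-bit native bridge, the failure surfaces at provider construction, which is the check the question is really asking for.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

public class SmartCardCerts {

    // Placeholder: path to the card vendor's PKCS#11 module (must match the JVM's data model).
    private static final String PKCS11_LIBRARY = "C:\\Path\\To\\vendor-pkcs11.dll";

    /** True if this JVM ships the SunPKCS11 bridge class at all (the native DLL is checked later). */
    static boolean sunPkcs11ClassPresent() {
        try {
            Class.forName("sun.security.pkcs11.SunPKCS11");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** Builds and registers a SunPKCS11 provider for the given module (Java 7/8 constructor). */
    static Provider loadProvider(String name, String libraryPath) throws Exception {
        String config = "name=" + name + "\n"
                      + "library=" + libraryPath + "\n";
        Class<?> cls = Class.forName("sun.security.pkcs11.SunPKCS11");
        Constructor<?> ctor = cls.getConstructor(InputStream.class);
        // Without the native bridge this typically throws UnsatisfiedLinkError or ProviderException.
        Provider provider = (Provider) ctor.newInstance(
                new ByteArrayInputStream(config.getBytes("UTF-8")));
        Security.addProvider(provider);
        return provider;
    }

    /** Reads every X.509 certificate the token exposes through the PKCS11 KeyStore. */
    static List<X509Certificate> readCertificates(Provider provider, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin); // many tokens let you read public certificates with a null PIN
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM data model: " + System.getProperty("sun.arch.data.model") + "-bit");
        if (!sunPkcs11ClassPresent()) {
            System.out.println("No sun.security.pkcs11.SunPKCS11 class in this JVM.");
            return;
        }
        if (!new File(PKCS11_LIBRARY).isFile()) {
            System.out.println("PKCS#11 module not found: " + PKCS11_LIBRARY);
            return;
        }
        Provider provider = loadProvider("SmartCard", PKCS11_LIBRARY);
        System.out.println("Registered provider " + provider.getName()); // "SunPKCS11-SmartCard"

        char[] pin = null; // placeholder: read from System.console().readPassword() if login is required
        try {
            for (X509Certificate cert : readCertificates(provider, pin)) {
                System.out.println(cert.getSubjectX500Principal() + " (serial " + cert.getSerialNumber() + ")");
            }
        } finally {
            if (pin != null) Arrays.fill(pin, '\0'); // do not leave the PIN in memory longer than needed
        }
    }
}
```

The provider name is always `SunPKCS11-` followed by the `name` from the config, so `Security.getProvider("SunPKCS11-SmartCard")` is a cheap way to test whether registration succeeded elsewhere in the application. The same `KeyStore` is what TLS and XML-DSig stacks consume, which is the interop the first answer below refers to as the benefit of going through a provider rather than calling PKCS#11 directly.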


2 Answers

1
votes

The reason that there are no options within Java 7 itself is that you're using an end-of-life product. You should really upgrade to Java 8.

That said, the Sun/Oracle PKCS#11 provider is built upon a PKCS#11 wrapper from IAIK. Since there is a 64-bit version of the provider for Java 8, that probably means it is possible to compile it for Java 7 as well.

However, even if you get the wrapper to work, that doesn't necessarily mean that you get the Java 7 provider to work with it. Java 7 providers need to be signed as well, so you would likely run into trouble with that even if you could make the provider work with the Java 7 PKCS#11 provider. You can however use the PKCS#11 functionality directly. Of course you'd lose the benefits of the provider, mainly the interop with higher level APIs for TLS, XML-digsig etc.

Of course IAIK also sells their own provider, which has been security evaluated etc. Part of the documentation reads:

Note, if you have a 64-bit PKCS#11 module of your crypto hardware, you must also use the 64-bit version of the Wrapper native library, and you must also use a 64-bit Java™ VM (e.g. java -d64 ...).

0
votes

All options are possible.

External program requires that you write the native code for each platform.

Implementing a missing provider might be possible, especially if one exists in OpenJDK and you can borrow it from there (if the license allows).

As for third-party libraries - I know only our own SecureBlackbox which implements all security internally and works with PKCS#11 devices via JNI.
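The "external program" option from the question and this answer can be done without writing native code per platform if an existing PKCS#11 command-line tool is available on the machine. As an added example (not code from any of the answers or from the projects they mention), the class below shells out to OpenSC's `pkcs11-tool` to export one certificate object by its hex ID into a temporary DER file and then parses it with the JDK's own `CertificateFactory`. The tool and module paths are placeholders; the `--module`, `--read-object`, `--type cert`, `--id` and `--output-file` options are real `pkcs11-tool` options, but the installation path is an assumption.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

public class Pkcs11ToolBridge {

    // Placeholders: location of OpenSC's pkcs11-tool and of the vendor PKCS#11 module.
    private static final String PKCS11_TOOL = "C:\\Program Files\\OpenSC Project\\OpenSC\\tools\\pkcs11-tool.exe";
    private static final String PKCS11_MODULE = "C:\\Path\\To\\vendor-pkcs11.dll";

    /** Exports the certificate object with the given CKA_ID (hex) and parses it. */
    static X509Certificate readCertificate(String objectIdHex) throws Exception {
        // Only a hex object ID is ever placed on the command line; everything else is fixed.
        if (!objectIdHex.matches("[0-9A-Fa-f]+")) {
            throw new IllegalArgumentException("object id must be hex: " + objectIdHex);
        }
        File der = File.createTempFile("smartcard-cert", ".der");
        try {
            // Arguments are passed as a list, so no shell is involved and no quoting is needed.
            List<String> cmd = Arrays.asList(
                    PKCS11_TOOL,
                    "--module", PKCS11_MODULE,
                    "--read-object", "--type", "cert",
                    "--id", objectIdHex,
                    "--output-file", der.getAbsolutePath());
            ProcessBuilder pb = new ProcessBuilder(cmd);
            pb.redirectErrorStream(true); // merge stderr so a failure message is captured
            Process p = pb.start();
            String output = readAll(p.getInputStream()); // drain before waitFor() to avoid a pipe deadlock
            int exit = p.waitFor();
            if (exit != 0) {
                throw new IOException("pkcs11-tool exited with " + exit + ": " + output.trim());
            }
            InputStream in = new FileInputStream(der);
            try {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                return (X509Certificate) cf.generateCertificate(in);
            } finally {
                in.close();
            }
        } finally {
            der.delete(); // the file only ever held a public certificate, but do not leave it behind
        }
    }

    private static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception {
        String id = args.length > 0 ? args[0] : "01"; // placeholder object ID
        X509Certificate cert = readCertificate(id);
        System.out.println(cert.getSubjectX500Principal());
        System.out.println("valid until " + cert.getNotAfter());
    }
}
```

Because reading certificate objects normally needs no token login, no PIN ever reaches the child process's command line, where it would be visible to other local users through the process list. The trade-off this answer points out still applies: you depend on the tool being installed for each platform and on its exit code and file output staying stable, and you get none of the `KeyStore`-level integration that a JCA provider gives.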