EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Using applet with eToken

Posted: 07/28/2014 22:57:09
by Sóstenes Alves (Standard support level)
Joined: 12/11/2012
Posts: 6


I am using the applet that came with the EldoS SDK to sign documents using eToken.

My eToken is automatically loaded to the Windows Storage when it is connected to the computer. So, in my case, it is more practical to access the eToken via Windows Storage than implementing the SunPKCS11.

The problem is that in this case, apparently you cannot use the signingKey object, or it is not used when the process method is executed.

In the attached image, in line 1016, the signingCert and signingKey objects are created correctly, but when running line 1018, the applet opens the authentication program that comes with the eToken.

My question is: is this expected behavior? That is, if I use an eToken via Windows Storage, I always have to authenticate using the software provided with the eToken?

Thank you!

Posted: 07/29/2014 05:03:22
by Ken Ivanov (Team)

Hello Sóstenes,

Thank you for contacting us.

The authentication process is controlled by the token's CSP, an intermediate cryptographic layer put between the CryptoAPI (which provides Windows Storage access) and the low-level token driver. In some cases you can pass the PIN to the driver in a programmatic way. We will check if it is possible to do this from within the Java applet and get back to you once we are ready to answer (hopefully, later today or tomorrow).

Posted: 07/29/2014 06:31:10
by Sóstenes Alves (Standard support level)
Joined: 12/11/2012
Posts: 6

Thanks Ken! I'll be waiting.

Posted: 07/29/2014 07:52:13
by Ken Ivanov (Team)

Hi Sóstenes,

Not the best news, sorry. It appears that JSP SunMSCAPI does not allow the user code to set CSP parameters (including those responsible for PINs). This means that there is no way to pass the PIN to the driver from the applet's code.

The vendor's authentication screen could probably be overridden by accessing the token through its PKCS#11 interface, where you can pass the PIN from your code. Yet this also needs checking, as certain devices and drivers (not all, not even a majority) always default to their own authentication dialog.

Posted: 07/29/2014 23:21:09
by Sóstenes Alves (Standard support level)
Joined: 12/11/2012
Posts: 6

Thanks for the info, Ken. I'll do some testing with the PKCS#11 interface.
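
The PKCS#11 route mentioned in the thread, as an added example that is not part of the original posts and not EldoS code: it uses only the JDK's own SunPKCS11 provider (Java 9+ `configure` call), and the PIN passed to `KeyStore.load` is what logs in to the token. The library path is a placeholder, and the RSA key type and the class name are assumptions; as noted above, some drivers may still show their own dialog.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import java.util.Collections;

public class TokenSignExample {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Placeholder path: point this at the token vendor's PKCS#11 library.
        String cfg = "name = Token\n"
                   + "library = C:/path/to/vendor-pkcs11.dll\n"
                   + "slotListIndex = 0\n";
        Path cfgFile = Files.createTempFile("pkcs11", ".cfg");
        Files.write(cfgFile, cfg.getBytes(StandardCharsets.UTF_8));

        // Java 9+: derive a configured instance from the built-in SunPKCS11 provider.
        Provider p = Security.getProvider("SunPKCS11").configure(cfgFile.toString());
        Security.addProvider(p);

        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from a terminal");
        char[] pin = console.readPassword("Token PIN: ");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);  // the PIN is handed to the driver here, from code
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isKeyEntry(alias)) continue;  // skip certificate-only entries
                // The key object is only a handle; the private key stays on the token.
                PrivateKey key = (PrivateKey) ks.getKey(alias, null);
                Signature sig = Signature.getInstance("SHA256withRSA", p);  // assumes an RSA key
                sig.initSign(key);
                sig.update("constructed sample data".getBytes(StandardCharsets.UTF_8));
                System.out.println(alias + ": " + sig.sign().length + "-byte signature");
                break;
            }
        } finally {
            Arrays.fill(pin, '\0');  // do not leave the PIN in memory
            Files.deleteIfExists(cfgFile);
        }
    }
}
```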


