#238 PKCS#11 Keystore Support (Smartcard)


We need Smartcard support for WSS signing and decrypting. Our Smartcards come with a dll which implements the PKCS#11 interface. Sun added a JCE Provider which can be used to integrate a PKCS#11 dll to the JDK/JRE (see http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html). The Sun PKCS#11 Provider makes it possible to access a PKCS#11 Token as a java.security.KeyStore.

Therefore, it should be possible to add PKCS#11 support for WSS by reusing most of the existing code. IMHO, the feature could be implemented so that the user can add a Keystore for a PKCS#11 dll on the "Project/SecurityConfiguration/Keystores" Tab.

The attached sample code demonstrates how to create a Keystore for a PKCS#11 dll and how to implement the password callback. The user should not be forced to store his smartcard password in the config.
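
An added example, not the attachment mentioned in this ticket and not SoapUI code: loading a PKCS#11 token as a `java.security.KeyStore` through the SunPKCS11 provider, with the PIN requested through a `CallbackHandler` at login time so it is never written to a configuration file. The class name, the token name "Smartcard", and the library path taken from the command line are assumptions, and the provider is configured with the Java 9+ `Provider.configure` call.

```java
import java.io.File;
import java.io.FileWriter;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class Pkcs11KeystoreExample {          // hypothetical class name
    /** Invoked only when the token requires a login; the PIN is never persisted. */
    static final CallbackHandler PIN_PROMPT = new CallbackHandler() {
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) throw new UnsupportedCallbackException(cb);
                if (System.console() == null) throw new IllegalStateException("no console for PIN entry");
                char[] pin = System.console().readPassword("Smartcard PIN: ");
                ((PasswordCallback) cb).setPassword(pin);  // the callback keeps its own copy
                if (pin != null) Arrays.fill(pin, '\0');   // wipe the local copy
            }
        }
    };

    static KeyStore load(String tokenName, String pkcs11Library) throws Exception {
        File cfg = File.createTempFile("pkcs11-", ".cfg"); // SunPKCS11 configuration file
        cfg.deleteOnExit();
        try (FileWriter w = new FileWriter(cfg)) {
            w.write("name = " + tokenName + "\nlibrary = " + pkcs11Library + "\n");
        }
        // Java 9+; older JDKs construct sun.security.pkcs11.SunPKCS11 from the config instead.
        Provider p11 = Security.getProvider("SunPKCS11").configure(cfg.getAbsolutePath());
        Security.addProvider(p11);
        return KeyStore.Builder.newInstance("PKCS11", p11,
                new KeyStore.CallbackHandlerProtection(PIN_PROMPT)).getKeyStore();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: Pkcs11KeystoreExample <path-to-pkcs11-library>");
            return;
        }
        KeyStore ks = load("Smartcard", args[0]);
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + (ks.isKeyEntry(alias) ? " (private key)" : " (certificate)"));
        }
    }
}
```

Private keys stay on the token: `ks.getKey(alias, null)` returns a handle that the provider uses for signing and decryption, not exportable key material.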


  • Matthias Germann

    Helper Class for loading a Keystore for a PKCS#11 Token

  • Matthias Germann

    The smartcard support could also be implemented by using the Windows native keystore (Microsoft CryptoAPI, works only on MS Windows):

    KeyStore ks = KeyStore.getInstance("Windows-MY");
    ks.load(null, null);

    The password callback is performed by the native keystore. See http://java.sun.com/developer/technicalArticles/J2SE/security/index.html for details.