Even if one can identify the private key using the public key or certificate as an identity, one will still have to provide the PIN.
Thanks, that is true. But what I want is to get the private key while providing the PIN code, using the fact that we already possess the corresponding public key, which was fetched without the need for the PIN, since it is public. I never said above that what I wanted was to get the private key without the PIN. Sorry, my bad (my English is not great stuff)!
Again, since we already possess the public key, is there a way to get the corresponding private key from the smart card (which is a keystore like any other ...)?
If you could get the private key out without the PIN it would be a major security breach and the device would be completely pointless. So you can't do it.
And don't think that because you have the public key you have any entitlement to the private key. Anybody has access to the public key. That's what a public key is for.
If you have already loaded the keystore then you can easily get the PrivateKey using getKey(String alias, char[] password) if the private key is exportable. The standard keystores like JKS will allow you to access the private key like this; however, smart card devices can and most likely will have a restriction on you being able to access the PrivateKey even if you have the pass/PIN for it. So most likely, you will not be able to access the private key, especially if you are using it through the PKCS11 interface.
So it's not possible to do such a thing as I was thinking of.
Thanks for all your replies,
If you have control over the keys that are being populated in the smart card, you can use a naming scheme that allows you to derive the private key name from the public key. You could have key-x and have aliases key-x-public and key-x-private. Obviously this only works if you have control over key aliases. As the smartcard is essentially a portable PKCS11 token, you may also be able to have a cert, public and private key with the same alias. This would depend on the P11 provider you have for your card. Note that you will not have the actual key, but a handle to the key that the provider/card will use to perform private key crypto operations on the card.
Here is an excerpt from my HSM contents:
    ./ctkmu l -s 14
    Do you wish to view private (user) objects [y/N]: y
    Please enter User's PIN for the token in slot 14:
    Public and Private Objects:
    root-ca - PUBLIC_KEY RSA
    root-ca - PRIVATE_KEY RSA
    root-ca - CERTIFICATE RSA (trusted)
    ...
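The pattern the last reply describes (cert, public key and private key under one alias on a PKCS#11 token, the PIN unlocking a handle rather than key material) looks like this in Java. This is an added example, not code posted in the thread or shipped with any vendor's software; the config file path, the slot number 14 and the alias root-ca are assumptions taken from the listing above, and the PKCS#11 library path in the config is a placeholder you replace with your card's driver.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;

/*
 * Assumed SunPKCS11 config file (pkcs11.cfg), written by hand for this example:
 *   name = SmartCard
 *   library = /path/to/vendor-pkcs11-library.so   <-- placeholder, not a real path
 *   slot = 14
 */
public class Pkcs11KeyHandle {

    // Load the card as a KeyStore. The PIN authenticates the session; nothing is copied off the card.
    static KeyStore loadTokenKeyStore(String configPath, char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(configPath); // Java 9 and later
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    // Given a public key we already hold, find the alias whose certificate carries that key.
    static String aliasForPublicKey(KeyStore ks, PublicKey pub) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c != null && Arrays.equals(c.getPublicKey().getEncoded(), pub.getEncoded())) {
                return alias;
            }
        }
        return null;
    }

    // Sign on the card and verify with the public key, proving the handle works without exporting anything.
    static boolean signAndVerify(KeyStore ks, String alias, char[] pin, byte[] data) throws Exception {
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pin);
        // For a non-extractable token key SunPKCS11 returns null here: the object is only a handle.
        System.out.println("Private key exportable: " + (priv.getEncoded() != null));

        Signature signer = Signature.getInstance("SHA256withRSA", ks.getProvider());
        signer.initSign(priv);
        signer.update(data);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(ks.getCertificate(alias).getPublicKey());
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java Pkcs11KeyHandle pkcs11.cfg   (PIN is read from the console, never from argv)
        char[] pin = System.console().readPassword("PIN for token in slot 14: ");
        try {
            KeyStore ks = loadTokenKeyStore(args[0], pin);
            // Constructed scenario: we "already have" the public key by reading the root-ca certificate.
            PublicKey known = ks.getCertificate("root-ca").getPublicKey();
            String alias = aliasForPublicKey(ks, known);
            System.out.println("Alias for the known public key: " + alias);
            boolean ok = signAndVerify(ks, alias, pin, "constructed test message".getBytes("UTF-8"));
            System.out.println("Signature made on-card verifies: " + ok);
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN lying around in memory
        }
    }
}
```

Two things to keep in mind when running this against a real card: SunPKCS11 only exposes private keys that have a matching certificate on the token, so the cert-and-key-under-one-alias layout shown in the listing is the one Java expects; and `getKey` returning a `PrivateKey` does not mean the key left the card, which is exactly the distinction the thread is about.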