Java security - MSCAPI provider: How to use without password popup?

Question

I've managed to use Sun's MSCAPI provider in my application. The problem I'm having now is that it always pops up a window, asking for a password, even though I've provided it in the code. This is a problem, because I need the cryptography functionality in a webservice.

Here's the code I have now:

String alias = "Alias to my PK";
char[] pass = "MyPassword".toCharArray();

KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, pass);
Provider p =  ks.getProvider();

Signature sig = Signature.getInstance("SHA1withRSA",p);
PrivateKey key = (PrivateKey) ks.getKey(alias, pass)

sig.initSign(key);
sig.update("Testing".getBytes());
sig.sign();

This is working great, but I get a popup asking for the password when the last line is run. How do I prevent that?

Answer 1

My guess is that Windows is popping up the pop up.

Import your key again using the Certificate Import Wizard, but make sure that you don't check the following option on the "Password" screen.

[_] Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option.

Answer 2

The MSCAPI provider does not support providing the password to CAPI:

A compatibility mode is supported for applications that assume a password must be supplied. It permits (but ignores) a non-null password. The mode is enabled by default. (1)

To set the password through CAPI, you must call CryptSetKeyParam with the undocumented KP_KEYEXCHANGE_PIN or KP_SIGNATURE_PIN and hope your underlying hardware token provider supports it. (They are not completely undocumented - the documentation for Windows CE and Windows Mobile mention them (2) and they are included in the header files).