
Does a Java Crypto JCA provider really require a Windows DLL?

As I read here:

"Unlike most Java Cryptography Architecture (JCA) providers, the Sun PKCS#11 Provider does not implement the cryptographic functionality directly; it relies on a native PKCS#11 implementation to which it forwards all operations. This implementation must be available as a .dll file in Windows or a .so file in UNIX and Linux. For example, if you use the Utimaco SafeGuard Smartcard Provider for Windows, the PKCS#11 implementation is the library pkcs201n.dll."

Are smartcard providers obliged to have a JCA provider? For example, where can I find a JCA provider for Gemalto?

user310291 asked Dec 16 '22 00:12


2 Answers

The PKCS#11 Reference Guide is a good place to start.

Gemalto smart cards always ship with a PKCS#11 DLL; unfortunately, it has different names depending on the card. Just look through the files that came with your installation until you find a DLL with "p" and "11" in it :)

After you have located it, you may follow the steps given in the reference guide, i.e. create a configuration file that points to the PKCS#11 library etc. If everything went well, you should be able to access the smart card as simply as

KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, "pin".toCharArray());

Please note that for production code you should implement a proper CallbackHandler as outlined in the guide, of course - the above is just for a quick check that everything works.

emboss answered Jan 18 '23 05:01


Are smartcard providers obliged to have a JCA provider? For example, where can I find a JCA provider for Gemalto?

No, of course not, that fully depends on what's in the contract. It's quite likely you get a PKCS#11 compatible library (with more or less functionality depending on the provider/card). It's likely but probably not fully tested that this is compatible with the PKCS#11 provider, which is a bit picky on how things are configured. The delivery of an actual JCA provider is a rarity, and you are lucky if you can get one that actually works.

[EDIT]

About the different question in the title: only the Sun PKCS#11 provider requires you to configure a .dll. Others may require one depending on the implementation. If the provider depends on OS support (e.g. the CAPI provider uses Windows functionality) it will probably require a non-configurable .dll or .so somewhere on the library path. Bouncy Castle and other pure Java providers generally don't require any .dll or .so.

Contact Gemalto to see if they have a JCA provider, they should know for sure.

Maarten Bodewes answered Jan 18 '23 07:01