This discussion is archived
2 Replies Latest reply: Jan 31, 2012 5:31 AM by 913108 RSS

keyStore.aliases() returns an empty list when there's a private key -PKCS11

446516 Newbie
Currently Being Moderated
Hello everybody.
I've got a strange problem on my Aladdin eToken, when I try to get the aliases that it contains.
This PKCS#11 device (eToken) works fine with a mail client (outlook), so, I'm sure that it really got a private key + certificate inside, but when I try to get the aliases list from Java API it returns an empty list, I don't know why :S

The same happens if I use keytool to list the device contents.

This is my code:
### test_eToken.cfg ###
name = AladdinEToken
library = C:\WINDOWS\system32\eTpkcs11.dll
String configName = "C:\test_eToken.cfg";
Provider p = new SunPKCS11(configName);

CallbackHandler pwdCallback = new CallbackHandler() {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

builder = KeyStore.Builder.newInstance("PKCS11", provider, new KeyStore.CallbackHandlerProtection(

Enumeration<String> aliases = builder.getKeyStore().aliases(); 
//aliases is empty!!! and it got a private key sure
Using keytool I try -list command, but this is what happens:
C:\PROGRA~1\Java\JDK15~1.0_1\bin>keytool -keystore NONE -storepass ******* -storetype PKCS11 -providerClass -providerArg C:\test_eToken.cfg -list

KeyStore type: PKCS11
Keysotre provider: SunPKCS11-Test-eToken

Your keystore contains 0 entries
I don't know if this is important, but I've got 2 eTokens, one works fine and the other is what shows this problem. I found a differnce in the private key attributos, shown in the PKI Client application (eToken driver):
The one wich wokrs fine, in the Key Specification attribute gots AT_KEYEXCHANGE, while the other one gots AT_KEYSIGNATURE.
Is it relevant?

Thanks in advance, Gervasio
  • 1. Re: keyStore.aliases() returns an empty list when there's a private key -PKCS11
    913108 Newbie
    Currently Being Moderated

    I have also this problem. I have a smartcard with two certificates that i can view via ie browser.

    If i try to access to the certificate via "Windows-MY" keystore, there is not problem and i can list certificates with keystore.aliases().

    Also, if i use instance, the problem not is present.

        private void getCertificatesSlot() {
            CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[1];
            CK_ATTRIBUTE attr = new CK_ATTRIBUTE();
            long[] certificates;
            this._certificatesSlot = new Vector<X509Certificate>();
            attr.type = PKCS11Constants.CKA_CLASS;
            attr.pValue = PKCS11Constants.CKO_CERTIFICATE;
            attrs[0] = attr;
            try {
                System.out.println("Slot looking for certificates");
                this._p11.C_FindObjectsInit(this._hSession, attrs);
                certificates = this._p11.C_FindObjects(this._hSession, MAX_CERTS);
                System.out.println("Slot found (" + certificates.length + ") certificates");
            } catch (PKCS11Exception pkcse) {
                System.out.println("Excepción looking for certificates: " + pkcse.getMessage());
            System.out.println("Loading certificates");
            X509Certificate certificatetmp = null;
         for (long hCertificado : certificates) {
                certificatetmp = this.getCertificate(hCertificado);
                if (certificatetmp != null) {
                    System.out.println("Certificate " + certificatetmp.getSubjectDN().getName());
    But i try access with PKCS11 keystore instance, like @gervasio_amy, keystore.aliases() return an empty list.
    this.kStore = KeyStore.getInstance("PKCS11", mytokenprovider);
    this.kStore.load(null, secretnip);
    this.kStore.aliases() //return empty list
    This problem is not present with an old version of my smartcard. Does anyone know where can be the problem?

    Thanks in advance.
  • 2. Re: keyStore.aliases() returns an empty list when there's a private key -PKCS11
    913108 Newbie
    Currently Being Moderated
    More Info. This line

    this.kStore = KeyStore.getInstance("PKCS11", mytokenprovider);

    write "*ERROR - SEQUENCE is missing non-optional elmt.*" to output console. But not throws exception or runtime error.

    Any ideas? Smartcard problem?