2 Replies. Latest reply: Jan 31, 2012 7:31 AM by 913108

    keyStore.aliases() returns an empty list when there's a private key -PKCS11

      Hello everybody.
      I've got a strange problem on my Aladdin eToken, when I try to get the aliases that it contains.
      This PKCS#11 device (eToken) works fine with a mail client (Outlook), so I'm sure that it really has a private key + certificate inside, but when I try to get the aliases list from the Java API it returns an empty list, I don't know why :S

      The same happens if I use keytool to list the device contents.

      This is my code:

          ### test_eToken.cfg ###
          name = AladdinEToken
          library = C:\WINDOWS\system32\eTpkcs11.dll

          String configName = "C:\\test_eToken.cfg"; // backslash escaped for Java
          Provider p = new SunPKCS11(configName);
          CallbackHandler pwdCallback = new CallbackHandler() {
              public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                  // Handler body was cut off in the post; pin is a placeholder char[] for the token PIN
                  for (Callback cb : callbacks) {
                      if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pin);
                  }
              }
          };
          KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p, new KeyStore.CallbackHandlerProtection(pwdCallback));
          Enumeration<String> aliases = builder.getKeyStore().aliases();
          // aliases is empty!!! and it got a private key sure

      Using keytool I try -list command, but this is what happens:

          C:\PROGRA~1\Java\JDK15~1.0_1\bin>keytool -keystore NONE -storepass ******* -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg C:\test_eToken.cfg -list
          KeyStore type: PKCS11
          Keysotre provider: SunPKCS11-Test-eToken
          Your keystore contains 0 entries

      I don't know if this is important, but I've got 2 eTokens: one works fine and the other shows this problem. I found a difference in the private key attributes, shown in the PKI Client application (eToken driver):
      The one which works fine has AT_KEYEXCHANGE in the Key Specification attribute, while the other one has AT_KEYSIGNATURE.
      Is it relevant?

      Thanks in advance, Gervasio
        • 1. Re: keyStore.aliases() returns an empty list when there's a private key -PKCS11

          I also have this problem. I have a smartcard with two certificates that I can view via the IE browser.

          If I try to access the certificate via the "Windows-MY" keystore, there is no problem and I can list certificates with keystore.aliases().

          Also, if I use a sun.security.pkcs11.wrapper.PKCS11 instance, the problem is not present.

              private void getCertificatesSlot() {
                  CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[1];
                  CK_ATTRIBUTE attr = new CK_ATTRIBUTE();
                  long[] certificates = new long[0]; // stays empty if the search fails
                  this._certificatesSlot = new Vector<X509Certificate>();
                  // Search template: match every certificate object on the token
                  attr.type = PKCS11Constants.CKA_CLASS;
                  attr.pValue = PKCS11Constants.CKO_CERTIFICATE;
                  attrs[0] = attr;
                  try {
                      System.out.println("Slot looking for certificates");
                      this._p11.C_FindObjectsInit(this._hSession, attrs);
                      certificates = this._p11.C_FindObjects(this._hSession, MAX_CERTS);
                      this._p11.C_FindObjectsFinal(this._hSession); // close the search operation
                      System.out.println("Slot found (" + certificates.length + ") certificates");
                  } catch (PKCS11Exception pkcse) {
                      System.out.println("Excepción looking for certificates: " + pkcse.getMessage());
                  }
                  System.out.println("Loading certificates");
                  X509Certificate certificatetmp = null;
                  for (long hCertificado : certificates) {
                      certificatetmp = this.getCertificate(hCertificado);
                      if (certificatetmp != null) {
                          System.out.println("Certificate " + certificatetmp.getSubjectDN().getName());
                      }
                  }
              }

          But if I try to access it with a PKCS11 keystore instance, like @gervasio_amy, keystore.aliases() returns an empty list.

              this.kStore = KeyStore.getInstance("PKCS11", mytokenprovider);
              this.kStore.load(null, secretnip);
              this.kStore.aliases(); // returns an empty list

          This problem is not present with an old version of my smartcard. Does anyone know where the problem can be?

          Thanks in advance.
          • 2. Re: keyStore.aliases() returns an empty list when there's a private key -PKCS11
            More Info. This line

            this.kStore = KeyStore.getInstance("PKCS11", mytokenprovider);

            writes "*ERROR - SEQUENCE is missing non-optional elmt.*" to the output console, but does not throw an exception or runtime error.

            Any ideas? Smartcard problem?
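
A check that builds on the wrapper approach in reply 1, added here and not written by any poster: the SunPKCS11 keystore pairs each private key with a certificate through a shared CKA_ID and ignores token objects it cannot pair, so this lists both sets of CKA_ID values and reports private keys with no match. The class name TokenIdCheck, its method names and the cap of 100 objects are assumptions; p11 and hSession are an already initialised wrapper and a logged-in session, like _p11 and _hSession in reply 1.

```java
import java.util.*;
import sun.security.pkcs11.wrapper.*;

// Added example (hypothetical class and method names). Uses the JDK-internal
// wrapper package, as reply 1 does; newer JDKs do not export it by default.
public class TokenIdCheck {

    // Returns object handle -> hex CKA_ID for every visible object of objClass.
    static Map<Long, String> idsOf(PKCS11 p11, long hSession, long objClass)
            throws PKCS11Exception {
        Map<Long, String> ids = new LinkedHashMap<Long, String>();
        CK_ATTRIBUTE[] tmpl = { new CK_ATTRIBUTE(PKCS11Constants.CKA_CLASS, objClass) };
        p11.C_FindObjectsInit(hSession, tmpl);
        try {
            for (long h : p11.C_FindObjects(hSession, 100)) { // 100: assumed cap
                CK_ATTRIBUTE[] want = { new CK_ATTRIBUTE(PKCS11Constants.CKA_ID) };
                p11.C_GetAttributeValue(hSession, h, want);
                ids.put(h, hex(want[0].getByteArray()));
            }
        } finally {
            p11.C_FindObjectsFinal(hSession); // always close the search
        }
        return ids;
    }

    static String hex(byte[] b) {
        if (b == null) return ""; // object has no CKA_ID value
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Private-key handles whose CKA_ID is empty or matches no certificate.
    static List<Long> unmatchedKeys(Map<Long, String> keys, Map<Long, String> certs) {
        List<Long> out = new ArrayList<Long>();
        for (Map.Entry<Long, String> k : keys.entrySet())
            if (k.getValue().isEmpty() || !certs.containsValue(k.getValue()))
                out.add(k.getKey());
        return out;
    }

    // Private keys are normally visible only after C_Login on the session.
    static void report(PKCS11 p11, long hSession) throws PKCS11Exception {
        Map<Long, String> certs = idsOf(p11, hSession, PKCS11Constants.CKO_CERTIFICATE);
        Map<Long, String> keys = idsOf(p11, hSession, PKCS11Constants.CKO_PRIVATE_KEY);
        System.out.println("certificate CKA_IDs: " + certs.values());
        System.out.println("private key CKA_IDs: " + keys.values());
        System.out.println("private keys without a matching certificate: "
                + unmatchedKeys(keys, certs));
    }
}
```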