
Java can't see entries on a pkcs11 token

User_KZASH Member Posts: 39 Blue Ribbon
edited Mar 7, 2018 10:42AM in Java Programming

I use the following code to access many PKCS11 tokens, but on one particular token I can't read any entries. I receive no error.

The weird thing is that I have tested 3 tokens of the exact same model (MTOKEN CRYPTOID model E, manufacturerID LONGMAI) and 2 are working and one is not (because no objects can be read from Java).

I access these tokens using the same DLL file, cryptoide_pkcs11.dll.

On all 3 tokens I can read the objects using OpenSC like this: "pkcs11-tool --module=D:\temp\cryptoide_pkcs11.dll --login --pin ******** --list-objects", and on the token where Java sees nothing, OpenSC sees the certificate and the private key.

In my Java code, at the line "while(enume.hasMoreElements()) { " I receive an empty set on one of these 3 tokens.

Why can't Java see the objects on this token?

I know the information provided could be too little to give an answer, but maybe someone can suggest how I can debug this.

Thank you.

package pkcs11test;

import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;
import sun.security.pkcs11.SunPKCS11;
import sun.security.pkcs11.wrapper.CK_TOKEN_INFO;
import sun.security.pkcs11.wrapper.PKCS11;

public class PKCS11Test {
    public static void main(String[] args) {
        try {
            char[] pass = "******".toCharArray(); // PIN of the token
            String dllFile = "D:\\temp\\cryptoide_pkcs11.dll"; // DLL file used to access the token
            String configFile = "config.cfg"; // SunPKCS11 config file (name = ..., library = the DLL above)

            // Low-level view: every slot that currently has a token present
            PKCS11 p11 = PKCS11.getInstance(dllFile, "C_GetFunctionList", null, false);
            long[] slots = p11.C_GetSlotList(true);
            for (int j = 0; j < slots.length; j++) {
                CK_TOKEN_INFO tokenInfo = p11.C_GetTokenInfo(slots[j]);
                System.err.println("Token found at position " + j
                        + " label " + new String(tokenInfo.label).trim());
            }

            // High-level view: the PKCS11 KeyStore of the SunPKCS11 provider. The listing was cut
            // off on the page at this point; this part follows the keystorePkcs11.aliases() and
            // enume.hasMoreElements() lines quoted in the thread. The String constructor is the
            // Java 8 form; Java 9+ uses Security.getProvider("SunPKCS11").configure(configFile).
            Provider provider = new SunPKCS11(configFile);
            Security.addProvider(provider);
            KeyStore keystorePkcs11 = KeyStore.getInstance("PKCS11", provider);
            keystorePkcs11.load(null, pass);

            Enumeration<String> enume = keystorePkcs11.aliases();
            while (enume.hasMoreElements()) {
                String alias = enume.nextElement();
                System.err.println("Alias " + alias
                        + " keyEntry=" + keystorePkcs11.isKeyEntry(alias)
                        + " certEntry=" + keystorePkcs11.isCertificateEntry(alias));
            }
        } catch (Exception e) {
            Logger.getLogger(PKCS11Test.class.getName()).log(Level.SEVERE, null, e);
        }
    }
}

Answers

  • Unknown
    edited Mar 6, 2018 12:39PM
    I know the information provided could be too little to give an answer

    Correct - you haven't SHOWN US anything at all except code:

    1. no actual execution showing that two work and one doesn't

    2. no exception handlers after each suspect line

    3. no logging at all except in an exception handler

    4. no debugging info showing the results of executing suspect lines

    5. no indication of what line you even think is returning the 'nothing' you think should be returned.

     but maybe someone can suggest how I can debug this.

    The same way you troubleshoot any other code:

    1. execute it in a GUI using the debugger

    2. execute the code line by line

    3. examine the results of key variables to see if they contain what they should contain

    4. do steps 1, 2 and 3 again using what you say works and compare the variable contents between the two runs

    There are NO SHORTCUTS

    If the problem is in the DLL then you need to ask that vendor for help.

  • User_KZASH Member Posts: 39 Blue Ribbon
    edited Mar 7, 2018 2:31AM

    Thank you.

    However, the debugger is not of much use, since with it I only see Java reading an empty HashMap when I execute "Enumeration<String> enume = keystorePkcs11.aliases();"

    Here is an image of the debugger that simply shows that Java reads 0 aliases from this token: http://cc123.caido.ro/debug.png

    I tried to copy a different certificate on the token and the new certificate is readable so I imagined that the certificate must be the problem.

    So I saved the certificate with the problem in .cer format (without private key) and I reimported it on the token.

    Now I have the same certificate twice on the same token and the surprise is that the second certificate is readable from Java, so now I'm thinking that the certificate container from the token is the problem.

    The non-working certificate is in a container and the copy of this certificate is in root - no container.

    Because all the certificates are readable from OpenSC using pkcs11-tool and the same DLL as in Java, I can only think that it must be an incompatibility.

    I wrote to the vendor also.
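One way to see what the high-level KeyStore silently drops, as an added example that is neither the poster's code nor the vendor's: it uses the same internal sun.security.pkcs11.wrapper API as the post (Java 8; on Java 9 and later the package needs --add-exports java.base/sun.security.pkcs11.wrapper=ALL-UNNAMED) to log in, list every private-key and certificate object with its CKA_LABEL and CKA_ID, and flag private keys whose CKA_ID matches no certificate, since the SunPKCS11 KeyStore builds its key entries by pairing key and certificate on CKA_ID. The DLL path is the one from the post; the PIN, the slot choice and the 64-object limit are assumptions.

```java
import java.math.BigInteger;
import java.util.HashMap;
import java.util.Map;
import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
import sun.security.pkcs11.wrapper.PKCS11;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;

// Lists private-key and certificate objects with their CKA_ID. SunPKCS11 pairs a private key
// with its certificate by equal CKA_ID, so an unmatched pair never becomes a KeyStore entry.
public class P11ObjectDump {
    static final String DLL = "D:\\temp\\cryptoide_pkcs11.dll"; // module path from the post
    static final char[] PIN = "******".toCharArray();           // placeholder user PIN
    public static void main(String[] args) throws Exception {
        PKCS11 p11 = PKCS11.getInstance(DLL, "C_GetFunctionList", null, false);
        long slot = p11.C_GetSlotList(true)[0];      // assumption: first slot holding a token
        long session = p11.C_OpenSession(slot, CKF_SERIAL_SESSION, null, null);
        try {
            p11.C_Login(session, CKU_USER, PIN);     // private objects are visible only after login
            Map<String, String> keys = list(p11, session, CKO_PRIVATE_KEY, "private key");
            Map<String, String> certs = list(p11, session, CKO_CERTIFICATE, "certificate");
            for (Map.Entry<String, String> k : keys.entrySet()) {
                if (!certs.containsKey(k.getKey())) {
                    System.err.println("private key '" + k.getValue() + "' has no certificate with CKA_ID " + k.getKey());
                }
            }
        } finally {
            p11.C_Logout(session);
            p11.C_CloseSession(session);
        }
    }
    // Returns CKA_ID (hex) -> CKA_LABEL for every object of one CKA_CLASS and prints each one.
    // Assumes every object carries CKA_LABEL and CKA_ID; otherwise C_GetAttributeValue throws.
    static Map<String, String> list(PKCS11 p11, long session, long cls, String what) throws PKCS11Exception {
        Map<String, String> found = new HashMap<>();
        p11.C_FindObjectsInit(session, new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_CLASS, cls) });
        long[] handles = p11.C_FindObjects(session, 64);  // assumption: at most 64 objects per class
        p11.C_FindObjectsFinal(session);
        for (long h : handles) {
            CK_ATTRIBUTE[] a = { new CK_ATTRIBUTE(CKA_LABEL), new CK_ATTRIBUTE(CKA_ID) };
            p11.C_GetAttributeValue(session, h, a);   // wrapper yields char[] for CKA_LABEL, byte[] for CKA_ID
            String idHex = new BigInteger(1, a[1].getByteArray()).toString(16);
            String label = new String(a[0].getCharArray());
            System.err.println(what + " handle=" + h + " label='" + label + "' CKA_ID=" + idHex);
            found.put(idHex, label);
        }
        return found;
    }
}
```

Running it against the working and the non-working token and comparing the two dumps shows whether the invisible certificate and its private key share a CKA_ID, which is the same comparison pkcs11-tool --list-objects prints as "ID:".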

  • Unknown
    edited Mar 7, 2018 10:42AM

    Since you don't want to provide the info I ask for there is not much point in trying to help you further.

    Good luck with your problem.
