Hi All,
I've encountered a problem getting aliases from the key store after I log in to my iKey USB token.
I use a machine running Windows XP.
I use JDK 1.6.0 update 2.
The provider initializes fine, the debug message even tells me that I successfully log in, but when I try to get aliases from the keystore, I get an empty string enumeration.
This is a part of my code responsible for initialization (it seems to work without problems):

    import java.io.ByteArrayInputStream;
    import java.lang.reflect.Constructor;
    import java.security.KeyStore;
    import java.security.Provider;
    import java.security.Security;

    // fields shared by the methods of this class
    private Provider p11Provider;
    private KeyStore p11KeyStore;

    public void initialize( String libraryPath, String pin, String newProviderName ) throws Exception {
        // create configuration data
        String p11ConfigSettings = "name = ";
        p11ConfigSettings += newProviderName;
        p11ConfigSettings += "\nlibrary = ";
        p11ConfigSettings += libraryPath;
        p11ConfigSettings += "\n";
        byte[] p11ConfigSettingsBytes = p11ConfigSettings.getBytes();
        ByteArrayInputStream p11ConfigStream = new ByteArrayInputStream( p11ConfigSettingsBytes );
        try {
            // dynamically instantiate the provider
            Class<?> p11Class = Class.forName( "sun.security.pkcs11.SunPKCS11" );
            Constructor<?> p11Constructor = p11Class.getConstructor( java.io.InputStream.class );
            p11Provider = (Provider) p11Constructor.newInstance( p11ConfigStream );
            Security.addProvider( p11Provider );
        }
        catch ( Exception e ) {
            System.out.println( "Could not instantiate the provider!" );
            throw e;
        }
        try {
            // get key store instance
            p11KeyStore = KeyStore.getInstance( "pkcs11", p11Provider );
        }
        catch ( Exception e ) {
            System.out.println( "Could not get key store instance!" );
            throw e;
        }
        try {
            // load the key store (logging in to the card)
            char[] pinChars = pin.toCharArray();
            p11KeyStore.load( null, pinChars );
        }
        catch ( Exception e ) {
            System.out.println( "Could not load key store!" );
            throw e;
        }
    }

Some details about the part shown:
- libraryPath is "C:/windows/system32/dkck201.dll"
- I've also tried dkck232.dll, but no difference
And this is another part of my code, responsible for loading any key found on the token:

    import java.security.PrivateKey;
    import java.util.Enumeration;

    public PrivateKey getSignatureToken() throws Exception {
        // try to search for keys on the token
        Enumeration<String> aliasEnumeration = p11KeyStore.aliases();
        while ( aliasEnumeration.hasMoreElements() ) {
            // something found, take it
            String alias = aliasEnumeration.nextElement();
            return (PrivateKey) p11KeyStore.getKey( alias, null );
        }
        // no keys were found on the token
        throw new Exception( "The key store is empty!" );
    }

My problem is that p11KeyStore.aliases() always returns an empty enumeration, while another application (neither using SunPKCS11, nor written in Java) can see the certificate and also use the private key for signing etc.
BTW... previously I wasn't even able to log in, because during "p11KeyStore.load( null, pinChars );" an exception occurred ("PKCS11 not found").
I avoided this by adding a debug argument ("-Djava.security.debug=sunpkcs11,pkcs11") to the Java VM arguments.
Unfortunately I wasn't able to overcome this problem using JDK's keytool utility at all, so I can't provide its output (except for the "PKCS11 not found" exception).
Isn't there a provider configuration attribute or a KeyStore load parameter that could solve this?
Is there any alternative to the SunPKCS11 provider that works with an arbitrary PKCS#11 library?
Your help is greatly appreciated!
Thanks.
Message was edited by:
mk0x55