I've more or less identified exactly what the problem is, so I'm wondering if this is a bug that will be fixed. I have multiple PKCS11 providers, one that uses NSS in FIPS mode and one that uses a library for a smart card. This is the sample code I'm using:
What a lot of debugging has shown me is that when I make that first ks.load call, in the P11KeyStore class, a static variable, CKA_TRUSTED_SUPPORTED, gets set to false, which prevents me from loading trusted certs in the second call (ts.load). It's fine if I call them in reverse order, because that static variable gets set after I get all my trusted certs, but later in the program another class makes that call and fails. I think this should be a bug. The CKA_TRUSTED_SUPPORTED variable never gets reset to true even if it is a valid attribute.
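
Added example, not part of the original post and not the JDK's P11KeyStore source: a simplified Java model (Java 16+) of the failure mode described above, where a capability flag held in a static field is cleared by one token and then hides trusted certificates on another. `Token`, `SharedFlagStore`, `PerTokenStore`, the token names and the certificate labels are all hypothetical.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class StaticFlagLeak {
    // Constructed stand-in for a PKCS#11 token. supportsTrusted models whether
    // the token accepts the CKA_TRUSTED attribute in a template.
    record Token(String name, boolean supportsTrusted, List<String> trustedCerts) {}

    // Models the reported behaviour: one flag shared by every provider in the JVM.
    static class SharedFlagStore {
        static boolean ckaTrustedSupported = true;

        static List<String> load(Token t) {
            if (!ckaTrustedSupported) {
                return List.of();              // trusted certs skipped for ALL tokens
            }
            if (!t.supportsTrusted()) {
                ckaTrustedSupported = false;   // cleared once, never set back to true
                return List.of();
            }
            return t.trustedCerts();
        }
    }

    // Contrast: the capability is remembered per token, so one token's
    // limitation cannot change what is loaded from another.
    static class PerTokenStore {
        private final Map<String, Boolean> supported = new HashMap<>();

        List<String> load(Token t) {
            boolean ok = supported.computeIfAbsent(t.name(), n -> t.supportsTrusted());
            return ok ? t.trustedCerts() : List.of();
        }
    }

    public static void main(String[] args) {
        // Constructed sample tokens: the first one loaded rejects CKA_TRUSTED.
        Token first = new Token("token-a", false, List.of());
        Token second = new Token("token-b", true, List.of("root-ca", "issuing-ca"));

        SharedFlagStore.load(first);
        System.out.println("shared flag:    " + SharedFlagStore.load(second));

        PerTokenStore store = new PerTokenStore();
        store.load(first);
        System.out.println("per-token flag: " + store.load(second));
    }
}
```

In the shared-flag model the second token's trust anchors disappear without any exception, so a check that the expected number of trusted entries was actually loaded is the practical way to catch this condition.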