
Java Security


sunpkcs#11, smartcard and tomcat

790737 — Feb 19 2015 — edited Feb 19 2015

I have a web application running on Tomcat. My application uses a web service which signs (via smart card) and sends email. The web service itself adds the SunPKCS11 provider automatically during the first call and before sending email, and can then sign and send emails as long as the smart card is not removed and inserted. If it is removed and inserted, in order to send email I must restart the Tomcat server; if I do not, it gives several errors depending on my edits to the code.

This is the code:

    result = api.signAndSend(to, cc, bcc, subject, content, smartCardPin);

After removing and inserting the smart card, this code gives a "Token has been removed" exception.

These are the things I tried:

1- I tried removing the SunPKCS11 provider just after sending email, then creating a new SunPKCS11 provider and adding it. It gives an error like: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey or java.security.InvalidKeyException: No installed provider supports this key: null

2- I did not remove the SunPKCS11 provider after each api.signAndSend(...) call, but rather:

    import java.lang.reflect.Field;
    import java.lang.reflect.Method;
    import java.security.KeyStore;
    import java.util.Map;
    import sun.security.pkcs11.SunPKCS11;
    import sun.security.pkcs11.wrapper.CK_C_INITIALIZE_ARGS;
    import sun.security.pkcs11.wrapper.PKCS11;

    // api, getLastProvider(), MyCallbackHandler and pkcs11Path are my own
    // (api = the signing web service; getLastProvider() returns the provider
    // that was added last; pkcs11Path = path of the PKCS#11 library)
    result = api.signAndSend(to, cc, bcc, subject, content, smartCardPin);

    SunPKCS11 sunPKCS11 = (SunPKCS11) getLastProvider();
    sunPKCS11.logout();
    sunPKCS11.setCallbackHandler(new MyCallbackHandler());
    KeyStore.CallbackHandlerProtection cpprotection =
            new KeyStore.CallbackHandlerProtection(new MyCallbackHandler());
    KeyStore.Builder builder =
            KeyStore.Builder.newInstance("PKCS11", sunPKCS11, cpprotection);
    KeyStore ks = builder.getKeyStore();

    // finalize PKCS#11: clear the JDK's private module cache via reflection
    Field moduleMapField = PKCS11.class.getDeclaredField("moduleMap");
    moduleMapField.setAccessible(true);
    Map<?, ?> moduleMap = (Map<?, ?>) moduleMapField.get(null);
    moduleMap.clear(); // force re-execution of C_Initialize next time

    // load PKCS#11 (I expect this code to load PKCS#11 again, but I am not sure)
    Method getInstanceMethod = PKCS11.class.getMethod("getInstance",
            String.class, String.class, CK_C_INITIALIZE_ARGS.class, Boolean.TYPE);
    CK_C_INITIALIZE_ARGS ck_c_initialize_args = new CK_C_INITIALIZE_ARGS();
    PKCS11 pkcs11 = (PKCS11) getInstanceMethod.invoke(null, pkcs11Path,
            "C_GetFunctionList", ck_c_initialize_args, false);

This code gives:

    java.security.ProviderException: Initialization failed
        at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:319)
        at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:432)
        at java.security.Signature$Delegate.init(Signature.java:1127)
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1087)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1151)
        at java.security.Signature.initSign(Signature.java:512)
        at org.esign.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
        ...
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_HANDLE_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_SignInit(Native Method)
        at sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_SignInit(PKCS11.java:1721)
        at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:311)

Java: 1.8.0.31

Any help would be appreciated.
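One way to structure the signing call so that it survives a card removal without touching the JDK's private PKCS11 wrapper through reflection, as an added example that is not part of the original post: the provider and keystore are rebuilt and the private key is fetched fresh on every call, so no handle from the old token is reused. The config file path, the key alias and the "SHA256withRSA" algorithm are assumptions; the "Token has been removed" message is the one quoted in the post.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.security.Signature;
import sun.security.pkcs11.SunPKCS11;

/** Keeps no PKCS#11 handle that it cannot rebuild on demand. */
public class TokenAwareSigner {
    private final String configPath;   // assumed: path of the SunPKCS11 config file
    private final char[] pin;
    private Provider provider;
    private KeyStore keyStore;

    public TokenAwareSigner(String configPath, char[] pin) {
        this.configPath = configPath;
        this.pin = pin.clone();
    }

    /** Drop the old provider and keystore; every handle of the previous token dies with them. */
    private synchronized void reload() throws Exception {
        if (provider != null) Security.removeProvider(provider.getName());
        provider = new SunPKCS11(configPath);   // JDK 8 constructor (deprecated from JDK 9)
        Security.addProvider(provider);
        keyStore = KeyStore.getInstance("PKCS11", provider);
        keyStore.load(null, pin);               // logs in to the token; there is no file to read
    }

    public synchronized byte[] sign(String alias, byte[] data) throws Exception {
        if (keyStore == null) reload();
        try {
            return signOnce(alias, data);
        } catch (ProviderException e) {
            // SunPKCS11 reports a pulled card as "Token has been removed"; the cached
            // keystore now points at a dead token, so rebuild it and retry exactly once.
            if (!mentionsTokenRemoval(e)) throw e;
            reload();
            return signOnce(alias, data);
        }
    }

    private byte[] signOnce(String alias, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) keyStore.getKey(alias, null);  // fetched per call, never cached
        Signature sig = Signature.getInstance("SHA256withRSA");      // JCA picks the provider owning the key
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    private static boolean mentionsTokenRemoval(Throwable t) {
        for (; t != null; t = t.getCause())
            if (t.getMessage() != null && t.getMessage().contains("Token has been removed")) return true;
        return false;
    }
}
```

Caching a P11PrivateKey across calls is what produces "No installed provider supports this key" after the provider is replaced: the key object still belongs to the provider that was removed.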

Post Details

Locked on Mar 19 2015
Added on Feb 19 2015
0 comments
1,473 views