1 Reply Latest reply on Jun 1, 2017 3:33 PM by 3470856

    nFast Server failure proof



      I m using sunPkcs11 class to connect my app to NetHsm.

      My local service nFast runs on port 9004. It is used as bridge to communicate with the NetHsm.

      My provider is set like that:

      Provider provider =  new sun.security.pkcs11.SunPKCS11(pkcs11ConfigFile);  // name = nCipher, library = D:\Program\nCipher\nfast\toolkits\pkcs11\cknfast-64.dll


      And I decipher like that:

      KeyStore ks = KeyStore.getInstance("PKCS11", provider);

      ks.load(null, password);

      Key key = ks.getKey(keyId, null);

      IvParameterSpec paramSpec = new IvParameterSpec(iv);

      AlgorithmParameters algParams = AlgorithmParameters.getInstance("AES");


      Cipher ci = Cipher.getInstance("AES/CBC/NoPadding", provider);

      ci.init(Cipher.DECRYPT_MODE, key, algParams);



      All is right, I can decipher my keys.

      Now, I stop the service nFast. I get an exception because it is impossible to decipher my keys. Normal ...

      java.security.ProviderException: update() failed

      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR

      I restart the service and I would like to be able to decipher again my keys but I get an exception.

      java.security.ProviderException: update() failed

      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR

          at sun.security.pkcs11.wrapper.PKCS11.C_FindObjectsInit(Native Method)

          at sun.security.pkcs11.P11KeyStore.findObjects(P11KeyStore.java:2673)

          at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2288)

          at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:770)


      I'm obliged to restart my app.


      How can I re-initialize the provider in order to communicate again with the service without restarting the app?

        • 1. Re: nFast Server failure proof

          I'm now able to open several time the provider by purging session and token at each call. So bad that C_Finalize do not do the job in moduleMap.

           import sun.security.pkcs11.wrapper.PKCS11;
          import sun.security.pkcs11.wrapper.PKCS11Constants;

          // Open provider
          Provider provider = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigFile);
          // Do what you need ...
          // Finalize the pkcs11 driver in the wrapper
          PKCS11 pkcs11 = PKCS11.getInstance(library, null, null, true);
          // Clean the pkcs11 driver in the wrapper to force C_Initialize next time
          Field moduleMapField = PKCS11.class.getDeclaredField("moduleMap");
          Map<?, ?> moduleMap = (Map<?, ?>) moduleMapField.get(pkcs11LibraryPath);