JAVA Toolkit

Strange Behavior

 

Q:

Why does the PKCS11 KeyStore not show certain keys or certificates which are on the token?

A:

There may be different reasons. First, check whether you have set the property LOGIN_KEYSTORE_SESSION_ON_DEMAND to false in your IAIKPkcs11.properties file: if it is set to true, the keystore may not see all private keys and other private objects on the token. Second, the PKCS#11 module of your cryptographic hardware may have a bug in its find operations that causes this behavior. See Q 2.2 of the PKCS#11 wrapper for details.

Q:

The dialog that prompts the PIN does not always come up correctly. What can I do?

A:

This behavior of the default PIN dialog may occur with certain Java™ Runtime Environments (JREs). You may simply try a different (newer) JRE. Alternatively, you may use a different implementation of the PIN dialog. The "Using" section of the provider documentation describes how to configure a different implementation in the configuration file. You may even implement your own dialog by writing a class that implements the iaik.apps.util.passphrase.PassphrasePrompt interface. You can also set a dialog for prompting the PIN at runtime using the setPassphrasePrompt(PassphrasePrompt) method of the DefaultLoginManager of the IAIKPkcs11 provider instance.

Q:

My application does not terminate after the main() method has finished. Is it a problem with PKCS#11?

A:

No, it is not a problem of PKCS#11. This problem occurs if your application uses the PKCS#11 provider with the Java™ Swing-based dialogs for prompting the PIN. It is a common problem with applications that use Swing. You can add a System.exit(0); as the last line of your main() method. For further details see the bug with ID 4030718 in SUN's bug database.

Q:

The login dialog appears only on the first access to a token key. Does the provider cache the PIN?

A:

The provider does not cache the PIN unless the application provides it via the load(InputStream, char[]) method of the KeyStore. The reason you do not need to log in again is the login state of PKCS#11 tokens: once an application has logged in to a token, the login state remains active until the application performs an explicit logout or closes all of its sessions. The PKCS#11 provider cannot perform a logout automatically, as this would interrupt other currently active operations on the token. Nor can it close all sessions, because that would destroy session key objects. It is therefore up to the application to log out explicitly, which it can do with the logout(Session) method of the TokenManager. In your code this may look like this:

    IAIKPkcs11 providerInstance = ...;

    // ...

    providerInstance.getTokenManager().logout(null);
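Because the token stays logged in until the application logs out, a complete method that uses a token key should release the login state in a finally block. The following is an added example, not code from the IAIK documentation; the import package, the no-argument IAIKPkcs11 constructor, the keystore type name "PKCS11KeyStore", the signature algorithm name and the key alias are assumptions and placeholders.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import iaik.pkcs.pkcs11.provider.IAIKPkcs11; // package name assumed

/*
 * Added example. Signs data with a token key and always logs out of the
 * token afterwards, because the provider never does this on its own.
 */
public class TokenLogoutExample {

    public static byte[] signWithToken(String alias, byte[] data, char[] pin) throws Exception {
        // Assumed constructor: reads IAIKPkcs11.properties from the class path.
        IAIKPkcs11 providerInstance = new IAIKPkcs11();
        Security.addProvider(providerInstance);
        try {
            // Keystore type name is an assumption about the IAIK provider.
            KeyStore tokenKeyStore = KeyStore.getInstance("PKCS11KeyStore", providerInstance);
            // Passing the PIN here means the provider keeps it (see the answer above).
            // Pass null instead to be prompted through the PassphrasePrompt dialog.
            tokenKeyStore.load(null, pin);

            // The first key access triggers the token login; later accesses reuse it.
            PrivateKey key = (PrivateKey) tokenKeyStore.getKey(alias, null);
            Signature sig = Signature.getInstance("SHA256withRSA", providerInstance); // algorithm assumed
            sig.initSign(key);
            sig.update(data);
            return sig.sign();
        } finally {
            // Explicit logout as described above: closing sessions instead would
            // destroy session key objects, so the provider leaves this to the caller.
            providerInstance.getTokenManager().logout(null);
            if (pin != null) {
                Arrays.fill(pin, '\0'); // do not leave the PIN lying around in memory
            }
        }
    }
}
```

If the PIN is prompted through the Swing dialog rather than passed in, remember the System.exit(0) at the end of main() from the previous answer, otherwise the process may not terminate.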

 
print    tip a friend
back to previous page back  |  top to the top of the page