1

I am using SSL connection with X509 certificates provided from smartcards. I have 2 identical tokens from athena . I initialise the keystores after I am reading the certificates, but when I am trying to to do the actual connection for the second token I am getting no provider found for my Private key.Connecting using the first token it's not affected, it works. I tried adding different SunPCKS11 provider by specifing the slotIndexList to 1 , the number for the second token given by "slots = p11.C_GetSlotList(true)", but still the same error. When I am listing the providers: I see the second provider, but java doesn't use it (I don't know why).

Provider _etpkcs11;
slots = p11.C_GetSlotList(true);

if(slot ==0) 
{
String pkcs11config = "name=Athena\nlibrary=C:\WINDOWS\system32\asepkcs.dll";
byte[] pkcs11configBytes =pkcs11config.getBytes();
 ByteArrayInputStream configStream = new ByteArrayInputStream(pkcs11configBytes);
etpkcs11 = new SunPKCS11(configStream);
Security.addProvider(etpkcs11);

}

the above works the following doesn't work

if(slot ==1) 
{
String pkcs11config1 = "name=Athenaslot1\nlibrary=C:\WINDOWS\system32\asepkcs.dll";
byte[] pkcs11configBytes1 =pkcs11config1.getBytes();
ByteArrayInputStream configStream1 = new ByteArrayInputStream(pkcs11configBytes1);
etpkcs11 = new SunPKCS11(configStream1);
Security.addProvider(etpkcs11);
}

the following 

for(int j=0;j<Security.getProviders().length;j++)
        {
            System.out.println(Security.getProviders()[j].getName());   
        }

returns:

SunPKCS11-Athena
SunPKCS11-Athenaslot1
SUN
SunRsaSign
SunEC
SunJSSE
SunJCE
SunJGSS
SunSASL
XMLDSig
SunPCSC

and the error when using the second the second token:

 No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey

Thanks

PS: I need the both tokens on same machine

Azim
  • 1,043
  • 13
  • 27
Iulian David
  • 861
  • 7
  • 6

2 Answers2

0

After having a look at these docs it is saying that the instantiation of the SunPKCS11 can take a slot in the configuration.

So maybe you could try 

String pkcs11config1 = "name=Athenaslot1\nslot=1\nlibrary=C:\WINDOWS\system32\asepkcs.dll";
Scary Wombat
  • 44,617
  • 6
  • 35
  • 64
  • I put the slot, even change the name to a new instance , see: SunPKCS11-Athena, SunPKCS11-Athenaslot1. The first provider contains line slot=0, and the second slot=1. – Iulian David Aug 26 '13 at 08:59
0

Even though you add 2 providers to the list of providers, the SunPKCS11 class caches the first instance. It seems like it always uses this instance all the time. That's the reason your second provider is not picked up/identified.

You might have to write some sneaky code to approach your use case. Right before you use your second provider, you have to clear the cached instance. You can refer to this post here. It is unanswered, but the code you should be looking for is

Field moduleMapField = PKCS11.class.getDeclaredField("moduleMap");  
moduleMapField.setAccessible(true);  
Map<?, ?> moduleMap = (Map<?, ?>) moduleMapField.get(<YOUR_FIRST_PROVIDER_INSTANCE>);  
moduleMap.clear(); // force re-execution of C_Initialize next time

What this basically does is clearing the cached instance. And now you can proceed to add your second provider instance to interact with your second token.

always_a_rookie
  • 4,515
  • 1
  • 25
  • 46