2011/8/2 NdK <ndk.cla...@gmail.com>

> Hi all!
>
> Maybe it's nearly OT, but I think it could be useful for other readers.
>
> I've found that a quite recurring problem in accessing tokens from Java
> is the "PKCS11 not found" exception.
> Disabling hot plug support, as suggested in the past to another user,
> didn't work in my case.
>
> The "-Djava.security.debug=sunpkcs11" 'workaround' is quite
> unsatisfactory (really slows down startup), but I've found that using
> SunPKCS11 and a config file containing:
> -8<--
> name = smartcard
> library = /usr/lib/opensc-pkcs11.so
> slotListIndex=1
> -8<--
> (so, specifying the slotListIndex) I can actually avoid that exception.
> But every user should determine his own slotListIndex (and, IIUC, it
> changes if there are certs under different PINs).
>
> What I still miss:
> - why can't I read certs out of the card even if they're publicly readable?
>

Java cryptography is based on the JCA/JCE architecture. The document at http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html pretty much explains everything you need to know. It says, for example, that only trusted certificates or pairs (key, certificates) are listed as aliases from a Java perspective.

> - once I can read a cert, how could I determine which slot I should
> authenticate against to use the corresponding private key?
>

The slot is fixed in the properties file. SUNPKCS #11 demands that you use different properties files for different slots.

> - should I avoid SunPKCS11 and base my program on "simple" PC/SC?
>

I would say no. If you can code in C, it is better to use pure C PKCS #11 (or some helper like libp11 or pkcs11-helper), since working with APDUs is not easy (nor necessary). If you need to stick to Java, maybe JNI is the answer.

>
> Tks,
> Diego.
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

Cheers,

--
Felipe Menegola Blauth
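The per-slot configuration discussed in this thread, as an added example that is not part of either poster's message: it binds one SunPKCS11 provider instance to one slotListIndex and lists the aliases Java exposes for that slot, marking each as a key+certificate pair or a trusted certificate. It assumes Java 9 or later (`Provider.configure` with an inline `--` config); the class name `ListTokenAliases` is hypothetical, and the name and library path are the ones from the quoted config file.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

// Added example; class name is hypothetical, Java 9+ assumed.
public class ListTokenAliases {
    public static void main(String[] args) throws Exception {
        // One slot per provider instance, mirroring one config file per slot.
        int slotListIndex = args.length > 0 ? Integer.parseInt(args[0]) : 1;

        // Inline form of the quoted config file; a leading "--" marks inline config.
        String config = "--name = smartcard\n"
                + "library = /usr/lib/opensc-pkcs11.so\n"
                + "slotListIndex = " + slotListIndex + "\n";
        Provider p = Security.getProvider("SunPKCS11").configure(config);

        // Each run presents the PIN to exactly one slot; a wrong PIN counts
        // against that PIN's retry limit, so the slot is chosen explicitly.
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal to enter the PIN");
        }
        char[] pin = console.readPassword("PIN for slotListIndex %d: ", slotListIndex);
        if (pin == null) {
            throw new IllegalStateException("no PIN entered");
        }
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);
            for (String alias : Collections.list(ks.aliases())) {
                // Only key+certificate pairs and trusted certificates show up as aliases.
                String kind = ks.isKeyEntry(alias) ? "key+cert" : "trusted cert";
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : "(non-X.509)";
                System.out.printf("slotListIndex %d  %-12s %s  [%s]%n",
                        slotListIndex, kind, alias, subject);
            }
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in memory longer than needed
        }
    }
}
```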