problems reloading web applet. keyStore or Provider.!
First of all, thanks for reading.
INTRODUCTION
We are implementing a Document Signing applet and got some serious problems when reloading the applet with the following structure:
1 Applet loads, and if no card is inserted, it shows a warning message and waits.
2 Applet download a document to be signed.
3 Applet tries to load some PKCS11 Providers, if one match with the card inserted, Pin Dialog is shown on applet, else execution ends.
4 Applet shows the Certificates on Card, waitting to select one and sign with. (only shows Signing valid certificates).
5 Signs the applet.
6 Upload the applet to a host.
7 Shows the warning, error or succefully success of the execution and redirect the web to some webpage.
The first execution of the applet works correctly, then we reload the webpage, to execute it already and get the execution above:
1 Applet loads, and if no card is inserted, it shows a warning message and waits.
2 Applet download a document to be signed.
3 Applet tries to load some PKCS11 Providers, if one match with the card inserted, Pin Dialog is shown on applet, else execution ends.
4 Applet shows the Certificates on Card, waitting to select one and sign with. (only shows Signing valid certificates).
5 Applet fails because there are two private keys sharing same CKA_ID (logically an error if this happened in the same SmartCard ).
java.security.ProviderException: java.security.KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID 0xXXXXXXXXXXXX
at sun.security.pkcs11.P11KeyStore.engineGetKey(P11KeyStore.java:317)
-
SOME TESTS:
[TEST NAME: ] [TEST RESULT: ]
[HISTORY]
[test name: Ejecting SmartCard after execution] [test result: WORKING FINE]
[HISTORY]
After running the applet the first time, we send a message to user to eject the SmartCard a moment, then insert it another time, and the applet can be runned with no problem a second time, also a third, fourth if we eject the card after every execution.
[test name: Inserting a different card] [test result: WORKING FINE]
[HISTORY]
After running the applet one time, we insert a different card, using a different PKCS11 provider, and it works as intended. That test can be located at test1.
[test name: Inserting a same pkcs11 provider card] [test result: WORKING FINE]
[HISTORY]
After running the applet one time, we insert a different card but with the same PKCS11 Provider, and as shown in test1,it works correctly cause the "removing the card".
[test name: Reloading multiple times applet] [test result: FAILS]
[HISTORY]
We run the applet, with the same SmartCard multiple times, just to see if the problem persist and we got the result:
...ProviderException: java.security.KeyStoreException: invalid KeyStore state: found2 private keys sharing CKA_ID
...ProviderException: java.security.KeyStoreException: invalid KeyStore state: found3 private keys sharing CKA_ID
...ProviderException: java.security.KeyStoreException: invalid KeyStore state: found4 private keys sharing CKA_ID
...ProviderException: java.security.KeyStoreException: invalid KeyStore state: found5 private keys sharing CKA_ID
...ProviderException: java.security.KeyStoreException: invalid KeyStore state: found6 private keys sharing CKA_ID
...
As seen at tests, we think the fail is not deregistering the keyStore, also setting it tonull doesn't solves it, calling this.destroy() at the end of the execution, also no.
But the applet works fine when it thinks the SmartCard has been removed, maybe when setting the KeyStore, or when adding the Provider to Security, but we are out of ideas at the moment.
Our new moves:
Adding at the start of the execution a new "basic provider" to make our applet thinks its working with another card, but the problem may be will persist because the SmartCard is not released from the reader, and the KeyStore is a singleton in java implementation, as intended, and will retain the information.
Any Ideas or solutions ? :)
Thanks !!!
Message was edited by:
Boza
