re-run SunPKCS11 after ProviderException
I am creating an instance of Sun's PKCS11 implementation, but when there are no cardreaders installed on the OS, I get a ProviderException:
From SunPKCS11.java
throw new ProviderException("slotListIndex is " + index + " but token only has " + slots.length + "slots");
This is as expected. But when I install the driver for the cardreader, and I want to try again (without restarting the JVM first), I get the same error!
How can I reset any previous errors, without having to restart my Java-application?
If you are loading the SunPKCS11 Provider dynamically, unload the JCE provider and reload it - that should cause the PKCS11 configuration to re-read modules/slots again from the OS. If you are loading the JCE provider statically (through the java.security file), then you have no choice but to shut down the JVM and restart it.
Note: Even if you unload a statically loaded PKCS11 Provider, and load it dynamically in your code, these are considered two separate instances of the Provider, so don't expect changes on one side to be visible on the other. Sun recommends using only one form and sticking to that to minimize errors with the use of the bridge.
> If you are loading the SunPKCS11 Provider
> dynamically, unload the JCE provider and reload it -
> that should cause the PKCS11 configuration to re-read
> modules/slots again from the OS.
Well, I am loading dynamically ... I have been searching for a way to unload the JCE provider to get rid of any previous errors, but couldn't come up with a solution. How do I unload a JCE provider that has already thrown a ProviderException?
Using Security.removeProvider(providerName). http://java.sun.com/j2se/1.5.0/docs/api/java/security/Security.html#removeProvider(java.lang.String)
Unfortunately, the error occurs when creating a new SunPKCS11 instance. This happens even before I add it to the Security context. Unloading and re-loading the SunJCE provider does not seem to change this.
Just to be clear, the problem I have:
1) No drivers installed
2) new SunPKCS11(inputStream) > throws a ProviderException, with the text: "slotListIndex is 0 but token only has 0slots"
3) I install the driver, without restarting the Java application
4) new SunPKCS11(inputStream) > still throws that ProviderException!
When I restart the Java application after the driver-installation... everything works fine. How can I reset the situation after step 3 without restarting the Java application?
I may have misinterpreted your problem. When you say "driver" are you referring to the SunPKCS11 Bridge Provider, or are you referring to the DLL/SO file that represents the native operating system drivers for the PKCS11 token?
The native PKCS11 drivers must always be installed on the OS before you start up your JVM because the DLL/SO must be accessible to the JVM when it starts up. Otherwise, adding/removing the SunPKCS11 Provider in your Java code makes no difference.
> I may have misinterpreted your problem. When you say
> "driver" are you referring to the SunPKCS11 Bridge
> Provider, or are you referring to the DLL/SO file
> that represents the native operating system drivers
> for the PKCS11 token?
In pkcs11.config I refer to a generic (safesign) dll, which directs to the omnikey cardreader and a usb token. And the driver I am referring to, is the device-driver, not the generic dll.
> The native PKCS11 drivers must always be installed on
> the OS before you start up your JVM because the
> DLL/SO must be accessible to the JVM when it starts
> up. Otherwise, adding/removing the SunPKCS11
> Provider in your Java code makes no difference.
This means that the generic pkcs11 implementation from safesign (aetpkss1.dll) is already installed, but neither the cardreader nor the usb token has been installed yet, so no slots are found. But then I install the device driver(s) and connect the device(s) and still no slots are found.
So, I guess what you are telling me is that what I want, is impossible in Java?
If the cardreader has not been installed (and thus the drivers are not available to the OS yet), then it would be impossible for a JVM to see it. If you installed the drivers after the JVM started, based on my experience, the JVM will still not see it. So, yes, it appears that what you want - which is to have a running JVM see the module/slots in a subsequent driver installation - is not achievable.
This may be a limitation of the SunPKCS11 bridge. Have you thought about asking the vendor for their JCE Provider implementation, and then you may be able to dynamically load their classes through the class-loader and perhaps, see the slots in a running JVM?
As an aside, why would you not have the user load the reader and the token at least once, using the native-Windows tools before loading up your Java application? It would address your problem if the drivers were already installed, would it not?
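Added example (not code from any poster in this thread): the dynamic unload-and-reload cycle discussed above, with the ProviderException from the constructor caught so that nothing stale stays registered. It assumes JDK 7 or 8, where the sun.security.pkcs11.SunPKCS11(InputStream) constructor used in the thread is available; the class name Pkcs11Reload, the retry count and the wait time are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;

public class Pkcs11Reload {
    // Last instance this class registered, so it can be unloaded by its real name.
    private static Provider current;

    /** Unloads the previous instance, then tries to create and register a new one. */
    static Provider reload(String configPath) throws IOException {
        if (current != null) {
            Security.removeProvider(current.getName());
            current = null;
        }
        try (InputStream in = new FileInputStream(configPath)) {
            // The constructor itself throws when slotListIndex has no matching slot,
            // i.e. before the provider could be added to the Security context.
            Provider p = new sun.security.pkcs11.SunPKCS11(in);
            Security.addProvider(p);
            current = p;
            return p;
        } catch (ProviderException e) {
            System.err.println("SunPKCS11 not created: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Config file name as used in the thread; pass another path as args[0].
        String config = args.length > 0 ? args[0] : "pkcs11.config";
        for (int attempt = 1; attempt <= 5; attempt++) {
            Provider p = reload(config);
            if (p != null) {
                System.out.println("Loaded " + p.getName());
                return;
            }
            Thread.sleep(10_000); // time to attach the reader or token
        }
        // The posters above report that retries in the same JVM kept failing
        // after a driver install; their fallback was restarting the JVM.
        System.out.println("No slot became visible; restart the JVM and try again.");
    }
}
```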