An issue with keytool and PKCS11

Mark Joseph mark at p6r.com
Thu Jan 21 00:40:14 UTC 2016


Can you add a -debug option and show me the full output? 
 
You can also add a -J-Djava.security.debug=all but I am not sure if the output is useful. 
 
--Max 
 



We found it useful but there is a lot of it. We also used it while walking through the code and viewing our own logs.


You can see for example that it will silently select a local Sun mechanism if it cannot find one in your P11 token.




Mark Joseph
P6R, Inc





> On Jan 12, 2016, at 9:38 AM, Mark Joseph <mark at p6r.com> wrote: 
>  
> Hi, 
>  
>    We are a PKCS#11 vendor and we are in the process of integrating our C library with keytool and jarsigner.    
>  
> We are executing the following command line.
>  
> keytool  -keystore NONE -storetype PKCS11 -storepass 12345678 -providerName SunPKCS11-P6Rtoken -providerclass sun.security.pkcs11.SunPKCS11 -providerarg E:\work\SKC_OPT_2015_2\p6r.cfg -genkeypair -keyalg RSA -keysize 2048 -alias p6rsignkey -v 
>  
> We are doing this on Windows, and we are using the latest Java keytool out of the JDK.   
> Our library is 64 bits and the Java version we have installed is 64 bits. 
>  
> Now what we are seeing is strange.    The above worked one time with the key pair being generated and stored in our PKCS11 library. 
>  
> Then we reset everything and continued to do testing and the result was that keytool again created a Certificate and a Private key and placed them into our PKCS11 library.   
>  
> However, instead of finishing by creating the key pair by calling our PKCS11 library it just stopped and returned.   There was no error or exception printed out.   
>  
> So we are stuck not knowing what is wrong?    Anyone seen this before or have a way we can see why the keytool is "aborting" out of running? 
>  
>  
>  
> Best, 
> Mark Joseph 
> P6R, Inc 
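
An added example, not part of the original thread: a small Java check for the silent fallback described in the reply, reporting for each service whether the configured PKCS#11 token offers it and which provider JCA lists first. It assumes JDK 9 or later (`Provider.configure`), takes the PKCS#11 config file path as its only argument, and the service list and the class name `P11FallbackCheck` are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;

public class P11FallbackCheck {
    // Assumed set of services an RSA -genkeypair run relies on (not taken from the thread).
    static final String[][] NEEDED = {
        {"KeyPairGenerator", "RSA"},
        {"Signature", "SHA256withRSA"},
        {"KeyStore", "PKCS11"},
    };

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java P11FallbackCheck <pkcs11-config-file>");
            System.exit(2);
        }
        // The unconfigured SunPKCS11 provider ships with the JDK (9+).
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            System.err.println("SunPKCS11 provider is not available in this JDK");
            System.exit(1);
        }
        // Bind it to the vendor library named in the config file; the resulting
        // provider is named "SunPKCS11-<name from the config>".
        Provider token = base.configure(args[0]);
        Security.addProvider(token);
        System.out.println("Token provider: " + token.getName());

        for (String[] s : NEEDED) {
            String type = s[0], alg = s[1];
            // Does the token itself advertise this service?
            boolean onToken = token.getService(type, alg) != null;
            // Providers offering the service, in JCA preference order (null if none).
            Provider[] all = Security.getProviders(type + "." + alg);
            String first = (all == null) ? "(none)" : all[0].getName();
            String verdict = onToken ? "token offers it"
                                     : "NOT on token, software provider would be used";
            System.out.printf("%-17s %-14s first=%-22s %s%n", type, alg, first, verdict);
        }
    }
}
```

A line marked "NOT on token" identifies a mechanism the token does not expose, which is where a caller that does not name the provider explicitly ends up on a software implementation without any error.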
 