An issue with keytool and PKCS11
Mark Joseph
mark at p6r.com
Thu Jan 21 00:40:14 UTC 2016
Can you add a -debug option and show me the full output?
You can also add a -J-Djava.security.debug=all but I am not sure if the output is useful.
--Max
We found it useful but there is a lot of it. We also used it while walking through the code and viewing our own logs.
You can see for example that it will silently select a local Sun mechanism if it cannot find one in your P11 token.
Mark Joseph
P6R, Inc
> On Jan 12, 2016, at 9:38 AM, Mark Joseph <mark at p6r.com> wrote:
>
> Hi,
>
> We are a PKCS#11 vendor and we are in the process of integrating our C library with keytool and jarsigner.
>
> We are executing the following command line.
>
> keytool -keystore NONE -storetype PKCS11 -storepass 12345678 -providerName SunPKCS11-P6Rtoken -providerclass sun.security.pkcs11.SunPKCS11 -providerarg E:\work\SKC_OPT_2015_2\p6r.cfg -genkeypair -keyalg RSA -keysize 2048 -alias p6rsignkey -v
>
> We are doing this on Windows, and we are using the latest Java keytool out of the JDK.
> Our library is 64 bits and the Java version we have installed is 64 bits.
>
> Now what we are seeing is strange. The above worked one time with the key pair being generated and stored in our PKCS11 library.
>
> Then we reset everything and continued to do testing and the result was that keytool again created a Certificate and a Private key and placed them into our PKCS11 library.
>
> However, instead of finishing by creating the key pair by calling our PKCS11 library it just stopped and returned. There was no error or exception printed out.
>
> So we are stuck not knowing what is wrong? Anyone seen this before or have a way we can see why the keytool is "aborting" out of running?
>
>
>
> Best,
> Mark Joseph
> P6R, Inc
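
The silent fallback to a local Sun mechanism mentioned in the reply can be checked from Java before running keytool. This is an added example, not code from the thread or from keytool: it assumes the token provider is already registered (for instance in java.security) under the name used on the command line, and the two services listed are an assumption about what RSA key pair generation with a self-signed certificate needs.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class TokenMechanismCheck {
    // Provider the JCA resolves when the caller does NOT pin a provider,
    // i.e. the one a fallback lookup would end up using.
    static String defaultProviderFor(String type, String alg) throws Exception {
        if (type.equals("KeyPairGenerator")) {
            return KeyPairGenerator.getInstance(alg).getProvider().getName();
        }
        if (type.equals("Signature")) {
            return Signature.getInstance(alg).getProvider().getName();
        }
        throw new IllegalArgumentException("unsupported service type: " + type);
    }

    // True only if the named provider itself advertises the service.
    static boolean offeredBy(Provider p, String type, String alg) {
        return p != null && p.getService(type, alg) != null;
    }

    public static void main(String[] args) throws Exception {
        // Provider name taken from the command line in the thread; override via args[0].
        String tokenName = args.length > 0 ? args[0] : "SunPKCS11-P6Rtoken";
        Provider token = Security.getProvider(tokenName);
        if (token == null) {
            System.out.println(tokenName + " is not registered; lookups below use other providers");
        }
        // Assumed set of services for RSA key generation plus certificate signing.
        String[][] needed = { {"KeyPairGenerator", "RSA"}, {"Signature", "SHA256withRSA"} };
        boolean allOnToken = true;
        for (String[] s : needed) {
            boolean onToken = offeredBy(token, s[0], s[1]);
            allOnToken &= onToken;
            System.out.printf("%-17s %-14s token=%-5s unpinned lookup -> %s%n",
                    s[0], s[1], onToken, defaultProviderFor(s[0], s[1]));
        }
        // Non-zero exit when any mechanism is missing from the token, so a build
        // script can refuse to sign with keys that may not live in hardware.
        if (!allOnToken) System.exit(1);
    }
}
```

A row showing `token=false` next to a software provider name is the case where the operation would run outside the token if the lookup falls back.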