Open jycr opened 2 years ago
I think there are two separate things going wrong.
First, this:
Caused by: java.security.ProviderException: slotListIndex is 0 but token only has 0 slots
I am willing to believe I got something wrong here, but I am not completely sure that I did. I am not sure if I did. It asks for the number of slots available if tokens are present (it first asks for all slots even without tokens, and that count should always be at least 1). And ... well, that leads to problem number two:
2022-09-14 20:55:47.625206+0200 0x25321 Debug 0x0 14552 0 java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] Looking for identities for token com.apple.setoken
2022-09-14 20:55:47.627565+0200 0x25321 Debug 0x0 14552 0 java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] No identities found
2022-09-14 20:55:47.627644+0200 0x25321 Debug 0x0 14552 0 java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] Looking for identities for token com.apple.setoken:aks
2022-09-14 20:55:47.628745+0200 0x25321 Debug 0x0 14552 0 java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] No identities found
2022-09-14 20:55:47.628858+0200 0x25321 Debug 0x0 14552 0 java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_Initalize returning CKR_OK
This tells me it didn't find any identities.
So this is something not everyone completely understands about Keychain-PKCS11 ... it was designed to work only with HARDWARE tokens. It uses the TkToken interface to only get hardware identities. It doesn't get ALL identities that are found in the Keychain. It is possible by setting a special preferences item to get CERTIFICATES exposed as another slot, but that is certificates only; you don't get a full identity and you can't perform crypto operations on them. That's mostly useful for things like Firefox to get certificates from the Keychain.
I've thought about adding the functionality to create another slot that lets you use any identity found in the Keychain, but I haven't done that yet.
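The diagnosis above was read straight out of the unified-log lines. As an added example that is not part of this thread or of keychain-pkcs11 itself, here is a small triage script that parses such lines, records which tokens reported identities, and states the consequence for SunPKCS11 when none did. The log prefix and token names are constructed from the lines quoted above; the positive "identities found" message is not shown on this page, so any non-negative line after a probe is treated as a hit (an assumption, marked in the code).

```python
import re

# Constructed sample in the shape of the unified-log lines quoted in the thread.
PREFIX = ("2022-09-14 20:55:47.625206+0200 0x25321 Debug 0x0 14552 0 java: "
          "(keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] ")
SAMPLE_LOG = "\n".join(PREFIX + msg for msg in [
    "Looking for identities for token com.apple.setoken",
    "No identities found",
    "Looking for identities for token com.apple.setoken:aks",
    "No identities found",
    "C_Initalize returning CKR_OK",   # spelled this way in the real log
])

MSG_RE = re.compile(r"\[mil\.navy\.nrl\.cmf\.pkcs11:\w+\]\s+(?P<msg>.*)$")
TOKEN_RE = re.compile(r"Looking for identities for token (?P<token>\S+)")
INIT_RE = re.compile(r"C_Initi?alize returning (?P<rv>CKR_\w+)")  # tolerate the typo

def triage_log(text):
    """Return ({token: identities_found}, C_Initialize return value or None)."""
    tokens, init_rv, current = {}, None, None
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                      # not a keychain-pkcs11 line
        msg = m.group("msg")
        if tm := TOKEN_RE.match(msg):
            current = tm.group("token")
            tokens.setdefault(current, False)
        elif msg.startswith("No identities found"):
            current = None
        elif im := INIT_RE.match(msg):
            init_rv = im.group("rv")
        elif current is not None:
            # Assumption: the page only shows the negative message, so any other
            # line right after a probe is taken to mean identities were listed.
            tokens[current] = True
    return tokens, init_rv

def diagnose(tokens, init_rv):
    """Explain what the parsed log means for a SunPKCS11 configuration."""
    if init_rv and init_rv != "CKR_OK":
        return "C_Initialize failed with " + init_rv
    if not tokens:
        return "no token probe lines; is keychain-pkcs11 debug logging enabled?"
    usable = sorted(t for t, found in tokens.items() if found)
    if not usable:
        return ("no hardware identities on any token: the token-present slot list "
                "is empty, so SunPKCS11 with slotListIndex=0 fails")
    return "usable tokens: " + ", ".join(usable)
```

Run it over `log stream` / `log show` output filtered to the keychain-pkcs11 subsystem to see at a glance whether the failure is initialization or simply an empty token-present slot list.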
I'm looking for a way to use the certificates stored in the MacOS Keychain (with the private key export option disabled) via a PKCS#11 API.
I tried using keychain-pkcs11 with the Java PKCS#11 provider but it doesn't work. Java error log:
Here is the MacOS event log:
Here are some commands to determine my context:
Do you know what's wrong?