xipki / pkcs11wrapper

PKCS#11 Wrapper for Java. Deprecated. Please use xipki/ipkcs11wrapper (preferred) or xipki/jpkcs11wrapper instead.

use xipki/pkcs11wrapper instead of mikma/pkcs11wrapper #1

Closed armando-basile closed 5 years ago

armando-basile commented 5 years ago

Hi xipki, I'm trying to use your wrapper instead of mikma, but I saw that some objects are missing:
  iaik.pkcs.pkcs11.objects.AESSecretKey
  iaik.pkcs.pkcs11.objects.ECDSAPrivateKey
  iaik.pkcs.pkcs11.objects.ECDSAPublicKey
  iaik.pkcs.pkcs11.objects.Object
  iaik.pkcs.pkcs11.parameters.Parameters
  iaik.pkcs.pkcs11.wrapper.PKCS11Constants
  iaik.pkcs.pkcs11.wrapper.Functions

and some methods: Token.closeAllSessions(), Session.destroyObject(PKCS11Object)

Have you planned a roadmap for porting?

Regards, Armando

xipki commented 5 years ago

Hi Armando,

please adapt your code as follows:

  1. For AESSecretKey, please use ValuedSecretKey.newAESSecretKey() instead.
  2. For ECDSAPrivateKey and ECDSAPublicKey, please use ECPrivateKey and ECPublicKey instead.
  3. Object is renamed to PKCS11Object.
  4. Parameters is renamed to Params. And the package iaik.pkcs.pkcs11.parameters is renamed to iaik.pkcs.pkcs11.params.
  5. PKCS11Constants is repacked to iaik.pkcs.pkcs11.constants.
  6. Functions is repacked to iaik.pkcs.pkcs11.constants.
  7. Session.destroyObject(PKCS11Object) should be there. Please re-check it.
  8. Token.closeAllSessions() cannot be supported, since it is not supported in the underlying JNI (JDK's SunPKCS11 provider). Please manage your sessions by yourself. You can close a single session by Session.closeSession().

Best regards, Lijun

xipki commented 5 years ago

You may find examples on the usage of this Pkcs11wrapper under https://github.com/xipki/pkcs11wrapper/tree/sunpkcs11/examples.

armando-basile commented 5 years ago

OK, thanks. I fixed my code and now it works fine :)

I have only one issue: I implemented a "reload pkcs11 config" feature that reloads module and slot info from XML at runtime and tries to unload the old objects (tokens and modules), then generates new objects.

With this scenario, to initialize modules and get the slot list I use

// load the native PKCS#11 library and initialize it once
Module pkcs11_module = Module.getInstance(pkcs11_lib_path);
InitializeArgs iargs = new DefaultInitializeArgs(null, false, true);
pkcs11_module.initialize(iargs);
// false: list all slots, not only those with a token present
Slot[] pkcs11_slots = pkcs11_module.getSlotList(false);

to finalize modules I use:

pkcs11_module.finalize(null);

but when I call the function to initialize modules a second time, the getSlotList method returns an empty array []. To make it work again I need to restart the application.

Have you any idea?

xipki commented 5 years ago

Hi Armando,

please finalize the module only if you are sure that it will not be used anymore.

Once you have finalized it, you cannot re-initialize it in the same JVM. This is a restriction of Sun's PKCS#11 wrapper. For details of this restriction, please refer to https://github.com/openjdk/jdk/blob/523ef3b3720283cd1696ce9fd0a977c1f41b2965/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java#L151.

BR

Lijun
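The lifecycle Lijun recommends in item 8 above and in this reply, as an added example that is not part of the thread and not code from the xipki project: initialize each module at most once per JVM, keep it across a config reload, and close sessions one by one instead of finalizing the module. The package iaik.pkcs.pkcs11 for Module, DefaultInitializeArgs, InitializeArgs, Slot and Session follows the IAIK layout the thread names; the class Pkcs11ModuleRegistry is hypothetical; the meaning of the DefaultInitializeArgs arguments is assumed from the IAIK constructor; and because the wrapper's own checked exception types are not assumed here, the methods declare `throws Exception`.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Assumed package of the wrapper classes, following the IAIK layout named in the thread.
import iaik.pkcs.pkcs11.DefaultInitializeArgs;
import iaik.pkcs.pkcs11.InitializeArgs;
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.Slot;

/**
 * Hypothetical helper (not part of the wrapper): keeps one initialized Module per
 * native library path for the lifetime of the JVM, so a "reload config" never has
 * to finalize and re-initialize a module, which the underlying SunPKCS11 wrapper
 * does not allow. Only sessions are torn down and rebuilt on reload.
 */
public final class Pkcs11ModuleRegistry {

    // library path -> initialized module; a module is created at most once per JVM
    private final Map<String, Module> modules = new HashMap<>();
    // sessions the application opened for the current configuration
    private final List<Session> openSessions = new ArrayList<>();

    /** Returns the module for the given library, initializing it only on first use. */
    public synchronized Module moduleFor(String libraryPath) throws Exception {
        Module module = modules.get(libraryPath);
        if (module == null) {
            module = Module.getInstance(libraryPath);
            // Same arguments as in the thread. Assumed IAIK semantics: no custom mutex
            // handler, the library may create OS threads, OS locking is acceptable.
            InitializeArgs args = new DefaultInitializeArgs(null, false, true);
            module.initialize(args);
            modules.put(libraryPath, module);
        }
        return module;
    }

    /** Re-reads the slot list without touching the module's initialization state. */
    public synchronized Slot[] reloadSlots(String libraryPath) throws Exception {
        // There is no Token.closeAllSessions() (item 8 above), so the application
        // closes the sessions of the previous configuration itself, one by one.
        closeTrackedSessions();
        // false: list all slots, not only those with a token present
        return moduleFor(libraryPath).getSlotList(false);
    }

    /** Registers a session the application opened so it is closed on the next reload. */
    public synchronized void track(Session session) {
        openSessions.add(session);
    }

    private void closeTrackedSessions() {
        for (Session session : openSessions) {
            try {
                session.closeSession();
            } catch (Exception e) {
                // A session that is already gone (e.g. token removed) must not abort the reload.
                System.err.println("closeSession failed: " + e);
            }
        }
        openSessions.clear();
    }

    /** Finalizes all modules. Call exactly once, on application shutdown, never on reload. */
    public synchronized void shutdown() {
        closeTrackedSessions();
        for (Module module : modules.values()) {
            try {
                module.finalize(null);
            } catch (Exception e) {
                System.err.println("finalize failed: " + e);
            }
        }
        modules.clear();
    }
}
```

The registry is the only place that calls Module.finalize(Object), and it does so from shutdown() alone; the reload path goes through reloadSlots(), which reuses the already initialized Module and therefore keeps returning the real slot list instead of the empty array seen after a finalize/initialize cycle.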

armando-basile commented 5 years ago

OK, I know. Thanks

xipki commented 5 years ago

I extended the Module.finalize(Object) method to make the Module re-initializable after the finalization. Now one should be able to re-initialize the module.

Please try again using the following dependency in your maven project:

  <dependency>
      <groupId>org.xipki.iaik</groupId>
      <artifactId>sunpkcs11-wrapper</artifactId>
      <version>1.4.5-SNAPSHOT</version>
  </dependency>

armando-basile commented 5 years ago

YEAH, now module re-init after finalize works too

xipki commented 5 years ago

Unfortunately, access to private fields is deprecated in JDK 13 and will be removed in later versions. So I removed the code block in Module.finalize(Object) which modifies the private field moduleMap in the class sun.security.pkcs11.wrapper.PKCS11. As a result, the module of one library cannot be re-initialized after calling Module.finalize(Object).

armando-basile commented 5 years ago

OK, I know. But with your latest feature it's now possible, so will this fix be definitive, or is it possible that in future this feature won't work anymore?

xipki commented 5 years ago

For consistency, I do not want to have two versions with different behaviors. So the aforementioned code has been removed from the released version 1.4.5.

xipki commented 5 years ago

BTW, the rename of package iaik.pkcs.pkcs11.parameters to iaik.pkcs.pkcs11.params is reverted, which means you can use the original package name, as in the project mikma/pkcs11wrapper: iaik.pkcs.pkcs11.parameters. And the classes PKCS11Constants and Functions are again in their original package iaik.pkcs.pkcs11.wrapper.