5
votes

I'm trying to access a smartcard on a Linux system on a VM. The USB device is mapped to the VM and can be listed via lsusb (ID 076b:3021 OmniKey AG CardMan 3121). I can access the smartcard via pkcs11-tool and pkcs15-tool. Firefox can also access the token via the /usr/lib/opensc-pkcs11.so library.

But when I try to access the smartcard from Java, an empty keystore is returned. I'm using the following configuration for the sun.security.pkcs11.SunPKCS11 provider.

name = PKCS11Test
library = /usr/lib/opensc-pkcs11.so
slot = 0

When using a different slot (I tried slot 0-15), I get CKR_PIN_INCORRECT errors or "PKCS11 not found". In my tests I'm loading the keystore like this:

// p is the sun.security.pkcs11.SunPKCS11 provider created from the configuration above
char[] pin = "123456".toCharArray();
KeyStore ks = KeyStore.getInstance("PKCS11", p);
ks.load(null, pin);

On the other hand, pkcs11-tool returned the following for slot 0:

Slot 0 CCID Compatible
token model: PKCS#15 emulated

As Java seems to access the card on slot 0 (at least no error is returned), I'm probably doing something else wrong in accessing the keystore. How can I access the private key?

1

1 Answer

1
votes

Okay, I found the solution.

For whatever reason, slot 0 seems to be completely empty. Slots 1 and 2 have private keys, but they were protected with different (local) PINs. With the netkey-tool I was able to set the local PIN to the global PIN. Afterwards, accessing the card worked without a flaw.
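
To see which slot actually holds private keys, as the answer found for slots 1 and 2, each slot can be probed with its own PIN. The following is an added example, not code from the original question or answer. It assumes Java 9 or later (`Provider.configure` with an inline `--` configuration); the class name `ListTokenSlots` and the `MAX_SLOTS` value are hypothetical.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;

public class ListTokenSlots {
    static final String LIBRARY = "/usr/lib/opensc-pkcs11.so"; // path from the question
    static final int MAX_SLOTS = 4;                            // assumption: probe 4 positions

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            System.err.println("Run from a terminal so the PIN is read without echo.");
            return;
        }
        for (int i = 0; i < MAX_SLOTS; i++) {
            // slotListIndex is a position in the slot list; "slot" would be a slot ID.
            String cfg = "--name=Slot" + i + "\nlibrary=" + LIBRARY + "\nslotListIndex=" + i;
            char[] pin = null;
            try {
                Provider p = Security.getProvider("SunPKCS11").configure(cfg);
                KeyStore ks = KeyStore.getInstance("PKCS11", p);
                pin = console.readPassword("PIN for slot index %d (empty to skip): ", i);
                if (pin == null || pin.length == 0) continue; // no login, no retry consumed
                ks.load(null, pin); // a wrong PIN costs one attempt on the card's retry counter
                int keys = 0;
                for (String alias : Collections.list(ks.aliases())) {
                    boolean isKey = ks.isKeyEntry(alias);
                    if (isKey) keys++;
                    System.out.printf("  %s (%s)%n", alias, isKey ? "private key" : "no private key");
                }
                System.out.printf("slot index %d: %d private key entries%n", i, keys);
            } catch (Exception e) {
                Throwable t = e; // the root cause carries the CKR_* code from the library
                while (t.getCause() != null) t = t.getCause();
                System.out.printf("slot index %d: %s%n", i, t.getMessage());
            } finally {
                if (pin != null) Arrays.fill(pin, '\0'); // wipe the PIN from memory
            }
        }
    }
}
```

Because every failed login decrements the card's PIN retry counter, the loop prompts per slot and skips the login when the PIN is left empty, rather than replaying one PIN across all slots.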