Topic
  • 14 replies
  • Latest Post - ‏2013-04-24T18:28:35Z by PaulBrittin
SystemAdmin
SystemAdmin
2262 Posts

Pinned topic Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

‏2007-04-12T09:47:41Z |
Please help me find the problem.
I am using Notes 8 with IBM JVM 1.5.
When I load the keystore, I get the error "Not enough memory on device".
What should I do to fix this problem?
Config file:

name = ABC
library=C:/incryptoki2.dll
description=Hardware device config.
slotListIndex = 0

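The Java code:

// Imports needed by the fragment below
import java.security.KeyStore;
import java.security.Security;
import com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl;

IBMPKCS11Impl p = null;
KeyStore ks = null;
String strPwd = "123456";
String configFile = "C:\\ibmpkcs11impl.cfg";
try {
    // Create the provider from the config file and register it
    p = new IBMPKCS11Impl(configFile);
    Security.addProvider(p);
    // Open the token keystore; the PIN is passed as the password
    ks = KeyStore.getInstance("PKCS11IMPLKS", p);
    ks.load(null, strPwd.toCharArray());
} catch (Exception e) {
    e.printStackTrace();
}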


Stack trace:

com.ibm.pkcs11.PKCS11Exception: Not enough memory on device
at com.ibm.pkcs11.nat.NativePKCS11Session.createObject(Native Method)
at com.ibm.crypto.pkcs11impl.provider.RSAPublicKey.<init>(Unknown Source)
at com.ibm.crypto.pkcs11impl.provider.RSAPKCS11KeyFactory.engineGeneratePublic(Unknown Source)
at java.security.KeyFactory.generatePublic(KeyFactory.java:303)
at com.ibm.security.x509.X509Key.buildX509Key(Unknown Source)
at com.ibm.security.x509.X509Key.parse(Unknown Source)
at com.ibm.security.x509.CertificateX509Key.<init>(Unknown Source)
at com.ibm.security.x509.X509CertInfo.parse(Unknown Source)
at com.ibm.security.x509.X509CertInfo.<init>(Unknown Source)
at com.ibm.security.x509.X509CertImpl.parse(Unknown Source)
at com.ibm.security.x509.X509CertImpl.<init>(Unknown Source)
at com.ibm.crypto.pkcs11impl.provider.X509Factory.engineGenerateCertificate(Unknown Source)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:378)
at com.ibm.crypto.pkcs11impl.provider.PKCS11KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1173)
at test.main(test.java:17)
Updated on 2007-05-09T04:40:16Z at 2007-05-09T04:40:16Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-04-13T02:33:58Z  
    I found the possible reason for the problem.
    My smartcard only had 3 keys inside (as follows) before using IBMPKCS11Impl.
    Key 1 : ba58b1be-6e5f-4ffc-a32e-142777ea0de4(1158840768)
    Key 2 : d1480262-dce2-4fdc-bd5e-d1d3a80e7a76
    Key 3 : ba58b1be-6e5f-4ffc-a32e-142777ea0de4

    The first several times, KeyStore.load gives no error. After that, the error occurs. Then I checked the keys and found the following inside my smart card.
    Key : IBMPKCS11981393124239694088370752
    Key : IBMPKCS11622779772676422453153583
    Key : IBMPKCS11445632878901860573925085
    Key : IBMPKCS11166918693577469647657425
    Key : IBMPKCS11732058738883527560696528
    Key : IBMPKCS11134787656832185849001358
    Key : IBMPKCS11150167802706247996012027
    Key : IBMPKCS11401896910333661752016457
    Key : IBMPKCS11443371883582134852475430
    Key : IBMPKCS11387129288451660637984277
    Key : IBMPKCS11305872141427985749967327
    Key : IBMPKCS11608211721068936386267403
    Key : IBMPKCS11101915841631851343275790
    Key : IBMPKCS11477747331734976237368135
    Key : IBMPKCS11495778266651120878440761
    Key : ba58b1be-6e5f-4ffc-a32e-142777ea0de4(1158840768)
    Key : d1480262-dce2-4fdc-bd5e-d1d3a80e7a76
    Key : ba58b1be-6e5f-4ffc-a32e-142777ea0de4

    I don't know why IBMPKCS11 writes a lot of keys to my card and fills up my card's memory.

    Can anyone help me solve this problem?
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-04-13T03:42:47Z  
    I have deleted the IBMPKCS11 keys successfully by using KeyStore.deleteEntry.
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-04-13T06:45:11Z  
    I have some experience here that I want to share with all of you.
    When the IBMPKCS11Impl provider is used to load the keystore, IBMPKCS11Impl writes 4 keys to the smartcard.
    However, if you use this keystore to search for all the keys in the smartcard, the IBMPKCS11 keys are not detected.
    After that, the next time you load the keystore, 4 more are inserted.
    As a result, the smartcard fills up with IBMPKCS keys and the exception follows: Not enough memory on device.

    I found this but have no solution at all.
    Can anyone provide a solution or suggest a good way to use IBMPKCS11 to read the smartcard?
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-04-19T12:41:45Z  
    Can you tell me your usage of the smartcard? PKCS11Impl will not put any keys automatically into your keystore on a load. However, if you are using keys or generating keys, there are cases where the PKCS11Impl provider will import keys to your card. Basically, if you are using clear text keys from somewhere, it is possible that these keys are getting added to the card. This may be what you are seeing. Later versions of PKCS11Impl, however, will now delete any keys that they automatically import for you. This import is done on the init() call of functions like signature and cipher.
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-04-26T02:21:11Z  
    I have no other code, just the code in the first post.
    When I load the keystore, my smartcard is reading/writing for a long time.
    After these few lines of code finish running, my smartcard has some new keys inside.
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-05-02T23:47:51Z  
    This provider will not add any keys to your card. There is a small chance that session keys might get added if IBMJCE is not in the provider list before IBMPKCS11Impl. From your code I am assuming that IBMJCE is already in the provider list. How do you know that the new keys are being added? Do they look similar? Is it possible that when the provider initializes the smart card, the card software is adding these keys to the smart card?
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-05-03T03:52:43Z  
    I am testing some PKCS11 providers. IBMPKCS11Impl is one of them.
    I am using another provider and it can successfully read the key names.
    Before using IBMPKCS11Impl, there were only 3 keys (please refer to re-post #2).
    Here are my testing steps:
    • keystore.load under IBMPKCS11Impl; it is very slow.
    • Run keystore.load again and again (3 times or more).
    • keystore.load can no longer be executed (error: smart card memory is out).
    • I use another PKCS11 provider to read the key names and find lots of key names beginning with IBMPKCS11xxxxxxxxxxx.
    So, I guess: keystore.load under IBMPKCS11Impl writes keys to my smartcard.

    PS. I can only read and delete the IBMPKCS keys by using another PKCS11 provider. Using IBMPKCS11Impl, the IBMPKCS keys are not visible.
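
A repeatable form of the test steps in the post above, as an added example that is not part of the original thread and not IBM's code: compare the token's labels before and after a KeyStore.load and report new IBMPKCS11-prefixed objects. The auditing provider and keystore type passed to listAliases are assumptions (the thread does not name the second provider), and main runs on constructed label lists built from labels quoted earlier in the thread.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class TokenLeakCheck {
    // Label prefix of the extra objects the original poster found on the card.
    static final String LEAK_PREFIX = "IBMPKCS11";

    // Lists the aliases a PKCS#11 keystore exposes. On a real card, call this with
    // the second (auditing) provider before and after the load under test; the
    // provider and its keystore type are assumptions supplied by the caller.
    static List<String> listAliases(Provider auditProvider, String type, char[] pin)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type, auditProvider);
        ks.load(null, pin);
        return Collections.list(ks.aliases());
    }

    // Labels present after the load but not before, restricted to the leak prefix.
    static List<String> leaked(List<String> before, List<String> after) {
        List<String> extra = new ArrayList<String>(after);
        for (String label : before) {
            extra.remove(label); // removes one occurrence, so duplicated labels still count
        }
        List<String> result = new ArrayList<String>();
        for (String label : extra) {
            if (label.startsWith(LEAK_PREFIX)) result.add(label);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: the three original labels from the thread, then the
        // same card after one load with four of the reported IBMPKCS11 labels.
        List<String> before = Arrays.asList(
            "ba58b1be-6e5f-4ffc-a32e-142777ea0de4(1158840768)",
            "d1480262-dce2-4fdc-bd5e-d1d3a80e7a76",
            "ba58b1be-6e5f-4ffc-a32e-142777ea0de4");
        List<String> after = new ArrayList<String>(before);
        after.addAll(Arrays.asList(
            "IBMPKCS11981393124239694088370752",
            "IBMPKCS11622779772676422453153583",
            "IBMPKCS11445632878901860573925085",
            "IBMPKCS11166918693577469647657425"));
        List<String> extra = leaked(before, after);
        System.out.println(extra.size() + " leaked token object(s): " + extra);
        if (!extra.isEmpty()) System.exit(1); // non-zero exit flags the leak
    }
}
```
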
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-05-03T20:42:29Z  
    Part of loading the keystore is to match privates with certs. It sounds like this process is adding the keys to the card and they are not going away, which would mean you have an older version of the PKCS11Impl provider, or the card by default is setting the CKA_TOKEN attribute to true. You can add the following to your config file to fix this:
    attributes (IMPORT, CKO_PUBLIC_KEY, *) = {
        CKA_TOKEN = false
    }
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-05-04T02:50:44Z  
    Thanks peckit,
    I am using the JVM and IBMPKCS11Impl from Lotus Notes version 8. I think that would be the latest version of the JVM and IBMPKCS11Impl under the Lotus Notes environment.
    In addition, I think my IBMPKCS11Impl is the latest version because it supports the config file.
    I got the reference from the following URL.
    http://www-128.ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMJavaPKCS11ImplementationProvider.html

    I will try using your config attributes and report to this post soon.
    Thanks again.
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-05-04T03:09:32Z  
    I have tried adding those attributes.
    This error occurs:

    com.ibm.pkcs11.PKCS11Exception: Attribute value is invalid
    at com.ibm.pkcs11.nat.NativePKCS11Session.createObject(Native Method)
    at com.ibm.crypto.pkcs11impl.provider.RSAPublicKey.<init>(Unknown Source)
    at com.ibm.crypto.pkcs11impl.provider.RSAPKCS11KeyFactory.engineGeneratePublic(Unknown Source)
    at java.security.KeyFactory.generatePublic(KeyFactory.java:303)
    at com.ibm.security.x509.X509Key.buildX509Key(Unknown Source)
    at com.ibm.security.x509.X509Key.parse(Unknown Source)
    at com.ibm.security.x509.CertificateX509Key.<init>(Unknown Source)
    at com.ibm.security.x509.X509CertInfo.parse(Unknown Source)
    at com.ibm.security.x509.X509CertInfo.<init>(Unknown Source)
    at com.ibm.security.x509.X509CertImpl.parse(Unknown Source)
    at com.ibm.security.x509.X509CertImpl.<init>(Unknown Source)
    at com.ibm.crypto.pkcs11impl.provider.X509Factory.engineGenerateCertificate(Unknown Source)
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:378)
    at com.ibm.crypto.pkcs11impl.provider.PKCS11KeyStore.engineLoad(Unknown Source)
    Unexpected exception0: Attribute value is invalid
    at java.security.KeyStore.load(KeyStore.java:1173)
    at test.main(test.java:36)
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-05-04T03:41:34Z  
    When using the following config line:
    attributes (IMPORT, CKO_PUBLIC_KEY, *) = { CKA_TOKEN = false }
    There is an error: Attribute value is invalid

    When using the following config line:
    attributes (IMPORT, CKO_PUBLIC_KEY, *) = { CKA_TOKEN = true }
    There is no error.
    But some IBMPKCS11Impl keys are written to the hardware device (smartcard).

    That means the default of IBMPKCS11Impl is CKA_TOKEN=true.
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-05-07T09:40:04Z  
    I have faced a similar case recently. You may be triggering the "automatic" mechanism on CKM_RSA_PKCS_KEY_PAIR_GEN. Try adding the following lines to the pkcs11.cfg file to disable the mechanism.

    disabledMechanisms = {
        CKM_RSA_PKCS_KEY_PAIR_GEN
    }

  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2007-05-09T04:40:16Z  
    I have added that line and it seems to work.
    No more keys are added to my smartcard.

    Thank you very much!
  • PaulBrittin
    PaulBrittin
    1 Post

    Re: Error on KeyStore.Load under JVM 1.5 with IBMPKCS11Impl

    ‏2013-04-24T18:28:35Z  
    What line was added? I am having the same problem.