
I'm trying to read the public certificate names from a smartcard to display to the user before they sign a file using a Gemalto smartcard. I've followed the getInfo example from the iaikPkcs11Wrapper demos, as below:

        // Load the PKCS#11 module (vendor DLL path comes from settings)
        Module pkcs11Module = Module.getInstance(settings.getCryptoDll());
        Slot[] slotList;
        try {
            slotList = pkcs11Module.getSlotList(true); // true = only slots with a token present
        } catch (TokenException tex) { // module is not initialised
            tex.printStackTrace();
            pkcs11Module.initialize(new DefaultInitializeArgs());
            slotList = pkcs11Module.getSlotList(true);
        }
        for (Slot slot : slotList) {
            Token token = slot.getToken();
            // Serial, read-only session
            iaik.pkcs.pkcs11.Session session = token.openSession(true, SessionReadWriteBehavior.RO_SESSION, null, null);
            session.findObjectsInit(null);
            Object[] objects = new Object[0];
            try {
                objects = session.findObjects(1); // CKR_TEMPLATE_INCONSISTENT is thrown here
            } catch (TokenException tex) {
                tex.printStackTrace();
            } finally {
                session.closeSession();
            }
        }

This always fails at the line objects = findObjects(1); with a CKR_TEMPLATE_INCONSISTENT exception.

As I understand from the documentation, session.findObjectsInit(null) should just return all accessible objects on the card and you can then compare them for type.

I have various smartcards and they all fail like this. I've also tried calling session.findObjectsInit(tempObj) with a GenericTemplate object and an X509PublicKeyCertificate, which both return the same exception, and with an X509AttributeCertificate, which returns no objects but does not throw the exception.

I'd appreciate any pointers anyone can give. Or do I need to create a matching template object using GenericTemplate? I'm unsure why I'm getting the exception, as I thought passing the object into the getObjectInit method filtered for that object, so anything returned should match.

EDIT: I've subsequently tried with other templates. Ones for objects not on the card just return an empty array with no exception, and ones I think are on the cards just throw the CKR_TEMPLATE_INCONSISTENT exception. Any help would be gratefully received.

EDIT2: I've now tried with some new 'V3' cards, which do in fact work. All my test cards work using another technique (we currently use CAPICOM via com4J for signing), so maybe there is an issue with the IAIK wrapper, or gclib.dll (or me).

Egg Vans
  • Probably the best idea is to use/create a PKCS#11 proxy and log or make your PKCS#11 .dll log itself. This could show you where stuff goes wrong. But it could be a PKCS#11 / card mismatch. Ask IAIK, and if that doesn't help, ask Gemalto. This is too specific to find out by asking on SO (unless you are *very* lucky of course). – Maarten Bodewes May 30 '15 at 22:31
  • @Maarten Thanks for the comment. I'm looking into something else now; I thought it may just be an issue with my usage of the IAIK wrapper, but it seems like it's more than that. – Egg Vans Jun 01 '15 at 09:26

0 Answers