
I want to get all of my key aliases from the HSM, but I get this error message:

Exception in thread "main" java.io.IOException: load failed
    at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:778)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at eracom.provider.ProCrypt.main(ProCrypt.java:99)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OBJECT_HANDLE_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
    at sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2415)
    at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:770)

If I create just one secret key on the HSM, there is no problem: I can get the alias from the HSM. But if I have 2 or more, I get the error. How do I solve it?

    import java.security.KeyStore;
    import java.security.Provider;
    import java.util.Enumeration;
    import javax.crypto.SecretKey;

    // 'pkcs11' is the SunPKCS11 Provider configured for the HSM slot and
    // 'slotPIN' is the slot's user PIN as a char[]; both are set up earlier in main.
    KeyStore keyStore = KeyStore.getInstance("PKCS11", pkcs11);
    // Logging in to the token and building the label -> alias map happens here;
    // this is the call that throws "load failed" in the trace above.
    keyStore.load(null, slotPIN);

    // Look up one key by its CKA_LABEL (the alias). The PKCS11 KeyStore has no
    // per-entry passwords, so the second argument is not what protects the key.
    SecretKey key = (SecretKey) keyStore.getKey("KEY2", slotPIN);
    System.out.println("key's attributes: " + key.toString());

    // Enumerate every alias (label) the provider mapped from the token.
    Enumeration<String> aliases = keyStore.aliases();
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        System.out.println("key label name : " + alias);
    }
Mehmet Özcan
  • When you have more than one object created on the HSM, do they have different aliases? Sun's PKCS#11 implementation doesn't handle duplicate aliases. It needs all the aliases to be unique. Maybe you are running the same test code to generate objects repeatedly, which generates the same alias. Try to change the alias each time, and see if you can list all the aliases. – always_a_rookie Sep 16 '19 at 20:28
  • Thanks for your answer, I've already solved this problem. I want to ask you one more thing. While I'm trying to get an RSA key pair (public and private) from the HSM, do I need a certificate? – Mehmet Özcan Sep 17 '19 at 08:02
  • If you solved the problem you should post it as an answer describing how you solved it, which will help others who face the same issue. You could also get some reputation points doing so. And to answer your other question: yes, for the Sun provider to identify a key pair, it needs a certificate associated with the private key. You can use the Bouncy Castle library to create a self-signed certificate. – always_a_rookie Sep 17 '19 at 12:16
  • @MehmetÖzcan, so how did you solve it? – ralien Mar 13 '23 at 13:39

0 Answers
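The two points made in the comments, put into code as an added example (this is not the asker's program nor the commenters' code): choose an alias that is not already a label on the token before storing an object, so SunPKCS11's label-to-alias map stays one-to-one, and attach a self-signed certificate to an HSM-generated RSA private key so the Sun provider exposes the pair as a KeyStore entry. It assumes Java 9 or later (for `Provider.configure`), Bouncy Castle's bcpkix jar on the classpath, and a SunPKCS11 config file whose path is passed as the first argument with the slot PIN as the second; the class name `Pkcs11Aliases`, its method names, the alias bases and the config contents shown in the comment are all illustrative.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class Pkcs11Aliases {

    // Assumed SunPKCS11 config file (path in args[0]), for example:
    //   name = HSM
    //   library = /opt/hsm/lib/libcryptoki.so
    //   slotListIndex = 0
    // Java 9+ API; on Java 8 use new sun.security.pkcs11.SunPKCS11(configPath) instead.
    static Provider loadPkcs11Provider(String configPath) {
        return Security.getProvider("SunPKCS11").configure(configPath);
    }

    // load() logs in and maps every token object's CKA_LABEL to an alias; two objects
    // sharing a label is what makes it fail with "load failed" / CKR_OBJECT_HANDLE_INVALID.
    static KeyStore openTokenKeyStore(Provider pkcs11, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
        ks.load(null, pin);
        return ks;
    }

    // Return 'base' if it is free on the token, otherwise base-2, base-3, ... so repeated
    // runs of the same code never create two objects with the same label.
    static String uniqueAlias(KeyStore ks, String base) throws Exception {
        String alias = base;
        for (int i = 2; ks.containsAlias(alias); i++) {
            alias = base + "-" + i;
        }
        return alias;
    }

    // Generate an AES key inside the HSM and persist it as a token object labelled 'alias'.
    static String storeSecretKey(KeyStore ks, Provider pkcs11, String base) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES", pkcs11);
        kg.init(256);
        SecretKey key = kg.generateKey();
        String alias = uniqueAlias(ks, base);
        ks.setKeyEntry(alias, key, null, null);   // secret keys take no certificate chain
        return alias;
    }

    // Generate an RSA key pair inside the HSM. The Sun provider only exposes a private key
    // as a KeyStore entry when a certificate is attached, so wrap the public key in a
    // self-signed certificate signed by the HSM-resident private key (it never leaves the token).
    static String storeKeyPair(KeyStore ks, Provider pkcs11, String base) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", pkcs11);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String alias = uniqueAlias(ks, base);

        X500Name name = new X500Name("CN=" + alias);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider(pkcs11).build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(builder.build(signer));

        ks.setKeyEntry(alias, kp.getPrivate(), null, new Certificate[] { cert });
        return alias;
    }

    // Print every alias the provider mapped from the token, with the entry type.
    static void listAliases(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind = ks.isKeyEntry(alias) ? "key" : ks.isCertificateEntry(alias) ? "certificate" : "other";
            System.out.println(alias + " (" + kind + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        Provider pkcs11 = loadPkcs11Provider(args[0]);
        char[] pin = args[1].toCharArray();
        KeyStore ks = openTokenKeyStore(pkcs11, pin);
        storeSecretKey(ks, pkcs11, "KEY");
        storeSecretKey(ks, pkcs11, "KEY");   // second call yields "KEY-2", never a duplicate label
        storeKeyPair(ks, pkcs11, "RSA");
        ks.load(null, pin);                  // rebuild the alias map from the token before listing
        listAliases(ks);
    }
}
```

Run it twice against the same token and the aliases keep growing (`KEY`, `KEY-2`, `RSA`, `KEY-3`, ...) instead of the second run reproducing the load failure. If objects with duplicate labels were already created by an earlier test, `load()` will still fail; those have to be renamed or deleted with the HSM vendor's tooling, since the Sun KeyStore cannot open the token to do it.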