Frequently asked Questions (FAQs)
Here we provide answers to frequently asked questions. These may help you to solve problems quickly.
- `java.lang.UnsatisfiedLinkError: no pkcs11wrapper in java.library.path`?
- `CKR_OPERATION_NOT_INITIALIZED` mean?
- `iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID`. What is wrong?
- `java.lang.UnsatisfiedLinkError: Native Library pkcs11wrapper.dll already loaded in another classloader`. What causes this problem and how can I solve it?
- `findObjectsInit`, `findObjects` and `findObjectsFinal` to search for certain objects and seems to get objects that do not match the template. Is that a bug of the wrapper?
- `findObjectsInit`, `findObjects` and `findObjectsFinal` to search for certain objects. The find operation does not return any objects, even if there are objects on the token that match the template. What is wrong?
- `GetInfo` demo even shows it. Is this a bug?

`java.lang.UnsatisfiedLinkError: no pkcs11wrapper in java.library.path`?

It seems that you do not have the pkcs11wrapper.dll (or libpkcs11wrapper.so under Unix) in your search path.
You can provide such a path directly to the Java VM by setting the `java.library.path` system property, like:

```
java -Djava.library.path=../../native/platforms/win32/Release;. -cp ../classes;../../java/classes;../../java/resources;../lib/iaik_jce_full.jar demo.pkcs.pkcs11.GetInfo cryptoki.dll
```
where `../../native/platforms/win32/Release` is the path where the pkcs11wrapper.dll (or libpkcs11wrapper.so under Unix) file is. You can also place the file in the folder for binary files of your Java Runtime Environment; e.g. the jre/bin folder.

Alternatively, you can also place the file pkcs11wrapper.dll in the system directory of Windows. On Unix systems you can place the libpkcs11wrapper.so in a lib directory of the system.

`CKR_OPERATION_NOT_INITIALIZED` mean?

This normally means that the PKCS#11 driver you are using has a bug. We observed this bug with the drivers for iButton (version 1.01) and with older drivers for Datakey cards and iKey 2000 series tokens. For Datakey cards and iKey 2000 series tokens there are already drivers that fix this bug.

Bug details: The wrapper asks the driver for the required buffer length for
returned data. It uses the method specified in the PKCS#11 standard - it passes
NULL_PTR as buffer when calling the driver function (e.g. C_Sign). The driver
must answer with the required buffer length, but it must not abort any active
operation (e.g. signing). Thereafter, the wrapper allocates the required buffer
and calls the function (e.g. C_Sign) a second time, providing the appropriate
buffer. Now the driver should process the operation and finalize it if appropriate.
Drivers with that bug abort the active operation after the first (query buffer
length) call. According to the standard they must not do this.

If you want to do a workaround, this is possible. You have to modify the function `Java_iaik_pkcs_pkcs11_wrapper_PKCS11Implementation_C_1Sign` in the file `pkcs11wrapper.c`. Instead of asking for the required buffer length, modify the wrapper to use a buffer with a sufficient length. Have a look at the source code; you will quickly see what has to be done. To anticipate the question: No, this workaround will not become part of the next release. We do not include any code whose only purpose is to work around bugs of third-party products.
Ask the vendor of the product to fix the bug.
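
The failure and the workaround described above, reproduced against a mock driver as an added example (not code from the wrapper or from any vendor driver). `mock_driver`, `mock_sign`, `sign_query_then_call` and `sign_fixed_buffer` are hypothetical names and the signature bytes are constructed; only the `CKR_*` values are taken from PKCS#11.

```c
#include <stdlib.h>
#include <string.h>

/* Return codes carry their PKCS#11 values; the driver below is a mock. */
#define CKR_OK                        0x00000000UL
#define CKR_HOST_MEMORY               0x00000002UL
#define CKR_OPERATION_NOT_INITIALIZED 0x00000091UL
#define CKR_BUFFER_TOO_SMALL          0x00000150UL
#define SIG_LEN 8UL                   /* constructed signature length */

typedef struct { int active; int buggy; } mock_driver;   /* hypothetical */

/* Mock C_Sign: sig == NULL is the length query described in the text. */
static unsigned long mock_sign(mock_driver *d, unsigned char *sig, unsigned long *len) {
    if (!d->active) return CKR_OPERATION_NOT_INITIALIZED;
    if (sig == NULL) {
        *len = SIG_LEN;
        if (d->buggy) d->active = 0;  /* the bug: the query aborts the operation */
        return CKR_OK;
    }
    if (*len < SIG_LEN) { *len = SIG_LEN; return CKR_BUFFER_TOO_SMALL; }
    memset(sig, 0xAB, SIG_LEN);       /* constructed "signature" bytes */
    *len = SIG_LEN;
    d->active = 0;                    /* a completed call ends the operation */
    return CKR_OK;
}

/* What the wrapper does: query the length, allocate, call a second time. */
unsigned long sign_query_then_call(mock_driver *d) {
    unsigned long len = 0, rv;
    unsigned char *buf;
    d->active = 1;                    /* stands in for C_SignInit */
    if ((rv = mock_sign(d, NULL, &len)) != CKR_OK) return rv;
    if ((buf = malloc(len)) == NULL) return CKR_HOST_MEMORY;
    rv = mock_sign(d, buf, &len);
    free(buf);
    return rv;
}

/* The workaround: no length query, one call with a sufficiently large buffer. */
unsigned long sign_fixed_buffer(mock_driver *d) {
    unsigned char buf[512];
    unsigned long len = sizeof buf;
    d->active = 1;                    /* stands in for C_SignInit */
    return mock_sign(d, buf, &len);
}
```

With `buggy` set, `sign_query_then_call` fails on its second call with `CKR_OPERATION_NOT_INITIALIZED`, while `sign_fixed_buffer` succeeds against both the conforming and the buggy mock.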

`iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID`. What is wrong?

We had similar problems with certain cards; e.g. the Rainbow iKey2032 and DataKey cards. This is due to bugs in drivers. As a workaround you can try to set the class and key-type attributes as not present. This may look like this:

```java
// mark the class and key-type attributes of the template as not present
secreteEnrcyptionKeyTemplate.getObjectClass().setPresent(false);
secreteEnrcyptionKeyTemplate.getKeyType().setPresent(false);
```

Maybe the driver accepts the key template if you try this.

`java.lang.UnsatisfiedLinkError: Native Library pkcs11wrapper.dll already loaded in another classloader`. What causes this problem and how can I solve it?

The Java VM causes this error. SUN's Java VMs have the restriction that they cannot handle native libraries from more than one classloader. You may have a look at the bug database at SUN's Java web site and search for the bug entries with the IDs 4286309, 4642062 and 4299094. Given the comments from SUN, the fact that they consider this a restriction (or a feature) rather than a bug, and the fact that this bug has been there for many years, it is unlikely that this will be fixed soon. The only workaround that we are aware of is to place the class which directly accesses the native library (i.e. `iaik.pkcs.pkcs11.wrapper.PKCS11Implementation`) or the complete jar file which contains this class (i.e. `iaikPkcs11Wrapper.jar`) into the `jre/lib/ext` directory of the Java Runtime.

Note that this problem may also occur in application servers. The solution will be analogous there. However, we have heard that there are other VMs (like Oracle) which do not contain this bug.

`findObjectsInit`, `findObjects` and `findObjectsFinal` to search for certain objects and seems to get objects that do not match the template. Is that a bug of the wrapper?

No, this is not a bug of the wrapper. It is a bug of the PKCS#11 driver that you use. We found such bugs in drivers for DataKey cards and iKey 2000 series tokens.

`findObjectsInit`, `findObjects` and `findObjectsFinal` to search for certain objects. The find operation does not return any objects, even if there are objects on the token that match the template. What is wrong?

It is a bug of the PKCS#11 driver that you use. We found such bugs in drivers for DataKey cards and iKey 2000 series tokens.

`GetInfo` demo even shows it. Is this a bug?

Yes, it is a bug in the find operations of the PKCS#11 driver that you use. We found such bugs in drivers for DataKey cards and iKey 2000 series tokens.

There is a demo included to do that. It is called `DownloadPrivateKey`. You can start it using the batch file in the `demo/test` directory.

There is a demo included to do that. It is called `DumpObjects`. You can start it using the batch file in the `demo/test` directory. In the output directory that you specify on the command line, you can find the DER-encoded certificates. In Windows you can open them by simply double-clicking them in the file explorer.

The Microsoft Java VM is based on the JDK 1.1.5 specification and requires a native wrapper DLL which does not use callbacks. In the directory `native/platforms/win32/release_JDK11` there is such a version. You must place this DLL somewhere in the search path of your system; e.g. `C:\WINNT\System32`. In addition, it is necessary to place the wrapper's class files in the classes directory of the Java VM. This is usually in the `<Windows DIR>/java/classes`. You must place the class files unpacked; e.g. `C:/WINNT/java/classes/iaik/pkcs/pkcs11/Module.class` and so on. Your applet which is based on the PKCS#11 wrapper can be developed and deployed like any other applet. Unfortunately, there seems to be no easier way to get the wrapper running with the Microsoft VM.