I'm running the latest opensc 0.12.2 on Ubuntu 11.10 with OpenJDK (java version "1.6.0_22").
I can read my smart card (a Feitian ePass PKI) with:
pkcs15-tool --dump
Now I am trying to use my smart card with keytool:
keytool \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg /etc/opensc/opensc-java.cfg \
-keystore NONE -storetype PKCS11 -list
This results in an error:
keytool error: java.security.KeyStoreException: PKCS11 not found
java.security.KeyStoreException: PKCS11 not found
at java.security.KeyStore.getInstance(KeyStore.java:603)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:621)
at sun.security.tools.KeyTool.run(KeyTool.java:194)
at sun.security.tools.KeyTool.main(KeyTool.java:188)
Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:696)
at java.security.KeyStore.getInstance(KeyStore.java:600)
... 3 more
When I enable the debug option and run the same command, like this:
keytool \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg /etc/opensc/opensc-java.cfg \
-keystore NONE -storetype PKCS11 -list \
-J-Djava.security.debug=sunpkcs11
it suddenly works:
... debug infos ...
Enter keystore password:
sunpkcs11: login succeeded
Keystore type: PKCS11
Keystore provider: SunPKCS11-OpenSC
Your keystore contains 2 entries
...
Certificate fingerprint (MD5): ...
...
Certificate fingerprint (MD5): ...
It behaves the same way when I configure it statically:
$ grep opensc /usr/lib/jvm/java-6-openjdk/jre/lib/security/java.security
security.provider.7=sun.security.pkcs11.SunPKCS11 /etc/opensc/opensc-java.cfg
My configuration:
$ cat /etc/opensc/opensc-java.cfg
name = OpenSC
description = SunPKCS11 w/ OpenSC Smart card Framework
library = /usr/lib/opensc-pkcs11.so
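I suspect this may have something to do with openjdk or the internal package sun.security, since it is an internal package that is not normally used. Perhaps enabling the debug option activates this internal package?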
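The slot = -1 trick in the keytool call did not work for me. However, adding -J-Djava.security.debug=sunpkcs11 to the command line does work. - Hans-Christoph Steiner

in openjdk-7-jdk:i386, 7u111-2.6.7-1. Since I have both openjdk7 and Oracle JDK 7 installed, I first checked whether keytool was linked to the binary from Open JDK 7. After switching to Oracle JDK 7 the problem went away. - WesternGun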
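
A static sanity check for the registration shown in the question, as an added example that is not part of the original post or of OpenSC/OpenJDK code: it confirms that the SunPKCS11 line in java.security is reachable (the JDK reads security.provider.N consecutively from 1 and stops at the first missing number), that the config file is readable, and that its library path exists. The function names and sample files are constructed for illustration, and the check does not explain the debug-flag behaviour described above.

```shell
# Print the config path of the SunPKCS11 entry in a java.security file.
# The list is walked from 1 upward and ends at the first missing number,
# so an entry placed after a numbering gap is reported as absent.
pkcs11_cfg_from_java_security() {
    awk '
        /^security\.provider\.[0-9]+=/ {
            eq = index($0, "=")
            entry[substr($0, 19, eq - 19) + 0] = substr($0, eq + 1)
        }
        END {
            for (i = 1; (i in entry); i++) {
                split(entry[i], f, " ")
                if (f[1] == "sun.security.pkcs11.SunPKCS11") { print f[2]; exit 0 }
            }
            exit 1
        }' "$1"
}

# Print the value of the "library" attribute of a SunPKCS11 config file.
pkcs11_library_from_cfg() {
    sed -n 's/^[[:space:]]*library[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Status: 0 ok, 1 provider not registered or behind a numbering gap,
# 2 config file unreadable, 3 PKCS#11 library missing or unreadable.
check_pkcs11_static() {
    cfg=$(pkcs11_cfg_from_java_security "$1") || return 1
    [ -r "$cfg" ] || return 2
    lib=$(pkcs11_library_from_cfg "$cfg")
    [ -n "$lib" ] && [ -r "$lib" ] || return 3
    echo "SunPKCS11 config=$cfg library=$lib"
}

# Constructed sample files (not from a real system; provider class names are
# placeholders). In the "gap" file provider 6 is missing, so entry 7 is unreachable.
demo=$(mktemp -d)
printf 'name = OpenSC\nlibrary = %s/opensc-pkcs11.so\n' "$demo" > "$demo/opensc-java.cfg"
: > "$demo/opensc-pkcs11.so"
{
    for n in 1 2 3 4 5; do echo "security.provider.$n=example.Provider$n"; done
    echo "security.provider.7=sun.security.pkcs11.SunPKCS11 $demo/opensc-java.cfg"
} > "$demo/java.security.gap"
sed 's/provider\.7=/provider.6=/' "$demo/java.security.gap" > "$demo/java.security.ok"
check_pkcs11_static "$demo/java.security.gap" || echo "gap file: status $?"
check_pkcs11_static "$demo/java.security.ok"
```

On a real system, pass the java.security path from the question to check_pkcs11_static instead of the constructed files.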