mjspier

Reputation: 6536

How to properly reload a PKCS11 KeyStore

I would like to test my keys in the PKCS11 keystore. But it seems my keystore is not updated when an external process is adding or deleting keys in the store.

The second time I print the aliases does not include new aliases which are inserted in between.

How can I properly reload the keystore?

import java.io.IOException;
import java.io.InputStream;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Collections;
import java.util.Enumeration;
import javax.security.auth.login.LoginException;

public class KeyStoreTest {

    public static void main(String[] args) throws KeyStoreException,
            NoSuchAlgorithmException, CertificateException, IOException, LoginException {

        // initialize keystore from the SunPKCS11 config file on the classpath
        InputStream is = KeyStoreTest.class.getResourceAsStream("pkcs11-hsm.config");
        AuthProvider provider = new sun.security.pkcs11.SunPKCS11(is);
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, "0000".toCharArray());   // null stream: the token, not a file, backs the store

        // print all aliases
        Enumeration<String> aliases = ks.aliases();
        for (String key : Collections.list(aliases))
            System.out.println("alias: " + key);

        // upload or delete keys with external tool here

        // print all aliases again (does not change)
        ks.load(null, "0000".toCharArray());
        aliases = ks.aliases();
        for (String key : Collections.list(aliases))
            System.out.println("alias: " + key);
    }
}

EDIT:

I followed the instructions from the PKCS11 reference: http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

char[] pin = ...; 
KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, pin);

To my understanding, when using a PKCS11 keystore the security provider handles storing and loading of keys. Therefore I don't have to specify an InputStream when I load the keystore.

Upvotes: 1

Views: 4296
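An added example (not from the question or from the JDK) showing one way to get a fresh view of the token: instead of calling load() again on the same KeyStore, log out, build a new SunPKCS11 provider instance from the same config, and load a new KeyStore through it, then diff the alias sets. It assumes the JDK 7/8 sun.security.pkcs11.SunPKCS11(String) constructor used in the question's era, a hypothetical config path "pkcs11-hsm.config", and that a new provider instance opens new token sessions that see the current token contents.

```java
import java.io.IOException;
import java.security.AuthProvider;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.login.LoginException;

/** Reloads a SunPKCS11 keystore by replacing the provider instance (hypothetical helper). */
public final class Pkcs11Reloader {
    private final String configPath;   // assumed path to the SunPKCS11 config file
    private final char[] pin;
    private AuthProvider provider;     // current provider instance, null until first reload()

    public Pkcs11Reloader(String configPath, char[] pin) {
        this.configPath = configPath;
        this.pin = pin.clone();
    }

    /** Logs out of the old provider, creates a new one and loads a new KeyStore through it. */
    public synchronized KeyStore reload() throws GeneralSecurityException, IOException {
        if (provider != null) {
            try { provider.logout(); } catch (LoginException ignored) { /* already logged out */ }
        }
        // JDK 7/8 constructor; a new instance gets its own token sessions
        provider = new sun.security.pkcs11.SunPKCS11(configPath);
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin);   // null stream: the token, not a file, backs the store
        return ks;
    }

    /** Sorted snapshot of the aliases currently visible on the token. */
    public static Set<String> aliases(KeyStore ks) throws GeneralSecurityException {
        return new TreeSet<>(Collections.list(ks.aliases()));
    }

    public static void main(String[] args) throws Exception {
        Pkcs11Reloader r = new Pkcs11Reloader("pkcs11-hsm.config", "0000".toCharArray());
        Set<String> before = aliases(r.reload());
        // ... external tool adds or deletes keys on the token here ...
        Set<String> after = aliases(r.reload());
        Set<String> added = new TreeSet<>(after);    added.removeAll(before);
        Set<String> removed = new TreeSet<>(before); removed.removeAll(after);
        System.out.println("added: " + added + " removed: " + removed);
    }
}
```

The alias diff is the useful output for key-inventory checks: it tells you exactly which objects appeared or disappeared on the token between two snapshots.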

Answers (2)

fbacher

Reputation: 11

For PKCS11 truststores, the InputStream argument to KeyStore.getInstance must (perhaps should) be null. It is not used, so there is no file to close.

Upvotes: 1

konstantin

Reputation: 136

Try loading it explicitly:

KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
keyStore.load(trustStore, trustStorePassword);
trustStore.close();

Upvotes: 0
