Pheox - Forums

Could not open certificate store
Anonymous


Hi,

I'm currently trying to evaluate JCAPI. When running demo class ListAllCerts I get an exception at line: "for(java.util.Enumeration e = ks.aliases(); e.hasMoreElements(); )".

The output is the following:
-----------------------------------
Example program failed.
com.pheox.jcapi.JCAPIJNIRuntimeException: Exception raised in JCAPI.DLL:
JCAPIKeyStore_aliases() - Could not open certificate store: UserDS
at com.pheox.jcapi.CoreKeyStoreJNI.aliases(Native Method)
at com.pheox.jcapi.g.a(Unknown Source)
at com.pheox.jcapi.JCAPIKeyStore.engineAliases(Unknown Source)
at java.security.KeyStore.aliases(KeyStore.java:943)
at ListAllCerts.main(ListAllCerts.java:24)
----------------------------------------

I've got SmartTrust Personal 3.0.2 installed (and also NetID but that's disabled) with a card reader Gemplus and a smart card, but also a soft test cert from TeliaSonera imported into Personal. I'm running on JDK1.5 and the example code is compiled on the same Java.

What can be the cause of the problem?

I would be very grateful for help as soon as possible!


Thanks
Mattias
Anonymous


Too much in a hurry!

Forgot to tell that it's on Win2000 SP4. Maybe should also mention that the demo is running in IntelliJ IDEA 5 (though shouldn't make any difference as I see it).


Mattias
Anonymous


I can add that I've tried the corresponding demo class ListCerts of Assembla JCE Provider under the same conditions AND IT WORKS!

What's the problem with JCAPI's version?


Mattias
tommy

Visitor

Joined: May 30, 2005
Messages: 148
Offline
Hi Mattias,

First, regarding your conclusion:


"I can add that I've tried the corresponding demo class ListCerts of Assembla JCE Provider under the same conditions AND IT WORKS!"


As far as I recall, the Assembla JCE is hardcoded to only search through the Other People (ADDRESSBOOK) and the Personal (MY) certificate stores, while JCAPI will search through all certificate stores that are defined/available for the current user. In short, it means that the problem cannot be triggered by the Assembla JCE provider since your UserDS certificate store is never accessed by the Assembla JCE provider.

You can patch your problem by excluding the UserDS certificate store in JCAPI i.e. you can use the following at the beginning of your program:

String[] certStores = JCAPIProperties.getInstance().getMSCertStoreNames();
ArrayList<String> al = new ArrayList<String>(Arrays.asList(certStores));
al.remove("UserDS");
certStores = al.toArray(new String[0]);
JCAPIProperties.getInstance().setMSCertStoreNames(certStores);

However, the code above will only solve your problem temporarily. So, in order to solve it correctly, we'll need some more information from you. Please supply answers to the following questions:
1. Do you have the same problem if you remove the smart card from your reader?
2. Do you have any certificates in your UserDS certificate store? Hint: start the mmc program and add the certificates snap-in (File -> Add/Remove snap-in.. -> Add -> Certificates), then check if there are any certificates in the Active Directory User Object folder.
3. Do you use the smart card to login on your system?

Regards,
Tommy
Anonymous


Hi Tommy and thanks for the reply!

If I exclude UserDS with the patch it works. Otherwise I get the same error as before, even if I remove the smart card from the reader.

I've got no certs in the Active Directory User Object folder.

Yes, I need a smart card to login on our system. So our system requires client authentication which, as I understand, the current version of JCAPI supports. (A question following on this: is Java 1.5 required to make it work?)


Mattias
tommy

Hi Mattias,

I'm having problems reproducing your reported error condition, mainly because our w2k machine is not part of a Windows domain, which excludes the possibility of testing the smart card login through Active Directory.

I think it would be better if I extend JCAPI to not return the name of a certificate store that cannot be successfully opened i.e. JCAPI must test to open each store when the list of available stores is collected.
I'll try to incorporate this functionality during the coming week.

Btw, is there a reason for you to use such an old version of SmartTrust (3.0.2)? I'm using version 3.3.1, even though it should have nothing to do with your problem, you might consider an upgrade.

Regarding your question about client authentication. Yes, you must use Java 5 with the JCAPI SSL plugin to utilise client authentication when a private key is not exportable (such as the case with hardware tokens).

Regards,
Tommy
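
The approach described in the post above, test-opening each store while the list of names is collected, can be sketched as follows. This is an added example, not JCAPI's code and not something posted in the thread: StoreProbe, Result and filterOpenable are hypothetical names, the store list is constructed, and the probe only simulates the UserDS failure reported here.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class OpenableStoreFilter {

    /** Hypothetical hook: try to open one store, throw if it cannot be opened. */
    interface StoreProbe {
        void open(String storeName) throws Exception;
    }

    /** Stores that opened, plus the ones that did not and the reason. */
    static final class Result {
        final List<String> usable = new ArrayList<>();
        final Map<String, String> skipped = new LinkedHashMap<>();
    }

    /** Probe every name once; usable names keep their original order. */
    static Result filterOpenable(String[] storeNames, StoreProbe probe) {
        Result r = new Result();
        for (String name : storeNames) {
            try {
                probe.open(name);
                r.usable.add(name);
            } catch (Exception e) {
                // Record the failure instead of aborting the whole enumeration,
                // so a skipped store stays visible to whoever reads the log.
                r.skipped.put(name, e.getMessage());
            }
        }
        return r;
    }

    public static void main(String[] args) {
        // Constructed sample list; a real program would start from
        // JCAPIProperties.getInstance().getMSCertStoreNames().
        String[] names = {"MY", "ADDRESSBOOK", "ROOT", "CA", "UserDS"};
        // Constructed probe that simulates the failure reported in this thread.
        StoreProbe probe = storeName -> {
            if (storeName.equals("UserDS")) {
                throw new IllegalStateException("Could not open certificate store: " + storeName);
            }
        };
        Result r = filterOpenable(names, probe);
        System.out.println("usable:  " + r.usable);
        System.out.println("skipped: " + r.skipped);
        // r.usable.toArray(new String[0]) is the array to hand to setMSCertStoreNames(...).
    }
}
```

Keeping the skipped names and their error messages matters here: a store that silently drops out of the list also drops its certificates from every later lookup, so the reason should end up in the application log.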
tommy

Updated information!

The problem with existing certificate stores that cannot be opened has now been fixed in JCAPI v1.1.1.

Regards,
Tommy