Question

I'm using the following code to access the contents of a PKCS#11 smartcard from an Athena smartcard reader.

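    import java.io.ByteArrayInputStream;
    import java.security.KeyStore;
    import java.security.Provider;
    import java.security.Security;
    import sun.security.pkcs11.SunPKCS11;

    // Build a SunPKCS11 provider from the config string and replace any
    // provider already registered under the same name.
    Provider pkcs11Provider = new SunPKCS11(new ByteArrayInputStream(config.getBytes()));
    if (Security.getProvider(pkcs11Provider.getName()) != null) {
        Security.removeProvider(pkcs11Provider.getName());
    }

    Security.addProvider(pkcs11Provider);

    // Load the token-backed keystore with the password the user entered.
    KeyStore myKeyStore = KeyStore.getInstance("PKCS11", pkcs11Provider);
    myKeyStore.load(null, keystore_password.toCharArray());

    return myKeyStore;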

The problem is as follows:

  1. I enter a wrong password.
  2. The code throws an exception (as expected).
  3. I enter the correct password.
  4. The code does not throw an exception (as expected).
  5. I enter a wrong password.
  6. The code does not throw an exception (unexpected).

According to http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html, when the KeyStore.Builder class is used, no password is asked for after the first successful load using the same smartcard. Of course, I'm not using this class in the code above. Does the same thing apply to the KeyStore.getInstance(...) method? Is there any way to make the keystore throw exceptions when wrong passwords are entered, regardless of previous load attempts?


Solution

Try this:

    // End the current token login, then clear the provider's properties.
    ((SunPKCS11) pkcs11Provider).logout();
    pkcs11Provider.clear();

If this doesn't help, then replace the provider with a newly created SunPKCS11 object before each login.
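
As an added example (not code from the question or the answer), the logout-before-load approach suggested above can be wrapped so that every load has to authenticate to the token again and a rejected password is reported separately from other I/O failures. It uses the public `java.security.AuthProvider` API that SunPKCS11 extends; the class, method and exception names are hypothetical, and the provider is assumed to be the one built as in the question.

```java
import java.io.IOException;
import java.security.AuthProvider;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import javax.security.auth.login.LoginException;

// Added example; all names in this class are hypothetical.
public final class Pkcs11FreshLogin {

    /** Raised when the token login itself failed (for example, a wrong password). */
    public static final class TokenLoginException extends Exception {
        TokenLoginException(Throwable cause) { super("token login failed", cause); }
    }

    /**
     * Loads the PKCS11 keystore so that the password is checked on every call.
     * The provider is the SunPKCS11 instance; the pin array is wiped before return.
     */
    public static KeyStore loadWithFreshLogin(AuthProvider provider, char[] pin)
            throws TokenLoginException, IOException, GeneralSecurityException {
        try {
            // Drop any login left over from an earlier successful load, so the
            // load below cannot succeed on the strength of the old session.
            provider.logout();
            KeyStore ks = KeyStore.getInstance("PKCS11", provider);
            ks.load(null, pin);
            return ks;
        } catch (IOException e) {
            // KeyStore.load documents a wrong password as an IOException whose
            // cause is UnrecoverableKeyException. Treating a LoginException
            // cause the same way is an assumption made for this example.
            Throwable cause = e.getCause();
            if (cause instanceof UnrecoverableKeyException || cause instanceof LoginException) {
                throw new TokenLoginException(e);
            }
            throw e; // some other failure, e.g. the card or reader is unavailable
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the password in memory
        }
    }

    /** Ends the authenticated state once the caller is done with the keys. */
    public static void endSession(AuthProvider provider) throws LoginException {
        provider.logout();
    }
}
```

Logging out affects everything obtained through that provider instance, so call `endSession` only after the last use of keys from the returned keystore.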

License: CC-BY-SA with attribution
Not affiliated with StackOverflow