ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

jsign with yubikey under windows #122

Closed bse-sja closed 2 years ago

bse-sja commented 2 years ago

Have jsign 4.1-SNAPSHOT working with YubiKey under Linux.

But I get the following failure under Windows (YubiKey PIV tools are installed):

C:\Users\u1\Dropbox\jsign>java -jar ./jsign-4.1-SNAPSHOT.jar --storetype YUBIKEY test.exe
jsign: Couldn't sign test.exe
java.security.ProviderException: Failed to create a SunPKCS11 provider from the configuration --name=yubikey
library = C:\Program Files (x86)\Yubico\Yubico PIV Tool\bin\libykcs11.dll
        at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:52)
        at net.jsign.YubiKey.getProvider(YubiKey.java:41)
        at net.jsign.SignerHelper.build(SignerHelper.java:325)
        at net.jsign.SignerHelper.sign(SignerHelper.java:518)
        at net.jsign.JsignCLI.execute(JsignCLI.java:116)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:49)
        ... 5 more
Caused by: java.security.ProviderException: Error parsing configuration
        at sun.security.pkcs11.Config.getConfig(Config.java:89)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:130)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:104)
        ... 10 more
Caused by: sun.security.pkcs11.ConfigurationException: Unexpected value Token['('], line 2
        at sun.security.pkcs11.Config.excToken(Config.java:397)
        at sun.security.pkcs11.Config.parseLine(Config.java:629)
        at sun.security.pkcs11.Config.parseLibrary(Config.java:700)
        at sun.security.pkcs11.Config.parse(Config.java:420)
        at sun.security.pkcs11.Config.<init>(Config.java:230)
        at sun.security.pkcs11.Config.getConfig(Config.java:85)
        ... 12 more
Try `java -jar jsign.jar --help' for more information.

ebourg commented 2 years ago

Thank you for reporting this, what version of Java did you use?

bse-sja commented 2 years ago

java version "1.8.0_331"
Java(TM) SE Runtime Environment (build 1.8.0_331-b09)
Java HotSpot(TM) Client VM (build 25.331-b09, mixed mode, sharing)

ebourg commented 2 years ago

I've pushed a fix, could you give it a try please?

bse-sja commented 2 years ago

Now I get the following error:

C:\Users\sadams\Dropbox\jsign>java -jar ./jsign-4.1-SNAPSHOT.jar --storetype YUBIKEY test.exe
jsign: Couldn't sign test.exe
java.security.ProviderException: Failed to create a SunPKCS11 provider from the configuration --name=yubikey
library = "C:\\Program Files (x86)\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll"
        at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:52)
        at net.jsign.YubiKey.getProvider(YubiKey.java:40)
        at net.jsign.SignerHelper.build(SignerHelper.java:325)
        at net.jsign.SignerHelper.sign(SignerHelper.java:518)
        at net.jsign.JsignCLI.execute(JsignCLI.java:117)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:49)
        ... 5 more
Caused by: java.security.ProviderException: Initialization failed
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:377)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:104)
        ... 10 more
Caused by: java.io.IOException: The specified module could not be found.
C:\Program Files (x86)\Yubico\Yubico PIV Tool\bin\libykcs11.dll
        at sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
        at sun.security.pkcs11.wrapper.PKCS11.<init>(PKCS11.java:144)
        at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:157)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:314)
        ... 11 more
Try `java -jar jsign.jar --help' for more information.

The DLL is there and piv-tool is working.

dir "c:\Program Files (x86)\Yubico\Yubico PIV Tool\bin\libykcs11.dll"

 Directory of c:\Program Files (x86)\Yubico\Yubico PIV Tool\bin

02/23/2022  10:30 AM           156,568 libykcs11.dll
               1 File(s)        156,568 bytes
               0 Dir(s)  389,148,426,240 bytes free

C:\Users\sadams\Dropbox\jsign>yubico-piv-tool -a status
Version:        5.4.3
Serial Number:  174........
.....

ebourg commented 2 years ago

Did you add C:\Program Files (x86)\Yubico\Yubico PIV Tool\bin to your PATH?

bse-sja commented 2 years ago

Ok. Fixed PATH and now I get:

java -jar ./jsign-4.1-SNAPSHOT.jar --storetype YUBIKEY test.exe
jsign: Failed to load the keystore null
java.security.KeyStoreException: keystore type 'PKCS11' is not supported
        at net.jsign.KeyStoreUtils.load(KeyStoreUtils.java:77)
        at net.jsign.SignerHelper.build(SignerHelper.java:352)
        at net.jsign.SignerHelper.sign(SignerHelper.java:518)
        at net.jsign.JsignCLI.execute(JsignCLI.java:117)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.security.KeyStoreException: PKCS11 not found
        at java.security.KeyStore.getInstance(Unknown Source)
        at net.jsign.KeyStoreUtils.load(KeyStoreUtils.java:72)
        ... 4 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-yubikey
        at sun.security.jca.GetInstance.getService(Unknown Source)
        at sun.security.jca.GetInstance.getInstance(Unknown Source)
        at java.security.Security.getImpl(Unknown Source)
        ... 6 more
Try `java -jar jsign.jar --help' for more information.

ebourg commented 2 years ago

I've got this error as well but I wasn't sure if this was specific to my environment.

The workaround is to create a SunPKCS11 configuration file, for example yubikey.conf, with:

name=yubikey
library = "C:\Program Files (x86)\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
slotListIndex = 2

and then use the parameters --storetype PKCS11 --keystore=yubikey.conf

I'd be interested to know if the value 2 for slotListIndex works for you.

I'm not sure I understand why this is required; I'm pretty sure it worked before without this.
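
To find out which slotListIndex value actually exposes the YubiKey's PKCS11 keystore (the open question above), here is an added example, not jsign's own code, that builds a SunPKCS11 provider from an inline `--` config for each slot index in turn (the Java 8 constructor or Java 9+ `Provider.configure`), with the DLL path quoted and backslash-escaped as the parser requires, and lists the aliases found. The DLL path, the PIN argument and the upper bound of 8 slots are assumptions.

```java
import java.lang.reflect.InvocationTargetException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

public class SlotProbe {

    /** Inline ("--") SunPKCS11 config. The path is quoted and its backslashes doubled,
     *  otherwise "(x86)" is read as a token and the parser fails on line 2. */
    static String inlineConfig(String library, int slotListIndex) {
        String quoted = "\"" + library.replace("\\", "\\\\") + "\"";
        return "--name=probe" + slotListIndex
                + "\nlibrary = " + quoted
                + "\nslotListIndex = " + slotListIndex;
    }

    /** Creates the provider reflectively so the class compiles and runs on Java 8 and 9+. */
    static Provider createProvider(String config) throws Exception {
        try {
            if (System.getProperty("java.specification.version").startsWith("1.")) {
                // Java 8: the public SunPKCS11(String) constructor
                return (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
                        .getConstructor(String.class).newInstance(config);
            }
            // Java 9+: Provider.configure(String) on the unconfigured SunPKCS11 provider
            Provider base = Security.getProvider("SunPKCS11");
            return (Provider) Provider.class.getMethod("configure", String.class).invoke(base, config);
        } catch (InvocationTargetException e) {
            throw (Exception) e.getCause();   // surface the ProviderException itself
        }
    }

    public static void main(String[] args) {
        String library = args.length > 0 ? args[0]
                : "C:\\Program Files (x86)\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll"; // assumed
        char[] pin = args.length > 1 ? args[1].toCharArray() : null; // PIV PIN, assumed
        for (int slot = 0; slot < 8; slot++) {   // slot upper bound is an assumption
            try {
                KeyStore ks = KeyStore.getInstance("PKCS11", createProvider(inlineConfig(library, slot)));
                ks.load(null, pin);
                System.out.println("slotListIndex " + slot + ": aliases " + Collections.list(ks.aliases()));
            } catch (Exception e) {
                System.out.println("slotListIndex " + slot + ": " + e);  // no token there, or out of range
            }
        }
    }
}
```

A slot whose token is absent yields the same "keystore type 'PKCS11' is not supported" error seen in this thread, so the first index that prints aliases is the one to put in slotListIndex.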

ebourg commented 2 years ago

I've pushed another change to set the slot automatically, could you try again with --storetype YUBIKEY please?

bse-sja commented 2 years ago

Works for me now with the following command:

java -jar ./jsign-4.1-SNAPSHOT.jar --alias "X.509 Certificate for PIV Authentication" --storetype YUBIKEY --storepass xxxxxx test.exe

Thanks!

ebourg commented 2 years ago

Great! Thank you for the feedback