Closed cxn-sjuhasz closed 1 year ago
That's the OpenJDK 11 package from Ubuntu 20.04, or from another source?
oracle java SE jdk - both
myuser@myhost:/data/apps/signerjava$ cat release
JAVA_VERSION="1.8.0_144"
OS_NAME="Linux"
OS_VERSION="2.6"
OS_ARCH="amd64"
BUILD_TYPE="commercial"
myuser@myhost:/data/apps/signerjava11$ cat release
BUILD_TYPE="commercial"
IMPLEMENTOR="Oracle Corporation"
IMPLEMENTOR_VERSION="18.9"
JAVA_VERSION="11.0.11"
JAVA_VERSION_DATE="2021-04-20"
OS_ARCH="x86_64"
OS_NAME="Linux"
But it is reproducible with openjdk-11-jdk-headless ubuntu package as well.
Ok, I'll try to reproduce it. At first glance it looks like Security.getProvider("SunPKCS11")
returns null, I'm not sure to understand why.
If you give me some prepped log config or any other way to force more info/stacktrace out of it, i can do it for you. Afaik the PKCS11 workflow works with other java applications, like plain jarsigner or install4j.
Ok, I just installed a fresh Ubuntu VM, with the openjdk-11-jre-headless package from Ubuntu I get:
root@ubuntu:~# java -version
openjdk version "11.0.17" 2022-10-18
OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu220.04)
OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Ubuntu-1ubuntu220.04, mixed mode, sharing)
root@ubuntu:~# java -jar jsign-4.0.jar --keystore pkcs11.cfg --storetype PKCS11 --alias mykey --storepass password application.exe
jsign: Couldn't sign application.exe
java.security.ProviderException: Failed to create a SunPKCS11 provider from the configuration pkcs11.cfg
at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:52)
at net.jsign.SignerHelper.build(SignerHelper.java:309)
at net.jsign.SignerHelper.sign(SignerHelper.java:500)
at net.jsign.JsignCLI.execute(JsignCLI.java:116)
at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:45)
... 4 more
Caused by: java.security.ProviderException: Library /opt/nfast/toolkits/pkcs11/libcknfast.so does not exist
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:312)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:112)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:112)
... 9 more
Try `java -jar jsign.jar --help' for more information.
The error is expected since libcknfast.so
isn't installed, but at least the stacktrace runs through SunPKCS11, so Security.getProvider("SunPKCS11")
didn't return null.
With the Oracle JDK 11 I get this:
root@ubuntu:~# /usr/lib/jvm/jdk-11/bin/java -version
java version "11.0.17" 2022-10-18 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.17+10-LTS-269)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.17+10-LTS-269, mixed mode)
root@ubuntu:~# /usr/lib/jvm/jdk-11/bin/java -jar jsign-4.0.jar --keystore pkcs11.cfg --storetype PKCS11 --alias mykey --storepass password application.exe
jsign: Couldn't sign application.exe
java.security.ProviderException: Failed to create a SunPKCS11 provider from the configuration pkcs11.cfg
at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:52)
at net.jsign.SignerHelper.build(SignerHelper.java:309)
at net.jsign.SignerHelper.sign(SignerHelper.java:500)
at net.jsign.JsignCLI.execute(JsignCLI.java:116)
at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:45)
... 4 more
Caused by: java.security.ProviderException: Library /opt/nfast/toolkits/pkcs11/libcknfast.so does not exist
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:302)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:116)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:113)
... 9 more
Try `java -jar jsign.jar --help' for more information.
So the same result.
I've edited /usr/lib/jvm/java-11-openjdk-amd64/conf/security/java.security
and commented out the SunPKCS11 line:
#
# List of providers and their preference orders (see above):
#
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunJGSS
security.provider.7=SunSASL
security.provider.8=XMLDSig
security.provider.9=SunPCSC
security.provider.10=JdkLDAP
security.provider.11=JdkSASL
#security.provider.12=SunPKCS11
and now I get:
root@ubuntu:~# java -jar jsign-4.0.jar --keystore pkcs11.cfg --storetype PKCS11 --alias mykey --storepass password application.exe
jsign: Couldn't sign application.exe
java.security.ProviderException: Failed to create a SunPKCS11 provider from the configuration pkcs11.cfg
at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:52)
at net.jsign.SignerHelper.build(SignerHelper.java:309)
at net.jsign.SignerHelper.sign(SignerHelper.java:500)
at net.jsign.JsignCLI.execute(JsignCLI.java:116)
at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.lang.NullPointerException
at java.base/java.lang.reflect.Method.invoke(Method.java:559)
at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:45)
... 4 more
Try `java -jar jsign.jar --help' for more information.
Which is the same error you got.
Could you check if SunPKCS11 is enabled in your java.security
file?
It is enabled, there is where the config is referred for the library.
security.provider.12=SunPKCS11 /opt/nfast/pkcs11.cfg
It's there but it was modified. Could try with just:
security.provider.12=SunPKCS11
I could, but that way i would get error with accessing the library for nfast.
Lol, it works, i made a prepped java11 for it. With original SunPKCS11 line.
myuser@myhost:~$ ~/signerjava11/bin/java -jar jsign-4.2.jar --keystore /opt/nfast/pkcs11.cfg --storetype PKCS11 --alias mykey --storepass RANDOMPASSWORD --tsaurl http://timestamp.comodoca.com/authenticode putty.exe
Adding Authenticode signature to putty.exe
myuser@myhost:~$ ~/signerjava11/bin/jarsigner -tsa http://timestamp.digicert.com -keystore NONE -storetype PKCS11 -storepass RANDOMPASSWORD -sigalg SHA256withRSA commons-math-2.2.jar mykey
jar signed.
Warning:
POSIX file permission and/or symlink attributes detected. These attributes are ignored when signing and are not protected by the signature.
The signer certificate will expire on 2024-04-29.
The timestamp will expire on 2031-11-10.
Duplicating the provider line works!!
security.provider.12=SunPKCS11
security.provider.13=SunPKCS11 /opt/nfast/pkcs11.cfg
Great! Indeed when a configuration file is added after security.provider.12=SunPKCS11
in java.security
, the name of the provider is no longer "SunPKCS11" but the one defined by the name
attribute in the configuration file. That's why Security.getProvider("SunPKCS11")
returned null.
I'll add an explicit warning if this happens.
We have an issue, where signing through an entrust ncipher HSM works on java8, but fails on java11, with a lovely nullpointer. The setup and everything is the same. The HSM is used as a tokenizer.