Closed nauni77 closed 17 hours ago
I've stumbled on this issue as well and fixed it two weeks ago (daf059469319d1da7d8d79cb97b9f91f1dc0f530). Could you try again with the latest snapshot build?
Alternatively, you can replace the YUBIKEY storetype with PIV, it should work with Jsign 6.0.
Hello, thanks for your quick answer and your fix!
The storetype PIV is not working for me, it ends in an exception:
Caused by: javax.smartcardio.CardException: PIV card not found
Is there some location where I can find the snapshot you told me about? I always use Gradle for my Java projects and don't have much experience with Maven. If I try to build a SNAPSHOT it always fails.
Thanks in advance, Oli
You can build the project with mvn package -DskipTests. The build artifacts are also available in the GitHub actions: https://github.com/ebourg/jsign/actions/runs/9612062377/artifacts/1624344399
The storetype PIV is not working for me, it ends in an exception:
Caused by: javax.smartcardio.CardException: PIV card not found
What JDK do you use?
At the moment I use Temurin-11 (11.0.21) for this project. In my eyes JDK 17 is not supported yet - right?
Now I got the SNAPSHOT release. I need to disconnect the YubiKey from the computer and also disconnect from our company network. If I do so the tests are running. Additionally I need -Djapicmp.skip, because there is no JAR to compare.
I uploaded a SNAPSHOT from master branch to our repository using:
mvn deploy -Djapicmp.skip -DskipTests
After including implementation 'net.jsign:jsign-core:7.0-SNAPSHOT' into my build the problem is still there. I can sign one file, but no additional file can be signed. The same error is shown.
I use a "YubiKey 5C NFC"
I tried to reuse the KeyStore and AuthenticodeSigner. I also tried to create all objects again for each signing, but it's still not working.
Maybe you have some example code which works for signing multiple files in only one running Java application?
jdk-17 is not supported yet - right?
Jsign supports Java from 8 to 21+. Could you try the PIV type with ZuluJDK?
I uploaded a SNAPSHOT from master branch to our repository using:
mvn deploy -Djapicmp.skip -DskipTests
You can also use mvn install to install the artifacts locally only.
Maybe you have some example code which worked signing multiple files in running only one java application?
Yes, could you try running the testSigningWithYubikey() test in JsignCLITest. This test signs the same file twice and works with my Yubikey 5 NFC 5.1.2 on Windows 10 with ZuluJDK.
After your information that Jsign supports JDK 17, I tried again and got the same error as before (with JDK 17) with KeyStoreType.YUBIKEY (jsign 6.0).
java.lang.IllegalAccessError: class net.jsign.YubiKey (in unnamed module @0x2f01783a) cannot access class sun.security.pkcs11.wrapper.PKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11.wrapper to unnamed module @0x2f01783a
at net.jsign.YubiKey.getTokenSlot(YubiKey.java:76)
at net.jsign.YubiKey.getSunPKCS11Configuration(YubiKey.java:60)
at net.jsign.YubiKey.getProvider(YubiKey.java:44)
at net.jsign.KeyStoreType$10.getProvider(KeyStoreType.java:252)
at net.jsign.KeyStoreBuilder.provider(KeyStoreBuilder.java:268)
at net.jsign.KeyStoreBuilder.build(KeyStoreBuilder.java:281)
at de.noventi.codesignservice.SigningDirectImplTest.testSigningOneFileInline(SigningDirectImplTest.java:41)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
Do you know this kind of error?
If I switch this configuration to KeyStoreType.PIV - everything now works fine with JDK 17 and PIV! Even the signing of more than one file.
The test JsignCLITest is working on the command line. It shows:
[WARNING] Tests run: 53, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 15.90 s -- in net.jsign.JsignCLITest
[INFO]
[INFO] Results:
[INFO]
[WARNING] Tests run: 66, Failures: 0, Errors: 0, Skipped: 1
So the test seems to work - even with Temurin-17.0.11+9. All tests are working. But with the IntelliJ IDE I have trouble making it work. One thing is you use:
<plugin>
  <artifactId>maven-compiler-plugin</artifactId>
  <version>3.13.0</version>
  <configuration>
    <source>8</source>
    <target>8</target>
  </configuration>
</plugin>
and IntelliJ doesn't like to use the compiler configuration for my defined JDK 17 ...
--add-exports java.base/sun.net.www=ALL-UNNAMED --add-exports java.base/sun.net.www.protocol.http=ALL-UNNAMED --add-exports java.base/sun.net.www.protocol.https=ALL-UNNAMED --add-exports jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED --add-opens java.base/javax.crypto=ALL-UNNAMED --add-opens java.base/sun.net.www.protocol.http=ALL-UNNAMED --add-opens java.base/sun.net.www.protocol.https=ALL-UNNAMED
and without this it does not compile - because of missing classes.
I will try the SNAPSHOT with JDK 17 and will tell you what happened.
Now with my snapshot PIV is not working anymore.
java.lang.VerifyError: Bad type on operand stack
Exception Details:
Location:
net/jsign/jca/PIVCardSigningService.sign(Lnet/jsign/jca/SigningServicePrivateKey;Ljava/lang/String;[B)[B @156: invokespecial
Reason:
Type 'java/lang/Object' (current frame, stack[2]) is not assignable to 'java/lang/Throwable'
Current Frame:
bci: @156
flags: { }
locals: { top, top, top, top, top, top, top, 'java/lang/Object' }
stack: { uninitialized 150, uninitialized 150, 'java/lang/Object' }
Bytecode:
0000000: 2c03 2cb6 0038 1206 b600 36b6 0037 b800
0000010: 4a3a 0419 04b6 0049 2db6 003f 3a05 2bb6
0000020: 0057 b800 543a 062a b400 3119 06b6 0051
0000030: 3a07 1204 2bb6 0056 b600 3599 0029 bb00
0000040: 2759 bb00 2659 1904 b400 2eb2 002f b700
0000050: 4b19 05b7 004c 3a09 1909 1201 b600 4d3a
0000060: 08a7 0027 1905 be19 07b4 0030 1008 6ca4
0000070: 0015 1905 1907 b400 3010 086c b800 443a
0000080: 08a7 0007 1905 3a08 2ab4 0031 1906 1908
0000090: b600 52b0 3a07 bb00 1259 1907 b700 3dbf
00000a0:
Exception Handler Table:
bci [39, 147] => handler: 148
bci [39, 147] => handler: 148
Stackmap Table:
full_frame(@100,{Object[#43],Top,Top,Top,Top,Object[#7],Object[#41],Object[#42]},{})
chop_frame(@132,1)
full_frame(@136,{Object[#43],Top,Top,Top,Top,Top,Object[#41],Top,Object[#7]},{})
full_frame(@148,{},{Object[#12]})
at net.jsign.KeyStoreType$8.getProvider(KeyStoreType.java:229)
at net.jsign.KeyStoreBuilder.provider(KeyStoreBuilder.java:272)
at net.jsign.KeyStoreBuilder.build(KeyStoreBuilder.java:285)
.....
The KeyStoreType.YUBIKEY is also not working:
java.lang.IllegalAccessError: class net.jsign.YubiKey (in unnamed module @0x2f01783a) cannot access class sun.security.pkcs11.wrapper.PKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11.wrapper to unnamed module @0x2f01783a
at net.jsign.YubiKey.getTokenSlot(YubiKey.java:77)
at net.jsign.YubiKey.getSunPKCS11Configuration(YubiKey.java:61)
at net.jsign.YubiKey.getProvider(YubiKey.java:45)
at net.jsign.KeyStoreType$10.getProvider(KeyStoreType.java:257)
at net.jsign.KeyStoreBuilder.provider(KeyStoreBuilder.java:272)
at net.jsign.KeyStoreBuilder.build(KeyStoreBuilder.java:285)
at ....
Do I have to add some exports to the compiler? Even with Zulu 17 the same errors exist.
For the YUBIKEY storetype you need this parameter: --add-exports jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED
Thanks - you're right. I had only added the "add-exports" to the compile step and not to the test execution. Of course it needs to be added to the runtime environment as well.
Now with OpenJDK Runtime Environment Temurin-17.0.11+9 (build 17.0.11+9) and jsign 6.0 it's possible to sign.
So this is working for me. Thanks a lot for your help!
But I'm really worried about the next version, because my SNAPSHOT version doesn't work with PIV or YUBIKEY. The exception for PIV (with the SNAPSHOT) is still the same as described above. Encoding a second file with YUBIKEY will still end in Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN. But the stacktrace is a little different:
de.company.codesignservice.exceptions.CodeSigningException: something went wrong during signing the file
at de.company.codesignservice.SigningDirectImplTest.testSigningTwoFilesInline(SigningDirectImplTest.java:103)
at de.company.codesignservice.SigningDirectImplTest.testSigningTwoFilesInlineYubikey(SigningDirectImplTest.java:76)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:678)
at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)
at java.base/java.security.Signature.sign(Signature.java:712)
at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(Unknown Source)
at net.jsign.bouncycastle.cms.SignerInfoGenerator.generate(Unknown Source)
at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.getSignerInfo(AuthenticodeSignedDataGenerator.java:56)
at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.generate(AuthenticodeSignedDataGenerator.java:43)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:395)
at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:370)
at de.company.codesignservice.SigningDirectImplTest.testSigningTwoFilesInline(SigningDirectImplTest.java:101)
... 4 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_SignFinal(PKCS11.java:1826)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:628)
... 14 more
Can you help to make at least one of the methods work with the next version?
Thanks in advance, Oli
I'm unable to reproduce the "Bad type on operand stack" error with the 7.0 snapshot. Here's what I did:
jsign-7.0-SNAPSHOT.jar
"C:\Program Files\Eclipse Adoptium\jdk-17.0.11.9-hotspot\bin\java.exe" -jar jsign-7.0-SNAPSHOT.jar --storetype PIV --storepass 123456 --alias SIGNATURE jsign-core\src\test\resources\wineyes.exe
You get this error only when running your code from IntelliJ, but not when running the Jsign PIV unit test with Maven from the command line?
Interesting, it seems there is something wrong with my SNAPSHOT ... creating the SNAPSHOT did not produce any error. Which JDK do you use for creating the SNAPSHOT?
If I replace my SNAPSHOT with your SNAPSHOT the PIV signature is working. Even signing one file with YUBIKEY is working. But signing more than one file will still fail with an error. The stacktrace I posted above.
Which JDK do you use creating the SNAPSHOT?
The snapshot build was generated by OpenJDK 8 (Temurin 8.0.412+8).
I've been able to reproduce the verification error. I suspect an issue with the minimization process with Proguard. In this case if you depend on net.jsign:jsign-core and not on net.jsign:jsign you should be fine.
Even sign one file with YUBIKEY is working. But signing more than one file will still fail with an error
Could you try again with the -Djava.security.debug=all parameter?
Hi, building a SNAPSHOT with JDK 1.8 works. Thanks.
I used jsign-core but nothing changes.
Adding the java.security.debug parameter results in this output:
SunPKCS11 loading --name=yubikey
library = "/usr/local/lib/libykcs11.dylib"
slot=0
sunpkcs11: Initializing PKCS#11 library /usr/local/lib/libykcs11.dylib
Information for provider SunPKCS11-yubikey
Library info:
cryptokiVersion: 2.40
manufacturerID: Yubico (www.yubico.com)
flags: 0
libraryDescription: PKCS#11 PIV Library (SP-800-73)
libraryVersion: 2.52
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
slotDescription: Yubico YubiKey OTP+FIDO+CCID
manufacturerID: Yubico (www.yubico.com)
flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
hardwareVersion: 1.00
firmwareVersion: 1.00
Token info for token in slot 0:
label: YubiKey PIV #29169391
manufacturerID: Yubico (www.yubico.com)
model: YubiKey YK5
serialNumber: 29169391
flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
ulMaxSessionCount: 16
ulSessionCount: 0
ulMaxRwSessionCount: 16
ulRwSessionCount: 2
ulMaxPinLen: 64
ulMinPinLen: 6
ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
hardwareVersion: 1.00
firmwareVersion: 5.71
utcTime:
Mechanism CKM_RSA_PKCS_KEY_PAIR_GEN:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 65537 = CKF_HW | CKF_GENERATE_KEY_PAIR
Mechanism CKM_RSA_PKCS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 11009 = CKF_HW | CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY
Mechanism CKM_RSA_PKCS_PSS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_RSA_PKCS_OAEP:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 769 = CKF_HW | CKF_ENCRYPT | CKF_DECRYPT
Mechanism CKM_RSA_X_509:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 11009 = CKF_HW | CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA1_RSA_PKCS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA256_RSA_PKCS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA384_RSA_PKCS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA512_RSA_PKCS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA1_RSA_PKCS_PSS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA256_RSA_PKCS_PSS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA384_RSA_PKCS_PSS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA512_RSA_PKCS_PSS:
ulMinKeySize: 1024
ulMaxKeySize: 4096
flags: 10241 = CKF_HW | CKF_SIGN | CKF_VERIFY
Mechanism CKM_EC_KEY_PAIR_GEN:
ulMinKeySize: 256
ulMaxKeySize: 384
flags: 26279937 = CKF_HW | CKF_GENERATE_KEY_PAIR | CKF_EC_F_P | CKF_EC_UNCOMPRESS
Mechanism CKM_ECDSA:
ulMinKeySize: 256
ulMaxKeySize: 384
flags: 26224641 = CKF_HW | CKF_SIGN | CKF_VERIFY | CKF_EC_F_P | CKF_EC_UNCOMPRESS
Mechanism CKM_ECDSA_SHA1:
ulMinKeySize: 256
ulMaxKeySize: 384
flags: 26224641 = CKF_HW | CKF_SIGN | CKF_VERIFY | CKF_EC_F_P | CKF_EC_UNCOMPRESS
Mechanism CKM_ECDSA_SHA224:
ulMinKeySize: 256
ulMaxKeySize: 384
flags: 26224641 = CKF_HW | CKF_SIGN | CKF_VERIFY | CKF_EC_F_P | CKF_EC_UNCOMPRESS
Mechanism CKM_ECDSA_SHA256:
ulMinKeySize: 256
ulMaxKeySize: 384
flags: 26224641 = CKF_HW | CKF_SIGN | CKF_VERIFY | CKF_EC_F_P | CKF_EC_UNCOMPRESS
Mechanism CKM_ECDSA_SHA384:
ulMinKeySize: 256
ulMaxKeySize: 384
flags: 26224641 = CKF_HW | CKF_SIGN | CKF_VERIFY | CKF_EC_F_P | CKF_EC_UNCOMPRESS
Mechanism CKM_ECDSA_SHA512:
ulMinKeySize: 256
ulMaxKeySize: 384
flags: 26224641 = CKF_HW | CKF_SIGN | CKF_VERIFY | CKF_EC_F_P | CKF_EC_UNCOMPRESS
Mechanism CKM_ECDH1_DERIVE:
ulMinKeySize: 256
ulMaxKeySize: 384
flags: 26738689 = CKF_HW | CKF_DERIVE | CKF_EC_F_P | CKF_EC_UNCOMPRESS
Mechanism CKM_SHA_1:
ulMinKeySize: 0
ulMaxKeySize: 0
flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA256:
ulMinKeySize: 0
ulMaxKeySize: 0
flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA384:
ulMinKeySize: 0
ulMaxKeySize: 0
flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA512:
ulMinKeySize: 0
ulMaxKeySize: 0
flags: 1024 = CKF_DIGEST
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: KeyPairGenerator.EC -> sun.security.pkcs11.P11KeyPairGenerator
(CKM_EC_KEY_PAIR_GEN)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: KeyPairGenerator.RSA -> sun.security.pkcs11.P11KeyPairGenerator
aliases: [OID.1.2.840.113549.1.1, 1.2.840.113549.1.1, 1.2.840.113549.1.1.1]
(CKM_RSA_PKCS_KEY_PAIR_GEN)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA512withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.113549.1.1.13, 1.2.840.113549.1.1.13]
(CKM_SHA512_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.NONEwithECDSA -> sun.security.pkcs11.P11Signature
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.NONEwithECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Cipher.RSA/ECB/PKCS1Padding -> sun.security.pkcs11.P11RSACipher
aliases: [RSA]
(CKM_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA1withRSASSA-PSS -> sun.security.pkcs11.P11PSSSignature
(CKM_SHA1_RSA_PKCS_PSS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-256withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA384withRSASSA-PSS -> sun.security.pkcs11.P11PSSSignature
(CKM_SHA384_RSA_PKCS_PSS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA256withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.10045.4.3.2, 1.2.840.10045.4.3.2]
(CKM_ECDSA_SHA256)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: KeyAgreement.ECDH -> sun.security.pkcs11.P11ECDHKeyAgreement
(CKM_ECDH1_DERIVE)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-384withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.2.16.840.1.101.3.4.3.11, 2.16.840.1.101.3.4.3.11]
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.MD2withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.113549.1.1.2, 1.2.840.113549.1.1.2]
(CKM_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA384withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.113549.1.1.12, 1.2.840.113549.1.1.12]
(CKM_SHA384_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: KeyFactory.EC -> sun.security.pkcs11.P11ECKeyFactory
(CKM_EC_KEY_PAIR_GEN)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA1withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA_SHA1)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA1withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.10045.4.1, 1.2.840.10045.4.1]
(CKM_ECDSA_SHA1)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA512withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA_SHA512)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: MessageDigest.SHA-512 -> sun.security.pkcs11.P11Digest
aliases: [OID.2.16.840.1.101.3.4.2.3, 2.16.840.1.101.3.4.2.3, SHA512]
(CKM_SHA512)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA256withRSASSA-PSS -> sun.security.pkcs11.P11PSSSignature
(CKM_SHA256_RSA_PKCS_PSS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA384withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.10045.4.3.3, 1.2.840.10045.4.3.3]
(CKM_ECDSA_SHA384)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: MessageDigest.SHA-256 -> sun.security.pkcs11.P11Digest
aliases: [OID.2.16.840.1.101.3.4.2.1, 2.16.840.1.101.3.4.2.1, SHA256]
(CKM_SHA256)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: AlgorithmParameters.EC -> sun.security.util.ECParameters
aliases: [OID.1.2.840.10045.2.1, 1.2.840.10045.2.1, EllipticCurve]
(CKM_EC_KEY_PAIR_GEN)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA384withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA_SHA384)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-224withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.2.16.840.1.101.3.4.3.13, 2.16.840.1.101.3.4.3.13]
(CKM_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA224withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.10045.4.3.1, 1.2.840.10045.4.3.1]
(CKM_ECDSA_SHA224)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA256withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA_SHA256)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA512withRSASSA-PSS -> sun.security.pkcs11.P11PSSSignature
(CKM_SHA512_RSA_PKCS_PSS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-224withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.2.16.840.1.101.3.4.3.9, 2.16.840.1.101.3.4.3.9]
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA224withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.113549.1.1.14, 1.2.840.113549.1.1.14]
(CKM_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-512withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.2.16.840.1.101.3.4.3.12, 2.16.840.1.101.3.4.3.12]
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.MD5withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.113549.1.1.4, 1.2.840.113549.1.1.4]
(CKM_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA224withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA_SHA224)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-512withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: MessageDigest.SHA-1 -> sun.security.pkcs11.P11Digest
aliases: [OID.1.3.14.3.2.26, 1.3.14.3.2.26, SHA, SHA1]
(CKM_SHA_1)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA256withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.113549.1.1.11, 1.2.840.113549.1.1.11]
(CKM_SHA256_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-224withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-384withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.2.16.840.1.101.3.4.3.15, 2.16.840.1.101.3.4.3.15]
(CKM_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Cipher.RSA/ECB/NoPadding -> sun.security.pkcs11.P11RSACipher
(CKM_RSA_X_509)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-512withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.2.16.840.1.101.3.4.3.16, 2.16.840.1.101.3.4.3.16]
(CKM_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA1withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.113549.1.1.5, 1.2.840.113549.1.1.5, 1.3.14.3.2.29]
(CKM_SHA1_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.RSASSA-PSS -> sun.security.pkcs11.P11PSSSignature
aliases: [OID.1.2.840.113549.1.1.10, 1.2.840.113549.1.1.10, PSS]
(CKM_RSA_PKCS_PSS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA512withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.1.2.840.10045.4.3.4, 1.2.840.10045.4.3.4]
(CKM_ECDSA_SHA512)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-256withECDSA -> sun.security.pkcs11.P11Signature
aliases: [OID.2.16.840.1.101.3.4.3.10, 2.16.840.1.101.3.4.3.10]
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-384withECDSAinP1363Format -> sun.security.pkcs11.P11Signature
(CKM_ECDSA)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: MessageDigest.SHA-384 -> sun.security.pkcs11.P11Digest
aliases: [OID.2.16.840.1.101.3.4.2.2, 2.16.840.1.101.3.4.2.2, SHA384]
(CKM_SHA384)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: KeyFactory.RSA -> sun.security.pkcs11.P11RSAKeyFactory
aliases: [OID.1.2.840.113549.1.1, 1.2.840.113549.1.1, 1.2.840.113549.1.1.1]
(CKM_RSA_PKCS_KEY_PAIR_GEN)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: Signature.SHA3-256withRSA -> sun.security.pkcs11.P11Signature
aliases: [OID.2.16.840.1.101.3.4.3.14, 2.16.840.1.101.3.4.3.14]
(CKM_RSA_PKCS)
Provider: SunPKCS11-yubikey.putService(): SunPKCS11-yubikey: KeyStore.PKCS11 -> sun.security.pkcs11.P11KeyStore
aliases: [PKCS11-yubikey]
(KeyStore)
Provider: KeyStore.PKCS11 type from: SunPKCS11-yubikey
sunpkcs11: user already logged in
pkcs11keystore: did not find match for private key with CKA_ID [0x01] (ignoring entry)
Token Alias Map:
X.509 Certificate for Digital Signature type=[private key]
label=[X.509 Certificate for Digital Signature]
id=0x02
trusted=[false]
matched=[true]
cert=[ subject: CN=company SE - Test Zertifikat
issuer: CN=company SE - Test Zertifikat
serialNum: 705238770397581868373230520434335314024439656957]
X.509 Certificate for PIV Attestation type=[private key]
label=[X.509 Certificate for PIV Attestation]
id=0x19
trusted=[false]
matched=[true]
cert=[ subject: CN=Yubico PIV Attestation
issuer: CN=Yubico PIV Root CA Serial 263751
serialNum: 10868241389019373434]
pkcs11keystore: P11KeyStore load. Entry count: 2
Provider: MessageDigest.SHA-256 algorithm from: SUN
Provider: Signature.SHA256WITHECDSA signing algorithm from: SunPKCS11-yubikey
Provider: MessageDigest.SHA-256 algorithm from: SUN
de.company.codesignservice.exceptions.CodeSigningException: something went wrong during signing the file
at de.company.codesignservice.SigningDirectImplTest.testSigningTwoFilesInline(SigningDirectImplTest.java:103)
at de.company.codesignservice.SigningDirectImplTest.testSigningTwoFilesInlineYubikey(SigningDirectImplTest.java:77)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:678)
at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)
at java.base/java.security.Signature.sign(Signature.java:712)
at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(Unknown Source)
at org.bouncycastle.cms.SignerInfoGenerator.generate(Unknown Source)
at org.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.getSignerInfo(AuthenticodeSignedDataGenerator.java:56)
at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.generate(AuthenticodeSignedDataGenerator.java:43)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:395)
at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:370)
at de.company.codesignservice.SigningDirectImplTest.testSigningTwoFilesInline(SigningDirectImplTest.java:101)
... 4 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_SignFinal(PKCS11.java:1826)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:628)
... 14 more
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:678)
at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)
at java.base/java.security.Signature.sign(Signature.java:712)
at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(Unknown Source)
at org.bouncycastle.cms.SignerInfoGenerator.generate(Unknown Source)
at org.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.getSignerInfo(AuthenticodeSignedDataGenerator.java:56)
at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.generate(AuthenticodeSignedDataGenerator.java:43)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:395)
at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:370)
at de.company.codesignservice.SigningDirectImplTest.testSigningTwoFilesInline(SigningDirectImplTest.java:101)
at de.company.codesignservice.SigningDirectImplTest.testSigningTwoFilesInlineYubikey(SigningDirectImplTest.java:77)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_SignFinal(PKCS11.java:1826)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:628)
... 14 more
Ok I've figured it out: the fix for the CKR_USER_NOT_LOGGED_IN error was applied to the SignerHelper class which is purely internal to Jsign for now (that will probably change in the future). The AuthenticodeSigner class you use is missing the logout/login logic required for signing multiple times. You have to fetch the java.security.Provider of the keystore and explicitly logout/login before signing:
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.Provider;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
// Re-open the PKCS#11 session before each signature; without this the second sign() fails with CKR_USER_NOT_LOGGED_IN
static void relogin(KeyStore keystore, char[] storepass) throws LoginException {
    Provider provider = keystore.getProvider();
    ((AuthProvider) provider).logout();
    ((AuthProvider) provider).login(null, callbacks -> {
        for (Callback callback : callbacks) {
            if (callback instanceof PasswordCallback) {
                ((PasswordCallback) callback).setPassword(storepass);
            }
        }
    });
}
If you want to avoid this hassle you can simply use the PIV storetype, it handles the authentication automatically before signing.
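The advice above put together as a complete program, added here as an example: it is not code from this thread or from the Jsign project. It reuses one KeyStore and one AuthenticodeSigner for every file and refreshes the PKCS#11 login before each signature, which is the missing step that produces CKR_USER_NOT_LOGGED_IN on the second file. The class name MultiFileYubiKeySigner and the YUBIKEY_PIN environment variable are assumptions; KeyStoreBuilder.storetype/storepass/build, the AuthenticodeSigner(KeyStore, String, String) constructor, withTimestamping and Signable.of are taken from the Jsign 6 API as I know it and should be checked against the project's javadoc.

```java
import java.io.File;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import net.jsign.AuthenticodeSigner;
import net.jsign.KeyStoreBuilder;
import net.jsign.KeyStoreType;
import net.jsign.Signable;

/**
 * Signs several files in one JVM run with the YUBIKEY storetype.
 * Added example, not part of Jsign. Needs Jsign 6.0 on the classpath and, on
 * JDK 9+, --add-exports jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED
 * on the runtime JVM (the compile step alone is not enough).
 */
public class MultiFileYubiKeySigner {

    private final KeyStore keystore;
    private final char[] pin;
    private final AuthenticodeSigner signer;

    public MultiFileYubiKeySigner(String alias, String pin) throws Exception {
        this.pin = pin.toCharArray();
        // KeyStoreBuilder opens the SunPKCS11 provider for the YubiKey (Jsign 6 API, assumed)
        this.keystore = new KeyStoreBuilder()
                .storetype(KeyStoreType.YUBIKEY)
                .storepass(pin)
                .build();
        // One signer is reused for all files; only the token session is refreshed per file.
        this.signer = new AuthenticodeSigner(keystore, alias, pin)
                .withTimestamping(false);
    }

    /** Drop the current PKCS#11 session and log in again with the PIN. */
    private void reauthenticate() throws LoginException {
        // SunPKCS11 is an AuthProvider, so logout()/login() control the token session
        AuthProvider provider = (AuthProvider) keystore.getProvider();
        provider.logout();
        provider.login(null, callbacks -> {
            for (Callback callback : callbacks) {
                if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(pin);
                }
            }
        });
    }

    /** Signs every file in order; each signature is preceded by a fresh login. */
    public int signAll(List<File> files) throws Exception {
        int signed = 0;
        for (File file : files) {
            reauthenticate();                 // the step AuthenticodeSigner does not do itself
            signer.sign(Signable.of(file));   // Signable.of(File) assumed from the Jsign 6 API
            signed++;
            System.out.println("signed " + file);
        }
        return signed;
    }

    public static void main(String[] args) throws Exception {
        String pin = System.getenv("YUBIKEY_PIN");   // assumed variable; keeps the PIN out of argv
        if (pin == null || args.length < 2) {
            System.err.println("usage: YUBIKEY_PIN=... java MultiFileYubiKeySigner <alias> <file>...");
            System.exit(2);
        }
        List<File> files = Arrays.stream(args).skip(1).map(File::new).collect(Collectors.toList());
        new MultiFileYubiKeySigner(args[0], pin).signAll(files);
    }
}
```

The PIN is read from the environment rather than the command line so it does not appear in process listings; with the PIV storetype the reauthenticate() call is unnecessary because, as noted above, that storetype authenticates before each signature on its own.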
@nauni77 I think I've found a solution that also works when signing multiple times with the API. Please give it a try.
Hello, I use SpringBoot and the dependency implementation 'net.jsign:jsign-core:6.0'. I implemented a bean to execute the signing of my files. Signing the first file works perfectly, but if I try to sign another file in the same program run it always fails. I simplified the code and created a test only using jsign-specific code.
It fails with
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
, but I don't know why - because the first time the KeyStoreBuilder contains the correct PIN and the file was signed successfully. Why can I only sign one file during one run of the program? I hope you can help me.
Best regards, Oli