ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

CKR_PIN_INCORRECT error for PKCS11 #79

Closed ymschaap closed 4 years ago

ymschaap commented 4 years ago

[removed]

ebourg commented 4 years ago

I guess you've figured out how to solve this since you closed it. I'd like to document how to use various hardware tokens with jsign, so if you want to share how you did it, I'm interested.

ymschaap commented 4 years ago

Sure! I made it work, happy to provide details. It more or less uses the files from this gist.

My case and solution:

I have an Electron app, and create a macOS and Windows build. To resolve the Windows Defender warning for the .exe file build, I bought an EV code signing certificate.

This came as a SafeNet eToken 5100, a hardware USB stick. I also retrieved a password (by email) which is the storepass value.

Setup:

Test: keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg ./hardwareToken.cfg

Should return the alias of the cert. It will fail if the library is set wrong.

Build & sign:

This is my jsign command: java -jar ./jsign-3.1.jar --keystore ./hardwareToken.cfg --storepass 'xxxxxx' --storetype PKCS11 --tsaurl http://timestamp.globalsign.com/scripts/timestamp.dll --alias 'xxxxxx' ${configuration.path}

Which is run by Node post-build: require("child_process").execSync(command);

Note: I opened this ticket because I used double quotes, instead of single quotes for the --storepass, and then it fails with CKR_PIN_INCORRECT.

ebourg commented 4 years ago

Nice, thank you!