Closed tillburkert closed 1 year ago
Did you install it from the Windows installer?
Have you also tried the JSignPdfC.exe?
Yes, I used the Windows installer.
I didn't know what the JSignPdfC.exe is, but I tried it:
C:\Program Files\JSignPdf>JSignPdfC.exe -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:114)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Initialization failed
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.<init>(Unknown Source)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(Unknown Source)
... 12 more
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Initialization failed
at com.github.kwart.jsign.pkcs11.JSignPKCS11.
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.<init>(Unknown Source)
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(Unknown Source)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:317)
... 8 more
INFO Available key store types: BCFKS BCFKS-DEF BCPKCS12 BKS BOUNCYCASTLE CASEEXACTJKS CloudFoxy DKS FIPS FIPS-DEF IBCFKS IBCFKS-DEF IFIPS IFIPS-DEF JCEKS JKS PKCS12 PKCS12-3DES-3DES PKCS12-3DES-40RC2 PKCS12-DEF PKCS12-DEF-3DES-3DES PKCS12-DEF-3DES-40RC2 WINDOWS-MY WINDOWS-ROOT
I understand the problem now. You have to provide a path to a PKCS11 driver, but you've provided a path to the Java wrapper library for accessing such a driver.
library=C:\Program Files\LuxTrust\runtime\bin\j2pkcs11.dll
Ask your smartcard vendor what's the correct driver path. Closing for now. Feel free to reopen if you hit an issue with the correct configuration.
According to LuxTrust's instructions on how to use their smartcard with Adobe (https://www.luxtrust.lu/upload/data/guides/ug-0622-p-e-configuration_adobe_dc_pro_0.pdf), the Gemalto library is used:
C:\Program Files (x86)\Gemalto\Classic Client\BIN\gclib.dll
My pkcs11.cfg is:
name=JSignPdf
library="C:\Program Files (x86)\Gemalto\Classic Client\BIN\gclib.dll"
(I started without slot or slotListIndex.)
When I try to list the key store types everything seems to look fine, except there is no PKCS11 (I use 32-bit Java as I got some additional error when using 64-bit Java):
C:\Program Files\JSignPdf>"c:\Program Files (x86)\Java\jre1.8.0_351\bin\java.exe" -jar JSignPdf.jar -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Available key store types: BCFKS BCFKS-DEF BCPKCS12 BKS BOUNCYCASTLE CASEEXACTJKS CloudFoxy DKS FIPS FIPS-DEF IBCFKS IBCFKS-DEF IFIPS IFIPS-DEF JCEKS JKS PKCS12 PKCS12-3DES-3DES PKCS12-3DES-40RC2 PKCS12-DEF PKCS12-DEF-3DES-3DES PKCS12-DEF-3DES-40RC2 WINDOWS-MY WINDOWS-ROOT
Based on some other threads here in the forum, I tried using -ksp, -kp, and -ha, but I always get some error:
C:\Program Files\JSignPdf>"c:\Program Files (x86)\Java\jre1.8.0_351\bin\java.exe" -jar JSignPdf.jar -kst JSIGNPKCS11 -ksp xxxxxx c:\Users\etilbur\Test.pdf -d c:\Users\etilbur -kp xxxxxx
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Checking input and output PDF paths.
java.security.KeyStoreException: JSIGNPKCS11 not found
at java.security.KeyStore.getInstance(Unknown Source)
at net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:355)
at net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:411)
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)
at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
at net.sf.jsignpdf.Signer.main(Signer.java:139)
Caused by: java.security.NoSuchAlgorithmException: JSIGNPKCS11 KeyStore not available
at sun.security.jca.GetInstance.getInstance(Unknown Source)
at java.security.Security.getImpl(Unknown Source)
... 6 more
WARNING Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.
SEVERE Problem occured
java.lang.NullPointerException: Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.
at net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliasInternal(KeyStoreUtils.java:224)
at net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:413)
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)
at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
at net.sf.jsignpdf.Signer.main(Signer.java:139)
INFO Finished: Creating of signature failed.
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
I also tried PKCS11 and JSignPKCS11 as key store type.
I think I figured it out.
There was also a 64-bit version of the Gemalto library, so I use that one. I also need to add slot=1 in my pkcs11.cfg (I somehow managed to get a list of different slots, not sure how I did that):
name=JSignPdf
library="C:\Program Files\Gemalto\Classic Client\BIN\gclib.dll"
slot=1
I also needed to use "-ha SHA256" (otherwise I get CKR_DEVICE_ERROR):
C:\Program Files\JSignPdf>java -jar JSignPdf.jar -kst PKCS11 c:\Users\etilbur\Test.pdf -d c:\Users\etilbur -ksp xxxxxx -ha SHA256
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: User Cert Sig
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: c:\Users\etilbur\Test.pdf
INFO Creating output PDF file: c:/Users/etilbur/Test_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Processing (it may take a while) ...
FINE KeyStore type PKCS11 is supported by the provider SunPKCS11-JSignPdf
INFO Closing result PDF stream
INFO Finished: Signature succesfully created.
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
Thanks for the details and your solution! I believe it'll help others who use similar tokens.
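An added example (not part of the original thread and not JSignPdf's own code): a pre-flight check for the two library problems discussed above, a DLL whose bitness does not match the JVM and a DLL that is not a PKCS#11 module at all. The byte search for the mandatory `C_GetFunctionList` export name is a heuristic rather than a full export-table parse, and `fake_dll` only builds constructed sample input.

```python
import struct

MACHINE_BITS = {0x014C: 32, 0x8664: 64}  # IMAGE_FILE_MACHINE_I386 / _AMD64

def parse_pkcs11_cfg(text):
    """Parse SunPKCS11-style 'key = value' lines, stripping quotes from values."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg

def pe_bits(data):
    """Return 32 or 64 from the PE COFF header, or None if not a recognised DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
        return None
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINE_BITS.get(machine)

def check_library(data, jvm_bits):
    """Return a list of problems for a candidate PKCS#11 library image."""
    problems = []
    bits = pe_bits(data)
    if bits is None:
        problems.append("not a recognised 32/64-bit Windows DLL")
    elif bits != jvm_bits:
        problems.append(f"{bits}-bit library cannot load into a {jvm_bits}-bit JVM")
    # Heuristic: every PKCS#11 module exports C_GetFunctionList, so its
    # NUL-terminated name must appear in the image's export name table.
    if b"C_GetFunctionList\0" not in data:
        problems.append("no C_GetFunctionList export name: not a PKCS#11 module?")
    return problems

def fake_dll(machine, exports=b""):
    """Constructed sample input: bare DOS + PE headers, not a loadable DLL."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 + exports

if __name__ == "__main__":  # args: path to pkcs11.cfg, JVM bitness (32 or 64)
    import sys
    cfg = parse_pkcs11_cfg(open(sys.argv[1]).read())
    with open(cfg["library"], "rb") as f:
        print(check_library(f.read(), int(sys.argv[2])) or "library looks usable")
```

An empty result only means the file passed these two checks; the slot number and hash algorithm still have to match what the token supports.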
Hi,
I'm trying to get JSignPdf to work with LuxTrust, which provides certificates in accordance with eIDAS.
On Windows, I used the following pkcs11 configuration:
name=JSignPdf
library=C:\Program Files\LuxTrust\runtime\bin\j2pkcs11.dll
But that doesn't work:
c:\Program Files\JSignPdf>java -jar JSignPdf.jar -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Initialization failed
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:377)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:104)
... 7 more
Caused by: java.io.IOException: The specified procedure could not be found.
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Initialization failed
at com.github.kwart.jsign.pkcs11.JSignPKCS11.(JSignPKCS11.java:380)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.(JSignPKCS11.java:104)
... 7 more
Caused by: java.io.IOException: The specified procedure could not be found.
INFO Available key store types: BCFKS BCFKS-DEF BCPKCS12 BKS BOUNCYCASTLE CASEEXACTJKS CloudFoxy DKS FIPS FIPS-DEF IBCFKS IBCFKS-DEF IFIPS IFIPS-DEF JCEKS JKS PKCS12 PKCS12-3DES-3DES PKCS12-3DES-40RC2 PKCS12-DEF PKCS12-DEF-3DES-3DES PKCS12-DEF-3DES-40RC2 WINDOWS-MY WINDOWS-ROOT
Anyone who has been successful in getting LuxTrust to work? Do I use the wrong library?