intoolswetrust / jsignpdf

PDF signing software written in Java. It supports visible signatures, timestamping, certificate verification and many other cool features
https://intoolswetrust.github.io/jsignpdf/

LuxTrust #131

Closed tillburkert closed 1 year ago

tillburkert commented 1 year ago

Hi,

I'm trying to get JSignPdf to work with LuxTrust, which provides certificates in accordance with eIDAS.

On Windows, I used the following pkcs11 configuration:

    name=JSignPdf
    library=C:\Program Files\LuxTrust\runtime\bin\j2pkcs11.dll

But, that doesn't work:

    c:\Program Files\JSignPdf>java -jar JSignPdf.jar -lkt
    FINE Relaxing SSL security.
    FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
    SEVERE Unable to register SunPKCS11 security provider.
    java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
        at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
        at net.sf.jsignpdf.Signer.main(Signer.java:104)
    Caused by: java.security.ProviderException: Initialization failed
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:377)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:104)
        ... 7 more
    Caused by: java.io.IOException: The specified procedure could not be found.
        at sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
        at sun.security.pkcs11.wrapper.PKCS11.<init>(PKCS11.java:144)
        at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:157)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:314)
        ... 8 more
    SEVERE Unable to register SunPKCS11 security provider.
    java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
        at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
        at net.sf.jsignpdf.Signer.main(Signer.java:104)
    Caused by: java.security.ProviderException: Initialization failed
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:380)
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:104)
        ... 7 more
    Caused by: java.io.IOException: The specified procedure could not be found.
        at sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
        at sun.security.pkcs11.wrapper.PKCS11.<init>(PKCS11.java:144)
        at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:157)
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:317)
        ... 8 more
    INFO Available key store types: BCFKS BCFKS-DEF BCPKCS12 BKS BOUNCYCASTLE CASEEXACTJKS CloudFoxy DKS FIPS FIPS-DEF IBCFKS IBCFKS-DEF IFIPS IFIPS-DEF JCEKS JKS PKCS12 PKCS12-3DES-3DES PKCS12-3DES-40RC2 PKCS12-DEF PKCS12-DEF-3DES-3DES PKCS12-DEF-3DES-40RC2 WINDOWS-MY WINDOWS-ROOT

Anyone who has been successful in getting LuxTrust to work? Do I use the wrong library?

kwart commented 1 year ago

Did you install it from the Windows installer? Have you also tried the JSignPdfC.exe?

tillburkert commented 1 year ago

Yes, I used the Windows installer.

I didn't know what the JSignPdfC.exe is, but I tried it:

    C:\Program Files\JSignPdf>JSignPdfC.exe -lkt
    FINE Relaxing SSL security.
    FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
    SEVERE Unable to register SunPKCS11 security provider.
    java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:114)
        at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
        at net.sf.jsignpdf.Signer.main(Signer.java:104)
    Caused by: java.security.ProviderException: Initialization failed
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(Unknown Source)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(Unknown Source)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(Unknown Source)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(Unknown Source)
        ... 7 more
    Caused by: java.io.IOException: The specified procedure could not be found.
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.<init>(Unknown Source)
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(Unknown Source)
        ... 12 more
    SEVERE Unable to register SunPKCS11 security provider.
    java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
        at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
        at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
        at net.sf.jsignpdf.Signer.main(Signer.java:104)
    Caused by: java.security.ProviderException: Initialization failed
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:380)
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:104)
        ... 7 more
    Caused by: java.io.IOException: The specified procedure could not be found.
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.<init>(Unknown Source)
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.getInstance(Unknown Source)
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:317)
        ... 8 more
    INFO Available key store types: BCFKS BCFKS-DEF BCPKCS12 BKS BOUNCYCASTLE CASEEXACTJKS CloudFoxy DKS FIPS FIPS-DEF IBCFKS IBCFKS-DEF IFIPS IFIPS-DEF JCEKS JKS PKCS12 PKCS12-3DES-3DES PKCS12-3DES-40RC2 PKCS12-DEF PKCS12-DEF-3DES-3DES PKCS12-DEF-3DES-40RC2 WINDOWS-MY WINDOWS-ROOT

kwart commented 1 year ago

I understand the problem now. You have to provide a path to a PKCS11 driver, but you've provided a path to the Java wrapper library for accessing such a driver.

    library=C:\Program Files\LuxTrust\runtime\bin\j2pkcs11.dll

Ask your smartcard vendor what's the correct driver path. Closing for now. Feel free to reopen if you hit an issue with the correct configuration.

tillburkert commented 1 year ago

According to LuxTrust's instructions how to use their smartcard with Adobe (https://www.luxtrust.lu/upload/data/guides/ug-0622-p-e-configuration_adobe_dc_pro_0.pdf), the Gemalto library is used:

    C:\Program Files (x86)\Gemalto\Classic Client\BIN\gclib.dll

My pkcs11.cfg is:

    name=JSignPdf
    library="C:\Program Files (x86)\Gemalto\Classic Client\BIN\gclib.dll"

(I started without slot or slotListIndex.)

When I try to list the key store types everything seems to look fine, except there is no PKCS11 (I use 32-bit Java as I got some additional error when using 64-bit Java):

    C:\Program Files\JSignPdf>"c:\Program Files (x86)\Java\jre1.8.0_351\bin\java.exe" -jar JSignPdf.jar -lkt
    FINE Relaxing SSL security.
    FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
    FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
    FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
    INFO Available key store types: BCFKS BCFKS-DEF BCPKCS12 BKS BOUNCYCASTLE CASEEXACTJKS CloudFoxy DKS FIPS FIPS-DEF IBCFKS IBCFKS-DEF IFIPS IFIPS-DEF JCEKS JKS PKCS12 PKCS12-3DES-3DES PKCS12-3DES-40RC2 PKCS12-DEF PKCS12-DEF-3DES-3DES PKCS12-DEF-3DES-40RC2 WINDOWS-MY WINDOWS-ROOT

Based on some other threads here in the forum, I tried using -ksp, -kp, and -ha, but I always get some error:

    C:\Program Files\JSignPdf>"c:\Program Files (x86)\Java\jre1.8.0_351\bin\java.exe" -jar JSignPdf.jar -kst JSIGNPKCS11 -ksp xxxxxx c:\Users\etilbur\Test.pdf -d c:\Users\etilbur -kp xxxxxx
    FINE Relaxing SSL security.
    FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
    FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
    FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
    INFO Checking input and output PDF paths.
    java.security.KeyStoreException: JSIGNPKCS11 not found
        at java.security.KeyStore.getInstance(Unknown Source)
        at net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:355)
        at net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:411)
        at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)
        at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
        at net.sf.jsignpdf.Signer.main(Signer.java:139)
    Caused by: java.security.NoSuchAlgorithmException: JSIGNPKCS11 KeyStore not available
        at sun.security.jca.GetInstance.getInstance(Unknown Source)
        at java.security.Security.getImpl(Unknown Source)
        ... 6 more
    WARNING Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.
    SEVERE Problem occured
    java.lang.NullPointerException: Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.
        at net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliasInternal(KeyStoreUtils.java:224)
        at net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:413)
        at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)
        at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
        at net.sf.jsignpdf.Signer.main(Signer.java:139)
    INFO Finished: Creating of signature failed.
    FINE Removing security provider with name SunPKCS11-JSignPdf
    FINE Removing security provider with name JSignPKCS11-JSignPdf

I also tried PKCS11 and JSignPKCS11 as key store type.

tillburkert commented 1 year ago

I think I figured it out.

There was also a 64-bit version of the Gemalto library, so I use that one. I also need to add slot=1 in my pkcs11.cfg (I somehow managed to get a list of different slots, not sure how I did that):

    name=JSignPdf
    library="C:\Program Files\Gemalto\Classic Client\BIN\gclib.dll"
    slot=1

I also needed to use "-ha SHA256" (otherwise I get CKR_DEVICE_ERROR):

    C:\Program Files\JSignPdf>java -jar JSignPdf.jar -kst PKCS11 c:\Users\etilbur\Test.pdf -d c:\Users\etilbur -ksp xxxxxx -ha SHA256
    FINE Relaxing SSL security.
    FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
    FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
    FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
    INFO Checking input and output PDF paths.
    INFO Getting key alias
    INFO Used key alias: User Cert Sig
    INFO Loading private key
    INFO Getting certificate chain
    INFO Opening input PDF file: c:\Users\etilbur\Test.pdf
    INFO Creating output PDF file: c:/Users/etilbur/Test_signed.pdf
    INFO Creating signature
    INFO Setting certification level
    INFO Processing (it may take a while) ...
    FINE KeyStore type PKCS11 is supported by the provider SunPKCS11-JSignPdf
    INFO Closing result PDF stream
    INFO Finished: Signature succesfully created.
    FINE Removing security provider with name SunPKCS11-JSignPdf
    FINE Removing security provider with name JSignPKCS11-JSignPdf
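The thread above hit three separate problems with one pkcs11.cfg: the `library` line pointed at the JDK's own j2pkcs11.dll (the JNI wrapper the SunPKCS11 provider uses to talk to a driver, which exports no PKCS#11 entry point; on Windows, "The specified procedure could not be found" is ERROR_PROC_NOT_FOUND, what GetProcAddress reports when the DLL loaded but C_GetFunctionList is missing), then a 32-bit gclib.dll was paired with a 64-bit JVM, and finally the token needed an explicit `slot`. The script below is an added example, not code from JSignPdf or the JDK: it lints a pkcs11.cfg for exactly those three failure modes before Java ever loads the driver. Assumptions: the config reader is a simplified key=value reader (no escape processing inside quotes), not the JDK's parser; the PE headers used in the demo are constructed stand-ins for reading the first bytes of a real DLL; `lint_cfg`, `pe_machine` and `exports_entry_point` are names chosen here.

```python
"""Pre-flight checks for a SunPKCS11 pkcs11.cfg before JSignPdf loads it.

Added example, not part of JSignPdf or the JDK. It checks the three things
that went wrong in the thread: `library` must name a PKCS#11 driver rather
than the JDK's own j2pkcs11 JNI wrapper, the driver's bitness must match the
JVM that will load it, and only one of `slot` / `slotListIndex` may be set.
The config reader is a simplified key=value reader (assumption: no escape
processing inside quotes), not the JDK's parser.
"""
import ctypes
import os
import struct
from typing import Dict, List, Optional

# Every PKCS#11 module exports this one entry point; SunPKCS11 resolves it
# right after loading the library. Windows reports a failed lookup as
# ERROR_PROC_NOT_FOUND (127): "The specified procedure could not be found."
PKCS11_ENTRY_POINT = "C_GetFunctionList"

# IMAGE_FILE_HEADER.Machine values for the architectures that matter here.
PE_MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

# The three configurations from the thread (copied from the posts above).
CFG_WRAPPER = r"""
name=JSignPdf
library=C:\Program Files\LuxTrust\runtime\bin\j2pkcs11.dll
"""
CFG_32BIT = r"""
name=JSignPdf
library="C:\Program Files (x86)\Gemalto\Classic Client\BIN\gclib.dll"
"""
CFG_FIXED = r"""
name=JSignPdf
library="C:\Program Files\Gemalto\Classic Client\BIN\gclib.dll"
slot=1
"""


def parse_pkcs11_cfg(text: str) -> Dict[str, str]:
    """Read key=value lines; '#' starts a comment; values may be double-quoted."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # simplified: no escape handling inside quotes
        cfg[key] = value
    return cfg


def pe_machine(header: bytes) -> Optional[str]:
    """Architecture from the start of a PE image (MZ header -> e_lfanew -> COFF
    Machine field); None if the bytes are not a PE image."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    if len(header) < e_lfanew + 6 or header[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", header, e_lfanew + 4)[0]
    return PE_MACHINE.get(machine, "unknown(0x%04x)" % machine)


def fake_pe_header(machine: int) -> bytes:
    """Minimal MZ + PE header with the given Machine value (constructed stand-in
    for the first bytes of a real DLL; used by the demo and the tests only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


def lint_cfg(cfg: Dict[str, str], jvm_arch: str, header: Optional[bytes] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong.
    `jvm_arch` is the bitness of the Java that will load the driver ("x86"/"x64");
    `header` is the first KiB of the library file, if it could be read."""
    findings: List[str] = []
    if "name" not in cfg:
        findings.append("name is missing; the provider is registered as SunPKCS11-<name>")
    lib = cfg.get("library", "")
    if not lib:
        findings.append("library is missing")
    else:
        base = os.path.basename(lib.replace("\\", "/")).lower()
        if base.startswith(("j2pkcs11", "libj2pkcs11")):
            findings.append("library is the JDK's j2pkcs11 JNI wrapper, not a PKCS#11 driver; "
                            "it has no %s export" % PKCS11_ENTRY_POINT)
        if header is not None:
            arch = pe_machine(header)
            if arch is None:
                findings.append("library is not a PE image")
            elif arch != jvm_arch:
                findings.append("library is %s but the JVM is %s; a %s JVM cannot load it"
                                % (arch, jvm_arch, jvm_arch))
    if "slot" in cfg and "slotListIndex" in cfg:
        findings.append("slot and slotListIndex are both set; SunPKCS11 accepts only one of them")
    for key in ("slot", "slotListIndex"):
        if key in cfg and not cfg[key].isdigit():
            findings.append("%s must be a non-negative integer, got %r" % (key, cfg[key]))
    return findings


def exports_entry_point(path: str) -> bool:
    """Load the module into this process and look for C_GetFunctionList.
    Must run with the same bitness as the module: OSError means it could not be
    loaded at all, False means it loaded but is not a PKCS#11 module."""
    lib = ctypes.CDLL(path)
    try:
        getattr(lib, PKCS11_ENTRY_POINT)
    except AttributeError:
        return False
    return True


def check_file(cfg_path: str, jvm_arch: str) -> List[str]:
    """Lint a config on disk, reading the library header when the file exists."""
    with open(cfg_path, encoding="utf-8") as fh:
        cfg = parse_pkcs11_cfg(fh.read())
    header = None
    if os.path.isfile(cfg.get("library", "")):
        with open(cfg["library"], "rb") as fh:
            header = fh.read(1024)
    return lint_cfg(cfg, jvm_arch, header)


if __name__ == "__main__":
    # Replay the thread with constructed headers: the first DLL loaded but is
    # only the JNI wrapper, the second was a 32-bit build, the third is fine.
    for label, text, header in (
        ("j2pkcs11 wrapper", CFG_WRAPPER, fake_pe_header(0x8664)),
        ("32-bit gclib.dll", CFG_32BIT, fake_pe_header(0x014C)),
        ("64-bit gclib.dll + slot", CFG_FIXED, fake_pe_header(0x8664)),
    ):
        findings = lint_cfg(parse_pkcs11_cfg(text), "x64", header)
        print("%-24s %s" % (label, "; ".join(findings) or "OK"))
```

Run `check_file("conf/pkcs11.cfg", "x64")` (or "x86" for a 32-bit JRE) against the real file to get the same findings for your own setup; `exports_entry_point` is the definitive test for the wrapper-versus-driver mistake, but it has to be run by a Python of the same bitness as the DLL, and it does not tell you which slot the card is in. If the lint passes and JSignPdf still fails, the remaining knobs are the slot and, as in the thread, the hash algorithm the token is willing to sign.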

kwart commented 1 year ago

Thanks for the details and your solution! I believe it'll help others who use similar tokens.