search

intoolswetrust / jsignpdf

PDF signing software written in Java. It supports visible signatures, timestamping, certificate verification and many other cool features
https://intoolswetrust.github.io/jsignpdf/
Other
308 stars 118 forks source link

jsignpdf with keychain-pkcs11 #143

Closed mfleucha closed 1 year ago

mfleucha commented 1 year ago

Hi,

I am trying to get jsignpdf running on a Mac (terminal is fine) using keychain-pkcs11 (https://github.com/kenh/keychain-pkcs11) for lack of a proper pkcs11 driver for my Luxtrust card. The keychain-pkcs11 driver works fine with Acrobat Reader - signing pdf documents is stable, but only one at a time. Without keychain-pkcs11 (using cryptovision), jsignpdf does not work at all but that's likely due to the cryptovision driver that doesn't seem to play ball with the Luxtrust card.

I'd like to set up a batch process for multiple document signatures using jsignpdf. I have configured jsignpdf (latest version) to use the keychain-pkcs11 driver and when I call it using

./jsignpdf.sh -kst PKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Digital Signature PIN' my.pdf

it seems to run fine until the card PIN verification, after which it fails with

FEIN Relaxing SSL security.
FEIN Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FEIN PKCS11 provider registered with name SunPKCS11-JSignPdf
FEIN PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFORMATION Checking input and output PDF paths.
INFORMATION Hole Schlüssel Alias
INFORMATION Verwendet Schlüssel: User Cert Sig
INFORMATION Lade privaten Schlüssel
INFORMATION Hole Zertifikatskette
INFORMATION Öffne PDF Eingabedatei: /Users/mfleucha/Desktop/AN-22-015_F&G.pdf
INFORMATION Erzeuge PDF Ausgabedatei: ./AN-22-015_F&G_signed.pdf
INFORMATION Erzeuge Signatur
INFORMATION Updating PDF version info 1.4 -> 1.6
INFORMATION Setze Zertifizierungsstufe
INFORMATION Bearbeite (es kann ein wenig länger dauern) ...
FEIN KeyStore type PKCS11 is supported by the provider SunPKCS11-JSignPdf
SCHWERWIEGEND Es ist ein Problem aufgetreten
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:683)
    at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1406)
    at java.base/java.security.Signature.sign(Signature.java:712)
    at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1261)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:425)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
    at net.sf.jsignpdf.Signer.main(Signer.java:139)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:633)
    ... 6 more

INFORMATION Fertig: Erzeugen der Signatur fehlgeschlagen
FEIN Removing security provider with name SunPKCS11-JSignPdf
FEIN Removing security provider with name JSignPKCS11-JSignPdf

(sorry for the German text; not sure why it uses German, my Terminal is set to EN so I am a bit puzzled. If it makes a difference I will provide the EN output). A blank pdf file is created on disk but it's useless.

I have tried with Java 19 and 17.0.2.

For a start, I am a bit unsure about a Token PIN vs. Digital Signature PIN - I do not seem to have a possibility to set these separately for the card so I used the same PIN in the command for both.

The PKCS11 method is available in the output of ./jsignpdf.sh -lkt.

Any help getting this running would be HUGELY appreciated; I will try my luck in Windows now but am a Mac user and avoid Win when I can...

Thank you in advance for any insights!

Michael

kwart commented 1 year ago

Let's start with the simpler question - the PIN vs QPIN. The standard SunPKCS11 implementation doesn't support different PINs. Still, in JSignPdf, there is the alternative keystore type JSIGNPKCS11, which allows using different PINs. (The JSIGNPKCS11 is registered by this provider: https://github.com/intoolswetrust/jsign-pkcs11)

And regarding the CKR_FUNCTION_FAILED question. I don't know what failed within the keychain-pkcs11 library. Maybe unsupported key type or digest algorithm? Or some protection mechanism in the Mac OS? https://github.com/kenh/keychain-pkcs11/blob/v1.0.0/src/keychain_pkcs11.c#L2460-L2481

mfleucha commented 1 year ago

I have tested today with Java 8 - not realising how incompatible newer versions appear to be. With Java 8 it worked right away to sign using the combination of 'jsignpdf' and 'keychain-pkcs11'. Great news!

Thanks for your time.