Closed mfleucha closed 1 year ago
Let's start with the simpler question - the PIN vs QPIN. The standard SunPKCS11 implementation doesn't support different PINs. Still, in JSignPdf, there is the alternative keystore type JSIGNPKCS11, which allows using different PINs. (The JSIGNPKCS11 is registered by this provider: https://github.com/intoolswetrust/jsign-pkcs11)
And regarding the CKR_FUNCTION_FAILED question. I don't know what failed within the keychain-pkcs11 library. Maybe unsupported key type or digest algorithm? Or some protection mechanism in the Mac OS?
https://github.com/kenh/keychain-pkcs11/blob/v1.0.0/src/keychain_pkcs11.c#L2460-L2481
I have tested today with Java 8 - not realising how incompatible newer versions appear to be. With Java 8 it worked right away to sign using the combination of 'jsignpdf' and 'keychain-pkcs11'. Great news!
Thanks for your time.
Hi,
I am trying to get jsignpdf running on a Mac (terminal is fine) using keychain-pkcs11 (https://github.com/kenh/keychain-pkcs11) for lack of a proper pkcs11 driver for my Luxtrust card. The keychain-pkcs11 driver works fine with Acrobat Reader - signing pdf documents is stable, but only one at a time. Without keychain-pkcs11 (using cryptovision), jsignpdf does not work at all but that's likely due to the cryptovision driver that doesn't seem to play ball with the Luxtrust card.
I'd like to set up a batch process for multiple document signatures using jsignpdf. I have configured jsignpdf (latest version) to use the keychain-pkcs11 driver and when I call it using
./jsignpdf.sh -kst PKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Digital Signature PIN' my.pdf
it seems to run fine until the card PIN verification, after which it fails with
(sorry for the German text; not sure why it uses German, my Terminal is set to EN so I am a bit puzzled. If it makes a difference I will provide the EN output). A blank pdf file is created on disk but it's useless.
I have tried with Java 19 and 17.0.2.
For a start, I am a bit unsure about a Token PIN vs. Digital Signature PIN - I do not seem to have a possibility to set these separately for the card so I used the same PIN in the command for both.
The PKCS11 method is available in the output of ./jsignpdf.sh -lkt.
Any help getting this running would be HUGELY appreciated; I will try my luck in Windows now but am a Mac user and avoid Win when I can...
Thank you in advance for any insights!
Michael