JSignPdf in a batch mode gets stuck after signature creation and removing PKCS11 security provider

[votocek]

At first, thank you for a great SW.

• Using JsignPdf 2.2.2 on Windows 10 x86-64.
• Using CMD script to invoke JSignPdf in a batch mode.
• When using PKCS12 keystore, it is working fine.
• When using a hardware keystore (eObcanka used in the Czech Republic) with PKCS11 or JSIGNPKCS11 keystoretype, it does signing part well but then it gets stuck - it doesn't exit and return the prompt to the shell.

c:\App\GP>"c:\App\GP\Programy\zulu21.34.19-ca-jre21.0.3\bin\java" --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED --add-opens=java.base/sun.security.util=ALL-UNNAMED --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED --add-exports=java.base/sun.security.action=ALL-UNNAMED --add-exports=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED -Duser.language=en "-Djsignpdf.home=c:\App\GP\Programy\jsignpdf-2.2.2" -jar "c:\App\GP\Programy\jsignpdf-2.2.2/JSignPdf.jar" -kst PKCS11 -ksp 123456  "Test_pro_podpis.pdf"
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-eObcanka
FINE PKCS11 provider registered with name JSignPKCS11-eObcanka
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: iSignum 20240604-210002
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: Test_pro_podpis.pdf
INFO Creating output PDF file: ./Test_pro_podpis_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Processing (it may take a while) ...
FINE KeyStore type PKCS11 is supported by the provider SunPKCS11-eObcanka
INFO Closing result PDF stream
INFO Finished: Signature succesfully created.
FINE Removing security provider with name SunPKCS11-eObcanka
FINE Removing security provider with name JSignPKCS11-eObcanka
<stuck here without returning prompt to the CMD script>  

Sometime it helps to press Ctrl+C to interrupt it but most of the time I need to close the whole window with Command Prompt.

• I tried Zulu JRE 11 and 21.
• I tried JSignPdf for Windows with bundled JRE and running JSignPdfC.exe wrapper. Result is the same. It works but then gets stuck.
• If I use GUI version of JSignPdf then I don't notice any problems.

Any clue how to debug what is going wrong in a batch mode?

[votocek]

I did several testing and I can confirm:

• GUI version of JSignPDF is working fine. Problem only in a batch mode.
• Linux version is working fine in batch mode. Problem is only in Windows version (using Windows 10).
• No problems occur when I disable PKCS11 configuration (jsignpdf-2.2.2\conf\pkcs11.cfg).

When this file is present and contains configuration for the Czech Republic identity card (second version issued from 07/2018):

# Sample file for registering PKCS#11 security provider in JSignPdf
# Feel free to edit it and then set path to the file in the conf.properties configuration file.

name=eObcanka
# Windows:
# This is a proxy DLL which should point you to a correct version of DLL based on your card version
#library=C:\Windows\System32\eopproxyp11.dll
# Let's use directly the correct DLL for second version of the card:
library=C:\Windows\System32\eop2v1czep11.dll

# Linux:
#library=/usr/lib/x86_64-linux-gnu/libeopproxyp11.so
#library=/usr/lib/x86_64-linux-gnu/libeop2v1czep11.so

then I am able to complete signing in a batch mode but JSignPDF program gets stuck after removing PKCS11 security provider. Please see the output in the previous post.

No difference when using “proxy DLL” (eopproxyp11.dll) or the correct DLL directly (eop2v1czep11.dll).

Any idea why JSignPDF is working in a different way in a batch mode and GUI mode in Windows?

[kwart]

Have you tried the windows distribution too? i.e. using the JSignPdfC.exe wrapper

Ah, I see, you tried it. Wasn't reading fully the first message.

[votocek]

Let me add more information and correct my previous statement:

• GUI version of JSignPDF is working fine. Problem only in a batch mode.
• Both modes of JSignPDF – GUI and the batch mode – have troubles when closing the program. The difference is that the batch mode gets stuck visibly in a command prompt window whereas GUI version close its window (and I previously thought that JSignPDF program had closed correctly) but the javaw.exe process is still present among running processes – it gets stuck and doesn’t exit properly.

I think the problem is related to manipulation with PKCS11 library (C:\Windows\System32\eop2v1czep11.dll) which is part of the SW for the Czech eObcanka (https://info.identitaobcana.cz/Download/). The author of this SW (MONET+ a.s.) claims that the application uses OpenSSL Toolkit.

If the issues is not in JSignPDF program and it is in the provided PKCS11 library, then there is no help, I am afraid. Thank you for any ideas what to try.

[kwart]

Could you try using jstack to dump the stack trace (when it got stuck) and paste it here?

jstack -l <JavaProcessId>

[votocek]

Thank you for help. Unfortunately, I am not able to get the trace while the java process gets stuck – getting „access denied“ error regardless of running the jstack command as a normal user (=the same user as JSignPDF) od local admin.

Let me demonstrate my testcase: First CMD window – run JSignPDF:

REM set JAVA_HOME=%~dp0..\zulu21.34.19-ca-jre21.0.3
REM Use JDK instead:
set JAVA_HOME=%~dp0..\zulu21.34.19-ca-jdk21.0.3
set JAVA_PRG=%JAVA_HOME%\bin\java
set JSIGN_HOME=%~dp0

REM Options copied from the Linux shell script version:
set JAVA_OPTS=--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED --add-opens=java.base/sun.security.util=ALL-UNNAMED --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED --add-exports=java.base/sun.security.action=ALL-UNNAMED --add-exports=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED

"%JAVA_PRG%" %JAVA_OPTS% -Duser.language=en -Djsignpdf.home=%JSIGN_HOME% -jar "%JSIGN_HOME%JSignPdf.jar"

JSignPDF starts in a GUI mode and it writes to CMD window as a console output:

FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11-windows.cfg
FINE PKCS11 provider registered with name SunPKCS11-eObcanka
FINE PKCS11 provider registered with name JSignPKCS11-eObcanka

In the second CMD window as a local admin:

REM Try to get jstack while JSignPDF is running:
c:\App\GP>c:\App\GP\Programy\zulu21.34.19-ca-jdk21.0.3\bin\jstack.exe -l 2832

OK. I got some output. jstack is working.

Now I close the JSignPDF. Its window closes but java.exe process with PID=2832 still exists. It writes to the CMD window:

FINE Removing security provider with name SunPKCS11-eObcanka
FINE Removing security provider with name JSignPKCS11-eObcanka

Try to run jstack:

c:\App\GP>c:\App\GP\Programy\zulu21.34.19-ca-jdk21.0.3\bin\jstack.exe -l 2832
2832: Přístup byl odepřen

Access denied error.

Any clue? Did I something wrong?