intoolswetrust / jsignpdf

PDF signing software written in Java. It supports visible signatures, timestamping, certificate verification and many other cool features
https://intoolswetrust.github.io/jsignpdf/

Multiple PKCS11 providers #187

Open felagund opened 1 month ago

felagund commented 1 month ago

Maybe I am missing something, but if I want to use multiple PKCS11 providers (like, for example, my ID for electronic signature and a USB token for signing documents with an authorized stamp for the civil engineering authority), do I need to always edit the conf/pkcs11.cfg file? I tried listing multiple files in conf/conf.properties but only the last one seems to be used. Listing both in the conf/pkcs11.cfg fails, i.e. with

name=eObcanka
library=/usr/lib/x86_64-linux-gnu/libeopproxyp11.so

name=tokenCKAIT
library=/usr/lib/libeTPkcs11.so
slot=1

After running jsignpdf.sh I get:

FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:114)
        at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
        at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.InvalidParameterException: Error configuring SunPKCS11 provider
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:122)
        ... 7 more
Caused by: sun.security.pkcs11.ConfigurationException: name must only be specified once, line 10
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.excLine(Config.java:397)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.checkDup(Config.java:689)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parseStringEntry(Config.java:578)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parse(Config.java:418)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:222)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:118)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:115)
        ... 7 more

SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
        at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
        at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
        at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Error parsing configuration
        at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:88)
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:130)
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:104)
        ... 8 more
Caused by: com.github.kwart.jsign.pkcs11.ConfigurationException: name must only be specified once, line 10
        at com.github.kwart.jsign.pkcs11.Config.excLine(Config.java:374)
        at com.github.kwart.jsign.pkcs11.Config.checkDup(Config.java:650)
        at com.github.kwart.jsign.pkcs11.Config.parseStringEntry(Config.java:539)
        at com.github.kwart.jsign.pkcs11.Config.parse(Config.java:391)
        at com.github.kwart.jsign.pkcs11.Config.<init>(Config.java:219)
        at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:84)
        ... 10 more

(and nothing gets registered).

Also, on a related note, what is the name field for? In the "Keystore type" list, it only lists "PKCS11".

felagund commented 1 month ago

The docs https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html say

 To use more than one slot per PKCS#11 implementation, or to use more than one PKCS#11 implementation, simply repeat the installation for each with the appropriate configuration file. This will result in a Sun PKCS#11 provider instance for each slot of each PKCS#11 implementation.

so it should be possible, but I am not sure whether it is not implemented or I am missing how to configure it properly.
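The "repeat the installation for each" step from the quoted Oracle guide, written against the plain JDK API (Java 9+) as an added example; it is not JSignPdf code and says nothing about what JSignPdf itself supports. The two file names are hypothetical, and each file is assumed to hold exactly one of the `name=`/`library=` blocks from the first comment. The `name` value becomes the suffix of the provider instance name (`SunPKCS11-<name>`), which is how two tokens are told apart when both keystores have type `PKCS11`.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class MultiPkcs11 {

    /** Registers one SunPKCS11 instance per configuration file (Java 9+ API). */
    static List<Provider> register(List<Path> configs) {
        Provider template = Security.getProvider("SunPKCS11");
        if (template == null) {
            throw new IllegalStateException("SunPKCS11 is not available in this JRE");
        }
        List<Provider> registered = new ArrayList<>();
        for (Path cfg : configs) {
            if (!Files.isReadable(cfg)) {
                System.err.println("Skipping unreadable config: " + cfg);
                continue;
            }
            try {
                // configure() returns a new instance named "SunPKCS11-" + name
                Provider p = template.configure(cfg.toString());
                if (Security.addProvider(p) == -1) {
                    System.err.println("Already registered: " + p.getName());
                }
                registered.add(p);
            } catch (RuntimeException e) {
                // A bad config or missing library fails only this provider.
                System.err.println("Cannot configure " + cfg + ": " + e);
            }
        }
        return registered;
    }

    public static void main(String[] args) throws Exception {
        List<Provider> providers = register(List.of(
                Path.of("conf/pkcs11-eObcanka.cfg"),     // hypothetical file name
                Path.of("conf/pkcs11-tokenCKAIT.cfg"))); // hypothetical file name
        for (Provider p : providers) {
            // Select the token by provider instance, not only by type "PKCS11".
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            System.out.println(p.getName() + " -> keystore type " + ks.getType());
        }
    }
}
```

Loading a keystore afterwards (`ks.load(null, pin)`) still needs the token's PIN, and `KeyStore.getInstance` throws for a provider whose token is not plugged in.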