intoolswetrust / jsignpdf

PDF signing software written in Java. It supports visible signatures, timestamping, certificate verification and many other cool features
https://intoolswetrust.github.io/jsignpdf/

pkcs11 card problems #70

Closed lepalom closed 2 years ago

lepalom commented 2 years ago

Hi,

I'm using Debian 11 and jsignpdf 2.0.0. I have a certificate in a card and a reader in the keyboard. I use the safenetauthenticationclient package, which contains the libraries to access the card. It is working with Firefox and other PDF programs.

In my conf/pkcs11.cfg

I have: ... library=/usr/lib/libeTPkcs11.so ...

or ... library=/usr/lib/pkcs11/libIDPrimePKCS11.so ...

Both options give the same result:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils ... to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

So, I cannot select pkcs11 as key. Also, I have tried with Java 17, with a similar result:

/usr/lib/jvm/java-17-openjdk-amd64/bin/java -jar JSignPdf.jar
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessException: class net.sf.jsignpdf.utils.PKCS11Utils cannot access class sun.security.pkcs11.SunPKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11 to unnamed module @2f529dae
    at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
    at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:489)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:112)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)

SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessError: class com.github.kwart.jsign.pkcs11.JSignPKCS11 (in unnamed module @0x2f529dae) cannot access class sun.security.util.Debug (in module java.base) because module java.base does not export sun.security.util to unnamed module @0x2f529dae
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.(JSignPKCS11.java:63)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:375)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:108)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)

Any idea?

kwart commented 2 years ago

Have you used the jsignpdf.sh script? If not, please use it.

lepalom commented 2 years ago

Yes, but then:

FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf

but no pkcs11 provider is shown (or I don't see it).

lepalom commented 2 years ago

Just to add some info, following the documentation:

$ java -Djava.security.debug=pkcs11keystore -Djava.security.debug=sunpkcs11 -jar JSignPdf.jar
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessException: class net.sf.jsignpdf.utils.PKCS11Utils cannot access class sun.security.pkcs11.SunPKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11 to unnamed module @2f529dae
    at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
    at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:489)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:112)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)

SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessError: class com.github.kwart.jsign.pkcs11.JSignPKCS11 (in unnamed module @0x2f529dae) cannot access class sun.security.util.Debug (in module java.base) because module java.base does not export sun.security.util to unnamed module @0x2f529dae
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.(JSignPKCS11.java:63)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:375)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:108)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)

Hope this helps.

kwart commented 2 years ago

What about the following?

./jsignpdf.sh -lkt

It should contain PKCS11 if properly configured.

Or, if you don't want to use the shell script, you have to add the following Java arguments yourself:

  --add-exports jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED \
  --add-exports jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED \
  --add-opens java.base/java.security=ALL-UNNAMED \
  --add-exports java.base/sun.security.action=ALL-UNNAMED \
  --add-exports java.base/sun.security.rsa=ALL-UNNAMED \
  --add-opens java.base/sun.security.util=ALL-UNNAMED

lepalom commented 2 years ago

./jsignpdf.sh -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Available key store types:
BCFKS
BCFKS-DEF
BCPKCS12
BKS
BKS-V1
BOUNCYCASTLE
CASEEXACTJKS
CloudFoxy
DKS
IBCFKS
IBCFKS-DEF
JCEKS
JKS
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf

But no pkcs11 store types are available. What am I doing wrong?

kwart commented 2 years ago

Not sure what's wrong there. You could try whether using PKCS11 with the NSS keystore works for you: https://github.com/intoolswetrust/jsignpdf#testing-pkcs11-without-a-card-reader

Just a note: With NSS you'll surely see an exception during registration of JSignPKCS11-JSignPdf (it doesn't support it), but the SunPKCS11-JSignPdf should work:

$ ./jsignpdf.sh -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-testPkcs11
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.lang.NullPointerException
    at java.base/java.io.File.<init>(File.java:278)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:284)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:103)
    ... 8 more

INFO Available key store types:
BCFKS
BCFKS-DEF
BCPKCS12
BKS
BKS-V1
BOUNCYCASTLE
CASEEXACTJKS
CloudFoxy
DKS
IBCFKS
IBCFKS-DEF
JCEKS
JKS
PKCS11
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2
FINE Removing security provider with name SunPKCS11-testPkcs11

michnovka commented 2 years ago

I have the same exact problem. It happens randomly; sometimes a reboot fixes it. I tried OpenJDK 8, 11, 14 as well as Oracle Java 17. Running Kubuntu 20.04.

./jsignpdf.sh -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-eObcanka
FINE PKCS11 provider registered with name JSignPKCS11-eObcanka
INFO Available key store types:
BCFKS
BCFKS-DEF
BCPKCS12
BKS
BKS-V1
BOUNCYCASTLE
CASEEXACTJKS
CloudFoxy
DKS
IBCFKS
IBCFKS-DEF
JCEKS
JKS
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2
FINE Removing security provider with name SunPKCS11-eObcanka
FINE Removing security provider with name JSignPKCS11-eObcanka

michnovka commented 2 years ago

I found out that if I unplug my YubiKey, the JSignPKCS11 appears in the list. So it seems to be some conflict. Let me know how I can help to debug this. @lepalom, try to unplug any other security device you may have connected.

thanosk commented 2 years ago

I have a similar problem but I think I got to the next step. The device is a Safenet 5110cc Gemalto Thales MD 940, the Linux middleware is installed and working, as are the pcscd and libccid packages.

So, configuring the proper slot (0 in my case) and probably the proper library, which is one of the following (I have tried all of them):

/usr/lib/libeToken.so
/usr/lib/libIDPrimePKCS11.so
/usr/lib/libIDPrimeTokenEngine.so
/usr/lib/libeTokenHID.so
/usr/lib/libSACUI.so
/usr/lib/libSACLog.so
/usr/lib/libIDPVSlotEngine.so
/usr/lib/libeTPkcs11.so

enables PKCS11 and JSIGNPKCS11 keystore types. Selecting either of them and pressing Load Keys produces the GUI dialog error saying: "Keystore was not loaded successfully" and the following java exception:

INFO Getting keystore type instance: JSIGNPKCS11
java.io.IOException: load failed
    at com.github.kwart.jsign.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:759)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:359)
    at net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliases(KeyStoreUtils.java:112)
    at net.sf.jsignpdf.SignPdfForm.btnLoadAliasesActionPerformed(SignPdfForm.java:1195)
    at net.sf.jsignpdf.SignPdfForm.access$900(SignPdfForm.java:71)
    at net.sf.jsignpdf.SignPdfForm$10.actionPerformed(SignPdfForm.java:779)
    at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
    at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
    at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
    at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
    at java.awt.Component.processMouseEvent(Component.java:6539)
    at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
    at java.awt.Component.processEvent(Component.java:6304)
    at java.awt.Container.processEvent(Container.java:2239)
    at java.awt.Component.dispatchEventImpl(Component.java:4889)
    at java.awt.Container.dispatchEventImpl(Container.java:2297)
    at java.awt.Component.dispatchEvent(Component.java:4711)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904)
    at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4535)
    at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4476)
    at java.awt.Container.dispatchEventImpl(Container.java:2283)
    at java.awt.Window.dispatchEventImpl(Window.java:2746)
    at java.awt.Component.dispatchEvent(Component.java:4711)
    at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760)
    at java.awt.EventQueue.access$500(EventQueue.java:97)
    at java.awt.EventQueue$3.run(EventQueue.java:709)
    at java.awt.EventQueue$3.run(EventQueue.java:703)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:84)
    at java.awt.EventQueue$4.run(EventQueue.java:733)
    at java.awt.EventQueue$4.run(EventQueue.java:731)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:730)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
    at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
Caused by: java.security.UnrecoverableKeyException
    at com.github.kwart.jsign.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:758)
    ... 42 more
Caused by: javax.security.auth.login.FailedLoginException
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.login(JSignPKCS11.java:1299)
    at com.github.kwart.jsign.pkcs11.P11KeyStore.login(P11KeyStore.java:862)
    at com.github.kwart.jsign.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:749)
    ... 42 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
    at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.login(JSignPKCS11.java:1287)
    ... 44 more

Any ideas? I would expect that if it indeed needs a PIN, then the Safenet middleware would prompt for it, but that is not the case.

kwart commented 2 years ago

@thanosk you have to provide the pin (as the keystore password) to load key aliases.

thanosk commented 2 years ago

@kwart How can I provide the PIN then? There isn't any GUI prompt taking place, nor any argument in the conf/pkcs11.cfg.

kwart commented 2 years ago

One more detail related to the original issue. I just tried behavior with the Gemalto 5110 CC. The PKCS11 keystore types are not listed when the token is not plugged in.

thanosk commented 2 years ago

Replying to myself: oh, you must mean the keystore password field located just below the keystore file field. I'm going to try that; I thought that field was for when you're loading a file keystore.

kwart commented 2 years ago

@thanosk If you use the batch mode (command-line), use the -ksp argument. Example:

./jsignpdf.sh -kst JSIGNPKCS11 -ksp 12345678 -lk

In the GUI just use the keystore password. (as you've already guessed) :)

kwart commented 2 years ago

@lepalom Was there any progress on your side? Did you try it with the token plugged in?

thanosk commented 2 years ago

@kwart I don't need to mention that your help is of course invaluable. The key was loaded successfully. Now, is there anything else necessary for the next step of performing the signature? Something like "being logged on" with the Gemalto? I tried inputting the Digital Signature PIN, as it calls it, in the Key password field; however, this is the exception now:

java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
    at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:661)
    at java.security.Signature$Delegate.engineSign(Signature.java:1382)
    at java.security.Signature.sign(Signature.java:698)
    at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1260)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:418)
    at net.sf.jsignpdf.SignerLogic.run(SignerLogic.java:116)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
    at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
    at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:615)
    ... 6 more

kwart commented 2 years ago

@thanosk Have you used the JSIGNPKCS11 type?

thanosk commented 2 years ago

@kwart Yes, I am using the JSIGNPKCS11 type, and with the correct Token PIN/Password typed in the Keystore password field, pressing Load Keys works (without exception) and fills the Key alias field with a UUID-like value.

lepalom commented 2 years ago

@kwart Still not working. I have installed a Gemalto reader and got errors.

$ ./jsignpdf.sh 
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:114)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.InvalidParameterException: Error configuring SunPKCS11 provider
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:122)
    ... 7 more
Caused by: sun.security.pkcs11.ConfigurationException: name must only be specified once, line 12
    at jdk.crypto.cryptoki/sun.security.pkcs11.Config.excLine(Config.java:397)
    at jdk.crypto.cryptoki/sun.security.pkcs11.Config.checkDup(Config.java:685)
    at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parseStringEntry(Config.java:574)
    at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parse(Config.java:414)
    at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:222)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:118)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:115)
    ... 7 more

SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Error parsing configuration
    at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:88)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:129)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:103)
    ... 8 more
Caused by: com.github.kwart.jsign.pkcs11.ConfigurationException: name must only be specified once, line 12
    at com.github.kwart.jsign.pkcs11.Config.excLine(Config.java:374)
    at com.github.kwart.jsign.pkcs11.Config.checkDup(Config.java:650)
    at com.github.kwart.jsign.pkcs11.Config.parseStringEntry(Config.java:539)
    at com.github.kwart.jsign.pkcs11.Config.parse(Config.java:391)
    at com.github.kwart.jsign.pkcs11.Config.<init>(Config.java:219)
    at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:84)
    ... 10 more

FINE Removing security provider with name SunPKCS11

kwart commented 2 years ago

@lepalom It seems your pkcs11.cfg is not correct. From the message, it seems you have the name argument listed more than once. Can you share the content of the file?

This is a sample content:

name=JSignPdf
library=/usr/lib/libeTPkcs11.so
slot=1

lepalom commented 2 years ago

@kwart Yes, but it still fails.

$ ./jsignpdf.sh 
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:114)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.InvalidParameterException: Error configuring SunPKCS11 provider
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:122)
    ... 7 more
Caused by: sun.security.pkcs11.ConfigurationException: library must not be specified in NSS mode
    at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parse(Config.java:513)
    at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:222)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:118)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:115)
    ... 7 more

SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
    at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
    at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Error parsing configuration
    at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:88)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:129)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:103)
    ... 8 more
Caused by: com.github.kwart.jsign.pkcs11.ConfigurationException: library must not be specified in NSS mode
    at com.github.kwart.jsign.pkcs11.Config.parse(Config.java:478)
    at com.github.kwart.jsign.pkcs11.Config.<init>(Config.java:219)
    at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:84)
    ... 10 more

FINE Removing security provider with name SunPKCS11

and my pkcs11.cfg:

name=JSignPdf
library=/usr/lib/libeTPkcs11.so
slot=1
nssLibraryDirectory=/usr/lib/x86_64-linux-gnu
nssSecmodDirectory=~/.pki/nssdb
nssModule=keystore

kwart commented 2 years ago

@lepalom Do you want to use a token or the NSS keystore? You can't have both in the config file.

lepalom commented 2 years ago

@kwart the certificates that I have in my card.

kwart commented 2 years ago

@lepalom Then remove the properties whose names start with nss from the configuration file.
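The two configuration failures in this thread ("name must only be specified once" and "library must not be specified in NSS mode") are both rejected by the provider's config parser only after JSignPdf has already started. The POSIX shell check below is an added example, not code from the JSignPdf project or its author: it reproduces those two parser rules (plus a missing `name`) against a `conf/pkcs11.cfg` so a broken file is caught beforehand. The three sample files are constructed for the example; the library path and slot are copied from kwart's sample config above and are not checked for existence.

```shell
#!/bin/sh
# Added example (not part of JSignPdf): pre-flight check for a SunPKCS11-style
# conf/pkcs11.cfg, reproducing the parser rules that failed in this thread.

# Usage: check_pkcs11_cfg FILE
# Prints one line per problem found; returns 0 only when the file is clean.
check_pkcs11_cfg() {
    awk '
        # Skip comments and blank lines; every other line must be key=value.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) {
                printf "line %d: not a key=value entry: %s\n", NR, $0
                bad = 1
                next
            }
            key = substr($0, 1, eq - 1)
            gsub(/[[:space:]]/, "", key)
            # Rule 1: the provider rejects any attribute that is listed twice.
            if (++count[key] > 1) {
                printf "line %d: %s must only be specified once\n", NR, key
                bad = 1
            }
            if (key == "name") hasname = 1
            if (key == "library") lib_line = NR
            if (key ~ /^nss/) nss = 1
        }
        END {
            if (!hasname) { print "name is missing"; bad = 1 }
            # Rule 2: any nss* attribute switches the provider to NSS mode,
            # and in NSS mode a library entry is forbidden.
            if (nss && lib_line) {
                printf "line %d: library must not be specified in NSS mode (keep either library or the nss* entries, not both)\n", lib_line
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample configs (not the reporter's real files) to exercise the check.
tmp=${TMPDIR:-/tmp}/pkcs11-cfg-check.$$
mkdir -p "$tmp"

# Token-only configuration: what a card user needs.
cat > "$tmp/good.cfg" <<'EOF'
name=JSignPdf
library=/usr/lib/libeTPkcs11.so
slot=1
EOF

# Token entries mixed with NSS entries: fails with "library must not be specified in NSS mode".
cat > "$tmp/mixed.cfg" <<'EOF'
name=JSignPdf
library=/usr/lib/libeTPkcs11.so
slot=1
nssLibraryDirectory=/usr/lib/x86_64-linux-gnu
nssSecmodDirectory=~/.pki/nssdb
nssModule=keystore
EOF

# name listed twice: fails with "name must only be specified once".
cat > "$tmp/dup.cfg" <<'EOF'
name=JSignPdf
library=/usr/lib/libeTPkcs11.so
name=JSignPdf
EOF

for f in good mixed dup; do
    printf '== %s.cfg ==\n' "$f"
    if check_pkcs11_cfg "$tmp/$f.cfg"; then
        echo "OK"
    else
        echo "fix this file before starting JSignPdf"
    fi
done
```

Run `check_pkcs11_cfg conf/pkcs11.cfg` against the real file; a non-zero exit status means the provider registration would fail the same way. The check looks only at the structure of the file, so it says nothing about whether the library path is right for the middleware or whether the slot number matches the reader.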

kwart commented 2 years ago

@thanosk Do you use one or more PINs on your token? Did you leave the key password field empty?

lepalom commented 2 years ago

@kwart YES!!!!

Removing that field worked. It doesn't work with my keyboard; I need a Gemalto reader. What I don't understand is why it is not working with the keyboard's built-in card reader.

thanosk commented 2 years ago

> @thanosk Do you use one or more PINs on your token? Did you leave the key password field empty?

@kwart The token uses 2 PUKs and 2 PINs; they are "officially" called Token PUK (or Admin Password), Digital Signature PUK, Token PIN (or Token Password) and Digital Signature PIN.

For clarity, these are in command-line mode:

./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -lk
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Getting keystore type instance: JSIGNPKCS11
INFO Getting key alias
INFO Key aliases in the keystore:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Digital Signature PIN' my.pdf 
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: my.pdf
INFO Creating output PDF file: ./my_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Processing (it may take a while) ...
FINE KeyStore type JSIGNPKCS11 is not supported by the provider SunPKCS11-JSignPdf
FINE KeyStore type JSIGNPKCS11 is supported by the provider JSignPKCS11-JSignPdf
javax.security.auth.login.FailedLoginException
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.contextSpecificLogin(JSignPKCS11.java:1365)
    at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:604)
    at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1402)
    at java.base/java.security.Signature.sign(Signature.java:711)
    at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1260)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:418)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:235)
    at net.sf.jsignpdf.Signer.main(Signer.java:131)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.contextSpecificLogin(JSignPKCS11.java:1353)
    ... 7 more
SEVERE Problem occured
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
    at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:661)
    at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1402)
    at java.base/java.security.Signature.sign(Signature.java:711)
    at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1260)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:418)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:235)
    at net.sf.jsignpdf.Signer.main(Signer.java:131)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
    at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:615)
    ... 6 more

INFO Finished: Creating of signature failed.
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf

kwart commented 2 years ago

@thanosk Try to use the Token PIN only:

./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 my.pdf 

If this doesn't work, could you try to configure both PINs to the same value and retry?

thanosk commented 2 years ago

@kwart You are the man. I definitely want to buy you a beer. It required setting both PINs to the same value. The combination of not having the same value and omitting the -kp argument did not work.

When both PINs are of the same value, both these commands work:

./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 my.pdf

and

./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Token PIN' my.pdf

I intend to write a HowTo (I'm part of the Greek Linux community) and I will definitely give you the credit.

kwart commented 2 years ago

I could try to improve the jsign-pkcs11 project to support two different PINs. Do you have some guide on how to import (to Gemalto token) a certificate that would require the 'Digital Signature PIN'?

thanosk commented 2 years ago

> I could try to improve the jsign-pkcs11 project to support two different PINs. Do you have some guide on how to import (to Gemalto token) a certificate that would require the 'Digital Signature PIN'?

Importing such a certificate is kind of tricky. Apart from the Safenet Authentication Client (SAC), it involves another middleware called bit4id xapp. The CA's website offers to upload a newly issued certificate into the Gemalto; it triggers the bit4id middleware from inside the web browser, which in turn triggers the SAC middleware. Does any of this make sense to you? It is a Public/National Administration CA (for citizens). If it helps, I can try to Google-translate some instructions written inside PDF documents that unfortunately only give a tiny glimpse of this import procedure (usually with example screenshots).

Both these drivers/middlewares are provided only for Windows and Mac, and I'm trying to discover how much can be done on Linux only. By Googling around for Linux SAC 10.8 (which was rather easily found) and with your help, I've managed to at least achieve signing on Linux with SAC Linux and JSignPDF. Googling for Linux bit4id has produced nothing useful so far. Windows signing with jsignpdf is possible with the Windows-My keystore, with a different GUI flow for the PIN, as the SAC middleware pops up "insert your digital signature PIN" after pressing the Sign it button in jsignpdf.

I've seen that the SAC middleware offers an "import certificate" functionality (which opens a choose .cer file dialog), but haven't actually tried it, because I kind of don't want to mess more with the Qualified Certificate that was imported with the above method.

kwart commented 2 years ago

I used the Linux SAC 10.8 to import a sample cert to my token. Still, signing with it only requires the Token PIN. That's why I'm trying to find how to employ both PINs :)

kwart commented 2 years ago

@thanosk Could you try a new snapshot version? It should resolve the issue and the following command should work in it properly:

./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Digital Signature PIN' my.pdf 

The snapshot is available here: https://s01.oss.sonatype.org/content/repositories/snapshots/com/github/kwart/jsign/jsignpdf-distribution/2.2.0-SNAPSHOT/jsignpdf-distribution-2.2.0-20220220.203951-26.zip

thanosk commented 2 years ago

@kwart I just tried it and yes it has resolved the issue. I can now use two different passwords. Well Done!

kwart commented 2 years ago

Thanks for the confirmation, @thanosk.

Closing this issue as fixed by the new jsign-pkcs11 version (commit 20c823940f53d3634d12f9b346b7e1d5a8439bec). Feel free to reopen if you think something is still missing here.

ipapagi commented 2 years ago

@kwart I used to sign pdf documents in bulk using JSignPdf.jar in Windows 10. But now with new drivers the token of SafeNet (Thales) 5110cc requires Token PIN and Digital Signature PIN.

I use the following command and although I give both passwords (both are identical) it insists on asking for the Digital Signature PIN with a pop-up window:

java -Duser.language=en -jar JSignPdf.jar -kst PKCS11 -ksp 'Token PIN' -kp 'Digital Signature PIN' "C:\Users\ipapagi\Documents\Test1.pdf" -d C:\Users\ipapagi\Documents\Signed

I use JSignPdf version 2.2.0 (sourceforge, 2022-03-16). From the command's output I see that it uses the SunPKCS11-JSignPdf and not JSignPKCS11-JSignPdf:

FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils (file:/C:/Users/ipapagi/Documents/BulkDigitalSign/JSignPdf.jar) to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: C:\Users\ipapagi\Documents\Test1.pdf
INFO Creating output PDF file: C:/Users/ipapagi/Documents/Signed/Test1_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Configuring visible signature
INFO Use only layers recommend by Acrobat 6: true
INFO Setting background image scale
INFO Setting Layer 2 text (description)
INFO Setting Layer 4 text (status)
INFO Setting Render mode
INFO Creating visible signature
INFO Processing (it may take a while) ...
FINE KeyStore type PKCS11 is supported by the provider SunPKCS11-JSignPdf
INFO Closing result PDF stream
INFO Finished: Signature succesfully created.
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf

The pkcs11.cfg contains:

name=PKCS11
library=C:\Windows\System32\eTPKCS11.dll

and the dll version is: 10.8.2154.0 (SafeNet Authentication Client)

How can I use the JSignPKCS11-JSignPdf that supports both PINs?

kwart commented 2 years ago

@ipapagi Have you tried the following?

java -Duser.language=en -jar JSignPdf.jar -kst JSIGNPKCS11 -ksp 'Token PIN' -kp 'Digital Signature PIN' "C:\Users\ipapagi\Documents\Test1.pdf" -d C:\Users\ipapagi\Documents\Signed

ipapagi commented 2 years ago

> java -Duser.language=en -jar JSignPdf.jar -kst JSIGNPKCS11 -ksp 'Token PIN' -kp 'Digital Signature PIN' "C:\Users\ipapagi\Documents\Test1.pdf" -d C:\Users\ipapagi\Documents\Signed

@kwart I tried it and I got:

FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils (file:/C:/Users/ipapagi/Documents/BulkDigitalSign/JSignPdf.jar) to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
FINE PKCS11 provider registered with name SunPKCS11-PKCS11
FINE PKCS11 provider registered with name JSignPKCS11-PKCS11
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: C:\Users\ipapagi\Documents\Test1.pdf
INFO Creating output PDF file: C:/Users/ipapagi/Documents/Signed/Test1_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Processing (it may take a while) ...
FINE KeyStore type JSIGNPKCS11 is not supported by the provider SunPKCS11-PKCS11
FINE KeyStore type JSIGNPKCS11 is supported by the provider JSignPKCS11-PKCS11
SEVERE Problem occured
java.security.ProviderException: Initialization failed
        at com.github.kwart.jsign.pkcs11.P11Signature.initialize(P11Signature.java:354)
        at com.github.kwart.jsign.pkcs11.P11Signature.engineInitSign(P11Signature.java:478)
        at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1349)
        at java.base/java.security.Signature.initSign(Signature.java:634)
        at com.lowagie.text.pdf.PdfPKCS7.(PdfPKCS7.java:638)
        at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:364)
        at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
        at net.sf.jsignpdf.Signer.main(Signer.java:139)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_MECHANISM_INVALID
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignInit(Native Method)
        at com.github.kwart.jsign.pkcs11.P11Signature.initialize(P11Signature.java:345)
        ... 7 more
INFO Finished: Creating of signature failed.
FINE Removing security provider with name SunPKCS11-PKCS11
FINE Removing security provider with name JSignPKCS11-PKCS11

kwart commented 2 years ago

It'll be a hash algorithm issue, I guess. JSignPdf uses SHA-1 by default. It's probably not supported by your token. Try another algorithm (e.g. one from the SHA-2 family). Use the --hash-algorithm (-ha) argument:

-ha SHA256
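An added example (not JSignPdf's or jsign-pkcs11's own code) that checks which signature mechanisms a token accepts before a bulk run, so a CKR_MECHANISM_INVALID on the default SHA-1 is caught up front, and that loads SunPKCS11 through the supported Provider.configure API instead of the reflective constructor that caused the illegal-access errors in the original report. The config path, the PIN, and a token that needs only the Token PIN are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.List;

public class Pkcs11MechanismProbe {

    // Assumptions (not from the issue): config path and token PIN; adjust to your setup.
    // The cfg holds the same two lines as in the thread: name=... and library=...
    private static final String PKCS11_CFG = "conf/pkcs11.cfg";
    private static final char[] TOKEN_PIN = "Token PIN".toCharArray();

    public static void main(String[] args) throws Exception {
        // Java 9+ way to load the PKCS#11 provider: configure the stock SunPKCS11
        // instead of reflectively invoking sun.security.pkcs11.SunPKCS11's constructor,
        // which is what produced the illegal-access warnings and exception above.
        Provider p11 = Security.getProvider("SunPKCS11").configure(PKCS11_CFG);
        Security.addProvider(p11);

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, TOKEN_PIN);  // token login; a second "Digital Signature PIN" is not handled here

        String alias = ks.aliases().nextElement();
        PrivateKey key = (PrivateKey) ks.getKey(alias, TOKEN_PIN);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        String keyAlg = cert.getPublicKey().getAlgorithm();  // "RSA" or "EC"
        String suffix = "with" + (keyAlg.equals("EC") ? "ECDSA" : keyAlg);

        // Constructed sample input; only the mechanism negotiation matters here.
        byte[] sample = "constructed sample data".getBytes(StandardCharsets.UTF_8);
        for (String hash : List.of("SHA1", "SHA256", "SHA384", "SHA512")) {
            String alg = hash + suffix;  // e.g. SHA256withRSA, the "-ha SHA256" case
            try {
                Signature sig = Signature.getInstance(alg, p11);
                sig.initSign(key);       // C_SignInit: CKR_MECHANISM_INVALID surfaces here
                sig.update(sample);
                sig.sign();
                System.out.println(alg + ": accepted by token");
            } catch (NoSuchAlgorithmException | ProviderException e) {
                // Unsupported mechanism: choose a different -ha value for this token
                System.out.println(alg + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first algorithm reported as accepted is the safe value to pass to -ha for that token.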

ipapagi commented 2 years ago

@kwart , you're right again!

The -ha SHA256 did the trick!

All is ok now. Only the parameter '-a' now requires at least pdf version 1.6, because of SHA256.

Thank you, you helped me a lot!

KingCZE commented 5 months ago

> @kwart , you're right again!
>
> The -ha SHA256 did the trick!
>
> All is ok now. Only the parameter '-a' now requires at least pdf version 1.6, because of SHA256.
>
> Thank you, you helped me a lot!

What is your command? When I do the following, I get an error:

C:\Users\User\Signatures\jsignpdf-pades>java -jar JSignPdf-pades.jar -da SHA256 -ha SHA256 -kst WINDOWS-MY -ts http://timestamp.apple.com/ts01 --trust-certificate-url https://www.apple.com/appleca/AppleIncRootCertificate.cer -pl BASELINE_LTA --trust-certificate-url https://www.apple.com/certificateauthority/AppleTimestampCA.cer --trust-certificate-file C:\location-of-trust-cert.cer "simple.pdf"
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file -ha
SEVERE Error occured
eu.europa.esig.dss.model.DSSException: Unable to create FileDocument for File with name '-ha'
        at eu.europa.esig.dss.model.FileDocument.<init>(FileDocument.java:66)
        at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:150)
        at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:80)

I never even managed to run it with PKCS11, only the MS Keystore.