Closed lepalom closed 2 years ago
Have you used the jsignpdf.sh script? If not, please use it.
Yes, but then:
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
but no pkcs11 provider is shown (or I don't see it)
Just to add some info, following the documentation:
$ java -Djava.security.debug=pkcs11keystore -Djava.security.debug=sunpkcs11 -jar JSignPdf.jar
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessException: class net.sf.jsignpdf.utils.PKCS11Utils cannot access class sun.security.pkcs11.SunPKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11 to unnamed module @2f529dae
at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:489)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:112)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessError: class com.github.kwart.jsign.pkcs11.JSignPKCS11 (in unnamed module @0x2f529dae) cannot access class sun.security.util.Debug (in module java.base) because module java.base does not export sun.security.util to unnamed module @0x2f529dae
at com.github.kwart.jsign.pkcs11.JSignPKCS11.
Hope this helps.
What about the ./jsignpdf.sh -lkt? It should contain PKCS11 if properly configured.
Or, if you don't want to use the shell script, you have to add the following Java arguments yourself:
--add-exports jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED \
--add-exports jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED \
--add-opens java.base/java.security=ALL-UNNAMED \
--add-exports java.base/sun.security.action=ALL-UNNAMED \
--add-exports java.base/sun.security.rsa=ALL-UNNAMED \
--add-opens java.base/sun.security.util=ALL-UNNAMED
/jsignpdf.sh -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Available key store types:
BCFKS
BCFKS-DEF
BCPKCS12
BKS
BKS-V1
BOUNCYCASTLE
CASEEXACTJKS
CloudFoxy
DKS
IBCFKS
IBCFKS-DEF
JCEKS
JKS
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
But no pkcs11 store types are available. What am I doing wrong?
Not sure, what's wrong there. You could try if using PKCS11 with NSS keystore works for you: https://github.com/intoolswetrust/jsignpdf#testing-pkcs11-without-a-card-reader
Just a note: With NSS you'll surely see an exception during registration of JSignPKCS11-JSignPdf (it doesn't support it), but the SunPKCS11-JSignPdf should work:
$ ./jsignpdf.sh -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-testPkcs11
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.lang.NullPointerException
at java.base/java.io.File.<init>(File.java:278)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:284)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:103)
... 8 more
INFO Available key store types:
BCFKS
BCFKS-DEF
BCPKCS12
BKS
BKS-V1
BOUNCYCASTLE
CASEEXACTJKS
CloudFoxy
DKS
IBCFKS
IBCFKS-DEF
JCEKS
JKS
PKCS11
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2
FINE Removing security provider with name SunPKCS11-testPkcs11
I have the same exact problem. It happens randomly; sometimes a reboot fixes it. I tried OpenJDK 8, 11, 14 as well as Oracle Java 17. Running Kubuntu 20.04.
./jsignpdf.sh -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-eObcanka
FINE PKCS11 provider registered with name JSignPKCS11-eObcanka
INFO Available key store types:
BCFKS
BCFKS-DEF
BCPKCS12
BKS
BKS-V1
BOUNCYCASTLE
CASEEXACTJKS
CloudFoxy
DKS
IBCFKS
IBCFKS-DEF
JCEKS
JKS
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2
FINE Removing security provider with name SunPKCS11-eObcanka
FINE Removing security provider with name JSignPKCS11-eObcanka
I found out that if I unplug my YubiKey the JSignPKCS11 appears in the list. So it seems to be some conflict. Let me know how I can help to debug this. @lepalom try to unplug any other security device you may have connected
I have a similar problem but I think I got to the next step. The device is a Safenet 5110cc Gemalto Thales MD 940, the Linux middleware is installed and working, as are the pcscd and libccid packages.
So, configuring the proper slot (0 in my case) and probably the proper library, one of the following (I have tried them all):
/usr/lib/libeToken.so
/usr/lib/libIDPrimePKCS11.so
/usr/lib/libIDPrimeTokenEngine.so
/usr/lib/libeTokenHID.so
/usr/lib/libSACUI.so
/usr/lib/libSACLog.so
/usr/lib/libIDPVSlotEngine.so
/usr/lib/libeTPkcs11.so
enables PKCS11 and JSIGNPKCS11 keystore types. Selecting either of them and pressing Load Keys produces the GUI dialog error saying: "Keystore was not loaded successfully" and the following java exception:
INFO Getting keystore type instance: JSIGNPKCS11
java.io.IOException: load failed
at com.github.kwart.jsign.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:759)
at java.security.KeyStore.load(KeyStore.java:1445)
at net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:359)
at net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliases(KeyStoreUtils.java:112)
at net.sf.jsignpdf.SignPdfForm.btnLoadAliasesActionPerformed(SignPdfForm.java:1195)
at net.sf.jsignpdf.SignPdfForm.access$900(SignPdfForm.java:71)
at net.sf.jsignpdf.SignPdfForm$10.actionPerformed(SignPdfForm.java:779)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.Component.processMouseEvent(Component.java:6539)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6304)
at java.awt.Container.processEvent(Container.java:2239)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2297)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4535)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4476)
at java.awt.Container.dispatchEventImpl(Container.java:2283)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:84)
at java.awt.EventQueue$4.run(EventQueue.java:733)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:730)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
Caused by: java.security.UnrecoverableKeyException
at com.github.kwart.jsign.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:758)
... 42 more
Caused by: javax.security.auth.login.FailedLoginException
at com.github.kwart.jsign.pkcs11.JSignPKCS11.login(JSignPKCS11.java:1299)
at com.github.kwart.jsign.pkcs11.P11KeyStore.login(P11KeyStore.java:862)
at com.github.kwart.jsign.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:749)
... 42 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.login(JSignPKCS11.java:1287)
... 44 more
Any ideas? I would expect that if it indeed needs a PIN, then the Safenet middleware would prompt for it, but that is not the case.
@thanosk you have to provide the pin (as the keystore password) to load key aliases.
@kwart How can I provide the PIN then? There isn't any GUI prompt taking place, nor any argument in the conf/pkcs11.cfg.
One more detail related to the original issue. I just tried behavior with the Gemalto 5110 CC. The PKCS11 keystore types are not listed when the token is not plugged in.
Replying to myself, oh you must mean the keystore password field located just below the keystore file field. I'm going to try that, I thought that field is for when you're loading a file keystore.
@thanosk If you use the batch mode (command-line), use the -ksp argument.
Example:
./jsignpdf.sh -kst JSIGNPKCS11 -ksp 12345678 -lk
In the GUI just use the keystore password. (as you've already guessed) :)
@lepalom Was there any progress on your side? Did you try it with the token plugged in?
@kwart I don't need to mention that your help is of course invaluable. The key was loaded successfully; now, is there anything else necessary for the next step of performing the signature? Something like "being logged on" with the Gemalto? I tried inputting the Digital Signature PIN (as it calls it) in the Key password field; however, this is the exception now:
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:661)
at java.security.Signature$Delegate.engineSign(Signature.java:1382)
at java.security.Signature.sign(Signature.java:698)
at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1260)
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:418)
at net.sf.jsignpdf.SignerLogic.run(SignerLogic.java:116)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:615)
... 6 more
@thanosk Have you used the JSIGNPKCS11 type?
@kwart yes, I am using the JSIGNPKCS11 type, and with the correct Token PIN/Password typed in the Keystore password field, pressing Load Keys works (without exception) and fills the Key alias field with a UUID-like value.
@kwart still not working. I have installed a gemalto reader and got errors.
$ ./jsignpdf.sh
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:114)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.InvalidParameterException: Error configuring SunPKCS11 provider
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:122)
... 7 more
Caused by: sun.security.pkcs11.ConfigurationException: name must only be specified once, line 12
at jdk.crypto.cryptoki/sun.security.pkcs11.Config.excLine(Config.java:397)
at jdk.crypto.cryptoki/sun.security.pkcs11.Config.checkDup(Config.java:685)
at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parseStringEntry(Config.java:574)
at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parse(Config.java:414)
at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:222)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:118)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:115)
... 7 more
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Error parsing configuration
at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:88)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:129)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:103)
... 8 more
Caused by: com.github.kwart.jsign.pkcs11.ConfigurationException: name must only be specified once, line 12
at com.github.kwart.jsign.pkcs11.Config.excLine(Config.java:374)
at com.github.kwart.jsign.pkcs11.Config.checkDup(Config.java:650)
at com.github.kwart.jsign.pkcs11.Config.parseStringEntry(Config.java:539)
at com.github.kwart.jsign.pkcs11.Config.parse(Config.java:391)
at com.github.kwart.jsign.pkcs11.Config.<init>(Config.java:219)
at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:84)
... 10 more
FINE Removing security provider with name SunPKCS11
@lepalom It seems your pkcs11.cfg is not correct. From the message it seems you have the name argument listed more than once. Can you share the content of the file?
This is a sample content:
name=JSignPdf
library=/usr/lib/libeTPkcs11.so
slot=1
@kwart yes, but still fails.
$ ./jsignpdf.sh
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:114)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.InvalidParameterException: Error configuring SunPKCS11 provider
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:122)
... 7 more
Caused by: sun.security.pkcs11.ConfigurationException: library must not be specified in NSS mode
at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parse(Config.java:513)
at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:222)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:118)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:115)
... 7 more
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Error parsing configuration
at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:88)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:129)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:103)
... 8 more
Caused by: com.github.kwart.jsign.pkcs11.ConfigurationException: library must not be specified in NSS mode
at com.github.kwart.jsign.pkcs11.Config.parse(Config.java:478)
at com.github.kwart.jsign.pkcs11.Config.<init>(Config.java:219)
at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:84)
... 10 more
FINE Removing security provider with name SunPKCS11
and my pkcs11.cfg:
name=JSignPdf
library=/usr/lib/libeTPkcs11.so
slot=1
nssLibraryDirectory=/usr/lib/x86_64-linux-gnu
nssSecmodDirectory=~/.pki/nssdb
nssModule=keystore
@lepalom Do you want to use a token or the NSS keystore? You can't have both in the config file.
@kwart the certificates that I have in my card.
@lepalom then remove the properties with names starting with nss from the configuration file.
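The two configuration mistakes in this thread (a duplicated name attribute, and a token library mixed with nss* keys) can be caught before JSignPdf ever loads the provider. This is an added example, not code from JSignPdf or the JDK: the sample configs are constructed, and the check messages mirror the ConfigurationException texts quoted above; the NSS_ATTRIBUTES set beyond the three keys used in the thread is an assumption, and the JDK parser checks more than this.

```python
"""Sanity checks for a SunPKCS11-style pkcs11.cfg (added example, not JSignPdf code).

Modelled on the two ConfigurationException messages seen in the thread:
  - "name must only be specified once, line N"  (duplicate attribute)
  - "library must not be specified in NSS mode"  (token library + nss* keys)
The real JDK parser validates far more than this; treat it as a pre-flight check.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attributes that put SunPKCS11 into NSS mode. The first three are the ones the
# thread's config used; the rest are an assumption based on the JDK docs.
NSS_ATTRIBUTES = {
    "nssLibraryDirectory", "nssSecmodDirectory", "nssModule",
    "nssUseSecmod", "nssDbMode", "nssArgs",
}

# key = value, with optional surrounding whitespace; '#' starts a comment.
_LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.*?)\s*$")


@dataclass
class Finding:
    line: int          # 1-based line number, 0 when not tied to one line
    message: str


def parse_cfg(text: str) -> tuple[dict[str, str], list[Finding]]:
    """Parse key=value lines, reporting duplicates and unparseable lines."""
    values: dict[str, str] = {}
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            findings.append(Finding(lineno, f"unparseable line: {raw.strip()!r}"))
            continue
        key, value = m.group(1), m.group(2)
        if key in values:
            # Same wording the JDK used in the thread's stack trace.
            findings.append(Finding(lineno, f"{key} must only be specified once, line {lineno}"))
            continue
        values[key] = value
    return values, findings


def check_cfg(text: str) -> list[str]:
    """Return a list of problems; an empty list means the config looks usable."""
    values, findings = parse_cfg(text)
    msgs = [f.message for f in findings]
    nss_keys = sorted(k for k in values if k in NSS_ATTRIBUTES)
    if "name" not in values:
        msgs.append("name is required")
    if nss_keys and "library" in values:
        # This is exactly the conflict lepalom hit: a token library and NSS keys together.
        msgs.append("library must not be specified in NSS mode "
                    f"(NSS keys present: {', '.join(nss_keys)})")
    if not nss_keys and "library" not in values:
        msgs.append("library is required unless NSS mode is used")
    return msgs


# Constructed sample configs (not from any real deployment).
TOKEN_CFG = "name=JSignPdf\nlibrary=/usr/lib/libeTPkcs11.so\nslot=1\n"
MIXED_CFG = (TOKEN_CFG
             + "nssLibraryDirectory=/usr/lib/x86_64-linux-gnu\n"
             + "nssSecmodDirectory=~/.pki/nssdb\n"
             + "nssModule=keystore\n")
DUP_NAME_CFG = "name=JSignPdf\nlibrary=/usr/lib/libeTPkcs11.so\nname=Again\n"
NSS_ONLY_CFG = ("name=testPkcs11\nnssLibraryDirectory=/usr/lib/x86_64-linux-gnu\n"
                "nssSecmodDirectory=~/.pki/nssdb\nnssModule=keystore\n")


if __name__ == "__main__":
    for label, cfg in [("token", TOKEN_CFG), ("mixed", MIXED_CFG),
                       ("dup-name", DUP_NAME_CFG), ("nss-only", NSS_ONLY_CFG)]:
        print(label, "->", check_cfg(cfg) or "OK")
```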
@thanosk Do you use one or more PINs on your token? Did you leave the key password field empty?
@kwart YES!!!!
Removing that field worked. It doesn't work with my keyboard; I need a Gemalto reader. What I don't understand is why it is not working with the keyboard with card reader.
@kwart The token uses 2 PUKs and 2 PINs; they are "officially" called Token PUK (or Admin Password), Digital Signature PUK, Token PIN (or Token Password), and Digital Signature PIN.
For clarity, these are in command-line mode:
./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -lk
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Getting keystore type instance: JSIGNPKCS11
INFO Getting key alias
INFO Key aliases in the keystore: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Digital Signature PIN' my.pdf
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: my.pdf
INFO Creating output PDF file: ./my_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Processing (it may take a while) ...
FINE KeyStore type JSIGNPKCS11 is not supported by the provider SunPKCS11-JSignPdf
FINE KeyStore type JSIGNPKCS11 is supported by the provider JSignPKCS11-JSignPdf
javax.security.auth.login.FailedLoginException
at com.github.kwart.jsign.pkcs11.JSignPKCS11.contextSpecificLogin(JSignPKCS11.java:1365)
at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:604)
at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1402)
at java.base/java.security.Signature.sign(Signature.java:711)
at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1260)
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:418)
at net.sf.jsignpdf.Signer.signFiles(Signer.java:235)
at net.sf.jsignpdf.Signer.main(Signer.java:131)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.contextSpecificLogin(JSignPKCS11.java:1353)
... 7 more
SEVERE Problem occured
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:661)
at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1402)
at java.base/java.security.Signature.sign(Signature.java:711)
at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1260)
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:418)
at net.sf.jsignpdf.Signer.signFiles(Signer.java:235)
at net.sf.jsignpdf.Signer.main(Signer.java:131)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:615)
... 6 more
INFO Finished: Creating of signature failed.
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
@thanosk Try to use the Token PIN only:
./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 my.pdf
If this doesn't work, could you try to configure both PINs to the same value and retry?
@kwart you are the man. I definitely want to buy you a beer. It required setting both PINs to the same value. The combination of not having the same value and omitting the -kp argument did not work.
When both PINs are of the same value, both these commands work:
./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 my.pdf
./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Token PIN' my.pdf
I intend to write a HowTo (I'm part of the Greek Linux community) and I will definitely give you the credit.
I could try to improve the jsign-pkcs11 project to support two different PINs. Do you have some guide on how to import (to Gemalto token) a certificate that would require the 'Digital Signature PIN'?
Importing such a certificate is kind of tricky. Apart from the Safenet Authentication Client (SAC), it involves another middleware called bit4id xapp. The CA's website offers to upload a newly issued certificate into the Gemalto; it triggers the bit4id middleware from inside the web browser, which in turn triggers the SAC middleware. Does any of this make sense to you? It is a Public/National Administration CA (for citizens). If it helps, I can try to Google-translate some instructions written inside PDF documents that unfortunately only give a tiny glimpse of this import procedure (usually with example screenshots).
Both these drivers/middlewares are provided only for Windows and Mac, and I'm trying to discover how much can be done on Linux only. By Googling around for Linux SAC 10.8 (which was rather easily found) and with your help, I've managed to at least achieve signing on Linux with SAC Linux and JSignPDF. Googling for Linux Bit4ID has produced nothing useful so far. Windows signing with jsignpdf is possible with the Windows-My keystore, with a different GUI flow for the PIN, as the SAC middleware pops up "insert your digital signature PIN" after pressing the Sign it button in jsignpdf.
I've seen that the SAC middleware offers an "import certificate" functionality (which opens a choose .cer file dialog), but haven't actually tried it, because I kind of don't want to mess more with the Qualified Certificate that was imported with the above method.
I used the Linux SAC 10.8 to import a sample cert to my token. Still, signing with it only requires the Token PIN. That's why I'm trying to find how to employ both PINs :)
@thanosk Could you try a new snapshot version? It should resolve the issue and the following command should work in it properly:
./jsignpdf.sh -kst JSIGNPKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Digital Signature PIN' my.pdf
The snapshot is available here: https://s01.oss.sonatype.org/content/repositories/snapshots/com/github/kwart/jsign/jsignpdf-distribution/2.2.0-SNAPSHOT/jsignpdf-distribution-2.2.0-20220220.203951-26.zip
@kwart I just tried it and yes it has resolved the issue. I can now use two different passwords. Well Done!
Thanks for the confirmation, @thanosk.
Closing this issue as fixed by the new jsign-pkcs11 version (commit 20c823940f53d3634d12f9b346b7e1d5a8439bec). Feel free to reopen if you think something is still missing here.
@kwart I used to sign pdf documents in bulk using JSignPdf.jar in Windows 10. But now with new drivers the token of SafeNet (Thales) 5110cc requires Token PIN and Digital Signature PIN.
I use the following command and although I give both passwords (both are identical) it insists to ask for the Digital Signature PIN with pop-up window:
java -Duser.language=en -jar JSignPdf.jar -kst PKCS11 -ksp 'Token PIN' -kp 'Digital Signature PIN' "C:\Users\ipapagi\Documents\Test1.pdf" -d C:\Users\ipapagi\Documents\Signed
I use JSignPdf version 2.2.0 (sourceforge, 2022-03-16).
From the command's output I see that it uses the SunPKCS11-JSignPdf and not JSignPKCS11-JSignPdf:
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils (file:/C:/Users/ipapagi/Documents/BulkDigitalSign/JSignPdf.jar) to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: C:\Users\ipapagi\Documents\Test1.pdf
INFO Creating output PDF file: C:/Users/ipapagi/Documents/Signed/Test1_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Configuring visible signature
INFO Use only layers recommend by Acrobat 6: true
INFO Setting background image scale
INFO Setting Layer 2 text (description)
INFO Setting Layer 4 text (status)
INFO Setting Render mode
INFO Creating visible signature
INFO Processing (it may take a while) ...
FINE KeyStore type PKCS11 is supported by the provider SunPKCS11-JSignPdf
INFO Closing result PDF stream
INFO Finished: Signature succesfully created.
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
The pkcs11.cfg contains:
name=PKCS11
library=C:\Windows\System32\eTPKCS11.dll
and dll version is: 10.8.2154.0 (SafeNet Authentication Client)
How can I use the JSignPKCS11-JSignPdf that supports both PINs?
@ipapagi Have you tried the following?
java -Duser.language=en -jar JSignPdf.jar -kst JSIGNPKCS11 -ksp 'Token PIN' -kp 'Digital Signature PIN' "C:\Users\ipapagi\Documents\Test1.pdf" -d C:\Users\ipapagi\Documents\Signed
@kwart I tried it and I got:
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils (file:/C:/Users/ipapagi/Documents/BulkDigitalSign/JSignPdf.jar) to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
FINE PKCS11 provider registered with name SunPKCS11-PKCS11
FINE PKCS11 provider registered with name JSignPKCS11-PKCS11
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: C:\Users\ipapagi\Documents\Test1.pdf
INFO Creating output PDF file: C:/Users/ipapagi/Documents/Signed/Test1_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Processing (it may take a while) ...
FINE KeyStore type JSIGNPKCS11 is not supported by the provider SunPKCS11-PKCS11
FINE KeyStore type JSIGNPKCS11 is supported by the provider JSignPKCS11-PKCS11
SEVERE Problem occured
java.security.ProviderException: Initialization failed
at com.github.kwart.jsign.pkcs11.P11Signature.initialize(P11Signature.java:354)
at com.github.kwart.jsign.pkcs11.P11Signature.engineInitSign(P11Signature.java:478)
at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1349)
at java.base/java.security.Signature.initSign(Signature.java:634)
at com.lowagie.text.pdf.PdfPKCS7.
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:364)
at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
at net.sf.jsignpdf.Signer.main(Signer.java:139)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_MECHANISM_INVALID
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignInit(Native Method)
at com.github.kwart.jsign.pkcs11.P11Signature.initialize(P11Signature.java:345)
... 7 more
INFO Finished: Creating of signature failed.
FINE Removing security provider with name SunPKCS11-PKCS11
FINE Removing security provider with name JSignPKCS11-PKCS11
It'll be a hash algorithm issue, I guess.
JSignPdf uses SHA-1 by default. It's probably not supported by your token. Try another algorithm (e.g. ones from the SHA-2 family). Use the --hash-algorithm (-ha) argument: -ha SHA256
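The diagnosis above (the token rejects the SHA-1 signing mechanism with CKR_MECHANISM_INVALID, so a SHA-2 digest has to be selected) can be checked before running the signer. The following is an added diagnostic example, not code from JSignPdf or from @kwart: it loads the standard SunPKCS11 provider from the same `conf/pkcs11.cfg` the thread refers to, using the public `Provider.configure(String)` API that exists since Java 9 (so it does not need the reflective access into `sun.security.pkcs11` that produces the illegal-access warnings quoted in this issue), prints the Signature services the provider registered from the token's mechanism list, and reports which of a few candidate RSA signature algorithms are advertised. The class name, the candidate list and the assumption of an RSA key on the token are mine.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import java.util.List;

/**
 * Added diagnostic example (not part of JSignPdf). Requires Java 9 or newer
 * and a PKCS#11 config file such as the conf/pkcs11.cfg used by JSignPdf.
 *
 *   java Pkcs11SignatureCheck conf/pkcs11.cfg
 */
public class Pkcs11SignatureCheck {

    // Candidate JCA algorithm names to probe, in order of preference.
    // Assumption: the token holds an RSA key; adjust for ECDSA tokens.
    static final List<String> CANDIDATES = Arrays.asList(
            "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA");

    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0] : "conf/pkcs11.cfg";

        // The built-in SunPKCS11 provider ships unconfigured; configure() returns a
        // new instance bound to the native library named in the config file.
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            System.err.println("SunPKCS11 provider not found; module jdk.crypto.cryptoki missing?");
            System.exit(2);
        }
        Provider p11 = base.configure(cfg);
        Security.addProvider(p11);
        System.out.println("Provider registered: " + p11.getName());

        // SunPKCS11 only registers services for mechanisms the token reports in
        // C_GetMechanismList, so this list reflects what the token claims to support.
        System.out.println("Signature algorithms advertised by the token:");
        for (Provider.Service s : p11.getServices()) {
            if ("Signature".equals(s.getType())) {
                System.out.println("  " + s.getAlgorithm());
            }
        }

        // Probe the candidates explicitly; a MISSING SHA1withRSA with an OK
        // SHA256withRSA matches the situation described in this thread.
        for (String alg : CANDIDATES) {
            try {
                Signature.getInstance(alg, p11);
                System.out.println("OK       " + alg);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("MISSING  " + alg);
            }
        }
    }
}
```

`Signature.getInstance` only confirms that the provider advertises the mechanism; the actual `C_SignInit` call shown in the stack trace happens after login with a real private key and can still fail if the token lists a mechanism it does not permit for that key. Treat the output as a first filter when choosing the `-ha` value, not as a guarantee.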
@kwart , you're right again!
The -ha SHA256 did the trick!
All is ok now. Only the parameter '-a' now requires at least pdf version 1.6, because of SHA256.
Thank you, you helped me a lot!
What is your command? When I do the following, I get an error:
C:\Users\User\Signatures\jsignpdf-pades>java -jar JSignPdf-pades.jar -da SHA256 -ha SHA256 -kst WINDOWS-MY -ts http://timestamp.apple.com/ts01 --trust-certificate-url https://www.apple.com/appleca/AppleIncRootCertificate.cer -pl BASELINE_LTA --trust-certificate-url https://www.apple.com/certificateauthority/AppleTimestampCA.cer --trust-certificate-file C:\location-of-trust-cert.cer "simple.pdf"
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file -ha
SEVERE Error occured
eu.europa.esig.dss.model.DSSException: Unable to create FileDocument for File with name '-ha'
at eu.europa.esig.dss.model.FileDocument.<init>(FileDocument.java:66)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:150)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:80)
I never even managed to run it with PKCS11, only the MS Keystore.
Hi,
I'm using Debian 11 and jsignpdf 2.0.0. I have a certificate in a card and a reader in the keyboard. I use the safenetauthenticationclient package that contains libraries to access the card. It is working with Firefox and other PDF programs.
In my conf/pkcs11.cfg I have:
... library=/usr/lib/libeTPkcs11.so ...
or
... library=/usr/lib/pkcs11/libIDPrimePKCS11.so ...
Both options give the same result:
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils ... to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
So, I cannot select PKCS11 as the keystore. Also, I have tried with Java 17 with a similar result:
/usr/lib/jvm/java-17-openjdk-amd64/bin/java -jar JSignPdf.jar
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessException: class net.sf.jsignpdf.utils.PKCS11Utils cannot access class sun.security.pkcs11.SunPKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11 to unnamed module @2f529dae
at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:489)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:112)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessError: class com.github.kwart.jsign.pkcs11.JSignPKCS11 (in unnamed module @0x2f529dae) cannot access class sun.security.util.Debug (in module java.base) because module java.base does not export sun.security.util to unnamed module @0x2f529dae
at com.github.kwart.jsign.pkcs11.JSignPKCS11.(JSignPKCS11.java:63)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:375)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:108)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Any idea?