Does not display PKCS11 provider

[ieugen]

Hello,

I can't get PKCS11 provider to work with jsignpdf tool, but I can see smartcard with keytool, pkcs11-tool and clojure code.
It all started once I've got a new Electronic ID that I would like to use to sign PDF's.

I can see the certificates using keytool and a provider config but only after it asks for a PIN.
I think this is the weak link :)

I can't see the PKCS11 provider in my jsignpdf list.

./jsignpdf.sh -lkt
FINE Relaxing SSL security.
INFO Available key store types:
BCFKS
BCFKS-DEF
BCPKCS12
BKS
BOUNCYCASTLE
CASEEXACTJKS
CloudFoxy
DKS
FIPS
FIPS-DEF
IBCFKS
IBCFKS-DEF
IFIPS
IFIPS-DEF
JCEKS
JKS
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2

So I think the algorithm in keytool is working a bit better.

And trying to list the keys I get this:

./jsignpdf.sh -kst PKCS11  -lk
FINE Relaxing SSL security.
INFO Getting keystore type instance: PKCS11
java.security.KeyStoreException: PKCS11 not found
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:873)
        at net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:355)
        at net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliases(KeyStoreUtils.java:112)
        at net.sf.jsignpdf.Signer.main(Signer.java:127)
Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.base/java.security.Security.getImpl(Security.java:655)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:870)
        ... 3 more
Exception in thread "main" java.lang.NullPointerException: Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.
        at net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliases(KeyStoreUtils.java:114)
        at net.sf.jsignpdf.Signer.main(Signer.java:127)

keytool -keystore NONE -storetype PKCS11         -providerClass sun.security.pkcs11.SunPKCS11         -providerArg pkcs11.cfg         -list
Enter keystore password:
Keystore type: PKCS11
Keystore provider: SunPKCS11-RoIdPlug

Your keystore contains 3 entries

CA certificate Common Name/cn=ro cei mai root-ca,ou=dgep,o=ministerul afacerilor interne,c=ro/1[REDACTED]9, trustedCertEntry,
Certificate fingerprint (SHA-256): B5:[REDACTED]:80
CA certificate Common Name/cn=ro cei mai root-ca,ou=dgep,o=ministerul afacerilor interne,c=ro/2[REDACTED]4, trustedCertEntry,
Certificate fingerprint (SHA-256): B7:[REDACTED]:1D
Certificate ECC Authentication, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 27:[REDACTED]:BE

The pkcs11.cfg file contains:

name = RoIdPlug
library = /usr/lib/idplugclassic/libidplug-pkcs11.so

I've also tried to configure security via file so jsignpdf loads the SunPKCS11 provider with the smartcard middleware so I can see PKCS11, but I did not manage to do that.

I updated jsignpdf.sh like:

"$JAVA" $JAVA_OPTS -Dsecurity.overridePropertiesFile=true -Djava.security.properties=file://$DIR/conf/extra.security -Djava.security.debug=pkcs11keystore -Djava.security.debug=sunpkcs11 "-Djsignpdf.home=$DIR" -jar "$DIR/JSignPdf.jar" "$@"

and extra.security

security.provider.13=sun.security.pkcs11.SunPKCS11 /home/ieugen/Descărcări/jsignpdf-2.3.0/conf/pkcs11.cfg

Any idea what am I missing?

Do you think we can improve jsignpdf algorithm to dynamically load PKCS11 config with also loading the pin?

Thanks,
Eugen

[ieugen]

I forgot the clojure code:

deps.edn

{:paths ["src"]
 :deps {
      org.clojure/clojure {:mvn/version "1.12.2"}
}
 :aliases
 ;; using :deps in aliases will replace deps. Use :extra-deps if you need all
 {:dev {:extra-deps {org.clojure/test.check {:mvn/version "1.1.1"}}
        :jvm-opts [;; SunPKCS11 in Java 9 and later
                   ;; https://blog.adamgamboa.dev/pkcs-11-provider-across-multiple-java-versions/
                   "--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED"
                   "--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED"
                   "--add-exports=java.base/sun.security.action=ALL-UNNAMED"
                   "--add-exports=java.base/sun.security.rsa=ALL-UNNAMED"
                   "--add-opens=java.base/java.security=ALL-UNNAMED"
                   "--add-opens=java.base/sun.security.util=ALL-UNNAMED"
                   "-Djava.security.debug=sunpkcs11"
                   "-Djava.security.debug=pkcs11keystore"]}
}}

(ns user
  (:import (java.security Security Provider KeyStore)))

(comment

  ;; https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/tools/keytool/Main.java#L903
  (let [config-name "pkcs11.cfg"
        provider (Security/getProvider "SunPKCS11")]
    (def provider (Provider/.configure provider config-name))
    (println "provider" provider)
    (Security/addProvider provider))

  (let [ks (KeyStore/getInstance "PKCS11" provider)
        pin (String/.toCharArray "THE_PIN")]
    (KeyStore/.load ks nil pin)
    (doseq [k (enumeration-seq (KeyStore/.aliases ks))]
      (println "Key" k (bean k))))
  
  )

I get something like this:

; Key CA certificate Common Name/cn=ro cei mai root-ca,ou=dgep,o=ministerul afacerilor interne,c=ro/2[REDACTED]4 {:blank false, :bytes #object[[B 0x798dc9bc [B@798dc9bc], :class java.lang.String, :empty false}
; Key CA certificate Common Name/cn=ro cei mai root-ca,ou=dgep,o=ministerul afacerilor interne,c=ro/1[REDACTED]9 {:blank false, :bytes #object[[B 0x1122a14f [B@1122a14f], :class java.lang.String, :empty false}
; Key Certificate ECC Authentication {:blank false, :bytes #object[[B 0x5599d4bc [B@5599d4bc], :class java.lang.String, :empty false}
nil
; 
; pkcs11keystore: Token Alias Map:
; pkcs11keystore:   CA certificate Common Name/cn=ro cei mai root-ca,ou=dgep,o=ministerul afacerilor interne,c=ro/2[REDACTED]4	type=[trusted cert]
; 	label=[CA certificate Common Name]

[REDACTED]

[ieugen]

After getting back to this, I found that neither keytool nor my clojure code worked.
I got java.security.KeyStoreException: PKCS11 not found .
I did not change the code in any way but I did upgrade to JDK25 and probably some other system changes.

I fiddled with the software and after some trial and error, I managed to make it work with jsignpdf built from source .

I had to specify the slot in my pkcs11.cfg file:

name=RoIdPlug
library=/usr/lib/idplugclassic/libidplug-pkcs11.so
slot=3

And I also had to supply the pin via CLI + the gui option to get the gui running

(note: add a space in front of the command so it is not saved in bash history !! )

 ./jsignpdf.sh -kst PKCS11 -ksp <PIN_IS_HERE> -gui

I checked the signed PDF in Adobe reader and it seems to see the signature.

The signature shows it's done using the "Authentication" certificate.
I hope it's the right one / one that is accepted.
The electronic ID card has 2 certificates on it, but I could not make the new one work (tried slot 4 and 5).

[ieugen]

So, I've gone back to Windows to check how things are done there.

Using Adobe Reader, I can sign with the Second (Signature) certificate - which has another pin (larger one).
The PIN is requested when I try to sign.

I did not have time to test how I can use the Signature certificate with jsignpdf.

So, using Adobe Reader on Windows I have to perform the following steps:

• insert cart in smart card reader
• start IDPlug Manager middleware (UI for working with the national ID card)
• Enter Authentication PIN so I can access / see the smart card and available certificates on the card
• Open PDF in Adobe Reader
• Select area to sign
• Enter Signature PIN so I can use the Signature certificate

Not sure if jsignpdf can handle this use case yet - probably not.

I imagine that the two pin setup is required because, being a national ID cart, you can access the information only after you prove you are you with a PIN. (the auth certificate contains personal information).

I hope to get some time to test jsignpdf soon because I am not a fan of using two computers to sign a tax form.
Especially since using Windows annoys me greatly.

@kwart : please let me know if you have interest in this / any ideas on how to handle things.