
jsignpdf's Issues

Adding line breaks in --l2-text

Hi,

Is it possible to add line breaks in the signature text? I already tried it with the \n or other versions for line breaks, but none worked.

Documentation: slotIndex shall read slotListIndex

Problem

The docs http://jsignpdf.sourceforge.net/uploads/JSignPdf.pdf, in the section Using hardware tokens for signing, propose the content of the pkcs11.cfg file as follows:

name=Test
library=/path/to/your/PKCSDriver.so

optionally adding a line

slotIndex=1

The JDK 8 PKCS#11 Reference Guide, as referenced from the JSignPdf docs, does not contain the string slotIndex.

Proposed change

It seems the proper name shall be:

slotListIndex=1

or only the shorter version:

slot=1

Remote signatures via a web API

Hi,

we are building a test system for a large university, where they need to isolate RSA keys they use to sign PDF documents. There is a RESTful API, which can be used to get certificates, do signatures, ...

What would be the best way to integrate jsignpdf with this "remote signing"?

  • Is it something you can help with?
  • Would you be happy to accept a pull request?
  • Can you suggest the best way to extend jsignpdf to support remote signing?

I look forward to and will greatly appreciate any help, views!

Dan

List certificates

How can I list certificate names and keys via command?
Example:

java -jar ./Jsigner/JSignPdf.jar -kst WINDOWS-MY -list-keys

Use TSA with user/password console mode

Hi,
Thanks for very helpful program!
I have an error when I use the console version of the program with a TSA server requiring a user and password.
In windows mode everything works fine. What is wrong in my command parameters?
When I use a TSA server which does not require a user/password, console mode works fine.

Windows mode - works fine -> window_mode.png (output file is ok)

Console mode - fail -> console_mode.png (output file is not ok, size 0KB)

Thanks,
Marek

config?

❓ Maybe replace ~/.JSignPdf with ~/.config/JSignPdf?

Feature: Only validate a signature in signed PDF document

Hello. Would it be possible to add an option only to validate a signature/signed PDF document? The output would be some log file with the result of the validation.
For example:

  • The overall result of the verification.
  • Common cryptographic evaluation like: cryptographically valid signature, or not, and for what reason...
  • Informs whether the signature is verified at the time of the time stamp (primarily), at the current moment, or at the time inserted into the PDF file by the system where the signature was added.
  • Signature format of the PDF file PKCS#7/AdES-PAdES (compliance with EU eIDAS); if AdES is used, what type: BASELINE_B, BASELINE_T, BASELINE_LT, BASELINE_LTA, similarly with PKCS#7_B,T etc.
  • A list of information available from the signature certificate, for example who signed the document, from which organization, contacts, serial number of the certificate, etc.
  • Who is the issuer of the certificate and some information about this issuer.
  • Information on whether the certification authority that issued the certificate is on the EUTL list, and thus whether it is qualified (publicly available information from this source.)
  • From when to when the certificate is valid.
  • Revocation information mainly OCSP, possibly CRL e.g. certificate statement was verified/certificate was revoked/verification failed due to ...
  • Time stamp verification, the time stamp was issued by a trusted - qualified authority on the EUTL list? (publicly available information from this source.)
  • Does the timestamp have a valid certificate? And from when to when it is valid...
  • Has the timestamp certificate not been revoked? (OCSP/CRL)

The program has already implemented most of the functions; the rest consists mainly of checking publicly available lists (for example, Adobe uses it too). I think that the open-source DSS demo already implemented some of these too.
Many thanks for your consideration.

Visible signature, font size not respected when used with signature name

After new system installation (win 10, update), I've installed version 2.2 and found that the font size for the visible signature doesn't respect the font size if used together with signature name.

Not sure what version I had installed in the past but the problem was not there.

See attachment - signed with identical settings, just one with location set, two are "signature only" and one is "with name". Font size is set to 10.0

There is another problem - config has font (Tahoma) and code page (cp1250) set but it doesn't seem to work well - see location in the uppermost signature.

test_sign.pdf

bash mode crashes with No private key was found error

Hello there,

Signing via the GUI works; however, when using the CLI command, it fails with an error.

> ./jsignpdf.sh -tsh SHA256 -kst "PKCS12" -ksf "/path/to/cert.p12" -d "/tmp" "/path/to/sample.pdf"

FINE Relaxing SSL security.
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: org selfsigned pdf cert
INFO Loading private key
INFO Getting certificate chain
INFO No private key was found. Check the keystore settings (keystore type, filepath, password, key alias).
INFO Finished: Creating of signature failed.

exit code: 4

I'm sure I'm providing correct (same as in the gui mode) paths to cert.p12 and sample.pdf files.

Any ideas?

pkcs11 card problems

Hi,

I'm using Debian 11 and jsignpdf 2.0.0. I have a certificate on a card and a reader in the keyboard. I use the safenetauthenticationclient package that contains libraries to access the card. It is working with Firefox and other PDF programs.

In my conf/pkcs11.cfg

I have:
...
library=/usr/lib/libeTPkcs11.so
...

or
...
library=/usr/lib/pkcs11/libIDPrimePKCS11.so
...

Both options give the same result:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils ... to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

So, I cannot select pkcs11 as key. Also, I have tried with java 17 with similar result:

/usr/lib/jvm/java-17-openjdk-amd64/bin/java -jar JSignPdf.jar
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessException: class net.sf.jsignpdf.utils.PKCS11Utils cannot access class sun.security.pkcs11.SunPKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11 to unnamed module @2f529dae
at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:489)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:112)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
at net.sf.jsignpdf.Signer.main(Signer.java:104)

SEVERE Unable to register SunPKCS11 security provider.
java.lang.IllegalAccessError: class com.github.kwart.jsign.pkcs11.JSignPKCS11 (in unnamed module @0x2f529dae) cannot access class sun.security.util.Debug (in module java.base) because module java.base does not export sun.security.util to unnamed module @0x2f529dae
at com.github.kwart.jsign.pkcs11.JSignPKCS11.(JSignPKCS11.java:63)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:375)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:108)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
at net.sf.jsignpdf.Signer.main(Signer.java:104)

Any idea?
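
The two PKCS#11 reports above (the slotIndex/slotListIndex documentation issue and the Java 17 IllegalAccessException) worked through in code. This is an added example, not JSignPdf's own code: it lints a pkcs11.cfg for attribute names outside the reference guide's table and then registers the token through the public Provider.configure() API available since Java 9, which needs no reflective access to sun.security.pkcs11.SunPKCS11. The class name, the KNOWN attribute subset and the constructed sample config are assumptions of this example.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example (hypothetical class, not part of JSignPdf). Requires Java 11+.
public class Pkcs11ConfigCheck {

    // Top-level attributes from the configuration table of the JDK 8 PKCS#11
    // Reference Guide. Assumed subset: newer JDKs document further keys.
    static final Set<String> KNOWN = Set.of("library", "name", "description", "slot",
            "slotListIndex", "enabledMechanisms", "disabledMechanisms", "attributes");

    /** Returns findings for the top-level keys of a pkcs11.cfg. */
    static List<String> lint(List<String> lines) {
        List<String> findings = new ArrayList<>();
        Set<String> seen = new HashSet<>();
        int depth = 0; // > 0 while inside a "{ ... }" block such as enabledMechanisms
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i).trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            if (depth == 0) {
                int eq = line.indexOf('=');
                String key = (eq < 0 ? line : line.substring(0, eq)).trim();
                int paren = key.indexOf('('); // e.g. attributes(*,CKO_PRIVATE_KEY,*) = {
                if (paren > 0) {
                    key = key.substring(0, paren).trim();
                }
                if (!KNOWN.contains(key)) {
                    findings.add("line " + (i + 1) + ": unknown attribute '" + key + "'");
                }
                seen.add(key);
            }
            for (char c : line.toCharArray()) {
                if (c == '{') depth++;
                else if (c == '}') depth--;
            }
        }
        if (seen.contains("slot") && seen.contains("slotListIndex")) {
            findings.add("at most one of slot and slotListIndex may be specified");
        }
        return findings;
    }

    /** Registers the token with the supported API instead of the SunPKCS11 constructor. */
    static Provider register(Path cfg) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider is not available in this JRE");
        }
        Provider configured = base.configure(cfg.toString()); // public since Java 9
        Security.addProvider(configured);
        return configured;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            // Constructed sample: the config from the documentation issue above.
            List<String> sample = List.of("name=Test",
                    "library=/path/to/your/PKCSDriver.so", "slotIndex=1");
            lint(sample).forEach(System.out::println); // flags slotIndex on line 3
            return;
        }
        Path cfg = Path.of(args[0]);
        List<String> findings = lint(Files.readAllLines(cfg));
        findings.forEach(System.out::println);
        if (!findings.isEmpty()) {
            System.exit(2);
        }
        Provider provider = register(cfg);
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no console available to read the token PIN");
        }
        char[] pin = console.readPassword("Token PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin);
        Arrays.fill(pin, '\0'); // do not keep the PIN in memory longer than needed
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(provider.getName() + ": " + alias);
        }
    }
}
```

Run without arguments it only lints the constructed sample; with a path to a real pkcs11.cfg it also needs the vendor library and a token present.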

Sign more than one doc at once

Hi
I would like to have an option to sign more than one document at once, do you think it's possible?
If you don't have time, I can do it

Best regards

Force OCSP or CRL if OCSP not available on timestamps

I already have PDFs signed where the timestamp is no longer valid because the OCSP/CRL response was not included in the PDF.

Is it possible to add an option to force JSignPDF to download and incorporate into the final PDF the OCSP response or CRL (if OCSP is not available) of the timestamp, so that in the future, even after the expiry date, it is possible to verify that the timestamp was valid at the time of the signature?

Currently I can only do that if I choose the option "Not certified" and then open "Adobe Acrobat Reader DC" and force "Add verification information" and then "Save as..." to incorporate the answer into the PDF file permanently... otherwise the information is not added.

Of course, if the timestamp certificate is root it won't have any OCSP/CRL to check.
Say: http://tsa.belgium.be/connect is a root certificate, and won't use OCSP/CRL
But: http://timestamp.digicert.com will use OCSP/CRL because it is not using the root certificate to sign.

Until PAdES B-LTA is integrated in JSignPDF (if ever), this at least does something to help achieve true LTV.

Of course, PAdES B-LTA would need the same level of attention. I've noticed another application (from a government) that applies PAdES B-LTA but doesn't incorporate OCSP/CRL on the signature timestamp... because they use a root certificate for the timestamp, but if a person uses another timestamp authority the information won't be included.

Translation and BST > UTC

It would be nice to have the option to translate the text displayed on the documents:
"Digitally signed by"
"Date"
"Reason"
"Location"

In Portuguese:
"Digitally signed by" > "Assinado digitalmente por"
"Date" > "Data"
"Reason" > "Motivo"
"Location" > "Localização"

Also, the date is displayed with "BST" (British Summer Time); it would be nice to indicate it in UTC (Coordinated Universal Time), since this one never changes.

How do you build this library?

I'm using ant 1.8.2 on Windows. I'm not very experienced building java projects, so I can only guess how to proceed. Executing ant with no parameters throws a FileNotFoundException on line 47 since ../jsignpdf-itxt/src/build.xml doesn't exist (and indeed, I can't find it in the source code).

There's a nbproject folder which suggests a NetBeans project but I couldn't open it with NetBeans either.

So I'm stumped. What is the correct way of building this library?

Illegal reflective access by net.sf.jsignpdf.utils.KeyStoreUtils

I am currently trying to sign pdfs from command line inside a docker container.

My docker file looks like this:

FROM php:7.3-apache

RUN apt-get update 
RUN mkdir -p /usr/share/man/man1/
RUN apt-get install -y openjdk-11-jre-headless

COPY JSignPdf /usr/src/JSignPdf
WORKDIR /usr/src/JSignPdf

Creating the signed pdf works using

java -jar JSignPdf.jar \
	-tsh SHA256 \
	-kst PKCS12 \
	--out-directory /data \
	-ksp topsecret \
	--keystore-file /data/certificate.p12 \
	--tsa-server-url http://timestamp.comodoca.com \
	/data/in.pdf

But I am getting these warnings:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.KeyStoreUtils (file:/usr/src/JSignPdf/JSignPdf.jar) to field java.security.KeyStore.keyStoreSpi
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.KeyStoreUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Inconsistent information about minimal Java version required

Project web and documentation are not consistent with regards to the required Java version. Sometimes it talks about version 6, sometimes about version 8.

On project home page:

Launching

If you don't use windows installer, which already includes Java, you'll need a Java Runtime Environment in version 6 and newer.

In PDF docs JSignPdf Quick Start Guide:

Prerequisites
Java
If you want to use JSignPdf, and you don’t install it on Windows using the installation program, you will need Java Runtime Environment (JRE) version 8 or newer. If you don’t have it, you can download it freely from web pages, for instance

and in section Keystore it talks about version 6

Verification issue in JSignPdf

Hi!
I have a problem concerning JSignPdf Verifier module, when I verified a signed and timestamped-pdf file by the certificate issued by my own CA, I got “Missing signing certificate for TSA” (Exit Code 30). The certificate of CA has been added to the Keystore (type jks), but it doesn’t work.

Is it possible that there is another parameter needed that I have to set to JSignPdf Verifier module?
(thanks)

LuxTrust

Hi,

I'm trying to get JSignPdf to work with LuxTrust, which provides certificates in accordance with eIDAS.

On Windows, I used the following pkcs11 configuration:

name=JSignPdf
library=C:\Program Files\LuxTrust\runtime\bin\j2pkcs11.dll

But, that doesn't work:

c:\Program Files\JSignPdf>java -jar JSignPdf.jar -lkt
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Initialization failed
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:377)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:104)
... 7 more
Caused by: java.io.IOException: The specified procedure could not be found.

    at sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
    at sun.security.pkcs11.wrapper.PKCS11.<init>(PKCS11.java:144)
    at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:157)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:314)
    ... 8 more

SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Initialization failed
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:380)
at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:104)
... 7 more
Caused by: java.io.IOException: The specified procedure could not be found.

    at sun.security.pkcs11.wrapper.PKCS11.connect(Native Method)
    at sun.security.pkcs11.wrapper.PKCS11.<init>(PKCS11.java:144)
    at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:157)
    at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:317)
    ... 8 more

INFO Available key store types:
BCFKS
BCFKS-DEF
BCPKCS12
BKS
BOUNCYCASTLE
CASEEXACTJKS
CloudFoxy
DKS
FIPS
FIPS-DEF
IBCFKS
IBCFKS-DEF
IFIPS
IFIPS-DEF
JCEKS
JKS
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2
WINDOWS-MY
WINDOWS-ROOT

Anyone who has been successful in getting LuxTrust to work? Do I use the wrong library?

Support: Nonce

Some TSA authorities may require the user to use a nonce in order to detect replays.
It would be nice for the jsignpdf to have that nonce extension support and generate them at user request, like the "TimeStampClient" (https://github.com/disig/TimeStampClient)

jsignpdf is a wonderful simple program to use, I hope it can be made even better with this Nonce extension.
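
The replay check that a nonce provides, as an added example that is not JSignPdf or TimeStampClient code: it builds RFC 3161 requests with a fresh 64-bit nonce and shows that a response obtained for one request is rejected when matched against a second request for the same document. It assumes the BouncyCastle bcprov and bcpkix jars on the classpath and a TSA URL passed as the first argument; the class and method names are made up for this example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import org.bouncycastle.tsp.TSPAlgorithms;
import org.bouncycastle.tsp.TSPException;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;

// Added example (hypothetical class, not part of JSignPdf). Requires Java 9+.
public class TsaNonceDemo {

    private static final SecureRandom RNG = new SecureRandom();

    /** Builds a TimeStampReq over SHA-256(document) with a fresh random nonce. */
    static TimeStampRequest buildRequest(byte[] document) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(document);
        BigInteger nonce = new BigInteger(64, RNG); // new value for every request
        TimeStampRequestGenerator gen = new TimeStampRequestGenerator();
        gen.setCertReq(true); // ask the TSA to include its signing certificate
        return gen.generate(TSPAlgorithms.SHA256, digest, nonce);
    }

    /** Sends the request over HTTP as described in RFC 3161, section 3.4. */
    static TimeStampResponse send(String tsaUrl, TimeStampRequest request) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) URI.create(tsaUrl).toURL().openConnection();
        conn.setDoOutput(true);
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/timestamp-query");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(request.getEncoded());
        }
        try (InputStream in = conn.getInputStream()) {
            return new TimeStampResponse(in.readAllBytes());
        }
    }

    /**
     * True only if the response carries a token whose nonce, message imprint
     * and policy match this request. validate() does not verify the token's
     * signature or the TSA certificate; that is a separate step.
     */
    static boolean matches(TimeStampResponse response, TimeStampRequest request) {
        try {
            response.validate(request);
            // A rejection without a token also passes validate(), so require one.
            return response.getTimeStampToken() != null;
        } catch (TSPException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] document = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        TimeStampRequest first = buildRequest(document);
        TimeStampRequest second = buildRequest(document); // same digest, new nonce
        System.out.println("nonce 1: " + first.getNonce().toString(16));
        System.out.println("nonce 2: " + second.getNonce().toString(16));
        if (args.length == 0) {
            return; // no TSA URL given: only show that the nonces differ
        }
        TimeStampResponse response = send(args[0], first);
        System.out.println("fresh response accepted:    " + matches(response, first));
        // Presenting the old response for the second request is the replay case.
        System.out.println("replayed response accepted: " + matches(response, second));
    }
}
```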

javax.security.auth.login.LoginException: Unable to perform password callback

jSignPDF version 2.0.0
Kubuntu 20.04
java 17.0.1 2021-10-19 LTS

When signing with my card and TSA, I get the below exception. The final PDF looks fine and has valid timestamped signature.

superuser@TheTower:~/Applications/jsignpdf-2.0.0$ ./jsignpdf.sh 
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-eObcanka
FINE PKCS11 provider registered with name JSignPKCS11-eObcanka
INFO Starting JSignPdf
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Certificate Objekt 04/08/2020 00:16:43 expired already.
INFO Used key alias: Objekt 02/08/2021 18:24:39
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: /home/superuser/Nextcloud2/Konevova/Dopis bonollo.pdf
INFO Creating output PDF file: /home/superuser/Nextcloud2/Konevova/Dopis bonollo_signed.pdf
INFO Creating signature
INFO Setting location: Praha
INFO Setting certification level
INFO Configuring visible signature
INFO Use only layers recommend by Acrobat 6: true
INFO Setting background image scale
INFO Setting Layer 2 text (description)
INFO Setting Layer 4 text (status)
INFO Setting Render mode
INFO Creating visible signature
INFO Processing (it may take a while) ...
INFO Reading CRLs
INFO Reading CRL distribution points from certificate XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX#redacted
INFO Found CRL URL in distribution point: http://qcrldp1.ica.cz/2qca16_rsa.crl
INFO Found CRL URL in distribution point: http://qcrldp2.ica.cz/2qca16_rsa.crl
INFO Found CRL URL in distribution point: http://qcrldp3.ica.cz/2qca16_rsa.crl
INFO Downloading CRL from http://qcrldp3.ica.cz/2qca16_rsa.crl
INFO Size of downloaded CRL: 146964
INFO Downloading CRL from http://qcrldp1.ica.cz/2qca16_rsa.crl
INFO Size of downloaded CRL: 146964
INFO Downloaded CRL is already present. Skipping.
INFO Downloading CRL from http://qcrldp2.ica.cz/2qca16_rsa.crl
INFO Size of downloaded CRL: 146964
INFO Downloaded CRL is already present. Skipping.
FINE KeyStore type JSIGNPKCS11 is not supported by the provider SunPKCS11-eObcanka
FINE KeyStore type JSIGNPKCS11 is supported by the provider JSignPKCS11-eObcanka
INFO Creating TSA client.
INFO Setting TSA hash algorithm: SHA256
INFO Setting TSA policy OID: 1.3.6.1.4.1.23624.10.1.50.2.0
javax.security.auth.login.LoginException: Unable to perform password callback
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.contextSpecificLogin(JSignPKCS11.java:1335)
        at com.github.kwart.jsign.pkcs11.P11Signature.engineSign(P11Signature.java:604)
        at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)
        at java.base/java.security.Signature.sign(Signature.java:712)
        at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1258)
        at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:412)
        at net.sf.jsignpdf.SignerLogic.run(SignerLogic.java:115)
        at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.NullPointerException: Cannot invoke "javax.security.auth.callback.CallbackHandler.handle(javax.security.auth.callback.Callback[])" because "this.pHandler" is null
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.contextSpecificLogin(JSignPKCS11.java:1333)
        ... 7 more
INFO Closing result PDF stream
INFO Finished: Signature succesfully created.

[Question] TSA: org.bouncycastle.asn1.ASN1ObjectIdentifier.<init> 'identifier' cannot be null

When I try to include TSA with the following settings:

TSA URL: https://freetsa.org/tsr
TSA Authentication: No
TSA policy (OID):
TSA Hash Algorithm: sha256

I get this error

SEVERE Es ist ein Problem aufgetreten
java.lang.NullPointerException: 'identifier' cannot be null
	at org.bouncycastle.asn1.ASN1ObjectIdentifier.<init>(Unknown Source)
	at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(TSAClientBouncyCastle.java:207)
	at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(TSAClientBouncyCastle.java:186)
	at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1327)
	at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:425)
	at net.sf.jsignpdf.SignerLogic.run(SignerLogic.java:118)
	at java.base/java.lang.Thread.run(Thread.java:833)

It seems to be related with leaving the policy empty. What is the right policy (string) to use?

Reference:

Illegal reflective access operation has occurred with pkcs11.cfg

Jsignpdf 2.0.0

I am opening this issue because this will be an issue in the future version of OpenJDK (and I imagine also Java)

superuser@TheTower:~/jsignpdf-2.0.0$ GDK_SCALE=2 java -Djava.security.debug=pkcs11keystore -Djava.security.debug=sunpkcs11 -jar JSignPdf.jar                            
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils (file:/home/superuser/jsignpdf-2.0.0/JSignPdf.jar) to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
SunPKCS11 loading /home/superuser/jsignpdf-2.0.0/conf/pkcs11.cfg
sunpkcs11: Initializing PKCS#11 library /usr/lib/x86_64-linux-gnu/libeop2v1czep11.so
Information for provider SunPKCS11-eObcanka
Library info:
  cryptokiVersion: 2.20
  manufacturerID: Monet+,a.s. Zlin Stipa          
  flags: 0
  libraryDescription: Czech eID v2.1 PKCS#11 library  
  libraryVersion: 2.20

My JAVA version:

superuser@TheTower:~/jsignpdf-2.0.0$ java --version
openjdk 14.0.2 2020-07-14
OpenJDK Runtime Environment (build 14.0.2+12-Ubuntu-120.04)
OpenJDK 64-Bit Server VM (build 14.0.2+12-Ubuntu-120.04, mixed mode, sharing)

Contents of conf/pkcs11.cfg:

name=eObcanka
library=/usr/lib/x86_64-linux-gnu/libeop2v1czep11.so

jsignpdf with keychain-pkcs11

Hi,

I am trying to get jsignpdf running on a Mac (terminal is fine) using keychain-pkcs11 (https://github.com/kenh/keychain-pkcs11) for lack of a proper pkcs11 driver for my Luxtrust card. The keychain-pkcs11 driver works fine with Acrobat Reader - signing pdf documents is stable, but only one at a time. Without keychain-pkcs11 (using cryptovision), jsignpdf does not work at all but that's likely due to the cryptovision driver that doesn't seem to play ball with the Luxtrust card.

I'd like to set up a batch process for multiple document signatures using jsignpdf. I have configured jsignpdf (latest version) to use the keychain-pkcs11 driver and when I call it using

./jsignpdf.sh -kst PKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Digital Signature PIN' my.pdf

it seems to run fine until the card PIN verification, after which it fails with

FEIN Relaxing SSL security.
FEIN Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FEIN PKCS11 provider registered with name SunPKCS11-JSignPdf
FEIN PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFORMATION Checking input and output PDF paths.
INFORMATION Hole Schlüssel Alias
INFORMATION Verwendet Schlüssel: User Cert Sig
INFORMATION Lade privaten Schlüssel
INFORMATION Hole Zertifikatskette
INFORMATION Öffne PDF Eingabedatei: /Users/mfleucha/Desktop/AN-22-015_F&G.pdf
INFORMATION Erzeuge PDF Ausgabedatei: ./AN-22-015_F&G_signed.pdf
INFORMATION Erzeuge Signatur
INFORMATION Updating PDF version info 1.4 -> 1.6
INFORMATION Setze Zertifizierungsstufe
INFORMATION Bearbeite (es kann ein wenig länger dauern) ...
FEIN KeyStore type PKCS11 is supported by the provider SunPKCS11-JSignPdf
SCHWERWIEGEND Es ist ein Problem aufgetreten
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:683)
	at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1406)
	at java.base/java.security.Signature.sign(Signature.java:712)
	at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1261)
	at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:425)
	at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
	at net.sf.jsignpdf.Signer.main(Signer.java:139)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
	at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:633)
	... 6 more

INFORMATION Fertig: Erzeugen der Signatur fehlgeschlagen
FEIN Removing security provider with name SunPKCS11-JSignPdf
FEIN Removing security provider with name JSignPKCS11-JSignPdf

(sorry for the German text; not sure why it uses German, my Terminal is set to EN so I am a bit puzzled. If it makes a difference I will provide the EN output). A blank pdf file is created on disk but it's useless.

I have tried with Java 19 and 17.0.2.

For a start, I am a bit unsure about a Token PIN vs. Digital Signature PIN - I do not seem to have a possibility to set these separately for the card so I used the same PIN in the command for both.

The PKCS11 method is available in the output of ./jsignpdf.sh -lkt.

Any help getting this running would be HUGELY appreciated; I will try my luck in Windows now but am a Mac user and avoid Win when I can...

Thank you in advance for any insights!

Michael

LTV Long Term Validation

I am trying to sign pdf with LTV and yes, it's possible.

I am using two signatures (in Spain). One is obtained using DNIe (National Document Identity Electronic). Another is obtained directly from an Authority. (FNMT in Spain)

I am using this command:

java -jar ../SailsBE_dev/JSignPdf/jsignpdf-1.6.4/JSignPdf.jar 1_test.pdf -cl CERTIFIED_NO_CHANGES_ALLOWED --disable-acrobat6-layer-mode --disable-assembly --disable-copy --disable-fill --disable-modify-annotations --disable-modify-content --hash-algorithm SHA512 --keystore-file ../SailsBE_dev/JSignPdf/sign.p12 --keystore-type PKCS12 --keystore-password '' --tsa-server-url http://tsa.izenpe.com --tsa-hash-algorithm SHA512 --out-directory . --out-suffix _firmado --ocsp --ocsp-server-url http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder -llx 5 -lly 80 -urx 300 -ury 30 -V -fs 8 -pg 10000

Well, when I sign a document using the first one, it doesn't verify the OCSP, but it exists in the signature.

Using the second one, apparently the same, it does the verification with OCSP and LTV is enabled in the document.

How is this possible?

Can I force the use of OCSP?

Thanks

Possibility to align the Visible signature

Just a quick feature enhancement request.

Would it be possible to choose the alignment of the Visible signature in the render box?

I would like to align it left at the bottom of the page, and to do it properly, now, I have to know the size of the logo and the length of the description to, more or less, nail it.

Minor request, lowest priority.

Thanks!

Control which time zone is used

This issue is just to cover the timezone part of the #53

Also, the date is displayed with "BST" (British Summer Time); it would be nice to indicate it in UTC (Coordinated Universal Time), since this one never changes.

Signature Picture only Option

Hey,

At the company I work at we need a PDF Signer and yours fits perfectly for the job. There is just one feature that would be nice if we could have it please.

When you go to the settings window, and under settings, display there is a dropdown box. Is it possible to also just have Image and no description please? This would be very handy.

Thanks

Azure

Read password from stdin

I call JSignPdf from a daemon, but don't want to pass the keystore password as a command line parameter visible from outside.

So the following patch is suggested:

diff --git a/src/net/sf/jsignpdf/SignerOptionsFromCmdLine.java b/src/net/sf/jsignpdf/SignerOptionsFromCmdLine.java
index 8ed4f04..90a1ae6 100644
--- a/src/net/sf/jsignpdf/SignerOptionsFromCmdLine.java
+++ b/src/net/sf/jsignpdf/SignerOptionsFromCmdLine.java
@@ -122,6 +122,15 @@ public class SignerOptionsFromCmdLine extends BasicSignerOptions {
            setKsFile(line.getOptionValue(ARG_KS_FILE));
        if (line.hasOption(ARG_KS_PWD))
            setKsPasswd(line.getOptionValue(ARG_KS_PWD));
+       else{
+           System.out.print("Enter private key store password:");
+           char[] keyPasswdX = null;
+           try {
+               keyPasswdX = (new java.io.BufferedReader(new java.io.InputStreamReader(System.in))).readLine().toCharArray();
+           } catch (Exception e) {
+           } 
+           setKsPasswd(keyPasswdX);
+       }
        if (line.hasOption(ARG_KEY_ALIAS))
            setKeyAlias(line.getOptionValue(ARG_KEY_ALIAS));
        if (line.hasOption(ARG_KEY_INDEX))`
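
Review bot: in the new else branch, readLine() returns null when stdin is closed or at EOF, so .toCharArray() throws a NullPointerException that the empty catch (Exception e) { } swallows, and setKsPasswd(keyPasswdX) is then called with null without any message. Handle the null and I/O error cases explicitly and report them instead of catching Exception silently. The branch also runs on every invocation where ARG_KS_PWD is absent, so callers that never passed the option will now get the prompt on stdout and block on stdin; an explicit option for reading the password from stdin would keep existing behaviour unchanged. Finally, the password passes through an immutable String returned by readLine() before it becomes a char[], so it cannot be wiped afterwards; reading into a char buffer directly would avoid that.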

Console.readPassword can't be used as it doesn't work when the process is run from another process

"Mavenization" of the project

Hello.

I need to start signing documents based on crypto tokens, and this project, as a Libre Office plugin, would suit me very well, but I would need functionality like jpdfsign, that's a little outdated.

I can collaborate with code and tests, but I am a maven addit...

Is there interest in a "mavenized" version of the project?

Cheers

Exception in Verifier

Hi!
May someone help with my problem? I get the error when I launch Verifier with a document which has 3 signatures.

java.lang.ClassCastException: class org.bouncycastle.asn1.BERTaggedObject cannot be cast to class org.bouncycastle.asn1.DERTaggedObject (org.bouncycastle.asn1.BERTaggedObject and org.bouncycastle.asn1.DERTaggedObject are in unnamed module of loader 'app')
	at com.lowagie.text.pdf.PdfPKCS7.<init>(Unknown Source)
	at com.lowagie.text.pdf.AcroFields.verifySignature(Unknown Source)
	at com.lowagie.text.pdf.AcroFields.verifySignature(Unknown Source)
	at net.sf.jsignpdf.verify.VerifierLogic.verify(VerifierLogic.java:201)
	at net.sf.jsignpdf.verify.VerifierLogic.verify(VerifierLogic.java:147)
	at net.sf.jsignpdf.verify.Verifier.main(Verifier.java:164)

Show time/date on signature

Currently I am only able to show either the name or the description on the visible signature, but not the time of signing, as, say, Adobe Reader does when it creates a signature.

I had to explain this to a few people that indeed these two were same signatures but people assume unless the signature doesn't look like one made by Adobe, it isn't valid.

This would be a totally cosmetic change: allow users to also show the time of signing on the signature itself, along with the name and description.

error: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding

I am using 1.6.3 on Ubuntu 16.04 (KDE neon edition) with PKCS#11 configured. When I try to sign a PDF I get this error:

DEBUG Relaxing SSL security.
DEBUG Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
DEBUG SunPKCS11 provider registered with name SunPKCS11-JSignPdf
INFO  Checking input and output PDF paths.
INFO  Getting key alias
INFO  Used key alias: ******* ******
INFO  Loading private key
INFO  Getting certificate chain
INFO  Opening input PDF file: test.pdf
INFO  Creating output PDF file: ./test_signed.pdf
INFO  Creating signature
INFO  Setting certification level
INFO  Configuring visible signature
INFO  Use only layers recommend by Acrobat 6: true
INFO  Setting background image scale
INFO  Setting Layer 2 text (description)
INFO  Setting Layer 4 text (status)
INFO  Setting Render mode
INFO  Creating visible signature
INFO  Processing (it may take a while) ...
ERROR Problem occured
java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
        at sun.security.rsa.RSAKeyFactory.translatePrivateKey(RSAKeyFactory.java:288)
        at sun.security.rsa.RSAKeyFactory.engineTranslateKey(RSAKeyFactory.java:191)
        at sun.security.rsa.RSAKeyFactory.toRSAKey(RSAKeyFactory.java:111)
        at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:106)
        at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:99)
        at java.security.Signature$Delegate.init(Signature.java:1155)
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1115)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1179)
        at java.security.Signature.initSign(Signature.java:530)
        at com.lowagie.text.pdf.PdfPKCS7.<init>(Unknown Source)
        at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:336)
        at net.sf.jsignpdf.Signer.signFiles(Signer.java:242)
        at net.sf.jsignpdf.Signer.main(Signer.java:137)
INFO  Finished: Creating of signature failed.
DEBUG Removing security provider with name SunPKCS11-JSignPdf

Is it a bug, or am I missing something?

how to sign using gnupg

Does jsignpdf 2.1.0 support signing PDF documents using GnuPG private keys? If so, would you mind describing, or better documenting, how this can be done, please? (If you describe how this is done, I can contribute it back as a PR improving the documentation.)

PKCS11 does not appear in keystore type

I use safenet 5110 eToken, I installed the driver in Ubuntu 22.04.
my pkcs11 conf is

name=JSignPdf
library=/lib/libeToken.so
slot=2

The problem is that PKCS11 does not appear in keystore type.

I can sign with other clients, so something is wrong in my setup for jsignpdf.
Any pointers?

Not allowed space in path to pdf file in batch mode

Hi,
At first I would like to thank you for a great project.
I have noticed a bug that may make it difficult for some people to automate their signature.

I want to run JSignPdf from the command line (on Windows). I use this command:
java -jar JSignPdf.jar -kst PKCS12 -ksf cert.p12 -ksp Password123 -ha SHA512 -c kontakt -l lokalizacja -r powod -ts http://time.certum.pl -tsh SHA-256 --disable-fill --disable-modify-content --disable-assembly --disable-modify-annotations --disable-screen-readers --disable-copy -cl CERTIFIED_NO_CHANGES_ALLOWED --out-directory "C:\Users\Dell Latitude\AppData\Local\Temp\" "C:\Users\Dell Latitude\AppData\Local\Temp\tmp9713.pdf"

and get the error:
File Latitude\AppData\Local\Temp\tmp9713.pdf is not readable by the application. Check if the file exists and the user has read right.

Can it be improved in the next version?
using " doesn't help as you can see
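
The command in this report can be replayed offline against a small model of the Microsoft C runtime argument-splitting rules, which the Java launcher on Windows is assumed to follow here. This is an added example, not part of the original issue or of JSignPdf; `split_windows_args` is a hypothetical helper and the two command tails are constructed from the command quoted above.

```python
def split_windows_args(cmdline):
    """Split a command line the way the Microsoft C runtime builds argv.

    Simplified model: the "" escape inside a quoted section is not handled.
    """
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            # Count the run of backslashes and look at what follows it.
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:      # odd run: the quote is escaped and kept
                    cur.append('"')
                else:            # even run: the quote is a real delimiter
                    in_quotes = not in_quotes
                i = j + 1
            else:                # not before a quote: backslashes are literal
                cur.append("\\" * run)
                i = j
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
            cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args

# Constructed from the tail of the command in the report.
TEMP = r"C:\Users\Dell Latitude\AppData\Local\Temp"
REPORTED = '--out-directory "' + TEMP + '\\" "' + TEMP + '\\tmp9713.pdf"'
# Same tail with the trailing backslash doubled before the closing quote.
DOUBLED = '--out-directory "' + TEMP + '\\\\" "' + TEMP + '\\tmp9713.pdf"'
```

Under this model the last argument of `REPORTED` is exactly the file name shown in the error message, and dropping the trailing backslash from the `--out-directory` value has the same effect as doubling it.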

PKCS12: Why certificate AAA from Comodo is automatically added?

Hello,
very nice program that works on Linux systems too, great work, many thanks.
I have one question, why certificate "AAA" from Comodo is automatically added when PDF document (PKCS#7) is signed with X.509 certificate from file (PKCS#12 format)? Is it possible to disable this?
Thank you.

Feature: Append only time stamp without own digital signature

Hello. Would it be possible to add an option to append only a time stamp, without one's own digital signature, from some TSA server (HTTP/HTTPS)?
This is necessary, for example:

  • To preserve the so-called "digital continuity" (for example, by using periodic timestamping (e.g. each year), the availability or integrity of the validation data is maintained) - append only a time stamp to the signed PDF document, so that it is still valid and usable for legal acts even after the expiration of the time stamp originally appended at the time of signing. This is the addition of the so-called "archival electronic time stamp" (this can also be qualified if the TSA is on the EUTL list). The process is also defined by eIDAS and is described by ETSI here. This is a necessary requirement for the AdES (PAdES) BASELINE-LTA signature format (e.g. also addressed here). Adding a time stamp must be done before the expiration of the original time stamp (e.g. a moment before the expiration of its validity).
  • To supplement the time stamp if you receive a digitally signed PDF document without any time stamp and you need to keep its validity indefinitely...

Many thanks for your consideration.

OCSP Connection refused

Hello, do you have any idea about this error? It's just sometimes wrong

Array
(
[0] => INFO Checking input and output PDF paths.
[1] => INFO Getting key alias
[2] => INFO Used key alias: 1
[3] => INFO Loading private key
[4] => INFO Getting certificate chain
[5] => INFO Opening input PDF file: /xxx.pdf
[6] => INFO Creating output PDF file: /xxx_signed.pdf
[7] => INFO Creating signature
[8] => INFO Updating PDF version info 1.4 -> 1.6
[9] => INFO Setting certification level
[10] => INFO Processing (it may take a while) ...
[11] => INFO Reading OCSP URL from certificate chain.
[12] => INFO Getting OCSP data from URL: http://qcpocsp2012.e-szigno.hu/
[13] => SEVERE Problem occured
[14] => ExceptionConverter: java.net.ConnectException: Connection refused (Connection refused)
[15] => at java.net.PlainSocketImpl.socketConnect(Native Method)
[16] => at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
[17] => at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
[18] => at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
[19] => at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
[20] => at java.net.Socket.connect(Socket.java:607)
[21] => at java.net.Socket.connect(Socket.java:556)
[22] => at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
[23] => at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
[24] => at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
[25] => at sun.net.www.http.HttpClient.<init>(HttpClient.java:242)
[26] => at sun.net.www.http.HttpClient.New(HttpClient.java:339)
[27] => at sun.net.www.http.HttpClient.New(HttpClient.java:357)
[28] => at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1226)
[29] => at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1205)
[30] => at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056)
[31] => at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:990)
[32] => at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340)
[33] => at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315)
[34] => at com.lowagie.text.pdf.OcspClientBouncyCastle.getEncoded(OcspClientBouncyCastle.java:244)
[35] => at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:385)
[36] => at net.sf.jsignpdf.Signer.signFiles(Signer.java:235)
[37] => at net.sf.jsignpdf.Signer.main(Signer.java:131)
[38] =>
[39] => INFO Finished: Creating of signature failed.
)

Use jsignpdf in server side

Hello... I would like to use your project as a web service where I will send the signature as a string from JavaScript. My question is... Is that possible??? Which data is required to sign a PDF with your app... just for signing, because my idea is to capture the signature from the web with JavaScript?

Greetings.

PAdES B-LTA level support

It would be nice for JSignPDF to sign PDF files to conform to ETSI EN 319 142-1 V1.1.0 (2016-02) (PAdES digital signatures) ( https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.00_30/en_31914201v010100v.pdf ) B-LTA level.

6.1. Signature levels
d) B-LTA level provides requirements for the incorporation of electronic time-stamps that allow validation of the signature long time after its generation. This level aims to tackle the long term availability and integrity of the validation material.
