Hi,
I am trying to get jsignpdf running on a Mac (terminal is fine) using keychain-pkcs11 (https://github.com/kenh/keychain-pkcs11) for lack of a proper pkcs11 driver for my Luxtrust card. The keychain-pkcs11 driver works fine with Acrobat Reader - signing pdf documents is stable, but only one at a time. Without keychain-pkcs11 (using cryptovision), jsignpdf does not work at all but that's likely due to the cryptovision driver that doesn't seem to play ball with the Luxtrust card.
I'd like to set up a batch process for multiple document signatures using jsignpdf. I have configured jsignpdf (latest version) to use the keychain-pkcs11 driver and when I call it using
./jsignpdf.sh -kst PKCS11 -ksp 'Token PIN' -ha SHA256 -kp 'Digital Signature PIN' my.pdf
it seems to run fine until the card PIN verification, after which it fails with
FEIN Relaxing SSL security.
FEIN Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FEIN PKCS11 provider registered with name SunPKCS11-JSignPdf
FEIN PKCS11 provider registered with name JSignPKCS11-JSignPdf
INFORMATION Checking input and output PDF paths.
INFORMATION Hole Schlüssel Alias
INFORMATION Verwendet Schlüssel: User Cert Sig
INFORMATION Lade privaten Schlüssel
INFORMATION Hole Zertifikatskette
INFORMATION Öffne PDF Eingabedatei: /Users/mfleucha/Desktop/AN-22-015_F&G.pdf
INFORMATION Erzeuge PDF Ausgabedatei: ./AN-22-015_F&G_signed.pdf
INFORMATION Erzeuge Signatur
INFORMATION Updating PDF version info 1.4 -> 1.6
INFORMATION Setze Zertifizierungsstufe
INFORMATION Bearbeite (es kann ein wenig länger dauern) ...
FEIN KeyStore type PKCS11 is supported by the provider SunPKCS11-JSignPdf
SCHWERWIEGEND Es ist ein Problem aufgetreten
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:683)
    at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1406)
    at java.base/java.security.Signature.sign(Signature.java:712)
    at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(PdfPKCS7.java:1261)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:425)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
    at net.sf.jsignpdf.Signer.main(Signer.java:139)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:633)
    ... 6 more
INFORMATION Fertig: Erzeugen der Signatur fehlgeschlagen
FEIN Removing security provider with name SunPKCS11-JSignPdf
FEIN Removing security provider with name JSignPKCS11-JSignPdf
(sorry for the German text; not sure why it uses German, my Terminal is set to EN so I am a bit puzzled. If it makes a difference I will provide the EN output). A blank pdf file is created on disk but it's useless.
I have tried with Java 19 and 17.0.2.
For a start, I am a bit unsure about a Token PIN vs. Digital Signature PIN - I do not seem to have a possibility to set these separately for the card so I used the same PIN in the command for both.
The PKCS11 method is available in the output of ./jsignpdf.sh -lkt.
Any help getting this running would be HUGELY appreciated; I will try my luck in Windows now but am a Mac user and avoid Win when I can...
Thank you in advance for any insights!
Michael