Multiple PKCS11 providers #187

Open
felagund opened this issue Jul 13, 2024 · 1 comment

Maybe I am missing something, but if I want to use multiple PKCS11 providers (like, for example, my ID for electronic signature and a USB token for signing documents with an authorized stamp for the civil engineering authority), do I need to always edit the conf/pkcs11.cfg file? I tried listing multiple files in conf/conf.properties but only the last one seems to be used. Listing both in the conf/pkcs11.cfg fails, i.e. with

name=eObcanka
library=/usr/lib/x86_64-linux-gnu/libeopproxyp11.so

name=tokenCKAIT
library=/usr/lib/libeTPkcs11.so
slot=1

After running jsignpdf.sh I get:

FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:114)
        at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:66)
        at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.InvalidParameterException: Error configuring SunPKCS11 provider
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:122)
        ... 7 more
Caused by: sun.security.pkcs11.ConfigurationException: name must only be specified once, line 10
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.excLine(Config.java:397)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.checkDup(Config.java:689)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parseStringEntry(Config.java:578)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parse(Config.java:418)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:222)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:118)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:115)
        ... 7 more

SEVERE Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
        at net.sf.jsignpdf.utils.PKCS11Utils.initPkcs11Provider(PKCS11Utils.java:110)
        at net.sf.jsignpdf.utils.PKCS11Utils.registerProviders(PKCS11Utils.java:67)
        at net.sf.jsignpdf.Signer.main(Signer.java:104)
Caused by: java.security.ProviderException: Error parsing configuration
        at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:88)
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:130)
        at com.github.kwart.jsign.pkcs11.JSignPKCS11.<init>(JSignPKCS11.java:104)
        ... 8 more
Caused by: com.github.kwart.jsign.pkcs11.ConfigurationException: name must only be specified once, line 10
        at com.github.kwart.jsign.pkcs11.Config.excLine(Config.java:374)
        at com.github.kwart.jsign.pkcs11.Config.checkDup(Config.java:650)
        at com.github.kwart.jsign.pkcs11.Config.parseStringEntry(Config.java:539)
        at com.github.kwart.jsign.pkcs11.Config.parse(Config.java:391)
        at com.github.kwart.jsign.pkcs11.Config.<init>(Config.java:219)
        at com.github.kwart.jsign.pkcs11.Config.getConfig(Config.java:84)
        ... 10 more

(and nothing gets registered).

Also, on a related note, what is the name field for? In the "Keystore type" list, it only lists "PKCS11".


felagund commented Jul 13, 2024

The docs https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html say

 To use more than one slot per PKCS#11 implementation, or to use more than one PKCS#11 implementation, simply repeat the installation for each with the appropriate configuration file. This will result in a Sun PKCS#11 provider instance for each slot of each PKCS#11 implementation.

so it should be possible but I am not sure if it is not implemented or I am missing how to configure it properly?
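
What the quoted Oracle guide describes, as an added example that is not part of the issue thread and not JSignPdf code: one SunPKCS11 instance per configuration, each with a single `name`, created with the JDK's `Provider.configure` (Java 11+ as written). The names and library paths are the ones from the issue; whether JSignPdf itself can be configured this way is not answered on this page.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class MultiPkcs11 {
    // One configuration per token, each with exactly one "name" (values from the issue).
    static final String[] CONFIGS = {
        "name=eObcanka\nlibrary=/usr/lib/x86_64-linux-gnu/libeopproxyp11.so\n",
        "name=tokenCKAIT\nlibrary=/usr/lib/libeTPkcs11.so\nslot=1\n"
    };
    // Creates and registers one SunPKCS11 instance per configuration.
    static List<Provider> registerAll(String[] configs) throws Exception {
        Provider template = Security.getProvider("SunPKCS11");
        if (template == null) throw new IllegalStateException("SunPKCS11 not available");
        List<Provider> registered = new ArrayList<>();
        for (String cfg : configs) {
            Path file = Files.createTempFile("pkcs11-", ".cfg");
            try {
                Files.writeString(file, cfg);
                Provider p = template.configure(file.toString());
                Security.addProvider(p);
                registered.add(p);
            } catch (RuntimeException e) {
                // Bad config or missing library: report it, keep the other tokens.
                System.err.println("Not registered: " + e);
            } finally {
                Files.deleteIfExists(file);
            }
        }
        return registered;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        for (Provider p : registerAll(CONFIGS)) {
            System.out.println("Provider: " + p.getName()); // "SunPKCS11-" + name
            if (console == null) continue; // no terminal to ask for a PIN
            KeyStore ks = KeyStore.getInstance("PKCS11", p); // this token only
            ks.load(null, console.readPassword("PIN for %s: ", p.getName()));
            System.out.println("  aliases: " + Collections.list(ks.aliases()));
        }
    }
}
```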
