Přeskočit na hlavní obsah

JSignPKCS11 - when your smartcard is too smart

TL;DR Yes, you can add digital signatures in Java even when you use newer hardware tokens such as Gemalto SafeNet eToken 5110 CC. JSignPKCS11 might help.



Maybe you've seen the infamous PKCS11 error message CKR_USER_NOT_LOGGED_IN already. Thrown even when the SunPKCS11 security provider and the keystore settings were properly configured for your hardware token.

java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:685)
        at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1404)
        at java.base/java.security.Signature.sign(Signature.java:713)
...
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Sign(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:664)
        ... 6 more

I fought this issue in my JSignPDF application as several users had hit it. After some debugging over the failing SunPKCS11 implementation and over the passing pkcs11-tools one, I realized the Java implementation only covers the old version of PKCS #11. There is no support for the new login type "CKU_CONTEXT_SPECIFIC" in SunPKCS11. So I forked the OpenJDK SunPKCS11 into the intoolswetrust GitHub organization (where I keep my popular projects) and added a logic to call this login type before signing.

Sounds interesting? Do you want to try it too? Just add the Maven dependency:

<dependency>
    <groupId>com.github.kwart.jsign</groupId>
    <artifactId>jsign-pkcs11</artifactId>
    <version>${jsign.pkcs11.version}</version>
</dependency>

and instead of class registering security provider with class "sun.security.pkcs11.SunPKCS11" use the class "com.github.kwart.jsign.pkcs11.JSignPKCS11".

NSS is not supported

If you use the SunPKCS11 for accessing NSS keystores, then don't use the JSignPKCS11 as there is no support for NSS modes.

Komentáře

Populární příspěvky z tohoto blogu

Three ways to redirect HTTP requests to HTTPs in WildFly and JBoss EAP

WildFly application server (and JBoss EAP) supports several simple ways how to redirect the communication from plain HTTP to TLS protected HTTPs. This article presents 3 ways. Two are on the application level and the last one is on the server level valid for requests to all deployments. 1. Request confidentiality in the deployment descriptor The first way is based on the Servlet specification. You need to specify which URLs should be protected in the web.xml deployment descriptor. It's the same approach as the one used for specifying which URLs require authentication/authorization. Just instead of requesting an assigned role, you request a transport-guarantee . Sample content of the WEB-INF/web.xml <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1

Simple TLS certificates in WildFly 18

It's just 2 weeks when WildFly 18 was released. It includes nice improvements in TLS certificates handling through ACME protocol (Automatic Certificate Management Environment), it greatly simplifies obtaining valid HTTPS certificates. There was already a support for the Let's Encrypt CA in WildFly 14 as Farah Juma described in her blog post last year. New WildFly version allows using other CA-s with ACME protocol support. It also adds new switch --lets-encrypt to interactive mode of security enable-ssl-http-server JBoss CLI commands. Let's try it. Before we jump on WildFly configuration, let's just mention the HTTPs can be used even in the default configuration and a self-signed certificate is generated on the fly. Nevertheless, it's not secure and you should not use it for any other purpose than testing. Use Let's Encrypt signed certificate for HTTPs application interface Start WildFly on a machine with the public IP address. Run it on the defaul

Weby ministerstev a jejich zabezpečení

Nedávno jsem hledal informaci na webu ministerstva zdravotnictví a zarazilo mě, že jsem nebyl automaticky přesměrován na zabezpečený protokol HTTPs. Napadlo mě podívat se, jak jsou na tom weby jednotlivých ministerstev s podporou tohoto protokolu. Rozdíly v zabezpečení jsou mezi weby velké a u některých ministerstev přímo překvapivé. Ministerstvo HTTPs Auto Redirect TLS 1.2 TLS 1.3 !RC4 !TLS 1 EV cert Doprava mdcr.cz Finance mfcr.cz Kultura mkcr.cz Místní rozvoj mmr.cz Obrana army.cz Práce a soc. věcí mpsv.cz Průmysl mpo.cz Spravedlnost justice.cz Školství msmt.cz Vnitra mvcr.cz Zahraničí mzv.cz Zdravotnictví mzcr.cz Zemědělství eagri.cz Životní prostředí mzp.cz Trocha teorie Proč HTTPs HTTPs znamená HTTP komunikaci přes spojení šifrované pomocí TLS protokolu (dříve SSL). Protokol HTTPs poskytuje nejen šifrování komunikace, ale t