Entering PIN more than one time while using JSignPdf with Smartcard in batch mode


Roman Pozarlik

Aug 14, 2013, 4:42:53 AM
to jsig...@googlegroups.com
Hi,

I am trying to sign several PDF files using batch mode and Smartcard. Unfortunately, JSignPdf is asking for PIN for each file which it is signing.

Could this be changed or configured?

The PIN should not be saved anywhere for security reason. So, JSignPdf should use it when it is entered for the first time and sign all the selected files. 
Is it possible in current version or some development is required?

Thank you for your help.
Roman

Josef Cacek

Aug 14, 2013, 6:15:19 AM
to JSignPdf forum
Hello Roman,
correct me if I'm wrong - you use a certificate stored on a SmartCard
and to access it you use the WINDOWS-MY keystore type. If this is
true, then the dialog which is asking for PIN doesn't come from
JSignPdf, but from Windows.

You should use PKCS#11 keystore type instead of WINDOWS-MY. It will
deal with your SmartCard reader directly. Enable it by uncommenting
(removing the leading hash sign) the line in conf/conf.properties:
pkcs11config.path=conf/pkcs11.cfg

Then configure the values in conf/pkcs11.cfg file according to
documentation -
http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#ATTRS

Then provide the PIN as a normal keystore password and everything
should work as expected.

Regards,
-- Josef

Roman Pozarlik

Aug 14, 2013, 7:50:29 AM
to jsig...@googlegroups.com
Hi Josef,

Thank you for your answer.
You are correct - I tried to use WINDOWS-MY keystore. I understand that I should use PKCS#11 keystore.
However, the documentation you are pointing is quite complex and thus difficult to use.

Do you have any example how to configure values in pkcs11.cfg file in the simplest manner, with most default values?

With best wishes, Roman

Josef Cacek

Aug 14, 2013, 8:17:46 AM
to JSignPdf forum
Hi Roman,
the simple configuration which is in the conf/pkcs11.cfg worked for
me some years ago with Windows XP. So the name and library attributes
were enough.
If it's also your case, you only need to find the correct library and
fill the full path in the configuration file (don't forget to escape
back-slashes - i.e. use the doubled).

One hint from (https://code.google.com/p/esign-helper/):
32-bit
Siemens - %SYSTEMROOT%\System32\siecap11.dll
Charismathics - %SYSTEMROOT%\System32\cmP11.dll
ACS - %SYSTEMROOT%\System32\acospkcs11.dll
GemPlus - %SYSTEMROOT%\System32\pk2priv.dll OR
%SYSTEMROOT%\System32\w32pk2ig.dll
SeTec - %SYSTEMROOT%\System32\SetTokI.dll
ActivIdentity - %SYSTEMROOT%\System32\acpkcs.dll
SafeNet - %SYSTEMROOT%\System32\dkck232.dll

64-bit
Siemens - %SYSTEMROOT%\SysWOW64\siecap11.dll
Charismathics - %SYSTEMROOT%\SysWOW64\cmP11.dll
ACS - %SYSTEMROOT%\SysWOW64\acospkcs11.dll
GemPlus - %SYSTEMROOT%\SysWOW64\pk2priv.dll OR
%SYSTEMROOT%\System32\w32pk2ig.dll
SeTec - %SYSTEMROOT%\SysWOW64\SetTokI.dll
ActivIdentity - %SYSTEMROOT%\SysWOW64\acpkcs.dll
SafeNet - %SYSTEMROOT%\SysWOW64\dkck232.dll

another one from
(http://jce.iaik.tugraz.at/sic/Products/Core-Crypto-Toolkits/PKCS_11_Provider/using):
- aetpkss1.dll (for G&D StarCos and Rainbow iKey 3000)
- cs2_pkcs11.dll (for Utimaco CryptoServer LAN)
- CccSigIT.dll (for IBM MFC)
- pk2priv.dll (for GemSAFE, old version)
- gclib.dll (for GemSAFE, new version)
- dspkcs.dll (for Dallas iButton)
- slbck.dll (for Schlumberger Cryptoflex and Cyberflex Access)
- SetTokI.dll (for SeTec)
- acpkcs.dll (for ActivCard)
- psepkcs11.dll (for A-Sign Premium)
- id2cbox.dll (for ID2 PKCS#11)
- smartp11.dll (for SmartTrust PKCS#11)
- pkcs201n.dll (for Utimaco Cryptoki for SafeGuard)
- dkck201.dll (for DataKey and Rainbow iKey 2000 series)
- cryptoki.dll (for Eracom CSA)
- AuCryptoki2-0.dll (for Oberthur AuthentIC)
- eTpkcs11.dll (for Aladdin eToken, and some Siemens Card OS cards)
- cknfast.dll (for nCipher nFast or nShield)
- cryst201.dll (for Chrysalis LUNA)
- cryptoki.dll (for IBM 4758)
- softokn3.dll (for the Mozilla or Netscape crypto module, see also
next property)
- iveacryptoki.dll (for Rainbow CryptoSwift HSM)
- sadaptor.dll (for Eutron CryptoIdentity or Algorithmic Research MiniKey)
- pkcs11.dll (for TeleSec)
- siecap11.dll (for Siemens HiPath SIcurity Card API)
- asepkcs.dll (for Athena Smartcard System ASE Card)
- /opt/SUNWconn/cryptov2/lib/libvpkcs11.so (for SUN Crypto Accelerator
4000, 32-bit libraries)
- /opt/SUNWconn/cryptov2/lib/sparcv9/libvpkcs11.so (for SUN Crypto
Accelerator 4000, 64-bit libraries)
- /opt/SUNWconn/crypto/lib/libpkcs11.so (for SUN Crypto Accelerator
1000, 32-bit libraries)
- /opt/SUNWconn/crypto/lib/sparcv9/libpkcs11.so (for SUN Crypto
Accelerator 1000, 64-bit libraries)

I hope it helps.
-- jc
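
Added example (not part of the thread and not JSignPdf's own code): a minimal Java program showing why the PKCS#11 keystore type allows a single PIN entry for a whole batch. The PIN is read once from the console, used to log in to the token, wiped, and the same key handle then signs several inputs. Assumptions: Java 9 or later, an RSA key on the card, a provider name of "SmartCard", and constructed sample documents; the library path is a placeholder.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class Pkcs11BatchSign {
    // args[0] is a provider config file with the two attributes named in the
    // thread (the name value is an assumption, the path is a placeholder):
    //   name = SmartCard
    //   library = <full path to the vendor PKCS#11 DLL, back-slashes doubled>
    public static void main(String[] args) throws Exception {
        // Java 9+ API; older releases construct sun.security.pkcs11.SunPKCS11 directly.
        Provider p11 = Security.getProvider("SunPKCS11").configure(args[0]);
        Security.addProvider(p11);

        Console console = System.console();
        if (console == null) throw new IllegalStateException("no interactive console");
        char[] pin = console.readPassword("Smartcard PIN: ");

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        try {
            ks.load(null, pin);          // single login to the token
        } finally {
            Arrays.fill(pin, '\0');      // do not keep the PIN in memory
        }

        String alias = null;             // first entry that holds a private key
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new KeyStoreException("no private key on token");
        PrivateKey key = (PrivateKey) ks.getKey(alias, null); // handle only, key stays on card

        // Constructed sample inputs standing in for the batch of files.
        List<String> docs = List.of("constructed document 1", "constructed document 2");
        for (String doc : docs) {
            Signature s = Signature.getInstance("SHA256withRSA", p11);
            s.initSign(key);
            s.update(doc.getBytes(StandardCharsets.UTF_8));
            System.out.printf("%s -> %d signature bytes%n", doc, s.sign().length);
        }
    }
}
```

Cards whose signing key carries the PKCS#11 attribute CKA_ALWAYS_AUTHENTICATE require a PIN for every signature regardless of keystore type, so the single login shown here does not apply to them.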

Roman Pozarlik

Aug 27, 2013, 5:21:00 AM
to jsig...@googlegroups.com
Hi Josef,

Thank you for your help. I am working with CryptoTech and I have found library CCPkiP11.dll.
My files look like this:

conf.properties

pkcs11config.path=conf/pkcs11.cfg
relax.ssl.security=true

pkc11.cfg

library=C:\\Program Files (x86)\\CryptoTech\\CryptoCard\\CCPkiP11.dll

my BAT file

JSignPdf.jar -e -opwd 12345 -upwd 12345 -os "" -op "signed_" -d "C:\tmp" "C:\tmp\*.pdf"

Unfortunately, nothing happens, no messages, no warnings??

With best wishes, Roman

Josef Cacek

Aug 27, 2013, 5:34:42 AM
to JSignPdf forum
Hi Roman,

Do you see the PKCS#11 keystore type in the GUI now?

What is output of "java -jar JSignPdf.jar --list-keystore-types" in the console?

Your batch command should contain -kst and -ksp options:
-ksp,--keystore-password <password> password to KeyStore
-kst,--keystore-type <type> sets KeyStore type (you can list possible
values for this option -lkt argument)

Use the -ksp to provide the smartcard PIN as the Keystore password.

-- jc
