ERROR: "Keystore was not loaded succesfully."


Adam

Apr 25, 2016, 7:13:41 AM
to JSignPdf

This is the first time I have tried to digitally sign a PDF file, so I apologize beforehand for the dummy question. Here is my setup:

OS:

$ lsb_release -a
LSB Version:    core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch:core-4.1-amd64:core-4.1-noarch:security-4.0-amd64:security-4.0-noarch:security-4.1-amd64:security-4.1-noarch
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.4 LTS
Release:    14.04
Codename:    trusty

Java:

$ java -version
java version "1.8.0_77"
Java(TM) SE Runtime Environment (build 1.8.0_77-b03)
Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)

JSignPdf:

$ java -jar JSignPdf.jar --version
DEBUG Relaxing SSL security.
DEBUG Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
DEBUG SunPKCS11 provider registered with name SunPKCS11-JSignPdf
JSignPdf version 1.6.1
DEBUG Removing security provider with name SunPKCS11-JSignPdf

SafeNet Authentication Client Tools:

Also, it seems that I can successfully connect to SafeNet 5100 and I can see my two certificates in it:

In other words, so far so good I guess. However, when I do:


$ java -jar JSignPdf.jar -V -kst PKCS11 -ka <alias> -ksp <password> test.pdf


I get:


DEBUG Relaxing SSL security.
DEBUG Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
DEBUG SunPKCS11 provider registered with name SunPKCS11-JSignPdf
INFO  Checking input and output PDF paths.
java.security.KeyStoreException: PKCS11 not found
    at java.security.KeyStore.getInstance(KeyStore.java:851)
    at net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:348)
    at net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:413)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:135)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:242)
    at net.sf.jsignpdf.Signer.main(Signer.java:137)
Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
    at java.security.Security.getImpl(Security.java:695)
    at java.security.KeyStore.getInstance(KeyStore.java:848)
    ... 5 more
WARN  Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.
ERROR Problem occured
java.lang.NullPointerException: Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.
    at net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliasInternal(KeyStoreUtils.java:216)
    at net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:415)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:135)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:242)
    at net.sf.jsignpdf.Signer.main(Signer.java:137)
INFO  Finished: Creating of signature failed.
DEBUG Removing security provider with name SunPKCS11-JSignPdf


and, when I do:


$ java -jar JSignPdf.jar -V -kst PKCS12 -ka <alias> -ksp <password> test.pdf

DEBUG Relaxing SSL security.
DEBUG Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
DEBUG SunPKCS11 provider registered with name SunPKCS11-JSignPdf
INFO  Checking input and output PDF paths.
INFO  Getting key alias
INFO  Used key alias: le-383af22f-e8dc-4b74-95c8-5ea777fd40b6
INFO  Loading private key
INFO  Getting certificate chain
INFO  No private key was found. Check the keystore settings (keystore type, filepath, password, key alias).
INFO  Finished: Creating of signature failed.
DEBUG Removing security provider with name SunPKCS11-JSignPdf


I suspect that my problem has to do with any of the following things:


1) use PKCS12 instead of PKCS11 or vice versa

2) put the key in the keystore (but where should I find the key and how can I put it in the keystore)?


Any help is appreciated.

Josef Cacek

Apr 25, 2016, 2:33:45 PM
to JSignPdf forum
Hi,
It seems something failed while registering PKCS11. It's interesting that it's not reported during the initial phase (i.e. the DEBUG message about the registered SunPKCS11 provider).

You can try to list keystore types as the first step:

$ java -jar JSignPdf.jar -lkt

Afterwards, if you see PKCS11 in the list, then this is the next step: list the key aliases in the keystore:

$ java -jar JSignPdf.jar -kst PKCS11 -ksp <password> -lk

It should give you a result similar to this one:

DEBUG Relaxing SSL security.
DEBUG Registering SunPKCS11 provider from configuration in /home/kwart/test/fips/fips-pkcs11.cfg
DEBUG SunPKCS11 provider registered with name SunPKCS11-testPkcs
INFO  Getting keystore type instance: PKCS11
INFO  Getting key alias
INFO  Key aliases in the keystore:
jbossweb
DEBUG Removing security provider with name SunPKCS11-testPkcs

To make the picture complete: when I have an incorrect PKCS11 configuration, my logs usually contain something like:

DEBUG Relaxing SSL security.
DEBUG Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
Unable to register SunPKCS11 security provider.
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at net.sf.jsignpdf.utils.PKCS11Utils.registerProvider(PKCS11Utils.java:66)
    at net.sf.jsignpdf.Signer.main(Signer.java:109)
Caused by: java.security.ProviderException: Could not initialize NSS
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
    ... 6 more
...

I.e. I see the exception already during the PKCS11 provider registration.

-- jc
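
The two checks from the reply above (is a PKCS11 keystore type available, and which aliases does it hold) can also be run against the JCA directly. This is an added example, not JSignPdf code or part of the original posts: the class name Pkcs11Check is hypothetical, the default config path is the one from the logs, and the reflective SunPKCS11(String) constructor assumes Java 8 as used in this thread.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;

/** Added diagnostic for Java 8; hypothetical class, not part of JSignPdf. */
public class Pkcs11Check {
    public static void main(String[] args) throws Exception {
        // SunPKCS11 config file; conf/pkcs11.cfg is the path shown in the logs.
        String cfg = args.length > 0 ? args[0] : "conf/pkcs11.cfg";

        // Java 8 only: SunPKCS11(String) constructor, called reflectively so the
        // class still compiles on newer JDKs where that constructor is gone.
        Provider p = (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
                .getConstructor(String.class).newInstance(cfg);
        Security.addProvider(p);
        System.out.println("Registered provider: " + p.getName());

        // Check 1: a registered provider is not enough; it must also expose
        // a KeyStore service of type PKCS11.
        boolean hasKeyStore = false;
        for (Provider.Service s : p.getServices()) {
            if ("KeyStore".equals(s.getType())) {
                System.out.println("  KeyStore type offered: " + s.getAlgorithm());
                hasKeyStore |= "PKCS11".equalsIgnoreCase(s.getAlgorithm());
            }
        }
        if (!hasKeyStore) {
            System.out.println("Provider offers no PKCS11 KeyStore service.");
            return;
        }

        // Check 2: log in and list aliases, marking which hold a private key.
        // The PIN is read from the console, not passed as an argument.
        Console console = System.console();
        if (console == null) {
            System.out.println("No interactive console available for PIN entry.");
            return;
        }
        char[] pin = console.readPassword("Token PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        Arrays.fill(pin, '\0');
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + (ks.isKeyEntry(alias) ? "  [private key]" : "  [certificate only]"));
        }
        Security.removeProvider(p.getName());
    }
}
```

An alias listed as certificate only cannot be used for signing, which is the situation the "No private key was found" message describes.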



sofia zoomko

Jul 30, 2017, 9:43:02 AM
to JSignPdf

[Inline image 1]