Cannot load Keys


Dimitris F

Jul 23, 2014, 5:12:12 AM
to jsig...@googlegroups.com
Hello,

The organization where I am currently employed is switching to FOSS, and digitally signing documents is of utmost importance.
The problem we are currently facing with JSignPdf is that we cannot load the keys from the Aladdin USB token.
We use Ubuntu 12.04.4 and have tried various versions of JSignPdf. The keystore type is PKCS11.
Any help is invaluable, thank you in advance.

Dimitris F

Jul 23, 2014, 5:38:31 AM
to jsig...@googlegroups.com
I forgot to mention that the pkcs11.cfg is:


# Sample file for registering PKCS#11 security provider in JSignPdf
# Feel free to edit it and then set path to the file in the conf.properties configuration file.

# Look for full list of possible attributes at
# http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#ATTRS

name=JSignPdf

# if you are not sure about your PKCS driver library check following URL:
# http://www.freeotfe.org/docs/Explorer/pkcs11_drivers.htm

library=/usr/lib/libeTPkcs11.so


and I have uncommented the conf.properties lines:
#certificate.checkKeyUsage=false
#certificate.checkValidity=false
 
pkcs11config.path=conf/pkcs11.cfg
 
as proposed in similar threads. I have tried OpenJDK Java 6 and 7 with the same results. Thank you again.



Josef Cacek

Jul 23, 2014, 6:04:44 AM
to JSignPdf forum
What does "cannot load the keys" mean?
Does the JSignPdf print some error message?
-- jc

Dimitris F

Jul 23, 2014, 6:15:21 AM
to jsig...@googlegroups.com

Dear Josef,

When I press the load keys button, the key aliases are not loaded and therefore I cannot sign the PDF. The console output is shown in the picture. Thank you for your immediate response.

Josef Cacek

Jul 23, 2014, 6:21:45 AM
to JSignPdf forum
Try to also allow the invalid keys.
Edit the conf/conf.properties file and uncomment the following two lines (remove the hash "#" character):

#certificate.checkValidity=false
#certificate.checkKeyUsage=false

-- jc



Dimitris F

Jul 23, 2014, 6:59:45 AM
to jsig...@googlegroups.com
I have already done that from the beginning.


# Global properties for advanced JSignPdf configuration

# font.path is a path to font used in visible signature
#font.path=C:\\WINNT\\Fonts\\VLADIMIR.ttf

# font.name is the name of font in the font-file filled in font.path property.
#font.name=vladimir.ttf

# font encoding of choosen font: Cp1250, Cp1252, Cp1257, Cp1250, Identity-H, Identity-V, MacRoman
#font.encoding=Cp1250

# setting property certificate.checkValidity to false, you can disable validity checks
certificate.checkValidity=false

# by setting property certificate.checkKeyUsage to false, you can disable keyUsage checks
# i.e. checks that the certificate purpose is "digitalSignature" or "nonRepudiation"
certificate.checkKeyUsage=false

# by setting property certificate.checkCriticalExtensions to true (or commenting out),
# you can enable critical extension checks
# i.e. checks that all certificate extensions marked as critical are supported (or known) by JSignPdf
# JSignPdf currently supports following critical extensions:
#     2.5.29.15 - KeyUsage
#     2.5.29.17 - Subject Alternative Name
#     2.5.29.19 - Basic Constraints
#     2.5.29.29 - Certificate Issuer
#     2.5.29.37 - Extended Key Usage
certificate.checkCriticalExtensions=false

# pkcs11config.path is a path (either absolute or relative to the working directory) to PKCS#11 provider configuration;
# if the file exists it's used to register a new SunPKCS11 provider instance
# as described in http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html
pkcs11config.path=conf/pkcs11.cfg

# relax.ssl.security is a true/false flag (false is default) which can disable some SSL checks. If the value is true,
# then for instance the JSignPDF will trust all server certificates when making requests to TSA or OCSP.
relax.ssl.security=true

# pdf2image.libraries is a comma-separated list of libraries, which should be used to retrieve PDF page preview. The order
# does matter here. The first successfully generated image wins. Supported library names are jpedal, pdfbox and pdfrenderer
# Default value: 'jpedal,pdfbox,pdfrenderer'
pdf2image.libraries=jpedal,pdfbox,pdfrenderer

# tsa.hashAlgorithm is a default hash algorithm name used when requesting time-stamp from a TSA (SHA-1, SHA-256, SHA-384, SHA-512, ...)
# Default value: 'SHA-1'
tsa.hashAlgorithm=SHA-1

and also


# Sample file for registering PKCS#11 security provider in JSignPdf
# Feel free to edit it and then set path to the file in the conf.properties configuration file.

# Look for full list of possible attributes at
# http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#ATTRS

name=JSignPdf

# if you are not sure about your PKCS driver library check following URL:
# http://www.freeotfe.org/docs/Explorer/pkcs11_drivers.htm

library=/usr/lib/libeTPkcs11.so



Thank you again.

Josef Cacek

Jul 23, 2014, 7:19:46 AM
to JSignPdf forum
OK, I can imagine what can be the problem now.

1) it seems you already have the SunPKCS11 provider registered in your
JRE (check $JAVA_HOME/jre/lib/security/java.security)

2) You have to run JSignPdf from the directory where it's installed

3) If your configuration is correct, you should see the following messages
appearing in the console window during the program start:
DEBUG Relaxing SSL security.
DEBUG Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
DEBUG SunPKCS11 provider registered with name SunPKCS11-JSignPdf

-- jc
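
Added example, not part of the original post and not JSignPdf code: the three checks from the reply above scripted as a preflight. The function names and return codes are assumptions made for this sketch; the file names and attributes are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not JSignPdf code): preflight for the three checks above.
# Function names and return codes are assumptions made for this sketch.

# Print the value of KEY from a key=value file, skipping commented-out lines.
p11_attr() {  # usage: p11_attr FILE KEY_REGEX
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Check 1: succeeds when java.security has an active (uncommented)
# security.provider.N entry that names SunPKCS11.
jre_has_sunpkcs11() {  # usage: jre_has_sunpkcs11 JAVA_SECURITY_FILE
    grep -Eq '^[[:space:]]*security\.provider\.[0-9]+[[:space:]]*=.*SunPKCS11' "$1"
}

# Checks 2 and 3: DIR must be the JSignPdf installation directory, because a
# relative pkcs11config.path is resolved against the working directory.
preflight() {  # usage: preflight DIR JAVA_SECURITY_FILE
    dir=$1; sec=$2; props="$dir/conf/conf.properties"
    [ -r "$props" ] || { echo "FAIL: $props not readable"; return 2; }
    rel=$(p11_attr "$props" 'pkcs11config\.path')
    [ -n "$rel" ] || { echo "FAIL: pkcs11config.path not set"; return 3; }
    case $rel in /*) cfg=$rel ;; *) cfg="$dir/$rel" ;; esac
    [ -r "$cfg" ] || { echo "FAIL: $cfg not readable"; return 4; }
    lib=$(p11_attr "$cfg" library)
    [ -r "$lib" ] || { echo "FAIL: library '$lib' not readable"; return 5; }
    if jre_has_sunpkcs11 "$sec"; then
        echo "NOTE: $sec already registers a SunPKCS11 provider"
    fi
    echo "OK: expect provider SunPKCS11-$(p11_attr "$cfg" name) using $lib"
}

# Typical call, from the directory JSignPdf is started in:
#   preflight "$PWD" "$JAVA_HOME/jre/lib/security/java.security"
```

A result of 3 means the pkcs11config.path line is still commented out, 4 means the program is not being started from the installation directory, and 5 means the library= path does not point at a readable driver.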

Dimitris F

Jul 23, 2014, 7:36:57 AM
to jsig...@googlegroups.com

Could you be more specific, please? Thank you.

Josef Cacek

Jul 23, 2014, 8:06:39 AM
to JSignPdf forum
JAVA_HOME is the place where your Java is installed.
If you use a standard Java installation on Ubuntu (from APT repositories), then you can use the following command to set the environment variable.
 
export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")

-- jc


On Wed, Jul 23, 2014 at 1:36 PM, 'Dimitris F' via JSignPdf <jsig...@googlegroups.com> wrote:

could you be more specific please? Thank you


Dimitris F

Jul 24, 2014, 3:07:07 AM
to jsig...@googlegroups.com
Dear Josef,

I followed your instructions to the letter and again I cannot find a solution, even though I am convinced that there is one. Even though Jsign loads the configuration file, the keys are still not loading. The output is the following:

Thank you in advance; your help is invaluable.



Josef Cacek

Jul 24, 2014, 4:06:57 AM
to JSignPdf forum
Strange.
Do you see the keys in 
- any other program on your system?
- any other java application on your system?

-- josef


Rajendra Prasad

Jul 27, 2014, 11:11:41 AM
to jsig...@googlegroups.com
Sir,
I am not getting any problem in key loading and signing documents. Please see the attached screenshot. Using JSignPdf 1.6, Ubuntu 12.04, Aladdin Token, Java 1.7.0_45.
Regards
Rajendra
keypass.png
signed.png

Eduardo Paiva

Feb 28, 2015, 10:53:33 PM
to jsig...@googlegroups.com
Dear Josef,

I seem to have the same problem as Dimitris: I can't load the keys in JSignPdf. But I can see them in Firefox.

Do you know what else I could try doing to fix that?

I am sending attached a screenshot of when I tried to sign a PDF and the config files (I did what was indicated above).

Thank you!!

Regards

Eduardo
====
More info:

Ubuntu 14.04

java -version
java version "1.7.0_75"
OpenJDK Runtime Environment (IcedTea 2.5.4) (7u75-2.5.4-1~trusty1)
OpenJDK 64-Bit Server VM (build 24.75-b04, mixed mode)
Screenshot from 2015-03-01 00:46:00.png
conf.properties
pkcs11.cfg

Josef Cacek

Mar 2, 2015, 2:24:16 AM
to JSignPdf forum
Hi Eduardo,

could you try to specify slot (or slotListIndex) attribute in your pkcs11.cfg file?


I didn't need to change it for my smart-card reader, but another configuration may need another set of attributes.

Regards,
-- Josef

Cristina Maselli

Apr 18, 2015, 6:20:11 PM
to jsig...@googlegroups.com
Hi, everyone!
I'm trying to use JSignPdf, but in "keystore type" I don't have the option "pkcs11", only "BCPKCS12", "BKS", "BOUNCYCASTLE", "CASEEXACTJKS", "JCEKS", "JKS", "KEYCHAINSTORE", "PKCS12", "PKCS12-3DES-3DES", "PKCS12-3DES-40RC2", "PKCS12-DEF", "PKCS12-DEF-3DES-3DES" and "PKCS12-DEF-3DES-40RCS" and I have no idea which one I have to choose. I don't know either what to put in "keystore file" and what's the password if it's from the PC's administrator or from my token. I really need to make it work before Monday!
Can you help me, please, as soon as possible?
Thank you! 
Cristina. 

Josef Cacek

Apr 19, 2015, 4:04:14 PM
to JSignPdf forum
It seems you use a Mac, and AFAIK the native keystore type for it is KEYCHAINSTORE.
The PKCS11 is important when you have your private key on a hardware token (e.g. smartcard).

-- josef

Cristina Maselli

Apr 22, 2015, 12:42:59 PM
to jsig...@googlegroups.com
Hi, Josef,
I do, I have my private key on a hardware token, but, as I said before, the option "PKCS11" doesn't appear for me to choose it.
Should I choose the KEYCHAINSTORE option?
Thank you for your response.
Cristina.

Rajendra Prasad

Apr 23, 2015, 3:41:31 AM
to jsig...@googlegroups.com
OK
Can you tell me the OS version, token version, Java version and JSignPdf version so that I can test it at my end? In Ubuntu with the Aladdin token I don't have any issue.
Rajendra

Josef Cacek

Apr 23, 2015, 5:35:10 AM
to JSignPdf forum
Hi Cristina,

If the PKCS11 is not enabled by default, then you have to configure it manually in 2 configuration files from the JSignPdf installation. You'll also need a native library (usually part of a driver coming from your hardware token vendor).

To enable adding PKCS11 directly in JSignPdf, uncomment (remove the leading hash sign from) this line in conf/conf.properties:
pkcs11config.path=conf/pkcs11.cfg

Then configure the values in conf/pkcs11.cfg file according to documentation - http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#ATTRS 

Regards,

-- Josef

Cristina Maselli

Apr 24, 2015, 12:47:44 PM
to jsig...@googlegroups.com
Hi, Rajendra,
the OS version is Mac OS X 10.6.8, token is GD BURTI, JSignPdf version 1.6.1 and Java I'm not sure, but I think it's the last one.
Thank you.

Cristina Maselli

Apr 24, 2015, 1:08:02 PM
to jsig...@googlegroups.com
Thank you, Josef,
but I'm afraid I'm not able to do that... could you be more specific, please?

Josef Cacek

Apr 24, 2015, 3:59:04 PM
to JSignPdf forum
I don't have access to Mac OS X now, but it seems there could be direct support for the SunPKCS11 security provider on Apple's Java.
My info comes from the following sites:

The Linux and Windows Java versions don't have SunPKCS11 registered in <java_installation>/jre/lib/security/java.security and therefore I've added the possibility to register the security provider in JSignPdf at runtime. There are 2 related property files in the conf folder under the JSignPdf installation directory.

Try to get information about SunPKCS11 support on Mac OS X from your token vendor.

Regards,
-- josef

PagariaGroup Support

Aug 30, 2018, 1:38:54 AM
to JSignPdf

Dear All,

I have macOS Sierra version 10.12.6 and Java version 8 update 181 on the system, and we need to try JSign for the digital certificate, but it is not detected. Please help me to resolve the mentioned issue.