Re: [tomcat] branch main updated: Integrate JSign for cross-platform builds with signed Windows binaries
On Thu, Jun 10, 2021 at 12:08 AM Emmanuel Bourg wrote:

> On 2021-06-09 21:09, Rémy Maucherat wrote:
>
> > Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
> >     at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
> >     at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:635)
> >     ... 12 more
> > Try `java -jar jsign.jar --help' for more information.
> >
> > The cfg file is:
> > name=DigiCertONE
> > library="/home/remm/.digicertone/smpkcs11.so"
> > slotListIndex=0
> >
> > The .so is there (otherwise it would complain earlier). Also the smctl tool
> > shows the key. I tried other algorithms but no success so far.
>
> You can try adding -Djava.security.debug=sunpkcs11, it should provide
> more info.

https://pastebin.com/nqNUix6j

So I think it shows the security provider [why was this hacked in as a fake token card ??] works on init, but I didn't get any extra details on the error.

Now I will try again with a clean environment instead of my bleeding edge Fedora stuff.

Rémy

> Emmanuel Bourg
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [tomcat] branch main updated: Integrate JSign for cross-platform builds with signed Windows binaries
On 2021-06-09 21:09, Rémy Maucherat wrote:

> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
>     at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
>     at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:635)
>     ... 12 more
> Try `java -jar jsign.jar --help' for more information.
>
> The cfg file is:
> name=DigiCertONE
> library="/home/remm/.digicertone/smpkcs11.so"
> slotListIndex=0
>
> The .so is there (otherwise it would complain earlier). Also the smctl tool
> shows the key. I tried other algorithms but no success so far.

You can try adding -Djava.security.debug=sunpkcs11, it should provide more info.

Emmanuel Bourg
Re: [tomcat] branch main updated: Integrate JSign for cross-platform builds with signed Windows binaries
On Wed, Jun 9, 2021 at 6:40 PM Mark Thomas wrote:

> On 09/06/2021 17:36, ma...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > markt pushed a commit to branch main
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> >
> > The following commit(s) were added to refs/heads/main by this push:
> >      new 9f391c9 Integrate JSign for cross-platform builds with signed Windows binaries
> > 9f391c9 is described below
> >
> > commit 9f391c998ee9adbc22acce2bbabbc2c6b8fc4172
> > Author: Mark Thomas
> > AuthorDate: Wed Jun 9 17:36:25 2021 +0100
> >
> >     Integrate JSign for cross-platform builds with signed Windows binaries
>
> The signing works on Linux. I'm just testing it on Windows before
> back-porting.

-installer-sign-uninstaller:
    [jsign] Adding Authenticode signature to /home/remm/Work/releases/tomcat-9.0.47/output/dist/Uninstall.exe

BUILD FAILED
/home/remm/Work/releases/tomcat-9.0.47/build.xml:2615: Couldn't sign /home/remm/Work/releases/tomcat-9.0.47/output/dist/Uninstall.exe

With the command line and after getting a real standalone JVM, I'm still getting:

[remm@omni releases]$ java -jar libs/jsign-3.1/jsign-3.1.jar --keystore ~/.digicertone/pkcs11properties.cfg --storepass NONE --storetype PKCS11 --alias "Tomcat-PMC-key-2021-04" --alg SHA-512 --tsaurl http://timestamp.digicert.com tomcat-9.0.47/output/dist/Uninstall.exe
Adding Authenticode signature to tomcat-9.0.47/output/dist/Uninstall.exe
jsign: Couldn't sign tomcat-9.0.47/output/dist/Uninstall.exe
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:685)
    at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1404)
    at java.base/java.security.Signature.sign(Signature.java:713)
    at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(Unknown Source)
    at net.jsign.bouncycastle.cms.SignerInfoGenerator.generate(Unknown Source)
    at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
    at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
    at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.generate(AuthenticodeSignedDataGenerator.java:50)
    at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:368)
    at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:339)
    at net.jsign.SignerHelper.sign(SignerHelper.java:424)
    at net.jsign.JsignCLI.execute(JsignCLI.java:111)
    at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:635)
    ... 12 more
Try `java -jar jsign.jar --help' for more information.

The cfg file is:
name=DigiCertONE
library="/home/remm/.digicertone/smpkcs11.so"
slotListIndex=0

The .so is there (otherwise it would complain earlier). Also the smctl tool shows the key. I tried other algorithms but no success so far.

Rémy

> Mark
Re: [tomcat] branch main updated: Integrate JSign for cross-platform builds with signed Windows binaries
On 09/06/2021 17:36, ma...@apache.org wrote:

> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
> The following commit(s) were added to refs/heads/main by this push:
>      new 9f391c9 Integrate JSign for cross-platform builds with signed Windows binaries
> 9f391c9 is described below
>
> commit 9f391c998ee9adbc22acce2bbabbc2c6b8fc4172
> Author: Mark Thomas
> AuthorDate: Wed Jun 9 17:36:25 2021 +0100
>
>     Integrate JSign for cross-platform builds with signed Windows binaries

The signing works on Linux. I'm just testing it on Windows before back-porting.

Mark