I strongly encourage that you do not try to do any crypto with your key and pdfbox until you

1. understand how to work with your hardware in Java
2. understand the basic concepts of how and why the crypto operations work
3. have a very basic/minimal understanding of how signed PDFs should function.

That being said - this is taken from one of our test cases. It will require 
deliberate modifications to work with your purposes as it is (modified from) 
written for our purposes.

    // JDK imports used below. EmptyStringPasswordCallbackHandler, X509Chain,
    // Formatters and log are not JDK classes and are not shown in this message;
    // the assert* calls come from the test framework.
    import java.security.*;
    import java.security.cert.CertificateException;
    import java.util.logging.Level;
    import javax.security.auth.callback.CallbackHandler;

    public static void main(String[] args) throws InvalidKeyException, SignatureException,
            NoSuchAlgorithmException, KeyStoreException, CertificateException,
            UnrecoverableKeyException
    {
        // Open the Windows certificate store ("Windows-MY") through the SunMSCAPI provider.
        Provider provider = Security.getProvider("SunMSCAPI");
        CallbackHandler cbh = new EmptyStringPasswordCallbackHandler();
        KeyStore.ProtectionParameter protection = new KeyStore.CallbackHandlerProtection(cbh);
        KeyStore.Builder keystoreBuilder = KeyStore.Builder.newInstance("Windows-MY", provider, protection);
        KeyStore store = keystoreBuilder.getKeyStore();

        // Find the private key handle that belongs to a known certificate.
        java.security.cert.X509Certificate publicCertificate = X509Chain.convert( "YOUR X509 Cert here" );
        String alias = store.getCertificateAlias(publicCertificate);
        PrivateKey privateKey = (PrivateKey) store.getKey(alias, null);

        byte[] asn1={(byte)0x30, ... your message here ... (byte)0x97};
        byte[] expected=new byte[] {(byte)0x5D, ... your digest here ... (byte)0xFD};

        //new WindowsSmartCardTest().
        //signAndVerify(privateKey, publicCertificate, asn1, expected, provider);

        // NONEwithRSA applies the RSA operation to the bytes as given, without hashing them first.
        // The provider is named explicitly when one is available.
        Signature rsaS = provider == null
                ? Signature.getInstance("NONEwithRSA")
                : Signature.getInstance("NONEwithRSA", provider);

        rsaS.initSign(privateKey);
        log.log(Level.INFO, "provider={0}", rsaS.getProvider());
        rsaS.update(asn1);
        byte[] res = rsaS.sign();
        log.log(Level.INFO, "sig:{0}", Formatters.hexArray0x(res));
        assertArrayEquals("signature is deterministic", expected, res);

        // Verify the signature with the public key from the certificate.
        rsaS.initVerify(publicCertificate);
        rsaS.update(asn1);
        assertTrue("validation should pass", rsaS.verify(res));
    }

Happy hunting. The offer stands for testing the hardware.

May I assume this is your hardware: 
https://mobile-security.gi-de.com/starsign-crypto-usb-token-s ?

It seems that they obtained FIPS 140-2: 
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2628.pdf

> -----Original Message-----
> From: Gustavo Delgado <gustavodelga...@gmail.com>
> Sent: Sunday, June 21, 2020 5:10 PM
> To: users@pdfbox.apache.org
> Subject: Re: RE: Sign a PDF using USB Token - PKCS#11
> 
> I'm still learning about digital signatures. Can you explain what you mean
> by 'perform a signed digest'?
> 
> Regarding the hardware, I believe it's only available in my country, because
> I haven't found it on Amazon.
> 
> On 2020/06/21 03:57:50, "Jason Pyeron" <jpye...@pdinc.us> wrote:
> > I would start with a test application without PDFBox.
> >
> > Verify you can use the token to perform a signed digest first. If and only
> > if that works, then look at the detached signature example. This is how we
> > are able to use DoD CAC / PIV signing.
> >
> > If the hardware can be purchased on Amazon (for a reasonable price) send me
> > a link and test here.
> >
> > v/r,
> >
> > Jason Pyeron
> >
> > > -----Original Message-----
> > > From: Gustavo Delgado <gustavodelga...@gmail.com>
> > > Sent: Saturday, June 20, 2020 7:39 PM
> > > To: users@pdfbox.apache.org
> > > Subject: Re: Sign a PDF using USB Token - PKCS#11
> > >
> > > I'm sorry about the missing code, I should've clarified that I'm using
> > > the following example from the svn repository:
> > >
> > > https://svn.apache.org/repos/asf/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignature.java
> > >
> > > Here's the complete stack trace, which I also added to the gist for a
> > > clear view:
> > > https://gist.github.com/benywolf42/f5784671301478dd3e2cf803eb6ef8d5
> > >
> > > 20:28:22.821 [main] DEBUG org.apache.pdfbox.cos.COSStream - Create InputStream called without data being written before to stream.
> > > java.io.IOException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
> > >   at app.devir.docsigner.lib.CreateSignatureBase.sign(CreateSignatureBase.java:155)
> > >   at org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature(COSWriter.java:734)
> > >   at org.apache.pdfbox.pdfwriter.COSWriter.visitFromDocument(COSWriter.java:1145)
> > >   at org.apache.pdfbox.cos.COSDocument.accept(COSDocument.java:385)
> > >   at org.apache.pdfbox.pdfwriter.COSWriter.write(COSWriter.java:1378)
> > >   at org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(PDDocument.java:967)
> > >   at app.devir.docsigner.lib.CreateSignature.signDetached(CreateSignature.java:157)
> > >   at app.devir.docsigner.lib.CreateSignature.signDetached(CreateSignature.java:113)
> > >   at app.devir.docsigner.lib.CreateSignature.initialize(CreateSignature.java:184)
> > >   at app.devir.docsigner.Application.main(Application.java:20)
> > > Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
> > >   at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
> > >   at app.devir.docsigner.lib.CreateSignatureBase.sign(CreateSignatureBase.java:141)
> > >   ... 9 more
> > > Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
> > >   at java.security.Signature$Delegate.chooseProvider(Signature.java:1138)
> > >   at java.security.Signature$Delegate.engineInitSign(Signature.java:1179)
> > >   at java.security.Signature.initSign(Signature.java:530)
> > >   ... 11 more
> > >
> > > On 2020/06/20 05:20:15, Tilman Hausherr <thaush...@t-online.de> wrote:
> > > > Hi,
> > > >
> > > > Please post more of the stack trace. It is unclear what throws the
> > > > exception. And the code in the gist does not create a signer thus
> > > > something is missing. Did you use the code from the source code download
> > > > in the current version?
> > > >
> > > > see also
> > > > https://stackoverflow.com/questions/23665092/how-to-get-keystore-from-usb-token-in-java
> > > >
> > > >
> > > >
> > > > Tilman
> > > >
> > > > On 20.06.2020 at 05:44, Gustavo Delgado wrote:
> > > > > Hello everyone! I hope you're all doing well.
> > > > >
> > > > > I'm struggling to digitally sign a pdf document for more time than I
> > > > > would like and any help here is appreciated.
> > > > >
> > > > > I'm using a USB Token (StarSign Crypto USB Token S) and the
> > > > > proprietary .dll available to load the keystore.
> > > > > I can get the available info from the token, but whenever I try to
> > > > > sign a pdf using the <CreateSignature> class, I get the following
> > > > > exception:
> > > > >
> > > > > <<org.bouncycastle.operator.OperatorCreationException: cannot create signer: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey>>
> > > > >
> > > > > I've done some research but I couldn't find any resource to overcome
> > > > > this problem using PDF Box, which is the library I'd like to use
> > > > > because of its license.
> > > > >
> > > > > If it can be of any help, I'm also posting the code I've used:
> > > > >
> > > > > https://gist.github.com/benywolf42/f5784671301478dd3e2cf803eb6ef8d5
> > > > >
> > > > > Thanks in advance and be safe!
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
> > > > > For additional commands, e-mail: users-h...@pdfbox.apache.org
> > > > >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
> > > > For additional commands, e-mail: users-h...@pdfbox.apache.org
> > > >
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
> > > For additional commands, e-mail: users-h...@pdfbox.apache.org
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
> > For additional commands, e-mail: users-h...@pdfbox.apache.org
> >
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
> For additional commands, e-mail: users-h...@pdfbox.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org

Reply via email to
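
What "signing a digest" means in the reply at the top of this thread, as an added example that is not part of the original messages: a SHA-256 digest wrapped in a PKCS#1 DigestInfo and signed with NONEwithRSA gives the same bytes as SHA256withRSA over the whole message. It assumes a software-generated RSA key as a stand-in for the token key; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

// Added example, not code from the thread. The key pair is generated in software
// as a stand-in for the token key; class and method names are hypothetical.
public class SignedDigestDemo {
    // DER prefix of a PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2);
    // the 32 digest bytes follow it. It starts with 0x30, like the asn1 array above.
    static final byte[] SHA256_DIGEST_INFO_PREFIX = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

    static byte[] digestInfo(byte[] message) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(message);
        byte[] out = Arrays.copyOf(SHA256_DIGEST_INFO_PREFIX,
                SHA256_DIGEST_INFO_PREFIX.length + digest.length);
        System.arraycopy(digest, 0, out, SHA256_DIGEST_INFO_PREFIX.length, digest.length);
        return out;
    }

    // With a token key, pass the provider instance the key store came from; a null
    // provider leaves the choice to the JCA lookup, which is where the quoted trace fails.
    static byte[] sign(String algorithm, PrivateKey key, Provider provider, byte[] data)
            throws GeneralSecurityException {
        Signature s = provider == null ? Signature.getInstance(algorithm)
                                       : Signature.getInstance(algorithm, provider);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();               // constructed test key
        byte[] message = "constructed test message".getBytes(StandardCharsets.UTF_8);

        // "Signing a digest": the key only ever sees the small DigestInfo, not the message.
        byte[] raw = sign("NONEwithRSA", pair.getPrivate(), null, digestInfo(message));
        byte[] full = sign("SHA256withRSA", pair.getPrivate(), null, message);
        System.out.println("NONEwithRSA(DigestInfo) == SHA256withRSA(message): "
                + Arrays.equals(raw, full));
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pair.getPublic());
        v.update(message);
        System.out.println("verifies as SHA256withRSA: " + v.verify(raw));
    }
}
```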