
Signing with etoken works when manually initiated but not via service or over ssh

Open KarlOfDuty opened this issue 1 year ago • 2 comments

I hit one final issue: everything works when I'm at the computer running the signing command myself, both in KDE and in the tty.

However, if I try to use the exact same command on the exact same file via a gitlab runner service on the same computer, or run it remotely using ssh, it does not work.

Here are the different cases I've tested, all tests are run using the gitlab-runner user unless otherwise specified:

| Action | Result |
| --- | --- |
| Running in a terminal in KDE. | Works. |
| Running in TTY locally. | Works. |
| Running in a Gitlab pipeline step. | Doesn't work. |
| Running in a Gitlab pipeline step, service edited to run as root. | Works. |
| Running in a terminal over ssh. | Doesn't work. |
| Running in a terminal over ssh as root. | Works. |
| Running in a terminal over ssh using sudo. | Works. |

Here is the command I use and the error I get:

jsign sign --storetype ETOKEN --storepass "$SIGNING_PASS" test.ps1

jsign: Failed to load the keystore
java.security.KeyStoreException: keystore type 'ETOKEN' is not supported with security provider SunPKCS11-SafeNet eToken
        at net.jsign.KeyStoreType.getKeystore(KeyStoreType.java:667)
        at net.jsign.KeyStoreBuilder.build(KeyStoreBuilder.java:285)
        at net.jsign.SignerHelper.build(SignerHelper.java:327)
        at net.jsign.SignerHelper.sign(SignerHelper.java:450)
        at net.jsign.SignerHelper.execute(SignerHelper.java:305)
        at net.jsign.JsignCLI.execute(JsignCLI.java:221)
        at net.jsign.JsignCLI.main(JsignCLI.java:57)
Caused by: java.security.KeyStoreException: PKCS11 not found
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:967)
        at net.jsign.KeyStoreType.getKeystore(KeyStoreType.java:662)
        ... 6 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-SafeNet eToken
        at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:101)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
        at java.base/java.security.Security.getImpl(Security.java:778)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:964)
        ... 7 more
Try `jsign --help' for more information.

I am using Rocky 9 with the 7.1 snapshot RPM you provided in the previous issue.

KarlOfDuty avatar Feb 13 '25 12:02 KarlOfDuty

Maybe a permission issue to access the eToken from the service account?

Try this to display more information:

JSIGN_OPTS=-Djava.security.debug=sunpkcs11 jsign sign --storetype ETOKEN --storepass "$SIGNING_PASS" test.ps1

ebourg avatar Feb 13 '25 13:02 ebourg

This is the beginning of what it says when it works:

SunPKCS11 loading --name="SafeNet eToken"
library = "/usr/lib64/pkcs11/libeTPkcs11.so"
slot=0
sunpkcs11: Initializing PKCS#11 library /usr/lib64/pkcs11/libeTPkcs11.so
Information for provider SunPKCS11-SafeNet eToken
Library info:
  cryptokiVersion: 2.20
  manufacturerID: SafeNet, Inc.
  flags: 0
  libraryDescription: SafeNet eToken PKCS#11
  libraryVersion: 10.08
All slots: 0, 1, 2, 3, 4, 5, 6, 7
Slots with tokens: 0

# Continues with more specific token info that I don't think is necessary to post here. But basically it finds the token in slot 0 and signs correctly.

This is everything it says when it doesn't work:

SunPKCS11 loading --name="SafeNet eToken"
library = "/usr/lib64/pkcs11/libeTPkcs11.so"

sunpkcs11: Initializing PKCS#11 library /usr/lib64/pkcs11/libeTPkcs11.so
Information for provider SunPKCS11-SafeNet eToken
Library info:
  cryptokiVersion: 2.20
  manufacturerID: SafeNet, Inc.
  flags: 0
  libraryDescription: SafeNet eToken PKCS#11
  libraryVersion: 10.08
All slots: 0, 1, 2, 3, 4, 5, 6, 7
Slots with tokens: (none)
jsign: Couldn't sign test.ps1
java.security.ProviderException: Failed to create a SunPKCS11 provider from the configuration --name="SafeNet eToken"
library = "/usr/lib64/pkcs11/libeTPkcs11.so"

        at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:55)
        at net.jsign.SafeNetEToken.getProvider(SafeNetEToken.java:43)
        at net.jsign.KeyStoreType$17.getProvider(KeyStoreType.java:461)
        at net.jsign.KeyStoreBuilder.provider(KeyStoreBuilder.java:272)
        at net.jsign.KeyStoreBuilder.build(KeyStoreBuilder.java:285)
        at net.jsign.SignerHelper.build(SignerHelper.java:327)
        at net.jsign.SignerHelper.sign(SignerHelper.java:450)
        at net.jsign.SignerHelper.execute(SignerHelper.java:305)
        at net.jsign.JsignCLI.execute(JsignCLI.java:221)
        at net.jsign.JsignCLI.main(JsignCLI.java:57)
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:569)
        at net.jsign.ProviderUtils.createSunPKCS11Provider(ProviderUtils.java:48)
        ... 9 more
Caused by: java.security.ProviderException: Initialization failed
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:458)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:179)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:153)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:153)
        ... 14 more
Caused by: java.security.ProviderException: slotListIndex is 0 but token only has 0 slots
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:439)
        ... 18 more
Try `jsign --help' for more information.

So it seems it cannot access the token in those cases for some reason.

KarlOfDuty avatar Feb 13 '25 14:02 KarlOfDuty

I observed similar behavior on Ubuntu 24.04 but not 22.04 due to a newer pcscd package. This might be helpful to others:

1. Create or edit /etc/default/pcscd with the contents: PCSCD_ARGS="--disable-polkit"
2. sudo systemctl restart pcscd
3. jsign ...

philschwartzsonos avatar Jul 22 '25 14:07 philschwartzsonos

I can confirm this solves the issue on RHEL 9 as well, thank you very much @philschwartzsonos!

@ebourg not sure if this is something jsign can do anything about, so you can go ahead and close the issue if you wish.

KarlOfDuty avatar Jul 28 '25 10:07 KarlOfDuty

I don't think I can do much at the jsign level unfortunately. If there was at least a very specific error jsign could return a hint about the pcscd configuration in the error message, but here the SunPKCS11 error is quite generic.

ebourg avatar Jul 28 '25 12:07 ebourg

For the reference: https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/

The permission issue can be diagnosed with pcsc_scan:

$ pcsc_scan
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <[email protected]>
SCardEstablishContext: Access denied.

ebourg avatar Jul 28 '25 12:07 ebourg
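The pcsc_scan diagnosis above and the pcscd fix from the earlier comment, as an added example in POSIX sh that is not code from the jsign project or from either commenter. Instead of removing pcscd's access control for every caller with `--disable-polkit`, it grants only the CI account the two polkit actions pcsc-lite defines. The action IDs are the ones pcsc-lite ships in org.debian.pcsc-lite.policy (their default of allow_active only is what lets a local KDE or TTY session through while denying ssh sessions and services); the rules file name, the script file name in the usage comment, and the 5 second timeout are this example's own choices, and the user name gitlab-runner is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the jsign project or the thread's authors.
# pcsc_access_check : tells whether the calling user can open a PC/SC context,
#   by looking for the "SCardEstablishContext: Access denied." that pcsc_scan
#   prints when pcscd's polkit check rejects the caller (the ssh/service case).
# pcsc_polkit_rule  : prints a polkit JavaScript rule granting one user the
#   pcsc-lite actions, a per-user alternative to PCSCD_ARGS="--disable-polkit".
#
# Assumptions: action IDs are those in pcsc-lite's org.debian.pcsc-lite.policy
# (confirm with: pkaction | grep pcsc-lite); the rules file name is our choice.

PCSC_RULES_FILE=/etc/polkit-1/rules.d/49-pcsc-ci-user.rules

# Exit status: 0 = context opened, 1 = access denied by pcscd, 2 = pcsc_scan missing.
pcsc_access_check() {
    command -v pcsc_scan >/dev/null 2>&1 || return 2
    # pcsc_scan keeps polling once it has a context, so bound it with timeout(1);
    # a non-zero exit (124 from timeout) is expected and not an error here.
    out=$(timeout 5 pcsc_scan -n 2>&1) || true
    case "$out" in
        *"Access denied"*) return 1 ;;
    esac
    return 0
}

# Print the polkit rule for user $1 to stdout.
pcsc_polkit_rule() {
    user=$1
    cat <<EOF
// Grant $user access to pcscd and to cards in its readers even without an
// active local session (pcsc-lite's default policy allows allow_active only).
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
         action.id == "org.debian.pcsc-lite.access_card") &&
        subject.user == "$user") {
        return polkit.Result.YES;
    }
});
EOF
}

# Install the rule for user $1 (run as root). polkitd watches rules.d and
# reloads on change, so neither polkit nor pcscd needs a restart.
pcsc_polkit_install() {
    pcsc_polkit_rule "$1" > "$PCSC_RULES_FILE" && chmod 644 "$PCSC_RULES_FILE"
}

# Usage (file name pcsc-polkit.sh is hypothetical):
#   as gitlab-runner over ssh:  . ./pcsc-polkit.sh; pcsc_access_check; echo "status $?"
#                               -> 1 before the fix, 0 after
#   as root:                    sh -c '. ./pcsc-polkit.sh && pcsc_polkit_install gitlab-runner'
```

Run pcsc_access_check from the failing context (the gitlab-runner shell over ssh, or a pipeline step) rather than from a local session, since it is the caller's session state that polkit evaluates; a status of 1 reproduces the "Access denied." shown above, and 0 after installing the rule means the SunPKCS11 "Slots with tokens: (none)" failure should be gone. Because pcscd lets uid 0 through without consulting polkit, the rule is only needed for the unprivileged account, which matches the root and sudo rows working in the table at the top of the issue.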

Fair enough, now it's documented at least.

KarlOfDuty avatar Jul 28 '25 13:07 KarlOfDuty