pkcs11 | PKCS # 11/Ruby Interface
kandi X-RAY | pkcs11 Summary
kandi X-RAY | pkcs11 Summary
PKCS #11/Ruby Interface
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of pkcs11
pkcs11 Key Features
pkcs11 Examples and Code Snippets
Community Discussions
Trending Discussions on pkcs11
QUESTION
I'm using iText 7.1.15 and SignDeferred to apply signatures to pdf documents. SignDeferred is required since the signature is created PKCS11 hardware token (usb key).
When i sign a "regular" pdf, e.g. created via word, i can apply multiple signatures and all signatures are shown as valid in the adobe acrobat reader.
If the pdf was created by combining multiple pdf documents with adobe DC, the first signature is valid but becomes invalid as soon as the seconds signature is applied.
Document in Adobe reader after the first signature is applied:
Document in Adobe reader after the second signature is applied:
The signatures of the same document are shown as valid in foxit reader.
I've found a similar issue on stackoverflow (multiple signatures invalidate first signature in iTextSharp pdf signing), but it was using iText 5 and i'm not sure it is the same problem.
Question: What can i do in order to keep both signatures valid in the Acrobat Reader?
Unsigned Pdf document on which the first signature becomes invalid: https://github.com/suntsu42/iTextDemoInvalidSecondSignature/blob/master/test.pdf
Twice signed document which is invalid: https://github.com/suntsu42/iTextDemoInvalidSecondSignature/blob/master/InvalidDocumentSignedTwice.pdf
Code used for signing
...ANSWER
Answered 2022-Jan-28 at 16:35As already mentioned in a comment, the example document "InvalidDocumentSignedTwice.pdf" has the signature not applied in an incremental update, so here it is obvious that former signatures will break. But this is not the issue of the OP's example project. Thus, the issue is processed with an eye on the actual outputs of the example project.
Analyzing the IssueWhen validating signed PDFs Adobe Acrobat executes two types of checks:
- It checks the signature itself and whether the revision of the PDF it covers is untouched.
- (If there are additions to the PDF after the revision covered by the signature:) It checks whether changes applied in incremental updates only consist of allowed changes.
The former check is pretty stable and standard but the second one is very whimsical and prone to incorrect negative validation results. Like in your case...
In case of your example document one can simply determine that the first check must positively validate the first signature: The file with only one (valid!) signature constitutes a byte-wise starting piece of the file with two signatures, so nothing can have been broken here.
Thus, the second type of check, the fickle type, must go wrong in the case at hand.
To find out what change one has to analyze the changes done during signing. A helpful fact is that doing the same using iText 5 does not produce the issue; thus, the change that triggered the check must be in what iText 7 does differently than iText 5 here. And the main difference in this context is that iText 7 has a more thorough tagging support than iText 5 and, therefore, also adds a reference to the new signature field to the document structure tree.
This by itself does not yet trigger the whimsical check, though, it only does so here because one outline element refers to the parent structure tree element of the change as its structure element (SE). Apparently Adobe Acrobat considers the change in the associated structure element as a change of the outline link and, therefore, as a (disallowed) change of the behavior of the document revision signed by the first signature.
So is this an iText error (adding entries to the structure tree) or an Adobe Acrobat error (complaining about the additions)? Well, in a tagged PDF (and your PDF has the corresponding Marked entry set to true) the content including annotations and form fields is expected to be tagged. Thus, addition of structure tree entries for the newly added signature field and its appearance not only should be allowed but actually recommended or even required! So this appears to be an error of Adobe Acrobat.
A Work-AroundKnowing that this appears to be an Adobe Acrobat bug is all well and good, but at the end of the day one might need a way now to sign such documents multiple times without current Adobe Acrobat calling that invalid.
It is possible to make iText believe there is no structure tree and no need to update a structure tree. This can be done by making the initialization of the document tag structure fail. For this we override the PdfDocument
method TryInitTagStructure
. As the iText PdfSigner
creates its document object internally, we do this in an override of the PdfSigner
method InitDocument
.
I.e. instead of PdfSigner
we use the class MySigner
defined like this:
QUESTION
I have a signing key that I need to safely store.
What I used to do, was store it directly in the Hardware available on that same host (TPM2.0, using pkcs11 API). Now I am moving my services to Kubernetes, I have tried googling "Kubernetes TPM" but everything I have found was securing Kubernetes with a remote TPM (Via a Key Management System), not on the host itself. Is using the hardware located on the node an anti-pattern (Because I see very little about using the node TPM with Kubernetes)? What is the thing that is most commonly done to protect those signing keys (aside from KMS)?
Thanks!
...ANSWER
Answered 2021-Dec-08 at 03:04- Run your kubernetes cluster
- Deploy Hashicorp Vault as one of your first applications.
- Then configure it according to your needs. i.e. https://www.vaultproject.io/docs/configuration/seal/pkcs11
In this era, APIs are the way.
QUESTION
My problem concern the usage of an hsm with Java (openjdk 11.0.12). Hsm should be use for signature purpose, by SHA512 RSA algorithm. I could be wrong in a lot of the following sentences, I'm totally newbie with HSM & co, so I apologize in advance.
For what I've understand there are three kinds of approaches:
1- Using SUNPKCS11 provider
2- Using vendor lib (hsm is shipped with a couple of jar, in my case nCipher is shipped with nCipherKM.jar, which should be vendor provider.)
3- openssl (we have some software in c already doing this, I prefer to avoid)
The usage of vendor lib it's really easy, at least until the Get info call, which send an Unknown Parameter to HardServer, causing an unmarshable exception. This is difficult to debug, communication protocol isn't documented. Right now I've put this solution aside.
In any case I prefer the SUNPKCS11 solution, it doesn't work out of the box for me, but it was simple to debug and analyze. And should be a standard.
In this case i'm using European DSS library to interface with PKCS11Provider, making things a little simpler for me to configure and implement.
The problem occurs during SunPKCS11 (vanilla) initialization.
At some point it calls a method "P11Keystore.mapLabels()" that match, according to code and Oracle documentation, all private key handlers (CKA_PRIVATE_KEY) coming from that slot with certificate handlers (CKO_CERTIFICATE), looking for matching between cka_id, in order to build a software in memory keystore with aliases map containing the CKA_LABEL attributes. (Private key is unextractable so access is read only https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#KeyStoreRestrictions)
In signature initialization this private key entry is used to fetch from HSM (by some key attributes that I don't have) the private key handler.
The problem is that my hsm nCipher doesn't expose any object for CKO_CERTIFICATE, so the match returns 0 result and my software keystore is empty.
When I try to extract the private key handler from keystore I obtain nothing and I cannot initialize Signature object.
My predecessor manually wrapped the private key attributes inside a local jks, and rewrote a new provider in order to load certificate from file and not from HSM/PKCS11.
I dislike this solution, I don't want my application to have configuration depending on HSM certificate.. it's HSM certificate job to handle those keys, not mine.
Instead, I wrote another provider to fetch and use directly the private key handler, from CKA_PRIVATE_KEY, using a preconfigured CKA_LABEL, bypassing the certificate match. And it works.
However I dislike this solution too, it means more maintenance costs for a standard protocol, and the jar must be signed each time, which for me is a nuisance.
I have the feeling that I am approaching the problem from the wrong side, maybe because I'm a noob in the matter.
Explanation are over, so here my questions: 1- Am I wrong to claim that CKO_CERTIFICATE is a prerequisite for SunPKCS11? 1- Could/Should HSM expose CKO_CERTIFICATE object without malevolent side effects? 2- Is this missing object a limitation of nCipher HSM or, probably, a configuration missing during installation? (It works even without so it's a java prerequisite more than an HSM missing) 3- If the CKO_CERTIFICATE cannot be installed and exposed: Is it ok to implement our own provider to obtain the workaround, or could exist a better way to get it working?
Sorry for my English, I'm not a native one. Thanks to those who have come to read up to here and who will answer.
...ANSWER
Answered 2021-Dec-01 at 21:50..almost a month later..
I've finished my application, now I know a lot more about the argument, it works with following modes:
- Standard SunPKCS11 against a Docker SoftHSM2 image. HSM contains CKO_CERTIFICATE PUBLIC_KEY and PRIVATE_KEY, on the same slot, with same CKA_ID.All works fine and flawless.
- Custom PKCS11 extension, I have to copy/paste almost every class from java security package (because is Java 11~17 with sun.* packages), just to alter a couple of lines in Certificate retrieving logic, dropping CKO_CERTIFICTE request and loading it by file (crt/p12).
- P12, containing all information, used as mocked version for local use only.
I've tried to extend Bouncy Castle Fips provider, instead of SunPKCS11, without any luck.
In the end I think is not possible to accomplish what I need for, the problem is in the server configuration, which is not solvable from a client software. Anyway I'll fix server configuration, adopting the first working case, dropping custom PKCS11 solution, keeping it just for academic purpose.
QUESTION
I'm using OpenSC's PKCS11 engine for OpenSSL. I want to obtain the logs from OpenSC, also I want to force a login. According to https://github.com/OpenSC/libp11/blob/master/README.md I can do so with the VERBOSE and FORCE_LOGIN parameters, but where do I put them?
I tried to put them into the corresponding OpenSSL config section:
...ANSWER
Answered 2021-Nov-12 at 20:56FORCE_LOGIN
and VERBOSE
commands do not take any parameters.
The proper way to forward them to the engine through the config file is to use EMPTY
instead of 1
:
QUESTION
Using a MacBook Pro, Big Sur OS, I followed the hyperledger fabric documentation, I installed all the required files and tools. However, when I reached to the final step, the code generated a goimports error that I am not able to repair. The Error was the following:
...ANSWER
Answered 2021-Oct-28 at 09:34Two things to try:
- Use Go 1.16 (which is the version currently used to build/run Fabric).
- Use Go installed to /usr/local/go with the official installer rather than installed with Homebrew.
If there really is something wrong with the imports in those files, which there shouldn't be unless they have been modified locally, use the goimports -l -w
command for each of the files listed to correct them.
For reference, I am also using a Macbook Pro, running MacOS Monterey but previously with Big Sur, and make basic-checks
runs cleanly for me with Go 1.16.9 on the latest main branch code.
QUESTION
I'm working on an automating a hashicorp vault process, and I need to repeatedly run the vault operator init command because of trial and error testing, I tried uninstalling vault and installing it again, but it seems like that doesn't remove the previous unseal keys + root token it generates, how can I do this?
I read somewhere that I needed to delete my storage "file" path which I already did but its not working (Actually my /opt/vault/data/ directory is empty), here is my vault.hcl file:
...ANSWER
Answered 2021-Sep-14 at 16:31If you want to do the testing only why don't you use the vault in dev mode?
QUESTION
I'm trying to use AWS IoT embedded C SDK.
After compiling, every demo works just fine, except for the fleet_provisioning
demo.
SDK version
used: 202108.00
logs:
...ANSWER
Answered 2021-Sep-24 at 15:06So after many days of struggle, with no answers.. oh, I'm so lonely here 😩️ Yeah probably no one will read this.
Anyway I've increased the size of this definitions in configs file:
QUESTION
I am running Hyperledger Fabric v2.2.3 from github release, in Oracle Linux 8.4
https://github.com/hyperledger/fabric/releases/download/v2.3.3/hyperledger-fabric-linux-amd64-2.3.3.tar.gz
I am running the orderer and peer without dockers.
and I am running PKCS11 using SoftHSM 2.5.0 without FabricCA.
I have also followed the guide at official document to setup the PKCS11.
https://hyperledger-fabric.readthedocs.io/en/release-2.2/hsm.html
I have also read this stackoverflow post stating that need to remove the SW
section.
peer node start throwing Could not find default pkcs11 BCCSP error
I successfully generated the token, the certs for both Orderer and Peer.
My Orderer started everythings successfully, but not my Peer.
Question: is the pre-built peer binary in github release for v2.2.3 is not built with PKCS11 enabled ?
Am I need to build the peer myself to enable the PKCS11 support ?
ANSWER
Answered 2021-Sep-15 at 07:12You are correct, the pre-built binaries of fabric do not have pkcs11 enabled. You need to build the peer and orderer binaries from source, specifying the tag pkcs11
to create versions that support PKCS11
QUESTION
I'm building a 32 bits embedded device that an external actor can communicate with through a PKCS#11 interface.
Basically there are 3 components :
- Our embedded device (only supports 32 bits)
- The host (may be 32 or 64 bits, not up to me)
- The host library (can be compiled in 32 or 64 bits)
I'm developing both the device and the host library and my main issue right now is to ensure compatibility with both 32 and 64 bits host applications.
The pkcs11t.h defines CK_ULONG as such :
...ANSWER
Answered 2021-Sep-14 at 11:12Presumably your embedded device performs a service. This service needs an interface.
You need to specify that interface. Each available command, value, action, etc. should be documented along with acceptable ranges for values and what happens in error conditions. Then you simply implement the specification on both sides.
Bit-depth or data types of either side is irrelevant. If data doesn't fit the interface requirements, then it must be converted before using the interface.
QUESTION
I followed the guide in the page linphone-sdk and also run these with the MSYS2 MSYS command in Windows 10:
...ANSWER
Answered 2021-Sep-13 at 04:56When I configured my environment according to the https://gitlab.linphone.org/BC/public/linphone-sdk/ page and used the Developer Command Prompt for VS 2017 the build seems to go through.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install pkcs11
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page