Skip to content

Commit

Permalink
Fix the CKR_USER_NOT_LOGGED_IN error when signing more than one file …
Browse files Browse the repository at this point in the history
…with the YUBIKEY storetype
  • Loading branch information
ebourg committed Jun 10, 2024
1 parent ec8b984 commit b07ec5c
Show file tree
Hide file tree
Showing 3 changed files with 23 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ See https://ebourg.github.io/jsign for more information.
* The value of the `storetype` parameter is now case insensitive
* The Azure Key Vault account no longer needs the permission to list the keys when signing with jarsigner
* On Windows the YubiKey library path is automatically added to the PATH of the command line tool
* Signing more than one file with the `YUBIKEY` storetype no longer triggers a `CKR_USER_NOT_LOGGED_IN` error
* API changes:
* The keystore builder and the JCA provider are now in a separate `jsign-crypto` module
* The PEFile class has been refactored to keep only the methods related to signing
Expand Down
2 changes: 1 addition & 1 deletion jsign-cli/src/test/java/net/jsign/JsignCLITest.java
Original file line number Diff line number Diff line change
Expand Up @@ -371,7 +371,7 @@ public void testSigningEncryptedPEM() throws Exception {
public void testSigningWithYubikey() throws Exception {
Assume.assumeTrue("No Yubikey detected", YubiKey.isPresent());

cli.execute("--storetype=YUBIKEY", "--certfile=target/test-classes/keystores/jsign-test-certificate-full-chain.spc", "--storepass=123456", "" + targetFile);
cli.execute("--storetype=YUBIKEY", "--certfile=target/test-classes/keystores/jsign-test-certificate-full-chain.spc", "--storepass=123456", "--alias=X.509 Certificate for Digital Signature", "" + targetFile, "" + targetFile);
}

@Test
Expand Down
21 changes: 21 additions & 0 deletions jsign-core/src/main/java/net/jsign/SignerHelper.java
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
Expand All @@ -41,6 +42,9 @@
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.cms.ContentInfo;
Expand Down Expand Up @@ -433,6 +437,23 @@ public void sign(File file) throws SignerException {
signer = build();
}

// logout and login again to avoid the CKR_USER_NOT_LOGGED_IN error with the Yubikey PKCS#11 provider
Provider provider = ksparams.provider();
if (provider instanceof AuthProvider) {
try {
((AuthProvider) provider).logout();
((AuthProvider) provider).login(null, callbacks -> {
for (Callback callback : callbacks) {
if (callback instanceof PasswordCallback) {
((PasswordCallback) callback).setPassword(ksparams.storepass().toCharArray());
}
}
});
} catch (LoginException e) {
// ignore the CKR_USER_NOT_LOGGED_IN error thrown when the user isn't logged in
}
}

log.info("Adding Authenticode signature to " + file);
signer.sign(signable);

Expand Down

0 comments on commit b07ec5c

Please sign in to comment.