Empty keystore with SafeNet eToken 5110+ FIPS accessed through PKCS#11 (eTPKCS11.dll)

[Macadoshis]

Hi,

Consider following configuration:

<!-- Using net.jsign:jsign-maven-plugin:7.4 -->
<configuration>
    <storetype>PKCS11</storetype>
    <keystore>${project.basedir}/digicert-pkcs11.cfg</keystore>
    <replace>true</replace>
    <storepass/>
    <alias>My Existing Alias</alias>
    <tsaurl>http://timestamp.digicert.com</tsaurl>
    <algorithm>SHA-256</algorithm>
</configuration>

with cfg:

name = eToken
library = C:/Windows/System32/eTPKCS11.dll
slotListIndex = 1
showInfo = false

It seems like 8 out of 10 times in run mode, this fails with No certificate found in the keystore SunPKCS11-eToken.

After running with breakpoints, I spotted the issue here :

jsign/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java

Line 697 in d18f06d

ks.load(in, params.storepass() != null ? params.storepass().toCharArray() : null);

In case of loading failure, the only difference is the field ((P11KeyStore)ks.keyStoreSpi).aliasMap being empty instead of size=1. The token info is always here.

It always succeeds ([INFO] Adding Authenticode signature to C:\Users\codesigning\IdeaProjects\jsign\javaw.exe) when I stop at this line, which makes me think it's a race condition, the try-with-resource seems not enough to guarantee the keystore has been properly loaded from the pkcs11 token.

Is there any recommandation or known issue to workaround this limitation ? Is it related to the eTPKCS11.dll dll ? Otherwise I planned to fork the project just to retry the ks.load more than 1 time which I'd hate to...

NB: running the same cfg file over keytool though always works and gets the alias and its certificate properly

keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg .\digicert-pkcs11.cfg -v -alias "My Existing Alias"

Thank you.

[ebourg]

Thank you for reporting this issue. Do you know the exact model of tje token SafeNet eToken used ? Did you try with the ETOKEN storetype instead of PKCS11 ?

[Macadoshis]

Thank you for quick answer.

Token info (from Thales SafeNet Authentication Client):

Token name: DIGICERT_USB_1                  
Token category: Hardware
Reader name: SafeNet eToken 5110+ FIPS 0
Serial number (PKCS#11): 8F04********1CA4
Free space: 65712
Card ID (GUID): 0x578000017DF4957A578000017DF4957A
Product name: eToken 5110+ FIPS
Card type: IDPrime
Applet Version: IDPrime Java Applet 4.5.0.F
Mask version: G286
Token Password: Present
Token Password retries remaining: 10
Maximum Token Password retries: 10
Token Password expiration: 17 days (28-May-2026)
Administrator Password: Present
Administrator Password retries remaining: 10
Maximum administrator Password retries: 10
FIPS Profile: FIPS 140-2 L2
Full Secure Messaging (SM): No
Sign padding on-board: Yes
Supported key size: 4096 bits
ECC: Supported
CSP: eToken Base Cryptographic Provider
KSP: SafeNet Smart Card Key Storage Provider

When using configuration :

<configuration>
    <storetype>ETOKEN</storetype>
    <keystore>1</keystore>
    <replace>true</replace>
    <storepass/>
    <alias>My Existing Alias</alias>
    <tsaurl>http://timestamp.digicert.com</tsaurl>
    <algorithm>SHA-256</algorithm>
</configuration>

I get error exactly same results:

• When running mvn command in run mode:

[ERROR] Failed to execute goal net.jsign:jsign-maven-plugin:7.4:sign (sign-java) on project jsign: No certificate found in the keystore SunPKCS11-SafeNet eToken -> [Help 1]

• When running mvn command in debug mode:

I see step-by-step loading the provider (net.jsign.KeyStoreType#getProvider) from ETOKEN override and then hitting

try (FileInputStream in = fileBased ? new FileInputStream(params.createFile(params.keystore())) : null) {
  ks.load(in, params.storepass() != null ? params.storepass().toCharArray() : null);
}

with in being null and successfully loading the aliasMap (including my alias) from empty to size=1.

NB: full maven plugin below

    <build>
        <plugins>
            <plugin>
                <groupId>net.jsign</groupId>
                <artifactId>jsign-maven-plugin</artifactId>
                <version>7.4</version>
                <executions>
                    <execution>
                        <id>sign-java</id>
                        <phase>package</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                        <configuration>
                            <!-- Example file : my pom does not compile the exe, only runs jsign -->
                            <file>${basedir}/javaw.exe</file>
                        </configuration>
                    </execution>
                </executions>
                <configuration>
                    <storetype>ETOKEN</storetype>
<!--                    <keystore>${project.basedir}/digicert-pkcs11.cfg</keystore>-->
                    <replace>true</replace>
<!--                    <storepass/>-->
                    <alias>My Existing Alias</alias>
                    <tsaurl>http://timestamp.digicert.com</tsaurl>
                    <url>https://www.mycompany.com</url>
                    <algorithm>SHA-256</algorithm>
                    <keystore>1</keystore>
                </configuration>
            </plugin>
        </plugins>
    </build>

This run ✅ vs debug 🔴 drives me crazy :) 🙏

[Macadoshis]

NB: works every time in run mode (and mvn command line) with following ugly workaround: #346 so you can get the idea :)

[ebourg]

Did you experiment with different values for the retry delay? 500ms is quite a lot, maybe 50ms is enough?

Could you also report the version of the eTPKCS11.dll library please?

[ebourg]

What version of Java do you use? Did you try another version?

[Macadoshis]

I've been tested same behavior (failure with master/7.4, success with pull-request fix) with:

• OpenJDK 26.0.1
• Eclipse Temurin 21.0.9

I tested with a decreased value : 100ms, 50ms, 10s, and they all finally failed randomly ; 500 ms looks empirically like the most robust with 10/10 success in a row.

Also I put 3 attempts for types ETOKEN and PKCS11 but for mine the alias was fetched at first attempt (second load of the keystore).