EldoS | Feel safer!

Software components for data protection, secure storage and transfer

[Java] Use PKCS11 to get certificate on USB token

Posted: 02/22/2016 04:39:06
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 80


I'm trying to sign a document with a certificate from a USB token. So I used TElPKCS11CertStorage and, from the sample I've seen, opened a session and logged into the token with the PIN code. But when I try to perform a CAdES signature, I get an error saying there's no private key:
SecureBlackbox.PKI.EElCMSError: Private key not found
at SecureBlackbox.PKI.TElCMSSignature.internalSign(SBCMS.pas:4282)
at SecureBlackbox.PKI.TElCMSSignature.sign(SBCMS.pas:4329)
at SecureBlackbox.PKI.TElCAdESSignatureProcessor.sign(SBCAdES.pas:1470)
at SecureBlackbox.PKI.TElCAdESSignatureProcessor.createBES(SBCAdES.pas:1512)
at SecureBlackbox.PKI.TElCAdESSignatureProcessor.createBES(SBCAdES.pas:1497)
at test.Main.testPKCS11(Main.java:118)
at test.Main.main(Main.java:58)
Which isn't true since I've signed many files with this exact certificate.

Here is my code:
TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
//certStorage.setDLLName( AppletAWS.getConfig("lib.pkcs11.gemalto.win.64.path") );   // 64 bits
storage.setDLLName( AppletAWS.getConfig("lib.pkcs11.gemalto.win.32.path") );      // 32 bits

String pin = requestPIN();
TElPKCS11SessionInfo session = storage.openSession( 0, false );
session.login( SBPKCS11Base.utUser, pin );

File f = new File( "Z:\\Mickael\\Sauvergarde\\C_Users_Mickaël\\Desktop\\fichiers_tests\\Applets\\depot\\candidature_light\\candidature_light-01.pdf" );
TElX509Certificate telCert = storage.getCertificate( 0 );

System.out.println( "Signer cert : " + telCert.getSubjectName().CommonName );

TElFileStream fs = null;
TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor();
TElSignedCMSMessage cms = new TElSignedCMSMessage();

try {
   fs = new TElFileStream( f.getAbsolutePath(), "r", true );
   cms.createNew( fs, 0, fs.getLength() );
   cms.setDetached( true );
   TElCMSSignature sig = cms.getSignature( cms.addSignature() );
   sig.getCommitmentTypeIndication().setIncluded( true );
   sig.getCommitmentTypeIndication().setProofOfOrigin( true );
   sig.getCommitmentTypeIndication().setProofOfCreation( true );
   sig.setUsePSS( false );

   processor.setSignature( sig );
   processor.setOnBeforeSign( new TSBCAdESBeforeSignEvent(_onBeforeSign) );
   processor.createBES( telCert );

   int iter = PKCS7.iterationNumberOfSignForFile( f );
   String sigFileName = "";
   if (iter == 0) {
      sigFileName = f.getAbsolutePath() + PKCS7.CADES_EXTENSIONS[0];
   } else {
      sigFileName = f.getAbsolutePath() + "." + iter + PKCS7.CADES_EXTENSIONS[0];
   }
   File fileSig = new File( sigFileName );
   CAdES.saveCMS( cms, fileSig );
} catch ( Exception e ) {
   throw e;
}

So from there I tried the TinySignerPKCS11 sample in PDFBlackbox. When I select the certificate from TElPKCS11CertStorage, I get this error:
SecureBlackbox.PDF.EElPDFPublicKeySecurityHandlerError: No signing certificate found
at SecureBlackbox.PDF.TElPDFPublicKeySecurityHandler.getEstimatedSignatureSize(SBPDFSecurity.pas:3752)
at SecureBlackbox.PDF.TElPDFDocument.$preCalculateSignatures$3714$setupSignatureInfo(SBPDF.pas:7140)
at SecureBlackbox.PDF.TElPDFDocument.preCalculateSignatures(SBPDF.pas:9362)
at SecureBlackbox.PDF.TElPDFDocument.close(SBPDF.pas:6158)
at Main.signClick(Main.java:757)
But when selecting it from the TElWinCertStorage, the signature is performed correctly.

What should I do? Thanks.
Posted: 02/22/2016 04:53:32
by Ken Ivanov (Team)

Hi Mickaël,

Thank you for getting in touch with us.

The most common reason for the private key not being recognized by TElPKCS11CertStorage is where the private key object's attributes are not sufficient to establish the correspondence between the certificate and the key objects. Some key import tools write token object attributes improperly, making third-party reader applications unable to match the objects to each other straightaway.

What you can try is adding the pcsoWeakenedKeySearchCriteria option to the TElPKCS11CertStorage.PKCS11Options flag set and checking whether it helps:

TSBPKCS11StorageOptions ops = storage.getPKCS11Options();
ops = ops | pcsoWeakenedKeySearchCriteria;

Please add the above code before calling the Open() method.

Posted: 02/22/2016 05:20:56
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 80

Thanks for the reply.

I've tried it out, but the class TSBPKCS11StorageOptions doesn't seem to exist, and storage.getPKCS11Options() returns an int.
Posted: 02/22/2016 05:26:04
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 80

Never mind, I found out:
int ops = storage.getPKCS11Options() | SBPKCS11Base.pcsoWeakenedKeySearchCriteria;
storage.setPKCS11Options( ops );
It works fine now! Thank you.
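An added example (not code from this thread or from EldoS) that pulls the working pieces together in one place: the option is applied before the session is opened, the storage stays open while several files are signed, and each certificate is checked for an attached private key up front so a mismatched key object is reported clearly instead of as "Private key not found" inside createBES. getPrivateKeyExists(), logout() and closeSession() are assumed names in the Java binding; the slot index 0 and the DLL path are placeholders.

```java
import SecureBlackbox.Base.SBPKCS11Base;
import SecureBlackbox.Base.TElPKCS11CertStorage;
import SecureBlackbox.Base.TElPKCS11SessionInfo;
import SecureBlackbox.Base.TElX509Certificate;

// Keeps one token session open for a whole batch of files, which is the
// pattern the thread converges on (closing the storage between sign and
// verify made every file after the first fail).
public class TokenSigningSession implements AutoCloseable {
    private final TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
    private final TElPKCS11SessionInfo session;

    public TokenSigningSession(String pkcs11DllPath, int slot, String pin) throws Exception {
        storage.setDLLName(pkcs11DllPath);
        // Relax certificate/key matching for tokens whose key objects carry
        // incomplete attributes. Must be set BEFORE the session is opened.
        int ops = storage.getPKCS11Options() | SBPKCS11Base.pcsoWeakenedKeySearchCriteria;
        storage.setPKCS11Options(ops);
        session = storage.openSession(slot, false);
        session.login(SBPKCS11Base.utUser, pin);
    }

    // Returns the first certificate whose private key the storage could
    // associate; fails early with a descriptive message otherwise.
    // getPrivateKeyExists() is an assumed binding name (PrivateKeyExists property).
    public TElX509Certificate findSigningCertificate() {
        for (int i = 0; i < storage.getCount(); i++) {
            TElX509Certificate cert = storage.getCertificate(i);
            if (cert.getPrivateKeyExists()) {
                return cert;
            }
        }
        throw new IllegalStateException(
            "No certificate on the token has an associated private key; "
            + "check the key object attributes or the key-search option");
    }

    // Sign every file with the same certificate; close() runs once at the end.
    public void signAll(java.util.List<java.io.File> files, FileSigner signer) throws Exception {
        TElX509Certificate cert = findSigningCertificate();
        for (java.io.File f : files) {
            signer.sign(f, cert);   // e.g. the CAdES createBES flow from the thread
        }
    }

    public interface FileSigner { void sign(java.io.File f, TElX509Certificate cert) throws Exception; }

    @Override public void close() throws Exception {
        session.logout();               // assumed binding names for the PKCS#11
        storage.closeSession(session);  // session teardown
    }
}
```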
Posted: 02/22/2016 05:34:32
by Ken Ivanov (Team)

Superb, thank you for letting us know!

Posted: 02/22/2016 11:43:51
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 80

Hey again, I've got another issue.

We need our application to be able to sign on Mac OS, that's why I made some tests with TElPKCS11CertStorage. I actually can sign documents (both on Mac OS and Windows), but the verification fails on Mac OS with this error:
Exception in thread "Thread-37" java.lang.UnsatisfiedLinkError: SecureBlackbox.Base.JNI.certCloseStore(JI)Z
at SecureBlackbox.Base.JNI.certCloseStore(Native Method)
at SecureBlackbox.Base.SBWinCrypt.certCloseStore(SBWinCrypt.pas:4140)
at SecureBlackbox.Base.TElWinCertStorage.clearInfo(SBWinCertStorage.pas:611)
at SecureBlackbox.Base.TElWinCertStorage.Destroy(SBWinCertStorage.pas:580)
at org.freepascal.rtl.TObject.Free(system.pp)
at SecureBlackbox.Base.SBUtils.freeAndNil(SBUtils.pas:10554)
at SecureBlackbox.Base.TElX509CertificateValidator.Destroy(SBCertValidator.pas:1033)
at org.freepascal.rtl.TObject.Free(system.pp)
at SecureBlackbox.Base.SBUtils.freeAndNil(SBUtils.pas:10554)
at SecureBlackbox.PKIPDF.TElPDFAdvancedPublicKeySecurityHandler.$validateChainAndCollectRevocationInfo$480$collectSingleRevocationInfo(SBPAdES.pas:1653)
at SecureBlackbox.PKIPDF.TElPDFAdvancedPublicKeySecurityHandler.validateChainAndCollectRevocationInfo(SBPAdES.pas:1676)
at SecureBlackbox.PKIPDF.TElPDFAdvancedPublicKeySecurityHandler.validateHash(SBPAdES.pas:1376)
at SecureBlackbox.PDF.TElPDFSignature.validate(SBPDF.pas:5051)
at SecureBlackbox.PDF.TElPDFSignature.validate(SBPDF.pas:4982)
at awsoutil.outil.signature.pades.VerifSignFile_SignThread.run(VerifSignFile_SignThread.java:163)
It happens in the TElPDFSignature.validate() method (yes, I signed with PAdES).

I can hardly show you the code (many classes/functions are used), but I can explain the steps:

  • open a token session
  • log into it (after PIN code is given)
  • select certificate
  • perform signature
  • verify signature
Steps 4 and 5 are repeated for every file selected by the user. I tried to close the TElPKCS11CertStorage after signing and before verifying, but it didn't fix the problem, and of course only the first file could be signed (the others got the error saying that no signing certificate was found, obviously).

Just to be sure, I tested it with a CAdES signature and I got the same error.

Any ideas? Thanks.
Posted: 02/22/2016 11:45:59
by Eugene Mayevski (Team)

This particular issue is a glitch that should have been fixed in build 287. Could you please check which build you are using and let us know whether it's build 287? The build number can be inspected via the SBUtils.SBB_VERSION_NUMBER constant.

Sincerely yours
Eugene Mayevski
Posted: 02/22/2016 11:51:51
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 80

Yes, I'm using build 287:
Posted: 02/22/2016 12:09:33
by Eugene Mayevski (Team)

Thank you for the clarification.

Let's continue in HelpDesk ( https://www.eldos.com/helpdesk/ ) please. I have created a new support ticket based on your above message. You will see your (and only your) support tickets by following this URL. You will also get e-mail notifications about updates related to your support ticket.

Sincerely yours
Eugene Mayevski