TomR

Reputation: 3056

What should be in Xades4J compatible PKCS11 native library?

In https://github.com/luisgoncalves/xades4j/wiki/DefiningKeyingData it is said that keys and certificates that are stored on a smart card can be used for signing XML documents. A native library is mentioned in the code example:

KeyingDataProvider kp = new PKCS11KeyStoreKeyingDataProvider(
               "path/to/native/lib",
               "name",
               new FirstCertificateSelector(),
               null, null, false);

But what should be in this native library? Is it a DLL or a Java jar, and what functions should the library export? I tried to use the libraries pkcs11wrapper-1.2.18.jar and pkcs11wrapper.dll from the distributions of digital signature packages of my country, but exceptions were thrown:

Exception in thread "main" java.security.ProviderException: java.lang.reflect.InvocationTargetException
    at xades4j.providers.impl.PKCS11KeyStoreKeyingDataProvider.createPkcs11Provider(PKCS11KeyStoreKeyingDataProvider.java:211)
    at xades4j.providers.impl.PKCS11KeyStoreKeyingDataProvider.access$100(PKCS11KeyStoreKeyingDataProvider.java:52)
    at xades4j.providers.impl.PKCS11KeyStoreKeyingDataProvider$1.getBuilder(PKCS11KeyStoreKeyingDataProvider.java:118)
    at xades4j.providers.impl.KeyStoreKeyingDataProvider.ensureInitialized(KeyStoreKeyingDataProvider.java:175)
    at xades4j.providers.impl.KeyStoreKeyingDataProvider.getSigningCertificateChain(KeyStoreKeyingDataProvider.java:189)
    at xades4j.production.SignerBES.sign(SignerBES.java:151)
    at xades4j.production.SignerBES.sign(SignerBES.java:122)
    ...
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at xades4j.providers.impl.PKCS11KeyStoreKeyingDataProvider.createPkcs11Provider(PKCS11KeyStoreKeyingDataProvider.java:198)
    ... 8 more
Caused by: java.security.ProviderException: Error parsing configuration
    at sun.security.pkcs11.Config.getConfig(Config.java:88)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:129)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)
    ... 13 more
Caused by: sun.security.pkcs11.ConfigurationException: Unexpected value Token['('], line 2
    at sun.security.pkcs11.Config.excToken(Config.java:375)
    at sun.security.pkcs11.Config.parseLine(Config.java:595)
    at sun.security.pkcs11.Config.parseLibrary(Config.java:666)
    at sun.security.pkcs11.Config.parse(Config.java:398)
    at sun.security.pkcs11.Config.<init>(Config.java:220)
    at sun.security.pkcs11.Config.getConfig(Config.java:84)
    ... 15 more

A similar exception trace is also generated when I provide an empty path or a path to a non-existent library file.

What should be in the native library to use it from Xades4J? Should this native library support some universally accepted interface? Maybe Xades4J is appropriate only for smart cards that are issued by the Spanish government?

Upvotes: 0

Views: 831

Answers (2)

You need a so-called PKCS#11 driver for your device. It is a user-mode DLL (on Windows) or .so on Linux, Android and macOS (on iOS there are no shared modules, so PKCS#11 support must be compiled into the application).

Upvotes: 1

brun0sa

Reputation: 104

That is the driver that comes from the card provider. To use your smart card, you need to install some software. That software (normally) has some nice interface, but it also installs drivers (DLLs for Windows, .so files for Unix).

Going back to xades4j:

So, "path/to/native/lib" is correct...

In xades4j, see the test classes:

static protected String PTCC_PKCS11_LIB_PATH = "C:\\Windows\\System32\\pteidpkcs11.dll";

in this class. And it is used here.

By the way, not xades4j, but interesting, for the Estonian card, see this:

signatureToken = new PKCS11SignatureToken("/usr/local/lib/opensc-pkcs11.so", "22975".toCharArray(), 2);

See also this: Signing a PDF with an eID using PKCS#11 and iText

Upvotes: 2
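
One way to confirm that a file is a usable PKCS#11 driver before handing its path to xades4j, added here as an example (not code from the posts above or from xades4j): load it through the JDK's SunPKCS11 provider and list what the token exposes. It assumes Java 9 or later (Provider.configure); the class name Pkcs11ModuleCheck, the provider name ModuleCheck and the default slot index 0 are placeholders chosen for the example.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

// Added example (hypothetical class name): checks that a vendor PKCS#11 module
// loads through SunPKCS11 and lists the entries on the token. Requires Java 9+.
public class Pkcs11ModuleCheck {

    // Builds an inline SunPKCS11 configuration; the "--" prefix tells the
    // provider that the argument is configuration text rather than a file name.
    static String inlineConfig(String name, String libraryPath, int slotListIndex) {
        return "--name = " + name + "\n"
             + "library = " + libraryPath + "\n"
             + "slotListIndex = " + slotListIndex + "\n";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1 || System.console() == null) {
            System.err.println("usage (interactive): java Pkcs11ModuleCheck <pkcs11-module> [slotListIndex]");
            System.exit(2);
        }
        int slot = args.length > 1 ? Integer.parseInt(args[1]) : 0;

        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 is not available in this runtime");
        }
        // Throws here if the path does not exist or the file cannot be
        // loaded as a PKCS#11 module.
        Provider p = base.configure(inlineConfig("ModuleCheck", args[0], slot));

        char[] pin = System.console().readPassword("Token PIN: ");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin); // logs in to the token; no file is read
            for (String alias : Collections.list(ks.aliases())) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("%s | private key: %b | %s%n", alias, ks.isKeyEntry(alias),
                        cert == null ? "(no certificate)" : cert.getSubjectX500Principal().getName());
            }
        } finally {
            if (pin != null) Arrays.fill(pin, '\0'); // do not leave the PIN in memory
        }
    }
}
```

Run it with the vendor module as the first argument, for example one of the pteidpkcs11.dll or opensc-pkcs11.so paths quoted in the answer above; a path that lists the signing certificate here is the one to pass as "path/to/native/lib".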
