YubiKey SpringBoot application running as system service #235

Open
nauni77 opened this issue Aug 27, 2024 · 1 comment

Comments


nauni77 commented Aug 27, 2024

Hello,
I think this is not a topic of jsign, but I hope someone can help.

I ran into this issue after implementing software for signing with Spring Boot and jsign. Connecting the stick to the server and executing the software directly on the machine works without problems.

Going to another computer, logging in to the server via SSH (stick connected) and running the application from this SSH connection results in an error. Even if I try to create a system service which runs the program, I run into the same issue.

ubuntu@ubuntu-server:~$ cat runCodeSignService.sh
#!/bin/bash
/home/ubuntu/.sdkman/candidates/java/current/bin/java -jar -Dspring.config.additional-location=file:/home/ubuntu/codesignservice.yml --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED /home/ubuntu/code-signing-service-0.1.4.jar
ubuntu@ubuntu-server:~$ ./runCodeSignService.sh

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/

 :: Spring Boot ::                (v3.3.1)

2024-08-27T20:24:25.114Z  INFO 3497 --- [codeSignService] [           main] de.company.codesignservice.App           : Starting App v0.1.4 using Java 21.0.4 with PID 3497 (/home/ubuntu/code-signing-service-0.1.4.jar started by ubuntu in /home/ubuntu)
2024-08-27T20:24:25.119Z  INFO 3497 --- [codeSignService] [           main] de.company.codesignservice.App           : No active profile set, falling back to 1 default profile: "default"
2024-08-27T20:24:26.617Z  INFO 3497 --- [codeSignService] [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port 8080 (http)
2024-08-27T20:24:26.632Z  INFO 3497 --- [codeSignService] [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2024-08-27T20:24:26.632Z  INFO 3497 --- [codeSignService] [           main] o.apache.catalina.core.StandardEngine    : Starting Servlet engine: [Apache Tomcat/10.1.25]
2024-08-27T20:24:26.664Z  INFO 3497 --- [codeSignService] [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2024-08-27T20:24:26.665Z  INFO 3497 --- [codeSignService] [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1435 ms
2024-08-27T20:24:26.747Z  INFO 3497 --- [codeSignService] [           main] d.n.c.signing.CodeSigningWithAPI         : using keystore type: YUBIKEY
2024-08-27T20:24:26.946Z  WARN 3497 --- [codeSignService] [           main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'codeSigningWithAPI': Invocation of init method failed
2024-08-27T20:24:26.950Z  INFO 3497 --- [codeSignService] [           main] o.apache.catalina.core.StandardService   : Stopping service [Tomcat]
2024-08-27T20:24:26.964Z  INFO 3497 --- [codeSignService] [           main] .s.b.a.l.ConditionEvaluationReportLogger :

Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2024-08-27T20:24:26.983Z ERROR 3497 --- [codeSignService] [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'codeSigningWithAPI': Invocation of init method failed
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:222) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:422) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1780) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:600) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:522) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:337) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:335) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:975) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:962) ~[spring-context-6.1.10.jar!/:6.1.10]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:624) ~[spring-context-6.1.10.jar!/:6.1.10]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.3.1.jar!/:3.3.1]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:754) ~[spring-boot-3.3.1.jar!/:3.3.1]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:456) ~[spring-boot-3.3.1.jar!/:3.3.1]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:335) ~[spring-boot-3.3.1.jar!/:3.3.1]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1363) ~[spring-boot-3.3.1.jar!/:3.3.1]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1352) ~[spring-boot-3.3.1.jar!/:3.3.1]
	at de.company.codesignservice.App.main(App.java:14) ~[!/:0.1.4]
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:580) ~[na:na]
	at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:91) ~[code-signing-service-0.1.4.jar:0.1.4]
	at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:53) ~[code-signing-service-0.1.4.jar:0.1.4]
	at org.springframework.boot.loader.launch.JarLauncher.main(JarLauncher.java:58) ~[code-signing-service-0.1.4.jar:0.1.4]
Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
	at net.jsign.YubiKey.getSunPKCS11Configuration(YubiKey.java:69) ~[jsign-crypto-7.0-SNAPSHOT.jar!/:na]
	at net.jsign.YubiKey.getProvider(YubiKey.java:48) ~[jsign-crypto-7.0-SNAPSHOT.jar!/:na]
	at net.jsign.KeyStoreType$10.getProvider(KeyStoreType.java:257) ~[jsign-crypto-7.0-SNAPSHOT.jar!/:na]
	at net.jsign.KeyStoreBuilder.provider(KeyStoreBuilder.java:272) ~[jsign-crypto-7.0-SNAPSHOT.jar!/:na]
	at net.jsign.KeyStoreBuilder.build(KeyStoreBuilder.java:285) ~[jsign-crypto-7.0-SNAPSHOT.jar!/:na]
	at de.company.codesignservice.signing.CodeSigningWithAPI.initialize(CodeSigningWithAPI.java:59) ~[!/:0.1.4]
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:580) ~[na:na]
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMethod.invoke(InitDestroyAnnotationBeanPostProcessor.java:457) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:401) ~[spring-beans-6.1.10.jar!/:6.1.10]
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:219) ~[spring-beans-6.1.10.jar!/:6.1.10]
	... 23 common frames omitted
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
	at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_GetSlotList(Native Method) ~[jdk.crypto.cryptoki:na]
	at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_GetSlotList(PKCS11.java:1701) ~[jdk.crypto.cryptoki:na]
	at net.jsign.YubiKey.getTokenSlot(YubiKey.java:81) ~[jsign-crypto-7.0-SNAPSHOT.jar!/:na]
	at net.jsign.YubiKey.getSunPKCS11Configuration(YubiKey.java:64) ~[jsign-crypto-7.0-SNAPSHOT.jar!/:na]
	... 33 common frames omitted

ubuntu@ubuntu-server:~$

Running yubico-piv-tool -astatus directly on the machine works fine, but connecting to the server via SSH and executing it there fails. Because of this, I think this is not a jsign issue, but maybe you have an idea how to fix this.

$ yubico-piv-tool -astatus
Failed to connect to yubikey: Error in PCSC call.
Try removing and reconnecting the device.

Thanks in advance, Oli


nauni77 commented Aug 28, 2024

I think the reason is the permissions of the different TTYs. With SSH or as a service you get a /dev/pts/0, which seems to have no permission to access the sign stick. And if you log in to the system, /dev/tty1 is used.

Using sudo to start the application or starting the service as the root user works.

Is this a general problem with signing sticks?
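The working fix in this thread is to run the service as root. As an added example (not from the issue, and not jsign's or the project's code), the script below renders the least-privilege alternative: a systemd unit that runs the issue's exact command line under a dedicated unprivileged user, plus a polkit rule that grants only that user pcscd's card-access actions. It assumes the usual reason a non-root user outside an active local seat session gets "Error in PCSC call" on Ubuntu is pcscd's polkit policy (allowed for active sessions only); the issue does not confirm this, and the user name codesign and the file names under /etc are placeholders.

```shell
# Added example, not from the issue or jsign: run the signing service as a
# dedicated unprivileged user (placeholder "codesign") and grant only that
# user card access via pcscd's polkit actions, instead of the root workaround.
# Assumption (not confirmed by the issue): pcscd here is built with polkit
# and denies non-root users outside an active local session.
set -eu
SERVICE_USER="${1:-codesign}"
# polkit rule allowing the service user the two pcsc-lite actions.
render_polkit_rule() {
  local user="$1"
  cat <<EOF
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
         action.id == "org.debian.pcsc-lite.access_card") &&
        subject.user == "${user}") {
        return polkit.Result.YES;
    }
});
EOF
}
# systemd unit with the issue's command line; User=root is the weak setting
# this replaces. The jar and yml must be readable by the service user.
render_unit() {
  local user="$1"
  cat <<EOF
[Unit]
Description=Code signing service (jsign, YubiKey)
After=network.target pcscd.socket
Wants=pcscd.socket
[Service]
User=${user}
Group=${user}
ExecStart=/home/ubuntu/.sdkman/candidates/java/current/bin/java \\
  -Dspring.config.additional-location=file:/home/ubuntu/codesignservice.yml \\
  --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED \\
  -jar /home/ubuntu/code-signing-service-0.1.4.jar
NoNewPrivileges=yes
PrivateTmp=yes
[Install]
WantedBy=multi-user.target
EOF
}
if [ "${2:-}" = "--install" ]; then   # only touch /etc when asked (placeholder file names)
  render_polkit_rule "$SERVICE_USER" > /etc/polkit-1/rules.d/49-codesign-pcsc.rules
  render_unit "$SERVICE_USER" > /etc/systemd/system/codesign.service
  systemctl daemon-reload
else
  render_polkit_rule "$SERVICE_USER"; render_unit "$SERVICE_USER"
fi
```

Before relying on the rule, confirm that polkit actually governs card access on the host with `pkaction --verbose --action-id org.debian.pcsc-lite.access_card`; if the action is absent, the assumption above does not hold and the cause must be looked for elsewhere.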
