
Problem with v0.18.0 and pkcs11interop.net library #1455

Closed
f4b0 opened this issue Aug 21, 2018 · 21 comments
Comments

@f4b0

f4b0 commented Aug 21, 2018

Problem Description

Hello, I am using the OpenSC PKCS11-Spy.dll with the pkcs11interop.net library v4.0.0.2 (https://www.pkcs11interop.net/).
The hardware I have is a Yubikey 4 which is connected to a Windows 10 Pro machine.

I want to read the token serial to identify the right token for the required service.
With OpenSC version 0.17.0 the pkcs11interop.net library works fine but I don't see the token serial number, only "000000".

I found a bugfix in the change log of OpenSC version 0.18.0 which should solve the serial number problem.

When I install the new OpenSC v0.18.0 I can't run my application any more. I always get the same error message when I try to load the PKCS11-Spy.dll with pkcs11interop.net.

Error Message:

Net.Pkcs11Interop.Common.Pkcs11Exception wurde nicht von Benutzercode behandelt.
HResult=-2146233088
Message=Method C_GetFunctionList returned CKR_GENERAL_ERROR
Method=C_GetFunctionList
Source=Pkcs11Interop
StackTrace:
bei Net.Pkcs11Interop.LowLevelAPI41.Delegates.InitializeWithGetFunctionList(IntPtr libraryHandle)
bei Net.Pkcs11Interop.LowLevelAPI41.Delegates..ctor(IntPtr libraryHandle, Boolean useGetFunctionList)
bei Net.Pkcs11Interop.LowLevelAPI41.Pkcs11..ctor(String libraryPath)
bei Net.Pkcs11Interop.HighLevelAPI41.Pkcs11..ctor(String libraryPath, AppType appType)
bei Net.Pkcs11Interop.HighLevelAPI.Pkcs11..ctor(String libraryPath, AppType appType)
InnerException:

Proposed Resolution

Steps to reproduce

Logs

opensc-tool -l:

Detected readers (pcsc)
Nr. Card Features Name
0 Yes Broadcom Corp Contacted SmartCard 0
1 Yes Broadcom Corp Contactless SmartCard 0
2 Yes Yubico Yubikey 4 OTP+U2F+CCID 0

opensc-tool -n -r 2

Yubikey 4

opensc-tool --info

OpenSC 0.18.0 [Microsoft 1800]
Enabled features:pcsc openssl zlib
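An added example, not part of this report or of Pkcs11Interop: decoding CK_TOKEN_INFO.serialNumber with ctypes and selecting a token by serial while refusing to match the blank or "000000" placeholder, so an unreported serial can never silently select the wrong key. The struct layout is the standard PKCS#11 v2 CK_TOKEN_INFO; make_info and its sample labels and serials are constructed for illustration.

```python
r"""Pick a PKCS#11 token by serial without trusting a placeholder serial.

With OpenSC 0.17.0 the reporter sees only "000000" as the token serial.
Matching on such a value would select whichever token is enumerated first,
so token_serial() maps blank or all-zero serials to None and select_slot()
never matches None. Layout follows the PKCS#11 v2.x CK_TOKEN_INFO struct;
c_ulong matches CK_ULONG on both Windows and Linux.
"""
import ctypes


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_TOKEN_INFO(ctypes.Structure):
    _pack_ = 1  # pkcs11.h packs Cryptoki structs to 1 byte on Windows
    _fields_ = [
        ("label", ctypes.c_ubyte * 32),
        ("manufacturerID", ctypes.c_ubyte * 32),
        ("model", ctypes.c_ubyte * 16),
        ("serialNumber", ctypes.c_ubyte * 16),
    ] + [(name, ctypes.c_ulong) for name in (
        "flags", "ulMaxSessionCount", "ulSessionCount", "ulMaxRwSessionCount",
        "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen", "ulTotalPublicMemory",
        "ulFreePublicMemory", "ulTotalPrivateMemory", "ulFreePrivateMemory")
    ] + [
        ("hardwareVersion", CK_VERSION),
        ("firmwareVersion", CK_VERSION),
        ("utcTime", ctypes.c_ubyte * 16),
    ]


def _padded(field):
    """Cryptoki char arrays are blank-padded, not NUL-terminated."""
    return bytes(field).decode("ascii", "replace").rstrip(" \x00")


def token_serial(info):
    """Serial as a string, or None when the token did not report one."""
    serial = _padded(info.serialNumber)
    return None if serial == "" or set(serial) == {"0"} else serial


def select_slot(infos, wanted_serial):
    """Index of the token whose real serial equals wanted_serial, else None."""
    for idx, info in enumerate(infos):
        serial = token_serial(info)
        if serial is not None and serial == wanted_serial:
            return idx
    return None


def make_info(label, serial):
    """Constructed CK_TOKEN_INFO (sample data, not read from a token)."""
    info = CK_TOKEN_INFO()
    info.label = (ctypes.c_ubyte * 32)(*label.ljust(32).encode("ascii"))
    info.serialNumber = (ctypes.c_ubyte * 16)(*serial.ljust(16).encode("ascii"))
    return info
```

In a real application the CK_TOKEN_INFO instances come from C_GetTokenInfo for each slot; the selection logic is the same.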

@frankmorgner
Member

Your stack trace seems incomplete...

If you're talking about the NEWS comment

  • Cope with empty serial number in TokenInfo
    This is only relevant for opensc-pkcs11.dll, not for pkcs11_spy.dll.

Can the problem be reproduced only with OpenSC tools e.g. the combination of pkcs11-tool, pkcs11_spy and opensc-pkcs11.dll?

@frankmorgner
Member

pkcs11_spy returns CKR_GENERAL_ERROR when the spied-on module can't be loaded:

```c
modhandle = C_LoadModule(module, &po);
if (modhandle && po) {
    fprintf(spy_output, "Loaded: \"%s\"\n", module);
}
else {
    po = NULL;
    free(pkcs11_spy);
    rv = CKR_GENERAL_ERROR;
}
```

Have you configured the correct PKCS#11 library for the correct architecture?

@f4b0
Author

f4b0 commented Aug 21, 2018

Yes, I am using the 32-bit version and my application also runs on 32-bit.
It works when I go back to version 0.17.0.

> Can the problem be reproduced only with OpenSC tools e.g. the combination of pkcs11-tool, pkcs11_spy and opensc-pkcs11.dll?

I am not sure how to do this. Do you have a sample?

@f4b0
Author

f4b0 commented Aug 21, 2018

When I run "opensc-tool --serial -r 2" I get the following message

sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed

@frankmorgner
Member

Try something like pkcs11-tool --module=pkcs11-spy.dll -t -l with "spying" set to your proprietary PKCS#11 provider.

@f4b0
Author

f4b0 commented Aug 24, 2018

Hi, thanks for your support!
I cannot find a pkcs11.dll from Yubico which works. I tried the following:

pkcs11-tool.exe --module=C:\temp\PivTool\bin\libykcs11-1.dll -t -l

sc_dlopen failed: LoadLibrary/GetProcAddress failed
error: Failed to load pkcs11 module
Aborting.

When I run it without the module flag I get the following:
pkcs11-tool.exe -t -l

Using slot 2 with a present token (0x8)
Logging in to "********".
Please enter User PIN: C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only for RSA)
testing key 0 (PIV AUTH key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Unwrap: not implemented
Decryption (currently only for RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
No errors

@frankmorgner
Member

Yubico recommends OpenSC as PKCS#11 provider. Its own implementation is known to be buggy.

opensc-pkcs11.dll is what you're using when executing pkcs11-tool.exe -t -l. This seems to work as expected.

libykcs11-1.dll cannot be loaded. This is the same problem which you've previously experienced with pkcs11-spy.dll. I am still suspecting a mismatch in the architecture...

@frankmorgner
Member

What's your exact setup? I can check the problem with loading the module via pkcs11-tool.exe...

@f4b0
Author

f4b0 commented Aug 28, 2018

Hi, sorry for the delay.

I am running

  • Win10 Pro 64bit
  • Visual Studio 2015, .net 4.6.1, x86
  • Pkcs11Interop 4.0.0.2 (nuget package)
  • OpenSC 32bit 0.18.0

this is my test code:
```csharp
// Verbatim string: the path contains backslashes that would otherwise be invalid escapes
string lib = @"C:\Program Files (x86)\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll";
Pkcs11 pkcs11 = new Pkcs11(lib, Settings.AppType);

Slot slot = Helpers.GetUsableSlot("PIV Card Holder pin (PIV_II)", pkcs11);

// Open RW session
Session session = slot.OpenSession(SessionType.ReadWrite);

// Login as normal user
//session.Login(CKU.CKU_USER, "******"); //Sensor

// Login as normal user
session.Login(CKU.CKU_USER, "******"); //CCON RND

// Prepare attribute template that defines search criteria
List<ObjectAttribute> objectAttributes = new List<ObjectAttribute>();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_ID, new byte[] { 1 }));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));

// Initialize searching
session.FindObjectsInit(objectAttributes);

// Get search results
List<ObjectHandle> foundObjects = session.FindObjects(2);

// Terminate searching
session.FindObjectsFinal();

// Sign data
Mechanism mechanism = new Mechanism(CKM.CKM_RSA_PKCS);

byte[] pkcs1PreFix = new byte[] { 0x00, 0x00, 0x00 /* etc... */ };
//  byte[] combinedByteArray = Combine(pkcs1PreFix, hash);

//   signature = session.Sign(mechanism, foundObjects.First(), combinedByteArray);

session.Logout();
```

When I run the code with OpenSC v0.17.0 it works but I am not able to read the serial of the key.
When I run the code with OpenSC v0.18.0 I get the error message:

Net.Pkcs11Interop.Common.Pkcs11Exception wurde nicht von Benutzercode behandelt.
HResult=-2146233088
Message=Method C_GetFunctionList returned CKR_GENERAL_ERROR
Method=C_GetFunctionList
Source=Pkcs11Interop
StackTrace:
bei Net.Pkcs11Interop.LowLevelAPI41.Delegates.InitializeWithGetFunctionList(IntPtr libraryHandle)
bei Net.Pkcs11Interop.LowLevelAPI41.Delegates..ctor(IntPtr libraryHandle, Boolean useGetFunctionList)
bei Net.Pkcs11Interop.LowLevelAPI41.Pkcs11..ctor(String libraryPath)
bei Net.Pkcs11Interop.HighLevelAPI41.Pkcs11..ctor(String libraryPath, AppType appType)
bei Net.Pkcs11Interop.HighLevelAPI.Pkcs11..ctor(String libraryPath, AppType appType)
InnerException:

@dengert
Member

dengert commented Aug 28, 2018

SPY first tries to set the output file using the environment variable "PKCS11SPY_OUTPUT".
If that is not set, it will look in the registry:
HKEY_LOCAL_MACHINE, "Software\OpenSC Project\PKCS11-Spy" or
HKEY_CURRENT_USER, "Software\OpenSC Project\PKCS11-Spy"
for "Output".
If that does not work it uses stderr.

So first start with looking for the output. It will log something.

SPY needs to know the name of the real PKCS11 library.
It will look for the environment variable PKCS11SPY or on Windows will look in the registry:
HKEY_LOCAL_MACHINE, "Software\OpenSC Project\PKCS11-Spy" or
HKEY_CURRENT_USER, "Software\OpenSC Project\PKCS11-Spy"
for "Module".

If it can not load the module it returns CKR_GENERAL_ERROR.
If it can load it, it will fprintf(spy_output, "Loaded: \"%s\"\n", module);

C_GetFunctionList is the first PKCS11 call for all applications. I suspect it can not find the opensc-pkcs11.dll or it will not load.
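A small diagnostic, added here and not OpenSC's or Pkcs11Interop's own code, that follows the lookup order described above (PKCS11SPY first, then the registry "Module" value on Windows) and then reports separately whether the spied-on library cannot be loaded at all or loads but does not export C_GetFunctionList. It assumes Python 3 with ctypes; the registry key and value names are the ones given in the comment above.

```python
r"""Diagnose why pkcs11-spy's C_GetFunctionList returns CKR_GENERAL_ERROR.

Follows the lookup order described above: the PKCS11SPY environment
variable first, then (Windows only) the "Module" value under
Software\OpenSC Project\PKCS11-Spy. It then loads that library and looks
for C_GetFunctionList, so "library (or a dependency) not loadable" and
"loaded but symbol missing" are reported separately.
"""
import ctypes
import os
import sys

CKR_OK = 0x00
CKR_GENERAL_ERROR = 0x05  # what pkcs11-tool printed as "C_GetFunctionList failed 5"
REG_SUBKEY = r"Software\OpenSC Project\PKCS11-Spy"


def resolve_spied_module(env=None):
    """Return the module path pkcs11-spy would try, or None if unconfigured."""
    env = os.environ if env is None else env
    path = env.get("PKCS11SPY")
    if path:
        return path
    if sys.platform == "win32":
        import winreg
        for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
            try:
                with winreg.OpenKey(hive, REG_SUBKEY) as key:
                    return winreg.QueryValueEx(key, "Module")[0]
            except OSError:
                continue
    return None


def probe_module(path):
    """Return (rv, reason): rv is CKR_OK or CKR_GENERAL_ERROR."""
    if path is None:
        return CKR_GENERAL_ERROR, "no module configured (PKCS11SPY / registry Module)"
    try:
        lib = ctypes.CDLL(path)  # LoadLibrary on Windows, dlopen elsewhere
    except OSError as exc:
        # Also hit when the DLL exists but one of its own dependencies is
        # not on the search path (the libykcs11-1.dll case in this thread).
        return CKR_GENERAL_ERROR, f"library load failed: {exc}"
    if not hasattr(lib, "C_GetFunctionList"):
        return CKR_GENERAL_ERROR, "loaded, but C_GetFunctionList is not exported"
    return CKR_OK, f'Loaded: "{path}"'


if __name__ == "__main__":
    rv, why = probe_module(resolve_spied_module())
    print(f"rv={rv:#04x} {why}")
```

Run it with the same environment (and bitness) as the failing application, since a 64-bit Python will not load a 32-bit DLL.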

@f4b0
Author

f4b0 commented Aug 29, 2018

The only thing I can see in the pkcs11-spy.log is

*************** OpenSC PKCS#11 spy *****************

Below you can see my environment variable setup and the path to the dll.
[screenshot]

I think that looks OK but I still get the same error.

@dengert
Member

dengert commented Aug 29, 2018

OpenSC Windows developers need to look at:
(1) Nightly Windows builds are incomplete and will not install.
(2) pkcs11-spy.dll not installed in 0.18.0.
(3) Paths to opensc-pkcs11.dll changed in 0.18.0, causing the Firefox and Thunderbird security device path to change. The DLL is then found and can see the reader, but crashes when a card is inserted.

Well, I had been running with 0.17.0 on Windows 10 Pro 64, with 1803 installed in May. In 0.17.0 the registry was as above, and the opensc-pkcs11.dll was in system32.

But today I tried to install the nightly build https://github.com/OpenSC/Nightly/blob/2018-08-27_b5a6f9aa/OpenSC-win32_vs14-Release.msi. It was only 56kb (too small) and would not install.

So trying https://github.com/OpenSC/OpenSC/releases/download/0.18.0/OpenSC-0.18.0-win32_vs12-Release.msi (the current 0.18.0): it installed, but pkcs11-spy.dll was not installed and opensc-pkcs11.dll was installed in a different location, as shown in your screen shot above.

So I do not have a pkcs11-spy.dll but you do. Not sure why you do and I don't. And my Firefox and Thunderbird need to be updated for the new locations. Changing the security device path to point to the new opensc-pkcs11.dll, it can see the reader, but Thunderbird crashes when a smart card is inserted.

IIRC, the opensc-pkcs11 used to be installed in system32 for security reasons, so LSA could use them during login.

From your pkcs11-spy log, it looks like SPY loaded, but it could not load the opensc-pkcs11.dll.

With the new path in the Thunderbird security device, it can see the reader, but crashes when a smart card is inserted.

@f4b0
Author

f4b0 commented Aug 29, 2018

OK, I tried more things with different OpenSC 32-bit versions and my Yubikeys.

Problem 1:
The result of the following command in v0.17.0:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --modul="c:\Program Files (x86)\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll" -t
Using slot 2 with a present token (0x8)
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signature: not a R/W session, skipping signature tests
Verify: not a R/W session, skipping verify tests
Key unwrap: not a R/W session, skipping key unwrap tests
Decryption: not a R/W session, skipping decryption tests
No errors

When I run the same command on the same machine but with v0.18.0 I get the following output.

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module="c:\Program Files (x86)\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll" -t
sc_dlopen failed: LoadLibrary/GetProcAddress failed
C_GetFunctionList failed 5error: Failed to load pkcs11 module
Aborting.

That means I have to use v0.17.0 because v0.18.0 makes trouble anyway, OK.
So I switched back to v0.17.0.

Problem 2:
I cannot read the serial number of the Yubikey. I need this because there are more keys connected to the system for different services.

When i run the command to list the readers:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>opensc-tool.exe -l
Detected readers (pcsc)
Nr. Card Features Name
0 Yes Broadcom Corp Contacted SmartCard 0
1 Yes Broadcom Corp Contactless SmartCard 0
2 Yes Yubico Yubikey 4 OTP+U2F+CCID 0

Looks good, OK, but when I try to read the serial number from my Yubikey I get the following.

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>opensc-tool.exe --serial -r2
sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed

@dengert
Member

dengert commented Aug 29, 2018

Let me correct some of the statements above.
I must have downloaded the nightly builds incorrectly. Downloading the full zip file with all the releases
appears to have the full MSI files.

The missing pkcs11-spy may be caused by using "Typical". "Custom" appears to have installed it.

But I am not finding the opensc-pkcs11.dll in either system32 or OpenSC-Project. Still looking.

@frankmorgner
Member

libykcs11-1.dll requires more libraries that are in the same directory. Please make sure that your working directory is the same directory where these dependencies are located, or move them to the SYSTEMWOW32 folder.

Again, please note that Yubico recommends OpenSC in favor of libykcs11-1.dll! So you shouldn't use it in the first place.

@dengert
Member

dengert commented Aug 30, 2018

See this comment:
#1461 (comment)
It should fix your problem.

@f4b0
Author

f4b0 commented Aug 31, 2018

Hi, I installed the software from the link above and I still have the same problem.
I tried the following:

opensc-tool.exe --info

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>opensc-tool.exe --info
OpenSC 0.19.0 [Microsoft 1900]
Enabled features:pcsc openssl zlib

opensc-tool.exe --serial

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>opensc-tool.exe --serial
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 0
sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed

pkcs11-tool.exe --module="c:\Program Files (x86)\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll" -t

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module="c:\Program Files (x86)\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll" -t
sc_dlopen failed: LoadLibrary/GetProcAddress failed
C_GetFunctionList failed 5error: Failed to load pkcs11 module
Aborting.

pkcs11-tool.exe -t

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe -t
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signature: not a R/W session, skipping signature tests
Verify: not a R/W session, skipping verify tests
Key unwrap: not a R/W session, skipping key unwrap tests
Decryption: not a R/W session, skipping decryption tests
No errors

content of pkcs11-spy.txt log

*************** OpenSC PKCS#11 spy *****************

Can i do more tests? Thanks

@dengert
Member

dengert commented Aug 31, 2018

Spy can not find the opensc-pkcs11.dll to load. See #1464.
Not sure if this same issue applies to 0.18.0.

A simple solution for now would be to use regedit to change the Module path to be in the pkcs11 directory rather than the minidriver directory in:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\OpenSC Project\PKCS11-Spy
HKEY_LOCAL_MACHINE\SOFTWARE\OpenSC Project\PKCS11-Spy

This may also work to test with Pkcs11Interop.

You may also need to add to registry Output to point to a writable file for the spy log.

You may want to test signatures, so add --login to pkcs11-tool test:
pkcs11-tool.exe -t --login

@frankmorgner
Member

Here is what I did on Win10 Pro 64bit with win32 installer of 0.19.0-rc1 and Yubikey NEO CCID:

cd yubico-piv-tool-1.6.1-win32\bin
set PKCS11SPY=libykcs11-1.dll
"C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11-tool.exe" --test --module="C:\Program Files (x86)\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll"

It errors on random number generation (it does not fail to load the module), which doesn't seem to be implemented by libykcs11-1.dll. Hence, I cannot reproduce the first of your problems; everything works as expected for me.

This is what I did to check your second problem:

"C:\Program Files (x86)\OpenSC Project\OpenSC\opensc-tool.exe" --serial

It prints the serial number as expected. Hence, I cannot reproduce the second of your problems.

If I'm not mistaken, the Yubikey doesn't expose PIV/PGP when in U2F mode. Have you ever initialized your token with keys and certificates as described by Yubico? Please consult Yubico for support!

@mouse07410
Contributor

  1. ykcs11 should be used only to generate keys with Yubikey-specific attributes. For everything else - opensc-pkcs11.

  2. I'm not sure what you mean by "U2F mode". My Yubikeys do all three (PIV, OpenPGP, U2F) - but of course on different web sites. I.e., a site that requires PIV auth won't use U2F, and vice versa.

And they are implemented by different applets on the token.

@dengert
Member

dengert commented Aug 31, 2018

Sounds like 3 different issues:

Trying to get SPY to work so we can see more.

Is your card initialized? pkcs11-tool --test --login would show, with or without spy. If not initialized, how to initialize the card with PIV (or OpenPGP) and keys and certificates. (The serial number for PIV comes from the CHUID, which the Yubico-piv-tool can generate.)

Getting Pkcs11Interop to use the OpenSC PKCS11 module with a properly initialized card.
