SC-HSM PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5) on OpenSC 0.21 & 0.22 #2493
Comments
It could be related to: #2469
Hi, I have the same issue on my Mac Mini running macOS 10.15.7 Catalina with OpenSC 0.22.0. With OpenSC 0.20.0 it's working and I can use my smartcard for login. I investigated this issue with two partitions on my Mac - one my current working partition with OpenSC 0.20.0, second a fresh Catalina-installation with OpenSC 0.22.0. I used my Siemens Employee Smartcard with an Omnikey CardMan 3121 USB card reader. The command line used reads as follows: The log of the terminal output can be found in the following files: opensc_debug5_20.txt As far as I can understand the debug output the problem seems to start after the input of the User PIN (See line 3039 in opensc_debug5_20.txt and line 3176 in opensc_debug5_22.txt). The code of 0.20.0 calls 'card-cardos.c:cardos_pin_cmd' and sends the PIN to the smart card (Outgoing/Incoming APDU with PIN) whereas 0.22.0 returns directly from 'sec.c:sc_pin_cmd' with 'success/code 0'. This is the most obvious difference I could find - hopefully I could save some work for you. Best regards and many thanks for OpenSC so far :-) Matthias
The problem is not with the PIN. d06f23e is covering up the fact that the debug was turned off at this point. It should at least log that it is turning off debugging, and log when it turns it back on. @frankmorgner can you look at this? The real problem is with line 3905 Line 21:
The "Assuming that the reader supports transceiving short length APDUs only" may be a problem too, as the failing command is using extended APDU. line 92 in one and 98 the other:
db41cd9ab was the last big commit in 2020, but prior to this from 2005, 2006, where in card-cardos.c: In both dumps the outgoing APDU There are two different readers https://ccid.apdu.fr/#readers says the 076B:3021 (same vid:pid) for both do not support extended APDU. But one of them does or some lower level code is handling it. Mac Mini vs two partitions on your Mac could be an issue. Different pcsc or ccid drivers
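The comment above turns on whether a command APDU is short or extended and whether the reader can carry it. As an added example (not OpenSC code and not from the thread), this C program classifies a command APDU by its ISO/IEC 7816-4 length encoding and checks it against a reader capability flag; the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* ISO/IEC 7816-4 command APDU: short (1-byte Lc/Le) or extended (0x00 + 2 bytes). */
enum apdu_kind { APDU_INVALID, APDU_SHORT, APDU_EXTENDED };
struct apdu_info { enum apdu_kind kind; size_t lc, le; };
static struct apdu_info classify_apdu(const unsigned char *b, size_t n)
{
    struct apdu_info r = { APDU_INVALID, 0, 0 };
    if (n < 4) return r;                                   /* header is CLA INS P1 P2 */
    r.kind = APDU_SHORT;
    if (n == 4) return r;                                  /* case 1: header only */
    if (n == 5) { r.le = b[4] ? b[4] : 256; return r; }    /* case 2S: Le only */
    if (b[4] != 0) {                                       /* one-byte Lc, 1..255 */
        r.lc = b[4];
        if (n == 5 + r.lc) return r;                       /* case 3S */
        if (n == 6 + r.lc) { r.le = b[n - 1] ? b[n - 1] : 256; return r; } /* 4S */
    } else if (n >= 7) {                                   /* 0x00 marker: extended */
        size_t v = ((size_t)b[5] << 8) | b[6];
        size_t e = ((size_t)b[n - 2] << 8) | b[n - 1];     /* trailing Le, used in 4E */
        r.kind = APDU_EXTENDED;
        if (n == 7) { r.le = v ? v : 65536; return r; }    /* case 2E */
        r.lc = v;
        if (v && n == 7 + v) return r;                     /* case 3E */
        if (v && n == 9 + v) { r.le = e ? e : 65536; return r; } /* case 4E */
    }
    r.kind = APDU_INVALID; r.lc = r.le = 0; return r;      /* lengths do not add up */
}

/* A reader limited to short APDUs cannot carry an extended one as-is. */
static int reader_can_send(struct apdu_info a, int ext_ok)
{ return a.kind == APDU_SHORT || (a.kind == APDU_EXTENDED && ext_ok); }

/* Constructed sample (not from the logs): 256 data bytes, the size of one
 * RSA-2048 block and one more than a short Lc can express, with Le = 256. */
static size_t build_sample_extended(unsigned char *out)
{
    static const unsigned char hdr[] = { 0x00, 0x2A, 0x9E, 0x9A, 0x00, 0x01, 0x00 };
    memcpy(out, hdr, sizeof hdr);
    memset(out + sizeof hdr, 0xAA, 256);                   /* placeholder data */
    out[sizeof hdr + 256] = 0x01; out[sizeof hdr + 257] = 0x00;
    return sizeof hdr + 258;
}

int main(void)
{
    unsigned char buf[265];
    struct apdu_info a = classify_apdu(buf, build_sample_extended(buf));
    printf("kind=%d lc=%zu le=%zu short_only_ok=%d\n", a.kind, a.lc, a.le, reader_can_send(a, 0));
    return 0;
}
```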
Hmm... I must admit I really forgot that I installed a quite old driver (Release date 15 Jan 2018) from Omnikey on my main partition whereas on the freshly installed OS I did not and tried to use whatever macOS uses for this device. The reader is of course always the same (i.e. identical) device and it is labeled "CardMan 3121" on the housing of the reader. Probably the OmniKey-driver only knows about a 3021 device - predecessor device perhaps. Can I determine if the driver is still working? Anyway - the mentioned driver is still available for download: Thanks for reading the logs and for your explanation. Regards - Matthias
OK, now it becomes embarrassing: Installing the driver solved the problem. All certificates on the card are recognised and I was asked to link the authentication certificate to my user account. I'm still not asked for the PIN at the login screen when booting from the 'fresh-install-partition', but I'm sure that's a macOS problem - on my main partition I will be asked for the PIN. The card reader is still not listed in the keychain.app as described in the OpenSC-Wiki for macOS, but that's more a blemish(?). Again thank you very much for your support, Doug.
Hello
Issue resolved
Hello Community & Support,
I have a SmartCard-HSM with an RSA 2048-bit key and certificate which fails with pkcs11-tool (OpenSC version 0.21 & 0.22), and I receive
PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5) on OpenSC 0.21 & 0.22
but works perfectly fine with pkcs11-tool (OpenSC version 0.15)
################################################################
OUTPUT on OpenSC 0.21 & 0.22 on Debian 11
pkcs11-tool -l -t
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only for RSA)
testing key 0 (httpdcert)
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
################################################################
################################################################
OUTPUT on OpenSC 0.15 on Windows Server 2019
C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe -t -l
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 2022-01-20 12:34:47.201 cannot lock memory, sensitive data may be paged to disk
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (httpdcert)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
Verify (currently only for RSA):
testing key 0 (httpdcert)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Unwrap: not implemented
Decryption (RSA)
testing key 0 (httpdcert)
RSA-X-509: OK
RSA-PKCS: OK
No errors
C:\Program Files (x86)\OpenSC Project\OpenSC\tools>