
Signing Data using Private key #2880

Closed
nshah2588 opened this issue Sep 28, 2023 · 8 comments

Comments

@nshah2588

Hello,

We are trying to sign some data using a private key stored on the token.

As per this link:

https://gist.github.com/Jakuje/5a993d2b2d8a9cac35203599e49e6831

we created a command as below:

cat data | pkcs11-tool --id $ID -s -p $PIN -m RSA-PKCS > data.sig

When we run this command we are getting the below response:

Using slot 0 with a present token (0x0)
Using signature algorithm RSA-PKCS
error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7)
Aborting.

Not sure what we are missing.

Please advise.

@popovec
Member

popovec commented Sep 28, 2023

I list the keys available on the token:

$ pkcs11-tool -O -l
Using slot 0 with a present token (0x0)
Logging in to "MyEID".
Please enter User PIN: 
Private Key Object; RSA 
  label:      Private Key
  ID:         fb537f1d7907d2ff576962fb869e3eee7e7ed384
  Usage:      decrypt, sign
  Access:     none
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         fb537f1d7907d2ff576962fb869e3eee7e7ed384
  Usage:      encrypt, verify
  Access:     none

Data signing with the RSA-PKCS mechanism must respect the key length (modulus). For a 2048-bit key, for example, this works (replace XXXXX with your PIN and change the key ID to the one for your key, as found in the listing in the example above):

dd if=data bs=128 count=1 |pkcs11-tool --id fb537f1d7907d2ff576962fb869e3eee7e7ed384 -s -p XXXXX -m RSA-PKCS

@nshah2588
Author

Here is my response from my token:

Using slot 0 with a present token (0x0)
Logging in to "token".
Please enter User PIN: 
Private Key Object; RSA 
  label:      
  ID:         e56e4386b0401cb9fb538bb8797a65520fb32d6e
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable
Public Key Object; RSA 2048 bits
  label:      
  ID:         e56e4386b0401cb9fb538bb8797a65520fb32d6e
  Usage:      encrypt, verify, wrap
  Access:     none
Certificate Object; type = X.509 cert
  label:      Class3 Individual Test
  subject:    DN: C=IN, xxxxxxxxxxxx
  serial:     6EC3057A41
  ID:         e56e4386b0401cb9fb538bb8797a65520fb32d6e
Profile object 2491681568
  profile_id: CKP_PUBLIC_CERTIFICATES_TOKEN (4)

So my command should be:

dd if=data bs=128 count=1 |pkcs11-tool --id e56e4386b0401cb9fb538bb8797a65520fb32d6e -s -p XXXXX -m RSA-PKCS

where XXXXX is the PIN. Correct?

@nshah2588
Author

Tried it either way.

$ dd if=data bs=128 count=1 |pkcs11-tool --id e56e4386b0401cb9fb538bb8797a65520fb32d6e -s -p xxxxxxx -m RSA-PKCS
1+0 records in
1+0 records out
128 bytes copied, 2.9787e-05 s, 4.3 MB/s
Using slot 0 with a present token (0x0)
Using signature algorithm RSA-PKCS
error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7)
Aborting.

@popovec
Member

popovec commented Sep 28, 2023

Here is another example (the mechanism has been changed to SHA1-RSA-PKCS, which allows us to sign data of any size):

pkcs11-tool -i data --id fb537f1d7907d2ff576962fb869e3eee7e7ed384 -s -m SHA1-RSA-PKCS -o signature

The switches -i and -o are used to specify the input file and the file where the resulting signature will be written.

Any problem can only be clarified through the debug log, which can be obtained, for example, by following this procedure:

OPENSC_DEBUG=3 pkcs11-tool -i data --id fb537f1d7907d2ff576962fb869e3eee7e7ed384 -s -m SHA1-RSA-PKCS -o signature 2>debug.log
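The two mechanisms discussed above differ only in what goes inside the PKCS#1 v1.5 signature block before the token applies the private key. The following is an added illustration (not pkcs11-tool or OpenSC code) of that block construction: RSA-PKCS places the caller's bytes directly into the block, so the input is bounded by the modulus size minus 11 bytes of padding overhead (245 bytes for a 2048-bit key, which is why the 128-byte `dd` slice works), while SHA1-RSA-PKCS hashes the input first and wraps the digest in a fixed DigestInfo header, so any input length fits.

```python
import hashlib

# DER-encoded DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15(payload: bytes, k: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || payload for a k-byte modulus.

    PS is at least 8 bytes of 0xFF, so the payload may be at most k - 11 bytes.
    A PKCS#11 token enforces the same bound for CKM_RSA_PKCS and rejects
    oversized input instead of silently truncating it.
    """
    if len(payload) > k - 11:
        raise ValueError(
            f"payload is {len(payload)} bytes, but at most {k - 11} fit in a "
            f"{k * 8}-bit RSA-PKCS block"
        )
    padding = b"\xff" * (k - len(payload) - 3)
    return b"\x00\x01" + padding + b"\x00" + payload


def encode_rsa_pkcs(data: bytes, modulus_bits: int) -> bytes:
    """CKM_RSA_PKCS: the caller's data is the payload, so its length is bounded."""
    return emsa_pkcs1_v15(data, modulus_bits // 8)


def encode_sha1_rsa_pkcs(data: bytes, modulus_bits: int) -> bytes:
    """CKM_SHA1_RSA_PKCS: hash, wrap in DigestInfo, then pad. Any input length works."""
    digest_info = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(data).digest()
    return emsa_pkcs1_v15(digest_info, modulus_bits // 8)


def max_rsa_pkcs_input(modulus_bits: int) -> int:
    """Largest input the raw RSA-PKCS mechanism accepts for this key size."""
    return modulus_bits // 8 - 11


def raw_mechanism_accepts(data_len: int, modulus_bits: int) -> bool:
    """True if a raw RSA-PKCS sign of data_len bytes fits the modulus."""
    return data_len <= max_rsa_pkcs_input(modulus_bits)


if __name__ == "__main__":
    # Constructed sample input: a 128-byte slice like the dd example, and a large file.
    small, large = b"A" * 128, b"B" * 5000
    print(len(encode_rsa_pkcs(small, 2048)), "byte block from 128-byte input")
    print(len(encode_sha1_rsa_pkcs(large, 2048)), "byte block from 5000-byte input")
    print("raw RSA-PKCS accepts 5000 bytes:", raw_mechanism_accepts(len(large), 2048))
```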

@popovec
Member

popovec commented Sep 28, 2023

For some reason, it is not possible to select the relevant file.

P:9978; T:0x140297548293952 15:33:27.899 [opensc-pkcs11] pkcs15-sec.c:86:select_key_file: called
P:9978; T:0x140297548293952 15:33:27.899 [opensc-pkcs11] card.c:850:sc_select_file: called; type=2, path=e828bd080fa00000036364796e6964::
P:9978; T:0x140297548293952 15:33:27.899 [opensc-pkcs11] card-entersafe.c:706:entersafe_select_file: called
P:9978; T:0x140297548293952 15:33:27.899 [opensc-pkcs11] card-entersafe.c:713:entersafe_select_file: current path (aid, valid): e828bd080fa00000036364796e6964:: (len: 15)
P:9978; T:0x140297548293952 15:33:27.899 [opensc-pkcs11] card-entersafe.c:608:entersafe_select_path: returning with: -1300 (Invalid arguments)
P:9978; T:0x140297548293952 15:33:27.900 [opensc-pkcs11] card.c:872:sc_select_file: 'SELECT' error: -1300 (Invalid arguments)
P:9978; T:0x140297548293952 15:33:27.900 [opensc-pkcs11] pkcs15-sec.c:121:select_key_file: sc_select_file() failed: -1300 (Invalid arguments)
P:9978; T:0x140297548293952 15:33:27.900 [opensc-pkcs11] pkcs15-sec.c:146:use_key: Unable to select private key file

I can't advise you more in this case.

@nshah2588 nshah2588 reopened this Sep 29, 2023
@nshah2588
Author

Thank you for your feedback. We will look into this internally.

@nshah2588
Author

Hello,

Attached please find debug.log file.

We are trying to generate a key pair using the command 00 46, and while doing that, PIN verification is mandatory.

The PIN is being requested by OpenSC once and then a second time it is being picked up from the cache on Line #3161.

We want to be able to call the same PIN verification command once again right after the selection of 3F 00 (on line 3195) and before calling the 00 46 command (on line 3311).

Also, we are not able to understand why 3F 00 is selected a total of 3 times in the flow. We understand the first and second selections, but not why the command is invoked on line 3195.

Kindly advise.

debug.log

@nshah2588 nshah2588 reopened this Oct 19, 2023
@frankmorgner
Member

The PIN you entered was correct, but it obviously doesn't allow generation of a key. Maybe this is because you entered the user PIN instead of the SO PIN (depending on the card profile). If you need more advice, please open a new issue, since the original question is solved.

frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jan 12, 2024
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jan 16, 2024
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jan 30, 2024
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Feb 13, 2024