-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
C_SignFinal failed: rv = CKR_GENERAL_ERROR with pkcs11-tool --test --login --pin XXXX #2953
Comments
Can you try using 0.24.0-rc2? There are some changes in this area c182852 |
There is not a lot of information in the debug output. the The output of Did you build with OpenSSL? (what version) This could be |
OS: Linux. Bult with openssl: 3.0.4 (computer 1,initial comment) and 3.1.4 (computer 2, this comment)
pkcs11-tool --test --login --pin XXXX :
pkcs11-tool -O
pkcs11-tool -M :
|
I do not have a way to test this, but you can try:
I suspect the card does not support doing SHA-1 based on comment: If it works please submit a PR. |
well, this changed the error message
doesn't the " SHA-1: OK " line mean, sha1 works as expected? |
This part is regarding digests and they are not implemented on the card. The IDPrime cards I was working with did not allow signatures with SHA-1: OpenSC/src/libopensc/card-idprime.c Line 955 in 516493e
I would propose to give it a try with SHA2. Unfortunately, the pkcs11-tool test still insist on trying SHA1 ... I think we should change this (or use sha-1 only after trying other more reasonable digests and not treat it as an error). |
same for each of the "sign" mechanisms listed by pkcs11-tool -M |
Do you have some more information about the idprime card you have? I assume this will be a wrong object reference in the security environment (error is 6A 88, which is DATA NOT FOUND). The debug log does not show the card detection phase and driver intialization, which might show up some more useful information, but given how the key IDs are guessed now, I am not sure if we will be able to figure them our for your card without seeing what the official driver does. |
It is an employee access card. I know that it can be used for windows logins. I do not have any more technical information. How can I find out what's the difference? wireshark? or do you know an easier way? |
when using the closed source safenet driver with opensc's pkcs11-tool, it looks like that
|
Yes, the safenet driver is the one that I meant by the "official one". I see that with this driver, it looks like the only If you would be getting the PSCS trace from the safenet driver, I would be interested in APDU with instruction 0x22 (set security environment -- second byte of the APDU): OpenSC/src/libopensc/iso7816.c Line 987 in 516493e
Then I would be interested in the initialization and what makes it different from the cards supporting also other digests. The APDUs with PIN will always have the instruction 0x20 (again, second byte of APDU) so you might be certainly interested to exclude these: OpenSC/src/libopensc/iso7816.c Line 1203 in 516493e
I am not aware of any public specification for the idprime cards. What is in opensc is implemented based on the observation of safenet driver does to various cards. But most of the APDU specification is described in the ISO 7816 standard, which is neither generally available, but the most important snippets are usually possible to find through google. |
when I change OpenSC/src/libopensc/card-idprime.c Lines 450 to 451 in 516493e
from 0x41 to 0x31, pkcs11-tool can succesfully sign using this card and opensc and firefox can use the certificate as client certificate. |
I am sorry for a delay, but the reply got lost in dozens of other mails I was handling last weeks. Thank you for having a look into this. Can you post a ATR of your card ( OpenSC/src/libopensc/card-idprime.c Line 494 in 516493e
Could it be that your card is IDPrime 3810, which is using the offset 0x31 and your is just mismatched for 830 by ATR? OpenSC/src/libopensc/card-idprime.c Line 447 in 516493e
|
the SACTool from the safenet driver package identifies it as
|
Thank you for the ATR, logs and information from the SACTool. Indeed, the ATR matches the 830 version exactly. I will try to go through the log to see if I will see something different from the 380 card I have, but I will have access to it only after a new year. Hopefully we will be able to figure out something from the SACTool output too. |
What's the status of this topic, is there anything to do? |
I am looking into this now. I did not have the cards at me. When comparing the output with the card I have, I see different CPCL data (unsurprisingly), but same OS version which I use for detection of some stuff in the driver. Containermap is redacted in the log but I am not sure if it can have something useful. While looking through the index file, there are some so far unknown objects for me.
I (and opensc now) understand only the last object (kxc00), which is the key object. My card has also the So from here we are left with the pinh file (this could contain some pin label or something, but I would need to see the content of the file. This could be collected by sending the APDU through opensc-tool:
Can you try to run this command and post the output? Other than that, my card with the same ATR reports all the other details very similar, including having a key in 02 07 DF, but the key reference is 0x41 for me. If you are ok to run the patched version of OpenSC until we will be able to figure out where does this magic number come from, thats probably the best bet for now. There still might be some APDUs that the official safenet driver sends to get information about key references, but more probably it will be just some magic number derived from some other bits where I did not find the connection yet. |
|
This is what the safenet driver is doing. Perhaps the FILE_NOT_FOUND responses influence its key reference choice.
btw, it seems to use instruction 0x21 instead of 0x20 for transmitting the pin |
This is $ opensc-tool -s "00 A4 08 00 02 02 06" -s "00 B0 00 00 00"
Interesting. I think I never saw a card to use the 0x21 for verify. According to the iso 7816-4:
Is the data field of the APDU just the PIN (potentially padded) or some more complicated structure?
Can you clarify what is the P1 value for this APDU? The iso specs do not mention any P1 value related to |
the bytes following
|
Thanks! This sounds like working also on my card:
And matches the applet version:
I am getting completely same output, so that does not sound like a difference that we could use, but certainly helpful to get some more information about applets in there. But it looks like it works also without selecting the particular file so I will add it to the driver too. So I am not sure if there would be something else I could do now. If it might help, I can provide you with a debug logs or traces from our card (as there is really nothing private on the test cards) so you can compare it to your traces, if you are interested. |
Yes, that would be great. If I had a dump of the apdu traffic between your card and the safenet driver while signing something, I could at least find out which part is relevant for the key reference selection. |
This comment was marked as off-topic.
This comment was marked as off-topic.
You have also IDPrime 380 card? Can you provide debug logs? |
No. It is Nitrokey 3C NFC. The bug is easily reproducing for me, so if you tell me how to enable debug logging, I will provide it. |
So please, in a new issue. This is about IDPrime cards. The |
@knecht Here are the APDU traces from |
Problem Description
pkcs11-tool --test --login --pin XXXX
results in
The text was updated successfully, but these errors were encountered: