pkcs11-tool: return value is 0 when signature verification fails #3058
Comments
I would say that the pkcs11-tool is not designed for security and robust scripting. You can see in the code, the pkcs11 tool implements different operations and they are executed in the code-defined order, but do not return any return value: https://github.com/OpenSC/OpenSC/blob/master/src/tools/pkcs11-tool.c#L1429 Supporting different return values for different operations would complicate stuff. The other thing is that for the signature verification, one does not need the pkcs11 tool at all. The verification usually happens in some other place where the signing smart card/token is not available. It can be done without the smart card/token, just with the public key, which can be obtained from the pkcs11-tool with |
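One way to script the off-token verification the comment above describes, with a reliable exit status instead of log parsing. This is an added example, not code from the OpenSC project or from either commenter; it assumes the token's public key has already been exported to a PEM file, and it constructs a throwaway OpenSSL RSA key pair to stand in for the token key and for the pkcs11-tool --sign output so that it runs offline.

```shell
#!/bin/sh
# Off-token signature verification with the exported public key.
# Assumption: the token's public key has already been exported to pub.pem
# (pkcs11-tool can export it; the exact flags are not shown on this page).
# To run without any token, a throwaway OpenSSL RSA key pair is constructed
# here as a stand-in for the token key (sample material, not a real key).

make_sample_keys() {   # $1 = work dir
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/priv.pem" 2>/dev/null &&
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

sign_data() {          # $1 = private key, $2 = data file, $3 = signature output
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_sig returns 0 only for a valid signature. The decision comes from
# openssl's exit status (non-zero on "Verification Failure"), so a script can
# branch on it directly instead of parsing tool output.
verify_sig() {         # $1 = public key PEM, $2 = data file, $3 = signature file
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# demo returns 0 when a good signature verifies AND a tampered file is rejected.
demo() {
  work=$(mktemp -d) || return 1
  make_sample_keys "$work" || { rm -rf "$work"; return 1; }
  printf 'release-artifact-v1\n' > "$work/data"
  sign_data "$work/priv.pem" "$work/data" "$work/data.sig" || { rm -rf "$work"; return 1; }
  if verify_sig "$work/pub.pem" "$work/data" "$work/data.sig"; then good=0; else good=1; fi
  # Tamper with the signed data: verification must now fail with a non-zero status.
  printf 'release-artifact-v2\n' > "$work/tampered"
  if verify_sig "$work/pub.pem" "$work/tampered" "$work/data.sig"; then bad=0; else bad=1; fi
  rm -rf "$work"
  [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "verification exit codes behave as expected"
```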
Just for interest .. I use the following construct in my test scripts:
|
Problem Description
Not a real issue I suppose (if it were a bug, it would have already been corrected).
This is a kind of an explanation request.
Why does pkcs11-tool not return an error code when a signature verification fails because the signature is invalid?
I haven't found anything about return error codes in the wiki.
Without an error returned, usage of pkcs11-tool in scripts is not immediate because it requires log parsing to find out whether the verification step is OK or failed.
Proposed Resolution
Return an error code for "algorithm" errors (but I could be wrong, because this could be the intended behavior)
Steps to reproduce
Logs