OpenSC / libp11

PKCS#11 wrapper library
GNU Lesser General Public License v2.1

Current master hangs up on PIN prompt (?) #123

Closed mouse07410 closed 7 years ago

mouse07410 commented 8 years ago

Mac OS X. Weird situation. I suspect it is related to cleaning the appropriate PKCS11 module. Would like help proving it (and obviously, fixing it :).

Update: it hangs after the requested operation (signature in this case) has been completed, so the signature file is produced and written to disk (before the application freezes up).

It hangs up when invoked "normally":

$ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out /tmp/derive.26192.text.sig /tmp/derive.26192.text
engine "pkcs11" set.
PKCS#11 token PIN: 
^C      [have to kill this hanging process]
$ 

When I invoke it with PKCSSPY, however, it completes correctly (PKCS11SPY=/Library/OpenSC/lib/opensc-pkcs11.dylib):

PKCS11_MODULE_PATH=/Library/OpenSC/lib/pkcs11-spy.dylib openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out /tmp/derive.74923.text.sig /tmp/derive.74923.text

*************** OpenSC PKCS#11 spy *****************
Loaded: "/Library/OpenSC/lib/opensc-pkcs11.dylib"

0: C_GetFunctionList
2016-10-13 10:30:34.223
Returned:  0 CKR_OK

1: C_Initialize
2016-10-13 10:30:34.224
[in] pInitArgs = 0x7fff560da5b0
     flags: 2
       CKF_OS_LOCKING_OK
Returned:  0 CKR_OK

2: C_GetInfo
2016-10-13 10:30:34.953
[out] pInfo: 
      cryptokiVersion:         2.20
      manufacturerID:         'OpenSC Project                  '
      flags:                   0
      libraryDescription:     'OpenSC smartcard framework      '
      libraryVersion:          0.16
Returned:  0 CKR_OK
. . . . .
87: C_Sign
2016-10-13 10:30:37.731
[in] hSession = 0x7fdbb3004e00
[in] pData[ulDataLen] 00007fdbb160be30 / 256
[out] pSignature[*pulSignatureLen] 00007fdbb2801000 / 256
Returned:  0 CKR_OK

88: C_CloseAllSessions
2016-10-13 10:30:38.402
[in] slotID = 0x0
Returned:  224 CKR_TOKEN_NOT_PRESENT

89: C_CloseAllSessions
2016-10-13 10:30:38.403
[in] slotID = 0x4
Returned:  0 CKR_OK

90: C_Finalize
2016-10-13 10:30:38.403
Returned:  0 CKR_OK
$

The resulting signature is verifiable in both cases (when it completed normally via PKCS11SPY, and when I killed the hanging openssl process):

$ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature /tmp/derive.26192.text.sig /tmp/derive.26192.text
engine "pkcs11" set.
Verified OK
$

This is probably relevant:

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: /Library/OpenSC/lib/opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.16
    token: PIV Card Holder pin (PIV_II)
        manufacturer: piv_II
        model: PKCS#15 emulated
        serial-number: 4ff5d59a2a23a8ad
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
softhsm2: /opt/local/lib/softhsm/libsofthsm2.so
    library-description: Implementation of PKCS11
    library-manufacturer: SoftHSM
    library-version: 2.1
    token: Botan PKCS#11 tests
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number: e2f49c07fc2bf221
        hardware-version: 2.1
        firmware-version: 2.1
        flags:
               rng
               login-required
               user-pin-initialized
               restore-key-not-needed
               token-initialized
    token: 
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number: 
        hardware-version: 2.1
        firmware-version: 2.1
        flags:
               rng
               login-required
               restore-key-not-needed
               so-pin-locked
               so-pin-to-be-changed
ykcs11: /usr/local/lib/libykcs11.dylib
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 1.42
    token: YubiKey PIV
        manufacturer: Yubico
        model: YubiKey NEO
        serial-number: 1234
        hardware-version: 144.17
        firmware-version: 1.4
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
$

mtrojnar commented 7 years ago

That is precisely C_Finalize that causes the deadlock here. Only calling C_Finalize instead of unloading the module completely won't help.

matthauck commented 7 years ago

Ah. I see.
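
An added example, not part of the original thread and not libp11 or OpenSC code: a small triage script for pkcs11-spy output in the layout shown in the report. It lists calls that never logged a `Returned:` line (where a hang inside the module would show up), calls that returned an error, and long gaps before the next call. The sample log and all function names are constructed for illustration.

```python
import re
from datetime import datetime

CALL_RE = re.compile(r"^(\d+): (C_\w+)\s*$")
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(\w+)\s*$")
TS_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s*$")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample in pkcs11-spy layout; the missing "Returned:" line
# after C_Finalize is hypothetical (what a hang inside that call would leave).
SAMPLE = """\
87: C_Sign
2016-10-13 10:30:37.731
[in] hSession = 0x7fdbb3004e00
Returned:  0 CKR_OK

88: C_CloseAllSessions
2016-10-13 10:30:38.402
[in] slotID = 0x0
Returned:  224 CKR_TOKEN_NOT_PRESENT

89: C_Finalize
2016-10-13 10:30:38.403
"""

def parse_spy_log(text):
    """One dict per call; rv stays None when no 'Returned:' line follows."""
    calls = []
    for line in text.splitlines():
        if (m := CALL_RE.match(line)):
            calls.append({"name": m.group(2), "time": None, "rv": None, "rv_name": None})
        elif calls and (m := RET_RE.match(line)):
            calls[-1]["rv"], calls[-1]["rv_name"] = int(m.group(1)), m.group(2)
        elif calls and calls[-1]["time"] is None and TS_RE.match(line):
            calls[-1]["time"] = datetime.strptime(line.strip(), TS_FMT)
    return calls

def triage(calls, slow_ms=500):
    """Calls that never returned, calls that failed, and long gaps to the next call."""
    pending = [c["name"] for c in calls if c["rv"] is None]
    failed = [(c["name"], c["rv_name"]) for c in calls if c["rv"]]
    slow = []
    for a, b in zip(calls, calls[1:]):
        if a["time"] and b["time"]:
            gap = round((b["time"] - a["time"]).total_seconds() * 1000)
            if gap >= slow_ms:
                slow.append((a["name"], gap))
    return {"pending": pending, "failed": failed, "slow": slow}
```

Calling `triage(parse_spy_log(open(path).read()))` on a saved spy log gives the same three lists for a real run.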