Closed mihaicristiantanase closed 9 months ago
Do you have a debugger? Can you step through the code?
Some possible problems:
pkcs11_store_certificate
ckm_md
is not initialized,ckm_md
if evp_md_nid
in not found. It should set ckm_md
like other cases.https://github.com/OpenSC/libp11/blob/master/src/p11_cert.c#L271 uses ckm_md
which is one of the function that is failing.
If you certificate is using SHA1 it may cause this above problem.
I'm running MacOS Big Sur and I use LLDB to step through instructions. Here's a debugging flow of pkcs11_store_certificate function using an Athena Smartcard Solutions token:
$ lldb ./build/store_certificate -- /usr/local/lib/libASEP11.dylib 00000000 demo1-certificate.pem demo1
(lldb) target create "./build/store_certificate"
Current executable set to 'build/store_certificate' (x86_64).
(lldb) settings set -- target.run-args "/usr/local/lib/libASEP11.dylib" "00000000" "demo1-certificate.pem" "demo1"
(lldb) b pkcs11_store_certificate
Breakpoint 1: where = libp11.3.dylib`pkcs11_store_certificate + 64 at p11_cert.c:199:34, address = 0x0000000000003fb0
(lldb) r
Process 2252 launched: 'build/store_certificate' (x86_64)
libp11.3.dylib was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x000000010012bfb0 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:199:34 [opt]
196 int pkcs11_store_certificate(PKCS11_SLOT_private *slot, X509 *x509, char *label,
197 unsigned char *id, size_t id_len, PKCS11_CERT **ret_cert)
198 {
-> 199 PKCS11_CTX_private *ctx = slot->ctx;
200 CK_SESSION_HANDLE session;
201 CK_OBJECT_HANDLE object;
202 int rv, r = -1;
Target 0: (store_certificate) stopped.
(lldb) n
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012bfb4 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:204:6 [opt]
201 CK_OBJECT_HANDLE object;
202 int rv, r = -1;
203 int signature_nid;
-> 204 int evp_md_nid = NID_sha1;
205 const EVP_MD* evp_md;
206 unsigned char md[EVP_MAX_MD_SIZE];
207 unsigned int md_len;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012bfc2 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:208:18 [opt]
205 const EVP_MD* evp_md;
206 unsigned char md[EVP_MAX_MD_SIZE];
207 unsigned int md_len;
-> 208 PKCS11_TEMPLATE tmpl = {0};
209 CK_OBJECT_CLASS class_certificate = CKO_CERTIFICATE;
210 CK_CERTIFICATE_TYPE certificate_x509 = CKC_X_509;
211 CK_MECHANISM_TYPE ckm_md;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012bfcc libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:209:18 [opt]
206 unsigned char md[EVP_MAX_MD_SIZE];
207 unsigned int md_len;
208 PKCS11_TEMPLATE tmpl = {0};
-> 209 CK_OBJECT_CLASS class_certificate = CKO_CERTIFICATE;
210 CK_CERTIFICATE_TYPE certificate_x509 = CKC_X_509;
211 CK_MECHANISM_TYPE ckm_md;
212
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012bfd7 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:210:22 [opt]
207 unsigned int md_len;
208 PKCS11_TEMPLATE tmpl = {0};
209 CK_OBJECT_CLASS class_certificate = CKO_CERTIFICATE;
-> 210 CK_CERTIFICATE_TYPE certificate_x509 = CKC_X_509;
211 CK_MECHANISM_TYPE ckm_md;
212
213 /* First, make sure we have a session */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012bfe9 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:214:6 [opt]
211 CK_MECHANISM_TYPE ckm_md;
212
213 /* First, make sure we have a session */
-> 214 if (pkcs11_get_session(slot, 1, &session))
215 return -1;
216
217 /* Now build the template */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c01f libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:218:2 [opt]
215 return -1;
216
217 /* Now build the template */
-> 218 pkcs11_addattr_var(&tmpl, CKA_CLASS, class_certificate);
219 pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
220 pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
221 pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c02e libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:219:2 [opt]
216
217 /* Now build the template */
218 pkcs11_addattr_var(&tmpl, CKA_CLASS, class_certificate);
-> 219 pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
220 pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
221 pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
222 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c047 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:220:2 [opt]
217 /* Now build the template */
218 pkcs11_addattr_var(&tmpl, CKA_CLASS, class_certificate);
219 pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
-> 220 pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
221 pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
222 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
223 pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c060 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:222:33 [opt]
219 pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
220 pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
221 pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
-> 222 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
223 pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
224 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509));
225
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c068 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:221:2 [opt]
218 pkcs11_addattr_var(&tmpl, CKA_CLASS, class_certificate);
219 pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
220 pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
-> 221 pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
222 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
223 pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
224 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509));
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c082 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:224:33 [opt]
221 pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
222 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
223 pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
-> 224 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509));
225
226 /* Get digest algorithm from x509 certificate */
227 #if OPENSSL_VERSION_NUMBER >= 0x10002000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3050000fL )
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c08a libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:223:2 [opt]
220 pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
221 pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
222 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
-> 223 pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
224 (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509));
225
226 /* Get digest algorithm from x509 certificate */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c09d libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:228:18 [opt]
225
226 /* Get digest algorithm from x509 certificate */
227 #if OPENSSL_VERSION_NUMBER >= 0x10002000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3050000fL )
-> 228 signature_nid = X509_get_signature_nid(x509);
229 #else
230 signature_nid = OBJ_obj2nid(x509->sig_alg->algorithm);
231 #endif
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c0a9 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:232:2 [opt]
229 #else
230 signature_nid = OBJ_obj2nid(x509->sig_alg->algorithm);
231 #endif
-> 232 OBJ_find_sigid_algs(signature_nid, &evp_md_nid, NULL);
233 switch (evp_md_nid) {
234 default:
235 evp_md_nid = NID_sha1;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c0b2 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:233:10 [opt]
230 signature_nid = OBJ_obj2nid(x509->sig_alg->algorithm);
231 #endif
232 OBJ_find_sigid_algs(signature_nid, &evp_md_nid, NULL);
-> 233 switch (evp_md_nid) {
234 default:
235 evp_md_nid = NID_sha1;
236 /* fall through */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c10e libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:244:10 [opt]
241 ckm_md = CKM_SHA224;
242 break;
243 case NID_sha256:
-> 244 ckm_md = CKM_SHA256;
245 break;
246 case NID_sha512:
247 ckm_md = CKM_SHA512;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c190 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:268:11 [opt]
265 #endif
266 }
267
-> 268 evp_md = EVP_get_digestbynid(evp_md_nid);
269
270 /* Set hash algorithm; default is SHA-1 */
271 pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c1ab libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:271:2 [opt]
268 evp_md = EVP_get_digestbynid(evp_md_nid);
269
270 /* Set hash algorithm; default is SHA-1 */
-> 271 pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
272 if (X509_pubkey_digest(x509,evp_md,md,&md_len))
273 pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
274
Target 0: (store_certificate) stopped.
(lldb) po ckm_md
592
(lldb) po/x ckm_md
0x0000000000000250
(lldb) n
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c1c5 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:272:6 [opt]
269
270 /* Set hash algorithm; default is SHA-1 */
271 pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
-> 272 if (X509_pubkey_digest(x509,evp_md,md,&md_len))
273 pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
274
275 pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c1d4 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:273:61 [opt]
270 /* Set hash algorithm; default is SHA-1 */
271 pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
272 if (X509_pubkey_digest(x509,evp_md,md,&md_len))
-> 273 pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
274
275 pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
276 if (label)
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c1ef libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:275:2 [opt]
272 if (X509_pubkey_digest(x509,evp_md,md,&md_len))
273 pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
274
-> 275 pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
276 if (label)
277 pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
278 if (id && id_len)
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c20a libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:276:6 [opt]
273 pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
274
275 pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
-> 276 if (label)
277 pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
278 if (id && id_len)
279 pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c216 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:277:3 [opt]
274
275 pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
276 if (label)
-> 277 pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
278 if (id && id_len)
279 pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
280
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c223 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:278:6 [opt]
275 pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
276 if (label)
277 pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
-> 278 if (id && id_len)
279 pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
280
281 /* Now call the pkcs11 module to create the object */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c23b libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:279:3 [opt]
276 if (label)
277 pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
278 if (id && id_len)
-> 279 pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
280
281 /* Now call the pkcs11 module to create the object */
282 rv = CRYPTOKI_call(ctx, C_CreateObject(session, tmpl.attrs, tmpl.nattr, &object));
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c248 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:282:7 [opt]
279 pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
280
281 /* Now call the pkcs11 module to create the object */
-> 282 rv = CRYPTOKI_call(ctx, C_CreateObject(session, tmpl.attrs, tmpl.nattr, &object));
283
284 /* Zap all memory allocated when building the template */
285 pkcs11_zap_attrs(&tmpl);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c276 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:285:2 [opt]
282 rv = CRYPTOKI_call(ctx, C_CreateObject(session, tmpl.attrs, tmpl.nattr, &object));
283
284 /* Zap all memory allocated when building the template */
-> 285 pkcs11_zap_attrs(&tmpl);
286
287 /* Gobble the key object */
288 if (rv == CKR_OK) {
Target 0: (store_certificate) stopped.
(lldb) po/x rv
0x00000012
(lldb) po rv
18
(lldb) n
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c280 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:288:9 [opt]
285 pkcs11_zap_attrs(&tmpl);
286
287 /* Gobble the key object */
-> 288 if (rv == CKR_OK) {
289 r = pkcs11_init_cert(slot, session, object, ret_cert);
290 }
291 pkcs11_put_session(slot, session);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c2ab libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id=<unavailable>, id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:291:27 [opt]
288 if (rv == CKR_OK) {
289 r = pkcs11_init_cert(slot, session, object, ret_cert);
290 }
-> 291 pkcs11_put_session(slot, session);
292
293 CRYPTOKI_checkerr(CKR_F_PKCS11_STORE_CERTIFICATE, rv);
294 return r;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c2ba libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id=<unavailable>, id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:293:2 [opt]
290 }
291 pkcs11_put_session(slot, session);
292
-> 293 CRYPTOKI_checkerr(CKR_F_PKCS11_STORE_CERTIFICATE, rv);
294 return r;
295 }
296
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
frame #0: 0x000000010012c2f4 libp11.3.dylib`pkcs11_store_certificate(slot=<unavailable>, x509=0x0000000101006640, label="demo1_label", id=<unavailable>, id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:295:1 [opt]
292
293 CRYPTOKI_checkerr(CKR_F_PKCS11_STORE_CERTIFICATE, rv);
294 return r;
-> 295 }
296
297 /* vim: set noexpandtab: */
Target 0: (store_certificate) stopped.
(lldb)
The value of ckm_md:
(lldb) po/x ckm_md
0x0000000000000250
It's CKM_SHA256 (pkcs11.h)
#define CKM_SHA256 (0x250UL)
Also, as mentioned in the description above, the value of rv:
(lldb) po/x rv
0x00000012
is CKR_ATTRIBUTE_TYPE_INVALID.
OK, it looks like the template is built correctly and the failure is in C_CreateObject which is in PKCS11 module you are using. What pkcs11 module are you using?
It is possible that the module did not implement support for CKA_NAME_HASH_ALGORITHM attribute.
You may have to debug the pkcs11 module.
Another tool is "pkcs11-spy: which can be inserted between libp11 and the module to log pkcs11 calls. See https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC It can work between any pkcs11 application and any pkcs11 module.
I'm using libASEP11.dylib module (it comes with Athena token software).
You are right about the module not being able to recognize the CKA_NAME_HASH_ALGORITHM attribute. At least, this is what the logs indicate. Here's a log obtained by using the PKCS11-LOGGER (https://github.com/Pkcs11Interop/pkcs11-logger/releases/download/v2.2.0/pkcs11-logger-x64.dylib):
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : PKCS11-LOGGER 2.2.0
0x00004a09 : 0x0eb6ae00 : PKCS#11 logging proxy module
0x00004a09 : 0x0eb6ae00 : Developed as a part of the Pkcs11Interop project
0x00004a09 : 0x0eb6ae00 : Please visit www.pkcs11interop.net for more information
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Successfuly loaded /usr/local/lib/libASEP11.dylib
0x00004a09 : 0x0eb6ae00 : Memory contents are dumped without endianness conversion
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetFunctionList
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : ppFunctionList: 0x7f80efc32950
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 : Note: Returning function list of PKCS11-LOGGER
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_Initialize
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : pInitArgs: 0x7ffee4786680
0x00004a09 : 0x0eb6ae00 : CreateMutex: 0x0
0x00004a09 : 0x0eb6ae00 : DestroyMutex: 0x0
0x00004a09 : 0x0eb6ae00 : LockMutex: 0x0
0x00004a09 : 0x0eb6ae00 : UnlockMutex: 0x0
0x00004a09 : 0x0eb6ae00 : Flags: 2
0x00004a09 : 0x0eb6ae00 : CKF_LIBRARY_CANT_CREATE_OS_THREADS: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_OS_LOCKING_OK: TRUE
0x00004a09 : 0x0eb6ae00 : pReserved: 0x0
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetInfo
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : pInfo: 0x7ffee47866b0
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 : pInfo: 0x7ffee47866b0
0x00004a09 : 0x0eb6ae00 : cryptokiVersion:
0x00004a09 : 0x0eb6ae00 : major: 2
0x00004a09 : 0x0eb6ae00 : minor: 20
0x00004a09 : 0x0eb6ae00 : manufacturerID: Athena Smartcard Solutions
0x00004a09 : 0x0eb6ae00 : flags: 0
0x00004a09 : 0x0eb6ae00 : libraryDescription: ASE Cryptoki
0x00004a09 : 0x0eb6ae00 : libraryVersion:
0x00004a09 : 0x0eb6ae00 : major: 3
0x00004a09 : 0x0eb6ae00 : minor: 1
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetSlotList
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : tokenPresent: 0
0x00004a09 : 0x0eb6ae00 : pSlotList: 0x0
0x00004a09 : 0x0eb6ae00 : pulCount: 0x7ffee4786688
0x00004a09 : 0x0eb6ae00 : *pulCount: 0
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 : pSlotList: 0x0
0x00004a09 : 0x0eb6ae00 : pulCount: 0x7ffee4786688
0x00004a09 : 0x0eb6ae00 : *pulCount: 1
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetSlotList
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : tokenPresent: 0
0x00004a09 : 0x0eb6ae00 : pSlotList: 0x7f80efd040d0
0x00004a09 : 0x0eb6ae00 : pulCount: 0x7ffee4786688
0x00004a09 : 0x0eb6ae00 : *pulCount: 1
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 : pSlotList: 0x7f80efd040d0
0x00004a09 : 0x0eb6ae00 : pSlotList[0]: 0
0x00004a09 : 0x0eb6ae00 : pulCount: 0x7ffee4786688
0x00004a09 : 0x0eb6ae00 : *pulCount: 1
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetSlotInfo
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : slotID: 0
0x00004a09 : 0x0eb6ae00 : pInfo: 0x7ffee4786690
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 : pInfo: 0x7ffee4786690
0x00004a09 : 0x0eb6ae00 : slotDescription: Athena IDProtect Key v2
0x00004a09 : 0x0eb6ae00 : manufacturerID:
0x00004a09 : 0x0eb6ae00 : flags: 7
0x00004a09 : 0x0eb6ae00 : CKF_TOKEN_PRESENT: TRUE
0x00004a09 : 0x0eb6ae00 : CKF_REMOVABLE_DEVICE: TRUE
0x00004a09 : 0x0eb6ae00 : CKF_HW_SLOT: TRUE
0x00004a09 : 0x0eb6ae00 : hardwareVersion:
0x00004a09 : 0x0eb6ae00 : major: 1
0x00004a09 : 0x0eb6ae00 : minor: 0
0x00004a09 : 0x0eb6ae00 : firmwareVersion:
0x00004a09 : 0x0eb6ae00 : major: 1
0x00004a09 : 0x0eb6ae00 : minor: 0
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetTokenInfo
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : slotID: 0
0x00004a09 : 0x0eb6ae00 : pInfo: 0x7ffee4786550
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 : pInfo: 0x7ffee4786550
0x00004a09 : 0x0eb6ae00 : label: <hidden>
0x00004a09 : 0x0eb6ae00 : manufacturerID: Athena Smartcard Solutions
0x00004a09 : 0x0eb6ae00 : model: IDProtect
0x00004a09 : 0x0eb6ae00 : serialNumber: <hidden>
0x00004a09 : 0x0eb6ae00 : flags: 1037
0x00004a09 : 0x0eb6ae00 : CKF_RNG: TRUE
0x00004a09 : 0x0eb6ae00 : CKF_WRITE_PROTECTED: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_LOGIN_REQUIRED: TRUE
0x00004a09 : 0x0eb6ae00 : CKF_USER_PIN_INITIALIZED: TRUE
0x00004a09 : 0x0eb6ae00 : CKF_RESTORE_KEY_NOT_NEEDED: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_CLOCK_ON_TOKEN: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_PROTECTED_AUTHENTICATION_PATH: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_DUAL_CRYPTO_OPERATIONS: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_TOKEN_INITIALIZED: TRUE
0x00004a09 : 0x0eb6ae00 : CKF_SECONDARY_AUTHENTICATION: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_USER_PIN_COUNT_LOW: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_USER_PIN_FINAL_TRY: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_USER_PIN_LOCKED: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_USER_PIN_TO_BE_CHANGED: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_SO_PIN_COUNT_LOW: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_SO_PIN_FINAL_TRY: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_SO_PIN_LOCKED: FALSE
0x00004a09 : 0x0eb6ae00 : CKF_SO_PIN_TO_BE_CHANGED: FALSE
0x00004a09 : 0x0eb6ae00 : ulMaxSessionCount: 1000
0x00004a09 : 0x0eb6ae00 : ulSessionCount: 0
0x00004a09 : 0x0eb6ae00 : ulMaxRwSessionCount: 1000
0x00004a09 : 0x0eb6ae00 : ulRwSessionCount: 0
0x00004a09 : 0x0eb6ae00 : ulMaxPinLen: 16
0x00004a09 : 0x0eb6ae00 : ulMinPinLen: 4
0x00004a09 : 0x0eb6ae00 : ulTotalPublicMemory: 18446744073709551615
0x00004a09 : 0x0eb6ae00 : ulFreePublicMemory: 30824
0x00004a09 : 0x0eb6ae00 : ulTotalPrivateMemory: 18446744073709551615
0x00004a09 : 0x0eb6ae00 : ulFreePrivateMemory: 30824
0x00004a09 : 0x0eb6ae00 : hardwareVersion:
0x00004a09 : 0x0eb6ae00 : major: 1
0x00004a09 : 0x0eb6ae00 : minor: 0
0x00004a09 : 0x0eb6ae00 : firmwareVersion:
0x00004a09 : 0x0eb6ae00 : major: 1
0x00004a09 : 0x0eb6ae00 : minor: 0
0x00004a09 : 0x0eb6ae00 : utcTime:
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_CloseAllSessions
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : slotID: 0
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_OpenSession
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : slotID: 0
0x00004a09 : 0x0eb6ae00 : flags: 6
0x00004a09 : 0x0eb6ae00 : CKF_RW_SESSION: TRUE
0x00004a09 : 0x0eb6ae00 : CKF_SERIAL_SESSION: TRUE
0x00004a09 : 0x0eb6ae00 : pApplication: 0x0
0x00004a09 : 0x0eb6ae00 : Notify: 0x0
0x00004a09 : 0x0eb6ae00 : phSession: 0x7ffee4786670
0x00004a09 : 0x0eb6ae00 : *phSession: 140732731516528
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 : phSession: 0x7ffee4786670
0x00004a09 : 0x0eb6ae00 : *phSession: 1
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_Login
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : hSession: 1
0x00004a09 : 0x0eb6ae00 : userType: 1 (CKU_USER)
0x00004a09 : 0x0eb6ae00 : pPin: 0x7ffee47869a7
0x00004a09 : 0x0eb6ae00 : *pPin: *** Intentionally hidden ***
0x00004a09 : 0x0eb6ae00 : ulPinLen: 8
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetSessionInfo
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : hSession: 1
0x00004a09 : 0x0eb6ae00 : pInfo: 0x7ffee4786270
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 : pInfo: 0x7ffee4786270
0x00004a09 : 0x0eb6ae00 : slotID: 0
0x00004a09 : 0x0eb6ae00 : state: 3 (CKS_RW_USER_FUNCTIONS)
0x00004a09 : 0x0eb6ae00 : flags: 6
0x00004a09 : 0x0eb6ae00 : CKF_RW_SESSION: TRUE
0x00004a09 : 0x0eb6ae00 : CKF_SERIAL_SESSION: TRUE
0x00004a09 : 0x0eb6ae00 : ulDeviceError: 0
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_CreateObject
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 : hSession: 1
0x00004a09 : 0x0eb6ae00 : pTemplate: 0x7ffee47862e0
0x00004a09 : 0x0eb6ae00 : ulCount: 10
0x00004a09 : 0x0eb6ae00 : *** Begin attribute template ***
0x00004a09 : 0x0eb6ae00 : Attribute 0
0x00004a09 : 0x0eb6ae00 : Attribute: 0 (CKA_CLASS)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7ffee47865e8
0x00004a09 : 0x0eb6ae00 : ulValueLen: 8
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(0100000000000000)
0x00004a09 : 0x0eb6ae00 : Attribute 1
0x00004a09 : 0x0eb6ae00 : Attribute: 1 (CKA_TOKEN)
0x00004a09 : 0x0eb6ae00 : pValue: 0x10b4a0448
0x00004a09 : 0x0eb6ae00 : ulValueLen: 1
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(01)
0x00004a09 : 0x0eb6ae00 : Attribute 2
0x00004a09 : 0x0eb6ae00 : Attribute: 128 (CKA_CERTIFICATE_TYPE)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7ffee47865f0
0x00004a09 : 0x0eb6ae00 : ulValueLen: 8
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(0000000000000000)
0x00004a09 : 0x0eb6ae00 : Attribute 3
0x00004a09 : 0x0eb6ae00 : Attribute: 257 (CKA_SUBJECT)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7f80f18048e0
0x00004a09 : 0x0eb6ae00 : ulValueLen: 91
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(<hidden>)
0x00004a09 : 0x0eb6ae00 : Attribute 4
0x00004a09 : 0x0eb6ae00 : Attribute: 129 (CKA_ISSUER)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7f80f1804940
0x00004a09 : 0x0eb6ae00 : ulValueLen: 103
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(<hidden>)
0x00004a09 : 0x0eb6ae00 : Attribute 5
0x00004a09 : 0x0eb6ae00 : Attribute: 140 (Unknown)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7ffee4786638
0x00004a09 : 0x0eb6ae00 : ulValueLen: 8
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(5002000000000000)
0x00004a09 : 0x0eb6ae00 : Attribute 6
0x00004a09 : 0x0eb6ae00 : Attribute: 138 (CKA_HASH_OF_SUBJECT_PUBLIC_KEY)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7ffee4786640
0x00004a09 : 0x0eb6ae00 : ulValueLen: 32
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(<hidden>)
0x00004a09 : 0x0eb6ae00 : Attribute 7
0x00004a09 : 0x0eb6ae00 : Attribute: 17 (CKA_VALUE)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7f80f200ba00
0x00004a09 : 0x0eb6ae00 : ulValueLen: 1736
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(<hidden>)
0x00004a09 : 0x0eb6ae00 : Attribute 8
0x00004a09 : 0x0eb6ae00 : Attribute: 3 (CKA_LABEL)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7f80efd04a10
0x00004a09 : 0x0eb6ae00 : ulValueLen: 11
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(64656D6F315F6C6162656C)
0x00004a09 : 0x0eb6ae00 : Attribute 9
0x00004a09 : 0x0eb6ae00 : Attribute: 258 (CKA_ID)
0x00004a09 : 0x0eb6ae00 : pValue: 0x7ffee47869e1
0x00004a09 : 0x0eb6ae00 : ulValueLen: 5
0x00004a09 : 0x0eb6ae00 : *pValue: HEX(64656D6F31)
0x00004a09 : 0x0eb6ae00 : *** End attribute template ***
0x00004a09 : 0x0eb6ae00 : phObject: 0x7ffee47865e0
0x00004a09 : 0x0eb6ae00 : *phObject: 1
0x00004a09 : 0x0eb6ae00 : Returning 18 (CKR_ATTRIBUTE_TYPE_INVALID)
The line:
0x00004a09 : 0x0eb6ae00 : Attribute: 140 (Unknown)
Restating my first question, is there a way to detect whether or not an attribute is valid in the loaded PKCS#11 module?
C_GetInfo returns a CK_INFO with a CK_VERSION cryptokiVersion; which in trace says 2.20.
PKCS11-v.2.40 defines:
#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008AUL
#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008BUL
#define CKA_NAME_HASH_ALGORITHM 0x0000008CUL
But pkcs11-2.20 does not define CKA_NAME_HASH_ALGORITHM
It also says: "CKA_HASH_OF_SUBJECT_PUBLIC_KEY Byte array SHA-1 hash of the subject public
key (default empty)" Even though it does define CKM_SHA256, but for CKA_HASH_OF_SUBJECT_PUBLIC_KEY
Can CKA_NAME_HASH_ALGORITHM attribute be validated somehow before the call to PKCS#11 module?
Yes by version number.
Is there a reason for setting CKA_HASH_OF_SUBJECT_PUBLIC_KEY when the standard indicates that there's no need for it when CKA_VALUE is set?
Since 2.20 it requires SHA-1 and you are passing a SHA256 hash its the wrong size.
So it looks like your PKCS11 module is supporting 2.20 as defined.
You may want to submit a PR to test for version <= 2.20 so CKA_HASH_OF_SUBJECT_PUBLIC_KEY and CKA_NAME_HASH_ALGORITHM are not added to the template.
If you really require CKA_HASH_OF_SUBJECT_PUBLIC_KEY make the hash is SHA1.
Thank you for clarifying the issue.
I'll come back with a PR as soon as it's ready.
Fixed with https://github.com/OpenSC/libp11/pull/519.
I'm using the latest version of the library (master: 6c96847f1f52a5ccc76e8f8d14820cc4d6af1ecb) to write a certificate on a cryptographic device. The call to PKCS11_store_certificate function with an X509 object previously read from a PEM file (via PEM_read_X509 function) always returns -1 and the certificate is not written.
I have investigated the problem further and found out that this line (in function pkcs11_store_certificate of p11_cert.c):
returns a value of 18 (0x12) which, in the PKCS#11 standard is translated to CKR_ATTRIBUTE_TYPE_INVALID.
The process of finding the culprit was tiring but I've managed to reduce the problem to those lines:
If those two attributes (CKA_NAME_HASH_ALGORITHM and CKA_HASH_OF_SUBJECT_PUBLIC_KEY) are not set, then the certificate is successfully written. If I keep the "CKA_NAME_HASH_ALGORITHM" attribute, then CRYPTOKI_call returns the same error (18). On the other hand, if I keep the "CKA_HASH_OF_SUBJECT_PUBLIC_KEY" attribute, then CRYPTOKI_call returns error 5 (CKR_GENERAL_ERROR).
This behaviors is identical on two different devices:
Consulting the standard (http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959712), it seems that this function sets up a wrong combination of attributes, that is, when CKA_VALUE is non-empty, CKA_URL must be empty, which permits ("can") CKA_HASH_OF_SUBJECT_PUBLIC_KEY to be empty.
My questions are: