PKCS11_store_certificate generates CKR_ATTRIBUTE_TYPE_INVALID error

mihaicristiantanase commented 9 months ago

I'm using the latest version of the library (master: 6c96847f1f52a5ccc76e8f8d14820cc4d6af1ecb) to write a certificate on a cryptographic device. The call to PKCS11_store_certificate function with an X509 object previously read from a PEM file (via PEM_read_X509 function) always returns -1 and the certificate is not written.

I have investigated the problem further and found out that this line (in function pkcs11_store_certificate of p11_cert.c):

rv = CRYPTOKI_call(ctx, C_CreateObject(session, tmpl.attrs, tmpl.nattr, &object));

returns a value of 18 (0x12) which, in the PKCS#11 standard is translated to CKR_ATTRIBUTE_TYPE_INVALID.

The process of finding the culprit was tiring but I've managed to reduce the problem to those lines:

pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
if (X509_pubkey_digest(x509,evp_md,md,&md_len))
    pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);

If those two attributes (CKA_NAME_HASH_ALGORITHM and CKA_HASH_OF_SUBJECT_PUBLIC_KEY) are not set, then the certificate is successfully written. If I keep the "CKA_NAME_HASH_ALGORITHM" attribute, then CRYPTOKI_call returns the same error (18). On the other hand, if I keep the "CKA_HASH_OF_SUBJECT_PUBLIC_KEY" attribute, then CRYPTOKI_call returns error 5 (CKR_GENERAL_ERROR).

This behaviors is identical on two different devices:

Manufacturer "Athena Smartcard Solutions", model "IDProtect";
Manufacturer "Gemalto", model "ID Prime MD";

Consulting the standard (http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959712), it seems that this function sets up a wrong combination of attributes, that is, when CKA_VALUE is non-empty, CKA_URL must be empty, which permits ("can") CKA_HASH_OF_SUBJECT_PUBLIC_KEY to be empty.

My questions are:

Can CKA_NAME_HASH_ALGORITHM attribute be validated somehow before the call to PKCS#11 module?
Is there a reason for setting CKA_HASH_OF_SUBJECT_PUBLIC_KEY when the standard indicates that there's no need for it when CKA_VALUE is set?

dengert commented 9 months ago

Do you have a debugger? Can you step through the code?

Some possible problems:

Many of the function called are not checked for errors in pkcs11_store_certificate
ckm_md is not initialized,
"switch" statement at: https://github.com/OpenSC/libp11/blob/master/src/p11_cert.c#L233 has "default:" at beginning, rather the end. This may be OK, but may depend on compiler.
"default:" does not set ckm_md if evp_md_nid in not found. It should set ckm_md like other cases.
SHA-1 is not used in certificates for security reasons, and the SSL routines may not return it.
https://github.com/OpenSC/libp11/blob/master/src/p11_cert.c#L271 uses ckm_md which is one of the function that is failing.

If you certificate is using SHA1 it may cause this above problem.

mihaicristiantanase commented 9 months ago

I'm running MacOS Big Sur and I use LLDB to step through instructions. Here's a debugging flow of pkcs11_store_certificate function using an Athena Smartcard Solutions token:

$ lldb ./build/store_certificate -- /usr/local/lib/libASEP11.dylib 00000000 demo1-certificate.pem demo1
(lldb) target create "./build/store_certificate"
Current executable set to 'build/store_certificate' (x86_64).
(lldb) settings set -- target.run-args  "/usr/local/lib/libASEP11.dylib" "00000000" "demo1-certificate.pem" "demo1"
(lldb) b pkcs11_store_certificate
Breakpoint 1: where = libp11.3.dylib`pkcs11_store_certificate + 64 at p11_cert.c:199:34, address = 0x0000000000003fb0
(lldb) r
Process 2252 launched: 'build/store_certificate' (x86_64)
libp11.3.dylib was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000010012bfb0 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:199:34 [opt]
   196  int pkcs11_store_certificate(PKCS11_SLOT_private *slot, X509 *x509, char *label,
   197                  unsigned char *id, size_t id_len, PKCS11_CERT **ret_cert)
   198  {
-> 199          PKCS11_CTX_private *ctx = slot->ctx;
   200          CK_SESSION_HANDLE session;
   201          CK_OBJECT_HANDLE object;
   202          int rv, r = -1;
Target 0: (store_certificate) stopped.
(lldb) n
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012bfb4 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:204:6 [opt]
   201          CK_OBJECT_HANDLE object;
   202          int rv, r = -1;
   203          int signature_nid;
-> 204          int evp_md_nid = NID_sha1;
   205          const EVP_MD* evp_md;
   206          unsigned char md[EVP_MAX_MD_SIZE];
   207          unsigned int md_len;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012bfc2 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:208:18 [opt]
   205          const EVP_MD* evp_md;
   206          unsigned char md[EVP_MAX_MD_SIZE];
   207          unsigned int md_len;
-> 208          PKCS11_TEMPLATE tmpl = {0};
   209          CK_OBJECT_CLASS class_certificate = CKO_CERTIFICATE;
   210          CK_CERTIFICATE_TYPE certificate_x509 = CKC_X_509;
   211          CK_MECHANISM_TYPE ckm_md;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012bfcc libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:209:18 [opt]
   206          unsigned char md[EVP_MAX_MD_SIZE];
   207          unsigned int md_len;
   208          PKCS11_TEMPLATE tmpl = {0};
-> 209          CK_OBJECT_CLASS class_certificate = CKO_CERTIFICATE;
   210          CK_CERTIFICATE_TYPE certificate_x509 = CKC_X_509;
   211          CK_MECHANISM_TYPE ckm_md;
   212
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012bfd7 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:210:22 [opt]
   207          unsigned int md_len;
   208          PKCS11_TEMPLATE tmpl = {0};
   209          CK_OBJECT_CLASS class_certificate = CKO_CERTIFICATE;
-> 210          CK_CERTIFICATE_TYPE certificate_x509 = CKC_X_509;
   211          CK_MECHANISM_TYPE ckm_md;
   212
   213          /* First, make sure we have a session */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012bfe9 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:214:6 [opt]
   211          CK_MECHANISM_TYPE ckm_md;
   212
   213          /* First, make sure we have a session */
-> 214          if (pkcs11_get_session(slot, 1, &session))
   215                  return -1;
   216
   217          /* Now build the template */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c01f libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:218:2 [opt]
   215                  return -1;
   216
   217          /* Now build the template */
-> 218          pkcs11_addattr_var(&tmpl, CKA_CLASS, class_certificate);
   219          pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
   220          pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
   221          pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c02e libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:219:2 [opt]
   216
   217          /* Now build the template */
   218          pkcs11_addattr_var(&tmpl, CKA_CLASS, class_certificate);
-> 219          pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
   220          pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
   221          pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
   222                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c047 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:220:2 [opt]
   217          /* Now build the template */
   218          pkcs11_addattr_var(&tmpl, CKA_CLASS, class_certificate);
   219          pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
-> 220          pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
   221          pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
   222                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
   223          pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c060 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:222:33 [opt]
   219          pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
   220          pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
   221          pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
-> 222                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
   223          pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
   224                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509));
   225
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c068 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:221:2 [opt]
   218          pkcs11_addattr_var(&tmpl, CKA_CLASS, class_certificate);
   219          pkcs11_addattr_bool(&tmpl, CKA_TOKEN, TRUE);
   220          pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
-> 221          pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
   222                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
   223          pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
   224                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509));
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c082 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:224:33 [opt]
   221          pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
   222                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
   223          pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
-> 224                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509));
   225
   226          /* Get digest algorithm from x509 certificate */
   227  #if OPENSSL_VERSION_NUMBER >= 0x10002000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3050000fL )
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c08a libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:223:2 [opt]
   220          pkcs11_addattr_var(&tmpl, CKA_CERTIFICATE_TYPE, certificate_x509);
   221          pkcs11_addattr_obj(&tmpl, CKA_SUBJECT,
   222                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_subject_name(x509));
-> 223          pkcs11_addattr_obj(&tmpl, CKA_ISSUER,
   224                  (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509));
   225
   226          /* Get digest algorithm from x509 certificate */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c09d libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:228:18 [opt]
   225
   226          /* Get digest algorithm from x509 certificate */
   227  #if OPENSSL_VERSION_NUMBER >= 0x10002000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3050000fL )
-> 228          signature_nid = X509_get_signature_nid(x509);
   229  #else
   230          signature_nid = OBJ_obj2nid(x509->sig_alg->algorithm);
   231  #endif
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c0a9 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:232:2 [opt]
   229  #else
   230          signature_nid = OBJ_obj2nid(x509->sig_alg->algorithm);
   231  #endif
-> 232          OBJ_find_sigid_algs(signature_nid, &evp_md_nid, NULL);
   233          switch (evp_md_nid) {
   234          default:
   235                  evp_md_nid = NID_sha1;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c0b2 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:233:10 [opt]
   230          signature_nid = OBJ_obj2nid(x509->sig_alg->algorithm);
   231  #endif
   232          OBJ_find_sigid_algs(signature_nid, &evp_md_nid, NULL);
-> 233          switch (evp_md_nid) {
   234          default:
   235                  evp_md_nid = NID_sha1;
   236                  /* fall through */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c10e libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:244:10 [opt]
   241                  ckm_md = CKM_SHA224;
   242                  break;
   243          case NID_sha256:
-> 244                  ckm_md = CKM_SHA256;
   245                  break;
   246          case NID_sha512:
   247                  ckm_md = CKM_SHA512;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c190 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:268:11 [opt]
   265  #endif
   266          }
   267
-> 268          evp_md = EVP_get_digestbynid(evp_md_nid);
   269
   270          /* Set hash algorithm; default is SHA-1 */
   271          pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c1ab libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:271:2 [opt]
   268          evp_md = EVP_get_digestbynid(evp_md_nid);
   269
   270          /* Set hash algorithm; default is SHA-1 */
-> 271          pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
   272          if (X509_pubkey_digest(x509,evp_md,md,&md_len))
   273                  pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
   274
Target 0: (store_certificate) stopped.
(lldb) po ckm_md
592

(lldb) po/x ckm_md
0x0000000000000250

(lldb) n
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c1c5 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:272:6 [opt]
   269
   270          /* Set hash algorithm; default is SHA-1 */
   271          pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
-> 272          if (X509_pubkey_digest(x509,evp_md,md,&md_len))
   273                  pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
   274
   275          pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c1d4 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:273:61 [opt]
   270          /* Set hash algorithm; default is SHA-1 */
   271          pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md);
   272          if (X509_pubkey_digest(x509,evp_md,md,&md_len))
-> 273                  pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
   274
   275          pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
   276          if (label)
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c1ef libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:275:2 [opt]
   272          if (X509_pubkey_digest(x509,evp_md,md,&md_len))
   273                  pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
   274
-> 275          pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
   276          if (label)
   277                  pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
   278          if (id && id_len)
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c20a libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:276:6 [opt]
   273                  pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len);
   274
   275          pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
-> 276          if (label)
   277                  pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
   278          if (id && id_len)
   279                  pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c216 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:277:3 [opt]
   274
   275          pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
   276          if (label)
-> 277                  pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
   278          if (id && id_len)
   279                  pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
   280
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c223 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:278:6 [opt]
   275          pkcs11_addattr_obj(&tmpl, CKA_VALUE, (pkcs11_i2d_fn)i2d_X509, x509);
   276          if (label)
   277                  pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
-> 278          if (id && id_len)
   279                  pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
   280
   281          /* Now call the pkcs11 module to create the object */
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c23b libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:279:3 [opt]
   276          if (label)
   277                  pkcs11_addattr_s(&tmpl, CKA_LABEL, label);
   278          if (id && id_len)
-> 279                  pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
   280
   281          /* Now call the pkcs11 module to create the object */
   282          rv = CRYPTOKI_call(ctx, C_CreateObject(session, tmpl.attrs, tmpl.nattr, &object));
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c248 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:282:7 [opt]
   279                  pkcs11_addattr(&tmpl, CKA_ID, id, id_len);
   280
   281          /* Now call the pkcs11 module to create the object */
-> 282          rv = CRYPTOKI_call(ctx, C_CreateObject(session, tmpl.attrs, tmpl.nattr, &object));
   283
   284          /* Zap all memory allocated when building the template */
   285          pkcs11_zap_attrs(&tmpl);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c276 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:285:2 [opt]
   282          rv = CRYPTOKI_call(ctx, C_CreateObject(session, tmpl.attrs, tmpl.nattr, &object));
   283
   284          /* Zap all memory allocated when building the template */
-> 285          pkcs11_zap_attrs(&tmpl);
   286
   287          /* Gobble the key object */
   288          if (rv == CKR_OK) {
Target 0: (store_certificate) stopped.
(lldb) po/x rv
0x00000012

(lldb) po rv
18

(lldb) n
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c280 libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id="demo1", id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:288:9 [opt]
   285          pkcs11_zap_attrs(&tmpl);
   286
   287          /* Gobble the key object */
-> 288          if (rv == CKR_OK) {
   289                  r = pkcs11_init_cert(slot, session, object, ret_cert);
   290          }
   291          pkcs11_put_session(slot, session);
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c2ab libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id=<unavailable>, id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:291:27 [opt]
   288          if (rv == CKR_OK) {
   289                  r = pkcs11_init_cert(slot, session, object, ret_cert);
   290          }
-> 291          pkcs11_put_session(slot, session);
   292
   293          CRYPTOKI_checkerr(CKR_F_PKCS11_STORE_CERTIFICATE, rv);
   294          return r;
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c2ba libp11.3.dylib`pkcs11_store_certificate(slot=0x0000000100723f50, x509=0x0000000101006640, label="demo1_label", id=<unavailable>, id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:293:2 [opt]
   290          }
   291          pkcs11_put_session(slot, session);
   292
-> 293          CRYPTOKI_checkerr(CKR_F_PKCS11_STORE_CERTIFICATE, rv);
   294          return r;
   295  }
   296
Target 0: (store_certificate) stopped.
(lldb)
Process 2252 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010012c2f4 libp11.3.dylib`pkcs11_store_certificate(slot=<unavailable>, x509=0x0000000101006640, label="demo1_label", id=<unavailable>, id_len=5, ret_cert=0x0000000000000000) at p11_cert.c:295:1 [opt]
   292
   293          CRYPTOKI_checkerr(CKR_F_PKCS11_STORE_CERTIFICATE, rv);
   294          return r;
-> 295  }
   296
   297  /* vim: set noexpandtab: */
Target 0: (store_certificate) stopped.
(lldb)

The value of ckm_md:

(lldb) po/x ckm_md
0x0000000000000250

It's CKM_SHA256 (pkcs11.h)

#define CKM_SHA256            (0x250UL)

Also, as mentioned in the description above, the value of rv:

(lldb) po/x rv
0x00000012

is CKR_ATTRIBUTE_TYPE_INVALID.

dengert commented 9 months ago

OK, it looks like the template is built correctly and the failure is in C_CreateObject which is in PKCS11 module you are using. What pkcs11 module are you using?

It is possible that the module did not implement support for CKA_NAME_HASH_ALGORITHM attribute.

You may have to debug the pkcs11 module.

Another tool is "pkcs11-spy: which can be inserted between libp11 and the module to log pkcs11 calls. See https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC It can work between any pkcs11 application and any pkcs11 module.

mihaicristiantanase commented 9 months ago

I'm using libASEP11.dylib module (it comes with Athena token software).

You are right about the module not being able to recognize the CKA_NAME_HASH_ALGORITHM attribute. At least, this is what the logs indicate. Here's a log obtained by using the PKCS11-LOGGER (https://github.com/Pkcs11Interop/pkcs11-logger/releases/download/v2.2.0/pkcs11-logger-x64.dylib):

0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : PKCS11-LOGGER 2.2.0
0x00004a09 : 0x0eb6ae00 : PKCS#11 logging proxy module
0x00004a09 : 0x0eb6ae00 : Developed as a part of the Pkcs11Interop project
0x00004a09 : 0x0eb6ae00 : Please visit www.pkcs11interop.net for more information
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Successfuly loaded /usr/local/lib/libASEP11.dylib
0x00004a09 : 0x0eb6ae00 : Memory contents are dumped without endianness conversion
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetFunctionList
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  ppFunctionList: 0x7f80efc32950
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 :  Note: Returning function list of PKCS11-LOGGER
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_Initialize
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  pInitArgs: 0x7ffee4786680
0x00004a09 : 0x0eb6ae00 :   CreateMutex: 0x0
0x00004a09 : 0x0eb6ae00 :   DestroyMutex: 0x0
0x00004a09 : 0x0eb6ae00 :   LockMutex: 0x0
0x00004a09 : 0x0eb6ae00 :   UnlockMutex: 0x0
0x00004a09 : 0x0eb6ae00 :   Flags: 2
0x00004a09 : 0x0eb6ae00 :    CKF_LIBRARY_CANT_CREATE_OS_THREADS: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_OS_LOCKING_OK: TRUE
0x00004a09 : 0x0eb6ae00 :   pReserved: 0x0
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetInfo
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  pInfo: 0x7ffee47866b0
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 :  pInfo: 0x7ffee47866b0
0x00004a09 : 0x0eb6ae00 :   cryptokiVersion:
0x00004a09 : 0x0eb6ae00 :    major: 2
0x00004a09 : 0x0eb6ae00 :    minor: 20
0x00004a09 : 0x0eb6ae00 :   manufacturerID: Athena Smartcard Solutions
0x00004a09 : 0x0eb6ae00 :   flags: 0
0x00004a09 : 0x0eb6ae00 :   libraryDescription: ASE Cryptoki
0x00004a09 : 0x0eb6ae00 :   libraryVersion:
0x00004a09 : 0x0eb6ae00 :    major: 3
0x00004a09 : 0x0eb6ae00 :    minor: 1
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetSlotList
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  tokenPresent: 0
0x00004a09 : 0x0eb6ae00 :  pSlotList: 0x0
0x00004a09 : 0x0eb6ae00 :  pulCount: 0x7ffee4786688
0x00004a09 : 0x0eb6ae00 :  *pulCount: 0
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 :  pSlotList: 0x0
0x00004a09 : 0x0eb6ae00 :  pulCount: 0x7ffee4786688
0x00004a09 : 0x0eb6ae00 :  *pulCount: 1
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetSlotList
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  tokenPresent: 0
0x00004a09 : 0x0eb6ae00 :  pSlotList: 0x7f80efd040d0
0x00004a09 : 0x0eb6ae00 :  pulCount: 0x7ffee4786688
0x00004a09 : 0x0eb6ae00 :  *pulCount: 1
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 :  pSlotList: 0x7f80efd040d0
0x00004a09 : 0x0eb6ae00 :  pSlotList[0]: 0
0x00004a09 : 0x0eb6ae00 :  pulCount: 0x7ffee4786688
0x00004a09 : 0x0eb6ae00 :  *pulCount: 1
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetSlotInfo
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  slotID: 0
0x00004a09 : 0x0eb6ae00 :  pInfo: 0x7ffee4786690
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 :  pInfo: 0x7ffee4786690
0x00004a09 : 0x0eb6ae00 :   slotDescription: Athena IDProtect Key v2
0x00004a09 : 0x0eb6ae00 :   manufacturerID:
0x00004a09 : 0x0eb6ae00 :   flags: 7
0x00004a09 : 0x0eb6ae00 :    CKF_TOKEN_PRESENT: TRUE
0x00004a09 : 0x0eb6ae00 :    CKF_REMOVABLE_DEVICE: TRUE
0x00004a09 : 0x0eb6ae00 :    CKF_HW_SLOT: TRUE
0x00004a09 : 0x0eb6ae00 :   hardwareVersion:
0x00004a09 : 0x0eb6ae00 :    major: 1
0x00004a09 : 0x0eb6ae00 :    minor: 0
0x00004a09 : 0x0eb6ae00 :   firmwareVersion:
0x00004a09 : 0x0eb6ae00 :    major: 1
0x00004a09 : 0x0eb6ae00 :    minor: 0
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:17 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetTokenInfo
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  slotID: 0
0x00004a09 : 0x0eb6ae00 :  pInfo: 0x7ffee4786550
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 :  pInfo: 0x7ffee4786550
0x00004a09 : 0x0eb6ae00 :   label: <hidden>
0x00004a09 : 0x0eb6ae00 :   manufacturerID: Athena Smartcard Solutions
0x00004a09 : 0x0eb6ae00 :   model: IDProtect
0x00004a09 : 0x0eb6ae00 :   serialNumber: <hidden>
0x00004a09 : 0x0eb6ae00 :   flags: 1037
0x00004a09 : 0x0eb6ae00 :    CKF_RNG: TRUE
0x00004a09 : 0x0eb6ae00 :    CKF_WRITE_PROTECTED: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_LOGIN_REQUIRED: TRUE
0x00004a09 : 0x0eb6ae00 :    CKF_USER_PIN_INITIALIZED: TRUE
0x00004a09 : 0x0eb6ae00 :    CKF_RESTORE_KEY_NOT_NEEDED: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_CLOCK_ON_TOKEN: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_PROTECTED_AUTHENTICATION_PATH: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_DUAL_CRYPTO_OPERATIONS: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_TOKEN_INITIALIZED: TRUE
0x00004a09 : 0x0eb6ae00 :    CKF_SECONDARY_AUTHENTICATION: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_USER_PIN_COUNT_LOW: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_USER_PIN_FINAL_TRY: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_USER_PIN_LOCKED: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_USER_PIN_TO_BE_CHANGED: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_SO_PIN_COUNT_LOW: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_SO_PIN_FINAL_TRY: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_SO_PIN_LOCKED: FALSE
0x00004a09 : 0x0eb6ae00 :    CKF_SO_PIN_TO_BE_CHANGED: FALSE
0x00004a09 : 0x0eb6ae00 :   ulMaxSessionCount: 1000
0x00004a09 : 0x0eb6ae00 :   ulSessionCount: 0
0x00004a09 : 0x0eb6ae00 :   ulMaxRwSessionCount: 1000
0x00004a09 : 0x0eb6ae00 :   ulRwSessionCount: 0
0x00004a09 : 0x0eb6ae00 :   ulMaxPinLen: 16
0x00004a09 : 0x0eb6ae00 :   ulMinPinLen: 4
0x00004a09 : 0x0eb6ae00 :   ulTotalPublicMemory: 18446744073709551615
0x00004a09 : 0x0eb6ae00 :   ulFreePublicMemory: 30824
0x00004a09 : 0x0eb6ae00 :   ulTotalPrivateMemory: 18446744073709551615
0x00004a09 : 0x0eb6ae00 :   ulFreePrivateMemory: 30824
0x00004a09 : 0x0eb6ae00 :   hardwareVersion:
0x00004a09 : 0x0eb6ae00 :    major: 1
0x00004a09 : 0x0eb6ae00 :    minor: 0
0x00004a09 : 0x0eb6ae00 :   firmwareVersion:
0x00004a09 : 0x0eb6ae00 :    major: 1
0x00004a09 : 0x0eb6ae00 :    minor: 0
0x00004a09 : 0x0eb6ae00 :   utcTime:
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_CloseAllSessions
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  slotID: 0
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_OpenSession
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  slotID: 0
0x00004a09 : 0x0eb6ae00 :  flags: 6
0x00004a09 : 0x0eb6ae00 :   CKF_RW_SESSION: TRUE
0x00004a09 : 0x0eb6ae00 :   CKF_SERIAL_SESSION: TRUE
0x00004a09 : 0x0eb6ae00 :  pApplication: 0x0
0x00004a09 : 0x0eb6ae00 :  Notify: 0x0
0x00004a09 : 0x0eb6ae00 :  phSession: 0x7ffee4786670
0x00004a09 : 0x0eb6ae00 :  *phSession: 140732731516528
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 :  phSession: 0x7ffee4786670
0x00004a09 : 0x0eb6ae00 :  *phSession: 1
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_Login
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  hSession: 1
0x00004a09 : 0x0eb6ae00 :  userType: 1 (CKU_USER)
0x00004a09 : 0x0eb6ae00 :  pPin: 0x7ffee47869a7
0x00004a09 : 0x0eb6ae00 :  *pPin: *** Intentionally hidden ***
0x00004a09 : 0x0eb6ae00 :  ulPinLen: 8
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_GetSessionInfo
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  hSession: 1
0x00004a09 : 0x0eb6ae00 :  pInfo: 0x7ffee4786270
0x00004a09 : 0x0eb6ae00 : Output
0x00004a09 : 0x0eb6ae00 :  pInfo: 0x7ffee4786270
0x00004a09 : 0x0eb6ae00 :   slotID: 0
0x00004a09 : 0x0eb6ae00 :   state: 3 (CKS_RW_USER_FUNCTIONS)
0x00004a09 : 0x0eb6ae00 :   flags: 6
0x00004a09 : 0x0eb6ae00 :    CKF_RW_SESSION: TRUE
0x00004a09 : 0x0eb6ae00 :    CKF_SERIAL_SESSION: TRUE
0x00004a09 : 0x0eb6ae00 :   ulDeviceError: 0
0x00004a09 : 0x0eb6ae00 : Returning 0 (CKR_OK)
0x00004a09 : 0x0eb6ae00 : ****************************** 2023-09-27 15:39:18 ***
0x00004a09 : 0x0eb6ae00 : Calling C_CreateObject
0x00004a09 : 0x0eb6ae00 : Input
0x00004a09 : 0x0eb6ae00 :  hSession: 1
0x00004a09 : 0x0eb6ae00 :  pTemplate: 0x7ffee47862e0
0x00004a09 : 0x0eb6ae00 :  ulCount: 10
0x00004a09 : 0x0eb6ae00 :   *** Begin attribute template ***
0x00004a09 : 0x0eb6ae00 :   Attribute 0
0x00004a09 : 0x0eb6ae00 :    Attribute: 0 (CKA_CLASS)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7ffee47865e8
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 8
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(0100000000000000)
0x00004a09 : 0x0eb6ae00 :   Attribute 1
0x00004a09 : 0x0eb6ae00 :    Attribute: 1 (CKA_TOKEN)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x10b4a0448
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 1
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(01)
0x00004a09 : 0x0eb6ae00 :   Attribute 2
0x00004a09 : 0x0eb6ae00 :    Attribute: 128 (CKA_CERTIFICATE_TYPE)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7ffee47865f0
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 8
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(0000000000000000)
0x00004a09 : 0x0eb6ae00 :   Attribute 3
0x00004a09 : 0x0eb6ae00 :    Attribute: 257 (CKA_SUBJECT)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7f80f18048e0
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 91
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(<hidden>)
0x00004a09 : 0x0eb6ae00 :   Attribute 4
0x00004a09 : 0x0eb6ae00 :    Attribute: 129 (CKA_ISSUER)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7f80f1804940
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 103
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(<hidden>)
0x00004a09 : 0x0eb6ae00 :   Attribute 5
0x00004a09 : 0x0eb6ae00 :    Attribute: 140 (Unknown)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7ffee4786638
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 8
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(5002000000000000)
0x00004a09 : 0x0eb6ae00 :   Attribute 6
0x00004a09 : 0x0eb6ae00 :    Attribute: 138 (CKA_HASH_OF_SUBJECT_PUBLIC_KEY)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7ffee4786640
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 32
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(<hidden>)
0x00004a09 : 0x0eb6ae00 :   Attribute 7
0x00004a09 : 0x0eb6ae00 :    Attribute: 17 (CKA_VALUE)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7f80f200ba00
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 1736
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(<hidden>)
0x00004a09 : 0x0eb6ae00 :   Attribute 8
0x00004a09 : 0x0eb6ae00 :    Attribute: 3 (CKA_LABEL)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7f80efd04a10
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 11
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(64656D6F315F6C6162656C)
0x00004a09 : 0x0eb6ae00 :   Attribute 9
0x00004a09 : 0x0eb6ae00 :    Attribute: 258 (CKA_ID)
0x00004a09 : 0x0eb6ae00 :    pValue: 0x7ffee47869e1
0x00004a09 : 0x0eb6ae00 :    ulValueLen: 5
0x00004a09 : 0x0eb6ae00 :    *pValue: HEX(64656D6F31)
0x00004a09 : 0x0eb6ae00 :   *** End attribute template ***
0x00004a09 : 0x0eb6ae00 :  phObject: 0x7ffee47865e0
0x00004a09 : 0x0eb6ae00 :  *phObject: 1
0x00004a09 : 0x0eb6ae00 : Returning 18 (CKR_ATTRIBUTE_TYPE_INVALID)

The line:

0x00004a09 : 0x0eb6ae00 :    Attribute: 140 (Unknown)

Restating my first question, is there a way to detect whether or not an attribute is valid in the loaded PKCS#11 module?

dengert commented 9 months ago

C_GetInfo returns a CK_INFO with a CK_VERSION cryptokiVersion; which in trace says 2.20.

PKCS11-v.2.40 defines:

#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008AUL
#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008BUL
#define CKA_NAME_HASH_ALGORITHM         0x0000008CUL

But pkcs11-2.20 does not define CKA_NAME_HASH_ALGORITHM It also says: "CKA_HASH_OF_SUBJECT_PUBLIC_KEY Byte array SHA-1 hash of the subject public key (default empty)" Even though it does define CKM_SHA256, but for CKA_HASH_OF_SUBJECT_PUBLIC_KEY

Can CKA_NAME_HASH_ALGORITHM attribute be validated somehow before the call to PKCS#11 module?

Yes by version number.

Is there a reason for setting CKA_HASH_OF_SUBJECT_PUBLIC_KEY when the standard indicates that there's no need for it when CKA_VALUE is set?

Since 2.20 it requires SHA-1 and you are passing a SHA256 hash its the wrong size.

So it looks like your PKCS11 module is supporting 2.20 as defined.

dengert commented 9 months ago

You may want to submit a PR to test for version <= 2.20 so CKA_HASH_OF_SUBJECT_PUBLIC_KEY and CKA_NAME_HASH_ALGORITHM are not added to the template.

If you really require CKA_HASH_OF_SUBJECT_PUBLIC_KEY make the hash is SHA1.

mihaicristiantanase commented 9 months ago

Thank you for clarifying the issue.

I'll come back with a PR as soon as it's ready.

mtrojnar commented 9 months ago

Fixed with https://github.com/OpenSC/libp11/pull/519.

OpenSC / libp11

PKCS11_store_certificate generates CKR_ATTRIBUTE_TYPE_INVALID error #518