search

OpenSC / pam_pkcs11

This Linux-PAM login module allows a X.509 certificate based user login
GNU Lesser General Public License v2.1
63 stars 51 forks source link

unable to sign using ecdsa-with-SHA256 #23

Closed c3ph3us closed 5 years ago

c3ph3us commented 7 years ago

in short:

DEBUG:pam_pkcs11.c:637: certificate is valid and matches the user
Sprawdzanie podpisu
DEBUG:pkcs11_lib.c:1765: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:1784: random-value[128] = [3e:47:aa:...:cf]
DEBUG:pkcs11_lib.c:1726: hash[35] = [...:51:d3:14:...:af]
ERROR:pam_pkcs11.c:690: sign_value() failed: C_SignInit() failed: 0x00000063
Błąd 2340: Podpisanie nie powiodło się

full explanations here

http://crypto.stackexchange.com/questions/40277/ec-signing-using-pkcs11-failed-c-signinit-failed-0x00000063

LudovicRousseau commented 7 years ago

It looks like the problem comes from C_SignInit() failed: 0x00000063 In that case you should report the problem to the PKCS#11 library used with pam-pkcs11. In your case OpenSC.

c3ph3us commented 7 years ago

@LudovicRousseau this is the key loaded in smard card is it ok ? 

 Private EC Key [PIV AUTH key]
Object Flags   : [0x1], private
Usage          : [0x4], sign
Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
FieldLength    : 256
Key ref        : 154 (0x9A)
Native         : yes
Auth ID        : 01
ID             : 01
MD:guid        : 0x'30
dengert commented 7 years ago

Looks like pam_pkcs11 in pkcs11_lib.c only supports RSA and sha1.

sign_value() routine at line 1722 has:

Line 1726 only defines sha1 Line 1739 only supports CKK_RSA But not clear why line 1743 and 1744 did not return -1; line 1746 : SHA1(data, length, &hash[15]);

line 1752: set_error("C_SignInit() failed: 0x%08lX", rv);

c3ph3us commented 7 years ago

@dengert so there is no support for ecdsa -sha256 :D ?

also i cant add keys to ssh agent (using PIN) 

   $ ssh-add -s /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so 
  Enter passphrase for PKCS#11: 
  Could not add card "/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so": agent refused operation

and i have two files (debian sid)

   /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so 
   /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

how i can determine version of those libs (excluding dpkg) some headr md5 sha?

could be a curve related issue ? i have gen private key with openssl as:

   ecparam -param_enc named_curve  -name prime256v1

on yubico site there are witting 

 "Follow the notes and try to use brew SSH and explicitly use those binaries not the default ssh.
 Alternatively, try using YKCS11 https://developers.yubico.com/yubico-pi ... notes.html"

@LudovicRousseau can i use YKCS11 with pam pkcs11?

https://developers.yubico.com/yubico-piv-tool/YKCS11_release_notes.html

c3ph3us commented 7 years ago

could problem lie in -param_enc explicit vs named_curve ??

ps using explicit i cant upload key to yubikey as 

 Unknown EC curve 0
 Unable to import private key
dengert commented 7 years ago

The issue appears to be with the pam_pkcs11 that pre-dates ECDSA or SHA256 and only has support for RSA and SHA1. The sign_value() routine is computing the signature hash then calling C_SignInit and c_Sign to sign the hash which includes the OID of the hash algroithm and the hash.

For RSA, PKCS#11 defines many mechanisms that do the hash, padding and signature, internally but for ECDSA there is only CKM_ECDSA (no hash) and CKM_ECDSA_SHA1 (do the SHA1 then do the ECDSA internally) So for other hashes, the applications has to do the hash using OpenSSL for example or use PKCS#11 or one of the CKM_SHA* mechanisms, then pass this hash to the CKM_ECDSA. There is no requirement that a PKCS#11 implementation implement these hash only mechanisms. (OpenSC pkcs11 does if compiled with OpenSSL which is normally done) I don't know if the YKCS11 does or not.

pkcs11-tool -M can be used to see what mechanisms are supported for the card.

pkcs11_lib.c contains two versions of many routines including sign_value, one if using NSS and one if using OpenSSL. Both sign-value routines should be rewritten to support ECDSA. The OpenSSL version could use the OpenSSL digest routines to produce the hashes. Note unlike RSA signatures which include the OID of the hash algorithm, ECDSA does not.

The problem is not with the yubikey.

c3ph3us commented 7 years ago

@danger @LudovicRousseau I do not "sit" (don't know if there is an idiom in English for what i want tray to say :) ) in cryptography and c .. I know at most Java so I can not help much & second i have no time ... I miss additional 48 hours a day ;/ but it would be nice for someone to make use of EC maybe @a-dma or @klali could provide some help :P

https://www.cryptsoft.com/pkcs11doc/v220/group__SEC__12__3__6__ECDSA__WITHOUT__HASHING.html

 Using slot 0 with a present token (0x0)
 Supported mechanisms:
   SHA-1, digest
   SHA256, digest
   SHA384, digest
   SHA512, digest
   MD5, digest
   RIPEMD160, digest
   GOSTR3411, digest
   **ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000**
   ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
   ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
   RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
   RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
   SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
   SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
   SHA384-RSA-PKCS, keySize={1024,3072}, sign, verify
   SHA512-RSA-PKCS, keySize={1024,3072}, sign, verify
   MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
   RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify

related:

https://bitbucket.org/PyKCS11/pykcs11/issues/23/ckm-ecdsa-creating-signatures https://github.com/Yubico/yubico-piv-tool/issues/83 http://osxr.org/android/ident?_i=CKM_ECDSA https://bugzilla.mozilla.org/show_bug.cgi?id=327667 https://www.oasis-open.org/committees/download.php/50265/CKM_ECDSA_FIPS_186_4_v02.pdf https://sourceforge.net/p/opencryptoki/opencryptoki/ci/3400be830fade6f2ea3c80d044f88f9d240ef9b0/tree/usr/lib/pkcs11/cca_stdll/sign_mgr.c?diff=12a8280869bcc2a96a4acd175db166bde6f255ae https://bugzilla.mozilla.org/show_bug.cgi?id=613496 http://nullege.com/projects/show/27986 https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-October/034440.html http://markmail.org/message/37ihqvplwwaicpmk https://chromium.googlesource.com/chromiumos/third_party/opencryptoki/+/3400be830fade6f2ea3c80d044f88f9d240ef9b0%5E!/

sovaeta commented 5 years ago

Ran into this issue (and the somewhat confusing error message), so i did a quick patch to v0.6.10 to get things working with openssl for me atleast:

01_priv_key_type.patch.txt 02_ecdsa_sha256.patch.txt 03_signature_length.patch.txt

LudovicRousseau commented 5 years ago

Thanks @sovaeta I used your 3 patches. I also modified the second one to add support of OpenSSL 1.1 in addition to 1.0.

This issue should be closed now. Please test the current git code and open a new issue if needed.

sovaeta commented 5 years ago

Latest git working nicely for me, thanks!