OpenSC / pam_pkcs11

This Linux-PAM login module allows an X.509 certificate-based user login
GNU Lesser General Public License v2.1

C_Sign fails with 0x00000007 after inserting pin #38

Open Ranguna opened 4 years ago

Ranguna commented 4 years ago

Hello, I compiled and installed all the necessary packages and configured /etc/pam_pkcs11/subject_mapping with my smart card's subject data, which I got from pkcs11_inspect. I also added and linked the required CA certificates in /etc/pam_pkcs11/cacerts. I added the following line to /etc/pam.d/sudo:

```
#%PAM-1.0
auth sufficient /usr/local/lib/security/pam_pkcs11.so debug

** the rest of the unchanged commands **
```

But whenever I try to use sudo and type my PIN, I get this (snippet from the actual log):

```
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [6d:86:47:...:e8]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:58:12:56:...:03]
ERROR:pam_pkcs11.c:717: sign_value() failed: C_Sign() failed: 0x00000007
Error 2340: Signing failed
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
Sorry, try again.
```

Complete log:

```
luis@CTW00632:~$ sudo -i
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:335: username = [luis]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.19
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1100: number of slots (b): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro AU9560 00 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Auth PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Sign PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 4040c
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Address PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
Portuguese ID Card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome Auth PIN (CARTAO DE CIDADAO)!
Portuguese ID Card PIN:
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 45
DEBUG:pkcs11_lib.c:1624: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 52
DEBUG:pkcs11_lib.c:1624: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 50
DEBUG:pkcs11_lib.c:1659: Found 3 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:196: Inserting mapper [null] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 0
DEBUG:cert_vfy.c:229: no revocation-check performed
DEBUG:cert_vfy.c:496: certificate has not been revoked
DEBUG:mapper_mgr.c:306: Mapper module subject match() returns 1
DEBUG:pam_pkcs11.c:664: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [1b:e5:51:...:2e]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:38:cc:32:...:74]
DEBUG:pkcs11_lib.c:1826: increased signature buffer-length to 256
ERROR:pam_pkcs11.c:717: sign_value() failed: C_Sign() failed: 0x00000007
Error 2340: Signing failed
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
Sorry, try again.
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:335: username = [luis]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.19
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1100: number of slots (b): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Auth PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Sign PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 4040c
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Address PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
Portuguese ID Card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome Auth PIN (CARTAO DE CIDADAO)!
Portuguese ID Card PIN:
```

This file says that 0x00000007 is CKR_ARGUMENTS_BAD.

I believe the first time h->fl->C_Sign runs, it returns CKR_BUFFER_TOO_SMALL, and in the second loop with signature_length of 256, it fails.

pkcs11-tool -M returns this:

```
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
  SHA256-RSA-PKCS, keySize={512,2048}, sign, verify
  MD5-RSA-PKCS, keySize={512,2048}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={512,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, generate_key_pair
```

Why am I getting `sign_value() failed: C_Sign() failed: 0x00000007`?

Ranguna commented 4 years ago

Anyone?

wolneykien commented 4 years ago

> I believe the first time h->fl->C_Sign runs, it returns CKR_BUFFER_TOO_SMALL, and in the second loop with signature_length of 256, it fails.

What about the length of the hash it tries to sign?

Ranguna commented 4 years ago

> What about the length of the hash it tries to sign?

Since USE_HASH_SHA1 is not defined, I believe it's using SHA256, so 256 bits (32 bytes). I think it's this line.

Ranguna commented 4 years ago

Can anyone help me here?

wolneykien commented 4 years ago

You are the only person who has access to your token, aren't you? CKR_ARGUMENTS_BAD means that the length of the hash is wrong, or that the private key (which corresponds to the session argument) that is going to be used for the signature isn't suitable for that kind of signature. Thus, you need to check in a debugger the actual length of the hash and the ID of the key (and the mechanism too).

Ranguna commented 4 years ago

@wolneykien will do, thank you 👌

wolneykien commented 4 years ago

Any news?

Ranguna commented 4 years ago

Sorry, I've been kind of busy with work and some other personal projects. I'll see if I can get the time to work on this issue this or next week.

mskalski commented 4 years ago

Well, some cards have an upper limit on the size of data that can be successfully signed, but according to the available mechanism list (where it supports SHA256-RSA-PKCS) it should correctly sign well-formatted signature data as in pam_pkcs11 (see https://github.com/OpenSC/pam_pkcs11/blob/master/src/common/pkcs11_lib.c#L1768).

To be sure that is not the case, you can use your PKCS#11 module with OpenSC's pkcs11-tool, first to list your keys on the card and then to try to make a signature:

```
# list the objects on the card (log in so private keys are visible too)
$ pkcs11-tool --module <your-module.so> -O -l
# sign 51 random bytes, the same length pam_pkcs11 passes to C_Sign (hash[51] in the log)
$ dd if=/dev/urandom bs=51 count=1 | pkcs11-tool --module <your-module.so> --sign \
    --pin <your-card-pin> --id <your-rsa-key-id> -m RSA-PKCS
```

or the second one (which is correct data for an RSA PKCS#1 v1.5 signature with SHA-256):

```
# 19-byte DER DigestInfo header for SHA-256 followed by a 32-byte placeholder hash
$ printf "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20%32s" '' | \
    pkcs11-tool --module <your-module.so> --sign --pin <your-card-pin> \
    --id <your-rsa-key-id> -m RSA-PKCS
```

If it is the same error, then your card (or rather the PKCS#11 library that reports support for the SHA256-RSA-PKCS mechanism) is to blame.

So possibly it is a bug in the PKCS#11 implementation. Some libraries incorrectly assume the first call to C_Sign() is made with NULL in the pSignature parameter; maybe it just returns an error here on a small signature_length parameter. Can you share details of the smartcard and/or PKCS#11 implementation?

Try my PR #40, which also increases the size of the first-time buffer for getting the signature.
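The 51 bytes that pam_pkcs11 logs as `hash[51]`, and that mskalski's `printf` reproduces, are the PKCS#1 v1.5 DigestInfo for SHA-256: a 19-byte DER header followed by the 32-byte hash. The raw RSA-PKCS mechanism then applies the EMSA-PKCS1-v1_5 padding (`00 01 ff..ff 00 || DigestInfo`) and the private-key operation on the card, which is why signing this input with RSA-PKCS is equivalent to signing the original data with SHA256-RSA-PKCS. The following is an added example, not code from pam_pkcs11 or OpenSC: it builds the DigestInfo for several hashes, reproduces the padding so a signature returned by `pkcs11-tool --sign -m RSA-PKCS` can be verified in software against the certificate's public key, and shows the length limit that makes a too-large DigestInfo unsignable for a small key. The software RSA key generation (`toy_rsa_keypair`, with a Miller-Rabin primality test) exists only so the round trip runs offline without a token; it is a stand-in for the card's private key, not production key material.

```python
"""Added example (not pam_pkcs11/OpenSC code): RSA PKCS#1 v1.5 signing input and check.
DigestInfo prefixes and padding follow RFC 8017 (EMSA-PKCS1-v1_5)."""
import hashlib
import secrets

# DER-encoded DigestInfo prefix per hash (RFC 8017, section 9.2, note 1).
# For SHA-256 this is the 19-byte header in mskalski's printf; with the
# 32-byte hash appended it is the 51-byte "hash[51]" from the pam_pkcs11 log.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def digest_info(alg, data):
    """T = DigestInfo prefix || Hash(data): the input for -m RSA-PKCS."""
    return DIGEST_INFO_PREFIX[alg] + hashlib.new(alg, data).digest()


def emsa_pkcs1_v15_encode(t, em_len):
    """EM = 0x00 || 0x01 || PS (at least 8 bytes of 0xff) || 0x00 || T.
    The token applies this itself under RSA-PKCS; it is reproduced here for
    verification and to make the key-size limit explicit."""
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def emsa_pkcs1_v15_decode(em):
    """Inverse of encode: returns (hash_name, hash) or raises ValueError."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        raise ValueError("bad padding string")
    t = em[i + 1:]
    for alg, prefix in DIGEST_INFO_PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(alg).digest_size:
            return alg, t[len(prefix):]
    raise ValueError("unrecognised DigestInfo")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, adequate for a throwaway demo key only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def toy_rsa_keypair(bits=1024):
    """Software stand-in for the card's key: returns (n, e, d). Demo only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def rsa_pkcs1_v15_sign(t, n, d):
    """Software equivalent of C_Sign with CKM_RSA_PKCS over DigestInfo t."""
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_encode(t, k)  # raises ValueError if t does not fit
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_pkcs1_v15_verify(sig, n, e, alg, data):
    """Check a raw RSA-PKCS signature (e.g. pkcs11-tool output) against data,
    using the public key (n, e) taken from the matching certificate."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    try:
        got_alg, got_hash = emsa_pkcs1_v15_decode(em)
    except ValueError:
        return False
    return got_alg == alg and got_hash == hashlib.new(alg, data).digest()
```

To use it against a real card, write `digest_info("sha256", data)` to a file, sign it with `pkcs11-tool --module <your-module.so> --sign -m RSA-PKCS --id <your-rsa-key-id> -i digestinfo.bin -o sig.bin`, and pass `sig.bin` to `rsa_pkcs1_v15_verify` with `n` read from the certificate (`openssl x509 -noout -modulus -in cert.pem`) and `e` (65537 for almost every card key). Because `emsa_pkcs1_v15_encode` refuses any DigestInfo longer than the modulus size minus 11 bytes, the same check makes the `keySize={512,...}` edge visible: a 512-bit key cannot carry a SHA-512 DigestInfo at all, and a module that reports the mechanism anyway will fail at C_Sign rather than at C_GetMechanismList.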