Open Ranguna opened 4 years ago
Anyone?
I believe the first time `h->fl->C_Sign` runs, it returns `CKR_BUFFER_TOO_SMALL`, and in the second loop with `signature_length` of 256, it fails.
What about the length of the hash it tries to sign?
Since `USE_HASH_SHA1` is not defined, I believe it's using SHA256, so 256 bits (32 bytes).
I think it's this line.
Can anyone help me here?
You are the only person who has access to your token, aren't you? The `CKR_ARGUMENTS_BAD` means that the length of the hash is wrong, or that the private key (which corresponds to the `session` argument) that is going to be used for the signature isn't suitable for that kind of signature. Thus, you need to check in a debugger the actual length of the hash and the ID of the key (and the mechanism too).
@wolneykien will do, thank you 👌
Any news?
Sorry, I've been kind of busy with work and some other personal projects. I'll see if I can get the time to work on this issue this or next week.
Well, some cards have an upper limit on the size of data that can be successfully signed, but according to the available mechanism list (where it supports `SHA256-RSA-PKCS`) it should correctly sign well-formatted signature data as in pam_pkcs11 (see https://github.com/OpenSC/pam_pkcs11/blob/master/src/common/pkcs11_lib.c#L1768 ).

To be sure that is not the case, you can use your PKCS#11 module in OpenSC's `pkcs11-tool`, first to list your keys on the card and then to try to make a signature:

```
$ pkcs11-tool --module <your-module.so> -O -l
$ dd if=/dev/urandom bs=51 count=1 | pkcs11-tool --module <your-module.so> --sign \
    --pin <your-card-pin> --id <your-rsa-key-id> -m RSA-PKCS
```

or the second one (which is correct data for an RSA PKCS#1 v1.5 signature with SHA-256):

```
printf "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20%32s" '' | \
    pkcs11-tool --module <your-module.so> --sign --pin <your-card-pin> \
    --id <your-rsa-key-id> -m RSA-PKCS
```

If it is the same error, then your card (or rather the PKCS#11 library that reports support for the `SHA256-RSA-PKCS` mechanism) is to blame.
So possibly it is a bug in the PKCS#11 implementation. Some libraries incorrectly assume the first call to `C_Sign()` is with NULL in the `pSignature` parameter, and maybe here it just returns an error on a small `signature_length` parameter. Can you share details of the smartcard and/or PKCS#11 implementation?

Try my PR #40, which also increases the size of the first-time buffer for getting the signature.
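An added example, not code from this thread or from pam_pkcs11, that ties together the two points raised above: the 19-byte SHA-256 DigestInfo prefix from the `printf` command plus a 32-byte digest gives exactly the 51-byte input the log reports as `hash[51]`, and the two-call `C_Sign` buffer-size negotiation that a module must honour. `MockRsaPkcsToken` and `sign_value` are constructed stand-ins for the demo (no real RSA is performed); the `CKR_*` numeric values are the ones defined in the PKCS#11 spec.

```python
import hashlib

# PKCS#11 return values from the PKCS#11 spec; 0x07 is the code in the log above
CKR_OK = 0x00
CKR_ARGUMENTS_BAD = 0x07
CKR_BUFFER_TOO_SMALL = 0x150
# DigestInfo prefix for SHA-256 (RFC 8017); the same 19 bytes as the printf in the comment
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def sha256_digestinfo(message: bytes) -> bytes:
    """What pam_pkcs11 hands to CKM_RSA_PKCS: prefix + digest = 19 + 32 = 51 bytes."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()

def is_sha256_digestinfo(data: bytes) -> bool:
    """True only for a well-formed 51-byte SHA-256 DigestInfo (the hash[51] in the log)."""
    return len(data) == 51 and data.startswith(SHA256_DIGESTINFO_PREFIX)

class MockRsaPkcsToken:
    """Constructed stand-in for a module's C_Sign: no real RSA, the signature bytes are fake.
    It rejects malformed input with CKR_ARGUMENTS_BAD (one cause named in the thread) and
    follows the spec's output-buffer size negotiation."""
    def __init__(self, modulus_bytes: int = 256):  # 256 bytes = 2048-bit RSA key, as in the log
        self.modulus_bytes = modulus_bytes
    def C_Sign(self, data: bytes, signature, signature_length: int):
        if not is_sha256_digestinfo(data):
            return CKR_ARGUMENTS_BAD, signature_length
        if signature is None:                       # pSignature == NULL: pure length query
            return CKR_OK, self.modulus_bytes
        if signature_length < self.modulus_bytes:   # buffer given but too small
            return CKR_BUFFER_TOO_SMALL, self.modulus_bytes
        signature[:self.modulus_bytes] = hashlib.sha256(data).digest() * 8  # constructed filler
        return CKR_OK, self.modulus_bytes

def sign_value(token, data: bytes):
    """Two-call pattern: query the size with a NULL buffer, then sign into a buffer of that
    size; retry once if the module still answers CKR_BUFFER_TOO_SMALL. Returns (rv, sig|None)."""
    rv, siglen = token.C_Sign(data, None, 0)
    if rv != CKR_OK:
        return rv, None
    sig = bytearray(siglen)
    rv, siglen = token.C_Sign(data, sig, len(sig))
    if rv == CKR_BUFFER_TOO_SMALL:
        sig = bytearray(siglen)
        rv, siglen = token.C_Sign(data, sig, len(sig))
    return rv, (bytes(sig[:siglen]) if rv == CKR_OK else None)

if __name__ == "__main__":
    rv, sig = sign_value(MockRsaPkcsToken(), sha256_digestinfo(b"128 random challenge bytes"))
    print(hex(rv), len(sig))                                  # 0x0 256
    print(hex(sign_value(MockRsaPkcsToken(), bytes(32))[0]))  # 0x7: raw digest without DigestInfo
```

Feeding a bare 32-byte digest instead of the 51-byte DigestInfo is the kind of length mismatch the thread suggests checking in a debugger before blaming the module.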
Hello, I compiled and installed all the necessary packages and configured `/etc/pam_pkcs11/subject_mapping` with my smart card's subject data, which I got from `pkcs11_inspect`. I also added and linked the required CA certificates in `/etc/pam_pkcs11/cacerts`. I added the following line to `/etc/pam.d/sudo`:

But whenever I try to use sudo and type my PIN, I get this (snip from the actual log):

Complete Log:
```
luis@CTW00632:~$ sudo -i
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:335: username = [luis]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.19
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1100: number of slots (b): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro AU9560 00 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Auth PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Sign PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 4040c
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Address PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
Portuguese ID Card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome Auth PIN (CARTAO DE CIDADAO)!
Portuguese ID Card PIN:
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 45
DEBUG:pkcs11_lib.c:1624: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 52
DEBUG:pkcs11_lib.c:1624: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 50
DEBUG:pkcs11_lib.c:1659: Found 3 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:196: Inserting mapper [null] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 0
DEBUG:cert_vfy.c:229: no revocation-check performed
DEBUG:cert_vfy.c:496: certificate has not been revoked
DEBUG:mapper_mgr.c:306: Mapper module subject match() returns 1
DEBUG:pam_pkcs11.c:664: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [1b:e5:51:...:2e]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:38:cc:32:...:74]
DEBUG:pkcs11_lib.c:1826: increased signature buffer-length to 256
ERROR:pam_pkcs11.c:717: sign_value() failed: C_Sign() failed: 0x00000007
Error 2340: Signing failed
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
Sorry, try again.
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:335: username = [luis]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.19
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1100: number of slots (b): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Auth PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Sign PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 4040c
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Address PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
Portuguese ID Card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome Auth PIN (CARTAO DE CIDADAO)!
Portuguese ID Card PIN:
```
This file says that `0x00000007` is `CKR_ARGUMENTS_BAD`.

I believe the first time `h->fl->C_Sign` runs, it returns `CKR_BUFFER_TOO_SMALL`, and in the second loop with `signature_length` of 256, it fails.

`pkcs11-tool -M` returns this:

Why am I getting `sign_value() failed: C_Sign() failed: 0x00000007`?