PeculiarVentures / fortify

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the desktop application repository.
https://fortifyapp.com

Getting error while importing certificate into AKiS SmartCard #516

Open sanawershoukat opened 2 years ago

sanawershoukat commented 2 years ago

Hi,

I'm getting an error while importing a certificate into the AKiS SmartCard V2.2. I'm following Example2 to import the certificate.

Here is the logs screenshot attached for reference. [screenshot: logs-details]

I'm using the below certificate to import:

-----BEGIN CERTIFICATE----- MIICzTCCAbegAwIBAgIBATALBgkqhkiG9w0BAQswKjELMAkGA1UEBhMCRU4xGzAZ BgNVBAMeEgB0AGUAcwB0AC0AYwBlAHIAdDAeFw0yMjA5MTIxODI2MzVaFw0yMzA5 MTIxODI2MzVaMCoxCzAJBgNVBAYTAkVOMRswGQYDVQQDHhIAdABlAHMAdAAtAGMA ZQByAHQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrQPyzjRE0S9nc 9gW3XCawP9Z2GsjJcaUwfSwy1VgfsOP3F3WMsVXZTKjNFdn3fTotQ9F3gTK0spLu 74gqL2LoWUYk1kAudkw4zpM31jA8ba1OHT0bmVVXA+ELW/l7hxHD8mig9J1dr0jk myUel4gIyB1Dw4elq+0jwfOq505qI4f3MxHYKu5JyJ7vOC0WZxl/UDypY3AT+X0W h9+RxVR6eteh5n6IdWC2BrS0YWyHpFfKtI0Uib29ef4hPCV8ydw8JAEniRIQx7Up CiHeqvWk4BW5VD+o/WSPxDBj69umv+mu8Ipgkm4Q+i87RxXXmVbCczK0y1Q1nfsb x4JKB5M7AgMBAAGjAjAAMAsGCSqGSIb3DQEBCwOCAQEAHe1sPHgQbpT7dCJD89aI K+RwGNglcjY8yozlAxq5Rkxc0ZLuK6hYySXz7dinKkay3o6S65Y9wveZWfWm4E0m rrUrFh0a/MryUNlbrnGoY96m9MypxW4azuPq1EbnBFdQ+n5cFDpWt40gDaEGDuOM spfVK6qyQ0S/RQcFB6EzegBgqAA+1efFF7C5klWfLIC8BT7IXmBavSi8RECQnMmb eYdhNX3OXTLmojCQPsfq/qjGIbT4WfIVVq14kKmJQnTtX3nwqUTqMDb6boNuG3m0 9vXHENqduVoabGTPC9RT9zUvF/HjJvfSHB+AaprbqBCzMq6NhpbjuouzkZTRSbQk ag== -----END CERTIFICATE-----

Thanks in advance. Sanawar

microshine commented 2 years ago

Just used this page for importing your certificate. It works fine.

[screenshot]

Please try to generate a self-signed certificate using https://tools.fortifyapp.com. Some PKCS#11 providers don't allow adding crypto objects via the C_CopyObject function. Maybe the problem is in it. If so, I'd like to share a test script to check it out:

import { Crypto } from "node-webcrypto-p11";

const library = "/usr/local/lib/softhsm/libsofthsm2.so";
const slot = 0;
const pin = "12345";

async function main() {
  const crypto = new Crypto({
    library,
    pin,
    slot,
    readWrite: true,
  });

  const pem = "-----BEGIN CERTIFICATE-----\n" +
    "MIICzTCCAbegAwIBAgIBATALBgkqhkiG9w0BAQswKjELMAkGA1UEBhMCRU4xGzAZ\n" +
    "BgNVBAMeEgB0AGUAcwB0AC0AYwBlAHIAdDAeFw0yMjA5MTIxODI2MzVaFw0yMzA5\n" +
    "MTIxODI2MzVaMCoxCzAJBgNVBAYTAkVOMRswGQYDVQQDHhIAdABlAHMAdAAtAGMA\n" +
    "ZQByAHQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrQPyzjRE0S9nc\n" +
    "9gW3XCawP9Z2GsjJcaUwfSwy1VgfsOP3F3WMsVXZTKjNFdn3fTotQ9F3gTK0spLu\n" +
    "74gqL2LoWUYk1kAudkw4zpM31jA8ba1OHT0bmVVXA+ELW/l7hxHD8mig9J1dr0jk\n" +
    "myUel4gIyB1Dw4elq+0jwfOq505qI4f3MxHYKu5JyJ7vOC0WZxl/UDypY3AT+X0W\n" +
    "h9+RxVR6eteh5n6IdWC2BrS0YWyHpFfKtI0Uib29ef4hPCV8ydw8JAEniRIQx7Up\n" +
    "CiHeqvWk4BW5VD+o/WSPxDBj69umv+mu8Ipgkm4Q+i87RxXXmVbCczK0y1Q1nfsb\n" +
    "x4JKB5M7AgMBAAGjAjAAMAsGCSqGSIb3DQEBCwOCAQEAHe1sPHgQbpT7dCJD89aI\n" +
    "K+RwGNglcjY8yozlAxq5Rkxc0ZLuK6hYySXz7dinKkay3o6S65Y9wveZWfWm4E0m\n" +
    "rrUrFh0a/MryUNlbrnGoY96m9MypxW4azuPq1EbnBFdQ+n5cFDpWt40gDaEGDuOM\n" +
    "spfVK6qyQ0S/RQcFB6EzegBgqAA+1efFF7C5klWfLIC8BT7IXmBavSi8RECQnMmb\n" +
    "eYdhNX3OXTLmojCQPsfq/qjGIbT4WfIVVq14kKmJQnTtX3nwqUTqMDb6boNuG3m0\n" +
    "9vXHENqduVoabGTPC9RT9zUvF/HjJvfSHB+AaprbqBCzMq6NhpbjuouzkZTRSbQk\n" +
    "ag==\n" +
    "-----END CERTIFICATE-----";

  try {
    // create an X.509 certificate object in the session (CKA_TOKEN = false)
    const cert = await crypto.certStorage.importCert("pem", pem, { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }, ["sign", "verify"]);
    // copy the session object onto the token (this path uses C_CopyObject)
    await crypto.certStorage.setItem(cert);

    console.log("Certificate has been added into the token via C_CopyObject");
  } catch (e) {
    // fallback: create the X.509 certificate object directly on the token (C_CreateObject with CKA_TOKEN = true)
    await crypto.certStorage.importCert("pem", pem, { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256", token: true }, ["sign", "verify"]);

    console.log("Certificate has been added into the token via C_CreateObject");
  } finally {
    crypto.close();
  }
}

main().catch(e => {
  console.error(e);
  process.exit(1);
});

Could you run this NodeJS script (just update library and pin)? I don't know your OS. Fortify should use one of these libs:

    {
      "id": "F4460DEC1A2DB75426614475E0C814C3CA849845",
      "name": "AKIS",
      "file": {
        "windows": {
          "x86": "%WINDIR/System32/akisp11.dll",
          "x64": "%WINDIR/SysWOW64/akisp11.dll"
        },
        "linux": "/usr/lib/bit4id/libbit4opki.so",
        "osx": "/usr/lib/bit4id/libbit4opki.dylib"
      }
    },
sanawershoukat commented 2 years ago

Hi @microshine

I have executed the above example but am facing the below error. [screenshot: import-cert-nodeJS-error]

I have tried different combinations with the above example to import the certificate but was not successful. The AKiS card version is V2.2.

Thanks in advance.

microshine commented 2 years ago

Is it possible to enable logging for your PKCS11 library to understand which attribute is wrong?

Each manufacturer of a PKCS11 library allows doing it, because the PKCS11 API returns an error code and doesn't allow getting detailed information about the error.

bunyaminatik commented 2 years ago

We have imported the certificate when we set token to true. But we have another issue now. The key IDs and the x509 ID do not match. Because of that, another key is also imported into the card, but the public key already exists. Can we specify the key of the imported cert before import?

[screenshot]

microshine commented 2 years ago

Can we specify the key of imported Cert before import?

It's impossible. I think we should improve our node-webcrypto-p11 module and make it possible to find the existing public key (if it exists) and reuse its ID. The only way to link keys with the certificate is comparing public keys.

https://github.com/PeculiarVentures/node-webcrypto-p11/blob/master/src/certs/x509.ts#L59-L67

sanawershoukat commented 2 years ago

I tried to make changes in the x509.ts file, but it seems hashSPKI is undefined, as I printed the console info.

I also tried to provide the hardcoded value of the public key ID that I get from the console logs, but still that didn't work. [screenshot: pubKeyID]

I also tried to get the keyID from the CryptoKey class by passing the publicKey.p11Object, but still it didn't work. [screenshot]

I hope I get the solution soon.