PeculiarVentures / fortify

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the desktop application repository.
https://fortifyapp.com

Accessing SafeNet eToken 5110+ CC (940B) results in CKR_FUNCTION_FAILED #566

Open casusbelli opened 9 months ago

casusbelli commented 9 months ago

Hi! I'm trying to use Fortify to run a certificate installation using a SafeNet eToken 5110+ CC (940B). When accessing the token, prior to opening the token password dialogue, Fortify fails and reports CKR_FUNCTION_FAILED in the log. As this is a very generic error, how can I find out what the issue is? Logfile:

{"level":"info","message":"Logging status changed","source":"logging","timestamp":"2024-01-30T13:38:28.033Z","value":true}
{"level":"error","message":"Server event error","source":"server","timestamp":"2024-01-30T13:39:35.741Z"}
{"level":"info","message":"Closing open disposable windows","origin":"https://system.globalsign.com:55826","source":"server","timestamp":"2024-01-30T13:39:35.742Z"}
{"description":"","event":"close","level":"info","message":"Close session","reasonCode":1001,"remoteAddress":"https://system.globalsign.com:55826","source":"server","timestamp":"2024-01-30T13:39:35.743Z"}
{"level":"error","message":"Server event error","source":"server","timestamp":"2024-01-30T13:39:44.328Z"}
{"level":"info","message":"Closing open disposable windows","origin":"https://tools.fortifyapp.com:51110","source":"server","timestamp":"2024-01-30T13:39:44.329Z"}
{"description":"","event":"close","level":"info","message":"Close session","reasonCode":1001,"remoteAddress":"https://tools.fortifyapp.com:51110","source":"server","timestamp":"2024-01-30T13:39:44.330Z"}
{"level":"info","message":"Create a new connection","origin":"https://system.globalsign.com","source":"server","timestamp":"2024-01-30T13:40:41.563Z"}
{"level":"info","message":"Push session to stack","origin":"https://system.globalsign.com","source":"server","timestamp":"2024-01-30T13:40:41.564Z"}
{"level":"warn","message":"Cannot parse MessageSignedProtocol","source":"server","timestamp":"2024-01-30T13:40:41.616Z"}
{"authorized":true,"level":"info","message":"Initialize secure session","origin":"https://system.globalsign.com","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:41.655Z"}
{"action":"server/isLoggedIn","level":"info","message":"Run action","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:41.665Z"}
{"action":"provider/action/info","level":"info","message":"Run action","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:41.698Z"}
{"action":"provider/action/getCrypto","level":"info","message":"Run action","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:46.922Z"}
{"action":"crypto/isLoggedIn","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:46.949Z"}
{"crypto":"SafeNet 5110 (940 B) ","level":"info","message":"crypto/isLoggedIn","source":"server-api","timestamp":"2024-01-30T13:40:46.950Z"}
{"action":"crypto/subtle/generateKey","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:46.978Z"}
{"algorithm":{"hash":"SHA-256","name":"RSASSA-PKCS1-V1_5","sensitive":false,"token":false},"crypto":"SafeNet 5110 (940 B) ","extractable":false,"kyUsages":["sign","verify"],"level":"info","message":"generateKey","source":"server-api","timestamp":"2024-01-30T13:40:46.980Z"}
{"action":"crypto/subtle/exportKey","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:48.585Z"}
{"crypto":"SafeNet 5110 (940 B) ","format":"spki","key":{"algorithm":{"hash":"SHA-256","label":"RSA","name":"RSASSA-PKCS1-v1_5","sensitive":false,"token":false},"extractable":true,"id":"36761d25a43bc20867c44dd7c6ac6709","type":"public","usages":["verify"]},"level":"info","message":"exportKey","source":"server-api","timestamp":"2024-01-30T13:40:48.587Z"}
{"action":"crypto/subtle/sign","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:48.626Z"}
{"algorithm":{"hash":"SHA-256","name":"RSASSA-PKCS1-v1_5"},"crypto":"SafeNet 5110 (940 B) ","key":{"algorithm":{"hash":"SHA-256","label":"RSA","name":"RSASSA-PKCS1-v1_5","sensitive":false,"token":false},"extractable":false,"id":"36761d25a43bc20867c44dd7c6ac6709","type":"private","usages":["sign"]},"level":"info","message":"sign","source":"server-api","timestamp":"2024-01-30T13:40:48.628Z"}
{"action":"crypto/certificateStorage/import","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:48.685Z"}
{"algorithm":{"hash":"SHA-256","name":"RSASSA-PKCS1-V1_5"},"crypto":"SafeNet 5110 (940 B) ","format":"raw","keyUsages":["sign","verify"],"level":"info","message":"certStorage/importCert","source":"server-api","timestamp":"2024-01-30T13:40:48.687Z"}
{"action":"crypto/keyStorage/setItem","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:48.730Z"}
{"crypto":"SafeNet 5110 (940 B) ","key":{"algorithm":{"hash":"SHA-256","label":"RSA","name":"RSASSA-PKCS1-v1_5","sensitive":false,"token":false},"extractable":false,"id":"36761d25a43bc20867c44dd7c6ac6709","type":"private","usages":["sign"]},"level":"info","message":"keyStorage/setItem","source":"server-api","timestamp":"2024-01-30T13:40:48.732Z"}
{"error":"CKR_FUNCTION_FAILED","level":"error","message":"Server event error","source":"server","timestamp":"2024-01-30T13:40:48.779Z"}

microshine commented 9 months ago

The issue might stem from the SafeNet eToken 5110+ CC (940B) not supporting key creation through the C_CopyObject, which is employed by the crypto/keyStorage/setItem method. Try setting the token: true flag for the key algorithm during its generation. This will enable key generation on the token without the use of C_CopyObject.

await crypto.subtle.generateKey({...alg, token: true, sensitive: true}, false, ["sign", "verify"])

This example facilitates the invocation of C_GenerateKeyPair and sets values for the CKA_TOKEN and CKA_SENSITIVE keys.
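
Added example (not part of the thread and not Fortify's own code): a Node.js script that addresses the original question for a log of this shape by pairing each coded error with the last `Run action` entry before it, and flags the sequence described in the reply above, a key generated with `token:false` that is then stored through `crypto/keyStorage/setItem`. The sample entries are constructed by trimming the log in this issue; the names `splitJsonObjects` and `triage` are hypothetical.

```javascript
// Added example. SAMPLE_LOG is constructed: four entries trimmed from the log in this issue.
const SAMPLE_LOG = [
  '{"action":"crypto/subtle/generateKey","level":"info","message":"Run action","timestamp":"2024-01-30T13:40:46.978Z"}',
  '{"algorithm":{"name":"RSASSA-PKCS1-V1_5","sensitive":false,"token":false},"level":"info","message":"generateKey","timestamp":"2024-01-30T13:40:46.980Z"}',
  '{"action":"crypto/keyStorage/setItem","level":"info","message":"Run action","timestamp":"2024-01-30T13:40:48.730Z"}',
  '{"error":"CKR_FUNCTION_FAILED","level":"error","message":"Server event error","timestamp":"2024-01-30T13:40:48.779Z"}',
].join(" "); // the log is a run of concatenated objects, not a JSON array

// Split concatenated JSON objects by tracking brace depth outside string literals.
function splitJsonObjects(text) {
  const out = [];
  let depth = 0, start = -1, inString = false, escaped = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === "\\") escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === "{") { if (depth++ === 0) start = i; }
    else if (ch === "}" && depth > 0 && --depth === 0) {
      try { out.push(JSON.parse(text.slice(start, i + 1))); } catch { /* skip damaged entry */ }
    }
  }
  return out;
}

// Report every error entry that carries a code, with the action that preceded it.
function triage(text) {
  const findings = [];
  let lastAction = null, nonTokenKey = false;
  for (const e of splitJsonObjects(text)) {
    if (e.message === "Run action") lastAction = e.action;
    if (e.message === "generateKey" && e.algorithm) nonTokenKey = e.algorithm.token !== true;
    if (e.level === "error" && e.error) {
      // Sequence from the reply above: session key (token:false) persisted via setItem.
      const sessionKeyStoredOnToken = nonTokenKey && lastAction === "crypto/keyStorage/setItem";
      findings.push({ error: e.error, timestamp: e.timestamp, lastAction, sessionKeyStoredOnToken });
    }
  }
  return findings;
}

console.log(triage(SAMPLE_LOG));
```
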

casusbelli commented 9 months ago

Thanks for the feedback. In the meantime I was able to access the token with fortifyapp default settings in a freshly set up Windows 11 VM. So this issue seems to be related to Windows 10 or some other aspect of a system which has been around quite a while and has lots of tool installations. The immediate issue is solved for me, therefore. Anything interesting I can collect for this, still?