search

PeculiarVentures / graphene

A simple layer for interacting with PKCS #11 / PKCS11 / CryptoKI for Node in TypeScript. (Keywords: Javascript, PKCS#11, Crypto, Smart Card, HSM)
MIT License
167 stars 34 forks source link

Sign/Verify example error #84

Open yurikilian opened 7 years ago

yurikilian commented 7 years ago

Hi,

I'm using a SafeSign SmartCard (/usr/lib/libaetpkss.so.3) to test the lib using the Signing/Verifying example (https://github.com/PeculiarVentures/graphene#signing--verifying) but not getting success.

Always the verify returns false.

Is that a problem? How can I get more debug information? I'm normally using the SmartCard in another applications...

Thanks

microshine commented 7 years ago

Which mechanism do you use for signing and verifying? Could you share source code of signing and verifying?

yurikilian commented 7 years ago

Yes, of course, is the same as the example except the lib that I'm loading. See below:


var graphene = require("graphene-pk11");
var Module = graphene.Module;

var lib = "/usr/lib/libaetpkss.so.3";

var mod = Module.load(lib, "SafeSign");
mod.initialize();

var slot = mod.getSlots(0);
if (slot.flags & graphene.SlotFlag.TOKEN_PRESENT) {
    var session = slot.open();
    session.login("MyPassword");

    // generate RSA key pair
    var keys = session.generateKeyPair(graphene.KeyGenMechanism.RSA, {
        keyType: graphene.KeyType.RSA,
        modulusBits: 1024,
        publicExponent: new Buffer([3]),
        token: false,
        verify: true,
        encrypt: true,
        wrap: true
    }, {
        keyType: graphene.KeyType.RSA,
        token: false,
        sign: true,
        decrypt: true,
        unwrap: true
    });

    // sign content
    var sign = session.createSign("SHA1_RSA_PKCS", keys.privateKey);
    sign.update("simple text 1");
    sign.update("simple text 2");
    var signature = sign.final();
    console.log("Signature RSA-SHA1:", signature.toString("hex"));
    // verify content
    var verify = session.createVerify("SHA1_RSA_PKCS", keys.publicKey);
    verify.update("simple text 1");
    verify.update("simple text 2");
    var verify_result = verify.final(signature);
    //At this point, the result is FALSE
    console.log("Signature RSA-SHA1 verify:", verify_result);

    session.logout();
    session.close();
}
else {
    console.error("Slot is not initialized");
}

mod.finalize();

Thanks

microshine commented 7 years ago

it's interesting. I checked code you sent me with SoftHSM and pvpkcs11. It works for me image

Could you try to use once instead of update/final?

microshine commented 7 years ago 
var data = 'simple text 1';
data += 'simple text 2';

// sign content
var sign = session.createSign('SHA1_RSA_PKCS', keys.privateKey);
var signature = sign.once(data);
console.log('Signature RSA-SHA1:', signature.toString('hex'));
// verify content
var verify = session.createVerify('SHA1_RSA_PKCS', keys.publicKey);
var verifyResult = verify.once(data, signature);
// At this point, the result is FALSE
console.log('Signature RSA-SHA1 verify:', verifyResult);
yurikilian commented 7 years ago

No success :/ 

 // sign content
    var sign = session.createSign("SHA1_RSA_PKCS", keys.privateKey);
    var data = 'simple text 1';
    data += 'simple text 2';
    var signature = sign.once(data);

    console.log("Signature RSA-SHA1:", signature.toString("hex"));
    // verify content
    var verify = session.createVerify("SHA1_RSA_PKCS", keys.publicKey);
    var verify_result = verify.once(data, signature);
    //At this point, the result is FALSE
    console.log("Signature RSA-SHA1 verify:", verify_result);
microshine commented 7 years ago

Could you print private data from you token, signature value and list of supported algorithms?

You need to update generation template too

// generate RSA key pair
  var keys = session.generateKeyPair(graphene.KeyGenMechanism.RSA, {
    keyType: graphene.KeyType.RSA,
    modulusBits: 1024,
    publicExponent: Buffer.from([1,0,1]),
    verify: true,
    encrypt: true,
    wrap: true,
    token: false,
}, {
    keyType: graphene.KeyType.RSA,
    token: false,
    sign: true,
    decrypt: true,
    unwrap: true,
    token: false,
    private: false,
    sensitive: false,
    extractable: true,
  });
// Print keys data
console.log("Private key");
console.log(keys.privateKey.getAttribute("publicExponent").toString("base64"));
console.log(keys.privateKey.getAttribute("modulus").toString("base64"));
console.log(keys.privateKey.getAttribute("privateExponent").toString("base64"));
console.log(keys.privateKey.getAttribute("prime1").toString("base64"));
console.log(keys.privateKey.getAttribute("prime2").toString("base64"));
console.log(keys.privateKey.getAttribute("exp1").toString("base64"));
console.log(keys.privateKey.getAttribute("exp2").toString("base64"));
console.log(keys.privateKey.getAttribute("coefficient").toString("base64"));
console.log("Public key");
console.log(keys.publicKey.getAttribute("publicExponent").toString("base64"));
console.log(keys.publicKey.getAttribute("modulus").toString("base64"));
// List of mechanisms
const mechs =  slot.getMechanisms();
for (var i=0; i< mechs.length; i++){
    var mech = mechs.items(i);
    console.log(mech.name);
}
microshine commented 7 years ago

I've got SafeNet iKey 2032. It works for me too

image

renatodantas commented 6 years ago

I was having the same experience of @yurikilian, but after change this line: publicExponent: new Buffer([3]), to: publicExponent: Buffer.from([1,0,1]), the verifier starts to return true. I think that solved the problem.

Is this Buffer value resolves all situations or I should expect something different based on any parameter?

BTW, congrats for the API, it's amazing.