ThalesGroup / pycryptoki

Python interface to SafeNet's PKCS11 library implementation
Apache License 2.0

Trying to sign a binary Cert with a private key on HSM (CKR_DATA_LEN_RANGE Error) #25

Closed Quietghost closed 3 years ago

Quietghost commented 3 years ago

Hi,

I am currently trying to use the c_sign method to sign a binary certificate with a private key stored on a Luna HSM with the following code:

from pycryptoki.session_management import (c_initialize_ex, c_finalize_ex,
                                           c_open_session_ex, c_close_session_ex,
                                           login_ex)
from pycryptoki.object_attr_lookup import c_find_objects_ex
from pycryptoki.defines import (CKM_AES_KEY_GEN,
                                CKA_LABEL,
                                CKA_ENCRYPT,
                                CKA_DECRYPT,
                                CKA_TOKEN,
                                CKA_CLASS,
                                CKA_KEY_TYPE,
                                CKK_AES,
                                CKO_SECRET_KEY,
                                CKA_SENSITIVE,
                                CKA_WRAP,
                                CKA_UNWRAP,
                                CKA_DERIVE,
                                CKA_VALUE_LEN,
                                CKA_EXTRACTABLE,
                                CKA_PRIVATE,
                                CKM_RSA_PKCS)
from pycryptoki.encryption import c_decrypt_ex
from pycryptoki.conversions import to_bin, to_bytestring, from_bin, from_bytestring
from pycryptoki.mechanism import Mechanism
from pycryptoki.sign_verify import c_sign_ex
import logging

logging.basicConfig(level=logging.DEBUG)

# Read the DER-encoded certificate as raw bytes; this is the data handed to C_Sign.
with open('DSC-abn.der', 'rb') as file:
    raw_data = file.read()

print(raw_data)

c_initialize_ex()
session = c_open_session_ex(0)      # 0 = slot number
login_ex(session, 0, 'myKey')       # slot 0, 'myKey' = token password

template = {CKA_LABEL: b"my_label"}

keys = c_find_objects_ex(session, template, 1)
nbup_key = keys.pop(0)  # Use the first key found.

# Raw PKCS#1 v1.5 signing: the HSM does no hashing, so the whole DER blob is the input.
mechanism = Mechanism(mech_type=CKM_RSA_PKCS)

#list_data = from_bin(raw_data)

retcode, signed_data = c_sign_ex(session, nbup_key, raw_data, mechanism, output_buffer=None)

print(retcode, signed_data)

c_close_session_ex(session)
c_finalize_ex()

But I get the following error and I cannot solve it and cannot find any clue in the official documentation:

INFO:pycryptoki.session_management:Initializing Cryptoki Library
WARNING:pycryptoki.cryptoki.helpers:No DLL Path or Chyrstoki.conf path set in defaults.py looking up DLL path in /etc/Chrystoki.conf
DEBUG:pycryptoki.cryptoki.helpers:Searching /etc/Chrystoki.conf for Chrystoki DLL path...
INFO:pycryptoki.cryptoki.helpers:Using DLL at location: /usr/lib/libCryptoki2_64.so
DEBUG:pycryptoki.cryptoki.helpers:Cryptoki call: C_Initialize(None)
DEBUG:pycryptoki.exceptions:Call to c_initialize returned CKR_OK (0x0)
DEBUG:pycryptoki.cryptoki.helpers:Cryptoki call: C_OpenSession(c_ulong(0), c_ulong(6), c_void_p(140590178565736), <CFunctionType object at 0x7fddb1608818>, <pycryptoki.cryptoki.c_defs.LP_c_ulong object at 0x7fddb1611510>)
INFO:pycryptoki.session_management:C_OpenSession: Opening Session. slot=0
DEBUG:pycryptoki.exceptions:Call to c_open_session returned CKR_OK (0x0)
INFO:pycryptoki.session_management:C_Login: user_type=1, slot=0, password=***
DEBUG:pycryptoki.cryptoki.helpers:Cryptoki call: C_Login(1, c_ulong(1), <pycryptoki.cryptoki.c_defs.LP_c_ubyte object at 0x7fddb1611488>, c_ulong(19))
DEBUG:pycryptoki.exceptions:Call to login returned CKR_OK (0x0)
DEBUG:pycryptoki.cryptoki.helpers:Cryptoki call: C_FindObjectsInit(1, <pycryptoki.attributes.CK_ATTRIBUTE_Array_1 object at 0x7fddb1611268>, c_ulong(1))
DEBUG:pycryptoki.cryptoki.helpers:Cryptoki call: C_FindObjects(1, <pycryptoki.object_attr_lookup.c_ulong_Array_1 object at 0x7fddb1611510>, c_ulong(1), <cparam 'P' (0x7fddb16115e8)>)
DEBUG:pycryptoki.cryptoki.helpers:Cryptoki call: C_FindObjectsFinal(1)
DEBUG:pycryptoki.exceptions:Call to c_find_objects returned CKR_OK (0x0)
DEBUG:pycryptoki.cryptoki.helpers:Cryptoki call: C_SignInit(1, <cparam 'P' (0x7fddb1a492b8)>, c_ulong(93))
DEBUG:pycryptoki.cryptoki.helpers:Cryptoki call: C_Sign(1, <pycryptoki.cryptoki.c_defs.LP_c_ubyte object at 0x7fddb1611730>, c_ulong(2054), None, <pycryptoki.cryptoki.c_defs.LP_c_ulong object at 0x7fddb1611950>)
DEBUG:pycryptoki.exceptions:Call to c_sign returned CKR_DATA_LEN_RANGE (0x21)
Traceback (most recent call last):
  File "sign.py", line 48, in <module>
    retcode, signed_data = c_sign_ex(session, nbup_key, raw_data  , mechanism, output_buffer=None)
  File "/usr/lib/python3.6/site-packages/pycryptoki/exceptions.py", line 81, in luna_function_exception_handle
    check_luna_exception(ret, luna_function, args, kwargs)
  File "/usr/lib/python3.6/site-packages/pycryptoki/exceptions.py", line 131, in check_luna_exception
    raise LunaCallException(ret, luna_function.__name__, arg_string)
pycryptoki.exceptions.LunaCallException: 
    Function: c_sign
    Error: CKR_DATA_LEN_RANGE
    Error Code: 0x21
    Arguments:
        h_session: 1
        h_key: 93
        data_to_sign: 30820802308205eaa003[...]72be674692f76905be32
    mechanism: 
        NullMech(mech_type: CKM_RSA_PKCS)
        output_buffer: None

Can you help me or point me in the correct direction?

Thanks.

astraw38 commented 3 years ago

I assume your key size is 2048?

CKM_RSA_PKCS has an input size limit of k-11 (where k is the modulus size of your key in bytes -- 2048/8).

You most likely want to use a hash-and-sign mechanism (like CKM_SHA512_RSA_PKCS_PSS), or hash your data before attempting to sign it.
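As an added illustration of the size limit described above (not code from the issue or from pycryptoki), a pure-Python helper that reproduces the k-11 check behind CKR_DATA_LEN_RANGE and builds the PKCS#1 v1.5 DigestInfo that CKM_RSA_PKCS expects when the data is hashed first; the 2054-byte sample input is constructed to match the length in the log, and the key is assumed to be 2048 bits.

```python
import hashlib

# Standard DER DigestInfo prefixes (RFC 8017, section 9.2, note 1); the raw digest follows.
DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def max_rsa_pkcs_input(modulus_bits: int) -> int:
    """Largest input CKM_RSA_PKCS accepts: k - 11 bytes, k = modulus length in bytes.
    The 11 bytes are the PKCS#1 v1.5 padding: 0x00 0x01, at least 8 bytes of 0xFF, 0x00."""
    return modulus_bits // 8 - 11


def fits_rsa_pkcs(data: bytes, modulus_bits: int) -> bool:
    """True if C_Sign with CKM_RSA_PKCS would accept `data` instead of CKR_DATA_LEN_RANGE."""
    return len(data) <= max_rsa_pkcs_input(modulus_bits)


def pkcs1_digest_info(data: bytes, hash_name: str = "sha256") -> bytes:
    """Hash-then-sign input for CKM_RSA_PKCS: DigestInfo(hash OID, H(data)).
    Signing this with CKM_RSA_PKCS yields the same signature CKM_SHA256_RSA_PKCS
    (etc.) produces when the HSM hashes internally, so standard verifiers accept it."""
    if hash_name not in DIGEST_INFO_PREFIX:
        raise ValueError(f"unsupported hash: {hash_name}")
    return DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, data).digest()


if __name__ == "__main__":
    # Constructed stand-in for the 2054-byte DER certificate seen in the log (not the real file).
    cert_der = b"\x30\x82\x08\x02" + b"\xaa" * 2050
    limit = max_rsa_pkcs_input(2048)
    print(f"2048-bit key: limit {limit} bytes, input {len(cert_der)} bytes, "
          f"fits={fits_rsa_pkcs(cert_der, 2048)}")
    digest_info = pkcs1_digest_info(cert_der, "sha256")
    print(f"DigestInfo(SHA-256): {len(digest_info)} bytes, fits={fits_rsa_pkcs(digest_info, 2048)}")
```

With a 2048-bit key the raw certificate exceeds the 245-byte limit, while the 51-byte SHA-256 DigestInfo fits comfortably.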