alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

Cannot sign, asks PIN-code, but no success #45

Open savely-krasovsky opened 2 years ago

savely-krasovsky commented 2 years ago

My problem is similar to #25. It allows me to enter pin 5 times but with no success, cannot sign anything...

gpg-agent.conf:

scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-gnome3

(tried various pinentries)

gnupg-pkcs11-scd.conf:

providers pkcs11
provider-pkcs11-library /usr/lib/opensc-pkcs11.so

log-file ~/.gnupg/gnupg-pkcs11-scd.log
verbose
debug-all

It seems like I use the correct versions from the Arch Linux community repo.

$ pacman -Q pkcs11-helper gnupg-pkcs11-scd
pkcs11-helper 1.29.0-1
gnupg-pkcs11-scd 0.10.0-1

pkcs11-helper seems to be dynamically linked:

ldd /usr/bin/gnupg-pkcs11-scd
    ...
    libpkcs11-helper.so.1 => /usr/lib/libpkcs11-helper.so.1
    ...

gnupg-pkcs11-scd.log: https://gist.github.com/L11R/448a10648259f1b78fde2a0f0544a4f1

alonbl commented 2 years ago

Hi,

This is the weird thing:

gnupg-pkcs11-scd[7199.1976341312]: PKCS#11: __pkcs11h_certificate_doPrivateOperation op rv=32
gnupg-pkcs11-scd[7199.1976341312]: PKCS#11: __pkcs11h_certificate_doPrivateOperation return rv=32-'CKR_DATA_INVALID', *p_target_size=0000000000000100
gnupg-pkcs11-scd[7199.1976341312]: PKCS#11: pkcs11h_certificate_sign return rv=32-'CKR_DATA_INVALID', *p_target_size=0000000000000100

For piv_II/PKCS\x2315\x20emulated/463f1fbe5e803789/\xD0\x9A\xD1\x80\xD0\xB0\xD1\x81\xD0\xBE\xD0\xB2\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9\x20\xD0\xA1\xD0\xB0\xD0\xB2\xD0\xB5\x2E\x2E\x2E/SIGN_key.

The only place CKR_DATA_INVALID is returned in yubico-piv-tool is in ykcs11/openssl_utils.c::do_strip_DER_encoding_from_ECSIG:

  if(BN_bn2bin_fixed(x, data, sig_len / 2) <= 0) {
    rv = CKR_DATA_INVALID;
    goto strip_der_cleanup;
  }

  if(BN_bn2bin_fixed(y, data + sig_len / 2, sig_len / 2) <= 0) {
    rv = CKR_DATA_INVALID;
    goto strip_der_cleanup;
  }

Which is called when YKPIV_ALGO_ECCP384, but we do not support ECC, how come it reached this type of key?

Can you please confirm that your certificate and key are of ECC?

Thanks, Alon

savely-krasovsky commented 2 years ago

@alonbl hm, no, I use RSA2048 key!

alonbl commented 2 years ago

Please start over with a clean gnupg home, show exactly how you edit the keys and the version of gnupg.

savely-krasovsky commented 2 years ago

@alonbl So I:

  1. Removed everything from ~/.gnupg except gnupg-pkcs11-scd.conf, gpg-agent.conf and trustlist.txt
  2. Imported cert from PIV slot 9c to gpgsm: pkcs11-tool -r --type cert -d 02 | gpgsm --import
  3. gpgsm -K
    Output
    gpgsm -K
    /home/savely/.gnupg/pubring.kbx
    -------------------------------
              ID: 0xC65527BF
             S/N: 7C0015DC524D63ED8C4C97453600000015DC52
           (dec): 2765299843404999686984638424547328786517318738
          Issuer: /CN=WHQ-SUBCA01/DC=sovcombank/DC=group
         Subject: /CN=Красовский Савелий Игоревич/OU=kzn/OU=uk/OU=Users/OU=SCB/EMail=krasovskiisi@sovcombank.ru/DC=sovcombank/DC=group
             aka: krasovskiisi@sovcombank.ru
        validity: 2022-08-08 07:50:19 through 2023-08-08 07:50:19
        key type: 2048 bit RSA
       key usage: digitalSignature keyEncipherment
    ext key usage: clientAuth (suggested), emailProtection (suggested), 1.3.6.1.4.1.311.10.3.4 (suggested)
     fingerprint: BD:CC:F3:12:24:A5:49:85:E9:F6:B3:E0:69:6B:AA:77:C6:55:27:BF
        sha2 fpr: 5A:D1:7B:3B:74:BF:71:BD:FE:0C:F2:2B:C1:FD:BD:D4:7E:7D:98:77:90:AD:A7:03:B7:8C:D2:20:35:EB:57:1D
        card s/n: D2760001240111503131F1CE8DF71111
    
  4. echo "test" | LANG=en gpgsm -s (and it asked for the PIN only once, but I tried a few times)
    Output
    gpgsm: Note: non-critical certificate policy not allowed
    gpgsm: Note: non-critical certificate policy not allowed
    gpgsm: DBG: adding certificates at level -2
    gpgsm: error creating signature: Card error 
    
  5. gnupg-pkcs11-scd.log: https://gist.github.com/L11R/554ba7122534455fa846b7167f21738f

gpg --version
gpg (GnuPG) 2.2.38

savely-krasovsky commented 2 years ago

But I got the same behavior (asking for the PIN 5 times before the error) after doing this:

  1. gpgconf --kill all
  2. gpg-agent --server gpg-connect-agent << EOF
    RELOADAGENT
    EOF

    https://gist.github.com/L11R/0c20ddddce5a8d678ae0ca94dea002f1

alonbl commented 2 years ago

Different error now:

gnupg-pkcs11-scd[2560.1227113280]: PKCS#11: key_prompt/pin_prompt hook return rv=0
gnupg-pkcs11-scd[2560.1227113280]: PKCS#11: _pkcs11h_session_login_context C_Login rv=48-'CKR_DEVICE_ERROR'
gnupg-pkcs11-scd[2560.1227113280]: PKCS#11: _pkcs11h_session_login_context return rv=48-'CKR_DEVICE_ERROR'
gnupg-pkcs11-scd[2560.1227113280]: PKCS#11: _pkcs11h_session_login return rv=48-'CKR_DEVICE_ERROR'

Probably a permission problem or pcscd is down.

alonbl commented 2 years ago

Can you please check the yubikey PKCS#11 Provider instead of opensc?

savely-krasovsky commented 2 years ago

@alonbl pcscd worked as it should. Switching to YKCS#11 from aur/yubico-piv-tool package helped! Strange, because in other cases opensc was enough.

alonbl commented 2 years ago

On Sat, 3 Sep 2022 at 20:43 Savely Krasovsky wrote:

> @alonbl pcscd worked as it should. Switching to YKCS#11 from aur/yubico-piv-tool package helped! Strange, because in other cases opensc was enough.

Ok, this is probably a bug(s) in opensc. I cannot explain the device error in login. I cannot explain the data error in sign.
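
Added example, not part of the thread or of the gnupg-pkcs11-scd project: a Python triage script for the debug log format quoted above. It reports the first failing call per process and whether C_Login failed with a rejected PIN or a device-level error. It assumes the first number in the bracket identifies the process; the sample joins log lines quoted in the comments.

```python
import re
from collections import Counter

# Return values from the PKCS#11 specification, in decimal as the log prints them.
CKR = {0: "CKR_OK", 32: "CKR_DATA_INVALID", 48: "CKR_DEVICE_ERROR",
       160: "CKR_PIN_INCORRECT", 164: "CKR_PIN_LOCKED"}

# Assumption: "[7199.1976341312]" is "<process>.<thread>".
LINE = re.compile(
    r"^gnupg-pkcs11-scd\[(?P<proc>\d+)\.\d+\]: PKCS#11: "
    r"(?P<func>\S+) (?P<detail>.*?)rv=(?P<rv>\d+)(?:-'(?P<name>CKR_\w+)')?")

# Sample input: log lines quoted in the thread, joined into one string.
SAMPLE_LOG = """\
gnupg-pkcs11-scd[7199.1976341312]: PKCS#11: __pkcs11h_certificate_doPrivateOperation op rv=32
gnupg-pkcs11-scd[7199.1976341312]: PKCS#11: __pkcs11h_certificate_doPrivateOperation return rv=32-'CKR_DATA_INVALID', *p_target_size=0000000000000100
gnupg-pkcs11-scd[7199.1976341312]: PKCS#11: pkcs11h_certificate_sign return rv=32-'CKR_DATA_INVALID', *p_target_size=0000000000000100
gnupg-pkcs11-scd[2560.1227113280]: PKCS#11: key_prompt/pin_prompt hook return rv=0
gnupg-pkcs11-scd[2560.1227113280]: PKCS#11: _pkcs11h_session_login_context C_Login rv=48-'CKR_DEVICE_ERROR'
"""

def parse_events(text):
    """Return one dict per PKCS#11 log line that carries a return value."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rv = int(m["rv"])
            events.append({"proc": int(m["proc"]), "func": m["func"],
                           "detail": m["detail"].strip(), "rv": rv,
                           "name": m["name"] or CKR.get(rv, "unknown")})
    return events

def first_failure(events):
    """Map each process to its first logged non-zero rv (where the error surfaced)."""
    out = {}
    for e in (e for e in events if e["rv"] != 0):
        out.setdefault(e["proc"], e)
    return out

def login_results(events):
    """Count C_Login outcomes: a rejected PIN and a device fault need different fixes."""
    return Counter(e["name"] for e in events if "C_Login" in e["detail"])

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for proc, e in first_failure(evs).items():
        print(proc, e["func"], e["detail"], e["name"])
    print(dict(login_results(evs)))
```
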