alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

Support for PKCS#11 Modules without Certificates #46

Closed rkeene closed 2 years ago

rkeene commented 2 years ago

I have a PKCS#11 module which has objects with CKA_CLASS of CKO_PUBLIC_KEY and CKO_PRIVATE_KEY but not CKO_CERTIFICATE.

I tried to use this with gnupg-pkcs11-scd 0.10.0 but it was not able to find any keys. It called C_FindObjects() looking for objects where CKA_CLASS is set to CKO_CERTIFICATE, but did not look for public keys.

alonbl commented 2 years ago

Hi, the minimum supported setup of PKCS#11 is a certificate in the public area and a private key in the private area. You may create a self-signed certificate in order to make it work; see [1] for more information. Regards,

[1] https://github.com/OpenSC/libp11

rkeene commented 2 years ago

Hi. I'm not sure what you mean by that. The PKCS#11 module I wrote only exports a CKO_PUBLIC_KEY and CKO_PRIVATE_KEY and is compliant with PKCS#11 v2.20.

The link you provided didn't explain anything further -- what was I supposed to see there?

alonbl commented 2 years ago

The PKCS#11 spec is very flexible, almost everything is optional, and it is very hard to understand what is "compliant"; there are more best practices than compliance tests.

Please add support for CKO_CERTIFICATE and load a self-signed certificate with the public key. The CKO_PUBLIC_KEY is optional and not used in this configuration.

rkeene commented 2 years ago

What does gnupg-pkcs11-scd use from the CKO_CERTIFICATE beyond the public key?

alonbl commented 2 years ago

Regardless of the fact that gnupg-pkcs11-scd supports both gpg and gpgsm.

I already replied: the best-practice MVP for a PKCS#11 provider is a private key in the private section and an X.509 certificate in the public section; this is how pkcs11-helper is implemented and hence the minimum requirement for gnupg-pkcs11-scd.

Rationale:

  1. a public key which is not signed is worth very little
  2. an X.509 certificate has the public key embedded
  3. as the device has limited storage, there is no need to store both the certificate (which is required for X.509 operations) and the public key

rkeene commented 2 years ago

My question was regarding what attributes do I need to put into the certificate I generate for gnupg-pkcs11-scd to be able to use it.

I updated my PKCS#11 module to generate X.509v3 certificates from the public key -- initially without a valid signature, assuming gnupg-pkcs11-scd wasn't going to check the signature (and creating a valid signature is more work on the backing HSM). This did not work.

I've just updated it to produce a valid signature, and still gnupg-pkcs11-scd does not appear to see it.

Certificate generated:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 48 (0x30)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Dummy
        Validity
            Not Before: Jan  1 00:00:00 2022 GMT
            Not After : Jan  1 00:00:00 2042 GMT
        Subject: CN = Dummy
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:94:55:97:56:d0:04:a0:22:1d:c8:eb:49:79:f0:
                    57:2c:b7:04:6f:b1:9e:3a:9e:17:88:1c:b2:76:1a:
                    cd:b2:54:1c:e3:db:2f:a0:68:94:9a:5d:57:f8:74:
                    4f:47:3e:78:be:87:7f:35:b8:90:3b:f1:a3:58:51:
                    b6:b5:6d:e2:56
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:46:02:21:00:a7:b8:0e:45:66:91:ec:5a:b0:ab:f4:12:0a:
        63:df:9d:c1:4a:0a:a5:b7:aa:27:b5:17:56:1d:a7:11:52:ff:
        be:02:21:00:9b:c2:a7:f1:3f:20:22:c3:2e:bd:07:8c:61:89:
        3e:2e:c8:61:01:d6:2e:c4:a5:27:6c:c3:10:bd:23:dc:98:3a
-----BEGIN CERTIFICATE-----
MIIBJjCBzKADAgECAgEwMAoGCCqGSM49BAMCMBAxDjAMBgNVBAMMBUR1bW15MCIY
DzIwMjIwMTAxMDAwMDAwWhgPMjA0MjAxMDEwMDAwMDBaMBAxDjAMBgNVBAMMBUR1
bW15MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElFWXVtAEoCIdyOtJefBXLLcE
b7GeOp4XiByydhrNslQc49svoGiUml1X+HRPRz54vod/NbiQO/GjWFG2tW3iVqMT
MBEwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEAp7gORWaR7Fqw
q/QSCmPfncFKCqW3qie1F1YdpxFS/74CIQCbwqfxPyAiwy69B4xhiT4uyGEB1i7E
pSdswxC9I9yYOg==
-----END CERTIFICATE-----

Output from gpg-agent:

OK Pleased to meet you
RELOADAGENT
gpg-agent[3745896]: SIGHUP received - re-reading configuration and flushing cache
gpg-agent[3745896]: reading options from '/home/rkeene/.gnupg/gpg-agent.conf'
OK
SCD LEARN
gnupg-pkcs11-scd[3745913.2586269504]: Listening to socket '/tmp/gnupg-pkcs11-scd.DSuMEs/agent.S'
gnupg-pkcs11-scd[3745913.2586269504]: accepting connection
gnupg-pkcs11-scd[3745913]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[3745913.2586269504]: processing connection
gnupg-pkcs11-scd[3745913]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[3745913]: chan_0 -> D /tmp/gnupg-pkcs11-scd.DSuMEs/agent.S
gnupg-pkcs11-scd[3745913]: chan_0 -> OK
gnupg-pkcs11-scd[3745913]: chan_0 <- LEARN
gnupg-pkcs11-scd[3745913]: chan_0 -> S SERIALNO D2760001240111503131B7DD41D51111
gnupg-pkcs11-scd[3745913]: chan_0 -> S APPTYPE PKCS11
S SERIALNO D2760001240111503131B7DD41D51111
S APPTYPE PKCS11
gnupg-pkcs11-scd[3745913]: chan_0 -> OK
OK
gnupg-pkcs11-scd[3745913]: chan_0 <- RESTART
gnupg-pkcs11-scd[3745913]: chan_0 -> OK
gnupg-pkcs11-scd[3745913]: chan_0 <- [eof]
gnupg-pkcs11-scd[3745913.2586269504]: post-processing connection
gnupg-pkcs11-scd[3745913.2586269504]: accepting connection
gnupg-pkcs11-scd[3745913.2586269504]: cleanup connection
gnupg-pkcs11-scd[3745913.2586269504]: Terminating

I can confirm it is fetching data from my PKCS#11 module:

C_OpenSession(): Returning CKR_OK (0)
C_FindObjectsInit(): Called.
C_FindObjectsInit(): Returning CKR_OK (0)
C_FindObjects(): Called.
C_FindObjects(): Processing identity:0
C_FindObjects():   Checking for attribute 0x00000000 (CKO_CLASS) in identity:0...
C_FindObjects():     Value looking for:  (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00}) (CKA_CERTIFICATE)
C_FindObjects():     ... found matching type ...
C_FindObjects():     ... our value:  (curr_id->attributes[sess_attr_idx].pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():        ... found exact match
C_FindObjects():   ... All 1 attributes checked for found, adding identity:0 to returned list
C_FindObjects(): Processing identity:1
C_FindObjects():   Checking for attribute 0x00000000 in identity:1...
C_FindObjects():     Value looking for:  (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():     ... found matching type ...
C_FindObjects():     ... our value:  (curr_id->attributes[sess_attr_idx].pValue/8 = {02, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():   ... Not all 1 (only found 0) attributes checked for found, not adding identity:1
C_FindObjects(): Processing identity:2
C_FindObjects():   Checking for attribute 0x00000000 in identity:2...
C_FindObjects():     Value looking for:  (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():     ... found matching type ...
C_FindObjects():     ... our value:  (curr_id->attributes[sess_attr_idx].pValue/8 = {03, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():   ... Not all 1 (only found 0) attributes checked for found, not adding identity:2
C_FindObjects(): Returning CKR_OK (0), num objects = 1
C_FindObjects(): Called.
C_FindObjects(): Returning CKR_OK (0), num objects = 0
C_FindObjectsFinal(): Called.
...
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (CKA_ID) (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x5556b397da30, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (CKA_VALUE) (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x5556b397d8d0, ulValueLen = 298 <- This is the certificate 
C_GetAttributeValue(): Returning CKR_OK (0)

FWIW, the particular device I am using does not support storing certificates, only key pairs.

alonbl commented 2 years ago

The pairing between certificate object and private key object is done using the CKA_ID attribute, both should have the same value.

In the LEARN command I can see that no objects were returned that meet CKO_CERTIFICATE.

rkeene commented 2 years ago

For every object with objectclass CKO_CERTIFICATE there is a CKO_PRIVATE_KEY object (and also CKO_PUBLIC_KEY object) that has the same CKA_ID value. Those are the above identity:1 (CKO_PUBLIC_KEY) and identity:2 (CKO_PRIVATE_KEY).

gnupg-pkcs11-scd didn't search for this, it only searched for objects where CKA_CLASS is 0x1 (CKO_CERTIFICATE). It then read the CKA_ID and CKA_VALUE from that object, and did nothing else. Full log follows.

For all 3 objects, the value of CKA_ID is the following 2 bytes: 00 01

Here are all 3 objects (but again, gnupg-pkcs11-scd did not search for anything other than certificates):

  Object Info (object 1):
    [1]            CKA_CLASS: 01 00 00 00 00 00 00 00 ;; 0x55c6a05b9030/8
    [1]            CKA_TOKEN: 01 ;; 0x55c6a05b9050/1
    [1]            CKA_LABEL: RSK
    [1]          CKA_PRIVATE: (not found)
    [1]               CKA_ID: 00 01 ;; 0x55c6a05b9090/2
    [1]    CKA_SERIAL_NUMBER: 02 01 30 ;; 0x55c6a05b90b0/3
    [1]          CKA_SUBJECT: \x30\x10\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x0c\x05\x44\x75\x6d\x6d\x79 ;; 0x55c6a05b90d0/18
    [1]           CKA_ISSUER: \x30\x10\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x0c\x05\x44\x75\x6d\x6d\x79 ;; 0x55c6a05b90f0/18
    [1]          CKA_PRIVATE: (not found)
    [1] CKA_CERTIFICATE_TYPE: 00 00 00 00 00 00 00 00 ;; 0x55c6a05b9110/8
    [1]         CKA_KEY_TYPE: (not found)
    [1]             CKA_SIGN: 00 ;; 0x55c6a05b9130/1
    [1]            CKA_VALUE: 0x55c6a05b83f0/297
  Object Info (object 2):
    [2]            CKA_CLASS: 02 00 00 00 00 00 00 00 ;; 0x55c6a05b90f0/8
    [2]            CKA_TOKEN: 01 ;; 0x55c6a05b90d0/1
    [2]            CKA_LABEL: RSK
    [2]          CKA_PRIVATE: (not found)
    [2]               CKA_ID: 00 01 ;; 0x55c6a05b9090/2
    [2]    CKA_SERIAL_NUMBER: (not found)
    [2]          CKA_SUBJECT: (not found)
    [2]           CKA_ISSUER: (not found)
    [2]          CKA_PRIVATE: (not found)
    [2] CKA_CERTIFICATE_TYPE: (not found)
    [2]         CKA_KEY_TYPE: 03 00 00 00 00 00 00 00 ;; 0x55c6a05b9070/8
    [2]             CKA_SIGN: 00 ;; 0x55c6a05b9050/1
    [2]            CKA_VALUE: 0x55c6a05b9150/72
  Object Info (object 3):
    [3]            CKA_CLASS: 03 00 00 00 00 00 00 00 ;; 0x55c6a05b9050/8
    [3]            CKA_TOKEN: 01 ;; 0x55c6a05b9070/1
    [3]            CKA_LABEL: RSK
    [3]          CKA_PRIVATE: (not found)
    [3]               CKA_ID: 00 01 ;; 0x55c6a05b90b0/2
    [3]    CKA_SERIAL_NUMBER: (not found)
    [3]          CKA_SUBJECT: (not found)
    [3]           CKA_ISSUER: (not found)
    [3]          CKA_PRIVATE: (not found)
    [3] CKA_CERTIFICATE_TYPE: (not found)
    [3]         CKA_KEY_TYPE: 03 00 00 00 00 00 00 00 ;; 0x55c6a05b90d0/8
    [3]             CKA_SIGN: 01 ;; 0x55c6a05b90f0/1
    [3]            CKA_VALUE: (not found)

Here is the full log of things gnupg-pkcs11-scd did with the PKCS#11 module:

$ gpg-agent --server gpg-connect-agent 
OK Pleased to meet you
RELOADAGENT
gpg-agent[3746094]: SIGHUP received - re-reading configuration and flushing cache
gpg-agent[3746094]: reading options from '/home/rkeene/.gnupg/gpg-agent.conf'
OK
SCD LEARN
C_GetFunctionList(): Called.
C_GetFunctionList(): Returning CKR_OK (0)
C_Initialize(): Called.
C_Initialize(): Returning CKR_OK (0)
C_GetInfo(): Called.
C_GetInfo(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3746095.2285307712]: Listening to socket '/tmp/gnupg-pkcs11-scd.fpQcX7/agent.S'
gnupg-pkcs11-scd[3746095.2285307712]: accepting connection
gnupg-pkcs11-scd[3746095]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[3746095.2285307712]: processing connection
gnupg-pkcs11-scd[3746095]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[3746095]: chan_0 -> D /tmp/gnupg-pkcs11-scd.fpQcX7/agent.S
gnupg-pkcs11-scd[3746095]: chan_0 -> OK
gnupg-pkcs11-scd[3746095]: chan_0 <- LEARN
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetTokenInfo(): Called.
C_GetTokenInfo(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3746095]: chan_0 -> S SERIALNO D2760001240111503131B7DD41D51111
gnupg-pkcs11-scd[3746095]: chan_0 -> S APPTYPE PKCS11
S SERIALNO D2760001240111503131B7DD41D51111C_GetSlotList(): 
Called.
S APPTYPE PKCS11
C_GetSlotList(): Returning CKR_OK (0)
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetTokenInfo(): Called.
C_GetTokenInfo(): EcDSA NIST P-256 Key  (key/65 = {04, 94, 55, 97, 56, d0, 04, a0, 22, 1d, c8, eb, 49, 79, f0, 57, 2c, b7, 04, 6f, b1, 9e, 3a, 9e, 17, 88, 1c, b2, 76, 1a, cd, b2, 54, 1c, e3, db, 2f, a0, 68, 94, 9a, 5d, 57, f8, 74, 4f, 47, 3e, 78, be, 87, 7f, 35, b8, 90, 3b, f1, a3, 58, 51, b6, b5, 6d, e2, 56})
C_GetTokenInfo(): DER encoded Key:  (der_encoded_key/72 = {30, 46, 02, 21, 00, 94, 55, 97, 56, d0, 04, a0, 22, 1d, c8, eb, 49, 79, f0, 57, 2c, b7, 04, 6f, b1, 9e, 3a, 9e, 17, 88, 1c, b2, 76, 1a, cd, b2, 54, 02, 21, 00, 54, 1c, e3, db, 2f, a0, 68, 94, 9a, 5d, 57, f8, 74, 4f, 47, 3e, 78, be, 87, 7f, 35, b8, 90, 3b, f1, a3, 58, 51, b6, b5, 6d, e2})
C_GetTokenInfo(): Returning CKR_OK (0)
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetTokenInfo(): Called.
C_GetTokenInfo(): EcDSA NIST P-256 Key  (key/65 = {04, 94, 55, 97, 56, d0, 04, a0, 22, 1d, c8, eb, 49, 79, f0, 57, 2c, b7, 04, 6f, b1, 9e, 3a, 9e, 17, 88, 1c, b2, 76, 1a, cd, b2, 54, 1c, e3, db, 2f, a0, 68, 94, 9a, 5d, 57, f8, 74, 4f, 47, 3e, 78, be, 87, 7f, 35, b8, 90, 3b, f1, a3, 58, 51, b6, b5, 6d, e2, 56})
C_GetTokenInfo(): DER encoded Key:  (der_encoded_key/72 = {30, 46, 02, 21, 00, 94, 55, 97, 56, d0, 04, a0, 22, 1d, c8, eb, 49, 79, f0, 57, 2c, b7, 04, 6f, b1, 9e, 3a, 9e, 17, 88, 1c, b2, 76, 1a, cd, b2, 54, 02, 21, 00, 54, 1c, e3, db, 2f, a0, 68, 94, 9a, 5d, 57, f8, 74, 4f, 47, 3e, 78, be, 87, 7f, 35, b8, 90, 3b, f1, a3, 58, 51, b6, b5, 6d, e2})
C_GetTokenInfo(): Returning CKR_OK (0)
C_OpenSession(): Called.
C_OpenSession(): Returning CKR_OK (0)
C_FindObjectsInit(): Called.
C_FindObjectsInit(): Returning CKR_OK (0)
C_FindObjects(): Called.
C_FindObjects(): Processing identity:0
C_FindObjects():   Checking for attribute 0x00000000 in identity:0...
C_FindObjects():     Value looking for:  (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():     ... found matching type ...
C_FindObjects():     ... our value:  (curr_id->attributes[sess_attr_idx].pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():        ... found exact match
C_FindObjects():   ... All 1 attributes checked for found, adding identity:0 to returned list
C_FindObjects(): Processing identity:1
C_FindObjects():   Checking for attribute 0x00000000 in identity:1...
C_FindObjects():     Value looking for:  (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():     ... found matching type ...
C_FindObjects():     ... our value:  (curr_id->attributes[sess_attr_idx].pValue/8 = {02, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():   ... Not all 1 (only found 0) attributes checked for found, not adding identity:1
C_FindObjects(): Processing identity:2
C_FindObjects():   Checking for attribute 0x00000000 in identity:2...
C_FindObjects():     Value looking for:  (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():     ... found matching type ...
C_FindObjects():     ... our value:  (curr_id->attributes[sess_attr_idx].pValue/8 = {03, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects():   ... Not all 1 (only found 0) attributes checked for found, not adding identity:2
C_FindObjects(): Returning CKR_OK (0), num objects = 1
C_FindObjects(): Called.
C_FindObjects(): Returning CKR_OK (0), num objects = 0
C_FindObjectsFinal(): Called.
C_FindObjectsFinal(): Returning CKR_OK (0)
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x5556b397da30, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x5556b397d8d0, ulValueLen = 298
C_GetAttributeValue(): Returning CKR_OK (0)
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x5556b397da30, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x5556b397d8d0, ulValueLen = 298
C_GetAttributeValue(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3746095]: chan_0 -> OK
OK

^Cgnupg-pkcs11-scd[3746095]: chan_0 <- [error: Bad file descriptor]
gnupg-pkcs11-scd[3746095.2285307712]: assuan_process failed: Bad file descriptor
gnupg-pkcs11-scd[3746095.2285307712]: post-processing connection
gnupg-pkcs11-scd[3746095.2285307712]: accepting connection
gnupg-pkcs11-scd[3746095.2285307712]: cleanup connection
gnupg-pkcs11-scd[3746095.2285307712]: Terminating
gnupg-pkcs11-scd[3746095.2285135424]: Thread command terminate
gnupg-pkcs11-scd[3746095.2285135424]: Cleaning up threads

C_Finalize(): Called.
C_CloseSession(): Called.
C_CloseSession(): 
C_CloseSession(): Returning CKR_OK (0)
C_Finalize(): Returning CKR_OK (0)

alonbl commented 2 years ago

Hi,

The private key object usage is deferred as much as possible so that the user is asked for the PIN only when a private key operation is performed. It is expected that all certificates are enumerated out of the public area, for each certificate which is supported (RSA). You will see more information if you put the following in the gnupg-pkcs11-scd configuration:

log-file /tmp/gpk.log
verbose
debug-all

Please understand this is working for many providers; please try to find what's wrong with the implementation you wrote.

Thanks,

rkeene commented 2 years ago

I don't think there's anything wrong with the PKCS#11 module I've implemented, and there doesn't seem to be anything you've described that it's doing incorrectly. I think the issue is on the gnupg-pkcs11-scd side.

Per https://github.com/alonbl/gnupg-pkcs11-scd/issues/17#issuecomment-1003440957 EC certificates are also supported (which I am using, as noted above), yet you only mentioned RSA. Is there a reason for that?

Enabling those logs does not help any.

$ gpg-agent --server gpg-connect-agent
...
SCD LEARN
...
C_FindObjectsFinal(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0x564c40f85d00, object=1, attrs=0x7fff740803c0, count=2
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x564c40f7f040, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x564c40f7eee0, ulValueLen = 297
C_GetAttributeValue(): Returning CKR_OK (0)
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x564c40f7f040, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (identity:0) ...
C_GetAttributeValue():  ... found it, pValue = 0x564c40f7eee0, ulValueLen = 297
C_GetAttributeValue(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7fff74080398
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x564c40f7ff60
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x564c40f7ff60 form=0x564c40f7e140
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x564c40f80390
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0x564c40f7ff60
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x564c40fd6420, ptr=(nil), ad=0x564c40fd6460, idx=1, argl=0, argp=0x7fc598bc1ac3
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/CN=Dummy on RSK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7fff740803c0, count=2
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_release entry session=0x564c40f85d00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x564c40f7dca0
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x564c40f7ff08 form=0x564c40f7ff60
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x564c40f7dc80
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0x564c40f7ff00, p_cert_id_issuers_list=0x7fff740805a8, p_cert_id_end_list=0x7fff740805a0
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x564c40fd6558 form=0x564c40f7dc80
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x564c40fd7c00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x564c40f7ff00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x564c40f7dc80
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x564c40fd7790
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0x564c40fd7c00, user_data=0x564c40f7c6a0, mask_prompt=00000007, pin_cache_period=-1, p_certificate=0x7fff74080478
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x564c40fd76b0 form=0x564c40fd7c00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x564c40fd7790
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x564c40f7dc80, p_session=0x564c40fd76c8
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: Using cached session
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x564c40f85d00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x564c40fd76b0
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x564c40fd76b0, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x564c40fd76b0, certificate_blob=0x564c40fd7340, *p_certificate_blob_size=0000000000000129
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x564c40fd76b0
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_release entry session=0x564c40f85d00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x564c40fd7790
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x564c40f7dc80
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificate return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x564c40fd62b0, ptr=(nil), ad=0x564c40fd62f0, idx=1, argl=0, argp=0x7fc598bc1ac3
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x564c40fd6550
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x564c40fd7c00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x564c40fd8030
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[3760148]: chan_0 -> OK

alonbl commented 2 years ago

gnupg-pkcs11-scd does not support EC

rkeene commented 2 years ago

Thanks for the update. I'll add support for it.

Shouldn't this be documented somewhere other than an issue that was closed as completed with a comment saying it works in v0.9.3?

Should work with gnupg-pkcs11-scd-0.9.3

alonbl closed this as completed on Dec 31, 2021

alonbl commented 2 years ago

#17 fixed an issue which caused the entire certificate enumeration process to fail because of the existence of one or more EC certificates.

Patches are more than welcome.

Closing this one.

rkeene commented 2 years ago

Note to future readers: even though this issue is "closed as completed", it is not completed -- certificates are still required.