open-eid / chrome-token-signing

DEPRECATED Chrome and Firefox extension for signing with your eID on the web
https://github.com/open-eid/chrome-token-signing/wiki
GNU Lesser General Public License v2.1

Ubuntu, call to C_Sign is failing (return 7) #113

Closed redosk closed 6 years ago

redosk commented 6 years ago

On Ubuntu, using the official binaries with my Luxtrust signing stick, I can choose the certificate and enter the PIN, then I get the following error:

2018-08-03 13:31:13 [23497] parse() [chrome-host.cpp:61] Message size: 3570
2018-08-03 13:31:13 [23497] parse() [chrome-host.cpp:71] Message (3570): {"type":"SIGN","cert":"","hashtype":"SHA-256","lang":"en","info":"","nonce":"250dmhhh2o3umzas","src":"page.js","origin":"https://personal.url.fr","tab":2918}
2018-08-03 13:31:13 [23497] atrList() [PKCS11Path.cpp:69] found reader: Gemalto USB Shell Token V2 (2F948309) 00 00
2018-08-03 13:31:13 [23497] atrList() [PKCS11Path.cpp:82] Set ATR = 3B7D96000080318065B0830201F383009000 for reader Gemalto USB Shell Token V2 (2F948309) 00 00
2018-08-03 13:31:13 [23497] getPkcs11ModulePath() [PKCS11Path.cpp:165] Unknown ATR '3B7D96000080318065B0830201F383009000' using default module 'opensc-pkcs11.so'
2018-08-03 13:31:13 [23497] C_GetFunctionList() [PKCS11CardManager.h:125] return value 0
2018-08-03 13:31:13 [23497] PKCS11CardManager() [PKCS11CardManager.h:126] initializing module opensc-pkcs11.so
2018-08-03 13:31:15 [23497] C_Initialize() [PKCS11CardManager.h:127] return value 0
2018-08-03 13:31:15 [23497] C_GetSlotList() [PKCS11CardManager.h:154] return value 0
2018-08-03 13:31:15 [23497] tokens() [PKCS11CardManager.h:155] slotCount = 1
2018-08-03 13:31:15 [23497] C_GetSlotList() [PKCS11CardManager.h:157] return value 0
2018-08-03 13:31:15 [23497] C_GetTokenInfo() [PKCS11CardManager.h:164] return value 0
2018-08-03 13:31:15 [23497] C_OpenSession() [PKCS11CardManager.h:170] return value 0
2018-08-03 13:31:15 [23497] C_FindObjectsInit() [PKCS11CardManager.h:88] return value 0
2018-08-03 13:31:15 [23497] C_FindObjects() [PKCS11CardManager.h:91] return value 0
2018-08-03 13:31:15 [23497] C_FindObjectsFinal() [PKCS11CardManager.h:92] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_CloseSession() [PKCS11CardManager.h:188] return value 0
2018-08-03 13:31:18 [23497] C_OpenSession() [PKCS11CardManager.h:197] return value 0
2018-08-03 13:31:18 [23497] C_Login() [PKCS11CardManager.h:198] return value 0
2018-08-03 13:31:18 [23497] C_FindObjectsInit() [PKCS11CardManager.h:88] return value 0
2018-08-03 13:31:18 [23497] C_FindObjects() [PKCS11CardManager.h:91] return value 0
2018-08-03 13:31:18 [23497] C_FindObjectsFinal() [PKCS11CardManager.h:92] return value 0
2018-08-03 13:31:18 [23497] sign() [PKCS11CardManager.h:206] found 1 private keys in slot, using key ID cefc19c0
2018-08-03 13:31:18 [23497] C_GetAttributeValue() [PKCS11CardManager.h:210] return value 0
2018-08-03 13:31:18 [23497] C_SignInit() [PKCS11CardManager.h:213] return value 0
2018-08-03 13:31:18 [23497] C_Sign() [PKCS11CardManager.h:239] return value 0
2018-08-03 13:31:18 [23497] C_Sign() [PKCS11CardManager.h:241] return value 7
2018-08-03 13:31:18 [23497] C_Finalize() [PKCS11CardManager.h:133] return value 0
2018-08-03 13:31:18 [23497] write() [chrome-host.cpp:132] Response(69) { "nonce": "250dmhhh2o3umzas", "result": "technical_error" }

Return 7 from the second call to C_Sign is CKR_ARGUMENTS_BAD, so I don't understand what's wrong... For information, signatureLength after the 1st call to C_Sign is equal to 256.

Here is the output of the demo:

This is sign.html running on Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36
sign() clicked on Fri, 03 Aug 2018 11:40:32 GMT
Signing SHA-256: 413140d54372f9baf481d4c54e2d5c7bcf28fd6087000280e07976121dd54af2
Debug: hwcrypto.js 0.0.13 with Chrome native messaging extension 0.0.29/1.0.7.498
Using certificate:
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
sign() failed: Error: technical_error
metsma commented 6 years ago

Do you use opensc-pkcs11? Can you send the opensc logs?

redosk commented 6 years ago

Here is the log:

0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] pkcs15-sec.c:320:sc_pkcs15_compute_signature: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] pkcs15-sec.c:368:sc_pkcs15_compute_signature: supported algorithm flags 0x8000021A, private key usage 0x20C
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] padding.c:284:sc_get_encoding_flags: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] padding.c:288:sc_get_encoding_flags: iFlags 0x12, card capabilities 0x8000021A
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] padding.c:317:sc_get_encoding_flags: pad flags 0x10, secure algorithm flags 0x2
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] padding.c:318:sc_get_encoding_flags: returning with: 0 (Success)
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] pkcs15-sec.c:419:sc_pkcs15_compute_signature: DEE flags:0x00000012 alg_info->flags:0x8000021a pad:0x00000010 sec:0x00000002
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] padding.c:243:sc_pkcs1_encode: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] padding.c:247:sc_pkcs1_encode: hash algorithm 0x10, pad algorithm 0x0
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] padding.c:266:sc_pkcs1_encode: returning with: 0 (Success)
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] card.c:407:sc_lock: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] sec.c:74:sc_set_security_env: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] card-gemsafeV1.c:435:gemsafe_set_security_env: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] apdu.c:554:sc_transmit_apdu: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] card.c:407:sc_lock: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] apdu.c:521:sc_transmit: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:0, INS:22, P1:41, P2:B6, data(6) 0x7fff5864b5a0
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] reader-pcsc.c:283:pcsc_transmit: reader 'Gemalto USB Shell Token V2 (2F948309) 00 00'
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit: Outgoing APDU (11 bytes): 00 22 41 B6 06 80 01 02 84 01 03 ."A........
0x7feef426d7c0 15:37:27.974 [opensc-pkcs11] reader-pcsc.c:212:pcsc_internal_transmit: called
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] reader-pcsc.c:293:pcsc_transmit: Incoming APDU (2 bytes): 90 00 ..
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] card.c:459:sc_unlock: called
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] sec.c:78:sc_set_security_env: returning with: 0 (Success)
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] sec.c:58:sc_compute_signature: called
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] card-gemsafeV1.c:461:gemsafe_compute_signature: called
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] card-gemsafeV1.c:467:gemsafe_compute_signature: error: input data too long: 51 bytes
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] sec.c:62:sc_compute_signature: returning with: -1300 (Invalid arguments)
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] card.c:459:sc_unlock: called
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] pkcs15-sec.c:454:sc_pkcs15_compute_signature: use_key() failed: -1300 (Invalid arguments)
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] card.c:459:sc_unlock: called
0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] reader-pcsc.c:662:pcsc_unlock: called
0x7feef426d7c0 15:37:27.991 [opensc-pkcs11] framework-pkcs15.c:3743:pkcs15_prkey_sign: Sign complete. Result -1300.
0x7feef426d7c0 15:37:27.991 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1300 (Invalid arguments)
0x7feef426d7c0 15:37:27.991 [opensc-pkcs11] mechanism.c:462:sc_pkcs11_signature_final: returning with: 7
0x7feef426d7c0 15:37:27.991 [opensc-pkcs11] mechanism.c:327:sc_pkcs11_sign_final: returning with: 7
0x7feef426d7c0 15:37:27.991 [opensc-pkcs11] pkcs11-object.c:701:C_Sign: C_Sign() = CKR_ARGUMENTS_BAD
0x7feef426d7c0 15:37:27.992 [opensc-pkcs11] pkcs11-global.c:311:C_Finalize: C_Finalize()
0x7feef426d7c0 15:37:27.992 [opensc-pkcs11] ctx.c:845:sc_cancel: called
0x7feef426d7c0 15:37:27.992 [opensc-pkcs11] reader-pcsc.c:712:pcsc_cancel: called

So the error is here:

0x7feef426d7c0 15:37:27.985 [opensc-pkcs11] card-gemsafeV1.c:467:gemsafe_compute_signature: error: input data too long: 51 bytes

metsma commented 6 years ago

https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-gemsafeV1.c#L463-L469 Can you try to sign with SHA1? It seems like the card does not support a better digest method.

redosk commented 6 years ago

That's right, I can sign SHA1... Thanks !

redosk commented 6 years ago

Hi,

Sorry to re-open, but I can sign SHA-256 using pkcs11-tool:

echo -n "coucou" |pkcs11-tool --slot-index 0 --pin 0000 -s --id 12312313131231 -m SHA256-RSA-PKCS

There is a difference between SHA1 and SHA256 signing using pkcs11-tool:

Monitoring how chrome-token-signing works, it sends the same APDU for SHA1. So I think that it wants to send the ASN.1 headers too for SHA256, leading to the excess of data to sign. Couldn't it send the SHA256 sum as raw data, as pkcs11-tool does?

metsma commented 6 years ago

It is required by the RSA PKCS#1 standard.

redosk commented 6 years ago

In fact there must be an APDU sent by pkcs11-tool before the payload to be signed that tells the smartcard that the data is SHA256, as the signature produced conforms:

redosk commented 6 years ago

The headers of the data signed by pkcs11-tool are equal to the ones used here (https://github.com/open-eid/chrome-token-signing/blob/master/host-shared/PKCS11CardManager.h#L224).

As pkcs11-tool is handling SHA256 correctly and is not aware of the particularities of each smartcard, I think that the correct handling of the SHA256 hash and the correct APDUs are successfully sent because of the parameters passed in the call to C_SignInit. I don't think there are other differences that could explain why opensc-tool is able to sign SHA256 and chrome-token-signing is not. So I will try to compare the parameters sent to C_SignInit from each (I think for pkcs11-tool it happens here: https://github.com/OpenSC/OpenSC/blob/master/src/tools/pkcs11-tool.c#L1795) when I am able to...
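The thread turns on two ways of driving the same RSA PKCS#1 v1.5 signature through PKCS#11: chrome-token-signing hashes in the host, prepends the DER DigestInfo header itself and uses the raw CKM_RSA_PKCS mechanism, so the module and card receive 51 opaque bytes for SHA-256 (15 + 20 = 35 for SHA-1); pkcs11-tool with -m SHA256-RSA-PKCS uses CKM_SHA256_RSA_PKCS, so the module does the hashing, knows which digest it is, and can tell the card driver rather than pushing a pre-built header through it. The script below is an added example (not code from chrome-token-signing, OpenSC or pkcs11-tool) that builds the DigestInfo header from the RFC 8017 OIDs, shows that both mechanism paths end in the identical EMSA-PKCS1-v1_5 encoded message (hence identical signatures for the same key), and models the card-driver length cap as a parameter; the 36-byte value used when calling it is my reading of the card-gemsafeV1.c check linked above, not something the thread states, and the 256-byte modulus length is taken from the signatureLength reported in the first post. Message text is constructed for the demo.

```python
"""DigestInfo and PKCS#1 v1.5 encoding: why a SHA-256 sign request became 51 bytes.

Added example for the discussion above; none of this is project code.
Only hashlib from the standard library is used, no key material is needed,
because the question is about the byte layout handed to the card, not the
modular exponentiation.
"""
import hashlib

# Digest algorithm OIDs from RFC 8017 Appendix B.1 (dotted notation).
HASH_OIDS = {
    "sha1": "1.3.14.3.2.26",
    "sha224": "2.16.840.1.101.3.4.2.4",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def digest_info(hash_name: str, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }.

    This is the 'ASN.1 header' discussed in the thread: 15 bytes for SHA-1,
    19 bytes for SHA-256, placed in front of the raw hash.
    """
    alg_id = der_tlv(0x30, der_oid(HASH_OIDS[hash_name]) + b"\x05\x00")  # NULL parameters
    return der_tlv(0x30, alg_id + der_tlv(0x04, digest))


def digest_info_prefix(hash_name: str) -> bytes:
    """Just the fixed header, the constant an application would hard-code."""
    size = hashlib.new(hash_name).digest_size
    return digest_info(hash_name, b"\x00" * size)[:-size]


def emsa_pkcs1_v15_encode(t: bytes, k: int) -> bytes:
    """RFC 8017 9.2: EM = 0x00 || 0x01 || PS || 0x00 || T, PS = 0xFF * (k - len(T) - 3)."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def path_ckm_rsa_pkcs(hash_name: str, message: bytes, k: int):
    """CKM_RSA_PKCS (chrome-token-signing's approach): the application hashes,
    prepends DigestInfo and hands the module T; the module only pads.
    Returns (bytes the module/card receives, final encoded message)."""
    t = digest_info(hash_name, hashlib.new(hash_name, message).digest())
    return t, emsa_pkcs1_v15_encode(t, k)


def path_ckm_hash_rsa_pkcs(hash_name: str, message: bytes, k: int):
    """CKM_<HASH>_RSA_PKCS (pkcs11-tool -m SHA256-RSA-PKCS): the application
    sends the raw message; the module hashes and therefore knows the digest
    algorithm, so it can pass the bare digest plus an algorithm indicator to
    a card driver that supports that hash instead of an opaque 51-byte blob.
    Returns (bare digest the driver can work with, final encoded message)."""
    digest = hashlib.new(hash_name, message).digest()
    return digest, emsa_pkcs1_v15_encode(digest_info(hash_name, digest), k)


def card_accepts(data: bytes, max_len: int) -> bool:
    """Model of a driver that caps pre-padding input length. The cap is a
    parameter; 36 is an assumption taken from reading card-gemsafeV1.c."""
    return len(data) <= max_len


if __name__ == "__main__":
    msg = b"coucou"  # constructed sample message, same text as the pkcs11-tool command above
    for h in ("sha1", "sha256"):
        t, em = path_ckm_rsa_pkcs(h, msg, 256)
        print(f"{h}: DigestInfo prefix {digest_info_prefix(h).hex()}, T is {len(t)} bytes, "
              f"accepted by a 36-byte cap: {card_accepts(t, 36)}, EM {len(em)} bytes")
    same = path_ckm_rsa_pkcs("sha256", msg, 256)[1] == path_ckm_hash_rsa_pkcs("sha256", msg, 256)[1]
    print("both mechanisms encode to the same EM:", same)
```

Run it as is to see that SHA-1's 35-byte T fits a 36-byte cap while SHA-256's 51-byte T does not, which matches the "input data too long: 51 bytes" line in the posted OpenSC log, and that the two mechanism paths produce byte-identical encoded messages, which is why the pkcs11-tool signature verified fine. The practical consequence for an application is that choosing CKM_SHA256_RSA_PKCS at C_SignInit (when the token advertises it) lets the module pick how the hash reaches the card, whereas CKM_RSA_PKCS commits the caller to the DigestInfo-in-front layout that this particular driver rejects above its length cap.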