pyauth / python-pkcs11

PKCS#11/Cryptoki support for Python
MIT License

Error getting objects in Centos8 #103

Open SantiagoAndresHurtado opened 3 years ago

SantiagoAndresHurtado commented 3 years ago

Hi!

OS: Centos 8.2.2004
Library version: python-pkcs11(0.7.0)
Python version: python3.8

I'm trying to read a certificate from my token (epass2003) but I get this error:

Traceback (most recent call last):
  File "test.py", line 131, in <module>
    signer('aGFzaCBzaGEyNTY=', 'qwerty123456', 1)
  File "test.py", line 109, in signer
    for obj in session.get_objects(attrs=None):
  File "pkcs11/_pkcs11.pyx", line 322, in pkcs11._pkcs11.SearchIter.__next__
  File "pkcs11/_pkcs11.pyx", line 678, in pkcs11._pkcs11.Object._make
  File "pkcs11/_pkcs11.pyx", line 733, in pkcs11._pkcs11.Object.__getitem__
  File "pkcs11/_utils.pyx", line 35, in pkcs11._pkcs11._unpack_attributes
  File "/usr/local/lib64/python3.6/site-packages/pkcs11/defaults.py", line 132, in <lambda>
    lambda v: type_(unpack(v)))
  File "/usr/lib64/python3.6/enum.py", line 293, in __call__
    return cls.__new__(cls, value)
  File "/usr/lib64/python3.6/enum.py", line 535, in __new__
    return cls._missing_(value)
  File "/usr/lib64/python3.6/enum.py", line 548, in _missing_
    raise ValueError("%r is not a valid %s" % (value, cls.__name__))
ValueError: 94390496264193 is not a valid ObjectClass

If I execute the same code in Ubuntu flavour it works fine!

librarylibcastle.zip

danni commented 3 years ago

It sounds like there's some mismatch in the type of something. What compiler toolchain are you using on what architecture? What pkcs#11 library?

SantiagoAndresHurtado commented 3 years ago

Hi!

I am not really sure what a toolchain is, but I give you some information that can be useful.

Command executed: yum list installed | grep gcc

gcc.x86_64 8.3.1-5.el8.0.2 @AppStream
gcc-c++.x86_64 8.3.1-5.el8.0.2 @AppStream
libgcc.x86_64 8.3.1-5.el8.0.2 @anaconda

OS: Centos 8.2.2004
Architecture: x86_64
Kernel: 4.18.0-193.19.1.el8_2.x86_64
Processor: Intel(R) Xeon(R) Bronze 3106 CPU @ 1.70GHz
Library version: python-pkcs11(0.7.0)
Python version: python3.8
gcc version: 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)

.so library: librarylibcastle.zip

Thanks for your help!

danni commented 3 years ago

Do you have the complete build log?

SantiagoAndresHurtado commented 3 years ago

How can I get it?

I downloaded the repo and installed it with:

python3 setup.py build > output.txt

In the console, the following appears:

warning: pkcs11/_pkcs11.pyx:237:70: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:608:63: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:634:51: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:674:64: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:921:56: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:965:74: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:975:67: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:1012:55: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:1056:74: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:1066:67: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:1102:52: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:1143:65: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:1235:59: Use boundscheck(False) for faster access
warning: pkcs11/_pkcs11.pyx:1496:64: Use boundscheck(False) for faster access

And in the log file (output.txt):

running build
running build_py
creating build
creating build/lib.linux-x86_64-3.6
creating build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/__init__.py -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/constants.py -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/defaults.py -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/exceptions.py -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/mechanisms.py -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/types.py -> build/lib.linux-x86_64-3.6/pkcs11
creating build/lib.linux-x86_64-3.6/pkcs11/util
copying pkcs11/util/__init__.py -> build/lib.linux-x86_64-3.6/pkcs11/util
copying pkcs11/util/dh.py -> build/lib.linux-x86_64-3.6/pkcs11/util
copying pkcs11/util/dsa.py -> build/lib.linux-x86_64-3.6/pkcs11/util
copying pkcs11/util/ec.py -> build/lib.linux-x86_64-3.6/pkcs11/util
copying pkcs11/util/rsa.py -> build/lib.linux-x86_64-3.6/pkcs11/util
copying pkcs11/util/x509.py -> build/lib.linux-x86_64-3.6/pkcs11/util
running egg_info
creating python_pkcs11.egg-info
writing python_pkcs11.egg-info/PKG-INFO
writing dependency_links to python_pkcs11.egg-info/dependency_links.txt
writing requirements to python_pkcs11.egg-info/requires.txt
writing top-level names to python_pkcs11.egg-info/top_level.txt
writing manifest file 'python_pkcs11.egg-info/SOURCES.txt'
cythoning pkcs11/_pkcs11.pyx to pkcs11/_pkcs11.c
writing manifest file 'python_pkcs11.egg-info/SOURCES.txt'
copying pkcs11/_errors.pyx -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/_mswin.pxd -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/_pkcs11.c -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/_pkcs11.pyx -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/_pkcs11_defn.pxd -> build/lib.linux-x86_64-3.6/pkcs11
copying pkcs11/_utils.pyx -> build/lib.linux-x86_64-3.6/pkcs11
running build_ext
building 'pkcs11._pkcs11' extension
creating build/temp.linux-x86_64-3.6
creating build/temp.linux-x86_64-3.6/pkcs11
gcc -pthread -Wno-unused-result -Wsign-compare -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python3.6m -c pkcs11/_pkcs11.c -o build/temp.linux-x86_64-3.6/pkcs11/_pkcs11.o
gcc -pthread -shared -Wl,-z,relro -Wl,-z,now -g build/temp.linux-x86_64-3.6/pkcs11/_pkcs11.o -L/usr/lib64 -lpython3.6m -o build/lib.linux-x86_64-3.6/pkcs11/_pkcs11.cpython-36m-x86_64-linux-gnu.so

Thanks!

danni commented 3 years ago

Okay, I think this is the same bug as https://github.com/danni/python-pkcs11/issues/70 but maybe in a different place. The epass lib doesn't set the higher bytes of the value, just the lower bytes, and so we're relying on what's in the stack.

Add some debugging around line 744 of _pkcs11.pyx and see what value is before we send it to the HSM. I'm guessing it hasn't been zeroed correctly.
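
Added illustration (not part of the thread, and not python-pkcs11's own code): splitting the number from the traceback shows its lower 32 bits are 1, the standard CKO_CERTIFICATE value, with non-zero upper bytes, which fits the explanation above that only the lower bytes were written. The token function, the 8-byte little-endian CK_ULONG layout and the stale-byte pattern are constructed assumptions; the sketch compares decoding an uncleared buffer with a zeroed one and with decoding only the returned length.

```python
import enum
import struct

class ObjectClass(enum.IntEnum):
    """Subset of the standard PKCS#11 CKO_* object classes."""
    DATA = 0
    CERTIFICATE = 1
    PUBLIC_KEY = 2
    PRIVATE_KEY = 3
    SECRET_KEY = 4

REPORTED = 94390496264193  # value from the ValueError in the traceback
# Constructed leftover bytes standing in for whatever was in memory before.
STALE = struct.pack("<Q", 0x000055D9DEADBEEF)

def split_ck_ulong(value):
    """Split a 64-bit CK_ULONG into (upper 32 bits, lower 32 bits)."""
    return value >> 32, value & 0xFFFFFFFF

def token_get_class(buf, object_class):
    """Hypothetical token module: stores CKA_CLASS as 4 bytes, returns the length."""
    struct.pack_into("<I", buf, 0, int(object_class))
    return 4

def read_class(stale, zero_first):
    """Caller side: hand the token an 8-byte buffer, then decode it two ways."""
    buf = bytearray(stale)
    if zero_first:
        buf[:] = bytes(len(buf))  # clear the buffer before the call
    written = token_get_class(buf, ObjectClass.CERTIFICATE)
    whole = struct.unpack("<Q", bytes(buf))[0]           # trusts all 8 bytes
    by_length = int.from_bytes(buf[:written], "little")  # trusts the returned length
    return whole, by_length

if __name__ == "__main__":
    high, low = split_ck_ulong(REPORTED)
    print(f"reported: high={high:#x} low={low} -> {ObjectClass(low).name}")
    for zero_first in (False, True):
        whole, by_length = read_class(STALE, zero_first)
        print(f"zero_first={zero_first}: whole={whole} by_length={by_length}")
```
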

SantiagoAndresHurtado commented 3 years ago

Hi!

I made some debug:

__make Object_class does not appear in console

_getitem_ key is equal to 0

__setitem__ key and value do not appear in console

If I execute the same code in Ubuntu Server 20.04 instead of Centos 8.2.2004 it works well. Could the error be something else instead of the library?