-
Notifications
You must be signed in to change notification settings - Fork 709
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Smartcard-HSM --keypairgen results in PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5) #2947
Comments
Looks like an issue with the Identiv driver. There is no need to install the Identiv driver, as the token is natively supported by libccid. Please uninstall the driver and try again. |
Ok so I've removed the identiv driver, and it seems to be giving the same error. Ran with this command: OPENSC_DEBUG=9 pkcs11-tool --module /usr/lib/pkcs11-spy.so --login --pin -k --id 01 --key-type EC:prime256v1 opensc: https://gist.github.com/senortestamarck/a5f84cecb6480f4496f503229e9f6391 Could it be an issue with udev or libusb? I noticed this line: usb:04e6/5816:libudev:0:/dev/bus/usb/001/014 -- was looking through some other issue output it had something like :libusb-1.0: instead of :libudev: |
A few things: Was there a pin on the above command line? Do you need to use the PKCS11 CKU_SO (Security Officer) pin to generate the key? In opensc log:
The time from start of card to generate the key until failed was 1.691 seconds. Failure w 0x80100016 https://pcsclite.apdu.fr/api/group__ErrorCodes.html#gab02a33c2ef61f12a851dfe85c575d7cc PCSC log shows:
So this could be a timing problem with USB or some problem on the token. |
Thanks for your reply. Yes you are correct about the pin. I've also tried with the --so-pin option and it results in a not logged in error:
|
Switched the card to another USB bus, and key commands are now working. Closing the issue. |
Problem Description
The card is initialized, but when attempting to generate a keypair it fails with the following error:
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)
We are using pcsc-lite with the Linux driver downloaded from the manufacturer here: https://support.identiv.com/utrust-token-standard/
The OS on the machine is RHEL 7.4
Proposed Resolution
Generate keypair on HSM Smartcard with key-type EC:prime256v1
Steps to reproduce
OPENSC_DEBUG=9 pkcs11-tool --module /usr/lib/pkcs11-spy.so -vvvvvvvvv --login --pin -k --id 01 --key-type EC:prime256v1
Logs
opensc log: https://gist.github.com/senortestamarck/be56663f2cb09d8adad0b0e5c27acd94
pcscd: https://gist.github.com/senortestamarck/8153fd91bf5f7d21baabbb4fedcbe192
pkcs11-spy: https://gist.github.com/senortestamarck/6302e94a49a691580e09755624f95529
The text was updated successfully, but these errors were encountered: