
Smartcard-HSM --keypairgen results in PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5) #2947

Closed
senortestamarck opened this issue Nov 29, 2023 · 5 comments

Comments

@senortestamarck

Problem Description

The card is initialized, but when attempting to generate a keypair it fails with the following error:

error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)

We are using pcsc-lite with the Linux driver downloaded from the manufacturer here: https://support.identiv.com/utrust-token-standard/

The OS on the machine is RHEL 7.4

Proposed Resolution

Generate keypair on HSM Smartcard with key-type EC:prime256v1

Steps to reproduce

OPENSC_DEBUG=9 pkcs11-tool --module /usr/lib/pkcs11-spy.so -vvvvvvvvv --login --pin -k --id 01 --key-type EC:prime256v1

Logs

Linux96(root)> pcscd --version
pcsc-lite version 2.0.0.
Copyright (C) 1999-2002 by David Corcoran <corcoran@musclecard.com>.
Copyright (C) 2001-2022 by Ludovic Rousseau <ludovic.rousseau@free.fr>.
Copyright (C) 2003-2004 by Damien Sauveron <sauveron@labri.fr>.
Report bugs to <pcsclite-muscle@lists.infradead.org>.
Enabled features: Linux x86_64-unknown-linux-gnu libsystemd serial usb libudev usbdropdir=/usr/local/lib/pcsc/drivers ipcdir=/run/pcscd filter configdir=/usr/local/etc/reader.conf.d
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16
> pkcs11-tool -L
Available slots:
Slot 0 (0x0): Identiv uTrust 3512 SAM slot Token [CCID Interface] (55512030...
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.5
  serial num         : DECC0900154
  pin min/max        : 6/15

opensc log: https://gist.github.com/senortestamarck/be56663f2cb09d8adad0b0e5c27acd94

pcscd: https://gist.github.com/senortestamarck/8153fd91bf5f7d21baabbb4fedcbe192

pkcs11-spy: https://gist.github.com/senortestamarck/6302e94a49a691580e09755624f95529

@CardContact
Member

Looks like an issue with the Identiv driver.

There is no need to install the Identiv driver, as the token is natively supported by libccid.

Please uninstall the driver and try again.

@senortestamarck
Author

Ok so I've removed the identiv driver, and it seems to be giving the same error. Ran with this command:

OPENSC_DEBUG=9 pkcs11-tool --module /usr/lib/pkcs11-spy.so --login --pin -k --id 01 --key-type EC:prime256v1

opensc: https://gist.github.com/senortestamarck/a5f84cecb6480f4496f503229e9f6391
pcscd: https://gist.github.com/senortestamarck/4ba82f8a38a3816925683baffb59d8b7
spy: https://gist.github.com/senortestamarck/eb79f1cedecafd80118f1a74b56e1837

Could it be an issue with udev or libusb? I noticed this line: `usb:04e6/5816:libudev:0:/dev/bus/usb/001/014`. I was looking through some other issue output and it had something like `:libusb-1.0:` instead of `:libudev:`.

@dengert
Member

dengert commented Dec 1, 2023

A few things:
OPENSC_DEBUG=9 pkcs11-tool --module /usr/lib/pkcs11-spy.so --login --pin -k --id 01 --key-type EC:prime256v1

Was there a pin on the above command line?
In the OpenSC log it looks like 000000 which was accepted. 00 20 00 81 06 30 30 30 30 30 30

Do you need to use the PKCS11 CKU_SO (Security Officer) pin to generate the key?
If so, add --pin-type so and set --pin to the SO pin.
Or don't add --pin and respond to the pin prompt.

In opensc log:

P:28170; T:0x140194287458432 17:07:52.372 [opensc-pkcs11] card-sc-hsm.c:1688:sc_hsm_generate_keypair: called
...
P:28170; T:0x140194287458432 17:07:52.372 [opensc-pkcs11] reader-pcsc.c:326:pcsc_transmit: 
Outgoing APDU (265 bytes):
...
P:28170; T:0x140194287458432 17:07: [opensc-pkcs11] reader-pcsc.c:244:pcsc_internal_transmit: called
P:28170; T:0x140194287458432 17:07:54.063 [opensc-pkcs11] reader-pcsc.c:273:pcsc_internal_transmit: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55512030608814) 00 00:SCardTransmit/Control failed: 0x80100016

The time from start of card to generate the key until failed was 1.691 seconds. Failure with 0x80100016: https://pcsclite.apdu.fr/api/group__ErrorCodes.html#gab02a33c2ef61f12a851dfe85c575d7cc

PCSC log shows:

00000003 winscard.c:1591:SCardTransmit() Send Protocol: T=1
00000025 APDU: 00 46 01 00 00 01 00 5F 29 01 00 42 09 55 54 43 41 30 30 30 30 31 7F 49 81 DA 06 0A 04 00 7F 00 07 02 02 02 02 03 81 20 FF FF FF FF 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 82 20 FF FF FF FF 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FC 83 20 5A C6 35 D8 AA 3A 93 E7 B3 EB BD 55 76 98 86 BC 65 1D 06 B0 CC 53 B0 F6 3B CE 3C 3E 27 D2 60 4B 84 41 04 6B 17 D1 F2 E1 2C 42 47 F8 BC E6 E5 63 A4 40 F2 77 03 7D 81 2D EB 33 A0 F4 A1 39 45 D8 98 C2 96 4F E3 42 E2 FE 1A 7F 9B 8E E7 EB 4A 7C 0F 9E 16 2B CE 33 57 6B 31 5E CE CB B6 40 68 37 BF 51 F5 85 20 FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25 51 87 01 01 5F 20 10 44 45 43 43 30 39 30 30 31 35 34 30 30 30 30 31 00 00 
00000004 ifdhandler.c:1408:IFDHTransmitToICC() usb:04e6/5816:libudev:0:/dev/bus/usb/001/014 (lun: 0)
01690931 commands.c:1572:CCID_Receive Card absent or mute
00000014 openct/proto-t1.c:212:t1_transceive() fatal: transmit/receive failed
00000007 SW: 
00000003 ifdwrapper.c:543:IFDTransmit() Card not transacted: 612
00000002 winscard.c:1616:SCardTransmit() Card not transacted: rv=SCARD_E_NOT_TRANSACTED
00000002 winscard.c:1644:SCardTransmit() UnrefReader() count was: 2
00000003 winscard_svc.c:695:ContextThread() TRANSMIT for client 13, rv=SCARD_E_NOT_TRANSACTED

So this could be a timing problem with USB or some problem on the token.
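The pcscd log above records the exact command the token went mute on. The following is an added example for this thread, not code from OpenSC, pcsc-lite or CardContact: it decodes that APDU with a minimal BER-TLV walker to confirm what was being asked of the token (SmartCard-HSM INS 0x46 GENERATE ASYMMETRIC KEY PAIR for key id 01 with explicit domain parameters), matches the parameters against a small table of known curves, and reads the pcscd delta column (microseconds since the previous line) to recover the wait before "Card absent or mute". The APDU hex and the log lines are copied from the post above; the helper names, the curve table and the tag interpretation (0x42 CAR, 0x5F20 CHR, 0x7F49 public-key template with 0x81..0x87 domain parameters) are this example's own assumptions.

```python
"""Decode the SmartCard-HSM key-generation APDU and the pcscd timing from the log.

Added example; not OpenSC, pcsc-lite or CardContact code.  APDU and log lines are
copied from the issue; helper names and the curve table are assumptions.
"""

# Copied from the pcscd log above (winscard.c SCardTransmit line): 265 bytes total.
APDU_HEX = (
    "00 46 01 00 00 01 00 5F 29 01 00 42 09 55 54 43 41 30 30 30 30 31 7F 49 81 DA "
    "06 0A 04 00 7F 00 07 02 02 02 02 03 "
    "81 20 FF FF FF FF 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF "
    "82 20 FF FF FF FF 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FC "
    "83 20 5A C6 35 D8 AA 3A 93 E7 B3 EB BD 55 76 98 86 BC 65 1D 06 B0 CC 53 B0 F6 3B CE 3C 3E 27 D2 60 4B "
    "84 41 04 6B 17 D1 F2 E1 2C 42 47 F8 BC E6 E5 63 A4 40 F2 77 03 7D 81 2D EB 33 A0 F4 A1 39 45 D8 98 C2 96 "
    "4F E3 42 E2 FE 1A 7F 9B 8E E7 EB 4A 7C 0F 9E 16 2B CE 33 57 6B 31 5E CE CB B6 40 68 37 BF 51 F5 "
    "85 20 FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25 51 "
    "87 01 01 5F 20 10 44 45 43 43 30 39 30 30 31 35 34 30 30 30 30 31 00 00"
)

# Copied from the pcscd log above; the first column is microseconds since the previous line.
PCSCD_LINES = [
    "00000004 ifdhandler.c:1408:IFDHTransmitToICC() usb:04e6/5816:libudev:0:/dev/bus/usb/001/014 (lun: 0)",
    "01690931 commands.c:1572:CCID_Receive Card absent or mute",
    "00000014 openct/proto-t1.c:212:t1_transceive() fatal: transmit/receive failed",
    "00000003 ifdwrapper.c:543:IFDTransmit() Card not transacted: 612",
]

# Known-curve table (SEC 2 / FIPS 186 constants); extend with other curves as needed.
P256 = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
KNOWN_CURVES = {
    "prime256v1": dict(
        p=P256, a=P256 - 3,
        b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
        n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
        gx=0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
        gy=0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    ),
}


def split_apdu(apdu: bytes):
    """Return (CLA, INS, P1, P2, command data), handling the extended-length Lc form."""
    cla, ins, p1, p2 = apdu[:4]
    if apdu[4] == 0x00 and len(apdu) > 5:          # extended Lc: 00 Lc1 Lc2
        lc = int.from_bytes(apdu[5:7], "big")
        return cla, ins, p1, p2, apdu[7:7 + lc]
    return cla, ins, p1, p2, apdu[5:5 + apdu[4]]   # short Lc


def parse_tlv(buf: bytes):
    """Minimal BER-TLV walker: multi-byte tags (5F29, 7F49) and 0x81/0x82 long lengths."""
    out, i = [], 0
    while i < len(buf):
        tag = buf[i]; i += 1
        if tag & 0x1F == 0x1F:                       # high tag number: more tag bytes follow
            while True:
                tag = (tag << 8) | buf[i]; i += 1
                if buf[i - 1] & 0x80 == 0:
                    break
        length = buf[i]; i += 1
        if length & 0x80:                            # long form: low bits = number of length bytes
            nbytes = length & 0x7F
            length = int.from_bytes(buf[i:i + nbytes], "big"); i += nbytes
        out.append((tag, buf[i:i + length])); i += length
    return out


def decode_oid(raw: bytes) -> str:
    """Dotted-decimal form of a BER-encoded OID value."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value); value = 0
    return ".".join(map(str, arcs))


def decode_generate_keypair(apdu_hex: str) -> dict:
    """Decode a SmartCard-HSM GENERATE ASYMMETRIC KEY PAIR APDU and name the curve."""
    cla, ins, p1, p2, body = split_apdu(bytes.fromhex(apdu_hex))
    if ins != 0x46:
        raise ValueError(f"INS {ins:02X} is not GENERATE ASYMMETRIC KEY PAIR")
    top = dict(parse_tlv(body))                      # 5F29 CPI, 42 CAR, 7F49 key template, 5F20 CHR
    pk = dict(parse_tlv(top[0x7F49]))                # 06 OID, 81 p, 82 a, 83 b, 84 G, 85 n, 87 h
    p, a, b, n = (int.from_bytes(pk[t], "big") for t in (0x81, 0x82, 0x83, 0x85))
    gx, gy = int.from_bytes(pk[0x84][1:33], "big"), int.from_bytes(pk[0x84][33:], "big")
    curve = next((name for name, c in KNOWN_CURVES.items()
                  if (c["p"], c["a"], c["b"], c["n"], c["gx"], c["gy"]) == (p, a, b, n, gx, gy)),
                 "unknown")
    return {
        "key_id": p1,
        "car": top[0x42].decode("ascii"),
        "chr": top[0x5F20].decode("ascii"),
        "algorithm_oid": decode_oid(pk[0x06]),       # 0.4.0.127.0.7.2.2.2.2.3 = id-TA-ECDSA-SHA-256 (BSI TR-03110)
        "curve": curve,
        "field_bits": p.bit_length(),
    }


def pcscd_first_failure(lines):
    """Return (seconds pcscd waited before the failing line, message) or None."""
    for line in lines:
        delta, _, msg = line.partition(" ")
        if "Card absent or mute" in msg or "Card not transacted" in msg:
            return int(delta) / 1_000_000, msg
    return None


if __name__ == "__main__":
    print(decode_generate_keypair(APDU_HEX))
    print(pcscd_first_failure(PCSCD_LINES))
```

Running this shows the request was for key id 1 on prime256v1 with CAR `UTCA00001` and CHR `DECC090015400001`, and that the reader waited about 1.69 s before reporting the card mute, which matches the 1.691 s gap in the OpenSC timestamps. A well-formed, expected command failing only on transport is what points the diagnosis at the USB path or the token rather than at the request.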

@senortestamarck
Author

senortestamarck commented Dec 4, 2023

Thanks for your reply. Yes, you are correct about the PIN. I've also tried with the --so-pin option and it results in a not-logged-in error:

Linux96(root)> pkcs11-tool --module /usr/lib/pkcs11-spy.so --login --login-type so --so-pin 0000000000000000 -k --id 01 --key-type EC:prime256v1
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)
Aborting.


Linux96(root)> pkcs11-tool --login --login-type so --so-pin 0000000000000000 -O
Using slot 0 with a present token (0x0)
Profile object 22486208
  profile_id:          CKP_PUBLIC_CERTIFICATES_TOKEN (4)

@senortestamarck
Author

Switched the card to another USB bus, and key commands are now working. Closing the issue.
