You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Not a real issue I suppose (if it were a bug, it would have already been corrected).
This is a kind of an explanation request.
Why pkcs11-tool does not return an error code when a signature verification fails because signature is invalid?
I haven't found anything about return error codes in the wiki.
Without an error returned, usage of pkcs11-tool in scripts is not immediate because requires log parsing to find out if verification step is OK or failed.
Proposed Resolution
Return an error code for "algorithm" errors (but I could be wrong, because this could be the intended behavior)
Steps to reproduce
# signature OK
$ pkcs11-tool --verify --id ddccbbaa -m ECDSA-SHA1 -i testfile --signature-file testfile.sig
Using slot 0 with a present token (0x1)
Using signature algorithm ECDSA-SHA1
Signature is valid
# return value 0
$ echo$?
0
# now I deliberately pass a wrong signature (generated with another key) to obtain the signature error
$ pkcs11-tool --verify --id ddccbbaa -m ECDSA-SHA1 -i testfile --signature-file testfile.sig2
Using slot 0 with a present token (0x1)
Using signature algorithm ECDSA-SHA1
PKCS11:ERROR: sss_asymmetric_verify_digest Failed...
Invalid signature
# but the return value is 0, like after a successful signature verification
$ echo$?
0
Logs
The text was updated successfully, but these errors were encountered:
I would say that the pkcs11-tool is not designed for security and robust scripting. You can see in the code, the pkcs11 tool implements different operations and they are executed in the code-defined order, but do not return any return value:
Supporting different return values for different operations would complicate stuff.
The other thing is that for the signature verification, one does not need the pkcs11 tool at all. The verification usually happens on some other place where the signing smart card/token is not available. It can be done without the smart card/token, just with the public key, that can be obtained from the pkcs11-tool with --read-object and for example openssl CLI that has more consistent exit codes.
@Jakuje thanks for your comments: I imagined that those were the reasons. I just wanted to be sure that I undertsood correctly. @popovec thanks for your suggestion: yes, I have something similar in my script.
I close the issue, hoping that could help someone will search for the same topic.
Problem Description
Not a real issue I suppose (if it were a bug, it would have already been corrected).
This is a kind of an explanation request.
Why pkcs11-tool does not return an error code when a signature verification fails because signature is invalid?
I haven't found anything about return error codes in the wiki.
Without an error returned, usage of pkcs11-tool in scripts is not immediate because requires log parsing to find out if verification step is OK or failed.
Proposed Resolution
Return an error code for "algorithm" errors (but I could be wrong, because this could be the intended behavior)
Steps to reproduce
Logs
The text was updated successfully, but these errors were encountered: