pkcs11-tool: return value is 0 when signature verification fails #3058

Closed
msalvinik opened this issue Mar 4, 2024 · 3 comments

@msalvinik

Problem Description

Not a real issue I suppose (if it were a bug, it would have already been corrected).
This is a kind of explanation request.
Why does pkcs11-tool not return an error code when a signature verification fails because the signature is invalid?
I haven't found anything about return error codes in the wiki.
Without an error returned, usage of pkcs11-tool in scripts is not immediate because it requires log parsing to find out if the verification step is OK or failed.

Proposed Resolution

Return an error code for "algorithm" errors (but I could be wrong, because this could be the intended behavior)

Steps to reproduce

# signature OK
$ pkcs11-tool --verify --id ddccbbaa -m ECDSA-SHA1 -i testfile --signature-file testfile.sig
Using slot 0 with a present token (0x1)
Using signature algorithm ECDSA-SHA1
Signature is valid

# return value 0
$ echo $?
0

# now I deliberately pass a wrong signature (generated with another key) to obtain the signature error
$ pkcs11-tool --verify --id ddccbbaa -m ECDSA-SHA1 -i testfile --signature-file testfile.sig2
Using slot 0 with a present token (0x1)
Using signature algorithm ECDSA-SHA1
PKCS11:ERROR: sss_asymmetric_verify_digest Failed...
Invalid signature

# but the return value is 0, like after a successful signature verification 
$ echo $?
0

Logs

@Jakuje
Member

Jakuje commented Mar 4, 2024

I would say that the pkcs11-tool is not designed for security and robust scripting. You can see in the code, the pkcs11 tool implements different operations and they are executed in the code-defined order, but do not return any return value:

https://github.com/OpenSC/OpenSC/blob/master/src/tools/pkcs11-tool.c#L1429

Supporting different return values for different operations would complicate stuff.

The other thing is that for signature verification, one does not need the pkcs11-tool at all. The verification usually happens in some other place where the signing smart card/token is not available. It can be done without the smart card/token, just with the public key, which can be obtained from the pkcs11-tool with --read-object, and for example the openssl CLI, which has more consistent exit codes.

@popovec
Member

popovec commented Mar 4, 2024

Just for interest .. I use the following construct in my test scripts:

pkcs11-tool --verify -m ECDSA-SHA1 --id 61 --input-file file.txt --signature-file file.sig|grep -q "^Signature is valid$"
echo $?
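
Added example (not from this thread or from OpenSC): a fail-closed shell wrapper that builds on the grep construct above and returns 0 only when the tool exits 0 and prints the exact `Signature is valid` line quoted in the issue. The function name `verify_sig`, its return codes, and the `PKCS11_TOOL` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around `pkcs11-tool --verify`.
# PKCS11_TOOL is a hypothetical override so a stub can stand in for the tool.
PKCS11_TOOL="${PKCS11_TOOL:-pkcs11-tool}"

# verify_sig KEY_ID MECHANISM INPUT_FILE SIGNATURE_FILE
# Return codes (chosen for this example):
#   0 signature valid         1 tool reported "Invalid signature"
#   2 usage error             3 tool exited non-zero
#   4 neither marker line seen (treated as failure)
verify_sig() {
    [ "$#" -eq 4 ] || { echo "usage: verify_sig ID MECH FILE SIG" >&2; return 2; }

    # Capture stdout and stderr together and keep the tool's own exit status,
    # which a plain `tool | grep -q` pipeline would discard.
    rc=0
    out=$("$PKCS11_TOOL" --verify --id "$1" -m "$2" \
            --input-file "$3" --signature-file "$4" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "verify_sig: tool exited with status $rc" >&2
        return 3
    fi

    # An explicit failure message always wins over any success line.
    if printf '%s\n' "$out" | grep -q '^Invalid signature$'; then
        echo "verify_sig: invalid signature" >&2
        return 1
    fi

    # Success requires the exact, whole-line marker the tool prints.
    if printf '%s\n' "$out" | grep -q '^Signature is valid$'; then
        return 0
    fi

    # Unknown output (changed wording, early abort): fail closed.
    echo "verify_sig: no verification result in tool output" >&2
    return 4
}
```

In a script, use it as `verify_sig ddccbbaa ECDSA-SHA1 testfile testfile.sig || exit 1`, so any outcome other than a confirmed valid signature stops the script.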

@msalvinik
Author

@Jakuje thanks for your comments: I imagined that those were the reasons. I just wanted to be sure that I understood correctly.
@popovec thanks for your suggestion: yes, I have something similar in my script.

I close the issue, hoping that it could help someone who will search for the same topic.
