Comments (10)
It looks like the problem comes from C_SignInit() failed: 0x00000063
In that case you should report the problem to the PKCS#11 library used with pam-pkcs11. In your case OpenSC.
from pam_pkcs11.
@LudovicRousseau this is the key loaded in the smart card, is it ok?
Private EC Key [PIV AUTH key]
Object Flags : [0x1], private
Usage : [0x4], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
FieldLength : 256
Key ref : 154 (0x9A)
Native : yes
Auth ID : 01
ID : 01
MD:guid : 0x'30
from pam_pkcs11.
Looks like pam_pkcs11 in pkcs11_lib.c only supports RSA and sha1.
sign_value() routine at line 1722 has:
Line 1726 only defines sha1
Line 1739 only supports CKK_RSA, but it is not clear why lines 1743 and 1744 did not return -1;
line 1746 : SHA1(data, length, &hash[15]);
line 1752: set_error("C_SignInit() failed: 0x%08lX", rv);
from pam_pkcs11.
@dengert so there is no support for ecdsa-sha256 :D ?
Also I can't add keys to ssh agent (using PIN)
$ ssh-add -s /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so": agent refused operation
and I have two files (debian sid)
/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
How can I determine the version of those libs (excluding dpkg)? Some header, md5, sha?
Could it be a curve related issue?
I have generated the private key with openssl as:
ecparam -param_enc named_curve -name prime256v1
On the Yubico site it is written:
"Follow the notes and try to use brew SSH and explicitly use those binaries not the default ssh.
Alternatively, try using YKCS11 https://developers.yubico.com/yubico-pi ... notes.html"
@LudovicRousseau can I use YKCS11 with pam pkcs11?
https://developers.yubico.com/yubico-piv-tool/YKCS11_release_notes.html
from pam_pkcs11.
Could the problem lie in -param_enc
explicit vs named_curve ??
PS: using explicit I can't upload the key to the YubiKey, as:
Unknown EC curve 0
Unable to import private key
from pam_pkcs11.
The issue appears to be with the pam_pkcs11 that pre-dates ECDSA or SHA256 and only has support for RSA and SHA1. The sign_value() routine is computing the signature hash then calling C_SignInit and C_Sign to sign the hash, which includes the OID of the hash algorithm and the hash.
For RSA, PKCS#11 defines many mechanisms that do the hash, padding and signature internally, but for ECDSA there is only CKM_ECDSA (no hash) and CKM_ECDSA_SHA1 (do the SHA1 then do the ECDSA internally). So for other hashes, the application has to do the hash using OpenSSL for example or use PKCS#11 or one of the CKM_SHA* mechanisms, then pass this hash to the CKM_ECDSA. There is no requirement that a PKCS#11 implementation implement these hash-only mechanisms. (OpenSC pkcs11 does if compiled with OpenSSL, which is normally done.) I don't know if the YKCS11 does or not.
pkcs11-tool -M can be used to see what mechanisms are supported for the card.
pkcs11_lib.c contains two versions of many routines including sign_value, one if using NSS and one if using OpenSSL. Both sign_value routines should be rewritten to support ECDSA. The OpenSSL version could use the OpenSSL digest routines to produce the hashes. Note: unlike RSA signatures, which include the OID of the hash algorithm, ECDSA does not.
The problem is not with the yubikey.
from pam_pkcs11.
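The RSA/ECDSA difference described in the comment above, sketched in C as an added example (it is not pam_pkcs11 code and not one of the patches attached to this issue): for an RSA key the caller prepends the DigestInfo header carrying the hash OID, for an EC key the bare hash goes to CKM_ECDSA. `prepare_sign_input` and `expected_signature_len` are hypothetical names, and the constants repeat values from the PKCS#11 headers so the block builds without them.

```c
#include <stddef.h>
#include <string.h>

/* Values from the PKCS#11 headers, redefined so this compiles without them. */
#define CKK_RSA        0x00000000UL
#define CKK_EC         0x00000003UL
#define CKM_RSA_PKCS   0x00000001UL
#define CKM_ECDSA      0x00001041UL
#define SHA256_LEN     32

/* DER DigestInfo header for SHA-256; RSA PKCS#1 v1.5 signs header || hash. */
static const unsigned char sha256_digestinfo[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};

/* Hypothetical helper (not pam_pkcs11 code): choose the mechanism for the
 * key type and build the buffer handed to C_Sign() from an already computed
 * SHA-256 digest. Returns the bytes written to out, or -1 when the key type
 * is unsupported or out is too small, so the caller never reaches C_SignInit. */
int prepare_sign_input(unsigned long key_type,
                       const unsigned char digest[SHA256_LEN],
                       unsigned char *out, size_t out_size,
                       unsigned long *mechanism)
{
    size_t prefix = 0;

    if (key_type == CKK_RSA) {
        *mechanism = CKM_RSA_PKCS;   /* token pads; caller adds DigestInfo */
        prefix = sizeof(sha256_digestinfo);
    } else if (key_type == CKK_EC) {
        *mechanism = CKM_ECDSA;      /* token signs the bare hash, no OID */
    } else {
        return -1;                   /* fail closed on any other key type */
    }
    if (out_size < prefix + SHA256_LEN)
        return -1;
    memcpy(out, sha256_digestinfo, prefix);
    memcpy(out + prefix, digest, SHA256_LEN);
    return (int)(prefix + SHA256_LEN);
}

/* Expected C_Sign() output size: RSA = modulus bytes, CKM_ECDSA = r || s. */
size_t expected_signature_len(unsigned long key_type, size_t key_bits)
{
    size_t bytes = (key_bits + 7) / 8;
    return key_type == CKK_EC ? 2 * bytes : bytes;
}
```

For the 256-bit PIV AUTH key shown earlier in the thread, the EC path passes 32 bytes to the token and expects a 64-byte signature back.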
@danger @LudovicRousseau
I do not "sit" (don't know if there is an idiom in English for what I'm trying to say :) ) in cryptography and C .. I know at most Java so I can not help much & second I have no time ... I miss additional 48 hours a day ;/ but it would be nice for someone to make use of EC, maybe @a-dma or @klali could provide some help :P
https://www.cryptsoft.com/pkcs11doc/v220/group__SEC__12__3__6__ECDSA__WITHOUT__HASHING.html
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
**ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000**
ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA384-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA512-RSA-PKCS, keySize={1024,3072}, sign, verify
MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify
related:
https://bitbucket.org/PyKCS11/pykcs11/issues/23/ckm-ecdsa-creating-signatures
Yubico/yubico-piv-tool#83
http://osxr.org/android/ident?_i=CKM_ECDSA
https://bugzilla.mozilla.org/show_bug.cgi?id=327667
https://www.oasis-open.org/committees/download.php/50265/CKM_ECDSA_FIPS_186_4_v02.pdf
https://sourceforge.net/p/opencryptoki/opencryptoki/ci/3400be830fade6f2ea3c80d044f88f9d240ef9b0/tree/usr/lib/pkcs11/cca_stdll/sign_mgr.c?diff=12a8280869bcc2a96a4acd175db166bde6f255ae
https://bugzilla.mozilla.org/show_bug.cgi?id=613496
http://nullege.com/projects/show/27986
https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-October/034440.html
http://markmail.org/message/37ihqvplwwaicpmk
https://chromium.googlesource.com/chromiumos/third_party/opencryptoki/+/3400be830fade6f2ea3c80d044f88f9d240ef9b0%5E!/
from pam_pkcs11.
Ran into this issue (and the somewhat confusing error message), so I did a quick patch to v0.6.10 to get things working with openssl, for me at least:
01_priv_key_type.patch.txt
02_ecdsa_sha256.patch.txt
03_signature_length.patch.txt
from pam_pkcs11.
Thanks @sovaeta I used your 3 patches.
I also modified the second one to add support of OpenSSL 1.1 in addition to 1.0.
This issue should be closed now.
Please test the current git code and open a new issue if needed.
from pam_pkcs11.
Latest git working nicely for me, thanks!
from pam_pkcs11.