Comments (1)
I have tried to run that code 4-5 times and it has broken something on my smartcard. I cannot sign documents with other software, except Dike, nor re-execute that code (it throws a CKR_GENERAL_ERROR exception when executing the GenerateKeyPair method on the session object).
My first guess would be that memory got full on your device. Usually CKR_DEVICE_MEMORY is returned in such case but I've also seen plenty of implementations returning CKR_GENERAL_ERROR.
Our unit tests (code samples) create/generate temporary objects/keys with "Pkcs11Interop" label for each test method. If the test is successful these objects are deleted. If test fails these objects are not deleted mostly to keep the code simple but sometimes they may also be useful for further manual troubleshooting.
When the device memory gets full you can use some management tool like Pkcs11Admin to safely delete all left-over objects with "Pkcs11Interop" label.
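The cleanup described above can also be scripted instead of done by hand. The following C# program is an added example, not code from the Pkcs11Interop project or from this thread; it assumes the Pkcs11Interop 5.x high-level API, and the library path and PIN are placeholders. It lists every object labelled "Pkcs11Interop", shows the token's free memory before and after, and only destroys objects when `dryRun` is false.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

static class LeftoverCleanup
{
    // Finds objects with CKA_LABEL "Pkcs11Interop" on the first present token.
    // Returns how many were found; destroys them only when dryRun is false.
    public static int Run(string libraryPath, string userPin, bool dryRun)
    {
        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
            factories, libraryPath, AppType.MultiThreaded))
        {
            List<ISlot> slots = lib.GetSlotList(SlotsType.WithTokenPresent);
            if (slots.Count == 0) throw new InvalidOperationException("No token present");
            ISlot slot = slots[0];

            // Free memory is the symptom discussed in the thread, so report it before and after.
            ITokenInfo before = slot.GetTokenInfo();
            Console.WriteLine($"Free private/public memory before: {before.FreePrivateMemory}/{before.FreePublicMemory}");

            int count;
            using (ISession session = slot.OpenSession(SessionType.ReadWrite))
            {
                // Private objects are only visible (and deletable) after a user login.
                session.Login(CKU.CKU_USER, userPin);
                var template = new List<IObjectAttribute>
                {
                    session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, "Pkcs11Interop")
                };
                List<IObjectHandle> found = session.FindAllObjects(template);
                count = found.Count;
                foreach (IObjectHandle handle in found)
                {
                    // CKA_ID is not defined for every class (e.g. data objects), so it may be unreadable.
                    List<IObjectAttribute> attrs = session.GetAttributeValue(handle, new List<CKA> { CKA.CKA_CLASS, CKA.CKA_ID });
                    CKO objClass = (CKO)attrs[0].GetValueAsUlong();
                    string id = attrs[1].CannotBeRead ? "<n/a>" : ConvertUtils.BytesToHexString(attrs[1].GetValueAsByteArray());
                    Console.WriteLine($"{(dryRun ? "would delete" : "deleting")} handle {handle.ObjectId}: {objClass}, CKA_ID {id}");
                    if (!dryRun) session.DestroyObject(handle);
                }
                session.Logout();
            }

            ITokenInfo after = slot.GetTokenInfo();
            Console.WriteLine($"Free private/public memory after: {after.FreePrivateMemory}/{after.FreePublicMemory}");
            return count;
        }
    }
}
```

Run it first with `dryRun` set to true and check that only the throwaway test objects are listed, since the same label could in principle have been assigned to objects you want to keep.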
The problem may be related to the CKA_ID generated in a random way when it calls:
Helpers.GenerateKeyPair(session, out publicKey, out privateKey);
and in that helper class, in the GenerateKeyPair method:
byte[] ckaId = session.GenerateRandom(20);
So it can interfere with some CKA_ID if the two CKA_IDs match.
I believe that multiple keys with the same value of CKA_ID attribute should not present a problem in general. This topic is addressed in PKCS#11 specification v2.20 chapter 10.7.2 ...
The CKA_ID field is intended to distinguish among multiple keys. In the case of public and private keys, this field assists in handling multiple keys held by the same subject; the key identifier for a public key and its corresponding private key should be the same. The key identifier should also be the same as for the corresponding certificate, if one exists. Cryptoki does not enforce these associations, however. (See Section 10.6 for further commentary.)
... and chapter 10.6.3 ...
The CKA_ID attribute is intended as a means of distinguishing multiple publickey/private-key pairs held by the same subject (whether stored in the same token or not). (Since the keys are distinguished by subject name as well as identifier, it is possible that keys for different subjects may have the same CKA_ID value without introducing any ambiguity.)
It is intended in the interests of interoperability that the subject name and key identifier for a certificate will be the same as those for the corresponding public and private keys (though it is not required that all be stored in the same token). However, Cryptoki does not enforce this association, or even the uniqueness of the key identifier for a given subject; in particular, an application may leave the key identifier empty.
However some vendor specific requirements for the value of CKA_ID attribute may exist and it would be best to discuss them with the vendor.
I don't know where the bug resides, and unfortunately I cannot provide more information because I had to return the USB token to the certification authority.
That's a pity. It would be an interesting thing to analyze and troubleshoot.
I suggest using keys from the card and not generating a new pair. It was done that way in another project from the same author (Pkcs7SignatureGenerator).
Currently I don't plan to change the way our unit tests work but I may add some comments describing code behavior. The main idea behind generating new objects for each test method was not to mess in any way with the existing objects/keys because they may be valuable. For example I would not be happy if my encryption key got accidentally deleted.
Has someone encountered that problem?
Up until now you are the first one to report such problems.