Comments (14)
alonbl
commented on August 17, 2024
Hi,
The minimum supported setup of PKCS#11 is a certificate on public area and a private key in private area.
You may create a self-signed certificate in order to make it work, see[1] for more information.
Regards,
[1] https://github.com/OpenSC/libp11
from gnupg-pkcs11-scd.
rkeene
commented on August 17, 2024
Hi. I'm not sure what you mean by that. The PKCS#11 module I wrote only exports a CKO_PUBLIC_KEY and CKO_PRIVATE_KEY and is compliant with PKCS#11 v2.20.
The link you provided didn't explain anything further -- what was I supposed to see there ?
from gnupg-pkcs11-scd.
alonbl
commented on August 17, 2024
The PKCS#11 spec is very flexible, almost all in optional, very hard to understand what is "compliant", there are more best practices than compliance tests.
Please add support for CKO_CERTIFICATE and load a self-signed certificate with the public key. The CKO_PUBLIC_KEY is optional and not used in this configuration.
from gnupg-pkcs11-scd.
rkeene
commented on August 17, 2024
What does gnupg-pkcs11-scd use from the CKO_CERTIFICATE beyond the Public Key ?
from gnupg-pkcs11-scd.
alonbl
commented on August 17, 2024
Regardless for the fact that gpg-gnupg-scd is supporting both gpg and gpgsm.
I already replied, the best practice of MVP for PKCS#11 provider is a private key at private section and X.509 certificate at public section, this is how pkcs11-helper implemented and hence the minimum requirement for gnupg-pkcs11-scd.
Rationals:
- a public key which is not signed is worth very little
- X.509 certificate has public key embedded
- as device has limited storage there is no need to store both certificate which is required for X.509 operations and public key
from gnupg-pkcs11-scd.
rkeene
commented on August 17, 2024
My question was regarding what attributes do I need to put into the certificate I generate for gnupg-pkcs11-scd to be able to use it.
I updated my PKCS#11 to generate X.509v3 certificates from the public key -- initially without a valid signature assuming gnupkg-pkcs11-scd wasn't going to check the signature (and creating a valid signature is more work on the backing HSM). This did not work.
I've just updated it to produce a valid signature, and still gnupg-pkcs11-scd does not appear to see it.
Certificate generated:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 48 (0x30)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = Dummy
Validity
Not Before: Jan 1 00:00:00 2022 GMT
Not After : Jan 1 00:00:00 2042 GMT
Subject: CN = Dummy
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:94:55:97:56:d0:04:a0:22:1d:c8:eb:49:79:f0:
57:2c:b7:04:6f:b1:9e:3a:9e:17:88:1c:b2:76:1a:
cd:b2:54:1c:e3:db:2f:a0:68:94:9a:5d:57:f8:74:
4f:47:3e:78:be:87:7f:35:b8:90:3b:f1:a3:58:51:
b6:b5:6d:e2:56
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:a7:b8:0e:45:66:91:ec:5a:b0:ab:f4:12:0a:
63:df:9d:c1:4a:0a:a5:b7:aa:27:b5:17:56:1d:a7:11:52:ff:
be:02:21:00:9b:c2:a7:f1:3f:20:22:c3:2e:bd:07:8c:61:89:
3e:2e:c8:61:01:d6:2e:c4:a5:27:6c:c3:10:bd:23:dc:98:3a
-----BEGIN CERTIFICATE-----
MIIBJjCBzKADAgECAgEwMAoGCCqGSM49BAMCMBAxDjAMBgNVBAMMBUR1bW15MCIY
DzIwMjIwMTAxMDAwMDAwWhgPMjA0MjAxMDEwMDAwMDBaMBAxDjAMBgNVBAMMBUR1
bW15MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElFWXVtAEoCIdyOtJefBXLLcE
b7GeOp4XiByydhrNslQc49svoGiUml1X+HRPRz54vod/NbiQO/GjWFG2tW3iVqMT
MBEwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEAp7gORWaR7Fqw
q/QSCmPfncFKCqW3qie1F1YdpxFS/74CIQCbwqfxPyAiwy69B4xhiT4uyGEB1i7E
pSdswxC9I9yYOg==
-----END CERTIFICATE-----
Output from gpg-agent:
OK Pleased to meet you
RELOADAGENT
gpg-agent[3745896]: SIGHUP received - re-reading configuration and flushing cache
gpg-agent[3745896]: reading options from '/home/rkeene/.gnupg/gpg-agent.conf'
OK
SCD LEARN
gnupg-pkcs11-scd[3745913.2586269504]: Listening to socket '/tmp/gnupg-pkcs11-scd.DSuMEs/agent.S'
gnupg-pkcs11-scd[3745913.2586269504]: accepting connection
gnupg-pkcs11-scd[3745913]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[3745913.2586269504]: processing connection
gnupg-pkcs11-scd[3745913]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[3745913]: chan_0 -> D /tmp/gnupg-pkcs11-scd.DSuMEs/agent.S
gnupg-pkcs11-scd[3745913]: chan_0 -> OK
gnupg-pkcs11-scd[3745913]: chan_0 <- LEARN
gnupg-pkcs11-scd[3745913]: chan_0 -> S SERIALNO D2760001240111503131B7DD41D51111
gnupg-pkcs11-scd[3745913]: chan_0 -> S APPTYPE PKCS11
S SERIALNO D2760001240111503131B7DD41D51111
S APPTYPE PKCS11
gnupg-pkcs11-scd[3745913]: chan_0 -> OK
OK
gnupg-pkcs11-scd[3745913]: chan_0 <- RESTART
gnupg-pkcs11-scd[3745913]: chan_0 -> OK
gnupg-pkcs11-scd[3745913]: chan_0 <- [eof]
gnupg-pkcs11-scd[3745913.2586269504]: post-processing connection
gnupg-pkcs11-scd[3745913.2586269504]: accepting connection
gnupg-pkcs11-scd[3745913.2586269504]: cleanup connection
gnupg-pkcs11-scd[3745913.2586269504]: Terminating
I can confirm it is fetching data from my PKCS#11 module:
C_OpenSession(): Returning CKR_OK (0)
C_FindObjectsInit(): Called.
C_FindObjectsInit(): Returning CKR_OK (0)
C_FindObjects(): Called.
C_FindObjects(): Processing identity:0
C_FindObjects(): Checking for attribute 0x00000000 (CKO_CLASS) in identity:0...
C_FindObjects(): Value looking for: (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00}) (CKA_CERTIFICATE)
C_FindObjects(): ... found matching type ...
C_FindObjects(): ... our value: (curr_id->attributes[sess_attr_idx].pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... found exact match
C_FindObjects(): ... All 1 attributes checked for found, adding identity:0 to returned list
C_FindObjects(): Processing identity:1
C_FindObjects(): Checking for attribute 0x00000000 in identity:1...
C_FindObjects(): Value looking for: (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... found matching type ...
C_FindObjects(): ... our value: (curr_id->attributes[sess_attr_idx].pValue/8 = {02, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... Not all 1 (only found 0) attributes checked for found, not adding identity:1
C_FindObjects(): Processing identity:2
C_FindObjects(): Checking for attribute 0x00000000 in identity:2...
C_FindObjects(): Value looking for: (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... found matching type ...
C_FindObjects(): ... our value: (curr_id->attributes[sess_attr_idx].pValue/8 = {03, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... Not all 1 (only found 0) attributes checked for found, not adding identity:2
C_FindObjects(): Returning CKR_OK (0), num objects = 1
C_FindObjects(): Called.
C_FindObjects(): Returning CKR_OK (0), num objects = 0
C_FindObjectsFinal(): Called.
...
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (CKA_ID) (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x5556b397da30, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (CKA_VALUE) (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x5556b397d8d0, ulValueLen = 298 <- This is the certificate
C_GetAttributeValue(): Returning CKR_OK (0)
FWIW, The particular device I am using does not support storing certificates, only key pairs.
from gnupg-pkcs11-scd.
alonbl
commented on August 17, 2024
The pairing between certificate object and private key object is done using the CKA_ID attribute, both should have the same value.
In the LEARN command I can see that no objects where returned that meet CKO_CERTIFICATE.
from gnupg-pkcs11-scd.
rkeene
commented on August 17, 2024
For every object with objectclass CKO_CERTIFICATE there is a CKO_PRIVATE_KEY object (and also CKO_PUBLIC_KEY object) that has the same CKA_ID value. Those are the above identity:1 (CKO_PUBLIC_KEY) and identity:2 (CKO_PRIVATE_KEY).
gnupkg-pkcs11-scd didn't search for this, it only searched for objects where CKA_CLASS is 0x1 (CKO_CERTIFICATE). It then read the CKA_ID and CKA_VALUE from that object, and did nothing else. Full log follows.
For all 3 objects, the value of CKA_ID is the following 2 bytes: 00 01
Here are all 3 objects (but again, gnupg-pkcs11-scd did not search for anything other than certificates):
Object Info (object 1):
[1] CKA_CLASS: 01 00 00 00 00 00 00 00 ;; 0x55c6a05b9030/8
[1] CKA_TOKEN: 01 ;; 0x55c6a05b9050/1
[1] CKA_LABEL: RSK
[1] CKA_PRIVATE: (not found)
[1] CKA_ID: 00 01 ;; 0x55c6a05b9090/2
[1] CKA_SERIAL_NUMBER: 02 01 30 ;; 0x55c6a05b90b0/3
[1] CKA_SUBJECT: \x30\x10\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x0c\x05\x44\x75\x6d\x6d\x79 ;; 0x55c6a05b90d0/18
[1] CKA_ISSUER: \x30\x10\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x0c\x05\x44\x75\x6d\x6d\x79 ;; 0x55c6a05b90f0/18
[1] CKA_PRIVATE: (not found)
[1] CKA_CERTIFICATE_TYPE: 00 00 00 00 00 00 00 00 ;; 0x55c6a05b9110/8
[1] CKA_KEY_TYPE: (not found)
[1] CKA_SIGN: 00 ;; 0x55c6a05b9130/1
[1] CKA_VALUE: 0x55c6a05b83f0/297
Object Info (object 2):
[2] CKA_CLASS: 02 00 00 00 00 00 00 00 ;; 0x55c6a05b90f0/8
[2] CKA_TOKEN: 01 ;; 0x55c6a05b90d0/1
[2] CKA_LABEL: RSK
[2] CKA_PRIVATE: (not found)
[2] CKA_ID: 00 01 ;; 0x55c6a05b9090/2
[2] CKA_SERIAL_NUMBER: (not found)
[2] CKA_SUBJECT: (not found)
[2] CKA_ISSUER: (not found)
[2] CKA_PRIVATE: (not found)
[2] CKA_CERTIFICATE_TYPE: (not found)
[2] CKA_KEY_TYPE: 03 00 00 00 00 00 00 00 ;; 0x55c6a05b9070/8
[2] CKA_SIGN: 00 ;; 0x55c6a05b9050/1
[2] CKA_VALUE: 0x55c6a05b9150/72
Object Info (object 3):
[3] CKA_CLASS: 03 00 00 00 00 00 00 00 ;; 0x55c6a05b9050/8
[3] CKA_TOKEN: 01 ;; 0x55c6a05b9070/1
[3] CKA_LABEL: RSK
[3] CKA_PRIVATE: (not found)
[3] CKA_ID: 00 01 ;; 0x55c6a05b90b0/2
[3] CKA_SERIAL_NUMBER: (not found)
[3] CKA_SUBJECT: (not found)
[3] CKA_ISSUER: (not found)
[3] CKA_PRIVATE: (not found)
[3] CKA_CERTIFICATE_TYPE: (not found)
[3] CKA_KEY_TYPE: 03 00 00 00 00 00 00 00 ;; 0x55c6a05b90d0/8
[3] CKA_SIGN: 01 ;; 0x55c6a05b90f0/1
[3] CKA_VALUE: (not found)
Here is the full log of things gnupg-pkcs11-scd did with the PKCS#11 module:
$ gpg-agent --server gpg-connect-agent
OK Pleased to meet you
RELOADAGENT
gpg-agent[3746094]: SIGHUP received - re-reading configuration and flushing cache
gpg-agent[3746094]: reading options from '/home/rkeene/.gnupg/gpg-agent.conf'
OK
SCD LEARN
C_GetFunctionList(): Called.
C_GetFunctionList(): Returning CKR_OK (0)
C_Initialize(): Called.
C_Initialize(): Returning CKR_OK (0)
C_GetInfo(): Called.
C_GetInfo(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3746095.2285307712]: Listening to socket '/tmp/gnupg-pkcs11-scd.fpQcX7/agent.S'
gnupg-pkcs11-scd[3746095.2285307712]: accepting connection
gnupg-pkcs11-scd[3746095]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[3746095.2285307712]: processing connection
gnupg-pkcs11-scd[3746095]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[3746095]: chan_0 -> D /tmp/gnupg-pkcs11-scd.fpQcX7/agent.S
gnupg-pkcs11-scd[3746095]: chan_0 -> OK
gnupg-pkcs11-scd[3746095]: chan_0 <- LEARN
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetTokenInfo(): Called.
C_GetTokenInfo(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3746095]: chan_0 -> S SERIALNO D2760001240111503131B7DD41D51111
gnupg-pkcs11-scd[3746095]: chan_0 -> S APPTYPE PKCS11
S SERIALNO D2760001240111503131B7DD41D51111C_GetSlotList():
Called.
S APPTYPE PKCS11
C_GetSlotList(): Returning CKR_OK (0)
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetTokenInfo(): Called.
C_GetTokenInfo(): EcDSA NIST P-256 Key (key/65 = {04, 94, 55, 97, 56, d0, 04, a0, 22, 1d, c8, eb, 49, 79, f0, 57, 2c, b7, 04, 6f, b1, 9e, 3a, 9e, 17, 88, 1c, b2, 76, 1a, cd, b2, 54, 1c, e3, db, 2f, a0, 68, 94, 9a, 5d, 57, f8, 74, 4f, 47, 3e, 78, be, 87, 7f, 35, b8, 90, 3b, f1, a3, 58, 51, b6, b5, 6d, e2, 56})
C_GetTokenInfo(): DER encoded Key: (der_encoded_key/72 = {30, 46, 02, 21, 00, 94, 55, 97, 56, d0, 04, a0, 22, 1d, c8, eb, 49, 79, f0, 57, 2c, b7, 04, 6f, b1, 9e, 3a, 9e, 17, 88, 1c, b2, 76, 1a, cd, b2, 54, 02, 21, 00, 54, 1c, e3, db, 2f, a0, 68, 94, 9a, 5d, 57, f8, 74, 4f, 47, 3e, 78, be, 87, 7f, 35, b8, 90, 3b, f1, a3, 58, 51, b6, b5, 6d, e2})
C_GetTokenInfo(): Returning CKR_OK (0)
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetSlotList(): Called.
C_GetSlotList(): Returning CKR_OK (0)
C_GetTokenInfo(): Called.
C_GetTokenInfo(): EcDSA NIST P-256 Key (key/65 = {04, 94, 55, 97, 56, d0, 04, a0, 22, 1d, c8, eb, 49, 79, f0, 57, 2c, b7, 04, 6f, b1, 9e, 3a, 9e, 17, 88, 1c, b2, 76, 1a, cd, b2, 54, 1c, e3, db, 2f, a0, 68, 94, 9a, 5d, 57, f8, 74, 4f, 47, 3e, 78, be, 87, 7f, 35, b8, 90, 3b, f1, a3, 58, 51, b6, b5, 6d, e2, 56})
C_GetTokenInfo(): DER encoded Key: (der_encoded_key/72 = {30, 46, 02, 21, 00, 94, 55, 97, 56, d0, 04, a0, 22, 1d, c8, eb, 49, 79, f0, 57, 2c, b7, 04, 6f, b1, 9e, 3a, 9e, 17, 88, 1c, b2, 76, 1a, cd, b2, 54, 02, 21, 00, 54, 1c, e3, db, 2f, a0, 68, 94, 9a, 5d, 57, f8, 74, 4f, 47, 3e, 78, be, 87, 7f, 35, b8, 90, 3b, f1, a3, 58, 51, b6, b5, 6d, e2})
C_GetTokenInfo(): Returning CKR_OK (0)
C_OpenSession(): Called.
C_OpenSession(): Returning CKR_OK (0)
C_FindObjectsInit(): Called.
C_FindObjectsInit(): Returning CKR_OK (0)
C_FindObjects(): Called.
C_FindObjects(): Processing identity:0
C_FindObjects(): Checking for attribute 0x00000000 in identity:0...
C_FindObjects(): Value looking for: (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... found matching type ...
C_FindObjects(): ... our value: (curr_id->attributes[sess_attr_idx].pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... found exact match
C_FindObjects(): ... All 1 attributes checked for found, adding identity:0 to returned list
C_FindObjects(): Processing identity:1
C_FindObjects(): Checking for attribute 0x00000000 in identity:1...
C_FindObjects(): Value looking for: (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... found matching type ...
C_FindObjects(): ... our value: (curr_id->attributes[sess_attr_idx].pValue/8 = {02, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... Not all 1 (only found 0) attributes checked for found, not adding identity:1
C_FindObjects(): Processing identity:2
C_FindObjects(): Checking for attribute 0x00000000 in identity:2...
C_FindObjects(): Value looking for: (curr_attr->pValue/8 = {01, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... found matching type ...
C_FindObjects(): ... our value: (curr_id->attributes[sess_attr_idx].pValue/8 = {03, 00, 00, 00, 00, 00, 00, 00})
C_FindObjects(): ... Not all 1 (only found 0) attributes checked for found, not adding identity:2
C_FindObjects(): Returning CKR_OK (0), num objects = 1
C_FindObjects(): Called.
C_FindObjects(): Returning CKR_OK (0), num objects = 0
C_FindObjectsFinal(): Called.
C_FindObjectsFinal(): Returning CKR_OK (0)
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x5556b397da30, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x5556b397d8d0, ulValueLen = 298
C_GetAttributeValue(): Returning CKR_OK (0)
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x5556b397da30, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x5556b397d8d0, ulValueLen = 298
C_GetAttributeValue(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3746095]: chan_0 -> OK
OK
^Cgnupg-pkcs11-scd[3746095]: chan_0 <- [error: Bad file descriptor]
gnupg-pkcs11-scd[3746095.2285307712]: assuan_process failed: Bad file descriptor
gnupg-pkcs11-scd[3746095.2285307712]: post-processing connection
gnupg-pkcs11-scd[3746095.2285307712]: accepting connection
gnupg-pkcs11-scd[3746095.2285307712]: cleanup connection
gnupg-pkcs11-scd[3746095.2285307712]: Terminating
gnupg-pkcs11-scd[3746095.2285135424]: Thread command terminate
gnupg-pkcs11-scd[3746095.2285135424]: Cleaning up threads
C_Finalize(): Called.
C_CloseSession(): Called.
C_CloseSession():
C_CloseSession(): Returning CKR_OK (0)
C_Finalize(): Returning CKR_OK (0)
from gnupg-pkcs11-scd.
alonbl
commented on August 17, 2024
Hi,
The private key object usage is deferred as much as possible so that user is asked for PIN only when a private key operation is performed.
It is expected that all certificates are enumerated out of the public area, for each certificate which is supported (RSA).
You will see more information if you put the following in gnupg pkcs11 configuration:
log-file /tmp/gpk.log
verbose
debug-all
Please understand this is working for many provider, please try to find what's wrong with the implementation you wrote.
Thanks,
from gnupg-pkcs11-scd.
rkeene
commented on August 17, 2024
I don't think there's anything wrong with the PKCS#11 module I've implemented, and there doesn't seem to be anything you've described that it's doing incorrectly. I think the issue is on the gnupkg-pkcs11-scd side.
Per #17 (comment) EC certificates are also supported (which I am, as noted above) using -- yet you only mentioned RSA. Is there a reason for that ?
Enabling those logs does not help any.
$ gpg-agent --server gpg-connect-agent
...
SCD LEARN
...
C_FindObjectsFinal(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0x564c40f85d00, object=1, attrs=0x7fff740803c0, count=2
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x564c40f7f040, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x564c40f7eee0, ulValueLen = 297
C_GetAttributeValue(): Returning CKR_OK (0)
C_GetAttributeValue(): Called.
C_GetAttributeValue(): Looking for attribute 0x00000102 (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x564c40f7f040, ulValueLen = 2
C_GetAttributeValue(): Looking for attribute 0x00000011 (identity:0) ...
C_GetAttributeValue(): ... found it, pValue = 0x564c40f7eee0, ulValueLen = 297
C_GetAttributeValue(): Returning CKR_OK (0)
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7fff74080398
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x564c40f7ff60
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x564c40f7ff60 form=0x564c40f7e140
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x564c40f80390
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0x564c40f7ff60
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x564c40fd6420, ptr=(nil), ad=0x564c40fd6460, idx=1, argl=0, argp=0x7fc598bc1ac3
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/CN=Dummy on RSK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7fff740803c0, count=2
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_release entry session=0x564c40f85d00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x564c40f7dca0
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x564c40f7ff08 form=0x564c40f7ff60
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x564c40f7dc80
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0x564c40f7ff00, p_cert_id_issuers_list=0x7fff740805a8, p_cert_id_end_list=0x7fff740805a0
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x564c40fd6558 form=0x564c40f7dc80
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x564c40fd7c00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x564c40f7ff00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x564c40f7dc80
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x564c40fd7790
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0x564c40fd7c00, user_data=0x564c40f7c6a0, mask_prompt=00000007, pin_cache_period=-1, p_certificate=0x7fff74080478
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x564c40fd76b0 form=0x564c40fd7c00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x564c40fd7790
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x564c40f7dc80, p_session=0x564c40fd76c8
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: Using cached session
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x564c40f85d00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x564c40fd76b0
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x564c40fd76b0, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x564c40fd76b0, certificate_blob=0x564c40fd7340, *p_certificate_blob_size=0000000000000129
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x564c40fd76b0
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_release entry session=0x564c40f85d00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x564c40fd7790
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x564c40f7dc80
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificate return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x564c40fd62b0, ptr=(nil), ad=0x564c40fd62f0, idx=1, argl=0, argp=0x7fc598bc1ac3
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x564c40fd6550
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x564c40fd7c00
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x564c40fd8030
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[3760148.2560096064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[3760148]: chan_0 -> OK
from gnupg-pkcs11-scd.
alonbl
commented on August 17, 2024
gnupg-pkcs11-scd does not support ec
from gnupg-pkcs11-scd.
rkeene
commented on August 17, 2024
Thanks for the update. I'll add support for it.
Shouldn't this be documented somewhere other than an issue that was closed as completed with a comment saying it works in v0.9.3 ?
Should work with gnupg-pkcs11-scd-0.9.3
alonbl closed this as completed on Dec 31, 2021
from gnupg-pkcs11-scd.
alonbl
commented on August 17, 2024
#17 fixed an issue which cause the entire certificate enum process fail because of existence of one or more EC certificates.
patches are more than welcomed.
Closing this one.
from gnupg-pkcs11-scd.
rkeene
commented on August 17, 2024
Note to future readers, even though this issue is "closed as completed", it is not completed -- certificates are still required.
from gnupg-pkcs11-scd.
Related Issues (20)
- safenet HSM card not found with gpg 2.2.9 HOT 15
- Support for SSH authentication HOT 6
- gpg 2.3.x regression HOT 25
- Select slot/token and env for library in configuration HOT 9
- Utimaco problem: Bad session key HOT 8
- Documentation Isuse for Yubikey with OpenSC HOT 5
- Yubikey - Multiple PIV Certs encryption/signing issue HOT 8
- Problem in loading keys to the gpg HOT 8
- 9.3 release segfaults on PKAUTH command
- 9.3 release always requires PIN for signing operation HOT 7
- gpg2 --card-status fails to list any key HOT 4
- why importing same key from same token in different machine lead to different keyids HOT 1
- Instructions on compiling for Windows HOT 3
- Cannot sign, asks PIN-code, but no success HOT 9
- gpg --expert --full-generate-key fails to recognize card HOT 1
- Command GETATTR APPTYPE and $DISPSERIALNO is not implemented HOT 13
- Can this interface support Yubikey 5? HOT 11
- gpg --sign not triggering pin entry using a key with 'always authenticate' HOT 10
- ERR 41 Wrong public key algorithm <Unspecified source> HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gnupg-pkcs11-scd.