CKR_ATTRIBUTE_TYPE_INVALID when using opensc pkcs11-tool with SoftHSM module

dchilton+opensc
Hi

I built softhsm 1.2.0 and initialized a token.

I built opensc,

opensc-tool --info
  opensc 0.12.0 [gcc  4.5.2 20110419 [gcc-4_5-branch revision 172703]]
  Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

and can use its pkcs11-tool to query the softhsm db,

pkcs11-tool --module=/usr/local/lib/libsofthsm.so \
--show-info --list-token-slots --list-mechanisms
        Cryptoki version 2.20
        Manufacturer     SoftHSM
        Library          Implementation of PKCS11 (ver 1.2)
        Available slots:
                Slot 0 (0x0): SoftHSM
                  token label:   TEST_Token
                  token manuf:   SoftHSM
                  token model:   SoftHSM
                  token flags:   rng, login required, PIN initialized,
                  token initialized, other flags=0x40
                  serial num  :  1
        Using slot 0 with a present token (0x0)
        Supported mechanisms:
          RSA-PKCS-KEY-PAIR-GEN, keySize={512,4096}, generate_key_pair
          RSA-PKCS, keySize={512,4096}, sign, verify
          RSA-X-509, keySize={512,4096}, sign, verify
          MD5, digest
          RIPEMD160, digest
          SHA-1, digest
          SHA256, digest
          SHA384, digest
          SHA512, digest
          MD5-RSA-PKCS, keySize={512,4096}, sign, verify
          RIPEMD160-RSA-PKCS, keySize={512,4096}, sign, verify
          SHA1-RSA-PKCS, keySize={512,4096}, sign, verify
          SHA256-RSA-PKCS, keySize={512,4096}, sign, verify
          SHA384-RSA-PKCS, keySize={512,4096}, sign, verify
          SHA512-RSA-PKCS, keySize={512,4096}, sign, verify

when I try to generate a keypair, it says 'keypair generated', but also
fires a warning,

pkcs11-tool --module=/usr/local/lib/libsofthsm.so \
--login --pin 1234 \
--keypairgen --key-type rsa:2048 --id 01 --label zone_key
        Using slot 0 with a present token (0x0)
        Key pair generated:
        Private Key Object; RSA
          label:      zone_key
          ID:         01
          Usage:      decrypt, sign, unwrap
        warning: PKCS11 function
        C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv =
        CKR_ATTRIBUTE_TYPE_INVALID (0x12)

        Public Key Object; RSA 2048 bits
          label:      zone_key
          ID:         01
          Usage:      encrypt, verify, wrap


I haven't figured out yet how to list/output those generated keys to
convince myself it worked :-/

What's that 'warning' about, and how to fix it?  And how do I list
generated keypairs?

DCh
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: CKR_ATTRIBUTE_TYPE_INVALID when using opensc pkcs11-tool with SoftHSM module

Felipe Blauth
Hello,

2011/4/28 <[hidden email]>

> What's that 'warning' about, and how to fix it?  And how do I list
> generated keypairs?

You can list your keys with:
pkcs11-tool --module /usr/local/lib/libsofthsm.so --login -O

About the warning, it looks like your PKCS #11 module does not define the CKA_ALWAYS_AUTHENTICATE attribute (which is part of the PKCS #11 specification).


Re: CKR_ATTRIBUTE_TYPE_INVALID when using opensc pkcs11-tool with SoftHSM module

dchilton+opensc
Hi,

> pkcs11-tool --module /usr/local/lib/libsofthsm.so --login -O

Thanks.

> About the warning, it looks like your PKCS #11 module does not define the
> CKA_ALWAYS_AUTHENTICATE attribute (which is part of PKCS #11
> specification).

The PKCS#11 module I'm using is from SoftHSM v1.2.0.

Checking, it looks like it's defined ...

cd /usr/local/src/softhsm-1.2.0
grep CKA_ALWAYS_AUTHENTICATE ./src/lib/cryptoki_compat/pkcs11.h -A3 -B3
 #define CKA_EC_POINT                    (0x181)
 #define CKA_SECONDARY_AUTH              (0x200)
 #define CKA_AUTH_PIN_FLAGS              (0x201)
 #define CKA_ALWAYS_AUTHENTICATE         (0x202)
 #define CKA_WRAP_WITH_TRUSTED           (0x210)
 #define CKA_HW_FEATURE_TYPE             (0x300)
 #define CKA_RESET_ON_INIT               (0x301)

Dch
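
Added example, not part of the original posts and not SoftHSM or OpenSC code: a constant in pkcs11.h only names an attribute type, while C_GetAttributeValue answers per object, and PKCS #11 has it return CKR_ATTRIBUTE_TYPE_INVALID with ulValueLen set to -1 when the object has no such attribute. The sketch below uses a hypothetical toy_get_attribute_value in place of a real module and a hypothetical caller get_bool_or_default that falls back to CK_FALSE, the specification's default for CKA_ALWAYS_AUTHENTICATE.

```c
#include <stdio.h>
/* Minimal stand-ins for pkcs11.h so this builds alone. 0x202 and 0x12 are the
 * values shown in the thread; the other constants come from PKCS #11 v2.20. */
typedef unsigned long CK_ULONG, CK_RV, CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_SIGN                    0x108UL
#define CKA_ALWAYS_AUTHENTICATE     0x202UL
#define CKR_OK                      0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID  0x12UL
#define CKR_BUFFER_TOO_SMALL        0x150UL
#define CK_UNAVAILABLE_INFORMATION  (~0UL)

/* Hypothetical token: the type 0x202 is defined above, but the key object stores only CKA_SIGN. */
CK_RV toy_get_attribute_value(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < n; i++) {
        if (t[i].type != CKA_SIGN) {                 /* object lacks this attribute */
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_ATTRIBUTE_TYPE_INVALID;
        } else if (t[i].pValue == NULL) {            /* length query only */
            t[i].ulValueLen = sizeof(CK_BBOOL);
        } else if (t[i].ulValueLen < sizeof(CK_BBOOL)) {
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_BUFFER_TOO_SMALL;
        } else {
            *(CK_BBOOL *)t[i].pValue = 1;            /* constructed value: key may sign */
            t[i].ulValueLen = sizeof(CK_BBOOL);
        }
    }
    return rv;
}

/* Caller: a missing optional boolean takes its default; other codes are errors (-1). */
int get_bool_or_default(CK_ATTRIBUTE_TYPE type, CK_BBOOL dflt, CK_BBOOL *out) {
    CK_BBOOL v = 0;
    CK_ATTRIBUTE a = { type, &v, sizeof v };
    CK_RV rv = toy_get_attribute_value(&a, 1);
    if (rv == CKR_OK) { *out = v; return 0; }
    if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { *out = dflt; return 0; }
    return -1;
}

int main(void) {
    CK_BBOOL aa = 1;
    int rc = get_bool_or_default(CKA_ALWAYS_AUTHENTICATE, 0, &aa);
    printf("rc=%d always_authenticate=%d\n", rc, aa);
    return 0;
}
```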

Re: CKR_ATTRIBUTE_TYPE_INVALID when using opensc pkcs11-tool with SoftHSM module

Jean-Michel Pouré - GOOZE
In reply to this post by Felipe Blauth
On Friday 29 April 2011 at 02:24 -0300, Felipe Blauth wrote:
>         What's that 'warning' about, and how to fix it?  And how do I
>         list generated keypairs?

Try:
pkcs15-tool --list-keys


Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
