anyone tested spyrus token with pkcs11-tool?

anyone tested spyrus token with pkcs11-tool?

Sanaullah
Hi,

I am trying to generate the keys to Spyrus token using pkcs11-tool but getting errors. Anyone tested it?

pkcs11-tool.exe --module "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
Key pair generated:
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  ID:         02
  Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

; RSA 0 bits
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  ID:         02
  Usage:      encrypt, verify, wrap


C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll" --login --test
Using slot 0 with a present token (0x0)
Logging in to "SPYRUS USB Token 0".
Please enter User PIN: C_SeedRandom() and C_GenerateRandom():
  ERR: C_GenerateRandom(buf1,100) failed: CKR_ARGUMENTS_BAD (0x7)
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)

Aborting.

Regards,
Sanaullah

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing
conversations that shape the rapidly evolving mobile landscape. Sign up now.
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: anyone tested spyrus token with pkcs11-tool?

Douglas E. Engert


On 11/26/2013 5:00 AM, Sanaullah wrote:

> Hi,
>
> I am trying to generate the keys to Spyrus token using pkcs11-tool but getting errors. Anyone tested it?
>
> pkcs11-tool.exe --module "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
> Key pair generated:
> warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
> Private Key Object; RSA
> warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>    ID:         02
>    Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>
> warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
> warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
> Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
> ; RSA 0 bits
> warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>    ID:         02
>    Usage:      encrypt, verify, wrap
>
>
> C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll" --login --test
> Using slot 0 with a present token (0x0)
> Logging in to "SPYRUS USB Token 0".
> Please enter User PIN: C_SeedRandom() and C_GenerateRandom():
>    ERR: C_GenerateRandom(buf1,100) failed: CKR_ARGUMENTS_BAD (0x7)
> Digests:
>    all 4 digest functions seem to work
>    SHA-1: OK
> error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)

Sounds like your PKCS11sc.dll does not support many of the PKCS#11 functions.

Try using the OpenSC pkcs11-spy as the module, and have pkcs11-spy load
the PKCS11sc.dll.

>
> Aborting.
>
> Regards,
> Sanaullah

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: anyone tested spyrus token with pkcs11-tool?

Sanaullah

Here is the output from pkcs11-spy..

C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
No slots.

C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
Key pair generated:
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  ID:         02
  Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

; RSA 0 bits
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  ID:         02
  Usage:      encrypt, verify, wrap



Re: anyone tested spyrus token with pkcs11-tool?

Douglas E. Engert
That is not the output of spy. It will write an output file. On Windows, I am not
sure where it writes it. You can use the environment

On 11/26/2013 8:35 AM, Sanaullah wrote:
>
> Here is the output from pkcs11-spy..


This is not the output of spy. SPY will write an output file. I am not
sure where it writes it on Windows.  You can use the environment PKCS11SPY_OUTPUT
or look in the registry:
HKEY_LOCAL_MACHINE, "Software\\OpenSC Project\\PKCS11-Spy"
or
HKEY_CURRENT_USER, "Software\\OpenSC Project\\PKCS11-Spy"
for Output.


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: anyone tested spyrus token with pkcs11-tool?

Sanaullah
Here is the output of pkcs11-spy

C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll"  -l  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0


*************** OpenSC PKCS#11 spy *****************
Loaded: "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"

0: C_GetFunctionList
2013-12-03 12:07:12.500
Returned:  0 CKR_OK

1: C_Initialize
2013-12-03 12:07:12.504
[in] pInitArgs = 00000000
Returned:  0 CKR_OK

2: C_GetSlotList
2013-12-03 12:07:12.518
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK

3: C_GetSlotList
2013-12-03 12:07:12.524
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 0
[out] *pulCount = 0x1
Returned:  0 CKR_OK

4: C_OpenSession
2013-12-03 12:07:12.532
[in] slotID = 0x0
[in] flags = 0x6
pApplication=00000000
Notify=00000000
[out] *phSession = 0x333018
Returned:  0 CKR_OK

5: C_GetTokenInfo
2013-12-03 12:07:12.537
[in] slotID = 0x0
[out] pInfo:
      label:                  '              SPYRUS USB Token 0'
      manufacturerID:         'SPYRUS INC.                     '
      model:                  'Rosetta USB     '
      serialNumber:           '02000000E0001575'
      ulMaxSessionCount:       4096
      ulSessionCount:          1
      ulMaxRwSessionCount:     4096
      ulRwSessionCount:        1
      ulMaxPinLen:             20
      ulMinPinLen:             1
      ulTotalPublicMemory:     8000
      ulFreePublicMemory:      8000
      ulTotalPrivateMemory:    8000
      ulFreePrivateMemory:     8000
      hardwareVersion:         2.4
      firmwareVersion:         1.32
      time:                   '                '
      flags:                   40d
        CKF_RNG
        CKF_LOGIN_REQUIRED
        CKF_USER_PIN_INITIALIZED
        CKF_TOKEN_INITIALIZED
Returned:  0 CKR_OK
Logging in to "SPYRUS USB Token 0".
Please enter User PIN:
6: C_Login
2013-12-03 12:07:38.747
[in] hSession = 0x333018
[in] userType = CKU_USER
[in] pPin[ulPinLen] 01dced30 / 4
    00000000  31 32 33 34                                      1234
Returned:  0 CKR_OK

7: C_GenerateKeyPair
2013-12-03 12:07:39.795
[in] hSession = 0x333018
pMechanism->type=CKM_EC_KEY_PAIR_GEN
[in] pPublicKeyTemplate[7]:
    CKA_CLASS             CKO_PUBLIC_KEY
    CKA_TOKEN             True
    CKA_ENCRYPT           True
    CKA_VERIFY            True
    CKA_WRAP              True
    CKA_ECDSA_PARAMS      01dce350 / 10
    00000000  06 08 2A 86 48 CE 3D 03 01 07                    ..*.H.=...
    CKA_ID                00419060 / 1
    00000000  02                                               .
[in] pPrivateKeyTemplate[8]:
    CKA_CLASS             CKO_PRIVATE_KEY
    CKA_TOKEN             True
    CKA_PRIVATE           True
    CKA_SENSITIVE         True
    CKA_DECRYPT           True
    CKA_SIGN              True
    CKA_UNWRAP            True
    CKA_ID                00419060 / 1
    00000000  02                                               .
[out] hPublicKey = 0x3338c8
[out] hPrivateKey = 0x333948
Returned:  0 CKR_OK
Key pair generated:

8: C_GetAttributeValue
2013-12-03 12:07:39.914
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_CLASS             0028faa8 / 4
[out] pTemplate[1]:
    CKA_CLASS             CKO_PRIVATE_KEY
Returned:  0 CKR_OK

9: C_GetAttributeValue
2013-12-03 12:07:39.925
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_KEY_TYPE          0028fa48 / 4
[out] pTemplate[1]:
    CKA_KEY_TYPE          0028fa48 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


10: C_GetAttributeValue
2013-12-03 12:07:39.940
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_CLASS             0028fa48 / 4
[out] pTemplate[1]:
    CKA_CLASS             CKO_PRIVATE_KEY
Returned:  0 CKR_OK
Private Key Object; RSA

11: C_GetAttributeValue
2013-12-03 12:07:39.940
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_LABEL             00000000 / 0
[out] pTemplate[1]:
    CKA_LABEL             00000000 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


12: C_GetAttributeValue
2013-12-03 12:07:39.942
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_ID                00000000 / 0
[out] pTemplate[1]:
    CKA_ID                00000000 / 1
Returned:  0 CKR_OK

13: C_GetAttributeValue
2013-12-03 12:07:39.942
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_ID                006889a0 / 1
[out] pTemplate[1]:
    CKA_ID                006889a0 / 1
    00000000  02                                               .
Returned:  0 CKR_OK
  ID:         02
  Usage:
14: C_GetAttributeValue
2013-12-03 12:07:39.947
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_DECRYPT           0028fa4b / 1
[out] pTemplate[1]:
    CKA_DECRYPT           True
Returned:  0 CKR_OK
decrypt
15: C_GetAttributeValue
2013-12-03 12:07:39.948
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_SIGN              0028fa4b / 1
[out] pTemplate[1]:
    CKA_SIGN              True
Returned:  0 CKR_OK
, sign
16: C_GetAttributeValue
2013-12-03 12:07:39.962
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_? (0x80000001)    0028fa4b / 1
[out] pTemplate[1]:
    CKA_? (0x80000001)    0028fa4b / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID

17: C_GetAttributeValue
2013-12-03 12:07:39.963
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_UNWRAP            0028fa4b / 1
[out] pTemplate[1]:
    CKA_UNWRAP            True
Returned:  0 CKR_OK
, unwrap
18: C_GetAttributeValue
2013-12-03 12:07:39.964
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_DERIVE            0028fa4b / 1
[out] pTemplate[1]:
    CKA_DERIVE            0028fa4b / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)



19: C_GetAttributeValue
2013-12-03 12:07:39.969
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
    CKA_ALWAYS_AUTHENTICATE  0028fa4b / 1
[out] pTemplate[1]:
    CKA_ALWAYS_AUTHENTICATE  0028fa4b / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


20: C_GetAttributeValue
2013-12-03 12:07:39.975
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_CLASS             0028faa8 / 4
[out] pTemplate[1]:
    CKA_CLASS             CKO_PUBLIC_KEY
Returned:  0 CKR_OK

21: C_GetAttributeValue
2013-12-03 12:07:39.982
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_KEY_TYPE          0028fa48 / 4
[out] pTemplate[1]:
    CKA_KEY_TYPE          0028fa48 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


22: C_GetAttributeValue
2013-12-03 12:07:39.990
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_CLASS             0028fa48 / 4
[out] pTemplate[1]:
    CKA_CLASS             CKO_PUBLIC_KEY
Returned:  0 CKR_OK
Public Key Object
23: C_GetAttributeValue
2013-12-03 12:07:39.996
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_MODULUS_BITS      0028fa48 / 4
[out] pTemplate[1]:
    CKA_MODULUS_BITS      0028fa48 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

; RSA 0 bits

24: C_GetAttributeValue
2013-12-03 12:07:40.003
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_LABEL             00000000 / 0
[out] pTemplate[1]:
    CKA_LABEL             00000000 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


25: C_GetAttributeValue
2013-12-03 12:07:40.013
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_ID                00000000 / 0
[out] pTemplate[1]:
    CKA_ID                00000000 / 1
Returned:  0 CKR_OK

26: C_GetAttributeValue
2013-12-03 12:07:40.021
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_ID                006889a0 / 1
[out] pTemplate[1]:
    CKA_ID                006889a0 / 1
    00000000  02                                               .
Returned:  0 CKR_OK
  ID:         02
  Usage:
27: C_GetAttributeValue
2013-12-03 12:07:40.028
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_ENCRYPT           0028fa4b / 1
[out] pTemplate[1]:
    CKA_ENCRYPT           True
Returned:  0 CKR_OK
encrypt
28: C_GetAttributeValue
2013-12-03 12:07:40.029
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_VERIFY            0028fa4b / 1
[out] pTemplate[1]:
    CKA_VERIFY            True
Returned:  0 CKR_OK
, verify
29: C_GetAttributeValue
2013-12-03 12:07:40.036
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
    CKA_WRAP              0028fa4b / 1
[out] pTemplate[1]:
    CKA_WRAP              True
Returned:  0 CKR_OK
, wrap

30: C_CloseSession
2013-12-03 12:07:40.045
[in] hSession = 0x333018
Returned:  0 CKR_OK

31: C_Finalize
2013-12-03 12:07:40.045
Returned:  0 CKR_OK



On Tue, Nov 26, 2013 at 7:57 PM, Douglas E. Engert <[hidden email]> wrote:
That is not the output of spy. It will write an output file. On Windows, I am not
sure where it writes it. You can use the environment


On 11/26/2013 8:35 AM, Sanaullah wrote:

Here is the output from pkcs11-spy..


This is not the output of spy. SPY will write an output file. I am not
sure where it writes it on Windows.  You can use the environment PKCS11SPY_OUTPUT
or look in the registry:
HKEY_LOCAL_MACHINE, "Software\\OpenSC Project\\PKCS11-Spy"
or
HKEY_CURRENT_USER, "Software\\OpenSC Project\\PKCS11-Spy"
for Output.


C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-sp
y.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
No slots.

C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-sp
y.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
Key pair generated:
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
E_TYPE_INVALID (0x12)

Private Key Object; RSA
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
YPE_INVALID (0x12)

   ID:         02
   Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(
DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = C
KR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
E_TYPE_INVALID (0x12)

Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) fail
ed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

; RSA 0 bits
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
YPE_INVALID (0x12)

   ID:         02
   Usage:      encrypt, verify, wrap


On Tue, Nov 26, 2013 at 7:19 PM, Douglas E. Engert <[hidden email] <mailto:[hidden email]>> wrote:



    On 11/26/2013 5:00 AM, Sanaullah wrote:
     > Hi,
     >
     > I am trying to generate the keys to spryus token using pkcs11-tool but getting errors. anyone tested it ?
     >
     > pkcs11-tool.exe --module "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"  -l  --pin 1234  --keypairge
     > n  --key-type EC:prime256v1 --id 02 --slot 0
     > Key pair generated:
     > warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
     > E_TYPE_INVALID (0x12)
     >
     > Private Key Object; RSA
     > warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
     > YPE_INVALID (0x12)
     >
     >    ID:         02
     >    Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(
     > DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
     >
     >
     > warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = C
     > KR_ATTRIBUTE_TYPE_INVALID (0x12)
     >
     > warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
     > E_TYPE_INVALID (0x12)
     >
     > Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) fail
     > ed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
     >
     > ; RSA 0 bits
     > warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
     > YPE_INVALID (0x12)
     >
     >    ID:         02
     >    Usage:      encrypt, verify, wrap
     >
     >
     > C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "C:\Users\
     > san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll" --login --test
     > Using slot 0 with a present token (0x0)
     > Logging in to "SPYRUS USB Token 0".
     > Please enter User PIN: C_SeedRandom() and C_GenerateRandom():
     >    ERR: C_GenerateRandom(buf1,100) failed: CKR_ARGUMENTS_BAD (0x7)
     > Digests:
     >    all 4 digest functions seem to work
     >    SHA-1: OK
     > error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)

    Sounds like your PKCS11sc.dll does not support many of the PKCS#11 functions.

    Try using the OpenSC pkcs11-spy as the module, and have pkcs11-spy load
    the PKCS11sc.dll.
     >
     > Aborting.
     >
     > Regards,
     > Sanaullah
     >
     >
     >

    --

       Douglas E. Engert  <[hidden email] <mailto:[hidden email]>>

       Argonne National Laboratory
       9700 South Cass Avenue
       Argonne, Illinois  60439
       (630) 252-5444




--

 Douglas E. Engert  <[hidden email]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444



Re: anyone tested spyrus token with pkcs11-tool?

Douglas E. Engert


On 12/3/2013 1:10 AM, Sanaullah wrote:

> Here is the output of pkcs11-spy
>
> C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll"  -l  --
> keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
>
>
> *************** OpenSC PKCS#11 spy *****************
> Loaded: "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"
>
> 0: C_GetFunctionList
> 2013-12-03 12:07:12.500
> Returned:  0 CKR_OK
>
> 1: C_Initialize
> 2013-12-03 12:07:12.504
> [in] pInitArgs = 00000000
> Returned:  0 CKR_OK
>
> 2: C_GetSlotList
> 2013-12-03 12:07:12.518
> [in] tokenPresent = 0x0
> [out] pSlotList:
> Count is 1
> [out] *pulCount = 0x1
> Returned:  0 CKR_OK
>
> 3: C_GetSlotList
> 2013-12-03 12:07:12.524
> [in] tokenPresent = 0x0
> [out] pSlotList:
> Slot 0
> [out] *pulCount = 0x1
> Returned:  0 CKR_OK
>
> 4: C_OpenSession
> 2013-12-03 12:07:12.532
> [in] slotID = 0x0
> [in] flags = 0x6
> pApplication=00000000
> Notify=00000000
> [out] *phSession = 0x333018
> Returned:  0 CKR_OK
>
> 5: C_GetTokenInfo
> 2013-12-03 12:07:12.537
> [in] slotID = 0x0
> [out] pInfo:
>        label:                  '              SPYRUS USB Token 0'
>        manufacturerID:         'SPYRUS INC.                     '
>        model:                  'Rosetta USB     '
>        serialNumber:           '02000000E0001575'
>        ulMaxSessionCount:       4096
>        ulSessionCount:          1
>        ulMaxRwSessionCount:     4096
>        ulRwSessionCount:        1
>        ulMaxPinLen:             20
>        ulMinPinLen:             1
>        ulTotalPublicMemory:     8000
>        ulFreePublicMemory:      8000
>        ulTotalPrivateMemory:    8000
>        ulFreePrivateMemory:     8000
>        hardwareVersion:         2.4
>        firmwareVersion:         1.32
>        time:                   '                '
>        flags:                   40d
>          CKF_RNG
>          CKF_LOGIN_REQUIRED
>          CKF_USER_PIN_INITIALIZED
>          CKF_TOKEN_INITIALIZED
> Returned:  0 CKR_OK
> Logging in to "SPYRUS USB Token 0".
> Please enter User PIN:
> 6: C_Login
> 2013-12-03 12:07:38.747
> [in] hSession = 0x333018
> [in] userType = CKU_USER
> [in] pPin[ulPinLen] 01dced30 / 4
>      00000000  31 32 33 34                                      1234
> Returned:  0 CKR_OK
>
> 7: C_GenerateKeyPair
> 2013-12-03 12:07:39.795
> [in] hSession = 0x333018
> pMechanism->type=CKM_EC_KEY_PAIR_GEN
> [in] pPublicKeyTemplate[7]:
>      CKA_CLASS             CKO_PUBLIC_KEY
>      CKA_TOKEN             True
>      CKA_ENCRYPT           True
>      CKA_VERIFY            True
>      CKA_WRAP              True
>      CKA_ECDSA_PARAMS      01dce350 / 10
>      00000000  06 08 2A 86 48 CE 3D 03 01 07                    ..*.H.=...
>      CKA_ID                00419060 / 1
>      00000000  02                                               .
> [in] pPrivateKeyTemplate[8]:
>      CKA_CLASS             CKO_PRIVATE_KEY
>      CKA_TOKEN             True
>      CKA_PRIVATE           True
>      CKA_SENSITIVE         True
>      CKA_DECRYPT           True
>      CKA_SIGN              True
>      CKA_UNWRAP            True
>      CKA_ID                00419060 / 1
>      00000000  02                                               .
> [out] hPublicKey = 0x3338c8
> [out] hPrivateKey = 0x333948
> Returned:  0 CKR_OK
> Key pair generated:

The above says the keypair was generated.
Note: hPublicKey = 0x3338c8
and   hPrivateKey = 0x333948


But pkcs11-tool should not be setting CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP
but should be setting CKA_DERIVE



The rest of this is pkcs11-tool displaying some of the attributes of the keypair.

>
> 8: C_GetAttributeValue
> 2013-12-03 12:07:39.914
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_CLASS             0028faa8 / 4
> [out] pTemplate[1]:
>      CKA_CLASS             CKO_PRIVATE_KEY
> Returned:  0 CKR_OK
>
> 9: C_GetAttributeValue
> 2013-12-03 12:07:39.925
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_KEY_TYPE          0028fa48 / 4
> [out] pTemplate[1]:
>      CKA_KEY_TYPE          0028fa48 / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
> warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID
>   (0x12)
>

This should have returned CKK_ECDSA (0x0000003)
Are you sure the Spyrus supports ECC? Does their pkcs11 module support it?
Their card may support it, but their pkcs11 module may not or has a bug.
Asking for the CKA_KEY_TYPE must be supported if more than RSA keys
are supported. If only RSA is supported, there is no need to ask what is the type
of key.

Run this command:
C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll" -M
and see if CKM_EC_KEY_PAIR_GEN is one of the mechanisms.

>
> 10: C_GetAttributeValue
> 2013-12-03 12:07:39.940
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_CLASS             0028fa48 / 4
> [out] pTemplate[1]:
>      CKA_CLASS             CKO_PRIVATE_KEY
> Returned:  0 CKR_OK
> Private Key Object; RSA
>
> 11: C_GetAttributeValue
> 2013-12-03 12:07:39.940
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_LABEL             00000000 / 0
> [out] pTemplate[1]:
>      CKA_LABEL             00000000 / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
> warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0
> x12)

Every pkcs11 object can have a label, so their pkcs11 should return length 0
if there is no label, but not CKR_ATTRIBUTE_TYPE_INVALID.


>
>
> 12: C_GetAttributeValue
> 2013-12-03 12:07:39.942
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_ID                00000000 / 0
> [out] pTemplate[1]:
>      CKA_ID                00000000 / 1
> Returned:  0 CKR_OK
>
> 13: C_GetAttributeValue
> 2013-12-03 12:07:39.942
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_ID                006889a0 / 1
> [out] pTemplate[1]:
>      CKA_ID                006889a0 / 1
>      00000000  02                                               .
> Returned:  0 CKR_OK
>    ID:         02
>    Usage:
> 14: C_GetAttributeValue
> 2013-12-03 12:07:39.947
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_DECRYPT           0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_DECRYPT           True
> Returned:  0 CKR_OK

This does not look correct. EC keypairs can sign/verify and derive.
They cannot encrypt/decrypt.

But this could be caused by pkcs11-tool setting these wrong.

> decrypt
> 15: C_GetAttributeValue
> 2013-12-03 12:07:39.948
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_SIGN              0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_SIGN              True
> Returned:  0 CKR_OK
> , sign
> 16: C_GetAttributeValue
> 2013-12-03 12:07:39.962
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_? (0x80000001)    0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_? (0x80000001)    0028fa4b / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>
> 17: C_GetAttributeValue
> 2013-12-03 12:07:39.963
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_UNWRAP            0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_UNWRAP            True
> Returned:  0 CKR_OK
> , unwrap
> 18: C_GetAttributeValue
> 2013-12-03 12:07:39.964
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_DERIVE            0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_DERIVE            0028fa4b / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
> warning: PKCS11 function C_GetAttributeValue(DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (
> 0x12)

Their pkcs11 library does not know about CKA_DERIVE, sounds like they do not
support ECC.

>
>
>
> 19: C_GetAttributeValue
> 2013-12-03 12:07:39.969
> [in] hSession = 0x333018
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_ALWAYS_AUTHENTICATE  0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_ALWAYS_AUTHENTICATE  0028fa4b / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
> warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_T
> YPE_INVALID (0x12)


Too bad, they do not support this either.

>
>
> 20: C_GetAttributeValue
> 2013-12-03 12:07:39.975
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_CLASS             0028faa8 / 4
> [out] pTemplate[1]:
>      CKA_CLASS             CKO_PUBLIC_KEY
> Returned:  0 CKR_OK
>
> 21: C_GetAttributeValue
> 2013-12-03 12:07:39.982
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_KEY_TYPE          0028fa48 / 4
> [out] pTemplate[1]:
>      CKA_KEY_TYPE          0028fa48 / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
> warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID
>   (0x12)
>
>
> 22: C_GetAttributeValue
> 2013-12-03 12:07:39.990
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_CLASS             0028fa48 / 4
> [out] pTemplate[1]:
>      CKA_CLASS             CKO_PUBLIC_KEY
> Returned:  0 CKR_OK
> Public Key Object
> 23: C_GetAttributeValue
> 2013-12-03 12:07:39.996
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_MODULUS_BITS      0028fa48 / 4
> [out] pTemplate[1]:
>      CKA_MODULUS_BITS      0028fa48 / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
> warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INV
> ALID (0x12)
>
> ; RSA 0 bits
>
> 24: C_GetAttributeValue
> 2013-12-03 12:07:40.003
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_LABEL             00000000 / 0
> [out] pTemplate[1]:
>      CKA_LABEL             00000000 / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
> warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0
> x12)
>
>
> 25: C_GetAttributeValue
> 2013-12-03 12:07:40.013
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_ID                00000000 / 0
> [out] pTemplate[1]:
>      CKA_ID                00000000 / 1
> Returned:  0 CKR_OK
>
> 26: C_GetAttributeValue
> 2013-12-03 12:07:40.021
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_ID                006889a0 / 1
> [out] pTemplate[1]:
>      CKA_ID                006889a0 / 1
>      00000000  02                                               .
> Returned:  0 CKR_OK
>    ID:         02
>    Usage:
> 27: C_GetAttributeValue
> 2013-12-03 12:07:40.028
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_ENCRYPT           0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_ENCRYPT           True
> Returned:  0 CKR_OK
> encrypt
> 28: C_GetAttributeValue
> 2013-12-03 12:07:40.029
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_VERIFY            0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_VERIFY            True
> Returned:  0 CKR_OK
> , verify
> 29: C_GetAttributeValue
> 2013-12-03 12:07:40.036
> [in] hSession = 0x333018
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_WRAP              0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_WRAP              True
> Returned:  0 CKR_OK
> , wrap
>
> 30: C_CloseSession
> 2013-12-03 12:07:40.045
> [in] hSession = 0x333018
> Returned:  0 CKR_OK
>
> 31: C_Finalize
> 2013-12-03 12:07:40.045
> Returned:  0 CKR_OK
>

In a nutshell, their lib appears to not support some basic attributes,
and attributes for ECC. It may only support RSA. Ask Spyrus.

>
>
> On Tue, Nov 26, 2013 at 7:57 PM, Douglas E. Engert <[hidden email] <mailto:[hidden email]>> wrote:
>
>     That is not the output of spy. It will write an output file. On Windows, I am not
>     sure where it writes it. You can use the environment
>
>
>     On 11/26/2013 8:35 AM, Sanaullah wrote:
>
>
>         Here is the output from pkcs11-spy..
>
>
>
>     This is not the output of spy. SPY will write an output file. I am not
>     sure where it writes it on Windows.  You can use the environment PKCS11SPY_OUTPUT
>     or look in the registry:
>     HKEY_LOCAL_MACHINE, "Software\\OpenSC Project\\PKCS11-Spy"
>     or
>     HKEY_CURRENT_USER, "Software\\OpenSC Project\\PKCS11-Spy"
>     for Output.
>
>
>         C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-sp
>         y.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
>         No slots.
>
>         C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-sp
>         y.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
>         Key pair generated:
>         warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
>         E_TYPE_INVALID (0x12)
>
>         Private Key Object; RSA
>         warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
>         YPE_INVALID (0x12)
>
>             ID:         02
>             Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(
>         DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>
>         warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = C
>         KR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>         warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
>         E_TYPE_INVALID (0x12)
>
>         Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) fail
>         ed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>         ; RSA 0 bits
>         warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
>         YPE_INVALID (0x12)
>
>             ID:         02
>             Usage:      encrypt, verify, wrap
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
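
The checks made by hand in the reply above (which attribute reads the vendor module rejects, and which usage flags the key generation template carried) can be pulled out of a pkcs11-spy log mechanically. This is an added example, not part of the original thread or of OpenSC; the function names are hypothetical and the embedded log is abridged from the one quoted above.

```python
import re
from collections import defaultdict

# Abridged from the pkcs11-spy log quoted in this thread: timestamps and most
# calls dropped, mail quote prefixes ("> ") kept to show they are tolerated.
SAMPLE_LOG = """\
> 7: C_GenerateKeyPair
> pMechanism->type=CKM_EC_KEY_PAIR_GEN
> [in] pPublicKeyTemplate[7]:
>      CKA_ENCRYPT           True
>      CKA_VERIFY            True
>      CKA_WRAP              True
> [in] pPrivateKeyTemplate[8]:
>      CKA_DECRYPT           True
>      CKA_SIGN              True
>      CKA_UNWRAP            True
> [out] hPublicKey = 0x3338c8
> [out] hPrivateKey = 0x333948
> Returned:  0 CKR_OK
> Key pair generated:
> 15: C_GetAttributeValue
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_SIGN              0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_SIGN              True
> Returned:  0 CKR_OK
> 18: C_GetAttributeValue
> [in] hObject = 0x333948
> [in] pTemplate[1]:
>      CKA_DERIVE            0028fa4b / 1
> [out] pTemplate[1]:
>      CKA_DERIVE            0028fa4b / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
> 21: C_GetAttributeValue
> [in] hObject = 0x3338c8
> [in] pTemplate[1]:
>      CKA_KEY_TYPE          0028fa48 / 4
> [out] pTemplate[1]:
>      CKA_KEY_TYPE          0028fa48 / -1
> Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
"""

QUOTE_RE = re.compile(r"^(\s*>)+")              # mail quote markers
CALL_RE = re.compile(r"^(\d+): (C_\w+)$")       # "7: C_GenerateKeyPair"
ATTR_RE = re.compile(r"^(CKA_\S+)\s+(.*)$")     # "CKA_SIGN   True"
RET_RE = re.compile(r"^Returned:\s+\d+\s+(CKR_\w+)")

def parse_calls(log):
    """Split a spy log into call records; text after 'Returned:' is the
    calling tool's own output and is ignored."""
    calls, cur = [], None
    for raw in log.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        if (m := CALL_RE.match(line)):
            cur = {"seq": int(m.group(1)), "func": m.group(2), "body": [], "rv": None}
            calls.append(cur)
        elif cur is not None:
            if (r := RET_RE.match(line)):
                cur["rv"] = r.group(1)
                cur = None
            else:
                cur["body"].append(line)
    return calls

def failed_attributes(calls):
    """Return {object handle: {attribute: return code}} for failed reads."""
    failed = defaultdict(dict)
    for c in calls:
        if c["func"] != "C_GetAttributeValue" or c["rv"] in (None, "CKR_OK"):
            continue
        handle, attr, in_request = None, None, False
        for line in c["body"]:
            if line.startswith("[in] hObject"):
                handle = line.split("=", 1)[1].strip()
            elif line.startswith("["):
                in_request = line.startswith("[in] pTemplate")
            elif in_request and attr is None and (m := ATTR_RE.match(line)):
                attr = m.group(1)
        if handle and attr:
            failed[handle][attr] = c["rv"]
    return dict(failed)

RSA_STYLE_USAGE = {"CKA_ENCRYPT", "CKA_DECRYPT", "CKA_WRAP", "CKA_UNWRAP"}

def ec_template_findings(calls):
    """For each EC key pair generation, report the RSA-style usage flags the
    caller set to True and whether CKA_DERIVE was requested."""
    findings = []
    for c in calls:
        if (c["func"] != "C_GenerateKeyPair"
                or "pMechanism->type=CKM_EC_KEY_PAIR_GEN" not in c["body"]):
            continue
        true_attrs = {m.group(1) for line in c["body"]
                      if (m := ATTR_RE.match(line)) and m.group(2).strip() == "True"}
        findings.append({"seq": c["seq"],
                         "rsa_style": sorted(true_attrs & RSA_STYLE_USAGE),
                         "derive_requested": "CKA_DERIVE" in true_attrs})
    return findings
```
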


Re: anyone tested spyrus token with pkcs11-tool?

Sanaullah
I ran the command pkcs11-tool.exe --module "pkcs11-spy.dll" -M and haven't seen CKK_ECDSA, but in the C_GetMechanismList there is CKM_ECDSA.

C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll" -M


*************** OpenSC PKCS#11 spy *****************
Loaded: "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"

0: C_GetFunctionList
2013-12-03 21:55:18.324
Returned:  0 CKR_OK

1: C_Initialize
2013-12-03 21:55:18.324
[in] pInitArgs = 00000000
Returned:  0 CKR_OK

2: C_GetSlotList
2013-12-03 21:55:18.331
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK

3: C_GetSlotList
2013-12-03 21:55:18.333
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 0
[out] *pulCount = 0x1
Returned:  0 CKR_OK

4: C_GetSlotInfo
2013-12-03 21:55:18.336
[in] slotID = 0x0
[out] pInfo:
      slotDescription:        'SPYRUS USB Token 1              '
                              '                                '
      manufacturerID:         'SPYRUS                          '
      hardwareVersion:         0.0
      firmwareVersion:         0.0
      flags:                   7
        CKF_TOKEN_PRESENT
        CKF_REMOVABLE_DEVICE
        CKF_HW_SLOT
Returned:  0 CKR_OK
Using slot 0 with a present token (0x0)

5: C_GetMechanismList
2013-12-03 21:55:18.338
[in] slotID = 0x0
[out] pMechanismList[20]:
Count is 20
Returned:  0 CKR_OK

6: C_GetMechanismList
2013-12-03 21:55:18.338
[in] slotID = 0x0
[out] pMechanismList[20]:
 CKM_RSA_PKCS
 CKM_RSA_X_509
 CKM_ECDSA
 CKM_ECDSA_SHA1
 CKM_EC_KEY_PAIR_GEN
 CKM_ECDH1_DERIVE
 CKM_RC2_KEY_GEN
 CKM_RC2_CBC
 CKM_RC4_KEY_GEN
 CKM_RC4
 CKM_AES_KEY_GEN
 CKM_AES_CBC
 CKM_DES3_KEY_GEN
 CKM_DES3_CBC
 CKM_SHA_1
 Unknown Mechanism (00000255)
 CKM_SHA384
 CKM_SHA512
 CKM_MD5
 CKM_RSA_PKCS_KEY_PAIR_GEN
Returned:  0 CKR_OK
Supported mechanisms:
  RSA-PKCS
7: C_GetMechanismInfo
2013-12-03 21:55:18.343
[in] slotID = 0x0
 CKM_RSA_PKCS
[out] pInfo:
CKM_RSA_PKCS                  : min:1024 max:2048 flags:0x67B01 ( Hardware Encrypt Decrypt Sig
n SigRecov Verify VerRecov Wrap Unwrap )
Returned:  0 CKR_OK
, keySize={1024,2048}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap,
 unwrap
  RSA-X-509
8: C_GetMechanismInfo
2013-12-03 21:55:18.352
[in] slotID = 0x0
 CKM_RSA_X_509
[out] pInfo:
CKM_RSA_X_509                 : min:1024 max:2048 flags:0x67B01 ( Hardware Encrypt Decrypt Sig
n SigRecov Verify VerRecov Wrap Unwrap )
Returned:  0 CKR_OK
, keySize={1024,2048}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap,
 unwrap
  ECDSA
9: C_GetMechanismInfo
2013-12-03 21:55:18.357
[in] slotID = 0x0
 CKM_ECDSA
[out] pInfo:
CKM_ECDSA                     : min:256 max:521 flags:0x2801 ( Hardware Sign Verify )
Returned:  0 CKR_OK
, keySize={256,521}, hw, sign, verify
  ECDSA-SHA1
10: C_GetMechanismInfo
2013-12-03 21:55:18.362
[in] slotID = 0x0
 CKM_ECDSA_SHA1
[out] pInfo:
CKM_ECDSA_SHA1                : min:256 max:521 flags:0x2801 ( Hardware Sign Verify )
Returned:  0 CKR_OK
, keySize={256,521}, hw, sign, verify
  ECDSA-KEY-PAIR-GEN
11: C_GetMechanismInfo
2013-12-03 21:55:18.368
[in] slotID = 0x0
 CKM_EC_KEY_PAIR_GEN
[out] pInfo:
CKM_EC_KEY_PAIR_GEN           : min:256 max:521 flags:0x10001 ( Hardware KeyPair )
Returned:  0 CKR_OK
, keySize={256,521}, hw, generate_key_pair
  ECDH1-DERIVE
12: C_GetMechanismInfo
2013-12-03 21:55:18.370
[in] slotID = 0x0
 CKM_ECDH1_DERIVE
[out] pInfo:
CKM_ECDH1_DERIVE              : min:256 max:521 flags:0x80001 ( Hardware Derive )
Returned:  0 CKR_OK
, keySize={256,521}, hw, derive
  RC2-KEY-GEN
13: C_GetMechanismInfo
2013-12-03 21:55:18.376
[in] slotID = 0x0
 CKM_RC2_KEY_GEN
[out] pInfo:
CKM_RC2_KEY_GEN               : min:40 max:128 flags:0x8000 ( Generate )
Returned:  0 CKR_OK
, keySize={40,128}, generate
  RC2-CBC
14: C_GetMechanismInfo
2013-12-03 21:55:18.382
[in] slotID = 0x0
 CKM_RC2_CBC
[out] pInfo:
CKM_RC2_CBC                   : min:40 max:128 flags:0x300 ( Encrypt Decrypt )
Returned:  0 CKR_OK
, keySize={40,128}, encrypt, decrypt
  RC4-KEY-GEN
15: C_GetMechanismInfo
2013-12-03 21:55:18.384
[in] slotID = 0x0
 CKM_RC4_KEY_GEN
[out] pInfo:
CKM_RC4_KEY_GEN               : min:40 max:128 flags:0x8000 ( Generate )
Returned:  0 CKR_OK
, keySize={40,128}, generate
  RC4
16: C_GetMechanismInfo
2013-12-03 21:55:18.390
[in] slotID = 0x0
 CKM_RC4
[out] pInfo:
CKM_RC4                       : min:40 max:128 flags:0x300 ( Encrypt Decrypt )
Returned:  0 CKR_OK
, keySize={40,128}, encrypt, decrypt
  AES-KEY-GEN
17: C_GetMechanismInfo
2013-12-03 21:55:18.395
[in] slotID = 0x0
 CKM_AES_KEY_GEN
[out] pInfo:
CKM_AES_KEY_GEN               : min:16 max:32 flags:0x8001 ( Hardware Generate )
Returned:  0 CKR_OK
, keySize={16,32}, hw, generate
  AES-CBC
18: C_GetMechanismInfo
2013-12-03 21:55:18.397
[in] slotID = 0x0
 CKM_AES_CBC
[out] pInfo:
CKM_AES_CBC                   : min:16 max:32 flags:0x301 ( Hardware Encrypt Decrypt )
Returned:  0 CKR_OK
, keySize={16,32}, hw, encrypt, decrypt
  DES3-KEY-GEN
19: C_GetMechanismInfo
2013-12-03 21:55:18.404
[in] slotID = 0x0
 CKM_DES3_KEY_GEN
[out] pInfo:
CKM_DES3_KEY_GEN              : min:192 max:192 flags:0x8001 ( Hardware Generate )
Returned:  0 CKR_OK
, keySize={192,192}, hw, generate
  DES3-CBC
20: C_GetMechanismInfo
2013-12-03 21:55:18.409
[in] slotID = 0x0
 CKM_DES3_CBC
[out] pInfo:
CKM_DES3_CBC                  : min:192 max:192 flags:0x301 ( Hardware Encrypt Decrypt )
Returned:  0 CKR_OK
, keySize={192,192}, hw, encrypt, decrypt
  SHA-1
21: C_GetMechanismInfo
2013-12-03 21:55:18.412
[in] slotID = 0x0
 CKM_SHA_1
[out] pInfo:
CKM_SHA_1                     : min:0 max:0 flags:0x401 ( Hardware Digest )
Returned:  0 CKR_OK
, hw, digest
  mechtype-597
22: C_GetMechanismInfo
2013-12-03 21:55:18.417
[in] slotID = 0x0
 Unknown Mechanism (00000255)
[out] pInfo:
Unknown Mechanism (00000255) : min:0 max:0 flags:0x401 ( Hardware Digest )
Returned:  0 CKR_OK
, hw, digest
  SHA384
23: C_GetMechanismInfo
2013-12-03 21:55:18.423
[in] slotID = 0x0
 CKM_SHA384
[out] pInfo:
CKM_SHA384                    : min:0 max:0 flags:0x401 ( Hardware Digest )
Returned:  0 CKR_OK
, hw, digest
  SHA512
24: C_GetMechanismInfo
2013-12-03 21:55:18.424
[in] slotID = 0x0
 CKM_SHA512
[out] pInfo:
CKM_SHA512                    : min:0 max:0 flags:0x401 ( Hardware Digest )
Returned:  0 CKR_OK
, hw, digest
  MD5
25: C_GetMechanismInfo
2013-12-03 21:55:18.437
[in] slotID = 0x0
 CKM_MD5
[out] pInfo:
CKM_MD5                       : min:0 max:0 flags:0x400 ( Digest )
Returned:  0 CKR_OK
, digest
  RSA-PKCS-KEY-PAIR-GEN
26: C_GetMechanismInfo
2013-12-03 21:55:18.438
[in] slotID = 0x0
 CKM_RSA_PKCS_KEY_PAIR_GEN
[out] pInfo:
CKM_RSA_PKCS_KEY_PAIR_GEN     : min:1024 max:2048 flags:0x10001 ( Hardware KeyPair )
Returned:  0 CKR_OK
, keySize={1024,2048}, hw, generate_key_pair

27: C_Finalize
2013-12-03 21:55:18.439
Returned:  0 CKR_OK

C:\Users\san\Desktop\image-win32\openvpn\bin>


On Tue, Dec 3, 2013 at 9:29 PM, Douglas E. Engert <[hidden email]> wrote:


On 12/3/2013 1:10 AM, Sanaullah wrote:
Here is the output of pkcs11-spy

C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll"  -l  --
keypairgen  --key-type EC:prime256v1 --id 02 --slot 0


*************** OpenSC PKCS#11 spy *****************
Loaded: "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"

0: C_GetFunctionList
2013-12-03 12:07:12.500
Returned:  0 CKR_OK

1: C_Initialize
2013-12-03 12:07:12.504
[in] pInitArgs = 00000000
Returned:  0 CKR_OK

2: C_GetSlotList
2013-12-03 12:07:12.518
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK

3: C_GetSlotList
2013-12-03 12:07:12.524
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 0
[out] *pulCount = 0x1
Returned:  0 CKR_OK

4: C_OpenSession
2013-12-03 12:07:12.532
[in] slotID = 0x0
[in] flags = 0x6
pApplication=00000000
Notify=00000000
[out] *phSession = 0x333018
Returned:  0 CKR_OK

5: C_GetTokenInfo
2013-12-03 12:07:12.537
[in] slotID = 0x0
[out] pInfo:
       label:                  '              SPYRUS USB Token 0'
       manufacturerID:         'SPYRUS INC.                     '
       model:                  'Rosetta USB     '
       serialNumber:           '02000000E0001575'
       ulMaxSessionCount:       4096
       ulSessionCount:          1
       ulMaxRwSessionCount:     4096
       ulRwSessionCount:        1
       ulMaxPinLen:             20
       ulMinPinLen:             1
       ulTotalPublicMemory:     8000
       ulFreePublicMemory:      8000
       ulTotalPrivateMemory:    8000
       ulFreePrivateMemory:     8000
       hardwareVersion:         2.4
       firmwareVersion:         1.32
       time:                   '                '
       flags:                   40d
         CKF_RNG
         CKF_LOGIN_REQUIRED
         CKF_USER_PIN_INITIALIZED
         CKF_TOKEN_INITIALIZED
Returned:  0 CKR_OK
Logging in to "SPYRUS USB Token 0".
Please enter User PIN:
6: C_Login
2013-12-03 12:07:38.747
[in] hSession = 0x333018
[in] userType = CKU_USER
[in] pPin[ulPinLen] 01dced30 / 4
     00000000  31 32 33 34                                      1234
Returned:  0 CKR_OK

7: C_GenerateKeyPair
2013-12-03 12:07:39.795
[in] hSession = 0x333018
pMechanism->type=CKM_EC_KEY_PAIR_GEN
[in] pPublicKeyTemplate[7]:
     CKA_CLASS             CKO_PUBLIC_KEY
     CKA_TOKEN             True
     CKA_ENCRYPT           True
     CKA_VERIFY            True
     CKA_WRAP              True
     CKA_ECDSA_PARAMS      01dce350 / 10
     00000000  06 08 2A 86 48 CE 3D 03 01 07                    ..*.H.=...
     CKA_ID                00419060 / 1
     00000000  02                                               .
[in] pPrivateKeyTemplate[8]:
     CKA_CLASS             CKO_PRIVATE_KEY
     CKA_TOKEN             True
     CKA_PRIVATE           True
     CKA_SENSITIVE         True
     CKA_DECRYPT           True
     CKA_SIGN              True
     CKA_UNWRAP            True
     CKA_ID                00419060 / 1
     00000000  02                                               .
[out] hPublicKey = 0x3338c8
[out] hPrivateKey = 0x333948
Returned:  0 CKR_OK
Key pair generated:

The above says the keypair was generated.
Note: hPublicKey = 0x3338c8
and   hPrivateKey = 0x333948


But pkcs11-tool should not be setting CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP
but should be setting CKA_DERIVE



The rest of this is pkcs11-tool displaying some of the attributes of the keypair.



8: C_GetAttributeValue
2013-12-03 12:07:39.914
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_CLASS             0028faa8 / 4
[out] pTemplate[1]:
     CKA_CLASS             CKO_PRIVATE_KEY
Returned:  0 CKR_OK

9: C_GetAttributeValue
2013-12-03 12:07:39.925
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_KEY_TYPE          0028fa48 / 4
[out] pTemplate[1]:
     CKA_KEY_TYPE          0028fa48 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID
  (0x12)


This should have returned CKK_ECDSA (0x0000003)
Are you sure the Spyrus supports ECC? Does their pkcs11 module support it?
Their card may support it, but their pkcs11 module may not or has a bug.
Asking for the CKA_KEY_TYPE must be supported if more than RSA keys
are supported. If only RSA is supported, there is no need to ask what is the type
of key.

Run this command
C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll" -M
and see if CKM_EC_KEY_PAIR_GEN is one of the mechanisms.



10: C_GetAttributeValue
2013-12-03 12:07:39.940
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_CLASS             0028fa48 / 4
[out] pTemplate[1]:
     CKA_CLASS             CKO_PRIVATE_KEY
Returned:  0 CKR_OK
Private Key Object; RSA

11: C_GetAttributeValue
2013-12-03 12:07:39.940
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_LABEL             00000000 / 0
[out] pTemplate[1]:
     CKA_LABEL             00000000 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0
x12)

Every pkcs11 object can have a label, so their pkcs11 should return length 0
if there is no label, but not CKR_ATTRIBUTE_TYPE_INVALID.





12: C_GetAttributeValue
2013-12-03 12:07:39.942
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_ID                00000000 / 0
[out] pTemplate[1]:
     CKA_ID                00000000 / 1
Returned:  0 CKR_OK

13: C_GetAttributeValue
2013-12-03 12:07:39.942
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_ID                006889a0 / 1
[out] pTemplate[1]:
     CKA_ID                006889a0 / 1
     00000000  02                                               .
Returned:  0 CKR_OK
   ID:         02
   Usage:
14: C_GetAttributeValue
2013-12-03 12:07:39.947
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_DECRYPT           0028fa4b / 1
[out] pTemplate[1]:
     CKA_DECRYPT           True
Returned:  0 CKR_OK

This does not look correct. EC keypairs can sign/verify and derive.
They can not encrypt/decrypt.

But this could be caused by pkcs11-tool setting these wrong.


decrypt
15: C_GetAttributeValue
2013-12-03 12:07:39.948
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_SIGN              0028fa4b / 1
[out] pTemplate[1]:
     CKA_SIGN              True
Returned:  0 CKR_OK
, sign
16: C_GetAttributeValue
2013-12-03 12:07:39.962
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_? (0x80000001)    0028fa4b / 1
[out] pTemplate[1]:
     CKA_? (0x80000001)    0028fa4b / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID

17: C_GetAttributeValue
2013-12-03 12:07:39.963
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_UNWRAP            0028fa4b / 1
[out] pTemplate[1]:
     CKA_UNWRAP            True
Returned:  0 CKR_OK
, unwrap
18: C_GetAttributeValue
2013-12-03 12:07:39.964
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_DERIVE            0028fa4b / 1
[out] pTemplate[1]:
     CKA_DERIVE            0028fa4b / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (
0x12)

Their pkcs11 library does not know about CKA_DERIVE, sounds like they do not
support ECC.





19: C_GetAttributeValue
2013-12-03 12:07:39.969
[in] hSession = 0x333018
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_ALWAYS_AUTHENTICATE  0028fa4b / 1
[out] pTemplate[1]:
     CKA_ALWAYS_AUTHENTICATE  0028fa4b / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_T
YPE_INVALID (0x12)


Too bad, they do not support this either.




20: C_GetAttributeValue
2013-12-03 12:07:39.975
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_CLASS             0028faa8 / 4
[out] pTemplate[1]:
     CKA_CLASS             CKO_PUBLIC_KEY
Returned:  0 CKR_OK

21: C_GetAttributeValue
2013-12-03 12:07:39.982
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_KEY_TYPE          0028fa48 / 4
[out] pTemplate[1]:
     CKA_KEY_TYPE          0028fa48 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID
  (0x12)


22: C_GetAttributeValue
2013-12-03 12:07:39.990
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_CLASS             0028fa48 / 4
[out] pTemplate[1]:
     CKA_CLASS             CKO_PUBLIC_KEY
Returned:  0 CKR_OK
Public Key Object
23: C_GetAttributeValue
2013-12-03 12:07:39.996
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_MODULUS_BITS      0028fa48 / 4
[out] pTemplate[1]:
     CKA_MODULUS_BITS      0028fa48 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INV
ALID (0x12)

; RSA 0 bits

24: C_GetAttributeValue
2013-12-03 12:07:40.003
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_LABEL             00000000 / 0
[out] pTemplate[1]:
     CKA_LABEL             00000000 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0
x12)


25: C_GetAttributeValue
2013-12-03 12:07:40.013
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_ID                00000000 / 0
[out] pTemplate[1]:
     CKA_ID                00000000 / 1
Returned:  0 CKR_OK

26: C_GetAttributeValue
2013-12-03 12:07:40.021
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_ID                006889a0 / 1
[out] pTemplate[1]:
     CKA_ID                006889a0 / 1
     00000000  02                                               .
Returned:  0 CKR_OK
   ID:         02
   Usage:
27: C_GetAttributeValue
2013-12-03 12:07:40.028
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_ENCRYPT           0028fa4b / 1
[out] pTemplate[1]:
     CKA_ENCRYPT           True
Returned:  0 CKR_OK
encrypt
28: C_GetAttributeValue
2013-12-03 12:07:40.029
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_VERIFY            0028fa4b / 1
[out] pTemplate[1]:
     CKA_VERIFY            True
Returned:  0 CKR_OK
, verify
29: C_GetAttributeValue
2013-12-03 12:07:40.036
[in] hSession = 0x333018
[in] hObject = 0x3338c8
[in] pTemplate[1]:
     CKA_WRAP              0028fa4b / 1
[out] pTemplate[1]:
     CKA_WRAP              True
Returned:  0 CKR_OK
, wrap

30: C_CloseSession
2013-12-03 12:07:40.045
[in] hSession = 0x333018
Returned:  0 CKR_OK

31: C_Finalize
2013-12-03 12:07:40.045
Returned:  0 CKR_OK


In a nutshell, their lib appears to not support some basic attributes,
and attributes for ECC. It may only support RSA. Ask Spyrus.



On Tue, Nov 26, 2013 at 7:57 PM, Douglas E. Engert <[hidden email]> wrote:

    That is not the output of spy. It will write an output file. On Windows, I am not
    sure where it writes it. You can use the environment


    On 11/26/2013 8:35 AM, Sanaullah wrote:


        Here is the output from pkcs11-spy..



    This is not the output of spy. SPY will write an output file. I am not
    sure where it writes it on Windows.  You can use the environment PKCS11SPY_OUTPUT
    or look in the registry:
    HKEY_LOCAL_MACHINE, "Software\\OpenSC Project\\PKCS11-Spy"
    or
    HKEY_CURRENT_USER, "Software\\OpenSC Project\\PKCS11-Spy"
    for Output.


        C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-sp
        y.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
        No slots.

        C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-sp
        y.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
        Key pair generated:
        warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
        E_TYPE_INVALID (0x12)

        Private Key Object; RSA
        warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
        YPE_INVALID (0x12)

            ID:         02
            Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(
        DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)


        warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = C
        KR_ATTRIBUTE_TYPE_INVALID (0x12)

        warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
        E_TYPE_INVALID (0x12)

        Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) fail
        ed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

        ; RSA 0 bits
        warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
        YPE_INVALID (0x12)

            ID:         02
            Usage:      encrypt, verify, wrap


        On Tue, Nov 26, 2013 at 7:19 PM, Douglas E. Engert <[hidden email]> wrote:



             On 11/26/2013 5:00 AM, Sanaullah wrote:
              > Hi,
              >
              > I am trying to generate the keys to spryus token using pkcs11-tool but getting errors. anyone tested it ?
              >
              > pkcs11-tool.exe --module "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"  -l  --pin 1234  --keypairge
              > n  --key-type EC:prime256v1 --id 02 --slot 0
              > Key pair generated:
              > warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
              > E_TYPE_INVALID (0x12)
              >
              > Private Key Object; RSA
              > warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
              > YPE_INVALID (0x12)
              >
              >    ID:         02
              >    Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(
              > DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
              >
              >
              > warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = C
              > KR_ATTRIBUTE_TYPE_INVALID (0x12)
              >
              > warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
              > E_TYPE_INVALID (0x12)
              >
              > Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) fail
              > ed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
              >
              > ; RSA 0 bits
              > warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
              > YPE_INVALID (0x12)
              >
              >    ID:         02
              >    Usage:      encrypt, verify, wrap
              >
              >
              > C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "C:\Users\
              > san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll" --login --test
              > Using slot 0 with a present token (0x0)
              > Logging in to "SPYRUS USB Token 0".
              > Please enter User PIN: C_SeedRandom() and C_GenerateRandom():
              >    ERR: C_GenerateRandom(buf1,100) failed: CKR_ARGUMENTS_BAD (0x7)
              > Digests:
              >    all 4 digest functions seem to work
              >    SHA-1: OK
              > error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)

             Sounds like your PKCS11sc.dll does not support many of the PKCS#11 functions.

             Try using the OpenSC pkcs11-spy as the module, and have pkcs11-spy load
             the PKCS11sc.dll.
              >
              > Aborting.
              >
              > Regards,
              > Sanaullah
              >
              >
              >

             --

                Douglas E. Engert  <[hidden email]>


                Argonne National Laboratory
                9700 South Cass Avenue
                Argonne, Illinois  60439
                (630) 252-5444





    --

      Douglas E. Engert  <[hidden email]>
      Argonne National Laboratory
      9700 South Cass Avenue
      Argonne, Illinois  60439
      (630) 252-5444



--

 Douglas E. Engert  <[hidden email]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
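
As an added example (not part of the original message and not OpenSC code), this Python sketch reads a pkcs11-spy log laid out like the one above, lists per object handle the attributes the module rejected, and checks the C_GenerateKeyPair templates for the two points raised in the reply: encrypt/wrap usage set on an EC key and CKA_DERIVE not requested. The function names are hypothetical and the sample is an abridged copy of calls 7, 9 and 18 from this thread.

```python
import re
from collections import defaultdict

# Abridged from the spy log quoted in this thread (calls 7, 9 and 18).
SAMPLE_LOG = """\
7: C_GenerateKeyPair
pMechanism->type=CKM_EC_KEY_PAIR_GEN
[in] pPublicKeyTemplate[7]:
     CKA_ENCRYPT           True
     CKA_WRAP              True
     CKA_ECDSA_PARAMS      01dce350 / 10
     00000000  06 08 2A 86 48 CE 3D 03 01 07                    ..*.H.=...
[in] pPrivateKeyTemplate[8]:
     CKA_DECRYPT           True
     CKA_SIGN              True
     CKA_UNWRAP            True
[out] hPublicKey = 0x3338c8
[out] hPrivateKey = 0x333948
Returned:  0 CKR_OK

9: C_GetAttributeValue
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_KEY_TYPE          0028fa48 / 4
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID
  (0x12)

18: C_GetAttributeValue
[in] hObject = 0x333948
[in] pTemplate[1]:
     CKA_DERIVE            0028fa4b / 1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
"""

CALL = re.compile(r"^(\d+): (C_\w+)$")
RET = re.compile(r"^Returned:\s+\d+ (CKR_\w+)$")
ATTR = re.compile(r"^\s+(CKA_\S+)\s+(.*)$", re.M)
HEXDUMP = re.compile(r"^\s+[0-9a-f]{8}  ((?:[0-9a-f]{2} )+)", re.I)
EC_UNEXPECTED = {"CKA_ENCRYPT", "CKA_DECRYPT", "CKA_WRAP", "CKA_UNWRAP"}

def parse_calls(text):
    """Split a spy log into calls; text after 'Returned:' is the caller's own output."""
    calls, cur = [], None
    for line in map(str.rstrip, text.splitlines()):
        m = CALL.match(line)
        if m:
            cur = {"n": int(m.group(1)), "func": m.group(2), "lines": [], "rv": None}
            calls.append(cur)
        elif cur is not None and RET.match(line):
            cur["rv"] = RET.match(line).group(1)
            cur = None
        elif cur is not None:
            cur["lines"].append(line)
    return calls

def failed_attributes(calls):
    """Map object handle -> [(attribute, return code)] for failed C_GetAttributeValue."""
    failed = defaultdict(list)
    for c in calls:
        if c["func"] == "C_GetAttributeValue" and c["rv"] not in (None, "CKR_OK"):
            body = "\n".join(c["lines"])
            handle = re.search(r"hObject = (0x[0-9a-f]+)", body)
            attr = ATTR.search(body)
            failed[handle.group(1) if handle else "?"].append(
                (attr.group(1) if attr else "?", c["rv"]))
    return dict(failed)

def decode_oid(der):
    """DER OBJECT IDENTIFIER (tag 0x06, short-form length) -> dotted string."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[2] & 0x80:
        raise ValueError("unsupported OID encoding")
    first = min(der[2] // 40, 2)
    arcs, val = [first, der[2] - 40 * first], 0
    for b in der[3:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def review_ec_keygen(call):
    """Compare the templates of an EC key generation with what an EC key can do."""
    usage, params, last = set(), None, None
    for line in call["lines"]:
        a, h = ATTR.match(line), HEXDUMP.match(line)
        if a:
            last = a.group(1)
            if a.group(2).strip() == "True":
                usage.add(last)
        elif h and last == "CKA_ECDSA_PARAMS":
            params = (params or b"") + bytes.fromhex(h.group(1))
    return {"curve_oid": decode_oid(params) if params else None,
            "unexpected_usage": sorted(usage & EC_UNEXPECTED),
            "derive_requested": "CKA_DERIVE" in usage}

def analyze(text):
    calls = parse_calls(text)
    keygen = [review_ec_keygen(c) for c in calls
              if any("CKM_EC_KEY_PAIR_GEN" in l for l in c["lines"])]
    return {"keygen": keygen, "failed": failed_attributes(calls)}
```

The decoded OID 1.2.840.10045.3.1.7 is prime256v1, which matches the `--key-type EC:prime256v1` argument on the command line.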



Re: anyone tested spyrus token with pkcs11-tool?

Douglas E. Engert


On 12/3/2013 11:01 AM, Sanaullah wrote:
> I run the command pkcs11-tool.exe --module "pkcs11-spy.dll" -M , haven't seen the CKK_ECDSA but in the C_GetMechanismList there is CKM_ECDSA.
>
> C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll" -M


Looks like their lib supported ECC.

All of the error messages you had from the original gen-keypair were after the key was generated.
So the card may have a keypair.


>
>
> *************** OpenSC PKCS#11 spy *****************
> Loaded: "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"
>
> 0: C_GetFunctionList
> 2013-12-03 21:55:18.324
> Returned:  0 CKR_OK
>
> 1: C_Initialize
> 2013-12-03 21:55:18.324
> [in] pInitArgs = 00000000
> Returned:  0 CKR_OK
>
> 2: C_GetSlotList
> 2013-12-03 21:55:18.331
> [in] tokenPresent = 0x0
> [out] pSlotList:
> Count is 1
> [out] *pulCount = 0x1
> Returned:  0 CKR_OK
>
> 3: C_GetSlotList
> 2013-12-03 21:55:18.333
> [in] tokenPresent = 0x0
> [out] pSlotList:
> Slot 0
> [out] *pulCount = 0x1
> Returned:  0 CKR_OK
>
> 4: C_GetSlotInfo
> 2013-12-03 21:55:18.336
> [in] slotID = 0x0
> [out] pInfo:
>        slotDescription:        'SPYRUS USB Token 1              '
>                                '                                '
>        manufacturerID:         'SPYRUS                          '
>        hardwareVersion:         0.0
>        firmwareVersion:         0.0
>        flags:                   7
>          CKF_TOKEN_PRESENT
>          CKF_REMOVABLE_DEVICE
>          CKF_HW_SLOT
> Returned:  0 CKR_OK
> Using slot 0 with a present token (0x0)
>
> 5: C_GetMechanismList
> 2013-12-03 21:55:18.338
> [in] slotID = 0x0
> [out] pMechanismList[20]:
> Count is 20
> Returned:  0 CKR_OK
>
> 6: C_GetMechanismList
> 2013-12-03 21:55:18.338
> [in] slotID = 0x0
> [out] pMechanismList[20]:
>   CKM_RSA_PKCS
>   CKM_RSA_X_509
>   CKM_ECDSA
>   CKM_ECDSA_SHA1
>   CKM_EC_KEY_PAIR_GEN
>   CKM_ECDH1_DERIVE
>   CKM_RC2_KEY_GEN
>   CKM_RC2_CBC
>   CKM_RC4_KEY_GEN
>   CKM_RC4
>   CKM_AES_KEY_GEN
>   CKM_AES_CBC
>   CKM_DES3_KEY_GEN
>   CKM_DES3_CBC
>   CKM_SHA_1
>   Unknown Mechanism (00000255)
>   CKM_SHA384
>   CKM_SHA512
>   CKM_MD5
>   CKM_RSA_PKCS_KEY_PAIR_GEN
> Returned:  0 CKR_OK
> Supported mechanisms:
>    RSA-PKCS
> 7: C_GetMechanismInfo
> 2013-12-03 21:55:18.343
> [in] slotID = 0x0
>   CKM_RSA_PKCS
> [out] pInfo:
> CKM_RSA_PKCS                  : min:1024 max:2048 flags:0x67B01 ( Hardware Encrypt Decrypt Sig
> n SigRecov Verify VerRecov Wrap Unwrap )
> Returned:  0 CKR_OK
> , keySize={1024,2048}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap,
>   unwrap
>    RSA-X-509
> 8: C_GetMechanismInfo
> 2013-12-03 21:55:18.352
> [in] slotID = 0x0
>   CKM_RSA_X_509
> [out] pInfo:
> CKM_RSA_X_509                 : min:1024 max:2048 flags:0x67B01 ( Hardware Encrypt Decrypt Sig
> n SigRecov Verify VerRecov Wrap Unwrap )
> Returned:  0 CKR_OK
> , keySize={1024,2048}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap,
>   unwrap
>    ECDSA
> 9: C_GetMechanismInfo
> 2013-12-03 21:55:18.357
> [in] slotID = 0x0
>   CKM_ECDSA
> [out] pInfo:
> CKM_ECDSA                     : min:256 max:521 flags:0x2801 ( Hardware Sign Verify )
> Returned:  0 CKR_OK
> , keySize={256,521}, hw, sign, verify
>    ECDSA-SHA1
> 10: C_GetMechanismInfo
> 2013-12-03 21:55:18.362
> [in] slotID = 0x0
>   CKM_ECDSA_SHA1
> [out] pInfo:
> CKM_ECDSA_SHA1                : min:256 max:521 flags:0x2801 ( Hardware Sign Verify )
> Returned:  0 CKR_OK
> , keySize={256,521}, hw, sign, verify
>    ECDSA-KEY-PAIR-GEN
> 11: C_GetMechanismInfo
> 2013-12-03 21:55:18.368
> [in] slotID = 0x0
>   CKM_EC_KEY_PAIR_GEN
> [out] pInfo:
> CKM_EC_KEY_PAIR_GEN           : min:256 max:521 flags:0x10001 ( Hardware KeyPair )
> Returned:  0 CKR_OK
> , keySize={256,521}, hw, generate_key_pair
>    ECDH1-DERIVE
> 12: C_GetMechanismInfo
> 2013-12-03 21:55:18.370
> [in] slotID = 0x0
>   CKM_ECDH1_DERIVE
> [out] pInfo:
> CKM_ECDH1_DERIVE              : min:256 max:521 flags:0x80001 ( Hardware Derive )
> Returned:  0 CKR_OK
> , keySize={256,521}, hw, derive
>    RC2-KEY-GEN
> 13: C_GetMechanismInfo
> 2013-12-03 21:55:18.376
> [in] slotID = 0x0
>   CKM_RC2_KEY_GEN
> [out] pInfo:
> CKM_RC2_KEY_GEN               : min:40 max:128 flags:0x8000 ( Generate )
> Returned:  0 CKR_OK
> , keySize={40,128}, generate
>    RC2-CBC
> 14: C_GetMechanismInfo
> 2013-12-03 21:55:18.382
> [in] slotID = 0x0
>   CKM_RC2_CBC
> [out] pInfo:
> CKM_RC2_CBC                   : min:40 max:128 flags:0x300 ( Encrypt Decrypt )
> Returned:  0 CKR_OK
> , keySize={40,128}, encrypt, decrypt
>    RC4-KEY-GEN
> 15: C_GetMechanismInfo
> 2013-12-03 21:55:18.384
> [in] slotID = 0x0
>   CKM_RC4_KEY_GEN
> [out] pInfo:
> CKM_RC4_KEY_GEN               : min:40 max:128 flags:0x8000 ( Generate )
> Returned:  0 CKR_OK
> , keySize={40,128}, generate
>    RC4
> 16: C_GetMechanismInfo
> 2013-12-03 21:55:18.390
> [in] slotID = 0x0
>   CKM_RC4
> [out] pInfo:
> CKM_RC4                       : min:40 max:128 flags:0x300 ( Encrypt Decrypt )
> Returned:  0 CKR_OK
> , keySize={40,128}, encrypt, decrypt
>    AES-KEY-GEN
> 17: C_GetMechanismInfo
> 2013-12-03 21:55:18.395
> [in] slotID = 0x0
>   CKM_AES_KEY_GEN
> [out] pInfo:
> CKM_AES_KEY_GEN               : min:16 max:32 flags:0x8001 ( Hardware Generate )
> Returned:  0 CKR_OK
> , keySize={16,32}, hw, generate
>    AES-CBC
> 18: C_GetMechanismInfo
> 2013-12-03 21:55:18.397
> [in] slotID = 0x0
>   CKM_AES_CBC
> [out] pInfo:
> CKM_AES_CBC                   : min:16 max:32 flags:0x301 ( Hardware Encrypt Decrypt )
> Returned:  0 CKR_OK
> , keySize={16,32}, hw, encrypt, decrypt
>    DES3-KEY-GEN
> 19: C_GetMechanismInfo
> 2013-12-03 21:55:18.404
> [in] slotID = 0x0
>   CKM_DES3_KEY_GEN
> [out] pInfo:
> CKM_DES3_KEY_GEN              : min:192 max:192 flags:0x8001 ( Hardware Generate )
> Returned:  0 CKR_OK
> , keySize={192,192}, hw, generate
>    DES3-CBC
> 20: C_GetMechanismInfo
> 2013-12-03 21:55:18.409
> [in] slotID = 0x0
>   CKM_DES3_CBC
> [out] pInfo:
> CKM_DES3_CBC                  : min:192 max:192 flags:0x301 ( Hardware Encrypt Decrypt )
> Returned:  0 CKR_OK
> , keySize={192,192}, hw, encrypt, decrypt
>    SHA-1
> 21: C_GetMechanismInfo
> 2013-12-03 21:55:18.412
> [in] slotID = 0x0
>   CKM_SHA_1
> [out] pInfo:
> CKM_SHA_1                     : min:0 max:0 flags:0x401 ( Hardware Digest )
> Returned:  0 CKR_OK
> , hw, digest
>    mechtype-597
> 22: C_GetMechanismInfo
> 2013-12-03 21:55:18.417
> [in] slotID = 0x0
>   Unknown Mechanism (00000255)
> [out] pInfo:
> Unknown Mechanism (00000255) : min:0 max:0 flags:0x401 ( Hardware Digest )
> Returned:  0 CKR_OK
> , hw, digest
>    SHA384
> 23: C_GetMechanismInfo
> 2013-12-03 21:55:18.423
> [in] slotID = 0x0
>   CKM_SHA384
> [out] pInfo:
> CKM_SHA384                    : min:0 max:0 flags:0x401 ( Hardware Digest )
> Returned:  0 CKR_OK
> , hw, digest
>    SHA512
> 24: C_GetMechanismInfo
> 2013-12-03 21:55:18.424
> [in] slotID = 0x0
>   CKM_SHA512
> [out] pInfo:
> CKM_SHA512                    : min:0 max:0 flags:0x401 ( Hardware Digest )
> Returned:  0 CKR_OK
> , hw, digest
>    MD5
> 25: C_GetMechanismInfo
> 2013-12-03 21:55:18.437
> [in] slotID = 0x0
>   CKM_MD5
> [out] pInfo:
> CKM_MD5                       : min:0 max:0 flags:0x400 ( Digest )
> Returned:  0 CKR_OK
> , digest
>    RSA-PKCS-KEY-PAIR-GEN
> 26: C_GetMechanismInfo
> 2013-12-03 21:55:18.438
> [in] slotID = 0x0
>   CKM_RSA_PKCS_KEY_PAIR_GEN
> [out] pInfo:
> CKM_RSA_PKCS_KEY_PAIR_GEN     : min:1024 max:2048 flags:0x10001 ( Hardware KeyPair )
> Returned:  0 CKR_OK
> , keySize={1024,2048}, hw, generate_key_pair
>
> 27: C_Finalize
> 2013-12-03 21:55:18.439
> Returned:  0 CKR_OK
>
> C:\Users\san\Desktop\image-win32\openvpn\bin>
>
>
> On Tue, Dec 3, 2013 at 9:29 PM, Douglas E. Engert <[hidden email]> wrote:
>
>
>
>     On 12/3/2013 1:10 AM, Sanaullah wrote:
>
>         Here is the output of pkcs11-spy
>
>         C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll"  -l  --
>         keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
>
>
>         *************** OpenSC PKCS#11 spy *****************
>         Loaded: "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"
>
>         0: C_GetFunctionList
>         2013-12-03 12:07:12.500
>         Returned:  0 CKR_OK
>
>         1: C_Initialize
>         2013-12-03 12:07:12.504
>         [in] pInitArgs = 00000000
>         Returned:  0 CKR_OK
>
>         2: C_GetSlotList
>         2013-12-03 12:07:12.518
>         [in] tokenPresent = 0x0
>         [out] pSlotList:
>         Count is 1
>         [out] *pulCount = 0x1
>         Returned:  0 CKR_OK
>
>         3: C_GetSlotList
>         2013-12-03 12:07:12.524
>         [in] tokenPresent = 0x0
>         [out] pSlotList:
>         Slot 0
>         [out] *pulCount = 0x1
>         Returned:  0 CKR_OK
>
>         4: C_OpenSession
>         2013-12-03 12:07:12.532
>         [in] slotID = 0x0
>         [in] flags = 0x6
>         pApplication=00000000
>         Notify=00000000
>         [out] *phSession = 0x333018
>         Returned:  0 CKR_OK
>
>         5: C_GetTokenInfo
>         2013-12-03 12:07:12.537
>         [in] slotID = 0x0
>         [out] pInfo:
>                 label:                  '              SPYRUS USB Token 0'
>                 manufacturerID:         'SPYRUS INC.                     '
>                 model:                  'Rosetta USB     '
>                 serialNumber:           '02000000E0001575'
>                 ulMaxSessionCount:       4096
>                 ulSessionCount:          1
>                 ulMaxRwSessionCount:     4096
>                 ulRwSessionCount:        1
>                 ulMaxPinLen:             20
>                 ulMinPinLen:             1
>                 ulTotalPublicMemory:     8000
>                 ulFreePublicMemory:      8000
>                 ulTotalPrivateMemory:    8000
>                 ulFreePrivateMemory:     8000
>                 hardwareVersion:         2.4
>                 firmwareVersion:         1.32
>                 time:                   '                '
>                 flags:                   40d
>                   CKF_RNG
>                   CKF_LOGIN_REQUIRED
>                   CKF_USER_PIN_INITIALIZED
>                   CKF_TOKEN_INITIALIZED
>         Returned:  0 CKR_OK
>         Logging in to "SPYRUS USB Token 0".
>         Please enter User PIN:
>         6: C_Login
>         2013-12-03 12:07:38.747
>         [in] hSession = 0x333018
>         [in] userType = CKU_USER
>         [in] pPin[ulPinLen] 01dced30 / 4
>               00000000  31 32 33 34                                      1234
>         Returned:  0 CKR_OK
>
>         7: C_GenerateKeyPair
>         2013-12-03 12:07:39.795
>         [in] hSession = 0x333018
>         pMechanism->type=CKM_EC_KEY_PAIR_GEN
>         [in] pPublicKeyTemplate[7]:
>               CKA_CLASS             CKO_PUBLIC_KEY
>               CKA_TOKEN             True
>               CKA_ENCRYPT           True
>               CKA_VERIFY            True
>               CKA_WRAP              True
>               CKA_ECDSA_PARAMS      01dce350 / 10
>               00000000  06 08 2A 86 48 CE 3D 03 01 07                    ..*.H.=...
>               CKA_ID                00419060 / 1
>               00000000  02                                               .
>         [in] pPrivateKeyTemplate[8]:
>               CKA_CLASS             CKO_PRIVATE_KEY
>               CKA_TOKEN             True
>               CKA_PRIVATE           True
>               CKA_SENSITIVE         True
>               CKA_DECRYPT           True
>               CKA_SIGN              True
>               CKA_UNWRAP            True
>               CKA_ID                00419060 / 1
>               00000000  02                                               .
>         [out] hPublicKey = 0x3338c8
>         [out] hPrivateKey = 0x333948
>         Returned:  0 CKR_OK
>         Key pair generated:
>
>
>     The above says the keypair was generated.
>     Note: hPublicKey = 0x3338c8
>     and   hPrivateKey = 0x333948
>
>
>     But pkcs11-tool should not be setting CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP
>     but should be setting CKA_DERIVE
>
>
>
>     The rest of this is pkcs11-tool displaying some of the attributes of the keypair.
>
>
>
>         8: C_GetAttributeValue
>         2013-12-03 12:07:39.914
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_CLASS             0028faa8 / 4
>         [out] pTemplate[1]:
>               CKA_CLASS             CKO_PRIVATE_KEY
>         Returned:  0 CKR_OK
>
>         9: C_GetAttributeValue
>         2013-12-03 12:07:39.925
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_KEY_TYPE          0028fa48 / 4
>         [out] pTemplate[1]:
>               CKA_KEY_TYPE          0028fa48 / -1
>         Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>         warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID
>            (0x12)
>
>
>     This should have returned CKK_ECDSA (0x0000003)
>     Are you sure the Spyrus supports ECC? Does their pkcs11 module support it?
>     Their card may support it, but their pkcs11 module may not or has a bug.
>     Asking for the CKA_KEY_TYPE must be supported if more than RSA keys
>     are supported. If only RSA is supported, there is no need to ask what is the type
>     of key.
>
>     Run this command
>     C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-spy.dll" -M
>     and see if CKM_EC_KEY_PAIR_GEN is one of the mechanisms.
>
>
>
>         10: C_GetAttributeValue
>         2013-12-03 12:07:39.940
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_CLASS             0028fa48 / 4
>         [out] pTemplate[1]:
>               CKA_CLASS             CKO_PRIVATE_KEY
>         Returned:  0 CKR_OK
>         Private Key Object; RSA
>
>         11: C_GetAttributeValue
>         2013-12-03 12:07:39.940
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_LABEL             00000000 / 0
>         [out] pTemplate[1]:
>               CKA_LABEL             00000000 / -1
>         Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>         warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0
>         x12)
>
>
>     Every pkcs11 object can have a label, so their pkcs11 should return length 0
>     if there is no label, but not CKR_ATTRIBUTE_TYPE_INVALID.
>
>
>
>
>
>         12: C_GetAttributeValue
>         2013-12-03 12:07:39.942
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_ID                00000000 / 0
>         [out] pTemplate[1]:
>               CKA_ID                00000000 / 1
>         Returned:  0 CKR_OK
>
>         13: C_GetAttributeValue
>         2013-12-03 12:07:39.942
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_ID                006889a0 / 1
>         [out] pTemplate[1]:
>               CKA_ID                006889a0 / 1
>               00000000  02                                               .
>         Returned:  0 CKR_OK
>             ID:         02
>             Usage:
>         14: C_GetAttributeValue
>         2013-12-03 12:07:39.947
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_DECRYPT           0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_DECRYPT           True
>         Returned:  0 CKR_OK
>
>
>     This does not look correct. EC keypairs can sign/verify and derive.
>     They can not encrypt/decrypt.
>
>     But this could be caused by pkcs11-tool setting these wrong.
>
>
>         decrypt
>         15: C_GetAttributeValue
>         2013-12-03 12:07:39.948
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_SIGN              0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_SIGN              True
>         Returned:  0 CKR_OK
>         , sign
>         16: C_GetAttributeValue
>         2013-12-03 12:07:39.962
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_? (0x80000001)    0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_? (0x80000001)    0028fa4b / -1
>         Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>
>         17: C_GetAttributeValue
>         2013-12-03 12:07:39.963
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_UNWRAP            0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_UNWRAP            True
>         Returned:  0 CKR_OK
>         , unwrap
>         18: C_GetAttributeValue
>         2013-12-03 12:07:39.964
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_DERIVE            0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_DERIVE            0028fa4b / -1
>         Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>         warning: PKCS11 function C_GetAttributeValue(DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (
>         0x12)
>
>
>     Their pkcs11 library does not know about CKA_DERIVE, sounds like they do not
>     support ECC.
>
>
>
>
>
>         19: C_GetAttributeValue
>         2013-12-03 12:07:39.969
>         [in] hSession = 0x333018
>         [in] hObject = 0x333948
>         [in] pTemplate[1]:
>               CKA_ALWAYS_AUTHENTICATE  0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_ALWAYS_AUTHENTICATE  0028fa4b / -1
>         Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>         warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_T
>         YPE_INVALID (0x12)
>
>
>
>     Too bad, they do not support this either.
>
>
>
>
>         20: C_GetAttributeValue
>         2013-12-03 12:07:39.975
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_CLASS             0028faa8 / 4
>         [out] pTemplate[1]:
>               CKA_CLASS             CKO_PUBLIC_KEY
>         Returned:  0 CKR_OK
>
>         21: C_GetAttributeValue
>         2013-12-03 12:07:39.982
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_KEY_TYPE          0028fa48 / 4
>         [out] pTemplate[1]:
>               CKA_KEY_TYPE          0028fa48 / -1
>         Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>         warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID
>            (0x12)
>
>
>         22: C_GetAttributeValue
>         2013-12-03 12:07:39.990
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_CLASS             0028fa48 / 4
>         [out] pTemplate[1]:
>               CKA_CLASS             CKO_PUBLIC_KEY
>         Returned:  0 CKR_OK
>         Public Key Object
>         23: C_GetAttributeValue
>         2013-12-03 12:07:39.996
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_MODULUS_BITS      0028fa48 / 4
>         [out] pTemplate[1]:
>               CKA_MODULUS_BITS      0028fa48 / -1
>         Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>         warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INV
>         ALID (0x12)
>
>         ; RSA 0 bits
>
>         24: C_GetAttributeValue
>         2013-12-03 12:07:40.003
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_LABEL             00000000 / 0
>         [out] pTemplate[1]:
>               CKA_LABEL             00000000 / -1
>         Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>         warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0
>         x12)
>
>
>         25: C_GetAttributeValue
>         2013-12-03 12:07:40.013
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_ID                00000000 / 0
>         [out] pTemplate[1]:
>               CKA_ID                00000000 / 1
>         Returned:  0 CKR_OK
>
>         26: C_GetAttributeValue
>         2013-12-03 12:07:40.021
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_ID                006889a0 / 1
>         [out] pTemplate[1]:
>               CKA_ID                006889a0 / 1
>               00000000  02                                               .
>         Returned:  0 CKR_OK
>             ID:         02
>             Usage:
>         27: C_GetAttributeValue
>         2013-12-03 12:07:40.028
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_ENCRYPT           0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_ENCRYPT           True
>         Returned:  0 CKR_OK
>         encrypt
>         28: C_GetAttributeValue
>         2013-12-03 12:07:40.029
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_VERIFY            0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_VERIFY            True
>         Returned:  0 CKR_OK
>         , verify
>         29: C_GetAttributeValue
>         2013-12-03 12:07:40.036
>         [in] hSession = 0x333018
>         [in] hObject = 0x3338c8
>         [in] pTemplate[1]:
>               CKA_WRAP              0028fa4b / 1
>         [out] pTemplate[1]:
>               CKA_WRAP              True
>         Returned:  0 CKR_OK
>         , wrap
>
>         30: C_CloseSession
>         2013-12-03 12:07:40.045
>         [in] hSession = 0x333018
>         Returned:  0 CKR_OK
>
>         31: C_Finalize
>         2013-12-03 12:07:40.045
>         Returned:  0 CKR_OK
>
>
>     In a nutshell, their lib appears to not support some basic attributes,
>     and attributes for ECC. It may only support RSA. Ask Spyrus.
>
>
>
>         On Tue, Nov 26, 2013 at 7:57 PM, Douglas E. Engert <[hidden email]> wrote:
>
>              That is not the output of spy. It will write an output file. On Windows, I am not
>              sure where it writes it. You can use the environment
>
>
>              On 11/26/2013 8:35 AM, Sanaullah wrote:
>
>
>                  Here is the output from pkcs11-spy..
>
>
>
>              This is not the output of spy. SPY will write an output file. I am not
>              sure where it writes it on Windows.  You can use the environment PKCS11SPY_OUTPUT
>              or look in the registry:
>              HKEY_LOCAL_MACHINE, "Software\\OpenSC Project\\PKCS11-Spy"
>              or
>              HKEY_CURRENT_USER, "Software\\OpenSC Project\\PKCS11-Spy"
>              for Output.
>
>
>                  C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-sp
>                  y.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
>                  No slots.
>
>                  C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "pkcs11-sp
>                  y.dll"  -l  --pin 1234  --keypairgen  --key-type EC:prime256v1 --id 02 --slot 0
>                  Key pair generated:
>                  warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
>                  E_TYPE_INVALID (0x12)
>
>                  Private Key Object; RSA
>                  warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
>                  YPE_INVALID (0x12)
>
>                      ID:         02
>                      Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(
>                  DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>
>                  warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = C
>                  KR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>                  warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
>                  E_TYPE_INVALID (0x12)
>
>                  Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) fail
>                  ed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>                  ; RSA 0 bits
>                  warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
>                  YPE_INVALID (0x12)
>
>                      ID:         02
>                      Usage:      encrypt, verify, wrap
>
>
>                  On Tue, Nov 26, 2013 at 7:19 PM, Douglas E. Engert <[hidden email]> wrote:
>
>
>
>                       On 11/26/2013 5:00 AM, Sanaullah wrote:
>                        > Hi,
>                        >
>                        > I am trying to generate the keys to spyrus token using pkcs11-tool but getting errors. Anyone tested it?
>                        >
>                        > pkcs11-tool.exe --module "C:\Users\san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll"  -l  --pin 1234  --keypairge
>                        > n  --key-type EC:prime256v1 --id 02 --slot 0
>                        > Key pair generated:
>                        > warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
>                        > E_TYPE_INVALID (0x12)
>                        >
>                        > Private Key Object; RSA
>                        > warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
>                        > YPE_INVALID (0x12)
>                        >
>                        >    ID:         02
>                        >    Usage:      decrypt, sign, unwrapwarning: PKCS11 function C_GetAttributeValue(
>                        > DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>                        >
>                        >
>                        > warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = C
>                        > KR_ATTRIBUTE_TYPE_INVALID (0x12)
>                        >
>                        > warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUT
>                        > E_TYPE_INVALID (0x12)
>                        >
>                        > Public Key Objectwarning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) fail
>                        > ed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>                        >
>                        > ; RSA 0 bits
>                        > warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_T
>                        > YPE_INVALID (0x12)
>                        >
>                        >    ID:         02
>                        >    Usage:      encrypt, verify, wrap
>                        >
>                        >
>                        > C:\Users\san\Desktop\image-win32\openvpn\bin>pkcs11-tool.exe --module "C:\Users\
>                        > san\Desktop\EnsignNG\SDK\WinLib\Win32\PKCS11sc.dll" --login --test
>                        > Using slot 0 with a present token (0x0)
>                        > Logging in to "SPYRUS USB Token 0".
>                        > Please enter User PIN: C_SeedRandom() and C_GenerateRandom():
>                        >    ERR: C_GenerateRandom(buf1,100) failed: CKR_ARGUMENTS_BAD (0x7)
>                        > Digests:
>                        >    all 4 digest functions seem to work
>                        >    SHA-1: OK
>                        > error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
>
>                       Sounds like your PKCS11sc.dll does not support many of the PKCS#11 functions.
>
>                       Try using the OpenSC pkcs11-spy as the module, and have pkcs11-spy load
>                       the PKCS11sc.dll.
>                        >
>                        > Aborting.
>                        >
>                        > Regards,
>                        > Sanaullah
>                        >
>                        >
>                        >
>
>                       --
>
>                          Douglas E. Engert  <[hidden email]>
>
>
>                          Argonne National Laboratory
>                          9700 South Cass Avenue
>                          Argonne, Illinois  60439
>                          (630) 252-5444
>
>
>
>
>
>              --
>
>                Douglas E. Engert  <[hidden email]>
>                Argonne National Laboratory
>                9700 South Cass Avenue
>                Argonne, Illinois  60439
>                (630) 252-5444
>
>
>
>     --
>
>       Douglas E. Engert  <[hidden email]>
>       Argonne National Laboratory
>       9700 South Cass Avenue
>       Argonne, Illinois  60439
>       (630) 252-5444
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
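
The triage done by hand in the reply above, reading each C_GetAttributeValue record in the pkcs11-spy trace and noting which attributes the module rejects, can be scripted. This is an added example, not part of the original thread or of OpenSC; the log excerpt is constructed in the trace layout quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample in the pkcs11-spy layout quoted in this thread (mail quoting kept).
SAMPLE_LOG = """\
>   9: C_GetAttributeValue
>   2013-12-03 12:07:39.925
>   [in] hObject = 0x333948
>   [in] pTemplate[1]:
>         CKA_KEY_TYPE          0028fa48 / 4
>   [out] pTemplate[1]:
>         CKA_KEY_TYPE          0028fa48 / -1
>   Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>   warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed
>   14: C_GetAttributeValue
>   [in] hObject = 0x333948
>   [in] pTemplate[1]:
>         CKA_DECRYPT           0028fa4b / 1
>   Returned:  0 CKR_OK
>   16: C_GetAttributeValue
>   [in] hObject = 0x333948
>   [in] pTemplate[1]:
>         CKA_? (0x80000001)    0028fa4b / 1
>   Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
>   24: C_GetAttributeValue
>   [in] hObject = 0x3338c8
>   [in] pTemplate[1]:
>         CKA_LABEL             00000000 / 0
>   Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
"""

CALL = re.compile(r"^(\d+): (C_\w+)$")
OBJ = re.compile(r"^\[in\] hObject = (0x[0-9a-fA-F]+)$")
ATTR = re.compile(r"^(CKA_\S+(?: \(0x[0-9a-fA-F]+\))?)\s+\S")
RET = re.compile(r"^Returned:\s+(\d+) (CKR_\w+)$")

def parse_spy_log(text):
    """Return one dict per traced call: seq, func, obj, attrs, rv."""
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # drop mail quoting and indentation
        if m := CALL.match(line):
            cur = {"seq": int(m[1]), "func": m[2], "obj": None, "attrs": [], "rv": None}
            calls.append(cur)
        elif cur is None or cur["rv"] is not None:
            continue  # pkcs11-tool output printed between call records
        elif m := OBJ.match(line):
            cur["obj"] = m[1]
        elif (m := ATTR.match(line)) and m[1] not in cur["attrs"]:
            cur["attrs"].append(m[1])  # [in] and [out] sections repeat the name
        elif m := RET.match(line):
            cur["rv"] = m[2]
    return calls

def rejected_attributes(calls):
    """Map object handle -> attributes answered with CKR_ATTRIBUTE_TYPE_INVALID."""
    out = defaultdict(list)
    for c in calls:
        if c["func"] == "C_GetAttributeValue" and c["rv"] == "CKR_ATTRIBUTE_TYPE_INVALID":
            out[c["obj"]].extend(c["attrs"])
    return dict(out)

if __name__ == "__main__":
    print(rejected_attributes(parse_spy_log(SAMPLE_LOG)))
```
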
