EldoS | Feel safer!

PKCS#11 Over Vista

#2304
Posted: 02/14/2007 16:29:58
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi!,

I've got Vista Final 6.0.6000 RTM (purchased), and I cannot load the PKCS#11 library of the eToken USB PRO (I've installed Aladdin WSO_1.5, which has support for Vista). I've attached a screenshot showing the error.

I've tried to execute the cryptotokendemo also with admin privileges, without luck.

With Firefox or Thunderbird I can load the PKCS#11 eToken device without problems, so I think that the problem is related to SBB?

Does anyone have any clues? I'm quite new to Vista (I suppose all of us are still newbies in Vista :p).

P.S.: no problems with CryptoAPI, if this is of interest.

Regards


#2306
Posted: 02/15/2007 03:19:27
by Eugene Mayevski (EldoS Corp.)

The error is returned by the PKCS#11 DLL in a call to some function. Check which function returns this error code.


Sincerely yours
Eugene Mayevski
#2309
Posted: 02/15/2007 04:53:40
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi!,

I've installed Delphi 7 on Vista and installed SBB 5.0.106 in it.

The error is in the LoadModule call:
Code
...
    pulCount := 0;
    pSlotList := nil;
    PKCS11CheckError(TPKCS11GetSlotListFunc(aModule.FuncArray[PKCS11_GetSlotList])(CK_B_FALSE, pSlotList[0], pulCount));
    if pulCount > 0 then
    begin
      GetMem(pSlotList, pulCount * sizeof(CK_SLOT_ID));
      try
        PKCS11CheckError(TPKCS11GetSlotListFunc(aModule.FuncArray[PKCS11_GetSlotList])(CK_B_FALSE, pSlotList[0], pulCount));
        for i := 0 to pulCount - 1 do
        begin
          SlotInfo := TElPKCS11SlotInfo.Create;
          aModule.FSlotList.Add(SlotInfo);
          SlotInfo.FModule := aModule;
          SlotInfo.FSlotID := pSlotList[i];
          SlotInfo.Refresh; //error here
        end;
      finally
        FreeMem(pSlotList);
      end;
    end;
...

The refresh routine calls

...
  // read token info, if token is present
  CKRes :=
    TPKCS11GetTokenInfoFunc(FModule.FuncArray[PKCS11_GetTokenInfo])(FSlotID, RTokenInfo);
  if CKRes = CKR_OK then
...


In that last call of the refresh routine, CKRes=6 (CKR_FUNCTION_FAILED).

As a quick test, if I comment out the call to .Refresh, the module loads fine (but a strange thing is that I have 17 empty slots (pulCount)!! :p). But then the slots are not filled with data...

Is this information valuable?

Regards
#2310
Posted: 02/15/2007 05:08:24
by Eugene Mayevski (EldoS Corp.)

It is possible that FSlotID is invalid for some reason. Maybe when Refresh is called for the last time, the device information has been re-read or the driver has been reloaded. You need to debug this stuff ...


You can't exclude the call to Refresh for obvious reasons.


Sincerely yours
Eugene Mayevski
#2311
Posted: 02/15/2007 05:23:36
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

OK, I'm pleased to investigate it, but I'll need your help...

Here's what I have now:
If I replace SlotInfo.Refresh; with try SlotInfo.Refresh; except end; it works: I can see two slots with info and 15 more with nothing :p.

Other test:
If I replace:
Code
    PKCS11CheckError(TPKCS11GetSlotListFunc(aModule.FuncArray[PKCS11_GetSlotList])(CK_B_FALSE, pSlotList[0], pulCount));
    if pulCount > 0 then
    begin
      GetMem(pSlotList, pulCount * sizeof(CK_SLOT_ID));
      try
        PKCS11CheckError(TPKCS11GetSlotListFunc(aModule.FuncArray[PKCS11_GetSlotList])(CK_B_FALSE, pSlotList[0], pulCount));

with:
Code
    PKCS11CheckError(TPKCS11GetSlotListFunc(aModule.FuncArray[PKCS11_GetSlotList])(CK_B_TRUE, pSlotList[0], pulCount));
    if pulCount > 0 then
    begin
      GetMem(pSlotList, pulCount * sizeof(CK_SLOT_ID));
      try
        PKCS11CheckError(TPKCS11GetSlotListFunc(aModule.FuncArray[PKCS11_GetSlotList])(CK_B_TRUE, pSlotList[0], pulCount));

I only get 1 slot (the one that is connected, with the bulb green) and can access it without problems.

So the thing is that the call to get pulCount returns slots that don't exist, and because of that, when SBB tries to access them it raises the exceptions. If I ignore those exceptions or force it to return only the inserted slots, it runs.

How can I (or better, you) know which slot IDs are invalid? They have IDs 1..16 (nothing strange).

To clarify things, with the Aladdin eToken USB PRO I always used to have 2-3 slots (AKS idfh 0, AKS idfh 1 and maybe AKS idfh VR).

Any clues which way to go now?
#2312
Posted: 02/15/2007 05:37:09
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

More information:

FSlotID=0 has slotDescription=AKS idfh 0 (the one that has the bulb green; the eToken is inserted)
FSlotID=1 has slotDescription=AKS idfh 1 (there's no eToken inserted in there)
FSlotID=2...FSlotID=16 have slotDescription=EMPTY (they shouldn't exist).

The thing is that the only one that doesn't return error 6 on the GetTokenInfo function is FSlotID=0. If I inspect the variables and modify them to point the first slot to FSlotID=1, it also raises the error.

So the errors are:
- There are more slots than there are supposed to be
- Only the slots that have a token inserted don't raise an exception.

P.S.: If I extract the eToken, FSlotID=0 (AKS idfh 0) also raises exception 6 on the GetTokenInfo function.

The strange thing is that this doesn't happen to Thunderbird or FF, and it didn't happen on XP (but the drivers from Aladdin are supposed to be different on Vista).
#2313
Posted: 02/15/2007 05:47:43
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

OK, the final fix (I always make bad fixes, so tell me if this doesn't make sense):

In the .Refresh routine, add another test for FTokenPresent:
Code
...
  else if (CKRes = CKR_FUNCTION_FAILED) then
  begin
    FTokenPresent := false;
  end
...


In the LoadModule routine, make a test if SlotDescription is Empty to delete that slot:
Code
...
SlotInfo.Refresh;
if SlotInfo.SlotDescription='' then aModule.FSlotList.Remove(SlotInfo);
...


Is there anything wrong with that fix? Is it going to cause more problems (I don't want to change your code :p)?

What do you think?
#2314
Posted: 02/15/2007 05:52:39
by Eugene Mayevski (EldoS Corp.)

Here's how PKCS#11 drivers [are supposed to] work:
you configure them via GUI for how many slots you allocate. The drivers report the configured number of slots. We get information about all slots with the above calls. Your change makes the code incorrect (although working in your particular case). One must be able to obtain information about *slots*, and not just inserted tokens.

The only idea I have is to first call GetSlotList for all slots, and if this fails, then for used slots only.

Quote
Santiago Castaño wrote:
P.S.: If I extract the eToken, FSlotID=0 (AKS idfh 0) also raises exception 6 on the GetTokenInfo function.


Guess why :))


Sincerely yours
Eugene Mayevski
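As an added illustration of the approach Eugene describes (enumerate all configured slots first, and only if the driver refuses that query fall back to slots with a token inserted), combined with a Refresh that records a failed C_GetTokenInfo as "no token present" instead of raising, here is a small C example. It is not SBB code and not code from anyone in this thread. The PKCS#11 type and return-code definitions stand in for the vendor's pkcs11.h and are an assumption of the example; the driver is a constructed in-process mock that mimics the behaviour reported above (17 slots with IDs 0..16, a token in slot 0 only, and CKR_FUNCTION_FAILED returned for every empty slot).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal PKCS#11 types and return codes (numeric values as in the PKCS#11
   spec). A real build includes the vendor's pkcs11.h; these local
   definitions are an assumption of this example. */
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned long CK_SLOT_ID;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKR_OK                0x000
#define CKR_SLOT_ID_INVALID   0x003
#define CKR_FUNCTION_FAILED   0x006
#define CKR_TOKEN_NOT_PRESENT 0x0E0
#define CKR_BUFFER_TOO_SMALL  0x150
typedef struct { char label[32]; } CK_TOKEN_INFO; /* only the field used here */

/* Function-pointer view of a loaded module (the role SBB's FuncArray plays). */
typedef CK_RV (*GetSlotListFn)(CK_BBOOL tokenPresent, CK_SLOT_ID *list, CK_ULONG *count);
typedef CK_RV (*GetTokenInfoFn)(CK_SLOT_ID slot, CK_TOKEN_INFO *info);

/* Constructed mock of the driver behaviour reported in the thread: 17 slots
   (IDs 0..16), a token in slot 0 only, and C_GetTokenInfo answering
   CKR_FUNCTION_FAILED (6) instead of CKR_TOKEN_NOT_PRESENT for empty slots. */
#define MOCK_SLOTS 17
static int mock_token_in_slot0 = 1;   /* clear it to simulate pulling the eToken */
static int mock_reject_all_slots = 0; /* set it to make the "all slots" query fail */

static CK_RV mock_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID *list, CK_ULONG *count) {
    if (!tokenPresent && mock_reject_all_slots) return CKR_FUNCTION_FAILED;
    CK_ULONG n = tokenPresent ? (CK_ULONG)mock_token_in_slot0 : MOCK_SLOTS;
    if (list == NULL) { *count = n; return CKR_OK; }           /* size query */
    if (*count < n)   { *count = n; return CKR_BUFFER_TOO_SMALL; }
    for (CK_ULONG i = 0; i < n; i++) list[i] = i;
    *count = n;
    return CKR_OK;
}

static CK_RV mock_GetTokenInfo(CK_SLOT_ID slot, CK_TOKEN_INFO *info) {
    if (slot >= MOCK_SLOTS) return CKR_SLOT_ID_INVALID;
    if (slot != 0 || !mock_token_in_slot0) return CKR_FUNCTION_FAILED;
    memset(info->label, ' ', sizeof info->label);  /* PKCS#11 strings are space padded */
    memcpy(info->label, "eToken PRO", 10);
    return CKR_OK;
}

/* Library-side record for one slot. */
typedef struct {
    CK_SLOT_ID id;
    int token_present;
    CK_TOKEN_INFO token;
} SlotInfo;

/* Refresh one slot: any failure of C_GetTokenInfo is recorded as "no usable
   token here" rather than raised, and the slot itself stays in the list so
   callers can still see every configured slot. Returns 1 if a token is present. */
static int slot_refresh(GetTokenInfoFn get_token_info, SlotInfo *s) {
    CK_RV rv = get_token_info(s->id, &s->token);
    s->token_present = (rv == CKR_OK);
    if (!s->token_present) memset(&s->token, 0, sizeof s->token);
    return s->token_present;
}

/* Two-pass enumeration: ask for every configured slot first; only if the
   driver rejects that query, fall back to slots with a token inserted.
   Returns the number of entries written to out, or -1 on failure. */
static int enumerate_slots(GetSlotListFn get_slot_list, GetTokenInfoFn get_token_info,
                           SlotInfo *out, CK_ULONG max_out) {
    const CK_BBOOL modes[2] = { CK_FALSE, CK_TRUE };
    for (int m = 0; m < 2; m++) {
        CK_ULONG count = 0;
        if (get_slot_list(modes[m], NULL, &count) != CKR_OK) continue; /* try next mode */
        if (count > max_out) return -1;
        CK_SLOT_ID *ids = malloc((count ? count : 1) * sizeof *ids);
        if (ids == NULL) return -1;
        if (get_slot_list(modes[m], ids, &count) != CKR_OK) { free(ids); continue; }
        for (CK_ULONG i = 0; i < count; i++) {
            out[i].id = ids[i];
            slot_refresh(get_token_info, &out[i]);
        }
        free(ids);
        return (int)count;
    }
    return -1;
}

/* Number of enumerated slots that actually hold a token. */
static int count_tokens(const SlotInfo *slots, int n) {
    int t = 0;
    for (int i = 0; i < n; i++) t += slots[i].token_present;
    return t;
}

int main(void) {
    SlotInfo slots[32];
    int n = enumerate_slots(mock_GetSlotList, mock_GetTokenInfo, slots, 32);
    printf("%d slots reported, %d with a token\n", n, count_tokens(slots, n));
    for (int i = 0; i < n; i++)
        printf("  slot %lu: %s\n", slots[i].id, slots[i].token_present ? "token present" : "empty");
    return 0;
}
```

Against the mock this reports all 17 slots with exactly one token, which is the information a caller is entitled to (every configured slot, plus which of them currently hold a token); only when the all-slots query itself fails does the code shrink the list to inserted tokens.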
#2315
Posted: 02/15/2007 06:03:00
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

What about my fix if I make the SlotDescription test more complex (maybe some slot has an empty description on some device and I don't want to lose that slot):

Code
SlotInfo.Refresh;
if (SlotInfo.SlotDescription='') and (not SlotInfo.FTokenPresent) then aModule.FSlotList.Remove(SlotInfo); // as FTokenPresent has been marked as False if there is some error, filter more deeply


Don't you use the eToken from Aladdin? I also think it would be good if you published a list of tokens and smartcards that you've tested and that work 100% with SBB (to recommend them to our customers). I supposed you'd use Aladdin, as they're one of the big ones, no?
#2316
Posted: 02/15/2007 06:20:21
by Eugene Mayevski (EldoS Corp.)

Quote
Santiago Castaño wrote:
In the LoadModule routine, make a test if SlotDescription is Empty to delete that slot:

...
SlotInfo.Refresh;
if SlotInfo.SlotDescription='' then aModule.FSlotList.Remove(SlotInfo);
...


Is there anything wrong with that fix? Is it going to cause more problems (I don't want to change your code :p)?


This is wrong. One might need to have information about slots.

Quote
Santiago Castaño wrote:
Don't you use the eToken from Aladdin? I also think it would be good if you published a list of tokens and smartcards that you've tested and that work 100% with SBB (to recommend them to our customers).


Nothing works 100%. Tomorrow another monkey is hired into the dev team of a PKCS#11 vendor, and all 100% becomes void.


Sincerely yours
Eugene Mayevski
Statistics

Topic viewed 7893 times