EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SBB + OpenSC

Posted: 12/14/2014 16:20:23
by Adolfo García (Basic support level)
Joined: 12/14/2014
Posts: 14


I'm currently evaluating SBB for a project we need to develop. Below I decribe my setup.

- Debian "Testing" (Linux 16.3)
- SBB 12.0.263, C++ Edition
- GNU GCC 4.9
- OpenSC 0.13.0

- Athena ASEDrive IIIe USB V2C
- Athena IDProtect (JavaCard 2.2.2)

I'm trying to use the pkcs11 certificate storage, but it throws an exception after calling the Open() member function:

SecureBlackbox library exception: EElPKCS11ModuleError(Message: 'PKCS#11 provider DLL doesn't export all required functions (error code is 0)', ErrorCode: 0x00000000)

I read a post in the forum about a problem with OpenSC, but it was way too old (2007). So I was wondering if you have any recent experience using it with SBB, or if you can recommend another provider that does work.
Thanks in advance.
Posted: 12/15/2014 00:23:37
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

It seems that you are trying to use wrong .so library as PKCS#11 driver. Please check this.
Posted: 12/15/2014 00:40:51
by Eugene Mayevski (Team)

Unfortunately so far we have only negative experience with linux open-source, including PKCS#11 drivers. Yet you need to re-check that the module you are trying to load indeed doesn't have all functions exported properly. If you are sure that the file is correct, please tell us where we can pick that file. Please either provide an URL and the name of the file here OR post the file itself to the HelpDesk.

Sincerely yours
Eugene Mayevski
Posted: 12/15/2014 15:16:50
by Adolfo García (Basic support level)
Joined: 12/14/2014
Posts: 14

Thanks for your replies. The OpenSC I'm using was built from source, but indeed, I was using the incorrect .so. Instead of using opensc-pkcs11.so, I was using libopensc.so.
So now it does work using that provider, but a memory error is produced. Using Valgrind, I was able to trace the error:

Jump to the invalid address stated on the next line
in QSbb::openCertStorage() in /home/myuser/Code/app/src/qsbb.cpp:42
Address 0x58e0000000000000 is not stack'd, malloc'd or (recently) free'd 1: 0x58e0000000000000
2: /home/myuser/Code/build-app-Desktop_Qt_5_4_0_GCC_64bit-Debug/libsbb.so
3: /home/myuser/Code/build-app-Desktop_Qt_5_4_0_GCC_64bit-Debug/libsbb.so
4: SecureBlackbox::TElPKCS11CertStorage::Open() in /home/myuser/Code/sbb/linux64/WrapperSources/cpp/sbpkcs11certstorage.cpp:94
5: QSbb::openCertStorage() in /home/myuser/Code/app/src/qsbb.cpp:42
6: main in /home/myuser/Code/app/src/main.cpp:19

Lines 40-42:

pkcs11CertStorage = new TElPKCS11CertStorage(0);

For an example of the bug, check this simple testcase: https://www.dropbox.com/s/3uo6oph61a65npd/test.7z?dl=0
Run make, and then valgrind ./test
You will need to have the OpenSC libraries installed (see test.cpp for a link to the sources).
Posted: 12/16/2014 11:56:25
by Dmytro Bogatskyy (Team)


Thank you for the sample.
The problem is following: The PKCS#11 structures in the OpenSC has 8 byte alignment (default for 64-bit system). But the PKCS #11 convention on packing is that PKCS#11 structures should be 1-byte aligned.
To fix this, you can rebuild the OpenSC with enabled CRYPTOKI_FORCE_WIN32 define. This define will enable packing in opensc/src/pkcs11/pkcs11.h header.

We will consider adding a workaround/additional options to support such libraries from scratch.

P.S. By the way, there is Samples\PKIBlackbox\PKCS11Storage sample that you can use as a reference.
Posted: 12/18/2014 00:32:33
by Adolfo García (Basic support level)
Joined: 12/14/2014
Posts: 14

Hello Dmytro, thanks for the help.
I tried that, but it results in a compilation error.

I do:

./configure --prefix=/usr

Then, a bunch of warnings are produced.
And finally, the make process halts because of the following error:

libpkcs11.c:83:1: error: expected '{' at end of input
libpkcs11.c:83:1: warning: control reaches end of non-void function [-Wreturn-type]

Can you please describe further how you got to compile it with that option enabled.
Posted: 12/18/2014 01:24:17
by Eugene Mayevski (Team)

You need to ask help with compilation from OpenSC developers, not from us. We are not related to OpenSC and don't provide support for it.

Sincerely yours
Eugene Mayevski
Posted: 12/18/2014 03:53:57
by Dmytro Bogatskyy (Team)


Looks like CRYPTOKI_FORCE_WIN32 define has some downsides. I have successfully build OpenSC library by moving "#pragma pack(push, ...)" and "#pragma pack(pop, ...)" operators out of "#if" block in opensc/src/pkcs11/pkcs11.h header. Please, try to do the same.
Posted: 12/18/2014 19:13:26
by Adolfo García (Basic support level)
Joined: 12/14/2014
Posts: 14

Thanks Dmytro, that worked!



Topic viewed 1324 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!