PKI Exception CKR_FUNCTION_FAILED

#37063
Posted: 06/22/2016 15:16:59
by Marcelo  (Standard support level)
Joined: 01/28/2014
Posts: 17

Hi

I'm testing a new USB token (I've been using the SSB component for a couple of years) and get an exception when I try to sign a file (I can read the slots and the certificates).

Code
' Build a CAdES-T signature over buf with the certificate read from the token
Dim processor As New SBCAdES.TElCAdESSignatureProcessor()
Dim cms As New SBCMS.TElSignedCMSMessage()
Try
    cms.CreateNew(buf, 0, buf.Length)
    Dim sig As SBCMS.TElCMSSignature = cms.Signatures(cms.AddSignature())
    sig.DigestAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256
    processor.Signature = sig

    ' The exception below is raised from this call
    processor.CreateT(CertSt.Certificates(CertId), tspClient)
Catch
    Throw
End Try

Exception:
Quote

SBPKCS11Base.EElPKCS11Error: PKCS#11 error CKR_FUNCTION_FAILED in function C_Sign
   in SBPKCS11Base.__Global.PKCS11CheckError(Int64 HLib, Int32 FunctionCode, UInt32 ResultCode)
   in SBCryptoProvPKCS11.TElPKCS11CryptoProvider.SignPKI(TElCustomCryptoContext Context, Byte[] Buffer, Int32 StartIndex, Int32 Size, Byte[]& OutBuffer, Int32 OutStartIndex, Int32& OutSize)
   in SBCryptoProvPKCS11.TElPKCS11CryptoProvider.SignFinal(TElCustomCryptoContext Context, Byte[]& Buffer, Int32 StartIndex, Int32& Size, TElCPParameters Params, TSBProgressFunc ProgressFunc, Object ProgressData)
   in SBPublicKeyCrypto.TElRSAPublicKeyCrypto.SignFinal()
   in SBPublicKeyCrypto.TElPublicKeyCrypto.InternalSignDetached()
   in SBPublicKeyCrypto.TElPublicKeyCrypto.SignDetached(Byte[] InBuffer, Int32 InIndex, Int32 InSize, Byte[]& OutBuffer, Int32 OutIndex, Int32& OutSize)
   in SBCMS.TElCMSSignature.SignSubject(TElX509Certificate Cert, Boolean Remote, TSBCMSRemoteSignCallback SignCallback, Boolean ExternalHashCalculation, Object Param, Boolean AsyncOperation, TElDCAsyncState& State)
   in SBCMS.TElCMSSignature.InternalSign(TElX509Certificate Cert, TElCustomCertStorage Chain, Boolean Remote, TSBCMSRemoteSignCallback SignCallback, Boolean ExternalHashCalculation, Object Param)
   in SBCMS.TElCMSSignature.Sign(TElX509Certificate Cert, TElCustomCertStorage Chain)
   in SBCAdES.TElCAdESSignatureProcessor.Sign(TElX509Certificate Cert, TElCustomCertStorage Chain)
   in SBCAdES.TElCAdESSignatureProcessor.CreateT(TElX509Certificate Cert, TElCustomCertStorage Chain, Byte[] ContentType, TElCustomTSPClient TSPClient)
   in SBCAdES.TElCAdESSignatureProcessor.CreateT(TElX509Certificate Cert, TElCustomTSPClient TSPClient)
   in PKIUtil.PKIUtil.SignTimeStampFile(String FileInput, String FileOutput, EnumTipoDll TipoDll, Int32 SlotId, Int32 CertId, String TimeStampUrl, String TimeStampUser, String TimeStampPass)


Thanks, Marcelo
#37064
Posted: 06/22/2016 15:34:21
by Eugene Mayevski (EldoS Corp.)

Thank you for your post.

In your case the token returns the error during the sign operation. It's hard to guess the reason, as the error code is generic and the call stack itself doesn't reveal anything as well.

The first thing to do is to try the latest version of SecureBlackbox. I see that you have a license for version 12, and probably are using this version. Meanwhile we introduced different improvements in versions 13 and 14, some of which improve compatibility with various hardware.

So you are welcome to install and test the evaluation version of SecureBlackbox 14 to see if the problem persists. If the problem is gone, then upgrading would be the right solution. If the problem persists, we would try to investigate it, yet if any changes are required, they would go only to the version 15.


Sincerely yours
Eugene Mayevski
#37068
Posted: 06/22/2016 16:10:42
by Eugene Mayevski (EldoS Corp.)

On a side note, it would help a lot if you used the CODE button located above the text entry box (alternatively you can write [ CODE ] and [ /CODE ] tags by hand) to mark the beginning and the end of the code blocks in your messages. This would enable syntax highlighting and line numbering on the code and make it easier to analyze.


Sincerely yours
Eugene Mayevski
#37088
Posted: 06/23/2016 06:01:36
by Marcelo  (Standard support level)
Joined: 01/28/2014
Posts: 17

Hi Eugene,

I've tested with version 14, but it doesn't work either and I get the same error. What can I do to investigate the problem?

Thanks, Marcelo.
#37090
Posted: 06/23/2016 10:02:55
by Eugene Mayevski (EldoS Corp.)

The very first step is to comment out SHA256 algorithm and see if the error persists. There's a possibility that the device just doesn't support SHA256.


Sincerely yours
Eugene Mayevski
#37092
Posted: 06/23/2016 11:16:42
by Marcelo  (Standard support level)
Joined: 01/28/2014
Posts: 17

Hi,

I tried your suggestion and used the SHA1 algorithm, but it doesn't work. I saw that the certificate usage is "Non repudiation", but I can sign a file with this certificate using Dike. Any ideas?

Thanks, Marcelo.
#37093
Posted: 06/23/2016 11:29:15
by Eugene Mayevski (EldoS Corp.)

Quote
marcelo wrote:
I tried your suggestion and used the SHA1 algorithm, but it doesn't work.


Are you getting the same error?

Quote
marcelo wrote:
I saw that the certificate usage is "Non repudiation", but I can sign a file with this certificate using Dike. Any ideas?


The key usage should not be relevant in your case. It's some device or driver glitch. I don't know what Dike is, but are you sure that they use PKCS#11 interface and not CryptoAPI to access the device?


Sincerely yours
Eugene Mayevski
#37094
Posted: 06/23/2016 11:35:19
by Marcelo  (Standard support level)
Joined: 01/28/2014
Posts: 17

Quote
Are you getting the same error?


Yes, the same error.

Quote
The key usage should not be relevant in your case. It's some device or driver glitch.

On the same device I have another certificate, and there's no error signing with this one.
Quote
I don't know what Dike is, but are you sure that they use PKCS#11 interface and not CryptoAPI to access the device?


Dike is an Italian signing program. I think it uses PKCS#11 but I'm not so sure.
#37095
Posted: 06/23/2016 11:38:41
by Eugene Mayevski (EldoS Corp.)

Quote
marcelo wrote:
On the same device I have another certificate, and there's no error signing with this one.


Hmm. Could you please insert the check of the value of TElX509Certificate.PrivateKeyExists property of the certificate which you are trying to use? It can be that the private key is not properly associated with the certificate.

Quote
marcelo wrote:
Dike is an Italian signing program. I think it uses PKCS#11 but I'm not so sure.


Let's put it differently - do you need to specify the path to the PKCS#11 driver in this Dike application? If not, then it works via CryptoAPI. In this case you also can try accessing the device via CryptoAPI (TElWinCertStorage) and see if signing works this way.


Sincerely yours
Eugene Mayevski
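The checks suggested in this thread (does the token list the signing mechanism at all, and is a private key really associated with each certificate) can be read straight from the token over PKCS#11. The helper below is an added example, not part of the original posts and not SecureBlackbox code. It assumes the third-party PyKCS11 package for read_token(); the mechanism list in WANTED, the sample data, and the CKA_SIGN / CKA_ALWAYS_AUTHENTICATE comparison between keys are assumptions added here and were not raised by either poster.

```python
# Added triage helper (not SecureBlackbox code); triage() is pure logic.
WANTED = ("CKM_RSA_PKCS", "CKM_SHA1_RSA_PKCS", "CKM_SHA256_RSA_PKCS")

def triage(mechanisms, objects, wanted=WANTED):
    """Report missing mechanisms and, per certificate, issues with its key."""
    keys = {o["id"]: o for o in objects if o["kind"] == "key"}
    certs = {}
    for cert in (o for o in objects if o["kind"] == "cert"):
        key, notes = keys.get(cert["id"]), []
        if key is None:
            notes.append("no private key object with the same CKA_ID")
        else:
            if not key.get("sign"):
                notes.append("CKA_SIGN is false")
            if key.get("always_auth"):
                notes.append("CKA_ALWAYS_AUTHENTICATE is true")
        certs[cert["label"]] = notes
    missing = [m for m in wanted if m not in mechanisms]
    return {"missing_mechanisms": missing, "certs": certs}

def read_token(lib_path, pin, slot_index=0):
    """Collect triage() inputs from a real token (lib_path: vendor PKCS#11 library)."""
    import PyKCS11 as P  # third-party; imported lazily so triage() works without it
    lib = P.PyKCS11Lib()
    lib.load(lib_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    mechanisms = set(lib.getMechanismList(slot))
    session = lib.openSession(slot, P.CKF_SERIAL_SESSION)
    session.login(pin)
    objects = []
    for obj in session.findObjects([(P.CKA_CLASS, P.CKO_CERTIFICATE)]):
        cid, label = session.getAttributeValue(obj, [P.CKA_ID, P.CKA_LABEL])
        objects.append({"kind": "cert", "id": bytes(cid), "label": label})
    key_attrs = [P.CKA_ID, P.CKA_SIGN, P.CKA_ALWAYS_AUTHENTICATE]
    for obj in session.findObjects([(P.CKA_CLASS, P.CKO_PRIVATE_KEY)]):
        kid, sign, auth = session.getAttributeValue(obj, key_attrs)
        objects.append({"kind": "key", "id": bytes(kid), "sign": sign, "always_auth": auth})
    session.closeSession()
    return mechanisms, objects

# Constructed sample (not read from any real device): three certificates, two keys.
SAMPLE_MECHS = {"CKM_RSA_PKCS", "CKM_SHA1_RSA_PKCS"}
SAMPLE_OBJECTS = [
    {"kind": "cert", "id": b"\x01", "label": "cert A"},
    {"kind": "cert", "id": b"\x02", "label": "cert B"},
    {"kind": "cert", "id": b"\x03", "label": "cert C"},
    {"kind": "key", "id": b"\x01", "sign": True, "always_auth": False},
    {"kind": "key", "id": b"\x02", "sign": True, "always_auth": True},
]
REPORT = triage(SAMPLE_MECHS, SAMPLE_OBJECTS)
```

On a real device, pass the result of read_token() to triage() and compare the notes for the certificate that signs against the one that fails.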
#37096
Posted: 06/23/2016 11:55:31
by Marcelo  (Standard support level)
Joined: 01/28/2014
Posts: 17

Quote
Could you please insert the check of the value of TElX509Certificate.PrivateKeyExists property of the certificate which you are trying to use?


The value is true.

Quote
do you need to specify the path to the PKCS#11 driver in this Dike application?

Dike uses PKCS#11. Also, both device certificates don't appear in the Windows store.

FYI, with SHA1 the exception is
Code
SBPKCS11Base.EElPKCS11Error: PKCS#11 error CKR_FUNCTION_FAILED in function C_Sign
   in SBPKCS11Base.__Global.PKCS11CheckError(Int64 HLib, Int32 FunctionCode, UInt32 ResultCode)
   in SBCryptoProvPKCS11.TElPKCS11CryptoProvider.SignPKI(TElCustomCryptoContext Context, Byte[] Buffer, Int32 StartIndex, Int32 Size, Byte[]& OutBuffer, Int32 OutStartIndex, Int32& OutSize)
   in SBCryptoProvPKCS11.TElPKCS11CryptoProvider.SignFinal(TElCustomCryptoContext Context, Byte[]& Buffer, Int32 StartIndex, Int32& Size, TElCPParameters Params, TSBProgressFunc ProgressFunc, Object ProgressData)
   in SBPublicKeyCrypto.TElRSAPublicKeyCrypto.SignFinal()
   in SBPublicKeyCrypto.TElPublicKeyCrypto.InternalSignDetached()
   in SBPublicKeyCrypto.TElPublicKeyCrypto.SignDetached(Byte[] InBuffer, Int32 InIndex, Int32 InSize, Byte[]& OutBuffer, Int32 OutIndex, Int32& OutSize)
   in SBCMS.TElCMSSignature.SignSubject(TElX509Certificate Cert, Boolean Remote, TSBCMSRemoteSignCallback SignCallback, Boolean ExternalHashCalculation, Object Param, Boolean AsyncOperation, TElDCAsyncState& State)
   in SBCMS.TElCMSSignature.InternalSign(TElX509Certificate Cert, TElCustomCertStorage Chain, Boolean Remote, TSBCMSRemoteSignCallback SignCallback, Boolean ExternalHashCalculation, Object Param)
   in SBCMS.TElCMSSignature.Sign(TElX509Certificate Cert, TElCustomCertStorage Chain)
   in SBCAdES.TElCAdESSignatureProcessor.Sign(TElX509Certificate Cert, TElCustomCertStorage Chain)
   in SBCAdES.TElCAdESSignatureProcessor.CreateBES(TElX509Certificate Cert, TElCustomCertStorage Chain, Byte[] ContentType)
   in SBCAdES.TElCAdESSignatureProcessor.CreateBES(TElX509Certificate Cert)
   in PKIUtil.PKIUtil.SignFile(String FileInput, String FileOutput, EnumTipoDll TipoDll, Int32 SlotId, Int32 CertId)