Probable Reasons For CKR_GENERAL_ERROR From C_Login #3064


@NoMoreFood

Problem Description

I'm the developer of PuTTY CAC and have a user of a FEITIAN token that is occasionally receiving a CKR_GENERAL_ERROR from C_Login "randomly". Since I have many, many users I do not think I'm doing anything wrong with my code but anything is possible. I'm willing to dive into OpenSC code so I'm reaching out here for any ideas before I take that leap.

Proposed Resolution

Unknown

Steps to reproduce

I had the user run the spy library and here are the following transactions (all of which are successful with CKR_OK) up until C_Login, which fails with CKR_GENERAL_ERROR "randomly".

1: C_Initialize
2: C_GetSlotList
3: C_GetSlotList
4: C_OpenSession
5: C_FindObjectsInit
6: C_FindObjects
7: C_FindObjectsFinal
8: C_GetAttributeValue
9: C_GetAttributeValue
10: C_CloseSession
11: C_GetSlotList
12: C_GetSlotList
13: C_GetTokenInfo
14: C_OpenSession
15: C_FindObjectsInit
16: C_FindObjects
17: C_FindObjectsFinal
18: C_GetAttributeValue
19: C_GetAttributeValue
20: C_GetAttributeValue
21: C_GetAttributeValue
22: C_CloseSession
23: C_GetSlotList
24: C_GetSlotList
25: C_GetTokenInfo
26: C_OpenSession
27: C_FindObjectsInit
28: C_FindObjects
29: C_FindObjectsFinal
30: C_GetAttributeValue
31: C_GetAttributeValue
32: C_GetAttributeValue
33: C_GetAttributeValue
34: C_CloseSession
35: C_GetSlotList
36: C_GetSlotList
37: C_GetTokenInfo
38: C_OpenSession
39: C_FindObjectsInit
40: C_FindObjects
41: C_FindObjectsFinal
42: C_GetAttributeValue
43: C_GetAttributeValue
44: C_GetAttributeValue
45: C_GetAttributeValue
46: C_CloseSession
47: C_GetSlotList
48: C_GetSlotList
49: C_GetTokenInfo
50: C_OpenSession
51: C_FindObjectsInit
52: C_FindObjects
53: C_FindObjectsFinal
54: C_GetAttributeValue
55: C_GetAttributeValue
56: C_GetAttributeValue
57: C_GetAttributeValue
58: C_CloseSession
59: C_GetSlotList
60: C_GetSlotList
61: C_GetTokenInfo
62: C_OpenSession
63: C_FindObjectsInit
64: C_FindObjects
65: C_FindObjectsFinal
66: C_GetAttributeValue
67: C_GetAttributeValue
68: C_GetAttributeValue
69: C_GetAttributeValue
70: C_CloseSession
71: C_GetSlotList
72: C_GetSlotList
73: C_GetTokenInfo
74: C_OpenSession
75: C_FindObjectsInit
76: C_FindObjects
77: C_FindObjectsFinal
78: C_GetAttributeValue
79: C_GetAttributeValue
80: C_GetAttributeValue
81: C_GetAttributeValue
82: C_CloseSession
83: C_GetSlotList
84: C_GetSlotList
85: C_GetTokenInfo
86: C_OpenSession
87: C_FindObjectsInit
88: C_FindObjects
89: C_FindObjectsFinal
90: C_GetAttributeValue
91: C_GetAttributeValue
92: C_FindObjectsInit
93: C_FindObjects
94: C_FindObjectsFinal
95: C_Login
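
An added example, not part of the original post or of OpenSC: a small script that reduces a pkcs11-spy log to the numbered call list shown above plus each return code, and reports the first call that did not return CKR_OK. Parameter lines are dropped, which keeps values such as a PIN passed to C_Login out of what gets pasted into an issue. The log layout (`N: C_Function`, then a `Returned:  <code> <name>` line) is an assumption about the spy output, and the sample log is constructed.

```python
import re

# Constructed sample in the layout pkcs11-spy is assumed to write:
# "<n>: <function>", a timestamp line, parameters, then "Returned:  <rv> <name>".
SAMPLE_SPY_LOG = """\
93: C_FindObjects
2024-03-08 09:15:02.104
[in] hSession = 0x1
Returned:  0 CKR_OK

94: C_FindObjectsFinal
2024-03-08 09:15:02.105
[in] hSession = 0x1
Returned:  0 CKR_OK

95: C_Login
2024-03-08 09:15:07.880
[in] hSession = 0x1
[in] userType = CKU_USER
Returned:  5 CKR_GENERAL_ERROR
"""

CALL_RE = re.compile(r"^(\d+): (C_\w+)\s*$")
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(\w+)\s*$")

def summarize(log_text):
    """Return [(seq, function, rv_name)] for every completed call in the log."""
    calls, current = [], None
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(2))
            continue
        m = RET_RE.match(line)
        if m and current:
            calls.append((current[0], current[1], m.group(2)))
            current = None
    return calls

def first_failure(calls):
    """Return the first call whose return value is not CKR_OK, or None."""
    return next((c for c in calls if c[2] != "CKR_OK"), None)

if __name__ == "__main__":
    for seq, func, rv in summarize(SAMPLE_SPY_LOG):
        print(f"{seq}: {func} -> {rv}")
    print("first failure:", first_failure(summarize(SAMPLE_SPY_LOG)))
```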

@Jakuje
Member

Jakuje commented Mar 8, 2024

I think we would need the OpenSC debug log to see what is going on there with the token. The pkcs11 spy trace looks completely reasonable to the extent I can see just from the function names.

If it is just one user, it might be anything from a loose wire or worn out memory in the token, but again, without opensc debug it's hard to guess if it could be inside of opensc or the token itself. The epass tokens encrypt the pin so there is a possibility that we do it somehow wrong, which causes random failures. But I did not see this issue with the tokens we have in CI over the last couple of months:

https://gitlab.com/redhat-crypto/OpenSC/-/pipelines?page=1&scope=all&ref=epass2003

There were also many changes to the driver over the last years so OpenSC version information would be useful too.

@popovec
Member

popovec commented Mar 8, 2024

> The epass tokens encrypt the pin so there is a possibility that we do it somehow wrong, which causes random failures.

As far as epass2003 is concerned, I don't think we have a problem here, the PIN entered by the user is hashed and then authenticated using external auth. External auth in this case uses hashed PIN as a key to encrypt the challenge from the card.

Without a more precise log, it is not possible to analyze why C_Login fails.

@NoMoreFood
Author

Alright, thanks for the feedback thus far. I'll see if I can have the user get some more detailed logs.

@NoMoreFood NoMoreFood changed the title Probably Reasons For CKR_GENERAL_ERROR From C_Login Probable Reasons For CKR_GENERAL_ERROR From C_Login Mar 8, 2024
@dengert
Member

dengert commented Mar 8, 2024

This may be related to #2843. To help identify your ePass2003 type, can you run:
opensc-tool --card-driver default -a --send-apdu 00:CA:01:86:00
