I am attempting to create an AES 256 key on an ACOS5-64 smartcard and OMNIKEY 3121 card reader, using PKCS11 in python (using the PyKCS11 library). So far, all the "standard" operations seem to work with regards to asymmetric crypto. I have run plenty of code samples and pkcs11-tool commands, to initialize the token, set/change PINs, create RSA keypairs, etc. So, the drivers are all functional (pcscd, CCID, PKCS11 middleware).
The following code is causing a problem:
from PyKCS11 import *
import getpass
libacospkcs = '/usr/lib/libacospkcs11.so'
def createTokenAES256(lbl):
pkcs11 = PyKCS11Lib()
pkcs11.load(libacospkcs)
theOnlySlot = pkcs11.getSlotList()[0]
session = pkcs11.openSession(theOnlySlot, CKF_SERIAL_SESSION | CKF_RW_SESSION)
PIN = getpass.getpass('Enter User PIN to login:')
session.login(PIN)
t = pkcs11.getTokenInfo(theOnlySlot)
print t.label
print t.model
print t.serialNumber
template = (
(CKA_CLASS, CKO_SECRET_KEY),
(CKA_KEY_TYPE, CKK_AES),
(CKA_VALUE_LEN, 32),
(CKA_LABEL, "A"),
(CKA_PRIVATE, True),
(CKA_SENSITIVE, True),
(CKA_ENCRYPT, True),
(CKA_DECRYPT, True),
(CKA_TOKEN, True),
(CKA_WRAP, True),
(CKA_UNWRAP, True),
(CKA_EXTRACTABLE, False))
ckattr = session._template2ckattrlist(template)
m = LowLevel.CK_MECHANISM()
m.mechanism = LowLevel.CKM_AES_KEY_GEN
key = LowLevel.CK_OBJECT_HANDLE()
returnValue = pkcs11.lib.C_GenerateKey( session.session, m, ckattr, key)
if returnValue != CKR_OK:
raise PyKCS11Error(returnValue)
# Now run the method to create the key
createTokenAES256('TestAESKey')
However, I get an error when running it:
~/projects/smartcard $ python testpkcs11again.py
Enter User PIN to login:
Token #A
ACOS5-64
30A740C8704A
Traceback (most recent call last):
File "testcreateaes.py", line 43, in <module>
createTokenAES256('TestAESKey')
File "testcreateaes.py", line 40, in createTokenAES256
raise PyKCS11Error(returnValue)
PyKCS11.PyKCS11Error: CKR_ATTRIBUTE_VALUE_INVALID (0x00000013)
The thing is that if I switch the CKA_TOKEN line to False, then it "works". Of course, by setting that to false, it makes the key a session object instead of a token object (i.e. after I logout, the key is wiped). Using pkcs11-tool with --list-objects, the key is not there. I can use the ACSCMU (GUI tool for token admin), I can create an AES key in the "Secret Key Manager" and it does create a persistent key. But I have no way to see what the ACSCMU is doing to make it persistent (it may not be using PKCS11 at all).
If I had to guess the problem, I'd guess that it has to do with the session. If CKA_TOKEN=True is invalid, then it seems the token is not actually in RW mode (as suggested by the CKF_RW_SESSION in the 9th line). So far, I'm not sure what else to try or how to debug this.
Aucun commentaire:
Enregistrer un commentaire