
Pin Query Fails On Macs #2386


Description

@rbassett3

OpenSC seems to be having some issue generating a query for my pin on Mac. I have a US Govt issued CAC card. Based on the terminal output of pkcs11-tool for other folks with a CAC (like what is posted here: #1533), I am expecting to have a pin query to login to the card and likely 4 additional queries for each certificate on the card. Instead I see the following.

pkcs11-tool --login --test 
Using slot 0 with a present token (0x0)
error: PKCS11 function C_Login failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.

If I manually input my pin I get a step further.

pkcs11-tool --login --test --pin=xxxxxxx
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5)
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (CAC ID Certificate) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
  testing key 1 (CAC Email Signature Certificate) with 1 mechanism
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.
    RSA-X-509: %

I also tried the --always-auth option but with the same behavior. In the logs, I see that --always-auth does not change the CKA_ALWAYS_AUTHENTICATE flag to TRUE as I expected it to, but that may be because I don't understand the internals well.

Relevant portion of a level 3 debug are here: https://pastebin.com/g6RP3xz6

I tried with version 22 and 21 and the result is the same. Also, this same issue (should ask for a pin but doesn't) is present when I try to digitally sign a pdf document in Adobe.

Any pointers on how to fix this are much appreciated.

Edit: I accessed the card on my Linux machine and confirmed my expected behavior (user login PIN prompt and 4 context-specific prompts). Somehow this is Mac-specific.
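The prompt sequence the reporter sees on Linux (one user PIN prompt, then one more prompt before each signature) is the PKCS#11 rule for keys whose CKA_ALWAYS_AUTHENTICATE attribute is TRUE: after C_SignInit the client must call C_Login with CKU_CONTEXT_SPECIFIC before C_Sign, or the token refuses the signature. The following is an added example, not code from OpenSC or from this issue: a constructed in-memory token that enforces that rule, plus the client-side sign flow a PKCS#11 application is expected to run. The PIN, the four-key layout and the labels of keys 2 and 3 are made up (the labels of keys 0 and 1 come from the report); the "signature" is a hash stand-in so the flow runs offline. It does not diagnose the Mac-only failure in the report; it shows what a correct always-authenticate session looks like and how a client that skips the context-specific login fails.

```python
import hashlib

# PKCS#11 constants used below (values as defined in the PKCS#11 v2.20 headers).
CKR_OK = 0x00
CKR_GENERAL_ERROR = 0x05              # return value seen in the report
CKR_FUNCTION_FAILED = 0x06            # return value seen in the report
CKR_OPERATION_NOT_INITIALIZED = 0x91
CKR_PIN_INCORRECT = 0xA0
CKR_USER_NOT_LOGGED_IN = 0x101
CKR_USER_TYPE_INVALID = 0x103
CKU_USER = 1
CKU_CONTEXT_SPECIFIC = 2
CKA_ALWAYS_AUTHENTICATE = 0x202


class FakeAlwaysAuthToken:
    """Constructed in-memory token (not OpenSC, not a real CAC). It enforces one
    rule: a key with CKA_ALWAYS_AUTHENTICATE=TRUE needs C_Login(CKU_CONTEXT_SPECIFIC)
    after C_SignInit and before C_Sign, in addition to the normal user login."""

    def __init__(self, user_pin, keys):
        self._pin = user_pin
        self._keys = keys                 # handle -> {"label": str, CKA_ALWAYS_AUTHENTICATE: bool}
        self._user_logged_in = False
        self._op = None                   # active sign operation: [handle, context_authenticated]

    def login(self, user_type, pin):
        if pin != self._pin:
            return CKR_PIN_INCORRECT
        if user_type == CKU_USER:
            self._user_logged_in = True
            return CKR_OK
        if user_type == CKU_CONTEXT_SPECIFIC:
            if self._op is None:          # only valid while a sign operation is active
                return CKR_OPERATION_NOT_INITIALIZED
            self._op[1] = True
            return CKR_OK
        return CKR_USER_TYPE_INVALID

    def get_attribute(self, handle, attr):
        return self._keys[handle][attr]

    def sign_init(self, handle):
        if not self._user_logged_in:
            return CKR_USER_NOT_LOGGED_IN
        self._op = [handle, False]
        return CKR_OK

    def sign(self, data):
        handle, ctx_ok = self._op
        self._op = None                   # C_Sign, successful or not, ends the operation
        if self._keys[handle][CKA_ALWAYS_AUTHENTICATE] and not ctx_ok:
            return CKR_USER_NOT_LOGGED_IN, None
        # stand-in for a real RSA signature so the example runs without a card
        return CKR_OK, hashlib.sha256(str(handle).encode() + data).digest()


def sign_with_key(token, handle, data, pin_prompt):
    """Client-side sign flow that honours CKA_ALWAYS_AUTHENTICATE: this is the
    extra PIN prompt per key that follows the initial user login."""
    rv = token.sign_init(handle)
    if rv != CKR_OK:
        return rv, None
    if token.get_attribute(handle, CKA_ALWAYS_AUTHENTICATE):
        label = token.get_attribute(handle, "label")
        rv = token.login(CKU_CONTEXT_SPECIFIC, pin_prompt(f"PIN for {label}"))
        if rv != CKR_OK:
            return rv, None
    return token.sign(data)


def sign_ignoring_always_auth(token, handle, data):
    """A client that skips the context-specific login: the token must refuse."""
    rv = token.sign_init(handle)
    if rv != CKR_OK:
        return rv, None
    return token.sign(data)


def make_demo_token():
    # Constructed key set: four signing keys, all flagged CKA_ALWAYS_AUTHENTICATE.
    # Labels of keys 0 and 1 are from the report; keys 2 and 3 are placeholders.
    keys = {
        0: {"label": "CAC ID Certificate", CKA_ALWAYS_AUTHENTICATE: True},
        1: {"label": "CAC Email Signature Certificate", CKA_ALWAYS_AUTHENTICATE: True},
        2: {"label": "constructed key 2", CKA_ALWAYS_AUTHENTICATE: True},
        3: {"label": "constructed key 3", CKA_ALWAYS_AUTHENTICATE: True},
    }
    return FakeAlwaysAuthToken("123456", keys)       # constructed PIN


def run_session(pin="123456"):
    """Log in once, sign once with each key; return (number of PIN prompts, rv per key)."""
    token = make_demo_token()
    prompts = []

    def pin_prompt(message):
        prompts.append(message)
        return pin

    rv = token.login(CKU_USER, pin_prompt("User PIN"))
    if rv != CKR_OK:
        return len(prompts), {"login": rv}
    results = {}
    for handle in range(4):
        rv, _signature = sign_with_key(token, handle, b"constructed data", pin_prompt)
        results[handle] = rv
    return len(prompts), results


if __name__ == "__main__":
    count, per_key = run_session()
    print(f"{count} PIN prompts, return values per key: {per_key}")
```

Run as a script it reports 5 prompts (one user login plus one context-specific login per key), which is the pattern the reporter confirmed on Linux. The useful check when debugging a middleware is the second path: if a client calls C_SignInit and C_Sign on an always-authenticate key without the intervening C_Login(CKU_CONTEXT_SPECIFIC), a conforming token answers CKR_USER_NOT_LOGGED_IN rather than silently signing, so a signature that succeeds with no extra prompt, as key 0 does in the report above, is itself worth noting in the debug log.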
