Signing via website demo - CKR_FUNCTION_FAILED (unresolved: re-post from the old forum) #19

Open
Inso2008 opened this issue Nov 6, 2024 · 1 comment


Inso2008 commented Nov 6, 2024

Hello,

I am restarting an issue from the old forum (PeculiarVentures/fortify#581) because it still hasn't reached some conclusion.

I have a valid certificate for testing purposes (it works elsewhere), but am unable to make it happen due to some unspecific error. I have the newest build of Fortify (v2.0.3) installed on several machines (all Windows x64). I tried on various browsers (screen from Chrome v130.0.6723.92 console here: chrome_CKR_FUNKCTION_FAILED).

From the log from Fortify:
fortify.log.txt
It looks like it is the same problem as before, so here is PVPKCS11 log:
PVPKCS11.log
and certificate info:
CertificateInformation.txt

Hope it will help to possibly diagnose the problem.
Thank you for your time.

@microshine

@Inso2008 thank you for bringing this issue to our attention and providing detailed logs and certificate information—it greatly helps in diagnosing the problem.

Based on the logs and the error message you provided:

NTException(0x80090029) NCryptSignHash The requested operation is not supported.

It appears that the issue may originate at the pvpkcs11 level, specifically in how it handles the NCryptSignHash function during the signing operation.

Possible Cause

The error code 0x80090029 corresponds to NTE_NOT_SUPPORTED, which suggests that the operation being requested is not supported by the cryptographic provider or the key. In the pvpkcs11 code snippet, the NCryptSignHash function is called with the BCRYPT_PAD_PKCS1 flag:

```cpp
status = NCryptSignHash(
    key->GetNKey()->Get(),
    &paddingInfo,
    hash,
    hashLen,
    NULL,
    0,
    &ulSignatureLen,
    BCRYPT_PAD_PKCS1 // This flag might be incorrect
);
```

However, according to Microsoft's documentation, when using NCryptSignHash, the padding flags should be prefixed with NCRYPT_PAD_ instead of BCRYPT_PAD_. The BCRYPT_PAD_* flags are intended for use with the BCrypt* functions, whereas the NCrypt* functions expect NCRYPT_PAD_* flags.

Next Steps

I will attempt to reproduce this issue on my end using a similar certificate and environment. I will test the function with the NCRYPT_PAD_* flag to confirm if it resolves the problem. If it does, I will work on integrating the fix into the pvpkcs11 module and release an updated version.
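
One way to check, outside Fortify, whether the key's own provider rejects the signing operation with the NTE_NOT_SUPPORTED code discussed above. This is an added example, not code from Fortify, pvpkcs11 or either commenter; the thumbprint is a placeholder, and the script assumes an RSA key in the current user's certificate store and PowerShell 5.1 or later.

```powershell
# Added diagnostic sketch (not Fortify/pvpkcs11 code). It signs a constructed digest
# with the certificate's private key, so a token or smart card may prompt for its PIN.
param(
    [string]$Thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>',  # placeholder: your test certificate
    [string]$Store      = 'Cert:\CurrentUser\My'            # assumption: current-user store
)

$NTE_NOT_SUPPORTED = 0x80090029   # PowerShell parses this as the signed Int32 HRESULT

$cert = Get-Item -Path "$Store\$Thumbprint" -ErrorAction Stop
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'No accessible RSA private key for this certificate.' }

# RSACng means a CNG (NCrypt) key; RSACryptoServiceProvider means a legacy CAPI key.
"Key implementation: $($rsa.GetType().FullName)"

$paddings = [ordered]@{
    'PKCS#1 v1.5' = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    'PSS'         = [System.Security.Cryptography.RSASignaturePadding]::Pss
}
$message = [Text.Encoding]::ASCII.GetBytes('constructed probe message')

$results = foreach ($hashName in 'SHA1', 'SHA256', 'SHA384', 'SHA512') {
    $alg    = [System.Security.Cryptography.HashAlgorithmName]::new($hashName)
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($hashName)
    $digest = $hasher.ComputeHash($message)
    $hasher.Dispose()
    foreach ($p in $paddings.GetEnumerator()) {
        try {
            $sig = $rsa.SignHash($digest, $alg, $p.Value)
            $outcome = if ($rsa.VerifyHash($digest, $sig, $alg, $p.Value)) { 'OK' } else { 'signature did not verify' }
        } catch {
            # PowerShell wraps .NET exceptions; the base exception carries the HRESULT.
            $ex = $_.Exception.GetBaseException()
            $outcome = if ($ex.HResult -eq $NTE_NOT_SUPPORTED) {
                'NTE_NOT_SUPPORTED (0x80090029): rejected by the provider or key'
            } else {
                '0x{0:X8} {1}' -f $ex.HResult, $ex.Message
            }
        }
        [pscustomobject]@{ Hash = $hashName; Padding = $p.Key; Result = $outcome }
    }
}
$results | Format-Table -AutoSize
```

Rows that report NTE_NOT_SUPPORTED here point toward a restriction in the key or its provider for that hash and padding combination, while rows that report OK point toward the calling code.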
