This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

Accessing SafeNet eToken 5110+ CC (940B) results in CKR_FUNCTION_FAILED #566

Open
casusbelli opened this issue Feb 1, 2024 · 2 comments


@casusbelli

Hi!
I'm trying to use fortify to run a certificate installation using a SafeNet eToken 5110+ CC (940B).
When accessing the token, prior to opening the token password dialogue, fortify fails and reports CKR_FUNCTION_FAILED in the log. As this is a very generic error, how can I find out what the issue is? Logfile:

{"level":"info","message":"Logging status changed","source":"logging","timestamp":"2024-01-30T13:38:28.033Z","value":true}
{"level":"error","message":"Server event error","source":"server","timestamp":"2024-01-30T13:39:35.741Z"}
{"level":"info","message":"Closing open disposable windows","origin":"https://system.globalsign.com:55826","source":"server","timestamp":"2024-01-30T13:39:35.742Z"}
{"description":"","event":"close","level":"info","message":"Close session","reasonCode":1001,"remoteAddress":"https://system.globalsign.com:55826","source":"server","timestamp":"2024-01-30T13:39:35.743Z"}
{"level":"error","message":"Server event error","source":"server","timestamp":"2024-01-30T13:39:44.328Z"}
{"level":"info","message":"Closing open disposable windows","origin":"https://tools.fortifyapp.com:51110","source":"server","timestamp":"2024-01-30T13:39:44.329Z"}
{"description":"","event":"close","level":"info","message":"Close session","reasonCode":1001,"remoteAddress":"https://tools.fortifyapp.com:51110","source":"server","timestamp":"2024-01-30T13:39:44.330Z"}
{"level":"info","message":"Create a new connection","origin":"https://system.globalsign.com","source":"server","timestamp":"2024-01-30T13:40:41.563Z"}
{"level":"info","message":"Push session to stack","origin":"https://system.globalsign.com","source":"server","timestamp":"2024-01-30T13:40:41.564Z"}
{"level":"warn","message":"Cannot parse MessageSignedProtocol","source":"server","timestamp":"2024-01-30T13:40:41.616Z"}
{"authorized":true,"level":"info","message":"Initialize secure session","origin":"https://system.globalsign.com","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:41.655Z"}
{"action":"server/isLoggedIn","level":"info","message":"Run action","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:41.665Z"}
{"action":"provider/action/info","level":"info","message":"Run action","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:41.698Z"}
{"action":"provider/action/getCrypto","level":"info","message":"Run action","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:46.922Z"}
{"action":"crypto/isLoggedIn","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:46.949Z"}
{"crypto":"SafeNet 5110 (940 B) ","level":"info","message":"crypto/isLoggedIn","source":"server-api","timestamp":"2024-01-30T13:40:46.950Z"}
{"action":"crypto/subtle/generateKey","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:46.978Z"}
{"algorithm":{"hash":"SHA-256","name":"RSASSA-PKCS1-V1_5","sensitive":false,"token":false},"crypto":"SafeNet 5110 (940 B) ","extractable":false,"kyUsages":["sign","verify"],"level":"info","message":"generateKey","source":"server-api","timestamp":"2024-01-30T13:40:46.980Z"}
{"action":"crypto/subtle/exportKey","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:48.585Z"}
{"crypto":"SafeNet 5110 (940 B) ","format":"spki","key":{"algorithm":{"hash":"SHA-256","label":"RSA","name":"RSASSA-PKCS1-v1_5","sensitive":false,"token":false},"extractable":true,"id":"36761d25a43bc20867c44dd7c6ac6709","type":"public","usages":["verify"]},"level":"info","message":"exportKey","source":"server-api","timestamp":"2024-01-30T13:40:48.587Z"}
{"action":"crypto/subtle/sign","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:48.626Z"}
{"algorithm":{"hash":"SHA-256","name":"RSASSA-PKCS1-v1_5"},"crypto":"SafeNet 5110 (940 B) ","key":{"algorithm":{"hash":"SHA-256","label":"RSA","name":"RSASSA-PKCS1-v1_5","sensitive":false,"token":false},"extractable":false,"id":"36761d25a43bc20867c44dd7c6ac6709","type":"private","usages":["sign"]},"level":"info","message":"sign","source":"server-api","timestamp":"2024-01-30T13:40:48.628Z"}
{"action":"crypto/certificateStorage/import","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:48.685Z"}
{"algorithm":{"hash":"SHA-256","name":"RSASSA-PKCS1-V1_5"},"crypto":"SafeNet 5110 (940 B) ","format":"raw","keyUsages":["sign","verify"],"level":"info","message":"certStorage/importCert","source":"server-api","timestamp":"2024-01-30T13:40:48.687Z"}
{"action":"crypto/keyStorage/setItem","level":"info","message":"Run action","provider":"73f88f9556d905ecedfa3ba18b0b6386549cf18fbc6b7f7c2a6b0f6bbb3bcd6b","session":"ac07c9c2d5b0d616a16503e6b75750ba4d61522707f659954e0d38b68363cc0a","source":"server","timestamp":"2024-01-30T13:40:48.730Z"}
{"crypto":"SafeNet 5110 (940 B) ","key":{"algorithm":{"hash":"SHA-256","label":"RSA","name":"RSASSA-PKCS1-v1_5","sensitive":false,"token":false},"extractable":false,"id":"36761d25a43bc20867c44dd7c6ac6709","type":"private","usages":["sign"]},"level":"info","message":"keyStorage/setItem","source":"server-api","timestamp":"2024-01-30T13:40:48.732Z"}
{"error":"CKR_FUNCTION_FAILED","level":"error","message":"Server event error","source":"server","timestamp":"2024-01-30T13:40:48.779Z"}

@microshine
Collaborator

The issue might stem from the SafeNet eToken 5110+ CC (940B) not supporting key creation through the C_CopyObject, which is employed by the crypto/keyStorage/setItem method. Try setting the token: true flag for the key algorithm during its generation. This will enable key generation on the token without the use of C_CopyObject.

await crypto.subtle.generateKey({...alg, token: true, sensitive: true}, false, ["sign", "verify"])

This example facilitates the invocation of C_GenerateKeyPair and sets values for the CKA_TOKEN and CKA_SENSITIVE keys.
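One way to narrow down a generic CKR_FUNCTION_FAILED from a log like the one in this issue: find the last "Run action" before the error and check whether the key involved was created with `token: false`. This is an added example, not part of the thread and not Fortify's own code. The field names come from the log above; the function names `parseLog` and `triage` and the abridged sample records are constructed for illustration.

```javascript
// Constructed sample: abridged records in the shape of the log in this issue
// (session ids, provider ids and timestamps dropped).
const SAMPLE_LOG = [
  '{"level":"error","message":"Server event error","source":"server"}',
  '{"action":"crypto/subtle/generateKey","level":"info","message":"Run action","source":"server"}',
  '{"algorithm":{"hash":"SHA-256","name":"RSASSA-PKCS1-V1_5","sensitive":false,"token":false},"level":"info","message":"generateKey","source":"server-api"}',
  '{"action":"crypto/certificateStorage/import","level":"info","message":"Run action","source":"server"}',
  '{"action":"crypto/keyStorage/setItem","level":"info","message":"Run action","source":"server"}',
  '{"key":{"algorithm":{"name":"RSASSA-PKCS1-v1_5","sensitive":false,"token":false},"type":"private"},"level":"info","message":"keyStorage/setItem","source":"server-api"}',
  '{"error":"CKR_FUNCTION_FAILED","level":"error","message":"Server event error","source":"server"}',
].join("\n");

// Parse one-JSON-record-per-line text, skipping blank or damaged lines.
function parseLog(text) {
  const records = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim()) continue;
    try { records.push(JSON.parse(line)); } catch { /* not a JSON record */ }
  }
  return records;
}

// For each error record that carries an "error" code, report the action that
// ran last and the token flag of the most recently logged key.
function triage(text) {
  const findings = [];
  let lastAction = null;
  let lastKeyAlg = null;
  for (const rec of parseLog(text)) {
    if (rec.message === "Run action" && rec.action) lastAction = rec.action;
    const alg = (rec.key && rec.key.algorithm) || rec.algorithm;
    if (alg && typeof alg.token === "boolean") lastKeyAlg = alg;
    if (rec.level !== "error" || !rec.error) continue; // uncoded errors say nothing
    const sessionKey = lastKeyAlg ? lastKeyAlg.token === false : null;
    findings.push({
      error: rec.error,
      failedAction: lastAction,
      keyIsSessionObject: sessionKey,
      // Heuristic from the reply above: a token:false key passed to
      // keyStorage/setItem has to be copied onto the token.
      copyToTokenSuspected: lastAction === "crypto/keyStorage/setItem" && sessionKey === true,
    });
  }
  return findings;
}

console.log(triage(SAMPLE_LOG));
```

A `copyToTokenSuspected: true` result is only a hint that matches the pattern described in the reply; it does not identify the cause of the error.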

@casusbelli
Author

Thanks for the feedback. In the meantime I was able to access the token with fortifyapp default settings in a freshly set up Windows 11 VM. So this issue seems to be related to Windows 10 or some other aspect of a system which has been around quite a while and has lots of tool installations.
The immediate issue is solved for me, therefore. Anything interesting I can collect for this, still?
