Unable to sign using PKCS11Signer

[ihegde]

Hi,
Has anyone got PKCS11 signing working with ePass2003 token?

The terminology of certificate label /id/key_id/key_label etc seem to be different, so I first printed it and tried passing the same values. Still getting error, so wondering if I'm not looking at the right object.

with _simple_sess() as sess:
    for cert in sess.get_objects():
       print(cert[Attribute.LABEL])
       print(cert[Attribute.ID])

Above label and Id are printing, so that means I got the library, session and certificate.

I tried many ways to get the signer, but it always gives one or the other error:

1.             signer = pkcs11.PKCS11Signer(
                sess, cert_label='mylabel', other_certs_to_pull=default_other_certs,
                bulk_fetch=True, prefer_pss=True
            )
   

pkcs11.exceptions.PKCS11Error: Could not find cert with label '..'

2.          signer = pkcs11.PKCS11Signer(
                sess, cert_id=b'{3.......}\x00', key_id=b'7......0', other_certs_to_pull=default_other_certs,
                bulk_fetch=True, prefer_pss=True
            )
   

This throws: pkcs11.exceptions.NoSuchKey: No key matching {<Attribute.CLASS>: <ObjectClass.PRIVATE_KEY>, <Attribute.ID>: b'7...'
3. signer = pkcs11.PKCS11Signer(
sess, cert_label='mylabel', signing_cert=cert, other_certs_to_pull=default_other_certs,
bulk_fetch=True, prefer_pss=True
)

Traceback (most recent call last):
.....site-packages\pyhanko_certvalidator\registry.py", line 137, in register
if cert.issuer_serial in self.certs:
AttributeError: 'Certificate' object has no attribute 'issuer_serial'

[MatthiasValvekens]

I'm not familiar with the specific token you mention, but your discovery routine is a little off:

with _simple_sess() as sess:
    for cert in sess.get_objects():
       print(cert[Attribute.LABEL])
       print(cert[Attribute.ID])

get_objects() will return many more things than just certificates, in general. Things like private keys, public keys, maybe even curve parameters and whatnot: those are all separate. You'll want to at least separate these out by object class (Attribute.CLASS) to figure out how to proceed.

FWIW, in order to sign over PKCS#11, you just need a private key handle. The associated certificates can be read from the PKCS#11 token, but you can also provision them out-of-band if necessary, so I'd focus on figuring out how to access the key first.

[MatthiasValvekens]

What do you have in default_other_certs? I get the impression that there's a mixup happening between asn1crypto-style Certificate objects (those should have issuer_serial), and Certificate objects from some other library (possibly pkcs11).

[ihegde]

What should be there in default_other_certs? :) I did not change it from the sample code
default_other_certs = ('root', 'interm')

Also it is not a asn1crypto style Certificate then, so I'll not use that approach.

[MatthiasValvekens]

Ah, I see, you copied that piece of code from the tests. Better to leave it out then either way, but even so it's kind of weird that it would cause the error you're seeing.

Any chance you could verify the type of the object that's throwing the error using a debugger? A more complete stack trace for the error would also help, maybe there's something else amiss.

[ihegde]

Sorry couldn't reply, was off for a few days. Yes I was referring to test code.
I am able to get through the above errors. went through the cert_label and cert_id route. Also, below code works for a pfx file if I replace the signer assignment by signer = signers.SimpleSigner.load_pkcs12(..... I'm just replacing the signer with the PKCS11Signer. Is this the right thing to do?
With this, facing an error at the last step of signing. It seems to be an assertion error in the pkcs11 module, any idea what might be wrong?

inf = open(ipfilename, 'rb')
w = IncrementalPdfFileWriter(inf)
sig_name = 'Signature1'
fields.append_signature_field(
w, sig_field_spec=fields.SigFieldSpec(
sig_name,
on_page=0,
box=(515, 527, 720, 597)
)
)

meta = signers.PdfSignatureMetadata(field_name=sig_name)
sess = _simple_sess()
signer = pkcs11.PKCS11Signer(
sess, cert_label=certlabel, cert_id=certid,
bulk_fetch=True, prefer_pss=True
)

pdf_signer = signers.PdfSigner(
meta, signer=signer, stamp_style=stamp.TextStampStyle(
stamp_text='Digitally Signed by XYZ',
text_box_style=text.TextBoxStyle(font=opentype.GlyphAccumulatorFactory('../font/NotoSans-Regular.ttf'), font_size=10,
),
border_width=0,
#background=images.PdfImage('stamp.png')
),
)
outf = open(opfilename, 'wb')
pdf_signer.sign_pdf(w, output=outf)

outf.close()
inf.close()

pdf_signer.sign_pdf throws error with following call stack:

Traceback (most recent call last):
File "p11sign.py", line 196, in
pdf_signer.sign_pdf(w, output=outf)
File "\venv\lib\site-packages\pyhanko\sign\signers\pdf_signer.py", line 1258, in sign_pdf
result = asyncio.run(
File "C:\Program Files (x86)\Python38-32\lib\asyncio\runners.py", line 43, in run
return loop.run_until_complete(main)
File "C:\Program Files (x86)\Python38-32\lib\asyncio\base_events.py", line 608, in run_until_complete
return future.result()
File "\venv\lib\site-packages\pyhanko\sign\signers\pdf_signer.py", line 1332, in async_sign_pdf
post_signing_doc = await tbs_document.perform_signature(
File "venv\lib\site-packages\pyhanko\sign\signers\pdf_signer.py", line 2140, in perform_signature
signature_cms = await signer.async_sign(
File "\venv\lib\site-packages\pyhanko\sign\signers\pdf_cms.py", line 810, in async_sign
return await self.async_sign_prescribed_attributes(
File "\venv\lib\site-packages\pyhanko\sign\signers\pdf_cms.py", line 868, in async_sign_prescribed_attributes
signature = await self.async_sign_raw(
File "\venv\lib\site-packages\pyhanko\sign\pkcs11.py", line 574, in async_sign_raw
return await loop.run_in_executor(None, _perform_signature)
File "C:\Program Files (x86)\Python38-32\lib\concurrent\futures\thread.py", line 57, in run
result = self.fn(*self.args, **self.kwargs)
File "\venv\lib\site-packages\pyhanko\sign\pkcs11.py", line 568, in _perform_signature
signature = kh.sign(data, **spec.sign_kwargs)
File "\venv\lib\site-packages\pkcs11\types.py", line 939, in sign
return self._sign(data, **kwargs)
File "pkcs11\_pkcs11.pyx", line 1072, in pkcs11._pkcs11.SignMixin._sign
File "pkcs11\_pkcs11.pyx", line 1074, in pkcs11._pkcs11.SignMixin._sign
File "pkcs11\_errors.pyx", line 88, in pkcs11._pkcs11.assertRV
pkcs11.exceptions.GeneralError

[MatthiasValvekens]

Your general approach looks correct to me, but the root cause for that error looks very hard to diagnose without knowing more about the PKCS#11 implementation that you're using...

Comparing your stack trace against the source of python-pkcs11 at the latest release tag, it looks like the call to C_SignInit is failing: https://github.com/danni/python-pkcs11/blob/0dc94bd5b88f344278a08f02f9ed9f86b6478d7b/pkcs11/_pkcs11.pyx#L1074.

Unfortunately, the error code isn't exactly informative... Any chance that your PKCS#11 library keeps a log somewhere that you could check? In cases like this, vendor-specific logging info usually gets you to a solution faster. Maybe it's some kind of authentication issue?

[acuartango]

Hi,
I have test pkcs11 sign with a phisical PKCS11 smartcard from "https://www.bit4id.com". I had troubles if i didn't use " --cert-label" clause...

I'll explain how i did it in Ubuntu 22.04 . First you need your smartcard's "label" text (Will ask you your PIN). The module "libbit4ipki.so" is from our smartcard's manufacturer, contained in the driver, that installs in this location:

pkcs11-tool --module /usr/lib/bit4id/libbit4ipki.so -O -l

I can sign with this command (after some test&error). The second is with invisible signature. The field is a internal label visible with Acrobat when you show the signature:

pyhanko --verbose sign addsig --field "1/100,100,300,200/My Name" pkcs11 --lib /usr/lib/libbit4ipki.so --cert-label "NOMBRE APELLIDO1 APELLIDO2 - 11111111H" original.pdf original_signed.pdf

pyhanko --verbose sign addsig --field "Nugbe" pkcs11 --lib /usr/lib/libbit4ipki.so  --cert-label "NOMBRE APELLIDO1 APELLIDO2 - 11111111H" original.pdf original_signed.pdf

Hope will help you or anybody!

[ihegde]

hi @acuartango, Thanks for the guidance. Unfortunately I'm unable to use CLI because the label seems to have a special character that the command line is not recognizing. I'm able to use it through python code only after saving it to a variable and passing the same to the PKCS11Signer. I'll try this on some other DSC when I get access to one.