CKR_USER_NOT_LOGGED_IN Error when Signing ZIP file with Sectigo USB eToken

Hey everyone,

I have tried to sign a zip file with module-signer code from GitHub - inductiveautomation/module-signer: A utility that signs modules for use in Ignition to create MODL file.

We are using Sectigo USB eToken for signing.

When we try to sign our ZIP File which contains more than one file, we get this error in the figure below:

As you can see, the first file /hmi-protection-gateway-1.0.0.jar was successfully signed, but the second file /module.xml failed.
Also, it does not matter which files I have tried to sign or the order, it’s just stopped working when attempting to sign the second file.

I have tried to debug this, and I have found the exact line where the code raises an exception:

The line code 634 failed and raised this exception:

Nothing that I have tried so far to solve this error works… Any suggestions would be appreciated!

Thanks,
Ben

I’m not familiar with the Sectigo product, but I suspect you have the cert installed under the wrong slot ID. Standard slots 0x9a, 0x9c, 0x9d, and 0x9e have different expectations for PIN usage. This Yubikey document spells them out:

https://developers.yubico.com/PIV/Introduction/Certificate_slots.html

Note 9a and 9d allow multiple signing operations after a single PIN application. 9c needs the PIN for every one. Look for similar information about your Sectigo device. The Yubikey doc implies that non-standard IDs may have configurable behavior.

I use slot 0x9a for module signing.

Possibly some actionable information here: Unable to sign using PKCS#11 token · Issue #42 · kaikramer/keystore-explorer · GitHub

I think I hit the same block on a YubiKey 5 NFC using the default signing slot 9c in enhancing ignition-module-tools' gradle-module-plugin to incorporate PKCS#11 signing support.

Then it was possible to hack around that (for now) using Phil's slot 9a trick above.

Longer term I think a password callback handler like the ones mentioned in the link in Kevin's post may be needed to use the YK5's "proper" slot and other HSMs that re-challenge on signing operations. I am a little worried for the potential of every HSM actiing a little differently. [1]

This work is in my fork on GitHub. The relevant commits are 6824b81 and bbd1ccd.

[1] See Nitrokey attempt stalling out immediately, for example.

1 Like

Draft PR.

inductiveautomation/ignition-module-tools#43

1 Like
1 Like

Will test next week.

1 Like