node-webcrypto-p11
AKIS - CKR_BUFFER_TOO_SMALL error
Hi,
I have an AKIS card (v2.6.2) to store EC keys. I can sign any data using Bouncy Castle in Java, but it throws a CKR_BUFFER_TOO_SMALL error when using node-webcrypto-p11.
Key info is : sign {"crypto":"AKIS","algorithm":{"name":"ECDSA","hash":"SHA-384"},"key":{"algorithm":{"name":"ECDSA","hash":"SHA-384","namedCurve":"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","token":true,"sensitive":true,"label":"nes"},"type":"private","extractable":false,"usages":["sign"],"id":"da266a488f872eea0ff131c304e1c16fdba533c7"}}
I think it cannot identify the curve. I have tested a SafeNet eToken 5100 with the same key and certificate, and it works well (the curve is P-384). But for AKIS, I got the CKR_BUFFER_TOO_SMALL error.
Any comments?
The problem is related to fixed buffer allocation in the graphene-pk11 library used by node-webcrypto-p11.
Root Cause
In the src/crypto/sign.ts file, hardcoded 1024-byte buffers are used for all signing operations:
// Line 55 - final() method
const sig = Buffer.alloc(1024);
// Line 76 - once() method
const signature = Buffer.alloc(1024);
Why AKIS Cards Fail While SafeNet eToken 5100 Works
SafeNet eToken 5100:
- Uses standard named curves (OID references)
- P-384 = 1.3.132.0.34 = 7 bytes
- Total signature data size: ~100-200 bytes
AKIS Cards:
- Use explicit curve parameters in ASN.1 format instead of OIDs
- For P-384 this includes:
  - Prime field p: 48 bytes
  - Curve coefficients a, b: 96 bytes
  - Base point G: 97 bytes (uncompressed format)
  - Order n: 48 bytes
  - ASN.1 structure overhead: ~50 bytes
- Total: ~340-390 bytes for curve parameters alone
- With signature data and metadata: 500-600+ bytes
Solution
Replace fixed buffers with dynamic memory allocation:
public final(): Buffer {
  // First call to get required buffer size
  let requiredLength = 0;
  try {
    this.lib.C_SignFinal(this.session.handle, null, (length) => { // requires pkcs11js update
      requiredLength = length;
    });
  } catch (error) {
    // Fallback for tokens that don't support size queries
    requiredLength = 4096;
  }
  const sig = Buffer.alloc(Math.max(requiredLength, 1024));
  return this.lib.C_SignFinal(this.session.handle, sig);
}
Similar changes are needed in the once() method, as well as in verify.ts and digest.ts files.
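
To check which form a given token actually stores, the following added example (not from this thread and not part of node-webcrypto-p11 or graphene-pk11) classifies the DER bytes of a key's CKA_EC_PARAMS attribute as a named-curve OID or explicit parameters. The function names and both sample buffers are constructed for illustration; the explicit sample carries only a valid DER header over a zero-filled body, not real curve parameters.

```javascript
// Added example: classify the DER bytes of a PKCS#11 CKA_EC_PARAMS value.
const CURVE_NAMES = { "1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521" };

// Parse the DER tag and length at the start of buf.
function readDerHeader(buf) {
  if (buf.length < 2) throw new Error("truncated DER value");
  let len = buf[1];
  let offset = 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || buf.length < 2 + n) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[2 + i];
    offset = 2 + n;
  }
  if (offset + len > buf.length) throw new Error("DER length exceeds buffer");
  return { tag: buf[0], offset, len };
}

// Decode OID content bytes (base-128 arcs) into dotted notation.
function decodeOid(bytes) {
  if (bytes.length === 0 || (bytes[bytes.length - 1] & 0x80)) throw new Error("bad OID");
  const arcs = [];
  let value = 0;
  for (const b of bytes) {
    value = value * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(value); value = 0; }
  }
  const first = arcs.shift(); // first subidentifier packs two arcs as 40*X + Y
  const x = Math.min(Math.floor(first / 40), 2);
  return [x, first - 40 * x, ...arcs].join(".");
}

// ECParameters is a CHOICE: OID (0x06), explicit SEQUENCE (0x30) or NULL (0x05).
function classifyEcParams(buf) {
  const { tag, offset, len } = readDerHeader(buf);
  const encodedBytes = offset + len;
  if (tag === 0x06) {
    const oid = decodeOid(buf.subarray(offset, offset + len));
    return { form: "namedCurve", oid, curve: CURVE_NAMES[oid] || "unknown", encodedBytes };
  }
  if (tag === 0x30) return { form: "explicit", encodedBytes };
  if (tag === 0x05) return { form: "implicitlyCA", encodedBytes };
  throw new Error("not an ECParameters value: tag 0x" + tag.toString(16));
}

// Constructed samples: the P-384 OID, and a SEQUENCE header over 347 zero bytes.
const NAMED_P384 = Buffer.from("06052b81040022", "hex");
const EXPLICIT_SAMPLE = Buffer.concat([Buffer.from("3082015b", "hex"), Buffer.alloc(0x15b)]);
```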