This repository has been archived by the owner on Mar 16, 2020. It is now read-only.

Can't unlock token - wrong Pin was presented #9

Closed
Scottapotamas opened this issue Nov 29, 2019 · 7 comments
Comments

@Scottapotamas

System Setup

  • Using SafenetSign.exe 0.2.0 from Github releases download.
  • Digicert EV token.
  • Windows 10 Enterprise 1903 running as a virtual machine, with the USB token passed through.
  • Attempting to sign a .exe which was generated by go, and a .msi generated by wixtoolset
  • I have remote access to the windows machine through SSH, and a VNC connection to the host linux box which can see the vm's display output.

Steps

"Digicert Certificate Utility for Windows" is able to sign the exe, with the normal OS smartcard prompt used for PIN entry.

Using the following command:

> C:\ev-sign\publish\SafenetSign.exe 0cf50ef7039ffc481654808c07acfb36530eee3c p1[ 16 chars redacted ]13 user wb[redacted pass]N3 http://timestamp.digicert.com pe arc.exe -v

Gives the following output:

Validating certificate thumbprint
Converting thumbprint to bytes
Acquiring cryptographic context
Setting PIN
Signing operation failed. Error details:
The card cannot be accessed because the wrong PIN was presented. (Exception from HRESULT: 0x8010006B)

I have validated multiple times that the PIN is correct, the container-name from SafeNet is correct, and the fingerprint is correct.

Any thoughts?

@Scottapotamas
Author

I think it's possible that a ^ character in my password was escaping somewhere. The password was an autogenerated one, and another password I've tried with more 'normal' characters got further along:

Validating certificate thumbprint
Converting thumbprint to bytes
Acquiring cryptographic context
Setting PIN
Opening system-level cryptographic store 131072/MY
Retrieving certificate from the store
Signing operation failed. Error details:
Cannot find object or property. (Exception from HRESULT: 0x80092004)

When run on a CLI running graphically rather than headless, the Windows smart card UI prompts for the PIN...
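The escaping suspicion above can be checked without the token. The following is an added example, not code from SafenetSign or from this thread; it assumes the command is typed into cmd.exe (the default shell for OpenSSH on Windows), models only cmd.exe's caret rule, and shows what cmd.exe hands to the program, which characters in a secret need care, and how to caret-escape a token for an unquoted argument.

```python
# Added example (not part of SafenetSign): reproduce how cmd.exe mangles a
# secret containing '^' before the program sees it, flag risky characters,
# and escape a token for use as an unquoted cmd.exe argument.

# Metacharacters that change meaning in an unquoted cmd.exe token.
CMD_SPECIAL = '^&|<>()"'
# Expanded by cmd.exe even inside double quotes; a caret does not protect them.
CMD_EXPANDED = '%!'


def cmd_delivers(token):
    """Approximate what cmd.exe passes on for TOKEN: outside double quotes a
    caret escapes the next character and is itself dropped; inside double
    quotes the caret is literal. Only this caret rule is modelled."""
    out, in_quotes, i = [], False, 0
    while i < len(token):
        c = token[i]
        if c == '"':
            in_quotes = not in_quotes
            out.append(c)
        elif c == '^' and not in_quotes:
            i += 1                      # caret consumed, next char is literal
            if i < len(token):
                out.append(token[i])
        else:
            out.append(c)
        i += 1
    return ''.join(out)


def risky_chars(secret):
    """Distinct characters in SECRET that cmd.exe may alter, sorted."""
    return sorted({c for c in secret if c in CMD_SPECIAL + CMD_EXPANDED})


def cmd_escape(token):
    """Caret-escape TOKEN for an unquoted cmd.exe argument. Characters in
    CMD_EXPANDED cannot be protected this way; a secret containing them
    should bypass the shell entirely (e.g. subprocess with an argument list)."""
    if any(c in CMD_EXPANDED for c in token):
        raise ValueError("token contains % or !, which cmd.exe expands; pass it without a shell")
    return ''.join('^' + c if c in CMD_SPECIAL else c for c in token)


if __name__ == "__main__":
    sample = 'wb^N3'                    # constructed sample, not the real PIN
    print(f"typed {sample!r}, program receives {cmd_delivers(sample)!r}")
    print("risky characters:", risky_chars(sample))
    print("escaped form:", cmd_escape(sample))
```

A constructed PIN such as `wb^N3` arrives at the program as `wbN3`, which is exactly the symptom reported: the PIN is rejected even though the value typed is correct.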

@mareklinka
Owner

Yeah, the first problem might have been an escaping problem. The other looks more like the certificate cannot be found. Are you sure the certificate in question is in the User store and not the Machine store?

@Scottapotamas
Author

It invokes the graphical Windows smart card dialog prompt, so I'd presume User is correct in that case? Machine fails with the same error but no graphical prompt...

@mareklinka
Owner

If the regular UI comes up, it looks like the application either didn't set the correct PIN (the PIN was set, otherwise the process would exit sooner but there are several types of PINs for these providers) or maybe there is some other complication in the way which the tool cannot handle.

As reported earlier by another user, it might be possible to use SignTool for the signing, would you mind giving that a try? See #8.

@Scottapotamas
Author

Surprisingly it seems like signtool works, though I had to try a few different versions of signtool.exe to get it to stick... When I had tried that method previously I couldn't get it to run without graphically prompting or failing.

For anyone else reading this, I had issues with signtool.exe in Windows SDK versions earlier than early 2019. It might be relevant that the Digicert token was issued in the first week of October 2019 and my token does not allow exporting the cert as seen in some of the older Stack Overflow posts.

@Scottapotamas
Author

Thanks @mareklinka for your work on this tool, and your help!

@mareklinka
Owner

Glad you managed to get it working! Yeah, if the token doesn't allow that kind of export, it's probably why my tool cannot deal with it. Probably requires different parameters when accessing the cert or something.

That's the trouble with a tool like this - there are so many different token/cert setups out there and since they contain secrets, it's impossible to debug against them :) Nonetheless, glad you found a working solution.
