Singing big files

When I try to sign a binary file of 2 MB with
pkcs11-tool.exe --sign --input-file tempfile.bin -m ECDSA-SHA256--output-file signature.bin -v --ID {private_key_id}
The signature verification always fails, but the signing command itself says everything is OK.

It seems the HSM is not able to process files bigger than about 1k. That might be logical as it could also take a very long time to calculate the SHA with the HSM but why doesn’t it complain the file is too big and just aborts the signing.

Most likely the same problem occurs when we want to verify a big file

You don’t need or maybe even should not need to verify the signature using the HSM, which are usually slower devices… Verification can be done in the software using the public key.

This is a limitation of many smartcard-based devices … can you try to hash the binary with sha256 first and then sign the result with ECDSA?

I understand why it’s not working and how to work around by making a SHA upfront, what is also much faster :grinning:. But the problem I have there is no feedback the size is too big, and it just returns an invalid signature :unamused: and giving the suggestion everything is fine.

Using OpenSC 0.26.1 on FreeBSD I got the following when the tempfile.bin that contains 2048 zero bytes:

+ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --sign --input-file tempfile.bin -m ECDSA-SHA256 --output-file signature.bin -v -l -p 648219
Using slot 0 with a present token (0x0)
Using signature algorithm ECDSA-SHA256
error: PKCS11 function C_SignFinal failed: rv = CKR_DATA_LEN_RANGE (0x21)
Aborting.

With a two megabytes of zeros, I got:

+ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --sign --input-file tempfile.bin -m ECDSA-SHA256 --output-file signature.bin -v -l -p 648219
Using slot 0 with a present token (0x0)
Using signature algorithm ECDSA-SHA256
error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7)
Aborting.

In the 2 megabyte case, it didn’t even bother sending the data to the card.