jackofmosttrades / aws-kms-pkcs11
PKCS#11 Provider Using AWS KMS
License: MIT License
Hi there,
I compiled the library against OpenSSL v3 and saw some compilation "OSSL_DEPRECATED" warnings. Is the library working with OpenSSL v3?
Thanks!
Hi! First of all, thank you very much for this awesome work!
I'm having issues using GPG with this module. Working with an RSA_4096 key, I'm able to create the certificate and the GPG agent is able to discover it:
OK Pleased to meet you
SCD LEARN
gpg-agent[68961]: no running SCdaemon - starting it
gpg-agent[68961]: DBG: first connection to SCdaemon established
S SERIALNO D2760001240111503131233D17681111
S APPTYPE PKCS11
S KEY-FRIEDNLY 97AF68BD18212B1E98A5FAA8B562EDA8A3DD6ECC /CN=oscar.test on my-signing-key
S CERTINFO 101 aws_kms/0/0/my\x2Dsigning\x2Dkey/39613163393832652D356365662D343238662D623766392D373862343763616462633266
S KEYPAIRINFO 97AF68BD18212B1E98A5FAA8B562EDA8A3DD6ECC aws_kms/0/0/my\x2Dsigning\x2Dkey/39613163393832652D356365662D343238662D623766392D373862343763616462633266
OK
However, when I try gpg --expert --full-generate-key, it fails in the last step:
...
GnuPG needs to construct a user ID to identify your key.
Real name: my-signing-key
Email address:
Comment:
You selected this USER-ID:
"my-signing-key"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: signing failed: Card error
gpg: make_keysig_packet failed: Card error
Key generation failed: Card error
Here is the related part in the GPG Agent logs:
DBG: chan_11 <- OK
detected card with S/N D2760001240111503131233D17681111
DBG: encoded hash: 30 51 30 0D 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 37 8D 27 23 04 74 FE E8 F3 88 2C A0 75 75 D0 DE 0F D0 1C 39 7E FA 5A 68 B0 0A 19 60 C0 02 AA 05 B7 74 F5 52 93 AB BF 11 56 01 43 70 FC 21 9B 34 0B 03 04 24 B7 2E D3 62 9C 84 16 1C D4 37 68 0A
DBG: chan_11 -> SETDATA 3051300D060960864801650304020305000440378D27230474FEE8F3882CA07575D0DE0FD01C397EFA5A68B00A1960C002AA05B774F55293ABBF1156014370FC219B340B030424B72ED3629C84161CD437680A
DBG: chan_11 <- OK
DBG: chan_11 -> PKSIGN --hash=sha512 aws_kms/0/0/my\x2Dsigning\x2Dkey/39613163393832652D356365662D343238662D623766392D373862343763616462633266
DBG: agent_cache_housekeeping
DBG: chan_11 <- ERR 108 Card error <Unspecified source>
smartcard signing failed: Card error
command 'PKSIGN' failed: Card error
DBG: chan_10 -> ERR 67108972 Card error <GPG Agent>
DBG: chan_10 <- [eof]
And here is a log section of gnupg-pkcs11-scd that I think is related:
PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0
PKCS#11: _pkcs11h_session_getObjectById return rv=512-'CKR_FUNCTION_REJECTED', *p_handle=ffffffffffffffff
PKCS#11: _pkcs11h_certificate_resetSession return rv=512-'CKR_FUNCTION_REJECTED'
PKCS#11: __pkcs11h_certificate_getKeyAttributes return rv=512-'CKR_FUNCTION_REJECTED'
PKCS#11: pkcs11h_certificate_signAny return rv=512-'CKR_FUNCTION_REJECTED', *p_target_size=000000000000007f
PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x55a827611660
PKCS#11: _pkcs11h_session_release entry session=0x55a827617190
PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
I attach the full logs for both the GPG agent and gnupg-pkcs11-scd:
gpg-agent.log
gnupg-pkcs11-scd.log
I'm working on an Ubuntu 22.04 system with:
Thanks!
Hi there,
Thanks for developing this! :) This PKCS11 plugin is exactly what I need.
I'm planning to use it with RAUC.
I'm having trouble compiling it though; it ends up with these errors when running make:
g++ -shared -fPIC -Wall -I /usr/include/opencryptoki -I/root/aws-sdk-cpp/include -fno-exceptions -std=c++11 aws_kms_pkcs11.cpp -o aws_kms_pkcs11.so \
-Wl,--whole-archive \
/root/aws-sdk-cpp/lib/libaws-checksums.a \
/root/aws-sdk-cpp/lib/libaws-c-common.a \
/root/aws-sdk-cpp/lib/libaws-c-event-stream.a \
/root/aws-sdk-cpp/lib/libaws-cpp-sdk-core.a \
/root/aws-sdk-cpp/lib/libaws-cpp-sdk-kms.a \
-Wl,--no-whole-archive -lcrypto -ljson-c -lcurl
aws_kms_pkcs11.cpp: In function 'CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR)':
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetMechanismList {aka long unsigned int (*)(long unsigned int, long unsigned int*, long unsigned int*)}' [-fpermissive]
};
^
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetMechanismInfo {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_MECHANISM_INFO*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_InitToken {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_InitPIN {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetPIN {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetSessionInfo {aka long unsigned int (*)(long unsigned int, CK_SESSION_INFO*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetOperationState {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetOperationState {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CreateObject {aka long unsigned int (*)(long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CopyObject {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DestroyObject {aka long unsigned int (*)(long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetObjectSize {aka long unsigned int (*)(long unsigned int, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetAttributeValue {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_ATTRIBUTE*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Encrypt {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Decrypt {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Digest {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestKey {aka long unsigned int (*)(long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignRecoverInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignRecover {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Verify {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyRecoverInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyRecover {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestEncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptDigestUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignEncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptVerifyUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateKeyPair {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, CK_ATTRIBUTE*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_WrapKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_UnwrapKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, unsigned char*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DeriveKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SeedRandom {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateRandom {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetFunctionStatus {aka long unsigned int (*)(long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CancelFunction {aka long unsigned int (*)(long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_WaitForSlotEvent {aka long unsigned int (*)(long unsigned int, long unsigned int*, void*)}' [-fpermissive]
Makefile:13: recipe for target 'aws_kms_pkcs11.so' failed
make: *** [aws_kms_pkcs11.so] Error 1
Any ideas?
Is it possible to add aarch64 to the releases section?
I have a suggestion for improvement for the plugin.
What do you think about multiple slots for the PKCS plugin? For example, right now we have:
"kms_key_id": "......"
In the current case, it would default to slot 0.
This would be superseded by a kms_key_ids key (if set); in that case kms_key_id is ignored and the kms_key_ids array is used instead.
So, the config could look like this:
"kms_key_ids": [{
"kms_key_id": "<slot0_kms_id>",
"aws_region": "us-west-1"
},
{
"kms_key_id": "<slot1_kms_id>",
"aws_region": "us-west-2"
},
...........
]
This way, it can use the array index as the slot index and we can pass an arbitrary number of slot items via the PKCS11 plugin (up to the number of slots the PKCS11 protocol supports).
Of course this can currently be supported by changing the config each time you want to use it, but I thought it could be nice to natively support it.
I haven't had a chance to debug further, but just in case you have an idea...
With all the latest fixes we did, I can list keys and certs with NSS fine, but if I try to use p11tool --list-certs, it gives me something like:
$ p11tool --list-certs pkcs11:token=test-sign-key
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/ec2-user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot test-sign-key from path /home/ec2-user/test-sign-cert.pem
AWS_KMS: Configured slots:
AWS_KMS: alias/test-sign-key
AWS_KMS: Getting public key for key alias/test-sign-key
AWS_KMS: Successfully fetched public key data.
No matching objects found
With ltrace, the last few lines look like:
gnutls_pkcs11_init(1, 0, 0x7fa85a4810e0, 0AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/ec2-user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot test-sign-key from path /home/ec2-user/test-sign-cert.pem
AWS_KMS: Configured slots:
AWS_KMS: alias/test-sign-key
) = 0
gnutls_pkcs11_set_pin_function(0x40a270, 0x7ffd99d67e60, 3, 0) = 0x7fa85a481fb8
gnutls_pkcs11_set_token_function(0x40a660, 0x7ffd99d67e60, 3, 0) = 0x7fa85a481fc8
gnutls_pkcs11_token_get_flags(0x7ffd99d682f7, 0x7ffd99d67d2c, 3, 0) = 0
gnutls_pkcs11_obj_list_import_url2(0x7ffd99d67d40, 0x7ffd99d67d34, 0x7ffd99d682f7, 3AWS_KMS: Getting public key for key alias/test-sign-key
AWS_KMS: Successfully fetched public key data.
) = 0
fwrite("No matching objects found\n", 1, 26, 0x7fa859115680No matching objects found
) = 26
exit(0 <no return ...>
So it's somewhat unhappy, but I'm not too sure why at this stage.
I've been successfully using ECC keys for signing, but now I need to create a root RSA CA. I've created a 2048-bit KMS RSA key.
I'm using the following line:
export CONFIG="
[req]
distinguished_name=dn
[ dn ]
"
export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
openssl req -x509 -config <(echo "$CONFIG") -key "pkcs11:token=root-ca-rsa" -engine pkcs11 -keyform engine -out /tmp/root-ca-rsa.pem -days 36500 -subj "/C=US/ST=Test/L=Test/O=Test/OU=Test/CN=My CA/[email protected]/" -addext basicConstraints=critical,CA:TRUE
engine "pkcs11" set.
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /root/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Configured slots:
AWS_KMS: fa86ae01-9c74-4156-8b1a-721a589580d2
AWS_KMS: Getting public key for key fa86ae01-9c74-4156-8b1a-721a589580d2
AWS_KMS: Successfully fetched public key data.
AWS_KMS: Error signing: Digest is invalid length for algorithm RSASSA_PKCS1_V1_5_SHA_256.
139878421697856:error:8207A006:PKCS#11 module:pkcs11_private_encrypt:Function failed:p11_rsa.c:116:
139878421697856:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:224:
I can successfully perform a signing operation using openssl debug (as we've used before).
I'm having an odd error:
AWS_KMS: Invalid data length for SHA256 RSA signature: 2560
Looking at the code, something isn't right (or I'm missing something?):
Aws::KMS::Model::SignRequest req;
req.SetKeyId(slot.GetKmsKeyId());
switch (session->sign_mechanism) {
    case CKM_ECDSA:
        req.SetMessage(Aws::Utils::CryptoBuffer(Aws::Utils::ByteBuffer(pData, ulDataLen)));
        req.SetMessageType(Aws::KMS::Model::MessageType::DIGEST);
        req.SetSigningAlgorithm(Aws::KMS::Model::SigningAlgorithmSpec::ECDSA_SHA_256);
        break;
    case CKM_RSA_PKCS:
        if (ulDataLen <= 32) {
            req.SetMessage(Aws::Utils::CryptoBuffer(Aws::Utils::ByteBuffer(pData, ulDataLen)));
        } else if (has_prefix(pData, ulDataLen, rsa_id_sha256, sizeof(rsa_id_sha256))) {
            // Strip the digest algorithm identifier if it has been provided
            req.SetMessage(Aws::Utils::CryptoBuffer(Aws::Utils::ByteBuffer(pData + sizeof(rsa_id_sha256), ulDataLen - sizeof(rsa_id_sha256))));
        } else {
            debug("Invalid data length for SHA256 RSA signature: %d", ulDataLen);
            return CKR_ARGUMENTS_BAD;
        }
        req.SetMessageType(Aws::KMS::Model::MessageType::DIGEST);
        req.SetSigningAlgorithm(Aws::KMS::Model::SigningAlgorithmSpec::RSASSA_PKCS1_V1_5_SHA_256);
        break;
    default:
        return CKR_ARGUMENTS_BAD;
}
So look at the RSA case. First, why the business with trying to strip a prefix? Under what circumstances would the data buffer to be signed be prefixed? Where is that documented? I couldn't find anything...
Then you apply a limit of 32 bytes to the message that can be signed (but only in the non-prefix case; you don't check for a limit in the prefix case). However, openssl is passing us 2560 bytes... (and afaik KMS can sign up to 4096 bytes).
What am I missing here ? :-)
This is an awesome module!! Thanks for writing it.
I get an error when attempting to sign a CRL for a CA. Here is the error:
linux_user@hostname:~/tmp/devCA$ AWS_KMS_PKCS11_DEBUG=1 openssl ca -gencrl -verbose -config openssl.conf -engine pkcs11 -keyform engine -keyfile pkcs11:token=my-root-key -cert /home/linux_user/.step/certs/root_ca.crt -outdir /home/linux_user/tmp/ -md sha512
engine "pkcs11" set.
Using configuration from openssl.conf
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/linux_user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot org-root-key from path /home/linux_user/.step/certs/root_ca.crt
AWS_KMS: Configured slots:
AWS_KMS: mrk-628c80da7e3c41eea5784a8ba4c718b3
AWS_KMS: Getting public key for key mrk-628c80da7e3c41eea5784a8ba4c718b3
AWS_KMS: Successfully fetched public key data.
0 entries loaded from the database
generating index
making CRL
signing CRL
AWS_KMS: Error signing: Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521.
AWS_KMS: Error signing: Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521.
140016903943488:error:82068006:PKCS#11 module:pkcs11_ecdsa_sign:Function failed:p11_ec.c:409:
140016903943488:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:224:
linux_user@hostname:~/tmp/devCA$
I'm not by any means a C/C++ developer, but looking at the source code, it seems that ECDSA_SHA_256 is hard-coded as the signing algorithm. Could support for a signing algorithm compatible with ECC_NIST_P521 be added by chance?
Thank you!
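Four of the reports in this thread (the GPG "Card error" whose SETDATA is a SHA-512 DigestInfo, the RSA root CA failing with "Digest is invalid length for algorithm RSASSA_PKCS1_V1_5_SHA_256", the question about why a prefix is stripped at all, and the P-521 key rejected with "Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521") all turn on the same decision: how what C_Sign receives is mapped onto a KMS SigningAlgorithmSpec. Under CKM_RSA_PKCS, PKCS#11 callers such as OpenSSL's pkcs11 engine and gpg-agent hand the module a PKCS#1 v1.5 DigestInfo (the "encoded hash" in the gpg-agent log above); KMS, with MessageType DIGEST, expects only the bare digest and builds the DigestInfo itself, so the prefix has to be parsed and removed, and the hash it names should pick the algorithm. Under CKM_ECDSA the input is a bare digest and KMS only accepts the hash that matches the key's curve. The following is an added Python example written for this page, not code from aws-kms-pkcs11 or its author; the DER prefixes are the ones listed in RFC 8017 section 9.2, the key-spec/algorithm pairs are those documented for AWS KMS, and nothing here calls KMS.

```python
import hashlib

# RFC 8017 section 9.2, note 1: DER prefixes that wrap a hash into a DigestInfo.
DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# NIST hash OID -> (hash name, digest length, KMS RSA PKCS#1 v1.5 algorithm).
RSA_ALGS = {
    "2.16.840.1.101.3.4.2.1": ("sha256", 32, "RSASSA_PKCS1_V1_5_SHA_256"),
    "2.16.840.1.101.3.4.2.2": ("sha384", 48, "RSASSA_PKCS1_V1_5_SHA_384"),
    "2.16.840.1.101.3.4.2.3": ("sha512", 64, "RSASSA_PKCS1_V1_5_SHA_512"),
}
# KMS key spec -> (digest length, the one ECDSA algorithm KMS allows for it).
ECDSA_ALGS = {
    "ECC_NIST_P256": (32, "ECDSA_SHA_256"),
    "ECC_SECG_P256K1": (32, "ECDSA_SHA_256"),
    "ECC_NIST_P384": (48, "ECDSA_SHA_384"),
    "ECC_NIST_P521": (64, "ECDSA_SHA_512"),
}

def build_digest_info(hash_name, message):
    """What a well-behaved CKM_RSA_PKCS caller sends: DigestInfo over hash(message)."""
    return DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element, rejecting truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs, acc, pending = [value[0] // 40, value[0] % 40], 0, False
    for b in value[1:]:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))

def parse_digest_info(data):
    """Split SEQUENCE { SEQUENCE { OID, NULL OPTIONAL }, OCTET STRING } into (oid, digest)."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    tag, algid, pos = _read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, digest, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("missing digest OCTET STRING")
    tag, oid, apos = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    if apos != len(algid):  # optional parameters must be a lone NULL
        tag, params, apos = _read_tlv(algid, apos)
        if tag != 0x05 or params or apos != len(algid):
            raise ValueError("unexpected AlgorithmIdentifier parameters")
    return _decode_oid(oid), bytes(digest)

def select_rsa_algorithm(data):
    """CKM_RSA_PKCS input -> (KMS algorithm, bare digest for MessageType DIGEST).

    A bare 32-byte value is taken as an unwrapped SHA-256 digest (my choice, mirroring
    the module's existing 32-byte case); anything else must be a DigestInfo whose digest
    length matches its OID, so a SHA-512 DigestInfo selects the SHA_512 spec.
    """
    data = bytes(data)
    if len(data) == 32:
        return "RSASSA_PKCS1_V1_5_SHA_256", data
    oid, digest = parse_digest_info(data)
    if oid not in RSA_ALGS:
        raise ValueError(f"unsupported digest algorithm {oid}")
    name, length, spec = RSA_ALGS[oid]
    if len(digest) != length:
        raise ValueError(f"{name} digest must be {length} bytes, got {len(digest)}")
    return spec, digest

def select_ecdsa_algorithm(key_spec, digest):
    """CKM_ECDSA input is a bare digest; the algorithm follows the key's curve."""
    if key_spec not in ECDSA_ALGS:
        raise ValueError(f"not an ECDSA signing key spec: {key_spec}")
    length, spec = ECDSA_ALGS[key_spec]
    if len(digest) != length:
        raise ValueError(f"{key_spec} needs a {length}-byte digest, got {len(digest)}")
    return spec
```

Feeding the SETDATA bytes from the gpg-agent log above into select_rsa_algorithm yields RSASSA_PKCS1_V1_5_SHA_512 and the 64-byte digest, which is what KMS would need to be asked for; the same parse rejects a DigestInfo whose digest length disagrees with its OID before the request ever reaches KMS, and select_ecdsa_algorithm("ECC_NIST_P521", digest) returns ECDSA_SHA_512 only for a 64-byte digest. The key spec itself is something the module would have to fetch (for example from the public key it already retrieves) rather than assume.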
This is a slightly convoluted scenario (but I need it to use this from a chroot). Dumping the data here; I will try to debug later.
Don't enable it in p11-kit (i.e., take aws-kms-pkcs11.module out of /usr/share/p11-kit/modules or /etc/pkcs11/modules)
Setup a server:
p11-kit server --provider /usr/lib64/pkcs11/aws_kms_pkcs11.so pkcs11:token=test-sign-key -f
(I use -f to easily ctrl-C)
Copy the output P11_KIT_SERVER_ADDRESS somewhere
module: /usr/lib64/pkcs11/p11-kit-client.so
From this point p11-kit should use the client token which talks to the server which talks to aws-kms-pkcs11:
$ p11tool --list-all pkcs11:token=test-sign-key
Object 0:
URL: pkcs11:token=test-sign-key;id=%61%6C%69%61%73%2F%74%65%73%74%2D%73%69%67%6E%2D%6B%65%79;object=test-sign-key;type=cert
Type: X.509 Certificate
Label: test-sign-key
ID: 61:6c:69:61:73:2f:74:65:73:74:2d:73:69:67:6e:2d:6b:65:79
$ p11tool --list-keys pkcs11:token=test-sign-key
No matching objects found
Hi Ian,
Thanks for the help with RAUC. I'm on to the next mission which is to sign kernel modules after building.
I've just tested using openssl and everything seems OK, but when I attempt to build the kernel it shows this error:
EXTRACT_CERTS pkcs11:
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Attempting to load config from path: /root/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Configured to use AWS key: 8e6426ad-dbd5-4b86-8446-b8adc503904c
AWS_KMS: Configured to use AWS region: us-west-1
GZIP kernel/config_data.gz
CHK kernel/config_data.h
UPD kernel/config_data.h
CC kernel/configs.o
LD kernel/built-in.o
AWS_KMS: Successfully fetched public key data.
Certificate not found.
At main.c:135:
- SSL error:FFFFFFFF80066065:pkcs11 engine:ctx_ctrl_load_cert:object not found: eng_back.c:593
extract-cert: Get X.509 from PKCS#11: Success
rm: cannot remove 'certs/signing_key.x509': No such file or directory
make[1]: *** [certs/Makefile:98: certs/signing_key.x509] Error 1
make: *** [Makefile:1029: certs] Error 2
make: Leaving directory '/root/kernel'
Any ideas what could cause this?
To build a kernel module with signing I've got this set in my kernel config:
---- snip ----
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_KEY="pkcs11:"
----- snip ----
Hi there,
Is it possible to set the model and/or manufacturer for each token to 'aws' or a string defined in the config?
I would like to use this pkcs11 url to only show the tokens from this plugin:
p11tool --list-token pkcs11:model=aws
Hi !
I am investigating using your library for binary signing. Unfortunately I can't really do so unless you provide some kind of licence by which I can use the code.
I wanted to use this library on macOS, and I have successfully got it working: #31
The CircleCI build process may need a slight tweak as I had to tweak the Makefile to get it working (so that everything is sourced from pkg-config including OpenSSL).
Be great to get this merged and building a darwin_amd64 release :D
Following instructions and using the pre-compiled module gives these errors:
osslsigncode sign -verbose -h sha256 -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so -certs mycert.pem -key 'pkcs11:' -in /etc/hosts -out /tmp/hosts.signed
Engine "pkcs11" set.
Unable to load module /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Unable to load module /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
PKCS11_get_private_key returned NULL
Failed to load private key pkcs11:
140102532925248:error:81065401:libp11:pkcs11_CTX_load:Unable to load PKCS#11 module:p11_load.c:77:
140102532925248:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
Failed
ssh-add produces the following error:
ssh-add -s /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so": agent refused operation
The module is available and I have chmod +x:
ls -lh /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
-rwxr-xr-x 1 root root 3.8M Feb 27 05:45 /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
The config is available here:
cat /etc/aws-kms-pkcs11/config.json
{
"kms_key_id": "xxxx-xxxxx-xxxxxx-xxxxx-xxxxxxxx",
"aws_region": "us-west-1"
}
Any ideas what could cause this error? I couldn't find a way to get better debug information about what the problem is.
Thanks for the hard work! Just wanted to throw some ideas out there (please feel free to ignore if out of scope).
The ability to look up a key in PEM format for returning would be quite helpful for me. Right now I'm using exec-with-secrets to populate the environment variables from aws-sm, then I have another script to dump it to a file and generate the config for PKCS11; skipping the dump step would be handy.
Just a side point: I think storing certificates in aws-secrets-manager is quite elegant because Lambdas can be written to automatically rotate the certificates if needed at any point, and it's part of that system running in the background.
Here are some suggestions for the future.
I was wondering if it's possible to add a feature to allow skipping the lookup from KMS if I exclude the kms_key_id?
So, I'm hoping to have something like this, that means I can mix a signing key, with root-certs using the same mechanism. e.g. when using rauc:
rauc bundle --keyring='pkcs11:token=dev-root-ca' --intermediate='pkcs11:token=dev-int-ca' --cert='pkcs11:token=dev-leaf' --key='pkcs11:token=dev-leaf' input_dir/ my_bundle.raucb
So the config.json would look like this:
{
"slots": [
{
"label": "dev-root-ca",
"certificate": "<mycert>"
},
{
"label": "dev-int-ca",
"certificate": "<mycert>"
},
{
"label": "dev-leaf",
"kms_key_id": "1234",
"aws_region": "us-west-1",
"certificate": "<signing_cert_base64>"
}
]
}