jackofmosttrades / aws-kms-pkcs11 Goto Github PK

View Code? Open in Web Editor NEW

38.0 38.0 16.0 75 KB

PKCS#11 Provider Using AWS KMS

License: MIT License

Makefile 9.63% C++ 72.85% C 17.52%

aws-kms-pkcs11's People

Contributors

Stargazers

Watchers

Forkers

rmcvey anubisant hongkongkiwi pierreliddle ozbenh pedigreetechnologies bcressey rillian iot-device-suite hansonchar gardenlinux eager-signal nkraetzschmar ppt-ogawa fuhry

aws-kms-pkcs11's Issues

No licence

Hi !

I am investigating using your library for binary signing. Unfortunately I can't really do so unless you provide some kind of licence by which I can use the code.

p11tool --list-certs not working

I haven't had a chance to debug further, but just in case you have an idea...

With all the latest fixes we did, I can list keys and certs with NSS fine, but if I try to use p11tool --list-certs, it gives me something like:

$ p11tool --list-certs pkcs11:token=test-sign-key
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/ec2-user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot test-sign-key from path /home/ec2-user/test-sign-cert.pem
AWS_KMS: Configured slots:
AWS_KMS:   alias/test-sign-key
AWS_KMS: Getting public key for key alias/test-sign-key
AWS_KMS: Successfully fetched public key data.
No matching objects found

With ltrace, the last few lines look like:

gnutls_pkcs11_init(1, 0, 0x7fa85a4810e0, 0AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/ec2-user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot test-sign-key from path /home/ec2-user/test-sign-cert.pem
AWS_KMS: Configured slots:
AWS_KMS:   alias/test-sign-key
)                                             = 0
gnutls_pkcs11_set_pin_function(0x40a270, 0x7ffd99d67e60, 3, 0)                          = 0x7fa85a481fb8
gnutls_pkcs11_set_token_function(0x40a660, 0x7ffd99d67e60, 3, 0)                        = 0x7fa85a481fc8
gnutls_pkcs11_token_get_flags(0x7ffd99d682f7, 0x7ffd99d67d2c, 3, 0)                     = 0
gnutls_pkcs11_obj_list_import_url2(0x7ffd99d67d40, 0x7ffd99d67d34, 0x7ffd99d682f7, 3AWS_KMS: Getting public key for key alias/test-sign-key
AWS_KMS: Successfully fetched public key data.
)   = 0
fwrite("No matching objects found\n", 1, 26, 0x7fa859115680No matching objects found
)                            = 26
exit(0 <no return ...>

So it's somewhat not happy but not too sure why at this stage.

Error signing: Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521

This is an awesome module!! Thanks for writing it.

I get an error when attempting to sign a CRL for a CA. Here is the error:

linux_user@hostname:~/tmp/devCA$ AWS_KMS_PKCS11_DEBUG=1 openssl ca -gencrl -verbose -config openssl.conf -engine pkcs11 -keyform engine -keyfile pkcs11:token=my-root-key -cert /home/linux_user/.step/certs/root_ca.crt -outdir /home/linux_user/tmp/ -md sha512
engine "pkcs11" set.
Using configuration from openssl.conf
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/linux_user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot org-root-key from path /home/linux_user/.step/certs/root_ca.crt
AWS_KMS: Configured slots:
AWS_KMS:   mrk-628c80da7e3c41eea5784a8ba4c718b3
AWS_KMS: Getting public key for key mrk-628c80da7e3c41eea5784a8ba4c718b3
AWS_KMS: Successfully fetched public key data.
0 entries loaded from the database
generating index
making CRL
signing CRL
AWS_KMS: Error signing: Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521.
AWS_KMS: Error signing: Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521.
140016903943488:error:82068006:PKCS#11 module:pkcs11_ecdsa_sign:Function failed:p11_ec.c:409:
140016903943488:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:224:
linux_user@hostname:~/tmp/devCA$

I'm not by any means a C/C++ developer but but looking at the source code, it seems that ECDSA_SHA_256 is hard coded as the signing algorithm. Could support for signing algorithm compatible with ECC_NIST_P521 be added by chance?

Thank you!

Compilation errors (invalid conversion)

Hi there,

Thanks for developing this! :) This PKCS11 plugin exactly what I need.

I'm planning to use it with RAUC.

I'm having trouble to compile it though, it ends up with these errors when making:

g++ -shared -fPIC -Wall -I /usr/include/opencryptoki -I/root/aws-sdk-cpp/include -fno-exceptions -std=c++11 aws_kms_pkcs11.cpp -o aws_kms_pkcs11.so \
    -Wl,--whole-archive \
    /root/aws-sdk-cpp/lib/libaws-checksums.a \
    /root/aws-sdk-cpp/lib/libaws-c-common.a \
    /root/aws-sdk-cpp/lib/libaws-c-event-stream.a \
    /root/aws-sdk-cpp/lib/libaws-cpp-sdk-core.a \
    /root/aws-sdk-cpp/lib/libaws-cpp-sdk-kms.a \
    -Wl,--no-whole-archive -lcrypto -ljson-c -lcurl
aws_kms_pkcs11.cpp: In function 'CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR)':
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetMechanismList {aka long unsigned int (*)(long unsigned int, long unsigned int*, long unsigned int*)}' [-fpermissive]
            };
            ^
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetMechanismInfo {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_MECHANISM_INFO*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_InitToken {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_InitPIN {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetPIN {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetSessionInfo {aka long unsigned int (*)(long unsigned int, CK_SESSION_INFO*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetOperationState {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetOperationState {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CreateObject {aka long unsigned int (*)(long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CopyObject {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DestroyObject {aka long unsigned int (*)(long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetObjectSize {aka long unsigned int (*)(long unsigned int, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetAttributeValue {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_ATTRIBUTE*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Encrypt {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Decrypt {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Digest {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestKey {aka long unsigned int (*)(long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignRecoverInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignRecover {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Verify {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyRecoverInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyRecover {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestEncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptDigestUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignEncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptVerifyUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateKeyPair {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, CK_ATTRIBUTE*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_WrapKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_UnwrapKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, unsigned char*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DeriveKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SeedRandom {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateRandom {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetFunctionStatus {aka long unsigned int (*)(long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CancelFunction {aka long unsigned int (*)(long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_WaitForSlotEvent {aka long unsigned int (*)(long unsigned int, long unsigned int*, void*)}' [-fpermissive]
Makefile:13: recipe for target 'aws_kms_pkcs11.so' failed
make: *** [aws_kms_pkcs11.so] Error 1

Any ideas?

Signing Kernel Modules - Certificate not found

Hi Ian,

Thanks for the help with RAUC. I'm on to the next mission which is to sign kernel modules after building.

I've just tested using openssl and everything seems ok, but when I attempt to build the krenel it shows error:

  EXTRACT_CERTS   pkcs11:
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Attempting to load config from path: /root/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Configured to use AWS key: 8e6426ad-dbd5-4b86-8446-b8adc503904c
AWS_KMS: Configured to use AWS region: us-west-1
  GZIP    kernel/config_data.gz
  CHK     kernel/config_data.h
  UPD     kernel/config_data.h
  CC      kernel/configs.o
  LD      kernel/built-in.o
AWS_KMS: Successfully fetched public key data.
Certificate not found.
At main.c:135:
- SSL error:FFFFFFFF80066065:pkcs11 engine:ctx_ctrl_load_cert:object not found: eng_back.c:593
extract-cert: Get X.509 from PKCS#11: Success
rm: cannot remove 'certs/signing_key.x509': No such file or directory
make[1]: *** [certs/Makefile:98: certs/signing_key.x509] Error 1
make: *** [Makefile:1029: certs] Error 2
make: Leaving directory '/root/kernel'

Any ideas what could cause this?

To build a kernel module with signing I've got this set in my kernel config:

---- snip ----
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_KEY="pkcs11:"
----- snip ----

aarch64 releases?

Is it possible to add aarch64 to the releases section?

Some ideas for future :)

Thanks for the hard work! Just wanted to throw some ideas out there (please feel free to ignore if out of scope).

The ability to lookup a key in PEM format for returning would be quite helpful for me, I'm right now using exec-with-secrets to populate the environment variables from aws-sm then I have another script to dump it to a file and generate the config for PKCS11, but skipping the dump step would be handy.

Just a side point, I think storing certificates in aws-secrets-manager is quite elegant because Lambda's can be written to automatically rotate the certificates if needed at any point and it's part of that system running in the background.

Here's some suggestions for future

Plugin system for storing/retrieving public certificates. So far we have file/directly in json config, but I could image more. Later plugins could be written for aws-secretstore, S3 or REST API. That means we can do PKI signing via the pkcs11 plugin without caring about where the certificates are stored. For now, this is a separate process to grab the cert and fill in the json config file.
Add option to return additional fields for the keys, these can be populated via the config file, e.g. kms, version (populated from pkcs11 code version)
Return key description of AWS key (description is stored in aws)
Add ability to lookup a key by KMS Key Alias instead of key_id
Add ability to use a pin code stored in either config file in plaintext, or a pre-encrypted string (can be decrypted with a kms key)

[Question] Is this library working for OpenSSL v3?

Hi there,

I compiled the library against OpenSSL v3 and saw some compilation "OSSL_DEPRECATED" warnings. Is the library working with OpenSSL v3?

Thanks!

Problems with GPG

Hi! First of all, thank you very much for this awesome work!

I'm having issues using GPG with this module. Working with a RSA_4096 key, I'm able to create the certificate and the GPG Agent is able to discover it:

OK Pleased to meet you
SCD LEARN
gpg-agent[68961]: no running SCdaemon - starting it
gpg-agent[68961]: DBG: first connection to SCdaemon established
S SERIALNO D2760001240111503131233D17681111
S APPTYPE PKCS11
S KEY-FRIEDNLY 97AF68BD18212B1E98A5FAA8B562EDA8A3DD6ECC /CN=oscar.test on my-signing-key
S CERTINFO 101 aws_kms/0/0/my\x2Dsigning\x2Dkey/39613163393832652D356365662D343238662D623766392D373862343763616462633266
S KEYPAIRINFO 97AF68BD18212B1E98A5FAA8B562EDA8A3DD6ECC aws_kms/0/0/my\x2Dsigning\x2Dkey/39613163393832652D356365662D343238662D623766392D373862343763616462633266
OK

However, when I try to gpg --expert --full-generate-key it fails in the last step:

...
GnuPG needs to construct a user ID to identify your key.

Real name: my-signing-key
Email address: 
Comment: 
You selected this USER-ID:
    "my-signing-key"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: signing failed: Card error
gpg: make_keysig_packet failed: Card error
Key generation failed: Card error

Here is the related part in the GPG Agent logs:

DBG: chan_11 <- OK
detected card with S/N D2760001240111503131233D17681111
DBG: encoded hash: 30 51 30 0D 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 37 8D 27 23 04 74 FE E8 F3 88 2C A0 75 75 D0 DE 0F D0 1C 39 7E FA 5A 68 B0 0A 19 60 C0 02 AA 05 B7 74 F5 52 93 AB BF 11 56 01 43 70 FC 21 9B 34 0B 03 04 24 B7 2E D3 62 9C 84 16 1C D4 37 68 0A
DBG: chan_11 -> SETDATA 3051300D060960864801650304020305000440378D27230474FEE8F3882CA07575D0DE0FD01C397EFA5A68B00A1960C002AA05B774F55293ABBF1156014370FC219B340B030424B72ED3629C84161CD437680A
DBG: chan_11 <- OK
DBG: chan_11 -> PKSIGN --hash=sha512 aws_kms/0/0/my\x2Dsigning\x2Dkey/39613163393832652D356365662D343238662D623766392D373862343763616462633266
DBG: agent_cache_housekeeping
DBG: chan_11 <- ERR 108 Card error <Unspecified source>
smartcard signing failed: Card error
command 'PKSIGN' failed: Card error
DBG: chan_10 -> ERR 67108972 Card error <GPG Agent>
DBG: chan_10 <- [eof]

And here is a log section of the gnupg-pkcs11-scd I think it's related:

PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0
PKCS#11: _pkcs11h_session_getObjectById return rv=512-'CKR_FUNCTION_REJECTED', *p_handle=ffffffffffffffff
PKCS#11: _pkcs11h_certificate_resetSession return rv=512-'CKR_FUNCTION_REJECTED'
PKCS#11: __pkcs11h_certificate_getKeyAttributes return rv=512-'CKR_FUNCTION_REJECTED'
PKCS#11: pkcs11h_certificate_signAny return rv=512-'CKR_FUNCTION_REJECTED', *p_target_size=000000000000007f
PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x55a827611660
PKCS#11: _pkcs11h_session_release entry session=0x55a827617190
PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'

I attach the full logs for both, GPG Agent and gnupg-pkcs11-scd

gpg-agent.log
gnupg-pkcs11-scd.log

I'm working on an Ubuntu 22.04 system with:

gpg (GnuPG) 2.2.27
gpg-agent (GnuPG) 2.2.27
libgcrypt 1.9.4
gnupg-pkcs11-scd 0.9.2

Thanks!

Trouble with RSA 2048 cert signing

I've been successfully using ECC keys for signing, but now I need to create a root rsa CA. I've created a 2048 KMS RSA key.

I'm using the following line:

export CONFIG="
[req]
distinguished_name=dn
[ dn ]
"
export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
openssl req -x509 -config <(echo "$CONFIG") -key "pkcs11:token=root-ca-rsa" -engine pkcs11 -keyform engine -out /tmp/root-ca-rsa.pem -days 36500 -subj "/C=US/ST=Test/L=Test/O=Test/OU=Test/CN=My CA/[email protected]/" -addext basicConstraints=critical,CA:TRUE

engine "pkcs11" set.
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /root/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Configured slots:
AWS_KMS:   fa86ae01-9c74-4156-8b1a-721a589580d2
AWS_KMS: Getting public key for key fa86ae01-9c74-4156-8b1a-721a589580d2
AWS_KMS: Successfully fetched public key data.
AWS_KMS: Error signing: Digest is invalid length for algorithm RSASSA_PKCS1_V1_5_SHA_256.
139878421697856:error:8207A006:PKCS#11 module:pkcs11_private_encrypt:Function failed:p11_rsa.c:116:
139878421697856:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:224:

I can successfully perform a signing operation using openssl debug (as we've used before).

signing via openssl fails

I'm having an odd error:

AWS_KMS: Invalid data length for SHA256 RSA signature: 2560

Looking at the code, something isn't right (or I'm missing something ?)

    Aws::KMS::Model::SignRequest req;
    req.SetKeyId(slot.GetKmsKeyId());
    switch (session->sign_mechanism) {
        case CKM_ECDSA:
            req.SetMessage(Aws::Utils::CryptoBuffer(Aws::Utils::ByteBuffer(pData, ulDataLen)));
            req.SetMessageType(Aws::KMS::Model::MessageType::DIGEST);
            req.SetSigningAlgorithm(Aws::KMS::Model::SigningAlgorithmSpec::ECDSA_SHA_256);
            break;
        case CKM_RSA_PKCS:
            if (ulDataLen <= 32) {
                req.SetMessage(Aws::Utils::CryptoBuffer(Aws::Utils::ByteBuffer(pData, ulDataLen)));
            } else if (has_prefix(pData, ulDataLen, rsa_id_sha256, sizeof(rsa_id_sha256))) {
                // Strip the digest algorithm identifier if it has been provided
                req.SetMessage(Aws::Utils::CryptoBuffer(Aws::Utils::ByteBuffer(pData + sizeof(rsa_id_sha256), ulDataLen - sizeof(rsa_id_sha256))));
            } else {
                debug("Invalid data length for SHA256 RSA signature: %d", ulDataLen);
                return CKR_ARGUMENTS_BAD;
            }
            req.SetMessageType(Aws::KMS::Model::MessageType::DIGEST);
            req.SetSigningAlgorithm(Aws::KMS::Model::SigningAlgorithmSpec::RSASSA_PKCS1_V1_5_SHA_256);
            break;
        default:
            return CKR_ARGUMENTS_BAD;
    }

So look at the RSA case. First why that business with trying to strip a prefix ? Under what circumstances would the data buffer to be signed be prefixed ? Where is that documented ? I couldn't find anything ...

Then you apply a limit of 32-bytes to the message that can be signed (but only in the non-prefix case, yuou don't check for a limit in the prefix case). However, openssl is passing us 2560 bytes.... (and afaik KMS can sign up to 4096 bytes).

What am I missing here ? :-)

When using remotely via p11-kit "server", keys aren't found

This is a slightly convoluted scenario (but I need it to use this from a chroot). Dumping the data here, I will try to debug later

Don't enable in p11-kit (ie, take out aws-kms-pkcs11.module) from /usr/share/p11-kit/modules or /etc/pkcs11/modules
Setup a server:

p11-kit server --provider /usr/lib64/pkcs11/aws_kms_pkcs11.so pkcs11:token=test-sign-key -f

(I use -f to easily ctrl-C)

Copy somewhere the output P11_KIT_SERVER_ADDRESS

Setup a client in .config/pkcs11/modules/p11-kit-client.module as follow

module: /usr/lib64/pkcs11/p11-kit-client.so

paste the P11_KIT_SERVER_ADDRESS

From this point p11-kit should use the client token which talks to the server which talks to aws-kms-pkcs11:

$ p11tool --list-all pkcs11:token=test-sign-key
Object 0:
	URL: pkcs11:token=test-sign-key;id=%61%6C%69%61%73%2F%74%65%73%74%2D%73%69%67%6E%2D%6B%65%79;object=test-sign-key;type=cert
	Type: X.509 Certificate
	Label: test-sign-key
	ID: 61:6c:69:61:73:2f:74:65:73:74:2d:73:69:67:6e:2d:6b:65:79

$ p11tool --list-keys pkcs11:token=test-sign-key
No matching objects found

Precompiled .so does not seem to work

Following instructions and using the pre-compiled module gives these errors:

osslsigncode sign -verbose -h sha256     -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so     -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so     -certs mycert.pem -key 'pkcs11:' -in /etc/hosts -out /tmp/hosts.signed
Engine "pkcs11" set.
Unable to load module /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Unable to load module /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
PKCS11_get_private_key returned NULL
Failed to load private key pkcs11:
140102532925248:error:81065401:libp11:pkcs11_CTX_load:Unable to load PKCS#11 module:p11_load.c:77:
140102532925248:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
Failed

ssh-add produces the following error:

ssh-add -s /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so": agent refused operation

The module is available and I have chmod +x:

ls -lh /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
-rwxr-xr-x 1 root root 3.8M Feb 27 05:45 /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so

The config is available here:

cat /etc/aws-kms-pkcs11/config.json
{
  "kms_key_id": "xxxx-xxxxx-xxxxxx-xxxxx-xxxxxxxx",
  "aws_region": "us-west-1"
}

Any ideas what could cause this error? I couldn't find a way to get better debug information about what hte problem is.

Allow config.json slot entries without kms_key_id to return only certificate

I was wondering if it's possible to add the feature to allow skipping lookup from KMS if I exclude the kms_key_id?

So, I'm hoping to have something like this, that means I can mix a signing key, with root-certs using the same mechanism. e.g. when using rauc:
rauc bundle --keyring='pkcs11:token=dev-root-ca' --intermediate='pkcs11:token=dev-int-ca'--cert='pkcs11:token=dev-leaf' --key='pkcs11:token=dev-leaf' input_dir/ my_bundle.raucb

So the config.json would look like this:

{
  "slots": [
    {
      "label": "dev-root-ca",
      "certificate": "<mycert>"
    },
    {
      "label": "dev-int-ca",
      "certificate": "<mycert>"
    },
    {
      "label": "dev-leaf",
      "kms_key_id": "1234",
      "aws_region": "us-west-1",
      "certificate": "<signing_cert_base64>"
    }
  ]
 }

Suggestion: Supporting additional slots?

I have a suggestion for improvement for the plugin.

How do you think about multiple slots for the PKCS plugin? For example, right now we have:
"kms_key_id": "......"
In the current case, it would default to slot 0

This is superseeded by kms_key_ids key (if set), in that case the kms_key_id is ignored and the kms_key_ids array key is used instead.

So, the config could look like this:

"kms_key_ids": [{
   "kms_key_id": "<slot0_kms_id>",
   "aws_region": "us-west-1"
 },
 {
   "kms_key_id": "<slot1_kms_id>",
   "aws_region": "us-west-2"
  },
  ...........
]

This way, it can use the array index as the slot index and we can pass an arbitrary number of slot items via PKCS11 plugin (upto the number of slots the pkcs11 protocol supports).

Ofcourse this can currently be supported by changing the config each time you want to use it, but I thought it could be nice to natively support it.

Set model/manufactorer for returned tokens

Hi there,

Is it possible to set the model and/or manufactorer for each token to 'aws' or a string defined in config?

I would like to use this pkcs11 url to only show the tokens from this plugin:
p11tool --list-token pkcs11:model=aws

jackofmosttrades / aws-kms-pkcs11 Goto Github PK

aws-kms-pkcs11's People

Contributors

Stargazers

Watchers

Forkers

aws-kms-pkcs11's Issues

Recommend Projects

Recommend Topics

Recommend Org