JackOfMostTrades / aws-kms-pkcs11

PKCS#11 Provider Using AWS KMS
MIT License

Error signing: Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521 #18

Closed charltonstanley closed 2 years ago

charltonstanley commented 2 years ago

This is an awesome module!! Thanks for writing it.

I get an error when attempting to sign a CRL for a CA. Here is the error:

linux_user@hostname:~/tmp/devCA$ AWS_KMS_PKCS11_DEBUG=1 openssl ca -gencrl -verbose -config openssl.conf -engine pkcs11 -keyform engine -keyfile pkcs11:token=my-root-key -cert /home/linux_user/.step/certs/root_ca.crt -outdir /home/linux_user/tmp/ -md sha512
engine "pkcs11" set.
Using configuration from openssl.conf
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/linux_user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot org-root-key from path /home/linux_user/.step/certs/root_ca.crt
AWS_KMS: Configured slots:
AWS_KMS:   mrk-628c80da7e3c41eea5784a8ba4c718b3
AWS_KMS: Getting public key for key mrk-628c80da7e3c41eea5784a8ba4c718b3
AWS_KMS: Successfully fetched public key data.
0 entries loaded from the database
generating index
making CRL
signing CRL
AWS_KMS: Error signing: Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521.
AWS_KMS: Error signing: Algorithm ECDSA_SHA_256 is incompatible with key spec ECC_NIST_P521.
140016903943488:error:82068006:PKCS#11 module:pkcs11_ecdsa_sign:Function failed:p11_ec.c:409:
140016903943488:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:224:
linux_user@hostname:~/tmp/devCA$ 

I'm not by any means a C/C++ developer, but looking at the source code, it seems that ECDSA_SHA_256 is hard coded as the signing algorithm. Could support for a signing algorithm compatible with ECC_NIST_P521 be added by chance?

Thank you!
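The KMS error above is exactly what a hard-coded ECDSA_SHA_256 produces against a P-521 key: KMS accepts only one ECDSA signing algorithm per ECC key spec (ECC_NIST_P256 and ECC_SECG_P256K1 take ECDSA_SHA_256, ECC_NIST_P384 takes ECDSA_SHA_384, ECC_NIST_P521 takes ECDSA_SHA_512), and with MessageType=DIGEST the digest handed to KMS has to be the output length of that hash. The C++ below is an added example, not code from aws-kms-pkcs11, showing how a PKCS#11 module can derive the signing algorithm from the key spec it learned at GetPublicKey time and reject a digest of the wrong size locally instead of letting KMS do it. The key spec to algorithm table is the one AWS documents; the function name choose_ecdsa_algorithm, the SignChoice struct and the digest-length check are this example's own design, and the byte lengths passed in main are constructed to mirror the issue's case (openssl -md sha512 against a P-521 key, versus a SHA-256 digest against the same key).

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

// Output sizes of the hashes KMS pairs with each ECC curve, in bytes.
constexpr std::size_t kSha256Len = 32;
constexpr std::size_t kSha384Len = 48;
constexpr std::size_t kSha512Len = 64;

// Result of selecting a KMS SigningAlgorithmSpec for a CKM_ECDSA request.
// (Struct is this example's own; the real module returns CK_RV codes.)
struct SignChoice {
    bool ok;
    std::string algorithm;  // KMS SigningAlgorithmSpec value when ok
    std::string error;      // reason the request was refused when !ok
};

struct EcdsaAlgo {
    std::string signing_algorithm;  // what to send in the KMS Sign call
    std::size_t digest_len;         // digest length KMS expects for MessageType=DIGEST
};

// KMS key spec -> the only ECDSA signing algorithm that key spec accepts,
// as documented by AWS KMS. Anything not listed here is not an ECDSA key.
static const std::map<std::string, EcdsaAlgo>& key_spec_table() {
    static const std::map<std::string, EcdsaAlgo> table = {
        {"ECC_NIST_P256",   {"ECDSA_SHA_256", kSha256Len}},
        {"ECC_SECG_P256K1", {"ECDSA_SHA_256", kSha256Len}},
        {"ECC_NIST_P384",   {"ECDSA_SHA_384", kSha384Len}},
        {"ECC_NIST_P521",   {"ECDSA_SHA_512", kSha512Len}},
    };
    return table;
}

// Choose the signing algorithm for a pre-hashed CKM_ECDSA sign request.
// key_spec is the KeySpec reported by GetPublicKey for the slot's key;
// digest_len is the length of the data the PKCS#11 caller asked us to sign.
SignChoice choose_ecdsa_algorithm(const std::string& key_spec, std::size_t digest_len) {
    const auto& table = key_spec_table();
    auto it = table.find(key_spec);
    if (it == table.end()) {
        return {false, "", "key spec " + key_spec + " is not an ECDSA key spec"};
    }
    const EcdsaAlgo& algo = it->second;
    if (algo.digest_len != digest_len) {
        // Refuse here: KMS would reject it too, but with a less specific message.
        return {false, "",
                "digest length " + std::to_string(digest_len) +
                " does not match " + algo.signing_algorithm +
                " required by key spec " + key_spec +
                " (expected " + std::to_string(algo.digest_len) + " bytes)"};
    }
    return {true, algo.signing_algorithm, ""};
}

int main() {
    // The issue's case: openssl ca ... -md sha512 hands us a 64-byte digest
    // for a P-521 key. The correct choice is ECDSA_SHA_512, not ECDSA_SHA_256.
    SignChoice good = choose_ecdsa_algorithm("ECC_NIST_P521", kSha512Len);
    std::cout << (good.ok ? good.algorithm : good.error) << "\n";

    // A SHA-256 digest against the same key is rejected before any KMS call.
    SignChoice bad = choose_ecdsa_algorithm("ECC_NIST_P521", kSha256Len);
    std::cout << (bad.ok ? bad.algorithm : bad.error) << "\n";
    return 0;
}
```

The practical check on the operator side is the same table read backwards: the key spec fixes the hash, so a CA configured with `-md sha512` needs a P-521 key, `-md sha384` a P-384 key, and `-md sha256` a P-256 or secp256k1 key. If the digest the caller supplies does not match the curve, the failure belongs at the PKCS#11 layer, which knows the key spec, rather than as an opaque KMS error after a network round trip.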

JackOfMostTrades commented 2 years ago

This project is way on my back burner so it took quite a while for me to circle around to this, but I got ECC_NIST_P384 and ECC_NIST_P521 key support added just now and cut a new v0.0.7 release. If this is still something you're looking for, please try pulling it down and giving it a try. :)

charltonstanley commented 2 years ago

@JackOfMostTrades Finally managed to get back to this. This worked excellently. Thank you so much!

JackOfMostTrades commented 2 years ago

Awesome, thanks for confirming. :)