JackOfMostTrades / aws-kms-pkcs11

PKCS#11 Provider Using AWS KMS
MIT License

Compilation errors (invalid conversion) #2

Closed hongkongkiwi closed 3 years ago

hongkongkiwi commented 3 years ago

Hi there,

Thanks for developing this! :) This PKCS11 plugin is exactly what I need.

I'm planning to use it with RAUC.

I'm having trouble compiling it though; it ends up with these errors when running make:

g++ -shared -fPIC -Wall -I /usr/include/opencryptoki -I/root/aws-sdk-cpp/include -fno-exceptions -std=c++11 aws_kms_pkcs11.cpp -o aws_kms_pkcs11.so \
    -Wl,--whole-archive \
    /root/aws-sdk-cpp/lib/libaws-checksums.a \
    /root/aws-sdk-cpp/lib/libaws-c-common.a \
    /root/aws-sdk-cpp/lib/libaws-c-event-stream.a \
    /root/aws-sdk-cpp/lib/libaws-cpp-sdk-core.a \
    /root/aws-sdk-cpp/lib/libaws-cpp-sdk-kms.a \
    -Wl,--no-whole-archive -lcrypto -ljson-c -lcurl
aws_kms_pkcs11.cpp: In function 'CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR)':
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetMechanismList {aka long unsigned int (*)(long unsigned int, long unsigned int*, long unsigned int*)}' [-fpermissive]
            };
            ^
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetMechanismInfo {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_MECHANISM_INFO*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_InitToken {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_InitPIN {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetPIN {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetSessionInfo {aka long unsigned int (*)(long unsigned int, CK_SESSION_INFO*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetOperationState {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetOperationState {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CreateObject {aka long unsigned int (*)(long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CopyObject {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DestroyObject {aka long unsigned int (*)(long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetObjectSize {aka long unsigned int (*)(long unsigned int, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SetAttributeValue {aka long unsigned int (*)(long unsigned int, long unsigned int, CK_ATTRIBUTE*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Encrypt {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_EncryptFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Decrypt {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Digest {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestKey {aka long unsigned int (*)(long unsigned int, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignRecoverInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignRecover {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_Verify {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyFinal {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyRecoverInit {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_VerifyRecover {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DigestEncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptDigestUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SignEncryptUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DecryptVerifyUpdate {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateKeyPair {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, CK_ATTRIBUTE*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_WrapKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, long unsigned int, unsigned char*, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_UnwrapKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, unsigned char*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_DeriveKey {aka long unsigned int (*)(long unsigned int, CK_MECHANISM*, long unsigned int, CK_ATTRIBUTE*, long unsigned int, long unsigned int*)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_SeedRandom {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GenerateRandom {aka long unsigned int (*)(long unsigned int, unsigned char*, long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_GetFunctionStatus {aka long unsigned int (*)(long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_CancelFunction {aka long unsigned int (*)(long unsigned int)}' [-fpermissive]
aws_kms_pkcs11.cpp:769:12: error: invalid conversion from 'void*' to 'CK_C_WaitForSlotEvent {aka long unsigned int (*)(long unsigned int, long unsigned int*, void*)}' [-fpermissive]
Makefile:13: recipe for target 'aws_kms_pkcs11.so' failed
make: *** [aws_kms_pkcs11.so] Error 1

Any ideas?

hongkongkiwi commented 3 years ago

I'm using gcc version: gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0

Looks like the -fpermissive error was made compulsory from gcc 4.5 onwards. https://stackoverflow.com/questions/10932479/in-gcc-how-to-mute-the-fpermissive-warning

Is it possible to fix these errors so I can compile? If not, how are you able to compile? I'm a bit confused; are you using gcc <= 4.5?

Here is my sample Dockerfile I'm using to attempt to compile:

FROM ubuntu:18.04
ARG AWS_CPP_SDK_VERSION=1.8.150
ARG AWS_CPP_SDK_SHA256SUM=YHruXDZ/CEKxgXXn5t8I7brILtSDzLNNXuvZ5qep0+Q=
ARG AWS_KMS_PKCS11_VERSION="v0.0.3"
ENV HOME=/root
RUN export DEBIAN_FRONTEND=noninteractive && \
    export PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig && \
    echo "Installing packages (this may take a while)..." && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends \
      curl ca-certificates wget tar bash cmake build-essential \
      gcc g++ cmake libcurl4-openssl-dev libssl-dev libopencryptoki-dev \
      libjson-c-dev git zlib1g-dev
SHELL ["/bin/bash","-c"]
RUN echo "Downloading aws-cpp-sdk v${AWS_CPP_SDK_VERSION} ..." && \
    curl -sLo "/tmp/aws-sdk-cpp.tar.gz" -L "https://github.com/aws/aws-sdk-cpp/archive/${AWS_CPP_SDK_VERSION}.tar.gz" && \
    if [[ "${AWS_CPP_SDK_SHA256SUM}" == "$(openssl dgst -sha256 -binary < "/tmp/aws-sdk-cpp.tar.gz" | openssl enc -base64)" ]]; then echo "sha256 matches for aws-cpp-sdk (${AWS_CPP_SDK_SHA256SUM})"; else exit 1; fi && \
    mkdir /aws-sdk-cpp-src && \
    tar -C /aws-sdk-cpp-src --strip-components=1 -zxf "/tmp/aws-sdk-cpp.tar.gz" && \
    rm "/tmp/aws-sdk-cpp.tar.gz" && \
    mkdir /aws-sdk-cpp-src/sdk_build && \
    cd /aws-sdk-cpp-src/sdk_build && \
    echo "Building aws-sdk-cpp ..." && \
    cmake .. -DCMAKE_BUILD_TYPE=Release \
             -DBUILD_ONLY=kms \
             -DENABLE_TESTING=OFF \
             -DCMAKE_INSTALL_PREFIX=$HOME/aws-sdk-cpp \
             -DBUILD_SHARED_LIBS=OFF && \
    make && \
    make install && \
    git -c advice.detachedHead=false \
      clone "https://github.com/JackOfMostTrades/aws-kms-pkcs11.git" \
      --depth=1 --branch="${AWS_KMS_PKCS11_VERSION}" \
      "/build/aws-kms-pkcs11"
RUN cd "/build/aws-kms-pkcs11" && \
    make
JackOfMostTrades commented 3 years ago

Hey Andy, FWIW I did my dev on this on Ubuntu 20.04 (focal) so that if you can use that that would probably be your best bet to get past the build issues you're seeing. But I can take a look at this error next week and see if I can figure it out.

On Fri, May 28, 2021, 10:38 PM Andy @.***> wrote:

> I'm using gcc --version gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
>
> Looks like the fpermissive error was made compulsory from gcc 4.5 onwards.
>
> Is it possible to fix these errors so I can compile? If not, how are you able to compile?
>
> Here is my dockerfile I'm using to compile:
>
>     FROM ubuntu:18.04 AS awspkcs11-builder
>     ARG AWS_CPP_SDK_VERSION=1.8.150
>     ARG AWS_CPP_SDK_SHA256SUM=YHruXDZ/CEKxgXXn5t8I7brILtSDzLNNXuvZ5qep0+Q=
>     ARG AWS_KMS_PKCS11_VERSION="v0.0.3"
>     ENV HOME=/root
>     RUN export DEBIAN_FRONTEND=noninteractive && \
>         export PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig && \
>         echo "Installing packages (this may take a while)..." && \
>         apt-get update -qq && \
>         apt-get install -qq -y --no-install-recommends \
>           curl ca-certificates wget tar bash cmake build-essential \
>           gcc g++ cmake libcurl4-openssl-dev libssl-dev libopencryptoki-dev \
>           libjson-c-dev git zlib1g-dev
>     SHELL ["/bin/bash","-c"]
>     RUN echo "Downloading aws-cpp-sdk v${AWS_CPP_SDK_VERSION} ..." && \
>         curl -sLo "/tmp/aws-sdk-cpp.tar.gz" -L "https://github.com/aws/aws-sdk-cpp/archive/${AWS_CPP_SDK_VERSION}.tar.gz" && \
>         if [[ "${AWS_CPP_SDK_SHA256SUM}" == "$(openssl dgst -sha256 -binary < "/tmp/aws-sdk-cpp.tar.gz" | openssl enc -base64)" ]]; then echo "sha256 matches for aws-cpp-sdk (${AWS_CPP_SDK_SHA256SUM})"; else exit 1; fi && \
>         mkdir /aws-sdk-cpp-src && \
>         tar -C /aws-sdk-cpp-src --strip-components=1 -zxf "/tmp/aws-sdk-cpp.tar.gz" && \
>         rm "/tmp/aws-sdk-cpp.tar.gz" && \
>         mkdir /aws-sdk-cpp-src/sdk_build && \
>         cd /aws-sdk-cpp-src/sdk_build && \
>         echo "Building aws-sdk-cpp ..." && \
>         cmake .. -DCMAKE_BUILD_TYPE=Release \
>                  -DBUILD_ONLY=kms \
>                  -DENABLE_TESTING=OFF \
>                  -DCMAKE_INSTALL_PREFIX=$HOME/aws-sdk-cpp \
>                  -DBUILD_SHARED_LIBS=OFF && \
>         make && \
>         make install && \
>         git -c advice.detachedHead=false \
>           clone "https://github.com/JackOfMostTrades/aws-kms-pkcs11.git" \
>           --depth=1 --branch="${AWS_KMS_PKCS11_VERSION}" \
>           "/build/aws-kms-pkcs11"
>     RUN cd "/build/aws-kms-pkcs11" && \
>         make



JackOfMostTrades commented 3 years ago

Ok, just pushed a commit that I think resolves this. gcc was unhappy about me setting a NULL_PTR for unsupported functions in my function list. I updated this to set actual function values that return a CKR_FUNCTION_NOT_SUPPORTED error code which is more correct anyway. Seems to compile properly on bionic now based on my testing.
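The fix described in the comment above, shown as an added, self-contained example (this is not the aws-kms-pkcs11 project's code, and the typedefs below are a constructed miniature of the PKCS#11 header shapes, not the opencryptoki headers). In the header used in the failing build, NULL_PTR expands to a void pointer, and C++ (unlike C) refuses to convert void* to a function-pointer type implicitly, which is exactly the "invalid conversion from 'void*'" error for every unsupported entry in the table. Filling those entries with stub functions that return CKR_FUNCTION_NOT_SUPPORTED both compiles and gives callers a defined error instead of a jump through a null pointer:

```cpp
// Added example: minimal model of a PKCS#11 function table (CK_FUNCTION_LIST)
// whose unsupported entries are stubs rather than NULL_PTR.
// Type names mirror pkcs11.h but are constructed here so the file is self-contained.
#include <cstddef>
#include <cstdio>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SLOT_ID;
typedef CK_ULONG CK_SESSION_HANDLE;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef CK_ULONG *CK_ULONG_PTR;
typedef CK_MECHANISM_TYPE *CK_MECHANISM_TYPE_PTR;
typedef unsigned char CK_BYTE;
typedef CK_BYTE *CK_BYTE_PTR;

#define CKR_OK                     0x00UL
#define CKR_ARGUMENTS_BAD          0x07UL
#define CKR_FUNCTION_NOT_SUPPORTED 0x54UL

// Function-pointer types, matching the signatures quoted in the compiler errors.
typedef CK_RV (*CK_C_GetMechanismList)(CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR);
typedef CK_RV (*CK_C_SeedRandom)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG);
typedef CK_RV (*CK_C_GenerateRandom)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG);
typedef CK_RV (*CK_C_GetFunctionStatus)(CK_SESSION_HANDLE);

struct CK_FUNCTION_LIST {
    CK_C_GetMechanismList  C_GetMechanismList;
    CK_C_SeedRandom        C_SeedRandom;
    CK_C_GenerateRandom    C_GenerateRandom;
    CK_C_GetFunctionStatus C_GetFunctionStatus;
};
typedef CK_FUNCTION_LIST *CK_FUNCTION_LIST_PTR;
typedef CK_FUNCTION_LIST_PTR *CK_FUNCTION_LIST_PTR_PTR;

// Stub entry points: each unsupported function returns a defined error code.
static CK_RV C_GetMechanismList(CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR) { return CKR_FUNCTION_NOT_SUPPORTED; }
static CK_RV C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { return CKR_FUNCTION_NOT_SUPPORTED; }
static CK_RV C_GenerateRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { return CKR_FUNCTION_NOT_SUPPORTED; }
static CK_RV C_GetFunctionStatus(CK_SESSION_HANDLE) { return CKR_FUNCTION_NOT_SUPPORTED; }

// The rejected form looked like this with a void-pointer NULL_PTR and fails under g++:
//     static CK_FUNCTION_LIST function_list = { NULL_PTR, NULL_PTR, NULL_PTR, NULL_PTR };
// The accepted form points every entry at a real function.
static CK_FUNCTION_LIST function_list = {
    C_GetMechanismList,
    C_SeedRandom,
    C_GenerateRandom,
    C_GetFunctionStatus,
};

// The exported entry point a PKCS#11 loader calls first.
extern "C" CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
    if (ppFunctionList == NULL) return CKR_ARGUMENTS_BAD;
    *ppFunctionList = &function_list;
    return CKR_OK;
}

// Caller side: fetch the table and invoke one entry, checking the slot is
// populated before dereferencing it (a defensive habit that costs nothing).
CK_RV call_generate_random_through_table(CK_BYTE_PTR buf, CK_ULONG len) {
    CK_FUNCTION_LIST_PTR fl = NULL;
    CK_RV rv = C_GetFunctionList(&fl);
    if (rv != CKR_OK) return rv;
    if (fl->C_GenerateRandom == NULL) return CKR_FUNCTION_NOT_SUPPORTED;
    return fl->C_GenerateRandom(0, buf, len);
}

// True when no entry in the table is a null pointer.
bool all_entries_populated() {
    CK_FUNCTION_LIST_PTR fl = NULL;
    if (C_GetFunctionList(&fl) != CKR_OK) return false;
    return fl->C_GetMechanismList != NULL && fl->C_SeedRandom != NULL &&
           fl->C_GenerateRandom != NULL && fl->C_GetFunctionStatus != NULL;
}

int main() {
    CK_BYTE buf[16];
    CK_RV rv = call_generate_random_through_table(buf, sizeof buf);
    std::printf("C_GenerateRandom via table returned 0x%lx (0x54 = CKR_FUNCTION_NOT_SUPPORTED)\n", rv);
    std::printf("all entries populated: %s\n", all_entries_populated() ? "yes" : "no");
    return 0;
}
```

Compile with `g++ -std=c++11 -Wall` (as the project's Makefile does); the commented-out NULL_PTR table is the variant that produces the errors quoted in the report.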

hongkongkiwi commented 3 years ago

Thanks a lot! It can compile correctly now building the master branch :-)

It appears as if the library can load correctly now as I don't get loading errors.

I'm still having an issue running it. This could be a user error, but I'm unsure what I'm missing... With the debug flag set (thanks for adding this!) I get the following:

Engine "pkcs11" set.
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Attempting to load config from path: /root/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Configured to use AWS key: 8e6426ad-dbd5-4b86-8446-b8adc503904c
AWS_KMS: Configured to use AWS region: us-west-1
Found slot without user PIN
Found slot without user PIN
PKCS11_get_private_key returned NULL
Failed to load private key pkcs11:
140025985730368:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
140025985730368:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
Failed

I've got these certificate settings:

**Key ID** 
8e6426ad-dbd5-4b86-8446-b8adc503904c
**Key Type**
Asymmetric
**Origin**
AWS_KMS
**Key Spec**
ECC_NIST_P256
**Key Usage**
Sign and verify
**Signing algorithms**
ECDSA_SHA_256

Confirmed we have aws creds with printenv

AWS_SECRET_ACCESS_KEY=XXXXXXXXXXX
AWS_DEFAULT_REGION=us-west-1
AWS_ACCESS_KEY_ID=XXXXXXXX

Config file in /etc/aws-kms-pkcs11/config.json shows this:

{
  "kms_key_id": "8e6426ad-dbd5-4b86-8446-b8adc503904c",
  "aws_region": "us-west-1"
}

I downloaded the public key provided by the AWS web console for this KMS key... assuming this is what I should provide?

For reference, I'm running with this cli:

AWS_KMS_PKCS11_DEBUG=1 osslsigncode sign -h sha256 -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so -certs /etc/aws-kms-pkcs11/kms-test.crt -key pkcs11: -in /etc/hosts -out /tmp/hosts.signed
hongkongkiwi commented 3 years ago

Side note: why do I need to pass my kms public certificate to osslsigncode if it pulls it from the kms id (based on the log you provided)?

JackOfMostTrades commented 3 years ago

Hmm, still not an obvious problem that I'm seeing. I've found that if you run an interactive openssl CLI you can load the pkcs11 engine with VERBOSE turned on. Getting that debug info from the underlying engine might help us figure out where it's running into issues talking to the pkcs11 provider. Here's an example that you could follow that might provide more insight (obviously update the module path below):

$ echo foo | openssl dgst -sha256 -binary > foo
$ AWS_KMS_PKCS11_DEBUG=1 openssl
OpenSSL> engine pkcs11 -pre VERBOSE -pre MODULE_PATH:/home/ihaken/src/aws-kms-pkcs11/aws_kms_pkcs11.so
(pkcs11) pkcs11 engine
[Success]: VERBOSE
[Success]: MODULE_PATH:/home/ihaken/src/aws-kms-pkcs11/aws_kms_pkcs11.so
OpenSSL> pkeyutl -engine pkcs11 -sign -inkey pkcs11: -keyform engine -out foo.sig -in foo
engine "pkcs11" set.
PKCS#11: Initializing the engine
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Attempting to load config from path: /home/ihaken/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Configured to use AWS key: 8050fe98-6549-4415-bf96-2e1ae3659edb
AWS_KMS: Configured to use AWS region: us-east-1
Found 1 slot
Loading private key "pkcs11:"
Looking in slot -1 for key: 
[0]                            no pin            (no label)
Found slot:  
Found token: 
AWS_KMS: Successfully fetched public key data.
Found 1 private key:
AWS_KMS: Successfully called KMS to do a signing operation.
OpenSSL> 

Side note: why do I need to pass my kms public certificate to osslsigncode if it pulls it from the kms id (based on the log you provided)?

The certificate passed into osslsigncode isn't just the public key, it's a code signing certificate, usually from some third-party issuer (like Digicert). The cert is specific to the code-signing use-case because that certificate actually gets embedded in the executable so that clients can extract it and verify the signature. I don't think this is needed for your target use-case (RAUC).

hongkongkiwi commented 3 years ago

Here's my output:

# echo foo | openssl dgst -sha256 -binary > foo

# echo '{"kms_key_id":"8e6426ad-dbd5-4b86-8446-b8adc503904c","aws_region":"us-west-1"}' > '/etc/aws-kms-pkcs11/config.json'

# printenv | grep "AWS_"
AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX
AWS_DEFAULT_REGION=us-west-1
AWS_REGION=us-west-1
AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXX

# AWS_KMS_PKCS11_DEBUG=1 openssl
OpenSSL> engine pkcs11 -pre VERBOSE -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
(pkcs11) pkcs11 engine
[Success]: VERBOSE
[Success]: MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
OpenSSL> pkeyutl -engine pkcs11 -sign -inkey pkcs11: -keyform engine -out foo.sig -in foo
engine "pkcs11" set.
PKCS#11: Initializing the engine
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Attempting to load config from path: /root/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Configured to use AWS key: 8e6426ad-dbd5-4b86-8446-b8adc503904c
AWS_KMS: Configured to use AWS region: us-west-1
Found 1 slot
Loading private key "pkcs11:"
Looking in slot -1 for key:
[0]                            no pin            (no label)
Found slot without user PIN
Loading private key "pkcs11:"
Looking in slot -1 for key:
[0]                            no pin            (no label)
Found slot without user PIN
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140589372973504:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
140589372973504:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key
pkeyutl: Error initializing context
error in pkeyutl
OpenSSL>

I'm thinking it might be a permissions error? When I first ran it this morning I forgot to add the environment variables for AWS and it showed the same error. After adding those it shows the same error.

May I know what IAM policy you're using? Here's my current policy for AWS. It's pretty basic and I suppose it should have everything it needs.

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:user/<username>"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Here are some additional awscli debug commands:

# aws kms describe-key --key-id "8e6426ad-dbd5-4b86-8446-b8adc503904c"
{
    "KeyMetadata": {
        "AWSAccountId": "<account_id>",
        "KeyId": "8e6426ad-dbd5-4b86-8446-b8adc503904c",
        "Arn": "arn:aws:kms:us-west-1:<account_id>:key/8e6426ad-dbd5-4b86-8446-b8adc503904c",
        "CreationDate": 1622275762.638,
        "Enabled": true,
        "Description": "",
        "KeyUsage": "SIGN_VERIFY",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "ECC_NIST_P256",
        "SigningAlgorithms": [
            "ECDSA_SHA_256"
        ]
    }
}

# aws kms get-public-key --key-id "8e6426ad-dbd5-4b86-8446-b8adc503904c"
{
    "KeyId": "arn:aws:kms:us-west-1:<account_id>:key/8e6426ad-dbd5-4b86-8446-b8adc503904c",
    "PublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwJUue3Bc4WadvRXmG6ztFLPIVSDySLrBNqJJ1Tx7RwQuiTvtCDXmFjWU6gz/U/EEIfIMZlqCqcg6Ur3Ka5ntHg==",
    "CustomerMasterKeySpec": "ECC_NIST_P256",
    "KeyUsage": "SIGN_VERIFY",
    "SigningAlgorithms": [
        "ECDSA_SHA_256"
    ]
}

# aws kms sign --key-id "8e6426ad-dbd5-4b86-8446-b8adc503904c" --message "hello" --signing-algorithm ECDSA_SHA_256
{
    "KeyId": "arn:aws:kms:us-west-1:<account_id>:key/8e6426ad-dbd5-4b86-8446-b8adc503904c",
    "Signature": "MEUCIBs+vcZCBgCWSD+uB/7psbjA+3Et/Cdb2AqvvDMaorHcAiEAppSQcMYXn5tyLoWBGnD1MZTf15WPMD3rZc/1qgYWrtQ=",
    "SigningAlgorithm": "ECDSA_SHA_256"
}
hongkongkiwi commented 3 years ago

UPDATE: SUCCESS!

It looks like it does not work with ubuntu:18.04. I've used this exact Dockerfile and it fails (as with my debug above). However, if I run the exact same Dockerfile but change it to ubuntu:20.04 then it works perfectly.

I wonder what causes this?

FROM ubuntu:18.04 AS awspkcs11-builder
ARG AWS_CPP_SDK_VERSION=1.8.150
ARG AWS_CPP_SDK_SHA256SUM=YHruXDZ/CEKxgXXn5t8I7brILtSDzLNNXuvZ5qep0+Q=
ARG AWS_KMS_PKCS11_VERSION="master"
ENV HOME=/root
RUN export DEBIAN_FRONTEND=noninteractive && \
    export PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig && \
    echo "Updating Apt Packages ..." && \
    apt-get update -qq && \
    echo "Installing Apt Packages (this may take a while)..." && \
    apt-get install -qq -y --no-install-recommends -o=Dpkg::Use-Pty=0 \
      curl ca-certificates wget tar bash cmake build-essential \
      gcc g++ cmake libcurl4-openssl-dev libssl-dev libopencryptoki-dev \
      libjson-c-dev git zlib1g-dev \
      libengine-pkcs11-openssl1.1
SHELL ["/bin/bash","-c"]
RUN echo "Downloading aws-cpp-sdk v${AWS_CPP_SDK_VERSION} ..." && \
    curl -sLo "/tmp/aws-sdk-cpp.tar.gz" -L "https://github.com/aws/aws-sdk-cpp/archive/${AWS_CPP_SDK_VERSION}.tar.gz" && \
    if [[ "${AWS_CPP_SDK_SHA256SUM}" == "$(openssl dgst -sha256 -binary < "/tmp/aws-sdk-cpp.tar.gz" | openssl enc -base64)" ]]; then echo "sha256 matches for aws-cpp-sdk (${AWS_CPP_SDK_SHA256SUM})"; else exit 1; fi && \
    mkdir /aws-sdk-cpp-src && \
    tar -C /aws-sdk-cpp-src --strip-components=1 -zxf "/tmp/aws-sdk-cpp.tar.gz" && \
    rm "/tmp/aws-sdk-cpp.tar.gz" && \
    mkdir /aws-sdk-cpp-src/sdk_build && \
    cd /aws-sdk-cpp-src/sdk_build && \
    echo "Building aws-sdk-cpp ..." && \
    cmake .. -DCMAKE_BUILD_TYPE=Release \
             -DBUILD_ONLY=kms \
             -DENABLE_TESTING=OFF \
             -DCMAKE_INSTALL_PREFIX=$HOME/aws-sdk-cpp \
             -DBUILD_SHARED_LIBS=OFF && \
    make && \
    make install
RUN if [ "$AWS_KMS_PKCS11_VERSION" == "master" ]; then export AWS_KMS_PKCS11_VER_NICE="latest"; else export AWS_KMS_PKCS11_VER_NICE="v${AWS_KMS_PKCS11_VERSION}"; fi && \
    echo "Cloning aws-kms-pkcs11 ${AWS_KMS_PKCS11_VER_NICE} ..." && \
    git -c advice.detachedHead=false \
      clone "https://github.com/JackOfMostTrades/aws-kms-pkcs11.git" \
      --depth=1 --branch="${AWS_KMS_PKCS11_VERSION}" \
      "/build/aws-kms-pkcs11" && \
    echo "Building aws-kms-pkcs11 ..." && \
    cd "/build/aws-kms-pkcs11" && \
    make && \
    echo "Built into /build/aws-kms-pkcs11"

For reference here's the successful debug:

AWS_KMS_PKCS11_DEBUG=1 openssl
OpenSSL> engine pkcs11 -pre VERBOSE -pre MODULE_PATH:/build/aws-kms-pkcs11/aws_kms_pkcs11.so
(pkcs11) pkcs11 engine
[Success]: VERBOSE
[Success]: MODULE_PATH:/build/aws-kms-pkcs11/aws_kms_pkcs11.so
OpenSSL>
OpenSSL> pkeyutl -engine pkcs11 -sign -inkey pkcs11: -keyform engine -out foo.sig -in foo
engine "pkcs11" set.
PKCS#11: Initializing the engine
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Attempting to load config from path: /root/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Configured to use AWS key: 8e6426ad-dbd5-4b86-8446-b8adc503904c
AWS_KMS: Configured to use AWS region: us-west-1
Found 1 slot
Loading private key "pkcs11:"
Looking in slot -1 for key:
[0]                            no pin            (no label)
Found slot:
Found token:
AWS_KMS: Successfully fetched public key data.
Found 1 private key:
AWS_KMS: Successfully called KMS to do a signing operation.
JackOfMostTrades commented 3 years ago

Wow, I was definitely barking up the wrong tree with the debugging I was doing. Glad you figured out that a different Ubuntu version does the trick. I'll see if I can reproduce with 18.04 and dig down into whatever the issue is. But it sounds like you're at least unblocked in the meantime.

JackOfMostTrades commented 3 years ago

Ok, it turns out we were hitting this bug in the openssl pkcs11 engine, which was rejecting pkcs11 private keys that don't have PINs (which is how this is implemented). It turns out this fix is in the libp11 version in Ubuntu focal but not bionic.

I've added a note about this and some of the debug tips we picked up in the README.

Having addressed that, I also got around to testing this module with RAUC and confirmed it works as expected (on ubuntu 20.04, anyway). I've added that example to the README as well now. Hope it works for you too!

hongkongkiwi commented 3 years ago

Awesome!! This is really great, thank you for the help. I'm currently rebuilding my dockers now for Ubuntu 20.04 for testing.

I'm glad to know what the issue was, because strange unknowable bugs are a bit worrying.

As an aside, I'm also working on using this for kernel module signing, which is another adventure ;) If I have success with that I will report back for the README.

hongkongkiwi commented 3 years ago

FYR: Your project is now listed on the RAUC documentation: https://rauc.readthedocs.io/en/latest/advanced.html?highlight=aws#pkcs-11-support