JackOfMostTrades / aws-kms-pkcs11

PKCS#11 Provider Using AWS KMS
MIT License

Is this expected output from pkcs11-tool? #35

Closed pcolmer closed 2 weeks ago

pcolmer commented 2 weeks ago

I'm experimenting with the possibility of using KMS to store certificates generated by a firmware code signing tool, and then using aws-kms-pkcs11 as the bridge between the code signing tool and KMS, so that I don't have to keep the certificates on the filing system.

I've managed to import the keys into KMS and I've created a config.json file for aws-kms-pkcs11 that lists the different keys and IDs.

If I run pkcs11-tool --module /home/ec2-user/aws_kms_pkcs11.x86_64.so -I --list-objects --pin 123456, I get this output:

Cryptoki version 2.4
Manufacturer
Library           (ver 0.0)
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      CA1_sha256_4096_65537_v3_ca_key
  ID:         38643831613439622d356633632d343437302d393037382d303938313331326434356562
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(SIGN_RECOVER) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(UNWRAP) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(DERIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  Usage:      sign
warning: PKCS11 function C_GetAttributeValue(ALWAYS_SENSITIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(NEVER_EXTRACTABLE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(LOCAL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  Access:     sensitive
Certificate Object; type = X.509 cert
  label:      CA1_sha256_4096_65537_v3_ca_key
  subject:    DN: CN=CA1_sha256_4096_65537_v3_ca
  serial:     513274270EA7482FA4EF6CF71C293A9F25AF77A6
  ID:         38643831613439622d356633632d343437302d393037382d303938313331326434356562

Are those warnings to be expected?

Where should I be placing aws-kms-pkcs11.x86_64.so so that PKCS#11 URIs work? Does it matter, so long as I define PKCS11_MODULE_PATH, or is that dependent on the PKCS#11 library being used by the tool?

Many thanks

JackOfMostTrades commented 2 weeks ago

I think those warnings are expected; I hadn't tested with pkcs11-tool specifically, but the module implements the bare minimum that's needed to support signing operations with PKCS#11-aware tools, and so there's a bunch of attributes that weren't implemented.

Where you put the aws-kms-pkcs11.x86_64.so file and whether PKCS11_MODULE_PATH is respected will probably depend on the tool (and even the distro), but on Ubuntu at least putting it in /usr/lib/x86_64-linux-gnu/pkcs11/ has worked for me.
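A small triage script for the output discussed in this issue, added here as an example and not part of aws-kms-pkcs11 or pkcs11-tool: it separates the CKR_ATTRIBUTE_TYPE_INVALID warnings the maintainer describes as expected (attributes the module simply does not expose) from any other failure, and decodes the hex CKA_ID, which for the listed objects is a UUID-shaped ASCII string (assumed here to be the KMS key id). The sample input is a trimmed copy of the output quoted above.

```python
import re
from typing import Optional

# Constructed sample: a trimmed copy of the pkcs11-tool --list-objects output quoted in the issue.
SAMPLE_OUTPUT = """\
Private Key Object; RSA
  label:      CA1_sha256_4096_65537_v3_ca_key
  ID:         38643831613439622d356633632d343437302d393037382d303938313331326434356562
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
  Usage:      sign
warning: PKCS11 function C_GetAttributeValue(LOCAL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
  Access:     sensitive
Certificate Object; type = X.509 cert
  label:      CA1_sha256_4096_65537_v3_ca_key
  ID:         38643831613439622d356633632d343437302d393037382d303938313331326434356562
"""

WARN_RE = re.compile(r"warning: PKCS11 function (\w+)\((\w+)\) failed: rv = (\w+) \(0x[0-9a-f]+\)")

# CKR_ATTRIBUTE_TYPE_INVALID from C_GetAttributeValue only says the module does not expose that
# attribute (aws-kms-pkcs11 implements just what signing needs); any other pairing deserves a look.
BENIGN_RV = {"C_GetAttributeValue": {"CKR_ATTRIBUTE_TYPE_INVALID"}}

def decode_object_id(hex_id: str) -> Optional[str]:
    """pkcs11-tool prints CKA_ID as hex; here it decodes to a UUID-shaped string (assumed: the KMS key id)."""
    try:
        return bytes.fromhex(hex_id).decode("ascii")
    except ValueError:  # not hex, or not ASCII: caller keeps the raw value
        return None

def triage(output: str) -> dict:
    """Split pkcs11-tool output into listed objects, benign missing attributes and real failures."""
    objects, missing_attrs, unexpected = [], [], []
    for line in output.splitlines():
        m = WARN_RE.match(line)
        if m:
            func, attr, rv = m.groups()
            if rv in BENIGN_RV.get(func, ()):
                missing_attrs.append(attr)
            else:
                unexpected.append(f"{func}({attr}) -> {rv}")
        elif " Object;" in line and not line.startswith(" "):
            objects.append({"kind": line.split(" Object;")[0], "label": None, "id": None})
        elif line.startswith(" ") and ":" in line and objects:
            key, value = (s.strip() for s in line.strip().split(":", 1))
            if key == "label":
                objects[-1]["label"] = value
            elif key == "ID":
                objects[-1]["id"] = decode_object_id(value) or value
    return {"objects": objects, "missing_attrs": missing_attrs, "unexpected": unexpected}
```

Run `triage(SAMPLE_OUTPUT)` (or feed it real pkcs11-tool output) and treat a non-empty `unexpected` list as the thing to investigate; `missing_attrs` just documents what the module leaves unimplemented.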