Closed jfgibbins closed 3 years ago
Hello @jfgibbins , thanks for reporting your problem.
First of all, you might want to generate keys with some attributes (so you can sign and verify with them):

```
p11keygen -k ed -q ed448 -i test-448
p11keygen -k ed -q ed25519 -i test-25519
```

should be instead

```
p11keygen -k ed -q ed448 -i test-448 sign=true verify=true
p11keygen -k ed -q ed25519 -i test-25519 sign=true verify=true
```
Commands such as `p11cat`, `p11more`, etc. are using OpenSSL and are therefore initializing the OpenSSL library; as such, regular OpenSSL library initialization takes place. If your configuration of OpenSSL has anything wrongly specified (the errors seem to suggest you are missing some OpenSSL engine) then the commands will fail to work. The fact you are using `p11tool` gives a hint that you are maybe adjusting your OpenSSL configuration file to e.g. use the `libp11` engine.
As a first suggestion, I would recommend checking your OpenSSL setup, potentially reinstalling it properly (with `yum` or `dnf`) and making sure that your `openssl.conf` is pristine. Check also if you have an `OPENSSL_CONF` environment variable defined, that may point to a different configuration file.
If all of that does not work, please refer to the installation instructions and build the toolkit from a statically linked OpenSSL.
Hope this can help you, please post the results of your investigation.
Thanks for the heads up on the additional attributes. I'm sure I'll be needing those. :) I added those in, but same results. For the setup, everything was done as listed above on fresh installs of Fedora 34 and Ubuntu 20.04. The openssl.cnf was untouched and `version -a` points to the installed version at /etc/pki/tls/openssl.cnf. No export of environment variable. libp11 isn't installed; I simply had gnutls-utils installed as I knew some of the commands for viewing more details than softhsm shows on its own. I'll give it a try later tonight on a fresh install with gnutls not even installed, just in case it threw something in under p11-kit. I will also take a look at statically linking openssl. I assume you mean as part of the pkcs11-tools build process.
I gave it another try with static linking, installing only openssl and pkcs11-tools, pristine unmodified openssl.cnf. Still no luck. All the commands work with other algorithms, like prime256v1, with no issues. Commands only fail with ed25519 and ed448.
Just in case, I tried as well with openssl-pkcs (Fedora) and libengine-pkcs-openssl (Ubuntu) (my original assumption was that the engine was needed, as libp11 was integrated and compiled as part of your tool); always the same issue.
I'm sorry it didn't fix your problem; it helps anyway. I will try on a fresh Ubuntu and see how it goes. Stay tuned.
I get a different error code:
```
$ ./with_softhsm src/p11more pubk
*** OpenSSL ERROR at pkcs11_more.c:458 'error:0D093074:asn1 encoding routines:d2i_ASN1_OBJECT:expecting an object' - (from ../crypto/asn1/a_object.c:235)
*** OpenSSL ERROR at pkcs11_more.c:458 'error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long' - (from ../crypto/asn1/asn1_lib.c:101)
```
There is definitely an issue to fix.
However I don't have the exact same errors as you. These are probably related anyway. FYI, I am using Ubuntu server 20.04.2 LTS, with OpenSSL 1.1.1f (and SoftHSM 2.6.1 compiled with EDDSA support)
If using 1.1.1f on Ubuntu vs the previous 1.1.1k on Fedora, this is the error, very similar to yours:

```
$ openssl version
OpenSSL 1.1.1f  31 Mar 2020

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal

OpenSSL ERROR at pkcs11_more.c:458 'error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long' - (from ../crypto/asn1/asn1_lib.c:101)
OpenSSL ERROR at pkcs11_more.c:458 'error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header' - (from ../crypto/asn1/tasn_dec.c:1137)
```
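Both sets of OpenSSL errors above come out of the DER decoder, and `d2i_ASN1_OBJECT` in particular only succeeds when the buffer starts with an OBJECT IDENTIFIER tag (0x06). PKCS#11 v3.0 allows the `CKA_EC_PARAMS` attribute of an Edwards key to be encoded either as an OID (1.3.101.112 for Ed25519, 1.3.101.113 for Ed448) or as a PrintableString curve name such as `edwards25519`, whereas Weierstrass curves like prime256v1 are always an OID. The Python below is an added example, not code from pkcs11-tools, SoftHSM, OpenSSL or the `fix_issue_32` branch, and it does not claim to be the actual root cause: it assumes (an assumption, since the thread only shows the error strings) that the value being decoded at pkcs11_more.c:458 is `CKA_EC_PARAMS`. It shows a reader that accepts both encodings next to a strict OID-only reader that fails on the curve-name form with the same "expecting an object" complaint. The sample byte strings are constructed, not dumped from the reporter's token.

```python
"""Decode the CKA_EC_PARAMS attribute of a PKCS#11 EC or Edwards key.

Added example, not pkcs11-tools, SoftHSM or OpenSSL code. Assumption: the
value decoded at pkcs11_more.c:458 is CKA_EC_PARAMS (the issue thread only
shows the OpenSSL error strings, not the bytes being decoded).
"""

TAG_OID = 0x06               # ASN.1 OBJECT IDENTIFIER
TAG_PRINTABLE_STRING = 0x13  # ASN.1 PrintableString

# RFC 8410 OIDs and PKCS#11 v3.0 curve names; prime256v1 included for contrast.
CURVE_BY_OID = {
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
    "1.2.840.10045.3.1.7": "prime256v1",
}
CURVE_BY_NAME = {"edwards25519": "Ed25519", "edwards448": "Ed448"}


class ECParamsError(ValueError):
    """Malformed or unsupported CKA_EC_PARAMS encoding."""


def _split_tlv(der: bytes):
    """Split one short-form DER TLV into (tag, contents)."""
    # CKA_EC_PARAMS values are a few bytes, so only short-form lengths (< 128)
    # are accepted; anything else is rejected instead of guessed at.
    if len(der) < 2:
        raise ECParamsError("header too short")
    tag, length = der[0], der[1]
    if length & 0x80:
        raise ECParamsError("long-form length not expected")
    if 2 + length != len(der):
        raise ECParamsError("length byte does not match value size")
    return tag, der[2:]


def decode_oid_contents(body: bytes) -> str:
    """OID contents octets (X.690 base-128 subidentifiers) -> dotted string."""
    if not body:
        raise ECParamsError("empty OID")
    if body[-1] & 0x80:           # continuation bit set on the final octet
        raise ECParamsError("truncated OID arc")
    subids, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:      # last base-128 digit of this subidentifier
            subids.append(value)
            value = 0
    first = subids[0]             # packs the first two arcs: 40*a1 + a2
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (used to build sample values)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                # higher base-128 digits carry the 0x80 bit
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body += bytes(reversed(chunk))
    return bytes([TAG_OID, len(body)]) + bytes(body)


def decode_ec_params(der: bytes) -> dict:
    """Edwards-aware reader: accepts the OID and the PrintableString form."""
    tag, body = _split_tlv(der)
    if tag == TAG_OID:
        oid = decode_oid_contents(body)
        return {"form": "oid", "value": oid, "curve": CURVE_BY_OID.get(oid)}
    if tag == TAG_PRINTABLE_STRING:
        name = body.decode("ascii")
        return {"form": "name", "value": name, "curve": CURVE_BY_NAME.get(name)}
    raise ECParamsError(f"unsupported CKA_EC_PARAMS tag 0x{tag:02x}")


def decode_ec_params_oid_only(der: bytes) -> str:
    """Strict reader, OID or nothing, like handing the value to d2i_ASN1_OBJECT()."""
    tag, body = _split_tlv(der)
    if tag != TAG_OID:
        raise ECParamsError("expecting an object")
    return decode_oid_contents(body)


def strict_reader_error(der: bytes):
    """Error message from the strict reader, or None when it decodes fine."""
    try:
        decode_ec_params_oid_only(der)
    except ECParamsError as exc:
        return str(exc)
    return None


# Constructed sample values, not dumped from the reporter's token.
SAMPLE_ED25519_OID = bytes.fromhex("06032b6570")
SAMPLE_ED448_OID = bytes.fromhex("06032b6571")
SAMPLE_P256_OID = bytes.fromhex("06082a8648ce3d030107")
SAMPLE_ED25519_NAME = bytes([TAG_PRINTABLE_STRING, 12]) + b"edwards25519"

if __name__ == "__main__":
    for s in (SAMPLE_ED25519_OID, SAMPLE_ED448_OID, SAMPLE_P256_OID, SAMPLE_ED25519_NAME):
        print(decode_ec_params(s), "| strict reader:", strict_reader_error(s))
```

Running it prints the decoded curve for all four samples from the tolerant reader, while the strict reader decodes the three OID samples and reports "expecting an object" for the `edwards25519` PrintableString, which is the shape of failure worth checking for when a tool that handles prime256v1 fine breaks only on Edwards keys.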
Can you check out branch `fix_issue_32` and report if it solves your issue? Please try on both platforms if you can.
If the fix works, I'll merge it back to the master branch.
Thanks,
@jfgibbins, the changes have been committed to the master branch. As I haven't received any feedback from you, I'll consider this issue as closed. Let me know however if you still encounter issues.
Sorry, I got caught up with a few things around here, including the holidays. Trying to catch up.
Able to run keygen and ls using ed25519 and 448, but not other functions such as cat, req, mkcert, etc. with eddsa. No issues with other tested algorithms such as prime256, etc. Believe to have a working install otherwise.
1. Setup system
   - compile and install softhsm 2.6.1 with `--enable-eddsa`
   - compile and install mastercard/pkcs11-tools
   - install gnutls-utils 3.7.2
   - openssl 1.1.1k
2. Initialize softhsm token

```
softhsm2-util --init-token --slot 0 --label "CA_G1" --so-pin password --pin 1111
softhsm2-util --sh
```

2a. Results

```
Found token (9e4f3336-a231-b09b-b7dd-be8a5edc900b) with matching serial.
The token (/var/lib/softhsm/tokens/9e4f3336-a231-b09b-b7dd-be8a5edc900b) has been deleted.
The token has been initialized and is reassigned to slot 124920443
Available slots:
Slot 124920443
    Slot info:
        Description:      SoftHSM slot ID 0x772227b
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.6
        Firmware version: 2.6
        Serial number:    cecf60180772227b
        Initialized:      yes
        User PIN init.:   yes
        Label:            CA_G1
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.6
        Firmware version: 2.6
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:
```
3. p11slotinfo (abbreviated to show relevant supported algorithms)

```
PKCS#11 Library
    Name        : /usr/local/lib/softhsm/libsofthsm2.so
    Lib version : 2.6
    API version : 2.40
    Description : Implementation of PKCS11
    Manufacturer: SoftHSM

Slot[0]
    Slot Number : 124920443
    Description : SoftHSM slot ID 0x772227b
    Manufacturer: SoftHSM project
    Slot Flags  : [ CKF_TOKEN_PRESENT ]

    Token
        Label       : CA_G1
        Manufacturer: SoftHSM project
        Token Flags : [ CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED ]

    Mechanisms:
        CKM_ECDH1_DERIVE            --- --- --- --- --- --- --- --- --- --- --- der SW (00001050)
        CKM_ECDSA                   --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001041) ec: F^p --- --- nam unc ---
        CKM_EC_EDWARDS_KEY_PAIR_GEN --- --- --- --- --- --- --- --- gkp --- --- --- SW (00001055)
        CKM_ECDSA_KEY_PAIR_GEN      --- --- --- --- --- --- --- --- gkp --- --- --- SW (00001040) ec: F^p --- --- nam unc ---
        CKM_EDDSA                   --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001057)
```
4. Generate keys

```
p11keygen -k ed -q ed448 -i test-448
p11keygen -k ed -q ed25519 -i test-25519
```

5. View with p11tool (test-25519 shows as type 25519 for private and public; test-448 shows as type 448 for public and 25519 for private)

```
p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --list-all --login --set-pin=1111
Object 0:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=cecf60180772227b;token=CA_G1;id=%87%44%23%DB%DA%B9%94%0D%B6%48%40%91%D7%27%7E%D2%B0%C6%A1%0B;object=test-25519;type=public
	Type: Public key (EdDSA (Ed25519))
	Label: test-25519
	ID: 87:44:23:db:da:b9:94:0d:b6:48:40:91:d7:27:7e:d2:b0:c6:a1:0b

Object 1:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=cecf60180772227b;token=CA_G1;id=%87%44%23%DB%DA%B9%94%0D%B6%48%40%91%D7%27%7E%D2%B0%C6%A1%0B;object=test-25519;type=private
	Type: Private key (EdDSA (Ed25519))
	Label: test-25519
	Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
	ID: 87:44:23:db:da:b9:94:0d:b6:48:40:91:d7:27:7e:d2:b0:c6:a1:0b

Object 2:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=cecf60180772227b;token=CA_G1;id=%24%25%9C%A2%E2%A6%4B%40%B5%B4%AC%E6%A7%2C%BC%BF%BF%D9%92%D2;object=test-448;type=public
	Type: Public key (EdDSA (Ed448))
	Label: test-448
	ID: 24:25:9c:a2:e2:a6:4b:40:b5:b4:ac:e6:a7:2c:bc:bf:bf:d9:92:d2

Object 3:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=cecf60180772227b;token=CA_G1;id=%24%25%9C%A2%E2%A6%4B%40%B5%B4%AC%E6%A7%2C%BC%BF%BF%D9%92%D2;object=test-448;type=private
	Type: Private key (EdDSA (Ed25519))
	Label: test-448
	Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
	ID: 24:25:9c:a2:e2:a6:4b:40:b5:b4:ac:e6:a7:2c:bc:bf:bf:d9:92:d2
```

6. p11ls (shows correct for all; only command that seems to work)

```
pubk/test-25519  tok,pub,r/w,loc,ed(ED25519)
prvk/test-25519  tok,prv,r/w,loc,sen,ase,nxt,ed(ED25519)
pubk/test-448    tok,pub,r/w,loc,ed(ED448)
prvk/test-448    tok,prv,r/w,loc,sen,ase,nxt,ed(ED448)
```

7. p11more pubk (other commands such as p11cat, p11req, p11mkcert, etc. produce this same result)

```
OpenSSL ERROR at pkcs11_more.c:458 'error:2606A074:engine routines:ENGINE_by_id:no such engine' - (from crypto/engine/eng_list.c:334)
OpenSSL ERROR at pkcs11_more.c:458 'error:2606A074:engine routines:ENGINE_by_id:no such engine' - (from crypto/engine/eng_list.c:334)
```
Expected behavior: to generate, view, and utilize eddsa the same as other algorithms.
Screenshots: results as above.
Operating System (please complete the following information): tested on Fedora 34 and Ubuntu 20.04.
Thank you