Mastercard / pkcs11-tools

A set of tools to manage objects on PKCS#11 cryptographic tokens. Compatible with many PKCS#11 libraries, including major HSM brands, NSS and softoken.

fix: support for utimaco #45

Closed Direktor799 closed 10 months ago

Direktor799 commented 10 months ago

When using p11ls & p11od with Utimaco HSM, there are lots of attribute types that Utimaco doesn't support.

PKCS11LIB=* CS_PKCS11_R2_CFG=* PKCS11SLOT=* PKCS11PASSWORD=* p11ls
Attribute 0x40000213 not found.
Error CKR_ATTRIBUTE_TYPE_INVALID occurred.
Attribute 0x40000213 not found.
Error CKR_ATTRIBUTE_TYPE_INVALID occurred.
Attribute 0x40000213 not found.
Error CKR_ATTRIBUTE_TYPE_INVALID occurred.
PKCS11LIB=* CS_PKCS11_R2_CFG=* PKCS11SLOT=* PKCS11PASSWORD=* p11od
Attribute 0x00000171 not found.
Error CKR_ATTRIBUTE_TYPE_INVALID occurred.
Attribute 0x00000171 not found.
Error CKR_ATTRIBUTE_TYPE_INVALID occurred.
Attribute 0x00000171 not found.
Error CKR_ATTRIBUTE_TYPE_INVALID occurred.

I found out all the attributes and excluded them with the '--with-utimaco' flag.

keldonin commented 10 months ago

Hi @Direktor799, thanks a lot for your PR. Just to make things clear: the error messages you describe, are these coming to the standard output or standard error? Is there any possibility you adjust the configuration file instead, to route these errors to a log file? The reason I'm asking is to avoid inserting too much specific code in the code base for errors that are expected - it is expected that not all HSMs will support all attributes, and that's fine. However, the HSM is not supposed to clutter the output with error reporting. Can you reveal which version of the vendor library you are using in this case? Thanks,

Direktor799 commented 10 months ago

Hi @keldonin, thanks for replying. The logs are from stderr, and I can redirect it to a log file. But the problem is that it's also not showing other valid attributes. This is what I got with p11od after redirecting logs:

CKA_TOKEN/{01}:

CKA_TOKEN/{01}:

And this is what I got using p11od compiled with --with-utimaco:

CKA_TOKEN/{01}:
 CKA_CLASS:
  0000  04 00 00 00 00 00 00 00                            CKO_SECRET_KEY
 CKA_TOKEN:
  0000  01                                                 CK_TRUE
 CKA_PRIVATE:
  0000  01                                                 CK_TRUE
 CKA_LABEL:
  0000  6b 6d 73 20 6d 61 73 74 65 72 20 6b 65 79          kms master key
 CKA_TRUSTED:
  0000  00                                                 CK_FALSE
 CKA_CHECK_VALUE:
  0000  d9 17 50                                           ..P
......
CKA_TOKEN/{01}:
 CKA_CLASS:
  0000  04 00 00 00 00 00 00 00                            CKO_SECRET_KEY
 CKA_TOKEN:
  0000  01                                                 CK_TRUE
 CKA_PRIVATE:
  0000  01                                                 CK_TRUE
 CKA_LABEL:
  0000  6b 6d 73 20 6d 61 73 74 65 72 20 6b 65 79          kms master key
 CKA_TRUSTED:
  0000  00                                                 CK_FALSE
 CKA_CHECK_VALUE:
  0000  67 4e 11                                           gN.
......

When it comes to p11ls, it's

seck/???unlabelled object???          ses,pub,r/o,imp,NSE,NAS,WXT,rsa
seck/???unlabelled object???          ses,pub,r/o,imp,NSE,NAS,WXT,rsa

vs

seck/kms master key                   tok,prv,r/w,loc,enc,dec,sig,vfy,wra,unw,sen,ase,XTR,WXT,aes(128)
seck/kms master key                   tok,prv,r/w,loc,enc,dec,sig,vfy,wra,unw,sen,ase,nxt,aes(128)

FYI, I'm using libcs_pkcs11_R2.so.

keldonin commented 10 months ago

This is what I got with p11od after redirecting logs:

CKA_TOKEN/{01}:

CKA_TOKEN/{01}:

Well, this is effectively not expected. However, this looks more like a vendor implementation issue than something that needs to be changed on the toolkit, as CKR_ATTRIBUTE_TYPE_INVALID is generally OK, since the PKCS#11 library should nevertheless process all other valid attributes, according to the spec.

To help the case, would you mind:

Can you also check if you are running the latest version of Utimaco software (client library)?

Thanks for your contribution!
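The spec behaviour keldonin refers to, shown as an added example that is not code from pkcs11-tools or from either commenter: a conforming C_GetAttributeValue fills the supported entries and marks the rest CK_UNAVAILABLE_INFORMATION even while returning CKR_ATTRIBUTE_TYPE_INVALID, a non-conforming one returns the same code with the template untouched, and a caller can fall back to one query per attribute when that happens. The PKCS#11 types and constants are minimal stand-ins declared here so it builds without pkcs11.h; the simulated token and its "kms master key" label are constructed.

```c
#include <stddef.h>
/* Minimal stand-ins for the PKCS#11 types used here (assumed, not taken from
   a vendor header) so the example builds without pkcs11.h. */
typedef unsigned long CK_ULONG, CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKR_OK = 0, CKR_ATTRIBUTE_TYPE_INVALID = 0x12, CKA_CLASS = 0, CKA_LABEL = 3, CKA_CHECK_VALUE = 0x90 };
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* Constructed token: supports CKA_CLASS and CKA_LABEL, not CKA_CHECK_VALUE. */
static CK_ULONG sim_len(CK_ULONG type) {
    if (type == CKA_CLASS) return sizeof(CK_ULONG);
    if (type == CKA_LABEL) return 14;   /* strlen("kms master key") */
    return 0;                           /* unsupported attribute */
}

/* Spec-conforming size query (pValue == NULL): supported entries get their
   length, unsupported ones CK_UNAVAILABLE_INFORMATION, rc is still INVALID. */
static CK_RV spec_get(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < n; i++)
        if ((t[i].ulValueLen = sim_len(t[i].type)) == 0) {
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_ATTRIBUTE_TYPE_INVALID;
        }
    return rv;
}

/* Non-conforming behaviour like the one in this thread: same return code,
   but the template is left untouched, so the valid attributes are lost too. */
static CK_RV broken_get(CK_ATTRIBUTE *t, CK_ULONG n) {
    for (CK_ULONG i = 0; i < n; i++)
        if (sim_len(t[i].type) == 0) return CKR_ATTRIBUTE_TYPE_INVALID;
    return spec_get(t, n);
}

/* Caller side (ulValueLen must be 0 on entry): one bulk query; if it failed
   with CKR_ATTRIBUTE_TYPE_INVALID and nothing was filled in, retry attribute
   by attribute. Returns how many entries ended up with a usable length. */
size_t fetch_lengths(CK_RV (*get)(CK_ATTRIBUTE *, CK_ULONG), CK_ATTRIBUTE *t, CK_ULONG n) {
    size_t usable = 0;
    CK_RV rv = get(t, n);
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].ulValueLen && t[i].ulValueLen != CK_UNAVAILABLE_INFORMATION) usable++;
    if (rv != CKR_ATTRIBUTE_TYPE_INVALID || usable) return usable;
    for (CK_ULONG i = 0; i < n; i++) {          /* per-attribute fallback */
        t[i].ulValueLen = 0;
        if (get(&t[i], 1) == CKR_OK && t[i].ulValueLen) usable++;
        else t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
    }
    return usable;
}
```

The fallback costs one extra call per attribute only when the bulk query came back empty, so a conforming library never pays for it.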

keldonin commented 10 months ago

FYI, I'm using libcs_pkcs11_R2.so.

Would you mind sending the output of p11slotinfo please?

Direktor799 commented 10 months ago
  • share the output that triggers the issue.
    [cnt] 0000000000000017 - C_GetAttributeValue
    [pid] 3095006
    [ppd] 3050063
    [tid] 3095006
    [tic] 2023-08-23 21:49:32.935400
    [in ] hSession = 0x110f58d
    [in ] hObject = 0x6
    [in ] pTemplate[28]: 
    CKA_TOKEN             0000000000000000 / 0
    CKA_PRIVATE           0000000000000000 / 0
    CKA_MODIFIABLE        0000000000000000 / 0
    CKA_LABEL             0000000000000000 / 0
    CKA_KEY_TYPE          0000000000000000 / 0
    CKA_ID                0000000000000000 / 0
    CKA_START_DATE        0000000000000000 / 0
    CKA_END_DATE          0000000000000000 / 0
    CKA_DERIVE            0000000000000000 / 0
    CKA_DERIVE_TEMPLATE   0000000000000000 / 0
    CKA_LOCAL             0000000000000000 / 0
    CKA_KEY_GEN_MECHANISM 0000000000000000 / 0
    CKA_ALLOWED_MECHANISMS  0000000000000000 / 0
    CKA_ENCRYPT           0000000000000000 / 0
    CKA_DECRYPT           0000000000000000 / 0
    CKA_SIGN              0000000000000000 / 0
    CKA_VERIFY            0000000000000000 / 0
    CKA_WRAP              0000000000000000 / 0
    CKA_WRAP_TEMPLATE     0000000000000000 / 0
    CKA_UNWRAP            0000000000000000 / 0
    CKA_UNWRAP_TEMPLATE   0000000000000000 / 0
    CKA_SENSITIVE         0000000000000000 / 0
    CKA_ALWAYS_SENSITIVE  0000000000000000 / 0
    CKA_EXTRACTABLE       0000000000000000 / 0
    CKA_NEVER_EXTRACTABLE 0000000000000000 / 0
    CKA_TRUSTED           0000000000000000 / 0
    CKA_WRAP_WITH_TRUSTED  0000000000000000 / 0
    CKA_VALUE_LEN         0000000000000000 / 0
    [out] pTemplate[28]: 
    CKA_TOKEN             0000000000000000 / 0
    CKA_PRIVATE           0000000000000000 / 0
    CKA_MODIFIABLE        0000000000000000 / 0
    CKA_LABEL             0000000000000000 / 0
    CKA_KEY_TYPE          0000000000000000 / 0
    CKA_ID                0000000000000000 / 0
    CKA_START_DATE        0000000000000000 / 0
    CKA_END_DATE          0000000000000000 / 0
    CKA_DERIVE            0000000000000000 / 0
    CKA_DERIVE_TEMPLATE   0000000000000000 / 0
    CKA_LOCAL             0000000000000000 / 0
    CKA_KEY_GEN_MECHANISM 0000000000000000 / 0
    CKA_ALLOWED_MECHANISMS  0000000000000000 / 0
    CKA_ENCRYPT           0000000000000000 / 0
    CKA_DECRYPT           0000000000000000 / 0
    CKA_SIGN              0000000000000000 / 0
    CKA_VERIFY            0000000000000000 / 0
    CKA_WRAP              0000000000000000 / 0
    CKA_WRAP_TEMPLATE     0000000000000000 / 0
    CKA_UNWRAP            0000000000000000 / 0
    CKA_UNWRAP_TEMPLATE   0000000000000000 / 0
    CKA_SENSITIVE         0000000000000000 / 0
    CKA_ALWAYS_SENSITIVE  0000000000000000 / 0
    CKA_EXTRACTABLE       0000000000000000 / 0
    CKA_NEVER_EXTRACTABLE 0000000000000000 / 0
    CKA_TRUSTED           0000000000000000 / 0
    CKA_WRAP_WITH_TRUSTED  0000000000000000 / 0
    CKA_VALUE_LEN         0000000000000000 / 0
    [toc] 2023-08-23 21:49:32.935745
    [lap] 0.000345
    [ret] 18 CKR_ATTRIBUTE_TYPE_INVALID
    ......
    CKA_? (0xde436a74)    00000000005609c0 / 0
    CKA_? (0xde436975)    00000000005609e0 / 0
    CKA_? (0xde43698a)    0000000000560a00 / 0
    [toc] 2023-08-23 21:53:26.128254
    [lap] 0.000407
    [ret] 18 CKR_ATTRIBUTE_TYPE_INVALID

Would you mind sending the output of p11slotinfo please?

PKCS#11 Library
---------------
Name        : ./pkcs11/r2/libcs_pkcs11_R2.so
Lib version : 2.59
API version : 2.40
Description : CryptoServer PKCS#11 Library R2 
Manufacturer: Utimaco IS GmbH
......

Which part of slotinfo do you need?

keldonin commented 10 months ago

Thanks again for the prompt reply. From my standpoint, this issue seems to be dating, and it is my understanding it has been solved on the R3 (for sure) and R2 platform as well. You might not be running the latest library version. Do you have the possibility to upgrade to the latest version? It's maybe worth contacting Utimaco support to get a fixed version of their library.

About the library version you run, I guess it is part of the name of the firmware, inside your install directory (ex: 4.32.0-3).

Direktor799 commented 10 months ago

So the problem is that I'm not using the newest firmware or library. And I don't think I can update the library, since it needs the firmware to be updated as well. Guess I have to stick with my fork now. Thank you for your help, I'm closing this PR since it's not a general issue.

keldonin commented 10 months ago

@Direktor799, thank you for your understanding. I would recommend you to reach out to vendor support, as the firmware can be easily updated on this platform. We truly appreciate your contribution, feel free to post other issues & PR candidates; anything that can help evolve the tool is welcome!