Closed Direktor799 closed 10 months ago
Hi @Direktor799 , thanks a lot for your PR. Just to make things clear, the error messages you describe, are these coming to the standard output or standard error? Is there any possibility you adjust the configuration file instead, to route these errors to a log file? The reason I'm asking is to avoid inserting too much specific code in the code base, for errors that are expected - it is expected that not all HSMs will support all attributes, and that's fine. However, the HSM is not supposed to clutter the output with error reporting. Can you reveal which version of the vendor library you are using in this case? Thanks,
Hi @keldonin, thanks for replying. The logs are from stderr, and I can redirect it to a log file. But the problem is that it's also not showing other valid attributes.
This is what I got with p11od after redirecting logs:
CKA_TOKEN/{01}:
CKA_TOKEN/{01}:
And this is what I got using p11od compiled with --with-utimaco:
CKA_TOKEN/{01}:
CKA_CLASS:
0000 04 00 00 00 00 00 00 00 CKO_SECRET_KEY
CKA_TOKEN:
0000 01 CK_TRUE
CKA_PRIVATE:
0000 01 CK_TRUE
CKA_LABEL:
0000 6b 6d 73 20 6d 61 73 74 65 72 20 6b 65 79 kms master key
CKA_TRUSTED:
0000 00 CK_FALSE
CKA_CHECK_VALUE:
0000 d9 17 50 ..P
......
CKA_TOKEN/{01}:
CKA_CLASS:
0000 04 00 00 00 00 00 00 00 CKO_SECRET_KEY
CKA_TOKEN:
0000 01 CK_TRUE
CKA_PRIVATE:
0000 01 CK_TRUE
CKA_LABEL:
0000 6b 6d 73 20 6d 61 73 74 65 72 20 6b 65 79 kms master key
CKA_TRUSTED:
0000 00 CK_FALSE
CKA_CHECK_VALUE:
0000 67 4e 11 gN.
......
When it comes to p11ls, it's
seck/???unlabelled object??? ses,pub,r/o,imp,NSE,NAS,WXT,rsa
seck/???unlabelled object??? ses,pub,r/o,imp,NSE,NAS,WXT,rsa
vs
seck/kms master key tok,prv,r/w,loc,enc,dec,sig,vfy,wra,unw,sen,ase,XTR,WXT,aes(128)
seck/kms master key tok,prv,r/w,loc,enc,dec,sig,vfy,wra,unw,sen,ase,nxt,aes(128)
FYI, I'm using libcs_pkcs11_R2.so.
This is what I got with p11od after redirecting logs: CKA_TOKEN/{01}: CKA_TOKEN/{01}:
Well, this is effectively not expected. However, this looks more like a vendor implementation issue than something that needs to be changed on the toolkit, as CKR_ATTRIBUTE_TYPE_INVALID
is generally OK, since the PKCS#11 library should nevertheless process all other valid attributes, according to the spec.
To help the case, would you mind:
- using the shim library libpkcs11shim from here https://github.com/Mastercard/libpkcs11shim.git to capture the log of PKCS#11 calls; if you are using the with_utimaco wrapper script, that's easy:
$ SHIM=capture.log with_utimaco p11od
If you are not using the wrapper, you will have to set PKCS11SHIM and PKCS11SHIM_OUTPUT environment variables accordingly, and obviously set libpkcs11shim.so as the library to load with the toolkit.
Can you also check if you are running the latest version of Utimaco software (client library)?
Thanks for your contribution!
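An added illustration (not code from this thread or from pkcs11-tools) of the spec point made above: when C_GetAttributeValue returns CKR_ATTRIBUTE_TYPE_INVALID, a conformant library still fills in the lengths of every supported attribute and marks only the unsupported ones with CK_UNAVAILABLE_INFORMATION, so a tool can keep going. The types, constants and the fake library below are stand-ins defined here for a stand-alone build; fake_C_GetAttributeValue is a constructed conformant library, not the Utimaco one.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-ins for the PKCS#11 types and constants used here (assumption:
 * the real pkcs11.h is not included so the snippet builds on its own). */
typedef unsigned long CK_ULONG;
typedef unsigned long CK_RV;
typedef unsigned long CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL   /* decimal 18, as seen in the shim log */
#define CK_UNAVAILABLE_INFORMATION ((CK_ULONG)~0UL)
#define CKA_CLASS     0x000UL
#define CKA_TOKEN     0x001UL
#define CKA_LABEL     0x003UL
#define CKA_VALUE_LEN 0x161UL

/* Constructed stand-in for a spec-conformant vendor library: the object is a
 * secret key that knows CKA_CLASS (8 bytes), CKA_TOKEN (1 byte) and
 * CKA_LABEL ("kms master key"), but does not support CKA_VALUE_LEN. */
static CK_RV fake_C_GetAttributeValue(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < n; i++) {
        switch (t[i].type) {
        case CKA_CLASS: t[i].ulValueLen = 8; break;
        case CKA_TOKEN: t[i].ulValueLen = 1; break;
        case CKA_LABEL: t[i].ulValueLen = strlen("kms master key"); break;
        default:        /* unsupported: flag this entry only, keep processing */
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_ATTRIBUTE_TYPE_INVALID;
        }
    }
    return rv;
}

/* Size-query pass as a dumper like p11od should interpret it: a return of
 * CKR_ATTRIBUTE_TYPE_INVALID disqualifies only the entries whose ulValueLen is
 * CK_UNAVAILABLE_INFORMATION; every other entry carries a valid length and can
 * be fetched with a buffer in a second call. Returns the number of usable ones
 * (0 on any other error code, which is treated as fatal). */
CK_ULONG count_readable_attributes(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = fake_C_GetAttributeValue(t, n);
    if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID) return 0;
    CK_ULONG usable = 0;
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].ulValueLen != CK_UNAVAILABLE_INFORMATION) usable++;
    return usable;
}
```

Compare this with the captured shim log later in the thread, where the same return code comes back with every ulValueLen set to 0: that is why p11od printed nothing for the object.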
FYI, I'm using libcs_pkcs11_R2.so.
Would you mind sending the output of p11slotinfo please?
- share the output that triggers the issue.
[cnt] 0000000000000017 - C_GetAttributeValue [pid] 3095006 [ppd] 3050063 [tid] 3095006 [tic] 2023-08-23 21:49:32.935400 [in ] hSession = 0x110f58d [in ] hObject = 0x6 [in ] pTemplate[28]: CKA_TOKEN 0000000000000000 / 0 CKA_PRIVATE 0000000000000000 / 0 CKA_MODIFIABLE 0000000000000000 / 0 CKA_LABEL 0000000000000000 / 0 CKA_KEY_TYPE 0000000000000000 / 0 CKA_ID 0000000000000000 / 0 CKA_START_DATE 0000000000000000 / 0 CKA_END_DATE 0000000000000000 / 0 CKA_DERIVE 0000000000000000 / 0 CKA_DERIVE_TEMPLATE 0000000000000000 / 0 CKA_LOCAL 0000000000000000 / 0 CKA_KEY_GEN_MECHANISM 0000000000000000 / 0 CKA_ALLOWED_MECHANISMS 0000000000000000 / 0 CKA_ENCRYPT 0000000000000000 / 0 CKA_DECRYPT 0000000000000000 / 0 CKA_SIGN 0000000000000000 / 0 CKA_VERIFY 0000000000000000 / 0 CKA_WRAP 0000000000000000 / 0 CKA_WRAP_TEMPLATE 0000000000000000 / 0 CKA_UNWRAP 0000000000000000 / 0 CKA_UNWRAP_TEMPLATE 0000000000000000 / 0 CKA_SENSITIVE 0000000000000000 / 0 CKA_ALWAYS_SENSITIVE 0000000000000000 / 0 CKA_EXTRACTABLE 0000000000000000 / 0 CKA_NEVER_EXTRACTABLE 0000000000000000 / 0 CKA_TRUSTED 0000000000000000 / 0 CKA_WRAP_WITH_TRUSTED 0000000000000000 / 0 CKA_VALUE_LEN 0000000000000000 / 0 [out] pTemplate[28]: CKA_TOKEN 0000000000000000 / 0 CKA_PRIVATE 0000000000000000 / 0 CKA_MODIFIABLE 0000000000000000 / 0 CKA_LABEL 0000000000000000 / 0 CKA_KEY_TYPE 0000000000000000 / 0 CKA_ID 0000000000000000 / 0 CKA_START_DATE 0000000000000000 / 0 CKA_END_DATE 0000000000000000 / 0 CKA_DERIVE 0000000000000000 / 0 CKA_DERIVE_TEMPLATE 0000000000000000 / 0 CKA_LOCAL 0000000000000000 / 0 CKA_KEY_GEN_MECHANISM 0000000000000000 / 0 CKA_ALLOWED_MECHANISMS 0000000000000000 / 0 CKA_ENCRYPT 0000000000000000 / 0 CKA_DECRYPT 0000000000000000 / 0 CKA_SIGN 0000000000000000 / 0 CKA_VERIFY 0000000000000000 / 0 CKA_WRAP 0000000000000000 / 0 CKA_WRAP_TEMPLATE 0000000000000000 / 0 CKA_UNWRAP 0000000000000000 / 0 CKA_UNWRAP_TEMPLATE 0000000000000000 / 0 CKA_SENSITIVE 0000000000000000 / 0 CKA_ALWAYS_SENSITIVE 0000000000000000 / 
0 CKA_EXTRACTABLE 0000000000000000 / 0 CKA_NEVER_EXTRACTABLE 0000000000000000 / 0 CKA_TRUSTED 0000000000000000 / 0 CKA_WRAP_WITH_TRUSTED 0000000000000000 / 0 CKA_VALUE_LEN 0000000000000000 / 0 [toc] 2023-08-23 21:49:32.935745 [lap] 0.000345 [ret] 18 CKR_ATTRIBUTE_TYPE_INVALID
...... CKA_? (0xde436a74) 00000000005609c0 / 0 CKA_? (0xde436975) 00000000005609e0 / 0 CKA_? (0xde43698a) 0000000000560a00 / 0 [toc] 2023-08-23 21:53:26.128254 [lap] 0.000407 [ret] 18 CKR_ATTRIBUTE_TYPE_INVALID
Would you mind sending the output of p11slotinfo please?
PKCS#11 Library
---------------
Name        : ./pkcs11/r2/libcs_pkcs11_R2.so
Lib version : 2.59
API version : 2.40
Description : CryptoServer PKCS#11 Library R2
Manufacturer: Utimaco IS GmbH
......
Which part of slotinfo do you need?
Thanks again for the prompt reply. From my standpoint, this issue seems to be dating, and it is my understanding it has been solved on the R3 (for sure) and R2 platform as well. You might not be running the latest library version. Do you have the possibility to upgrade to the latest version? It's maybe worth contacting Utimaco support to get a fixed version of their library.
About the library version you run, I guess it is part of the name of the firmware, inside your install directory (ex: 4.32.0-3).
So the problem is that I'm not using the newest firmware or library. And I don't think I can update the library since it needs the firmware to be updated as well. Guess I have to stick with my fork now. Thank you for your help, I'm closing this PR since it's not a general issue.
@Direktor799, thank you for your understanding. I would recommend you to reach out to vendor support, as the firmware can be easily updated on this platform. We truly appreciate your contribution, feel free to post other issues & PR candidates; anything that can help evolve the tool is welcome!
When using p11ls & p11od with Utimaco HSM, there are lots of attribute types that Utimaco doesn't support.
I found out all the attributes, and excluded them with the '--with-utimaco' flag.