MicrochipTech / cryptoauthlib

Library for interacting with the Crypto Authentication secure elements

Using ATECC608B with p11tool raises "please insert token" message #301

Closed andreas-meissner closed 1 year ago

andreas-meissner commented 2 years ago

Hi, we want to use ATECC608B-TFLXTLS as a PKCS#11 token to be usable with OpenSSL as a key store in our product. After doing all the configuration stuff with the Trust Platform Design Suite we now have the ATECC608B-TFLXTLS-PROTO as well as verification examples of our own configuration available for integration. Access to the devices works fine in cryptoauth_test utility:

$ ecc608 -i i2c 0 -a 0x6C

Device Selected.

$ sernum

serial number:
01 23 F9 17 BA 84 91 E1 01

$ info

revision:
00 00 60 03

$ readcfg

01 23 F9 17 00 00 60 03  BA 84 91 E1 01 61 59 00
6C 00 00 01 85 00 82 00  85 20 85 20 85 20 8F 46
8F 0F 9F 8F 0F 0F 8F 0F  0F 8F 0F 8F 0F 8F 0F 0F
0D 1F 0F 8F FF FF FF FF  00 00 00 00 FF FF FF FF
00 00 00 00 00 00 07 F7  00 69 76 00 00 00 00 00
00 00 00 00 00 00 00 00  FF FF 0E 60 00 00 00 00
53 10 53 00 73 00 73 00  73 00 38 00 7C 00 1C 00
3C 00 1A 00 1C 00 10 00  1C 00 30 00 12 00 30 00

$ lockstat

Config Zone: LOCKED
Data Zone  : LOCKED

Then I followed https://github.com/MicrochipTech/cryptoauthlib/tree/main/app/pkcs11#readme and https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-TNGTLS to set up the devices as PKCS#11 targets usable by p11tool for basic testing and verification.

p11tool is able to see the token:

p11tool --list-tokens
Token 0:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=23F917BA8491E101;token=MCHP
    Label: MCHP
    Type: Hardware token, Trust module
    Flags: RNG, uPIN uninitialized
    Manufacturer: Microchip Technology Inc
    Model: ATECC608A
    Serial: 23F917BA8491E101
    Module: /usr/lib/libcryptoauth.so

But in contrast to the mentioned instructions, I get the following message when trying to make use of the ATECC608B devices:

p11tool --list-all
Object 0:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=23F917BA8491E101;token=MCHP;object=device;type=private
Please insert token 'MCHP' in slot and press enter

or

p11tool --export-pubkey "pkcs11:token=MCHP;object=device;type=private" 
warning: --login was not specified and it may be required for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
Please insert token 'MCHP' in slot and press enter

I've also enabled the cryptoauthlib debug messages and had a deeper look at the source code of p11tool, but it is still unclear to me why there is this difference in the behavior compared to the instructions.

What could I probably be missing here?

Used software versions are:

cryptoauthlib.conf:

filestore = /var/lib/cryptoauthlib

0.conf:

label = MCHP
interface = i2c,0x6C,0
device = ATECC608-TFLXTLS

cryptoauthlib.module:

module: /usr/lib/libcryptoauth.so
critical: yes
trust-policy: yes
managed: yes
log-calls: no

pkcs11.conf:

user-config: merge

Thanks, Andreas

andreas-meissner commented 2 years ago

The issue is raised in pkcs11_find.c by an alignment conflict between the pkcs11_find_template_cache[] byte array (which may be down to 1-byte alignment under strong size optimization) and its use to store CK_ATTRIBUTE structs (4-byte alignment, because the first member is an unsigned long). Casting CK_ATTRIBUTE pointers onto this byte array produces invalid results / undefined behavior / unaligned-access exceptions (when enabled) if these alignments do not match.
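
Added example (not cryptoauthlib's code) of the alignment conflict described in the comment above: CK_ATTRIBUTE is redefined here as a minimal stand-in for the pkcs11.h type, and the cache size, the demo_* storage and the cache_* helper names are constructed for illustration. It shows a check to run before casting byte storage to CK_ATTRIBUTE *, a union-backed cache that guarantees the alignment, and memcpy-based access that is valid at any alignment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for the pkcs11.h types so the example compiles stand-alone. */
typedef unsigned long CK_ULONG;
typedef struct {
    CK_ULONG type;        /* first member is an unsigned long -> word alignment */
    void    *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CACHE_ENTRIES 4   /* constructed size, not the library's */
#define CACHE_BYTES   (CACHE_ENTRIES * sizeof(CK_ATTRIBUTE))

/* Hazard: a plain byte array only guarantees 1-byte alignment. Placing it after
 * one pad byte inside an aligned object makes the misalignment deterministic. */
static _Alignas(CK_ATTRIBUTE) struct { unsigned char pad; unsigned char bytes[CACHE_BYTES]; } demo_unaligned;

/* Fix A: a union with a CK_ATTRIBUTE member forces the byte storage to the
 * alignment that a CK_ATTRIBUTE * cast requires. */
static union { CK_ATTRIBUTE align; unsigned char bytes[CACHE_BYTES]; } demo_aligned;

unsigned char *demo_unaligned_cache(void) { return demo_unaligned.bytes; }
unsigned char *demo_aligned_cache(void)   { return demo_aligned.bytes; }

/* Returns 1 only if casting this pointer to CK_ATTRIBUTE * is valid. */
int cache_is_attribute_aligned(const unsigned char *cache)
{
    return ((uintptr_t)cache % _Alignof(CK_ATTRIBUTE)) == 0;
}

/* Fix B: copy entries in and out with memcpy, which is valid at any alignment. */
int cache_write_attribute(unsigned char *cache, size_t len, size_t idx, const CK_ATTRIBUTE *in)
{
    if (idx >= len / sizeof(CK_ATTRIBUTE)) return -1;   /* bounds check */
    memcpy(cache + idx * sizeof(CK_ATTRIBUTE), in, sizeof(*in));
    return 0;
}

int cache_read_attribute(const unsigned char *cache, size_t len, size_t idx, CK_ATTRIBUTE *out)
{
    if (idx >= len / sizeof(CK_ATTRIBUTE)) return -1;   /* bounds check */
    memcpy(out, cache + idx * sizeof(CK_ATTRIBUTE), sizeof(*out));
    return 0;
}
```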

github-actions[bot] commented 1 year ago

This issue has been marked as stale - please confirm the issue still exists with the latest version of the library and update the issue if it remains

andreas-meissner commented 1 year ago

This issue has been marked as stale - please confirm the issue still exists with the latest version of the library and update the issue if it remains

Issue still exists in v3.4.1

github-actions[bot] commented 1 year ago

This issue has been marked as stale - please confirm the issue still exists with the latest version of the library and update the issue if it remains