MicrochipTech / cryptoauthlib

Library for interacting with the Crypto Authentication secure elements

ATECC608 and Greengrass V2 integration with PKCS11 #328

Closed majh closed 1 year ago

majh commented 1 year ago

I was wondering if anyone has got an ATECC608 device integrated with Greengrass V2, so that Greengrass V2 was able to use the ATECC608 device via PKCS11. I have seen some commits in cryptoauthlib to support this, and I know that a recent version of greengrass should be required for EC keys, but I'm running v2.9.2, with its PKCS11Provider.jar, and I haven't been able to successfully get this to work. Are there any examples of this working? @JamieHunter Do you happen to know?

I can happily use it with openssl and p11tool.

```
root@tegra:~/gg# p11tool --provider /usr/lib/libcryptoauth.so --list-tokens
Token 0:
	URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=XXXXXXXXXXX;token=MCHP
	Label: MCHP
	Type: Hardware token
	Manufacturer: Microchip Technology Inc
	Model: ATECC608A
	Serial: XXXXXXXXXXX
	Module: (null)
```

JamieHunter commented 1 year ago

@majh Sorry for late responding to this. Are you still stuck? Can you give me more detail of symptoms you are seeing / errors in the error log?

majh commented 1 year ago

Hi @JamieHunter, thanks for your response. Here are the details I have

* The cryptoauthlib TNG tests pass against the device

```
$ tng

Unity test run 1 of 1
TEST(tng_atca, tng_get_device_pubkey) PASS
TEST(tng_atcacert_client, tng_atcacert_root_public_key) PASS
TEST(tng_atcacert_client, tng_atcacert_root_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_max_signer_cert_size) PASS
TEST(tng_atcacert_client, tng_atcacert_read_signer_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_signer_public_key_no_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_signer_public_key_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_max_device_cert_size) PASS
TEST(tng_atcacert_client, tng_atcacert_read_device_cert_no_signer) PASS
TEST(tng_atcacert_client, tng_atcacert_read_device_cert_signer) PASS
TEST(tng_atcacert_client, tng_atcacert_device_public_key_no_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_device_public_key_cert) PASS

12 Tests 0 Failures 0 Ignored
OK
```


* I can successfully query details with pkcs11 tools

```
root@raspberrypi# pkcs11-tool --module /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --list-slots 2> /dev/null
Available slots:
Slot 0 (0x0): 0_3_0
  token label        : device
  token manufacturer : Microchip Technology Inc
  token model        : ATECC608A
  token flags        : rng, token initialized
  hardware version   : 0.2
  firmware version   : 255.255
  serial num         : 23BC526C69CFA001
  pin min/max        : 0/128
```

```
root@raspberrypi# p11tool --provider /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --export "pkcs11:object=device;type=cert" 2> /dev/null
-----BEGIN CERTIFICATE-----
MIICIDCCAcWgAwIBAgIQeBNfnqNpyCi/D8yCTlxspDAKBggqhkjOPQQDAjBPMSEw
HwYDVQQKDBhNaWNyb2NoaXAgVGVjaG5vbG9neSBJbmMxKjAoBgNVBAMMIUNyeXB0
byBBdXRoZW50aWNhdGlvbiBTaWduZXIgMjczMDAgFw0yMTA3MjkxNzAwMDBaGA8y
MDQ5MDcyOTE3MDAwMFowQjEhMB8GA1UECgwYTWljcm9jaGlwIFRlY2hub2xvZ3kg
SW5jMR0wGwYDVQQDDBRzbjAxMjNCQzUyNkM2OUNGQTAwMTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABGkvQnJqsCIDzWfsz4u8+rFv4jPIDp7j/GxAOxTVcjoXdnab
8NxShqO0mPJ1TAcydNNvDoUtJ+20vcCsD7amdwujgY0wgYowKgYDVR0RBCMwIaQf
MB0xGzAZBgNVBAUTEmV1aTQ4XzY4MjcxOTRDNDBDRDAMBgNVHRMBAf8EAjAAMA4G
A1UdDwEB/wQEAwIDiDAdBgNVHQ4EFgQUjygzc1g+FTACQivoB+ReVGsatygwHwYD
VR0jBBgwFoAU2Ey4uB9siZ9d68oHMrkkOTW+ZOwwCgYIKoZIzj0EAwIDSQAwRgIh
APCymup1kd0u0FD3z2xOI2xKZT+tGSL1wzAhSjA4wDq4AiEAswc6crO7woapHp+8
6hulGWAb1Lk2KkccuuD9zIHFQqU=
-----END CERTIFICATE-----
```

```
root@raspberrypi# pkcs11-tool --module /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --list-objects 2> /dev/null
Private Key Object; EC
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable
  Allowed mechanisms: ECDSA-KEY-PAIR-GEN,ECDSA,ECDSA-SHA256
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104692f42726ab02203cd67eccf8bbcfab16fe233c80e9ee3fc6c403b14d5723a1776769bf0dc5286a3b498f2754c073274d36f0e852d27edb4bdc0ac0fb6a6770b
  EC_PARAMS:  06082a8648ce3d030107
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
  Usage:      verify, derive
  Access:     local
Certificate Object; type = X.509 cert
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
Certificate Object; type = X.509 cert
  label:      signer
  subject:    DN: O=Microchip Technology Inc, CN=Crypto Authentication Signer 2730
  ID:         d84cb8b81f6c899f5debca0732b9243935be64ec
Private Key Object; EC
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable
  Allowed mechanisms: ECDSA-KEY-PAIR-GEN,ECDSA,ECDSA-SHA256
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104692f42726ab02203cd67eccf8bbcfab16fe233c80e9ee3fc6c403b14d5723a1776769bf0dc5286a3b498f2754c073274d36f0e852d27edb4bdc0ac0fb6a6770b
  EC_PARAMS:  06082a8648ce3d030107
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
  Usage:      verify, derive
  Access:     local
Certificate Object; type = X.509 cert
  label:      device
Certificate Object; type = X.509 cert
  label:      signer
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  EC_PARAMS:  06082a8648ce3d030107
  label:      root
  ID:         0000000000000000000000000000000000000000
  Usage:      verify, derive
  Access:     local
```

```
root@raspberrypi# pkcs11-tool --read-object --type cert --module /usr/lib/arm-linux-gnueabihf/libcryptoauth.so -a device 2> /dev/null | openssl x509 -inform der -outform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            78:13:5f:9e:a3:69:c8:28:bf:0f:cc:82:4e:5c:6c:a4
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = Microchip Technology Inc, CN = Crypto Authentication Signer 2730
        Validity
            Not Before: Jul 29 17:00:00 2021 GMT
            Not After : Jul 29 17:00:00 2049 GMT
        Subject: O = Microchip Technology Inc, CN = sn0123BC526C69CFA001
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:69:2f:42:72:6a:b0:22:03:cd:67:ec:cf:8b:bc:
                    fa:b1:6f:e2:33:c8:0e:9e:e3:fc:6c:40:3b:14:d5:
                    72:3a:17:76:76:9b:f0:dc:52:86:a3:b4:98:f2:75:
                    4c:07:32:74:d3:6f:0e:85:2d:27:ed:b4:bd:c0:ac:
                    0f:b6:a6:77:0b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DirName:/serialNumber=eui48_6827194C40CD
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Subject Key Identifier:
                8F:28:33:73:58:3E:15:30:02:42:2B:E8:07:E4:5E:54:6B:1A:B7:28
            X509v3 Authority Key Identifier:
                keyid:D8:4C:B8:B8:1F:6C:89:9F:5D:EB:CA:07:32:B9:24:39:35:BE:64:EC
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:f0:b2:9a:ea:75:91:dd:2e:d0:50:f7:cf:6c:
         4e:23:6c:4a:65:3f:ad:19:22:f5:c3:30:21:4a:30:38:c0:3a:
         b8:02:21:00:b3:07:3a:72:b3:bb:c2:86:a9:1e:9f:bc:ea:1b:
         a5:19:60:1b:d4:b9:36:2a:47:1c:ba:e0:fd:cc:81:c5:42:a5
```

* I use greengrass 2.9.2, with the latest aws.greengrass.crypto.Pkcs11Provider.jar, but I can not get this to successfully use the ATECC608A, and consistently get greengrass failing. I can see that greengrass is attempting to communicate with the device, but not with success.
* Greengrass logs look like

```
java.util.concurrent.CompletionException: software.amazon.awssdk.crt.mqtt.MqttException: Error during getting mqtt connection builder
        at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:331)
        at java.base/java.util.concurrent.CompletableFuture.uniComposeStage(CompletableFuture.java:1099)
        at java.base/java.util.concurrent.CompletableFuture.thenCompose(CompletableFuture.java:2235)
        at com.aws.greengrass.mqttclient.AwsIotMqttClient.connect(AwsIotMqttClient.java:239)
        at com.aws.greengrass.mqttclient.AwsIotMqttClient.subscribe(AwsIotMqttClient.java:158)
        at com.aws.greengrass.mqttclient.MqttClient.subscribe(MqttClient.java:409)
        at com.aws.greengrass.mqttclient.WrapperMqttClientConnection.subscribe(WrapperMqttClientConnection.java:73)
        at com.aws.greengrass.deployment.IotJobsClientWrapper.SubscribeToDescribeJobExecutionAccepted(IotJobsClientWrapper.java:198)
        at software.amazon.awssdk.iot.iotjobs.IotJobsClient.SubscribeToDescribeJobExecutionAccepted(IotJobsClient.java:601)
        at com.aws.greengrass.deployment.IotJobsHelper.subscribeToGetNextJobDescription(IotJobsHelper.java:522)
        at com.aws.greengrass.deployment.IotJobsHelper.subscribeToJobsTopics(IotJobsHelper.java:481)
        at com.aws.greengrass.deployment.IotJobsHelper.lambda$setupCommWithIotJobs$5(IotJobsHelper.java:343)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: Error during getting mqtt connection builder
        at com.aws.greengrass.mqttclient.MqttClient.lambda$new$0(MqttClient.java:184)
        at com.aws.greengrass.mqttclient.MqttClient.lambda$getNewMqttClient$17(MqttClient.java:800)
        at com.aws.greengrass.mqttclient.AwsIotMqttClient.establishConnection(AwsIotMqttClient.java:261)
        ... 14 more
```



* I've attached a log of stdout when running greengrass with `-DPKCS11_DEBUG_ENABLE=ON`, where GG appears to be attempting to use the library, but without success.
* I've also attached a log of stdout when used successfully with other pkcs11 tools.
* Is there any other info I can provide?

Thanks for your assistance.

[pkcs11-tool.read-cert.good.txt](https://github.com/MicrochipTech/cryptoauthlib/files/10551384/pkcs11-tool.read-cert.good.txt)
[gg-loader.bad.txt](https://github.com/MicrochipTech/cryptoauthlib/files/10551385/gg-loader.bad.txt)
JamieHunter commented 1 year ago

Look for an access grant to a debug tool I wrote - https://github.com/JamieHunter/pkcs11-java-test - dependencies will need updating to latest. To enable aws-c-io debugging, set up environment like:

```
export JAVA_OPTS="-Djavax.net.debug=all -Daws.crt.log.destination=File -Daws.crt.log.filename=awscrt.log -Daws.crt.log.level=Trace -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"
```

This example also enables Java debugging. The file "awscrt.log" will get created in the same directory as the tool (or the same directory as Nucleus).

majh commented 1 year ago

Confirmed working for me with Greengrass 2.9.2 and ATECC608A/B with d4f3b1abe58 version of cryptoauthlib. It does not work for me with v3.4.1 of cryptoauthlib. I notice that there are a number of changes in PKCS11 related areas after the working version - these seem to prevent successful operation somehow. I'm not clear on exactly why v3.4.1 works with other pkcs11 tools, ie p11tool/pkcs11-tool, but not Greengrass.

JamieHunter commented 1 year ago

The problem will be related to how different tools interact with the library. In particular, in this case, the pattern of calls and expectations of Java interaction with the library are different to pkcs11-tool's interaction with the library.

@bryan-hunt what will be useful to help debug this?
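
The point above is that a Java client reaches the module through SunPKCS11, whose call sequence (C_Initialize and token queries at provider configuration, then C_Login and a full C_FindObjects enumeration when the PKCS11 KeyStore is loaded, pairing each certificate with the private key that carries the same CKA_ID) differs from pkcs11-tool's. The program below is an added example, not code from this thread, from cryptoauthlib or from Greengrass: it exercises a module along that same Java path and stops at the first step that fails. It assumes Java 9 or later (for `Provider.configure`), slot 0, an empty user PIN, and takes the library path and the key label (`device` in the listing above) from the command line; all of those are assumptions, not values taken from the issue.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

/**
 * Drives a PKCS#11 module through SunPKCS11 the way a Java client such as a
 * Greengrass PKCS#11 provider does: configure the provider, load the PKCS11
 * KeyStore, look up the key pair by CKA_LABEL, sign on the token, then verify
 * the signature in software with the certificate's public key.
 *
 * Assumptions (not from the issue): Java 9+, slot 0, empty user PIN; the
 * library path, label and PIN can be overridden on the command line.
 */
public class Pkcs11SignCheck {

    public static void main(String[] args) throws Exception {
        String library = args.length > 0 ? args[0] : "/usr/lib/libcryptoauth.so"; // assumed path
        String alias   = args.length > 1 ? args[1] : "device";                    // CKA_LABEL of the key pair
        char[] pin     = args.length > 2 ? args[2].toCharArray() : new char[0];   // assumed: no PIN set

        // Inline SunPKCS11 configuration: a leading "--" tells configure() that
        // the string is configuration text rather than a file path. configure()
        // already calls C_Initialize and queries the slot/token, so a module that
        // rejects those calls fails here, before any key is touched.
        String cfg = "--name = atecc\n"
                   + "library = " + library + "\n"
                   + "slot = 0\n";
        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);

        // KeyStore.load() opens a session, logs in with the PIN (C_Login) and
        // enumerates objects with C_FindObjects. SunPKCS11 forms an alias from a
        // certificate plus the private key whose CKA_ID matches it, so a key and
        // certificate with different IDs never become a usable alias.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        System.out.println("aliases seen by SunPKCS11: " + Collections.list(ks.aliases()));

        Key key = ks.getKey(alias, pin);
        Certificate cert = ks.getCertificate(alias);
        if (!(key instanceof PrivateKey) || cert == null) {
            throw new IllegalStateException("alias '" + alias
                + "': private key or certificate not found; check CKA_LABEL and CKA_ID pairing");
        }

        // Sign on the token. SunPKCS11 uses CKM_ECDSA_SHA256 when the module
        // advertises it, otherwise hashes in software and uses CKM_ECDSA.
        byte[] msg = "pkcs11 sign check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA", p);
        signer.initSign((PrivateKey) key);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verify off-token with the default provider, so a signature produced by
        // a different slot than the one the certificate describes is caught.
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(msg);
        boolean ok = verifier.verify(sig);
        System.out.println("signature verifies with certificate public key: " + ok);
        if (!ok) {
            System.exit(1);
        }
    }
}
```

Running it with `-Djava.security.debug=sunpkcs11` prints the C_* calls SunPKCS11 makes, which can be lined up against the library-side trace from a `PKCS11_DEBUG_ENABLE` build to find the call on which the two sides disagree.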

user-redans commented 1 year ago

Hi @majh,

Can you provide us your '/var/lib/cryptoauthlib/0.conf' file?

I don't know why, but in my case all objects are empty!

```
pi@raspberrypi: pkcs11-tool --module /usr/lib/libcryptoauth.so --list-objects
Using slot 0 with a present token (0x0)
Data object 2
  label:          ''
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>
Data object 3
  label:          ''
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>
Data object 4
  label:          ''
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>
Data object 5
  label:          ''
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>
Data object 6
  label:          ''
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>
Data object 7
  label:          ''
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>
```