graebm
commented
2 years ago Thanks for great writeup!
You're right that the CRT lib passes a mutex handler, but the CRT is also fine if the PKCS#11 library chooses to use OS locks instead. That code is here. The CRT lib DOES currently require the PKCS#11 lib to do some kind of locking, since the CRT lib may call into the PKCS#11 lib from multiple threads. A PKCS#11 library that doesn't support locking AT ALL would take some effort to support.
But looking at the CryptoAuthLib source code on Github, it DOES seems to support locking. That code is here. It will use the mutex handler if it's provided. And it will use its own locking functions if the CKF_OS_LOCKING_OK flag is passed but no mutex handler is provided.
That leaves us with a few possibilities: 1) Maybe I'm not looking at the same CryptoAuthLib source code as what you're using. 2) Maybe something about the way CryptoAuthLib is compiled for android messes up how it uses locks?
- Try doing your pure Java experiment again, but pass initialization arguments, with the
CKF_OS_LOCKING_OKflag set. Does that work or not? 3) Maybe there's an error when CryptoAuthLib tries to use the CRT's mutex handler. - Try turning on logging from the CRT lib, set system property
aws.crt.log.level=Debug. Do you see anything like "PKCS#11 CreateMutex() failed"?
Another thing you can do, to get visibility into this, is try to figure out how to turn on debug logging for CryptoAuthLib. I see stuff like this in their source code:
if (lib_ctx->create_mutex(&lib_ctx->mutex))
{
PKCS11_DEBUG("Create Failed\r\n");
return CKR_CANT_LOCK;It would really shine some light if we saw something like "Create Failed" appear in the logs.
oshoemaker
sbSteveK
Describe the bug
Greetings,
We are attempting to leverage an integrated secure element from Microchip (ATECC608A) running on android. The use of this device would appear to be supported using the aws-iot-device-sdk-java-v2 and a sample pubSub connect functionality is published with the SDK here:
https://github.com/aws/aws-iot-device-sdk-java-v2/blob/main/samples/Pkcs11Connect/src/main/java/pkcs11connect/Pkcs11Connect.java
There were some general issues running this on android. One was to make sure to use the aws-crt library specifically for android. There were some other issues around the arch label reported by our kernel (\"armv8l\") but those have been resolved.
I am unsure if at this point using the android version of the CRT lib is causing issues or if it is general compatibility issues taking a linux based approach on Android. The primary issue at this point is around threads and locking.
It appears that the CRT library attempts to create and pass in a mutex handler. This seems to silently fail on android and then reverts to using OS Locking as a backup. This functionality fails on android running inside of a Java APK.
Attempting to call .newMtlsPkcs11Builder(pkcs11Options) results in:
Exception encountered: software.amazon.awssdk.crt.CrtRuntimeException: TlsContext.tls_ctx_new: Failed to create new aws_tls_ctx (aws_last_error: AWS_ERROR_PKCS11_CKR_CANT_LOCK(1086), A PKCS#11 (Cryptoki) library function failed with return value CKR_CANT_LOCK) AWS_ERROR_PKCS11_CKR_CANT_LOCK(1086)
I have a JNI wrapper around the same PKCS11 lib and pass it a null pointer (No OS Locking and no mutex handler) and can successfully make calls with the device. Something similar to this:
Module module = Module.getInstance(\"/vendor/lib/libcryptoauth.so\", \"/vendor/lib/libcryptoauth.so\"); module.initialize(null); PKCS11 pkcs11 = module.getPKCS11Module();
CK_INFO info = pkcs11.C_GetInfo(); CK_SLOT_INFO slotInfo = pkcs11.C_GetSlotInfo(slotID); CK_TOKEN_INFO tokenInfo = pkcs11.C_GetTokenInfo(slotID);
This sets the mutex handler to null and osLocking to false.
I have a comment in the discussions section on GitHub here:
https://github.com/aws/aws-iot-device-sdk-java-v2/discussions/251
Supporting documentation:
PubSub with ATECC608: https://kickstartembedded.com/2022/04/24/raspberry-pi-atecc608-part-3-using-pkcs11-token-for-mqtt-pub-sub-with-aws-iot-core/?amp=1
PKCS11 Provider: https://docs.aws.amazon.com/greengrass/v2/developerguide/pkcs11-provider-component.html ARN(s): Does no apply
Expected Behavior
The expected behavior is that the PKCS11 implementation can be used on Android with the ATECC608A. This feature should behave the same on Android as it does on Linux.
Current Behavior
There are errors relating to locking/threading on the Android OS. This causes errors when attempting to initialize and use the PKCS11 library in the loT device SDK.
Attempting to call .newMtlsPkcs11Builder(pkcs11Options) results in:
Exception encountered: software.amazon.awssdk.crt.CrtRuntimeException: TlsContext.tls_ctx_new: Failed to create new aws_tls_ctx (aws_last_error: AWS_ERROR_PKCS11_CKR_CANT_LOCK(1086), A PKCS#11 (Cryptoki) library function failed with return value CKR_CANT_LOCK) AWS_ERROR_PKCS11_CKR_CANT_LOCK(1086)
Reproduction Steps
Current reproduction steps require Android 9.0, ATECC608A,Microchip's cryptoauthlib, the published android AWS CRT library, and the IoT device SDK. We compile the cryptoauthlib for android 9 (pkcs11 library) and supply this to the IoT sdk. At this point we attempt to initialize the mqtt connection and receive a locking error.
Exception encountered: software.amazon.awssdk.crt.CrtRuntimeException: TlsContext.tls_ctx_new: Failed to create new aws_tls_ctx (aws_last_error: AWS_ERROR_PKCS11_CKR_CANT_LOCK(1086), A PKCS#11 (Cryptoki) library function failed with return value CKR_CANT_LOCK) AWS_ERROR_PKCS11_CKR_CANT_LOCK(1086)
https://github.com/MicrochipTech/cryptoauthlib
Possible Solution
No response
Additional Information/Context
No response
SDK version used
1.9.3
Environment details (OS name and version, etc.)
Android 9.0