aws / aws-iot-device-sdk-python-v2

Next generation AWS IoT Client SDK for Python using the AWS Common Runtime
Apache License 2.0
409 stars 212 forks source link

PKCS11: EC key support #295

Closed sckulkarni246 closed 2 years ago

sckulkarni246 commented 2 years ago

Is your feature request related to a problem? Please describe. I am trying to use the pkcs11_pubsub.py on a Raspberry Pi connected to a Microchip ATECC608. Microchip's cryptoauthlib is configured as a PKCS11 provider - the same is correctly working with p11tool, able to generate CSRs, etc. However, I am not able to use it with the pkcs11_pubsub.py as the SDK seems to support only RSA keys as of today.

Describe the solution you'd like It would be a fantastic to have support for EC keys as well so that secure elements like ATECC608 can be used to build more secure end nodes. Seems this support is already there on microcontroller SDK.

Describe alternatives you've considered No alternatives possible as the support does not exist.

Additional context Below is my output with the p11tool - clearly showing a private key that should be usable by anything that supports PKCS11. Eg: openssl.

pi@raspberrypi:~/parrytech-stuff/rpihat-sim7600/cal-app $ p11tool --provider /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --list-all
Object 0:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=device;type=private
    Type: Private key (EC/ECDSA-SECP256R1)
    Label: device
    Flags: CKA_PRIVATE; CKA_SENSITIVE; 
    ID: 

Object 1:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=device;type=public
    Type: Public key (EC/ECDSA-SECP256R1)
    Label: device
    ID: 

Object 2:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=device;type=cert
    Type: X.509 Certificate (EC/ECDSA-SECP256R1)
    Expires: Fri Jan  1 04:53:23 2038
    Label: device
    ID: 

Object 3:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=signer;type=cert
    Type: X.509 Certificate (EC/ECDSA-SECP256R1)
    Expires: Fri Jan  1 04:53:23 2038
    Label: signer
    Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; 
    ID:

Below is my output that tells me that EC keys are unsupported in AWS IoT SDK (Python). Note the run time error at the end.

(vpython) pi@raspberrypi:~/parrytech-stuff/rpihat-sim7600/aws-iot-device-sdk-python-v2/samples $ python pkcs11_pubsub.py --endpoint "avu39804vjdlk-ats.iot.us-west-2.amazonaws.com" --cert baa4f78dafbe4e7b0d822f603f8c18468650a93a8855a1950265be952de73ab7-certificate.pem.crt --pkcs11-lib /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --pin 1234 --token-label "00ABC" --slot-id "0" --key-label "device"
Loading PKCS#11 library '/usr/lib/arm-linux-gnueabihf/libcryptoauth.so' ...
Loaded!
Traceback (most recent call last):
  File "/home/pi/parrytech-stuff/rpihat-sim7600/aws-iot-device-sdk-python-v2/samples/pkcs11_pubsub.py", line 80, in <module>
    mqtt_connection = mqtt_connection_builder.mtls_with_pkcs11(
  File "/home/pi/parrytech-stuff/rpihat-sim7600/vpython/lib/python3.9/site-packages/awsiot/mqtt_connection_builder.py", line 311, in mtls_with_pkcs11
    return _builder(tls_ctx_options, **kwargs)
  File "/home/pi/parrytech-stuff/rpihat-sim7600/vpython/lib/python3.9/site-packages/awsiot/mqtt_connection_builder.py", line 194, in _builder
    tls_ctx = awscrt.io.ClientTlsContext(tls_ctx_options)
  File "/home/pi/parrytech-stuff/rpihat-sim7600/vpython/lib/python3.9/site-packages/awscrt/io.py", line 564, in __init__
    self._binding = _awscrt.client_tls_ctx_new(
RuntimeError: 1076 (AWS_ERROR_PKCS11_KEY_TYPE_UNSUPPORTED): PKCS#11 key type not supported

Look forward to hearing from the dev team on ways to go about this!

Regards, Shashank

graebm commented 2 years ago

There is work in progress to support EC keys: https://github.com/awslabs/aws-c-io/pull/479

sckulkarni246 commented 2 years ago

Thank you for this update @graebm - I will track the progress there. Looks like the support will be available soon.

Regards, Shashank

sckulkarni246 commented 2 years ago

Hi @graebm - will this feature be available in the SDK any time soon?

Regards, Shashank

graebm commented 2 years ago

Released in version 1.11.0!

github-actions[bot] commented 2 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.