Open zack-is-cool opened 10 months ago
I have this problem too (also using M2 Mac), but get one step further by building my own binary:
~$ brew install p11-kit
# downloaded
~$ ./aws-signing-helper read-certificate-data --certificate 'pkcs11:'
2024/02/28 09:13:52 Failed to load provider library p11-kit-proxy.dylib
~$ ./aws-signing-helper read-certificate-data --certificate 'pkcs11:' --pkcs11-lib /opt/homebrew/lib/p11-kit-proxy.dylib
2024/02/28 09:15:55 Failed to load provider library /opt/homebrew/lib/p11-kit-proxy.dylib
# build
~$ ./build/bin/aws_signing_helper read-certificate-data --certificate "pkcs11:"
2024/02/28 09:16:23 Failed to load provider library p11-kit-proxy.dylib
~$ ./build/bin/aws_signing_helper read-certificate-data --certificate "pkcs11:" --pkcs11-lib /opt/homebrew/lib/p11-kit-proxy.dylib
2024/02/28 09:16:54 no matching slots
Edit:
I've tested some more and the other tools also have trouble finding slots with p11-kit-proxy:
brew install yubico-piv-tool
~$ p11ls -l /opt/homebrew/lib/p11-kit-proxy.dylib
PKCS#11 module slot list:
~$ p11ls -l /opt/homebrew/lib/libykcs11.dylib
PKCS#11 module slot list:
Slot index: 0
----------------
Description : Yubico YubiKey OTP+FIDO+CCID
Token Label : YubiKey PIV #...
Manufacturer: Yubico (www.yubico.com)
./build/bin/aws_signing_helper read-certificate-data --certificate "pkcs11:" --pkcs11-lib /opt/homebrew/lib/libykcs11.dylib
Matching identities
1) [...] "CN=Yubico PIV Authentication" [...]
2) [...] "CN=Yubico PIV Authentication" [...]
3) [...] "CN=Yubico PIV Attestation" [...]
4) [...] "CN=YubiKey PIV Attestation 9a" [...]
5) [...] "CN=YubiKey PIV Attestation 9d" [...]
So this seems to be a combination of the build not fully working on ARM/M2, and p11-kit-proxy not finding the right slots.
This is what I used successfully on an M3 MacBook Pro (after using brew to install ykman and opensc; expect the path to opensc-pkcs11.so to change over time):
build/bin/aws_signing_helper serve \
--profile-arn MY_PROFILE_ARN \
--role-arn MY_ROLE_ARN \
--trust-anchor-arn MY_TRUST_ANCHOR_ARN \
--certificate "pkcs11:type=cert?pin-value=MY_PIN" \
--pkcs11-lib /opt/homebrew/Cellar/opensc/0.25.1/lib/opensc-pkcs11.so
My certificate is in 9a (this is YubiKey-specific, which is what I test with on my Macs. Don't do this on a YubiKey you care about unless you know exactly what it's doing):
ykman piv reset
ykman piv keys generate 9a pub-yubi.key
ykman piv certificates request 9a --subject 'CN=...' pub-yubi.key csr.pem
# obtained a certificate from my CA as "signed.crt"
ykman piv certificates import 9a signed.crt
I'm on an M2 MacBook using aws_signing_helper v1.1.1. I'm trying to use PKCS11 to authenticate to AWS using the --certificate option, mainly because I want to use the --reuse-pin option and that doesn't seem to work with the --cert-selector option. --cert-selector='Key=x509Serial,Value=<MYSERIAL>' works as expected, but --certificate 'pkcs11:<ANYTHING>' throws an error.

I have p11-kit installed via homebrew. I've tried specifying the path to the library with the switch --pkcs11-lib '/opt/homebrew/Cellar/p11-kit/0.25.0/lib/libp11-kit.0.dylib', but I get the same error, just with the new path I specified.