aws / rolesanywhere-credential-helper

Apache License 2.0

PKCS11 ARM Mac: Failed to load provider library p11-kit-proxy.dylib #58

Open zack-is-cool opened 10 months ago

zack-is-cool commented 10 months ago

I'm on an M2 MacBook using aws_signing_helper v1.1.1. I'm trying to use PKCS11 to authenticate to AWS using the --certificate option, mainly because I want to use the --reuse-pin option and that doesn't seem to work with the --cert-selector option.

--cert-selector='Key=x509Serial,Value=<MYSERIAL>' works as expected, but --certificate 'pkcs11:<ANYTHING>' throws an error

./aws_signing_helper read-certificate-data --certificate 'pkcs11:object-type=cert' --debug
2023/10/20 12:40:02 Failed to load provider library p11-kit-proxy.dylib

I have p11-kit installed via homebrew, I've tried specifying the path to the library with the switch --pkcs11-lib '/opt/homebrew/Cellar/p11-kit/0.25.0/lib/libp11-kit.0.dylib', but I get the same error, just with the new path I specified.

./aws_signing_helper version
1.1.1

brew list p11-kit | grep p11-kit-proxy.dylib
/opt/homebrew/Cellar/p11-kit/0.25.0/lib/p11-kit-proxy.dylib
benbridts commented 6 months ago

I have this problem too (also using M2 Mac), but get one step further by building my own binary:

~$ brew install p11-kit
# downloaded
~$ ./aws-signing-helper read-certificate-data --certificate 'pkcs11:'
2024/02/28 09:13:52 Failed to load provider library p11-kit-proxy.dylib

~$ ./aws-signing-helper read-certificate-data --certificate 'pkcs11:' --pkcs11-lib /opt/homebrew/lib/p11-kit-proxy.dylib
2024/02/28 09:15:55 Failed to load provider library /opt/homebrew/lib/p11-kit-proxy.dylib
# build
~$ ./build/bin/aws_signing_helper read-certificate-data --certificate "pkcs11:"
2024/02/28 09:16:23 Failed to load provider library p11-kit-proxy.dylib

~$ ./build/bin/aws_signing_helper read-certificate-data --certificate "pkcs11:" --pkcs11-lib /opt/homebrew/lib/p11-kit-proxy.dylib
2024/02/28 09:16:54 no matching slots

Edit:

I've tested some more and the other tools also have trouble finding slots with p11-kit-proxy:

brew install yubico-piv-tool
~$ p11ls -l /opt/homebrew/lib/p11-kit-proxy.dylib
PKCS#11 module slot list:

~$ p11ls -l  /opt/homebrew/lib/libykcs11.dylib
PKCS#11 module slot list:
Slot index: 0
----------------
Description : Yubico YubiKey OTP+FIDO+CCID
Token Label : YubiKey PIV #...
Manufacturer: Yubico (www.yubico.com)
~$ ./build/bin/aws_signing_helper read-certificate-data --certificate "pkcs11:" --pkcs11-lib /opt/homebrew/lib/libykcs11.dylib
Matching identities
1) [...] "CN=Yubico PIV Authentication" [...]
2) [...] "CN=Yubico PIV Authentication" [...]
3) [...] "CN=Yubico PIV Attestation" [...]
4) [...] "CN=YubiKey PIV Attestation 9a" [...]
5) [...] "CN=YubiKey PIV Attestation 9d" [...]

So this seems to be a combination of the build not fully working on ARM/M2 and p11-kit-proxy not finding the right slots.

thepatrick commented 4 months ago

This is what I used successfully on an M3 MacBook Pro (after using brew to install ykman and opensc, expect the path to opensc-pkcs11.so to change over time):

build/bin/aws_signing_helper serve \
  --profile-arn MY_PROFILE_ARN \
  --role-arn MY_ROLE_ARN \
  --trust-anchor-arn MY_TRUST_ANCHOR_ARN \
  --certificate "pkcs11:type=cert?pin-value=MY_PIN" \
  --pkcs11-lib /opt/homebrew/Cellar/opensc/0.25.1/lib/opensc-pkcs11.so

My certificate is in 9a (this is YubiKey-specific, which is what I test with on my Macs. Don't do this on a YubiKey you care about unless you know exactly what it's doing):

ykman piv reset
ykman piv keys generate 9a pub-yubi.key
ykman piv certificates request 9a --subject 'CN=...' pub-yubi.key csr.pem
# obtained a certificate from my CA as "signed.crt"
ykman piv certificates import 9a signed.crt
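The `--certificate` values in this thread are RFC 7512 PKCS#11 URIs (`pkcs11:object-type=cert`, `pkcs11:`, `pkcs11:type=cert?pin-value=MY_PIN`). The following is an added example, not code from rolesanywhere-credential-helper: a small parser that splits such a URI into path and query attributes and flags names the RFC does not define, so a mistyped attribute can be told apart from a module-loading failure like the one above. The attribute and `type` value lists come from RFC 7512; the hint text for `object-type` is this example's own.

```python
# Added example (not part of the rolesanywhere-credential-helper project):
# minimal RFC 7512 PKCS#11 URI parser with attribute-name validation.
from urllib.parse import unquote

# Path attributes (separated by ';') and query attributes (after '?',
# separated by '&') as defined in RFC 7512, section 2.3.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
TYPE_VALUES = {"public", "private", "cert", "secret-key", "data"}


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs, warnings) for a pkcs11: URI.

    Raises ValueError on malformed input; unknown attribute names are
    reported as warnings because RFC 7512 allows vendor extensions.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    body = uri[len("pkcs11:"):]
    path_part, _, query_part = body.partition("?")
    path, query, warnings = {}, {}, []
    for part, sep, target, allowed in ((path_part, ";", path, PATH_ATTRS),
                                       (query_part, "&", query, QUERY_ATTRS)):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"attribute without '=': {item!r}")
            if name in target:
                raise ValueError(f"duplicate attribute {name!r}")
            if name not in allowed:
                hint = " (RFC 7512 spells it 'type')" if name == "object-type" else ""
                warnings.append(f"unknown attribute {name!r}{hint}")
            target[name] = unquote(value)  # values are percent-encoded
    if "type" in path and path["type"] not in TYPE_VALUES:
        warnings.append(f"unexpected type value {path['type']!r}")
    if "pin-value" in query:
        # The PIN becomes part of argv and shell history; pin-source
        # (a file or URI holding the PIN) keeps it out of both.
        warnings.append("pin-value is embedded in the URI; consider pin-source")
    return path, query, warnings
```

An empty path (`pkcs11:`) parses to no attributes, which is why that form matches every object the module exposes.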