harrison314 / BouncyHsm

BouncyHsm is a software simulator of an HSM and smartcard with an HTML UI, a REST API and a PKCS#11 interface.
BSD 3-Clause "New" or "Revised" License
61 stars 4 forks

Issue running pkcs.11.GetAttributeValue against boolean attributes #4

Closed shawnkeating closed 9 months ago

shawnkeating commented 10 months ago

First off - love this package. It has been great for experimenting with PKCS11 and having some visibility into what I'm creating on the HSM. Definitely prefer it over softHSM. But I did run into one issue:

If I try to grab attribute values from keys stored in the HSM, pkcs11.GetAttributeValue works fine unless the attribute is boolean, in which case it fails. Hard to know exactly where it fails, but the function works fine with SoftHSM, so I'm pretty sure it's on the HSM side. Here is the function I'm running.

```go
import (
	"fmt"

	"github.com/miekg/pkcs11"
)

// activateToken / deactivateToken are the reporter's own helpers (not shown):
// they open the library and session and tear them down again.
func ListObjects(lib string, pin string, slot uint) {
	p, session := activateToken(lib, pin, slot) // helper function to set up connection
	defer deactivateToken(p, session)           // helper function to tear down connection

	listattr := []*pkcs11.Attribute{
		pkcs11.NewAttribute(pkcs11.CKA_LABEL, nil),
		pkcs11.NewAttribute(pkcs11.CKA_ID, nil),
		pkcs11.NewAttribute(pkcs11.CKA_CLASS, nil),
		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, nil),
		pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, nil),
	}
	if err := p.FindObjectsInit(session, []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true)}); err != nil {
		fmt.Printf("FindObjectsInit failed: %s\n", err.Error())
		return
	}
	handles, _, _ := p.FindObjects(session, 5)
	for _, handle := range handles {
		values, err := p.GetAttributeValue(session, handle, listattr)
		if err != nil {
			fmt.Printf("An error occurred retrieving the key attribute values. Error: %s\n", err.Error())
			continue // values is empty on error; indexing it would panic
		}
		cls := keyClassToString(values[2].Value) // converts []byte to class string
		ts := keyTypeToString(values[3].Value)   // converts []byte to key type string
		ex := keyBytetoBool(values[4].Value)     // converts []byte to boolean
		fmt.Println("---------------------------------------------------------------")
		fmt.Printf("The found key has handle: %d with the following properties:\n", handle)
		fmt.Printf("KeyClass: %s\nKeytype: %s\nLabel: %s\nID: %s\nExportable: %t\n", cls, ts, values[0].Value, values[1].Value, ex)
	}
}
```

harrison314 commented 10 months ago

Thanks for the feedback. 👍

What operating system does this show up on?

And what architecture (x86 or x64) does BouncyHsm.Pkcs11Lib have?

shawnkeating commented 10 months ago

Hi,

Running on Ubuntu 20.04 in WSL2 on Windows 10. It's x86_64.


harrison314 commented 10 months ago

I have an idea what the problem might be. I would need the byte-array value that gets converted to a bool (values[4].Value).

And if possible also the value from SoftHSM.

shawnkeating commented 10 months ago

Yeah, it gets returned as a single byte (from spew.Dump). This is the raw return from SoftHSM:

(*pkcs11.Attribute)(0xc00031ae00)({ Type: (uint) 354, Value: ([]uint8) (len=1 cap=1) { 00000000 00 |.| }

When I run the function against BouncyHsm I get this error:

ERROR: Error in sock_writerequest (line 342) - Connection error. IP: 127.0.0.1 Error: unknown
ERROR: Failed call remote endpoint in function C_GetAttributeValue
An error occurred retrieving the key attribute values. Error: pkcs11: 0x30: CKR_DEVICE_ERROR([]*pkcs11.Attribute)

panic: runtime error: index out of range [2] with length 0

Like it's getting back more information than it's expecting, or in a different format.


harrison314 commented 10 months ago

I managed to reproduce the error with a better error message:

Error in sock_writerequest (line 317) - Connection error. IP: 127.0.0.1 Error: Address family not supported by protocol.

The problem manifests itself only on Linux and only when calling C_GetAttributeValue with a CK_ATTRIBUTE_PTR pTemplate which has more than 4 items.

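Two things in this thread are worth having in working code: the decoding of the raw attribute bytes the reporter's helpers (keyClassToString, keyTypeToString, keyBytetoBool) perform, and the four-item template limit the maintainer identified in the unfixed Linux library. The block below is an added example, not code from the reporter or from the BouncyHsm project. It redefines a minimal Attribute struct with the same shape as miekg/pkcs11's (Type uint, Value []byte) so it builds without cgo or a PKCS#11 library, assumes a little-endian host such as the reporter's x86_64 WSL2 box, and uses a constructed response for an RSA private key with CKA_EXTRACTABLE == CK_FALSE (the single 0x00 byte seen in the spew dump). The chunkTemplate helper is a hypothetical workaround for clients that must run against a build without the fix; the decoder also refuses an empty CK_BBOOL rather than reading it as false, which is exactly the case that produced the panic above.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Attribute mirrors the shape of miekg/pkcs11's Attribute (Type uint, Value []byte).
// It is redefined here (assumption) so the example builds without cgo or a PKCS#11 library.
type Attribute struct {
	Type  uint
	Value []byte
}

// Attribute types, object classes and key types from the PKCS#11 header.
const (
	CKA_CLASS       uint = 0x000
	CKA_KEY_TYPE    uint = 0x100
	CKA_EXTRACTABLE uint = 0x162 // decimal 354, the Type shown in the spew dump above

	CKO_PUBLIC_KEY  uint = 0x2
	CKO_PRIVATE_KEY uint = 0x3
	CKO_SECRET_KEY  uint = 0x4

	CKK_RSA uint = 0x00
	CKK_EC  uint = 0x03
	CKK_AES uint = 0x1f
)

// decodeULong converts the raw bytes of a CK_ULONG attribute into a uint.
// CK_ULONG is 8 bytes on LP64 Linux (the reporter's WSL2 setup) and 4 bytes on
// Windows, so both widths are accepted. Byte order is the host's; a little-endian
// host (x86_64) is assumed.
func decodeULong(b []byte) (uint, error) {
	switch len(b) {
	case 4:
		return uint(binary.LittleEndian.Uint32(b)), nil
	case 8:
		return uint(binary.LittleEndian.Uint64(b)), nil
	}
	return 0, fmt.Errorf("CK_ULONG: unexpected length %d", len(b))
}

// decodeBool converts a CK_BBOOL attribute (exactly one byte, CK_TRUE == 1) into a bool.
// An empty value means the token did not return the attribute (for example because
// C_GetAttributeValue failed), and must not be silently read as "false".
func decodeBool(b []byte) (bool, error) {
	if len(b) != 1 {
		return false, fmt.Errorf("CK_BBOOL: unexpected length %d", len(b))
	}
	return b[0] != 0, nil
}

// keyClassToString maps a raw CKA_CLASS value to its PKCS#11 constant name.
func keyClassToString(v []byte) (string, error) {
	c, err := decodeULong(v)
	if err != nil {
		return "", err
	}
	switch c {
	case CKO_PUBLIC_KEY:
		return "CKO_PUBLIC_KEY", nil
	case CKO_PRIVATE_KEY:
		return "CKO_PRIVATE_KEY", nil
	case CKO_SECRET_KEY:
		return "CKO_SECRET_KEY", nil
	}
	return fmt.Sprintf("CKO_0x%x", c), nil
}

// keyTypeToString maps a raw CKA_KEY_TYPE value to its PKCS#11 constant name.
func keyTypeToString(v []byte) (string, error) {
	k, err := decodeULong(v)
	if err != nil {
		return "", err
	}
	switch k {
	case CKK_RSA:
		return "CKK_RSA", nil
	case CKK_EC:
		return "CKK_EC", nil
	case CKK_AES:
		return "CKK_AES", nil
	}
	return fmt.Sprintf("CKK_0x%x", k), nil
}

// chunkTemplate splits a C_GetAttributeValue template into pieces of at most
// size attributes, so a client can issue several small calls and stay under the
// four-item limit of the unfixed Linux library; results concatenate in order.
func chunkTemplate(tmpl []Attribute, size int) [][]Attribute {
	var out [][]Attribute
	for len(tmpl) > size {
		out = append(out, tmpl[:size])
		tmpl = tmpl[size:]
	}
	if len(tmpl) > 0 {
		out = append(out, tmpl)
	}
	return out
}

func main() {
	// Constructed sample: what a Linux x86_64 token returns for an RSA private key
	// whose CKA_EXTRACTABLE is CK_FALSE (8-byte CK_ULONGs, 1-byte CK_BBOOL).
	resp := []Attribute{
		{Type: CKA_CLASS, Value: []byte{3, 0, 0, 0, 0, 0, 0, 0}},
		{Type: CKA_KEY_TYPE, Value: []byte{0, 0, 0, 0, 0, 0, 0, 0}},
		{Type: CKA_EXTRACTABLE, Value: []byte{0}},
	}
	cls, _ := keyClassToString(resp[0].Value)
	kt, _ := keyTypeToString(resp[1].Value)
	ex, _ := decodeBool(resp[2].Value)
	fmt.Printf("KeyClass: %s\nKeytype: %s\nExportable: %t\n", cls, kt, ex)
	fmt.Printf("5-item template becomes %d calls\n", len(chunkTemplate(make([]Attribute, 5), 4)))
}
```

The width check in decodeULong matters when the same client is pointed at a Windows build of a PKCS#11 library: a 4-byte CKA_CLASS decoded as if it were 8 bytes would read past the slice, and a length mismatch is a clearer failure than a wrong class name.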
shawnkeating commented 10 months ago

Interesting. Seems like a lot of internal calls when requesting values over PKCS#11. Not a straightforward interface.

I came across another issue while I have you here. I was trying to issue X.509 certs with large RSA keys (4096 and 3072) and the HSM hung during the signing process. I was able to sign using the same function call with ECC keys but not the large RSA keys. Tested against SoftHSM and was able to sign the certs.

Thanks!


harrison314 commented 10 months ago

Interesting. Seems like a lot of internal calls when requesting values over PKCS#11. Not a straightforward interface.

This problem is a bug in the native Pkcs11 library code, the fix will probably take me some time, but I'm working on it.

I came across another issue while I have you here. I was trying to issue X.509 certs with large RSA keys (4096 and 3072) and the HSM hung during the signing process. I was able to sign using the same function call with ECC keys but not the large RSA keys. Tested against SoftHSM and was able to sign the certs.

Generating large RSA keys is slow: with a 4096-bit key it takes more than a minute on a real smart card and tens of seconds on an HSM.

In BouncyHsm I added a "Speed mode" for this when creating a slot. But I have the slow-down parameters set incorrectly and it takes too long to create 4k RSA keys, so for now I still recommend using the "Without speed restrictions" mode. I plan to fix it.

harrison314 commented 9 months ago

I managed to find the cause of the problem and it is fixed. Currently the fix is in the master branch (it is possible to build it via GitHub Actions) and it will be included in the next release.

shawnkeating commented 9 months ago

Great, thanks Josef!
