search

mode51software / vaultplugin-hsmpki

The Vault HSM PKI plugin overlays the modifications to the builtin PKI plugin that enable support for certificate signing using a Hardware Security Module via PKCS#11.
https://www.vaultproject.io/docs/plugin-portal
Mozilla Public License 2.0
19 stars 6 forks source link

CKR_ATTRIBUTE_VALUE_INVALID while generating keys with AWS CloudHSM #25

Open v1sion opened 2 years ago

v1sion commented 2 years ago

Hi @mode51software, great work on the plugin btw!! Was trying to use the plugin to generate keys on the AWS cloudHSM, but I'm getting a CKR_ATTRIBUTE_VALUE_INVALID during the key creation.

> vault write hsm-pki/root/generate/internal common_name="Root CA" ttl=87600h
Error writing data to hsm-pki/root/generate/internal: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/hsm-pki/root/generate/internal
Code: 400. Errors:

* pkcs11: 0x13: CKR_ATTRIBUTE_VALUE_INVALID

plugin config:

lib = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so"
slot_id = 1
pin = "vault_user:xxxxxx"
key_label = "vault"
connect_timeout_s = 10
read_timeout_s = 5

By its documentation, CloudHSM does not support all attributes https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-attributes.html, https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-pkcs11-sdk.html, but I'm able to generate the keys using the pkcs11-tool, even though there is a similar warning, but the keys are created.

> pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --login --pin "vault_user:xxxxx" --keypairgen --key-type rsa:2048  --label 'test7'
Using slot 0 with a present token (0x1)
Key pair generated:
Private Key Object; RSA
  label:      test7
  Usage:      decrypt, sign
C_GetAttributeValue failed with error CKR_ATTRIBUTE_TYPE_INVALID : 0x00000012
, unwrap
Public Key Object; RSA 2048 bits
  label:      test7
  Usage:      encrypt, verify, wrap

Any idea what could be?

mode51software commented 2 years ago

Hi @mode51software, great work on the plugin btw!!

Thanks @v1sion

Was trying to use the plugin to generate keys on the AWS cloudHSM, but I'm getting a CKR_ATTRIBUTE_VALUE_INVALID during the key creation.

I'll give it a go

v1sion commented 2 years ago

Hey @mode51software think I found the issue, is in the pkcs11helper rather than here. According to the CloudHSM documentation the CKA_MODIFIABLE attribute default value is TRUE and there is a caveat "This attribute is partially supported by the firmware and must be explicitly set only to the default value." also taking a look at the pkcs11 documentation CKA_MODIFIABLE default should be TRUE. But in the pkcs11helper https://github.com/mode51software/pkcs11helper/blob/master/pkg/pkcs11client/keyconfig.go#L191 this value is set to False. So changing this default should fix it.

mode51software commented 2 years ago

Hi @v1sion good spot.

Apologies for being slow. I have created a CloudHSM cluster on AWS but not tested yet.

v1sion commented 2 years ago

I did a quick test and it looks like it fixed the issue, https://github.com/mode51software/pkcs11helper/pull/21 let me know if it works for you!

v1sion commented 2 years ago

Btw when testing the cloudHSM with the pkcs11-tool I was only able to generate keys using the sdk v3 with ubuntu 16 for some weird reason. AWS support knowledge the bug in ubuntu 18 with sdk v3 and v5 though.

v1sion commented 2 years ago

Just tested the plugin with vault and I'm able to generate the keys and issue certs with the CKA_MODIFIABLE set to true 👍

mode51software commented 2 years ago

Nice one that's fantastic news. Thanks for figuring it out I'll update the doc and put this note in and link to your solution here for CloudHSM.