openziti / ziti-sdk-c

A C-based sdk for delivering secure applications over a Ziti Network
https://docs.openziti.io/docs/reference/developer/sdk/ziti-sdk-c
Apache License 2.0

config with pkcs11 key fails to load context #477

Closed qrkourier closed 1 year ago

qrkourier commented 2 years ago

ziti-edge-tunnel 0.20.9 says:

(1408540)[        0.012]   ERROR ziti-sdk:ziti.c:169 load_tls() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti.c:159 - parse_getopt(q, "slot", slot, sizeof(slot)) => -13 (Unknown error -13)
(1408540)[        0.012]   ERROR ziti-sdk:ziti.c:236 ziti_init_opts() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti.c:214 - load_tls(cfg, &tls) => -13 (Configuration is invalid)
(1408540)[        0.012]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1109 load_id_cb() identity[/tmp/yubikey2.json] failed to load: failed to initialize ziti

zitify 0.1.0 says:

(1406655)[        0.000]   ERROR ziti-sdk:ziti.c:169 load_tls() /home/runner/work/zitify/build/_deps/ziti-src/library/ziti.c:159 - parse_getopt(q, "slot", slot, sizeof(slot)) => -13 (Unknown error -13)
(1406655)[        0.000]   ERROR ziti-sdk:ziti.c:236 ziti_init_opts() /home/runner/work/zitify/build/_deps/ziti-src/library/ziti.c:214 - load_tls(cfg, &tls) => -13 (Configuration is invalid)

config JSON has:

$ jq .id.key /tmp/yubikey2.json
"pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=123456"

Config was created by ziti-tunnel built from a recent rev. Will repro with release binary if requested.

$ ziti-tunnel enroll --jwt /tmp/yubikey2.jwt --identity /tmp/yubikey2.json --key "pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=${HSM_PIN}"
INFO    using engine : pkcs11
INFO    using driver: /usr/local/lib/libykcs11.so     _context=pkcs11
WARNING slot not specified, using first slot reported by the driver (0)  _context=pkcs11
INFO    using driver: /usr/local/lib/libykcs11.so     _context=pkcs11

Key pair was generated with latest release candidate of OpenSC 0.23.0 (rc2)

$ pkcs11-tool --module /usr/local/lib/libykcs11.so --keypairgen --key-type EC:prime256v1 --usage-sign --usage-decrypt --login --id 03 --login-type so --so-pin $HSM_SOPIN --label "ken ec key"
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; EC
  label:      Private key for Key Management
  ID:         03
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104dd1c5a24954c5a535c36cd765287978e6902cc4a3bb595f62b831097f0aecd01fb2177a1ce9c06ca9234104984a91367d186c202e7c66cb64d08f8da469a6b2e
  EC_PARAMS:  06082a8648ce3d030107
  label:      Public key for Key Management
  ID:         03
  Usage:      encrypt, verify
  Access:     local
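
The identity file stores the key as a `pkcs11://` reference whose query string carries `id`, `pin` and, optionally, `slot`; the enrollment tools above omit `slot` and fall back to the driver's first slot, while the logged `parse_getopt(q, "slot", ...) => -13` shows the loader treating the absent parameter as fatal. The following is an added example, not code from ziti-sdk-c or ziti-edge-tunnel: a small C parser for that key reference that can run in either mode, so the difference between "slot missing is an error" and "slot missing means let the driver choose" is visible on the exact string from this issue. The function and struct names, the reuse of -13 as the invalid-config return value, and the -1 sentinel for an unspecified slot are assumptions made for the example. Note also that the PIN sits in cleartext inside the identity JSON, so the file's permissions protect the token PIN as much as the key reference itself.

```c
/* Added example (not the ziti-sdk-c implementation): parse a
 * "pkcs11://<driver-path>?id=..&pin=..[&slot=..]" key reference as found in
 * the .id.key field of a Ziti identity JSON. Shows the failure mode from the
 * issue: an absent "slot" parameter rejected as invalid configuration versus
 * accepted as "use the driver's first slot". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PKCS11_SCHEME    "pkcs11://"
#define KEY_ERR_INVALID  (-13)  /* assumed: reuses the -13 code seen in the logs */
#define SLOT_UNSPECIFIED (-1L)  /* assumed sentinel: let the PKCS#11 driver pick */

struct pkcs11_key {
    char driver[256];  /* filesystem path of the PKCS#11 module, e.g. libykcs11.so */
    char id[64];       /* CKA_ID of the key object, hex as given ("03") */
    char pin[64];      /* user PIN, cleartext in the identity file */
    long slot;         /* slot number, or SLOT_UNSPECIFIED when absent */
};

/* Copy the value of query parameter `name` out of "k=v&k=v" string `q`.
 * Returns 1 if found, 0 if absent, -1 if the value does not fit in `out`. */
static int query_get(const char *q, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = q;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen + 1 > outlen) return -1;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Parse `url` into `k`. With slot_required != 0 a missing "slot" is rejected
 * with KEY_ERR_INVALID (the behaviour observed in the issue); with 0 it is
 * recorded as SLOT_UNSPECIFIED so the caller can ask the driver for slots.
 * "id" is always required; "pin" may be omitted (assumed: prompted later). */
int parse_pkcs11_key(const char *url, struct pkcs11_key *k, int slot_required) {
    if (strncmp(url, PKCS11_SCHEME, strlen(PKCS11_SCHEME)) != 0) return KEY_ERR_INVALID;
    const char *path = url + strlen(PKCS11_SCHEME);
    const char *q = strchr(path, '?');
    size_t dlen = q ? (size_t)(q - path) : strlen(path);
    if (dlen == 0 || dlen >= sizeof(k->driver)) return KEY_ERR_INVALID;
    memcpy(k->driver, path, dlen);
    k->driver[dlen] = '\0';
    q = q ? q + 1 : "";

    if (query_get(q, "id", k->id, sizeof(k->id)) != 1) return KEY_ERR_INVALID;

    int r = query_get(q, "pin", k->pin, sizeof(k->pin));
    if (r < 0) return KEY_ERR_INVALID;
    if (r == 0) k->pin[0] = '\0';

    char slot[32];
    r = query_get(q, "slot", slot, sizeof(slot));
    if (r < 0) return KEY_ERR_INVALID;
    if (r == 0) {
        if (slot_required) return KEY_ERR_INVALID;  /* what the logged -13 corresponds to */
        k->slot = SLOT_UNSPECIFIED;
        return 0;
    }
    char *endp;
    k->slot = strtol(slot, &endp, 0);
    if (*endp != '\0' || k->slot < 0) return KEY_ERR_INVALID;
    return 0;
}

int main(void) {
    /* constructed input: the key reference from the identity JSON in this issue */
    const char *url = "pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=123456";
    struct pkcs11_key k;
    printf("strict (slot required): rc=%d\n", parse_pkcs11_key(url, &k, 1));
    if (parse_pkcs11_key(url, &k, 0) == 0)
        printf("lenient: driver=%s id=%s slot=%ld (pin redacted)\n", k.driver, k.id, k.slot);
    return 0;
}
```

Run in strict mode the parser returns -13 for the issue's key string, matching the log; in lenient mode it yields the driver path, the key id and an unspecified slot, which is the input the enrollment tools were happy with. The pin is deliberately not printed.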

qrkourier commented 2 years ago

Possibly related https://github.com/openziti/ziti/issues/351

qrkourier commented 2 years ago

I reproduced this issue with ziti edge enroll instead of enrolling with ziti-tunnel. I tried the workaround proposed in the other, possibly related, issue, which was to change the value of the slot param to 0 and got the same error message.

parse_getopt(q, "slot", slot, sizeof(slot)) => -13 (Unknown error -13)

ekoby commented 1 year ago

is ziti-edge-tunnel linked against OpenSSL?

qrkourier commented 1 year ago

Yes, the ziti-edge-tunnel example was linked against OpenSSL, not mbedTLS. I used 0.20.18 below to reproduce at TRACE level.

❯ ./ziti version
NAME             VERSION
ziti             v0.27.2

❯ ./ziti edge enroll --jwt /tmp/pkcs11test1.jwt --key "pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=123456" --out /tmp/pkcs11test1.json 

INFO    using engine : pkcs11                        
INFO    using driver: /usr/local/lib/libykcs11.so     _context=pkcs11
WARNING slot not specified, using first slot reported by the driver (0)  _context=pkcs11
INFO    using driver: /usr/local/lib/libykcs11.so     _context=pkcs11
WARNING slot not specified, using first slot reported by the driver (0)  _context=pkcs11
INFO    enrolled successfully. identity file written to: /tmp/pkcs11test1.json 

❯ jq .id.key /tmp/pkcs11test1.json 
"pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=123456"

❯ ziti-edge-tunnel version
v0.20.18-local

❯ ldd $(which ziti-edge-tunnel)
        linux-vdso.so.1 (0x00007fffa39a6000)
        libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f7ba8b5c000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f7ba8600000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f7ba8a75000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f7baaf0b000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7ba8200000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f7baaf45000)

❯ ziti-edge-tunnel run-host --identity /tmp/pkcs11test1.json --verbose 6                                     
(1778738)[        0.000]    INFO ziti-sdk:utils.c:173 ziti_log_set_level() set log level: root=6/TRACE
(1778738)[        0.000]    INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v0.20.18-local)
(1778738)[        0.000]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:686 start_cmd_socket() failed to open IPC socket op=[uv_pipe_bind(&cmd_server, sockfile)] err=-98[address already in use]
(1778738)[        0.000]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:804 start_event_socket() failed to open IPC socket op=[uv_pipe_bind(&event_server, eventsockfile)] err=-98[address already in use]
(1778738)[        0.000]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:864 load_ziti_async() attempting to load ziti instance from file[/tmp/pkcs11test1.json]
(1778738)[        0.000]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:871 load_ziti_async() loading ziti instance from /tmp/pkcs11test1.json
(1778738)[        0.000]    INFO ziti-sdk:utils.c:173 ziti_log_set_level() set log level: root=6/TRACE
(1778738)[        0.000]   ERROR ziti-sdk:ziti.c:169 load_tls() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti.c:159 - parse_getopt(q, "slot", slot, sizeof(slot)) => -13 (Unknown error -13)
(1778738)[        0.000]   ERROR ziti-sdk:ziti.c:236 ziti_init_opts() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti.c:214 - load_tls(cfg, &tls) => -13 (Configuration is invalid)
(1778738)[        0.000]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1109 load_id_cb() identity[/tmp/pkcs11test1.json] failed to load: failed to initialize ziti
(1778738)[        0.000]    WARN ziti-edge-tunnel:instance.c:39 find_tunnel_identity() Identity ztx[/tmp/pkcs11test1.json] is not loaded yet or already removed.
(1778738)[        0.000]   ERROR ziti-edge-tunnel:instance-config.c:136 save_tunnel_status_to_file() Could not copy config file [/var/lib/ziti/config.json] to backup config file, the config might not exists at the moment
(1778738)[        0.000]   ERROR ziti-edge-tunnel:instance-config.c:142 save_tunnel_status_to_file() Could not open config file /var/lib/ziti/config.json to store the tunnel status data
(1778738)[        0.000]   TRACE ziti-edge-tunnel:instance-config.c:160 save_tunnel_status_to_file() Cleaning up resources used for the backup of tunnel config file /var/lib/ziti/config.json
About to run tunnel service that hosts services...

ekoby commented 1 year ago

pkcs11 is not supported by OpenSSL engine (uv-mbed). Here is the issue openziti/uv-mbed#125

qrkourier commented 1 year ago

I'm getting the same message "Configuration is invalid" with Mbed-TLS.

❯ jq .id.key /tmp/pkcs11test1.json
"pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=123456"

❯ ldd ./ziti-edge-tunnel
        linux-vdso.so.1 (0x00007ffd6cca4000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f504966b000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f5049666000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f5049661000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f504965c000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f5049648000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5046c00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f5049778000)

❯ ./ziti-edge-tunnel version
v0.20.18

❯ ./ziti-edge-tunnel run-host --identity /tmp/pkcs11test1.json --verbose 6
(1811541)[        0.000]    INFO ziti-sdk:utils.c:173 ziti_log_set_level() set log level: root=6/TRACE
(1811541)[        0.000]    INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v0.20.18)
(1811541)[        0.000]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:686 start_cmd_socket() failed to open IPC socket op=[uv_pipe_bind(&cmd_server, sockfile)] err=-98[address already in use]
(1811541)[        0.000]    WARN ziti-edge-tunnel:ziti-edge-tunnel.c:804 start_event_socket() failed to open IPC socket op=[uv_pipe_bind(&event_server, eventsockfile)] err=-98[address already in use]
(1811541)[        0.000]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:864 load_ziti_async() attempting to load ziti instance from file[/tmp/pkcs11test1.json]
(1811541)[        0.000]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:871 load_ziti_async() loading ziti instance from /tmp/pkcs11test1.json
(1811541)[        0.000]    INFO ziti-sdk:utils.c:173 ziti_log_set_level() set log level: root=6/TRACE
(1811541)[        0.000]   ERROR ziti-sdk:ziti.c:169 load_tls() /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti.c:159 - parse_getopt(q, "slot", slot, sizeof(slot)) => -13 (Unknown error -13)
(1811541)[        0.000]   ERROR ziti-sdk:ziti.c:236 ziti_init_opts() /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti.c:214 - load_tls(cfg, &tls) => -13 (Configuration is invalid)
(1811541)[        0.000]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1109 load_id_cb() identity[/tmp/pkcs11test1.json] failed to load: failed to initialize ziti
(1811541)[        0.000]    WARN ziti-edge-tunnel:instance.c:39 find_tunnel_identity() Identity ztx[/tmp/pkcs11test1.json] is not loaded yet or already removed.
(1811541)[        0.000]   ERROR ziti-edge-tunnel:instance-config.c:136 save_tunnel_status_to_file() Could not copy config file [/var/lib/ziti/config.json] to backup config file, the config might not exists at the moment
(1811541)[        0.000]   ERROR ziti-edge-tunnel:instance-config.c:142 save_tunnel_status_to_file() Could not open config file /var/lib/ziti/config.json to store the tunnel status data
(1811541)[        0.000]   TRACE ziti-edge-tunnel:instance-config.c:160 save_tunnel_status_to_file() Cleaning up resources used for the backup of tunnel config file /var/lib/ziti/config.json
About to run tunnel service that hosts services...

qrkourier commented 1 year ago

I can reproduce this issue with ziti-prox-c release v0.31.0-142.

❯ jq .id.key /tmp/pkcs11test4.json
"pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=123456"

❯ ./ziti-prox-c run -c /tmp/pkcs11test4.json -b 'zedsDemoHttpHttpbin':127.0.0.1:8080
(1553844)[        0.000]   ERROR ziti-sdk:ziti.c:169 load_tls() /home/runner/work/ziti-sdk-c/ziti-sdk-c/library/ziti.c:159 - parse_getopt(q, "slot", slot, sizeof(slot)) => -13 (Unknown error -13)
(1553844)[        0.000]   ERROR ziti-sdk:ziti.c:234 ziti_init_opts() /home/runner/work/ziti-sdk-c/ziti-sdk-c/library/ziti.c:213 - load_tls(&cfg, &tls) => -13 (Configuration is invalid)

❯ ./ziti-prox-c version
0.31.0-142

ekoby commented 1 year ago

due to this https://github.com/openziti/tlsuv/issues/136

qrkourier commented 1 year ago

Potentially-related issue in tunnel SDK repo: https://github.com/openziti/ziti-tunnel-sdk-c/issues/591

ekoby commented 1 year ago

fixed with #508