openziti / ziti-tunnel-sdk-c

Apache License 2.0

Error loading PKCS#11 identity #962

Open bengcooper opened 1 week ago

bengcooper commented 1 week ago

I am receiving the following error when trying to load an identity loaded onto a YubiKey via PKCS#11 in ziti-edge-tunnel v1.1.3:

[        0.000]    WARN ziti-edge-tunnel:instance.c:40 find_tunnel_identity() Identity ztx[/opt/openziti/etc/identities/yubikey-test.json] is not loaded yet or already removed.
[        0.010]   ERROR ziti-sdk:ziti.c:168 init_tls_from_config() /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti.c:158 - load_key_internal(tls, &pk, cfg->id.key) => -13 (Unknown error -13)
[        0.010]   ERROR ziti-sdk:ziti.c:1940 ziti_context_run() /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti.c:1925 - load_tls(&ztx->config, &tls) => -13 (configuration is invalid)
[        0.010]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1142 load_id_cb() identity[/opt/openziti/etc/identities/yubikey-test.json] failed to load: failed to initialize ziti

The identity was created with ziti CLI v1.1.8, and enrolled with a local build (as openziti/ziti#1231 hasn't released yet).

The command used to create the certificate on the YubiKey was:

pkcs11-tool --module /usr/lib/libykcs11.so --keypairgen --key-type EC:prime256v1 --usage-sign --usage-decrypt --login --id 01 --login-type so --so-pin <redacted> --label defaultkey

And the (redacted) identity JSON file after enrolling is:

{
  "ztAPI": "https://openziti.example.com:443/edge/client/v1",
  "ztAPIs": null,
  "configTypes": null,
  "id": {
    "key": "pkcs11:///usr/lib/libykcs11.so?id=01&pin=123456",
    "cert": "pem:-----BEGIN CERTIFICATE-----\nredacted\n-----END CERTIFICATE-----\n",
    "ca": "pem:-----BEGIN CERTIFICATE-----\nredacted\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nredacted\n-----END CERTIFICATE-----\n"
  },
  "enableHa": false
}
ekoby commented 1 week ago

PKCS#11 is not supported in 1.x releases

do you mind trying with the latest 2.0.0 pre-release binaries (available here)?

bengcooper commented 1 week ago

I've updated to v2.0.0-alpha17 and the issue is still occurring:

[        0.000]    WARN ziti-edge-tunnel:instance.c:39 find_tunnel_identity() Identity ztx[/opt/openziti/etc/identities/yubikey-test2.json] is not loaded yet or already removed.
[        0.011]    WARN ziti-sdk:model_support.c:202 model_parse() json parse error: expected comment
[        0.011]    WARN ziti-sdk:model_support.c:202 model_parse() json parse error: expected comment
[        0.011]   ERROR ziti-sdk:ziti.c:130 init_tls_from_config() /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c/build/_deps/ziti-sdk-c-src/library/ziti.c:120 - load_key_internal(tls, &pk, cfg->id.key) => -13 (Unknown error -13)
[        0.011]   ERROR ziti-sdk:ziti.c:460 ziti_init_async() invalid TLS config: configuration is invalid
[        0.011]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:906 on_ziti_event() ziti_ctx controller connections failed: configuration is invalid
[        0.011]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1233 on_event() ztx[/opt/openziti/etc/identities/yubikey-test2.json] failed to connect to controller due to configuration is invalidon_event() ztx[/opt/openziti/etc/identities/yubikey-test2.json] failed to connect to controller due to configuration is invalid

The JSON parse error appears for each identity so it's potentially not related.

dmuensterer commented 6 days ago

Is pkcs11:///usr/lib/libykcs11.so?id=01&pin=123456 actually readable, i.e. did you check if this isn't a ziti problem?
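An added example, not code from this thread or from the openziti project, that takes a key reference of the shape shown in the identity JSON above (`pkcs11://<module>?id=..&pin=..`), splits it into its parts, lints it, and builds the independent `pkcs11-tool` check that the last comment asks for, so the key can be confirmed readable outside ziti. The URL layout, the optional `label` selector and the mapping onto `pkcs11-tool` flags are assumptions drawn from the string in this thread and from pkcs11-tool's documented options, not from the ziti-sdk-c parser:

```python
"""Inspect a ziti-style PKCS#11 key reference and emit an out-of-band check.

Assumed (not confirmed by the thread): the key string has the shape
pkcs11://<module-path>?id=<hex>&pin=<pin>[&label=<label>], as in the
identity JSON above; 'label' is an assumed alternative object selector.
"""
import os
import re
import shlex
from urllib.parse import parse_qs, urlsplit


def parse_pkcs11_key(spec: str) -> dict:
    """Split the key reference into module path, object selectors and PIN."""
    if not spec.startswith("pkcs11://"):
        raise ValueError("not a pkcs11:// key reference")
    parts = urlsplit(spec)
    # 'pkcs11:///usr/lib/x.so' splits into netloc '' and path '/usr/lib/x.so';
    # joining both also covers a relative 'pkcs11://x.so' form.
    module = parts.netloc + parts.path
    query = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "module": module,
        "id": query.get("id"),
        "label": query.get("label"),
        "pin": query.get("pin"),
    }


def lint_key_ref(info: dict) -> list:
    """Return findings a practitioner would check before blaming the tunneler."""
    findings = []
    if not info["module"]:
        findings.append("no PKCS#11 module path")
    elif not os.path.isabs(info["module"]):
        findings.append("module path is not absolute: " + info["module"])
    if info["id"] is None and info["label"] is None:
        findings.append("no id or label selects the key object")
    if info["id"] is not None and not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", info["id"]):
        findings.append("id is not an even-length hex string: " + info["id"])
    if info["pin"] is not None:
        findings.append("PIN is stored in plaintext in the identity file; restrict its permissions")
    return findings


def verification_command(info: dict) -> list:
    """pkcs11-tool invocation that lists the private key with the same selectors."""
    cmd = ["pkcs11-tool", "--module", info["module"], "--type", "privkey"]
    if info["id"] is not None:
        cmd += ["--id", info["id"]]
    if info["label"] is not None:
        cmd += ["--label", info["label"]]
    if info["pin"] is not None:
        cmd += ["--login", "--pin", info["pin"]]
    cmd.append("--list-objects")
    return cmd


def redacted(cmd: list) -> str:
    """Shell-quoted command with the PIN value hidden, safe to paste into an issue."""
    out = []
    hide_next = False
    for tok in cmd:
        out.append("<redacted>" if hide_next else tok)
        hide_next = tok == "--pin"
    return shlex.join(out)


if __name__ == "__main__":
    # Key reference copied from the identity JSON in this thread.
    SAMPLE = "pkcs11:///usr/lib/libykcs11.so?id=01&pin=123456"
    info = parse_pkcs11_key(SAMPLE)
    for finding in lint_key_ref(info):
        print("-", finding)
    print("run outside ziti:", redacted(verification_command(info)))
    print("module present on this host:", os.path.isfile(info["module"]))
```

If the printed `pkcs11-tool` command lists no `Private Key Object` for that id, the problem is in the token, the module or the PIN rather than in ziti; if it lists one, the remaining difference is how the tunneler itself interprets the reference.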