Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD connecting MQTT with pkcs11 using ATECC608B #561

Closed
qcabrol opened this issue Feb 16, 2024 · 4 comments
Closed
Assignees
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments

@qcabrol
Copy link

qcabrol commented Feb 16, 2024

Describe the bug

When calling the sample script 'pkcs11_connect.py'

  • the crypto element ATEC608B answers correctly and the provisioned private key is found
  • The sample script exits with AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD

awscrt.exceptions.AwsCrtError: AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD: A PKCS#11 (Cryptoki) library function failed with return value CKR_ARGUMENTS_BAD

Error AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD when connecting MQTT with pkcs11 using secure element ATECC608B

aws-sdk2-edited.log

Expected Behavior

The device connects (or attempts to connect) to the AWS IoT without a PKCS error.

Current Behavior

See description of the bug above

Reproduction Steps

  • ATECC608B crypto element on i2c0 bus with provisioned private key and securely booted
  • libcryptoauth v3.4.0 from Microchip
  • lipb11 0.4.11
  • aws-iot-device-sdk-python-v2 1.21.0

run (adapt parameters to the provisioned private key label, actual endpoint ...):
python3 pkcs11_connect.py --endpoint a***************-ats.iot.eu-central-1.amazonaws.com --cert ~/app/prod/res/gateway_cert.crt --pkcs11_lib /usr/lib/libcryptoauth.so --token_label 00ABC --key_label device --client_id my_device_id --port 8883 --ca_file ~/app/prod/res/root.pem --pin 1234 --verbosity Debug

Possible Solution

No response

Additional Information/Context

No response

SDK version used

1.21.0

Environment details (OS name and version, etc.)

Yocto Kirkstone on ARM: Linux sam9x60-curiosity-sd 6.1.55-linux4microchip-2023.10

@jmklix
Copy link
Member

jmklix commented Feb 22, 2024

Can you confirm that the key you are using is valid and generated correctly by testing with your pkcs11 library?
Also if you could provide trace level logs that would have more information about why this might be failing.

@jmklix jmklix added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 2 days. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Feb 22, 2024
@jmklix jmklix self-assigned this Feb 22, 2024
@qcabrol
Copy link
Author

qcabrol commented Feb 27, 2024

Hi @jmklix After aligning with Microchip, the issue seems to come from
https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051

"
In my opinion this line breaks the CAL: https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051

The AWS PKCS11 library wants to retrieve the signature length by passing a NUL pointer, but the CAL treats this as an error.

Adding the following patch to https://github.com/MicrochipTech/cryptoauthlib/blob/v3.4.0/lib/pkcs11/pkcs11_main.c#L620, and now the TLS connect seems to go through.

/**

 * \brief Sign the data in a single pass operation

 */

CK_RV C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)

{

  // Catch NULL signature from https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051, and return ECDSA secp256r1 signature length

  if (pSignature==NULL)

  {

    *pulSignatureLen = 64;

    return CKR_OK;

  }

"

We will now patch the libcryptoauth accordingly and submit a PR to their side

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 2 days. label Feb 27, 2024
@jmklix
Copy link
Member

jmklix commented Feb 27, 2024

I'm glad that you where able to figure out what was causing your error. Closing this issue because there is nothing that needs to be changed with this sdk. Please let us know if you run into any other problems with this sdk.

@jmklix jmklix closed this as completed Feb 27, 2024
Copy link

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. p2 This is a standard priority issue
Projects
None yet
Development

No branches or pull requests

2 participants