AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD connecting MQTT with pkcs11 using ATECC608B
qcabrol opened this issue · 4 comments
Describe the bug
When calling the sample script 'pkcs11_connect.py'
- the crypto element ATECC608B answers correctly and the provisioned private key is found
- The sample script exits with AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD
awscrt.exceptions.AwsCrtError: AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD: A PKCS#11 (Cryptoki) library function failed with return value CKR_ARGUMENTS_BAD
Error AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD when connecting MQTT with pkcs11 using secure element ATECC608B
Expected Behavior
The device connects (or attempts to connect) to the AWS IoT without a PKCS error.
Current Behavior
See description of the bug above
Reproduction Steps
- ATECC608B crypto element on i2c0 bus with provisioned private key and securely booted
- libcryptoauth v3.4.0 from Microchip
- libp11 0.4.11
- aws-iot-device-sdk-python-v2 1.21.0
run (adapt parameters to the provisioned private key label, actual endpoint ...):
python3 pkcs11_connect.py --endpoint a***************-ats.iot.eu-central-1.amazonaws.com --cert ~/app/prod/res/gateway_cert.crt --pkcs11_lib /usr/lib/libcryptoauth.so --token_label 00ABC --key_label device --client_id my_device_id --port 8883 --ca_file ~/app/prod/res/root.pem --pin 1234 --verbosity Debug
Possible Solution
No response
Additional Information/Context
No response
SDK version used
1.21.0
Environment details (OS name and version, etc.)
Yocto Kirkstone on ARM: Linux sam9x60-curiosity-sd 6.1.55-linux4microchip-2023.10
Can you confirm that the key you are using is valid and generated correctly by testing with your pkcs11 library?
Also if you could provide trace level logs that would have more information about why this might be failing.
Hi @jmklix, after aligning with Microchip, the issue seems to come from
https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051
"
In my opinion this line breaks the CAL: https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051
The AWS PKCS11 library wants to retrieve the signature length by passing a NULL pointer, but the CAL treats this as an error.
After adding the following patch to https://github.com/MicrochipTech/cryptoauthlib/blob/v3.4.0/lib/pkcs11/pkcs11_main.c#L620, the TLS connect now seems to go through.
    /**
     * \brief Sign the data in a single pass operation
     */
    CK_RV C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
    {
        // Catch NULL signature from https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051, and return ECDSA secp256r1 signature length
        if (pSignature == NULL)
        {
            *pulSignatureLen = 64;
            return CKR_OK;
        }
"
We will now patch the libcryptoauth accordingly and submit a PR to their side
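The two-call convention the comment above relies on, as an added example that is not code from this thread, from cryptoauthlib or from aws-c-io: a `strict_C_Sign` that rejects a NULL output buffer (the behaviour reported in this issue) next to a `conforming_C_Sign` that follows the PKCS#11 rule for variable-length output, which also covers the CKR_BUFFER_TOO_SMALL case the spec's convention requires, and a caller `sign_two_step` that performs the length query and then the real call, the way a TLS stack does. All type and constant definitions are local stand-ins so the file builds without a pkcs11.h header, and `toy_sign` is a constructed placeholder, not ECDSA.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the thread, cryptoauthlib or aws-c-io.
 * Local stand-ins for the Cryptoki types and return codes used below
 * (constructed so the file compiles without a pkcs11.h header). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SESSION_HANDLE;
typedef unsigned char CK_BYTE;
typedef CK_BYTE *CK_BYTE_PTR;
typedef CK_ULONG *CK_ULONG_PTR;
#define CKR_OK               0x000UL
#define CKR_ARGUMENTS_BAD    0x007UL
#define CKR_BUFFER_TOO_SMALL 0x150UL

#define ECDSA_P256_SIG_LEN 64UL   /* raw r || s, 32 bytes each */

/* Function type of C_Sign, so both implementations can be handed to the caller. */
typedef CK_RV (*sign_fn)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR);

/* Toy "signature": deterministic bytes derived from the input. Constructed
 * stand-in for the secure element's ECDSA; it only exercises buffer handling. */
static void toy_sign(const CK_BYTE *data, CK_ULONG len, CK_BYTE *out)
{
    for (CK_ULONG i = 0; i < ECDSA_P256_SIG_LEN; i++)
        out[i] = (CK_BYTE)((len ? data[i % len] : 0) ^ (CK_BYTE)i);
}

/* Implementation that rejects a NULL output buffer outright: the behaviour the
 * thread reports (CKR_ARGUMENTS_BAD on the length query). */
CK_RV strict_C_Sign(CK_SESSION_HANDLE h, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
                    CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
{
    (void)h;
    if (pData == NULL || pSignature == NULL || pulSignatureLen == NULL)
        return CKR_ARGUMENTS_BAD;
    if (*pulSignatureLen < ECDSA_P256_SIG_LEN) return CKR_BUFFER_TOO_SMALL;
    toy_sign(pData, ulDataLen, pSignature);
    *pulSignatureLen = ECDSA_P256_SIG_LEN;
    return CKR_OK;
}

/* Implementation following the PKCS#11 convention for variable-length output:
 *  - pSignature == NULL: report the required length and return CKR_OK
 *  - buffer too small:   report the required length, return CKR_BUFFER_TOO_SMALL
 *  - otherwise:          write the signature, set *pulSignatureLen to bytes written */
CK_RV conforming_C_Sign(CK_SESSION_HANDLE h, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
                        CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
{
    (void)h;
    if (pulSignatureLen == NULL || (pData == NULL && ulDataLen != 0))
        return CKR_ARGUMENTS_BAD;
    if (pSignature == NULL) {
        *pulSignatureLen = ECDSA_P256_SIG_LEN;
        return CKR_OK;
    }
    if (*pulSignatureLen < ECDSA_P256_SIG_LEN) {
        *pulSignatureLen = ECDSA_P256_SIG_LEN;
        return CKR_BUFFER_TOO_SMALL;
    }
    toy_sign(pData, ulDataLen, pSignature);
    *pulSignatureLen = ECDSA_P256_SIG_LEN;
    return CKR_OK;
}

/* Caller side, mirroring the two-step pattern a TLS stack uses: query the length
 * with a NULL buffer, then sign into a buffer of that size. Returns the number of
 * signature bytes produced, or 0 if either step fails. */
CK_ULONG sign_two_step(sign_fn sign, const CK_BYTE *data, CK_ULONG len,
                       CK_BYTE *out, CK_ULONG out_cap)
{
    CK_ULONG need = 0;
    if (sign(1, (CK_BYTE_PTR)data, len, NULL, &need) != CKR_OK) return 0;
    if (need > out_cap) return 0;
    CK_ULONG got = out_cap;
    if (sign(1, (CK_BYTE_PTR)data, len, out, &got) != CKR_OK) return 0;
    return got;
}

/* Length query alone: what the implementation reports for a NULL buffer,
 * or -1 if it rejects the query. */
long query_sig_len(sign_fn sign)
{
    CK_ULONG need = 0;
    CK_BYTE one = 0;
    return sign(1, &one, 1, NULL, &need) == CKR_OK ? (long)need : -1L;
}

/* Runs the full two-step flow on a constructed message; 0 means it failed. */
CK_ULONG demo(sign_fn sign)
{
    static const CK_BYTE msg[] = "CertificateVerify transcript hash (constructed)";
    CK_BYTE sig[ECDSA_P256_SIG_LEN];
    return sign_two_step(sign, msg, sizeof msg - 1, sig, sizeof sig);
}

int main(void)
{
    printf("strict C_Sign:     %lu bytes (0 = NULL length query rejected)\n", demo(strict_C_Sign));
    printf("conforming C_Sign: %lu bytes\n", demo(conforming_C_Sign));
    return 0;
}
```

Against `strict_C_Sign` the caller never reaches the signing call, which is the point at which the SDK surfaces CKR_ARGUMENTS_BAD; against `conforming_C_Sign` the same caller gets a 64-byte signature. A quick way to check a PKCS#11 module for this behaviour before wiring it into a TLS stack is to call its C_Sign once with a NULL signature buffer and confirm it returns CKR_OK with the length filled in.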
I'm glad that you were able to figure out what was causing your error. Closing this issue because there is nothing that needs to be changed with this sdk. Please let us know if you run into any other problems with this sdk.
This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.