aws/aws-iot-device-sdk-python-v2

AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD connecting MQTT with pkcs11 using ATECC608B

qcabrol opened this issue · 4 comments

Describe the bug

When calling the sample script 'pkcs11_connect.py'

  • the crypto element ATECC608B answers correctly and the provisioned private key is found
  • the sample script exits with AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD

awscrt.exceptions.AwsCrtError: AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD: A PKCS#11 (Cryptoki) library function failed with return value CKR_ARGUMENTS_BAD

Error AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD when connecting MQTT with pkcs11 using secure element ATECC608B

aws-sdk2-edited.log

Expected Behavior

The device connects (or attempts to connect) to the AWS IoT without a PKCS error.

Current Behavior

See description of the bug above

Reproduction Steps

  • ATECC608B crypto element on i2c0 bus with provisioned private key and securely booted
  • libcryptoauth v3.4.0 from Microchip
  • libp11 0.4.11
  • aws-iot-device-sdk-python-v2 1.21.0

run (adapt parameters to the provisioned private key label, actual endpoint ...):
python3 pkcs11_connect.py --endpoint a***************-ats.iot.eu-central-1.amazonaws.com --cert ~/app/prod/res/gateway_cert.crt --pkcs11_lib /usr/lib/libcryptoauth.so --token_label 00ABC --key_label device --client_id my_device_id --port 8883 --ca_file ~/app/prod/res/root.pem --pin 1234 --verbosity Debug

Possible Solution

No response

Additional Information/Context

No response

SDK version used

1.21.0

Environment details (OS name and version, etc.)

Yocto Kirkstone on ARM: Linux sam9x60-curiosity-sd 6.1.55-linux4microchip-2023.10

Can you confirm that the key you are using is valid and generated correctly by testing with your pkcs11 library?
Also, if you could provide trace-level logs, that would have more information about why this might be failing.

Hi @jmklix, after aligning with Microchip, the issue seems to come from
https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051

"
In my opinion this line breaks the CAL: https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051

The AWS PKCS11 library wants to retrieve the signature length by passing a NULL pointer, but the CAL treats this as an error.

After adding the following patch to https://github.com/MicrochipTech/cryptoauthlib/blob/v3.4.0/lib/pkcs11/pkcs11_main.c#L620, the TLS connect seems to go through.

```c
/**
 * \brief Sign the data in a single pass operation
 */
CK_RV C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
{
  // Catch NULL signature from https://github.com/awslabs/aws-c-io/blob/main/source/pkcs11_lib.c#L1051,
  // and return the ECDSA secp256r1 signature length
  if (pSignature == NULL)
  {
    *pulSignatureLen = 64;
    return CKR_OK;
  }
  /* rest of the original C_Sign body follows unchanged */
```
"

We will now patch libcryptoauth accordingly and submit a PR on their side.
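As an added illustration (not code from this issue, from cryptoauthlib or from aws-c-io), here is the PKCS#11 output-buffer convention the comment above turns on: a conforming C_Sign treats a NULL signature buffer as a length query, while a library that rejects NULL breaks a client doing the standard two-call pattern. The CK_* types and return codes are declared locally (assumed to match pkcs11.h), the signing step is a constructed stand-in, and the function names are hypothetical.

```c
#include <stddef.h>
/* Local stand-ins for the pkcs11.h types and return codes (assumed to match the spec). */
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
typedef CK_RV (*sign_fn)(const CK_BYTE *, CK_ULONG, CK_BYTE *, CK_ULONG *);
#define CKR_OK               0x00UL
#define CKR_ARGUMENTS_BAD    0x07UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define ECDSA_P256_SIG_LEN   64UL   /* raw r || s, 32 bytes each */

/* Stand-in for the token's signing step: constructed, deterministic bytes,
 * not real ECDSA. Only the buffer protocol around it matters here. */
static void token_sign_p256(const CK_BYTE *data, CK_ULONG len, CK_BYTE *out) {
    for (CK_ULONG i = 0; i < ECDSA_P256_SIG_LEN; i++)
        out[i] = (CK_BYTE)(data[i % len] ^ (CK_BYTE)i);
}

/* Spec-conforming C_Sign output handling: a NULL buffer is a length query. */
CK_RV sign_conforming(const CK_BYTE *data, CK_ULONG dataLen,
                      CK_BYTE *sig, CK_ULONG *sigLen) {
    if (data == NULL || dataLen == 0 || sigLen == NULL) return CKR_ARGUMENTS_BAD;
    if (sig == NULL) {                      /* 1: report required size, succeed */
        *sigLen = ECDSA_P256_SIG_LEN;
        return CKR_OK;
    }
    if (*sigLen < ECDSA_P256_SIG_LEN) {     /* 2: buffer too small, report size */
        *sigLen = ECDSA_P256_SIG_LEN;
        return CKR_BUFFER_TOO_SMALL;
    }
    token_sign_p256(data, dataLen, sig);    /* 3: sign into the caller's buffer */
    *sigLen = ECDSA_P256_SIG_LEN;
    return CKR_OK;
}

/* The behaviour the thread reports from cryptoauthlib 3.4.0: NULL is rejected. */
CK_RV sign_rejecting_null(const CK_BYTE *data, CK_ULONG dataLen, CK_BYTE *sig, CK_ULONG *sigLen) {
    if (sig == NULL) return CKR_ARGUMENTS_BAD;
    return sign_conforming(data, dataLen, sig, sigLen);
}

/* Two-call pattern a client such as aws-c-io uses: query the size, then sign. */
CK_RV sign_two_call(sign_fn c_sign, const CK_BYTE *data, CK_ULONG dataLen,
                    CK_BYTE *out, CK_ULONG outCap, CK_ULONG *outLen) {
    CK_ULONG need = 0;
    CK_RV rv = c_sign(data, dataLen, NULL, &need);
    if (rv != CKR_OK) return rv;    /* this is what surfaces as AWS_ERROR_PKCS11_CKR_ARGUMENTS_BAD */
    if (need > outCap) return CKR_BUFFER_TOO_SMALL;
    *outLen = outCap;
    return c_sign(data, dataLen, out, outLen);
}
```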

I'm glad that you were able to figure out what was causing your error. Closing this issue because there is nothing that needs to be changed with this SDK. Please let us know if you run into any other problems with this SDK.

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.