ATECC608 and Greengrass V2 integration with PKCS11 #328

Closed
majh opened this issue Jan 20, 2023 · 6 comments
majh commented Jan 20, 2023

I was wondering if anyone has got an ATECC608 device integrated with Greengrass V2, so that Greengrass V2 was able to use the ATECC608 device via PKCS11.
I have seen some commits in cryptoauthlib to support this, and I know that a recent version of greengrass should be required for EC keys - but i'm running v2.9.2, with its PKCS11Provider.jar, and I haven't been able to successfully get this to work.
Are there any examples of this working ? @JamieHunter Do you happen to know ?

I can happily use it with openssl and p11tool.
root@tegra:~/gg# p11tool --provider /usr/lib/libcryptoauth.so --list-tokens
Token 0:
	URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=XXXXXXXXXXX;token=MCHP
	Label: MCHP
	Type: Hardware token
	Manufacturer: Microchip Technology Inc
	Model: ATECC608A
	Serial: XXXXXXXXXXX
	Module: (null)

JamieHunter (Contributor) commented

@majh Sorry for responding late to this. Are you still stuck? Can you give me more detail of the symptoms you are seeing / errors in the error log?

majh commented Jan 31, 2023

Hi @JamieHunter, thanks for your response. Here are the details I have

  • I use v3.4.1 of cryptoauthtools, build and install on raspberry pi 4, raspian 11
  • ATECC608A TNG connected to the Pi via I2C bus 1, header pins 3 (SDA1), 4 (SCL1), 3v3/GND. Note that I have also tried the ATECC608B on a different piece of hardware, with the same issues occurring.
  • I can query with cryptoauth_test to verify version, and 'tng' tests complete successfully. Note that I need to change baud rate from 400000 to 100000 in atca_test_config.c
./cryptoauth_test 
$ ecc608
Device Selected.
$ info -i i2c 1 -a 6a
revision:
00 00 60 02

$ tng

Unity test run 1 of 1
TEST(tng_atca, tng_get_device_pubkey) PASS
TEST(tng_atcacert_client, tng_atcacert_root_public_key) PASS
TEST(tng_atcacert_client, tng_atcacert_root_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_max_signer_cert_size) PASS
TEST(tng_atcacert_client, tng_atcacert_read_signer_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_signer_public_key_no_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_signer_public_key_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_max_device_cert_size) PASS
TEST(tng_atcacert_client, tng_atcacert_read_device_cert_no_signer) PASS
TEST(tng_atcacert_client, tng_atcacert_read_device_cert_signer) PASS
TEST(tng_atcacert_client, tng_atcacert_device_public_key_no_cert) PASS
TEST(tng_atcacert_client, tng_atcacert_device_public_key_cert) PASS

-----------------------
12 Tests 0 Failures 0 Ignored 
OK
  • I can successfully query details with pkcs11 tools
root@raspberrypi# pkcs11-tool --module  /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --list-slots 2> /dev/null
Available slots:
Slot 0 (0x0): 0_3_0
  token label        : device
  token manufacturer : Microchip Technology Inc
  token model        : ATECC608A
  token flags        : rng, token initialized
  hardware version   : 0.2
  firmware version   : 255.255
  serial num         : 23BC526C69CFA001
  pin min/max        : 0/128

root@raspberrypi# p11tool --provider /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --export "pkcs11:object=device;type=cert"  2> /dev/null
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

root@raspberrypi# pkcs11-tool --module /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --list-objects 2> /dev/null
Private Key Object; EC
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable
  Allowed mechanisms: ECDSA-KEY-PAIR-GEN,ECDSA,ECDSA-SHA256
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104692f42726ab02203cd67eccf8bbcfab16fe233c80e9ee3fc6c403b14d5723a1776769bf0dc5286a3b498f2754c073274d36f0e852d27edb4bdc0ac0fb6a6770b
  EC_PARAMS:  06082a8648ce3d030107
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
  Usage:      verify, derive
  Access:     local
Certificate Object; type = X.509 cert
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
Certificate Object; type = X.509 cert
  label:      signer
  subject:    DN: O=Microchip Technology Inc, CN=Crypto Authentication Signer 2730
  ID:         d84cb8b81f6c899f5debca0732b9243935be64ec
Private Key Object; EC
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable
  Allowed mechanisms: ECDSA-KEY-PAIR-GEN,ECDSA,ECDSA-SHA256
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104692f42726ab02203cd67eccf8bbcfab16fe233c80e9ee3fc6c403b14d5723a1776769bf0dc5286a3b498f2754c073274d36f0e852d27edb4bdc0ac0fb6a6770b
  EC_PARAMS:  06082a8648ce3d030107
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
  Usage:      verify, derive
  Access:     local
Certificate Object; type = X.509 cert
  label:      device
Certificate Object; type = X.509 cert
  label:      signer
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  EC_PARAMS:  06082a8648ce3d030107
  label:      root
  ID:         0000000000000000000000000000000000000000
  Usage:      verify, derive
  Access:     local

root@raspberrypi# pkcs11-tool --read-object  --type cert --module /usr/lib/arm-linux-gnueabihf/libcryptoauth.so -a device 2> /dev/null |openssl x509 -inform der -outform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            78:13:5f:9e:a3:69:c8:28:bf:0f:cc:82:4e:5c:6c:a4
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = Microchip Technology Inc, CN = Crypto Authentication Signer 2730
        Validity
            Not Before: Jul 29 17:00:00 2021 GMT
            Not After : Jul 29 17:00:00 2049 GMT
        Subject: O = Microchip Technology Inc, CN = sn0123BC526C69CFA001
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:69:2f:42:72:6a:b0:22:03:cd:67:ec:cf:8b:bc:
                    fa:b1:6f:e2:33:c8:0e:9e:e3:fc:6c:40:3b:14:d5:
                    72:3a:17:76:76:9b:f0:dc:52:86:a3:b4:98:f2:75:
                    4c:07:32:74:d3:6f:0e:85:2d:27:ed:b4:bd:c0:ac:
                    0f:b6:a6:77:0b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DirName:/serialNumber=eui48_6827194C40CD
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Subject Key Identifier: 
                8F:28:33:73:58:3E:15:30:02:42:2B:E8:07:E4:5E:54:6B:1A:B7:28
            X509v3 Authority Key Identifier: 
                keyid:D8:4C:B8:B8:1F:6C:89:9F:5D:EB:CA:07:32:B9:24:39:35:BE:64:EC

    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:f0:b2:9a:ea:75:91:dd:2e:d0:50:f7:cf:6c:
         4e:23:6c:4a:65:3f:ad:19:22:f5:c3:30:21:4a:30:38:c0:3a:
         b8:02:21:00:b3:07:3a:72:b3:bb:c2:86:a9:1e:9f:bc:ea:1b:
         a5:19:60:1b:d4:b9:36:2a:47:1c:ba:e0:fd:cc:81:c5:42:a5

  • I use greengrass 2.9.2, with the latest aws.greengrass.crypto.Pkcs11Provider.jar, but I cannot get this to successfully use the ATECC608A, and consistently get greengrass failing. I can see that greengrass is attempting to communicate with the device, but not with success.
  • Greengrass logs look like
java.util.concurrent.CompletionException: software.amazon.awssdk.crt.mqtt.MqttException: Error during getting mqtt connection builder
      at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:331)
      at java.base/java.util.concurrent.CompletableFuture.uniComposeStage(CompletableFuture.java:1099)
      at java.base/java.util.concurrent.CompletableFuture.thenCompose(CompletableFuture.java:2235)
      at com.aws.greengrass.mqttclient.AwsIotMqttClient.connect(AwsIotMqttClient.java:239)
      at com.aws.greengrass.mqttclient.AwsIotMqttClient.subscribe(AwsIotMqttClient.java:158)
      at com.aws.greengrass.mqttclient.MqttClient.subscribe(MqttClient.java:409)
      at com.aws.greengrass.mqttclient.WrapperMqttClientConnection.subscribe(WrapperMqttClientConnection.java:73)
      at com.aws.greengrass.deployment.IotJobsClientWrapper.SubscribeToDescribeJobExecutionAccepted(IotJobsClientWrapper.java:198)
      at software.amazon.awssdk.iot.iotjobs.IotJobsClient.SubscribeToDescribeJobExecutionAccepted(IotJobsClient.java:601)
      at com.aws.greengrass.deployment.IotJobsHelper.subscribeToGetNextJobDescription(IotJobsHelper.java:522)
      at com.aws.greengrass.deployment.IotJobsHelper.subscribeToJobsTopics(IotJobsHelper.java:481)
      at com.aws.greengrass.deployment.IotJobsHelper.lambda$setupCommWithIotJobs$5(IotJobsHelper.java:343)
      at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
      at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
      at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
      at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: Error during getting mqtt connection builder
      at com.aws.greengrass.mqttclient.MqttClient.lambda$new$0(MqttClient.java:184)
      at com.aws.greengrass.mqttclient.MqttClient.lambda$getNewMqttClient$17(MqttClient.java:800)
      at com.aws.greengrass.mqttclient.AwsIotMqttClient.establishConnection(AwsIotMqttClient.java:261)
      ... 14 more
  • I've attached a log of stdout when running greengrass with -DPKCS11_DEBUG_ENABLE=ON, where GG appears to be attempting to use the library, but without success.
  • I've also attached a log of stdout when used successfully with other pkcs11 tools
  • Is there any other info I can provide ?

Thanks for your assistance.

pkcs11-tool.read-cert.good.txt
gg-loader.bad.txt

JamieHunter (Contributor) commented

Look for an access grant to a debug tool I wrote - https://github.com/JamieHunter/pkcs11-java-test - dependencies will need updating to latest. To enable aws-c-io debugging, set up environment like:
export JAVA_OPTS="-Djavax.net.debug=all -Daws.crt.log.destination=File -Daws.crt.log.filename=awscrt.log -Daws.crt.log.level=Trace -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"

This example also enables Java debugging. The file "awscrt.log" will get created in the same directory as the tool (or the same directory as the Nucleus).

majh commented Feb 6, 2023

Confirmed working for me with Greengrass 2.9.2 and ATECC608A/B with d4f3b1abe58 version of cryptoauthlib. It does not work for me with v3.4.1 of cryptoauthlib.
I notice that there are a number of changes in PKCS11 related areas after the working version - these seem to prevent successful operation somehow. I'm not clear on exactly why v3.4.1 works with other pkcs11 tools, i.e. p11tool/pkcs11-tool, but not Greengrass.

@majh majh closed this as completed Feb 6, 2023
JamieHunter (Contributor) commented

The problem will be related to how different tools interact with the library. In particular, in this case, the pattern of calls and expectations of Java interaction with the library are different to pkcs11-tool's interaction with the library.

@bryan-hunt what will be useful to help debug this?

user-redans commented Mar 7, 2023

Hi @majh ,

Can you provide us your '/var/lib/cryptoauthlib/0.conf' file?

I don't know why, but in my case all objects are empty!

pi@raspberrypi: pkcs11-tool --module /usr/lib/libcryptoauth.so --list-objects
Using slot 0 with a present token (0x0)
Data object 2
label: ''
application: <empty>
app_id: <empty>
flags: <empty>
Data object 3
label: ''
application: <empty>
app_id: <empty>
flags: <empty>
Data object 4
label: ''
application: <empty>
app_id: <empty>
flags: <empty>
Data object 5
label: ''
application: <empty>
app_id: <empty>
flags: <empty>
Data object 6
label: ''
application: <empty>
app_id: <empty>
flags: <empty>
Data object 7
label: ''
application: <empty>
app_id: <empty>
flags: <empty>

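A check worth running before suspecting the Java side, added here as an example and not code from this thread, from cryptoauthlib or from Greengrass: parse the `pkcs11-tool --list-objects` text that majh and user-redans posted above and cross-check the objects against the certificate. It verifies what a PKCS#11 consumer has to rely on: the private key, public key and certificate for one label share a CKA_ID, the public key's `EC_POINT` (which PKCS#11 stores as a DER OCTET STRING around the raw `04||X||Y` point) equals the certificate's subject public key, and no key object is all zeros, and it reports a slot that only exposes empty Data objects. The listings, public key and Subject Key Identifier are copied from the thread and abbreviated (constructed input, one copy of each object); the pairing of CKA_ID with the certificate's SKI is what this particular module's listing shows, not a PKCS#11 requirement.

```python
"""Cross-check what a PKCS#11 module exposes before handing it to a TLS client.

Added example, not code from the thread, cryptoauthlib or Greengrass. It parses
the text `pkcs11-tool --list-objects` prints and checks what a consumer such as
Greengrass' Pkcs11Provider relies on: private key, public key and certificate
of one label share a CKA_ID, the public key's EC_POINT (a DER OCTET STRING)
equals the certificate's subject public key, and no key is blank.
"""
import hashlib
import re

HEADER = re.compile(r"^(Private Key|Public Key|Certificate|Data) [Oo]bject")
ATTR = re.compile(r"^\s*([A-Za-z_ ]+?):\s*(.*)$")

def parse_objects(text):
    """Group pkcs11-tool output into {"kind": ..., "attrs": {...}} records."""
    objects = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            objects.append({"kind": m.group(1), "attrs": {}})
        elif objects and (m := ATTR.match(line)):
            objects[-1]["attrs"][m.group(1).strip()] = m.group(2).strip()
    return objects

def hexbytes(s):
    """Accept openssl's colon/newline-separated hex as well as plain hex."""
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", s))

def ec_point_value(hexstr):
    """Unwrap CKA_EC_POINT: PKCS#11 wraps the curve point in a DER OCTET STRING."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[0] != 0x04 or raw[1] >= 0x80:
        raise ValueError("EC_POINT is not a short-form DER OCTET STRING")
    value = raw[2:2 + raw[1]]          # a P-256 point is 0x04 || X || Y, 65 bytes
    if len(value) != raw[1]:
        raise ValueError("EC_POINT truncated")
    return value

def audit_listing(listing, label, cert_pub_hex, cert_ski_hex):
    """Check the objects carrying `label` against the certificate's values."""
    objs = parse_objects(listing)
    report = {"empty_token": False, "ids": set(), "missing_id": [], "blank_keys": [],
              "ec_point_matches_cert": False, "cka_id_is_cert_ski": False,
              "cka_id_is_sha1_of_point": False}
    keyish = [o for o in objs if o["kind"] != "Data"]
    if not keyish:                     # only bare Data objects: nothing a client can use
        report["empty_token"] = True
        return report
    for o in keyish:
        point = o["attrs"].get("EC_POINT", "")
        if point and set(point) == {"0"}:
            report["blank_keys"].append(o["attrs"].get("label", "?"))
    mine = [o for o in keyish if o["attrs"].get("label") == label]
    for o in mine:
        if "ID" in o["attrs"]:
            report["ids"].add(o["attrs"]["ID"].lower())
        else:
            report["missing_id"].append(o["kind"])
    pubs = [o for o in mine if o["kind"] == "Public Key" and "EC_POINT" in o["attrs"]]
    if pubs:
        point = ec_point_value(pubs[0]["attrs"]["EC_POINT"])
        report["ec_point_matches_cert"] = point == hexbytes(cert_pub_hex)
        # Informational only: RFC 5280 method 1 SKI is SHA-1 of the key bits, but a
        # module may derive CKA_ID some other way, so False here is not a fault.
        report["cka_id_is_sha1_of_point"] = hashlib.sha1(point).hexdigest() in report["ids"]
    report["cka_id_is_cert_ski"] = report["ids"] == {hexbytes(cert_ski_hex).hex()}
    return report

# Constructed inputs: values copied from the thread, one copy of each object.
CERT_PUB = """04:69:2f:42:72:6a:b0:22:03:cd:67:ec:cf:8b:bc:fa:b1:6f:e2:33:c8:0e:9e:e3:fc:6c:40:3b:14:d5:
72:3a:17:76:76:9b:f0:dc:52:86:a3:b4:98:f2:75:4c:07:32:74:d3:6f:0e:85:2d:27:ed:b4:bd:c0:ac:0f:b6:a6:77:0b"""
CERT_SKI = "8F:28:33:73:58:3E:15:30:02:42:2B:E8:07:E4:5E:54:6B:1A:B7:28"
DEVICE_LISTING = """\
Private Key Object; EC
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104692f42726ab02203cd67eccf8bbcfab16fe233c80e9ee3fc6c403b14d5723a1776769bf0dc5286a3b498f2754c073274d36f0e852d27edb4bdc0ac0fb6a6770b
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
Certificate Object; type = X.509 cert
  label:      device
  ID:         8f283373583e153002422be807e45e546b1ab728
Certificate Object; type = X.509 cert
  label:      signer
  ID:         d84cb8b81f6c899f5debca0732b9243935be64ec
Certificate Object; type = X.509 cert
  label:      device
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   ZEROS
  label:      root
  ID:         0000000000000000000000000000000000000000
""".replace("ZEROS", "0" * 134)
EMPTY_LISTING = "Using slot 0 with a present token (0x0)\nData object 2\nlabel: ''\napplication: <empty>\nData object 3\nlabel: ''\napplication: <empty>\n"

if __name__ == "__main__":
    print(audit_listing(DEVICE_LISTING, "device", CERT_PUB, CERT_SKI))
    print(audit_listing(EMPTY_LISTING, "device", CERT_PUB, CERT_SKI))
```

On majh's listing the device key, public key and certificate agree on one CKA_ID equal to the certificate's Subject Key Identifier and the EC_POINT matches the certificate's key, while the `root` public key is reported as blank and the second `device` certificate entry has no ID; on user-redans's listing the slot is reported as empty, which is the first thing to fix before any client can use it. To run it against a live token, feed `audit_listing` the output of `pkcs11-tool --module <lib> --list-objects` and the `pub:` / `Subject Key Identifier` text from `openssl x509 -text`.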