PKCS#11 Support

PKCS#11 support for Zymkey is now available from our main repo for Raspbian Jessie/Stretch/Buster and Ubuntu Bionic 64-bit. This package is called zkpkcs11 and can be installed on existing installations with:

sudo apt -y update
sudo apt -y upgrade

If you are working off of a fresh install of the Zymbit host packages as detailed in Getting Started, package zkpkcs11 will come over automatically.

We have based the zkpkcs11 package on the SoftHSM2 source code. We have added 2 extra features to this:

  1. Zymkey private keys can be used for signing by specifying --use-zkslot when creating a new key object with zk_pkcs11-util. This only applies to NIST-P256 (secp256r1) for Zymkey 4i. Future Zymbit products will support secp256k1 as well.
  2. Even though SoftHSM2 does key wrapping to protect its key objects, Zymbit goes a step further and protects all key material in its private object store with its data lock/unlock feature, even for slots that Zymkey does not support, such as RSA. For example, if you wanted to set up a zkpkcs11 slot that was RSA, you could do that as well and, even though all actions would be done by OpenSSL in software on the host computer rather than the Zymkey, Zymkey would still use its lock/unlock feature to protect the generated RSA private key.

Example:
Let’s say you need to create a slot that uses Zymkey as the root of trust for ECDSA signature generation as part of a framework like AWS Greengrass.

  1. First, add your user account to the group zk_pkcs11:
    sudo usermod -a -G zk_pkcs11 <username>
  2. Exit and re-enter your ssh or console session for the new group to take effect.
  3. Initialize a new token at slot 0:
    zk_pkcs11-util --init-token --slot 0 --label "greengrass"
    Enter the SO PIN and the User PIN when prompted. Be sure to note the new slot reassignment when the message "The token has been initialized and is reassigned to slot <new slot number>" shows up.
  4. Create a new key object which specifies that a zymkey private key slot should be used. Here we’ll use Zymkey key slot 2:
    zk_pkcs11-util --use-zkslot 2 --slot <new slot number> --label iotkey --id 0000
    Be sure to use the slot reassignment that was printed out in step 3.

That’s it! You should now have a PKCS#11 object defined that knows how to use Zymkey when that slot is called out.
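As an added example (not Zymbit's code), the following bash script wraps steps 3 and 4 of the procedure above so that the reassigned slot number printed by --init-token is captured and reused instead of being retyped. It assumes zk_pkcs11-util prints the line "The token has been initialized and is reassigned to slot <N>" and reads the PINs from the terminal, as shown in the post.

```bash
#!/bin/bash
# Added example, not part of the zkpkcs11 package. Assumes the --init-token,
# --use-zkslot, --slot, --label, --id and --show-slots flags used in the post.

# Pull the reassigned slot number out of --init-token output.
# Returns 1 and prints nothing if the line is missing, so a caller never
# passes an empty --slot value to the next command.
reassigned_slot() {
    local slot
    slot=$(printf '%s\n' "$1" |
        sed -n 's/.*is reassigned to slot \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$slot" ] || return 1
    printf '%s\n' "$slot"
}

# $1 = token label, $2 = Zymkey private key slot, $3 = key object label
setup_zymkey_token() {
    local tmp slot
    tmp=$(mktemp) || return 1
    # Step 3: tee keeps the tool's messages visible while they are also saved
    zk_pkcs11-util --init-token --slot 0 --label "$1" | tee "$tmp"
    if [ "${PIPESTATUS[0]}" -ne 0 ]; then rm -f "$tmp"; return 1; fi
    slot=$(reassigned_slot "$(cat "$tmp")"); rm -f "$tmp"
    [ -n "$slot" ] || { echo "init-token did not report a slot reassignment" >&2; return 1; }
    # Step 4: create the key object bound to the Zymkey private key slot
    zk_pkcs11-util --use-zkslot "$2" --slot "$slot" --label "$3" --id 0000 || return 1
    # Confirm the token now appears under its reassigned slot number
    zk_pkcs11-util --show-slots
}

# Usage: setup_zymkey_token greengrass 2 iotkey
```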

When I give command
sudo usermod -a -G zkpkcs11 username
I’m getting a response like this
usermod:group ‘zkpkcs11’ does not exist

what is the issue?

There was a typo in our post. The group name is ‘zk_pkcs11’.

Thank you. But now it is telling
usermode:user ‘username’ does not exist

how and where to create user?

The username is whatever your account username is. For example, the default user on Raspbian is ‘pi’, so the command would be:
sudo usermod -a -G zk_pkcs11 pi

I got this error while creating a new key object:

$ zk_pkcs11-util --init-token --slot 0 --label "greengrass"
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 419907394
$ zk_pkcs11-util --use-zkslot 2 --slot 419907394 --label iotkey --id 0000
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
ERROR: Could not save the private key in the token. Maybe the algorithm is not supported.

We’ll look into this soon.

Hi Micah,
I tried the same two commands and did not get any error. Can you confirm which model PI you are using, as well as the OS version? Do you have the Zymkey installed and bound, i.e. is the blue LED flashing once every three seconds?

Hey Bob,

I’m using a Raspberry Pi 4 Model B Rev 1.2 on:

$ uname -a
Linux server 5.3.0-1023-raspi2 #25~18.04.1-Ubuntu SMP Tue Apr 14 13:23:56 UTC 2020 aarch64 aarch64 aarch64 GNU/Linux

Yes, the Zymkey is installed and bound. I’m using its lock and unlock functions through the Python API successfully.

Thank you for the information. I see the same issue as you now. We’ll look into it.

I am trying to use the pkcs#11 support of the Zymkey4 on a RPi 5 with Raspberry Pi OS 64-bit.
This is the list of Zymkey packages installed:

I have followed the description found in the example here. The commands for init-token and use-zkslot seem to succeed, but I get an error when I try to use the slot with awsiotsdk. The call to mqtt_connection_builder.mtls_with_pkcs11 (from awsiot) fails with error: “RuntimeError: 1074 (AWS_ERROR_PKCS11_TOKEN_NOT_FOUND): Could not pick PKCS#11 token matching search criteria (none found, or multiple found)”. I have tried both with and without token_label (greengrass) and private_key_label (iotkey).

This is part of the output from the python script where the library path, slot id and labels used are printed in the log:

loglevel=INFO message=Loading PKCS#11 library: "/usr/lib/libzk_pkcs11.so", using slot id: "961662786", token label: "greengrass", private key label: "iotkey"
Traceback (most recent call last):
...
  File "/***/***.py", line 40, in __init__
    connection = mqtt_connection_builder.mtls_with_pkcs11(
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "***/venv/lib/python3.11/site-packages/awsiot/mqtt_connection_builder.py", line 351, in mtls_with_pkcs11
    return _builder(tls_ctx_options, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "***/venv/lib/python3.11/site-packages/awsiot/mqtt_connection_builder.py", line 231, in _builder
    tls_ctx = awscrt.io.ClientTlsContext(tls_ctx_options)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "***/venv/lib/python3.11/site-packages/awscrt/io.py", line 596, in __init__
    self._binding = _awscrt.client_tls_ctx_new(
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
RuntimeError: 1074 (AWS_ERROR_PKCS11_TOKEN_NOT_FOUND): Could not pick PKCS#11 token matching search criteria (none found, or multiple found)

This is the output of

zk_pkcs11-util --show-slots

This is the output of

pkcs11-tool --module /usr/lib/libzk_pkcs11.so --label iotkey --list-object

but the command prints the same public key object over and over again in what seems to be an infinite loop; I have to use Ctrl-C to stop it.

I would very much appreciate help with these issues. Thank you.

Sorry you’re having trouble. If you could provide the code that is causing the errors, I’d be better able to see where things might be going wrong.

Thanks!
dg

Thank you for responding so quickly.

The test script in the zip file will not need all the requirements in the requirements.txt, but it reflects the env used.
zymkey_test.zip (1.8 KB)

Hi grfo, do you find the solution? We have the same problem here.
Thanks.
Chill

Hi davidgs,
Is there a solution for the problem faced by grfo?

Thanks.
Chill

I can now confirm this behavior and will escalate this with our engineering team.

dg

Thank you for your prompt response. Let me introduce my situation.

I noticed that zymbit supports PKCS11, and the AWS IoT device client also supports secure elements. I attempted to use the AWS IoT device client to log in with zymbit’s private key.

I referred to this tutorial: AWS IoT Device Client Secure Element README.

When executing the following method:

$ ./aws-iot-device-client --enable-secure-element [true|false] --pkcs11-lib [your/path/to/pkcs#11/library] --secure-element-pin [User PIN of PKCS#11 token] --secure-element-key-label [key-label] --secure-element-slot-id [token-slot-id] --secure-element-token-label [token-label]

I encountered the following error:

[DEBUG] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - Loading PKCS#11. file:'/tmp/lib/libzk_pkcs11.so' C_Initialize:yes
[INFO] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50: PKCS#11 loaded. file:'/tmp/lib/libzk_pkcs11.so' cryptokiVersion:2.40 manufacturerID:'SoftHSM' flags:0x6E656D656C706D49 libraryDescription:'tation of PKCS11        ' libraryVersion:0.0 C_Initialize:CKR_OK
[TRACE] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50: Found 2 slots with tokens. Picking one...
[TRACE] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50: Ignoring PKCS#11 token because slot 0 doesn't match 4747930165
[DEBUG] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50: Selected PKCS#11 token. slot:4747930165 label:'Chill' manufacturerID:'SoftHSM project' model:'SoftHSM v2' serialNumber:'6ae720ee9affaa35' flags:0x0000042D sessionCount:1099511627775/4294967295 rwSessionCount:18446744073709551615/18446744069414584324 freePublicMemory:0/3472333810982467120 freePrivateMemory:0/0 hardwareVersion:0.0 firmwareVersion:0.0
[DEBUG] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50 session=1: Session opened on slot 4747930165
[DEBUG] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50 session=1: User logged in
[ERROR] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50 session=1: Failed to find private key on PKCS#11 token which matches search criteria
[DEBUG] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50 session=1: Session closed
[ERROR] [2024-06-27T06:01:45Z] [0000007fb666dd40] [mqtt-client] - id=0x7fb666c850: Error initializing TLS context from PKCS11 options
[DEBUG] [2024-06-27T06:01:45Z] [0000007fb666dd40] [pkcs11] - id=0x7fa0000d50: Unloading PKCS#11. C_Finalize:omit

I checked, and the private key should exist.

p11tool --provider=/tmp/lib/libzk_pkcs11.so --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6ae720ee9affaa35;token=Chill" --debug 9
Setting log level to 9
|<2>| p11: Initializing module: /tmp/lib/libzk_pkcs11.so
|<2>| p11: No login requested.
Token 'Chill' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6ae720ee9affaa35;token=Chill' requires user PIN
Enter PIN:
|<2>| p11: Login result = ok (0)
|<3>| ASSERT: ../../lib/pkcs11.c[pkcs11_import_object]:2173
|<2>| unknown pkcs11 object class 3
|<3>| ASSERT: ../../lib/pkcs11.c[pkcs11_import_object]:2145
|<3>| ASSERT: ../../lib/pkcs11.c[pkcs11_import_object]:2159
|<3>| ASSERT: ../../lib/pkcs11.c[pkcs11_import_object]:2168
|<3>| ASSERT: ../../lib/pkcs11.c[find_multi_objs_cb]:3360
|<3>| ASSERT: ../../lib/pkcs11.c[find_multi_objs_cb]:3138
Object 0:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6ae720ee9affaa35;token=Chill;id=%00%00;object=iotkey
        Type: Unknown
        Label: iotkey
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID: 00:00

This situation is quite similar to grfo’s case, with the difference being that he used the SDK while I am using the client.

Hey folks,

There was indeed a bug/regression introduced that we did not catch. We have issued a fix, and added a test to make sure that such a regression does not reappear.

To fix this, run the following:

$ sudo apt remove --purge zkpkcs11
$ sudo apt update
$ sudo apt install zkpkcs11

That will ensure that you have the new (fixed) version of the zkpkcs11 package. I have verified that this fix works on my Pi 4 and Pi 5 so hopefully it will also work for you.

Let me know if you’re still having trouble after applying this fix.

Best Regards,
dg

Could you please start a new topic with this issue so that we may address it separately?

It helps us keep the forum organized and easy to find answers if we keep topics focused on one problem at a time.

Thanks!
dg

Hi dg,
I have started a new topic here:

Please help us resolve the problem. Thank you.
Chill