Zk_pkcs11 support for Raspberry PI 2B 32 bit

Hi,

I’ve just recently got my Zymbit 4I and starting to play around with it. I am running it on a Raspberry PI 2B (yes I know, it’s old). I’m getting “OverflowError: Python int too large to convert to C long” errors on running some simple Python code. I suspect that it’s becuase zkpkcs11 library only supports 64bit. Do I need to upgrade my Raspberry PI or is there a 32bit support for zkpkcs11 libs.

Thanks in advance

Sayed

Hi Sayed,

The zkpcs11 libraries are built for the platform and should be 32-bit. Can you explain in a little more detail what you are trying to do? Maybe include the python code that caused the error?

Bob

Hi Bob,

Thanks for your response. So, running the code below I get the following error:

import zymkey

data = bytearray(‘hello world!’)
encrypted_payload = zymkey.client.lock(data)
payload_sig = zymkey.client.sign(encrypted_payload)

I get the following error:

Traceback (most recent call last):
File “encrypt_test.py”, line 5, in
payload_sig = zymkey.client.sign(encrypted_payload)
File “/usr/local/lib/python2.7/dist-packages/zymkey/module.py”, line 340, in sign
sha256.update(src.encode(‘utf-8’))
AttributeError: ‘bytearray’ object has no attribute ‘encode’

When I change the var ‘data’ to just a string, I get the following error:

File “encrypt_test.py”, line 4, in
encrypted_payload = zymkey.client.lock(data)
File “/usr/local/lib/python2.7/dist-packages/zymkey/module.py”, line 213, in lock
raise AssertionError(‘bad return code %d’ % ret)
AssertionError: bad return code -2

Also running the below code I found on the community website,

import zkpkcs11

# Initialise our PKCS#11 library
lib = pkcs11.lib(os.environ[‘PKCS11_MODULE’])
token = lib.get_token(token_label=‘Zymkey’)

data = b’INPUT DATA’

# Open a session on our token
with token.open(user_pin=‘123456’) as session:
# Generate an AES key in this session
key = session.generate_key(pkcs11.KeyType.AES, 256)

# Get an initialisation vector
iv = session.generate_random(128) # AES blocks are fixed at 128 bits
# Encrypt our data
crypttext = key.encrypt(data, mechanism_param=iv)

I get the following error:

Traceback (most recent call last):
File “aes_gen.py”, line 1, in
import zkpkcs11
ImportError: No module named zkpkcs11

I’m quite familiar with Python, but cannot understanding the errors.

Thanks and regards

Abdul

You are getting the first error because sign() is expecting a digest as a hex string. You can turn your encoded data into a hex string with binascii.hexlify before passing to sign(),

import zymkey
import binascii

data = bytearray(‘hello world’)
encrypted_payload = binascii.hexlify(zymkey.client.lock(data))
payload_sig = zymkey.client.sign(encrypted_payload)

Your second attempt error is because if you give lock() a string, it assumes that is an absolute path to a file to lock(). If you give it data like you did in the first try, it will encrypt the data.

I’m going to have to get back to you on the zkpkcs11 module not found.

Bob

Hi Abdul,

I did some research and Zymbit has never released a zkpkcs Python module. No wonder you can’t find it! You mentioned you found the PKCS#11 code on the community website. Can you provide a link to that? I am not familiar with that example.

Bob

Hi Bob,

Sorry, my bad. The example is for the Python pics#11 wrapper API found on this website

https://python-pkcs11.readthedocs.io/en/latest/

I installed the wrapper and set the environment variable:

PKCS11_MODULE=/home/pi/.local/lib/python2.7/site-packages/pkcs11

This is the code and I’m running python 3

import pkcs11

# Initialise our PKCS#11 library
lib = pkcs11.lib(os.environ[‘PKCS11_MODULE’])
token = lib.get_token(token_label=‘Zymkey’)

data = b’INPUT DATA’

# Open a session on our token
with token.open(user_pin=‘123456’) as session:
# Generate an AES key in this session
key = session.generate_key(pkcs11.KeyType.AES, 256)

# Get an initialisation vector
iv = session.generate_random(128) # AES blocks are fixed at 128 bits
# Encrypt our data
crypttext = key.encrypt(data, mechanism_param=iv)

The error I get is:

Traceback (most recent call last):
File “aes_gen.py”, line 1, in
import pkcs11
ModuleNotFoundError: No module named ‘pkcs11’

I suspect that zymkey does not support that library module?

Hope this is clearer now. Again apologise for the wrong info

Abdul

Abdul,
Python3 is telling you that it can’t find the package ‘pkcs11’. You need to install this with pip.
python3 -m pip install python-pkcs11

Next, you need to export the environment variable PKCS11_MODULE and point it to the zymkey PKCS#11 library.
export PKCS11_MODULE=/usr/lib/libzk_pkcs11.so

Try this and let us know how it goes.

Hi Scott,

Yes. I made the changes and it worked fine. Thank you. On a separate note, can Zymkey be used in a BYOK scenario? A typical BYOK use case will be to generate a key using Zymkey and securely transport the key in into, say the KMS in AWS cloud? That way, although I am using the AWS native encryption platform, I am generating the keys and this use case will allow more control over the creation, lifecycle, and durability of my keys keys.

Thanks once again

Abdul