
Issue running pkcs.11.GetAttributeValue against boolean attributes #4

Closed
shawnkeating opened this issue Jan 17, 2024 · 9 comments · Fixed by #5

Comments

@shawnkeating

First off - love this package. It has been great for experimenting with PKCS11 and having some visibility into what I'm creating on the HSM. Definitely prefer it over softHSM. But I did run into one issue:

If I try to grab attribute values from keys stored in the HSM, pkcs11.GetAttributeValue works fine unless the attribute is boolean, in which case it fails. Hard to know exactly where it fails, but the function works fine with softHSM, so I'm pretty sure it's on the HSM side. Here is the function I'm running.

```go
package main

import (
	"fmt"

	"github.com/miekg/pkcs11" // the Go PKCS#11 wrapper whose API the snippet uses
)

func ListObjects(lib string, pin string, slot uint) {
	p, session := activateToken(lib, pin, slot) // helper function to set up connection
	defer deactivateToken(p, session)           // helper function to tear down connection

	listattr := []*pkcs11.Attribute{
		pkcs11.NewAttribute(pkcs11.CKA_LABEL, nil),
		pkcs11.NewAttribute(pkcs11.CKA_ID, nil),
		pkcs11.NewAttribute(pkcs11.CKA_CLASS, nil),
		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, nil),
		pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, nil),
	}
	if err := p.FindObjectsInit(session, []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true)}); err != nil {
		fmt.Printf("FindObjectsInit failed. Error: %s\n", err.Error())
		return
	}
	handles, _, err := p.FindObjects(session, 5)
	if err != nil {
		fmt.Printf("FindObjects failed. Error: %s\n", err.Error())
		return
	}
	_ = p.FindObjectsFinal(session) // close the search before using the handles
	for _, handle := range handles {
		values, err := p.GetAttributeValue(session, handle, listattr)
		if err != nil {
			fmt.Printf("An error occurred retrieving the key attribute values. Error: %s\n", err.Error())
			continue // values is not usable after a failed call; indexing it would panic
		}
		cls := keyClassToString(values[2].Value) // converts []byte to class string
		ts := keyTypeToString(values[3].Value)   // converts []byte to key type string
		ex := keyBytetoBool(values[4].Value)     // converts []byte to boolean
		fmt.Println("---------------------------------------------------------------")
		fmt.Printf("The found key has handle: %d with the following properties:\n", handle)
		fmt.Printf("KeyClass: %s\nKeytype: %s\nLabel: %s\nID: %s\nExportable: %t\n", cls, ts, values[0].Value, values[1].Value, ex)
	}
}
```
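The helpers referenced above (keyClassToString, keyTypeToString, keyBytetoBool) are not shown in the post. As an added example, not code from the issue author or the BouncyHsm project, the following stdlib-only Go shows how such decoders can be written defensively: a CK_BBOOL is validated to be exactly one byte and a CK_ULONG to be 4 or 8 bytes, so an attribute the token failed to return yields an error instead of an index-out-of-range panic. The byte order (HostOrder), the CKO_/CKK_ name tables and SampleAttributeValues are assumptions constructed for the demo.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// HostOrder is the byte order in which a PKCS#11 library writes CK_ULONG
// values; it is the host's native order. Little-endian is assumed here
// (x86/x64); adjust for other hosts.
var HostOrder binary.ByteOrder = binary.LittleEndian

// Subset of PKCS#11 object-class and key-type constants used for display.
var classNames = map[uint64]string{
	0: "CKO_DATA", 1: "CKO_CERTIFICATE", 2: "CKO_PUBLIC_KEY", 3: "CKO_PRIVATE_KEY", 4: "CKO_SECRET_KEY",
}
var keyTypeNames = map[uint64]string{0: "CKK_RSA", 1: "CKK_DSA", 3: "CKK_EC", 0x1F: "CKK_AES"}

// DecodeBool interprets a CK_BBOOL attribute (CKA_EXTRACTABLE, CKA_PRIVATE, ...).
// CK_BBOOL is exactly one byte; any other length means the attribute was not
// returned (failed call, unsupported attribute) or is not a boolean at all.
func DecodeBool(v []byte) (bool, error) {
	if len(v) != 1 {
		return false, fmt.Errorf("CK_BBOOL must be 1 byte, got %d bytes", len(v))
	}
	return v[0] != 0, nil
}

// DecodeULong interprets a CK_ULONG attribute (CKA_CLASS, CKA_KEY_TYPE).
// CK_ULONG is 8 bytes on LP64 platforms and 4 bytes on 32-bit builds.
func DecodeULong(v []byte, order binary.ByteOrder) (uint64, error) {
	switch len(v) {
	case 4:
		return uint64(order.Uint32(v)), nil
	case 8:
		return order.Uint64(v), nil
	}
	return 0, fmt.Errorf("CK_ULONG must be 4 or 8 bytes, got %d bytes", len(v))
}

func nameOr(m map[uint64]string, v uint64) string {
	if s, ok := m[v]; ok {
		return s
	}
	return fmt.Sprintf("0x%X", v)
}

// ObjectInfo is the decoded form of the five-attribute template
// (CKA_LABEL, CKA_ID, CKA_CLASS, CKA_KEY_TYPE, CKA_EXTRACTABLE).
type ObjectInfo struct {
	Label       string
	ID          []byte
	Class       string
	KeyType     string
	Extractable bool
}

// DescribeObject decodes the raw attribute values in template order and
// reports, rather than panics on, any attribute that came back malformed.
func DescribeObject(values [][]byte, order binary.ByteOrder) (ObjectInfo, error) {
	if len(values) != 5 {
		return ObjectInfo{}, fmt.Errorf("expected 5 attribute values, got %d", len(values))
	}
	cls, err := DecodeULong(values[2], order)
	if err != nil {
		return ObjectInfo{}, fmt.Errorf("CKA_CLASS: %w", err)
	}
	kt, err := DecodeULong(values[3], order)
	if err != nil {
		return ObjectInfo{}, fmt.Errorf("CKA_KEY_TYPE: %w", err)
	}
	ex, err := DecodeBool(values[4])
	if err != nil {
		return ObjectInfo{}, fmt.Errorf("CKA_EXTRACTABLE: %w", err)
	}
	return ObjectInfo{
		Label: string(values[0]), ID: values[1],
		Class: nameOr(classNames, cls), KeyType: nameOr(keyTypeNames, kt), Extractable: ex,
	}, nil
}

// SampleAttributeValues is constructed test data shaped like what
// C_GetAttributeValue fills in for a non-extractable RSA private key on a
// little-endian LP64 host. It is not output captured from any HSM.
func SampleAttributeValues() [][]byte {
	cls := make([]byte, 8)
	binary.LittleEndian.PutUint64(cls, 3) // CKO_PRIVATE_KEY
	kt := make([]byte, 8)                 // CKK_RSA == 0
	return [][]byte{[]byte("demo-rsa-key"), {0x01, 0x02}, cls, kt, {0}}
}

func main() {
	info, err := DescribeObject(SampleAttributeValues(), HostOrder)
	fmt.Printf("%+v err=%v\n", info, err)
	// An empty CK_BBOOL, as left behind by a failed call, is an error, not a crash.
	_, err = DecodeBool(nil)
	fmt.Println("empty CK_BBOOL:", err)
}
```

The length checks matter precisely in the situation this issue describes: when GetAttributeValue fails for a boolean attribute, the Value slice is empty, and a converter that does `v[0]` without checking will crash the listing instead of reporting which attribute the token did not return.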

@harrison314
Owner

Thanks for the feedback. 👍

What operating system does this show up on?

And what architecture (x86 or x64) does BouncyHsm.Pkcs11Lib have?

@shawnkeating
Author

shawnkeating commented Jan 17, 2024 via email

@harrison314
Owner

I have an idea what the problem might be. Would I need a byte field value that converts to a bool (values[4].Value)?

And if possible also the value from SoftHSM.

@shawnkeating
Author

shawnkeating commented Jan 17, 2024 via email

@harrison314
Owner

I managed to reproduce the error with a better error message: Error in sock_writerequest (line 317) - Connection error. IP: 127.0.0.1 Error: Address family not supported by protocol.

The problem manifests itself only on linux and only when calling C_GetAttributeValue with CK_ATTRIBUTE_PTR pTemplate which has more than 4 items.

@shawnkeating
Author

shawnkeating commented Jan 18, 2024 via email

@harrison314
Owner

Interesting. Seems a lot of internal calls when requesting values over PKCS11. Not a straightforward interface.

This problem is a bug in the native Pkcs11 library code, the fix will probably take me some time, but I'm working on it.

I came across another issue while I have you here. I was trying to issue x509 certs with large RSA keys (4096 and 3072) and the HSM hung during the signing process. I was able to sign using the same function call with ECC keys but not the large RSA. Tested against softHSM and was able to sign the certs.

Generating large RSA keys is slow, with a 4094-bit key it takes more than a minute on a real smart card and tens of seconds on an HSM.

In BouncyHSM I used to add "Speed mode" for this when creating a slot. But I have the slow down parameters set incorrectly and it takes too long to create 4k RSA keys, so I still recommend using the "Without speed restrictions" mode. I plan to fix it.

@harrison314
Owner

I managed to find the cause of the problem and it was fixed. Currently, the fix is in the master branch (it is possible to build via github actions) and it will be included in the next release.

@shawnkeating
Author

shawnkeating commented Jan 24, 2024 via email
