
enroll ignores pkcs11 key source #591

Closed
qrkourier opened this issue Jan 24, 2023 · 3 comments · Fixed by #699

Comments

@qrkourier
Member

I expected enrollment to produce a config with a pkcs11:// URI to the private key slot in the HSM, but instead a new private key was generated for the identity.

❯ ziti-edge-tunnel enroll --jwt /tmp/pkcs11test2.jwt --key "pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=123456" --identity /tmp/pkcs11test2.json 
(1780067)[        0.000]    INFO ziti-sdk:utils.c:173 ziti_log_set_level() set log level: root=3/INFO
(1780067)[        0.000]    INFO ziti-sdk:utils.c:173 ziti_log_set_level() set log level: root=3/INFO
(1780067)[        0.000]    INFO ziti-sdk:ziti_enroll.c:92 ziti_enroll() Ziti C SDK version 0.30.9 @743d7f8(HEAD) starting enrollment at (2023-01-24T18:18:03.317)
(1780067)[        0.000]    INFO ziti-sdk:ziti_ctrl.c:407 ziti_ctrl_init() ctrl[7ce7e424-6a92-4ff2-9459-ebbba32346fa.production.netfoundry.io] ziti controller client initialized
(1780067)[        0.072]    INFO ziti-sdk:ziti_enroll.c:41 verify_controller_jwt() verifying JWT signature
(1780067)[        0.101]    INFO ziti-sdk:ziti_ctrl.c:407 ziti_ctrl_init() ctrl[7ce7e424-6a92-4ff2-9459-ebbba32346fa.production.netfoundry.io] ziti controller client initialized

❯ jq .id.key /tmp/pkcs11test2.json
"-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgkX8RdBmoPLKjy44K\nsTd0eCToKFjD/XaTTE9RpoN31UmhRANCAAS/oVFQu/mcEldvw6QaRkNmgnzYPrU3\ntWbqjW85njvd/tvBQXJGZ/8ULCGh/KUPWk0aFGyYa61jgPeLcoTmzMn2\n-----END PRIVATE KEY-----\n"
@qrkourier
Member Author

I used the OpenSSL-linked redistributable Debian packaging of v0.20.18.

@qrkourier
Member Author

In another issue I learned that builds of ziti-edge-tunnel with MBed-TLS are expected to work with PKCS11 keys, but builds with OpenSSL are not expected to work.

I reproduced the issue with an MBed-TLS build of ziti-edge-tunnel (the GitHub release binary v0.20.18).

❯ ldd ./ziti-edge-tunnel 
        linux-vdso.so.1 (0x00007fff833fa000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fe8a1854000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe8a184f000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe8a184a000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fe8a1845000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fe8a1831000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe89ee00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe8a1962000)

❯ ./ziti-edge-tunnel version
v0.20.18

❯ ./ziti-edge-tunnel enroll --jwt /tmp/pkcs11test3.jwt --key "pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=123456" --identity /tmp/pkcs11test3.json 
(1533479)[        0.000]    INFO ziti-sdk:utils.c:173 ziti_log_set_level() set log level: root=3/INFO
(1533479)[        0.000]    INFO ziti-sdk:utils.c:173 ziti_log_set_level() set log level: root=3/INFO
(1533479)[        0.000]    INFO ziti-sdk:ziti_enroll.c:94 ziti_enroll() Ziti C SDK version 0.30.9 @743d7f8(HEAD) starting enrollment at (2023-01-30T17:24:39.586)
(1533479)[        0.000]    INFO ziti-sdk:ziti_ctrl.c:407 ziti_ctrl_init() ctrl[7ce7e424-6a92-4ff2-9459-ebbba32346fa.production.netfoundry.io] ziti controller client initialized
(1533479)[        0.074]    INFO ziti-sdk:ziti_enroll.c:41 verify_controller_jwt() verifying JWT signature
(1533479)[        0.127]    INFO ziti-sdk:ziti_ctrl.c:407 ziti_ctrl_init() ctrl[7ce7e424-6a92-4ff2-9459-ebbba32346fa.production.netfoundry.io] ziti controller client initialized

❯ jq .id.key /tmp/pkcs11test3.json
"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMBqWqrIgUQNYzZEdVBoukZPQ7nVD87e0E7fmvY3lGFLoAoGCCqGSM49\nAwEHoUQDQgAE8/oE9zpjdGb1YDuEwdaKZ/EPUXbbmtPLPx5kGkGcWcyyi6iL45ek\ngOg9iqgQeBmjYvkMrb1MMDNsZfgzeqXPKA==\n-----END EC PRIVATE KEY-----\n"

@qrkourier
Member Author

qrkourier commented Aug 2, 2023

I can still reproduce this problem in 0.21.5 and with pre-release 0.22.0.

The symptom is that the private key is unexpectedly generated when ziti-edge-tunnel enroll --key is provided with a PKCS#11 URI. After populating both with a private key, I obtained the same result with either slot id=01 or id=03. The Yubikey Manager (ykman CLI and ykman-gui) has workflows to populate these slots with a certificate backed by a private key that is generated on the Yubikey. This results in a private key with id=01 when slot 9a (authN) is used, and id=03 when slot 9d (key mgmt) is used.

❯ /tmp/ziti-edge-tunnel version
v0.22.0

❯ /tmp/ziti-edge-tunnel enroll --key "pkcs11:///usr/local/lib/libykcs11.so.2.3.1?id=01&pin=${HSM_PIN}" --jwt /tmp/yubi5.jwt --identity /tmp/yubi5.json
(314303)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(314303)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(314303)[        0.000]    INFO ziti-sdk:ziti_enroll.c:92 ziti_enroll() Ziti C SDK version 0.33.2 @e06b76c(HEAD) starting enrollment at (2023-08-02T20:38:55.820)

❯ jq .id.key /tmp/yubi5.json
"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIDajW77cP9ZTOyPCzN7K5J5Oq4RvCv2JZlOgzhYRT6rXoAoGCCqGSM49\nAwEHoUQDQgAEbrTHk+Caw4H2IX54ZdAYnA1PHRbp2Vyq5orpZdExeH5GNjWx9+sAGDYy3PFZFmIO535O7RlKzWKrgPpWJOEECQ==\n-----END EC PRIVATE KEY-----\n"

❯ pkcs11-tool --module /usr/local/lib/libykcs11.so.2.3.1 --list-objects
Using slot 0 with a present token (0x0)
Data object 0
  label:          'X.509 Certificate for PIV Authentication'
  application:    'X.509 Certificate for PIV Authentication'
  app_id:         2.16.840.1.101.3.7.2.1.1
  flags:          <empty>
Data object 26
  label:          'Card Holder Unique Identifier'
  application:    'Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.0
  flags:          <empty>
Data object 31
  label:          'Discovery Object'
  application:    'Discovery Object'
  app_id:         2.16.840.1.101.3.7.2.96.80
  flags:          <empty>
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for PIV Authentication
  subject:    DN: CN=kbingham
  serial:     15EC4112A27038E675E86C903BDEF3276A42A3EF
  ID:         01
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104a82caf7544bcba1b615929f99bcaa8ac21d2ff1b49b2834c36f08ee636177f289699f6d4fd0a73b686e9b2cd1c909e762018a1cb07c5ab0280de8c4adff48411
  EC_PARAMS:  06082a8648ce3d030107
  label:      Public key for PIV Authentication
  ID:         01
  Usage:      encrypt, verify
  Access:     none

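A post-enrollment check for the symptom reported in this issue, added here as an illustration (not code from ziti-edge-tunnel or the ziti C SDK). It reads the enrolled identity JSON, reports whether `id.key` is a pkcs11:// URI in the form used above (module path, then `id` and `pin` query parameters) or embedded PEM private key material, and compares the recorded module and key id against the URI that was passed to `--key`. The sample identity files are constructed; the key formats and field names are taken from the jq output in this thread.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Matches both "BEGIN PRIVATE KEY" (PKCS#8) and "BEGIN EC PRIVATE KEY" (SEC1),
# the two forms seen in the id.key values quoted in this issue.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# The --key argument from the first report (PIN value is a placeholder).
REQUESTED_KEY = "pkcs11:///usr/local/lib/libykcs11.so?id=03&pin=<PIN>"

# Constructed identity file showing the expected outcome: key stays in the HSM.
EXPECTED_IDENTITY = json.dumps({"id": {"key": REQUESTED_KEY, "cert": "<constructed>"}})

# Constructed identity file showing the reported bug: a fresh PEM key was written.
ACTUAL_IDENTITY = json.dumps({"id": {
    "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEE<constructed>\n-----END EC PRIVATE KEY-----\n",
    "cert": "<constructed>"}})


def classify_key_source(identity_json: str) -> dict:
    """Describe where the identity's private key lives.

    kind: "pkcs11" (URI to an HSM slot), "embedded" (PEM key material in the
    file, the symptom of this issue) or "other" (absent or unrecognised).
    """
    key = json.loads(identity_json).get("id", {}).get("key", "")
    if not isinstance(key, str):
        return {"kind": "other", "module": None, "id": None, "pin_in_uri": False}
    if key.startswith("pkcs11:"):
        parts = urlsplit(key)              # path holds the module, query holds id/pin
        query = parse_qs(parts.query)
        return {"kind": "pkcs11", "module": parts.path,
                "id": query.get("id", [None])[0], "pin_in_uri": "pin" in query}
    if PEM_PRIVATE_KEY.search(key):
        return {"kind": "embedded", "module": None, "id": None, "pin_in_uri": False}
    return {"kind": "other", "module": None, "id": None, "pin_in_uri": False}


def enrollment_kept_hsm_key(identity_json: str, requested_uri: str) -> bool:
    """True only if id.key still points at the module and key id that were requested."""
    got = classify_key_source(identity_json)
    want = classify_key_source(json.dumps({"id": {"key": requested_uri}}))
    return (got["kind"] == "pkcs11" and got["module"] == want["module"]
            and got["id"] == want["id"])


if __name__ == "__main__":
    for label, ident in (("expected", EXPECTED_IDENTITY), ("actual", ACTUAL_IDENTITY)):
        print(label, classify_key_source(ident), enrollment_kept_hsm_key(ident, REQUESTED_KEY))
```

Run it against the real enrolled identity file to distinguish the two outcomes in the thread: a `pkcs11` result with matching module and id is the expected one, an `embedded` result is this bug.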
ekoby added a commit that referenced this issue Aug 4, 2023
ekoby closed this as completed in #699 Aug 4, 2023