PKCS#11 signer fails with unknown error code on ARMv7 (with YubiHSM2 Nano) #752

Closed
ximon18 opened this issue Jan 4, 2022 · 1 comment
Labels: armv7; bug (Something isn't working); hsm (Relates to adding HSM support to Krill)

ximon18 commented Jan 4, 2022

Krill version tested:

$ rustc -V
rustc 1.57.0 (f1edd0429 2021-11-29)

$ git describe --all --long
heads/hsm-0-g223a5266

$ lsb_release -d
Description:    Ubuntu 21.10

$ uname -a
Linux ximon-laptop 5.15.0-051500-generic #202110312130 SMP Sun Oct 31 21:33:20 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Prerequisites:

$ cargo install cross
$ rustup target add armv7-unknown-linux-gnueabihf

Build:

$ cross build --target armv7-unknown-linux-gnueabihf --no-default-features --features static-openssl,hsm
    Finished dev [unoptimized + debuginfo] target(s) in 2m 25s

Test:

$ scp target/debug/krill [email protected]:
$ ssh [email protected]
$ grep -Ev '^#' krill.conf | sed '/^\s*$/d'
log_level = "trace"
log_type = "stderr"
admin_token = "********"
service_uri = "https://localhost:3000/"
[[signers]]
type = "PKCS#11"
name = "YubiHSM2 Nano via PKCS#11"
lib_path = "/home/pi/yubihsm/yubihsm-shell-2.3.0b/build/pkcs11/yubihsm_pkcs11.so"
slot = 0
user_pin = "********"
$ ./krill -c ./krill.conf
...
2022-01-04 12:12:53 [ERROR] [krill::commons::crypto::signing::signers::pkcs11::signer] [YubiHSM2 Nano via PKCS#11]
Unable to initialize PKCS#11 info for library '/home/pi/yubihsm/yubihsm-shell-2.3.0b/build/pkcs11/yubihsm_pkcs11.so':
PKCS#11 Error: Failed to load PKCS#11 library '"/home/pi/yubihsm/yubihsm-shell-2.3.0b/build/pkcs11/yubihsm_pkcs11.so"':
PKCS#11: unknown (0xb6ab784000000000)

This issue was explored further using the simpler keyls project and found to be seemingly due to a problem with the pkcs11 v0.5.0 Rust crate raising an error when invoking the C_GetFunctionList() PKCS#11 function during its Ctx::new() code. Using the cryptoki Rust crate instead didn't have the same issue. See ximon18/keyls#4.
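
An added example, not code from Krill, keyls or either crate: a minimal Rust probe that loads a PKCS#11 module and calls C_GetFunctionList() directly, so a load failure like the one reported above can be checked independently of any binding crate. `Probe` and `probe_module` are illustrative names; the code assumes Linux (RTLD_NOW = 2) and Rust 1.82 or later.

```rust
// Added example: `Probe` and `probe_module` are illustrative names, not Krill code.
use std::ffi::CString;
use std::os::raw::{c_char, c_int, c_ulong, c_void};
unsafe extern "C" { // provided by the C library that std already links on Linux
    fn dlopen(file: *const c_char, flag: c_int) -> *mut c_void;
    fn dlsym(handle: *mut c_void, sym: *const c_char) -> *mut c_void;
    fn dlclose(handle: *mut c_void) -> c_int;
}
const RTLD_NOW: c_int = 2; // assumption: Linux/glibc value

// PKCS#11 defines CK_RV as CK_ULONG, i.e. C `unsigned long`:
// 32 bits on armv7-unknown-linux-gnueabihf, 64 bits on x86_64 Linux.
type CkRv = c_ulong;
type GetFunctionList = unsafe extern "C" fn(*mut *mut c_void) -> CkRv;

#[derive(Debug, PartialEq)]
pub enum Probe {
    Ok,                 // C_GetFunctionList returned CKR_OK and a table
    BadPath,            // path contains an interior NUL byte
    LoadFailed,         // dlopen() could not load the module
    NoEntryPoint,       // module does not export C_GetFunctionList
    ReturnedError(u64), // CK_RV other than CKR_OK, widened only for display
    NullFunctionList,   // CKR_OK, but no table pointer was written
}

pub fn probe_module(path: &str) -> Probe {
    let Ok(c_path) = CString::new(path) else { return Probe::BadPath };
    unsafe {
        let lib = dlopen(c_path.as_ptr(), RTLD_NOW);
        if lib.is_null() { return Probe::LoadFailed; }
        let sym = dlsym(lib, b"C_GetFunctionList\0".as_ptr() as *const c_char);
        let result = if sym.is_null() {
            Probe::NoEntryPoint
        } else {
            let get_list: GetFunctionList = std::mem::transmute(sym);
            let mut list: *mut c_void = std::ptr::null_mut();
            match get_list(&mut list) {
                0 if !list.is_null() => Probe::Ok,
                0 => Probe::NullFunctionList,
                rv => Probe::ReturnedError(rv as u64),
            }
        };
        dlclose(lib);
        result
    }
}

fn main() {
    println!("{:?}", probe_module(&std::env::args().nth(1).expect("usage: probe <module.so>")));
}
```

Built for the same target as the failing binary and run with the module path from `lib_path`, it reports whether the module itself loads and returns CKR_OK on that platform.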

ximon18 commented Feb 14, 2022

Closing as this is fixed in the dev branch and we even tweeted showing it working on ARM platforms:

ximon18 closed this as completed Feb 14, 2022