Can you provide an example of how to use PKCS#11 interface to connect MQTT on Android9.0?

[Runxing123]

Confirm by changing [ ] to [x] below:

• [ ✔] I've searched for previous similar issues and didn't find any solution

Platform/OS/Hardware/Device
Android9.0

Describe the question

public class TlsContextPkcs11Options extends CrtResource {
  Pkcs11Lib pkcs11Lib;
  String userPin;
  Long slotId;
  String tokenLabel;
  String privateKeyObjectLabel;
  String certificateFilePath;
  String certificateFileContents;

  public TlsContextPkcs11Options(Pkcs11Lib pkcs11Lib) {
    this.addReferenceTo(pkcs11Lib);
    this.pkcs11Lib = pkcs11Lib;
  }

  public TlsContextPkcs11Options withUserPin(String pin) {
    this.userPin = pin;
    return this;
  }

  public TlsContextPkcs11Options withSlotId(long slotId) {
    this.slotId = slotId;
    return this;
  }

  public TlsContextPkcs11Options withTokenLabel(String label) {
    this.tokenLabel = label;
    return this;
  }

  public TlsContextPkcs11Options withPrivateKeyObjectLabel(String label) {
    this.privateKeyObjectLabel = label;
    return this;
  }

  public TlsContextPkcs11Options withCertificateFilePath(String path) {
    this.certificateFilePath = path;
    return this;
  }

  public TlsContextPkcs11Options withCertificateFileContents(String contents) {
    this.certificateFileContents = contents;
    return this;
  }

  protected void releaseNativeHandle() {
  }

  protected boolean canReleaseReferencesImmediately() {
    return true;
  }
}

Which fields are definitely required in the TlsContextPkcs11Options instance? Can you help provide a sample code?

[TwistedTwigleg]

I believe the following settings are the minimal required settings for making an PKCS11 connection:

• pkcs11Lib
• userPin
• certificateFilePath

You can find sample code for creating an MQTT PKCS11 connection in the PKCS11 PubSub sample.
There is also a simplified PKCS11 connection sample here in this PR that might also be helpful as a reference as it only contains code for making a PKCS11 connection and nothing more: #233

Also: While we know the code compiles on Android, we have currently not run tests to ensure it works on Android at this time.

[graebm]

Here's a link to the public docs for TlsContextPkcs11Options

@TwistedTwigleg was right that you probably only need to give those 3 arguments. But depending on how your PKCS#11 device is set up you may need to specify other parameters

[oshoemaker]

@TwistedTwigleg, I am curious if you have any further suggestions. There seems to be threading/locking issues with the use of this library in conjunction with the CRT library for android.

After some slight modifications to the library the current issues is with the failure around the mutex and then lack of OS locking support when using this library on android.

For example, when attempting to call .newMtlsPkcs11Builder(pkcs11Options) I get the following error:

Exception encountered: software.amazon.awssdk.crt.CrtRuntimeException: TlsContext.tls_ctx_new: Failed to create new aws_tls_ctx (aws_last_error: AWS_ERROR_PKCS11_CKR_CANT_LOCK(1086), A PKCS#11 (Cryptoki) library function failed with return value CKR_CANT_LOCK) AWS_ERROR_PKCS11_CKR_CANT_LOCK(1086)

However, when I load the module manually, and supply a null pointer for the mutex handler AND disable OS Locking I am able to initialize and query the device via the PKCS11 library:

Module module = Module.getInstance("/vendor/lib/libcryptoauth.so", "/vendor/lib/libcryptoauth.so");
module.initialize(null);
PKCS11 pkcs11 = module.getPKCS11Module();

CK_INFO info = pkcs11.C_GetInfo();
CK_SLOT_INFO slotInfo = pkcs11.C_GetSlotInfo(slotID);
CK_TOKEN_INFO tokenInfo = pkcs11.C_GetTokenInfo(slotID);

These calls to pkcs11 lib function as expected.

I am struggling to see a way for the current AWS SDK implementation to function with the CRT library on Android. Any thoughts/suggestions?

[TwistedTwigleg]

I'm not sure. Right now we know that the code can compile on Android, but we have currently not run testing to make sure the SDK runs with all functions on Android at this time.

A potential solution in the short term would be to modify the CRT code so that it does not look for OS locks, disabling the checks and related code. However, this may cause issues if the locks are needed for synchronizing. It might work though if the code executes synchronously and nothing tries to access it in a asynchronous way, but it might not. I am not sure how necessary the locks are currently, and I would be cautious to remove them, but in this case that seems to be the most viable short-term solution.

Unfortunately, I do not have a better long-term solution or suggestion at this time. Thank you for bringing this to our attention though!

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.