
Issue with PKCS11 backend with Nitrokey HSM #380

Closed
ggardet opened this issue Apr 1, 2021 · 12 comments
Labels
bug Something isn't working

Comments


ggardet commented Apr 1, 2021

I am trying to use a USB Nitrokey HSM with Parsec 0.7.2.
I initialized the HSM key with: pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --init-token --init-pin --so-pin=3537363231383830 --new-pin=648219 --label="test" --pin=648219

Then softhsm2-util --show-slots gave me the slot number:

Available slots:
Slot 1777555050
    Slot info:
        Description:      SoftHSM slot ID 0x69f3566a                                      
        Manufacturer ID:  SoftHSM project                 
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project                 
        Model:            SoftHSM v2      
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:    c4fe62b3e9f3566a
        Initialized:      yes
        User PIN init.:   yes
        Label:            test

Then I updated the config file with:

[[provider]]
provider_type = "Pkcs11"
key_info_manager = "on-disk-manager"
library_path = "/usr/lib64/pkcs11/libsofthsm2.so"
slot_number = 1777555050
user_pin = "648219"
software_public_operations = false

But I get:

parsec[14154]: [ERROR parsec_service::providers::pkcs11] Error initializing PKCS 11 context;
parsec[14154]: [ERROR cryptoki] Failed to finalize: PKCS11 error: This value can be returned by any function other than C_Initialize and C_GetFunctionList.  It indicates that the function cannot be executed because the Cryptoki library has not yet been initialized by a call to C_Initialize.
parsec[14154]: [ERROR parsec_service::utils::service_builder] Provider with ID PKCS #11 provider cannot be created;
parsec[14154]: Error: failed to create provider

If I change the library path to /usr/lib64/pkcs11/opensc-pkcs11.so:

[[provider]]
provider_type = "Pkcs11"
key_info_manager = "on-disk-manager"
library_path = "/usr/lib64/pkcs11/opensc-pkcs11.so"
slot_number = 1777555050
user_pin = "648219"
software_public_operations = false

I get a different error message:

parsec[14352]: [ERROR parsec_service::providers::pkcs11::utils] Error converted to PsaErrorCommunicationFailure;
parsec[13587]: [ERROR parsec_service::utils::service_builder] Provider with ID PKCS #11 provider cannot be created;
parsec[13587]: Error: failed to create provider

@ggardet ggardet changed the title Issue with PKCS#11 Issue with PKCS11 backend with Nitrokey HSM Apr 1, 2021
@hug-dev hug-dev added the bug Something isn't working label Apr 1, 2021

hug-dev commented Apr 1, 2021

Hmm weird. To have more details about what happened, can you modify Parsec config and set:

[core_settings]
log_level = "trace"
log_error_details = true

and try again?


ggardet commented Apr 1, 2021

With /usr/lib64/pkcs11/libsofthsm2.so:

avril 01 15:21:59 localhost parsec[2053]: [INFO  parsec] Parsec started. Configuring the service...
avril 01 15:21:59 localhost parsec[2053]: [WARN  parsec_service::key_info_managers::on_disk_manager] Inserting Key Triple (Application Name: "0", Provider ID: TPM provider, Key Name: "testTPM_ecc") mapping read from disk.
avril 01 15:21:59 localhost parsec[2053]: [WARN  parsec_service::key_info_managers::on_disk_manager] Inserting Key Triple (Application Name: "0", Provider ID: TPM provider, Key Name: "testTPM2") mapping read from disk.
avril 01 15:21:59 localhost parsec[2053]: [WARN  parsec_service::key_info_managers::on_disk_manager] Inserting Key Triple (Application Name: "0", Provider ID: TPM provider, Key Name: "testTPM") mapping read from disk.
avril 01 15:21:59 localhost parsec[2053]: [INFO  parsec_service::utils::service_builder] Creating a Mbed Crypto Provider.
avril 01 15:21:59 localhost parsec[2053]: [INFO  parsec_service::utils::service_builder] Creating a PKCS 11 Provider.
avril 01 15:21:59 localhost parsec[2053]: [INFO  parsec_service::providers::pkcs11] Building a PKCS 11 provider with library '/usr/lib64/pkcs11/libsofthsm2.so'
avril 01 15:21:59 localhost parsec[2053]: [TRACE parsec_service::providers::pkcs11] Initialize command
avril 01 15:21:59 localhost parsec[2053]: [ERROR parsec_service::providers::pkcs11] Error initializing PKCS 11 context; Error: PKCS11 error: Some horrible, unrecoverable error has occurred.  In the worst case, it is possible that the function only partially succeeded, and that the computer and/or token is in an inconsistent state.
avril 01 15:21:59 localhost parsec[2053]: [ERROR cryptoki] Failed to finalize: PKCS11 error: This value can be returned by any function other than C_Initialize and C_GetFunctionList.  It indicates that the function cannot be executed because the Cryptoki library has not yet been initialized by a call to C_Initialize.
avril 01 15:21:59 localhost parsec[2053]: [ERROR parsec_service::utils::service_builder] Provider with ID PKCS #11 provider cannot be created; Error: error initializing PKCS 11 context
avril 01 15:21:59 localhost parsec[2053]: Error: failed to create provider

With /usr/lib64/pkcs11/opensc-pkcs11.so:

avril 01 15:16:12 localhost parsec[1691]: [INFO  parsec] Parsec started. Configuring the service...
avril 01 15:16:12 localhost parsec[1691]: [WARN  parsec_service::key_info_managers::on_disk_manager] Inserting Key Triple (Application Name: "0", Provider ID: TPM provider, Key Name: "testTPM_ecc") mapping read from disk.
avril 01 15:16:12 localhost parsec[1691]: [WARN  parsec_service::key_info_managers::on_disk_manager] Inserting Key Triple (Application Name: "0", Provider ID: TPM provider, Key Name: "testTPM2") mapping read from disk.
avril 01 15:16:12 localhost parsec[1691]: [WARN  parsec_service::key_info_managers::on_disk_manager] Inserting Key Triple (Application Name: "0", Provider ID: TPM provider, Key Name: "testTPM") mapping read from disk.
avril 01 15:16:12 localhost parsec[1691]: [INFO  parsec_service::utils::service_builder] Creating a Mbed Crypto Provider.
avril 01 15:16:12 localhost parsec[1691]: [INFO  parsec_service::utils::service_builder] Creating a PKCS 11 Provider.
avril 01 15:16:12 localhost parsec[1691]: [INFO  parsec_service::providers::pkcs11] Building a PKCS 11 provider with library '/usr/lib64/pkcs11/opensc-pkcs11.so'
avril 01 15:16:12 localhost parsec[1691]: [TRACE parsec_service::providers::pkcs11] Initialize command
avril 01 15:16:12 localhost pcscd[1670]: 00248350 auth.c:137:IsClientAuthorized() Process 1691 (user: 479) is NOT authorized for action: access_pcsc
avril 01 15:16:12 localhost pcscd[1670]: 00000329 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
avril 01 15:16:12 localhost parsec[1691]: [ERROR parsec_service::providers::pkcs11::utils] Error converted to PsaErrorCommunicationFailure; Error: The specified slot ID is not valid.
avril 01 15:16:12 localhost parsec[1691]: [ERROR parsec_service::utils::service_builder] Provider with ID PKCS #11 provider cannot be created; Error: PKCS 11 initialization failed
avril 01 15:16:12 localhost parsec[1691]: Error: failed to create provider


hug-dev commented Apr 1, 2021

My guess is that it's some permission problem, that the user running Parsec is not allowed to access the libraries/HSM. Did you perform the pkcs11-tool command with the same user running Parsec?
Maybe it can be solved by adding the Parsec user to some Linux group? We did run Parsec using a Nitrokey HSM in the past but I do not remember if we needed a special Linux group...


hug-dev commented Apr 1, 2021

My user on my machine is member of the dialout group, maybe that?

edit: disk as well, which might be relevant
edit2: that's all on Fedora for me


ggardet commented Apr 1, 2021

> My guess is that it's some permission problem, that the user running Parsec is not allowed to access the libraries/HSM. Did you perform the pkcs11-tool command with the same user running Parsec?

No, it is a different user. parsec service is run as parsec user.

> Maybe it can be solved by adding the Parsec user to some Linux group? We did run Parsec using a Nitrokey HSM in the past but I do not remember if we needed a special Linux group...

I will try to add some groups (dialout, disk) to the parsec user.

I am on openSUSE Tumbleweed.


anta5010 commented Apr 1, 2021

You can check permissions on all directories inside /var/lib/softhsm/tokens/
I had an issue when running softhsm2-util as root and parsec as the parsec user, although I had a different error.


ionut-arm commented Apr 1, 2021

At least for the opensc-pkcs11.so errors it seems other access control mechanisms (polkit?) are used, at least for Fedora/CentOS: https://support.nitrokey.com/t/pkcs11-tool-is-a-udev-rule-required-for-centos-8/2728


ggardet commented Apr 1, 2021

> You can check permissions on all directories inside /var/lib/softhsm/tokens/
> I had an issue when running softhsm2-util as root and parsec as the parsec user, although I had a different error.

Indeed, the folder inside /var/lib/softhsm/tokens/ was owned by root:root.
So, I did a chown -R parsec:parsec /var/lib/softhsm/tokens/* and parsec service started properly!

Not sure how to handle this properly.

> At least for the opensc-pkcs11.so errors it seems other access control mechanisms (polkit?) are used, at least for Fedora/CentOS: https://support.nitrokey.com/t/pkcs11-tool-is-a-udev-rule-required-for-centos-8/2728

I added /usr/share/polkit-1/rules.d/01-pcscd.rules with:

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'name of reader' &&
        subject.user == "parsec") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "parsec") {
            return polkit.Result.YES;
    }
});

And the error is different:

avril 01 16:39:32 localhost parsec[1690]: [WARN  parsec_service::key_info_managers::on_disk_manager] Inserting Key Triple (Application Name: "0", Provider ID: TPM provider, Key Name: "testTPM2") mapping read from disk.
avril 01 16:39:32 localhost parsec[1690]: [WARN  parsec_service::key_info_managers::on_disk_manager] Inserting Key Triple (Application Name: "0", Provider ID: TPM provider, Key Name: "testTPM") mapping read from disk.
avril 01 16:39:32 localhost parsec[1690]: [INFO  parsec_service::utils::service_builder] Creating a Mbed Crypto Provider.
avril 01 16:39:32 localhost parsec[1690]: [INFO  parsec_service::utils::service_builder] Creating a PKCS 11 Provider.
avril 01 16:39:32 localhost parsec[1690]: [INFO  parsec_service::providers::pkcs11] Building a PKCS 11 provider with library '/usr/lib64/pkcs11/opensc-pkcs11.so'
avril 01 16:39:32 localhost parsec[1690]: [TRACE parsec_service::providers::pkcs11] Initialize command
avril 01 16:39:32 localhost parsec[1690]: [ERROR parsec_service::providers::pkcs11::utils] Error converted to PsaErrorCommunicationFailure; Error: The specified slot ID is not valid.
avril 01 16:39:32 localhost parsec[1690]: [ERROR parsec_service::utils::service_builder] Provider with ID PKCS #11 provider cannot be created; Error: PKCS 11 initialization failed
avril 01 16:39:32 localhost parsec[1690]: Error: failed to create provider

whereas the same slot_number works with softhsm...

Also, pkcs11-tool --list-slots returns:

Available slots:
No slots

so, it is kind of consistent.
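A check for the ownership problem found above (token files owned by root:root while the service runs as parsec), as an added example that is not code from the thread or from Parsec. It assumes POSIX sh with find(1) and id(1); the service user and token directory are parameters, and the fix is only printed, never applied.

```shell
#!/bin/sh
# Added example, not from the issue: report SoftHSM token files that are not
# owned by the user the parsec service runs as. This is the condition behind
# the "Some horrible, unrecoverable error" failure with libsofthsm2.so above.
# Assumptions: POSIX sh, find(1) supporting -user, id(1).

# check_token_ownership USER DIR
#   returns 0 - every entry under DIR is owned by USER
#   returns 1 - at least one entry is not; offending paths are printed
#   returns 2 - USER or DIR does not exist
check_token_ownership() {
    user="$1"
    dir="$2"
    if ! id "$user" >/dev/null 2>&1; then
        echo "check_token_ownership: no such user: $user" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "check_token_ownership: no such directory: $dir" >&2
        return 2
    fi
    # find descends into every token subdirectory; ! -user lists entries
    # whose owner is not USER (directories included, since SoftHSM must
    # traverse them to reach token.object and the key files).
    bad=$(find "$dir" ! -user "$user")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Print (do not run) the command the thread used to repair ownership.
suggest_fix() {
    printf 'chown -R %s:%s %s\n' "$1" "$1" "$2"
}

# Stand-alone usage with the values from the issue:
#   check_token_ownership parsec /var/lib/softhsm/tokens \
#       || suggest_fix parsec /var/lib/softhsm/tokens
```

Run it as root or as the service user; a non-root caller may not be able to descend into token directories it does not own, in which case find reports the error and the listing is incomplete.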


hug-dev commented Apr 1, 2021

I think @anta5010 actually had this specific error (but with SoftHSM). You can initialize a token but not access its slots. I think it's still a permission issue somehow.

I had to do something similar with polkit when I tried it a long time ago, here are my rules if it helps:

$ cat /usr/share/polkit-1/rules.d/org.debian.pcsc-lite.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "hugdev") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.user == "hugdev") {
            return polkit.Result.YES;
    }
});

Maybe try to remove the action.lookup("reader") == 'name of reader' condition?

@ionut-arm

@ggardet did you manage to get this to work?


ggardet commented Apr 26, 2021

> @ggardet did you manage to get this to work?

No, I gave up for now due to other high priority tasks.

@ionut-arm

Closing this as stale, feel free to open if you hit this problem again!
