PKCS11 not available

Hello,

I was trying to follow THIS GUIDE lately. I have set up the key material and wanted to enroll my machine like:

ziti tunnel enroll -j "${HSM_DEST}/${EC_ID}.jwt" -k "pkcs11://${PKCS11_MODULE}?id=${HSM_ID2}&pin=${HSM_PIN}"

I got the following error message:

failed to enroll: failed to load private key 'pkcs11:///usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so?id=01&pin=OBSCURED': engine 'pkcs11' is not supported

In the guide, the "ziti-tunnel" binary is used. This is no longer available for newer builds, so I tried it with "ziti tunnel".

Anything Im doing wrong here?
Thanks in advance!

1 Like

Hi @mkuhlmann! I do have a YubiKey that supports PKCS11, and will try to get it working with either ziti tunnel enroll, ziti edge enroll (maybe different?) or ziti-edge-tunnel enroll (definitely different) and report back here!

Hi,
thanks for the quick reply. I just checked ziti edge enroll, but it yields the same error message.
Looking forward to your results.

ziti-edge-tunnel uses the C SDK instead of Go and so it is an independent implementation that partially overlaps the tunnel command in the ziti Go CLI.

I just found this issue: ziti edge enroll "engine 'pkcs11' is not supported" · Issue #1231 · openziti/ziti · GitHub

Ah, yes. Now I remember that it was fixed in ZET, but not ZT. I'm guessing it's because ZET is treated as the flagship tunneler with the best performance and most features, though ZT is still useful in certain situations where it behaves differently from ZET.

Will ZET work for your case?

Unfortunately no.

I call:

/opt/openziti/bin/ziti-edge-tunnel enroll -j ./token.jwt -k "pkcs11:///usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so?id=05&pin=test" -i /opt/openziti/etc/identities/tpm.json

And get:

(17036)[ 0.000] INFO ziti-sdk:utils.c:200 ziti_log_set_level() set log level: root=3/INFO
(17036)[ 0.000] INFO ziti-sdk:utils.c:169 ziti_log_init() Ziti C SDK version 0.35.12 @5acfb13(HEAD) starting at (2024-02-08T16:37:16.079)
(17036)[ 0.000] INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 0.35.12 @5acfb13(HEAD) starting enrollment at (2024-02-08T16:37:16.079)
(17036)[ 0.083] WARN ziti-sdk:ziti_enroll.c:162 well_known_certs_cb() failed to load private key[pkcs11:///usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so?id=05&pin=test]
(17036)[ 0.083] INFO ziti-sdk:ziti_enroll.c:165 well_known_certs_cb() attempting to generate pkcs11 key
(17036)[ 0.083] WARN ziti-sdk:utils.c:590 pkcs11_gen() pkcs11 key generation is not supported by TLS driver[mbed TLS 2.28.1]
(17036)[ 0.083] ERROR ziti-sdk:ziti_enroll.c:213 well_known_certs_cb() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:166 - gen_p11_key_internal(tls, &enroll_req->ecfg->pk, enroll_req->ecfg->private_key) => -10 (BIGNUM - The input arguments are negative or result in illegal output)
(17036)[ 0.083] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2141 enroll_cb() enrollment failed: error loading TLS key[-11]: BIGNUM - The input arguments are negative or result in illegal output(-11)
root@ubuntu:~# /opt/openziti/bin/ziti-edge-tunnel enroll -j ./token.jwt -k "pkcs11:///usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so?id=05&pin=test" -i /opt/openziti/etc/identities/tpm.json
(17041)[ 0.000] INFO ziti-sdk:utils.c:200 ziti_log_set_level() set log level: root=3/INFO
(17041)[ 0.000] INFO ziti-sdk:utils.c:169 ziti_log_init() Ziti C SDK version 0.35.12 @5acfb13(HEAD) starting at (2024-02-08T16:37:45.183)
(17041)[ 0.000] INFO ziti-sdk:ziti_enroll.c:88 ziti_enroll() Ziti C SDK version 0.35.12 @5acfb13(HEAD) starting enrollment at (2024-02-08T16:37:45.183)
(17041)[ 0.098] WARN ziti-sdk:ziti_enroll.c:162 well_known_certs_cb() failed to load private key[pkcs11:///usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so?id=05&pin=test]
(17041)[ 0.098] INFO ziti-sdk:ziti_enroll.c:165 well_known_certs_cb() attempting to generate pkcs11 key
(17041)[ 0.098] WARN ziti-sdk:utils.c:590 pkcs11_gen() pkcs11 key generation is not supported by TLS driver[mbed TLS 2.28.1]
(17041)[ 0.098] ERROR ziti-sdk:ziti_enroll.c:213 well_known_certs_cb() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:166 - gen_p11_key_internal(tls, &enroll_req->ecfg->pk, enroll_req->ecfg->private_key) => -10 (BIGNUM - The input arguments are negative or result in illegal output)
(17041)[ 0.098] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2141 enroll_cb() enrollment failed: error loading TLS key[-11]: BIGNUM - The input arguments are negative or result in illegal output(-11)

Any idea, whats going wrong here? I have the feeling that this key URL is wrong. But I wouldnt know how to sove this.

I'm also troubleshooting:

ziti-sdk:ziti_enroll.c:162 well_known_certs_cb() failed to load private key

Further info from p11tool:

root@ubuntu:~# p11tool --list-all "pkcs11:model=IoT%20Software%20TPM;manufacturer=MSFT;serial=0000000000000000;token=ziti"
WARNING: Getting tokens from fapi backend failed.
Object 0:
URL: pkcs11:model=IoT%20Software%20TPM;manufacturer=MSFT;serial=0000000000000000;token=ziti;id=%05;object=zitikey;type=public
Type: Public key (RSA-2048)
Label: zitikey
Flags: CKA_NEVER_EXTRACTABLE;
ID: 05

I got it working, but I had to build ziti-edge-tunnel. You can test with my build if you want:

There were two problems:

  • I was using the slot ID reported by by yubico-piv-tool, but the pkcs11 library uses the slot ID reported by opensc, e.g., pkcs11-tool, so I needed slot 01 instead of 9a.
  • the release build of ziti-edge-tunnel uses Mbed-TLS, but OpenSSL provides the pkcs11 capability, so it's necessary to build with OpenSSL.

The temporary zrok sharing links will stop working next time I reboot, so let me know if you need any help building the tunneler with OpenSSL for your platform.

Thank you so much! I would indeed need some advice on how to build ZET with OpenSSL. The BUILD.md doesnt really specify a lot of options.

Do you need an RPM, DEB, or just the binary, and for what platform and vintage, e.g., Linux with glibc 2.35 on x86_64 (Ubuntu Jammy 22.04 for amd64), Fedora 37, etc.?

The simplest thing to build is the binary, and for that, I really just need to know which libc version you're targeting to know whether the Ubuntu Bionic approach with static libssl or the Ubuntu Focal and newer approach with shared libssl is best.

I would like to be able to build the binary for multiple different hosts. At the moment im using Alma Linux 8 and 9 and a few different versions of Ubuntu.

By the way, the binary you have built for me works like a charm. I can use the TPM now.

Is Ubuntu Bionic 18.04 one of the versions of Ubuntu you are working with?

Based on my survey of libc versions, building the binary on Ubuntu Bionic with a static libssl will be the most portable option, excluding Red Hat 7, and therefore the laziest solution to the immediate problem.

Security note: Running a static libssl is not optimal. Linking to the OS's contemporary libssl would be better because it will benefit from security and other features and fixes that will be absent from the Bionic build.

We'll probably switch the releases from Mbed-TLS to OpenSSL soon. Do you prefer to wait for that eventuality while running the build I provided, or begin building static libssl on libc 2.27? Those are immediate solutions. Alternatively, we could take a closer look at building a shared libssl on libc 2.28 which might work with all those Linuxes, excluding RH7 and Ubuntu Bionic 18.04.

libc version survey for future reference:

ubuntu:bionic:                        (Ubuntu  GLIBC  2.27-3ubuntu1.6)   2.27
almalinux/8-minimal:                  (GNU     libc)  2.28               
oraclelinux:8:                        (GNU     libc)  2.28               
registry.access.redhat.com/ubi8/ubi:  (GNU     libc)  2.28               
rockylinux/rockylinux:8:              (GNU     libc)  2.28               
gcc:7:                                (Debian  GLIBC  2.28-10)           2.28
gcc:8:                                (Debian  GLIBC  2.28-10+deb10u1)   2.28
debian:buster:                        (Debian  GLIBC  2.28-10+deb10u2)   2.28
ubuntu:focal:                         (Ubuntu  GLIBC  2.31-0ubuntu9.14)  2.31
gcc:10:                               (Debian  GLIBC  2.31-13+deb11u7)   2.31
gcc:11:                               (Debian  GLIBC  2.31-13+deb11u7)   2.31
gcc:9:                                (Debian  GLIBC  2.31-13+deb11u7)   2.31
debian:bullseye:                      (Debian  GLIBC  2.31-13+deb11u8)   2.31
fedora:34:                            (GNU     libc)  2.33               
almalinux/9-minimal:                  (GNU     libc)  2.34               
fedora:35:                            (GNU     libc)  2.34               
oraclelinux:9:                        (GNU     libc)  2.34               
registry.access.redhat.com/ubi9/ubi:  (GNU     libc)  2.34               
rockylinux/rockylinux:9:              (GNU     libc)  2.34               
fedora:36:                            (GNU     libc)  2.35               
ubuntu:jammy:                         (Ubuntu  GLIBC  2.35-0ubuntu3.6)   2.35
debian:bookworm:                      (Debian  GLIBC  2.36-9+deb12u4)    2.36
gcc:12:                               (Debian  GLIBC  2.36-9+deb12u4)    2.36
gcc:13:                               (Debian  GLIBC  2.36-9+deb12u4)    2.36

@mkuhlmann Marcus, first of all, welcome to the OpenZiti party!
Secondly, thank you for trying out ZET with pkcs11 support.

Building ZET with OpenSSL is actually pretty easy using existing CMake presets, but hopefully you'll be able to switch back to pre-build binaries very soon.

Here are the basic steps for building against system-installed OpenSSL:

  • install libssl, libssl-dev packages -- needed for necessary OpenSSL headers and link targets
  • next follow the normal cmake process with TLS library var and appropriate preset for your target system:
    • cmake --preset=ci-linux-x64 -DTLSUV_TLSLIB=openssl
    • cd build; cmake --build . --target ziti-edge-tunnel

Let us know if you try it and your results
-EK