Skip to content
GitLab
Closed
Created by Benjamin Herrenschmidt@ozbenhContributor

p11tool fails to find certs with AWS KMS token (with possible fix ?)

Hi !

I am a contributor to this "soft" token which talks to AWS KMS: https://github.com/JackOfMostTrades/aws-kms-pkcs11

A given slot with this token has just two objects: A private key and a certificate.

Retrieving the certificate fails with p11tool consistently. The error seem to be a disconnect between those two functions in gnutls lib/pkcs11.c:

  • find_privkeys()

It properly finds the private key and reaches the following code:

	current = 0;
	while (pkcs11_find_objects
	       (sinfo->module, sinfo->pks, &ctx, 1, &count) == CKR_OK
	       && count == 1) {

		a[0].type = CKA_ID;
		a[0].value = certid_tmp;
		a[0].value_len = sizeof(certid_tmp);

		_gnutls_buffer_init(&list->key_ids[current]);

		if (pkcs11_get_attribute_value
		    (sinfo->module, sinfo->pks, ctx, a, 1) == CKR_OK) {
			ret = _gnutls_buffer_append_data(&list->key_ids[current],
						   a[0].value,
						   a[0].value_len);
			if (ret < 0)
				return gnutls_assert_val(ret);
			current++;
		}

		if (current > list->key_ids_size)
			break;
	}

	pkcs11_find_objects_final(sinfo);

	list->key_ids_size = current - 1;

There is only one iteration of the loop since there's only one object of type CKO_PRIVATE_KEY in the token. The retrieval of the attribute works fine, so we exist the loop with:

current = 1

We thus return from the function with

list->key_ids_size = 0

Now, this is called from this code in find_multi_objs_cb() (note: this is the only caller)

	memset(&plist, 0, sizeof(plist));

	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY) {
		ret = find_privkeys(sinfo, tinfo, &plist);
		if (ret < 0) {
			gnutls_assert();
			return ret;
		}

		if (plist.key_ids_size == 0) {
			gnutls_assert();
			return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
		}
	}

As you can see, it will hit the case where plist.key_ids_size is 0 and fail. There seem to be a disconnect as to whether key_ids_size is 0 or 1 based between the caller and the callee....

Now I'm happy to send a pull request with a fix provided somebody can confirm that my analysis is correct. I can see two main approach to fix this:

  • Remove the "-1" when setting key_ids_size in find_privKeys(). This is IMHO the most obvious fix and provides the clearest semantic

  • Remvoe the second test in the caller

Recommendations ? Did I get something very wrong ? :-)

Edited by Benjamin Herrenschmidt