RuntimeError: 1076 (AWS_ERROR_PKCS11_KEY_TYPE_UNSUPPORTED): PKCS#11 key type not supported


Hi, I'm running the PKCS#11 PubSub sample from the AWS IoT Device SDK v2, and get a runtime error 1076.

I first check my keys and certificates with the PubSub sample (i.e. without PKCS#11); all is working fine:

    python3 aws-iot-device-sdk-python-v2/samples/pubsub.py --endpoint <myendpoint> --root-ca ./Certificates/SFSRootCAG2.pem --cert ./Certificates/deviceCert.pem --key ./Certificates/deviceKey.pem

I then installed SoftHSM and imported my device key; all is OK (from pkcs11-tool):

    Available slots:
    Slot 0 (0x5f3dbf83): SoftHSM slot ID 0x5f3dbf83
      token label        : mytoken
      token manufacturer : SoftHSM project
      token model        : SoftHSM v2
      token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
      hardware version   : 2.4
      firmware version   : 2.4
      serial num         : 78b981975f3dbf83
      pin min/max        : 4/255

    Using slot 0 with a present token (0x5f3dbf83)
    Public Key Object; EC  EC_POINT 256 bits
      EC_POINT:   044104b3100bc7f44c0f35b21b881720f7806536d9eec6ef32a6401ef676053b4567a19080f55e8f3e76523e7de573c3c69d17d1b3553068bb80de82d633045c421ebf
      EC_PARAMS:  06082a8648ce3d030107
      label:      devicekey
      ID:         5f3dbf83
      Usage:      verify
    Private Key Object; EC
      label:      devicekey
      ID:         5f3dbf83
      Usage:      sign

I then run the following:

    python3 aws-iot-device-sdk-python-v2/samples/pkcs11_pubsub.py --endpoint <myendpoint> --root-ca ./Certificates/SFSRootCAG2.pem --cert ./Certificates/deviceCert.pem --pkcs11-lib /usr/lib/softhsm/libsofthsm2.so --pin 123456 --token-label mytoken --key-label devicekey

and get:

    Loading PKCS#11 library '/usr/lib/softhsm/libsofthsm2.so' ... Loaded!
    Traceback (most recent call last):
      File "aws-iot-device-sdk-python-v2/samples/pkcs11_pubsub.py", line 100, in <module>
        keep_alive_secs=30)
      File "/home/pi/.local/lib/python3.7/site-packages/awsiot/mqtt_connection_builder.py", line 304, in mtls_with_pkcs11
        return _builder(tls_ctx_options, **kwargs)
      File "/home/pi/.local/lib/python3.7/site-packages/awsiot/mqtt_connection_builder.py", line 189, in _builder
        tls_ctx = awscrt.io.ClientTlsContext(tls_ctx_options)
      File "/home/pi/.local/lib/python3.7/site-packages/awscrt/io.py", line 511, in __init__
        options._pkcs11_cert_file_contents,
    RuntimeError: 1076 (AWS_ERROR_PKCS11_KEY_TYPE_UNSUPPORTED): PKCS#11 key type not supported

Note I'm using P-256 keys. Could that be the issue, i.e. that ECC keys are not supported when using PKCS#11?

fmay
asked 2 years ago · 335 views
1 Answer

Hi,

Thanks for the question regarding PKCS#11, ECC, and the Python v2 SDK. Unfortunately I have confirmed that this only works with RSA certificates at present. Any form of ECC certificate cannot be used with PKCS#11.

We always welcome feedback and I would suggest opening a GitHub issue with the Python v2 SDK requesting support for PKCS#11 and ECC. The issue may trickle down (up?) to the common runtime package that actually implements this, but I'd start with an issue for the Python SDK team first.

Gavin_A (AWS, EXPERT)
answered 2 years ago
reviewed a month ago
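A pre-flight check that would have caught this before the SDK raised error 1076, as an added example (not code from the SDK, SoftHSM, or either post): it parses a `pkcs11-tool --list-objects` listing in the format shown in the question, decodes the DER-encoded EC_PARAMS OID to name the curve, and reports whether the private key behind a label is RSA, the only key type the answer says the SDK's PKCS#11 path accepts. The sample listing is constructed from the question's output with an RSA key pair (label `rsakey`) added to show the passing case; the curve-name table and the function names are the example's own.

```python
"""Pre-flight key-type check for the AWS IoT Device SDK v2 PKCS#11 sample.

Added example, not code from the SDK or the original post. Parses a
`pkcs11-tool --list-objects` style listing, decodes the EC_PARAMS curve OID,
and reports whether the private key behind a label is RSA (the only key type
the SDK's PKCS#11 path accepts, per the answer above).
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the EC key pair from the question plus an RSA key pair
# (label "rsakey") added to show the passing case. Not real tool output.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x5f3dbf83)
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104b3100bc7f44c0f35b21b881720f7806536d9eec6ef32a6401ef676053b4567a19080f55e8f3e76523e7de573c3c69d17d1b3553068bb80de82d633045c421ebf
  EC_PARAMS:  06082a8648ce3d030107
  label:      devicekey
  ID:         5f3dbf83
  Usage:      verify
Private Key Object; EC
  label:      devicekey
  ID:         5f3dbf83
  Usage:      sign
Public Key Object; RSA 2048 bits
  label:      rsakey
  ID:         01
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      rsakey
  ID:         01
  Usage:      decrypt, sign
"""

# Assumed table of named-curve OIDs for the NIST curves; extend as needed.
CURVE_NAMES = {
    "1.2.840.10045.3.1.7": "prime256v1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}

_HEADER = re.compile(r"^(Public|Private) Key Object; (\w+)")


def decode_der_oid(hex_der: str) -> str:
    """Decode a short-form DER OBJECT IDENTIFIER (tag 0x06) given as hex."""
    data = bytes.fromhex(hex_der)
    if len(data) < 3 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER OID")
    body = data[2:]
    arcs = [body[0] // 40, body[0] % 40]  # first byte packs arcs 1 and 2
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128; high bit means "continue"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_objects(listing: str) -> List[Dict]:
    """Split a pkcs11-tool object listing into key objects and their attributes."""
    objects: List[Dict] = []
    current: Optional[Dict] = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = {"class": m.group(1).lower(), "type": m.group(2), "attrs": {}}
            objects.append(current)
        elif re.match(r"^\w+ Object;", line):
            current = None  # certificate/data objects are not keys; skip their attrs
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            current["attrs"][name.strip()] = value.strip()
    return objects


def check_private_key(listing: str, key_label: str) -> Dict:
    """Report type, curve and SDK usability of the private key labelled `key_label`.

    `sdk_supported` is True only for RSA; an EC key here is exactly what makes
    the SDK fail with AWS_ERROR_PKCS11_KEY_TYPE_UNSUPPORTED.
    """
    objects = parse_objects(listing)
    priv = next((o for o in objects
                 if o["class"] == "private" and o["attrs"].get("label") == key_label), None)
    if priv is None:
        return {"label": key_label, "type": None, "curve": None, "sdk_supported": False}
    curve = None
    if priv["type"] == "EC":
        # EC_PARAMS is printed on the public half; pair the halves via the CKA_ID.
        pub = next((o for o in objects if o["class"] == "public"
                    and o["attrs"].get("ID") == priv["attrs"].get("ID")), None)
        if pub and "EC_PARAMS" in pub["attrs"]:
            oid = decode_der_oid(pub["attrs"]["EC_PARAMS"])
            curve = CURVE_NAMES.get(oid, oid)
    return {"label": key_label, "type": priv["type"], "curve": curve,
            "sdk_supported": priv["type"] == "RSA"}


if __name__ == "__main__":
    for label in ("devicekey", "rsakey", "missing"):
        print(check_private_key(SAMPLE_LISTING, label))
```

Run it against real output by piping `pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login --list-objects` into `check_private_key` with the label you pass as `--key-label`; for the question's token it reports an EC key on prime256v1, which is why `mtls_with_pkcs11` rejects it, while an RSA key under the same label would pass.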
