p11-kit: cryptoauthlib: module failed to initialize: An error occurred on the device #161

Closed
AlessioC31 opened this issue Jun 9, 2020 · 19 comments

@AlessioC31

AlessioC31 commented Jun 9, 2020

Hi everyone,
I'm on a Rpi 3 B and I'm trying to use an ATECC508a (connected via i2c) as a pkcs11 slot. I can't manage to get it to a working state because when I execute sudo p11tool --list-all I get:

C_Initialize
IN: pInitArgs = NULL
C_Initialize = CKR_DEVICE_ERROR
p11-kit: cryptoauthlib: module failed to initialize: An error occurred on the device
pkcs11_init: PKCS #11 initialization error.
warning: no token URL was provided for this operation; the available tokens are:

That's my lib/atca_config.h:

/**
 * \file
 * \brief Cryptoauthlib Configuration Defines
 *
 * \copyright (c) 2015-2018 Microchip Technology Inc. and its subsidiaries.
 *
 * \page License
 *
 * Subject to your compliance with these terms, you may use Microchip software
 * and any derivatives exclusively with Microchip products. It is your
 * responsibility to comply with third party license terms applicable to your
 * use of third party software (including open source software) that may
 * accompany Microchip software.
 *
 * THIS SOFTWARE IS SUPPLIED BY MICROCHIP "AS IS". NO WARRANTIES, WHETHER
 * EXPRESS, IMPLIED OR STATUTORY, APPLY TO THIS SOFTWARE, INCLUDING ANY IMPLIED
 * WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A
 * PARTICULAR PURPOSE. IN NO EVENT WILL MICROCHIP BE LIABLE FOR ANY INDIRECT,
 * SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL LOSS, DAMAGE, COST OR EXPENSE
 * OF ANY KIND WHATSOEVER RELATED TO THE SOFTWARE, HOWEVER CAUSED, EVEN IF
 * MICROCHIP HAS BEEN ADVISED OF THE POSSIBILITY OR THE DAMAGES ARE
 * FORESEEABLE. TO THE FULLEST EXTENT ALLOWED BY LAW, MICROCHIP'S TOTAL
 * LIABILITY ON ALL CLAIMS IN ANY WAY RELATED TO THIS SOFTWARE WILL NOT EXCEED
 * THE AMOUNT OF FEES, IF ANY, THAT YOU HAVE PAID DIRECTLY TO MICROCHIP FOR
 * THIS SOFTWARE.
 */

#ifndef _ATCA_CONFIG_H
#define _ATCA_CONFIG_H

/** Use I2C */
#define ATCA_HAL_I2C

/** Use the following address for ECC devices */
#define ATCA_I2C_ECC_ADDRESS    0xB0

/** Define if cryptoauthlib is to use the maximum execution time method */
#define ATCA_NO_POLL

#define ATCA_ATECC508A_SUPPORT
/** Use RTOS timers (i.e. delays that yield) */
//#define ATCA_USE_RTOS_TIMER


#endif

lib/pkcs11/pkcs11_config.h:

/**
 * \file
 * \brief PKCS11 Library Configuration
 *
 * Copyright (c) 2017 Microchip Technology Inc. All rights reserved.
 *
 * \atmel_crypto_device_library_license_start
 *
 * \page License
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * 3. The name of Atmel may not be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * 4. This software may only be redistributed and used in connection with an
 *    Atmel integrated circuit.
 *
 * THIS SOFTWARE IS PROVIDED BY ATMEL "AS IS" AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE
 * EXPRESSLY AND SPECIFICALLY DISCLAIMED. IN NO EVENT SHALL ATMEL BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * \atmel_crypto_device_library_license_stop
 */

#ifndef PKCS11_CONFIG_H_
#define PKCS11_CONFIG_H_


/* Cryptoauthlib at the time of this module development is not versioned */
#ifndef ATCA_LIB_VER_MAJOR
#define ATCA_LIB_VER_MAJOR  3
#endif

#ifndef ATCA_LIB_VER_MINOR
#define ATCA_LIB_VER_MINOR  2
#endif

/** If an Auth-key or IoProtection Secret is to be used this is the
 * slot number of it */
#ifndef PKCS11_PIN_SLOT
#define PKCS11_PIN_SLOT                 6
#endif

/** Define to lock the PIN slot after writing */
#ifndef PKCS11_LOCK_PIN_SLOT
#define PKCS11_LOCK_PIN_SLOT            0
#endif

/** Enable PKCS#11 Debugging Messages */
#ifndef PKCS11_DEBUG_ENABLE
#define PKCS11_DEBUG_ENABLE             0
#endif

/** Use Static or Dynamic Allocation */
#ifndef PKCS11_USE_STATIC_MEMORY
#define PKCS11_USE_STATIC_MEMORY        1
#endif

/** Use a compiled configuration rather than loading from a filestore */
#ifndef PKCS11_USE_STATIC_CONFIG
#define PKCS11_USE_STATIC_CONFIG        0
#endif

/** Maximum number of slots allowed in the system - if static memory this will
   always be the number of slots */
#ifndef PKCS11_MAX_SLOTS_ALLOWED
#define PKCS11_MAX_SLOTS_ALLOWED        1
#endif

/** Maximum number of total sessions allowed in the system - if using static
   memory then this many session contexts will be allocated */
#ifndef PKCS11_MAX_SESSIONS_ALLOWED
#define PKCS11_MAX_SESSIONS_ALLOWED     10
#endif

/** Maximum number of cryptographic objects allowed to be cached */
#ifndef PKCS11_MAX_OBJECTS_ALLOWED
#define PKCS11_MAX_OBJECTS_ALLOWED      16
#endif

/** Maximum label size in characters */
#ifndef PKCS11_MAX_LABEL_SIZE
#define PKCS11_MAX_LABEL_SIZE           30
#endif

/****************************************************************************/
/* The following configuration options are for fine tuning of the library   */
/****************************************************************************/

/** Defines if the library will produce a static function list or use an
   externally defined one. This is an optimization that allows for a statically
   linked library to include only the PKCS#11 functions that the application
   intends to use. Otherwise compilers will not be able to optimize out the unused
   functions */
#ifndef PKCS11_EXTERNAL_FUNCTION_LIST
#define PKCS11_EXTERNAL_FUNCTION_LIST    0
#endif

/** Static Search Attribute Cache in bytes (variable number of attributes based
   on size and memory requirements) */
#ifndef PKCS11_SEARCH_CACHE_SIZE
#define PKCS11_SEARCH_CACHE_SIZE        128
#endif

/** Device Support for ATECC508A */
#ifndef PKCS11_508_SUPPORT
#define PKCS11_508_SUPPORT              1
#endif

/** Device Support for ATECC608A */
#ifndef PKCS11_608_SUPPORT
#define PKCS11_608_SUPPORT              1
#endif

/** Support for configuring a "blank" or new device */
#ifndef PKCS11_TOKEN_INIT_SUPPORT
#define PKCS11_TOKEN_INIT_SUPPORT       1
#endif

/** Include the monotonic hardware feature as an object */
#ifndef PKCS11_MONOTONIC_ENABLE
#define PKCS11_MONOTONIC_ENABLE         0
#endif


#include "pkcs11/cryptoki.h"
#include <stddef.h>
typedef struct _pkcs11_slot_ctx *pkcs11_slot_ctx_ptr;
typedef struct _pkcs11_lib_ctx  *pkcs11_lib_ctx_ptr;
typedef struct _pkcs11_object   *pkcs11_object_ptr;

CK_RV pkcs11_config_load_objects(pkcs11_slot_ctx_ptr pSlot);
CK_RV pkcs11_config_load(pkcs11_slot_ctx_ptr slot_ctx);
CK_RV pkcs11_config_cert(pkcs11_lib_ctx_ptr pLibCtx, pkcs11_slot_ctx_ptr pSlot, pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pcLabel);
CK_RV pkcs11_config_key(pkcs11_lib_ctx_ptr pLibCtx, pkcs11_slot_ctx_ptr pSlot, pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pcLabel);
CK_RV pkcs11_config_remove_object(pkcs11_lib_ctx_ptr pLibCtx, pkcs11_slot_ctx_ptr pSlot, pkcs11_object_ptr pObject);

void pkcs11_config_init_private(pkcs11_object_ptr pObject, char * label, size_t len);
void pkcs11_config_init_public(pkcs11_object_ptr pObject, char * label, size_t len);
void pkcs11_config_init_cert(pkcs11_object_ptr pObject, char * label, size_t len);

#endif /* PKCS11_CONFIG_H_ */

(the only thing I modified here is #define PKCS11_508_SUPPORT 1 because it was at 0 initially.)

/var/lib/cryptoauthlib/0.conf:

# Reserved Configuration for a device
# The objects in this file will be created and marked as undeletable
# These are processed in order. Configuration parameters must be comma
# delimited and may not contain spaces

interface = i2c,0xB0
#freeslots = 1,2,3

# Slot 0 is the primary private key
object = private,device,0

# Slot 10 is the certificate data for the device's public key
#object = certificate,device,10

# Slot 12 is the intermediate/signer certificate data
#object = certificate,signer,12

# Slot 15 is a public key
object = public,root,15

And lastly that's the output of sudo i2cdetect -y 1:

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- 58 -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

Can you please help me figure out what I'm doing wrong?

Thanks.

@bryan-hunt
Contributor

You need to follow the wiki steps for either setting up p11-kit or provide the provider library to p11-tool in your commands

Remember that sudo changes the environment of execution as well. So that means if you set up p11-kit you will have to set it up properly to work in both. If you're using i2c you shouldn't have to be using sudo though.

@AlessioC31
Author

I already set up p11-kit in order to use the cryptoauthlib module, I forgot to mention it, sorry.

/usr/share/p11-kit/modules/cryptoauthlib.module:

module: /usr/lib/libcryptoauth.so
critical: yes
trust-policy: yes
managed: yes
log-calls: yes

I executed p11tool without sudo before but the output doesn't change.
I also tried to execute p11tool providing the provider:

$ p11tool --provider=/usr/lib/libcryptoauth.so
p11-kit: (unknown): module failed to initialize: An error occurred on the device
pkcs11_add_provider: PKCS #11 error in device

Am I missing something more? Can you please link me the wiki you're referring to? So I can be sure I'm following the right thing, thanks

@bryan-hunt
Contributor

Okay, sudo should be unnecessary. Try modifying the interface line in your configuration like this.

interface = i2c,0xB0,1

@AlessioC31
Author

Now it works. What does the ",1" stand for?

Thanks!

@bryan-hunt
Contributor

I2C bus number.

@shearl

shearl commented Jun 12, 2020

Hi All,

I am trying to do almost the same thing as @AlessioC31. I am using a Rpi 3 B+ and I'm trying to use an ATECC608a connected via i2c as a pkcs11 slot. I have followed the wiki steps to set up p11tool and the suggestion here by @bryan-hunt to append ",1" for the i2c bus number in /var/lib/cryptoauthlib/0.conf.

When I execute the --list-all command I get the following output (regardless of what I type for the PIN).

$ p11tool --provider /usr/lib/libcryptoauth.so --list-all
Object 0:
	URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=62A6D7FF625F;token=0123EE;object=device;type=private
Token '0123EE' with URL 'pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=62A6D7FF625F;token=0123EE' requires user PIN
Enter PIN: 
	Type: Private key (EC/ECDSA)
	Label: device
	Flags: CKA_PRIVATE; CKA_SENSITIVE; 
	ID: 
$ 

When I try to execute the command in the wiki to Get the public key for a private key I get the error shown in the output below (again, regardless of what I type for the PIN).

pi@raspberrypi:~/projects/Microchip/cryptoauthlib $ p11tool --provider /usr/lib/libcryptoauth.so --export-pubkey "pkcs11:token=0123EE;object=device;type=private"
note: assuming --login for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
Token '0123EE' with URL 'pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=62A6D7FF625F;token=0123EE' requires user PIN
Enter PIN: 
Error in pkcs11_export_pubkey:1391: The requested data were not available.

Below is the contents of my lib/atca_config.h, modified to follow the model of what @AlessioC31 had in his lib/atca_config.h. My modifications are as follows: I uncommented #define ATCA_HAL_I2C, changed the i2c address per the output of i2cdetect and added #define ATCA_ATECC608A_SUPPORT. (Note that uncommenting #define ATCA_HAL_I2C results in a lot of warning: "ATCA_HAL_I2C" redefined messages during compilation.)

#ifndef _ATCA_CONFIG_H
#define _ATCA_CONFIG_H

/** Use I2C */
#define ATCA_HAL_I2C

/** Use the following address for ECC devices */
#define ATCA_I2C_ECC_ADDRESS    0xC0

/** Define if cryptoauthlib is to use the maximum execution time method */
#define ATCA_NO_POLL

/** Use RTOS timers (i.e. delays that yield) */
//#define ATCA_USE_RTOS_TIMER

#define ATCA_ATECC608A_SUPPORT

Below are the contents of my /var/lib/cryptoauthlib/0.conf. The only thing I changed here is the i2c address and appended ",1" for the bus number per the suggestion from @bryan-hunt.

# Reserved Configuration for a device
# The objects in this file will be created and marked as undeletable
# These are processed in order. Configuration parameters must be comma
# delimited and may not contain spaces

interface = i2c,0xC0,1
freeslots = 1,2,3

# Slot 0 is the primary private key
object = private,device,0

# Slot 10 is the certificate data for the device's public key
#object = certificate,device,10

# Slot 12 is the intermediate/signer certificate data
#object = certificate,signer,12

# Slot 15 is a public key
object = public,root,15

Below is the output of sudo i2cdetect -y 1. I believe that the device address of 0x60 is 0xC0.

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- -- 
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
60: 60 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
70: -- -- -- -- -- -- -- --    

My guess is that the ATECC608A does not come pre-provisioned with the default keys and certificates as found in /var/lib/cryptoauthlib/slot.conf.tmpl? Is there a way under Linux to provision the ATECC608A? Also, is there a default PIN?
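The two configuration slips that came up above, the missing I2C bus number on the interface line and the 7-bit address shown by i2cdetect (0x60) versus the 8-bit form cryptoauthlib takes (0xC0), can be caught before p11tool is run. The following is an added example written for this thread, not cryptoauthlib code; it assumes the interface = i2c,<addr>[,<bus>] line format shown above, and that cryptoauthlib expects the 8-bit write address while i2cdetect prints 7-bit addresses. The sample config and scan inputs are constructed from the posts above.

```python
"""Cross-check a cryptoauthlib PKCS#11 slot config (0.conf) against an
i2cdetect scan.  Added example for this thread, not cryptoauthlib code.
Assumptions: the 'interface = i2c,<addr>[,<bus>]' line format shown in the
thread, and that cryptoauthlib takes the 8-bit (write) address, e.g. 0xC0,
while i2cdetect prints the 7-bit form, e.g. 0x60."""
import re

# Constructed sample: the first post's 0.conf, which lacks the bus number
CONF_NO_BUS = """# Reserved Configuration for a device
interface = i2c,0xB0
object = private,device,0
object = public,root,15
"""

# Constructed sample: the corrected form with the bus number appended
CONF_WITH_BUS = "interface = i2c,0xC0,1\nfreeslots = 1,2,3\nobject = private,device,0\n"

# Constructed i2cdetect -y 1 scans: one device at 7-bit 0x58, one at 7-bit 0x60
I2CDETECT_0X58 = """     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- 58 -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
"""
I2CDETECT_0X60 = """     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
60: 60 -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
"""


def parse_interface(conf_text):
    """Return (kind, addr8, bus) from the interface line; bus is None if absent."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() != "interface":
            continue
        fields = [f.strip() for f in value.split(",")]
        kind = fields[0]
        addr8 = int(fields[1], 0) if len(fields) > 1 else None
        bus = int(fields[2], 0) if len(fields) > 2 else None
        return kind, addr8, bus
    raise ValueError("no interface line found in config")


def parse_i2cdetect(scan_text):
    """Return the set of 7-bit addresses i2cdetect reported (hex cell or 'UU')."""
    found = set()
    for line in scan_text.splitlines():
        m = re.match(r"^([0-9a-f])0:", line)
        if not m:
            continue  # column header or unrelated text
        base = int(m.group(1), 16) << 4
        for col in range(16):  # each cell is 3 chars wide, starting at offset 4
            cell = line[4 + 3 * col:6 + 3 * col].strip()
            if cell and cell != "--":
                found.add(base + col)
    return found


def check_config(conf_text, scan_text):
    """Return a list of problems; an empty list means config and scan agree."""
    problems = []
    kind, addr8, bus = parse_interface(conf_text)
    if kind != "i2c":
        return [f"interface kind {kind!r} is not i2c; nothing to cross-check"]
    if bus is None:
        problems.append("interface line has no I2C bus number "
                        "(the fix in this thread: 'interface = i2c,0xC0,1')")
    if addr8 is None or addr8 & 1 or addr8 > 0xFE:
        problems.append(f"{addr8!r} is not a valid 8-bit I2C write address")
        return problems
    addr7 = addr8 >> 1
    present = parse_i2cdetect(scan_text)
    if addr7 not in present:
        seen = ", ".join(f"0x{a:02X}" for a in sorted(present)) or "nothing"
        problems.append(f"0x{addr8:02X} (7-bit 0x{addr7:02X}) not on the bus; "
                        f"i2cdetect saw {seen}")
    if addr8 in present:
        # A 7-bit value copied straight from i2cdetect into the config
        problems.append(f"0x{addr8:02X} is a 7-bit address from i2cdetect; "
                        f"cryptoauthlib expects the 8-bit form 0x{(addr8 << 1):02X}")
    return problems
```

Running check_config on a live box would mean reading /var/lib/cryptoauthlib/0.conf and the output of i2cdetect -y <bus>; an empty list means the address and bus agree with what the kernel sees, which is the state both working posts above ended in.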

@shearl

shearl commented Jun 13, 2020

@bryan-hunt My apologies for not digging deeper into the other issues to find the problem. I see from issues #105 and #95 that I missed the initialisation step. (It seems like it might be a good idea to explicitly add this to the PKCS11 Linux Setup wiki page).

I get the same error mentioned in #105 and #95, but it does seem to actually initialise the token and I am able to export the public key.

$ p11tool --provider /usr/lib/libcryptoauth.so --initialize "pkcs11:serial=62A6D7FF625F" --label test
Enter Security Officer's PIN: 
Initializing token... 
Error in pkcs11_init:1439: PKCS #11 error.

Note: I'm surprised that I get the error because @raerne said here that changing ATCA_I2C_ECC_ADDRESS to 0xC0 in lib/atca_config.h fixed the problem. I have it set that way - see above - but I still get the error.

@raerne

raerne commented Jun 15, 2020

I don't have an unprovisioned device available to reproduce. If I recall correctly, with "fixed the problem" I meant that the function pkcs11_token_init succeeded, which meant that the device itself was initialized. However, the p11tool cli call itself did not return with success, but I was able to use all other commands like p11tool ... --list-all successfully.

@shearl

shearl commented Jun 19, 2020

Hi @raerne, thanks for the message. Unfortunately it seems like my ATECC608 is still not working with the pkcs11 tools.

I started over with a brand new unprovisioned ATECC608 and did the following:

$ p11tool --initialize --label greengrass "pkcs11:serial=C2D1F027997E"
Enter Security Officer's PIN: 
Initializing token... 
Error in pkcs11_init:1439: PKCS #11 error.

Based on your comments and what @bryan-hunt has said, this shouldn't be a problem. However, when I ask for the list of tokens I get the following:

$ p11tool --list-tokens
Token 0:
	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
	Label: System Trust
	Type: Trust module
	Flags: uPIN uninitialized
	Manufacturer: PKCS#11 Kit
	Model: p11-kit-trust
	Serial: 1
	Module: p11-kit-trust.so

Token 1:
	URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=C2D1F027997E;token=0123EE
	Label: 0123EE
	Type: Hardware token, Trust module
	Flags: RNG, Requires login, Uninitialized, uPIN uninitialized
	Manufacturer: Microchip Technology Inc
	Model: ATECC608A
	Serial: C2D1F027997E
	Module: /usr/lib/libcryptoauth.so

Note this line: Flags: RNG, Requires login, Uninitialized, uPIN uninitialized, which seems to indicate that the token is still uninitialized.

When I ask for a list of all objects on the token it indeed shows two objects:

$ p11tool --list-all "pkcs11:serial=C2D1F027997E"
Object 0:
	URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=C2D1F027997E;token=0123EE;object=device;type=private
Token '0123EE' with URL 'pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=C2D1F027997E;token=0123EE' requires user PIN
Enter PIN: 
	Type: Private key (EC/ECDSA-SECP256R1)
	Label: device
	Flags: CKA_PRIVATE; CKA_SENSITIVE; 
	ID: 

Object 1:
	URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=C2D1F027997E;token=0123EE;object=device;type=public
	Type: Public key (EC/ECDSA-SECP256R1)
	Label: device
	ID: 

And it seems like I can successfully export the public key:

$ p11tool --export-pubkey "pkcs11:token=0123EE;object=device;type=private"
note: assuming --login for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
Token '0123EE' with URL 'pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=C2D1F027997E;token=0123EE' requires user PIN
Enter PIN: 
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/jkBuiLcmZWeyI6T2l03oSjLsWBY
8TiI0U7pJc3wKGxGJCNiDzz9EwngosTQRTEtk2HQOpAsAa0Ir1KVJa2ASg==
-----END PUBLIC KEY-----

However, when I try to use the pkcs11 engine with OpenSSL to create a certificate signing request, I get more error messages about the token being uninitialized:

$ OPENSSL_CONF=myopenssl.conf openssl req -engine pkcs11 -key "pkcs11:token=0123EE;object=device;type=private" -keyform engine -new -out new_device.csr -subj "/CN=NEW CSR EXAMPLE"
engine "pkcs11" set.
Found uninitialized token
Specified object not found
Found uninitialized token
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
1995735056:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:974:
1995735056:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key

For reference, here are the relevant configuration files:

$ cat /etc/cryptoauthlib/cryptoauthlib.conf
# Cryptoauthlib Configuration File

filestore = /var/lib/cryptoauthlib

$ cat /var/lib/cryptoauthlib/0.conf 
# Reserved Configuration for a device
# The objects in this file will be created and marked as undeletable
# These are processed in order. Configuration parameters must be comma
# delimited and may not contain spaces

interface = i2c,0xC0,1
freeslots = 1,2,3

# Slot 0 is the primary private key
object = private,device,0

# Slot 10 is the certificate data for the device's public key
#object = certificate,device,10

# Slot 12 is the intermediate/signer certificate data
#object = certificate,signer,12

# Slot 15 is a public key
object = public,root,15

$ cat /etc/pkcs11/pkcs11.conf
# This setting controls whether to load user configuration from the
# ~/.config/pkcs11 directory. Possible values:
#    none: No user configuration
#    merge: Merge the user config over the system configuration (default)
#    only: Only user configuration, ignore system configuration
user-config: merge

$ cat ~/.config/pkcs11/modules/cryptoauthlib.module
module: /usr/lib/libcryptoauth.so
critical: yes
trust-policy: yes
managed: yes
log-calls: no

$ cat myopenssl.conf 
openssl_conf = openssl_init

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/arm-linux-gnueabihf/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/libcryptoauth.so
init = 0

@shearl

shearl commented Jul 14, 2020 via email

@ander-galis-ikerlan

ander-galis-ikerlan commented Jul 15, 2020

It looks like after the --initialize step the configuration memory is locked but not the data one, and we can't interact with it until it is closed. In order to do that, what I did was to use cryptoauthtools, more specifically the config.py, to close this memory. It clearly is a workaround, but it worked for me and I was able to generate the CSR. You can check the state of your memory using info.py. Remember to install the cryptoauthlib library using pip and to move the libcryptoauth.so that you compiled into the correct folder so that python can detect it.

@vishalSpintly

vishalSpintly commented Jan 27, 2022

Still not solved. I have an issue open with Microchip tech support and they said they are trying to recreate the issue.

On Tue, Jul 14, 2020 at 01:33 ander-galis-ikerlan @.***> wrote: I'm having the exact same issue, I'm able to export the key with p11tool but for OpenSSL the device is not initialized, were you able to solve it?

Hello Shearl / Bryan,

I am trying the same with a Rpi4 board with the ATECC608A connected over I2C lines as well.
I find myself in the same situation as you have reported here. I have tried figuring out the problem but I do not find any resources to resolve the issue.
see:

$ p11tool --list-all
warning: no token URL was provided for this operation; the available tokens are:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=E42440B94379;token=0123EE

$ p11tool --provider /usr/lib/libcryptoauth.so --list-all
Object 0:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=E42440B94379;token=0123EE;object=device;type=private
Token '0123EE' with URL 'pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=E42440B94379;token=0123EE' requires user PIN
Enter PIN:
Type: Private key
Label: device
Flags: CKA_PRIVATE; CKA_SENSITIVE;
ID:

Object 1:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=E42440B94379;token=0123EE;object=device;type=public
Type: Public key
Label: device
ID:

$ p11tool --provider /usr/lib/libcryptoauth.so --initialize "pkcs11:serial=E42440B94379" --label aws-iot
Enter Security Officer's PIN:
Initializing token...
Error in pkcs11_init:1455: PKCS #11 error.

$ p11tool --list-tokens
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so

Token 1:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=E42440B94379;token=0123EE
Label: 0123EE
Type: Hardware token, Trust module
Flags: RNG, Requires login, Uninitialized, uPIN uninitialized
Manufacturer: Microchip Technology Inc
Model: ATECC608A
Serial: E42440B94379
Module: /usr/lib/libcryptoauth.so

$ p11tool --export-pubkey --provider /usr/lib/libcryptoauth.so "pkcs11:token=0123EE;object=device;type=private"
note: assuming --login for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
Error in pkcs11_export_pubkey:1397: The requested PKCS #11 object is not available

$ openssl req -engine pkcs11 -key "pkcs11:token=0123EE;object=device;type=private" -keyform engine -new -out new_device.csr -subj "/CN=NEW CSR EXAMPLE"
engine "pkcs11" set.
Found uninitialized token
Specified object not found
Found uninitialized token
Specified object not found
The private key was not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3069526080:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:766:
3069526080:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key

Can you let me know if you resolved this problem and if yes, how.
Look forward to your response.

regards,
Vishal

@dexterac

dexterac commented Mar 9, 2022

Is this resolved?

@bryan-hunt
Contributor

There is nothing to resolve. It's just improper configuration.

Start with the Trust Platform Development Suite and configure a TrustFlex part.

Otherwise one needs to read the datasheet and understand the part before making changes to the part configuration.

@vishalSpintly

@bryan-hunt Extremely disappointed with the response.
You are not making any attempt at helping understand what the problem could be even on executing simple applications provided by Microchip themselves. This is unfortunate.

On contacting the Microchip sales team I hear that the ATECC608A Chip has hardware issues and is not recommended for new designs.

@bryan-hunt
Contributor

Like all semiconductor devices, there are errata that are discovered. Given the worldwide semiconductor manufacturing situation it is recommended to use the latest revision of the part. The ATECC608B TrustFlex parts are available: https://www.microchipdirect.com/product/ATECC608B-TFLXTLSS-PROTO so that doesn't change the overall recommendation to use the Trust Platform rather than blank devices. These are complex devices that require attention to detail when performing configuration.

This is why the Trust Platform is the best way to get started with using these parts - the Trust Platform Development Suite comes with examples, and configuration tools.

When it comes to pkcs11 these instructions have been run numerous times by many people. The pkcs11 interface is used by hundreds of thousands of devices. Everything I have seen on this thread indicates the instructions having not been followed or a hardware issue for which I can't diagnose through this medium.

@vishalSpintly

vishalSpintly commented Mar 9, 2022

Everything I have seen on this thread indicates the instructions having not been followed

If that is the case why haven't you pointed out the "instructions that have not been followed".
Everything that was done has been in compliance with the listed instructions.
It rather looks like you are not interested in helping solve customer reported issues.

@ronnytittoto

Microchip has a team of ESEs that can support customers in the field; additionally, the MCHP official support team, available under www.microchip.com/support, can support customers working on designs including this device. I would recommend getting in touch with a local ESE.
Hope this helps

@github-actions

github-actions bot commented Nov 6, 2022

This issue has been marked as stale - please confirm the issue still exists with the latest version of the library and update the issue if it remains
