Setting up cryptoauthlib as a PKCS11 Provider - module failed to initialize #50

Closed
matriedel opened this issue Jan 26, 2019 · 9 comments

@matriedel

matriedel commented Jan 26, 2019

I was following the manual "Setting up cryptoauthlib as a PKCS11 Provider"
I got stuck with the following error

sudo p11tool --provider=/usr/lib/libcryptoauth.so
p11-kit: (unknown): module failed to initialize: Internal error
pkcs11_add_provider: PKCS #11 error.

One guess was the issue might be caused by a wrong slot config file. I defined
/var/lib/cryptoauthlib/slot.conf as


interface = i2c,0xB0
# freeslots = 1,2,3

# Slot 0 is the primary private key
object = private,device,0


What I was missing in the config file was a bus number for the i2c interface, e.g.
atcai2c.bus = 0

Where can I configure the bus setting?
Any other hint of the error I see?

@bryan-hunt
Contributor

bryan-hunt commented Jan 26, 2019

Rename slot.conf to 0.conf which means the pkcs11 slot 0 (or device0)

PKCS11 defines each installed device as a slot, which gets confusing with each memory location in a cryptoauth device being called a slot as well.

The bus number is not in the text configuration files yet so to change that you have to change the default in atca_cfgs.c

It will be available in the next update for pkcs11 as it has been requested as an addition to the configuration files.

@matriedel
Author

With adding your proposed changes the issue could be solved.

But with further p11tool --export-pubkey testing, I get another issue "Error in pkcs11_export_pubkey:821:"

p11tool --export-pubkey "pkcs11:token=0123EE;object=device;type=private"
warning: --login was not specified and it may be required for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
Error in pkcs11_export_pubkey:821: The requested PKCS #11 object is not available

What might be the issue here?

@bryan-hunt
Contributor

What happens when you do a list-all or list-tokens?

There are some troubleshooting tips on this page: https://github.com/MicrochipTech/cryptoauthlib/wiki/Greengrass-HSI

@matriedel
Author

For p11tool --list-all I get a long list with 1718 objects.
For p11tool --list-tokens I get the following:
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so

@bryan-hunt
Contributor

If you’re not using p11-kit you have to specify the provider with every command. So list-all and list-tokens with the provider set produces?

@matriedel
Author

O.K I see. Thank you for your comment.

Unfortunately, it seems I cannot connect to the device anymore via p11tool.
The error message is slightly different than at the first time.

p11tool --provider=/usr/lib/libcryptoauth.so
p11-kit: (unknown): module failed to initialize: An error occurred on the device
pkcs11_add_provider: PKCS #11 error in device

To get a clean start, I successfully ran
\cryptoauthtools\python\examples\config.py
At least this indicates that communication with the device is possible.

@bryan-hunt
Contributor

model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust is a software token from p11-kit and does not indicate that p11tool was able to communicate with the cryptoauth device.

See https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup#using-p11-kit-proxy for how to set up p11-kit to see the library and interact with it.

Did you change the bus number in atca_cfgs.c for your platform, rebuild, and reinstall the .so?
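
As an added example (not part of the original comments and not cryptoauthlib code), the check below filters `p11tool --list-tokens` output for tokens other than the p11-kit-trust software token described above. The second sample listing and its `model=EXAMPLE` token are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell the p11-kit software trust token apart from other tokens.

# Print the URL of every token in `p11tool --list-tokens` output (stdin) whose
# model is not p11-kit-trust. Exit 0 if at least one was found, 1 otherwise.
non_trust_tokens() {
    awk '
        /^[ \t]*URL:/ {
            url = $0
            sub(/^[ \t]*URL:[ \t]*/, "", url)
            # Append ";" so the model attribute matches wherever it sits.
            if ((url ";") !~ /[:;]model=p11-kit-trust;/) { print url; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Listing quoted in the thread: only the System Trust module is present.
TRUST_ONLY='Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module'

# Constructed listing: the same trust token plus a made-up device token.
WITH_DEVICE="$TRUST_ONLY
Token 1:
URL: pkcs11:model=EXAMPLE;manufacturer=Example;serial=0000;token=0123EE
Label: 0123EE"

# Wrapper for a live system; the default module path is the one used in the thread.
check_provider() {
    p11tool --provider="${1:-/usr/lib/libcryptoauth.so}" --list-tokens 2>&1 |
        non_trust_tokens
}

# Demo on the embedded samples (no hardware or p11tool needed).
for sample in "$TRUST_ONLY" "$WITH_DEVICE"; do
    if found=$(printf '%s\n' "$sample" | non_trust_tokens); then
        echo "device token visible: $found"
    else
        echo "only the p11-kit trust module answered"
    fi
done
```

On a live system, `check_provider` exits non-zero both when the module fails to initialize and when only the trust module is listed, so it can gate later steps such as exporting a public key.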

@matriedel
Author

matriedel commented Jan 26, 2019

Yes, I changed the bus number to .atcai2c.bus = 0 and .devtype = ATECC508A in atca_cfgs.c for my platform, rebuilt, and reinstalled the .so.
After I did it the first time
p11tool --provider=/usr/lib/libcryptoauth.so
worked one time.
Quite strange....

p11tool
p11-kit: cryptoauthlib: module failed to initialize: An error occurred on the device
pkcs11_init: PKCS #11 initialization error.
p11tool [options] [url]
p11tool --help for usage instructions.

One hint - I see some warnings when compiling

[ 75%] Building C object lib/CMakeFiles/cryptoauth.dir/pkcs11/pkcs11_cert.c.o
/home/pi/cryptoauthlib/lib/pkcs11/pkcs11_cert.c: In function ‘pkcs11_cert_get_encoded’:
/home/pi/cryptoauthlib/lib/pkcs11/pkcs11_cert.c:86:118: warning: passing argument 4 of ‘atcacert_read_cert’ from incompatible pointer type [-Wincompatible-pointer-types]
status = atcacert_read_cert(obj_ptr->data, cert_cfg->ca_cert_def ? ca_key: NULL, pAttribute->pValue, &pAttribute->ulValueLen);
^
In file included from /home/pi/cryptoauthlib/lib/pkcs11/pkcs11_cert.c:40:0:
/home/pi/cryptoauthlib/lib/atcacert/atcacert_client.h:73:5: note: expected ‘size_t * {aka unsigned int *}’ but argument is of type ‘CK_ULONG * {aka long unsigned int *}’
int atcacert_read_cert(const atcacert_def_t* cert_def,
^
[ 77%] Building C object lib/CMakeFiles/cryptoauth.dir/pkcs11/pkcs11_config.c.o
/home/pi/cryptoauthlib/lib/pkcs11/pkcs11_config.c: In function ‘pkcs11_config_key’:
/home/pi/cryptoauthlib/lib/pkcs11/pkcs11_config.c:640:52: warning: format ‘%d’ expects argument of type ‘int’, but argument 5 has type ‘CK_SLOT_ID {aka long unsigned int}’ [-Wformat=]
(void)snprintf(filename, sizeof(filename), "%s%d.%d.conf", pLibCtx->config_path, pSlot->slot_id ,i);
^
/home/pi/cryptoauthlib/lib/pkcs11/pkcs11_config.c:640:52: warning: format ‘%d’ expects argument of type ‘int’, but argument 5 has type ‘CK_SLOT_ID {aka long unsigned int}’ [-Wformat=]
/home/pi/cryptoauthlib/lib/pkcs11/pkcs11_config.c: In function ‘pkcs11_config_remove_object’:
/home/pi/cryptoauthlib/lib/pkcs11/pkcs11_config.c:656:48: warning: format ‘%d’ expects argument of type ‘int’, but argument 5 has type ‘CK_SLOT_ID {aka long unsigned int}’ [-Wformat=]
(void)snprintf(filename, sizeof(filename), "%s%d.%d.conf", pLibCtx->config_path, pSlot->slot_id, pObject->slot);
^
/home/pi/cryptoauthlib/lib/pkcs11/pkcs11_config.c:656:48: warning: format ‘%d’ expects argument of type ‘int’, but argument 5 has type ‘CK_SLOT_ID {aka long unsigned int}’ [-Wformat=]

@matriedel
Author

Problem solved after reinstallation and modification of atca_cfgs.c

This issue was closed.