gradiant / blackice_connect Goto Github PK

Has anyone tried to connect a Java VM using its PKCS#11 support/config to BlackICE_Connect? Environment would be running on a Linux server that requires Azure key vault keys protected by an HSM (so premium or managed hsm).

When trying to create key pair via PKCS#11 found error "CKR_TEMPLATE_INCONSISTENT" on Windows10 application.

Hi,
I'm trying to build dependencies before compiling the BlackIceConnect Connector but OpenSSL build is failing with error.

Environment:
RHEL 7.6

Error:
make[2]: Entering directory /home/bcadmin/blackiceconnect/openssl-1.0.2n/apps' make[2]: warning: jobserver unavailable: using -j1. Add +' to parent make rule.
( :; LIBDEPS="${LIBDEPS:--L.. -lssl -L.. -lcrypto -ldl -L/home/bcadmin/blackiceconnect/zlib-1.2.11/libs/linux/zlib/release/x86/lib -lz}"; LDCMD="${LDCMD:-gcc -m32}"; LDFLAGS="${LDFLAGS:--DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -m32 -fPIC -static -Wa,--noexecstack -DL_ENDIAN -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM}"; LIBPATH=for x in $LIBDEPS; do echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq; LIBPATH=echo $LIBPATH | sed -e 's/ /:/g'; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o ${LIBDEPS} )
/bin/ld: cannot find -ldl
/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory /home/bcadmin/blackiceconnect/openssl-1.0.2n/apps' make[1]: *** [openssl] Error 2 make[1]: Leaving directory /home/bcadmin/blackiceconnect/openssl-1.0.2n/apps'
make: *** [build_apps] Error 1
[bcadmin@bc-05-phx openssl-1.0.2n]$ cd apps/
[bcadmin@bc-05-phx apps]$ ll

Hello,

If the KSP is installed on a machine in Azure, instead of asking for a client id/password it would be better to use directly the Managed Identity of the VM (or user assigned identity).

I was able to build the PKCS11 installer with Visual Studio. When running the installer, after you enter your key vault credentials and click on next, the app freezes and never come back. CPU usage is at 23%. Are there any other options to configure it?

If set HSM_PROCESSED = true in BlackICEconnect_win.cnf then the PKCS#11 library can not load.

I am trying to setup BlackICE to use it's PKCS11 extension capability. The OS that I am using is Ubuntu and I have already installed all the required linux dependencies which are mentioned here.

I got error while building PKCS11_Connector & PKCS11_Installer.

Error while building PKCS11_Connector:

dev-machine@Dev-Machine:~/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector$ ./linux-compile.sh
Selected Debug (default) since no option were specified (use either -d or -r)
Creating Makefile in /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build/
Compiling in Debug mode
Running cmake from /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build
Build configuration: linux-64-debug
Libraries path: /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../libs
libcurl used: /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../libs/linux/libcurl/debug/x64
OpenSSL used: /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../libs/linux/openssl/debug/x64
zLib used: /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../libs/linux/zlib/release/x64/
Source code root: /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/src
-- Configuring done
-- Generating done
-- Build files have been written to: /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build
/usr/bin/cmake -H/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector -B/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build --check-build-system CMakeFiles/Makefile.cmake 0
/usr/bin/cmake -E cmake_progress_start /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build/CMakeFiles /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build/CMakeFiles/progress.marks
make -f CMakeFiles/Makefile2 all
make[1]: Entering directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build'
make -f CMakeFiles/BlackICEConnect_x64.dir/build.make CMakeFiles/BlackICEConnect_x64.dir/depend
make[2]: Entering directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build'
cd /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build && /usr/bin/cmake -E cmake_depends "Unix Makefiles" /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build/CMakeFiles/BlackICEConnect_x64.dir/DependInfo.cmake --color=
make[2]: Leaving directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build'
make -f CMakeFiles/BlackICEConnect_x64.dir/build.make CMakeFiles/BlackICEConnect_x64.dir/build
make[2]: Entering directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build'
[ 7%] Building C object CMakeFiles/BlackICEConnect_x64.dir/src/cryptokiTypes.c.o
/usr/bin/cc -DBlackICEConnect_x64_EXPORTS -DPKCS11 -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../libs/linux/libcurl/debug/x64/include/curl -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../libs/linux/openssl/debug/x64/include -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../libs/linux/zlib/release/x64/include -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/src -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../Modules/AKV_Module -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../Modules/Common_Module -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/src/cryptoki -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/src/Helpers -I/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../Modules/Common_Module/src -Wimplicit-function-declaration -Wstrict-prototypes -Wmissing-prototypes -pedantic -Wfatal-errors -Wall -fstack-protector-all -Wl,-z,noexecstack -Wimplicit-function-declaration -Wstrict-prototypes -Wmissing-prototypes -pedantic -Wfatal-errors -Wall -fstack-protector-all -Wl,-z,noexecstack -g3 -ggdb -O0 -rdynamic -fPIC -o CMakeFiles/BlackICEConnect_x64.dir/src/cryptokiTypes.c.o -c /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/src/cryptokiTypes.c
In file included from /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/src/cryptoki.h:64:0,
from /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/src/cryptokiTypes.h:15,
from /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/src/cryptokiTypes.c:13:
/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/../../Modules/AKV_Module/src/clientRest.h:16:10: fatal error: curl.h: No such file or directory
#include <curl.h>
^~~~~~~~
compilation terminated.
CMakeFiles/BlackICEConnect_x64.dir/build.make:65: recipe for target 'CMakeFiles/BlackICEConnect_x64.dir/src/cryptokiTypes.c.o' failed
make[2]: *** [CMakeFiles/BlackICEConnect_x64.dir/src/cryptokiTypes.c.o] Error 1
make[2]: Leaving directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build'
CMakeFiles/Makefile2:70: recipe for target 'CMakeFiles/BlackICEConnect_x64.dir/all' failed
make[1]: *** [CMakeFiles/BlackICEConnect_x64.dir/all] Error 2
make[1]: Leaving directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector/linux-build'
Makefile:86: recipe for target 'all' failed
make: *** [all] Error 2
/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Connector

Error while building PKCS11_Installer:

dev-machine@Dev-Machine:~/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup$ ./linux-compile.sh
Creating Makefile in /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup/../linux-build
Compiling in debug mode
Running cmake from /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build
Build configuration: linux-64-debug
Build name: GradiantEncryptConfig_debug_x64
Linked m (math lib)
-- Configuring done
-- Generating done
-- Build files have been written to: /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build
/usr/bin/cmake -H/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer -B/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build --check-build-system CMakeFiles/Makefile.cmake 0
/usr/bin/cmake -E cmake_progress_start /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build/CMakeFiles /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build/CMakeFiles/progress.marks
make -f CMakeFiles/Makefile2 all
make[1]: Entering directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build'
make -f CMakeFiles/GradiantEncryptConfig_debug_x64.dir/build.make CMakeFiles/GradiantEncryptConfig_debug_x64.dir/depend
make[2]: Entering directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build'
cd /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build && /usr/bin/cmake -E cmake_depends "Unix Makefiles" /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build/CMakeFiles/GradiantEncryptConfig_debug_x64.dir/DependInfo.cmake --color=
make[2]: Leaving directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build'
make -f CMakeFiles/GradiantEncryptConfig_debug_x64.dir/build.make CMakeFiles/GradiantEncryptConfig_debug_x64.dir/build
make[2]: Entering directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build'
make[2]: Nothing to be done for 'CMakeFiles/GradiantEncryptConfig_debug_x64.dir/build'.
make[2]: Leaving directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build'
[100%] Built target GradiantEncryptConfig_debug_x64
make[1]: Leaving directory '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build'
/usr/bin/cmake -E cmake_progress_start /home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-build/CMakeFiles 0
/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup
cp: cannot stat '/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup/../../PKCS11_Connector/bin/linux-debug/x64/libBlackICEConnect_x64.so': No such file or directory
tar: Removing leading `/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup/../' from member names
/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup/../GradiantBlackIceConnect_debug_x64/BlackICEconnect_template.cnf
/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup/../GradiantBlackIceConnect_debug_x64/GradiantBlackIceConnect_debug_x64.tar.gz
/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup/../GradiantBlackIceConnect_debug_x64/GradiantEncryptConfig_debug_x64
/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup/../GradiantBlackIceConnect_debug_x64/README.txt
/home/dev-machine/BlackICE_Connect/BIC_PKCS11/PKCS11_Installer/linux-setup/../GradiantBlackIceConnect_debug_x64/setup.sh

Am I missing some required steps?