
Comments (7)

maraino avatar maraino commented on June 8, 2024

Hi @udf2457, the right module is /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib. We don't support the attribute export-under-wrap, but you can do the same with the --extractable flag.

In any case, your command, with the proper module, works as expected on my YubiHSM2. I've reproduced the error you mentioned if I use a non-PKCS#11 library like libyubihsm_usb.dylib or I try to use a file that does not exist.

Here is a working configuration:

$ echo $YUBIHSM_PKCS11_CONF
/Users/mariano/yubihsm_pkcs11.conf
$ cat /Users/mariano/yubihsm_pkcs11.conf
connector = http://127.0.0.1:12345
$ yubihsm-connector
...

And then in another terminal:

$ echo 0001password > /tmp/pin.txt
$ step kms create --json --kty RSA --size 4096 --extractable --kms "pkcs11:module-path=/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib;token=YubiHSM?pin-source=/tmp/pin.txt" "pkcs11:id=7534;object=my-root-ca"
{
  "name": "pkcs11:id=7534;object=my-root-ca",
  "publicKey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt0Z8VQXJqbSg/QtlhDP+\nniQ4pcY2V/ieWdtyFDRX5u4vq8ZxtxOWlOYWTKHZ+yx73+b7AvUmAlFsH70IE9Me\nzqKnSwwqTj8KvVIA4f1VYpbnVC6P9a37+5uh+TPj4P+6n7un+LPHwyKMywmx7Rfk\nxIDYkXkuLGRIUHW8PgnPnxwqujDADh8DRQDLaZ3gYTm6svOTs0FP9v3wU7Waktka\nK+pMQtpogP/kNWBQM/D2kxYjzMmN5EVXppDQIwACDbIoqldNaezCdwoar+u1H+CL\n8QTE1/700QHiamaM6rxl3rZwWIqbNjioH10tlbGGyQjVsUkdnSbywMf4RE4Kv3y2\nlFb434mRx7jOqqjcpYx7Bbd49PrsYR8GX9BMJr1UIbzUBuXRt0xUoOJTZA6xSe9c\nL0JGK7BZ5AQyuBiyZYsumVqxUyL8UI8KJo+bhTrbcXJU/f3oTABNci6Q2eRPsXaX\nTAw7znIjWxS0OEN4hYR/QT3W71ow074qxszEw5qPsw78iwDpm/nE1njI8lmJadm8\nsFqimqrFAmCKkAoWeWARcNfOwrBVGbqPHv06qJuUTHVp5H38zDAcSkZ3HI1a5Uvt\ndgqj7xI7Clu1uVlaV2elhZFTY3CtLLGleMzj70s/LsfRAfXdEm8wj5V4Vpd4Umau\nUz7UtMhhoosEXqgFaWbxE5UCAwEAAQ==\n-----END PUBLIC KEY-----\n"
}

from step-kms-plugin.

udf2457 avatar udf2457 commented on June 8, 2024

@maraino

Subsequent to my earlier post, I actually did discover /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib but that did not work either.

Can you confirm what OS X version you are on? I am on Sonoma 14.4.1.


maraino avatar maraino commented on June 8, 2024

You can also combine all the URIs in one, or use p11-kit to simplify things:

$ cat ~/.config/pkcs11/modules/yubihsm
module: /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
managed: true
$ export DYLD_FALLBACK_LIBRARY_PATH=/usr/local/lib
$ step kms create "pkcs11:token=YubiHSM;id=7534;object=my-root-ca?pin-source=/tmp/pin.txt"
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2uZnKCl1txbD7TmsYtq3jfvHAx36
culZcLP8jsPmcrj/6qsAKPCKNLW+vkaRS939i5ypT7EjwbT7U0EpvqGadw==
-----END PUBLIC KEY-----

With the latest version of macOS, we cannot load libraries in /usr/local/lib/... by default, so you need to set the environment variable DYLD_FALLBACK_LIBRARY_PATH (or DYLD_LIBRARY_PATH).


maraino avatar maraino commented on June 8, 2024

Same version as you. Can you try with p11-kit or pkcs11-tool?

This is from the last key I created in my previous command.

$ pkcs11-tool --module /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib -O --token-label YubiHSM -p 0001password --id 7534
Private Key Object; EC
  label:      my-root-ca
  ID:         7534
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104dae667282975b716c3ed39ac62dab78dfbc7031dfa72e95970b3fc8ec3e672b8ffeaab0028f08a34b5bebe46914bddfd8b9ca94fb123c1b4fb534129bea19a77
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      my-root-ca
  ID:         7534
warning: PKCS11 function C_GetAttributeValue(VERIFY_RECOVER) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  Usage:      verify
  Access:     local


maraino avatar maraino commented on June 8, 2024

I'm not sure which version I am using but here is some info:

$ yubihsm-shell --version
yubihsm-shell 2.2.0
$ sha256sum /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
5ec42644ac33d6106883cb7413e1b9b615e7d4a9761697c1a323eeed003f731e  /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib


maraino avatar maraino commented on June 8, 2024

I've installed the latest one and it works too:

$ yubihsm-shell --version
yubihsm-shell 2.4.2
$ sha256sum /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
b27217253584750bf1f07e0ab9e6991f178a2b333932c1f517e08b4d88303d37  /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib

I'm on an Intel mac, and this one was https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2023-11-darwin-amd64.pkg

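As an added example (not code from this thread, from step-kms-plugin, or from Yubico), here is a Python pre-flight that parses a PKCS#11 URI in the shape the commands above use and checks, before step is ever invoked, the things that went wrong in this thread: the module-path must exist, a module under /usr/local/lib needs DYLD_FALLBACK_LIBRARY_PATH or DYLD_LIBRARY_PATH to list that directory, and the module can be pinned to a known sha256 the way the sha256sum output above records it. The pin-source file is also checked for group/world access. The `preflight` and `run_demo` functions, the temp-dir fixture and its fake module (hashed with its own digest, not the thread's hashes) are assumptions made for the demo. RFC 7512 lists module-path and pin-source as query attributes, but the first command in this thread puts module-path in the path component and step accepts that, so the lookup merges both parts.

```python
import hashlib
import os
import stat
import tempfile
from urllib.parse import unquote


def parse_pkcs11_uri(uri):
    """Split 'pkcs11:<path-attrs>?<query-attrs>' into (path, query) dicts.
    Path attributes are ';'-separated, query attributes '&'-separated,
    keys and values percent-decoded (RFC 7512)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    return _split_attrs(path_part, ";"), _split_attrs(query_part, "&")


def _split_attrs(part, sep):
    attrs = {}
    for item in filter(None, part.split(sep)):
        key, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute {item!r}")
        key = unquote(key)
        if key in attrs:
            raise ValueError(f"duplicate attribute {key!r}")
        attrs[key] = unquote(value)
    return attrs


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preflight(uri, env, expected_sha256=None, dyld_prefix="/usr/local/lib"):
    """Return a list of problems; empty means the URI looks usable.
    `env` is the environment step would run with (os.environ for real use);
    `dyld_prefix` is a parameter only so the demo can exercise that check."""
    path_attrs, query_attrs = parse_pkcs11_uri(uri)
    attrs = {**path_attrs, **query_attrs}  # step accepts module-path in either part
    problems = []

    module = attrs.get("module-path")
    if module is None:
        problems.append("no module-path in URI: p11-kit or a module config must supply it")
    elif not os.path.isfile(module):
        problems.append(f"module-path does not exist: {module}")
    elif expected_sha256 and sha256_file(module) != expected_sha256.lower():
        problems.append("module sha256 does not match the pinned value")
    if module is not None and module.startswith(dyld_prefix + "/"):
        # The macOS fix from the thread: the loader does not search /usr/local/lib
        # on its own, so one of these variables has to list it.
        searched = (env.get("DYLD_FALLBACK_LIBRARY_PATH", "") + ":"
                    + env.get("DYLD_LIBRARY_PATH", "")).split(":")
        if dyld_prefix not in searched:
            problems.append(f"module under {dyld_prefix} but neither DYLD_FALLBACK_LIBRARY_PATH "
                            "nor DYLD_LIBRARY_PATH includes it")

    pin_file = attrs.get("pin-source")
    if pin_file is not None:
        if not os.path.isfile(pin_file):
            problems.append(f"pin-source does not exist: {pin_file}")
        elif stat.S_IMODE(os.stat(pin_file).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"pin-source {pin_file} is group/world accessible")
    if "pin-value" in attrs:
        problems.append("pin-value embeds the PIN in the URI; prefer pin-source")
    return problems


def run_demo():
    """Constructed fixture: a fake module and a pin file in a temp dir, driven
    through URIs shaped like the ones in this thread."""
    d = tempfile.mkdtemp()
    module = os.path.join(d, "yubihsm_pkcs11.dylib")
    with open(module, "wb") as f:
        f.write(b"constructed stand-in for the real PKCS#11 module\n")
    pin = os.path.join(d, "pin.txt")
    with open(pin, "w") as f:
        f.write("0001password\n")
    os.chmod(pin, 0o600)
    uri = f"pkcs11:module-path={module};token=YubiHSM?pin-source={pin}"
    with_dyld = {"DYLD_FALLBACK_LIBRARY_PATH": d}

    results = {
        "good": preflight(uri, with_dyld, sha256_file(module), dyld_prefix=d),
        "no_dyld": preflight(uri, {}, dyld_prefix=d),
        "wrong_hash": preflight(uri, with_dyld, "00" * 32, dyld_prefix=d),
        "missing": preflight("pkcs11:module-path=/nonexistent/libyubihsm_usb.dylib;token=YubiHSM", {}),
    }
    os.chmod(pin, 0o644)  # loosen the PIN file and check again
    results["loose_pin"] = preflight(uri, with_dyld, dyld_prefix=d)
    return results
```

Run `preflight(uri, os.environ, expected_sha256="<pinned digest>")` with the URI you intend to hand to `step kms` and it reports the missing-module, missing-DYLD-variable and loose-PIN-file conditions in one pass; `run_demo()` shows each condition against the constructed fixture.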

udf2457 avatar udf2457 commented on June 8, 2024

DYLD_FALLBACK_LIBRARY_PATH was the secret sauce!

Thanks!

Maybe some kind soul needs to make a note of that in the docs. 😉

