Description
Is your feature request related to a problem? Please describe.
I am trying to use pkcs11_pubsub.py on a Raspberry Pi connected to a Microchip ATECC608. Microchip's cryptoauthlib is configured as a PKCS11 provider; the same setup works correctly with p11tool, and I am able to generate CSRs, etc. However, I am not able to use it with pkcs11_pubsub.py, as the SDK seems to support only RSA keys as of today.
Describe the solution you'd like
It would be fantastic to have support for EC keys as well, so that secure elements like the ATECC608 can be used to build more secure end nodes. It seems this support is already there in the microcontroller SDK.
Describe alternatives you've considered
No alternatives possible as the support does not exist.
Additional context
Below is my output from p11tool, clearly showing a private key that should be usable by anything that supports PKCS11, e.g. openssl.
pi@raspberrypi:~/parrytech-stuff/rpihat-sim7600/cal-app $ p11tool --provider /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --list-all
Object 0:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=device;type=private
Type: Private key (EC/ECDSA-SECP256R1)
Label: device
Flags: CKA_PRIVATE; CKA_SENSITIVE;
ID:
Object 1:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=device;type=public
Type: Public key (EC/ECDSA-SECP256R1)
Label: device
ID:
Object 2:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=device;type=cert
Type: X.509 Certificate (EC/ECDSA-SECP256R1)
Expires: Fri Jan 1 04:53:23 2038
Label: device
ID:
Object 3:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=signer;type=cert
Type: X.509 Certificate (EC/ECDSA-SECP256R1)
Expires: Fri Jan 1 04:53:23 2038
Label: signer
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
ID:
Below is my output, which tells me that EC keys are unsupported in the AWS IoT SDK (Python). Note the runtime error at the end.
(vpython) pi@raspberrypi:~/parrytech-stuff/rpihat-sim7600/aws-iot-device-sdk-python-v2/samples $ python pkcs11_pubsub.py --endpoint "avu39804vjdlk-ats.iot.us-west-2.amazonaws.com" --cert baa4f78dafbe4e7b0d822f603f8c18468650a93a8855a1950265be952de73ab7-certificate.pem.crt --pkcs11-lib /usr/lib/arm-linux-gnueabihf/libcryptoauth.so --pin 1234 --token-label "00ABC" --slot-id "0" --key-label "device"
Loading PKCS#11 library '/usr/lib/arm-linux-gnueabihf/libcryptoauth.so' ...
Loaded!
Traceback (most recent call last):
  File "/home/pi/parrytech-stuff/rpihat-sim7600/aws-iot-device-sdk-python-v2/samples/pkcs11_pubsub.py", line 80, in <module>
    mqtt_connection = mqtt_connection_builder.mtls_with_pkcs11(
  File "/home/pi/parrytech-stuff/rpihat-sim7600/vpython/lib/python3.9/site-packages/awsiot/mqtt_connection_builder.py", line 311, in mtls_with_pkcs11
    return _builder(tls_ctx_options, **kwargs)
  File "/home/pi/parrytech-stuff/rpihat-sim7600/vpython/lib/python3.9/site-packages/awsiot/mqtt_connection_builder.py", line 194, in _builder
    tls_ctx = awscrt.io.ClientTlsContext(tls_ctx_options)
  File "/home/pi/parrytech-stuff/rpihat-sim7600/vpython/lib/python3.9/site-packages/awscrt/io.py", line 564, in __init__
    self._binding = _awscrt.client_tls_ctx_new(
RuntimeError: 1076 (AWS_ERROR_PKCS11_KEY_TYPE_UNSUPPORTED): PKCS#11 key type not supported
I look forward to hearing from the dev team on ways to go about this!
Regards,
Shashank
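As an added pre-flight check (example code, not part of the SDK or of this report), the following parses a `p11tool --list-all` listing like the one above and reports whether the private key the sample will be handed is a key type the SDK accepts, so the failure at the end of the second log can be predicted before any MQTT connection is attempted. The embedded listing is the report's own output (private-key object only); the "RSA only" supported set is an assumption derived from the error shown here, and the `supported` parameter is hypothetical.

```python
import re

# p11tool --list-all output for the ATECC608 token, copied from the report above
# (only the private-key object; the ID field was empty in the original).
P11TOOL_OUTPUT = """\
Object 0:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=231606F750596A01;token=00ABC;object=device;type=private
Type: Private key (EC/ECDSA-SECP256R1)
Label: device
Flags: CKA_PRIVATE; CKA_SENSITIVE;
ID:
"""

# "Private key (EC/ECDSA-SECP256R1)" -> kind="Private key", alg="EC"
# "Private key (RSA-2048)"           -> kind="Private key", alg="RSA"
TYPE_RE = re.compile(r"^(?P<kind>[^(]+?)\s*\((?P<alg>[A-Za-z]+)[^)]*\)")

def parse_p11tool(text):
    """Parse `p11tool --list-all` text into one dict per listed object."""
    objects, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Object ") and line.endswith(":"):
            cur = {"kind": "", "alg": "", "label": "", "flags": []}
            objects.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = line.partition(":")   # URL values contain ':' too
        value = value.strip()
        if key == "Type" and (m := TYPE_RE.match(value)):
            cur["kind"], cur["alg"] = m.group("kind").strip(), m.group("alg").upper()
        elif key == "Label":
            cur["label"] = value
        elif key == "Flags":
            cur["flags"] = [f.strip() for f in value.split(";") if f.strip()]
    return objects

# Assumption: key types mtls_with_pkcs11 accepted when this report was filed.
SDK_SUPPORTED_KEY_TYPES = frozenset({"RSA"})

def check_key_for_sdk(objects, key_label, supported=SDK_SUPPORTED_KEY_TYPES):
    """Return (ok, reason) for the private key the SDK would be asked to use."""
    keys = [o for o in objects if o["kind"] == "Private key" and o["label"] == key_label]
    if not keys:
        return False, f"no private key labelled {key_label!r} on the token"
    alg = keys[0]["alg"]
    if alg not in supported:
        return False, (f"{key_label!r} is an {alg} key; SDK accepts only {sorted(supported)}, "
                       "expect AWS_ERROR_PKCS11_KEY_TYPE_UNSUPPORTED (1076)")
    return True, f"{key_label!r} is an {alg} key; mtls_with_pkcs11 can use it"
```

Run it against the saved p11tool output with the same `--key-label` passed to the sample; a `False` verdict means the TLS context will be rejected before any network traffic.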