
supporting CFSSL #151

Open
tendaworld opened this issue Dec 4, 2023 · 4 comments

@tendaworld

tendaworld commented Dec 4, 2023

With this mod applied (https://github.com/ibpl/cfssl/tree/master-IB%231094763), one can use a PKCS11 token in multirootca for cert signing (tested successfully with Nitrokey HSM 2; should work with other compatible HSM tokens too). Requires importing https://github.com/letsencrypt/pkcs11key

The example config below works with Nitrokey HSM:

[ default ]
private = pkcs11://notused
module = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
token_label = UserPIN (myhsm)
pin = 123456
config = /etc/cfssl/server.json
certificate = /etc/cfssl/issuer.crt
Note: issuer.crt must contain the cert issued for the signing key in the HSM.

However, when using it on NetHSM as below, I run into [FATAL] pkcs11key: pkcs11key: opening session: pkcs11: 0x6: CKR_FUNCTION_FAILED. Can you replicate the issue and assist with debugging?

[ default ]
private = pkcs11://notused
module = /usr/lib/nitrokey/libnethsm_pkcs11.so
token_label = pkcs11:object=MYKEY1;type=public
pin = ""
config = /etc/cfssl/server.json
certificate = /etc/cfssl/issuer.crt

@tendaworld tendaworld changed the title CFSSL with NetHSM Supporting CFSSL Dec 4, 2023
@tendaworld tendaworld changed the title Supporting CFSSL supporting CFSSL Dec 4, 2023
@jans23
Member

jans23 commented Dec 4, 2023

Is your NetHSM provisioned and operational?

@tendaworld
Author

tendaworld commented Dec 4, 2023

Yes, both from REST and PKCS#11 the status is good and operational, and I also used the OpenSSL engine with pkcs11 to generate the root cert and imported it into the HSM. The patched CFSSL with PKCS#11 support is available here: https://github.com/tenda-dev/cfssl

Debug log:

root | 2023/12/04 18:21:27 [INFO] PKCS11 PIN for token LocalHSM is not specified in config; please enter it on PIN pad if available
root | [2023-12-04T18:21:27Z DEBUG ureq::stream] connecting to nethsm:8443 at 192.168.240.2:8443
root | [2023-12-04T18:21:27Z DEBUG rustls::client::hs] No cached session for DnsName("nethsm")
root | [2023-12-04T18:21:27Z DEBUG rustls::client::hs] Not resuming any session
root | [2023-12-04T18:21:27Z DEBUG rustls::client::hs] Using ciphersuite TLS13_AES_128_GCM_SHA256
root | [2023-12-04T18:21:27Z DEBUG rustls::client::tls13] Not resuming
root | [2023-12-04T18:21:27Z DEBUG rustls::client::tls13] TLS1.3 encrypted extensions: [ServerNameAck]
root | [2023-12-04T18:21:27Z DEBUG rustls::client::hs] ALPN protocol is None
root | [2023-12-04T18:21:27Z DEBUG ureq::stream] created stream: Stream(RustlsStream)
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] sending request GET https://nethsm:8443/api/v1/health/state
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] writing prelude: GET /api/v1/health/state HTTP/1.1
root | Host: nethsm:8443
root | user-agent: pkcs11-rs/0.1.0
root | accept: application/json
root | [2023-12-04T18:21:27Z DEBUG ureq::response] Body entirely buffered (length: 23)
root | [2023-12-04T18:21:27Z DEBUG ureq::pool] adding stream to pool: https|nethsm|8443 -> Stream(RustlsStream)
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] response 200 to GET https://nethsm:8443/api/v1/health/state
root | [2023-12-04T18:21:27Z DEBUG ureq::pool] pulling stream from pool: https|nethsm|8443 -> Stream(RustlsStream)
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] sending request (reused connection) GET https://nethsm:8443/api/v1/info
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] writing prelude: GET /api/v1/info HTTP/1.1
root | Host: nethsm:8443
root | user-agent: pkcs11-rs/0.1.0
root | accept: application/json
root | [2023-12-04T18:21:27Z DEBUG ureq::response] Body entirely buffered (length: 45)
root | [2023-12-04T18:21:27Z DEBUG ureq::pool] adding stream to pool: https|nethsm|8443 -> Stream(RustlsStream)
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] response 200 to GET https://nethsm:8443/api/v1/info
root | [2023-12-04T18:21:27Z DEBUG ureq::pool] pulling stream from pool: https|nethsm|8443 -> Stream(RustlsStream)
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] sending request (reused connection) GET https://nethsm:8443/api/v1/system/info
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] writing prelude: GET /api/v1/system/info HTTP/1.1
root | Host: nethsm:8443
root | user-agent: pkcs11-rs/0.1.0
root | authorization: ***
root | accept: application/json
root | [2023-12-04T18:21:27Z DEBUG ureq::response] Body entirely buffered (length: 144)
root | [2023-12-04T18:21:27Z DEBUG ureq::pool] adding stream to pool: https|nethsm|8443 -> Stream(RustlsStream)
root | [2023-12-04T18:21:27Z DEBUG ureq::unit] response 200 to GET https://nethsm:8443/api/v1/system/info
root | 2023/12/04 18:21:27 [FATAL] pkcs11key: pkcs11key: opening session: pkcs11: 0x7: CKR_ARGUMENTS_BAD

I am initialising the pkcs11 session like this; perhaps therein lies the issue:

	// initialize token communication
	priv, err = pkcs11key.New(module, tokenLabel, pin, cert.PublicKey)
	if err != nil {
		return nil, err
	}

@q-nk
Contributor

q-nk commented Dec 6, 2023

I do not fully understand your setup, so let me describe it in my own words:
you are using CFSSL to build certificate bundles. The key pair for the root certificate of the bundles should be stored within an HSM, accessed through PKCS#11, which was made available to CFSSL through this patch: https://github.com/tenda-dev/cfssl?

I assume the mentioned code

	// initialize token communication
	priv, err = pkcs11key.New(module, tokenLabel, pin, cert.PublicKey)
	if err != nil {
		return nil, err
	}

is from https://github.com/tenda-dev/cfssl/blob/4513b7df7b567b487ba1fd1f59d48b91b1798d7a/multiroot/config/config.go#L292?
Does this code parse the configs you posted, e.g.:

[ default ]
private = pkcs11://notused
module = /usr/lib/nitrokey/libnethsm_pkcs11.so
token_label = pkcs11:object=MYKEY1;type=public
pin = ""
config = /etc/cfssl/server.json
certificate = /etc/cfssl/issuer.crt

Did you make any changes between your two posts? The error messages differ:
First Post:

[FATAL] pkcs11key: pkcs11key: opening session: pkcs11: 0x6: CKR_FUNCTION_FAILED

Second Post:

[FATAL] pkcs11key: pkcs11key: opening session: pkcs11: 0x7: CKR_ARGUMENTS_BAD

Could you provide a step-by-step manual to reproduce the mentioned behavior?

My first impression is that some PKCS#11 parameters are wrong. So in the best case only the mentioned config has to be adjusted.

@tendaworld
Author

tendaworld commented Dec 12, 2023

I was able to debug between the first and second post and found there was a wrong NetHSM URL, which I corrected.
The step to reproduce is running CFSSL from here: https://github.com/tenda-dev/cfssl, with multiroot patched to support PKCS#11, which has this mod already applied: https://github.com/ibpl/cfssl/tree/master-IB%231094763

and using roots.conf as below:
[ default ]
private = pkcs11://notused
module = /usr/lib/nitrokey/libnethsm_pkcs11.so
token_label = LocalHSM
pin = ""
config = /etc/cfssl/ca_root.config.json
certificate = /etc/cfssl/CA-ROOT.crt

p11nethsm.conf is as below:

enable_set_attribute_value: false
log_level: Debug
slots:
  - label: LocalHSM                   # Name your NetHSM however you want
    description: Local HSM (docker)   # Optional description
    operator:
      username: "xxxxxxxxx"
      password: "env:LOCALHSMPASS"
    administrator:
      username: "xxxxxxx"
      password: "xxxxxxxxxx"
    instances:
      - url: "https://nethsm:8443/api/v1"   # URL to reach the server
        certificate:
          sha256_fingerprints:
            - "D9:08xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:65:F2:CB:7E:2C:26:20"

I started CFSSL with the multirootca command:

multirootca \
  -a 0000:8080 \
  -l default \
  -roots roots.conf \
  -tls-cert server-tls.pem \
  -tls-key server-tls-key.pem

I end up with the error:
[FATAL] pkcs11key: pkcs11key: opening session: pkcs11: 0x7: CKR_ARGUMENTS_BAD

I have created the pub/priv (CA-ROOT.pem) key pair on the NetHSM using the REST API.
I used openssl to generate a CSR and its PKCS#11 engine to connect to the same NetHSM and successfully create the self-signed CA-ROOT.crt, which I imported into the NetHSM using the REST API.

I suspect the issue lies in how the CFSSL PKCS#11 driver is calling/sending instructions to the NetHSM, and without a debugger/PKCS#11 spy or something to see how it is currently implemented I'm chasing a black cat in the dark. Perhaps you can help to resolve it.
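
Two configuration checks worth running before tracing the module, as an added example (my code, not part of this thread, of CFSSL or of either fork linked above). The patched multirootca calls pkcs11key.New(module, tokenLabel, pin, cert.PublicKey), so the two inputs under the caller's control are the token label and the public key taken from the configured certificate. The example verifies that token_label is a plain token label rather than the PKCS#11 URI used in the first NetHSM config, and that the certificate carries exactly the public key the HSM exports. The roots.conf strings are abbreviated copies of the two configs posted above; the CA certificate and the "HSM public key" are generated in-process as constructed stand-ins, where a real run would read CA-ROOT.crt and the PEM public key downloaded from the NetHSM for that key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed, abbreviated copies of the two NetHSM roots.conf variants in the thread.
const rootsConfURI = `[ default ]
token_label = pkcs11:object=MYKEY1;type=public
`
const rootsConfLabel = `[ default ]
token_label = LocalHSM
`

// parseRootsConf reads multirootca's INI-style roots.conf ("[ name ]" headers, then key = value lines; quotes around a value are stripped).
func parseRootsConf(text string) map[string]map[string]string {
	conf, section := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.TrimSpace(line[1 : len(line)-1])
			conf[section] = map[string]string{}
		default:
			if k, v, ok := strings.Cut(line, "="); ok && section != "" {
				conf[section][strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
			}
		}
	}
	return conf
}

// checkTokenLabel rejects the value from the first NetHSM config: pkcs11key.New selects the slot by the
// token label the module reports (LocalHSM in p11nethsm.conf), not by a PKCS#11 URI such as "pkcs11:object=...".
func checkTokenLabel(label string) error {
	if label == "" || strings.HasPrefix(strings.ToLower(label), "pkcs11:") {
		return fmt.Errorf("token_label %q is not a token label (expected e.g. LocalHSM)", label)
	}
	return nil
}

// publicKeyMatches checks the note "issuer.crt must contain cert issued for signing key in HSM":
// pkcs11key looks the key object up by the certificate's public key, so the certificate's
// SubjectPublicKeyInfo must equal, byte for byte, the exported HSM key (a PEM "PUBLIC KEY" block).
func publicKeyMatches(certPEM, hsmPubPEM []byte) (bool, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return false, fmt.Errorf("certificate: no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return false, err
	}
	kb, _ := pem.Decode(hsmPubPEM)
	if kb == nil || kb.Type != "PUBLIC KEY" {
		return false, fmt.Errorf("hsm key: no PEM PUBLIC KEY block")
	}
	return string(cert.RawSubjectPublicKeyInfo) == string(kb.Bytes), nil
}

// newKey, selfSignedCertPEM and pubPEM produce constructed stand-ins for the HSM key pair,
// for CA-ROOT.crt and for the public key exported from the HSM; a real check reads files.
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
func selfSignedCertPEM(key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
func pubPEM(pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func main() {
	for _, conf := range []string{rootsConfURI, rootsConfLabel} {
		label := parseRootsConf(conf)["default"]["token_label"]
		fmt.Printf("token_label %q: %v\n", label, checkTokenLabel(label))
	}
	hsmKey := newKey()
	certPEM, _ := selfSignedCertPEM(hsmKey)
	same, _ := publicKeyMatches(certPEM, pubPEM(&hsmKey.PublicKey))
	diff, _ := publicKeyMatches(certPEM, pubPEM(&newKey().PublicKey))
	fmt.Println("cert matches HSM key:", same, "| cert matches an unrelated key:", diff)
}
```

On a real system, feed publicKeyMatches the contents of the file named by `certificate` in roots.conf and the PEM public key exported from the NetHSM for the signing key; a false result means pkcs11key has no object to find regardless of how the session is opened. For the call-level trace the last comment asks for, OpenSC's pkcs11-spy.so can be interposed without touching CFSSL: point `module` at the spy library and set the PKCS11SPY environment variable to the path of libnethsm_pkcs11.so, and every PKCS#11 call and its return code is logged.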
