TLS 1.3 offload to PKCS11 Provider

[sahilnxp]

Had a look at #216
A test to exercise full TLS connection was added in this, looks like we have the Key and Certificates stored in PKCS#11 Token.
If I understood correctly Signing operation with the Key stored in Token will be done by the PKCS#11 implementation.

Apart from this signing, can you please tell me which operations are offloaded to PKCS#11 Provider in Full TLS connection?
Is TLS1.3 Session key derivation is also offloaded to the PKCS#11 implementation?
If yes, Which API is responsible for session key derivation?

@simo5 Can you please look at this?

[simo5]

OpenSSL avoids offloading any operation unless it is forced (key only available in provider) or is explicitly instructed to do so via properties.

So by default and in current tests only the Signature operation is offloaded.

That said, PKCS#11 does define a bunch of KDFs for TLS, but pkcs11-provider does not yet wrap all of them.

I am not sure there is a way to tell OpenSSL to offload just the KDFs, you may have to try to offload everything to the token via a default property that applies to all operations. That may or not be desirable.

[sahilnxp]

That said, PKCS#11 does define a bunch of KDFs for TLS, but pkcs11-provider does not yet wrap all of them.

Ok, can you please tell which KDFs pkcs11-provider currently wraps?

I am not sure there is a way to tell OpenSSL to offload just the KDFs, you may have to try to offload everything to the token via a default property that applies to all operations. That may or not be desirable

Hmm, that needs to be thought, but do you have an example which we can refer for defining a default property that applies to all operations ?

Openssl gives a way to offload the TLS PRF functions to HW crypto, using engines but don't know about the providers.

[simo5]

That said, PKCS#11 does define a bunch of KDFs for TLS, but pkcs11-provider does not yet wrap all of them.

Ok, can you please tell which KDFs pkcs11-provider currently wraps?

Only HKDF so far:
https://github.com/latchset/pkcs11-provider/blob/main/src/kdf.h

I am not sure there is a way to tell OpenSSL to offload just the KDFs, you may have to try to offload everything to the token via a default property that applies to all operations. That may or not be desirable

Hmm, that needs to be thought, but do you have an example which we can refer for defining a default property that applies to all operations ?

you can set default property of provider=pkcs11 in the confgi file or pass it via -propq on command line utilties.

Openssl gives a way to offload the TLS PRF functions to HW crypto, using engines but don't know about the providers.

See above.
The kdfs openssl support from providers are:

• hkdf
• hmacdrbg
• kbkdf
• krb5kdf
• pbkdf2
• pkcs12kdf
• pvkkdf
• scrypt
• sshkdf
• sskdf
• tls1_prf
• x492kdf

So far we wired only the first one, it is not hard to do many of others (where there is a pkcs#11 spec that covers them), we just haven't done it yet.

[kshitizvars]

This is how our openssl.cnf looks like with pkcs11-provider related changes:-

[openssl_init]
providers = provider_sect
 
# List of providers to load
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
 
[default_sect]
activate = 1
[pkcs11_sect]
module = /usr/lib/pkcs11.so
pkcs11-module-path = /usr/lib/libckteec.so.0
pkcs11-module-cache-keys = false
pkcs11-module-quirks = no-operation-state
activate = 1

Can you please point out where exactly we need to add and what needs to be added?

[simo5]

Checkout the "EVP Configuration" section in the openssl.cnf manpage

[kshitizvars]

Hi

This is my openssl.cnf after applying EVP configuration:-

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

# List of providers to load
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1
[pkcs11_sect]
module = /usr/lib/pkcs11.so
pkcs11-module-path = /usr/lib/libckteec.so.0
pkcs11-module-cache-keys = false
pkcs11-module-quirks = no-operation-state
activate = 1

[algorithm_sect]
default_properties = ?provider=pkcs11

Server side command:-
openssl s_server -key "pkcs11:model=OP-TEE%20TA;manufacturer=Linaro;serial=0000000000000000;token=kshitiz_test;id=%02;object=ecc-key-521;type=private?pin-value=1234" -cert req_client.crt -accept 443 -Verify 3 -named_curve secp521r1 -ciphersuites 'TLS_AES_256_GCM_SHA384' -tls1_3

Client side command:-
./openssl s_client -connect 10.232.132.242:443 -tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384' -cert server.crt -key server.key -CAfile ../ca.crt

Error recieved on server side:-

verify depth is 3, must return a certificate
Using default temp DH parameters
ACCEPT
ERROR
20904DB5FFFF0000:error:40800007:pkcs11:p11prov_common_gen_init:Invalid or improper arguments were provided to the invoked function:/usr/src/debug/pkcs11-provider/0.3/src/keymgmt.c:150:Unsupported selection
20904DB5FFFF0000:error:03000086:digital envelope routines:gen_init:initialization error:/usr/src/debug/openssl/3.2.1/crypto/evp/pmeth_gn.c:52:
20904DB5FFFF0000:error:0A00013A:SSL routines:tls_parse_ctos_key_share:unable to find ecdh parameters:/usr/src/debug/openssl/3.2.1/ssl/statem/extensions_srvr.c:684:

Am I doing something wrong here? And one more thing, that if we are able to reach to optee in sign verification operation without applying EVP configuration change, so why this change is required for exchange operation? Any specific reason?

[simo5]

Not your fault, please open a feature request
You hit an unimplemented Keymgmt feature we need to add to make this work via a token.

[simo5]

I actually opened #395