PKCS11 not working on mender client with TPM

I tried to configure a client to use a private key stored inside a TPM. In order to get the URI of the private key, I used p11tool. The result is the following.

root@nano-iot:~/tpm2_ptool/tpm2-pkcs11/tools# p11tool --provider='/usr/local/lib/libtpm2_pkcs11.so' --list-all "$token" --login
Token 'my first token' with URL 'pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;token=my%20first%20token' requires user PIN
Enter PIN: 
WARNING: Needed CKA_VALUE but didn't find encrypted blob
Object 0:
	URL: pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;token=my%20first%20token;id=%22%24;object=myrsakey;type=public
	Type: Public key (RSA-2048)
	Label: myrsakey
	Flags: CKA_NEVER_EXTRACTABLE; 
	ID: 22:24

Object 1:
	URL: pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;token=my%20first%20token;id=%22%24;object=myrsakey;type=private
	Type: Private key (RSA-2048)
	Label: myrsakey
	Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE; 
	ID: 22:24

With this URL I edit the mender.conf file located in /etc/mender the following way.

{
  "ServerURL": "https://my_server.org",
  "ServerCertificate": "/etc/mender/server.crt",
  "HttpsClient": {
        "Certificate": "/etc/mender/Nano.pem",
        "Key": "pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;token=my%20first%20token;id=%22%24;object=myrsakey;type=private;pin-value=myuserpin",
        "SSLEngine": "pkcs11"
    }
}

Then I restart the mender client using service mender-client restart and the client doesn’t connect. In the journalctl the following can be seen.

ene 26 18:20:09 nano-iot mender[5176]: PKCS11_get_private_key returned NULL
ene 26 18:20:09 nano-iot mender[5176]: Failed to enumerate slots
ene 26 18:20:09 nano-iot mender[5176]: Failed to enumerate slots

I then try with the following mender.conf.

{
  "ServerURL": "https://my_server.org",
  "ServerCertificate": "/etc/mender/server.crt",
  "HttpsClient": {
        "Certificate": "/etc/mender/Nano.pem",
        "Key": "pkcs11:module-path=/usr/local/lib/libtpm2_pkcs11.so;model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;slot-id=0;token=my%20first%20token;id=%22%24;object=myrsakey;type=private;pin-value=myuserpin",
        "SSLEngine": "pkcs11"
    }
}

And I get exactly the same result.

Is there anything that I’m missing?

Best,

I found something interesting on this. After a lot of investigation, I’ve seen that the issue should be on how the daemon is launched by systemd. If I launch the mender client manually the error does not appear.

Do you have any insight on this or how to solve it?

Best,

Hi @sandevins were you able to resolve this?

Hi @oleorhagen,

Yes, the problem is related to the environment variable OPENSSL_CONF when the process is launched by systemd.

You have to add a line in the /usr/lib/systemd/system/mender-client.service file under the [Service] section with the following content.

Environment="OPENSSL_CONF=<PATH_TO_OPENSSL_CONF>"

I hope this helps.

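The fix above depends on two files reaching the service: an OpenSSL configuration that registers the pkcs11 engine, and a systemd unit setting that makes OPENSSL_CONF point at it. The following shell script, added here as an example and not taken from the thread or from the Mender project, writes both and shows how to verify them on the device. It assumes the libp11 engine library lives at /usr/lib/engines-1.1/libpkcs11.so, that the PKCS#11 module is the libtpm2_pkcs11.so used with p11tool above, and that the configuration is stored at /etc/ssl/pkcs11-engine.cnf; all three are assumptions, not facts from the page. It uses a drop-in under /etc/systemd/system instead of editing the packaged unit under /usr/lib, so a package upgrade does not silently undo the change. By default it writes into a scratch directory so it can be dry-run anywhere; run it with DEST set to an empty string on the device to write the real paths.

```shell
#!/bin/sh
# Added example: make the pkcs11 engine configuration reach a
# systemd-started mender-client. Not code from the original thread.
#
# Assumed paths (not stated on the page):
#   ENGINE_SO  - libp11's OpenSSL 1.1 pkcs11 engine
#   MODULE_SO  - the PKCS#11 module, here the tpm2-pkcs11 library from p11tool
#   CONF_PATH  - where the OpenSSL engine configuration is stored on the device
set -eu

ENGINE_SO="${ENGINE_SO:-/usr/lib/engines-1.1/libpkcs11.so}"
MODULE_SO="${MODULE_SO:-/usr/local/lib/libtpm2_pkcs11.so}"
CONF_PATH="/etc/ssl/pkcs11-engine.cnf"
DROPIN_PATH="/etc/systemd/system/mender-client.service.d/openssl.conf"
# DEST defaults to a scratch directory so the script is safe to dry-run.
# On the device run with DEST="" (explicitly empty) to write under /.
DEST="${DEST-$(mktemp -d)}"

# 1. OpenSSL config that loads the pkcs11 engine and tells it which
#    PKCS#11 module to use. If OPENSSL_CONF does not name this file, the
#    engine has no MODULE_PATH and slot enumeration fails.
write_openssl_engine_conf() {
    out="$1"; engine_so="$2"; module_so="$3"
    mkdir -p "$(dirname "$out")"
    cat > "$out" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $module_so
init = 0
EOF
}

# 2. systemd drop-in. systemd starts services with a clean environment,
#    so a variable exported in a root shell never reaches the daemon;
#    it has to be declared in the unit.
write_systemd_dropin() {
    out="$1"; conf_path="$2"
    mkdir -p "$(dirname "$out")"
    cat > "$out" <<EOF
[Service]
Environment="OPENSSL_CONF=$conf_path"
EOF
}

# Returns 0 if the drop-in declares OPENSSL_CONF pointing at the given file.
dropin_sets_openssl_conf() {
    grep -qx "Environment=\"OPENSSL_CONF=$2\"" "$1"
}

# 3. On the device only: reload units, confirm systemd will pass the
#    variable, and prove the engine loads with that config (not just in
#    an interactive shell where OPENSSL_CONF happened to be exported).
verify_on_device() {
    systemctl daemon-reload
    systemctl show -p Environment mender-client
    OPENSSL_CONF="$1" openssl engine -t -c pkcs11
    systemctl restart mender-client
}

write_openssl_engine_conf "$DEST$CONF_PATH" "$ENGINE_SO" "$MODULE_SO"
write_systemd_dropin "$DEST$DROPIN_PATH" "$CONF_PATH"
echo "wrote $DEST$CONF_PATH and $DEST$DROPIN_PATH"
# On the device, follow up with: verify_on_device "$CONF_PATH"
```

The drop-in refers to the real path /etc/ssl/pkcs11-engine.cnf even in a dry run, since that is what the service will read once the files are copied into place. `openssl engine -t -c pkcs11` is the quickest check that the engine and module load under the same OPENSSL_CONF the unit uses; if it reports the engine as unavailable, the `Failed to enumerate slots` message in journalctl is expected.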

Yes, systemd's environment is clean by default :smile_cat:

I’m glad you were able to resolve it.

I'm still curious: which version of OpenSSL are you using, and which PKCS#11 provider?

I'm pretty sure the OpenSSL version is 1.1.1k. The PKCS#11 provider we used was KeyConnect by Gradiant, to provide some crypto-agility to the architecture.
