[Bug]: step-kms-plugin can't read my root-ca key when generating intermediate certificate

[Thisora]

Steps to Reproduce

Use the docker container build manually from master 1dacf50
Create a softhsm2:

Init environnement:

softhsm2-util --init-token --slot 0 --label "test"
mkdir $HOME/step-docker

Init a new CA:
docker run -it -v $HOME/step-docker:/home/step step-ca-image step ca init

Generate new certificates in the kms:

docker run -it -v /var/lib/softhsm/tokens:/var/lib/softhsm/tokens -v $HOME/step-docker:/home/step step-ca-image step kms create --json --kms "pkcs11:module-path=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so;token=test?pin-value=<NIP HERE>" "pkcs11:id=7331;object=root-ca"

Create corresponding certificate :

docker run -it -v /var/lib/softhsm/tokens:/var/lib/softhsm/tokens -v $HOME/step-docker:/home/step step-ca-image step certificate create --profile root-ca --kms "pkcs11:module-path=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so;token=test?pin-value=<NIP HERE>" --key "pkcs11:id=7331;object=root-ca" "Smallstep Root CA" certs/root_ca.crt

Then create a new intermediate key:

docker run -it -v /var/lib/softhsm/tokens:/var/lib/softhsm/tokens -v $HOME/step-docker:/home/step step-ca-image step kms create --json --kms "pkcs11:module-path=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so;token=test?pin-value=<NIP_HERE>" "pkcs11:id=7332;object=intermediate-ca"

And the following command return error:

docker run -it -v /var/lib/softhsm/tokens:/var/lib/softhsm/tokens -v $HOME/step-docker:/home/step step-ca-image step certificate create --profile intermediate-ca  --kms "pkcs11:module-path=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so;token=test?pin-value=<NIP_HERE>" --ca-key "pkcs11:id=7331" --ca certs/root_ca.crt  --key 'pkcs11:id=7332' 'My KMS Intermediate' certs/intermediate_ca.crt

The return error is :
error reading pkcs11:id=7331: no such file or directory

It seams that the ca-key is not found.

Your Environment

• OS - Ubuntu 22.04.3 LTS (jammy)

• step-ca Version - master (commit sha 1dacf50)

Expected Behavior

Generate the intermediate certificate intermediate_ca.crt

Actual Behavior

docker run -it -v /var/lib/softhsm/tokens:/var/lib/softhsm/tokens -v $HOME/step-docker:/home/step step-ca-image step certificate create --profile intermediate-ca  --kms "pkcs11:module-path=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so;token=test?pin-value=<NIP_HERE>" --ca-key "pkcs11:id=7331" --ca certs/root_ca.crt  --key 'pkcs11:id=7332' 'My KMS Intermediate' certs/intermediate_ca.crt

The return error is :
error reading pkcs11:id=7331: no such file or directory

It seams that the ca-key is not found.

Additional Context

I tried to verify key inside the softhsm:.

  pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so -l --list-objects

This give me
Using slot 0 with a present token (0x5a9cf00b)
Logging in to "test"
Please enter User PIN: 
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104aa08a7c2582f04e3f8dabe6d312e7e06282fe6b8fa3d2f4f363ba6e15609fd6f73773fa875c26b09be2d37558b0c04cb17eeed60b21e261e23690b1e1488812b
  EC_PARAMS:  06082a8648ce3d030107
  label:      intermediate-ca
  ID:         7332
  Usage:      encrypt, verify, wrap
  Access:     local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104419fb549436ce9dae9e045e1ff218f6e1525a16edb576e5a538684cd3c2ab50c9f822ef165a8d90abedd47141da3d13b01468accf926f5d1e5dbd6ac30d05960
  EC_PARAMS:  06082a8648ce3d030107
  label:      root-ca
  ID:         7331
  Usage:      encrypt, verify, wrap
  Access:     local
Private Key Object; EC
  label:      root-ca
  ID:         7331
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Private Key Object; EC
  label:      intermediate-ca
  ID:         7332
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local

We can see that keys are present.

For those who want to reproduce, i have to add a few docker instruction (for example install libsofthsm2 in the docker container).

Note

This is a PoC and it is not suppose to be secure. But if you see any security risk (except softhsm), i would be glad to read them.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[hslatman]

Hi @Thisora,

Can you try it by specifying --ca-kms in addition to --kms? That flag was added to be able to use a signing key potentially in a different KMS than the key for the certificate to be signed.

In your case you would have to use the same KMS two times. When I worked on it, I thought about falling back to the --kms flag if --ca-kms is not set, but I don't think I implemented that at the time, because I foresaw some potential issues with the SoftKMS implementation.

Also see https://github.com/smallstep/cli/blob/3f81750f9b3c58555f40601a08798a5be09bc2a2/command/certificate/create.go#L348. It was added in smallstep/cli#942.

[Thisora]

Thank you for your quick answer !
Adding --ca-kms worked !
Just to notice, i think that the documentation exemple do not work anymore.

I suggest to update the following lines of the documentation :
https://github.com/smallstep/docs/blob/a53fc14a62fc3c2826128456abeff1bff3688616/step-ca/configuration.mdx#L612
https://github.com/smallstep/docs/blob/a53fc14a62fc3c2826128456abeff1bff3688616/step-cli/reference/certificate/create/README.mdx#L439

And add the option --ca-kms.

Thanks a lot !

[joshuahigginson1]

+1 please update this in live docs!

[maraino]

cc @tashian

[tashian]

Added smallstep/docs#290