Cannot init_token using an HSM with PED #201
Comments
I'm having the same issue. In addition, it's not recognizing that there is an initialized token in the slot, despite all other signs pointing to this being the case.
I don't have the necessary hardware to test this sadly 😢 We would need a good soul to debug this!
Seems the main difference between the login and the init function is that login has the Pin in an Option. Hardware I have that I can use to debug this is company property - so unsure how that impacts the degree of support I can provide to any debug efforts in terms of license/legal concerns.
Update: This page from Thales documentation may explain the originally posted issue: https://thalesdocs.com/gphsm/luna/7/docs/network/Content/sdk/extensions/sa_specific_cmds.htm
If the issue happens specifically with Thales Luna HSMs, we could get in contact with them for support/help too!
Issue
I cannot init_token with my HSM using cryptoki in my Rust application.
However, it works with SoftHSM2.
I also manage to init a token using my HSM client binary (not my Rust application).
Context
I'm using an HSM with a PIN Entry Device (PED) (see what is a PED).
It's a device, linked to the HSM, that requires plugging in a dongle (USB stick) for authentication.
To connect as SO, it's not possible to set a PIN. It is mandatory to use the PED.
So instead of entering a PIN on my PC, I plug a dongle on the PED to login.
For example, if I want to open a session I use this line :
NOTE: I use None to indicate to use the protected authentication path, in this case, it's the PED.
NOTE2: However, to login as UserType::User, I am allowed to set a PIN, in order to avoid using the PED. In this case, I use Some(&pin) to login as a User.
How to reproduce
If I use SoftHSM2, I indicate a pin I set beforehand (e.g. "1234") and it works perfectly. But if I use my HSM, there's no pin set for the SO, so I indicate an empty pin (e.g. "").
init_token raises a CryptokiError(Pkcs11(GeneralError)).
Expected behaviour
Indicate "" (empty) pin and init the token successfully (that's what I'm doing using the HSM client binary), or using None, like in login().