Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot init_token using an HSM with PED #201

Open
Tartopoms opened this issue Feb 28, 2024 · 5 comments
Open

Cannot init_token using an HSM with PED #201

Tartopoms opened this issue Feb 28, 2024 · 5 comments

Comments

@Tartopoms
Copy link

Issue

I cannot init_token with my HSM using cryptoki in my Rust application.
However, it works with SoftHSM2.
I also manage to init a token using my HSM client binary (not my Rust application).

Context

I'm using an HSM with a PIN Entry Device (PED) (see what is a PED).

It's a device, linked to the HSM, that requires to plug dongle (USB stick) for authentification.
To connect as SO, it's not possible to set a PIN. It is mandatory to use the PED.
So instead of entering a PIN on my PC, I plug a dongle on the PED to login.

For example, if I want to open a session I use this line :

let session = pkcs11.open_rw_session(slot)?;
session.login(UserType::So, None)?

NOTE: I use None to indiacte to use the protected authentication path, in this case, it's the PED.
NOTE2: However, to login as UserType::User, I am allowed to set a PIN, in order to avoid using the PED. In this case, I use Some(&pin) to login as a User.

How to reproduce

If I use SoftHSM2, I indicate a pin I set beforehand (eg. "1234") and it works perfectly. But if I use my HSM, there's not pin set for the SO, so I indicate en empty pin (eg. "").

let slot = pkcs11.get_slots_with_initialized_token()?[0];
let pin = AuthPin::new(String::from(""));
pkcs11.init_token(slot, &pin, "reinitialized")?;

init_token raises a CryptokiError(Pkcs11(GeneralError)).

Expected behaviour

Indicate "" (empty) pin and init the token successfully (that's what I'm doing using the HSM client binary), or using None, like in login().

@jaeparker22
Copy link

I'm having the same issue. In addition, it's not recognizing that there is an initialized token in the slot, despite all other signs pointing to this being the case

@hug-dev
Copy link
Member

hug-dev commented Feb 27, 2025

I don't have the necessary hardware to test this sadly 😢 We would need a good soul to debug this!

@jaeparker22
Copy link

Seems the main difference between the login and the init function is that login has the Pin in an Option. Hardware I have that I can use to debug this is company property - so unsure how that impacts the degree of support I can provide to any debug efforts in terms of license/legal concerns.

@jaeparker22
Copy link

Update: This page from Thales documentation may explain originally posted issue

https://thalesdocs.com/gphsm/luna/7/docs/network/Content/sdk/extensions/sa_specific_cmds.htm

@hug-dev
Copy link
Member

hug-dev commented Feb 28, 2025

If the issue happens specifically with Thales Luna HSMs, we could take contact with them for support/help too!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants