Closed RaymiiOrg closed 7 years ago
The workaround I now use is three different NSS databases with the specific slot enabled, since that is unique.
The module does not support reading the label yet. I will have to add that once I'm back from vacation.
Andreas
Sent from my iPhone 7
On 15.07.2016 at 18:17, Raymii notifications@github.com wrote:
The HSM label is always 'SmartCard-HSM' and not the label set when initializing the HSM.
When initializing the HSM with a specific label:
```
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label 'hsm2'
```

It is not shown as the token label:

```
pkcs11-tool --module /usr/lib/libsc-hsm-pkcs11.so --login --pin 648219 --list-slots
```

Output:

```
Available slots:
Slot 0 (0xd): Lenovo Integrated Smart Card Reader 03 00
  (empty)
Slot 1 (0x1): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : readonly, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         :
Slot 2 (0x5): Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : readonly, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         :
Slot 3 (0x9): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : readonly, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         :
```

The OpenSC module does show the label:

```
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : hsm3 (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 2.0
  serial num         : DENK0100485
Slot 1 (0x4): Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token label        : hsm2 (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 2.0
  serial num         : DENK0100436
Slot 2 (0x8): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token label        : hsm1 (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 2.0
  serial num         : DENK0100186
Slot 3 (0xc): Lenovo Integrated Smart Card Reader 03 00
  (empty)
```

This is problematic when using multiple HSMs with mod_nss:

```
certutil -d /etc/nss/db -h all -L
```

Output:

```
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "SmartCard-HSM":
Enter Password or Pin for "SmartCard-HSM":
Enter Password or Pin for "SmartCard-HSM":
[...]
SmartCard-HSM:rsa2048                                        u,u,u
SmartCard-HSM:rsa2048                                        u,u,u
SmartCard-HSM:rsa2048                                        u,u,u
SmartCard-HSM:ECprime256v1                                   u,u,u
SmartCard-HSM:ECprime256v1                                   u,u,u
SmartCard-HSM:ECprime256v1                                   u,u,u
SmartCard-HSM:rsa1024                                        u,u,u
SmartCard-HSM:rsa1024                                        u,u,u
SmartCard-HSM:rsa1024                                        u,u,u
```

```
modutil -list -dbdir /etc/nss/db/
```

Output:

```
hsm
  library name: /usr/lib/libsc-hsm-pkcs11.so
  slots: 4 slots attached
  status: loaded

  slot: Lenovo Integrated Smart Card Reader 03 00
  token:

  slot: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token: SmartCard-HSM

  slot: Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token: SmartCard-HSM

  slot: Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token: SmartCard-HSM
```

It is impossible to select different HSMs in mod_nss now, thus not allowing for load balancing on the same host.
It's set here:
https://github.com/CardContact/sc-hsm-embedded/blob/master/src/pkcs11/token-sc-hsm.c#L1018
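The collision described in the issue is easy to miss when a host carries several tokens, so here is a small checker for it. This is an added example, not code from the sc-hsm-embedded project or from either participant: it parses `pkcs11-tool --list-slots` output, reports any token label shared by more than one slot, and for each populated slot prints the safest way to address it (the label when it is unique, the slot id when it is not, which is the workaround used above). Both listings are constructed after the ones in the thread: `SC_HSM_LISTING` mirrors the libsc-hsm-pkcs11.so output with every HSM labelled `SmartCard-HSM`, `OPENSC_LISTING` mirrors the OpenSC output with the real labels. The `--slot` and `--token-label` selectors are real pkcs11-tool options; the function names are mine.

```python
"""Flag duplicate PKCS#11 token labels in `pkcs11-tool --list-slots` output.

Added example, not part of sc-hsm-embedded. The sample listings below are
constructed after the issue's own output (fields abbreviated where they do
not matter for the check).
"""
import re
from collections import defaultdict

# Constructed: three Nitrokey HSMs behind libsc-hsm-pkcs11.so, all labelled alike.
SC_HSM_LISTING = """\
Available slots:
Slot 0 (0xd): Lenovo Integrated Smart Card Reader 03 00
  (empty)
Slot 1 (0x1): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : readonly, login required, PIN initialized, token initialized
  serial num         :
Slot 2 (0x5): Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token label        : SmartCard-HSM
  token model        : SmartCard-HSM
Slot 3 (0x9): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token label        : SmartCard-HSM
  token model        : SmartCard-HSM
"""

# Constructed: the same hardware seen through the OpenSC module, real labels visible.
OPENSC_LISTING = """\
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : hsm3 (UserPIN)
  token model        : PKCS#15 emulated
  serial num         : DENK0100485
Slot 1 (0x4): Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token label        : hsm2 (UserPIN)
  token model        : PKCS#15 emulated
  serial num         : DENK0100436
Slot 2 (0x8): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token label        : hsm1 (UserPIN)
  token model        : PKCS#15 emulated
  serial num         : DENK0100186
Slot 3 (0xc): Lenovo Integrated Smart Card Reader 03 00
  (empty)
"""

SLOT_RE = re.compile(r"^Slot\s+(\d+)\s+\((0x[0-9a-fA-F]+)\):\s*(.*)$")
FIELD_RE = re.compile(r"^\s+([a-z ]+?)\s*:\s*(.*)$")


def parse_list_slots(text):
    """Return one dict per slot: index, numeric slot id, reader description,
    and a 'token' dict of the indented fields (None for an empty reader)."""
    slots, current = [], None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "id": int(m.group(2), 16),
                       "description": m.group(3).strip(), "token": None}
            slots.append(current)
            continue
        if current is None or line.strip() == "(empty)":
            continue
        m = FIELD_RE.match(line)
        if m:
            if current["token"] is None:
                current["token"] = {}
            current["token"][m.group(1).strip()] = m.group(2).strip()
    return slots


def label_collisions(slots):
    """Map each token label used by more than one slot to the slot ids carrying it."""
    by_label = defaultdict(list)
    for s in slots:
        if s["token"]:
            by_label[s["token"].get("token label", "")].append(s["id"])
    return {label: ids for label, ids in by_label.items() if len(ids) > 1}


def token_selectors(slots):
    """For every populated slot, the pkcs11-tool selector that addresses it
    unambiguously: --token-label when the label is unique, otherwise --slot
    with the (decimal) slot id, which is unique even when labels collide."""
    dup = label_collisions(slots)
    out = []
    for s in slots:
        if not s["token"]:
            continue
        label = s["token"].get("token label", "")
        sel = f"--slot {s['id']}" if label in dup else f"--token-label '{label}'"
        out.append((s["id"], sel))
    return out


if __name__ == "__main__":
    for name, listing in (("sc-hsm-embedded", SC_HSM_LISTING), ("OpenSC", OPENSC_LISTING)):
        slots = parse_list_slots(listing)
        print(f"{name}: duplicate labels = {label_collisions(slots) or 'none'}")
        for slot_id, sel in token_selectors(slots):
            print(f"  slot 0x{slot_id:x}: {sel}")
```

Run against the first listing the script reports `SmartCard-HSM` on slot ids 1, 5 and 9 and falls back to `--slot` for all three; against the OpenSC listing every token keeps its own label and can be selected by name. Until the module reports the real label, a per-slot selection (or, as in the workaround above, a separate NSS database per slot) is the only way to tell the three HSMs apart.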
That would be nice, thank you. Also, enjoy your holiday!
Added in b8fce0c