CardContact / sc-hsm-embedded

PKCS#11 and CSP-Minidriver library for the SmartCard-HSM and STARCOS based signature cards
BSD 3-Clause "New" or "Revised" License

Label is always SmartCard-HSM #12

Status: closed (closed by RaymiiOrg 7 years ago)

RaymiiOrg commented 8 years ago

The HSM label is always 'SmartCard-HSM' and not the label set when initializing the HSM.

When initializing the HSM with a specific label:

sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label 'hsm2'

It is not shown as the token label:

pkcs11-tool --module /usr/lib/libsc-hsm-pkcs11.so --login --pin 648219 --list-slots

Output:

Available slots:
Slot 0 (0xd): Lenovo Integrated Smart Card Reader 03 00
  (empty)
Slot 1 (0x1): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : readonly, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 
Slot 2 (0x5): Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : readonly, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 
Slot 3 (0x9): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : readonly, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 

The OpenSC module does show the label:

Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : hsm3 (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 2.0
  serial num         : DENK0100485
Slot 1 (0x4): Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token label        : hsm2 (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 2.0
  serial num         : DENK0100436
Slot 2 (0x8): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token label        : hsm1 (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 2.0
  serial num         : DENK0100186
Slot 3 (0xc): Lenovo Integrated Smart Card Reader 03 00
  (empty)

This is problematic when using multiple HSMs with mod_nss:

certutil -d /etc/nss/db -h all -L

Output:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "SmartCard-HSM":
Enter Password or Pin for "SmartCard-HSM":
Enter Password or Pin for "SmartCard-HSM":
[...]
SmartCard-HSM:rsa2048                                        u,u,u
SmartCard-HSM:rsa2048                                        u,u,u
SmartCard-HSM:rsa2048                                        u,u,u
SmartCard-HSM:ECprime256v1                                   u,u,u
SmartCard-HSM:ECprime256v1                                   u,u,u
SmartCard-HSM:ECprime256v1                                   u,u,u
SmartCard-HSM:rsa1024                                        u,u,u
SmartCard-HSM:rsa1024                                        u,u,u
SmartCard-HSM:rsa1024                                        u,u,u

modutil -list -dbdir /etc/nss/db/

Output:

  2. hsm
  library name: /usr/lib/libsc-hsm-pkcs11.so
   slots: 4 slots attached
  status: loaded

   slot: Lenovo Integrated Smart Card Reader 03 00
  token: 

   slot: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token: SmartCard-HSM

   slot: Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token: SmartCard-HSM

   slot: Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token: SmartCard-HSM

It is impossible to select different HSMs in mod_nss now, thus not allowing for load balancing on the same host.

It's set here:

https://github.com/CardContact/sc-hsm-embedded/blob/master/src/pkcs11/token-sc-hsm.c#L1018
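NSS tools such as certutil and mod_nss address a token by its label, so the report above (three tokens, one label) cannot be resolved from the NSS side at all. The following added example is not part of the sc-hsm-embedded project: it parses the `pkcs11-tool --list-slots` output format shown in this issue and reports any token label that appears on more than one slot, which is the check an operator would run before attaching a module to an NSS database. The two sample outputs are constructed from the listings in the report; the function names are this example's own.

```python
"""Flag duplicate PKCS#11 token labels in `pkcs11-tool --list-slots` output.

Added example, not code from the sc-hsm-embedded project. NSS selects a
token by label, so two tokens with the same label are indistinguishable to
certutil and mod_nss. This parser makes that condition visible up front.
"""
import re
from collections import defaultdict

# Constructed sample: the sc-hsm-embedded module listing from the report.
SCHSM_OUTPUT = """Available slots:
Slot 0 (0xd): Lenovo Integrated Smart Card Reader 03 00
  (empty)
Slot 1 (0x1): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : readonly, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 
Slot 2 (0x5): Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  serial num         : 
Slot 3 (0x9): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  serial num         : 
"""

# Constructed sample: the OpenSC module listing from the report.
OPENSC_OUTPUT = """Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : hsm3 (UserPIN)
  token manufacturer : www.CardContact.de
  serial num         : DENK0100485
Slot 1 (0x4): Nitrokey Nitrokey HSM (010000000000000000000000) 01 00
  token label        : hsm2 (UserPIN)
  token manufacturer : www.CardContact.de
  serial num         : DENK0100436
Slot 2 (0x8): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
  token label        : hsm1 (UserPIN)
  token manufacturer : www.CardContact.de
  serial num         : DENK0100186
Slot 3 (0xc): Lenovo Integrated Smart Card Reader 03 00
  (empty)
"""

SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
FIELD_RE = re.compile(
    r"^\s+(token label|token manufacturer|token model|token flags|"
    r"hardware version|firmware version|serial num)\s*:\s*(.*)$"
)


def parse_list_slots(text):
    """Return one dict per slot: 'slot', 'id', 'reader', plus any token fields.

    An '(empty)' slot gets 'empty': True and no token fields.
    """
    slots = []
    current = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = {"slot": int(m.group(1)), "id": m.group(2), "reader": m.group(3).strip()}
            slots.append(current)
            continue
        if current is None:
            continue  # header lines before the first slot
        if line.strip() == "(empty)":
            current["empty"] = True
            continue
        f = FIELD_RE.match(line)
        if f:
            current[f.group(1)] = f.group(2).strip()  # empty value stays ""
    return slots


def duplicate_labels(slots):
    """Map each token label used by more than one slot to the slot numbers using it."""
    by_label = defaultdict(list)
    for s in slots:
        label = s.get("token label")
        if label:
            by_label[label].append(s["slot"])
    return {label: nums for label, nums in by_label.items() if len(nums) > 1}


if __name__ == "__main__":
    for name, text in (("sc-hsm-embedded", SCHSM_OUTPUT), ("OpenSC", OPENSC_OUTPUT)):
        dups = duplicate_labels(parse_list_slots(text))
        status = "OK: labels unique" if not dups else f"WARNING: duplicate labels {dups}"
        print(f"{name}: {status}")
```

Run on the sc-hsm-embedded listing the script reports SmartCard-HSM on slots 1, 2 and 3; on the OpenSC listing it reports nothing, because that module surfaces the per-card labels hsm1, hsm2 and hsm3. When the check fires, the only reliable selector left is the slot description (reader name plus index), which is what the per-slot NSS database workaround in this thread relies on.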

RaymiiOrg commented 8 years ago

The workaround I now use is three different NSS databases with the specific slot enabled, since that is unique.

CardContact commented 8 years ago

The module does not support reading the label yet. I will have to add that once I'm back from vacation.

Andreas

Sent from my iPhone 7

On 15.07.2016 at 18:17, Raymii notifications@github.com wrote:


RaymiiOrg commented 8 years ago

That would be nice, thank you. Also, enjoy your holiday!

CardContact commented 7 years ago

Added in b8fce0c