Fedict / eid-mw

eID Middleware (main repository)
GNU Lesser General Public License v3.0

PyKCS11 #118

Closed linuxunderground closed 4 years ago

linuxunderground commented 4 years ago

Hi all,

eid-mw-4.4.* (libbeidpkcs11) works fine with PyKCS11: you can try it with the simple python script here https://github.com/linuxunderground/eid-mw-sdk-python.

But with the new eid-mw-5.0.*, the python script does not work anymore: the token is never found...

-- Vincent

yoe commented 4 years ago

This appears to be due to a bug in PyKCS11, and the change from PKCS#11 v2.11 (in eid-mw-4.4) to PKCS#11 v2.40 (in eid-mw-5.0, as required for the support of ECDSA keys).

The 2.40 version of the PKCS#11 standard has the following to say about C_GetSlotList():

The set of slots accessible through a Cryptoki library is checked at the time that
C_GetSlotList, for list length prediction (NULL pSlotList argument) is called.

(in the definition of C_GetSlotList on page 72)

Note that this behavior is different in version 2.11 of the PKCS#11 standard.

PyKCS11 appears to never call C_GetSlotList with a NULL list at all. Since version 5.0 of the eID middleware initializes the list of slots when C_GetSlotList() is called with a NULL list (and not at C_Initialize time), which is a valid way of doing so that also speeds up processing as it avoids a double initialization, this means that with PyKCS11 the slots are never initialized and hence no slots can be found (regardless of whether they have a token or not).

While it might be possible to implement a workaround in the eID middleware for this issue, it is really a bug in the handling of C_GetSlotList in PyKCS11, and this issue should be fixed there. Hence, closing this issue -- but feel free to reopen if I missed something that would make it our fault.
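The interoperability problem described in this thread, as an added Python model that is not code from PyKCS11 or eid-mw: a PKCS#11 v2.40-style module that only builds its slot table on the NULL-pSlotList call, queried once with a single preallocated-buffer call and once with the conforming two-call sequence. The module class, the client helpers and the hardware slot IDs are all constructed for this illustration; only the return-code values come from the PKCS#11 headers.

```python
# Added illustration (not eid-mw or PyKCS11 code). Models a PKCS#11 v2.40 module
# that refreshes its slot table only when C_GetSlotList() is called with a NULL
# pSlotList, i.e. the "list length prediction" call the spec describes.

CKR_OK = 0x000
CKR_BUFFER_TOO_SMALL = 0x150  # value as defined in pkcs11t.h


class LazySlotModule:
    """Hypothetical module: the slot table is (re)built only on a NULL-list call."""

    def __init__(self, hardware_slots):
        self._hardware = list(hardware_slots)  # constructed: slots a reader is attached to
        self._slots = []                       # stays empty until the first NULL call

    def C_GetSlotList(self, token_present, slot_list, count):
        # `count` is a one-element list standing in for CK_ULONG_PTR pulCount.
        # `token_present` is ignored here; the model only shows the init timing.
        if slot_list is None:
            self._slots = list(self._hardware)  # the v2.40 "checked at this call" step
            count[0] = len(self._slots)
            return CKR_OK
        if count[0] < len(self._slots):
            count[0] = len(self._slots)         # tell the caller how much room is needed
            return CKR_BUFFER_TOO_SMALL
        slot_list[:len(self._slots)] = self._slots
        count[0] = len(self._slots)
        return CKR_OK


def get_slots_single_call(mod, max_slots=16):
    """The pattern the thread attributes to PyKCS11: one call with a preallocated buffer."""
    buf, count = [0] * max_slots, [max_slots]
    rv = mod.C_GetSlotList(True, buf, count)
    if rv != CKR_OK:
        raise RuntimeError(f"C_GetSlotList failed: 0x{rv:03x}")
    return buf[:count[0]]


def get_slots_two_call(mod):
    """The conforming pattern: NULL list first to size the table, then a sized buffer."""
    count = [0]
    rv = mod.C_GetSlotList(True, None, count)
    if rv != CKR_OK:
        raise RuntimeError(f"C_GetSlotList(NULL) failed: 0x{rv:03x}")
    buf = [0] * count[0]
    rv = mod.C_GetSlotList(True, buf, count)
    if rv != CKR_OK:
        raise RuntimeError(f"C_GetSlotList(buf) failed: 0x{rv:03x}")
    return buf[:count[0]]
```

Against a fresh module the single-call client sees no slots at all, while the two-call client sees both; once the NULL call has run, even the single-call pattern finds them, which is why a module that initializes at C_Initialize time (v2.11 behaviour) masked the client bug.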