Closed mirozitnansky closed 7 years ago
@mirozitnansky Can we close this issue now?
@mtrojnar, I am sorry I didn't have time to test it earlier. It is working now as expected in FIPS and default mode, always asking for pin. Once again, thank you very much for you support and all effort you are putting into this.
First of all, you are doing great job guys, many thanks for time and energy you are putting into this project.
I am pretty noob with pkcs11 stuff, so please have patience with me. I spent quite some time trying to implement OpenSSL certification authority based on Sefenet HSM module which should store CA private keys. CA key is than used for singing client/server certificates. Using libp11 as OpenSSL engine, configured with pkcs11 lib supplied with HSM, I was able to make OpenSSL work correctly... on some conditions. Our HSM can work in few modes. Safenet's default (we are currently using this mode), FIPS-140 and others. We are planning to switch our device from current, default mode, into FIPS-140 mode. This means, among other things, device will be switched to No Public Crypto mode – user have to be always logged into token, if he is going to use key for crypto operation. In current mode, there no need to be logged in token to do the sign operation in OpenSSL. On the other hand, object in token can be public or private (I am not reffering to RSA pulic/private key). Private objects are only accessible after loggin in.
First problem I encountered lied on having private object while disabled No Public Crypto flag. Then even if I try to set pin for token, engine won’t log in and simply says there is no such object (because it was set private).
I have pkcs11 communication logged so pc_private_list.txt is list using safenet utility.
and pc_private_sign.txt is OpenSSL sign attempt which end up failed:
In this case, I assume, if OpenSSL logged into token, sing operation would worked fine. So I set No public crypto flag to true, OpenSSL logs in correctly, finds private key and do the sing operation. Npc_private_sign.txt
Second thing, it seems to me, is some lack of implementation on side of Safenet. It looks like, they have not implemented CKU_CONTEXT_SPECIFIC user type in pkcs11 at all. When I have set No public crypto true, but my object is Public, OpenSSL finds it, then request pin (ignoring pin in URL), but then sing fails on
This seems to be a problem in pkcs11 log Npc_publicobj_sign.txt:
As I mentioned before, we plan to switch mode of our device to FIPS (with No public crypto flag), and we have public objects in token, so after switch we won’t be able to use them, because sing will fail as in previous case. If I am able to force login into token as standard user, crypto operations shoud work correctly even after mode switch. I noticed _Missing CKA_ALWAYSAUTHENTICATE attribute message in OpenSSL operations, but I am not sure if this has something to do with my situation.
All tests I am doing, are done on software HSM emulation, but hardware HSM works the same. Do you think, if is there any way to overcome this user type invalid issue?
Thanks in advance. If there is any test/log I can provide, I'll be happy to.