No Login on Private Key Usage

[falko-strenzke]

We observed the following behaviour in version 0.4.12 when invoking openssl dgst -engine pkcs11 -keyform engine -sign [...]

• When searching for private keys, this is done first attempted by libp11 without performing C_Login()
• If the sought private key is found in this way, signature generation is also attempted without performing C_Login()
• If C_SignInit() fails with CKR_USER_NOT_LOGGED_IN, the command fails

We found specifying "FORCE_LOGIN" in the engine section as a workaround.

However, according to our understanding, in the described case libp11 would preferably perform C_Login() after the failed call to C_SignInit() and try to call this function again.

Is this something you would put on the roadmap? Would you prefer us to propse an MR (currently not sure if we can provide that but I would check that)?

[frankmorgner]

I don't use the PKCS#11 engine myself, but looking at the source code, it seems that libp11 actually does the right thing: https://github.com/OpenSC/libp11/blob/6c96847f1f52a5ccc76e8f8d14820cc4d6af1ecb/src/eng_back.c#L199-L243

I suggest you debug that part above and especially check the reason why no login is performed on line 211. I would assume that libp11 doesn't recognize the need to login, because your slot doesn't propagate this property correctly.