alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

PIN from config for batch operation with HSM. #36

Closed psztoch closed 2 years ago

alonbl commented 2 years ago

Hi, please explain why you can't perform the same with a custom pinentry program. Thanks,

psztoch commented 2 years ago

Custom pinentry is not compatible with normal pinentry. The simultaneous use of normal keys and PKCS#11 is essential for me. In addition, each HSM slot has a different password.

alonbl commented 2 years ago

Consider using a different GNUPGHOME environment to select what configuration you would like to use, so you can have both PKCS#11 setup and normal setup.

Neither pkcs11-helper nor gnupg-pkcs11 cache PINs in memory. Even p11-kit does not have static configuration for PIN.

psztoch commented 2 years ago

The cryptographic material is safe in the HSM. To use it, you need to enter the password (pin) and if it is to be done without the user's intervention, you need to save the password somewhere. Custom pinentry is an uncertain solution and cannot be used in complex implementations.

GPG has a very effective in-memory password caching mechanism, but it is not usable for PKCS#11. I have been using it for many years, but the need to use HSM forces me to use your software.

My proposal is an additional option; no one has to use it if they are concerned about security.

alonbl commented 2 years ago

Please try the pincache branch with gnupg-2.3; please notice you need to enable the use-gnupg-pin-cache configuration option, as it breaks gnupg-2.2. It should work with the preset; the id is the pkcs11-helper token id (what resides between the '()' when you are prompted).
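
As an added example (not code from gnupg-pkcs11-scd, and not posted by anyone in this thread), the POSIX shell script below puts both pieces of advice above into practice: a separate GNUPGHOME wired to gnupg-pkcs11-scd, as suggested earlier in the thread, plus a PIN preset into gpg-agent's cache under the pkcs11-helper token id for batch use with gnupg 2.3. The binary and provider-library paths, the sample prompt line, the helper names, the provider alias "hsm" and the cache TTL are assumptions; use-gnupg-pin-cache is the option named in this thread and is assumed to live in gnupg-pkcs11-scd.conf, while allow-preset-passphrase, max-cache-ttl and gpg-preset-passphrase are standard gpg-agent features.

```shell
#!/bin/sh
# Added example, not part of gnupg-pkcs11-scd: an isolated GNUPGHOME for the
# HSM plus a PIN preset keyed by the pkcs11-helper token id (gnupg >= 2.3).
# Paths, the provider alias "hsm", the TTL and the sample prompt are assumptions.
set -eu

# Create an isolated GnuPG home that routes card operations to gnupg-pkcs11-scd.
# $1 = directory, $2 = PKCS#11 provider library (assumed path)
setup_pkcs11_home() {
    dir=$1
    lib=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    # gpg-agent: swap scdaemon for gnupg-pkcs11-scd and accept presets.
    # Presets honour max-cache-ttl, so raise it for long batch runs.
    cat > "$dir/gpg-agent.conf" <<EOF
scdaemon-program ${GNUPG_PKCS11_SCD:-/usr/bin/gnupg-pkcs11-scd}
allow-preset-passphrase
max-cache-ttl 86400
EOF
    # gnupg-pkcs11-scd: which provider to load, and the thread's pin-cache option
    # (assumed to be set in this file; check the release's example config).
    cat > "$dir/gnupg-pkcs11-scd.conf" <<EOF
providers hsm
provider-hsm-library $lib
use-gnupg-pin-cache
EOF
    chmod 600 "$dir/gpg-agent.conf" "$dir/gnupg-pkcs11-scd.conf"
}

# The preset id is the pkcs11-helper token id, i.e. the text between the
# parentheses of the PIN prompt. Takes everything from the first '(' to the
# last ')' so a token label containing parentheses still survives.
# $1 = prompt line as shown by pinentry
token_id_from_prompt() {
    printf '%s\n' "$1" | sed 's/^[^(]*(//; s/)[^)]*$//'
}

# Load a PIN from a mode-0600 file into gpg-agent's cache under the token id.
# The PIN never appears on a command line or in shell history.
# $1 = GNUPGHOME, $2 = token id, $3 = PIN file (single line)
preset_token_pin() {
    home=$1
    id=$2
    pinfile=$3
    preset="$(GNUPGHOME=$home gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
    GNUPGHOME=$home "$preset" --preset "$id" < "$pinfile"
}

# Typical batch flow (not run here): the plain ~/.gnupg stays untouched.
#   setup_pkcs11_home /srv/gpg-hsm /usr/lib/softhsm/libsofthsm2.so
#   id=$(token_id_from_prompt "$(cat /srv/gpg-hsm/last-prompt.txt)")
#   preset_token_pin /srv/gpg-hsm "$id" /etc/hsm/batch-signer.pin
#   GNUPGHOME=/srv/gpg-hsm gpg --batch --detach-sign release.tar
```

A preset survives only until max-cache-ttl expires or the agent is restarted or reloaded, so a batch job should re-run the preset step after any agent restart. The PIN file should be owned by the batch user with mode 0600 and kept out of logs, and each HSM slot with its own PIN gets its own preset under its own token id.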

psztoch commented 2 years ago

Ok. Thx. I will try it. But I have another problem:

gpg-agent after 1-2 hours (continuous work with a constant PID) reports a different SERIALNO, and any gpg operation forces the "Please remove the current card and insert the one with serial number:" message.

After gpg-connect-agent "KILLAGENT" SERIALNO is reported properly and all works like a charm.

alonbl commented 2 years ago

Please do not mix discussions. Open a new issue. Try to debug; I cannot understand how a different serial is reported. Debug the get_serial_of_tokenid function.

alonbl commented 2 years ago

Hi, have you had time to check the pin cache? Thanks,

alonbl commented 2 years ago

Hi, I will be happy if you can check the pincache branch. Regards,

alonbl commented 2 years ago

Should work with the preset pin feature of gnupg with gnupg-pkcs11-scd-0.9.3.