bentonstark / py-hsm

Python module for accessing PKCS#11 compliant HSMs

how to login with username for SecurityOfficer #3

Closed aswinmaharaj closed 6 years ago

bentonstark commented 6 years ago

PKCS-11 does not support usernames for security officers, or for any users for that matter. Some of the HSM vendors will concatenate a username into the authentication PIN to get around this limitation. Others allow you to create virtual partitions that are associated with a specific HSM user. Please see the documentation of your particular HSM vendor for more information on how to do that. You can specify the user type using py-hsm.

aswinmaharaj commented 6 years ago

Thank you Benton, that helps. So, I'm using Utimaco and here's an example from their docs (login of SO on slot 0 using an HMAC password):

    CK_UTF8CHAR_PTR pPin = "SO_0000,123456";
    CK_ULONG ulPinLen = strlen(pPin);
    err = C_Login(hSession, CKU_CS_GENERIC, pPin, ulPinLen);

So, when I try to combine the username and PIN, and change your code in hsmclient.py (in def login(): self.userType.value = CKU_CS_GENERIC), I'm getting the error CKR_PIN_INCORRECT (0x000000a0).

Do you know, what causes this error?

bentonstark commented 6 years ago

The libhsm and pyhsm libraries have been heavily tested against Utimaco's Simulator and physical HSMs. When using Utimaco's HSMs I log directly into the partitions using the partition PIN (password) and do not use a combination PIN that includes a username. Which HSM are you using, and do you have access to the CryptoServer_PKCS11_R2_DevGuide.pdf document? In that document it shows the delimiter between the user and password to be a colon and not a comma. See section 9.2.3:

    CK_UTF8CHAR_PTR pOldPin = "CKU_VENDOR:123456";

I also see in another section where the login is actually taking place that a comma is being used. So that looks right to me. I would reach out to your Utimaco rep unless you already know you can log into the HSM and make sure you have it configured correctly if you are new to the device. Once you verify everything is working properly with Utimaco's tools you can then try with py-hsm. That's my recommendation.

aswinmaharaj commented 6 years ago

CK_UTF8CHAR_PTR pPin = "USR_0000,123456"; works fine when I use it in their hands-on C program, but it doesn't work with pyhsm.

Do you know what all i should change, so that it works?

    >>> c.login(pin="USR_0000,123456")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/local/lib/python2.7/dist-packages/pyhsm/hsmclient.py", line 463, in login
        len(pin_bytes))
    ctypes.ArgumentError: argument 4: <type 'exceptions.TypeError'>: wrong type

bentonstark commented 6 years ago

So you can't run this library with Python 2.7. You will need to be on Python 3 and ideally 3.5 or higher. You can install Python 3 on your machine in a local user account using pyenv. Please see the installation instructions. https://github.com/bentonstark/py-hsm#installation-prerequisites

There are some example programs in the examples/ directory of the py-hsm project. Please make sure you have the latest versions of libhsm and py-hsm installed. Once you do that you can try the following programs located in the examples/ directory. You will potentially need to update the -p11 argument value. I just tested the following commands against the Utimaco Simulator using the latest libhsm.so and the py-hsm in PyPI. The second command just gives me a PKCS#11 error, which is what I would expect.

    $ python listslots.py -p11 /usr/lib/libcs_pkcs11_R2.so
    $ python listkeys.py -p11 /usr/lib/libcs_pkcs11_R2.so -slot 0 -pin "USR_0000,123456"
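The three technical points in this thread (vendors smuggle a username into the PKCS#11 PIN because C_Login has no username argument, the user/PIN delimiter is vendor-specific, and ctypes rejects a str where C_Login expects CK_UTF8CHAR_PTR bytes) are illustrated below in an added Python 3 example. It is not py-hsm's, libhsm's or Utimaco's code. The C_Login it calls is a constructed in-process fake built with ctypes.CFUNCTYPE so the example runs offline; the fake uses the spec's CKU_VENDOR_DEFINED base (0x80000000) as a stand-in for Utimaco's CKU_CS_GENERIC, whose real value comes from the vendor header and is an assumption here. Against a real library you would replace the fake with ctypes.CDLL(path).C_Login after setting the same argtypes.

```python
import ctypes
from ctypes import CFUNCTYPE, c_char_p, c_ulong

# PKCS#11 return codes used below (values from the PKCS#11 specification).
CKR_OK = 0x00000000
CKR_PIN_INCORRECT = 0x000000A0

# Stand-in for a vendor user type such as Utimaco's CKU_CS_GENERIC (assumption:
# the real value is vendor-defined; 0x80000000 is the spec's CKU_VENDOR_DEFINED base).
CKU_VENDOR_DEFINED = 0x80000000

# C_Login(hSession, userType, pPin, ulPinLen) -> CK_RV, as a ctypes prototype.
C_LOGIN_PROTO = CFUNCTYPE(c_ulong, c_ulong, c_ulong, c_char_p, c_ulong)


def build_login_pin(user, pin, delimiter=","):
    """Build the vendor 'USER<delimiter>PIN' login string as UTF-8 bytes.

    PKCS#11 has no username field, so some vendors pack the user into the PIN.
    The delimiter is vendor-specific (Utimaco's dev guide shows both ',' and ':'),
    so it is a parameter here rather than a hard-coded constant.
    """
    if not isinstance(user, str) or not isinstance(pin, str):
        raise TypeError("user and pin must be str")
    if delimiter in user:
        raise ValueError("user name must not contain the delimiter")
    # CK_UTF8CHAR_PTR is a byte pointer: encode before handing it to ctypes.
    return f"{user}{delimiter}{pin}".encode("utf-8")


def pkcs11_login(c_login, session, user_type, pin_bytes):
    """Call a C_Login-shaped function with an explicit byte PIN and its length."""
    if not isinstance(pin_bytes, (bytes, bytearray)):
        # A str here would surface as ctypes.ArgumentError: ... wrong type.
        raise TypeError("pin must be bytes")
    pin_bytes = bytes(pin_bytes)
    return c_login(session, user_type, pin_bytes, len(pin_bytes))


# Constructed fake token: exactly one vendor user/PIN combination is valid.
_EXPECTED_PIN = b"USR_0000,123456"


@C_LOGIN_PROTO
def fake_c_login(session, user_type, pin, pin_len):
    """Fake C_Login: requires the vendor user type and the packed user,PIN string."""
    if user_type < CKU_VENDOR_DEFINED:
        return CKR_PIN_INCORRECT  # a plain CKU_USER login has no user name in it
    if pin is None or pin[:pin_len] != _EXPECTED_PIN:
        return CKR_PIN_INCORRECT
    return CKR_OK


def login_with_str_pin_fails():
    """Reproduce the thread's error class: a str PIN is rejected by ctypes."""
    try:
        fake_c_login(1, CKU_VENDOR_DEFINED, "USR_0000,123456", 15)
    except ctypes.ArgumentError as err:
        return "wrong type" in str(err)
    return False


if __name__ == "__main__":
    good = build_login_pin("USR_0000", "123456")
    print(hex(pkcs11_login(fake_c_login, 1, CKU_VENDOR_DEFINED, good)))
    wrong_delim = build_login_pin("USR_0000", "123456", delimiter=":")
    print(hex(pkcs11_login(fake_c_login, 1, CKU_VENDOR_DEFINED, wrong_delim)))
    print(login_with_str_pin_fails())
```

The wrong-delimiter case returns CKR_PIN_INCORRECT rather than a distinct error, which is why a vendor's hands-on C program or CLI is the right place to confirm the delimiter and user type before debugging the Python wrapper.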