bentonstark / py-hsm

Python module for accessing PKCS#11 compliant HSMs

Handle not found error while accessing object details. #4

Closed supreetshetty closed 6 years ago

supreetshetty commented 6 years ago

Hi,

We are facing some issues when we try to get keys for a particular slot.

This is the error "object with handle 8 not found on HSM", which is coming from "hsmclient.py", line no. 613.

We are calling HsmClient(slot=slot, pin=pin, pkcs11_lib=path) by giving respective arguments such as slot-number, pin (user:password) and full SO file path.

Below is the full code being used in executing a function to get keys.

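from pyhsm.hsmclient import HsmClient

# slot, pin and path hold the slot number, "user:password" PIN and .so path described above
with HsmClient(slot=slot, pin=pin, pkcs11_lib=path) as client:
    for obj in client.get_objects():
        print(obj.to_string())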

Here we get the error "object with handle 8 not found on HSM" in hsmclient.py, line no. 613.

The libhsm library is passed explicitly, where path is the absolute path of the .SO file.

At first we thought that maybe we cannot access the object data because we did not log in the first time.

But with the code below we tried to rectify that scenario and got the same error. Here's the code to login and try to access the object.

from pyhsm.hsmclient import HsmClient

# Explicit session and login before listing objects
c = HsmClient(pkcs11_lib=path)
c.open_session(slot=slot)
c.login(pin=pin)
c.get_objects()
c.logout()
c.close_session()

Could you please tell me if we are doing anything wrong?

We are testing it with a Cavium LiquidSecurity model having the latest firmware dated April 2018.

bentonstark commented 6 years ago

It is most likely a Cavium bug or a permission issue on CK_OBJECT_ID with the value 8. I have run into quite a few PKCS issues with Cavium and they have updated their client software and firmware to address many of the ones I found. The get_objects() method will get a list of valid object IDs from the HSM and then query each one to get more information. Can you see an object on the partition with an ID of 8 using Cavium's tools?

bentonstark commented 6 years ago

I would also try three things.

1) c.get_objects(fast_load=True)

2) Print the handle IDs:

handles = c.find_objects()
for h in handles:
    print(h)

3) Turn on PKCS#11 API debugging. I had to re-compile the Cavium client with the #define DEBUG macro uncommented. You may have to grep your Cavium client to find the #define statement (e.g. $ grep -r "#define DEBUG"). I tested against the Cavium NITROX PCIe card directly, so there may be an easier way to turn on PKCS#11 API debugging than a recompile (hopefully) for the LiquidSecurity appliance.
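The per-handle check suggested in the two replies above, as an added example that is not part of the original thread or of py-hsm: it queries each listed handle on its own, so a single unresolvable handle is reported instead of aborting the whole listing, and the failing IDs can then be compared with the vendor's tools. `FakeToken`, its `describe` method and the sample labels are constructed stand-ins; with a real session, `find_handles` would be `c.find_objects` and `describe` whatever per-handle lookup your py-hsm version provides (an assumption).

```python
# Added example: isolate handles that the token lists but cannot resolve.
# FakeToken is a constructed stand-in for an HSM session; it is not py-hsm code.

class FakeToken:
    """Constructed stand-in: lists handles 5-9 but cannot resolve handle 8."""
    _objects = {5: "rsa-pub", 6: "rsa-priv", 7: "aes-wrap", 9: "ec-sign"}

    def find_objects(self):
        # Mirrors the listing step: every handle the token claims to hold.
        return [5, 6, 7, 8, 9]

    def describe(self, handle):  # hypothetical per-handle lookup
        if handle not in self._objects:
            raise RuntimeError(f"object with handle {handle} not found on HSM")
        return self._objects[handle]


def probe_handles(find_handles, describe):
    """Query each listed handle separately so one failure does not stop the scan.

    Returns (resolved, failed): resolved maps handle -> description,
    failed maps handle -> error text.
    """
    resolved, failed = {}, {}
    for handle in find_handles():
        try:
            resolved[handle] = describe(handle)
        except Exception as exc:  # the binding may raise its own exception type
            failed[handle] = str(exc)
    return resolved, failed


def report(resolved, failed):
    """Build one line per handle, working handles first, failing ones last."""
    lines = [f"handle {h}: ok ({d})" for h, d in sorted(resolved.items())]
    lines += [f"handle {h}: FAILED ({e})" for h, e in sorted(failed.items())]
    return lines


if __name__ == "__main__":
    token = FakeToken()
    for line in report(*probe_handles(token.find_objects, token.describe)):
        print(line)
```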

supreetshetty commented 6 years ago

@bentonstark It was indeed a Cavium bug. Thanks for the help.