parallaxsecond / rust-cryptoki

Rust wrapper for the PKCS #11 API, Cryptoki
https://docs.rs/cryptoki/
Apache License 2.0

Cannot init_token using an HSM with PED #201

Open Tartopoms opened 9 months ago

Tartopoms commented 9 months ago

Issue

I cannot init_token with my HSM using cryptoki in my Rust application. However, it works with SoftHSM2. I also manage to init a token using my HSM client binary (not my Rust application).

Context

I'm using an HSM with a PIN Entry Device (PED) (see what is a PED).

It's a device, linked to the HSM, that requires plugging in a dongle (USB stick) for authentication. To connect as SO, it's not possible to set a PIN. It is mandatory to use the PED. So instead of entering a PIN on my PC, I plug a dongle into the PED to log in.

For example, if I want to open a session I use this line:

let session = pkcs11.open_rw_session(slot)?;
session.login(UserType::So, None)?;

NOTE: I use None to indicate that the protected authentication path should be used; in this case, it's the PED.
NOTE2: However, to log in as UserType::User, I am allowed to set a PIN, in order to avoid using the PED. In this case, I use Some(&pin) to log in as a User.

How to reproduce

If I use SoftHSM2, I indicate a PIN I set beforehand (e.g. "1234") and it works perfectly. But if I use my HSM, there's no PIN set for the SO, so I indicate an empty PIN (e.g. "").

let slot = pkcs11.get_slots_with_initialized_token()?[0];
let pin = AuthPin::new(String::from(""));
pkcs11.init_token(slot, &pin, "reinitialized")?;

init_token raises a CryptokiError(Pkcs11(GeneralError)).

Expected behaviour

Indicate an empty PIN ("") and init the token successfully (that's what I'm doing using the HSM client binary), or use None, like in login().
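The distinction behind this report is in the PKCS #11 specification for C_InitToken: when the token's CK_TOKEN_INFO has the CKF_PROTECTED_AUTHENTICATION_PATH flag (0x00000100) set, the SO PIN is collected on the PED and the application passes pPin = NULL_PTR with ulPinLen = 0. A zero-length PIN buffer is a different thing from a NULL pointer, and an HSM is entitled to reject it. The following is an added example, not code from the issue or from the cryptoki crate: it models that decision in plain Rust, with constructed token-flag values, and assumes (as the issue implies) that a wrapper needs an explicit "no PIN" variant rather than an empty AuthPin to reach the protected path.

```rust
use std::ptr;

// From the PKCS #11 specification (CK_TOKEN_INFO.flags).
pub const CKF_PROTECTED_AUTHENTICATION_PATH: u64 = 0x0000_0100;

/// What would be handed to C_InitToken as (pPin, ulPinLen).
#[derive(Debug, PartialEq)]
pub enum InitTokenPin {
    /// pPin = NULL_PTR, ulPinLen = 0: the SO authenticates on the PED.
    ProtectedPath,
    /// pPin points at these bytes, ulPinLen = bytes.len().
    Supplied(Vec<u8>),
}

#[derive(Debug, PartialEq)]
pub enum PinError {
    /// Token has no protected authentication path, so the caller must supply the SO PIN.
    PinRequired,
    /// An empty buffer is not a NULL pointer; reject it before the HSM answers with
    /// an opaque CKR_GENERAL_ERROR.
    EmptyPin,
}

impl InitTokenPin {
    /// The raw (pointer, length) pair exactly as the C API would receive it.
    pub fn as_raw(&self) -> (*const u8, usize) {
        match self {
            InitTokenPin::ProtectedPath => (ptr::null(), 0),
            InitTokenPin::Supplied(bytes) => (bytes.as_ptr(), bytes.len()),
        }
    }
}

/// Decide how to present the SO PIN to C_InitToken, given the token flags
/// (from CK_TOKEN_INFO) and an optional PIN from the application.
pub fn init_token_pin(token_flags: u64, pin: Option<&str>) -> Result<InitTokenPin, PinError> {
    let protected = token_flags & CKF_PROTECTED_AUTHENTICATION_PATH != 0;
    match (pin, protected) {
        // No PIN and a PED present: let the PED collect it.
        (None, true) => Ok(InitTokenPin::ProtectedPath),
        // No PIN and no PED: nothing can authenticate the SO.
        (None, false) => Err(PinError::PinRequired),
        // "" would be sent as a non-NULL pointer with length 0, not as NULL_PTR.
        (Some(""), _) => Err(PinError::EmptyPin),
        // Ordinary case (e.g. SoftHSM2 with a PIN set beforehand).
        (Some(p), _) => Ok(InitTokenPin::Supplied(p.as_bytes().to_vec())),
    }
}

fn main() {
    // Constructed flag values: a PED-backed HSM and a software token without one.
    let ped_hsm_flags = CKF_PROTECTED_AUTHENTICATION_PATH | 0x0000_0001;
    let softhsm_flags = 0x0000_0001;

    for (name, flags, pin) in [
        ("PED HSM, no PIN", ped_hsm_flags, None),
        ("PED HSM, empty PIN", ped_hsm_flags, Some("")),
        ("SoftHSM2, PIN 1234", softhsm_flags, Some("1234")),
        ("SoftHSM2, no PIN", softhsm_flags, None),
    ] {
        match init_token_pin(flags, pin) {
            Ok(p) => {
                let (ptr, len) = p.as_raw();
                println!("{name}: pPin null={} ulPinLen={len}", ptr.is_null());
            }
            Err(e) => println!("{name}: refused ({e:?})"),
        }
    }
}
```

The point for a wrapper author is the third match arm: mapping an empty AuthPin to a non-NULL, zero-length buffer silently changes the meaning of the call, so the "use the PED" case deserves its own type, as login() already gives it with None.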