The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
p11-kit (in front of NSS softoken) exposes its slots as slot IDs 17 and 18.
When the wolfSSL PKCS#11 code detects two slots with a token present, it calls C_GetTokenInfo with slot IDs starting from 0 instead of with the slot IDs actually returned by C_GetSlotList.
List of slots/tokens:

```
$ pkcs11-tool --module /usr/lib64/p11-kit-proxy.so -L
Available slots:
Slot 0 (0x11): NSS Internal Cryptographic Services
  token label        : NSS Generic Crypto Services
  token manufacturer : Mozilla Foundation
  token model        : NSS 3
  token flags        : rng, token initialized, readonly, other flags=0x200
  hardware version   : 4.0
  firmware version   : 0.0
  serial num         : 0000000000000000
  pin min/max        : 0/0
Slot 1 (0x12): NSS User Private Key and Certificate Services
  token label        : NSS Certificate DB
  token manufacturer : Mozilla Foundation
  token model        : NSS 3
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0000000000000000
  pin min/max        : 0/500
```
Log of wolfSSL PKCS#11 when the slot number is -1 (it detects slots 17 and 18) but enumerates slots from 0:

More simply: this issue can be triggered with NSS Softoken alone (p11-kit-proxy is not needed). NSS Softoken enumerates its tokens as slot IDs 1 and 2, so when -1 is passed to wolfCrypt/PKCS#11 it will not locate the correct token.

Update: the bug is that, when searching from -1, wolfCrypt enumerates the slots and assumes slotList[0] = 0, slotList[1] = 1, etc.
But the actual slot ID does not have to match the array index: for NSS Softoken slotList[0] = 1, slotList[1] = 2, and for p11-kit-proxy slotList[0] = 17, slotList[1] = 18.

The function Pkcs11Token_Init(...) already has the correct behaviour, and the PR copies that code to the function Pkcs11Slot_FindByTokenName(...).
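The index-versus-slot-ID confusion described above, shown as an added example that is not wolfSSL's code: a constructed mock PKCS#11 module whose two tokens live in slots 17 and 18 (the numbers from the pkcs11-tool listing), a lookup that wrongly passes the array index to C_GetTokenInfo, and the corrected lookup that passes the slot IDs returned by C_GetSlotList. The type definitions are minimal stand-ins for the real Cryptoki header, and the function names find_slot_by_index / find_slot_by_id are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the PKCS#11 (Cryptoki) types and constants used here.
 * Constructed for this example; real code includes pkcs11.h instead. */
typedef unsigned long CK_ULONG;
typedef unsigned long CK_SLOT_ID;
typedef unsigned long CK_RV;
typedef unsigned char CK_BBOOL;
#define CK_TRUE              1
#define CKR_OK               0x000UL
#define CKR_SLOT_ID_INVALID  0x003UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define LABEL_LEN 32
typedef struct { char label[LABEL_LEN]; } CK_TOKEN_INFO; /* only the label field is modelled */

/* Constructed mock module: two tokens in slots 17 and 18, as p11-kit-proxy
 * exposes NSS softoken in the report. There is deliberately no slot 0 or 1. */
static const CK_SLOT_ID mock_slots[]  = { 17, 18 };
static const char      *mock_labels[] = { "NSS Generic Crypto Services", "NSS Certificate DB" };
#define MOCK_SLOT_COUNT (sizeof(mock_slots) / sizeof(mock_slots[0]))

/* Mirrors the C_GetSlotList calling convention: NULL list -> return count only. */
static CK_RV mock_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID *pSlotList, CK_ULONG *pulCount) {
    (void)tokenPresent; /* every mock slot has a token present */
    if (pSlotList == NULL) { *pulCount = MOCK_SLOT_COUNT; return CKR_OK; }
    if (*pulCount < MOCK_SLOT_COUNT) { *pulCount = MOCK_SLOT_COUNT; return CKR_BUFFER_TOO_SMALL; }
    memcpy(pSlotList, mock_slots, sizeof(mock_slots));
    *pulCount = MOCK_SLOT_COUNT;
    return CKR_OK;
}

/* Mirrors C_GetTokenInfo: only real slot IDs are valid, not array positions. */
static CK_RV mock_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO *pInfo) {
    for (CK_ULONG i = 0; i < MOCK_SLOT_COUNT; i++) {
        if (mock_slots[i] == slotID) {
            memset(pInfo->label, ' ', LABEL_LEN); /* PKCS#11 labels are space-padded, not NUL-terminated */
            memcpy(pInfo->label, mock_labels[i], strlen(mock_labels[i]));
            return CKR_OK;
        }
    }
    return CKR_SLOT_ID_INVALID;
}

/* Compare a space-padded 32-byte token label with a C string. */
static int label_matches(const CK_TOKEN_INFO *info, const char *name) {
    size_t n = strlen(name);
    if (n > LABEL_LEN || memcmp(info->label, name, n) != 0) return 0;
    for (size_t i = n; i < LABEL_LEN; i++)
        if (info->label[i] != ' ') return 0;
    return 1;
}

/* Buggy pattern from the report: the loop index is passed to C_GetTokenInfo as
 * if it were the slot ID. Returns the slot ID on match, -1 if not found. */
long find_slot_by_index(const char *name) {
    CK_ULONG count = 0;
    CK_TOKEN_INFO info;
    if (mock_C_GetSlotList(CK_TRUE, NULL, &count) != CKR_OK) return -1;
    for (CK_ULONG i = 0; i < count; i++) {
        if (mock_C_GetTokenInfo((CK_SLOT_ID)i, &info) == CKR_OK && label_matches(&info, name))
            return (long)i;
    }
    return -1; /* slots 0 and 1 do not exist, so the token is never found */
}

/* Corrected pattern: fetch the slot list and pass each returned slot ID. */
long find_slot_by_id(const char *name) {
    CK_ULONG count = 0;
    CK_SLOT_ID slots[8]; /* fixed buffer is enough for this example */
    CK_TOKEN_INFO info;
    if (mock_C_GetSlotList(CK_TRUE, NULL, &count) != CKR_OK) return -1;
    if (count > 8) count = 8;
    if (mock_C_GetSlotList(CK_TRUE, slots, &count) != CKR_OK) return -1;
    for (CK_ULONG i = 0; i < count; i++) {
        if (mock_C_GetTokenInfo(slots[i], &info) == CKR_OK && label_matches(&info, name))
            return (long)slots[i]; /* the real slot ID, e.g. 18 */
    }
    return -1;
}

int main(void) {
    const char *name = "NSS Certificate DB";
    printf("by index: %ld\n", find_slot_by_index(name)); /* -1: lookup fails */
    printf("by id:    %ld\n", find_slot_by_id(name));    /* 18: correct slot */
    return 0;
}
```

The same mismatch appears with NSS softoken on its own (slot IDs 1 and 2), so any lookup that substitutes the array position for the slot ID only works by coincidence on modules that happen to number slots from 0.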
Contact Details
shihping.chan@gmail.com
Version
5.7.2