
Compatibility issues with Luna HSM

Open Tartopoms opened this issue 1 year ago • 5 comments

Issue

I cannot init_token with my HSM using cryptoki in my Rust application. However, it works with SoftHSM2. I also manage to init a token using my HSM client binary (not my Rust application).

Context

I'm using an HSM with a PIN Entry Device (PED) (see what is a PED).

It's a device, linked to the HSM, that requires plugging in a dongle (USB stick) for authentication. To connect as SO, it's not possible to set a PIN. It is mandatory to use the PED. So instead of entering a PIN on my PC, I plug a dongle into the PED to log in.

For example, if I want to open a session I use this line:

let session = pkcs11.open_rw_session(slot)?;
session.login(UserType::So, None)?;

NOTE: I use None to indicate the use of the protected authentication path, which in this case is the PED. NOTE 2: However, to log in as UserType::User, I am allowed to set a PIN, in order to avoid using the PED. In this case, I use Some(&pin) to log in as a User.

How to reproduce

If I use SoftHSM2, I indicate a PIN I set beforehand (e.g. "1234") and it works perfectly. But if I use my HSM, there's no PIN set for the SO, so I indicate an empty PIN (e.g. "").

let slot = pkcs11.get_slots_with_initialized_token()?[0];
let pin = AuthPin::new(String::from(""));
pkcs11.init_token(slot, &pin, "reinitialized")?;

init_token raises a CryptokiError(Pkcs11(GeneralError)).

Expected behaviour

Indicating an empty PIN ("") and initializing the token successfully (that's what I'm doing using the HSM client binary), or using None, like in login().

Tartopoms avatar Feb 28 '24 09:02 Tartopoms

I'm having the same issue. In addition, it's not recognizing that there is an initialized token in the slot, despite all other signs pointing to this being the case.

jaeparker22 avatar Feb 21 '25 22:02 jaeparker22

I don't have the necessary hardware to test this sadly 😢 We would need a good soul to debug this!

hug-dev avatar Feb 27 '25 14:02 hug-dev

Seems the main difference between the login and the init function is that login has the Pin in an Option. Hardware I have that I can use to debug this is company property - so unsure how that impacts the degree of support I can provide to any debug efforts in terms of license/legal concerns.

jaeparker22 avatar Feb 27 '25 17:02 jaeparker22
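An added example (not rust-cryptoki's code, nor any of the participants') illustrating the distinction the comment above points at. At the PKCS#11 boundary, None becomes a null pPin with ulPinLen 0, which the PKCS#11 specification defines as the request to use the token's protected authentication path for both C_Login and C_InitToken, while Some("") is a non-null pointer of length zero that a PED-protected token may reject. The flag value is the standard CKF_PROTECTED_AUTHENTICATION_PATH from the PKCS#11 header; the helper names are hypothetical.

```rust
use std::ptr;

/// CK_TOKEN_INFO.flags bit from the PKCS#11 header: the token has a PED or PIN pad.
pub const CKF_PROTECTED_AUTHENTICATION_PATH: u64 = 0x0000_0100;

/// What the C layer receives for a given PIN argument.
#[derive(Debug, PartialEq, Eq)]
pub enum PinArg {
    /// pPin == NULL_PTR, ulPinLen == 0: "authenticate via the protected path" (the PED).
    ProtectedPath,
    /// pPin != NULL_PTR: these bytes are sent as the PIN (possibly zero bytes long).
    Pin(Vec<u8>),
}

/// Mirrors the Option<&AuthPin> convention of login(): None is the protected path,
/// Some(bytes) is a real PIN. Some(b"") is NOT equivalent to None.
pub fn pin_arg(pin: Option<&[u8]>) -> PinArg {
    match pin {
        None => PinArg::ProtectedPath,
        Some(bytes) => PinArg::Pin(bytes.to_vec()),
    }
}

/// The raw (pPin, ulPinLen) pair as it would be placed into C_Login / C_InitToken.
pub fn raw_pin(pin: Option<&[u8]>) -> (*const u8, u64) {
    match pin {
        None => (ptr::null(), 0),
        Some(bytes) => (bytes.as_ptr(), bytes.len() as u64),
    }
}

/// Pick the SO credential for a token from its CK_TOKEN_INFO.flags: an empty or
/// absent PIN on a token that advertises a protected path means "use the PED",
/// not "send an empty PIN".
pub fn choose_so_pin(token_flags: u64, configured_pin: Option<&[u8]>) -> PinArg {
    let has_ped = token_flags & CKF_PROTECTED_AUTHENTICATION_PATH != 0;
    match configured_pin {
        Some(p) if !p.is_empty() => PinArg::Pin(p.to_vec()),
        _ if has_ped => PinArg::ProtectedPath,
        other => PinArg::Pin(other.map(|p| p.to_vec()).unwrap_or_default()),
    }
}

fn main() {
    // Constructed flags value standing in for a PED-protected token's CK_TOKEN_INFO.
    let flags = CKF_PROTECTED_AUTHENTICATION_PATH;
    println!("SO credential for an empty PIN: {:?}", choose_so_pin(flags, Some(&b""[..])));
    println!("raw pair for None: {:?}", raw_pin(None));
}
```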

Update: This page from the Thales documentation may explain the originally posted issue:

https://thalesdocs.com/gphsm/luna/7/docs/network/Content/sdk/extensions/sa_specific_cmds.htm

jaeparker22 avatar Feb 27 '25 20:02 jaeparker22

If the issue happens specifically with Thales Luna HSMs, we could get in contact with them for support/help too!

hug-dev avatar Feb 28 '25 09:02 hug-dev