Comment 3 for bug 1987938

Gil Weis (gilweis) wrote: Re: When a PIN explicitly provided use a PIN regardless of secure login flag

Thanks for the detailed answer. I will try to give answers.
A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.
Due to the critical role they play in securing applications and infrastructure, HSMs and/or the cryptographic modules are typically certified to internationally recognized standards such as Common Criteria or FIPS 140 to provide users with independent assurance that the design and implementation of the product and cryptographic algorithms are sound.
Most big companies, banks, governments and certificate authorities use HSMs to keep digital keys and perform encryption and decryption functions.
Since HSMs have an important security role, managing them usually requires special hardware (PED) on the client side to identify to the HSM.
Using a PED requires a human on the client side.
Services that need the HSM can't use a PED to identify, so they use a PIN code; they can use the HSM but not perform admin operations.
libp11 is a popular library that helps to use the pkcs11 protocol. Most HSMs support the pkcs11 protocol.
Most uses in such cases are on LTS operating systems.

The bug:
If someone uses this library to connect to an HSM that supports PED ("secure login" for this library), the library forces a login with "secure login" even if the client sends a PIN code and needs to perform a simple operation like sign/decrypt. This is a bug, and version 0.4.12 fixes this bug.

Impact:
All users that use this library to connect to HSMs that support PED (most of the big HSMs) can't use the library without the fix!

Reproduce the problem:
All operations with this library on HSMs that support PED, done with a PIN code, reproduce the problem!
For example:

openssl conf file:
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/ssl/engines/libpkcs11.so
MODULE_PATH = hsm_module.so
init = 0

command:
$ openssl
OpenSSL> req -engine pkcs11 -new -key "pkcs11:object=test-key;type=private;pin-value=XXXX" \
         -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
OpenSSL> x509 -engine pkcs11 -signkey "pkcs11:object=test-key;type=private;pin-value=XXXX" \
         -keyform engine -in req.pem -out cert.pem
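
The login decision this report is about, as an added C example (not part of the comment above and not libp11's code): it extracts pin-value from a key URI like the one in the commands and shows how the choice between PED and PIN login changes when an explicit PIN takes precedence over the token's "secure login" flag. The function names, the `fixed` switch and the sample URI are assumptions made for illustration; the flag value and the convention that C_Login takes a NULL PIN for the protected authentication path come from the PKCS#11 specification.

```c
#include <stdio.h>
#include <string.h>

/* Token flag value from the PKCS#11 specification (CK_TOKEN_INFO.flags). */
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
enum login_mode { LOGIN_NONE, LOGIN_PIN, LOGIN_PED };

/* Hypothetical helper: locate pin-value in a pkcs11: URI without copying it.
 * Returns the PIN length (0 if absent or empty) and points *pin at it. */
static size_t uri_pin_value(const char *uri, const char **pin)
{
    static const char key[] = "pin-value=";
    const size_t klen = sizeof key - 1;
    const char *p;

    if (strncmp(uri, "pkcs11:", 7) != 0) return 0;
    p = uri + 7;
    while (*p) {
        size_t n = strcspn(p, ";?&");   /* one attribute, up to a separator */
        if (n > klen && strncmp(p, key, klen) == 0) {
            *pin = p + klen;
            return n - klen;
        }
        p += n;
        if (*p) p++;                    /* skip the separator */
    }
    return 0;
}

/* Hypothetical decision function. fixed=0 models the behaviour the report
 * describes (the token flag always wins); fixed=1 lets an explicit PIN win. */
static enum login_mode choose_login(const char *uri, unsigned long flags, int fixed)
{
    const char *pin = NULL;
    int have_pin = uri_pin_value(uri, &pin) > 0;
    int ped = (flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0;
    if (fixed && have_pin) return LOGIN_PIN;  /* C_Login with the PIN */
    if (ped) return LOGIN_PED;                /* C_Login with a NULL PIN */
    return have_pin ? LOGIN_PIN : LOGIN_NONE;
}

int main(void)
{
    /* Constructed input modelled on the key URI in the report. */
    const char *uri = "pkcs11:object=test-key;type=private;pin-value=XXXX";
    static const char *name[] = { "none", "PIN", "PED" };
    printf("before: %s\n", name[choose_login(uri, CKF_PROTECTED_AUTHENTICATION_PATH, 0)]);
    printf("after:  %s\n", name[choose_login(uri, CKF_PROTECTED_AUTHENTICATION_PATH, 1)]);
    return 0;
}
```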