[gnutls-devel] GnuTLS | p11tool --list-all "<token>" does not find any items on Thales ProtectServer HSMs. (#1491)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Jul 3 17:11:37 CEST 2023

Tristan created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1491

## Description of problem:
Performing `p11tool --login --list-all "<token>"` on ProtectServer 2 and 3 HSMs (Safenet/Gemalto/Thales, depending on when bought) using the hardware tokens will not display any objects on listing a token.

## Version of gnutls used:
Mainline (git) and 3.7.1 (debian)

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian and git

## How reproducible:
1. Enable the thales/safenet pkcs11 library
2. Enable the module in pkcs11 config files
3. Perform `p11tool --login --list-all "<token>"`
4. Enter PIN

Note: the emulation libraries will work and do not have this problem and are not a good test case.

## Actual results:
Result is `No matching objects found`

## Expected results:
List of objects, confirmed to work with solution at 512 objects below.

Problem/Solution: The problem is the `#define OBJECTS_A_TIME 8 * 1024` for the `find_multi_objs_cb` callback. The HSMs do not support this many objects. The maximum is 512 (for what I've tested, exact number unknown) and changing the macro to 512 will result in displaying objects. The `pkcs11_find_objects` function reports error `0x80001001` (Vendor defined, host error, bad request) when the default value of 8192 is used.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1491
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20230703/93091c10/attachment-0001.html>

More information about the Gnutls-devel mailing list