[gnutls-devel] GnuTLS | PKCS#11 Auto-Initialization Not Working (#1798)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Feb 16 05:50:25 CET 2026




Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1798#note_3085364052


Thank you for the report. I tried to reproduce it with your provided test case 2, but it worked as expected against SoftHSM2:
```console
$ cat softhsm2.conf
directories.tokendir = ./tokens

$ export SOFTHSM2_CONF=$PWD/softhsm2.conf
$ softhsm2-util --init-token --free --label MyToken --pin 1234 --so-pin 1234
Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 832855648

$ GNUTLS_DEBUG_LEVEL=10 ./test
gnutls[2]: Enabled GnuTLS 3.8.12 logging...
gnutls[2]: getrandom random generator was selected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator (AVX) was detected
gnutls[2]: cfg: unable to access: /usr/local/etc/gnutls/config: 2
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Module p11-kit-trust is initialized in a thread-safe mode
gnutls[2]: p11: Initializing module: kryoptic
gnutls[2]: p11: Module kryoptic is initialized in a thread-safe mode
gnutls[2]: p11: Initializing module: opensc
gnutls[2]: p11: Module opensc is initialized in a thread-safe mode
gnutls[2]: p11: Initializing module: softhsm2
gnutls[2]: p11: Module softhsm2 is initialized in a thread-safe mode
gnutls[2]: Loading PKCS #11 libraries from /etc/gnutls/pkcs11.conf
gnutls[2]: Could not load /etc/gnutls/pkcs11.conf: Error while reading file.
8
```

I modified the program to print the `output_size` returned by `gnutls_pkcs11_token_get_info`, which should be 8 in this case (= `strlen("MyToken") + 1 /*NUL*/`):
```c
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>
#include <stdio.h>

int main(void) {
    int ret;
    size_t size = 0;
    
    // Initialize GnuTLS (but NOT PKCS#11)
    gnutls_global_init();
    
    // Try to use PKCS#11 - should trigger auto-init according to docs
    gnutls_pkcs11_token_get_info(
        "pkcs11:token=MyToken",
        GNUTLS_PKCS11_TOKEN_LABEL,
        NULL, &size
    );

    printf("%zu\n", size);

    // Check if PKCS#11 was initialized
    // Expected: modules loaded automatically
    // Actual: no initialization occurs
    
    gnutls_global_deinit();
    return 0;
}
```

I suspect that your issue might be specific to the token "G&D StarSign CUT S (SafeSign IC driver)", which may not support thread-safe initialization (see !2014 and !2049). Could you run the test under `GNUTLS_DEBUG_LEVEL=10` to gather more information?

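Added example (not part of the original message or of the GnuTLS project): a small script for triaging the `GNUTLS_DEBUG_LEVEL=10` output requested above, reporting whether PKCS #11 auto-initialization started and which modules never logged the thread-safe confirmation line. It assumes only the line formats quoted in the log above; the function names, the sample log and the module name `vendor-module` are constructed for illustration.

```python
import re

# Line formats as they appear in the debug output quoted in the message.
INIT_RE = re.compile(r"^gnutls\[\d+\]: p11: Initializing module: (\S+)$")
SAFE_RE = re.compile(
    r"^gnutls\[\d+\]: p11: Module (\S+) is initialized in a thread-safe mode$")
AUTO_INIT_MARKER = "Initializing all PKCS #11 modules"


def auto_init_ran(text):
    """True if the log shows GnuTLS starting PKCS #11 module initialization."""
    return any(line.strip().endswith(AUTO_INIT_MARKER)
               for line in text.splitlines())


def triage_p11_log(text):
    """Return (modules_seen, modules_lacking_thread_safe_confirmation)."""
    started, confirmed = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = INIT_RE.match(line)
        if m:
            if m.group(1) not in started:
                started.append(m.group(1))
            continue
        m = SAFE_RE.match(line)
        if m:
            confirmed.add(m.group(1))
    # A module that began initializing but never confirmed is the one to examine.
    unconfirmed = [name for name in started if name not in confirmed]
    return started, unconfirmed


# Constructed sample: the first two modules mirror the quoted log;
# "vendor-module" is a hypothetical module with no confirmation line.
SAMPLE_LOG = """\
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Module p11-kit-trust is initialized in a thread-safe mode
gnutls[2]: p11: Initializing module: softhsm2
gnutls[2]: p11: Module softhsm2 is initialized in a thread-safe mode
gnutls[2]: p11: Initializing module: vendor-module
"""

if __name__ == "__main__":
    seen, unconfirmed = triage_p11_log(SAMPLE_LOG)
    print("auto-init ran:", auto_init_ran(SAMPLE_LOG))
    print("modules seen:", seen)
    print("no thread-safe confirmation:", unconfirmed)
```

A missing confirmation line only narrows down which module to look at; the lines that follow it in the real log say what actually happened.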