<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">Hello gnutls team,</p>
<p dir="auto">I have some problems with p11tool's --initialize-so-pin and --initialize-pin options:</p>
<p dir="auto">I configured opencryptoki as pkcs11 provider using a p11-kit config file /etc/pkcs11/modules/opencryptoki.module.</p>
<p dir="auto">I initialized the token as follows:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">p11tool --list-tokens</span>
<span id="LC2" class="line" lang="plaintext">Token 0:</span>
<span id="LC3" class="line" lang="plaintext">       URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=IBM%20OS%20PKCS%2311</span>
<span id="LC4" class="line" lang="plaintext">       Label: IBM OS PKCS#11</span>
<span id="LC5" class="line" lang="plaintext">       Type: Generic token</span>
<span id="LC6" class="line" lang="plaintext">       Flags: RNG, Requires login, Uninitialized, uPIN uninitialized</span>
<span id="LC7" class="line" lang="plaintext">       Manufacturer: IBM Corp.</span>
<span id="LC8" class="line" lang="plaintext">       Model: IBM SoftTok</span>
<span id="LC9" class="line" lang="plaintext">       Serial: 123</span>
<span id="LC10" class="line" lang="plaintext">      Module: /usr/local/lib/opencryptoki/libopencryptoki.so</span>
<span id="LC11" class="line" lang="plaintext"></span>
<span id="LC12" class="line" lang="plaintext"></span>
<span id="LC13" class="line" lang="plaintext">p11tool --initialize --label="swtok" pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=IBM%20OS%20PKCS%2311</span>
<span id="LC14" class="line" lang="plaintext">Enter Security Officer's PIN: (INPUT: 87654321, "default so pin")</span>
<span id="LC15" class="line" lang="plaintext">Initializing token... done</span>
<span id="LC16" class="line" lang="plaintext"></span>
<span id="LC17" class="line" lang="plaintext">Token was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs</span>
<span id="LC18" class="line" lang="plaintext"></span>
<span id="LC19" class="line" lang="plaintext"></span>
<span id="LC20" class="line" lang="plaintext">p11tool --list-tokens</span>
<span id="LC21" class="line" lang="plaintext">Token 0:</span>
<span id="LC22" class="line" lang="plaintext">      URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok</span>
<span id="LC23" class="line" lang="plaintext">      Label: swtok</span>
<span id="LC24" class="line" lang="plaintext">      Type: Generic token</span>
<span id="LC25" class="line" lang="plaintext">      Flags: RNG, Requires login, uPIN uninitialized</span>
<span id="LC26" class="line" lang="plaintext">      Manufacturer: IBM Corp.</span>
<span id="LC27" class="line" lang="plaintext">      Model: IBM SoftTok</span>
<span id="LC28" class="line" lang="plaintext">      Serial: 123</span>
<span id="LC29" class="line" lang="plaintext">      Module: /usr/local/lib/opencryptoki/libopencryptoki.so</span></code></pre>
<p dir="auto">After initialization, the token has the default pin (87654321) and so the CKF_SO_PIN_TO_BE_CHANGED flag is set.
The flag is not shown in the --list-tokens output, but when I activated p11-kit's log-calls (pkcs11.conf(5)), I
could see it is actually set. Next I tried to change the so pin using --initialize-so-pin. When I set the
default so pin using the environment variable (GNUTLS_SO_PIN=87654321), I could not even enter a new so pin;
it just says "Setting token's user PIN...". The debug trace shows a successful login using the default so pin
and initialization of the user pin (C_InitPIN) to the same value (87654321):</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">GNUTLS_SO_PIN=87654321 p11tool --initialize-so-pin pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok</span>
<span id="LC2" class="line" lang="plaintext">C_Initialize</span>
<span id="LC3" class="line" lang="plaintext">  IN: pInitArgs = NULL</span>
<span id="LC4" class="line" lang="plaintext">C_Initialize = CKR_OK</span>
<span id="LC5" class="line" lang="plaintext">C_GetInfo</span>
<span id="LC6" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC7" class="line" lang="plaintext">       cryptokiVersion: 2.20</span>
<span id="LC8" class="line" lang="plaintext">       manufacturerID: "IBM"</span>
<span id="LC9" class="line" lang="plaintext">       flags: 0</span>
<span id="LC10" class="line" lang="plaintext">      libraryDescription: "Meta PKCS11 LIBRARY"</span>
<span id="LC11" class="line" lang="plaintext">      libraryVersion: 3.10</span>
<span id="LC12" class="line" lang="plaintext">      }</span>
<span id="LC13" class="line" lang="plaintext">C_GetInfo = CKR_OK</span>
<span id="LC14" class="line" lang="plaintext">Setting token's user PIN...</span>
<span id="LC15" class="line" lang="plaintext">C_GetSlotList</span>
<span id="LC16" class="line" lang="plaintext">  IN: tokenPresent = CK_TRUE</span>
<span id="LC17" class="line" lang="plaintext">  IN: pulCount = 0x3FFDD67DE28 = 48</span>
<span id="LC18" class="line" lang="plaintext"> OUT: pSlotList = (1) [ SL3 ]</span>
<span id="LC19" class="line" lang="plaintext">C_GetSlotList = CKR_OK</span>
<span id="LC20" class="line" lang="plaintext">C_GetTokenInfo</span>
<span id="LC21" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC22" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC23" class="line" lang="plaintext">      label: "swtok"</span>
<span id="LC24" class="line" lang="plaintext">      manufacturerID: "IBM Corp."</span>
<span id="LC25" class="line" lang="plaintext">      model: "IBM SoftTok"</span>
<span id="LC26" class="line" lang="plaintext">      serialNumber: "123"</span>
<span id="LC27" class="line" lang="plaintext">      flags: 8389709 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_SO_PIN_TO_BE_CHANGED</span>
<span id="LC28" class="line" lang="plaintext">      ulMaxSessionCount: 18446744073709551614</span>
<span id="LC29" class="line" lang="plaintext">      ulSessionCount: 0</span>
<span id="LC30" class="line" lang="plaintext">      ulMaxRwSessionCount: 18446744073709551614</span>
<span id="LC31" class="line" lang="plaintext">      ulRwSessionCount: 18446744073709551615</span>
<span id="LC32" class="line" lang="plaintext">      ulMaxPinLen: 8</span>
<span id="LC33" class="line" lang="plaintext">      ulMinPinLen: 4</span>
<span id="LC34" class="line" lang="plaintext">      ulTotalPublicMemory: 18446744073709551614</span>
<span id="LC35" class="line" lang="plaintext">      ulFreePublicMemory: 18446744073709551614</span>
<span id="LC36" class="line" lang="plaintext">      ulTotalPrivateMemory: 18446744073709551614</span>
<span id="LC37" class="line" lang="plaintext">      ulFreePrivateMemory: 18446744073709551614</span>
<span id="LC38" class="line" lang="plaintext">      ulFreePrivateMemory: 18446744073709551614</span>
<span id="LC39" class="line" lang="plaintext">      hardwareVersion: 1.0</span>
<span id="LC40" class="line" lang="plaintext">      firmwareVersion: 1.0</span>
<span id="LC41" class="line" lang="plaintext">      utcTime: 2018091222592200</span>
<span id="LC42" class="line" lang="plaintext">      }</span>
<span id="LC43" class="line" lang="plaintext">C_GetTokenInfo = CKR_OK</span>
<span id="LC44" class="line" lang="plaintext">C_GetSlotInfo</span>
<span id="LC45" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC46" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC47" class="line" lang="plaintext">      slotDescription: "Linux"</span>
<span id="LC48" class="line" lang="plaintext">      manufacturerID: "IBM"</span>
<span id="LC49" class="line" lang="plaintext">      flags: 1 = CKF_TOKEN_PRESENT</span>
<span id="LC50" class="line" lang="plaintext">      hardwareVersion: 0.0</span>
<span id="LC51" class="line" lang="plaintext">      firmwareVersion: 0.0</span>
<span id="LC52" class="line" lang="plaintext">      }</span>
<span id="LC53" class="line" lang="plaintext">C_GetSlotInfo = CKR_OK</span>
<span id="LC54" class="line" lang="plaintext">C_OpenSession</span>
<span id="LC56" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC57" class="line" lang="plaintext">  IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION</span>
<span id="LC58" class="line" lang="plaintext">  IN: pApplication = NULL</span>
<span id="LC59" class="line" lang="plaintext">  IN: Notify = NULL</span>
<span id="LC60" class="line" lang="plaintext"> OUT: phSession = 0x3FFDD67E1D8 = S1</span>
<span id="LC61" class="line" lang="plaintext">C_OpenSession = CKR_OK</span>
<span id="LC62" class="line" lang="plaintext">C_GetSessionInfo</span>
<span id="LC63" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC64" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC65" class="line" lang="plaintext">      slotID: SL3</span>
<span id="LC66" class="line" lang="plaintext">      state: CKS_RW_PUBLIC_SESSION</span>
<span id="LC67" class="line" lang="plaintext">      flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION</span>
<span id="LC68" class="line" lang="plaintext">      ulDeviceError: 0</span>
<span id="LC69" class="line" lang="plaintext">      }</span>
<span id="LC70" class="line" lang="plaintext">C_GetSessionInfo = CKR_OK</span>
<span id="LC71" class="line" lang="plaintext">C_Login</span>
<span id="LC72" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC73" class="line" lang="plaintext">  IN: userType = CKU_SO</span>
<span id="LC74" class="line" lang="plaintext">  IN: pPin = (8) "87654321"</span>
<span id="LC75" class="line" lang="plaintext">C_Login = CKR_OK</span>
<span id="LC76" class="line" lang="plaintext">C_InitPIN</span>
<span id="LC77" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC78" class="line" lang="plaintext">  IN: pPin = (8) "87654321"</span>
<span id="LC79" class="line" lang="plaintext">C_InitPIN = CKR_OK</span>
<span id="LC80" class="line" lang="plaintext">C_CloseSession</span>
<span id="LC81" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC82" class="line" lang="plaintext">C_CloseSession = CKR_OK</span>
<span id="LC83" class="line" lang="plaintext">C_Finalize</span>
<span id="LC84" class="line" lang="plaintext">  IN: pReserved = NULL</span>
<span id="LC85" class="line" lang="plaintext">C_Finalize = CKR_OK</span></code></pre>
<p dir="auto">The next thing I tried was changing the so pin without having the environment variable set. In that case
I was asked to enter a new so pin ("Enter Administrators's new PIN") and entered a pin different from
the default so pin. However, the debug trace still shows a successful login using the default so pin
and afterwards initializes the user pin to the same value:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">p11tool --initialize-so-pin pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok</span>
<span id="LC2" class="line" lang="plaintext">C_Initialize</span>
<span id="LC3" class="line" lang="plaintext">  IN: pInitArgs = NULL</span>
<span id="LC4" class="line" lang="plaintext">C_Initialize = CKR_OK</span>
<span id="LC5" class="line" lang="plaintext">C_GetInfo</span>
<span id="LC6" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC7" class="line" lang="plaintext">       cryptokiVersion: 2.20</span>
<span id="LC8" class="line" lang="plaintext">       manufacturerID: "IBM"</span>
<span id="LC9" class="line" lang="plaintext">       flags: 0</span>
<span id="LC10" class="line" lang="plaintext">      libraryDescription: "Meta PKCS11 LIBRARY"</span>
<span id="LC11" class="line" lang="plaintext">      libraryVersion: 3.10</span>
<span id="LC12" class="line" lang="plaintext">      }</span>
<span id="LC13" class="line" lang="plaintext">C_GetInfo = CKR_OK</span>
<span id="LC14" class="line" lang="plaintext">Setting token's user PIN...</span>
<span id="LC15" class="line" lang="plaintext">Enter Administrators's new PIN: (INPUT: 76543210, "new so pin")</span>
<span id="LC16" class="line" lang="plaintext">C_GetSlotList</span>
<span id="LC17" class="line" lang="plaintext">  IN: tokenPresent = CK_TRUE</span>
<span id="LC18" class="line" lang="plaintext">  IN: pulCount = 0x3FFEC77E0A8 = 48</span>
<span id="LC19" class="line" lang="plaintext"> OUT: pSlotList = (1) [ SL3 ]</span>
<span id="LC20" class="line" lang="plaintext">C_GetSlotList = CKR_OK</span>
<span id="LC21" class="line" lang="plaintext">C_GetTokenInfo</span>
<span id="LC22" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC23" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC24" class="line" lang="plaintext">      label: "swtok"</span>
<span id="LC25" class="line" lang="plaintext">      manufacturerID: "IBM Corp."</span>
<span id="LC26" class="line" lang="plaintext">      model: "IBM SoftTok"</span>
<span id="LC27" class="line" lang="plaintext">      serialNumber: "123"</span>
<span id="LC28" class="line" lang="plaintext">      flags: 8913989 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_USER_PIN_TO_BE_CHANGED | CKF_SO_PIN_TO_BE_CHANGED</span>
<span id="LC29" class="line" lang="plaintext">      ulMaxSessionCount: 18446744073709551614</span>
<span id="LC30" class="line" lang="plaintext">      ulSessionCount: 0</span>
<span id="LC31" class="line" lang="plaintext">      ulMaxRwSessionCount: 18446744073709551614</span>
<span id="LC32" class="line" lang="plaintext">      ulRwSessionCount: 18446744073709551615</span>
<span id="LC33" class="line" lang="plaintext">      ulMaxPinLen: 8</span>
<span id="LC34" class="line" lang="plaintext">      ulMinPinLen: 4</span>
<span id="LC35" class="line" lang="plaintext">      ulTotalPublicMemory: 18446744073709551614</span>
<span id="LC36" class="line" lang="plaintext">      ulFreePublicMemory: 18446744073709551614</span>
<span id="LC37" class="line" lang="plaintext">      ulTotalPrivateMemory: 18446744073709551614</span>
<span id="LC38" class="line" lang="plaintext">      ulFreePrivateMemory: 18446744073709551614</span>
<span id="LC39" class="line" lang="plaintext">      ulFreePrivateMemory: 18446744073709551614</span>
<span id="LC40" class="line" lang="plaintext">      hardwareVersion: 1.0</span>
<span id="LC41" class="line" lang="plaintext">      firmwareVersion: 1.0</span>
<span id="LC42" class="line" lang="plaintext">      utcTime: 2018091222532100</span>
<span id="LC43" class="line" lang="plaintext">      }</span>
<span id="LC44" class="line" lang="plaintext">C_GetTokenInfo = CKR_OK</span>
<span id="LC45" class="line" lang="plaintext">C_GetSlotInfo</span>
<span id="LC46" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC47" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC48" class="line" lang="plaintext">      slotDescription: "Linux"</span>
<span id="LC49" class="line" lang="plaintext">      manufacturerID: "IBM"</span>
<span id="LC50" class="line" lang="plaintext">      flags: 1 = CKF_TOKEN_PRESENT</span>
<span id="LC51" class="line" lang="plaintext">      hardwareVersion: 0.0</span>
<span id="LC52" class="line" lang="plaintext">      firmwareVersion: 0.0</span>
<span id="LC53" class="line" lang="plaintext">      }</span>
<span id="LC54" class="line" lang="plaintext">C_GetSlotInfo = CKR_OK</span>
<span id="LC55" class="line" lang="plaintext">C_OpenSession</span>
<span id="LC56" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC57" class="line" lang="plaintext">  IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION</span>
<span id="LC58" class="line" lang="plaintext">  IN: pApplication = NULL</span>
<span id="LC59" class="line" lang="plaintext">  IN: Notify = NULL</span>
<span id="LC60" class="line" lang="plaintext"> OUT: phSession = 0x3FFEC77E458 = S1</span>
<span id="LC61" class="line" lang="plaintext">C_OpenSession = CKR_OK</span>
<span id="LC62" class="line" lang="plaintext">C_GetSessionInfo</span>
<span id="LC63" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC64" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC65" class="line" lang="plaintext">      slotID: SL3</span>
<span id="LC66" class="line" lang="plaintext">      state: CKS_RW_PUBLIC_SESSION</span>
<span id="LC67" class="line" lang="plaintext">      flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION</span>
<span id="LC68" class="line" lang="plaintext">      ulDeviceError: 0</span>
<span id="LC69" class="line" lang="plaintext">      }</span>
<span id="LC70" class="line" lang="plaintext">C_GetSessionInfo = CKR_OK</span>
<span id="LC71" class="line" lang="plaintext">Token 'swtok' with URL 'pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok' requires security officer PIN</span>
<span id="LC72" class="line" lang="plaintext">Enter PIN: (INPUT: 87654321, "default so pin")</span>
<span id="LC73" class="line" lang="plaintext">C_Login</span>
<span id="LC74" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC75" class="line" lang="plaintext">  IN: userType = CKU_SO</span>
<span id="LC76" class="line" lang="plaintext">  IN: pPin = (8) "87654321"</span>
<span id="LC77" class="line" lang="plaintext">C_Login = CKR_OK</span>
<span id="LC78" class="line" lang="plaintext">C_InitPIN</span>
<span id="LC79" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC80" class="line" lang="plaintext">  IN: pPin = (8) "87654321"</span>
<span id="LC81" class="line" lang="plaintext">C_InitPIN = CKR_OK</span>
<span id="LC82" class="line" lang="plaintext">C_CloseSession</span>
<span id="LC83" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC84" class="line" lang="plaintext">C_CloseSession = CKR_OK</span>
<span id="LC85" class="line" lang="plaintext">C_Finalize</span>
<span id="LC86" class="line" lang="plaintext">  IN: pReserved = NULL</span>
<span id="LC87" class="line" lang="plaintext">C_Finalize = CKR_OK</span></code></pre>
<p dir="auto">In both cases (instead of changing the so pin) the user pin was initialized (to the default so pin):</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">p11tool --list-tokens</span>
<span id="LC2" class="line" lang="plaintext">Token 0:</span>
<span id="LC3" class="line" lang="plaintext">       URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok</span>
<span id="LC4" class="line" lang="plaintext">       Label: swtok</span>
<span id="LC5" class="line" lang="plaintext">       Type: Generic token</span>
<span id="LC6" class="line" lang="plaintext">       Flags: RNG, Requires login</span>
<span id="LC7" class="line" lang="plaintext">       Manufacturer: IBM Corp.</span>
<span id="LC8" class="line" lang="plaintext">       Model: IBM SoftTok</span>
<span id="LC9" class="line" lang="plaintext">       Serial: 123</span>
<span id="LC10" class="line" lang="plaintext">      Module: /usr/local/lib/opencryptoki/libopencryptoki.so</span></code></pre>
<p dir="auto">pkcs11 v2.20 says regarding CKF_SO_PIN_TO_BE_CHANGED (which is set
after the initialization):</p>
<blockquote dir="auto">
<p>[CKF_SO_PIN_TO_BE_CHANGED:] True if the SO PIN value is the default value set by token initialization or manufacturing, or the PIN has been expired by the card.</p>
</blockquote>
<blockquote dir="auto">
<p>If a PIN is set to the default value, or has expired, the
appropriate CKF_USER_PIN_TO_BE_CHANGED or CKF_SO_PIN_TO_BE_CHANGED
flag is set to true. When either of these flags are true, logging
in with the corresponding PIN will succeed, but only the C_SetPIN
function can be called. Calling any other function that required the
user to be logged in will cause CKR_PIN_EXPIRED to be returned until
C_SetPIN is called successfully.</p>
</blockquote>
<p dir="auto">pkcs11 v2.20 says regarding C_InitPin:</p>
<blockquote dir="auto">
<p>C_InitPIN initializes the normal user’s PIN.</p>
</blockquote>
<p dir="auto">If the --initialize-so-pin option is meant to change the so pin,
shouldn't it do a C_Login with the default so pin and a C_SetPIN
using a new so pin, instead of calling C_Login and C_InitPIN both
with the default so pin, as shown in the debug output above?</p>
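<p dir="auto">To make the difference between the two call sequences concrete, here is an added example in C (not code from gnutls, p11tool or opencryptoki): a small simulated token that implements the PKCS#11 v2.20 rules quoted above, replays the C_Login + C_InitPIN sequence from the trace against it, and then the C_Login + C_SetPIN sequence. The CKR_/CKF_/CKU_ constants are the standard pkcs11t.h values; the token structure, the sim_ functions, the PIN values and the strict/lenient switch are assumptions made for this example.</p>

```c
/* Added example, not code from gnutls/p11tool or opencryptoki: a simulated token
 * following the PKCS#11 v2.20 rules quoted in the report (C_InitPIN sets the normal
 * user's PIN; C_SetPIN changes the logged-in user's PIN and clears its TO_BE_CHANGED
 * flag). Constants are the pkcs11t.h values; token, PINs and sim_ names are constructed. */
#include <string.h>

typedef unsigned long CK_RV;
#define CKR_OK                     0x000UL
#define CKR_PIN_INCORRECT          0x0A0UL
#define CKR_PIN_EXPIRED            0x0A3UL
#define CKR_USER_NOT_LOGGED_IN     0x101UL
#define CKU_SO                     0
#define CKU_USER                   1
#define CKF_USER_PIN_INITIALIZED   0x00000008UL
#define CKF_TOKEN_INITIALIZED      0x00000400UL
#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000UL
#define CKF_SO_PIN_TO_BE_CHANGED   0x00800000UL
#define PIN_MAX 8                  /* ulMaxPinLen in the trace */
#define NOT_LOGGED_IN (-1)

typedef struct {
    char so_pin[PIN_MAX + 1], user_pin[PIN_MAX + 1];
    unsigned long flags;
    int logged_in;  /* NOT_LOGGED_IN, CKU_SO or CKU_USER */
    int strict;     /* 1: CKR_PIN_EXPIRED as the spec says; 0: accept anyway, as the traced token did */
} sim_token;

static const char DEFAULT_SO_PIN[] = "87654321";  /* constructed; the default used in the report */

static void copy_pin(char *dst, const char *src) { strncpy(dst, src, PIN_MAX); dst[PIN_MAX] = '\0'; }

/* Stands in for C_InitToken: default SO PIN, no user PIN, SO PIN flagged "to be changed". */
void sim_init_token(sim_token *t, int strict) {
    memset(t, 0, sizeof *t);
    copy_pin(t->so_pin, DEFAULT_SO_PIN);
    t->flags = CKF_TOKEN_INITIALIZED | CKF_SO_PIN_TO_BE_CHANGED;
    t->logged_in = NOT_LOGGED_IN;
    t->strict = strict;
}

/* C_Login: succeeds even with an expired PIN; the restriction hits the calls after it. */
CK_RV sim_login(sim_token *t, int user, const char *pin) {
    if (strcmp(user == CKU_SO ? t->so_pin : t->user_pin, pin) != 0) return CKR_PIN_INCORRECT;
    t->logged_in = user;
    return CKR_OK;
}

/* C_InitPIN: initializes the normal user's PIN; needs an SO session. */
CK_RV sim_init_pin(sim_token *t, const char *pin) {
    if (t->logged_in != CKU_SO) return CKR_USER_NOT_LOGGED_IN;
    if (t->strict && (t->flags & CKF_SO_PIN_TO_BE_CHANGED))
        return CKR_PIN_EXPIRED;  /* spec: "only the C_SetPIN function can be called" */
    copy_pin(t->user_pin, pin);
    t->flags |= CKF_USER_PIN_INITIALIZED;
    return CKR_OK;
}

/* C_SetPIN: changes the logged-in user's PIN (the user PIN if nobody is logged in)
 * and clears that PIN's TO_BE_CHANGED flag. */
CK_RV sim_set_pin(sim_token *t, const char *old_pin, const char *new_pin) {
    int so = (t->logged_in == CKU_SO);
    char *target = so ? t->so_pin : t->user_pin;
    if (strcmp(target, old_pin) != 0) return CKR_PIN_INCORRECT;
    copy_pin(target, new_pin);
    t->flags &= ~(so ? CKF_SO_PIN_TO_BE_CHANGED : CKF_USER_PIN_TO_BE_CHANGED);
    return CKR_OK;
}

/* The sequence in the trace: SO login, then C_InitPIN with the same default PIN.
 * Returns 1 if the SO PIN is still the default and still flagged while the user PIN
 * now equals the default SO PIN, which is what the report observed. */
int initpin_sequence_reproduces_report(void) {
    sim_token t;
    sim_init_token(&t, 0);
    if (sim_login(&t, CKU_SO, DEFAULT_SO_PIN) != CKR_OK) return 0;
    if (sim_init_pin(&t, DEFAULT_SO_PIN) != CKR_OK) return 0;
    return strcmp(t.so_pin, DEFAULT_SO_PIN) == 0 && (t.flags & CKF_SO_PIN_TO_BE_CHANGED) != 0 &&
           strcmp(t.user_pin, DEFAULT_SO_PIN) == 0;
}

/* The sequence the report asks for: SO login with the default PIN, then C_SetPIN.
 * Returns 1 if the SO PIN changed, the flag is cleared and the new PIN logs in. */
int setpin_sequence_changes_so_pin(const char *new_so_pin) {
    sim_token t;
    sim_init_token(&t, 0);
    if (sim_login(&t, CKU_SO, DEFAULT_SO_PIN) != CKR_OK) return 0;
    if (sim_set_pin(&t, DEFAULT_SO_PIN, new_so_pin) != CKR_OK) return 0;
    return strcmp(t.so_pin, new_so_pin) == 0 && (t.flags & CKF_SO_PIN_TO_BE_CHANGED) == 0 &&
           sim_login(&t, CKU_SO, new_so_pin) == CKR_OK;
}

/* A token that enforces the quoted rule answers the C_InitPIN sequence with CKR_PIN_EXPIRED. */
CK_RV initpin_on_strict_token(void) {
    sim_token t;
    sim_init_token(&t, 1);
    sim_login(&t, CKU_SO, DEFAULT_SO_PIN);
    return sim_init_pin(&t, DEFAULT_SO_PIN);
}
```

<p dir="auto">Called from a test or a small main, initpin_sequence_reproduces_report() returns 1 (SO PIN still the default, CKF_SO_PIN_TO_BE_CHANGED still set, default copied into the user PIN), setpin_sequence_changes_so_pin("76543210") returns 1 (flag cleared, new SO PIN logs in), and initpin_on_strict_token() returns CKR_PIN_EXPIRED. The last case is the caveat: the trace above shows opencryptoki accepting C_InitPIN while the SO PIN is flagged, but a token that applies the quoted rule would reject the C_InitPIN sequence, so a tool that relies on it changes nothing on a lenient token and fails outright on a strict one.</p>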
<p dir="auto">Moreover, if the environment variable GNUTLS_SO_PIN is set,
the pin for C_Login and C_InitPIN is read from it, so even if
C_InitPIN could be used to change the so pin, it would always be set
to the same default so pin.
In case the environment variable is not set, both the new pin and
the pin (for login) are read by the getpass function. However, it
seems that this function writes to a static buffer, such that the
second input (the default so pin for login) overwrites the first
input, since it was not copied at the time it was obtained. So
again, even if C_InitPIN could be used to change the so pin,
it would always be set to the same default so pin.</p>
<p dir="auto">If the --initialize-so-pin option is not meant to change the so pin,
but instead just re-initialize it to its default value, why does
it ask to enter a new admin pin (in case the environment variable is not
set)? Which option should be used to change the so pin i.e., leave the
CKF_SO_PIN_TO_BE_CHANGED state after initialization?</p>
<p dir="auto">Also, the static buffer problem described above seems to affect
the --initialize-pin option as well:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">p11tool --initialize-pin pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok</span>
<span id="LC2" class="line" lang="plaintext">C_Initialize</span>
<span id="LC3" class="line" lang="plaintext">  IN: pInitArgs = NULL</span>
<span id="LC4" class="line" lang="plaintext">C_Initialize = CKR_OK</span>
<span id="LC5" class="line" lang="plaintext">C_GetInfo</span>
<span id="LC6" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC7" class="line" lang="plaintext">       cryptokiVersion: 2.20</span>
<span id="LC8" class="line" lang="plaintext">       manufacturerID: "IBM"</span>
<span id="LC9" class="line" lang="plaintext">       flags: 0</span>
<span id="LC10" class="line" lang="plaintext">      libraryDescription: "Meta PKCS11 LIBRARY"</span>
<span id="LC11" class="line" lang="plaintext">      libraryVersion: 3.10</span>
<span id="LC12" class="line" lang="plaintext">      }</span>
<span id="LC13" class="line" lang="plaintext">C_GetInfo = CKR_OK</span>
<span id="LC14" class="line" lang="plaintext">Setting token's user PIN...</span>
<span id="LC15" class="line" lang="plaintext">Enter User's new PIN: (INPUT: 76543210, "new user pin")</span>
<span id="LC16" class="line" lang="plaintext">C_GetSlotList</span>
<span id="LC17" class="line" lang="plaintext">  IN: tokenPresent = CK_TRUE</span>
<span id="LC18" class="line" lang="plaintext">  IN: pulCount = 0x3FFE2FFDC28 = 48</span>
<span id="LC19" class="line" lang="plaintext"> OUT: pSlotList = (1) [ SL3 ]</span>
<span id="LC20" class="line" lang="plaintext">C_GetSlotList = CKR_OK</span>
<span id="LC21" class="line" lang="plaintext">C_GetTokenInfo</span>
<span id="LC22" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC23" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC24" class="line" lang="plaintext">      label: "swtok"</span>
<span id="LC25" class="line" lang="plaintext">      manufacturerID: "IBM Corp."</span>
<span id="LC26" class="line" lang="plaintext">      model: "IBM SoftTok"</span>
<span id="LC27" class="line" lang="plaintext">      serialNumber: "123"</span>
<span id="LC28" class="line" lang="plaintext">      flags: 8913989 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_USER_PIN_TO_BE_CHANGED | CKF_SO_PIN_TO_BE_CHANGED</span>
<span id="LC29" class="line" lang="plaintext">      ulMaxSessionCount: 18446744073709551614</span>
<span id="LC30" class="line" lang="plaintext">      ulSessionCount: 0</span>
<span id="LC31" class="line" lang="plaintext">      ulMaxRwSessionCount: 18446744073709551614</span>
<span id="LC32" class="line" lang="plaintext">      ulRwSessionCount: 18446744073709551615</span>
<span id="LC33" class="line" lang="plaintext">      ulMaxPinLen: 8</span>
<span id="LC34" class="line" lang="plaintext">      ulMinPinLen: 4</span>
<span id="LC35" class="line" lang="plaintext">      ulTotalPublicMemory: 18446744073709551614</span>
<span id="LC36" class="line" lang="plaintext">      ulFreePublicMemory: 18446744073709551614</span>
<span id="LC37" class="line" lang="plaintext">      ulTotalPrivateMemory: 18446744073709551614</span>
<span id="LC38" class="line" lang="plaintext">      ulFreePrivateMemory: 18446744073709551614</span>
<span id="LC39" class="line" lang="plaintext">      ulFreePrivateMemory: 18446744073709551614</span>
<span id="LC40" class="line" lang="plaintext">      hardwareVersion: 1.0</span>
<span id="LC41" class="line" lang="plaintext">      firmwareVersion: 1.0</span>
<span id="LC42" class="line" lang="plaintext">      utcTime: 2018091223495800</span>
<span id="LC43" class="line" lang="plaintext">      }</span>
<span id="LC44" class="line" lang="plaintext">C_GetTokenInfo = CKR_OK</span>
<span id="LC45" class="line" lang="plaintext">C_GetSlotInfo</span>
<span id="LC46" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC47" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC48" class="line" lang="plaintext">      slotDescription: "Linux"</span>
<span id="LC49" class="line" lang="plaintext">      manufacturerID: "IBM"</span>
<span id="LC50" class="line" lang="plaintext">      flags: 1 = CKF_TOKEN_PRESENT</span>
<span id="LC51" class="line" lang="plaintext">      hardwareVersion: 0.0</span>
<span id="LC52" class="line" lang="plaintext">      firmwareVersion: 0.0</span>
<span id="LC53" class="line" lang="plaintext">      }</span>
<span id="LC54" class="line" lang="plaintext">C_GetSlotInfo = CKR_OK</span>
<span id="LC55" class="line" lang="plaintext">C_OpenSession</span>
<span id="LC56" class="line" lang="plaintext">  IN: slotID = SL3</span>
<span id="LC57" class="line" lang="plaintext">  IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION</span>
<span id="LC58" class="line" lang="plaintext">  IN: pApplication = NULL</span>
<span id="LC59" class="line" lang="plaintext">  IN: Notify = NULL</span>
<span id="LC60" class="line" lang="plaintext"> OUT: phSession = 0x3FFE2FFDFD8 = S1</span>
<span id="LC61" class="line" lang="plaintext">C_OpenSession = CKR_OK</span>
<span id="LC62" class="line" lang="plaintext">C_GetSessionInfo</span>
<span id="LC63" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC64" class="line" lang="plaintext"> OUT: pInfo = {</span>
<span id="LC65" class="line" lang="plaintext">      slotID: SL3</span>
<span id="LC66" class="line" lang="plaintext">      state: CKS_RW_PUBLIC_SESSION</span>
<span id="LC67" class="line" lang="plaintext">      flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION</span>
<span id="LC68" class="line" lang="plaintext">      ulDeviceError: 0</span>
<span id="LC69" class="line" lang="plaintext">      }</span>
<span id="LC70" class="line" lang="plaintext">C_GetSessionInfo = CKR_OK</span>
<span id="LC71" class="line" lang="plaintext">Token 'swtok' with URL 'pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok' requires security officer PIN</span>
<span id="LC72" class="line" lang="plaintext">Enter PIN: (INPUT: 87654321, "default so pin")</span>
<span id="LC73" class="line" lang="plaintext">C_Login</span>
<span id="LC74" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC75" class="line" lang="plaintext">  IN: userType = CKU_SO</span>
<span id="LC76" class="line" lang="plaintext">  IN: pPin = (8) "87654321"</span>
<span id="LC77" class="line" lang="plaintext">C_Login = CKR_OK</span>
<span id="LC78" class="line" lang="plaintext">C_InitPIN</span>
<span id="LC79" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC80" class="line" lang="plaintext">  IN: pPin = (8) "87654321"</span>
<span id="LC81" class="line" lang="plaintext">C_InitPIN = CKR_OK</span>
<span id="LC82" class="line" lang="plaintext">C_CloseSession</span>
<span id="LC83" class="line" lang="plaintext">  IN: hSession = S1</span>
<span id="LC84" class="line" lang="plaintext">C_CloseSession = CKR_OK</span>
<span id="LC85" class="line" lang="plaintext">C_Finalize</span>
<span id="LC86" class="line" lang="plaintext">  IN: pReserved = NULL</span>
<span id="LC87" class="line" lang="plaintext">C_Finalize = CKR_OK</span></code></pre>
<p dir="auto">A work-around for the --initialize-pin option is to provide the default so pin via the corresponding environment variable.</p>
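<p dir="auto">The static-buffer explanation above matches the documented contract of getpass(3), which returns a pointer to a single static buffer that the next call overwrites. The following added example (not p11tool code) shows the consequence with a scripted stand-in for getpass that has the same contract: keeping the pointer from the first prompt and prompting again makes the "new PIN" read as the login PIN, while copying each answer out of the buffer before the next prompt keeps the two values distinct. The answers, the scripted_getpass and scrub helpers and the buffer size are constructed for this example.</p>

```c
/* Added example, not p11tool code: why two prompts through a getpass(3)-style
 * function cannot both be kept without copying. glibc's getpass returns a pointer
 * to one static buffer, so the second answer overwrites the first in place.
 * scripted_getpass() stands in for getpass and reads constructed answers from a
 * list so the example runs without a terminal. */
#include <stdio.h>
#include <string.h>

#define PIN_BUF 64

/* Constructed answers: the new SO PIN typed first, the default SO PIN typed second. */
static const char *const scripted_answers[] = { "76543210", "87654321" };
static size_t scripted_next;

/* Same contract as getpass(3): every call returns the SAME static buffer. */
static char *scripted_getpass(const char *prompt) {
    static char buf[PIN_BUF];
    (void)prompt;
    snprintf(buf, sizeof buf, "%s", scripted_answers[scripted_next % 2]);
    scripted_next++;
    return buf;
}

/* Best-effort scrub that the optimizer cannot drop as a dead store. */
static void scrub(char *p, size_t n) {
    volatile char *v = p;
    while (n--) *v++ = 0;
}

/* Pattern the report describes: keep the returned pointer, prompt again, use both.
 * Returns 1 when the "new PIN" now reads the same as the login PIN. */
int broken_flow_pins_equal(void) {
    scripted_next = 0;
    const char *new_pin   = scripted_getpass("Enter Administrator's new PIN: ");
    const char *login_pin = scripted_getpass("Enter PIN: ");   /* overwrites *new_pin */
    return strcmp(new_pin, login_pin) == 0;
}

/* Fixed pattern: copy each answer into caller-owned storage before the next prompt,
 * and wipe both copies once they are no longer needed. Returns 1 only if equal. */
int fixed_flow_pins_equal(void) {
    char new_pin[PIN_BUF], login_pin[PIN_BUF];
    scripted_next = 0;
    snprintf(new_pin, sizeof new_pin, "%s", scripted_getpass("Enter Administrator's new PIN: "));
    snprintf(login_pin, sizeof login_pin, "%s", scripted_getpass("Enter PIN: "));
    int equal = strcmp(new_pin, login_pin) == 0;
    scrub(new_pin, sizeof new_pin);
    scrub(login_pin, sizeof login_pin);
    return equal;
}

int main(void) {
    printf("without copying, new PIN == login PIN: %d\n", broken_flow_pins_equal());
    printf("with copying,    new PIN == login PIN: %d\n", fixed_flow_pins_equal());
    return 0;
}
```

<p dir="auto">broken_flow_pins_equal() returns 1 and fixed_flow_pins_equal() returns 0. This is consistent with the work-around above: when the login PIN comes from the environment variable, only one getpass prompt remains and there is nothing left to overwrite.</p>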
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">gnutls-3.6.2-1.fc28.s390x
gnutls-utils-3.6.2-1.fc28.s390x</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Fedora 28 (on s390x)</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<ol dir="auto">
<li>Set up opencryptoki as a pkcs11 provider using a p11-kit config file.</li>
<li>Initialize a token: p11tool --initialize --label="" </li>
<li>Try to change the default so pin: p11tool --initialize-so-pin </li>
<li>See "Description of problem" for more details.</li>
</ol>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">SO pin is not changed. Instead, user pin is initialized to default SO pin.</p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">SO pin is changed, i.e., the CKF_SO_PIN_TO_BE_CHANGED flag is set to false.</p>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/561">view it on GitLab</a>.
</p>
</div>
</body>
</html>