[gnutls-help] Supplying a PIN for an HSM with PKCS 11
nuncestbibendum at excite.com
Tue Oct 23 21:59:02 CEST 2018
I am trying to understand how to supply a PIN to generate a key pair in an HSM using the PKCS #11 interface in GnuTLS - and, so far, failing miserably. My function does (in essence) the following:
1) Initialize the PKCS #11 interface with
2) Add the provider with
gnutls_pkcs11_add_provider("<lib-path>", NULL) ;
where <lib-path> is the pathname of the shared library for the client component of the HSM.
After the above, I tried to generate a keypair as follows:
GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE | GNUTLS_PKCS11_OBJ_FLAG_LOGIN) ;
where <hsm-url> is the URL for the HSM that I am using.
The above doesn't work. Both the init and provider calls do work, but generate3 returns error -300 - PKCS11 error. This is not surprising, for one needs to supply credentials in order to access the HSM.
The GnuTLS documentation says that, when a PIN is required for PKCS 11 operations, one should install a callback by means of gnutls_pkcs11_set_pin_function(). I added such a thing, but the callback does not get invoked. Even if it were, I am confused as to where the arguments for the callback are coming from. The callback has the prototype
typedef int (*gnutls_pin_callback_t) (void *userdata, int attempt,
const char *token_url,
const char *token_label,
unsigned int flags,
char *pin, size_t pin_max);
Who is supplying them? SInce they involve the PIN (among other things) I would have thought it is up to me. I don't know how. And, as I mentioned, the callback does not get invoked when I call the generate3 function.
Any help to clarify these issues would be much appreciated.
More information about the Gnutls-help