-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow binary PIN values for PKCS11 providers #603
Comments
IIRC TPM also has a |
Hi all, I think the suggested approach is fine. However, there is an unlikely corner case when the pin of the token is, for example: What do you think? Is it okay to ignore this unlikely corner case or go with the other approach? |
I don't think there's a problem there, the value you'd put in would be |
Yea true, I mean it might get confusing a bit in this case. but indeed it's not a problem with the implementation |
As mentioned here and here, some PKCS11 tokens allow (or even require) PINs that do not conform to the spec, e.g., containing null bytes. The functionality has already been added (but not released, as of writing this) in the Cryptoki crate to allow such PINs, however this needs to be plumbed up into Parsec.
The authentication value config options for the TPM provider can stand as examples of how this could be implemented, namely by allowing the passed value to take the form
hex:...
, and to default to treating it as a string otherwise.Any implementation should be accompanied by configuration tests.
The text was updated successfully, but these errors were encountered: