
PKCS11 provider serial_number configuration #615

Closed
@anta5010

Description

@anta5010

It's now possible (and recommended) to configure Parsec PKCS11 provider with a PKCS11 token serial number instead of a slot ID.

When I tested this feature with a Nitrokey HSM module I initially got an error:

$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01022270000         ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.1
  serial num         : DENK0102227
  pin min/max        : 6/15

$ grep serial /home/pi/anta/config-PKCS11.toml
serial_number = "DENK0102227"

$ RUST_LOG=trace /home/pi/anta/parsec/target/release/parsec -c /home/pi/anta/config-PKCS11.toml
[INFO  parsec] Parsec started. Configuring the service...
[INFO  parsec_service::utils::service_builder] Creating a PKCS 11 Provider.
[INFO  parsec_service::providers::pkcs11] Building a PKCS 11 provider with library '/usr/lib/arm-linux-gnueabihf/opensc-pkcs11.so'
[TRACE parsec_service::providers::pkcs11] Initialize command
[ERROR parsec_service::utils::service_builder] Provider with ID PKCS #11 provider cannot be created; Error: No token with the provided serial number
Error: failed to create provider

After some debugging and reading specs I found that the serial number must be 16 characters long and must be padded with spaces:
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959687

I fixed my issue by updating Parsec config with
serial_number = "DENK0102227     "

pkcs11-tool -L doesn't print the trailing spaces, which can cause confusion like the one I had.

So, we can resolve the issue with either:

  1. Strip trailing spaces from both serial numbers when we do this comparison:
     if sn == serial_number {
  or
  2. Update the config file parsing procedure and generate an error when serial_number is shorter than 16 chars. The Parsec config file template should also include details about the serial_number length requirements and padding with spaces.
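Both options above come down to how the 16-byte CK_TOKEN_INFO.serialNumber field (space-padded per PKCS#11 v2.40) is compared with the string from the config file. The following is an added example, not Parsec's code, showing one possible implementation of each option in plain Rust: serial_matches ignores trailing padding on both sides (option 1), and check_serial_length rejects a configured value that is not exactly 16 bytes at config-load time (option 2). The function names, the SerialError type and the sample token serial are assumptions made for this illustration; the serial value itself is the one from the issue, padded to 16 characters as the token would report it.

```rust
// Added example (not Parsec's own code): matching a PKCS#11 token serial
// number against a configured value without the trailing-space pitfall.
// CK_TOKEN_INFO.serialNumber is a fixed 16-byte field padded with ' '.

/// Length of CK_TOKEN_INFO.serialNumber as defined by PKCS#11 v2.40.
pub const SERIAL_LEN: usize = 16;

/// Errors a config-time check of serial_number can report (hypothetical type).
#[derive(Debug, PartialEq)]
pub enum SerialError {
    /// The value must be exactly SERIAL_LEN bytes; carries the actual length.
    WrongLength(usize),
    /// PKCS#11 serial numbers are character strings; reject non-ASCII input.
    NotAscii,
}

/// Return `bytes` with any run of trailing ' ' padding removed.
fn trim_trailing_spaces(bytes: &[u8]) -> &[u8] {
    let end = bytes.iter().rposition(|&b| b != b' ').map_or(0, |i| i + 1);
    &bytes[..end]
}

/// Option 1: compare the raw 16-byte token field with the configured string,
/// ignoring trailing padding on both sides. An all-blank serial never matches,
/// so an empty config value cannot silently select a token with no serial.
pub fn serial_matches(token_serial: &[u8; SERIAL_LEN], configured: &str) -> bool {
    let token = trim_trailing_spaces(token_serial);
    let cfg = trim_trailing_spaces(configured.as_bytes());
    !token.is_empty() && token == cfg
}

/// Option 2: validate the configured value when the config file is parsed,
/// requiring the exact 16-byte padded form, so a short value fails early with
/// a clear error instead of "No token with the provided serial number".
pub fn check_serial_length(configured: &str) -> Result<(), SerialError> {
    if !configured.is_ascii() {
        return Err(SerialError::NotAscii);
    }
    if configured.len() != SERIAL_LEN {
        return Err(SerialError::WrongLength(configured.len()));
    }
    Ok(())
}

fn main() {
    // Constructed sample: the serial from the issue, as a token reports it
    // (11 characters followed by 5 spaces = 16 bytes).
    let token_serial: [u8; SERIAL_LEN] = *b"DENK0102227     ";

    println!(
        "unpadded config value matches: {}",
        serial_matches(&token_serial, "DENK0102227")
    );
    println!(
        "padded config value matches:   {}",
        serial_matches(&token_serial, "DENK0102227     ")
    );
    println!(
        "length check on unpadded value: {:?}",
        check_serial_length("DENK0102227")
    );
    println!(
        "length check on padded value:   {:?}",
        check_serial_length("DENK0102227     ")
    );
}
```

With option 1 both forms of the config value select the token; with option 2 the unpadded value is rejected at startup with WrongLength(11), which points the operator at the padding requirement before any PKCS#11 call is made. The two can be combined: normalise at parse time, then compare padding-insensitively.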

Labels: bug