I’m running into issues using PKCS#11 tools with my HSM6. Using multiple tools I’ve received an error about an invalid slot. This has prevented me from using it for my first use case, which is a CA in a box using the pi + module.
Using the pkcs11-tool CLI as a baseline, here’s the output:
crdant@certificates:~/workspace/step-ca_0.19.0 $ pkcs11-tool --module /usr/lib/libzk_pkcs11.so -l -p 1234 --token test --list-slots
Available slots:
Slot 0 (0x103ebe3b4): SoftHSM slot ID 0x3ebe3b4
token label : test
token manufacturer : SoftHSM project
token model : SoftHSM v2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 0.0
firmware version : 75.127
serial num : 4ce9927e03ebe3b4
pin min/max : 4049356396564721714/360856430586101759
Slot 1 (0x0): (GetSlotInfo failed, CKR_SLOT_ID_INVALID)
error: PKCS11 function C_OpenSession failed: rv = CKR_SLOT_ID_INVALID (0x3)
Aborting.
Other tools/libraries are showing the same issues. I’m using Raspbian Buster as the OS.
I found the difference between sudo and no sudo on the pkcs11-tool. It was file permissions on the directory created under /var/lib/zmbit/zk_pcks11/tokens.
My original issue remains, in that the PKCS module appears to be bailing on slot listing when used with tools like pkcs11-tool and other commands that use PKCS#11 to access the module.
zk_pkcs11-util is basically an extended softhsm2-util that adds the --use-zkslot parameter allowing you to use the private key from a given HSM6 keyslot instead of importing one from a PKCS#8 file. You can man zk_pkcs11-util and/or man zk_pkcs11.conf for a description of the slight changes.
Going back to the example, instead of --list-slots use --list-objects. You should see the key object included indicating that the private key of the HSM6 will be used for that token.
I’m feeling more and more like the PKCS#11 support I relied on when making my purchase decision is a partial implementation and unable to support my use case. I can list objects, but the following operations for pkcs11-tool seem to fail:
I’m happy to open individual threads on each of these items to show what I’m seeing to see if we can make progress, or to continue this thread. At this point I’m resigned to having made a poor choice in purchasing the HSM6.