From: Claudio Ferreira Filho <[email protected]>
Date: Tue, 14 Jan 2026 15:30:00 -0300
Subject: [PATCH] pkcs11: Add fallback for modules that reject initialization flags
Some PKCS#11 modules (e.g., SafeSign IC 3.8.0.0) reject any flags in C_Initialize() and return CKR_ARGUMENTS_BAD, but work correctly when called with flags=0. This patch adds a fallback attempt with flags=0 when a module returns CKR_ARGUMENTS_BAD, maintaining compatibility with non-conforming modules while preserving the current behavior for properly implemented modules. Tested with: - SafeSign IC Standard Linux 3.8.0.0 (AET Europe B.V.) - Token: Giesecke & Devrient StarSign CUT S - System: Debian GNU/Linux sid (GnuTLS 3.8.11) Signed-off-by: Claudio Ferreira Filho <[email protected]> --- lib/pkcs11.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/pkcs11.c b/lib/pkcs11.c index 1234567..abcdefg 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -290,6 +290,13 @@ static int pkcs11_provider_init(struct gnutls_pkcs11_provider_st *provider, args.reserved = (void *)reserved; rv = module->C_Initialize(&args); + /* Some modules (e.g., SafeSign) reject any flags and only accept flags=0 */ + if (rv == CKR_ARGUMENTS_BAD) { + _gnutls_debug_log("p11: Module %s rejected flags, trying with flags=0\n", name); + args.flags = 0; + rv = module->C_Initialize(&args); + } + if (rv == CKR_CANT_LOCK) { args = no_thread_init_args; args.reserved = (void *)reserved; -- 2.43.0
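Review bot: In the new `if (rv == CKR_ARGUMENTS_BAD)` block, `args.flags = 0` withdraws whatever locking flags the first `C_Initialize()` call requested, so a successful retry leaves the module initialized under a different threading contract than the one the caller originally asked for, and nothing records that. In PKCS#11, flags of 0 together with NULL mutex callbacks tells the module the application will not call it from multiple threads; the visible lines do not show what the callbacks in `args` are, so the comment should state which case applies and why it is safe, or the retry should be handled the way the existing `CKR_CANT_LOCK` branch is (`args = no_thread_init_args;` followed by `args.reserved = (void *)reserved;`). Two smaller points on the same block: `CKR_ARGUMENTS_BAD` is a generic return value and `args.reserved` is passed unchanged on the retry, so the message "rejected flags" asserts a cause the code has not established; wording such as "returned CKR_ARGUMENTS_BAD, retrying with flags=0" is more accurate. The retry's own failure is also not logged, which makes a module that rejects both calls harder to diagnose from debug output.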

