I am trying to understand how to supply a PIN to generate a key pair in an 
HSM using the PKCS #11 interface in GnuTLS - and, so far, failing miserably. My 
function does (in essence) the following:

    1) Initialize the PKCS #11 interface with

       gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)

    2) Add the provider with 

        gnutls_pkcs11_add_provider("<lib-path>", NULL) ;

where <lib-path> is the pathname of the shared library for the client component 
of the HSM.

     After the above, I tried to generate a keypair as follows:

     gnutls_pkcs11_privkey_generate3(<hsm-url>,
                                     GNUTLS_PK_RSA,
                                     2048,
                                     "First Key",
                                     &cid,
                                     0,
                                     &pubKey,
                                     0,
                                     GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE |
                                     GNUTLS_PKCS11_OBJ_FLAG_LOGIN);

where <hsm-url> is the URL for the HSM that I am using.

     The above doesn't work. Both the init and provider calls do work, but 
generate3 returns error -300 - PKCS11 error. This is not surprising, for one 
needs to supply credentials in order to access the HSM.

     The GnuTLS documentation says that, when a PIN is required for PKCS #11 
operations, one should install a callback by means of 
gnutls_pkcs11_set_pin_function(). I added such a thing, but the callback does 
not get invoked. Even if it were, I am confused as to where the arguments for 
the callback are coming from.  The callback has the prototype

typedef int (*gnutls_pin_callback_t) (void *userdata, int attempt,
                                      const char *token_url,
                                      const char *token_label,
                                      unsigned int flags,
                                      char *pin, size_t pin_max);

Who is supplying them? Since they involve the PIN (among other things) I would 
have thought it is up to me. I don't know how. And, as I mentioned, the 
callback does not get invoked when I call the generate3 function. 

      Any help to clarify these issues would be much appreciated.
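As an added example (not from the post or from GnuTLS itself), a PIN callback that fits the prototype quoted above: every argument is passed in by GnuTLS when the token demands a login, and the callback's only job is to copy the application's PIN into `pin` (at most `pin_max` bytes, NUL-terminated) and return 0. The `pin_creds` struct, the `setup()` helper and the `WITH_GNUTLS` macro are my own names; the callback also stops retrying after a fixed number of attempts so that a wrong PIN cannot lock the HSM.

```c
#include <stddef.h>
#include <string.h>
#ifdef WITH_GNUTLS             /* real build: cc -DWITH_GNUTLS ... -lgnutls */
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>
#else
/* Local copy of the prototype quoted above, so the file builds without GnuTLS. */
typedef int (*gnutls_pin_callback_t)(void *userdata, int attempt,
        const char *token_url, const char *token_label, unsigned int flags,
        char *pin, size_t pin_max);
#endif

/* Application-owned credentials; a pointer to this struct is the userdata
 * that gnutls_pkcs11_set_pin_function() stores and hands back on each call. */
struct pin_creds {
    const char *expected_url; /* answer only for this token URL (NULL = any) */
    const char *pin;          /* the token's user PIN */
    int max_attempts;         /* give up before the HSM locks the PIN */
};

/* GnuTLS, not the application, supplies every argument: userdata is our
 * struct, attempt counts retries from 0, token_url/token_label name the
 * token asking for login, and pin/pin_max is the output buffer to fill. */
int pin_callback(void *userdata, int attempt, const char *token_url,
                 const char *token_label, unsigned int flags,
                 char *pin, size_t pin_max)
{
    struct pin_creds *c = userdata;
    (void)token_label; (void)flags;
    if (attempt >= c->max_attempts)   /* stop retrying a PIN the HSM rejected */
        return -1;                    /* real code: GNUTLS_E_PKCS11_PIN_ERROR */
    if (c->expected_url && strcmp(token_url, c->expected_url) != 0)
        return -1;                    /* never hand the PIN to an unexpected token */
    if (strlen(c->pin) + 1 > pin_max) /* PIN plus NUL must fit the buffer */
        return -1;
    strcpy(pin, c->pin);
    return 0;                         /* 0 tells GnuTLS the buffer holds a PIN */
}

#ifdef WITH_GNUTLS
/* The post's sequence, with the callback installed before generate3() runs. */
int setup(struct pin_creds *c, const char *module_path)
{
    int r = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
    if (r < 0) return r;
    if ((r = gnutls_pkcs11_add_provider(module_path, NULL)) < 0) return r;
    gnutls_pkcs11_set_pin_function(pin_callback, c);
    return 0;
}
#endif
```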



_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help