Always login with PIN If FORCE_LOGIN is specified in openssl config
The HSM slot is queried with C_GetTokenInfo(...) if it requires login,
checking the flag CKF_LOGIN_REQUIRED. If there are multiple objects in
the slot, some may not require login (like certificates and public
keys), others will require login (like private keys). In this case some
HSMs (like Thales PTK 7.1) respond that no login is required, which sets
token->loginRequired = false. This makes it impossible to use
the private key - no attempt is ever made to login. Even if the user
explicitly sets the option FORCE_LOGIN - it is ignored.

Now if ctx->force_login is specified, it will always login with the
slot, regardless of the CKF_LOGIN_REQUIRED flag.
Plamen Todorov authored and mtrojnar committed Mar 5, 2024
1 parent 91b7cb9 commit 54fa261
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/eng_back.c
Expand Up @@ -542,7 +542,7 @@ static void *ctx_try_load_object(ENGINE_CTX *ctx,
/* In several tokens certificates are marked as private */
if (login) {
/* Only try to login if login is required */
if (tok->loginRequired) {
if (tok->loginRequired || ctx->force_login) {
/* Only try to login if a single slot matched to avoiding trying
* the PIN against all matching slots */
if (matched_count == 1) {
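Review bot: the comment directly above the changed condition, "/* Only try to login if login is required */", no longer matches the code. With `tok->loginRequired || ctx->force_login`, a login is also attempted when the token does not report CKF_LOGIN_REQUIRED, so the comment should say something like "Only try to login if the token requires it or force_login is set". The new condition also still sits above the `matched_count == 1` check, so force_login takes effect only when exactly one slot matched. That keeps the PIN from being tried against several tokens, but it is narrower than the "always login" wording in the commit message and is worth stating in the comment or in the FORCE_LOGIN documentation.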