Nitrokey HSM 2 - Ubuntu 24.04 - n-of-m, nitrokey-app etc.

Let me check. My feeling is that pkcs11-tool will routinely prompt for the PIN if CKF_PIN_REQUIRED is indicated. I assume engine-pkcs11 does the same.

Hello @sc-hsm ,

If your feeling is good, then the conclusion is that what we want to achieve is not possible currently.

Just to be clear on the context:

  1. We have many ‘software parts’ to sign/encrypt (bootloaders (secure-boot), fitImage, OTA files, etc.).
  2. All the software used for this works with OpenSSL, so we can pass a PKCS11 ‘URI’ in the key/cert fields and use the PKCS11 engine (sc-hsm); this is what permits using HSM devices instead of a non-secure ‘private key file’.
  3. The problem here is that we were interested in the ‘n-of-m authentication’, but currently, as I understand, if we want to use this feature we need to use Smart Card Shell for n-of-m authentication + cryptography operation, and we are not able to use OpenSSL + PKCS11 Engine (+Smart Card Shell).

One option (on our side) would be to “modify/patch” the software used to sign:

  • For sw-update: There is no problem as there is an option to pass an external sign script instead of using OpenSSL.
  • For /boot/fitImage: We need to patch mkimage in U-Boot sources.
  • For the bootloaders: We need to patch the software provided by Renesas under NDA.

But we don’t like/want this option:

  • For maintenance issues when the software sources need to be updated.
  • For responsibility issues.

Another option would be (on your side), but I don’t know if this is possible or even “wanted” (for security reasons):

Option A: (most secure, but more difficult to implement)

  • Add the possibility to do n-of-m authentication + PIN code
    • In this mode, the dongle will be automatically locked on startup. We need to lock/unlock the dongle using n-of-m with SmartCardShell.
    • And then, in order to use the keys, we need to log in with the PIN code.
    • We don’t need ‘session attachment’ in this mode, as the ‘lock/unlock’ mechanism will be related to the ‘dongle’ and not a ‘session’.

Option B: (less secure, but faster to implement)

  • Add a PKCS11 URI ‘custom parameter’ that can be used to ‘bypass the login’
    • In this mode, we need to unlock the dongle using n-of-m with SmartCardShell
    • And then, when the sc-hsm PKCS11 engine is used, it can attach to the session of SmartCardShell (like what you were originally thinking)
    • Then, if the parameter (‘no-login’) is set in the PKCS11 URI passed by OpenSSL and a LOGIN request is made by OpenSSL, you automatically return a success without trying to do the login with the HSM (only if we can attach to the SmartCardShell session)

With these two solutions, the n-of-m authentication will not be directly integrated in the “standard” tools (OpenSSL, pkcs11-tools, etc.), BUT it will be usable with them! We just need to add a step before calling these tools to “unlock the HSM”.

What I have in mind is a little different:

We have PKA in the portal, which implements the required authentication steps with a device that is remotely connected. We could integrate this connectivity behind the C_Login call in the PKCS#11 module, so that whenever an application calls C_Login, the token is connected to the portal, where you could perform PKA. If PKA is complete, the connection is closed and C_Login completes, allowing the application to continue.

That would allow arbitrary applications to use PKCS#11 without adding user-facing support for PKA.

There is the sc-hsm-management-server repo in the CDN that implements just the PKA part in a simple web service, if running the full portal instance is too much.