

Do not enforce pin on pkcs11 kms
This commit removes the enforcement of a pin when a pkcs11 kms is
initialized. Some soft pkcs11 implementations, like NSS's softokn, have
an empty pin by default.
maraino committed Feb 14, 2024
1 parent 4967ab9 commit e924984
Showing 2 changed files with 6 additions and 6 deletions.
4 changes: 2 additions & 2 deletions kms/pkcs11/pkcs11.go
Expand Up @@ -106,6 +106,8 @@ func New(_ context.Context, opts apiv1.Options) (*PKCS11, error) {
config.Path = defaultModule
}

// We will allow empty pins as some modules might not have a pin by default.
// This is the case of softokn used to read NSS databases.
config.Pin = u.Pin()
if config.Pin == "" && opts.Pin != "" {
config.Pin = opts.Pin
Expand All @@ -114,8 +116,6 @@ func New(_ context.Context, opts apiv1.Options) (*PKCS11, error) {
switch {
case config.TokenLabel == "" && config.TokenSerial == "" && config.SlotNumber == nil:
return nil, errors.New("kms uri 'token', 'serial' or 'slot-id' are required")
case config.Pin == "":
return nil, errors.New("kms 'pin' cannot be empty")
case config.TokenLabel != "" && config.TokenSerial != "":
return nil, errors.New("kms uri 'token' and 'serial' are mutually exclusive")
case config.TokenLabel != "" && config.SlotNumber != nil:
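Review bot: Dropping the `config.Pin == ""` case turns a forgotten PIN from a fail-fast configuration error at New into whatever the module does with an empty PIN at login time, which is a less specific failure and, for a token that is genuinely unprotected, a silent success; the comment added above `config.Pin = u.Pin()` explains why empty PINs are accepted but not what happens downstream. Suggest extending it so operators know where a missing PIN now surfaces, for example `// An empty pin is passed through as-is; modules that require a PIN reject it at login, not here.` (adjust if the login path skips authentication for an empty pin — not visible in this hunk). Since the relaxation is meant for soft tokens like softokn, it is also worth a line in the package or option documentation saying that an empty PIN is no longer rejected. New's body begins and ends outside the two hunks, so any later empty-pin handling there is not visible here.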
8 changes: 4 additions & 4 deletions kms/pkcs11/pkcs11_test.go
Expand Up @@ -69,6 +69,10 @@ func TestNew(t *testing.T) {
URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test",
Pin: "passowrd",
}}, k, false},
{"ok no pin", args{context.Background(), apiv1.Options{
Type: "pkcs11",
URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test",
}}, k, false},
{"ok with missing module", args{context.Background(), apiv1.Options{
Type: "pkcs11",
URI: "pkcs11:token=pkcs11-test",
Expand All @@ -77,10 +81,6 @@ func TestNew(t *testing.T) {
{"fail missing uri", args{context.Background(), apiv1.Options{
Type: "pkcs11",
}}, nil, true},
{"fail missing pin", args{context.Background(), apiv1.Options{
Type: "pkcs11",
URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test",
}}, nil, true},
{"fail missing token/serial/slot-id", args{context.Background(), apiv1.Options{
Type: "pkcs11",
URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so",
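Review bot: The new "ok no pin" case expects New to succeed with no PIN against libsofthsm2.so, while the description says the empty-PIN default applies to NSS's softokn; SoftHSM tokens are normally PIN-protected, so the case presumably passes only because New does not log in at this point (or the module is not really opened in this test), which the test does not state. A one-line comment on the case would pin that assumption, e.g. `// New only validates configuration; an empty pin is not rejected until login.`, so a future change that authenticates during New does not silently turn this into a flaky or misleading pass. TestNew's table starts and ends outside these hunks.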

