Conversation
I bought a second yubikey so need a way to tell them apart... so: Define a URI that contains identifying information for the HSM token: * URI path is the keyid * URI query contains token field filters Example URI: "hsm:2?label=YubiKey+PIV+%2315835999" This would use keyid 2 from a token with label "YubiKey+PIV+%2315835999". The example is also what gets automatically created on HSMSigner.import_(). Other fields can also be used -- I believe there is no standard for these so this seemed sensible. Running import_() now fails if there are more than 1 tokens (but a filter can be provided there as well). Because of this the tests needed some changes (softhsm creates a new token in InitToken???) -- unfortunately this means the default import_() filter is not tested as I couldn't figure out how to remove the extra softhsm token. import_() stays backwards compatible, and old URIs keep working. The constructor has a new required argument (this could be fixed but I didn't see it as that important).
|
Three questions:
|
lukpueh
left a comment
lukpueh
left a comment
There was a problem hiding this comment.
Cool stuff!
I think the filter dictionary is quite neat and doesn't require that much more code compared to a hardcoded a label filter. Plus, your argument that there is no one obvious way to filter tokens makes sense. So even if it's a bit over kill, I'm fine with it.
But I don't understand the purpose of _build_token_filter. Couldn't you just not filter, if no filter is provided?
Could you also re-explain the issue you had with suddenly(?) SoftHSM creating two slots? And, why that doesn't let you test the default case?
What I mean is that before initToken() there is a slot 0 already with some default token I suppose. Then when we call Since I'm now trying to be more strict about finding a specific key during uri, key = HSMSigner.import_()because that now fails since there are two slots and two tokens that could be used and I think the safe option is to fail in that case. So to work around I have to do uri, key = HSMSigner.import_(self.hsm_keyid_default, self.token_filter)which does not test the default. |
|
Okay, thanks for the explanation. |
I'm fine with the API break regardless.
I'm fine with ticketizing this issue, unless you have resources to debug SoftHSM. |
This is (mostly) useful for testing as softhsm always has one uninitialized token. By skipping those we can actually test the default import_(). Also remove a debug print() call.
|
oops sorry for editing your comment by accident I tried to rply to this:
This turns out to be a softhsm feature (that allows you to "create" all the new tokens you want without a separate API): the way to distinguish the uninitialized token from usable tokens is PyKCS11.CKF_TOKEN_INITIALIZED flag which we could check for. I'll try this. |
|
Checking for CKF_TOKEN_INITIALIZED works and is likely a good check for real tokens as well, so that issue should be resolved. Thanks for asking the right questions :) |
lukpueh
left a comment
lukpueh
left a comment
There was a problem hiding this comment.
Very nice enhancement of the hsm signer! I'll approve despite a few minor nits. Although the double negation in the docstring seems like a mistake and should probably be fixed. The rest is nice to have.
Refactor duplicated code into _find_pkcs_slot() Tweak some docstrings, mostly to make it clear when "slot" refers to a PKCS slot (a smart card reader) and when it's a PIV slot (which roughly maps to PKCS CKA_ID, the keyid).
|
Refactoring suggestion was good, I even expanded that a bit. There is now a The failing test is Windows struggling with gpg -- I'm merging this |
2 participants
I bought a second yubikey so need a way to tell them apart... so: Define a URI that contains identifying information for the HSM token:
Example URI:
hsm:2?label=YubiKey+PIV+%2315835999This would use keyid 2 from a token with label "YubiKey PIV #15835999". This example is also what gets created by HSMSigner.import_() by default.
import_() stays backwards compatible, and old URIs keep working but there are some changes in functionality:
I can be persuaded to do these differently.
Please verify and check that the pull request fulfills the following requirements: