
Commit 5edb050

authored
Merge pull request #730 from smallstep/mariano/no-pin
Add support for tokens with no pins
2 parents 6f2a144 + ed0b190 commit 5edb050


2 files changed

+77
-0
lines changed


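--- a/kms/pkcs11/pkcs11.go
+++ b/kms/pkcs11/pkcs11.go
@@ -121,6 +121,10 @@ func New(_ context.Context, opts apiv1.Options) (*PKCS11, error) {
 	if config.Pin == "" && opts.Pin != "" {
 		config.Pin = opts.Pin
 	}
+	// If no pin is set, assume that the token does not support login.
+	if config.Pin == "" && !u.Has("pin-value") && !u.Has("pin-source") {
+		config.LoginNotSupported = true
+	}
 
 	switch {
 	case config.TokenLabel == "" && config.TokenSerial == "" && config.SlotNumber == nil: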
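Review bot: The new branch infers `LoginNotSupported` from the mere absence of a PIN, so a deployment that forgot to pass `pin-value`, `pin-source` or `opts.Pin` no longer fails at construction time but presumably only when the first private-key operation is rejected by the token, which is hard to trace back to the missing PIN. Because an explicit `pin-value=` still attempts a login with an empty PIN while an omitted `pin-value` skips login entirely, that distinction deserves to be stated where the URI options are documented; at minimum extend the comment to `// If no pin is set, assume that the token does not support login. Key operations that need a logged-in user are then expected to fail at use time rather than here.` An explicit opt-in (for example a `login=false`-style URI attribute) would make the intent declarative instead of inferred, but that is a design choice beyond this hunk. `New` begins and ends outside the hunk.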

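--- a/kms/pkcs11/pkcs11_test.go
+++ b/kms/pkcs11/pkcs11_test.go
@@ -13,12 +13,16 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"math/big"
+	"os"
+	"path/filepath"
 	"reflect"
 	"strings"
 	"testing"
 
 	"github.com/ThalesIgnite/crypto11"
 	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/kms/apiv1"
 	"golang.org/x/crypto/cryptobyte"
 	"golang.org/x/crypto/cryptobyte/asn1"
@@ -77,6 +81,10 @@ func TestNew(t *testing.T) {
 			Type: "pkcs11",
 			URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test",
 		}}, k, false},
+		{"ok empty pin", args{context.Background(), apiv1.Options{
+			Type: "pkcs11",
+			URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test;pin-value=",
+		}}, k, false},
 		{"ok with missing module", args{context.Background(), apiv1.Options{
 			Type: "pkcs11",
 			URI: "pkcs11:token=pkcs11-test",
@@ -141,6 +149,71 @@ func TestNew(t *testing.T) {
 	}
 }
 
+func TestNew_config(t *testing.T) {
+	tmp0 := p11Configure
+	t.Cleanup(func() {
+		p11Configure = tmp0
+	})
+
+	k := mustPKCS11(t)
+	t.Cleanup(func() {
+		k.Close()
+	})
+
+	path := filepath.Join(t.TempDir(), "pin.txt")
+	require.NoError(t, os.WriteFile(path, []byte("123456\n"), 0o0600))
+
+	var zero int
+
+	ctx := context.Background()
+	type args struct {
+		ctx context.Context
+		opts apiv1.Options
+	}
+	tests := []struct {
+		name string
+		args args
+		wantConfig *crypto11.Config
+	}{
+		{"ok", args{ctx, apiv1.Options{URI: "pkcs11:module-path=module.so;token=token?pin-value=password"}}, &crypto11.Config{
+			Path: "module.so", TokenLabel: "token", Pin: "password",
+		}},
+		{"ok default module", args{ctx, apiv1.Options{URI: "pkcs11:token=token?pin-value=password"}}, &crypto11.Config{
+			Path: defaultModule, TokenLabel: "token", Pin: "password",
+		}},
+		{"ok serial", args{ctx, apiv1.Options{URI: "pkcs11:module-path=module.so;serial=1234567890?pin-value=password"}}, &crypto11.Config{
+			Path: "module.so", TokenSerial: "1234567890", Pin: "password",
+		}},
+		{"ok slot-id", args{ctx, apiv1.Options{URI: "pkcs11:module-path=module.so;slot-id=0?pin-value=password"}}, &crypto11.Config{
+			Path: "module.so", SlotNumber: &zero, Pin: "password",
+		}},
+		{"ok max-sessions", args{ctx, apiv1.Options{URI: "pkcs11:module-path=module.so;slot-id=0;max-sessions=100?pin-value=password"}}, &crypto11.Config{
+			Path: "module.so", SlotNumber: &zero, Pin: "password", MaxSessions: 100,
+		}},
+		{"ok pin-source", args{ctx, apiv1.Options{URI: "pkcs11:module-path=module.so;token=token?pin-source=" + path}}, &crypto11.Config{
+			Path: "module.so", TokenLabel: "token", Pin: "123456",
+		}},
+		{"ok login not supported", args{ctx, apiv1.Options{URI: "pkcs11:module-path=module.so;token=token"}}, &crypto11.Config{
+			Path: "module.so", TokenLabel: "token", LoginNotSupported: true,
+		}},
+		{"ok empty pin", args{ctx, apiv1.Options{URI: "pkcs11:module-path=module.so;token=token?pin-value="}}, &crypto11.Config{
+			Path: "module.so", TokenLabel: "token", Pin: "",
+		}},
+		{"ok pin option", args{ctx, apiv1.Options{URI: "pkcs11:module-path=module.so;token=token?pin-value=", Pin: "password"}}, &crypto11.Config{
+			Path: "module.so", TokenLabel: "token", Pin: "password",
+		}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p11Configure = func(config *crypto11.Config) (P11, error) {
+				assert.Equal(t, tt.wantConfig, config)
+				return k.p11, nil
+			}
+			_, err := New(tt.args.ctx, tt.args.opts)
+			assert.NoError(t, err)
+		})
+	}
+}
 func TestPKCS11_GetPublicKey(t *testing.T) {
 	k := setupPKCS11(t)
 	type args struct {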
