p11tool --list-all "<token>" does not find any items on Thales ProtectServer HSMs.
Description of problem:
Performing p11tool --login --list-all "<token>" on ProtectServer 2 and 3 HSMs (Safenet/Gemalto/Thales, depending on when bought) using the hardware tokens will not display any objects on listing a token.
Version of gnutls used:
Mainline (git) and 3.7.1 (debian)
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian and git
How reproducible:
- Enable the thales/safenet pkcs11 library
- Enable the module in pkcs11 config files
- Perform p11tool --login --list-all "<token>"
- Enter PIN
Note: the emulation libraries will work and do not have this problem and are not a good test case.
Actual results:
Result is "No matching objects found"
Expected results:
List of objects, confirmed to work with solution at 512 objects below.
Problem/Solution:
The problem is the #define OBJECTS_A_TIME 8 * 1024 in lib/pkcs11.c for the find_multi_objs_cb callback. The HSMs do not support this many objects. The maximum is 512 (for what I've tested, exact number unknown) and changing the macro to 512 will result in displaying objects. The pkcs11_find_objects function reports error 0x80001001 (Vendor defined, host error, bad request) when the default value of 8192 is used.
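
The failure described above can be tolerated by enumerating in batches and shrinking the batch when the token rejects the request size. The sketch below is an added example, not part of the report and not GnuTLS code: `mock_token`, `mock_find_objects` and `list_all` are hypothetical names, the mock stands in for a real `C_FindObjects` call, and its 512-object limit and error value are the ones quoted in the report. It assumes a rejected call returns no handles and leaves the search usable.

```c
#include <stdio.h>
typedef unsigned long CK_RV, CK_ULONG, CK_OBJECT_HANDLE;
#define CKR_OK 0UL
#define VENDOR_BAD_REQUEST 0x80001001UL /* error value quoted in the report */

/* Constructed stand-in for a token: refuses batches larger than `limit`. */
struct mock_token { CK_ULONG total, next, limit; };

/* Same argument order as C_FindObjects, mock in place of the session handle. */
static CK_RV mock_find_objects(struct mock_token *t, CK_OBJECT_HANDLE *out,
                               CK_ULONG max, CK_ULONG *count)
{
    *count = 0;
    if (max > t->limit)
        return VENDOR_BAD_REQUEST;
    while (*count < max && t->next < t->total)
        out[(*count)++] = ++t->next; /* constructed handles 1..total */
    return CKR_OK;
}

/* Collect up to `cap` handles. *batch is the starting request size, halved on
 * each failure (assumption: a rejected call leaves the search usable). */
static CK_RV list_all(struct mock_token *t, CK_OBJECT_HANDLE *buf, CK_ULONG cap,
                      CK_ULONG *batch, CK_ULONG *found)
{
    CK_ULONG got;
    *found = 0;
    if (*batch == 0) *batch = 1; /* a zero-sized request would look like "empty" */
    while (*found < cap) {
        CK_ULONG ask = *batch < cap - *found ? *batch : cap - *found;
        CK_RV rv = mock_find_objects(t, buf + *found, ask, &got);
        if (rv != CKR_OK) {
            if (ask <= 1) return rv; /* cannot shrink further: report the error */
            *batch = ask / 2;
            continue;
        }
        *found += got;
        if (got == 0) break; /* search exhausted */
    }
    return CKR_OK;
}

int main(void)
{
    struct mock_token t = { 1300, 0, 512 }; /* constructed: 1300 objects */
    static CK_OBJECT_HANDLE buf[2048];
    CK_ULONG found, batch = 8 * 1024;
    CK_RV rv = list_all(&t, buf, 2048, &batch, &found);
    printf("rv=0x%lx found=%lu batch=%lu\n", rv, found, batch);
    return rv != CKR_OK;
}
```

Returning the error once the batch size reaches 1 keeps a genuine token failure visible instead of reporting an empty token.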