multiple remote PKCS#11 modules not working
Hello,
I have two almost identical smartcards (just the serial numbers are different), each one attached via a USB-based smart card reader, on the hosts certos and certos2. To access them I have these config files in my home:
➜ (pts/58) mkl@dude02:~ (master) ✗ cat ~/.config/pkcs11/modules/certos.module
remote: |ssh certos.hi.pengutronix.de p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#log-calls: yes
➜ (pts/58) mkl@dude02:~ (master) ✗ cat ~/.config/pkcs11/modules/certos2.module
remote: |ssh certos2.hi.pengutronix.de p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#log-calls: yes
When I access them via p11-kit-proxy.so both are properly detected:
➜ (pts/58) mkl@dude02:~ (master) ✗ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so -L
Available slots:
Slot 0 (0x10): SCM Microsystems Inc. SPR 532 [Vendor Interface] (60206024) 0...
token label : CycurCard (User PIN)
token manufacturer : xxx
token model : PKCS#15
token flags : login required, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 244f8b131a1e
pin min/max : 6/8
Slot 1 (0x11): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
(empty)
Slot 2 (0x12): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
(empty)
Slot 3 (0x13): Gemalto USB GemPCPinpad SmartCard Reader 01 00
token label : CycurCard (User PIN)
token manufacturer : xxx
token model : PKCS#15
token flags : login required, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 24c8c609160f
pin min/max : 4/8
However, when using p11tool, they are not:
➜ (pts/58) mkl@dude02:~ (master) ✗ p11tool --list-token-urls
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=PKCS%2315;manufacturer=xxx;serial=244f8b131a1e;token=CycurCard%20%20%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00%00
I found out that lib/pkcs11.c refuses to load two modules with the same info :(
	/* initially check if this module is a duplicate */
	for (i = 0; i < active_providers; i++) {
		/* already loaded, skip the rest */
		if (module == providers[i].module ||
		    memcmp(&info, &providers[i].info, sizeof(info)) == 0) {
			_gnutls_debug_log("p11: module %s is already loaded.\n", name);
			return GNUTLS_E_INT_RET_0;
		}
	}
In my use case the module pointers are not the same, but the info is:
$14 = {cryptoki_version = {major = 2 '\002', minor = 20 '\024'}, manufacturer_id = "OpenSC Project", ' ' <repeats 18 times>, flags = 0, library_description = "OpenSC smartcard framework ", library_version = {major = 0 '\000', minor = 20 '\024'}}
as both hosts use the same version of p11-kit.
The memcmp() on the info was added in 12f4abc0 by @nmav; any idea how to work around this check?
regards, Marc
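As an added example (not code from the post or from GnuTLS), the C program below replays the duplicate check quoted from lib/pkcs11.c against two providers that have distinct module handles but report the same CK_INFO, using the values from the gdb dump above. The ck_info struct is a stand-in written out here so the example builds without pkcs11.h (assumed to match the Cryptoki layout); the `name` field, the by-name variant of the check and the `demo()` helper are hypothetical, added only to show why the second remote module is dropped and what a key that also distinguishes the config name would do.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the Cryptoki CK_INFO struct (assumption: same field order and
 * sizes as pkcs11.h; written out here so the example builds without it). */
typedef struct { unsigned char major, minor; } ck_version;
typedef struct {
    ck_version    cryptoki_version;
    unsigned char manufacturer_id[32];     /* space-padded, not NUL-terminated */
    unsigned long flags;
    unsigned char library_description[32]; /* space-padded, not NUL-terminated */
    ck_version    library_version;
} ck_info;

#define MAX_PROVIDERS 8
struct provider {
    void       *module;  /* loaded-module handle; differs for every module loaded */
    ck_info     info;    /* what C_GetInfo() reported for that module */
    const char *name;    /* hypothetical: the .module config name (certos, certos2) */
};
static struct provider providers[MAX_PROVIDERS];
static int active_providers;

/* Build the CK_INFO an OpenSC 0.20 module reports, with the values from the
 * gdb dump in the post. The struct is zeroed first so that padding bytes can
 * not make memcmp() differ between otherwise identical structs. */
void opensc_info(ck_info *info)
{
    memset(info, 0, sizeof *info);
    info->cryptoki_version.major = 2;
    info->cryptoki_version.minor = 20;
    memset(info->manufacturer_id, ' ', sizeof info->manufacturer_id);
    memcpy(info->manufacturer_id, "OpenSC Project", 14);
    memset(info->library_description, ' ', sizeof info->library_description);
    memcpy(info->library_description, "OpenSC smartcard framework", 26);
    info->library_version.major = 0;
    info->library_version.minor = 20;
}

/* The rule quoted from lib/pkcs11.c: a duplicate if the handle OR the CK_INFO match. */
int is_duplicate_gnutls(const void *module, const ck_info *info)
{
    for (int i = 0; i < active_providers; i++) {
        if (module == providers[i].module ||
            memcmp(info, &providers[i].info, sizeof *info) == 0)
            return 1;
    }
    return 0;
}

/* Hypothetical alternative (not GnuTLS code): an identical CK_INFO only counts
 * as a duplicate when it was loaded under the same config name. */
int is_duplicate_by_name(const void *module, const ck_info *info, const char *name)
{
    for (int i = 0; i < active_providers; i++) {
        if (module == providers[i].module)
            return 1;
        if (memcmp(info, &providers[i].info, sizeof *info) == 0 &&
            strcmp(name, providers[i].name) == 0)
            return 1;
    }
    return 0;
}

/* Returns 1 if the provider was registered, 0 if it was rejected as a duplicate. */
int add_provider(void *module, const ck_info *info, const char *name, int by_name)
{
    if (active_providers >= MAX_PROVIDERS)
        return 0;
    int dup = by_name ? is_duplicate_by_name(module, info, name)
                      : is_duplicate_gnutls(module, info);
    if (dup) {
        printf("p11: module %s is already loaded.\n", name);
        return 0;
    }
    providers[active_providers].module = module;
    providers[active_providers].info = *info;
    providers[active_providers].name = name;
    active_providers++;
    return 1;
}

void reset_providers(void) { active_providers = 0; }

/* Load certos and certos2 (same CK_INFO, different handles), then certos a
 * second time with the same handle; return how many registrations succeeded. */
int demo(int by_name)
{
    static int handle_certos, handle_certos2; /* distinct addresses stand in for module handles */
    ck_info info;
    opensc_info(&info);
    reset_providers();
    int n = 0;
    n += add_provider(&handle_certos, &info, "certos", by_name);
    n += add_provider(&handle_certos2, &info, "certos2", by_name);
    n += add_provider(&handle_certos, &info, "certos", by_name); /* same handle: always a duplicate */
    return n;
}

int main(void)
{
    printf("gnutls rule: %d of 2 remote modules registered\n", demo(0));
    printf("by-name rule: %d of 2 remote modules registered\n", demo(1));
    return 0;
}
```

With the rule as quoted, only the first remote module survives, because both ssh-forwarded OpenSC modules answer C_GetInfo() identically; the by-name variant keeps both while still rejecting the same handle loaded twice.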