• Type: Story
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.4.0b1
    • Component/s: libhsm
    • Labels:


      (This text may need some updates)

      You could have two functions:
      hsm_prompt_pin(unsigned int id, const char *repository, void *data, int mode);
      hsm_block_pin(unsigned int id, const char *repository, void *data, int mode);

      • "id" will have a value between zero and HSM_MAX_SESSIONS. Used for
        identifying the repository.
      • "repository" is the repository name.
      • "data" optional data to send to the callback function.
      • "mode" is the type of mode the function should run in.

      There are three different modes:
      HSM_PIN_FIRST - Used when getting the PIN for the first time.
      HSM_PIN_RETRY - Used when we failed to log in the first time.
      HSM_PIN_SAVE - The latest PIN can be saved for future use. Called
      after a successful login.

      hsm_prompt_pin() + HSM_PIN_FIRST = Return the PIN from the shared
      memory if there is one. If not, then prompt for one.
      hsm_prompt_pin() + HSM_PIN_RETRY = Prompt and return a PIN.
      hsm_prompt_pin() + HSM_PIN_SAVE = If we have prompted for a PIN, then
      save it in the shared memory.

      hsm_block_pin() + HSM_PIN_FIRST = Wait until there is a PIN in the
      shared memory and then return it.
      hsm_block_pin() + HSM_PIN_RETRY = Return the PIN from the shared memory.
      hsm_block_pin() + HSM_PIN_SAVE = Nothing to save.

      The daemons would initialize libhsm with the hsm_block_pin() and the
      other applications would use hsm_prompt_pin().

      A PIN will only be saved in memory if we could successfully log in.
      hsm_block_pin() would in that case never get HSM_PIN_RETRY. It will
      only get it if there is an invalid PIN there from a previous run. This
      will happen e.g. if the user has changed the PIN in the HSM. The
      daemons would in that case always quit. To resolve the situation, the
      user should run a program that uses hsm_prompt_pin(), e.g. "ods-hsmutil login".
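      As an added example (not libhsm's own code), a minimal in-process model of the two callbacks and three modes described above. It assumes a "const char *" return type, constructed values for the mode constants and HSM_MAX_SESSIONS, a static array in place of the shared-memory segment, a prompt that reads the "typed" PIN from the data pointer, and bounded polling instead of a real block.

```c
#include <stdio.h>
#include <string.h>

/* Constructed values: the real mode constants and session bound are not on this page. */
#define HSM_MAX_SESSIONS 100
#define PIN_MAX 32
enum { HSM_PIN_FIRST, HSM_PIN_RETRY, HSM_PIN_SAVE };

/* One slot per session id stands in for the shared-memory segment. */
static struct { char pin[PIN_MAX]; int present; } shm[HSM_MAX_SESSIONS];
/* PIN last obtained by prompting, kept until HSM_PIN_SAVE confirms it. */
static char prompted[HSM_MAX_SESSIONS][PIN_MAX];

/* Stand-in for an interactive prompt: "data" supplies the typed PIN. */
static const char *prompt(unsigned int id, const char *repository, void *data)
{
    printf("Enter PIN for token %s (session %u): ***\n", repository, id);
    snprintf(prompted[id], PIN_MAX, "%s", data ? (const char *)data : "");
    return prompted[id];
}

/* Callback for interactive tools such as "ods-hsmutil login". */
const char *hsm_prompt_pin(unsigned int id, const char *repository, void *data, int mode)
{
    if (id >= HSM_MAX_SESSIONS) return NULL;
    switch (mode) {
    case HSM_PIN_FIRST:  /* reuse a saved PIN, otherwise ask */
        return shm[id].present ? shm[id].pin : prompt(id, repository, data);
    case HSM_PIN_RETRY:  /* saved PIN failed: always ask again */
        return prompt(id, repository, data);
    case HSM_PIN_SAVE:   /* caller logged in OK: publish the prompted PIN */
        if (prompted[id][0]) {
            memcpy(shm[id].pin, prompted[id], PIN_MAX);
            shm[id].present = 1;
            prompted[id][0] = '\0';
        }
        return NULL;
    }
    return NULL;
}

/* Callback for daemons: never prompts, only reads the shared segment. */
const char *hsm_block_pin(unsigned int id, const char *repository, void *data, int mode)
{
    int polls = 0; (void)repository; (void)data;
    if (id >= HSM_MAX_SESSIONS) return NULL;
    if (mode == HSM_PIN_SAVE) return NULL;          /* nothing to save */
    if (mode == HSM_PIN_FIRST)                      /* real code blocks here */
        while (!shm[id].present && polls++ < 3) { } /* bounded for the demo */
    return shm[id].present ? shm[id].pin : NULL;    /* RETRY: shared PIN only */
}
```

      A daemon started before any tool has logged in gets NULL and quits, which is the situation the last paragraph describes.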

            rickard Rickard Bellgrim
            vanrein Rick van Rein