PKCS#11 - Does a token need to be initialized in every client application to log in as the normal user with it?

I'm having some trouble understanding the idea behind C_InitToken. I can tell what it does from the standard, but not its purpose.

One of the things it does is to provide authentication of the user as the SO, or initialize the SO's PIN if the token comes from factory. The second half I understand, but the first one seems unnecessary: this could be accomplished by opening a session and logging in as the SO. This probably means that this authentication is not the intended purpose but a prerequisite for the actual purpose.

At first my impression was that the token had to be initialized with C_InitToken before opening a session. However, looking at C_OpenSession, I didn't find a single return value for an error related to the token not being initialized by C_InitToken and no reference for such initialization to be necessary in the first place. This might be by design, or not (1).

Reading the standard again, I saw this:

When a token is initialized, all objects that can be destroyed are destroyed (i.e., all except for “indestructible” objects such as keys built into the token). Also, access by the normal user is disabled until the SO sets the normal user’s PIN. Depending on the token, some “default” objects may be created, and attributes of some objects may be set to default values.

Now I'm starting to believe that C_InitToken has 2 purposes:

1- If the token is new from factory, set up a PIN for the SO and make it so that the token is usable from now on (create those "default" objects, etc.).

2- If the token has been initialized before, this function works sort of like a factory reset. This is why authentication as the SO is required: only the SO can do a "factory reset".

This means that PKCS#11 is allowing for a PIN to be initialized one time for the SO, then the SO must provide a PIN for the normal user using C_InitPIN, and only then can we log in as the normal user.

So my question is: does every application need to call C_InitToken? Or if the token has been previously initialized and the token can store PINs, we only need to initialize it the first time, and then initialize the PIN for the normal user, and from then on applications can just open a session and log in as the normal user, with no calls to C_InitToken?

(1) What is the proper return code for C_Login when a CKU_SO attempts to log into a non-initialized token? While not the same as my question, it reveals that there might be some ambiguities with how the specification handles token initialization.
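
The lifecycle described in the question, as an added example that is not part of the original post: a client reads `CK_TOKEN_INFO.flags` (as returned by `C_GetTokenInfo`) and decides which step applies, so `C_InitToken` is only reached for a token that has never been initialized. The flag values are those defined in the PKCS#11 headers; the enum, the function names and the sample flag words are hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Bits of CK_TOKEN_INFO.flags, values as defined in the PKCS#11 headers. */
#define CKF_LOGIN_REQUIRED        0x00000004UL
#define CKF_USER_PIN_INITIALIZED  0x00000008UL
#define CKF_TOKEN_INITIALIZED     0x00000400UL

/* Hypothetical names for this example; not part of PKCS#11. */
typedef enum {
    STEP_INIT_TOKEN,     /* provisioning only: C_InitToken sets SO PIN, wipes objects */
    STEP_INIT_USER_PIN,  /* provisioning only: SO logs in, then calls C_InitPIN */
    STEP_USER_LOGIN,     /* application path: C_OpenSession + C_Login(CKU_USER) */
    STEP_NO_LOGIN        /* token does not demand a login for its functions */
} next_step_t;

/* Decide what has to happen before the normal user can work with the token. */
next_step_t next_step(unsigned long flags)
{
    if (!(flags & CKF_TOKEN_INITIALIZED))
        return STEP_INIT_TOKEN;
    if (flags & CKF_USER_PIN_INITIALIZED)
        return STEP_USER_LOGIN;
    if (!(flags & CKF_LOGIN_REQUIRED))
        return STEP_NO_LOGIN;
    return STEP_INIT_USER_PIN;
}

/* An ordinary client must stop, not re-initialize, when provisioning is missing:
 * C_InitToken destroys every destroyable object on the token. */
int app_may_proceed(unsigned long flags)
{
    next_step_t s = next_step(flags);
    return s == STEP_USER_LOGIN || s == STEP_NO_LOGIN;
}

int main(void)
{
    /* Constructed sample flag words: factory-fresh, SO-initialized, fully provisioned. */
    unsigned long samples[] = {
        CKF_LOGIN_REQUIRED,
        CKF_LOGIN_REQUIRED | CKF_TOKEN_INITIALIZED,
        CKF_LOGIN_REQUIRED | CKF_TOKEN_INITIALIZED | CKF_USER_PIN_INITIALIZED
    };
    static const char *names[] = { "C_InitToken (provisioning)",
        "C_InitPIN as SO (provisioning)", "C_Login(CKU_USER)", "no login needed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=0x%08lx -> %s, app may proceed: %d\n", samples[i],
               names[next_step(samples[i])], app_may_proceed(samples[i]));
    return 0;
}
```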
