
PIN in URI PEM files ? #368

Closed
ifranzki opened this issue Apr 3, 2024 · 4 comments

Comments

@ifranzki
Contributor

ifranzki commented Apr 3, 2024

When creating a URI PEM file via `openssl storeutl -keys -text 'pkcs11:...;type=private?pin-source=/path/to/pinfile'`, or even with `?pin-value`, the URI inside the PEM does not contain the PIN parameter.

Is this intentional?

For `?pin-value` I could very well understand that we might not want to store the PIN value in the PEM file, but for `?pin-source` it could be OK.

Running a server-type application that prompts for the PKCS#11 PIN at startup is not really enterprise ready. It can't be started unattended. So having a (secure) way to supply the PIN as part of the URI PEM would be useful. Using `?pin-source` with the URI in the PEM file could be a relatively secure way of doing this.

@simo5
Member

simo5 commented Apr 3, 2024

Ah, sorry, I misread the bug report. At the moment PEM files do not contain PIN values, more or less intentionally, and only store a canonical URI.

Adding a PIN into a PEM file is a bit controversial, as it may easily leak the HSM PIN, which is kind of a big deal. It also may lock up the HSM if the PIN is later changed but the PEM file is not.

However, there is a utility that can construct a PEM file with an arbitrary URI in #363 if you want to try that out and see what happens.

@simo5
Member

simo5 commented Apr 3, 2024

(I deleted a previous comment because it had a link to an issue that is not actually related and I wanted to avoid confusion)

@ifranzki
Contributor Author

ifranzki commented Apr 4, 2024

> Adding a PIN into a PEM file is a bit controversial, as it may easily leak the HSM PIN, which is kind of a big deal.

I agree. However, using `pin-source` (instead of `pin-value`!) might be a good option; that way the PIN is actually NOT contained in the PEM file, just a reference to a file containing the PIN.
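To make the distinction in this thread concrete, here is an added example (not code from the pkcs11-provider project or from either commenter) of how a server-side loader can treat the two PIN attributes of an RFC 7512 PKCS#11 URI differently: `pin-value` carries the secret itself and is stripped before the URI is persisted (the "canonical URI" behaviour the maintainer describes), while `pin-source` is only a reference to a file and may be kept, with the file checked for private ownership and permissions before its contents are used at start-up. The URI parsing, the accepted `pin-source` forms (`file://`, `file:` or a bare path) and the permission policy are this example's own assumptions; it does not reproduce the provider's actual PEM encoding.

```python
"""Added example: separating pin-value (secret, never persisted) from
pin-source (file reference, kept) in a PKCS#11 URI, plus a start-up
check on the referenced pin file. Grammar handling and accepted
pin-source forms are assumptions of this example, not the provider's."""
import os
import stat
import tempfile
from urllib.parse import quote, unquote

# Characters RFC 7512 allows unencoded in path and query attribute values.
_PATH_SAFE = ":[]@!$'()*+,=&"
_QUERY_SAFE = ":[]@!$'()*+,=/?|"


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into (path_attrs, query_attrs) with decoded values."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def attrs(component, sep):
        out = {}
        for item in filter(None, component.split(sep)):
            key, _, value = item.partition("=")
            out[key] = unquote(value)
        return out

    return attrs(path, ";"), attrs(query, "&")


def canonical_uri(uri, keep_pin_source=True):
    """Rebuild the URI without pin-value; pin-source is kept unless told otherwise.
    This is the form that is safe to write into a PEM file."""
    path_attrs, query_attrs = parse_pkcs11_uri(uri)
    dropped = {"pin-value"} if keep_pin_source else {"pin-value", "pin-source"}
    query_attrs = {k: v for k, v in query_attrs.items() if k not in dropped}
    out = "pkcs11:" + ";".join(
        f"{k}={quote(v, safe=_PATH_SAFE)}" for k, v in path_attrs.items())
    if query_attrs:
        out += "?" + "&".join(
            f"{k}={quote(v, safe=_QUERY_SAFE)}" for k, v in query_attrs.items())
    return out


def read_pin_from_source(source):
    """Resolve a pin-source reference (assumed: file://, file: or bare path)
    to the PIN it holds, refusing anything that is not a regular file owned
    by this process and unreadable by group/others."""
    path = source
    for prefix in ("file://", "file:"):
        if source.startswith(prefix):
            path = source[len(prefix):]
            break
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: pin-source must be a regular file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path}: pin-source file not owned by this user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: pin-source file is group/world accessible")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\r\n")


def pin_for_uri(uri):
    """PIN to log in with: an in-memory pin-value if present, else the
    pin-source file; None means the caller must prompt or fail."""
    _, query_attrs = parse_pkcs11_uri(uri)
    if "pin-value" in query_attrs:
        return query_attrs["pin-value"]
    if "pin-source" in query_attrs:
        return read_pin_from_source(query_attrs["pin-source"])
    return None


def write_demo_pin_file(pin, mode):
    """Constructed sample input: a temporary pin file with the given mode."""
    fd, path = tempfile.mkstemp(prefix="demo-pin-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(pin + "\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed URI: both attributes present, only pin-source survives.
    uri = "pkcs11:token=My%20HSM;object=srv;type=private?pin-value=1234&pin-source=/etc/srv/pin"
    print("stored in PEM:", canonical_uri(uri))
    good = write_demo_pin_file("1234", 0o600)
    print("pin from file:", pin_for_uri(f"pkcs11:token=My%20HSM?pin-source=file://{good}"))
```

The ownership and mode check is what makes `pin-source` "relatively secure" in practice: the PEM file can be world-readable without exposing anything, while the pin file is the single object that needs tight permissions, and a file that is later rotated or mis-chmod'ed fails loudly at start-up rather than silently feeding a wrong PIN to the token.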

@simo5
Member

simo5 commented Apr 4, 2024

The solution for now is in #363, which was just merged; you can download the file directly and use it. It does not have any big dependencies, just one Python module.

@simo5 simo5 closed this as completed Apr 4, 2024