#124 OCKv3: TPm token does not initialize user pin in C_InitPIN()

Joy Latten

pkcsconf -u issuppose to initialize the user pin. But it does not appear to do this for tpm token. Had to do a pkcsconf -p to initialize and set user pin for tpm. However, we only have to do a pkcsconf -u on the other tokens to initialize and set the user pin. Why is this different for tpm?

We pretty much ignore inititalizing and setting the user pin in C_InitPin() for tpm. Whereas the other tokens do it and save to NVTOK.DAT the fact that it has been initialized. So now I understand why you return after token_specific_init_pin and don't save anything to NVTOK.DAT. That is the way it was done before. And also why I did not understand because I am thinking it should have same behaviour as other tokens. Instead, tpm waits to C_SetPin to set user pin and save the fact that it has been initialized into NVTOK.DAT.

I looked at the pkcs#11v2.20 spec and it says the following about C_InitPIN,
" If the token has a protected authentication path other than a PINpad, then it is token dependent whether or not C_InitPIN can be used to initialize the normal user’s token access. "

And it has the exact same thing for C_SetPIN.

The flag does not appear to be set in tpm to indicate it has a protected authentication path.
And if it does or doesn't then I cannot help but think C_InitPIN and C_SetPIn for the user pin should have similar behaviour.


  • Joy Latten
    Joy Latten

    • summary: TPm token does not initialize user pin in C_InitPIN() --> OCKv3: TPm token does not initialize user pin in C_InitPIN()
  • Joy Latten
    Joy Latten

    • labels: PKCS#11 STDLL shared object --> opencryptoki
    • assigned_to: Joy Latten --> nobody
    • Priority: 9 --> 8