Key load failure after rerun of a container

[mrangana]

No description provided.

[mrangana]

When the keys are generated and loaded it works fine with SoftHSM. But when the container is exited, started again, and try to find the previously generated key using "FindKeyPair" results in could not find error

2019/02/20 16:19:43 crypto11: could not find PKCS#11 key

The keys are present and I can list them using pkcs11-tool

[dmjones]

It's hard to say, based on the information you've provided so far. Are you able to share a minimal example that demonstrates this behaviour?

[mrangana]

There are too many things involved here, docker, softhsm , packages and tools. In a nutshell my test shows that if the keys are generated using "crypto11.GenerateRSAKeyPair", the keys can not be found using the "crypto11.FindKeyPair(nil, []byte(keyLabel))" after the restart of the container. Where keyLabel is auto assigned during the key generation.

[dmjones]

I created a sample project to test this. You can find it here: https://github.com/dmjones/crypto11-28.

The joy of creating minimal examples is that one usually uncovers something helpful. I noticed that the automatically generated labels have 20 null bytes at the end. I believe this is legal, per the PKCS#11 standard, but far from desirable.

As a consequence of this, if you convert the bytes to a string using labelString := string(label), you lose those 20 bytes. If you convert back again with label := []byte(labelString), you now have a different label. The library won't be able to find the key.

I have raised #31 to cover this undesirable behaviour.

Does this solve your issue? If not, please edit my example (or create your own) until we have a failing test.

[mrangana]

This seems to be the issue. As long as we pass the label by reference it works fine and finds the key. If it is printed out ( without hex encoding) and used subsequently will result in not finding the key.