Skip to content

fix: PKCS11 slots/tokens/objects logging #3785

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Sep 19, 2025
Merged

fix: PKCS11 slots/tokens/objects logging #3785

merged 5 commits into from
Sep 19, 2025

Conversation

Bravo555
Copy link
Member

@Bravo555 Bravo555 commented Sep 18, 2025
edited
Loading

Proposed changes

When opening a session to a token as part of a request, all slots and tokens visible by the system will be printed.
We will also print URIs of all objects that we can see on the token.

NOTE: this PR also reverts "#3772", because this fix introduces TLS timeouts. For details see the commit message 7bcf8a9

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue


Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
  • I ran just format as mentioned in CODING_GUIDELINES
  • I used just check as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

This is a follow-up to #3766 that we thought was solved but is not. The issue can't be reliably reproduced, so we need to improve diagnostics for when it eventually reappears.

@Bravo555
refactor: Move mutex from Pkcs11Session to Pkcs11SigningKey
a8b0a06 
Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555 Bravo555 temporarily deployed to Test Pull Request September 18, 2025 09:11 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 18, 2025
edited
Loading

Robot Results

✅ Passed ❌ Failed ⏭️ Skipped Total Pass % ⏱️ Duration
691 0 3 691 100 2h6m16.626917s

@Bravo555 Bravo555 temporarily deployed to Test Pull Request September 18, 2025 12:08 — with GitHub Actions Inactive
@Bravo555 Bravo555 force-pushed the improve/pkcs11-tokens-objects-logging branch from 93513da to 5d8ad3e Compare September 18, 2025 12:16
@Bravo555 Bravo555 temporarily deployed to Test Pull Request September 18, 2025 12:16 — with GitHub Actions Inactive
@codecov Codecov
Copy link

codecov bot commented Sep 18, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 207 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
...ates/extensions/tedge-p11-server/src/pkcs11/mod.rs 0.00% 204 Missing ⚠️
...ates/extensions/tedge-p11-server/src/pkcs11/uri.rs 0.00% 3 Missing ⚠️

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@Bravo555 Bravo555 changed the title Improve/pkcs11 tokens objects logging improve: PKCS11 slots/tokens/objects logging Sep 18, 2025
@Bravo555 Bravo555 mentioned this pull request Sep 18, 2025
Closed
@Bravo555 Bravo555 force-pushed the improve/pkcs11-tokens-objects-logging branch from 5d8ad3e to 69816ad Compare September 18, 2025 14:37
@Bravo555 Bravo555 temporarily deployed to Test Pull Request September 18, 2025 14:37 — with GitHub Actions Inactive
@Bravo555 Bravo555 marked this pull request as ready for review September 19, 2025 07:55
@reubenmiller reubenmiller added the theme:hsm Hardware Security Module related topics label Sep 19, 2025
didier-wenzek
didier-wenzek reviewed Sep 19, 2025
View reviewed changes
crates/extensions/tedge-p11-server/src/pkcs11/mod.rs
#[derive(Debug, Clone, Copy)]
enum CryptokiSessionType {
ReadOnly,
_ReadWrite,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why introduce a case that is never used? Somehow this even makes CryptokiSessionType useless.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a part of #3709 where we do need it because we need to open a RW session, this variant will be used when that's eventually merged.

crates/extensions/tedge-p11-server/src/pkcs11/mod.rs
Comment on lines +208 to +209
debug!(slots = ?get_all_slots_info(&context));
debug!(tokens = ?get_all_token_info(&context));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is debug appropriate? Wouldn't info be better as these lists of slots and tokens are critical to check that a setting is correct.

What I'm missing is how often open_session() is called.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is debug appropriate?

We already do print the SlotInfo and TokenInfo of the token we select using debug, so kept debug for printing all to be consistent.

Wouldn't info be better as these lists of slots and tokens are critical to check that a setting is correct.

What I'm missing is how often open_session() is called.

open_session() is called for every request, so having this be info by default would spam the output quite a bit. And it has to be for every request, because slots and objects can change in between.

@Bravo555 Bravo555 temporarily deployed to Test Pull Request September 19, 2025 11:57 — with GitHub Actions Inactive
didier-wenzek
didier-wenzek approved these changes Sep 19, 2025
View reviewed changes
Copy link
Contributor

@didier-wenzek didier-wenzek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved.

Note that this PR reverts "the slot refresh fix and ignores its test suite", because this fix introduces TLS timeouts. For details see the commit message 7bcf8a9

@Bravo555
refactor: Create session type
345dcc0 
Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555
refactor: Move session functions to CryptokiSession impl
f8d7352 
Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555
Soft-revert "cryptoki: call C_Initialize for every session"
7b3b06d 
Disable the slot refresh fix and ignore its test suite.

We do this because in the user's environment, using a Nitrokey HSM,
reloading the library is too slow and leads to hitting a TLS timeout and
getting a TLS close_notify error:

error: Connection error while creating device in Cumulocity: Mqtt state: Mqtt serialization/deserialization error: IO: peer closed connection without sending TLS close_notify: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof: Mqtt serialization/deserialization error: IO: peer closed connection without sending TLS close_notify: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof: IO: peer closed connection without sending TLS close_notify: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof: peer closed connection without sending TLS close_notify: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof

This is the same error that TedgeP11Client::with_ready_check prevents,
but the slot fix makes it reappear on that environment. As the slot
issue concerns only softhsm which probably isn't used in any production
environments, for now we revert this fix until we solve more pressing
issues, i.e. thin-edge#3766.

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555
Add printing of all slots, tokens and objects on selected token
50daea5
@Bravo555 Bravo555 force-pushed the improve/pkcs11-tokens-objects-logging branch from bcd3df2 to 50daea5 Compare September 19, 2025 13:06
@Bravo555 Bravo555 temporarily deployed to Test Pull Request September 19, 2025 13:06 — with GitHub Actions Inactive
@Bravo555 Bravo555 enabled auto-merge September 19, 2025 13:15
@Bravo555 Bravo555 added this pull request to the merge queue Sep 19, 2025
Merged via the queue into thin-edge:main with commit 98b05e3 Sep 19, 2025
34 checks passed
@reubenmiller reubenmiller changed the title improve: PKCS11 slots/tokens/objects logging feat: PKCS11 slots/tokens/objects logging Sep 22, 2025
@reubenmiller reubenmiller changed the title feat: PKCS11 slots/tokens/objects logging fix: PKCS11 slots/tokens/objects logging Sep 22, 2025
@Bravo555 Bravo555 mentioned this pull request Sep 22, 2025
Merged
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@didier-wenzek didier-wenzek didier-wenzek approved these changes

@albinsuresh albinsuresh Awaiting requested review from albinsuresh albinsuresh is a code owner

@jarhodes314 jarhodes314 Awaiting requested review from jarhodes314 jarhodes314 is a code owner

@rina23q rina23q Awaiting requested review from rina23q rina23q is a code owner

Assignees
No one assigned
Labels
theme:hsm Hardware Security Module related topics
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Bravo555 @didier-wenzek @reubenmiller