Question
We are using the PKCS11INTEROP library to connect with the NShield HSM. To perform any operation (generate/encrypt/decrypt) inside the HSM you need to first get the slot and then log in to the slot using the PIN. This is all working as expected.
NShield HSM allows your keys to be protected in two ways: Module Protection and Token Protection. The NShield client software provides you a utility, KSAFE, to manage keys in the HSM. If you are using the KSAFE utility and you want to protect your keys by module protection, then you do not have to provide a PIN, whereas a PIN becomes mandatory if the key is to be protected by Token protection.
So my question is: can we perform operations within the HSM using PKCS11INTEROP without the need of a PIN? Of course, it would be module-based protection.
Answer 1:
Yes, you can. If I remember correctly, module-protected keys are located under the first accelerator slot. You can even perform login on the accelerator slot if you set the `CKNFAST_FAKE_ACCELERATOR_LOGIN` configuration variable. Look it up in the nShield HSM user guide.
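
The PIN-less access described in the answer, as an added example that is not part of the original question or answer: it opens a session on every slot whose token does not set `CKF_LOGIN_REQUIRED` and lists the keys visible there without calling `Login`. It assumes the Pkcs11Interop 5.x high-level API; the class name `ModuleProtectedKeys` and the `libraryPath` argument are hypothetical, and the path to the vendor PKCS#11 library must be supplied by the caller.

```csharp
// Added example, not code from the original post. Assumes Pkcs11Interop 5.x.
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

static class ModuleProtectedKeys // hypothetical name
{
    // libraryPath: path to the HSM vendor's PKCS#11 library (assumption: supplied by the caller).
    public static void ListWithoutPin(string libraryPath)
    {
        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
                   factories, libraryPath, AppType.MultiThreaded))
        {
            foreach (ISlot slot in lib.GetSlotList(SlotsType.WithTokenPresent))
            {
                ITokenInfo token = slot.GetTokenInfo();
                // CKF_LOGIN_REQUIRED: this token expects C_Login (a PIN) before use.
                if (token.TokenFlags.LoginRequired)
                {
                    Console.WriteLine($"Slot {slot.SlotId} '{token.Label}': PIN required, skipped");
                    continue;
                }
                // Deliberately no session.Login(...) here: only objects usable
                // without authentication are returned by the searches below.
                using (ISession session = slot.OpenSession(SessionType.ReadOnly))
                {
                    foreach (CKO keyClass in new[] { CKO.CKO_SECRET_KEY, CKO.CKO_PRIVATE_KEY })
                    {
                        var template = new List<IObjectAttribute>
                        {
                            factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, keyClass)
                        };
                        foreach (IObjectHandle key in session.FindAllObjects(template))
                        {
                            IObjectAttribute label = session.GetAttributeValue(
                                key, new List<CKA> { CKA.CKA_LABEL })[0];
                            string name = label.CannotBeRead ? "(no label)" : label.GetValueAsString();
                            Console.WriteLine($"Slot {slot.SlotId}: {keyClass} '{name}' usable without PIN");
                        }
                    }
                }
            }
        }
    }

    static void Main(string[] args) => ListWithoutPin(args[0]);
}
```

Every key this prints is usable by any process on the client host that can load the library, so the output doubles as an inventory of keys that have no PIN protecting them.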
Source: https://stackoverflow.com/questions/45358919/is-it-possible-to-connect-with-a-hsm-without-pin-using-pkcs11interop-library