I am using AWS HSM. Followed the AWS HSM Setup guide for FIPS Mode HSM. Installed CloudHSM Command Line Interface (CLI), created a user called crypto-user by logging in to HSM using CloudHSM CLI. Followed AWS HSM guide to set up HSM on AWS.
After that I installed cloudhsm-pkcs11_latest_u22.04_arm64.deb in the same EC2 instance where the CloudHSM CLI was installed.
I gave the /opt/cloudhsm/lib/libcloudhsm_pkcs11.so in the correct location.
The below code gives me an error:
```javascript
const pkcs11js = require("pkcs11js");
let pkcs11 = new pkcs11js.PKCS11();
pkcs11.load("/opt/cloudhsm/lib/libcloudhsm_pkcs11.so");
pkcs11.C_Initialize();
let slot = pkcs11.C_GetSlotList(true)[0];
let session = pkcs11.C_OpenSession(slot, pkcs11js.CKF_RW_SESSION | pkcs11js.CKF_SERIAL_SESSION);
pkcs11.C_Login(session, pkcs11js.CKU_USER, "1234");
```
**Error: Pkcs11Error: CKR_PIN_INCORRECT**
I have already created a password for the crypto user and the correct pin is "1234".
I could login using the cloudhsm-cli successfully.
```
$ /opt/cloudhsm/bin/cloudhsm-cli interactive
> login --username example_user --role crypto-user
```
Ref: https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-getting-started.html
Information:
```javascript
var info = pkcs11.C_GetSessionInfo(session);
console.log("slot: 0x" + slot.toString("hex"));
console.log("session slot ID: 0x" + info.slotID.toString("hex"));
console.log("session state:" + info.state);
console.log("session flags:" + info.flags);
console.log("session deviceError:" + info.deviceError);
```
Output:
```
slot: 0x0100000000000020
session slot ID: 0x0100000000000020
session state:2
session flags:6
session deviceError:0
response undefined
```
```javascript
let tokenInfo = pkcs11.C_GetTokenInfo(slot);
console.log(tokenInfo.flags, "tokenInfo.flags");
console.log(pkcs11js.CKF_USER_PIN_INITIALIZED, "pkcs11js.CKF_USER_PIN_INITIALIZED");
const isPinInitialized = (tokenInfo.flags & pkcs11js.CKF_USER_PIN_INITIALIZED) !== 0;
console.log("Is User PIN Initialized?", isPinInitialized);
console.log("Token Label:", tokenInfo.label.trim());
console.log("Token Locked:", tokenInfo.flags & pkcs11js.CKF_TOKEN_INITIALIZED ? "No" : "Yes");
console.log("Login Required:", tokenInfo.flags & pkcs11js.CKF_LOGIN_REQUIRED ? "Yes" : "No");
console.log("User PIN Initialized:", tokenInfo.flags & pkcs11js.CKF_USER_PIN_INITIALIZED ? "Yes" : "No");
console.log("User PIN Count:", tokenInfo.userPinCount); // Shows remaining PIN tries if available
```
Output:
```
1029 tokenInfo.flags
8 pkcs11js.CKF_USER_PIN_INITIALIZED
Is User PIN Initialized? false
Token Label: hsm1
Token Locked: No
Login Required: Yes
User PIN Initialized: No
User PIN Count: undefined
```
Can someone help me why I am getting Pkcs11Error: CKR_PIN_INCORRECT even after entering correct pin?
2 Answers
Fixed the issue, the password/pin should be written in this format- username:password
Example if the crypto user's username is abcd and password 1234, then:
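
The `username:password` PIN format from the answer above, as an added example that is not part of the original answer or of the pkcs11js project: it builds the PIN, passes it to `C_Login`, and decodes the `tokenInfo.flags` value 1029 from the question. The function names `decodeTokenFlags`, `buildCloudHsmPin`, `loginCryptoUser` and `makeFakePkcs11` are hypothetical, and the fake object is a constructed stand-in for a loaded `pkcs11js.PKCS11` instance so the code runs without an HSM.

```javascript
// Added example. Constant values are from the PKCS#11 specification.
const CKU_USER = 1;
const TOKEN_FLAGS = {
  CKF_RNG: 0x1,
  CKF_WRITE_PROTECTED: 0x2,
  CKF_LOGIN_REQUIRED: 0x4,
  CKF_USER_PIN_INITIALIZED: 0x8,
  CKF_TOKEN_INITIALIZED: 0x400,
};

// Names of the bits set in a tokenInfo.flags value (1029 in the question).
function decodeTokenFlags(flags) {
  return Object.keys(TOKEN_FLAGS).filter((n) => (flags & TOKEN_FLAGS[n]) !== 0);
}

// Build the PIN in the username:password format given in the answer.
// Assumption: a ':' in the username would make the split ambiguous, so reject it.
function buildCloudHsmPin(username, password) {
  if (!username || !password) throw new Error("username and password are required");
  if (username.includes(":")) throw new Error("username must not contain ':'");
  return `${username}:${password}`;
}

// Log in on an open session; `pkcs11` is an initialized pkcs11js.PKCS11 object.
// The password never appears in the error text.
function loginCryptoUser(pkcs11, session, username, password) {
  try {
    pkcs11.C_Login(session, CKU_USER, buildCloudHsmPin(username, password));
  } catch (err) {
    if (!String(err && err.message).includes("CKR_PIN_INCORRECT")) throw err;
    throw new Error(`CKR_PIN_INCORRECT for "${username}": check the credentials ` +
      "and that the PIN is passed as username:password");
  }
}

// Constructed stand-in for the HSM so the example runs offline (hypothetical).
function makeFakePkcs11(acceptedPin) {
  return {
    C_Login(session, userType, pin) {
      if (userType !== CKU_USER || pin !== acceptedPin) {
        throw new Error("CKR_PIN_INCORRECT");
      }
    },
  };
}

const fakeHsm = makeFakePkcs11("abcd:1234");
loginCryptoUser(fakeHsm, 1, "abcd", "1234"); // accepted: PIN sent as "abcd:1234"
console.log(decodeTokenFlags(1029).join(" | "));
```

Against a real cluster, pass the object returned by `new pkcs11js.PKCS11()` after `load` and `C_Initialize`, and read the username and password from the environment or a secrets store instead of source code.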
The error `Pkcs11Error: CKR_PIN_INCORRECT` suggests that the provided PIN is incorrect or the HSM token may not be initialized properly. Here are a few things to check:

- Verify PIN Initialization: According to your token info, `User PIN Initialized` is `false`. Ensure that the crypto user’s PIN has been initialized correctly in the HSM.
- Check HSM Setup: Double-check the HSM configuration and ensure that the user setup was successful. The CloudHSM CLI login working doesn’t always guarantee the PIN setup is correct for PKCS11 usage.
- Reset the PIN: If possible, try resetting the crypto-user’s PIN using the CloudHSM CLI and reattempt the login.

This might resolve the issue.