Skip to content

feat: allow hsm login before import pubkey (pubkey may be inaccessibl…#1109

Open
Spinbazz wants to merge 3 commits intosecure-systems-lab:mainfrom
Spinbazz:feat/hsm_login_before_import_pubkey
Open

feat: allow hsm login before import pubkey (pubkey may be inaccessibl…#1109
Spinbazz wants to merge 3 commits intosecure-systems-lab:mainfrom
Spinbazz:feat/hsm_login_before_import_pubkey

Conversation

@Spinbazz
Copy link
Copy Markdown

@Spinbazz Spinbazz commented Mar 25, 2026

…e for unlogged client)

Description of the changes being introduced by the pull request:

Add a call of login pykcs11 function before searching pub key on import function

Fixes #1108

jku
jku reviewed Mar 30, 2026
View reviewed changes
Comment thread securesystemslib/signer/_hsm_signer.py Outdated
Comment on lines +308 to +309
if pin_handler is not None:
session.login(pin_handler(cls.SECRETS_HANDLER_MSG))
Copy link
Copy Markdown
Collaborator

@jku jku Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this sounds like if the app provides pin_handler, all users now get a pin request even though some of them don't need it. I assume we could avoid that somehow

Copy link
Copy Markdown
Author

@Spinbazz Spinbazz Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I propose to call pin handler only if unlogged public key research has failed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jku jku jku left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HSM signer - Add support for restricted public key

2 participants

@Spinbazz @jku