Handle CKR_USER_ALREADY_LOGGED_IN in PKCS#11 session open #30
Merged
When both the Nitrokey HSM provider and the HSM cache backend open PKCS#11 sessions on the same slot, the second C_Login call fails with CKR_USER_ALREADY_LOGGED_IN because the slot only allows one login. The cache backend's open() raised ProviderError and fell back to live provider lookups, silently disabling the entire cache. This also happens across process restarts: if psi serve is killed before its finally block runs close()/logout(), the next serve process inherits a stale login on the slot. Treat CKR_USER_ALREADY_LOGGED_IN as success — the slot is already authenticated and the session is usable.
Summary
When both the Nitrokey HSM provider and the HSM cache backend open PKCS#11 sessions on the same slot, the second C_Login call fails with CKR_USER_ALREADY_LOGGED_IN because the slot only allows one login. The cache backend's open() raised ProviderError and fell back to live provider lookups, silently disabling the cache on every serve startup.

This also happens across process restarts when serve is killed before its finally block runs close()/logout() — the next process inherits a stale login.

Fix: treat CKR_USER_ALREADY_LOGGED_IN as success — the slot is already authenticated and the session is usable.

Discovered while testing the cache key fix (PR #29) on the test server: the cache had the right keys but never loaded because the HSM backend couldn't open its session.
Test plan
- pytest — 335 tests pass (HSM tests are integration-only, no hardware in CI).
- ruff check / ty check — clean.
- psi-secrets, confirm cache loads (no HSM login failed warning), stop Infisical, verify lookups return cached values.
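The behaviour described in this PR, as an added example that is not the project's code: a constructed in-memory token stands in for the HSM so the login handling can be exercised without hardware. `FakeToken`, `open_session`, `cache_enabled` and `tolerate_existing_login` are hypothetical names, and `ProviderError` is redefined here as a stand-in; only `CKR_USER_ALREADY_LOGGED_IN` is accepted as success, so other login failures still surface.

```python
# Added example: a constructed in-memory token stands in for the real HSM.
CKR_OK = 0x000
CKR_PIN_INCORRECT = 0x0A0
CKR_USER_ALREADY_LOGGED_IN = 0x100  # return values from the PKCS#11 specification


class ProviderError(Exception):
    """Stand-in for the project's error type; raised when open() cannot log in."""


class FakeToken:
    """Constructed model: login state belongs to the slot, not to one session."""

    def __init__(self, pin):
        self._pin = pin
        self.logged_in = False

    def c_login(self, pin):
        if self.logged_in:
            return CKR_USER_ALREADY_LOGGED_IN
        if pin != self._pin:
            return CKR_PIN_INCORRECT
        self.logged_in = True
        return CKR_OK


def open_session(token, pin, tolerate_existing_login=True):
    """Return 'fresh' or 'existing' on success; raise ProviderError otherwise."""
    rv = token.c_login(pin)
    if rv == CKR_OK:
        return "fresh"
    if rv == CKR_USER_ALREADY_LOGGED_IN and tolerate_existing_login:
        # Only this one code is treated as success; the slot is authenticated.
        return "existing"
    raise ProviderError(f"C_Login failed: 0x{rv:03X}")


def cache_enabled(token, pin, tolerate_existing_login):
    """Model of the cache backend: a failed open() means live lookups only."""
    try:
        open_session(token, pin, tolerate_existing_login)
        return True
    except ProviderError:
        return False
```

Returning a distinct "existing" result lets the caller log when it has attached to a login it did not create, which covers the stale-login case after a killed process.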