How to login as Crypto User role

Skip to first unread message


Dec 16, 2019, 1:53:29 AM12/16/19
to Pkcs11Interop

My HSM has another role which is "Crypto User" with the limited crypto operation that can be performed (encrypt/decrypt/sign/verify).
So, I can't use the following code to log in as Crypto User but I'm not sure why it doesn't.

pkcs11Library = Settings.Factories.Pkcs11LibraryFactory.LoadPkcs11Library(Settings.Factories, Settings.Pkcs11LibraryPath, Settings.AppType);
 slot = Helpers.GetUsableSlot(pkcs11Library);
session = slot.OpenSession(SessionType.ReadOnly);
session.Login(CKU.CKU_CONTEXT_SPECIFIC, passwd);

Anyone please kindly help.

P.S. It has no problem with the "Crypto Officer" role. It can use the ReadWrite session and CKU_USER type to log in.

Best regards,


Dec 16, 2019, 2:55:07 AM12/16/19
to Pkcs11Interop
Hi Jaroslav,

I have config the debug log then login as Crypto User in the HSM itself tool. So, it looks like the Crypto User uses "-2147483647" but the CKU_CONTEXT_SPECIFIC is "2".

14:14:11 08016-14520:STRTLogin {Sesn=2 User=-2147483647 PIN=(8 "********") }
14:14:11 08016-14520:FINILogin CKR_OK(66526ms) {}

I have checked the CKU class in uint type then I can't perform typecasting to the negative value.
session.Login((CKU) LunaRoles.CKU_CU, passwd);

Please kindly help.


Dec 16, 2019, 3:08:48 AM12/16/19
to Pkcs11Interop

I have just checked the error message then I solved the problem!

Here is my solution.

1. Create enum for your HSM roles
public enum HsmRoles
        CKU_SO = 0,
        CKU_CO = 1,
        CKU_CU = -2147483647

2. Edit the login step (Cast to CKU type then uncheck to support negative value)
session.Login(unchecked((CKU) LunaRoles.CKU_CU), passwd);
Reply all
Reply to author
0 new messages