Pkcs11Interop CKR_TOKEN_NOT_PRESENT


Arnaud Bertoli

Mar 18, 2016, 5:17:57 AM
to Pkcs11Interop
Hi,

I'm working on back-office software using a Luna HSM (the AWS CloudHSM service). We currently use the Pkcs11Interop library for test purposes. At the beginning we used the library in a web service to decrypt TDES data sent to us by embedded devices. No problems with that. But recently we decided to use the HSM to perform CMAC verification and calculation. So I wrote a little console application to test CMAC calculation and verification. I had no problems; the application was able to connect to the HSM and do all the operations. The problems started after I integrated the new methods into the web service. It seems just impossible to open a session with the HSM. It fails with CKR_TOKEN_NOT_PRESENT.

Here is the method I use for opening the session:

public void OpenSession(IPkcs11 pkcs11, string hsmPIN, string hsmSLOT)
{
    Log.Debug("Open session with the HSM Slot " + hsmSLOT + " Pin " + hsmPIN);
    Console.WriteLine("Open session with the HSM");

    lock (syncRoot)
    {
        // Get all available slots (false = include slots without a token present)
        ICollection<ISlot> slots = pkcs11.GetSlotList(false);

        if (slots != null && slots.Count > 0)
        {
            // Pick the slot by its position in the list, not by slot id or token label
            ISlot slot;
            if (slots.Count == 1)
            {
                slot = slots.ElementAt(0);
            }
            else
            {
                slot = slots.ElementAt(Convert.ToInt16(hsmSLOT));
            }

            // Open a read/write session with the HSM and log in as the normal user
            session = slot.OpenSession(true);
            if (session != null)
            {
                session.Login(CKU.CKU_USER, hsmPIN);
            }
            else
            {
                throw new Pkcs11Exception("Unable to open session with HSM", CKR.CKR_DEVICE_ERROR);
            }
        }
        else
        {
            throw new Pkcs11Exception("No Slot available on HSM", CKR.CKR_DEVICE_ERROR);
        }
    }
}

Other details:
- Both the console application and the web service use the same library for opening the session.
- When I put "true" in the parameter of GetSlotList, I see the exception "Unable to open session with HSM".
- When I try to dump all the slots, I see 4 slots in the console application but only 3 in the web service.

The output from the console application:

Open session with the HSM Slot 0 Pin ********************
slot id 1
slot description LunaNet Slot
slot id 2
slot description Luna UHD Slot
slot id 3
slot description Luna UHD Slot
slot id 4
slot description Luna UHD Slot


The output from the web service:
2016-03-17 15:45:42,624 DEBUG Vix.eO.Sure.Lib.Utility.Cryptography.HSM.Pkcs11InteropHSMAPI - Open session with the HSM Slot 0 Pin ********************
2016-03-17 15:45:42,639 DEBUG Vix.eO.Sure.Lib.Utility.Cryptography.HSM.Pkcs11InteropHSMAPI - slot id 1
2016-03-17 15:45:42,639 DEBUG Vix.eO.Sure.Lib.Utility.Cryptography.HSM.Pkcs11InteropHSMAPI - slot description Luna UHD Slot
2016-03-17 15:45:42,639 DEBUG Vix.eO.Sure.Lib.Utility.Cryptography.HSM.Pkcs11InteropHSMAPI - slot id 2
2016-03-17 15:45:42,639 DEBUG Vix.eO.Sure.Lib.Utility.Cryptography.HSM.Pkcs11InteropHSMAPI - slot description Luna UHD Slot
2016-03-17 15:45:42,639 DEBUG Vix.eO.Sure.Lib.Utility.Cryptography.HSM.Pkcs11InteropHSMAPI - slot id 3
2016-03-17 15:45:42,639 DEBUG Vix.eO.Sure.Lib.Utility.Cryptography.HSM.Pkcs11InteropHSMAPI - slot description Luna UHD Slot

It seems that the web service just doesn't see the slot with the token. And it was working before my development, when we only did TDES decryption, so I suppose I have done something wrong ;). Does anyone have an idea?

Thanks for your help,


Arnaud Bertoli

Mar 18, 2016, 5:21:49 AM
to Pkcs11Interop
Sorry, one mistake:

"When I put "true" in the parameter of GetSlotList, I see the exception "Unable to open session with HSM"" is not right. The real exception is "No Slot available on HSM."

Jaroslav Imrich

Mar 20, 2016, 7:11:56 PM
to Pkcs11Interop, arnaud....@vixtechnology.com
Hello Arnaud,

I have no previous experience with AWS CloudHSM, but it sounds like your problem might be permission related. You say that your console application sees 4 slots. Was it executed under a privileged user account? You say that your web service sees only 3 slots. Is it running on IIS? What is the identity of your application pool [0]? I guess it is different from the user account you used to run your console application. Please note that not every user account might be allowed to access the HSM.

    ISlot slot;
    if (slots.Count == 1)
    {
        slot = slots.ElementAt(0);
    }
    else
    {
        slot = slots.ElementAt(Convert.ToInt16(hsmSLOT));
    }

Using the slot index to identify the correct slot is not the best idea IMO. It is usually much better to use the token serial or token label (see [1] for a code sample), or even better a PKCS#11 URI (see [2] for a code sample).

Regards, Jaroslav
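As an added illustration of the advice above (example code, not from the thread or the Pkcs11Interop project), this helper selects a slot by token label and/or serial number instead of by list position, and reports which tokens the process could actually see when nothing matches. It assumes the same IPkcs11/ISlot surface the original post uses (GetSlotList(bool), GetTokenInfo()) and that the token info type exposes Label and SerialNumber, as in the Pkcs11Interop HighLevelAPI.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Assumed API: IPkcs11.GetSlotList(bool tokenPresent), ISlot.GetTokenInfo(),
// ITokenInfo.Label / ITokenInfo.SerialNumber (Pkcs11Interop HighLevelAPI).
public static class TokenLocator
{
    // Returns the slot whose token carries the expected label and/or serial.
    // Only slots that currently report a token present are considered, so an
    // empty "Luna UHD Slot" can never be chosen the way an index lookup can.
    public static ISlot FindSlotByToken(IPkcs11 pkcs11, string expectedLabel, string expectedSerial = null)
    {
        if (string.IsNullOrWhiteSpace(expectedLabel) && string.IsNullOrWhiteSpace(expectedSerial))
            throw new ArgumentException("A token label or serial number is required");

        List<string> seen = new List<string>();

        foreach (ISlot slot in pkcs11.GetSlotList(true))
        {
            ITokenInfo token = slot.GetTokenInfo();
            // CK_TOKEN_INFO pads label and serial with spaces; trim before comparing
            string label = (token.Label ?? string.Empty).Trim();
            string serial = (token.SerialNumber ?? string.Empty).Trim();
            seen.Add($"slot {slot.SlotId}: label='{label}' serial='{serial}'");

            bool labelOk = string.IsNullOrWhiteSpace(expectedLabel) || label == expectedLabel.Trim();
            bool serialOk = string.IsNullOrWhiteSpace(expectedSerial) || serial == expectedSerial.Trim();
            if (labelOk && serialOk)
                return slot;
        }

        // List exactly what this process could see: an account that is not allowed
        // to use the HSM client shows fewer tokens, as the web service did above.
        throw new Pkcs11Exception(
            "Expected token not visible to this process. Tokens seen: " +
            (seen.Count == 0 ? "none" : string.Join("; ", seen)),
            CKR.CKR_TOKEN_NOT_PRESENT);
    }
}
```

Logging the thrown message from the web service shows immediately whether the token is missing from the slot list under the application pool identity or merely sits at a different index than in the console application.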

Arnaud Bertoli

Mar 21, 2016, 12:18:33 PM
to Pkcs11Interop
Hi Jaroslav,

Thanks for your answer. Yes, we use an IIS server. You're probably right about the permissions issue. On Friday we tested on an old AWS platform and everything worked fine. Moreover, the IIS configuration seems to be identical on both platforms. I suppose it is a problem in the configuration with the HSM, I mean in the link between the client and the HSM. I will check with our network administrator.

And of course thanks for all your advice about the slots. I will have a look at all of this.

Regards,

