Attempted to read or write protected memory
victor
We have a Luna Network HSM mapped on a Windows x64 system (PKCS#11 driver is C:\Program Files\SafeNet\LunaClient\cryptoki.dll).
We are using with success Pkcs11Interop in our Windows Forms application. Also, if the Windows Forms application is opened for multiple times (multiple instances), the HSM is able to be used concurrently by these application without any kind of problems.
We have build a dummy ASP.NET Web Service Application that uses the HSM (create a key pair and sign some random data with the private key).
If the Web service is consumed by a single client, everything goes well.
If the Web service is consumed by 2 or multiple clients at the same time, the following error is thrown: "Attempted to read or write protected memory. This is often an indication that other memory is corrupt."
We are using Net.Pkcs11Interop.Common; and Net.Pkcs11Interop.HighLevelAPI; with the samples from the official website.
The error is usually thrown by this method: pkcs11.GetSlotList(SlotsType.WithTokenPresent)
// Load unmanaged PKCS#11 library
using (Pkcs11 pkcs11 = new Pkcs11(_pkcs11LibraryPath, AppType.MultiThreaded))
{
if (pkcs11.GetSlotList(SlotsType.WithTokenPresent).Count == 0)
In addition, other exceptions are thrown sometimes:
Method C_Login returned 2147483751
Method C_CloseSession returned CKR_SESSION_HANDLE_INVALID
These errors are never thrown if the webservice is consumed only by a single client.
We have tried various things like:
- compile all components to x64 only (no Any CPU or Mixed Platforms).
- Tools menu ->Options -> Debugging -> General -> Uncheck this option "Suppress JIT optimization on module load".
- disable/enable DEP: select "Turn on DEP for all programs and services except except those i select".
- create an IIS applciation pool with admin rights and change some settings: managed pipeline mode to classic, increase maximum worker processes, load user profile.
All of these workarounds not solve the issue.
Anybody knows why this thing happens?
Thank you for your time.
Jaroslav Imrich
you are most likely not using PKCS#11 API correctly in multithreaded application.
Short answer is that you need to ensure that:
- you are using single instance of Pkcs11 class in your application (i.e. loaded during server startup and unloaded during its stop)
- you are using new instance of Session class for each cryptographic operation
Long answer is that you need to read "Chapter 6 - General overview" of PKCS#11 v2.20 specification [0] which explains all basic concepts of PKCS#11 API.
After you finish this mandatory reading, you can take a look at Pkcs11RsaSignature [1] class in Pkcs11Interop.PDF [2] project for a working code sample of class that can be used in multithreaded environment.
[0] https://github.com/Pkcs11Interop/PKCS11-SPECS/tree/master/v2.20
[1] https://github.com/jariq/Pkcs11Interop.PDF/blob/master/src/Pkcs11Interop.PDF/Pkcs11RsaSignature.cs
[2] https://github.com/jariq/Pkcs11Interop.PDF/
--
You received this message because you are subscribed to the Google Groups "Pkcs11Interop" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pkcs11interop+unsubscribe@googlegroups.com.
To post to this group, send email to pkcs11...@googlegroups.com.
Visit this group at https://groups.google.com/group/pkcs11interop.
victor...@gmail.com
Thank you for you very useful information.
Indeed, it seems to be a problem with multithreading and we will try to implement the approach suggested by you. The problem is our webservice is a classic ASMX webservice and from our tests, ASMX not knows to use a single instance of a class.
Meanwhile, we have found a workaround based on locking mechanism as below:
private static object locker = new Object();
lock (locker)
{
//PKCS#11 operations
}
This approach will not use the miltithreading HSM ability but at least the webservice will not throw any kind of error.
The next step is to use WCF instead of ASMX because WCF knows about single instance of a class.
Thank you again for your support.