using (Session session = slot.OpenSession(SessionType.ReadWrite))
{
    session.Login(CKU.CKU_SO, "pin");

    // Search template passed to FindAllObjects
    List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>();
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "label2"));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "label1"));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "Pkcs11Interop"));

    List<ObjectHandle> foundPublicKeys = session.FindAllObjects(publicKeyAttributes);
}
I am trying to use the Pkcs11Interop library to get my own certificate from an HSM and get it from the bill.
When I try to find my own certificate with this code:
var foundObjects = session.FindAllObjects(searchTemplate);
It returned zero (0).
session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle, out privateKeyHandle);
I found this code but I get an error.
C_GenerateKeyPair returned CKR_USER_NOT_LOGGED_IN
Can anyone help me? Thanks.
So let's answer the questions I'm guessing you were trying to ask:
Question #1: When I try to find my own certificate object with
var foundObjects = session.FindAllObjects(searchTemplate);
I get zero objects. Why?
You did not post your search template so again I can only guess. My guess is that your search template does not match attributes of objects you are expecting to be found. In other words there are no objects on your token that match search template criteria.
For more details see the documentation of the C_FindObjectsInit function in the PKCS#11 v2.20 specification. It states:
The matching criterion is an exact byte-for-byte match with all attributes in the template.
You can also read Chapter 10 of PKCS#11 v2.20 specification to get familiar with PKCS#11 object types and their attributes.
Question #2: When I try to generate a new key pair with
session.GenerateKeyPair()
method I get the error "C_GenerateKeyPair returned CKR_USER_NOT_LOGGED_IN". Why?
Chapter 6.5 of PKCS#11 v2.20 specification states:
Only the normal user is allowed access to private objects on the token, and that access is granted only after the normal user has been authenticated. Some tokens may also require that a user be authenticated before any cryptographic function can be performed on the token, whether or not it involves private objects.
So I guess you must first authenticate to your token by calling session.Login()
method and after that you should be able to create new token objects (generate keys).
Please note that it is highly recommended that before you start using Pkcs11Interop you get familiar at least with "Chapter 2 - Scope", "Chapter 6 - General overview" and "Chapter 10 - Objects" of the PKCS#11 v2.20 specification (or equivalent chapters of any previous or subsequent specification version).
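The two points of this answer put together in one program, as an added example that is not part of the original question or answer and not the Pkcs11Interop project's own code: log in as the normal user (CKU_USER) rather than the SO, search for a certificate with a template that names each attribute exactly once, and only then generate a key pair. It assumes the Pkcs11Interop 3.x HighLevelAPI (the API shape used in the question); the library path, PIN and the "label1" key label are placeholders, and the certificate label "Pkcs11Interop" is taken from the question's template.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Added example for this answer; not the asker's code and not Pkcs11Interop's own sample.
// Assumes Pkcs11Interop 3.x HighLevelAPI. Path, PIN and labels are placeholders.
public static class CertificateLookupAndKeyGen
{
    const string LibraryPath = "/path/to/pkcs11-library.so"; // placeholder: vendor PKCS#11 module
    const string UserPin = "1234";                            // placeholder: normal-user PIN, not the SO PIN
    const string CertificateLabel = "Pkcs11Interop";          // label from the question; must match byte-for-byte

    public static void Main()
    {
        using (Pkcs11 pkcs11 = new Pkcs11(LibraryPath, AppType.MultiThreaded))
        {
            // Use the first slot that actually has a token in it
            List<Slot> slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent);
            if (slots.Count == 0)
                throw new Exception("No token present");
            Slot slot = slots[0];

            using (Session session = slot.OpenSession(SessionType.ReadWrite))
            {
                // Chapter 6.5: private objects (and on some tokens any crypto operation)
                // require the normal user, CKU_USER, to be logged in. CKU_SO is not enough.
                session.Login(CKU.CKU_USER, UserPin);

                List<ObjectHandle> certs = FindCertificatesByLabel(session, CertificateLabel);
                Console.WriteLine("Certificates with label '{0}': {1}", CertificateLabel, certs.Count);
                foreach (ObjectHandle cert in certs)
                {
                    List<ObjectAttribute> attrs = session.GetAttributeValue(
                        cert, new List<CKA> { CKA.CKA_LABEL, CKA.CKA_VALUE });
                    Console.WriteLine("  label={0}, DER length={1} bytes",
                        attrs[0].GetValueAsString(), attrs[1].GetValueAsByteArray().Length);
                }

                ObjectHandle publicKeyHandle, privateKeyHandle;
                GenerateRsaKeyPair(session, "label1", out publicKeyHandle, out privateKeyHandle);
                Console.WriteLine("Generated key pair: public handle {0}, private handle {1}",
                    publicKeyHandle.ObjectId, privateKeyHandle.ObjectId);

                session.Logout();
            }
        }
    }

    // A search template is an AND of attributes: every attribute in it must match the
    // object exactly. Listing CKA_CLASS or CKA_LABEL several times with different values,
    // as in the question, describes an object that cannot exist, so nothing is found.
    public static List<ObjectHandle> FindCertificatesByLabel(Session session, string label)
    {
        List<ObjectAttribute> searchTemplate = new List<ObjectAttribute>
        {
            new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE),
            new ObjectAttribute(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509),
            new ObjectAttribute(CKA.CKA_LABEL, label)  // compared as raw UTF-8 bytes, no padding
        };
        return session.FindAllObjects(searchTemplate);
    }

    public static void GenerateRsaKeyPair(Session session, string label,
        out ObjectHandle publicKeyHandle, out ObjectHandle privateKeyHandle)
    {
        Mechanism mechanism = new Mechanism(CKM.CKM_RSA_PKCS_KEY_PAIR_GEN);

        List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>
        {
            new ObjectAttribute(CKA.CKA_TOKEN, true),        // persist on the token, not session-only
            new ObjectAttribute(CKA.CKA_PRIVATE, false),
            new ObjectAttribute(CKA.CKA_LABEL, label),
            new ObjectAttribute(CKA.CKA_ENCRYPT, true),
            new ObjectAttribute(CKA.CKA_VERIFY, true),
            new ObjectAttribute(CKA.CKA_MODULUS_BITS, 2048),
            new ObjectAttribute(CKA.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 })
        };

        List<ObjectAttribute> privateKeyAttributes = new List<ObjectAttribute>
        {
            new ObjectAttribute(CKA.CKA_TOKEN, true),
            new ObjectAttribute(CKA.CKA_PRIVATE, true),      // private object: visible only after CKU_USER login
            new ObjectAttribute(CKA.CKA_LABEL, label),
            new ObjectAttribute(CKA.CKA_SENSITIVE, true),    // key material never leaves the token in the clear
            new ObjectAttribute(CKA.CKA_EXTRACTABLE, false),
            new ObjectAttribute(CKA.CKA_DECRYPT, true),
            new ObjectAttribute(CKA.CKA_SIGN, true)
        };

        // Fails with CKR_USER_NOT_LOGGED_IN if Login(CKU.CKU_USER, ...) was not called first
        session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes,
            out publicKeyHandle, out privateKeyHandle);
    }
}
```

If FindCertificatesByLabel still returns zero objects, drop attributes from the template one at a time (leaving only CKA_CLASS) to see which one does not match what is stored on the token; a label that differs by a single byte, such as a trailing space, is enough to rule the object out.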