
I'm using the NCryptoki DLL to manage access to our HSMs.

I use a C# Windows service. This service is a socket: it listens for requests and accesses the HSMs, doing stuff.

Using my code to access the HSM, I randomly get this message:

Cryptware.NCryptoki.CryptokiException: Error n. 145

Only a few calls out of the total get this message, but it is quite annoying. Do you know why this is happening?

I found 145 is 0x00000091 CKR_OPERATION_NOT_INITIALIZED: There is no active operation of an appropriate type in the specified session

I get this error, for example, when I call the find method:

Cryptware.NCryptoki.CryptokiException: Error n. 145 at Cryptware.NCryptoki.CryptokiObjects.Find(CryptokiCollection attList, Int32 nMaxCount)

It seems like the session isn't valid.

Our service is a listening socket. It gets a big load of requests and a few of them fail with this message. Do you know why?

The weird point is that the same request rarely fails and works all the other times.

Piero Alberto

1 Answer


You are most likely not using the PKCS#11 library and PKCS#11 sessions correctly in a multi-threaded environment. See my older answer to a similar question for more details.

jariq
  • Hi, the weird point is my service has only one session. I have a loop to keep this session alive (every minute I send a request). These requests alone are about 60*24=1440 daily requests; plus all the real requests, I think there are about 2000/2500 total requests. Starting from this number, consider that only about 20 daily requests fail with this error. Further, we have been getting this error only for a week, since we changed the HSM and the virtual machine connecting to the HSM. Can this be a problem? – Piero Alberto Apr 27 '17 at 06:34
  • I add this point: on the previous virtual machine with the previous HSM it used to work perfectly – Piero Alberto Apr 27 '17 at 06:42
  • @PieroAlberto using a single session in a service listening on a socket sounds suspicious. Are you blocking concurrent access to the service so the session is never used by two threads simultaneously? – jariq Apr 27 '17 at 07:11
  • Honestly no... can this be the problem? – Piero Alberto Apr 27 '17 at 07:16
  • @PieroAlberto Yes IMO this might be the root cause of your issues. But it is rather easy to solve with the correct programming model. You just need to initialize the PKCS#11 library with the `CKF_OS_LOCKING_OK` flag and use a new session for each cryptographic operation. Then your service should be thread-safe from the PKCS#11 point of view. Read *"Chapter 6 - General overview"* of the [PKCS#11 v2.20](https://github.com/Pkcs11Interop/PKCS11-SPECS/tree/master/v2.20) specification for more info about thread/operation isolation provided by sessions. – jariq Apr 27 '17 at 07:59
  • Cool, I'm reading it. Only one more question: as I said, the same service worked perfectly on another virtual machine. Do you think it can be a problem caused by a lack of resources (CPU/RAM) on the physical machine where the VM runs? We have some resource issues and I'm wondering if this can be one cause. – Piero Alberto Apr 27 '17 at 08:15
  • @PieroAlberto I really can't answer that :) – jariq Apr 27 '17 at 09:56
  • How can I set the flag CKF_OS_LOCKING_OK? – Piero Alberto Nov 20 '17 at 13:30
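
Added example, not part of the original thread and not NCryptoki or vendor code: a small C model of the per-session search state discussed above, replaying one interleaving of two requests to show how a shared session yields error 0x91 (145) while one session per request, or serialized access, does not. The `mock_session` type, the `replay` function and both schedules are constructed for illustration, and the model assumes a second init on a busy session is accepted.

```c
#include <stdio.h>

/* Return codes with the values given in the PKCS#11 specification. */
#define CKR_OK                        0x00UL
#define CKR_OPERATION_NOT_INITIALIZED 0x91UL /* decimal 145 */

/* Constructed model: one search state per session, shared by every caller
   that uses the session. Assumption: a second init on a busy session is
   accepted (no CKR_OPERATION_ACTIVE), as in an unsynchronized race. */
typedef struct { int search_active; } mock_session;

enum op { INIT, FIND, FINAL };
struct step { int request; enum op op; };

static unsigned long apply(mock_session *s, enum op op)
{
    if (op == INIT) { s->search_active = 1; return CKR_OK; }
    if (!s->search_active) return CKR_OPERATION_NOT_INITIALIZED;
    if (op == FINAL) s->search_active = 0;
    return CKR_OK;
}

/* Requests 0 and 1 handled by two threads with no locking (constructed). */
static const struct step interleaved[] = {
    {0, INIT}, {1, INIT}, {0, FIND}, {0, FINAL}, {1, FIND}, {1, FINAL}
};
/* The same two requests when access to the session is serialized. */
static const struct step serialized[] = {
    {0, INIT}, {0, FIND}, {0, FINAL}, {1, INIT}, {1, FIND}, {1, FINAL}
};

/* Replays a schedule; shared != 0 puts both requests on one session,
   shared == 0 gives each request its own. Returns the first error, or CKR_OK. */
unsigned long replay(const struct step *sched, int n, int shared)
{
    mock_session sessions[2] = { {0}, {0} };
    for (int i = 0; i < n; i++) {
        mock_session *s = &sessions[shared ? 0 : sched[i].request];
        unsigned long rv = apply(s, sched[i].op);
        if (rv != CKR_OK) return rv;
    }
    return CKR_OK;
}

int main(void)
{
    printf("shared, interleaved: 0x%lx\n", replay(interleaved, 6, 1));
    printf("own session each:    0x%lx\n", replay(interleaved, 6, 0));
    printf("shared, serialized:  0x%lx\n", replay(serialized, 6, 1));
    return 0;
}
```

Only the schedule in which request 0 finishes its search before request 1 fetches results fails, which matches a fault that appears on a small fraction of requests under load.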