2

We are using the Pkcs11Interop library for cryptography, and we customized and implemented the Pkcs11Interop code samples documented on GitHub for our project. In production, not every day, but we have to restart the server after CPU usage reaches maximum when we get consecutive (4 or 5 times) CKR_ENCRYPTED_DATA_INVALID exceptions. What causes this? How can we fix this problem? Any ideas will be appreciated. If anyone wants, I can share our code sample. Thanks for helping.

```
2017-07-11 10:45:07,580 ERROR HSM | 11.07.2017 10:45:07 | HSM Decrypt error occured
Net.Pkcs11Interop.Common.Pkcs11Exception: Method C_Decrypt returned CKR_ENCRYPTED_DATA_INVALID
   at Net.Pkcs11Interop.HighLevelAPI41.Session.Decrypt(Mechanism mechanism, ObjectHandle keyHandle, Byte[] encryptedData)
   at Pkcs11HsmHost.DecryptInSession(Session session, String value, Int32 keyIndex, Int32 retryCount) in Security\Pkcs11HsmHost.cs:line 164
```

Murat Gündeş

1 Answer

0

You are most likely not using your PKCS#11 library correctly in a multithreaded environment. See this answer for more info.

jariq
  • Hi Jariq, we prepared a sample project and implemented your code samples that are published on GitHub. But we found something weird: there is no AppType in the Pkcs11 library. "If an application will be accessing PKCS#11 library from multiple threads simultaneously, it should specify "AppType.MultiThreaded" as a value of "appType" parameter. PKCS#11 library will use the native operation system threading model for locking." – Murat Gündeş Aug 17 '17 at 14:21
  • @MuratGündeş `AppType` enum is available only in current master branch which is yet to be released as new major version 4.0. In older versions this setting uses `bool` type so you need to set it to `true`. – jariq Aug 17 '17 at 14:24
  • And another one is the GetSlotList method. Your sample is like below: `List<Slot> slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent);` But we didn't find anything about SlotsType, like AppType. When we check the GetSlotList method, it takes a parameter named `bool tokenPresent`. – Murat Gündeş Aug 17 '17 at 14:27
  • @MuratGündeş you need to work with samples and documentation in [3.3.0 branch](https://github.com/Pkcs11Interop/Pkcs11Interop/tree/3.3.0) instead of [master branch](https://github.com/Pkcs11Interop/Pkcs11Interop) – jariq Aug 17 '17 at 14:36
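
The setup the answer and comments point to, written against the 3.3.0 API as an added example (not code from the question's project or from the Pkcs11Interop samples): the library is loaded with the `bool` locking argument set to `true`, and every decrypt call opens its own session so that no `Session` object is used by two threads at once. The class name, library path, PIN, key label and the `CKM_AES_CBC_PAD` mechanism are assumptions; the page does not say which mechanism or key lookup the project uses.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Hypothetical wrapper: one instance is shared by all worker threads.
sealed class HsmDecryptor : IDisposable
{
    private readonly Pkcs11 _pkcs11;
    private readonly Slot _slot;
    private readonly Session _loginSession;

    public HsmDecryptor(string libraryPath, string pin)
    {
        // 3.3.0: second argument is the bool the comments mention; true asks the
        // PKCS#11 library to use native OS locking for multithreaded access.
        _pkcs11 = new Pkcs11(libraryPath, true);
        _slot = _pkcs11.GetSlotList(true)[0];   // bool tokenPresent in 3.3.0
        // PKCS#11 login state is shared by all of the application's sessions on a
        // token, so one long-lived session keeps the worker sessions logged in.
        _loginSession = _slot.OpenSession(true);
        _loginSession.Login(CKU.CKU_USER, pin);
    }

    // Safe to call concurrently: session and mechanism are local to the call.
    public byte[] Decrypt(string keyLabel, byte[] iv, byte[] encryptedData)
    {
        using (Session session = _slot.OpenSession(true))
        using (Mechanism mechanism = new Mechanism(CKM.CKM_AES_CBC_PAD, iv)) // assumed mechanism
        {
            var template = new List<ObjectAttribute>
            {
                new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY),
                new ObjectAttribute(CKA.CKA_LABEL, keyLabel)
            };
            List<ObjectHandle> keys = session.FindAllObjects(template);
            if (keys.Count != 1)
                throw new InvalidOperationException("Expected exactly one key for label " + keyLabel);
            return session.Decrypt(mechanism, keys[0], encryptedData);
        }
    }

    public void Dispose()
    {
        _loginSession.Dispose();   // closes the login session
        _pkcs11.Dispose();         // finalizes and unloads the PKCS#11 library
    }
}
```

If opening a session per call is too slow for the HSM in use, a pool that hands each session to one thread at a time keeps the same guarantee.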