2

I have the SmartCard HSM USB plugged in to my laptop. I can see it when I run a command through an application using the PKCS#11 API:

```
Slot 0
    Slot info:
        Description:      Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511725602
        Manufacturer ID:  Identiv
        Hardware version: 2.2
        Firmware version: 0.0
        Token present:    yes
    Token info:
        Manufacturer ID:  www.CardContact.de
        Model:            PKCS#15 emulated
        Hardware version: 24.13
        Firmware version: 2.5
        Serial number:    DECC0300697
        Initialized:      yes
        User PIN init.:   yes
        Label:            UserPIN (SmartCard-HSM)
```

It's been initialized with a SO-PIN and USER-PIN.

When I try to log in to the HSM using C_Login, I get a CKR_DEVICE_REMOVED error back. The USB HSM is still plugged in. I have googled the error but nothing fruitful came up.

```
login_token -LOGIN user -SLOT 0 -UPIN user-pin

EROR: rv=0x00000032: Could not log in on the token.
```

How can I log in to the HSM?

jariq
ejohnson

1 Answer

2

The following text is the description of the CKR_DEVICE_REMOVED error from the PKCS#11 v2.20 specification:

> CKR_DEVICE_REMOVED: The token was removed from its slot during the execution of the function.

If you did not attach/detach a new reader and did not insert/remove a smartcard once the PKCS#11 library was loaded, then I don't see any obvious reason why you are receiving this error.

However, you are using the PKCS#11 library provided by the OpenSC project, so you can enable its debugging via an environment variable or the configuration file. You may be able to find the cause of the error by exploring the debug output yourself. If not, then your best bet is to open a new OpenSC issue and discuss your problem with OpenSC project members.

jariq
  • Thanks @jariq! I will do that. On a separate note - can I store an application key in an HSM, i.e. can I feed a random key to some PKCS#11 function and have it stored in the HSM? Then retrieve it from the HSM using a corresponding 'get' function in PKCS? – ejohnson Jan 23 '18 at 06:37
  • @ejohnson See [my previous answer to an older question](https://stackoverflow.com/a/43092643/3325704). – jariq Jan 23 '18 at 16:03
  • So it seems I can use C_GenerateKey to generate an AES secret key and that stores the key on the HSM. I can then do a C_FindObject to get the key and its value. It appears C_CreateObject is not necessary here. Am I correct in my understanding? @jariq – ejohnson Jan 23 '18 at 22:17
  • @ejohnson most likely not the answer you were expecting, but you can do literally anything the PKCS#11 API allows you to do. Whether it is the best and most secure solution is a completely different question and almost impossible to answer without knowing your environment/solution/etc. – jariq Jan 23 '18 at 22:29
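One way to follow the debugging advice in the answer above, as an added example that is not part of the original thread or of OpenSC itself: it runs the failing command with the `OPENSC_DEBUG` environment variable set, keeps the debug output in a log file, and names the `rv` code the tool printed. The function names are hypothetical, and the `rv=0x...` pattern is assumed from the error line shown in the question.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of OpenSC.

# Run a command with OpenSC debugging on. OpenSC reads the level from
# OPENSC_DEBUG and, with no debug_file configured, logs to stderr.
# Usage: capture_opensc_debug LOGFILE COMMAND [ARGS...]
capture_opensc_debug() {
    log=$1; shift
    # Verbose logs can contain raw card traffic: a new log is owner-only.
    ( umask 077 && : > "$log" ) || return 1
    OPENSC_DEBUG=9 "$@" 2>>"$log"
}

# Pull the first "rv=0x..." value out of tool output read from stdin
# (format assumed from the error line in the question).
extract_rv() {
    sed -n 's/.*rv=0x\([0-9A-Fa-f]\{1,8\}\).*/\1/p' | head -n 1
}

# Name the PKCS#11 return values most relevant to a failed login.
ckr_name() {
    case $((0x${1:-0})) in
        0)   echo CKR_OK ;;
        48)  echo CKR_DEVICE_ERROR ;;
        50)  echo CKR_DEVICE_REMOVED ;;
        160) echo CKR_PIN_INCORRECT ;;
        164) echo CKR_PIN_LOCKED ;;
        224) echo CKR_TOKEN_NOT_PRESENT ;;
        225) echo CKR_TOKEN_NOT_RECOGNIZED ;;
        *)   echo "unknown (0x$1)" ;;
    esac
}

# Run the failing command once, keep its debug log, and name the error.
# Usage: triage_login LOGFILE COMMAND [ARGS...]
triage_login() {
    out=$(capture_opensc_debug "$@") || true
    rv=$(printf '%s\n' "$out" | extract_rv)
    [ -n "$rv" ] && echo "$(ckr_name "$rv") debug-log=$1"
}
```

Call it as `triage_login /path/to/opensc-debug.log <failing command>`, and review the log for PIN or key material before attaching it to a public issue.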