When trying to generate an RSA key pair with the Sun PKCS11 provider, the method generateKeyPair()
throws ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN.
My code looks like this:
```java
Provider prov = ... // initialize provider
KeyStore ks = KeyStore.getInstance("PKCS11", prov);
ks.load(null, "pass".toCharArray());
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", prov);
keyGen.initialize(2048);
KeyPair kp = keyGen.generateKeyPair(); // exception thrown here
```
I tried using AuthProvider right after provider initialization like so:
```java
AuthProvider aprov = (AuthProvider) prov;
aprov.login(null, callbacks -> {
    log.error("@@@ Inside callbacks {}", callbacks.length);
});
aprov.setCallbackHandler(callbacks -> {
    log.error("@@@ Inside setCallBackHandler {}", callbacks.length);
});
```
But I don't see any logging output, so that means the lambdas are not executed.
The ultimate goal is to generate an RSA key pair and store it in a keystore (HSM) via PKCS11.
I tried OpenJDK 8 and Oracle JDK 8. Also, when listing aliases from the keystore, I get an empty list, but I know there is one entry. Adding -Djava.security.debug=sunpkcs11 changed nothing.
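
A login flow for the AuthProvider approach described above, as an added example that is not part of the original post: the handler fills in the PasswordCallback that the provider passes to it before the key pair is generated. The class name, the `pinHandler` and `loginAndGenerate` helpers and the config path in `args[0]` are assumptions; the provider constructor used in `main` is the JDK 8 one.

```java
import java.security.AuthProvider;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class Pkcs11LoginExample { // hypothetical class name

    // Answers the provider's PasswordCallback with the token PIN.
    static CallbackHandler pinHandler(char[] pin) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(pin); // stores a copy
                } else {
                    throw new UnsupportedCallbackException(cb, "only PIN prompts handled");
                }
            }
        };
    }

    // Logs in to the token behind prov, then generates an RSA key pair on it.
    static KeyPair loginAndGenerate(Provider prov, char[] pin) throws Exception {
        try {
            // SunPKCS11 calls the handler only when it needs a PIN
            // (for example, not when the token is already logged in).
            ((AuthProvider) prov).login(null, pinHandler(pin));
            KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", prov);
            keyGen.initialize(2048);
            return keyGen.generateKeyPair();
        } finally {
            Arrays.fill(pin, '\0'); // wipe the caller's PIN array
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the SunPKCS11 config file (assumption). JDK 8 constructor;
        // on JDK 9+ use Security.getProvider("SunPKCS11").configure(args[0]) instead.
        Provider prov = new sun.security.pkcs11.SunPKCS11(args[0]);
        if (System.console() == null) throw new IllegalStateException("no console for PIN");
        char[] pin = System.console().readPassword("Token PIN: ");
        KeyPair kp = loginAndGenerate(prov, pin);
        System.out.println("Generated " + kp.getPublic().getAlgorithm() + " key via " + prov.getName());
    }
}
```

To store the private key under an alias afterwards, KeyStore.setKeyEntry requires a certificate chain alongside it.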