PKCS#11 with NCryptoki error N. 145

0 votes
Latest question by user: (120 points)

I'm using the NCryptoki dll to manage the access to our HSMs.

I use a C# Windows service. This service is a socket: it listens for requests and it accesses the HSMs, doing stuff.

Using my code to access the HSM, I randomly get this message:

Cryptware.NCryptoki.CryptokiException: Error n. 145

Only a few calls out of the total get this message, but it is quite annoying. Do you know why this is happening?

I found 145 is 0x00000091 CKR_OPERATION_NOT_INITIALIZED: There is no active operation of an appropriate type in the specified session

I get this error, for example, when I call the find method:

Cryptware.NCryptoki.CryptokiException: Error n. 145 at Cryptware.NCryptoki.CryptokiObjects.Find(CryptokiCollection attList, Int32 nMaxCount)

It seems like the session isn't valid.

Our service is a listening socket. It gets a big load of requests and a few of them fail with this message. Do you know why?

The weird point is the same request rarely fails and all the other times it works.

1 answer

0 votes
Latest answer by user: (300 points)

You are most likely not using the PKCS#11 library and PKCS#11 sessions in a multi-threaded environment correctly. See my older answer to a similar question for more details.

Posted by user: (120 points)
Hi, the weird point is my service has only one session. I have a loop to keep this session alive (every minute I send a request). These requests alone are about 60*24=1440 daily requests; plus all the real requests, I think there are about 2000/2500 total requests. Out of this number, consider that only about 20 daily requests fail with this error. Further, we have been getting this error only for a week, since we changed the HSM and the virtual machine connecting to the HSM. Can this be a problem?
Posted by user: (120 points)
I add this point: in the previous virtual machine with the previous HSM it used to work perfectly.
Posted by user: (300 points)
@PieroAlberto using a single session in a service listening on a socket sounds suspicious. Are you blocking concurrent access to the service so the session is never used by two threads simultaneously?
Posted by user: (120 points)
Honestly no... can this be the problem?
Posted by user: (300 points)
@PieroAlberto Yes, IMO this might be the root cause of your issues. But it is rather easy to solve with the correct programming model. You just need to initialize the PKCS#11 library with the CKF_OS_LOCKING_OK flag and use a new session for each cryptographic operation. Then your service should be thread-safe from the PKCS#11 point of view. Read "Chapter 6 - General overview" of the PKCS#11 v2.20 specification for more info about thread/operation isolation provided by sessions.
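
An added illustration, not part of the original thread and not NCryptoki or HSM vendor code: a small Python model of the per-session find-operation state that PKCS#11 defines, replaying one constructed interleaving of two requests first on a shared session and then on one session per request. The class, function and schedule names are hypothetical; only the return codes come from the PKCS#11 specification, and the model covers the session-per-operation part of the advice, not the CKF_OS_LOCKING_OK flag.

```python
# Model of the single object-search slot each PKCS#11 session has.
CKR_OK = 0x00
CKR_OPERATION_ACTIVE = 0x90
CKR_OPERATION_NOT_INITIALIZED = 0x91  # decimal 145, the error in the question


class ModelSession:
    """Hypothetical stand-in for one PKCS#11 session (search state only)."""

    def __init__(self):
        self.find_active = False

    def find_init(self):  # models C_FindObjectsInit
        if self.find_active:
            return CKR_OPERATION_ACTIVE
        self.find_active = True
        return CKR_OK

    def find(self):  # models C_FindObjects
        return CKR_OK if self.find_active else CKR_OPERATION_NOT_INITIALIZED

    def find_final(self):  # models C_FindObjectsFinal
        if not self.find_active:
            return CKR_OPERATION_NOT_INITIALIZED
        self.find_active = False
        return CKR_OK


# Constructed interleaving: keep-alive request "A" overlaps real request "B".
SCHEDULE = [("A", "find_init"), ("B", "find_init"), ("A", "find"),
            ("A", "find_final"), ("B", "find"), ("B", "find_final")]


def replay(session_for):
    """Run SCHEDULE and return the (request, call, rv) steps that failed."""
    failed = []
    for request, call in SCHEDULE:
        rv = getattr(session_for(request), call)()
        if rv != CKR_OK:
            failed.append((request, call, rv))
    return failed


def shared_session_failures():
    shared = ModelSession()  # what the service in the question does
    return replay(lambda _request: shared)


def per_request_failures():
    sessions = {}  # one fresh session per request, as the answer advises
    return replay(lambda r: sessions.setdefault(r, ModelSession()))


if __name__ == "__main__":
    for request, call, rv in shared_session_failures():
        print(f"shared session: request {request} {call} -> 0x{rv:02X} ({rv})")
    print("per-request sessions failed steps:", per_request_failures())
```

Which of the two codes a caller actually sees depends on the interleaving and on how the wrapper reacts to a failed call; in this model request A finishes its search and thereby ends the only search the shared session can hold, so B's later calls return 145.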