Pkcs11Exception: o método C_Initialize retornou 2147483907
Eu tenho um método simples para acessar meu HSM com Pkcs11Interop.
Esta é a função:
static public byte[] findTargetKeySValue(String label, String type, string command)
{
try
{
string pkcs11LibraryPath = @"C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin\hsm\cryptoki.dll";
Utility.Logger("cryptoki dll path " + pkcs11LibraryPath, command);
using (Pkcs11 pkcs11 = new Pkcs11(pkcs11LibraryPath, Inter_Settings.AppType))
{
// Find first slot with token present
Slot slot = Inter_Helpers.GetUsableSlot(pkcs11);
// Open RW session
using (Session session = slot.OpenSession(SessionType.ReadOnly))
{
// Login as normal user
session.Login(CKU.CKU_USER, Inter_Settings.NormalUserPin);
// Prepare attribute template that defines search criteria
List<ObjectAttribute> objectAttributes = new List<ObjectAttribute>();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
if (type == "DES")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES));
else if (type == "DES2")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES2));
else if (type == "DES3")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, label));//PROVAK
List<ObjectHandle> foundObjects = session.FindAllObjects(objectAttributes);
var key = foundObjects[0];
byte[] plainKeyValue = null;
List<ObjectAttribute> readAttrsSensitive = session.GetAttributeValue(key, new List<CKA>() { CKA.CKA_SENSITIVE });
if (!readAttrsSensitive[0].GetValueAsBool())
{
Utility.Logger("findTargetKeySValue chiave " + label + " non senstive", command);
List<ObjectAttribute> readAttrs = session.GetAttributeValue(key, new List<CKA>() { CKA.CKA_VALUE });
if (readAttrs[0].CannotBeRead)
throw new Exception("Key cannot be exported");
else
plainKeyValue = readAttrs[0].GetValueAsByteArray();
//Console.WriteLine(ByteArrayToAsciiHEX(plainKeyValue));
session.Logout();
return plainKeyValue;
}
else
{
Utility.Logger("findTargetKeySValue chiave " + label + " senstive", command);
Console.WriteLine("wrap/unwrap");
objectAttributes = new List<ObjectAttribute>();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "WRAPPING_KEY")); //WRAPPING_KEY WRK
foundObjects = session.FindAllObjects(objectAttributes);
var wrappingKey = foundObjects[0];
Mechanism m = new Mechanism(CKM.CKM_DES3_ECB);
var wrapped = session.WrapKey(m, wrappingKey, key);
//Console.WriteLine("wrapped " + ByteArrayToAsciiHEX(wrapped));
//Console.WriteLine(ByteArrayToAsciiHEX(session.Decrypt(m, wrappingKey, wrapped)));
var k = session.Decrypt(m, wrappingKey, wrapped);
session.Logout();
return k;
}
}
}
}
catch (Exception e)
{
//Console.WriteLine(e.ToSafeString());
Utility.Logger("findTargetKeySValue " + e.ToSafeString(), command);
return null;
}
}
Eu tenho esse método chamado dentro de um servidor de soquete quando ele recebe uma chamada do cliente.
Para testá-lo, criei um pequeno programa com um loop. Nesse loop, ele envia cerca de 3 solicitações a cada segundo para o servidor, que usa Pkcs11Interop.
Vamos chamar esse programa testador tester.exe. Se eu executar o tester.exe, tudo parece estar bem. Mas, enquanto o primeiro tester.exe está em execução, tento executar outra instância do tester.exe, recebo o erro
Net.Pkcs11Interop.Common.Pkcs11Exception: o método C_Initialize retornou 2147483907
neste código de linha específico:
using (Pkcs11 pkcs11 = new Pkcs11(pkcs11LibraryPath, Inter_Settings.AppType))
Por quê? Qual é o problema?
ATUALIZAR:
AppType é
public static AppType AppType = AppType.MultiThreaded;
e as configurações init são:
static Inter_Settings()
{
if (AppType == AppType.MultiThreaded)
{
InitArgs40 = new LLA40.CK_C_INITIALIZE_ARGS();
InitArgs40.Flags = CKF.CKF_OS_LOCKING_OK;
InitArgs41 = new LLA41.CK_C_INITIALIZE_ARGS();
InitArgs41.Flags = CKF.CKF_OS_LOCKING_OK;
InitArgs80 = new LLA80.CK_C_INITIALIZE_ARGS();
InitArgs80.Flags = CKF.CKF_OS_LOCKING_OK;
InitArgs81 = new LLA81.CK_C_INITIALIZE_ARGS();
InitArgs81.Flags = CKF.CKF_OS_LOCKING_OK;
}
// Convert strings to byte arrays
SecurityOfficerPinArray = ConvertUtils.Utf8StringToBytes(SecurityOfficerPin);
NormalUserPinArray = ConvertUtils.Utf8StringToBytes(NormalUserPin);
ApplicationNameArray = ConvertUtils.Utf8StringToBytes(ApplicationName);
// Build PKCS#11 URI that identifies private key usable in signature creation tests
Pkcs11UriBuilder pkcs11UriBuilder = new Pkcs11UriBuilder();
pkcs11UriBuilder.ModulePath = Pkcs11LibraryPath;
pkcs11UriBuilder.Serial = TokenSerial;
pkcs11UriBuilder.Token = TokenLabel;
pkcs11UriBuilder.PinValue = NormalUserPin;
pkcs11UriBuilder.Type = CKO.CKO_PRIVATE_KEY;
pkcs11UriBuilder.Object = ApplicationName;
PrivateKeyUri = pkcs11UriBuilder.ToString();
}
UPDATE2:
public class InteropHSM
{
private Pkcs11 _pkcs11 = null;
private Slot _slot = null;
public InteropHSM()
{
string pkcs11LibraryPath = @"C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin\hsm\cryptoki.dll";
_pkcs11 = new Pkcs11(pkcs11LibraryPath, Inter_Settings.AppType);
_slot = Inter_Helpers.GetUsableSlot(_pkcs11);
}
public byte[] findTargetKeySValue(String label, String type, string command)
{
try
{
//string pkcs11LibraryPath = @"C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin\hsm\cryptoki.dll";
//Utility.Logger("cryptoki dll path " + pkcs11LibraryPath, command);
//using (Pkcs11 pkcs11 = new Pkcs11(pkcs11LibraryPath, Inter_Settings.AppType))
//{
//Slot slot = Inter_Helpers.GetUsableSlot(_pkcs11);
using (Session session = _slot.OpenSession(SessionType.ReadOnly))
{
// Login as normal user
session.Login(CKU.CKU_USER, Inter_Settings.NormalUserPin);
// Prepare attribute template that defines search criteria
List<ObjectAttribute> objectAttributes = new List<ObjectAttribute>();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
if (type == "DES")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES));
else if (type == "DES2")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES2));
else if (type == "DES3")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, label));//PROVAK
List<ObjectHandle> foundObjects = session.FindAllObjects(objectAttributes);
var key = foundObjects[0];
byte[] plainKeyValue = null;
List<ObjectAttribute> readAttrsSensitive = session.GetAttributeValue(key, new List<CKA>() { CKA.CKA_SENSITIVE });
if (!readAttrsSensitive[0].GetValueAsBool())
{
Utility.Logger("findTargetKeySValue chiave " + label + " non senstive", command);
List<ObjectAttribute> readAttrs = session.GetAttributeValue(key, new List<CKA>() { CKA.CKA_VALUE });
if (readAttrs[0].CannotBeRead)
throw new Exception("Key cannot be exported");
else
plainKeyValue = readAttrs[0].GetValueAsByteArray();
//Console.WriteLine(ByteArrayToAsciiHEX(plainKeyValue));
session.Logout();
return plainKeyValue;
}
else
{
Utility.Logger("findTargetKeySValue chiave " + label + " senstive", command);
Console.WriteLine("wrap/unwrap");
objectAttributes = new List<ObjectAttribute>();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "WRAPPING_KEY")); //WRAPPING_KEY WRK
foundObjects = session.FindAllObjects(objectAttributes);
var wrappingKey = foundObjects[0];
Mechanism m = new Mechanism(CKM.CKM_DES3_ECB);
var wrapped = session.WrapKey(m, wrappingKey, key);
//Console.WriteLine("wrapped " + ByteArrayToAsciiHEX(wrapped));
Console.WriteLine(ByteArrayToAsciiHEX(session.Decrypt(m, wrappingKey, wrapped)));
var k = session.Decrypt(m, wrappingKey, wrapped);
session.Logout();
return k;
}
}
//}
}
catch (Exception e)
{
//Console.WriteLine(e.ToSafeString());
Utility.Logger("findTargetKeySValue " + e.ToSafeString(), command);
return null;
}
}
public static string ByteArrayToAsciiHEX(byte[] ba)
{
string hex = BitConverter.ToString(ba);
return hex.Replace("-", "");
}
}
Sempre que é chamado, a instância do servidor da classe acima e chama o método findTargetKeySValue. Se o servidor receber solicitações simultâneas, ele falhará na interação HSM ... mas estou ficando louco, a sessão é sempre diferente, como nas especificações.
UPDATE3
Thread t = new Thread(() => ih.findTargetKeySValue(label, type, command));
t.Start();
Thread tt = new Thread(() => ih.findTargetKeySValue(label, type, command));
tt.Start();
Thread ttt = new Thread(() => ih.findTargetKeySValue(label, type, command));
ttt.Start();
Thread tttt = new Thread(() => ih.findTargetKeySValue(label, type, command));
tttt.Start();
Thread ttttt = new Thread(() => ih.findTargetKeySValue(label, type, command));
ttttt.Start();
Criei esse snippet simples para testar multithread (findTargetKeySValue está definido acima) e trava com a mensagem "O método C_Initialize retornou 2147483907". Esse código é definido pelo fornecedor e éCKR_CRYPTOKI_UNUSABLE. Vou usar isso para os próximos testes.
UPDATE4:
Eu mudei o código em
public InteropHSM()
{
string pkcs11LibraryPath = @"C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin\hsm\cryptoki.dll";
_pkcs11 = new Pkcs11(pkcs11LibraryPath, Inter_Settings.AppType);
_slot = Inter_Helpers.GetUsableSlot(_pkcs11);
session = _slot.OpenSession(SessionType.ReadOnly);
session.Login(CKU.CKU_USER, Inter_Settings.NormalUserPin);
}
public byte[] findTargetKeySValue(String label, String type, string command)
{
try
{
List<ObjectAttribute> objectAttributes = new List<ObjectAttribute>();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
if (type == "DES")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES));
else if (type == "DES2")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES2));
else if (type == "DES3")
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, label));//PROVAK
List<ObjectHandle> foundObjects = session.FindAllObjects(objectAttributes);
var key = foundObjects[0];
byte[] plainKeyValue = null;
List<ObjectAttribute> readAttrsSensitive = session.GetAttributeValue(key, new List<CKA>() { CKA.CKA_SENSITIVE });
if (!readAttrsSensitive[0].GetValueAsBool())
{
Utility.Logger("findTargetKeySValue chiave " + label + " non senstive", command);
List<ObjectAttribute> readAttrs = session.GetAttributeValue(key, new List<CKA>() { CKA.CKA_VALUE });
if (readAttrs[0].CannotBeRead)
throw new Exception("Key cannot be exported");
else
plainKeyValue = readAttrs[0].GetValueAsByteArray();
//Console.WriteLine(ByteArrayToAsciiHEX(plainKeyValue));
session.Logout();
Console.WriteLine(plainKeyValue);
return plainKeyValue;
}
else
{
Utility.Logger("findTargetKeySValue chiave " + label + " senstive", command);
Console.WriteLine("wrap/unwrap");
objectAttributes = new List<ObjectAttribute>();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "WRAPPING_KEY")); //WRAPPING_KEY WRK
foundObjects = session.FindAllObjects(objectAttributes);
var wrappingKey = foundObjects[0];
Mechanism m = new Mechanism(CKM.CKM_DES3_ECB);
var wrapped = session.WrapKey(m, wrappingKey, key);
//Console.WriteLine("wrapped " + ByteArrayToAsciiHEX(wrapped));
Console.WriteLine(ByteArrayToAsciiHEX(session.Decrypt(m, wrappingKey, wrapped)));
var k = session.Decrypt(m, wrappingKey, wrapped);
//session.Logout();
return k;
}
}
catch (Exception e)
{
Console.WriteLine(e.ToSafeString());
Utility.Logger("findTargetKeySValue " + e.ToSafeString(), command);
return null;
}
}
Eu chamo isso com código de UPDATE3. Estou entendendoO método C_FindObjectsFinal retornou CKR_OPERATION_NOT_INITIALIZED quando o código chama
List<ObjectHandle> foundObjects = session.FindAllObjects(objectAttributes);