PKCS#11 Error 257 User not logged in

Fab · August 25, 2020, 12:41am

We use the OpenSC PKCS#11 library to control our NitroKey HSM.
This is on Ubuntu 20-04 with OpenSC 0.20.

We perform the following operations:
One user creates a Session and then Login with the User PIN.
No error is returned by the C_OpenSession (CKF_SERIAL_SESSION | CKF_RW_SESSION)
and the subsequent C_Login().
The session handle returned seems to be correct.

Then another user uses that session to create a key pair.

It seems that sometimes this 2nd user gets the error #257: User Not Logged returned from C_GenerateKeyPair.

It is not clear what is causing this but on the failure case, there was a delay between the C_Login and the C_GenerateKeyPair call.
Is there a time out on the session login if it’s not used to create keys or do other operations (like signing)? If not, what could be the explanation? And if there’s a time out, what is the recommended technique to keep the login alive?

sc-hsm · August 25, 2020, 8:30am

One issue could be a different process that is accessing and then resetting the device.

Normally opening a session and performing a login will leave the session in state open until the device is reset or C_Logout() is called.

Maybe you want to try the native PKCS#11 module.

Fab · August 25, 2020, 3:43pm

Thank you for your reply and asserting there is no time out. We will keep investigating these failures and also try your suggestion of using the native PKCS#11 module.