PKCS errors listing slots

I’m running into issues using PKCS#11 tools with my HSM6. Using multiple tools I’ve received an error about an invalid slot. This has prevented me from using it for my first use case, which is a CA in a box using the Pi + module.

Using the pkcs11-tool CLI as a baseline, here’s the output:

crdant@certificates:~/workspace/step-ca_0.19.0 $ pkcs11-tool --module /usr/lib/libzk_pkcs11.so -l -p 1234 --token test --list-slots
Available slots:
Slot 0 (0x103ebe3b4): SoftHSM slot ID 0x3ebe3b4
  token label        : test
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 0.0
  firmware version   : 75.127
  serial num         : 4ce9927e03ebe3b4
  pin min/max        : 4049356396564721714/360856430586101759
Slot 1 (0x0): (GetSlotInfo failed, CKR_SLOT_ID_INVALID)
error: PKCS11 function C_OpenSession failed: rv = CKR_SLOT_ID_INVALID (0x3)
Aborting.

Other tools/libraries are showing the same issues. I’m using Raspbian Buster as the OS.

Played with this some more by generating additional tokens, and at some point it always drops out with the same CKR_SLOT_ID_INVALID error.
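pkcs11-tool stops at the first slot it cannot describe, so the listing above never shows whether the remaining slots answer at all. The script below is an added example (it is not code from this thread or from Zymbit): it loads the module through its own C_GetFunctionList with ctypes, records a separate C_GetSlotInfo and C_GetTokenInfo result for every slot the module lists, and decodes CK_TOKEN_INFO itself so that values like the pin min/max above, which cannot be PIN lengths, are flagged. It also prints sizeof(CK_ULONG), since a slot ID such as 0x103ebe3b4 does not fit in 32 bits. The module path is the one quoted above, the struct layouts assume the standard headers' natural alignment on Linux, and reading implausible PIN bounds as a caller/module disagreement about the struct layout is a hypothesis of this example, not something the thread establishes.

```python
"""Added example (not from the thread or from Zymbit): list a PKCS#11 module's slots
through its own C_GetFunctionList, one C_GetSlotInfo/C_GetTokenInfo result per slot,
without aborting at the first failure the way pkcs11-tool --list-slots does."""
import ctypes
import os
import sys

MODULE = "/usr/lib/libzk_pkcs11.so"   # path quoted in the thread; assumed present at run time

CK_ULONG = ctypes.c_ulong             # CK_ULONG is C 'unsigned long': 32 bits on 32-bit Raspbian
CK_RV = CK_SLOT_ID = CK_ULONG
CK_UNAVAILABLE_INFORMATION = (1 << (8 * ctypes.sizeof(CK_ULONG))) - 1

RV_NAMES = {0x00: "CKR_OK", 0x03: "CKR_SLOT_ID_INVALID", 0x05: "CKR_GENERAL_ERROR",
            0xE0: "CKR_TOKEN_NOT_PRESENT", 0xE1: "CKR_TOKEN_NOT_RECOGNIZED"}
TOKEN_FLAGS = {0x001: "rng", 0x004: "login required", 0x008: "PIN initialized",
               0x400: "token initialized"}

def rv_name(rv):
    return RV_NAMES.get(rv, "CKR_0x%x" % rv)

# Layouts follow pkcs11t.h with natural alignment (the standard headers pack only on Windows).
class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_SLOT_INFO(ctypes.Structure):
    _fields_ = [("slotDescription", ctypes.c_ubyte * 64), ("manufacturerID", ctypes.c_ubyte * 32),
                ("flags", CK_ULONG), ("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION)]

class CK_TOKEN_INFO(ctypes.Structure):
    _fields_ = ([("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
                 ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
                 ("flags", CK_ULONG)]
                + [(n, CK_ULONG) for n in ("ulMaxSessionCount", "ulSessionCount",
                   "ulMaxRwSessionCount", "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
                   "ulTotalPublicMemory", "ulFreePublicMemory", "ulTotalPrivateMemory",
                   "ulFreePrivateMemory")]
                + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
                   ("utcTime", ctypes.c_ubyte * 16)])

# Only the leading CK_FUNCTION_LIST entries are declared, in pkcs11f.h order, so offsets line up.
FN = ctypes.CFUNCTYPE
class CK_FUNCTION_LIST(ctypes.Structure):
    _fields_ = [("version", CK_VERSION),
                ("C_Initialize", FN(CK_RV, ctypes.c_void_p)),
                ("C_Finalize", FN(CK_RV, ctypes.c_void_p)),
                ("C_GetInfo", ctypes.c_void_p), ("C_GetFunctionList", ctypes.c_void_p),
                ("C_GetSlotList", FN(CK_RV, ctypes.c_ubyte, ctypes.POINTER(CK_SLOT_ID),
                                     ctypes.POINTER(CK_ULONG))),
                ("C_GetSlotInfo", FN(CK_RV, CK_SLOT_ID, ctypes.POINTER(CK_SLOT_INFO))),
                ("C_GetTokenInfo", FN(CK_RV, CK_SLOT_ID, ctypes.POINTER(CK_TOKEN_INFO)))]

def _text(buf):
    return bytes(buf).decode("ascii", "replace").rstrip(" \x00")   # PKCS#11 pads with spaces

def pin_range_plausible(pin_min, pin_max):
    """Hypothesis of this example: PIN bounds far beyond any real PIN length (as in the
    thread's pin min/max output) mean caller and module disagree about CK_TOKEN_INFO's
    layout (CK_ULONG width or packing). CK_UNAVAILABLE_INFORMATION is always legal."""
    concrete = [v for v in (pin_min, pin_max) if v != CK_UNAVAILABLE_INFORMATION]
    if any(v > 4096 for v in concrete):
        return False
    return len(concrete) < 2 or pin_min <= pin_max

def token_summary(info):
    """Flatten a CK_TOKEN_INFO into plain Python values."""
    flags = [name for bit, name in sorted(TOKEN_FLAGS.items()) if info.flags & bit]
    return {"label": _text(info.label), "model": _text(info.model),
            "serial": _text(info.serialNumber), "flags": flags,
            "pin_min": info.ulMinPinLen, "pin_max": info.ulMaxPinLen}

def enumerate_slots(module_path):
    """Return [(slot_id, GetSlotInfo rv name, GetTokenInfo rv name, summary or None)],
    one entry per listed slot, never stopping at the first failing slot."""
    lib = ctypes.CDLL(module_path)
    lib.C_GetFunctionList.restype = CK_RV
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = lib.C_GetFunctionList(ctypes.byref(fl))
    if rv != 0:
        raise RuntimeError("C_GetFunctionList: " + rv_name(rv))
    f = fl.contents
    rv = f.C_Initialize(None)
    if rv != 0:
        raise RuntimeError("C_Initialize: " + rv_name(rv))
    try:
        count = CK_ULONG(0)
        rv = f.C_GetSlotList(0, None, ctypes.byref(count))      # first call: size only
        if rv != 0:
            raise RuntimeError("C_GetSlotList: " + rv_name(rv))
        ids = (CK_SLOT_ID * max(count.value, 1))()
        rv = f.C_GetSlotList(0, ids, ctypes.byref(count))
        if rv != 0:
            raise RuntimeError("C_GetSlotList: " + rv_name(rv))
        results = []
        for sid in ids[:count.value]:
            sinfo, tinfo = CK_SLOT_INFO(), CK_TOKEN_INFO()
            rv_s = f.C_GetSlotInfo(sid, ctypes.byref(sinfo))
            rv_t = f.C_GetTokenInfo(sid, ctypes.byref(tinfo))
            results.append((sid, rv_name(rv_s), rv_name(rv_t),
                            token_summary(tinfo) if rv_t == 0 else None))
        return results
    finally:
        f.C_Finalize(None)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else MODULE
    if not os.path.exists(path):
        sys.exit("module not found: " + path)
    print("sizeof(CK_ULONG)=%d sizeof(CK_TOKEN_INFO)=%d"
          % (ctypes.sizeof(CK_ULONG), ctypes.sizeof(CK_TOKEN_INFO)))
    for sid, rv_s, rv_t, summ in enumerate_slots(path):
        print("slot 0x%x: C_GetSlotInfo=%s C_GetTokenInfo=%s" % (sid, rv_s, rv_t))
        if summ:
            print("  ", summ, "PIN range plausible:",
                  pin_range_plausible(summ["pin_min"], summ["pin_max"]))
```

Run it as the same user and with sudo, as with pkcs11-tool above; a slot that answers CKR_SLOT_ID_INVALID to C_GetSlotInfo but is still returned by C_GetSlotList is then visible as one line instead of an abort, and the sizeof values can be compared with what the module was built against.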

@crdant - Can you try this example and see if it works in your setup?

sudo zk_pkcs11-util --show-slots
SLOT_NUMBER=$(sudo zk_pkcs11-util --init-token --slot 0 --label "test" --pin 1234 --so-pin 1234 | grep -o '[0-9]\+')
echo "Slot number is: $SLOT_NUMBER"
sudo zk_pkcs11-util --show-slots

sudo zk_pkcs11-util --use-zkslot 2 --slot $SLOT_NUMBER --label iotkey --id 0000 --pin 1234
sudo zk_pkcs11-util --show-slots

# sudo zk_pkcs11-util --delete-token --token test

Hi @Bob_of_Zymbit , the first fragment runs as expected

crdant@certificates:~ $ sudo zk_pkcs11-util --show-slots
Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot ID 0x0
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:
crdant@certificates:~ $ SLOT_NUMBER=$(sudo zk_pkcs11-util --init-token --slot 0 --label "test" --pin 1234 --so-pin 1234 | grep -o '[0-9]\+')
crdant@certificates:~ $ echo "Slot number is: $SLOT_NUMBER"
Slot number is: 1517866645
crdant@certificates:~ $ sudo zk_pkcs11-util --show-slots
Available slots:
Slot 1517866645
    Slot info:
        Description:      SoftHSM slot ID 0x5a78ce95
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:    82c4f8675a78ce95
        Initialized:      yes
        User PIN init.:   yes
        Label:            test
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:

The second runs with no apparent change to the output from --show-slots:

crdant@certificates:~ $ sudo zk_pkcs11-util --use-zkslot 2 --slot $SLOT_NUMBER --label iotkey --id 0000 --pin 1234
crdant@certificates:~ $ sudo zk_pkcs11-util --show-slots
Available slots:
Slot 1517866645
    Slot info:
        Description:      SoftHSM slot ID 0x5a78ce95
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:    82c4f8675a78ce95
        Initialized:      yes
        User PIN init.:   yes
        Label:            test
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:

After running both, using the pkcs11-tool fails with a different error:

crdant@certificates:~ $ pkcs11-tool --module /usr/lib/libzk_pkcs11.so -l -p 1234 --token test --list-slots
Available slots:
Slot 0 (0x0): SoftHSM slot ID 0x0
  token state:   uninitialized
error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_NOT_RECOGNIZED (0xe1)
Aborting.
crdant@certificates:~ $

When I run sudo pkcs11-tool . . . I get the original CKR_SLOT_ID_INVALID error…

crdant@certificates:~ $ sudo pkcs11-tool --module /usr/lib/libzk_pkcs11.so -l -p 1234 --token test --list-slots
Available slots:
Slot 0 (0x15a78ce95): SoftHSM slot ID 0x5a78ce95
  token label        : test
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 0.0
  firmware version   : 40.111
  serial num         : 82c4f8675a78ce95
  pin min/max        : 4049356396564721714/360856430586101759
Slot 1 (0x0): (GetSlotInfo failed, CKR_SLOT_ID_INVALID)
error: PKCS11 function C_OpenSession failed: rv = CKR_SLOT_ID_INVALID (0x3)
Aborting.
crdant@certificates:~ $

I found the difference between sudo and no sudo on the pkcs11-tool. It was file permissions on the directory created under /var/lib/zymbit/zk_pkcs11/tokens.

My original issue remains, in that the PKCS#11 module appears to be bailing on slot listing when used with tools like pkcs11-tool and other commands that use PKCS#11 to access the module.
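The sudo/no-sudo difference traced above to directory permissions is worth checking mechanically before suspecting the module, because the kernel applies exactly one permission class (owner, then group, then other) to each path component and root bypasses most of it. The script below is an added example (not code from this thread or from Zymbit): it replays that check for every component of a path as a named user and reports the first component that user cannot traverse or read, with its mode and owner. The default path is the token store as spelled in the post above; whether that is the directory libzk_pkcs11.so actually opens is an assumption.

```python
"""Added example (not from the thread or from Zymbit): explain a "works under sudo, fails
without it" difference by replaying the permission check for each component of a path
as a given user, instead of guessing from ls output."""
import grp
import os
import pwd
import stat
import sys

TOKEN_DIR = "/var/lib/zymbit/zk_pkcs11/tokens"   # token store named in the thread (assumed)
R, W, X = 4, 2, 1

def rwx(bits):
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

def access_bits(mode, owner_uid, owner_gid, uid, gids):
    """Effective rwx for (uid, gids) on an object, POSIX style: root bypasses read and
    write checks (execute only for directories or when some x bit is set); otherwise
    exactly one class applies, owner first, then group, then other, with no fall-through."""
    if uid == 0:
        x = X if (stat.S_ISDIR(mode) or mode & 0o111) else 0
        return R | W | x
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def explain_access(path, user):
    """Walk path from / and return (ok, component, reason). Intermediate directories
    need search (x); the final directory needs r+x; a final file needs r."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    parts = os.path.abspath(path).split(os.sep)
    cur = os.sep
    for i, part in enumerate(parts):
        if part:
            cur = os.path.join(cur, part)
        st = os.stat(cur)
        have = access_bits(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
        if i < len(parts) - 1:
            need = X
        else:
            need = R | X if stat.S_ISDIR(st.st_mode) else R
        if need & ~have:
            return False, cur, "needs %s, %s has %s (mode %04o, owner %d:%d)" % (
                rwx(need), user, rwx(have), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return True, cur, "every component is accessible to %s" % user

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else TOKEN_DIR
    user = (sys.argv[2] if len(sys.argv) > 2
            else os.environ.get("SUDO_USER") or os.environ.get("USER", "pi"))
    ok, where, why = explain_access(path, user)
    print("OK" if ok else "DENIED", where, why)
```

Run it once for the tokens directory and once for the per-token subdirectory and each file inside it (the subdirectory is what zk_pkcs11-util creates as root), as the user that later runs pkcs11-tool; the owner-class rule in access_bits is also why a directory owned by root with generous group bits still denies a member of that group if it is not the owner class that applies.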

@crdant -

The displays would be the same.

zk_pkcs11-util is basically an extended softhsm2-util that adds the --use-zkslot parameter allowing you to use the private key from a given HSM6 keyslot instead of importing one from a PKCS#8 file. You can man zk_pkcs11-util and/or man zk_pkcs11.conf for a description of the slight changes.

Going back to the example, instead of --list-slots use --list-objects. You should see the key object included indicating that the private key of the HSM6 will be used for that token.

pi@pi:~ $ pkcs11-tool --module /usr/lib/libzk_pkcs11.so --token test --list-objects
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104e2482699f1c8d3d28e71ceac9e5133c187a53348be372f2894a884b57b9e7aba02ddcb0abbe710c9878317e767fe22877eca893dc41d61439df9162d81dc108c
  EC_PARAMS:  06082a8648ce3d030107
  label:      iotkey
  ID:         0000
  Usage:      verify
  Access:     none

pi@pi:~ $

I’m feeling more and more like the PKCS#11 support I relied on when making my purchase decision is a partial implementation and unable to support my use case. I can list objects, but the following operations for pkcs11-tool seem to fail:

--list-slots
--list-token-slots
--read-object --type pubkey
--keypairgen
--keygen

I’m happy to open individual threads on each of these items to show what I’m seeing to see if we can make progress, or to continue this thread. At this point I’m resigned to having made a poor choice in purchasing the HSM6.