using (Session session = slot.OpenSession(SessionType.ReadWrite))
{
    session.Login(CKU.CKU_SO, "pin");

    List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>();
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "label2"));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "label1"));
    publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "Pkcs11Interop"));

    List<ObjectHandle> foundPublicKeys = session.FindAllObjects(publicKeyAttributes);
}

I am trying to use the Pkcs11Interop library to get my own certificate from the HSM and get it from the bill.

When I try to find my own certificate with this code:

var foundObjects = session.FindAllObjects(searchTemplate);

It returned zero (0).

session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle, out privateKeyHandle);

I found this code but I get an error.

C_GenerateKeyPair returned CKR_USER_NOT_LOGGED_IN

Can anyone help me? Thanks.

Abdullah Ilgaz
TEngineer
  • Please read [Under what circumstances may I add “urgent” or other similar phrases to my question, in order to obtain faster answers?](//meta.stackoverflow.com/q/326569) - the summary is that this is not an ideal way to address volunteers, and is probably counterproductive to obtaining answers. Please refrain from adding this to your questions. – halfer Mar 31 '18 at 11:08
    _I'm moving some excellent advice from Jariq's post to the comments._ (1) I can only guess what your question really is, because you are not asking clearly enough (the only time you used a question mark is after the word *"emergency ???"* which does not really help). See [How do I ask a good question?](https://stackoverflow.com/help/how-to-ask) for some basic ideas on how to improve your future questions. – halfer Mar 31 '18 at 11:10
    (2) You also did not provide enough code to let anyone understand your problem. It's always a good idea to provide [Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve) reproducing your problem. – halfer Mar 31 '18 at 11:12
    (3) It's also a good idea to use [markdown to format your question](https://stackoverflow.com/help/formatting) and increase its readability by doing so. – halfer Mar 31 '18 at 11:12
    (4) By making these beginner mistakes you are lowering the chance anyone will be able or willing to help you. Please try to improve your future questions. – halfer Mar 31 '18 at 11:14

1 Answer


So let's answer the questions I'm guessing you were trying to ask:

Question #1: When I try to find my own certificate object with var foundObjects = session.FindAllObjects(searchTemplate); I get zero objects. Why?

You did not post your search template so again I can only guess. My guess is that your search template does not match attributes of objects you are expecting to be found. In other words there are no objects on your token that match search template criteria.

For more details see the documentation of C_FindObjectsInit function in PKCS#11 v2.20 specification. It states:

The matching criterion is an exact byte-for-byte match with all attributes in the template.

You can also read Chapter 10 of PKCS#11 v2.20 specification to get familiar with PKCS#11 object types and their attributes.

Question #2: When I try to generate a new key pair with the session.GenerateKeyPair() method I get the error C_GenerateKeyPair returned CKR_USER_NOT_LOGGED_IN. Why?

Chapter 6.5 of PKCS#11 v2.20 specification states:

Only the normal user is allowed access to private objects on the token, and that access is granted only after the normal user has been authenticated. Some tokens may also require that a user be authenticated before any cryptographic function can be performed on the token, whether or not it involves private objects.

So I guess you must first authenticate to your token by calling session.Login() method and after that you should be able to create new token objects (generate keys).


Please note that it is highly recommended that before you start using Pkcs11Interop you get familiar at least with "Chapter 2 - Scope", "Chapter 6 - General overview" and "Chapter 10 - Objects" of the PKCS#11 v2.20 specification (or the equivalent chapters of any previous or subsequent specification version).

halfer
jariq
  • So my problem here is, do I try to enter my session.login () with the user "CKU.CKU_SO"? – TEngineer Mar 31 '18 at 09:40
    @TEngineer `CKU_SO` does not have access to private objects - `CKU_USER` does. Every object consists of a set of attributes each of which has precisely one value - you cannot specify `CKA_CLASS` multiple times in a single template. It seems you didn't read the specification at all. – jariq Mar 31 '18 at 09:59
  • Your meta-advice was excellent, but it doesn't belong in answers, because answers are not solely for question authors. I'll copy it to the comments. – halfer Mar 31 '18 at 11:09
    You are right, I will be more careful. I applied what @jariq said. But I still cannot find my certificates. This time I added CKA_CLASS and CKA_LABEL to the "publicKeyAttributes" part, but I still could not get the result I wanted, and session.Login(CKU.CKU_USER, password) was applied correctly in this part. Should I ask this as a separate question? – TEngineer Apr 02 '18 at 09:13
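Putting the answer and jariq's comment together, here is an added example (not code from the question, the answer or the Pkcs11Interop project) of a search template that follows the rules quoted above: log in as CKU_USER rather than CKU_SO, give each attribute exactly one value, and remember that every attribute is matched byte-for-byte. It assumes the Pkcs11Interop 4.x high-level API; the library path, PIN, slot index and label are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

class FindCertificateExample
{
    // Assumed values, not taken from the question: adjust for your token.
    const string LibraryPath = "cryptoki.dll";
    const string UserPin = "1234";
    const string CertificateLabel = "label1";

    static void Main()
    {
        using (Pkcs11 pkcs11 = new Pkcs11(LibraryPath, AppType.MultiThreaded))
        {
            Slot slot = pkcs11.GetSlotList(SlotsType.WithTokenPresent)[0];
            using (Session session = slot.OpenSession(SessionType.ReadOnly))
            {
                // Private objects are visible only to the normal user (PKCS#11 v2.20,
                // chapter 6.5), so log in as CKU_USER, not as the security officer.
                session.Login(CKU.CKU_USER, UserPin);

                // One value per attribute: listing CKA_CLASS three times is not an OR,
                // it is a template nothing can satisfy. Every value must match exactly,
                // so the label must be spelled byte-for-byte as it is stored.
                var template = new List<ObjectAttribute>
                {
                    new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE),
                    new ObjectAttribute(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509),
                    new ObjectAttribute(CKA.CKA_LABEL, CertificateLabel)
                };

                List<ObjectHandle> certs = session.FindAllObjects(template);
                Console.WriteLine("Matching certificate objects: " + certs.Count);

                foreach (ObjectHandle cert in certs)
                {
                    // Read the DER-encoded certificate and its CKA_ID; the same CKA_ID on
                    // a CKO_PRIVATE_KEY object is how the matching private key is located.
                    List<ObjectAttribute> attrs = session.GetAttributeValue(cert,
                        new List<CKA> { CKA.CKA_VALUE, CKA.CKA_ID });
                    byte[] der = attrs[0].GetValueAsByteArray();
                    byte[] id = attrs[1].GetValueAsByteArray();
                    Console.WriteLine("  DER length {0} bytes, CKA_ID {1}",
                        der.Length, ConvertUtils.BytesToHexString(id));
                }

                session.Logout();
            }
        }
    }
}
```

If the count is still zero after this, dump CKA_LABEL and CKA_CLASS of all objects found with an empty template and compare them with the template values, since a single differing byte (trailing space, different encoding) is enough to exclude an object.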