1 Reply Latest reply: Feb 13, 2012 9:10 PM by arshadnoor RSS

    PKCS11 provider session count bug


      when I am trying to sign many PDF files i got this exception:

      java.security.ProviderException: Initialization failed
           at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:294)
           at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:375)
           at java.security.Signature$Delegate.engineInitSign(Unknown Source)
           at java.security.Signature.initSign(Unknown Source)
           at org.btrust.signer.PDFSigner.initSignPDF(PDFSigner.java:298)
           at org.btrust.signer.PDFSigner.signPDF(PDFSigner.java:484)
           at org.btrust.util.SignThread.run(SignThread.java:648)
      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_COUNT
           at sun.security.pkcs11.wrapper.PKCS11.C_OpenSession(Native Method)
           at sun.security.pkcs11.SessionManager.openSession(SessionManager.java:185)
           at sun.security.pkcs11.SessionManager.getOpSession(SessionManager.java:123)
           at sun.security.pkcs11.Token.getOpSession(Token.java:247)
           at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:283)
           +... 6 more+

      I got this error every time at a different file, sometimes at file 250, sometimes at file 400.

      Basically I do make a new provider and take the private key from the Smart Card with that new provider. If i do not do this i got exception every time at file 99 , because the maximum session count is reached.
      I have no idea what this exception is for, and why every time i got it at different file. I don't know what CKR_SESSION_COUNT is! SessionManager is invisible and no methods are available to manually manage the sessions to the smart card. Why is this provider so restricted.
      There is even a BUG reported HERE
      I really hope someone of all you guys have already been down this road.
      As you can see the exception is at at java.security.Signature.initSign(Unknown Source) . Have no idea why that happened. And even more, why i can sign 200 files and at some point it fails. What can I do?
      Thank you a lot in advance

      Edited by: 908737 on Jan 19, 2012 6:55 AM
        • 1. Re: PKCS11 provider session count bug
          You really need to read up on the Public Key Cryptographic System #11 (PKCS#11 or P11) standard to understand what is going on underneath (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11v2.pdf).

          When you write a C-program to talk to a PKCS#11 cryptographic module, you "open a session" with the token. Implementers of the module support a certain number of sessions per module; when you reach the limit, you get a CKR_SESSION_COUNT return value, indicating that there are too many open sessions. Application developers who write code to the P11 interface are expected to close sessions when they're done - but the question of when an application is done depends on the developer.

          Since Sun Microsystems is the "application developer" of the SunPKCS11 Bridge, when you write JCE code and instantiate a new SunPKCS11 Provider, the Bridge code written by Sun "opens" the session to the underlying P11 token (your smartcard in this case). Obviously, when you exit the Java application, the Provider will close the session; until then, the session is likely kept open.

          Since we don't know how you've written your application code, its entirely possible that the way you've written it causes the Bridge to open a new session with the smartcard, thereby running out of sessions supported by the smartcard. You probably need to experiment with your Java code to see how you can reuse existing instantiated objects so the SunPKCS11 Bridge does not open a new session for each operation on the smartcard (unless the session truly requires a different type of P11 privilege or access - the PDF document describes P11 Sessions in great detail).

          It is for this reason, when I work with cryptographic hardware modules, I insist on the module vendor providing a native JCE interface - or at least a JCE Provider that talks to their own PKCS11 library; this way, the creators of the module know what to write in their JNI code to talk to their P11 module/token without a third-party Bridge (SunPKCS11) getting in the way.

          Arshad Noor
          StrongAuth, Inc.