[Opendnssec-user] SoftHSM warning 'PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed' when querying via pkcs11-tool

dchilton+opendnssec at bestmail.us
Fri Apr 29 14:38:51 UTC 2011


I built softhsm 1.2.0 and initialized a token. (I've since also tried
this with svn/trunk -- same results as below ...)

I built opensc,

opensc-tool --info
  opensc 0.12.0 [gcc  4.5.2 20110419 [gcc-4_5-branch revision 172703]]
  Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

and can use its pkcs11-tool to query the softhsm db,

pkcs11-tool --module=/usr/local/lib/libsofthsm.so \
--show-info --list-token-slots --list-mechanisms
        Cryptoki version 2.20
        Manufacturer     SoftHSM
        Library          Implementation of PKCS11 (ver 1.2)
        Available slots:
                Slot 0 (0x0): SoftHSM
                  token label:   TEST_Token
                  token manuf:   SoftHSM
                  token model:   SoftHSM
                  token flags:   rng, login required, PIN initialized,
                  token initialized, other flags=0x40
                  serial num  :  1
        Using slot 0 with a present token (0x0)
        Supported mechanisms:
          RSA-PKCS-KEY-PAIR-GEN, keySize={512,4096}, generate_key_pair
          RSA-PKCS, keySize={512,4096}, sign, verify
          RSA-X-509, keySize={512,4096}, sign, verify
          MD5, digest
          RIPEMD160, digest
          SHA-1, digest
          SHA256, digest
          SHA384, digest
          SHA512, digest
          MD5-RSA-PKCS, keySize={512,4096}, sign, verify
          RIPEMD160-RSA-PKCS, keySize={512,4096}, sign, verify
          SHA1-RSA-PKCS, keySize={512,4096}, sign, verify
          SHA256-RSA-PKCS, keySize={512,4096}, sign, verify
          SHA384-RSA-PKCS, keySize={512,4096}, sign, verify
          SHA512-RSA-PKCS, keySize={512,4096}, sign, verify

When I try to generate a keypair, it says 'keypair generated', but also
fires a warning,

pkcs11-tool --module=/usr/local/lib/libsofthsm.so \
--login --pin 1234 \
--keypairgen --key-type rsa:2048 --id 01 --label zone_key
        Using slot 0 with a present token (0x0)
        Key pair generated:
        Private Key Object; RSA
          label:      zone_key
          ID:         01
          Usage:      decrypt, sign, unwrap
        warning: PKCS11 function
        C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv =

        Public Key Object; RSA 2048 bits
          label:      zone_key
          ID:         01
          Usage:      encrypt, verify, wrap

On the opensc list, it was suggested this warning is a problem with

>> About the warning, it looks like your PKCS #11 module does not define the
>> CKA_ALWAYS_AUTHENTICATE attribute (which is part of PKCS #11
>> specification).

but, checking, it looks like it's defined ...

cd /usr/local/src/softhsm-1.2.0
grep CKA_ALWAYS_AUTHENTICATE ./src/lib/cryptoki_compat/pkcs11.h -A3 -B3
 #define CKA_EC_POINT                    (0x181)
 #define CKA_SECONDARY_AUTH              (0x200)
 #define CKA_AUTH_PIN_FLAGS              (0x201)
 #define CKA_ALWAYS_AUTHENTICATE         (0x202)
 #define CKA_WRAP_WITH_TRUSTED           (0x210)
 #define CKA_HW_FEATURE_TYPE             (0x300)
 #define CKA_RESET_ON_INIT               (0x301)

I don't know what's actually generating this warning, or how or whether
to fix it.

Any ideas if this is, in fact, SoftHSM complaining?
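
Added example (not part of the original post, and not SoftHSM or OpenSC code): the #define found by grep is only the attribute's numeric identifier, while whether a given key object carries that attribute is answered at run time by C_GetAttributeValue. The C code below assumes a module that returns CKR_ATTRIBUTE_TYPE_INVALID (0x12) for an attribute it does not store, which the truncated rv in the warning above does not confirm; mock_get_attribute and read_bool_attr are hypothetical names, and the PKCS #11 types are local stand-ins so it builds without pkcs11.h.

```c
#include <stdio.h>

/* Minimal local stand-ins for PKCS #11 types (assumption: no pkcs11.h needed). */
typedef unsigned long CK_ULONG, CK_RV, CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKR_OK                      0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID  0x12UL
#define CKA_SIGN                    0x108UL
#define CKA_ALWAYS_AUTHENTICATE     0x202UL  /* same value as in the grep output */
#define CK_UNAVAILABLE_INFORMATION  (~0UL)

/* Constructed stand-in for a module's C_GetAttributeValue on one private key
 * object that stores CKA_SIGN only. Hypothetical; not SoftHSM's code. */
static CK_RV mock_get_attribute(CK_ATTRIBUTE *a)
{
    if (a->type == CKA_SIGN && a->ulValueLen >= sizeof(CK_BBOOL)) {
        *(CK_BBOOL *)a->pValue = 1;
        a->ulValueLen = sizeof(CK_BBOOL);
        return CKR_OK;
    }
    a->ulValueLen = CK_UNAVAILABLE_INFORMATION;  /* PKCS #11: length set to -1 */
    return CKR_ATTRIBUTE_TYPE_INVALID;
}

/* Read a boolean attribute. Returns 1 or 0 for its value, -1 on any other error.
 * *stored is 0 when the object has no such attribute; dflt is returned then. */
static int read_bool_attr(CK_ATTRIBUTE_TYPE type, int dflt, int *stored)
{
    CK_BBOOL v = 0;
    CK_ATTRIBUTE a = { type, &v, sizeof v };
    CK_RV rv = mock_get_attribute(&a);
    *stored = (rv == CKR_OK);
    if (rv == CKR_OK) return v ? 1 : 0;
    if (rv == CKR_ATTRIBUTE_TYPE_INVALID) return dflt;  /* attribute absent */
    return -1;
}

int main(void)
{
    int stored;
    int sign = read_bool_attr(CKA_SIGN, 0, &stored);
    printf("CKA_SIGN=%d stored=%d\n", sign, stored);
    /* PKCS #11 gives CKA_ALWAYS_AUTHENTICATE a default of CK_FALSE. */
    int aa = read_bool_attr(CKA_ALWAYS_AUTHENTICATE, 0, &stored);
    printf("CKA_ALWAYS_AUTHENTICATE=%d stored=%d\n", aa, stored);
    return 0;
}
```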

