Pkcs11 No Slot With A Token Was Found
The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSMs) and smart cards, and names the API itself 'Cryptoki' (from 'cryptographic token interface', pronounced 'crypto-key'); 'PKCS #11' is often used to refer to the API as well as the standard that defines it.
The API defines the most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.
This container relies on a PKCS #11 library which handles the communication with the token/card. This can be a vendor-specific library or an open-source one; select the correct one for the type of token/card you are using.
Cause: a token is not present in the slot. Action: Place a pkcs11 token in the slot.
NZE-43011: pkcs11: Token login failed. Cause: To login to the pkcs11 token a correct passphrase is needed.
NZE-43019: pkcs11: No certificate found on smart card/HSM label with given cert label.
- 1.1 Description of this Document. This PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40 is intended to complement PKCS11-Base, PKCS11-Curr, PKCS11-Hist and PKCS11-Prof by providing guidance on how to implement the PKCS #11 interface most effectively.
- I recommend reading my PKCS#11 Terminology blog before trying this. In this blog, there is a simple program that gets the information about the HSM slots using the standard PKCS#11 library functions. In the above program statements, it loads the cryptoki library DLL provided by the HSM/token vendors.
Interface Summary
The Abstract PKCS #11 smartcard interface is summarized in the following snippet:
Each interface will be covered on this wiki, accompanied with example code and response objects.
Get the PKCS #11 container object
For more information on how to configure the T1C-JS client library see Client Configuration.
To set the location of the PKCS #11 library, pass a ModuleConfig object when initializing the client:
Then grab a reference to the pkcs11 container:
Call a function for the PKCS #11 container:
Reading data
Info
This method returns more information about the PKCS #11 library you are using.
An example response:
Slots
This method returns the available slots on the system.
An example response:
The flags value gives more information about the slot. Possible values are:
Value | Description |
---|---|
0 | Empty |
1 | Token present |
2 | Removable device |
3 | Token present + removable device |
4 | Hardware slot |
5 | Token present + hardware slot |
6 | Removable device + hardware slot |
7 | Token present + removable device + hardware slot |
32 | Unknown |
Slots with tokens present
This method is similar to the slots endpoint but only returns a list of slots where a token is present.
An example response:
Token
This method returns the token information for a slot.
An example response:
Certificates
This method allows you to retrieve the certificates from the PKCS #11 token.
An example callback:
Response:
Signing data
To successfully sign data, we need the following parameters:
- Slot ID of the token to use
- Certificate ID of the signing certificate
- PIN code
- Hashed data to sign
- Hashing algorithm used
The slot id can be found using a call to either slots or slotsWithTokenPresent. Once the slot id is found, the certificates can be retrieved with a call to certificates. This then returns the certificate id. Now we can combine this with the PIN code and hashed data + hashing algorithm (SHA1, SHA256, SHA384, SHA512) to create the final signData call:
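The slot selection and parameter gathering described above, as an added example that is not T1C-JS code: the slot objects, the field names (slot_id, flags), the request shape and the base64 digest encoding are assumptions, and only the flag bit values come from the table. It decodes the flags bitmask, fails when no slot reports a token, and hashes the input with Node's crypto module.

```javascript
// Added example: slot objects, field names and request shape are assumptions.
const { createHash } = require('crypto');

// Bit values from the flags table; they match PKCS #11 CKF_TOKEN_PRESENT,
// CKF_REMOVABLE_DEVICE and CKF_HW_SLOT.
const FLAG_BITS = [
  [0x1, 'token present'],
  [0x2, 'removable device'],
  [0x4, 'hardware slot'],
];
const HASHES = ['sha1', 'sha256', 'sha384', 'sha512'];

// Constructed sample of a slots response (not real library output).
const SAMPLE_SLOTS = [
  { slot_id: 0, flags: 6 }, // reader attached, no token inserted
  { slot_id: 1, flags: 7 }, // reader with a token
];

function decodeSlotFlags(flags) {
  const names = FLAG_BITS.filter(([bit]) => (flags & bit) !== 0).map(([, name]) => name);
  const rest = flags & ~0x7; // bits the table does not break down, e.g. 32
  if (rest !== 0) names.push(`unknown (0x${rest.toString(16)})`);
  return names.length > 0 ? names : ['empty'];
}

function slotsWithToken(slots) {
  return slots.filter((slot) => (slot.flags & 0x1) !== 0);
}

// Gather the five signing parameters. The caller supplies the certificate id
// and PIN; the digest is computed here and base64-encoded (assumed encoding).
function buildSignRequest(slots, certId, pin, data, algorithm = 'sha256') {
  if (!HASHES.includes(algorithm)) {
    throw new Error(`unsupported hashing algorithm: ${algorithm}`);
  }
  const usable = slotsWithToken(slots);
  if (usable.length === 0) {
    throw new Error('no slot with a token was found');
  }
  const digest = createHash(algorithm).update(data).digest('base64');
  return { slotId: usable[0].slot_id, certId, pin, algorithm, data: digest };
}
```

Checking the token-present bit before asking for a PIN avoids prompting the user for a credential that cannot be used.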
signData call
Returns signed data for provided input data.
An example response:
verifySignedData call
This call can be used to verify if the signed data is correct. The request is similar to signData, but we also pass in the signed hash:
An example response:
Error Handling
Error Object
The functions specified are asynchronous and always need a callback function.
The callback function will reply with a data object in case of success, or with an error object in case of an error. An example callback:
The error object returned:
For the error codes and description, see Status codes.
Hi,
I'm trying to use an Aladdin token to protect some sensitive information.
Unfortunately I'm getting the following error message:
vlad@brutal ~ $ ecryptfs-manager
eCryptfs key management menu
-------------------------------
1. Add passphrase key to keyring
2. Add public key to keyring
3. Generate new public/private keypair
4. Exit
Make selection: 2
[opensc-pkcs11] reader-pcsc.c:896:pcsc_detect_readers: SCardListReaders
failed: 0x8010002e
[opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with:
No readers found
Select key type to use for newly created files:
1) tspi
2) passphrase
3) openssl
4) pkcs11-helper
Selection: 4
[opensc-pkcs11] reader-pcsc.c:896:pcsc_detect_readers: SCardListReaders
failed: 0x8010002e
[opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with:
No readers found
[opensc-pkcs11] reader-pcsc.c:896:pcsc_detect_readers: SCardListReaders
failed: 0x8010002e
[opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with:
No readers found
PKCS#11 Serialized ID:
Passphrase (empty for interactive):
Optional X.509 Certificate PEM file:
Error processing key generation decision graph; rc = [-5]
I can see the card from pkcs11-tool
vlad@brutal ~ $ pkcs11-tool -L
[opensc-pkcs11] reader-pcsc.c:896:pcsc_detect_readers: SCardListReaders
failed: 0x8010002e
[opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with:
No readers found
[opensc-pkcs11] reader-pcsc.c:896:pcsc_detect_readers: SCardListReaders
failed: 0x8010002e
[opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with:
No readers found
Available slots:
Slot 0 Aladdin eToken PRO
token label: OpenSC Card (vlad)
token manuf: OpenSC Project
token model: PKCS#15
token flags: login required, PIN initialized, token initialized
serial num : 262119072909
Any idea? The same token is working for ssh login.
Here are my versions:
3.1.6-gentoo #1 SMP Tue Jan 17 10:22:02 CET 2012 i686 Intel(R) Core(TM)2 Duo CPU T9600 @ 2.80GHz GenuineIntel GNU/Linux
dev-libs/opensc 0.11.13-r2
sys-fs/ecryptfs-utils 95
dev-libs/pkcs11-helper 1.09
Thank you