
Concurrency signing in HSM with LunaProvider throw CKR_DATA_INVALID

When I concurrently attempt to sign with the same key inside the HSM, some signatures fail with the following error: com.safenetinc.luna.exception.LunaCryptokiException: function 'C_Sign' returns 0x20 (CKR_DATA_INVALID)

With only one thread and one instance of my jar, I have no error. The more threads I have, the more often the signatures fail. An important point: if I have 2 instances of only one thread each, the issue also occurs.

I'm using the Luna JSP provider. The algorithm is SHA256withECDSA.

I also tried with a token connection, but got the same result. I checked my timeout in crystoki.ini; the failure occurs before the timeout. Even with a singleton for the keyStore, or for the privateKey, I have the issue.

Thread generator:

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

import org.springframework.boot.SpringApplication;

public class Multithreading extends Thread {

  // Shared, read-only input; static so that the static sign() method can use it.
  private static final byte[] CHALLENGE = new byte[10000];

  // Partition, credentials and key alias (values elided in the original post).
  private static String hsmPartition, hsmPassword, aliasToRetrieve;
  private static char[] password;
  private KeyStore hsmKeyStore;

  public static void main(String[] args) {
    SpringApplication.run(DccHsmTest.class, args);

    // Start four threads that all sign with the same HSM key.
    for (int i = 0; i < 4; i++) {
      Multithreading object = new Multithreading();
      object.start();
    }
  }

  public void run() {
    try {
      // Each thread builds its own HsmService and loads the key store itself.
      final HsmService hsmService = new HsmService();
      hsmKeyStore = hsmService.hsmKeyStore(hsmPartition, hsmPassword);
      PrivateKey privateKey = (PrivateKey) hsmKeyStore.getKey(aliasToRetrieve, password);

      // Sign repeatedly until the first failure.
      while (sign(privateKey)) {
        // ...
      }

      throw new RuntimeException();
    }
    catch (Exception e) {
      // ...
    }
  }

  private static boolean sign(PrivateKey privateKey) {
    try {
      // A fresh Signature object per call; only the PrivateKey handle is shared between threads.
      Signature signature = Signature.getInstance("SHA256withECDSA", "LunaProvider");
      signature.initSign(privateKey);
      signature.update(CHALLENGE);
      signature.sign();
      return true;
    }
    catch (Exception e) {
      // ...
      return false;
    }
  }
}

HsmService

import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertificateException;

import com.safenetinc.luna.LunaSlotManager;
import com.safenetinc.luna.provider.LunaProvider;

import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Service;

@Service
@Scope(ConfigurableBeanFactory.SCOPE_SINGLETON)
public class HsmService {

  public KeyStore hsmKeyStore(String hsmPartition, String hsmPassword) throws
      KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {

    // Registers a new LunaProvider and logs in to the partition on every call
    // (each signing thread calls this once from run()).
    LunaProvider lunaProvider = new LunaProvider();
    Security.addProvider(lunaProvider);

    LunaSlotManager lunaSlotManager = LunaSlotManager.getInstance();
    lunaSlotManager.login(hsmPartition, hsmPassword);

    KeyStore keyStore = KeyStore.getInstance("Luna");
    keyStore.load(null, null);
    return keyStore;
  }
}

The error definition of CKR_DATA_INVALID is:
The plaintext input data to a cryptographic operation is invalid.

But I always pass the same input, and sometimes it works.

The CKlog doesn't provide many details: FINISign CKR_DATA_INVALID (5811ms) {"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" }

It just seems to return a bad signature.

Finally, a simple reboot solved the problem. Now I have to find out whether this issue is due to bad usage of the HSM in my code, or to tests from other developers (the HSM is used by other projects).
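As an added example (not code from the question or from the Luna JSP), here is a variant of the same test harness that registers the provider and logs in to the partition once in the main thread, gives each worker thread its own Signature objects, and verifies every signature in software so that a "bad signature" (the symptom described above) is counted rather than silently accepted. Whether the per-thread provider registration and login in the original is what triggers CKR_DATA_INVALID is not established on this page; this layout only removes it as a variable. It assumes the Luna JSP classes at the package paths shown and uses placeholder partition, password and alias values.

```java
import com.safenetinc.luna.LunaSlotManager;
import com.safenetinc.luna.provider.LunaProvider;
import java.security.*;
import java.util.concurrent.atomic.AtomicInteger;

public class ConcurrentSignCheck {
  // Placeholders for this example, not the original poster's configuration.
  static final String PARTITION = "<partition-label>";
  static final String PARTITION_PASSWORD = "<partition-password>";
  static final String KEY_ALIAS = "<key-alias>";
  static final byte[] CHALLENGE = new byte[10000]; // constructed all-zero input, as in the question
  static final AtomicInteger OK = new AtomicInteger(), FAILED = new AtomicInteger();

  public static void main(String[] args) throws Exception {
    // Register the provider and log in to the partition exactly once, before any worker starts.
    Security.addProvider(new LunaProvider());
    LunaSlotManager.getInstance().login(PARTITION, PARTITION_PASSWORD);
    KeyStore ks = KeyStore.getInstance("Luna");
    ks.load(null, null);
    PrivateKey priv = (PrivateKey) ks.getKey(KEY_ALIAS, null); // key password argument as your key store requires
    PublicKey pub = ks.getCertificate(KEY_ALIAS).getPublicKey(); // assumes a certificate is stored under the alias

    Thread[] workers = new Thread[4];
    for (int i = 0; i < workers.length; i++) {
      workers[i] = new Thread(() -> signLoop(priv, pub, 100), "signer-" + i);
      workers[i].start();
    }
    for (Thread t : workers) t.join();
    System.out.printf("ok=%d failed=%d%n", OK.get(), FAILED.get());
  }

  /** Each thread owns its Signature instances; only the read-only key handle is shared. */
  static void signLoop(PrivateKey priv, PublicKey pub, int rounds) {
    for (int r = 0; r < rounds; r++) {
      try {
        Signature signer = Signature.getInstance("SHA256withECDSA", "LunaProvider");
        signer.initSign(priv);
        signer.update(CHALLENGE);
        byte[] sig = signer.sign();
        // Verify with the default (software) provider so a well-formed but wrong signature is counted, not ignored.
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(pub);
        verifier.update(CHALLENGE);
        if (verifier.verify(sig)) OK.incrementAndGet(); else FAILED.incrementAndGet();
      } catch (Exception e) { // includes LunaCryptokiException from C_Sign (e.g. CKR_DATA_INVALID)
        FAILED.incrementAndGet();
        System.err.println(Thread.currentThread().getName() + ": " + e);
      }
    }
  }
}
```

Running it as a single instance and then as two instances side by side reproduces the two cases described in the question, with the failure count telling whether the HSM returned an error or a signature that does not verify.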
