
CKR_FUNCTION_FAILED with SafeNet iKey 5100

Open vanbroup opened this issue 5 years ago • 7 comments

When creating a new Certificate Request or Self-Signed Certificate using the Fortify Tools on a SafeNet iKey 5100, the following error prevents the key from being created.

{"message":"Server: session:98b491a6109f67996fba43c56e287986545ffc59e652cc5d3609ebc9d8e62ec5 provider/action/getCrypto","level":"info"}
{"message":"Server: session:98b491a6109f67996fba43c56e287986545ffc59e652cc5d3609ebc9d8e62ec5 provider:7353a5eb65e00b5799b54c3beacb1b9285cf385eeb8944c040bcf9f116fdf28e crypto/isLoggedIn","level":"info"}
{"message":"Server: session:98b491a6109f67996fba43c56e287986545ffc59e652cc5d3609ebc9d8e62ec5 provider:7353a5eb65e00b5799b54c3beacb1b9285cf385eeb8944c040bcf9f116fdf28e crypto/subtle/generateKey","level":"info"}
{"message":"Server: session:98b491a6109f67996fba43c56e287986545ffc59e652cc5d3609ebc9d8e62ec5 provider:7353a5eb65e00b5799b54c3beacb1b9285cf385eeb8944c040bcf9f116fdf28e crypto/subtle/exportKey","level":"info"}
{"message":"Server: session:98b491a6109f67996fba43c56e287986545ffc59e652cc5d3609ebc9d8e62ec5 provider:7353a5eb65e00b5799b54c3beacb1b9285cf385eeb8944c040bcf9f116fdf28e crypto/subtle/sign","level":"info"}
{"message":"Server: session:98b491a6109f67996fba43c56e287986545ffc59e652cc5d3609ebc9d8e62ec5 provider:7353a5eb65e00b5799b54c3beacb1b9285cf385eeb8944c040bcf9f116fdf28e crypto/certificateStorage/import","level":"info"}
{"message":"Server: session:98b491a6109f67996fba43c56e287986545ffc59e652cc5d3609ebc9d8e62ec5 provider:7353a5eb65e00b5799b54c3beacb1b9285cf385eeb8944c040bcf9f116fdf28e crypto/keyStorage/setItem","level":"info"}
{"message":"Error: CKR_FUNCTION_FAILED:6\n    at Error (native) PKCS11::C_CopyObject:512\n    at Session.copy (C:\\Program Files\\Fortify\\resources\\app.asar\\node_modules\\graphene-pk11\\build\\session.js:55:34)\n    at KeyStorage.<anonymous> (C:\\Program Files\\Fortify\\resources\\app.asar\\node_modules\\node-webcrypto-p11\\build\\key_storage.js:161:49)\n    at Generator.next (<anonymous>)\n    at C:\\Program Files\\Fortify\\resources\\app.asar\\node_modules\\tslib\\tslib.js:110:75\n    at new Promise (<anonymous>)\n    at Object.__awaiter (C:\\Program Files\\Fortify\\resources\\app.asar\\node_modules\\tslib\\tslib.js:106:16)\n    at KeyStorage.setItem (C:\\Program Files\\Fortify\\resources\\app.asar\\node_modules\\node-webcrypto-p11\\build\\key_storage.js:155:24)\n    at KeyStorageService.onMessage (C:\\Program Files\\Fortify\\resources\\app.asar\\node_modules\\@webcrypto-local\\server\\build\\index.js:2722:53)\n    at processTicksAndRejections (internal/process/task_queues.js:86:5)","level":"error"}
Token category: Hardware
Reader name: AKS ifdh 0
Hardware version: 8.0
Firmware version: 1.0
Product name: SafeNet eToken 5100
Model: Token 8.0.0.0 1.0.0
Card type: Java Card
OS version: eToken Java Applet 1.2.9
Mask version: 9.18 (9.12)
Supported key size: 2048 bits
CSP: eToken Base Cryptographic Provider
KSP: SafeNet Smart Card Key Storage Provider

Signing using Fortify works fine.

Jan 24 '20 09:01 vanbroup

It's possible that your token doesn't support the C_CopyObject function. As I can see from the logs, it throws an exception when copying a key to your token.

Jan 24 '20 10:01 microshine
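
The log reading described above (the error that follows crypto/keyStorage/setItem comes from C_CopyObject), as an added example that is not part of the original thread or of Fortify's code: a Node.js script that pairs each PKCS#11 error in a Fortify JSON-lines log with the action logged just before it. The function name and the sample lines are assumptions; the sample is constructed from the log format shown in the issue, with placeholder ids.

```javascript
// Constructed sample in the format of the log above; <sid>/<pid> are placeholders.
const sampleLog = [
  '{"message":"Server: session:<sid> provider/action/getCrypto","level":"info"}',
  '{"message":"Server: session:<sid> provider:<pid> crypto/subtle/sign","level":"info"}',
  '{"message":"Server: session:<sid> provider:<pid> crypto/keyStorage/setItem","level":"info"}',
  '{"message":"Error: CKR_FUNCTION_FAILED:6\\n    at Error (native) PKCS11::C_CopyObject:512\\n    at Session.copy (session.js:55:34)","level":"error"}',
  'this line is not JSON and must be skipped'
].join("\n");

// Hypothetical helper: returns one finding per PKCS#11 error entry, with the
// last action logged before it, the CKR_* return value and the C_* function.
function triagePkcs11Errors(text) {
  const findings = [];
  let lastAction = null;
  for (const line of text.split(/\r?\n/)) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // tolerate truncated or non-JSON lines
    }
    if (!entry || typeof entry.message !== "string") continue;
    const msg = entry.message;
    if (entry.level === "info") {
      // The action is the last whitespace-separated token, e.g. crypto/subtle/sign
      const m = /^Server: .*\s(\S+\/\S+)$/.exec(msg);
      if (m) lastAction = m[1];
      continue;
    }
    const rv = /(CKR_[A-Z0-9_]+):(\d+)/.exec(msg);
    if (entry.level === "error" && rv) {
      const fn = /PKCS11::(C_[A-Za-z]+)/.exec(msg);
      findings.push({
        action: lastAction,
        returnValue: rv[1],
        code: Number(rv[2]),
        pkcs11Function: fn ? fn[1] : null
      });
    }
  }
  return findings;
}

for (const f of triagePkcs11Errors(sampleLog)) {
  console.log(`${f.action}: ${f.pkcs11Function} -> ${f.returnValue} (${f.code})`);
}
```
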

Any way to (quickly) verify that or to work around it?

Jan 24 '20 10:01 vanbroup

Do you have experience in NodeJS? I can write a simple script to test your token.

Jan 24 '20 11:01 microshine

I build some tests to verify the functionality of the token, but do you think you can make it work if it doesn't support this functionality? Else it's easier and quicker to get some new/supported tokens for this test.

Jan 24 '20 11:01 vanbroup

We test with a 5100; what version of the SAC client are you using?

Jan 24 '20 23:01 rmhrisk

SAC 10.4.26.0

Jan 30 '20 19:01 vanbroup

@microshine do you still have a 5100, and if so, what SAC client version do you have?

Jan 31 '20 08:01 rmhrisk