[Cryptech Tech] Generating keys on alpha using pkcs11-tool

Rob Austein sra at hactrn.net
Mon Nov 21 13:02:09 UTC 2016


At Mon, 21 Nov 2016 12:27:37 +0100, Linus Nordberg wrote:
> 
> pkcs11-tool now prints
> 
>   error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_FAILED (0x6)
> 
> I do have the libengine-pkcs11-openssl (and libp11-2) package installed
> and am using openssl.cnf from your openssl-engine repo.
> 
> An observation I've made is that the time it takes to fail increases
> with the bit size of the key I'm asking for to be generated.

Sounds like it's generating the key but having trouble storing it.

> What would your recommended next step for debugging be?

I would not put serious effort into debugging that version, it's far
enough behind the current development code that it'd be wasted
effort.  The keystore has completely changed, and I'm currently in the
process of getting rid of the SQL database entirely (not there yet).

If you really want to do serious debugging, figure out how to build
from source and debug the ksng branches (all sw repos which have a
branch by that name).  We haven't tried to figure out a sane scheme
for building packaged binaries of development branches, it's not
rocket science, just tedious and potentially confusing for users.

From your description, though, it may be something as simple as the
SQL database not being writable by the user account that's running
this test, so I'd check for that first.

