Cryptographic Token Interface Standard
PKCS#11
Cryptoki function return values for functions that use a session handle
Any Cryptoki function that takes a session handle as one of its arguments (i.e., any Cryptoki function except for C_Initialize, C_Finalize, C_GetInfo, C_GetFunctionList, C_GetSlotList, C_GetSlotInfo, C_GetTokenInfo, C_WaitForSlotEvent, C_GetMechanismList, C_GetMechanismInfo, C_InitToken, C_OpenSession, and C_CloseAllSessions) can return the following values:
- CKR_SESSION_HANDLE_INVALID: The specified session handle was invalid at the time that the function was invoked. Note that this can happen if the session's token is removed before the function invocation, since removing a token closes all sessions with it.
- CKR_DEVICE_REMOVED: The token was removed from its slot during the execution of the function.
- CKR_SESSION_CLOSED: The session was closed during the execution of the function. Note that, as stated in Section 6.7.6, the behavior of Cryptoki is undefined if multiple threads of an application attempt to access a common Cryptoki session simultaneously. Therefore, there is actually no guarantee that a function invocation could ever return the value CKR_SESSION_CLOSED; if one thread is using a session when another thread closes that session, that is an instance of multiple threads accessing a common session simultaneously.
The relative priorities of these errors are in the order listed above, e.g., if either of CKR_SESSION_HANDLE_INVALID or CKR_DEVICE_REMOVED would be an appropriate error return, then CKR_SESSION_HANDLE_INVALID should be returned.
In practice, it is often not crucial (or possible) for a Cryptoki library to be able to make a distinction between a token being removed before a function invocation and a token being removed during a function execution.
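The priority ordering and the caveat above, as an added C example that is not part of the standard or of any Cryptoki library. `struct call_state`, `session_rv` and `session_is_dead` are hypothetical names, and the CKR_ values are repeated from pkcs11t.h so the block builds stand-alone.

```c
#include <stdio.h>

/* Return-value codes as in pkcs11t.h, repeated so this builds without it. */
typedef unsigned long CK_RV;
#define CKR_OK                     0x00000000UL
#define CKR_DEVICE_REMOVED         0x00000032UL
#define CKR_SESSION_CLOSED         0x000000B0UL
#define CKR_SESSION_HANDLE_INVALID 0x000000B3UL

/* Hypothetical per-call state inside a Cryptoki library (not from the spec). */
struct call_state {
    int token_removed_before;   /* token pulled before the call: its sessions are closed */
    int handle_known;           /* handle was found in the library's session table */
    int token_removed_during;   /* token pulled while the call was executing */
    int session_closed_during;  /* session closed while the call was executing */
};

/* Library side: the first applicable condition, in the listed order, wins. */
CK_RV session_rv(const struct call_state *s)
{
    if (s->token_removed_before || !s->handle_known)
        return CKR_SESSION_HANDLE_INVALID;
    if (s->token_removed_during)
        return CKR_DEVICE_REMOVED;
    if (s->session_closed_during)
        return CKR_SESSION_CLOSED;
    return CKR_OK;
}

/* Application side: a library may not tell "removed before" from "removed
   during", so all three codes get the same treatment: the handle is dead. */
int session_is_dead(CK_RV rv)
{
    return rv == CKR_SESSION_HANDLE_INVALID ||
           rv == CKR_DEVICE_REMOVED ||
           rv == CKR_SESSION_CLOSED;
}

int main(void)
{
    /* Constructed case: token pulled mid-call, which also closed the session. */
    struct call_state s = { 0, 1, 1, 1 };
    CK_RV rv = session_rv(&s);
    printf("rv=0x%08lX dead=%d\n", rv, session_is_dead(rv));
    return 0;
}
```

An application that sees any of the three codes should stop using the session handle and anything bound to it, and open a new session before retrying.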
RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230