PKCS#11: C_Decrypt returned CKR_OPERATION_NOT_INITIALIZED

2

I have been trying to decrypt a file with a smart card but I get a weird message.

I am using Pkcs11Interop to invoke C_Decrypt in the DLL file that uses pkcs11.h to communicate with smart cards.

This is the code:

public byte[] Decrypt(byte[] encData)
{
    byte[] decrypt = null;

    // Open a read-only session and run a single RSA-PKCS decryption with the private key handle
    using (Session session = _slot.OpenSession(SessionType.ReadOnly))
    using (Mechanism mechanism = new Mechanism(CKM.CKM_RSA_PKCS))
    {
        decrypt = session.Decrypt(mechanism, _privateKeyHandle, encData);
    }

    return decrypt;
}

The weird thing is, when I use a Yubico smart card with opensc-pkcs11.dll, it works fine. When I use an HSID5000 with hsid-pkcs11.dll, it fails with the message "C_Decrypt returned CKR_OPERATION_NOT_INITIALIZED".

When I use the same smart card (HSID5000) with pkcs11-tool instead of Pkcs11Interop, it works:

pkcs11-tool --id 01 --decrypt -p ******** -m RSA-PKCS --module hsid-pkcs11.dll --input-file input.enc

Here is the pkcs11-logger output generated with Pkcs11Interop in both scenarios (OpenSC smart card and HSID smart card).

Yubico OpenSC smart card log file:

0x00000b04 : 0x00000734 : Calling C_Decrypt
0x00000b04 : 0x00000734 : Input
0x00000b04 : 0x00000734 :  hSession: 35424832
0x00000b04 : 0x00000734 :  pEncryptedData: 0000000002E334C0
0x00000b04 : 0x00000734 :  *pEncryptedData: HEX(793...D99)
0x00000b04 : 0x00000734 :  ulEncryptedDataLen: 256
0x00000b04 : 0x00000734 :  pData: 0000000002E346E0
0x00000b04 : 0x00000734 :  pulDataLen: 000000000042EB48
0x00000b04 : 0x00000734 :  *pulDataLen: 7
0x00000b04 : 0x00000734 : Output
0x00000b04 : 0x00000734 :  pData: 0000000002E346E0
0x00000b04 : 0x00000734 :  pulDataLen: 000000000042EB48
0x00000b04 : 0x00000734 :  *pData: HEX(730D0A730D0A73)
0x00000b04 : 0x00000734 :  *pulDataLen: 7
0x00000b04 : 0x00000734 : Returning 0 (CKR_OK)

HSID smart card log file:

0x00001b90 : 0x00000d94 : Calling C_Decrypt
0x00001b90 : 0x00000d94 : Input
0x00001b90 : 0x00000d94 :  hSession: 12274064
0x00001b90 : 0x00000d94 :  pEncryptedData: 0000000002E6A300
0x00001b90 : 0x00000d94 :  *pEncryptedData: HEX(49B....527)
0x00001b90 : 0x00000d94 :  ulEncryptedDataLen: 256
0x00001b90 : 0x00000d94 :  pData: 0000000002E6B520
0x00001b90 : 0x00000d94 :  pulDataLen: 00000000004AE938
0x00001b90 : 0x00000d94 :  *pulDataLen: 256
0x00001b90 : 0x00000d94 : Returning 145 (CKR_OPERATION_NOT_INITIALIZED)

Can someone help me with this?

Update #1:

The full log file for the hsid-pkcs11.dll is here

Update #2: (Solution!)

After the remarkable comment from jariq: the HSID token doesn't like multiple calls to C_Decrypt, so I used his wrapper, but instead of using the HighLevel library I used the LowLevel one and called C_Decrypt only once. And it worked!

Thanks to all of you.

smartcard
pkcs#11
asked on Stack Overflow Oct 4, 2018 by Saleh Faisal • edited Oct 8, 2018 by Saleh Faisal

1 Answer

3

When executed with the --decrypt argument, pkcs11-tool calls (see source code) the following PKCS#11 functions:

  • C_DecryptInit to initialize operation
  • C_Decrypt with allocated output buffer to receive the decrypted data

Pkcs11Interop calls (see source code) the following PKCS#11 functions in its implementation of session.Decrypt():

  • C_DecryptInit to initialize operation
  • C_Decrypt without allocated output buffer to determine length of decrypted data
  • C_Decrypt with allocated output buffer to receive the decrypted data

It seems that hsid-pkcs11.dll does not like it when an application calls C_Decrypt twice, as Pkcs11Interop does. However, calling C_Decrypt twice is completely fine, and this technique is described in chapter 11.2 of the PKCS#11 v2.20 specification.

Exactly the same specification states on page 145 that:

C_Decrypt uses the convention described in Section 11.2 on producing output.

IMO you need to contact the vendor of your unmanaged PKCS#11 library and ask him for a fix or at least an explanation.

answered on Stack Overflow Oct 4, 2018 by jariq
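As an added example (not code from the question, the answer, Pkcs11Interop, pkcs11-tool or any vendor library), here is a stand-alone C model of what the answer describes and of the asker's single-call fix in Update #2. `C_Decrypt_model` implements the PKCS#11 v2.20 section 11.2 output convention: a NULL output buffer returns the required length and leaves the operation active, a too-small buffer returns CKR_BUFFER_TOO_SMALL and leaves it active, and only a successful copy finishes the operation. Its "strict" mode is purely an assumption about what a library like hsid-pkcs11.dll might be doing (finishing the operation on any C_Decrypt call, length query included); nothing here was verified against that DLL. The typedefs and constants mirror pkcs11.h so the file builds with only the C standard library, the "ciphertext" is a hand-built PKCS#1 v1.5 type 2 block with no RSA applied, and the plaintext is the 7 bytes the Yubico log shows.

```c
#include <stdio.h>
#include <string.h>

/* Minimal typedefs and return codes mirroring pkcs11.h, assumed here so the file
   compiles without the real header (the numeric values are the standard ones). */
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
#define CKR_OK                        0x00UL
#define CKR_ENCRYPTED_DATA_INVALID    0x40UL
#define CKR_OPERATION_NOT_INITIALIZED 0x91UL   /* decimal 145, the code in the HSID log */
#define CKR_BUFFER_TOO_SMALL          0x150UL

/* Constructed token: one active decryption operation per session, as in PKCS#11. */
typedef struct {
    int active;   /* set by C_DecryptInit, cleared when the operation finishes */
    int strict;   /* ASSUMPTION: models a library that ends the operation on any
                     C_Decrypt call, even the NULL-buffer length query */
} Token;

static CK_RV C_DecryptInit_model(Token *t) { t->active = 1; return CKR_OK; }

/* Stand-in for RSA-PKCS decryption: the "ciphertext" is a PKCS#1 v1.5 type 2 block
   (00 02 PS 00 M) with no RSA applied, so decrypting is just unpadding. Output follows
   the v2.20 section 11.2 convention: NULL pData -> report the required length and stay
   active; buffer too small -> CKR_BUFFER_TOO_SMALL and stay active; else copy, finish. */
static CK_RV C_Decrypt_model(Token *t, const CK_BYTE *enc, CK_ULONG encLen,
                             CK_BYTE *pData, CK_ULONG *pulDataLen)
{
    if (!t->active) return CKR_OPERATION_NOT_INITIALIZED;
    if (t->strict) t->active = 0;                       /* assumption, see above */
    const CK_BYTE *sep = (encLen > 2 && enc[0] == 0x00 && enc[1] == 0x02)
                         ? (const CK_BYTE *)memchr(enc + 2, 0x00, encLen - 2) : NULL;
    if (sep == NULL) { t->active = 0; return CKR_ENCRYPTED_DATA_INVALID; }
    CK_ULONG need = (CK_ULONG)((enc + encLen) - (sep + 1));   /* length of M */
    if (pData == NULL) { *pulDataLen = need; return CKR_OK; }
    if (*pulDataLen < need) { *pulDataLen = need; return CKR_BUFFER_TOO_SMALL; }
    memcpy(pData, sep + 1, need);
    *pulDataLen = need;
    t->active = 0;
    return CKR_OK;
}

/* Two-call pattern (Pkcs11Interop's session.Decrypt()): length query, then the real call. */
static CK_RV decrypt_two_calls(Token *t, const CK_BYTE *enc, CK_ULONG encLen,
                               CK_BYTE *out, CK_ULONG cap, CK_ULONG *outLen)
{
    CK_ULONG need = 0;
    CK_RV rv = C_DecryptInit_model(t);
    if (rv == CKR_OK) rv = C_Decrypt_model(t, enc, encLen, NULL, &need);
    if (rv != CKR_OK) return rv;
    if (need > cap) return CKR_BUFFER_TOO_SMALL;
    *outLen = need;
    return C_Decrypt_model(t, enc, encLen, out, outLen);
}

/* One-call pattern (pkcs11-tool, and the asker's LowLevel fix): buffer pre-sized to the modulus. */
static CK_RV decrypt_one_call(Token *t, const CK_BYTE *enc, CK_ULONG encLen,
                              CK_BYTE *out, CK_ULONG cap, CK_ULONG *outLen)
{
    CK_RV rv = C_DecryptInit_model(t);
    if (rv != CKR_OK) return rv;
    *outLen = cap;
    return C_Decrypt_model(t, enc, encLen, out, outLen);
}

/* Constructed plaintext: the same 7 bytes the Yubico log shows as HEX(730D0A730D0A73). */
static const char MSG[] = "s\r\ns\r\ns";

/* Run one scenario (token model x call pattern) on a constructed 256-byte block.
   Returns the PKCS#11 return code; plain receives the NUL-terminated plaintext. */
static CK_RV run_scenario(int strict, int two_calls, char *plain, size_t plainCap)
{
    CK_BYTE enc[256], out[256];
    CK_ULONG outLen = 0, m = sizeof MSG - 1;
    Token t = { 0, strict };
    enc[0] = 0x00; enc[1] = 0x02;                    /* 00 02 PS 00 M, no real RSA */
    memset(enc + 2, 0xFF, sizeof enc - m - 3);       /* non-zero padding string */
    enc[sizeof enc - m - 1] = 0x00;
    memcpy(enc + sizeof enc - m, MSG, m);
    CK_RV rv = two_calls ? decrypt_two_calls(&t, enc, sizeof enc, out, sizeof out, &outLen)
                         : decrypt_one_call(&t, enc, sizeof enc, out, sizeof out, &outLen);
    plain[0] = '\0';
    if (rv == CKR_OK && outLen < plainCap) { memcpy(plain, out, outLen); plain[outLen] = '\0'; }
    return rv;
}

/* Check helpers: return code only, or whether the plaintext round-tripped intact. */
static CK_RV scenario_rv(int strict, int two_calls)
{ char p[64]; return run_scenario(strict, two_calls, p, sizeof p); }
static int scenario_plain_ok(int strict, int two_calls)
{ char p[64]; return run_scenario(strict, two_calls, p, sizeof p) == CKR_OK && strcmp(p, MSG) == 0; }

int main(void)
{
    for (int strict = 0; strict < 2; strict++)
        for (int two = 0; two < 2; two++)
            printf("%s token, %s: rv=%lu, plaintext %s\n", strict ? "strict" : "conforming",
                   two ? "two calls" : "one call", scenario_rv(strict, two),
                   scenario_plain_ok(strict, two) ? "ok" : "missing");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. Against the conforming token both patterns succeed, which is the spec behaviour the answer cites; under the assumed strict mode the two-call pattern fails on its second C_Decrypt with 145 (CKR_OPERATION_NOT_INITIALIZED), matching the HSID log, while the one-call pattern still succeeds, matching both pkcs11-tool and the Update #2 fix. The one-call pattern is also the safer one to standardise on in your own code: sizing the buffer to the modulus length costs nothing and avoids depending on length-query behaviour that some libraries get wrong.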

User contributions licensed under CC BY-SA 3.0