Sun PKCS#11 Wrapper how to debug CKR_TEMPLATE_INCONSISTENT

Is there any way to debug what is causing a Sun PKCS#11 wrapper exception?

sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT

I would like to know which attribute of PKCS#11 object is inconsistent and fix it.



Solution 1:[1]

It is quite tricky to find exactly what attribute is missing or provided incorrectly. The only way you could fix this is by trial and error. Since this exception is thrown by the token, it wouldn't be logged, which makes it much more difficult to solve.

I would recommend first to better understand what type of token you are dealing with. This will give you a better idea of what type of object template it would expect.

For example, if the token only allows you to create sensitive keys and you set the attribute value to false, the token would complain. So you have to try a combination of attributes and see if it succeeds in creating the object.

Another thing you could do, if the token comes with its own SDK or tools that can interact with the token and create objects, is to create a test object using their SDK/tool, and then use the PKCS#11 interface to extract the object and see what template it has. You could use this as a base template.

If it doesn't, you can try to create an object starting with a minimal template, with required values, like:

  • Id (some random value)
  • Label (alias name)
  • Token (true recommended)
  • Sensitive (true recommended)
  • Algorithm/Mechanism (CKM_RSA_PKCS_KEY_PAIR_GEN / CKM_AES_KEY_GEN)
  • Key Type (CKK_RSA / CKK_AES)
  • Value Length (optional)
  • Class (optional)

Solution 2:[2]

You can use a pkcs11 logging wrapper. For instance: https://github.com/Pkcs11Interop/pkcs11-logger

You'll need some environment variables:

  • PKCS11_LOGGER_LIBRARY_PATH -> path to the real pkcs11 library
  • PKCS11_LOGGER_LOG_FILE_PATH -> path to the log file
  • PKCS11_LOGGER_FLAGS -> flags (take a look at the pkcs11-logger README.md file)

Solution 3:[3]

I was doing some experiments with PKCS11 lib on C# and as far as I know, it's the same for Java or even JavaScript so...

When I tried to craft an "RSA key pair" I got a problem when declaring:

  • CKA.CKA_CLASS, CKO.CKO_SECRET_KEY

Also, when working with AES keys, I got issues when I tried to create it with "Value_length" different from 32.
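
Added example, not part of any answer above and not code from the Sun wrapper: the trial-and-error loop from Solution 1 combined with an offline check for the class and length conflicts mentioned in Solution 3. The names `check_template`, `isolate`, `fake_token` and `TOKEN_POLICY` are hypothetical; the policy is constructed, and `fake_token` stands in for the real key-generation call, which would return False when the token answers CKR_TEMPLATE_INCONSISTENT.

```python
# Added example. The mechanism rules follow the PKCS#11 specification;
# TOKEN_POLICY is a constructed stand-in for one vendor's restrictions.
MECHANISMS = {  # mechanism -> (key type, allowed CKA_CLASS values, valid CKA_VALUE_LEN)
    "CKM_AES_KEY_GEN": ("CKK_AES", {"CKO_SECRET_KEY"}, {16, 24, 32}),
    "CKM_RSA_PKCS_KEY_PAIR_GEN": ("CKK_RSA", {"CKO_PUBLIC_KEY", "CKO_PRIVATE_KEY"}, None),
}
TOKEN_POLICY = {"CKA_SENSITIVE": True}  # constructed: token that refuses non-sensitive keys


def check_template(mechanism, template, policy=TOKEN_POLICY):
    """Return a list of conflicts found in a key-generation template."""
    key_type, classes, lengths = MECHANISMS[mechanism]
    problems = []
    cls = template.get("CKA_CLASS")
    if cls is not None and cls not in classes:
        problems.append(f"CKA_CLASS={cls} does not match {mechanism}")
    kt = template.get("CKA_KEY_TYPE")
    if kt is not None and kt != key_type:
        problems.append(f"CKA_KEY_TYPE={kt} does not match {mechanism}")
    vlen = template.get("CKA_VALUE_LEN")
    if vlen is not None and lengths is None:
        problems.append(f"CKA_VALUE_LEN does not apply to {mechanism}")
    elif vlen is not None and vlen not in lengths:
        problems.append(f"CKA_VALUE_LEN={vlen} is not an AES key size (16, 24, 32)")
    for attr, required in policy.items():
        if attr in template and template[attr] != required:
            problems.append(f"{attr}={template[attr]} violates token policy ({required})")
    return problems


def isolate(mechanism, minimal, extras, accepts):
    """Add attributes from `extras` to `minimal` one at a time and return the
    names that make `accepts(mechanism, template)` fail (the trial-and-error loop)."""
    good, rejected = dict(minimal), []
    for name, value in extras.items():
        trial = {**good, name: value}
        if accepts(mechanism, trial):
            good = trial  # keep the attribute and continue from the larger template
        else:
            rejected.append(name)
    return rejected


def fake_token(mechanism, template):
    """Constructed stand-in for the generate call: accepts iff no conflict is found."""
    return not check_template(mechanism, template)
```

Against a real token, pass a callback that performs the actual generate call and destroys the test object afterwards; the attributes `isolate` returns are the ones to inspect first.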

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Egl
Solution 3 Dharman