Menu

#20 Thales/nCipher nShield PKCS#11 integration - EC generate key CKR_TEMPLATE_INCONSISTENT error

Unstable_(example)
closed
nobody
None
5
2018-01-06
2016-07-26
Mark Penny
No

When using Thales (formerly nCipher) nShield HSMs with XCA via PKCS#11 integration, an error occurs when generating any EC key as follows:

PKCS#11 function 'C_GenerateKeyPair' failed: CKR_TEMPLATE_INCONSISTENT

The console shows this additional information:

pkcs11: 000008CD Error: CKA_SIGN should be false if CKA_DERIVE true for EC key

The error occurs when generating an EC key because nShield treats ECDH and ECDSA keys differently even though PKCS#11 uses the same type for both. nShield PKCS#11 thus uses the derive/sign distinction to determine what type of key to create. If both CKA_DERIVE and CKA_SIGN are 'true', the key creation will therefore fail.

I created this bit of code to add to pkcs11.cpp to workaround the problem. This can be added round the "priv_atts << pk11_attr_bool(CKA_DERIVE, true" statement to provide a determination as to whether the token in use is an nShield and if so, to set CKA_DERIVE to 'false'. This then allows EC keys to be created on nShield successfully.

if (tokenInfo().manufacturerID() == "nCipher Corp. Ltd") {
priv_atts << pk11_attr_bool(CKA_DERIVE, false);
}
else
{
priv_atts << pk11_attr_bool(CKA_DERIVE, true);
}

I hope this is helpful.

Discussion

  • Christian Hohnstaedt

    • status: open --> closed
     
  • Christian Hohnstaedt

    Implemented differently for xca 1.4.0

    commit 806312800de5ee893720df490a971e494dc984e0
    Author: Christian Hohnstaedt chohnstaedt@innominate.com
    Date: Wed Dec 2 08:48:30 2015 +0100

    Thales nCipher key generation changes for EC and DSA keys
    
    Developed and tested by
     Mak, Mcken <Mcken.Mak@thalesesec.com>
    
    Thanks!