When using Thales (formerly nCipher) nShield HSMs with XCA via PKCS#11 integration, an error occurs when generating any EC key as follows:
PKCS#11 function 'C_GenerateKeyPair' failed: CKR_TEMPLATE_INCONSISTENT
The console shows this additional information:
pkcs11: 000008CD Error: CKA_SIGN should be false if CKA_DERIVE true for EC key
The error occurs when generating an EC key because nShield treats ECDH and ECDSA keys differently even though PKCS#11 uses the same type for both. nShield PKCS#11 thus uses the derive/sign distinction to determine what type of key to create. If both CKA_DERIVE and CKA_SIGN are 'true', the key creation will therefore fail.
I created this bit of code to add to pkcs11.cpp to work around the problem. This can be added around the "priv_atts << pk11_attr_bool(CKA_DERIVE, true)" statement to provide a determination as to whether the token in use is an nShield and, if so, to set CKA_DERIVE to 'false'. This then allows EC keys to be created on nShield successfully.
    // nShield rejects an EC private-key template that sets both CKA_SIGN and
    // CKA_DERIVE, so only request CKA_DERIVE on tokens from other vendors.
    if (tokenInfo().manufacturerID() == "nCipher Corp. Ltd") {
        // nShield: leave CKA_DERIVE false so the key is created as a signing (ECDSA) key
        priv_atts << pk11_attr_bool(CKA_DERIVE, false);
    } else {
        priv_atts << pk11_attr_bool(CKA_DERIVE, true);
    }
I hope this is helpful.
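As an added illustration (not code from XCA or from the report above), the following Python models the nShield rule and the vendor-aware template the reporter describes, using the standard PKCS#11 attribute values; the 32-byte blank-padded manufacturerID handling and the "Other Vendor Inc" sample string are assumptions made for the example.

```python
"""Model the nShield EC key-template rule described in the issue above."""

# Standard PKCS#11 attribute types and constant values
CKA_CLASS, CKA_KEY_TYPE = 0x000, 0x100
CKA_SIGN, CKA_DERIVE = 0x108, 0x10C
CKO_PRIVATE_KEY, CKK_EC = 0x3, 0x3

# Manufacturer string reported by nShield tokens (taken from the report above)
NSHIELD_MANUFACTURER = "nCipher Corp. Ltd"


def manufacturer_from_token_info(raw32: bytes) -> str:
    """CK_TOKEN_INFO.manufacturerID is a 32-byte field padded with blanks,
    so strip the padding before comparing it with a vendor string."""
    return raw32.decode("utf-8").rstrip(" ")


def ec_private_key_template(manufacturer: str, want_sign: bool = True,
                            want_derive: bool = True) -> dict:
    """Build the private-key attribute template passed to C_GenerateKeyPair.
    On nShield an EC key is either a signing (ECDSA) key or a derive (ECDH)
    key, so when both are requested the certificate use case wins and
    CKA_DERIVE is dropped, mirroring the reporter's workaround."""
    template = {CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_EC,
                CKA_SIGN: want_sign, CKA_DERIVE: want_derive}
    if manufacturer == NSHIELD_MANUFACTURER and want_sign and want_derive:
        template[CKA_DERIVE] = False  # ECDH would need a separate key on nShield
    return template


def nshield_template_consistent(template: dict) -> bool:
    """Reproduce the check behind 'CKA_SIGN should be false if CKA_DERIVE true
    for EC key': both flags set on an EC private key is inconsistent."""
    if template.get(CKA_KEY_TYPE) != CKK_EC:
        return True
    return not (template.get(CKA_SIGN, False) and template.get(CKA_DERIVE, False))


if __name__ == "__main__":
    # Constructed token info: vendor string padded to 32 bytes as a token would return it
    vendor = manufacturer_from_token_info(b"nCipher Corp. Ltd".ljust(32, b" "))
    tmpl = ec_private_key_template(vendor)
    print("CKA_DERIVE:", tmpl[CKA_DERIVE], "consistent:", nshield_template_consistent(tmpl))
```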
Implemented differently for xca 1.4.0
commit 806312800de5ee893720df490a971e494dc984e0
Author: Christian Hohnstaedt chohnstaedt@innominate.com
Date: Wed Dec 2 08:48:30 2015 +0100