GenerateKeyPair: CKR_TEMPLATE_INCONSISTENT

3/22/2012 2:09:43 PM

GenerateKeyPair: CKR_TEMPLATE_INCONSISTENT

Hi

 

I'm trying to generate a key pair and store them on the token (ncipher net hsm 2000).
I'm getting error code 209: CKR_TEMPLATE_INCONSISTENT, and I can't figure out what's missing.
See the code snippet below where the attributes are defined.

Any ideas anyone?

Regards,
Mikael

........
                Log("Adding public attributes", true);
                CryptokiCollection templatePub = new CryptokiCollection();
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PUBLIC_KEY));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_DERIVE, false));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, storeOnToken));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, publicLabel));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, "1"));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_MODULUS_BITS, 1024));
                Log("Added " + templatePub.Count.ToString() + " attributes.", true);

                Log("Adding private attributes", true);
                CryptokiCollection templatePri = new CryptokiCollection();
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_DERIVE, false));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_EXTRACTABLE, true));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, storeOnToken));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, privateLabel));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, "1"));
                //templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_MODULUS_BITS, 1024));
                Log("Added " + templatePri.Count.ToString() + " attributes.", true);
............

3/22/2012 2:45:44 PM

Re: GenerateKeyPair: CKR_TEMPLATE_INCONSISTENT

Hi

I tried using an example from NETPKCS11.pdf (How to use NCryptoki), but then I got error code 6: CKR_FUNCTION_FAILED.
Is there any example out there that works (see the example I used further down this post)?

Since the API doesn't tell me which attribute is invalid or missing I'm kind of stumbling in the dark here...


Regards,
Mikael


Sample code from ncryptoki site:

CryptokiCollection templatePub = new CryptokiCollection();

templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS,
CryptokiObject.CKO_PUBLIC_KEY));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, false));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "Ugo's new Key"));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, "1"));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_MODULUS_BITS, 1024));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, 0x010001));
// Prepares the templates for private key
CryptokiCollection templatePri = new CryptokiCollection();
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS,
CryptokiObject.CKO_PRIVATE_KEY));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "Ugo's new Key"));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, "1"));  

3/22/2012 3:45:55 PM

Re: GenerateKeyPair: CKR_TEMPLATE_INCONSISTENT

Hi

I managed to solve the inconsistent part, but now I get CKR_FUNCTION_FAILED instead.
The strange thing is that the documentation (for ncipher net hsm 2000) specified that only the key type was a required attribute.

Any ideas what might be wrong? The attributes themselves are pretty straightforward and nothing that should have an invalid value.

The following attributes were required:

                Log("Adding public attributes", true);
                CryptokiCollection templatePub = new CryptokiCollection();
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PUBLIC_KEY));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, storeOnToken));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, publicLabel));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_WRAP, true));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_MODULUS_BITS, 1024));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, 0x10001));
                Log("Added " + templatePub.Count.ToString() + " attributes.", true);

                Log("Adding private attributes", true);
                CryptokiCollection templatePri = new CryptokiCollection();
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, storeOnToken));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_SUBJECT, "test"));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_UNWRAP, true));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, false));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, privateLabel));
                Log("Added " + templatePri.Count.ToString() + " attributes.", true);

Best regards,
Mikael

3/22/2012 5:58:32 PM
Ugo Chirico http://www.ugochirico.com

Re: GenerateKeyPair: CKR_TEMPLATE_INCONSISTENT

Hi Mikael, the errors you got come from the underlying PKCS#11 module. NCryptoki works as a wrapper passing the input and output parameters. Those errors may depend on the attributes in the templates that are not liked by the underlying PKCS#11 module. Follow the documentation of your net hsm 2000. If it says that only CKA_KEY_TYPE is needed, try to set that only. Let me know...

3/23/2012 9:13:38 AM

Re: GenerateKeyPair: CKR_TEMPLATE_INCONSISTENT

Hi

 

The thing is, if I only set CKA_KEY_TYPE then it complains of missing attributes :(
The attributes defined in my earlier post are the ones needed for the hsm to stop throwing CKR_TEMPLATE_INCOMPLETE or CKR_TEMPLATE_INCONSISTENT and go on and try to generate the key pair, but with a CKR_FUNCTION_FAILED as a result.

Unfortunately the hsm does not say why the key generation fails.

Regards,
Mikael
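
A pre-flight check for the two templates discussed in this thread, as an added example that is not part of the original posts and not NCryptoki code. It models a template as plain name/value pairs (the TemplateLint class, the Attr alias and the rule lists are hypothetical) and applies only the attribute placement rules of the PKCS#11 specification for RSA key pair generation; token-specific policy, which the underlying module may also enforce, is not covered.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Attr = System.Collections.Generic.KeyValuePair<string, object>;

static class TemplateLint
{
    // Class-specific attributes (subset of the PKCS#11 key object tables).
    static readonly string[] PubOnly = { "CKA_ENCRYPT", "CKA_VERIFY", "CKA_WRAP", "CKA_MODULUS_BITS" };
    static readonly string[] PriOnly = { "CKA_DECRYPT", "CKA_SIGN", "CKA_UNWRAP", "CKA_SENSITIVE", "CKA_EXTRACTABLE" };

    // Lints one template of an RSA C_GenerateKeyPair call and returns the findings.
    public static List<string> Check(bool isPublic, IList<Attr> template)
    {
        string side = isPublic ? "public" : "private";
        string wantClass = isPublic ? "CKO_PUBLIC_KEY" : "CKO_PRIVATE_KEY";
        var findings = new List<string>();
        foreach (var dup in template.GroupBy(a => a.Key).Where(grp => grp.Count() > 1))
            findings.Add(side + ": " + dup.Key + " is listed more than once");
        foreach (var attr in template)
        {
            if ((isPublic ? PriOnly : PubOnly).Contains(attr.Key))
                findings.Add(side + ": " + attr.Key + " is not defined for this key class");
            if (attr.Key == "CKA_CLASS" && !object.Equals(attr.Value, wantClass))
                findings.Add(side + ": CKA_CLASS must be " + wantClass);
            if (attr.Key == "CKA_KEY_TYPE" && !object.Equals(attr.Value, "CKK_RSA"))
                findings.Add(side + ": CKA_KEY_TYPE conflicts with the RSA mechanism");
            if (attr.Key == "CKA_MODULUS")
                findings.Add(side + ": CKA_MODULUS must not be supplied when generating");
        }
        if (isPublic && !template.Any(a => a.Key == "CKA_MODULUS_BITS"))
            findings.Add("public: CKA_MODULUS_BITS is required for generation");
        return findings;
    }

    static void Main()
    {
        // Constructed input: the first post's templates (abridged), with the
        // commented-out CKA_MODULUS_BITS line of the private template enabled.
        var pub = new List<Attr> {
            new Attr("CKA_CLASS", "CKO_PUBLIC_KEY"), new Attr("CKA_KEY_TYPE", "CKK_RSA"),
            new Attr("CKA_ENCRYPT", true), new Attr("CKA_MODULUS_BITS", 1024) };
        var pri = new List<Attr> {
            new Attr("CKA_CLASS", "CKO_PRIVATE_KEY"), new Attr("CKA_KEY_TYPE", "CKK_RSA"),
            new Attr("CKA_DECRYPT", true), new Attr("CKA_MODULUS_BITS", 1024) };
        foreach (var finding in Check(true, pub).Concat(Check(false, pri)))
            Console.WriteLine(finding);
    }
}
```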