Sun PKCS＃11包装器如何调试CKR_TEMPLATE_INCONSISTENT

Question

Is there any way how to debug what is causing Sun PKCS#11 wrapper exception?:

sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT

I would like to know which attribute of PKCS#11 object is inconsistent and fix it.

Answer 1

It is quite tricky to find exactly what attribute is missing or provided incorrectly. The only way you could fix this is by trial and error. Since this exception is thrown by the token, it wouldn't be logged, which makes it much difficult to solve.

I would recommend first to better understand what type of token you are dealing with. This will give you a better idea of what type of object template it would expect.

For example, if the token only allows you to create sensitive keys, if you set the attribute value as false , the token would complain. So you have to try a combination of attributes and see if it succeeds in creating the object.

Another thing you could do is, if, the token comes with its own sdk or tools, that can interact with the token and create objects, create a test object using their sdk/tool, and then use the PKCS#11 interface to extract the object and see what template it has. You could use this as a base template.

If it doesn't you can try to create an object starting with a minimal template, with required values, like:

• Id (some random value)
• Label (alias name)
• Token (true recommended)
• Sensitive (true recommended)
• Algorithm/Mechanism (CKM_RSA_PKCS_KEY_PAIR_GEN / CKM_AES_KEY_GEN)
• Key Type (CKK_RSA / CKK_AES)
• Value Length (optional)
• Class (optional)

Answer 2

You can use a pkcs11 logging wrapper. For instance: https://github.com/Pkcs11Interop/pkcs11-logger

You'll need some environment variables:

• PKCS11_LOGGER_LIBRARY_PATH -> path to the real pkcs11 library
• PKCS11_LOGGER_LOG_FILE_PATH -> path to the log file
• PKCS11_LOGGER_FLAGS -> flags (take a look at pkcs11-logger README.md

file)