3

I am attempting to generate an RSA key pair inside a SafeNet HSM. I copied the example templates specified in PKCS11 for the private and public keys. When I generate the key pair everything works fine. However, when I specify the following attribute values for the private key, C_GenerateKeyPair returns CKR_TEMPLATE_INCONSISTENT:

  1. CKA_DECRYPT = false.
  2. CKA_UNWRAP = true.

I can imagine why I get template inconsistent but I just want to verify it. Since the unwrap operation is in its essence a decrypt operation, then it is not consistent to allow a key to unwrap while it cannot decrypt.

However, shouldn't these two operations be treated separately by PKCS11 implementations?

Thanks in advance.

Timothy Ghanem

1 Answer

0

You should not have to set both of them; they are indeed separate. In fact, there exists in recent versions of the Gemalto SafeNet HSMs a partition policy that has to be enabled before so-called "multi-purpose keys" are even allowed. I think the inconsistency is not within the private key template, but rather between it and the corresponding public key template. You probably have to set the flags to the opposite values in the public key template.

mathiash
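A pre-flight check for the template pair discussed above, as an added example that is not code from the question, the answer or SafeNet. It assumes the answer's hypothesis that each public-key usage flag must agree with its private-key counterpart, and it assumes "multi-purpose" means more than one private-key usage flag enabled; the function name and the sample templates are constructed for illustration.

```python
# Added example: lint a PKCS#11 key-pair template pair before calling
# C_GenerateKeyPair. The pairing rule is the answer's hypothesis, not
# documented SafeNet behaviour.

# Public-key usage flag -> private-key counterpart (standard PKCS#11 names).
USAGE_PAIRS = {
    "CKA_ENCRYPT": "CKA_DECRYPT",
    "CKA_WRAP": "CKA_UNWRAP",
    "CKA_VERIFY": "CKA_SIGN",
}


def lint_keypair_templates(public, private):
    """Return findings for two templates given as {attribute name: bool}.

    Attributes left out of a template are skipped, because the token's
    default for them is implementation-specific.
    """
    findings = []
    for pub_attr, priv_attr in USAGE_PAIRS.items():
        if pub_attr in public and priv_attr in private:
            if public[pub_attr] != private[priv_attr]:
                findings.append(
                    f"mismatch: {pub_attr}={public[pub_attr]} "
                    f"but {priv_attr}={private[priv_attr]}"
                )
    # Assumption: a key with more than one usage enabled is "multi-purpose"
    # and may need the partition policy the answer mentions.
    enabled = [attr for attr in USAGE_PAIRS.values() if private.get(attr)]
    if len(enabled) > 1:
        findings.append("multi-purpose private key: " + ", ".join(enabled))
    return findings


# Constructed samples: the private-key values from the question, next to a
# public template that still enables encryption, and one that does not.
QUESTION_PRIVATE = {"CKA_DECRYPT": False, "CKA_UNWRAP": True}
PUBLIC_UNCHANGED = {"CKA_ENCRYPT": True, "CKA_WRAP": True}
PUBLIC_ADJUSTED = {"CKA_ENCRYPT": False, "CKA_WRAP": True}

if __name__ == "__main__":
    for name, pub in (("unchanged", PUBLIC_UNCHANGED), ("adjusted", PUBLIC_ADJUSTED)):
        print(name, lint_keypair_templates(pub, QUESTION_PRIVATE) or "consistent")
```

An empty result only means the pair passes this hypothetical rule; the token remains the authority on whether the templates are accepted.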