Using IAIK PKCS#11 Wrapper with AWS CloudHSM

Hi,
I'm trying to issue RSA key pairs on AWS CloudHSM with a Java application using IAIK PKCS#11 Wrapper and JVM JCE Provider, and I'm facing some difficulties. Indeed, for now, the only way to generate a key pair is by providing minimal templates for both the public and private key:
RSAPublicKey rsaPublicKeyTemplate = new RSAPublicKey();
RSAPrivateKey rsaPrivateKeyTemplate = new RSAPrivateKey();
// Modulus length in bits
rsaPublicKeyTemplate.getModulusBits().setLongValue(Long.valueOf(keyLength));
// Public exponent (65537)
byte[] publicExponentBytes = {0x01, 0x00, 0x01};
rsaPublicKeyTemplate.getPublicExponent().setByteArrayValue(publicExponentBytes);

All other tries I made for customizing fail with the PKCS#11 error CKR_TEMPLATE_INCONSISTENT, for example when I try to make the generated key pair persistent:
rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
It seems that the HSM does not understand the templates I provide...

Has anyone here ever succeeded in using IAIK Provider, or is AWS CloudHSM not compatible with this provider?
Then, are we forced to use AWS JCE Provider?

Thanks in advance for taking time to read my questions
Eric

Edited by: EricT on Jan 11, 2021 3:23 AM

Edited by: EricT on Jan 11, 2021 6:51 AM

EricT
asked 3 years ago, 464 views
2 Answers

Hi everyone,

For all that are here coming from Google or anything else, the error CKR_TEMPLATE_INCONSISTENT can be easily solved by carefully looking at supported attributes :)
In my case, it was because I tried to build an RSA/ECDSA template with subject and start/end date attributes, which are not part of the list: https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-attributes.html

Éric

EricT
answered 3 years ago

To avoid the CKR_TEMPLATE_INCONSISTENT error, build RSA/ECDSA templates only with supported attributes.

EricT
answered 3 years ago
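
Added example, not part of the original thread and not AWS or IAIK code: a standalone pre-flight check that compares the attribute types in a key template against an allowlist and names the ones to drop before calling the HSM. The class name, the `supported` set and the sample values are constructed for illustration; the real allowlist has to be copied from the AWS attribute table linked in the answer, and the `CKA_*` numbers are the standard PKCS#11 values.

```java
import java.util.*;

public class TemplatePreflight {
    // Attribute type values as defined by the PKCS#11 specification (pkcs11t.h).
    static final long CKA_TOKEN = 0x001L, CKA_SUBJECT = 0x101L,
            CKA_START_DATE = 0x110L, CKA_END_DATE = 0x111L,
            CKA_MODULUS_BITS = 0x121L, CKA_PUBLIC_EXPONENT = 0x122L,
            CKA_VENDOR_DEFINED = 0x80000000L;

    static final Map<Long, String> NAMES = Map.of(
            CKA_TOKEN, "CKA_TOKEN", CKA_SUBJECT, "CKA_SUBJECT",
            CKA_START_DATE, "CKA_START_DATE", CKA_END_DATE, "CKA_END_DATE",
            CKA_MODULUS_BITS, "CKA_MODULUS_BITS",
            CKA_PUBLIC_EXPONENT, "CKA_PUBLIC_EXPONENT");

    // Readable name; types outside the table are printed in hex so that
    // vendor-defined attributes are still identifiable in the report.
    static String name(long type) {
        String known = NAMES.get(type);
        if (known != null) return known;
        String kind = (type & CKA_VENDOR_DEFINED) != 0 ? "vendor-defined" : "unknown";
        return String.format("%s 0x%08X", kind, type);
    }

    // Attribute types set in the template but missing from the allowlist,
    // in the order they were added to the template.
    static List<String> unsupported(Map<Long, Object> template, Set<Long> supported) {
        List<String> rejected = new ArrayList<>();
        for (Long type : template.keySet())
            if (!supported.contains(type)) rejected.add(name(type));
        return rejected;
    }

    public static void main(String[] args) {
        // ASSUMPTION: placeholder allowlist constructed for this example.
        // Replace it with the set from the vendor's attribute table.
        Set<Long> supported = Set.of(CKA_TOKEN, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT);

        // Constructed template: the question's attributes plus the subject and
        // start/end dates that the answer identifies as the cause of the error.
        Map<Long, Object> publicTemplate = new LinkedHashMap<>();
        publicTemplate.put(CKA_MODULUS_BITS, 2048L);
        publicTemplate.put(CKA_PUBLIC_EXPONENT, new byte[] {0x01, 0x00, 0x01});
        publicTemplate.put(CKA_TOKEN, Boolean.TRUE);
        publicTemplate.put(CKA_SUBJECT, new byte[0]);
        publicTemplate.put(CKA_START_DATE, "20210111");
        publicTemplate.put(CKA_END_DATE, "20220111");

        System.out.println("Remove before generating the key pair: "
                + unsupported(publicTemplate, supported));
    }
}
```

Run the same check on the private key template, since either one can trigger the error.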
