Provider Initialization (Validating Signatures)

By default, the SunPKCS11 provider only specifies mandatory PKCS#11 attributes when creating objects. The PKCS#11 library you are using assigns implementation-specific default values to the other attributes. For example, when the SunPKCS11 provider imports a public key into the security token to validate a signature, the CKA_VERIFY attribute is absent and the nCipher default is false.

When this public key is passed to the C_VerifyInit() function, the public key is rejected with the error CKR_KEY_FUNCTION_NOT_PERMITTED as shown in the nCipher log. In Java, this can cause the following obscure error message:

ProviderException: initialization failed

The Sun PKCS11 Provider reference guide explains how to set specific attributes for various kinds of keys and cryptography operations. The simplest solution is to add the following line to the configuration file:

attributes = compatibility

The following is a relevant paragraph from the Sun PKCS#11 reference guide:

There is also a special form of the attributes option. You can write attributes = compatibility in the configuration file. That is a shortcut for a whole set of attribute statements. They are designed to provide maximum compatibility with existing Java applications, which may expect, for example, all key components to be accessible and secret keys to be usable for both encryption and decryption.

A sample configuration file using the attributes statement is shown in the following example:

name=nShield
library=D:/nfast/bin/cknfast.dll
description=nShield_PCI_500
slotListIndex=1
attributes = compatibility

A slotListIndex of 0 selects the HSM accelerator slot, where module-protected keys are stored. A module-protected key requires no password or user input. To use a softcard to protect your keys, you must define slotListIndex=1.
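The following Java program is an added example (not code from iWay Software or from the Sun PKCS#11 reference guide) of the flow the text describes: it loads the SunPKCS11 provider from a configuration file such as the one above, opens the token's PKCS11 keystore, and verifies a detached signature. The configuration path D:/nfast/pkcs11.cfg, the certificate alias signing-cert, the SHA256withRSA algorithm and the assumption that the softcard passphrase is read from the console are all illustrative choices; the call to initVerify is the point at which the public key is imported into the token and where the CKR_KEY_FUNCTION_NOT_PERMITTED rejection surfaces if CKA_VERIFY is left at the nCipher default.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;

/**
 * Added example: validate a detached signature through SunPKCS11 backed by an
 * nShield token. Config path, alias and algorithm are assumptions for illustration.
 */
public class HsmVerifyExample {

    // Assumed path to a SunPKCS11 config file containing "attributes = compatibility"
    // (or an explicit CKA_VERIFY = true for CKO_PUBLIC_KEY objects).
    static final String CONFIG_PATH = "D:/nfast/pkcs11.cfg";

    /** Java 9+: take the unconfigured SunPKCS11 provider and configure it from a file. */
    public static Provider loadProvider(String configPath) {
        // On Java 8 the equivalent is: new sun.security.pkcs11.SunPKCS11(configPath)
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider is not available in this JDK");
        }
        Provider configured = base.configure(configPath);
        Security.addProvider(configured);
        return configured;
    }

    /** Returns true when signature matches data under the certificate stored at certAlias. */
    public static boolean verify(Provider pkcs11, char[] pin, String certAlias,
                                 byte[] data, byte[] signature) throws Exception {
        // The PKCS11 KeyStore exposes token objects by alias. With slotListIndex=1
        // (softcard slot, as described above) the PIN is the softcard passphrase;
        // for module-protected keys in slot 0 no PIN is required.
        KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
        ks.load(null, pin);
        Certificate cert = ks.getCertificate(certAlias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate stored under alias " + certAlias);
        }

        // initVerify hands the (software) public key from the certificate to the
        // provider, which imports it into the token as a CKO_PUBLIC_KEY object and
        // calls C_VerifyInit(). Without attributes = compatibility the object lacks
        // CKA_VERIFY = true, nCipher answers CKR_KEY_FUNCTION_NOT_PERMITTED, and
        // Java reports "ProviderException: initialization failed" here.
        Signature sig = Signature.getInstance("SHA256withRSA", pkcs11);
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: HsmVerifyExample <data-file> <signature-file>");
            System.exit(2);
        }
        Provider p = loadProvider(CONFIG_PATH);
        byte[] data = Files.readAllBytes(Paths.get(args[0]));
        byte[] signature = Files.readAllBytes(Paths.get(args[1]));
        // Assumed: the softcard passphrase is read interactively rather than
        // placed on the command line, so it does not land in shell history.
        char[] pin = System.console().readPassword("Softcard passphrase: ");
        boolean ok = verify(p, pin, "signing-cert", data, signature);
        java.util.Arrays.fill(pin, '\0');
        System.out.println(ok ? "signature valid" : "signature INVALID");
        System.exit(ok ? 0 : 1);
    }
}
```

If you prefer not to enable the whole compatibility set, the reference guide's attribute syntax lets you grant only what verification needs, for example attributes(*,CKO_PUBLIC_KEY,*) = { CKA_VERIFY = true } in place of attributes = compatibility; the Java code is unchanged either way, which is why the failure is hard to diagnose from the Java side alone and the nCipher log is the place to confirm the CKR_KEY_FUNCTION_NOT_PERMITTED return.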


iWay Software