Hi,

At some revision of the PKCS#11 provider, checking of the C_GetMechanismInfo min and max sizes was introduced.

This has turned out to be a bit fragile. Let me give two real world examples:

1. Amazon Cloud HSM reports minSize and maxSize for EC keys as 0. The Java PKCS#11 provider will happily take 0 as maxSize and refuse to generate any EC keys at all. Needless to say, without the Java check it would be no problem.

    131: C_GetMechanismInfo
    2018-01-30 07:52:20.740
    [in] slotID = 0x1
    CKM_EC_KEY_PAIR_GEN
    [out] pInfo:
    CKM_EC_KEY_PAIR_GEN : min:0 max:0 flags:0x10001 ( Hardware KeyPair )
    Returned:  0 CKR_OK

   (we are reporting this to Amazon as well)

2. Thales HSMs (some?) report maxSize for RSA_PKCS key generation as 4096, but will happily generate 8192 bit keys. I.e. the reported maxSize is not true. We have customers who used to generate 8192 bit RSA keys, but after a Java update cannot do so anymore, because Java compares against this value.

* Suggestions:

1. In the constructor of P11KeyPairGenerator where minKeyLen and maxKeyLen are calculated, never allow maxKeyLen to be less than minKeyLen. I.e. change the part:

        // auto-adjust default keysize in case it's out-of-range
        if ((minKeyLen != -1) && (keySize < minKeyLen)) {
            keySize = minKeyLen;
        }
        if ((maxKeyLen != -1) && (keySize > maxKeyLen)) {
            keySize = maxKeyLen;
        }

   to include something like:

        // auto-adjust default keysize in case it's out-of-range
        if ((minKeyLen != -1) && (keySize < minKeyLen)) {
            keySize = minKeyLen;
        }
        // never let the reported upper bound fall below the lower bound
        if ((maxKeyLen != -1) && (maxKeyLen < minKeyLen)) {
            maxKeyLen = minKeyLen;
        }
        if ((maxKeyLen != -1) && (keySize > maxKeyLen)) {
            keySize = maxKeyLen;
        }

2. Allow ignoring the check of maxKeyLen by some means, i.e. allow ignoring the check against C_GetMechanismInfo if you know that the HSM does not provide sane values. I.e. an environment variable, for example, reverting back to the old behavior when these were ignored.

Regards,
Tomas Gustavsson

--
**********
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********
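The following stand-alone Java program is an added example, not code from the email or from the JDK's SunPKCS11 provider. It models only the part of P11KeyPairGenerator that the email quotes: the min/max sizes taken from C_GetMechanismInfo, the auto-adjust clamp in its current and proposed forms, an opt-out modelled after suggestion 2, and the later size check that a key-generation request runs against the effective bounds. The MechInfo and Bounds records, the checkKeySize and verdict helpers, and the RSA lower bound of 512 are constructed for the demo; the real provider also applies algorithm-specific floors and caps that are left out here.

```java
import java.security.InvalidAlgorithmParameterException;

/**
 * Model (added example, not SunPKCS11 source) of how the sizes a token reports
 * via C_GetMechanismInfo flow into the key-size clamp quoted in the email and
 * into the later check of a requested key size.
 */
public class MechanismInfoKeySizeDemo {

    /** Constructed stand-in for CK_MECHANISM_INFO; only the two size fields are used. */
    record MechInfo(long ulMinKeySize, long ulMaxKeySize) {}

    /** Effective bounds plus the (possibly auto-adjusted) default key size. */
    record Bounds(int minKeyLen, int maxKeyLen, int keySize) {}

    /** Current behaviour as quoted in the email: maxKeyLen can end up below minKeyLen. */
    static Bounds clampCurrent(MechInfo info, int defaultKeySize) {
        int minKeyLen = -1, maxKeyLen = -1;   // -1 means the token reported no bound
        if (info != null) {
            minKeyLen = (int) info.ulMinKeySize();
            maxKeyLen = (int) info.ulMaxKeySize();
        }
        int keySize = defaultKeySize;
        // auto-adjust default keysize in case it's out-of-range
        if ((minKeyLen != -1) && (keySize < minKeyLen)) {
            keySize = minKeyLen;
        }
        if ((maxKeyLen != -1) && (keySize > maxKeyLen)) {
            keySize = maxKeyLen;
        }
        return new Bounds(minKeyLen, maxKeyLen, keySize);
    }

    /** Suggestion 1: never let maxKeyLen fall below minKeyLen before clamping. */
    static Bounds clampProposed(MechInfo info, int defaultKeySize) {
        int minKeyLen = -1, maxKeyLen = -1;
        if (info != null) {
            minKeyLen = (int) info.ulMinKeySize();
            maxKeyLen = (int) info.ulMaxKeySize();
        }
        int keySize = defaultKeySize;
        if ((minKeyLen != -1) && (keySize < minKeyLen)) {
            keySize = minKeyLen;
        }
        if ((maxKeyLen != -1) && (maxKeyLen < minKeyLen)) {
            maxKeyLen = minKeyLen;
        }
        if ((maxKeyLen != -1) && (keySize > maxKeyLen)) {
            keySize = maxKeyLen;
        }
        return new Bounds(minKeyLen, maxKeyLen, keySize);
    }

    /**
     * Suggestion 2: an opt-out for tokens known to report bogus sizes. Modelled as a
     * boolean parameter; a real implementation would read it from an environment
     * variable or system property (any such name would be new and hypothetical).
     * With the opt-out set the token's bounds are discarded, restoring the old behaviour.
     */
    static Bounds clampWithOptOut(MechInfo info, int defaultKeySize, boolean ignoreMechInfo) {
        return clampProposed(ignoreMechInfo ? null : info, defaultKeySize);
    }

    /** Constructed stand-in for the later check of a requested size against the bounds. */
    static void checkKeySize(int requested, Bounds b) throws InvalidAlgorithmParameterException {
        if ((b.minKeyLen() != -1) && (requested < b.minKeyLen())) {
            throw new InvalidAlgorithmParameterException(requested + " < minimum " + b.minKeyLen());
        }
        if ((b.maxKeyLen() != -1) && (requested > b.maxKeyLen())) {
            throw new InvalidAlgorithmParameterException(requested + " > maximum " + b.maxKeyLen());
        }
    }

    static String verdict(String label, int requested, Bounds b) {
        try {
            checkKeySize(requested, b);
            return label + ": " + b + " -> " + requested + "-bit request accepted";
        } catch (InvalidAlgorithmParameterException e) {
            return label + ": " + b + " -> rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Case 1 from the email: the token reports min:0 max:0 for CKM_EC_KEY_PAIR_GEN.
        MechInfo ecZero = new MechInfo(0, 0);
        System.out.println(verdict("EC current ", 256, clampCurrent(ecZero, 256)));
        System.out.println(verdict("EC proposed", 256, clampProposed(ecZero, 256)));
        System.out.println(verdict("EC opt-out ", 256, clampWithOptOut(ecZero, 256, true)));

        // Case 2 from the email: max 4096 reported for RSA, 8192-bit keys requested.
        // The minimum of 512 is a constructed value; the email gives only the maximum.
        MechInfo rsa4096 = new MechInfo(512, 4096);
        System.out.println(verdict("RSA current", 8192, clampCurrent(rsa4096, 2048)));
        System.out.println(verdict("RSA opt-out", 8192, clampWithOptOut(rsa4096, 2048, true)));
    }
}
```

Running it shows the EC request rejected under both the current and the proposed clamp, because a token that reports 0 for both bounds gives the proposed `maxKeyLen < minKeyLen` guard nothing to raise; suggestion 1 only changes the outcome once a lower bound above 0 is in effect. The 8192-bit RSA request is rejected against the reported 4096 as the email describes. In both cases it is the opt-out that restores key generation, which is why an operator-controlled switch is the piece that matters for tokens whose C_GetMechanismInfo values cannot be trusted.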