[Opendnssec-user] PKCS11Exception: CKR_DATA_LEN_RANGE using softhsm2

Roland van Rijswijk - Deij Roland.vanRijswijk at surfnet.nl
Fri Dec 5 07:09:32 UTC 2014

Hi Roko,

roko wrote:
> I'm getting this error:
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DATA_LEN_RANGE
> Is this maybe a known limitation for softhsm2? Is there some workaround?
> Thx for your help.

I've had a quick look at the code, and this seems to be a bug;
C_EncryptUpdate always checks if the input block adheres to the cipher's
required block size. It should only do this if the cipher is used in ECB
mode. I have created SOFTHSM-107
(https://issues.opendnssec.org/browse/SOFTHSM-107) in our issue tracking
system for this bug, it will be addressed in the next version of SoftHSM.

Meanwhile you could help us by testing this by doing the following:

- Build SoftHSM v2 from source (instructions here:

- go to "src/lib" in the source tree

- edit "SoftHSM.cpp"

- go to line 2166 and comment it out (this is the check for block size

- re-run your test program and let us know the result

Thanks in advance for reporting this issue.

Best regards,


-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surf.nl/en/about-surf/subsidiaries/surfnet
-- e: roland.vanrijswijk at surfnet.nl

Please note: As of 1 January 2015 SURFnet has a new address and
telephone number:
Kantoren Hoog Overborch (Hoog Catharijne) - Moreelsepark 48, 3511 EP
Utrecht - PO Box 19035, 3501 DA Utrecht - Telephone: +31 88-7873000
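
The following is an added example, not part of the original message and not SoftHSM's code: a simplified model of the length check described above, comparing an update call that always enforces block-sized input with one that enforces it only in ECB mode. EncryptSession, encryptUpdate, feed and the buffering of partial blocks are assumptions of this model; only the two return-code values are taken from PKCS#11.

```cpp
#include <cstddef>
#include <cstdio>

// Return codes, with the values PKCS#11 assigns them.
constexpr unsigned long CKR_OK = 0x00000000UL;
constexpr unsigned long CKR_DATA_LEN_RANGE = 0x00000021UL;

enum class Mode { ECB, CBC };      // only the two cases the message contrasts
constexpr std::size_t BLOCK = 16;  // AES block size in bytes

// Hypothetical session state; the model tracks lengths only, no real cipher.
struct EncryptSession {
    Mode mode;
    bool checkAlways;     // true = the behaviour reported in the message
    std::size_t pending;  // bytes buffered until a full block is available
};

// Model of one update call; outLen is the ciphertext length it would emit.
unsigned long encryptUpdate(EncryptSession& s, std::size_t inLen, std::size_t& outLen) {
    outLen = 0;
    const bool enforce = s.checkAlways || s.mode == Mode::ECB;
    if (enforce && inLen % BLOCK != 0)
        return CKR_DATA_LEN_RANGE;   // partial block rejected outright
    const std::size_t total = s.pending + inLen;
    outLen = total - total % BLOCK;  // whole blocks are emitted now
    s.pending = total % BLOCK;       // remainder waits for the next call
    return CKR_OK;
}

// Feed chunk lengths in order; stop at the first error and return its code.
unsigned long feed(EncryptSession& s, const std::size_t* chunks, std::size_t n,
                   std::size_t& produced) {
    produced = 0;
    for (std::size_t i = 0; i < n; ++i) {
        std::size_t out = 0;
        const unsigned long rv = encryptUpdate(s, chunks[i], out);
        if (rv != CKR_OK) return rv;
        produced += out;
    }
    return CKR_OK;
}

int main() {
    const std::size_t chunks[] = {10, 22, 16};  // constructed: 48 bytes, uneven pieces
    std::size_t produced = 0;
    EncryptSession always{Mode::CBC, true, 0}, ecbOnly{Mode::CBC, false, 0};
    unsigned long rv = feed(always, chunks, 3, produced);
    std::printf("check on every mode: rv=0x%lx\n", rv);
    rv = feed(ecbOnly, chunks, 3, produced);
    std::printf("check on ECB only:   rv=0x%lx, %zu bytes out\n", rv, produced);
    return 0;
}
```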