[Opendnssec-user] PKCS11Exception: CKR_DATA_LEN_RANGE using softhsm2

Rickard Bellgrim rickard at opendnssec.org
Sun Dec 7 08:08:30 UTC 2014

On Fri, Dec 5, 2014 at 8:09 AM, Roland van Rijswijk - Deij <
Roland.vanRijswijk at surfnet.nl> wrote:

> Hi Roko,
> roko wrote:
> > I'm getting this error:
> > Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
> >
> > Is this maybe a known limitation for softhsm2? Is there some workaround?
> > Thx for your help.
> I've had a quick look at the code, and this seems to be a bug;
> C_EncryptUpdate always checks if the input block adheres to the cipher's
> required block size. It should only do this if the cipher is used in ECB
> mode. I have created SOFTHSM-107
> (https://issues.opendnssec.org/browse/SOFTHSM-107) in our issue tracking
> system for this bug; it will be addressed in the next version of SoftHSM
> v2.

We currently only support ECB and CBC. They require a full block when not
padding. Could add support for CKM_DES_CBC_PAD, CKM_DES3_CBC_PAD, and

You are trying to use CKM_AES_CBC_PAD (AES/CBC/PKCS5Padding) which is
currently not supported. The error indicates that the Java implementation is
trying to use CKM_AES_CBC and not CKM_AES_CBC_PAD, which would have

// Rickard
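
The full-block requirement discussed in this thread, as an added C example (not SoftHSM or OpenDNSSEC code): it models the length rule a non-padding block mode applies and shows caller-side PKCS#7 padding that makes the input block-aligned before it reaches a mechanism such as CKM_AES_CBC. The function names are hypothetical, and padding in the caller is an assumption, not something the thread prescribes.

```c
#include <stdio.h>
#include <string.h>

#define AES_BLOCK 16u
/* Return-code values from the PKCS#11 headers. */
#define CKR_OK             0x00UL
#define CKR_DATA_LEN_RANGE 0x21UL

/* Hypothetical model of the rule for a non-padding block mode:
 * the data length must be a whole number of cipher blocks. */
unsigned long check_unpadded_len(size_t len)
{
    return (len % AES_BLOCK == 0) ? CKR_OK : CKR_DATA_LEN_RANGE;
}

/* PKCS#7 pad: append n bytes of value n, 1 <= n <= 16, so a full-block
 * input gains one extra block. Returns padded length, 0 if out is too small. */
size_t pkcs7_pad(const unsigned char *in, size_t len,
                 unsigned char *out, size_t cap)
{
    size_t n = AES_BLOCK - (len % AES_BLOCK);
    if (len > cap || cap - len < n) return 0;
    memcpy(out, in, len);
    memset(out + len, (int)n, n);
    return len + n;
}

/* Validate and strip PKCS#7 padding after decryption.
 * Returns 0 and sets *plain_len on success, -1 on malformed padding. */
int pkcs7_unpad(const unsigned char *buf, size_t len, size_t *plain_len)
{
    if (len == 0 || len % AES_BLOCK != 0) return -1;
    unsigned char n = buf[len - 1];
    if (n == 0 || n > AES_BLOCK) return -1;
    unsigned char bad = 0;
    for (size_t i = 0; i < n; i++) bad |= buf[len - 1 - i] ^ n;
    if (bad) return -1;
    *plain_len = len - n;
    return 0;
}

int main(void)
{
    const unsigned char msg[] = "constructed sample"; /* constructed, 18 bytes */
    unsigned char out[48];
    size_t p = pkcs7_pad(msg, sizeof msg - 1, out, sizeof out);
    printf("raw: 0x%lx, padded to %zu: 0x%lx\n", check_unpadded_len(sizeof msg - 1), p, check_unpadded_len(p));
    return 0;
}
```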