Symmetric key creation with CKA_SENSITIVE false and CKA_PRIVATE as true


I am working on a cloud HSM service and I see a CKA_ATTRIBUTE_INVALID error when I try to create an AES 256 key with the following attributes:

CKA_TOKEN=0
CKA_SENSITIVE=0
CKA_PRIVATE=1
CKA_ENCRYPT=1
CKA_DECRYPT=1
CKA_SIGN=1
CKA_VERIFY=1
CKA_WRAP=1
CKA_UNWRAP=1
CKA_DERIVE=1
CKA_EXTRACTABLE=1
CKA_MODIFIABLE=0

and hence the error: Status: C_DeriveKey returned error. (CKR_ATTRIBUTE_VALUE_INVALID)

I figured out that if I pass CKA_SENSITIVE and CKA_PRIVATE both as 1 it passes and the key gets created.

My question is: how do I know which attribute combinations are valid?
Can someone point me to some documentation, please? I didn't find many details in the standard PKCS#11 spec guide.

I would appreciate any help here!!

Cheers.



Alexander:

As far as I can see, the following attributes have wrong values:

CKA_SIGN=1
CKA_VERIFY=1

A symmetric key can't be used in signing.

Also, these values raise some questions:

CKA_TOKEN=0

means that the key is a session object,

CKA_SENSITIVE=0

means that the key value is "visible"; it is not secure.

From my experience:
try removing attributes from the template one by one, and you will find which of them are wrong.