diff -up ./src/coolkey/coolkey.cpp.fail-on-bad-mechanisms ./src/coolkey/coolkey.cpp

--- ./src/coolkey/coolkey.cpp.fail-on-bad-mechanisms	2016-06-16 14:36:05.934755563 -0700

+++ ./src/coolkey/coolkey.cpp	2016-06-16 14:36:05.945755372 -0700

@@ -77,7 +77,8 @@ rsaMechanismList[] = {

 static const MechInfo

 ecMechanismList[] = {

-    {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},{ CKM_ECDSA_SHA1, {256, 521, CKF_HW | CKF_SIGN | CKF_EC_F_P}},{ CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} }

+    {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},

+    {CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} }

 };

 unsigned int numRSAMechanisms = sizeof(rsaMechanismList)/sizeof(MechInfo);

diff -up ./src/coolkey/slot.cpp.fail-on-bad-mechanisms ./src/coolkey/slot.cpp

--- ./src/coolkey/slot.cpp.fail-on-bad-mechanisms	2016-06-16 14:36:05.943755407 -0700

+++ ./src/coolkey/slot.cpp	2016-06-16 15:07:40.255882660 -0700

@@ -4185,11 +4185,30 @@ Slot::signInit(SessionHandleSuffix suffi

 {

     refreshTokenState();

     SessionIter session = findSession(suffix);

+    PKCS11Object *key = getKeyFromHandle(hKey);

     if( session == sessions.end() ) {

         throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);

     }

+    if (pMechanism == NULL) {

+        throw PKCS11Exception(CKR_ARGUMENTS_BAD);

+    }

+

+    switch (pMechanism->mechanism) {

+    case CKM_RSA_PKCS:

+	if (key->getKeyType() != Key::rsa) {

+        	throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT);

+	}

+	break;

+    case CKM_ECDSA:

+	if (key->getKeyType() != Key::ecc) {

+        	throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT);

+	}

+	break;

+    default:

+        throw PKCS11Exception(CKR_MECHANISM_INVALID);

+    }

-    session->signatureState.initialize(getKeyFromHandle(hKey));

+    session->signatureState.initialize(key);

 }

 void

@@ -4198,11 +4217,24 @@ Slot::decryptInit(SessionHandleSuffix su

 {

     refreshTokenState();

     SessionIter session = findSession(suffix);

+    PKCS11Object *key = getKeyFromHandle(hKey);

     if( session == sessions.end() ) {

         throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);

     }

+    if (pMechanism == NULL) {

+        throw PKCS11Exception(CKR_ARGUMENTS_BAD);

+    }

+    switch (pMechanism->mechanism) {

+    case CKM_RSA_PKCS:

+	if (key->getKeyType() != Key::rsa) {

+        	throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT);

+	}

+	break;

+    default:

+        throw PKCS11Exception(CKR_MECHANISM_INVALID);

+    }

-    session->decryptionState.initialize(getKeyFromHandle(hKey));

+    session->decryptionState.initialize(key);

 }

 /**

@@ -5008,8 +5040,23 @@ Slot::derive(SessionHandleSuffix suffix,

     ECCKeyAgreementParams params(CryptParams::ECC_DEFAULT_KEY_SIZE);

     SessionIter session = findSession(suffix);

+    PKCS11Object *key=getKeyFromHandle(hBaseKey);

-    session->keyAgreementState.initialize(getKeyFromHandle(hBaseKey));

+    if (pMechanism == NULL ) {

+        throw PKCS11Exception(CKR_ARGUMENTS_BAD);

+    }

+

+    switch (pMechanism->mechanism) {

+    case CKM_ECDH1_DERIVE:

+	if (key->getKeyType() != Key::ecc) {

+        	throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT);

+	}

+	break;

+    default:

+        throw PKCS11Exception(CKR_MECHANISM_INVALID);

+    }

+

+    session->keyAgreementState.initialize(key);

     deriveECC(suffix, pMechanism, hBaseKey, pTemplate, ulAttributeCount, 

 		phKey, params);

@@ -5018,9 +5065,6 @@ Slot::derive(SessionHandleSuffix suffix,

 void Slot::deriveECC(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism,

        CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey, CryptParams& params)

 {

-    if (pMechanism == NULL ) {

-        throw PKCS11Exception(CKR_ARGUMENTS_BAD);

-    }

     CK_ECDH1_DERIVE_PARAMS *mechParams      = NULL;