PKCS11-SPECS | All versions of PKCS # 11 specification in one place | TLS library

I bought a NitroKey HSM and wanted to derive a secret with EC. Previosly question

For this, I want to use the CKM_ECDH1_DERIVE mechanisms. Which is supported by this HSM, see:

Referring to the PKCS#11 specification this must be considered:

1. The mechanism CKM_ECDH1_DERIVE must be used with the function Derive (Page 188)
2. The mechanism CKM_ECDH1_DERIVE expects parameter CK_ECDH1_DERIVE_PARAMS (Page 222) with this arguments:
   1. kdf: Key derivation function used on the shared secret value (CKD)
   2. sharedData: Some data shared between the two parties
   3. publicData: Other party's EC public key value
3. The function DeriveKey expects these arguments:
   1. Mechanism CKM.CKM_ECDH1_DERIVE
   2. ObjectHandle PrivateKey
   3. ObjectAttributes (Page 338)
      1. CKA.CKA_CLASS -> CKO.CKO_SECRET_KEY
      2. CKA.CKA_KEY_TYPE -> CKK.CKK_GENERIC_SECRET
      3. But "However, since these facts are all implicit in the mechanism, there is no need to specify any of them" so these can be null?

So with this information, I tried to implement a method.

But I get this Error:

Net.Pkcs11Interop.Common.Pkcs11Exception : Method C_DeriveKey returned CKR_TEMPLATE_INCOMPLETE

at Session.DeriveKey.

Explanation of CKR_TEMPLATE_INCOMPLETE (Page 64):

If the attribute values in the supplied template, together with any default attribute values and any attribute values contributed to the object by the object-creation function itself, are insufficient to fully specify the object to create, then the attempt should fail with the error code CKR_TEMPLATE_INCOMPLETE.

and here (Page 98)

CKR_TEMPLATE_INCOMPLETE: The template specified for creating an object is incomplete, and lacks some necessary attributes. See Section 10.1 for more information.

But I used the nesseary attributes:

1. CKA.CKA_CLASS -> CKO.CKO_SECRET_KEY
2. CKA.CKA_KEY_TYPE -> CKK.CKK_GENERIC_SECRET

Ideas?