JDK-8336499

Failure when creating non-CRT RSA private keys in SunPKCS11

      After JDK-8271566, the CKA_MODULUS and CKA_PRIVATE_EXPONENT attributes were added to the list passed to Java's C_GetAttributeValue wrapper when determining if a private RSA key is CRT or non-CRT [1]. The rationale was to make a single query and have both CKA_MODULUS and CKA_PRIVATE_EXPONENT available beforehand, avoiding a potential second query later. Most PKCS #11 tokens benefit from this saving.

      Unlike the native C_GetAttributeValue PKCS #11 API, its Java counterpart does not return any attribute values if one of the queried attributes produces an error (e.g. if CKR_ATTRIBUTE_TYPE_INVALID is returned) [2]. If a non-CRT key is created in a token (pre PKCS #11 2.40), the query that includes all attributes fails, so CKA_MODULUS and CKA_PRIVATE_EXPONENT are not available, and an error is thrown here [3].

      This bug was reported by Bob Du (IBM).

      --
      [1] - https://git.openjdk.org/jdk/blob/jdk-24%2B6/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java#L568
      [2] - https://git.openjdk.org/jdk/blob/jdk-24%2B6/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c#L252
      [3] - https://git.openjdk.org/jdk/blob/jdk-24%2B6/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java#L594
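
The difference between the native per-attribute semantics and the all-or-nothing wrapper described above, as an added C example that is not part of the original report or of the JDK sources. The mock token, `wrapped_get`, the classification helpers and the fallback query are assumptions made for illustration; `CKA_PRIME_1` stands in for the full CRT attribute list.

```c
#include <stddef.h>
#include <stdio.h>
/* Stand-ins for the PKCS #11 types and constants used (values as in the spec). */
typedef unsigned long CK_ULONG, CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef CK_RV (*get_fn)(CK_ATTRIBUTE *, size_t);
enum { CKR_OK = 0x00, CKR_ATTRIBUTE_TYPE_INVALID = 0x12 };
enum { CKA_MODULUS = 0x120, CKA_PRIVATE_EXPONENT = 0x123, CKA_PRIME_1 = 0x124 };
#define CK_UNAVAILABLE_INFORMATION (~0UL)
#define USABLE(a) ((a).ulValueLen != 0 && (a).ulValueLen != CK_UNAVAILABLE_INFORMATION)
enum kind { KEY_CRT, KEY_NON_CRT, KEY_ERROR };

/* Constructed token with one non-CRT key; answerable attributes are still filled in. */
CK_RV native_get(CK_ATTRIBUTE *t, size_t n) {
    CK_RV rv = CKR_OK;
    for (size_t i = 0; i < n; i++) {
        int known = t[i].type == CKA_MODULUS || t[i].type == CKA_PRIVATE_EXPONENT;
        t[i].ulValueLen = known ? 256 : CK_UNAVAILABLE_INFORMATION; /* length only */
        if (!known) rv = CKR_ATTRIBUTE_TYPE_INVALID;
    }
    return rv;
}

/* Model of the all-or-nothing wrapper: on any error no value reaches the caller. */
CK_RV wrapped_get(CK_ATTRIBUTE *t, size_t n) {
    CK_RV rv = native_get(t, n);
    for (size_t i = 0; rv != CKR_OK && i < n; i++) t[i].ulValueLen = 0;
    return rv;
}

/* One combined query; CKA_PRIME_1 stands in for the full CRT attribute list. */
enum kind classify_combined(get_fn get) {
    CK_ATTRIBUTE t[] = {{CKA_MODULUS, NULL, 0}, {CKA_PRIVATE_EXPONENT, NULL, 0}, {CKA_PRIME_1, NULL, 0}};
    if (get(t, 3) == CKR_OK) return KEY_CRT;
    return USABLE(t[0]) && USABLE(t[1]) ? KEY_NON_CRT : KEY_ERROR;
}

/* Assumed handling (not the JDK fix): retry with only modulus and private exponent. */
enum kind classify_with_fallback(get_fn get) {
    CK_ATTRIBUTE t[] = {{CKA_MODULUS, NULL, 0}, {CKA_PRIVATE_EXPONENT, NULL, 0}};
    enum kind k = classify_combined(get);
    if (k != KEY_ERROR) return k;
    return get(t, 2) == CKR_OK && USABLE(t[0]) && USABLE(t[1]) ? KEY_NON_CRT : KEY_ERROR;
}

int main(void) {
    printf("native=%d wrapped=%d fallback=%d\n", classify_combined(native_get),
           classify_combined(wrapped_get), classify_with_fallback(wrapped_get));
    return 0;
}
```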

            mbalao Martin Balao Alonso