[openstack-dev] [Barbican] Status of PKCS#11 Plug-in

Andreas Scheuring scheuran at linux.vnet.ibm.com
Fri Jul 21 13:07:07 UTC 2017

Hi all,
I would like to get clarity about the state of the Barbican PKCS#11
Plug-in. We did some tests against the PKCS#11 implementation
opencryptoki configured with an s390x hardware backend.

The main issue seems to be that the plug-in has been developed against
the PKCS#11 2.40 draft [2], but has never been adapted to PKCS#11 version
2.40 final [1].

We ran into a couple of issues and pushed WIP patches for them:
- AES_GCM header contains extra bits [3]
- unwrap key: CKA_EXTRACTABLE must not be set [4][4a]
- HMAC signing: key type AES used, but must be GENERIC SECRET

A couple of questions:

* What is the state of the PKCS#11 Plug-in?
* It's often mentioned in combination with SafeNet. Is it a SafeNet
specific implementation? Or should it be a general purpose PKCS#11?
* Are there future plans for the plug-in?
* What would be the right approach to enable support for PKCS#11 2.40
final? Updating the plug-in? Forking it and creating a new one?

It seems others have already run into this issue [6].

Thanks a lot!

[3] https://review.openstack.org/#/c/483378/
[4] https://review.openstack.org/#/c/483388/
[4a] https://bugs.launchpad.net/barbican/+bug/1704128
[5] https://review.openstack.org/#/c/483400/
[5a] https://bugs.launchpad.net/barbican/+bug/1704141
[6] https://bugs.launchpad.net/barbican/+bug/1613989

IRC: andreas_s
