Hi all,

I would like to get clarity about the state of the Barbican PKCS#11 Plug-in.

We did some tests against the PKCS#11 implementation opencryptoki configured with a s390x hardware backend. The main issue seems to be that the plug-in has been developed against PKCS#11 2.40 draft [2] - but has never been adapted to PKCS#11 version 2.40 final [1].

We ran into a couple of issues and pushed WIP patches for it

- AES_GCM header contains extra bits [3]
- unwrap key: CKA_EXTRACTABLE must not be set [4][4a]
- HMAC signing: Key type AES type used, but must be GENERIC SECRET [5][5a]

Couple of questions:

* What is the state of the PKCS#11 Plug-in?
* It's often mentioned in combination with SafeNet. Is it a SafeNet specific implementation? Or should it be a general purpose PKCS#11 implementation?
* Are there future plans for the plugin?
* What would be the right approach to enable support for PKCS#11 2.40 final. Updating the plug-in. Forking it and create a new one?

Seems also others already ran into this issue [6]

Thanks a lot!

[1] http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.pdf
[2] https://www.oasis-open.org/committees/document.php?document_id=55657&wg_abbrev=pkcs11
[3] https://review.openstack.org/#/c/483378/
[4] https://review.openstack.org/#/c/483388/
[4a] https://bugs.launchpad.net/barbican/+bug/1704128
[5] https://review.openstack.org/#/c/483400/
[5a] https://bugs.launchpad.net/barbican/+bug/1704141
[6] https://bugs.launchpad.net/barbican/+bug/1613989

--
-----
Andreas
IRC: andreas_s