[openstack-dev] [barbican] Can we support key wrapping mechanisms other than CKM_AES_CBC_PAD?

Ade Lee alee at redhat.com
Wed Jul 11 09:18:17 UTC 2018


Lingxian, 

I don't see any reason not to provide support for other wrapping
mechanisms.

Have you tried hacking the code to use one of the other wrapping
mechanisms to see if it works?  Ultimately, what is passed are
parameters to CFFI.  As long as you pass in the right input and your
PKCS#11 library can support it, then there should be no problem.

If it works, it makes sense to make the wrapping algorithm configurable
for the plugin.  

It may or may not make sense to store the wrapping algorithm used in
the secret plugin-metadata if we want to support migration to other
HSMs.

Ade 

On Sat, 2018-07-07 at 12:54 +1200, Lingxian Kong wrote:
> Hi Barbican guys,
> 
> Currently, I am testing the integration between Barbican and SoftHSM
> v2 but I met with a problem that SoftHSM v2 doesn't
> support CKM_AES_CBC_PAD key wrapping operation which is hardcoded in
> Barbican code here https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496.
> After discussion with SoftHSM team, I was told SoftHSM does
> support other mechanisms such as CKM_AES_KEY_WRAP,
> CKM_AES_KEY_WRAP_PAD, CKM_RSA_PKCS, or CKM_RSA_PKCS_OAEP.
> 
> My question is, is it easy to support other wrapping mechanisms in
> Barbican? Or is there another workaround for this problem?
> 
> Cheers,
> Lingxian Kong