[openstack-dev] [barbican] Can we support key wrapping mechanisms other than CKM_AES_CBC_PAD?
Ade Lee
alee at redhat.com
Thu Jul 12 11:18:14 UTC 2018
You probably also need to change the parameters being added to the
structure to match the chosen padding mechanism.
mech = self.ffi.new("CK_MECHANISM *")    # CK_MECHANISM struct handed to C_WrapKey
mech.mechanism = CKM_AES_CBC_PAD         # mechanism code
iv = self._generate_random(16, session)  # 16-byte IV that AES-CBC requires
mech.parameter = iv                      # pParameter points at the IV
mech.parameter_len = 16                  # ulParameterLen must match the IV length
> > CKR_ARGUMENTS_BAD probably indicates that what's in mech.parameter is bad.
On Wed, 2018-07-11 at 22:59 +1200, Lingxian Kong wrote:
> BTW, i am using `CKM_RSA_PKCS` because it's the only one of the
> suggested mechanisms that SoftHSM supports according to the output of
> `pkcs11-tool --module libsofthsm2.so --slot $slot --list-mechanisms`.
>
> $ pkcs11-tool --module libsofthsm2.so --slot $slot --list-mechanisms
> ...
> RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
> ...
>
> Cheers,
> Lingxian Kong
>
> On Wed, Jul 11, 2018 at 10:48 PM, Lingxian Kong <anlin.kong at gmail.com> wrote:
> > Hi Ade,
> >
> > Thanks for your reply.
> >
> > I just replaced `CKM_AES_CBC_PAD` with `CKM_RSA_PKCS` here[1], of
> > course I defined `CKM_RSA_PKCS = 0x00000001` in the code, but still
> > got the following error:
> >
> > Jul 11 10:42:05 barbican-devstack devstack at barbican-svc.service[19897]: 2018-07-11 10:42:05.309 19900 WARNING barbican.plugin.crypto.p11_crypto [req-f2d27105-4811-4c77-a321-2ac1399cc9d2 b268f84aef814aeda17ad3fa38e0049d 7abe0e02baec4df2b6046d7ef7f44998 - default default] Reinitializing PKCS#11 library: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD: P11CryptoPluginException: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD
> >
> > [1]: https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496
> >
> >
> > Cheers,
> > Lingxian Kong
> >
> > On Wed, Jul 11, 2018 at 9:18 PM, Ade Lee <alee at redhat.com> wrote:
> > > Lingxian,
> > >
> > > I don't see any reason not to provide support for other wrapping
> > > mechanisms.
> > >
> > > Have you tried hacking the code to use one of the other wrapping
> > > mechanisms to see if it works? Ultimately, what is passed are
> > > parameters to CFFI. As long as you pass in the right input and your
> > > PKCS#11 library can support it, then there should be no problem.
> > >
> > > If it works, it makes sense to make the wrapping algorithm configurable
> > > for the plugin.
> > >
> > > It may or may not make sense to store the wrapping algorithm used in
> > > the secret plugin-metadata if we want to support migration to other
> > > HSMs.
> > >
> > > Ade
>
>
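Added example (not Barbican's code and not from anyone in this thread): a small Python model of the rule Ade states at the top of the message, that the CK_MECHANISM parameter has to match the chosen mechanism. CKM_AES_CBC_PAD needs a 16-byte IV, CKM_RSA_PKCS takes no parameter at all, and the AES key-wrap mechanisms accept either a NULL parameter or an IV of their own fixed size; leaving the CBC IV in place while switching the code to CKM_RSA_PKCS is exactly the combination that a token rejects. The mechanism and return codes are the values from the PKCS#11 v2.40 header; CKMechanism, build_wrap_mechanism, check_mechanism, wrap_metadata and mechanism_from_metadata are hypothetical names, and the check returns CKR_ARGUMENTS_BAD for any parameter mismatch because that is what SoftHSM returned here (real tokens may report CKR_MECHANISM_PARAM_INVALID instead). The metadata helpers illustrate Ade's later point about recording the wrapping algorithm in the secret plugin-metadata so an unwrap on another HSM can rebuild the same struct.

```python
"""Model of the CK_MECHANISM parameter rules for a few PKCS#11 wrap/unwrap
mechanisms (added example, not Barbican code).  The real plugin fills a CFFI
``CK_MECHANISM *`` with the same three fields and passes it to C_WrapKey /
C_UnwrapKey."""
from dataclasses import dataclass
import os
from typing import Callable, Optional

# Mechanism codes as defined in PKCS#11 v2.40 pkcs11t.h.
CKM_RSA_PKCS = 0x00000001
CKM_AES_CBC_PAD = 0x00001085
CKM_AES_KEY_WRAP = 0x00002109
CKM_AES_KEY_WRAP_PAD = 0x0000210A

# Return values from the same header.
CKR_OK = 0x00
CKR_ARGUMENTS_BAD = 0x07
CKR_MECHANISM_INVALID = 0x70

# What pParameter must hold for each wrapping mechanism:
#   iv_len   - size of the IV the mechanism uses (0 = takes no parameter)
#   optional - whether NULL/0 is also accepted (token then uses a default IV)
PARAM_RULES = {
    CKM_AES_CBC_PAD:      {"name": "CKM_AES_CBC_PAD",      "iv_len": 16, "optional": False},
    CKM_RSA_PKCS:         {"name": "CKM_RSA_PKCS",         "iv_len": 0,  "optional": False},
    CKM_AES_KEY_WRAP:     {"name": "CKM_AES_KEY_WRAP",     "iv_len": 8,  "optional": True},
    CKM_AES_KEY_WRAP_PAD: {"name": "CKM_AES_KEY_WRAP_PAD", "iv_len": 4,  "optional": True},
}
NAME_TO_CODE = {rule["name"]: code for code, rule in PARAM_RULES.items()}


@dataclass
class CKMechanism:
    """Python stand-in for the C struct: mechanism, pParameter, ulParameterLen."""
    mechanism: int
    parameter: Optional[bytes]
    parameter_len: int


def build_wrap_mechanism(mechanism: int,
                         rand: Callable[[int], bytes] = os.urandom) -> CKMechanism:
    """Fill the struct for the chosen mechanism: generate an IV only when the
    mechanism defines one (RSA PKCS#1 v1.5 wrapping takes no parameter)."""
    rule = PARAM_RULES[mechanism]
    if rule["iv_len"] == 0:
        return CKMechanism(mechanism, None, 0)
    iv = rand(rule["iv_len"])
    return CKMechanism(mechanism, iv, len(iv))


def check_mechanism(mech: CKMechanism) -> int:
    """Return the CKR_ code a token would hand back for this struct.  Any
    parameter mismatch is reported as CKR_ARGUMENTS_BAD, as SoftHSM did in
    the thread (other tokens may answer CKR_MECHANISM_PARAM_INVALID)."""
    rule = PARAM_RULES.get(mech.mechanism)
    if rule is None:
        return CKR_MECHANISM_INVALID
    given = 0 if mech.parameter is None else len(mech.parameter)
    if given != mech.parameter_len:          # length field disagrees with buffer
        return CKR_ARGUMENTS_BAD
    if given == 0:                           # NULL parameter
        return CKR_OK if rule["iv_len"] == 0 or rule["optional"] else CKR_ARGUMENTS_BAD
    return CKR_OK if given == rule["iv_len"] else CKR_ARGUMENTS_BAD


def wrap_metadata(mech: CKMechanism) -> dict:
    """Plugin-metadata to store next to the wrapped key so that unwrap (possibly
    on a different HSM) rebuilds the same mechanism and IV."""
    return {
        "wrapping_mechanism": PARAM_RULES[mech.mechanism]["name"],
        "iv": mech.parameter.hex() if mech.parameter else None,
    }


def mechanism_from_metadata(meta: dict) -> CKMechanism:
    """Inverse of wrap_metadata, used on the unwrap side."""
    iv = bytes.fromhex(meta["iv"]) if meta.get("iv") else None
    return CKMechanism(NAME_TO_CODE[meta["wrapping_mechanism"]], iv, len(iv) if iv else 0)


if __name__ == "__main__":
    # The situation from the thread: CKM_RSA_PKCS with the 16-byte CBC IV left in place.
    leftover_iv = CKMechanism(CKM_RSA_PKCS, os.urandom(16), 16)
    print("RSA_PKCS + IV  ->", hex(check_mechanism(leftover_iv)))   # 0x7
    # The fix: derive the parameter from the mechanism's own rule.
    good = build_wrap_mechanism(CKM_RSA_PKCS)
    print("RSA_PKCS, NULL ->", hex(check_mechanism(good)))          # 0x0
    print("stored metadata:", wrap_metadata(build_wrap_mechanism(CKM_AES_CBC_PAD)))
```

In the real plugin the equivalent of build_wrap_mechanism is the block that sets mech.mechanism, mech.parameter and mech.parameter_len on the CFFI struct; making the mechanism configurable means making that block branch on the configured value rather than only swapping the constant.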