FYI: We are working upstream on getting OpenSSL to adopt opaque symmetric key interfaces:

https://github.com/openssl/openssl/pull/25908
https://github.com/openssl/openssl/pull/26416

Until these interfaces become available there is no way to use symmetric keys via the pkcs11-provider.

On Sun, 2025-01-19 at 09:55 -0800, Paul Kehrer via Cryptography-dev wrote:
> The key handle you get from PKCS11 is not compatible with the symmetric
> cipher interfaces of cryptography. For asymmetric keys it's possible to
> create classes using our key interfaces that will allow use of opaque
> types, but the symmetric API is not capable of this at this time.
>
> -Paul
>
> On Sun, Jan 19, 2025 at 9:52 AM Sriram R via Cryptography-dev <
> cryptography-dev@python.org> wrote:
>
> > Hello,
> >
> > I'm testing a SoftHSM2 setup with the following code on a RHEL 9.4 system
> > running in FIPS mode:
> >
> > import os
> > import pkcs11
> > from pkcs11 import Attribute
> > from cryptography.hazmat.primitives import serialization
> > from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
> >
> > lib = pkcs11.lib("/usr/local/lib/softhsm/libsofthsm2.so")
> > token = lib.get_token(token_label='MyToken')
> >
> > with token.open(rw=True, user_pin="your_pin") as session:
> >     # key is a pkcs11 SecretKey handle, only valid inside this session
> >     key = session.generate_key(pkcs11.KeyType.AES, 256,
> >                                label="MySymmetricKey",
> >                                template={Attribute.SENSITIVE: False,
> >                                          Attribute.EXTRACTABLE: True},
> >                                store=True)
> >
> >     data = b"Hello, world!"
> >     iv = os.urandom(16)
> >     cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
> >     encryptor = cipher.encryptor()
> >     ciphertext = encryptor.update(data) + encryptor.finalize()
> >
> >     decryptor = cipher.decryptor()
> >     plaintext = decryptor.update(ciphertext) + decryptor.finalize()
> >
> >     print("Plaintext:", plaintext)
> >
> > When I run the above code, I get the following key type error:
> >
> > TypeError: memoryview: a bytes-like object is required, not 'SecretKey'
> >
> > While I understand that the AES Cipher() method doesn't like the key
> > format, I don't know how to convert the key from the session.generate_key()
> > method to a format that's acceptable.
> >
> > I also tried using key[Attribute.VALUE] but no luck!
> >
> > Thanks in advance!
> >
> > Best,
> > PE
> > _______________________________________________
> > Cryptography-dev mailing list
> > Cryptography-dev@python.org
> > https://mail.python.org/mailman/listinfo/cryptography-dev
> >
>

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
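The practical consequence of the thread is that a PKCS#11 SecretKey handle is not key material, so the cipher operation has to be performed by the token, not by cryptography's Cipher(). The following is an added example written for this page (it is not code from the thread, from python-pkcs11 or from the pkcs11-provider) showing that pattern with SoftHSM2 through python-pkcs11: the key is generated SENSITIVE and non-EXTRACTABLE (the original post set the opposite, which defeats the purpose of an HSM), and encryption and decryption are driven through the token with CKM_AES_CBC_PAD via SecretKey.encrypt()/decrypt(). A small dispatch wrapper also accepts raw key bytes so the in-process path can be checked offline against the NIST SP 800-38A CBC-AES256 vector. Note that AES_CBC_PAD applies PKCS#7 padding; the original post's raw CBC on a 13-byte message would have failed at finalize() even with a bytes key. The environment variable names PKCS11_LIB, PKCS11_TOKEN and PKCS11_PIN, the label and the function names are assumptions made for this example.

```python
"""
Added example (not from the thread): keep the AES key inside the PKCS#11 token
and let the token run the cipher, instead of handing the handle to
cryptography's Cipher(), which only accepts raw key bytes.

Assumed for this example: python-pkcs11 and SoftHSM2 are installed, and the
module path, token label and PIN come from PKCS11_LIB, PKCS11_TOKEN and
PKCS11_PIN (variable names chosen here, not a convention of either library).
"""
import os


def is_raw_key(key) -> bool:
    """True if `key` is raw key material that cryptography's AES() accepts."""
    return isinstance(key, (bytes, bytearray, memoryview))


def aes_cbc_encrypt(key, iv: bytes, data: bytes) -> bytes:
    """AES-CBC with PKCS#7 padding, dispatching on the kind of key we hold.

    - raw bytes: AES runs in-process via cryptography (key is in memory).
    - pkcs11 SecretKey handle: AES runs inside the token (C_EncryptInit /
      C_Encrypt with CKM_AES_CBC_PAD); the key bytes never leave the HSM.
    """
    if is_raw_key(key):
        from cryptography.hazmat.primitives import padding
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

        padder = padding.PKCS7(128).padder()
        padded = padder.update(data) + padder.finalize()
        enc = Cipher(algorithms.AES(bytes(key)), modes.CBC(iv)).encryptor()
        return enc.update(padded) + enc.finalize()
    # Opaque handle: python-pkcs11's SecretKey.encrypt() talks to the token.
    # AES_CBC_PAD is the token-side equivalent of CBC + PKCS#7 above.
    from pkcs11 import Mechanism

    return key.encrypt(data, mechanism=Mechanism.AES_CBC_PAD, mechanism_param=iv)


def aes_cbc_decrypt(key, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of aes_cbc_encrypt, same dispatch rule."""
    if is_raw_key(key):
        from cryptography.hazmat.primitives import padding
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

        dec = Cipher(algorithms.AES(bytes(key)), modes.CBC(iv)).decryptor()
        padded = dec.update(ciphertext) + dec.finalize()
        unpadder = padding.PKCS7(128).unpadder()
        return unpadder.update(padded) + unpadder.finalize()
    from pkcs11 import Mechanism

    return key.decrypt(ciphertext, mechanism=Mechanism.AES_CBC_PAD, mechanism_param=iv)


# Published vector, NIST SP 800-38A F.2.5 (CBC-AES256.Encrypt), first block.
# Used to check the in-process path offline without any token present.
NIST_KEY = bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")
NIST_IV = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NIST_PT = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")
NIST_CT_BLOCK1 = bytes.fromhex("f58c4c04d6e5f1ba779eabfb5f7bfbd6")


def check_nist_vector() -> bool:
    """First ciphertext block must equal the published value; the second block
    is the encrypted PKCS#7 padding block, which the vector does not cover."""
    ct = aes_cbc_encrypt(NIST_KEY, NIST_IV, NIST_PT)
    return (ct[:16] == NIST_CT_BLOCK1 and len(ct) == 32
            and aes_cbc_decrypt(NIST_KEY, NIST_IV, ct) == NIST_PT)


def hsm_roundtrip(lib_path: str, token_label: str, pin: str,
                  data: bytes = b"Hello, world!") -> bool:
    """Generate a non-extractable AES-256 key in the token and encrypt and
    decrypt with it there. Returns True if the plaintext round-trips."""
    import pkcs11
    from pkcs11 import Attribute, KeyType

    lib = pkcs11.lib(lib_path)
    token = lib.get_token(token_label=token_label)
    iv = os.urandom(16)
    with token.open(rw=True, user_pin=pin) as session:
        # SENSITIVE + non-EXTRACTABLE: the token refuses to reveal VALUE, which
        # is the property an HSM (and a FIPS deployment) is meant to give you.
        key = session.generate_key(
            KeyType.AES, 256, label="MySymmetricKey",
            template={Attribute.SENSITIVE: True, Attribute.EXTRACTABLE: False},
        )
        assert not is_raw_key(key)  # a handle, not bytes: Cipher() would reject it
        ciphertext = aes_cbc_encrypt(key, iv, data)
        return aes_cbc_decrypt(key, iv, ciphertext) == data


if __name__ == "__main__":
    print("NIST vector:", "ok" if check_nist_vector() else "MISMATCH")
    lib_path = os.environ.get("PKCS11_LIB")  # e.g. the libsofthsm2.so path
    if lib_path:
        ok = hsm_roundtrip(lib_path, os.environ["PKCS11_TOKEN"], os.environ["PKCS11_PIN"])
        print("in-token AES-CBC round trip:", "ok" if ok else "FAILED")
```

The dispatch on is_raw_key() is the boundary the thread describes: once a key lives in a token, every cipher call has to go through the token's own API, and the only thing the application ever holds is the handle. The same split is what the linked OpenSSL pull requests aim to make transparent at the provider layer.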