Lingxian, I don't see any reason not to provide support for other wrapping mechanisms.
Have you tried hacking the code to use one of the other wrapping mechanisms to see if it works? Ultimately, what is passed are parameters to CFFI. As long as you pass in the right input and your PKCS#11 library can support it, then there should be no problem.

If it works, it makes sense to make the wrapping algorithm configurable for the plugin. It may or may not make sense to store the wrapping algorithm used in the secret plugin-metadata if we want to support migration to other HSMs.

Ade

On Sat, 2018-07-07 at 12:54 +1200, Lingxian Kong wrote:
> Hi Barbican guys,
>
> Currently, I am testing the integration between Barbican and SoftHSM
> v2, but I met with a problem that SoftHSM v2 doesn't support the
> CKM_AES_CBC_PAD key wrapping operation, which is hardcoded in
> Barbican code here:
> https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496
> After discussion with the SoftHSM team, I was told SoftHSM does
> support other mechanisms such as CKM_AES_KEY_WRAP,
> CKM_AES_KEY_WRAP_PAD, CKM_RSA_PKCS, or CKM_RSA_PKCS_OAEP.
>
> My question is, is it easy to support other wrapping mechanisms in
> Barbican? Or is there another workaround for this problem?
>
> Cheers,
> Lingxian Kong
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
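
The design sketched in the reply above (a configurable wrapping mechanism, with the mechanism recorded in the secret's plugin metadata so a later unwrap or an HSM migration does not depend on the current configuration), as an added Python example that is not part of the thread and not Barbican code. The function names, the `wrap_mechanism` metadata key and the capability tables are assumptions; the mechanism and flag values are the standard PKCS#11 constants.

```python
# PKCS#11 mechanism type and flag values, as defined in the PKCS#11 headers.
CKM = {
    "CKM_RSA_PKCS": 0x0001,
    "CKM_RSA_PKCS_OAEP": 0x0009,
    "CKM_AES_CBC_PAD": 0x1085,
    "CKM_AES_KEY_WRAP": 0x2109,
    "CKM_AES_KEY_WRAP_PAD": 0x210A,
}
CKF_WRAP, CKF_UNWRAP = 0x00020000, 0x00040000
# Assumption: metadata without a recorded mechanism dates from the hardcoded default.
LEGACY_DEFAULT = "CKM_AES_CBC_PAD"


class UnsupportedMechanism(Exception):
    pass


def _supports(token_mechs, name, flag):
    """token_mechs maps mechanism type -> flags, as C_GetMechanismInfo reports."""
    return bool(token_mechs.get(CKM[name], 0) & flag)


def select_wrap_mechanism(configured, token_mechs):
    """Return the configured mechanism name, or fail before any key is wrapped."""
    if configured not in CKM:
        raise UnsupportedMechanism("unknown mechanism name: %s" % configured)
    if not _supports(token_mechs, configured, CKF_WRAP):
        raise UnsupportedMechanism("token cannot wrap with %s" % configured)
    return configured


def wrap_metadata(configured, token_mechs, existing=None):
    """Record the mechanism used at wrap time next to the wrapped key."""
    meta = dict(existing or {})
    meta["wrap_mechanism"] = select_wrap_mechanism(configured, token_mechs)  # hypothetical key
    return meta


def mechanism_for_unwrap(meta, token_mechs):
    """Unwrap with the recorded mechanism, not with whatever is configured today."""
    name = meta.get("wrap_mechanism", LEGACY_DEFAULT)
    if name not in CKM or not _supports(token_mechs, name, CKF_UNWRAP):
        raise UnsupportedMechanism("token cannot unwrap with %s" % name)
    return name, CKM[name]


# Constructed capability tables (not real C_GetMechanismInfo output).
SOFTHSM_LIKE = {CKM[n]: CKF_WRAP | CKF_UNWRAP for n in
                ("CKM_AES_KEY_WRAP", "CKM_AES_KEY_WRAP_PAD", "CKM_RSA_PKCS", "CKM_RSA_PKCS_OAEP")}
CBC_ONLY = {CKM["CKM_AES_CBC_PAD"]: CKF_WRAP | CKF_UNWRAP}
```

Checking the token's mechanism flags up front turns an unsupported mechanism into a clear configuration error instead of a failure in the middle of a wrap call.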
