Hi Ade, Thanks for your reply.
I just replaced `CKM_AES_CBC_PAD` with `CKM_RSA_PKCS` here[1], of course I defined `CKM_RSA_PKCS = 0x00000001` in the code, but still got the following error: *Jul 11 10:42:05 barbican-devstack devstack@barbican-svc.service[19897]: 2018-07-11 10:42:05.309 19900 WARNING barbican.plugin.crypto.p11_crypto [req-f2d27105-4811-4c77-a321-2ac1399cc9d2 b268f84aef814ae* *da17ad3fa38e0049d 7abe0e02baec4df2b6046d7ef7f44998 - default default] Reinitializing PKCS#11 library: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD: P11CryptoPluginException: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD* [1]: https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496 Cheers, Lingxian Kong On Wed, Jul 11, 2018 at 9:18 PM, Ade Lee <a...@redhat.com> wrote: > Lingxian, > > I don't see any reason not to provide support for other wrapping > mechanisms. > > Have you tried hacking the code to use one of the other wrapping > mechanisms to see if it works? Ultimately, what is passed are > parameters to CFFI. As long as you pass in the right input and your > PKCS#11 library can support it, then there should be no problem. > > If it works, it makes sense to make the wrapping algorithm configurable > for the plugin. > > It may or may not make sense to store the wrapping algorithm used in > the secret plugin-metadata if we want to support migration to other > HSMs. > > Ade
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev