You probably also need to change the parameters being added to the structure to match the chosen padding mechanism.

    mech = self.ffi.new("CK_MECHANISM *")
    mech.mechanism = CKM_AES_CBC_PAD
    iv = self._generate_random(16, session)
    mech.parameter = iv
    mech.parameter_len = 16

CKR_ARGUMENTS_BAD probably indicates that what's in mech.parameter
is bad.

On Wed, 2018-07-11 at 22:59 +1200, Lingxian Kong wrote:
> BTW, I am using `CKM_RSA_PKCS` because it's the only one of the
> suggested mechanisms that SoftHSM supports according to the output of
> `pkcs11-tool --module libsofthsm2.so ---slot $slot --list-mechanisms`.
>
> $ pkcs11-tool --module libsofthsm2.so ---slot $slot --list-mechanisms
> ...
> RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
> ...
>
> Cheers,
> Lingxian Kong
>
> On Wed, Jul 11, 2018 at 10:48 PM, Lingxian Kong <anlin.k...@gmail.com> wrote:
> > Hi Ade,
> >
> > Thanks for your reply.
> >
> > I just replaced `CKM_AES_CBC_PAD` with `CKM_RSA_PKCS` here[1], of
> > course I defined `CKM_RSA_PKCS = 0x00000001` in the code, but still
> > got the following error:
> >
> > Jul 11 10:42:05 barbican-devstack devstack@barbican-svc.service[19897]: 2018-07-11 10:42:05.309 19900 WARNING barbican.plugin.crypto.p11_crypto [req-f2d27105-4811-4c77-a321-2ac1399cc9d2 b268f84aef814aeda17ad3fa38e0049d 7abe0e02baec4df2b6046d7ef7f44998 - default default] Reinitializing PKCS#11 library: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD: P11CryptoPluginException: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD
> >
> > [1]: https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496
> >
> > Cheers,
> > Lingxian Kong
> >
> > On Wed, Jul 11, 2018 at 9:18 PM, Ade Lee <a...@redhat.com> wrote:
> > > Lingxian,
> > >
> > > I don't see any reason not to provide support for other wrapping
> > > mechanisms.
> > >
> > > Have you tried hacking the code to use one of the other wrapping
> > > mechanisms to see if it works? Ultimately, what is passed are
> > > parameters to CFFI. As long as you pass in the right input and your
> > > PKCS#11 library can support it, then there should be no problem.
> > >
> > > If it works, it makes sense to make the wrapping algorithm
> > > configurable for the plugin.
> > >
> > > It may or may not make sense to store the wrapping algorithm used in
> > > the secret plugin-metadata if we want to support migration to other
> > > HSMs.
> > >
> > > Ade

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
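
An added example, not part of the thread and not Barbican code: a pre-flight check that the CK_MECHANISM parameter matches the mechanism type, which is the point made at the top of this message. It uses ctypes instead of Barbican's CFFI binding, and `build_mechanism` and `PARAM_LEN` are hypothetical names; the rules encoded are that CKM_AES_CBC_PAD takes a 16-byte IV and CKM_RSA_PKCS takes no parameter.

```python
import ctypes
import os

# Mechanism type values from the PKCS#11 specification.
CKM_RSA_PKCS = 0x00000001
CKM_AES_CBC_PAD = 0x00001085


class CK_MECHANISM(ctypes.Structure):
    # Field names follow the snippet in the thread; the PKCS#11 header
    # names them mechanism, pParameter and ulParameterLen.
    _fields_ = [
        ("mechanism", ctypes.c_ulong),
        ("parameter", ctypes.c_void_p),
        ("parameter_len", ctypes.c_ulong),
    ]


# Required parameter length per mechanism; None means "no parameter".
# Hypothetical table covering only the two mechanisms named in the thread.
PARAM_LEN = {CKM_AES_CBC_PAD: 16, CKM_RSA_PKCS: None}


def build_mechanism(mech_type, param=None):
    """Return (CK_MECHANISM, keepalive buffer) or raise ValueError."""
    if mech_type not in PARAM_LEN:
        raise ValueError("no parameter rule for mechanism 0x%x" % mech_type)
    want = PARAM_LEN[mech_type]
    mech = CK_MECHANISM()
    mech.mechanism = mech_type
    if want is None:
        if param is not None:
            raise ValueError("mechanism 0x%x takes no parameter" % mech_type)
        mech.parameter = None  # NULL pointer
        mech.parameter_len = 0
        return mech, None
    if param is None or len(param) != want:
        raise ValueError("mechanism 0x%x needs %d bytes" % (mech_type, want))
    buf = (ctypes.c_char * want).from_buffer_copy(param)
    mech.parameter = ctypes.cast(buf, ctypes.c_void_p)
    mech.parameter_len = want
    return mech, buf  # caller keeps buf alive while mech is in use


if __name__ == "__main__":
    iv = os.urandom(16)  # constructed sample IV
    aes, _buf = build_mechanism(CKM_AES_CBC_PAD, iv)
    rsa, _ = build_mechanism(CKM_RSA_PKCS)
    print(aes.parameter_len, rsa.parameter_len)
```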