Re: [openstack-dev] [barbican] Can we support key wrapping mechanisms other than CKM_AES_CBC_PAD?
You probably also need to change the parameters being added to the
structure to match the chosen padding mechanism.

    mech = self.ffi.new("CK_MECHANISM *")
    mech.mechanism = CKM_AES_CBC_PAD
    iv = self._generate_random(16, session)
    mech.parameter = iv
    mech.parameter_len = 16

CKR_ARGUMENTS_BAD probably indicates that what's in mech.parameter
is bad.

On Wed, 2018-07-11 at 22:59 +1200, Lingxian Kong wrote:
> BTW, I am using `CKM_RSA_PKCS` because it's the only one of the
> suggested mechanisms that SoftHSM supports according to the output of
> `pkcs11-tool --module libsofthsm2.so --slot $slot --list-mechanisms`.
>
>     $ pkcs11-tool --module libsofthsm2.so --slot $slot --list-mechanisms
>     ...
>     RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
>     ...
>
> Cheers,
> Lingxian Kong
>
> On Wed, Jul 11, 2018 at 10:48 PM, Lingxian Kong wrote:
> > Hi Ade,
> >
> > Thanks for your reply.
> >
> > I just replaced `CKM_AES_CBC_PAD` with `CKM_RSA_PKCS` here[1], of
> > course I defined `CKM_RSA_PKCS = 0x0001` in the code, but still
> > got the following error:
> >
> >     Jul 11 10:42:05 barbican-devstack devstack@barbican-svc.service[19897]: 2018-07-11 10:42:05.309 19900 WARNING barbican.plugin.crypto.p11_crypto [req-f2d27105-4811-4c77-a321-2ac1399cc9d2 b268f84aef814aeda17ad3fa38e0049d 7abe0e02baec4df2b6046d7ef7f44998 - default default] Reinitializing PKCS#11 library: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD: P11CryptoPluginException: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD
> >
> > [1]: https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496
> >
> > Cheers,
> > Lingxian Kong
> >
> > On Wed, Jul 11, 2018 at 9:18 PM, Ade Lee wrote:
> > > Lingxian,
> > >
> > > I don't see any reason not to provide support for other wrapping
> > > mechanisms.
> > >
> > > Have you tried hacking the code to use one of the other wrapping
> > > mechanisms to see if it works? Ultimately, what is passed are
> > > parameters to CFFI. As long as you pass in the right input and
> > > your PKCS#11 library can support it, then there should be no
> > > problem.
> > >
> > > If it works, it makes sense to make the wrapping algorithm
> > > configurable for the plugin.
> > >
> > > It may or may not make sense to store the wrapping algorithm used
> > > in the secret plugin-metadata if we want to support migration to
> > > other HSMs.
> > >
> > > Ade

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
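
Added example (not Barbican's code and not written by anyone in the thread): the reply above says the mechanism parameter has to match the mechanism, so this sketch builds the parameter per mechanism and flags the case where only the mechanism type was changed. It relies on CKM_AES_CBC_PAD taking a 16-byte IV and CKM_RSA_PKCS taking no parameter; CKMechanism, EXPECTED_PARAM_LEN, build_wrap_mechanism, parameter_problem and swap_type_only are hypothetical names, and CKMechanism is a ctypes stand-in for the CFFI structure in the snippet.

```python
import ctypes
import os

# Mechanism type values as defined in the PKCS#11 header pkcs11t.h.
CKM_RSA_PKCS = 0x00000001
CKM_AES_CBC_PAD = 0x00001085

# Parameter size in bytes each mechanism expects (constructed table that
# covers only the two mechanisms this message is about).
EXPECTED_PARAM_LEN = {
    CKM_AES_CBC_PAD: 16,  # IV, one AES block
    CKM_RSA_PKCS: 0,      # no parameter: NULL pointer and length 0
}

class CKMechanism(ctypes.Structure):
    """ctypes stand-in for CK_MECHANISM, with the snippet's field names."""
    _fields_ = [("mechanism", ctypes.c_ulong),
                ("parameter", ctypes.c_void_p),
                ("parameter_len", ctypes.c_ulong)]

def build_wrap_mechanism(mech_type, rng=os.urandom):
    """Return (mech, buf); keep buf referenced while mech is in use."""
    size = EXPECTED_PARAM_LEN[mech_type]  # KeyError for unlisted mechanisms
    mech = CKMechanism(mechanism=mech_type, parameter=None, parameter_len=0)
    buf = None
    if size:
        buf = (ctypes.c_char * size).from_buffer_copy(rng(size))
        mech.parameter = ctypes.addressof(buf)
        mech.parameter_len = size
    return mech, buf

def parameter_problem(mech):
    """Return None if the parameter fits the mechanism, else a description."""
    expected = EXPECTED_PARAM_LEN.get(mech.mechanism)
    if expected is None:
        return "no parameter rule for mechanism 0x%x" % mech.mechanism
    if mech.parameter_len != expected or (mech.parameter is None) != (expected == 0):
        return "mechanism 0x%x expects %d parameter bytes, got %d" % (
            mech.mechanism, expected, mech.parameter_len)
    return None

def swap_type_only():
    """Change only the mechanism type and leave the 16-byte IV in place."""
    mech, buf = build_wrap_mechanism(CKM_AES_CBC_PAD)
    mech.mechanism = CKM_RSA_PKCS
    return parameter_problem(mech)
```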
Re: [openstack-dev] [barbican] Can we support key wrapping mechanisms other than CKM_AES_CBC_PAD?
BTW, I am using `CKM_RSA_PKCS` because it's the only one of the suggested
mechanisms that SoftHSM supports according to the output of
`pkcs11-tool --module libsofthsm2.so --slot $slot --list-mechanisms`.

    $ pkcs11-tool --module libsofthsm2.so --slot $slot --list-mechanisms
    ...
    RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
    ...

Cheers,
Lingxian Kong

On Wed, Jul 11, 2018 at 10:48 PM, Lingxian Kong wrote:
> Hi Ade,
>
> Thanks for your reply.
>
> I just replaced `CKM_AES_CBC_PAD` with `CKM_RSA_PKCS` here[1], of course I
> defined `CKM_RSA_PKCS = 0x0001` in the code, but still got the
> following error:
>
>     Jul 11 10:42:05 barbican-devstack devstack@barbican-svc.service[19897]: 2018-07-11 10:42:05.309 19900 WARNING barbican.plugin.crypto.p11_crypto [req-f2d27105-4811-4c77-a321-2ac1399cc9d2 b268f84aef814aeda17ad3fa38e0049d 7abe0e02baec4df2b6046d7ef7f44998 - default default] Reinitializing PKCS#11 library: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD: P11CryptoPluginException: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD
>
> [1]: https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496
>
> Cheers,
> Lingxian Kong
>
> On Wed, Jul 11, 2018 at 9:18 PM, Ade Lee wrote:
> > Lingxian,
> >
> > I don't see any reason not to provide support for other wrapping
> > mechanisms.
> >
> > Have you tried hacking the code to use one of the other wrapping
> > mechanisms to see if it works? Ultimately, what is passed are
> > parameters to CFFI. As long as you pass in the right input and your
> > PKCS#11 library can support it, then there should be no problem.
> >
> > If it works, it makes sense to make the wrapping algorithm configurable
> > for the plugin.
> >
> > It may or may not make sense to store the wrapping algorithm used in
> > the secret plugin-metadata if we want to support migration to other
> > HSMs.
> >
> > Ade
Re: [openstack-dev] [barbican] Can we support key wrapping mechanisms other than CKM_AES_CBC_PAD?
Hi Ade,

Thanks for your reply.

I just replaced `CKM_AES_CBC_PAD` with `CKM_RSA_PKCS` here[1], of course I
defined `CKM_RSA_PKCS = 0x0001` in the code, but still got the following
error:

    Jul 11 10:42:05 barbican-devstack devstack@barbican-svc.service[19897]: 2018-07-11 10:42:05.309 19900 WARNING barbican.plugin.crypto.p11_crypto [req-f2d27105-4811-4c77-a321-2ac1399cc9d2 b268f84aef814aeda17ad3fa38e0049d 7abe0e02baec4df2b6046d7ef7f44998 - default default] Reinitializing PKCS#11 library: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD: P11CryptoPluginException: HSM returned response code: 0x7L CKR_ARGUMENTS_BAD

[1]: https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496

Cheers,
Lingxian Kong

On Wed, Jul 11, 2018 at 9:18 PM, Ade Lee wrote:
> Lingxian,
>
> I don't see any reason not to provide support for other wrapping
> mechanisms.
>
> Have you tried hacking the code to use one of the other wrapping
> mechanisms to see if it works? Ultimately, what is passed are
> parameters to CFFI. As long as you pass in the right input and your
> PKCS#11 library can support it, then there should be no problem.
>
> If it works, it makes sense to make the wrapping algorithm configurable
> for the plugin.
>
> It may or may not make sense to store the wrapping algorithm used in
> the secret plugin-metadata if we want to support migration to other
> HSMs.
>
> Ade
Re: [openstack-dev] [barbican] Can we support key wrapping mechanisms other than CKM_AES_CBC_PAD?
Lingxian,

I don't see any reason not to provide support for other wrapping
mechanisms.

Have you tried hacking the code to use one of the other wrapping
mechanisms to see if it works? Ultimately, what is passed are
parameters to CFFI. As long as you pass in the right input and your
PKCS#11 library can support it, then there should be no problem.

If it works, it makes sense to make the wrapping algorithm configurable
for the plugin.

It may or may not make sense to store the wrapping algorithm used in
the secret plugin-metadata if we want to support migration to other
HSMs.

Ade

On Sat, 2018-07-07 at 12:54 +1200, Lingxian Kong wrote:
> Hi Barbican guys,
>
> Currently, I am testing the integration between Barbican and SoftHSM
> v2 but I met with a problem that SoftHSM v2 doesn't
> support CKM_AES_CBC_PAD key wrapping operation which is hardcoded in
> Barbican code here
> https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496.
> After discussion with SoftHSM team, I was told SoftHSM does
> support other mechanisms such as CKM_AES_KEY_WRAP,
> CKM_AES_KEY_WRAP_PAD, CKM_RSA_PKCS, or CKM_RSA_PKCS_OAEP.
>
> My question is, is it easy to support other wrapping mechanisms in
> Barbican? Or is there another workaround for this problem?
>
> Cheers,
> Lingxian Kong
[openstack-dev] [barbican] Can we support key wrapping mechanisms other than CKM_AES_CBC_PAD?
Hi Barbican guys,

Currently, I am testing the integration between Barbican and SoftHSM v2
but I met with a problem that SoftHSM v2 doesn't support CKM_AES_CBC_PAD
key wrapping operation which is hardcoded in Barbican code here
https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496.
After discussion with SoftHSM team, I was told SoftHSM does support other
mechanisms such as CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD, CKM_RSA_PKCS,
or CKM_RSA_PKCS_OAEP.

My question is, is it easy to support other wrapping mechanisms in
Barbican? Or is there another workaround for this problem?

Cheers,
Lingxian Kong