bentonstark / py-hsm

Python module for accessing PKCS#11 compliant HSMs

HsmSymKeyType and Hsm.Mech both fail #1

Closed 54-68-65-20-53-74-61-67 closed 7 years ago

54-68-65-20-53-74-61-67 commented 7 years ago

Hello,

I'm hoping you're still supporting this project and could offer assistance. We are trying to either unwrap or import a key to an HSM. Every time we get CKR_ATTRIBUTE_TYPE_INVALID (import) or CKR_MECHANISM_PARAM_INVALID (unwrap). From what I can see it's how the hsmenums module translates the text.

Other things seem to work, like create_secret_key()

We are working on RHEL 5.7, with a SafeNet HSM.

bentonstark commented 7 years ago

Yes, I can provide you some support. The CKR_ATTRIBUTE_TYPE_INVALID error code usually means something is wrong with the key you are attempting to import and unwrap (decrypt) on the HSM. It could be as simple as selecting the wrong padding algorithm. Where did this key come from you are attempting to import (e.g. an HSM, software, given to you)? Is it encrypted or is it cleartext, and if encrypted do you know the algorithm and padding used to encrypt (wrap) it? What type of key is it (RSA, EC, AES, DES3, etc.)?

Benton


54-68-65-20-53-74-61-67 commented 7 years ago

We'd be using AES Keys.

Here's how I'm accepting for import_secret_key():

def import_key():

    par_passwd = get_par_password()

    label = input("Please specify a key label: ")
    ckd = input("Please specify 'Clear-text Key data': ")
    ckd = str.encode(ckd)
    slot = input("Please enter slot: ")
    slot = int(slot)

    try:
        with HsmClient(slot=slot, pin=par_passwd) as c:
            key_handle = c.import_secret_key(key_label=label,
                                             key_type=HsmSymKeyType.AES,
                                             clear_key_data=ckd,
                                             key_size_in_bits=256)
            print(key_handle)
    except Exception as e:
        print("Failed to import AES Key.\n\n{}".format(e))

and unwrap_secret_key():

def unwrap_key():

    par_passwd = get_par_password()

    wkh = input("Please specify (integer) 'handle of the wrapping key to use': ")
    wki = input("Please specify 'wrapping key initialization vector': ")
    wki = str.encode(wki)
    kl = input("Please specify 'text label for the symmetric key': ")
    kd = input("Please specify 'encrypted (wrapped) key data': ")
    kd = str.encode(kd)
    slot = input("Please enter slot: ")
    slot = int(slot)

    try:
        with HsmClient(slot=slot, pin=par_passwd) as c:
            hkey = c.unwrap_secret_key(wrap_key_handle=int(wkh),
                                       wrap_key_mech=HsmMech.AES_CBC_PAD,
                                       wrap_key_iv=wki,
                                       key_label=kl,
                                       key_data=kd)
            print(hkey)
    except Exception as e:
        print("Failed to unwrap Key\n\n.{}".format(e))

bentonstark commented 7 years ago

So the data for the key you are accepting appears to be console input, which is going to prompt the user for ASCII data. The only way that will work is if the user supplies the AES key using some kind of encoding like hex or base64. Then after reading the encoded binary AES key the program will need to decode it to get the actual key byte array. In other words, instead of str.encode() you need to use base64.b64decode(ckd).

https://docs.python.org/3/library/base64.html

To reflect this in your program and that it only accepts an AES 256-bit key, you should prompt with something like the following.

ckd = input("Please specify 'AES-256 base64 encoded Clear-text Key data': ")

The unwrap code has a similar encoding problem.

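The decoding step described in the reply above, as an added example that is not part of the original thread or of py-hsm. The helper names (`decode_key_material`, `parse_aes_key`, `parse_cbc_iv`) and the sample key are constructed for illustration; the bytes they return are what would be passed as `clear_key_data`, `wrap_key_iv` or `key_data`.

```python
import base64
import binascii

AES_KEY_LENGTHS = (16, 24, 32)   # AES-128/192/256 key sizes in bytes
AES_BLOCK_SIZE = 16              # AES-CBC IV length in bytes


def decode_key_material(text, encoding="base64"):
    """Turn operator-typed hex or base64 text into the raw bytes it encodes."""
    text = text.strip()
    try:
        if encoding == "hex":
            return binascii.unhexlify(text)
        if encoding == "base64":
            # validate=True rejects characters outside the base64 alphabet
            return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("input is not valid {}".format(encoding)) from exc
    raise ValueError("unsupported encoding: {}".format(encoding))


def parse_aes_key(text, key_size_in_bits=256, encoding="base64"):
    """Decode a clear-text AES key and check it matches the declared size."""
    key = decode_key_material(text, encoding)
    if len(key) * 8 != key_size_in_bits or len(key) not in AES_KEY_LENGTHS:
        raise ValueError("decoded key is {} bytes, expected {}".format(
            len(key), key_size_in_bits // 8))
    return key


def parse_cbc_iv(text, encoding="hex"):
    """Decode an IV for AES-CBC, which must be exactly one block long."""
    iv = decode_key_material(text, encoding)
    if len(iv) != AES_BLOCK_SIZE:
        raise ValueError("IV is {} bytes, expected 16".format(len(iv)))
    return iv


# Constructed sample: a 32-byte test pattern, never a real key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_KEY).decode("ascii")

if __name__ == "__main__":
    # Lengths only; key bytes are never echoed to the console.
    print(len(str.encode(SAMPLE_B64)))     # bytes of the typed text
    print(len(parse_aes_key(SAMPLE_B64)))  # bytes of the decoded key
```

A 32-character hex string passed through `str.encode()` is exactly 32 bytes long, so a length check on the undecoded text cannot catch the mistake; the check has to run on the decoded bytes.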