search

bentonstark / py-hsm

Python module for accessing PKCS#11 compliant HSMs
Other
57 stars 18 forks source link

CKR_KEY_HANDLE_INVALID in thales DPOD #15

Closed sinu closed 2 years ago

sinu commented 2 years ago

@bentonstark @DominicForrest when i am using thales dpod i am getting the handle error, can we use object id instead of handle?

Traceback (most recent call last):
  File "wraptest.py", line 13, in <module>
    wrap_key_iv=iv)
  File "/usr/local/lib/python3.6/site-packages/pyhsm/hsmclient.py", line 2495, in wrap_key
    raise HsmError(bytes_to_str(msg.value))
pyhsm.hsmerror.HsmError: 'wrap_key: __wrap_key() failed to wrap target key; return value 96 CKR_KEY_HANDLE_INVALID (0x00000060)'

HSM key list 

lunacm:>par con

        The 'Crypto Officer' is currently logged in. Looking for objects
        accessible to the 'Crypto Officer'.

        Object list:

        Label:         Generated AES Key
        Handle:        12
        Object Type:   Symmetric Key
        Usage Limit:   none
        Object UID:    dfcf000026000001ef990800

        Label:         san_pyhsm_test2
        Handle:        11
        Object Type:   Symmetric Key
        Usage Limit:   none
        Object UID:    dacf000026000001ef990800

code 

from pyhsm.hsmclient import HsmClient
from pyhsm.hsmenums import HsmMech
from pyhsm.convert import bytes_to_hex

with HsmClient(slot=3, pin="xxxxxxxxxx", pkcs11_lib="/root/dpod/libs/64/libCryptoki2.so") as c:
  my_key_handle_to_wrap = 11
  my_aes_wrapping_key_handle = 12
  iv = c.generate_random(size=16)

  wrapped_key_bytes = c.wrap_key(key_handle=my_key_handle_to_wrap,
                                 wrap_key_handle=my_aes_wrapping_key_handle,
                                 wrap_key_mech=HsmMech.AES_CBC_PAD,
                                 wrap_key_iv=iv)
  print(bytes_to_hex(wrapped_key_bytes))
bentonstark commented 2 years ago

No idea what a dpod is. Looks like commands are safenet.

Sent from my iPhone

On May 28, 2022, at 9:18 AM, Sanoj Thampi @.***> wrote:

 @bentonstark @DominicForrest when i am using thales dpod i am getting the handle error, can we use object id instead of handle?

Traceback (most recent call last): File "wraptest.py", line 13, in wrap_key_iv=iv) File "/usr/local/lib/python3.6/site-packages/pyhsm/hsmclient.py", line 2495, in wrap_key raise HsmError(bytes_to_str(msg.value)) pyhsm.hsmerror.HsmError: 'wrap_key: __wrap_key() failed to wrap target key; return value 96 CKR_KEY_HANDLE_INVALID (0x00000060)' HSM key list

lunacm:>par con

    The 'Crypto Officer' is currently logged in. Looking for objects
    accessible to the 'Crypto Officer'.

    Object list:

    Label:         Generated AES Key
    Handle:        12
    Object Type:   Symmetric Key
    Usage Limit:   none
    Object UID:    dfcf000026000001ef990800

    Label:         san_pyhsm_test2
    Handle:        11
    Object Type:   Symmetric Key
    Usage Limit:   none
    Object UID:    dacf000026000001ef990800

code

from pyhsm.hsmclient import HsmClient from pyhsm.hsmenums import HsmMech from pyhsm.convert import bytes_to_hex

with HsmClient(slot=3, pin="xxxxxxxxxx", pkcs11_lib="/root/dpod/libs/64/libCryptoki2.so") as c: my_key_handle_to_wrap = 11 my_aes_wrapping_key_handle = 12 iv = c.generate_random(size=16)

wrapped_key_bytes = c.wrap_key(key_handle=my_key_handle_to_wrap, wrap_key_handle=my_aes_wrapping_key_handle, wrap_key_mech=HsmMech.AES_CBC_PAD, wrap_key_iv=iv) print(bytes_to_hex(wrapped_key_bytes))

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.

sinu commented 2 years ago

No idea what a dpod is. Looks like commands are safenet. Sent from my iPhone On May 28, 2022, at 9:18 AM, Sanoj Thampi @.***> wrote:  @bentonstark @DominicForrest when i am using thales dpod i am getting the handle error, can we use object id instead of handle? Traceback (most recent call last): File "wraptest.py", line 13, in wrap_key_iv=iv) File "/usr/local/lib/python3.6/site-packages/pyhsm/hsmclient.py", line 2495, in wrap_key raise HsmError(bytes_to_str(msg.value)) pyhsm.hsmerror.HsmError: 'wrap_key: __wrap_key() failed to wrap target key; return value 96 CKR_KEY_HANDLE_INVALID (0x00000060)' HSM key list lunacm:>par con The 'Crypto Officer' is currently logged in. Looking for objects accessible to the 'Crypto Officer'. Object list: Label: Generated AES Key Handle: 12 Object Type: Symmetric Key Usage Limit: none Object UID: dfcf000026000001ef990800 Label: san_pyhsm_test2 Handle: 11 Object Type: Symmetric Key Usage Limit: none Object UID: dacf000026000001ef990800 code from pyhsm.hsmclient import HsmClient from pyhsm.hsmenums import HsmMech from pyhsm.convert import bytes_to_hex with HsmClient(slot=3, pin="xxxxxxxxxx", pkcs11_lib="/root/dpod/libs/64/libCryptoki2.so") as c: my_key_handle_to_wrap = 11 my_aes_wrapping_key_handle = 12 iv = c.generate_random(size=16) wrapped_key_bytes = c.wrap_key(key_handle=my_key_handle_to_wrap, wrap_key_handle=my_aes_wrapping_key_handle, wrap_key_mech=HsmMech.AES_CBC_PAD, wrap_key_iv=iv) print(bytes_to_hex(wrapped_key_bytes)) — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.

@bentonstark DPOD is a cloud HSM from thales/safenet , yes back-end is safenet luna HSMs

bentonstark commented 2 years ago

Object UID is a proprietary SafeNet extension and does not exist in the PKCS-11 OASIS standard.

http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.pdf

https://thalesdocs.com/gphsm/luna/7.1/docs/pci/Content/lunacm/commands/partition/partition_contents.htm?Highlight=%22object%20uid%22

So I see based on the SafeNet output you can at least query key handles 11 and 12 via the Crypto Officer user using the SafeNet CLI. The default user in py-hsm is CryptoOfficer. There could be several different things going on.

(1) The DPOD client / server expects a very specific user and/or session type. Py-hsm default is HsmUser.CryptoOfficer and HsmSession.ReadWrite.

(2) The SafeNet PKCS-11 API is throwing CKR_KEY_HANDLE_INVALID when really it is a key permission issues. Examples include keys that are not allowed to be wrapped off the device which is the case with most SafeNet HSMs or the wrapping key has incorrect permissions to allow wrap operations. It looks like this DPOD service supports key export configurations but you probably have to specify that when you establish the service since key export is not usually enabled on most HSMs and this is enforced at the firmware / hardware level of the device.

https://data-protection-updates.gemalto.com/2021/02/10/now-available-luna-cloud-hsm-key-export-available-on-dpod/ https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/hsm-on-demand-key-export

(3) You are not accessing the same partition with py-hsm as you are with lunacm CLI and thus the keys are not available to py-hsm. I would start with this first because based on your output I can't see at all which slot you accessed with the SafeNet CLI. In the py-hsm code you reference slot 3.

(4) Something else that is unique to this DPOD HSM model such as it does not support all of the PKCS-11 API operations.

To diagnose the problem, your best bet is to replicate all the operations you want to do using the SafeNet supplied CLI or APIs first and make sure it works.

sinu commented 2 years ago

@bentonstark simple list handle also sending wrong response please see 

lunacm:>par con

        The 'Crypto Officer' is currently logged in. Looking for objects
        accessible to the 'Crypto Officer'.

        Object list:

        Label:         Unwrapped AES Key
        Handle:        1
        Object Type:   Symmetric Key
        Usage Limit:   none
        Object UID:    e5cf000026000001ef990800

        Label:         Generated AES Key
        Handle:        2
        Object Type:   Symmetric Key
        Usage Limit:   none
        Object UID:    dfcf000026000001ef990800

        Label:         san_pyhsm_test2
        Handle:        3
        Object Type:   Symmetric Key
        Usage Limit:   none
        Object UID:    dacf000026000001ef990800

handle list code

i am using below sample to list the handle for key san_pyhsm_test2

[root@viensstower pyhsmtest]# cat gethandle.py
from pyhsm.hsmclient import HsmClient

with HsmClient(slot=3, pin="xxxxx", pkcs11_lib="/root/dpod/libs/64/libCryptoki2.so") as c:
  handle = c.get_object_handle(label="san_pyhsm_test2")
  print(str(handle))

Result i am getting handle as "1" for all the keys 


[root@sviensstower pyhsmtest]# python3 gethandle.py
1
[root@ensstower pyhsmtest]#
bentonstark commented 2 years ago

This appears to be a Linux system. Why did you install the DPOD pkcs-11 shared lib in root? /root/dpod/libs/64/libCryptoki2.so

The lunacm CLI you are using is communicating with the DPOD HSM using SafeNet's proprietary APIs and not the OASIS standards PKCS-11 API. I suspect the PKCS-11 API for this HSM client has some kind of problem because it is connecting correctly but returning bad data. To test that theory you can interact with the HSM client through the PKCS-11 API using other PKCS-11 compliant software.

bentonstark commented 1 year ago

Object UID is a proprietary SafeNet extension and does not exist in the PKCS-11 OASIS standard. http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.pdf https://thalesdocs.com/gphsm/luna/7.1/docs/pci/Content/lunacm/commands/partition/partition_contents.htm?Highlight=%22object%20uid%22

So I see based on the SafeNet output you can at least query key handles 11 and 12 via the Crypto Officer user using the SafeNet CLI. The default user in py-hsm is CryptoOfficer. There could be several different things going on.

(1) The DPOD client / server expects a very specific user and/or session type. Py-hsm default is HsmUser.CryptoOfficer and HsmSession.ReadWrite. (2) The SafeNet PKCS-11 API is throwing CKR_KEY_HANDLE_INVALID when really their is a key permission issues. Examples include keys that are not allowed to be wrapped off the device which is the case with most SafeNet HSMs or the wrapping key has in correct permissions to allow wrap operations. (3) Something else that is unique to this DPOD HSM model such as it does not support all of the PKCS-11 API operations.

To diagnose the problem, your best bet is to replicate all the operations you want to do using the SafeNet supplied CLI or APIs first and make sure it works.

On Sun, May 29, 2022 at 12:37 AM Sanoj Thampi @.***> wrote:

No idea what a dpod is. Looks like commands are safenet. … <#m3810108933710724842> Sent from my iPhone On May 28, 2022, at 9:18 AM, Sanoj Thampi @.***> wrote:  @bentonstark https://github.com/bentonstark @DominicForrest https://github.com/DominicForrest when i am using thales dpod i am getting the handle error, can we use object id instead of handle? Traceback (most recent call last): File "wraptest.py", line 13, in wrap_key_iv=iv) File "/usr/local/lib/python3.6/site-packages/pyhsm/hsmclient.py", line 2495, in wrap_key raise HsmError(bytes_to_str(msg.value)) pyhsm.hsmerror.HsmError: 'wrap_key: __wrap_key() failed to wrap target key; return value 96 CKR_KEY_HANDLE_INVALID (0x00000060)' HSM key list lunacm:>par con The 'Crypto Officer' is currently logged in. Looking for objects accessible to the 'Crypto Officer'. Object list: Label: Generated AES Key Handle: 12 Object Type: Symmetric Key Usage Limit: none Object UID: dfcf000026000001ef990800 Label: san_pyhsm_test2 Handle: 11 Object Type: Symmetric Key Usage Limit: none Object UID: dacf000026000001ef990800 code from pyhsm.hsmclient import HsmClient from pyhsm.hsmenums import HsmMech from pyhsm.convert import bytes_to_hex with HsmClient(slot=3, pin="xxxxxxxxxx", pkcs11_lib="/root/dpod/libs/64/libCryptoki2.so") as c: my_key_handle_to_wrap = 11 my_aes_wrapping_key_handle = 12 iv = c.generate_random(size=16) wrapped_key_bytes = c.wrap_key(key_handle=my_key_handle_to_wrap, wrap_key_handle=my_aes_wrapping_key_handle, wrap_key_mech=HsmMech.AES_CBC_PAD, wrap_key_iv=iv) print(bytes_to_hex(wrapped_key_bytes)) — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.

@bentonstark https://github.com/bentonstark DPOD is a cloud HSM from thales/safenet , yes back-end is safenet luna HSMs

— Reply to this email directly, view it on GitHub https://github.com/bentonstark/py-hsm/issues/15#issuecomment-1140375863, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACXSYQZEZFYNNESDCLKS5S3VMLX7FANCNFSM5XGUONZQ . You are receiving this because you were mentioned.Message ID: @.***>