Closed sinu closed 2 years ago
No idea what a dpod is. Looks like commands are safenet.
On May 28, 2022, at 9:18 AM, Sanoj Thampi @.***> wrote:
@bentonstark @DominicForrest When I am using Thales DPoD I am getting the handle error; can we use object ID instead of handle?
Traceback (most recent call last):
  File "wraptest.py", line 13, in <module>
    wrap_key_iv=iv)
  File "/usr/local/lib/python3.6/site-packages/pyhsm/hsmclient.py", line 2495, in wrap_key
    raise HsmError(bytes_to_str(msg.value))
pyhsm.hsmerror.HsmError: 'wrap_key: __wrap_key() failed to wrap target key; return value 96 CKR_KEY_HANDLE_INVALID (0x00000060)'
HSM key list
lunacm:>par con
The 'Crypto Officer' is currently logged in. Looking for objects
accessible to the 'Crypto Officer'.
Object list:
Label: Generated AES Key
Handle: 12
Object Type: Symmetric Key
Usage Limit: none
Object UID: dfcf000026000001ef990800
Label: san_pyhsm_test2
Handle: 11
Object Type: Symmetric Key
Usage Limit: none
Object UID: dacf000026000001ef990800
code
from pyhsm.hsmclient import HsmClient
from pyhsm.hsmenums import HsmMech
from pyhsm.convert import bytes_to_hex

with HsmClient(slot=3, pin="xxxxxxxxxx", pkcs11_lib="/root/dpod/libs/64/libCryptoki2.so") as c:
    my_key_handle_to_wrap = 11
    my_aes_wrapping_key_handle = 12
    iv = c.generate_random(size=16)

    wrapped_key_bytes = c.wrap_key(key_handle=my_key_handle_to_wrap,
                                   wrap_key_handle=my_aes_wrapping_key_handle,
                                   wrap_key_mech=HsmMech.AES_CBC_PAD,
                                   wrap_key_iv=iv)
    print(bytes_to_hex(wrapped_key_bytes))
@bentonstark DPoD is a cloud HSM from Thales/SafeNet; yes, the back-end is SafeNet Luna HSMs.
Object UID is a proprietary SafeNet extension and does not exist in the PKCS-11 OASIS standard.
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.pdf
So I see based on the SafeNet output you can at least query key handles 11 and 12 via the Crypto Officer user using the SafeNet CLI. The default user in py-hsm is CryptoOfficer. There could be several different things going on.
(1) The DPOD client / server expects a very specific user and/or session type. Py-hsm default is HsmUser.CryptoOfficer and HsmSession.ReadWrite.
(2) The SafeNet PKCS-11 API is throwing CKR_KEY_HANDLE_INVALID when really it is a key permission issue. Examples include keys that are not allowed to be wrapped off the device, which is the case with most SafeNet HSMs, or a wrapping key whose permissions do not allow wrap operations. It looks like this DPOD service supports key export configurations, but you probably have to specify that when you establish the service, since key export is not usually enabled on most HSMs and this is enforced at the firmware / hardware level of the device.
https://data-protection-updates.gemalto.com/2021/02/10/now-available-luna-cloud-hsm-key-export-available-on-dpod/ https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/hsm-on-demand-key-export
(3) You are not accessing the same partition with py-hsm as you are with lunacm CLI and thus the keys are not available to py-hsm. I would start with this first because based on your output I can't see at all which slot you accessed with the SafeNet CLI. In the py-hsm code you reference slot 3.
(4) Something else that is unique to this DPOD HSM model such as it does not support all of the PKCS-11 API operations.
To diagnose the problem, your best bet is to replicate all the operations you want to do using the SafeNet supplied CLI or APIs first and make sure it works.
@bentonstark A simple handle listing is also sending a wrong response; please see:
lunacm:>par con
The 'Crypto Officer' is currently logged in. Looking for objects
accessible to the 'Crypto Officer'.
Object list:
Label: Unwrapped AES Key
Handle: 1
Object Type: Symmetric Key
Usage Limit: none
Object UID: e5cf000026000001ef990800
Label: Generated AES Key
Handle: 2
Object Type: Symmetric Key
Usage Limit: none
Object UID: dfcf000026000001ef990800
Label: san_pyhsm_test2
Handle: 3
Object Type: Symmetric Key
Usage Limit: none
Object UID: dacf000026000001ef990800
handle list code
I am using the sample below to list the handle for key san_pyhsm_test2:
[root@viensstower pyhsmtest]# cat gethandle.py
from pyhsm.hsmclient import HsmClient
with HsmClient(slot=3, pin="xxxxx", pkcs11_lib="/root/dpod/libs/64/libCryptoki2.so") as c:
    handle = c.get_object_handle(label="san_pyhsm_test2")
    print(str(handle))
Result: I am getting handle "1" for all the keys.
[root@sviensstower pyhsmtest]# python3 gethandle.py
1
[root@ensstower pyhsmtest]#
This appears to be a Linux system. Why did you install the DPOD pkcs-11 shared lib in root? /root/dpod/libs/64/libCryptoki2.so
The lunacm CLI you are using is communicating with the DPOD HSM using SafeNet's proprietary APIs and not the OASIS standards PKCS-11 API. I suspect the PKCS-11 API for this HSM client has some kind of problem because it is connecting correctly but returning bad data. To test that theory you can interact with the HSM client through the PKCS-11 API using other PKCS-11 compliant software.
Object UID is a proprietary SafeNet extension and does not exist in the PKCS-11 OASIS standard. http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.pdf https://thalesdocs.com/gphsm/luna/7.1/docs/pci/Content/lunacm/commands/partition/partition_contents.htm?Highlight=%22object%20uid%22
So I see based on the SafeNet output you can at least query key handles 11 and 12 via the Crypto Officer user using the SafeNet CLI. The default user in py-hsm is CryptoOfficer. There could be several different things going on.
(1) The DPOD client / server expects a very specific user and/or session type. Py-hsm default is HsmUser.CryptoOfficer and HsmSession.ReadWrite.
(2) The SafeNet PKCS-11 API is throwing CKR_KEY_HANDLE_INVALID when really there is a key permission issue. Examples include keys that are not allowed to be wrapped off the device, which is the case with most SafeNet HSMs, or a wrapping key with incorrect permissions to allow wrap operations.
(3) Something else that is unique to this DPOD HSM model, such as it does not support all of the PKCS-11 API operations.
To diagnose the problem, your best bet is to replicate all the operations you want to do using the SafeNet supplied CLI or APIs first and make sure it works.
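The two diagnosis comments above ask the reporter to verify, before calling wrap_key, that the label resolves to a single handle in the slot actually being opened and that the key attributes permit a wrap at all. The following is an added example, not py-hsm or Thales code: an offline model of those pre-flight checks. SLOT3_OBJECTS is a constructed in-memory copy of the lunacm "par con" listing with assumed attribute values; on a real token the same attributes would be read with C_GetAttributeValue through the PKCS#11 library.

```python
# Added example (not py-hsm/Thales code). Offline model of the checks a caller
# should run before C_WrapKey: does the handle exist in *this* slot, and do the
# key attributes allow the wrap. Attribute values below are assumed, not real.

# Constructed model of slot 3 after the keys were recreated (handles 1..3).
SLOT3_OBJECTS = {
    1: {"CKA_LABEL": "Unwrapped AES Key", "CKA_EXTRACTABLE": True,
        "CKA_WRAP": False, "CKA_WRAP_WITH_TRUSTED": False, "CKA_TRUSTED": False},
    2: {"CKA_LABEL": "Generated AES Key", "CKA_EXTRACTABLE": False,
        "CKA_WRAP": True, "CKA_WRAP_WITH_TRUSTED": False, "CKA_TRUSTED": False},
    3: {"CKA_LABEL": "san_pyhsm_test2", "CKA_EXTRACTABLE": False,
        "CKA_WRAP": False, "CKA_WRAP_WITH_TRUSTED": False, "CKA_TRUSTED": False},
}


def find_objects_by_label(objects, label):
    """Every handle whose CKA_LABEL matches, like C_FindObjects with a label template."""
    return [h for h, attrs in objects.items() if attrs.get("CKA_LABEL") == label]


def resolve_handle(objects, label):
    """Resolve a label to exactly one handle. A lookup that quietly returns the first
    object found (the 'handle 1 for every key' result in the thread) is treated as a bug."""
    matches = find_objects_by_label(objects, label)
    if len(matches) != 1:
        raise LookupError(f"{label!r}: expected exactly 1 object, found {len(matches)}")
    return matches[0]


def wrap_preconditions(objects, target_handle, wrap_handle):
    """Reasons a C_WrapKey(wrapping_key, target) on this slot would be refused; [] if none."""
    target, wrapper = objects.get(target_handle), objects.get(wrap_handle)
    problems = []
    if target is None:   # handle from another partition/session: CKR_KEY_HANDLE_INVALID
        problems.append(f"handle {target_handle}: no such object in this slot")
    if wrapper is None:  # CKR_WRAPPING_KEY_HANDLE_INVALID
        problems.append(f"handle {wrap_handle}: no such wrapping key in this slot")
    if problems:
        return problems
    if not target.get("CKA_EXTRACTABLE", False):
        problems.append(f"handle {target_handle}: CKA_EXTRACTABLE is FALSE, key may not leave the device")
    if not wrapper.get("CKA_WRAP", False):
        problems.append(f"handle {wrap_handle}: CKA_WRAP is FALSE, key may not wrap other keys")
    if target.get("CKA_WRAP_WITH_TRUSTED", False) and not wrapper.get("CKA_TRUSTED", False):
        problems.append(f"handle {target_handle}: requires a CKA_TRUSTED wrapping key")
    return problems


if __name__ == "__main__":
    # The thread's original call used handles 11 and 12 in slot 3: neither exists there.
    print(wrap_preconditions(SLOT3_OBJECTS, 11, 12))
    h = resolve_handle(SLOT3_OBJECTS, "san_pyhsm_test2")
    print(h, wrap_preconditions(SLOT3_OBJECTS, h, 2))
```

Running it shows the two separate failure classes the thread conflates: handles that are simply not in the slot, and a key that resolves fine but is not extractable.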