Open v1sion opened 2 years ago
Hi @mode51software, great work on the plugin btw!!
I was trying to use the plugin to generate keys on the AWS CloudHSM, but I'm getting a CKR_ATTRIBUTE_VALUE_INVALID during the key creation.
By its documentation, CloudHSM does not support all attributes (https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-attributes.html, https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-pkcs11-sdk.html), but I'm able to generate the keys using pkcs11-tool, even though there is a similar warning; the keys are created.
Any idea what could be?
Thanks @v1sion
I'll give it a go
Hey @mode51software think I found the issue, is in the pkcs11helper rather than here.
According to the CloudHSM documentation the CKA_MODIFIABLE attribute default value is TRUE, and there is a caveat: "This attribute is partially supported by the firmware and must be explicitly set only to the default value."
Also, taking a look at the PKCS#11 documentation, the CKA_MODIFIABLE default should be TRUE.
But in pkcs11helper (https://github.com/mode51software/pkcs11helper/blob/master/pkg/pkcs11client/keyconfig.go#L191) this value is set to false.
So changing this default should fix it.
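The failure described above is easy to reproduce locally before any HSM call is made. The following is an added example, not code from the plugin or from pkcs11helper: a pre-flight check over a PKCS#11 key template that applies the CloudHSM rule quoted in the thread (CKA_MODIFIABLE may only be set to its default, CK_TRUE) and a helper that rewrites the template the way PR #21 changed the default. The `Attribute` type is an assumption that mirrors the (type, value) shape of a CK_ATTRIBUTE; the constant values are the standard PKCS#11 ones, and the template contents are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// PKCS#11 attribute types and return value used below (PKCS#11 v2.40 values).
const (
	CKA_TOKEN       uint = 0x00000001
	CKA_PRIVATE     uint = 0x00000002
	CKA_LABEL       uint = 0x00000003
	CKA_SENSITIVE   uint = 0x00000103
	CKA_SIGN        uint = 0x00000108
	CKA_EXTRACTABLE uint = 0x00000162
	CKA_MODIFIABLE  uint = 0x00000170

	CKR_OK                      uint = 0x00000000
	CKR_ATTRIBUTE_VALUE_INVALID uint = 0x00000013
)

// Attribute mirrors the (type, value) pair of a CK_ATTRIBUTE (assumed shape,
// not the project's type). CK_BBOOL values are one byte: 0x00 false, 0x01 true.
type Attribute struct {
	Type  uint
	Value []byte
}

func boolAttr(t uint, v bool) Attribute {
	b := byte(0)
	if v {
		b = 1
	}
	return Attribute{Type: t, Value: []byte{b}}
}

// CheckCloudHSMTemplate enforces the CloudHSM caveat from the thread:
// CKA_MODIFIABLE is only partially supported and, if present, must carry its
// default value CK_TRUE. A template that sets it to CK_FALSE is rejected here
// with the same return code the HSM reported, CKR_ATTRIBUTE_VALUE_INVALID.
// Templates that omit CKA_MODIFIABLE pass, since the HSM then applies the default.
func CheckCloudHSMTemplate(tmpl []Attribute) (uint, error) {
	for _, a := range tmpl {
		if a.Type != CKA_MODIFIABLE {
			continue
		}
		if len(a.Value) != 1 {
			return CKR_ATTRIBUTE_VALUE_INVALID,
				fmt.Errorf("CKA_MODIFIABLE: expected 1-byte CK_BBOOL, got %d bytes", len(a.Value))
		}
		if a.Value[0] == 0 {
			return CKR_ATTRIBUTE_VALUE_INVALID,
				errors.New("CKA_MODIFIABLE=CK_FALSE is not accepted by CloudHSM; use the default CK_TRUE or omit the attribute")
		}
	}
	return CKR_OK, nil
}

// WithModifiableDefault returns a copy of the template in which CKA_MODIFIABLE
// is forced to CK_TRUE, i.e. the fix the thread arrived at. Other attributes
// are left untouched.
func WithModifiableDefault(tmpl []Attribute) []Attribute {
	out := make([]Attribute, 0, len(tmpl))
	for _, a := range tmpl {
		if a.Type == CKA_MODIFIABLE {
			a = boolAttr(CKA_MODIFIABLE, true)
		}
		out = append(out, a)
	}
	return out
}

// PrivateKeyTemplate builds a constructed private-key template of the kind a
// C_GenerateKeyPair caller would pass; `modifiable` stands in for the library
// default that the thread identified as the problem.
func PrivateKeyTemplate(label string, modifiable bool) []Attribute {
	return []Attribute{
		boolAttr(CKA_TOKEN, true),
		boolAttr(CKA_PRIVATE, true),
		{Type: CKA_LABEL, Value: []byte(label)},
		boolAttr(CKA_SENSITIVE, true),
		boolAttr(CKA_EXTRACTABLE, false),
		boolAttr(CKA_SIGN, true),
		boolAttr(CKA_MODIFIABLE, modifiable),
	}
}

func main() {
	old := PrivateKeyTemplate("vault-ca", false) // old default: CKA_MODIFIABLE=false
	rv, err := CheckCloudHSMTemplate(old)
	fmt.Printf("old default: rv=0x%02x err=%v\n", rv, err)

	fixed := WithModifiableDefault(old) // CKA_MODIFIABLE forced to CK_TRUE
	rv, err = CheckCloudHSMTemplate(fixed)
	fmt.Printf("fixed:       rv=0x%02x err=%v\n", rv, err)
}
```

Running the check in the client before the PKCS#11 call turns an opaque CKR_ATTRIBUTE_VALUE_INVALID from the HSM into a message that names the offending attribute, which is what this thread had to work out by hand.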
Hi @v1sion good spot.
Apologies for being slow. I have created a CloudHSM cluster on AWS but not tested yet.
I did a quick test and it looks like it fixed the issue: https://github.com/mode51software/pkcs11helper/pull/21. Let me know if it works for you!
Btw, when testing the CloudHSM with pkcs11-tool I was only able to generate keys using SDK v3 with Ubuntu 16 for some weird reason. AWS support acknowledged the bug in Ubuntu 18 with SDK v3 and v5 though.
Just tested the plugin with Vault and I'm able to generate the keys and issue certs with CKA_MODIFIABLE set to true 👍
Nice one, that's fantastic news. Thanks for figuring it out. I'll update the doc, put this note in and link to your solution here for CloudHSM.