Open lingxiankong opened 6 years ago
As noted in #229, this mechanism is not implemented. But there are other wrapping mechanisms available. Keeping this issue open as a feature request.
@bellgrim hi, thanks for the reply. I'm not familiar with PKCS programming, do you mean I just need to replace CKM_AES_CBC_PAD with either CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD, CKM_RSA_PKCS, or CKM_RSA_PKCS_OAEP in the barbican code?
Yes, there are other wrapping mechanisms but it is probably not as easy as just swapping the name of the mechanism when doing the operation. I have not implemented them so I do not know the details of each method. You can find more information about the mechanisms in PKCS#11 v2.40. It then points to e.g. RFC5649 for CKM_AES_KEY_WRAP_PAD.
Hello, is it possible to get a link to a sample implementation / how to switch to CKM_AES_KEY_WRAP_PAD in Java?
We generally don't provide programming examples, and are not familiar enough with Java to help you with that. We suggest you ask this question on StackExchange or a similar forum.
I would like to second this request. Using CKM_DES3_CBC or CKM_AES_CBC to encrypt/unwrap private keys is established practice. This is blocking integration of our applications with SoftHSM2.
There are security reasons to use other mechanisms. We cannot promise that these older mechanisms will be implemented anytime soon, but we would welcome a pull request if that is an option.
Hi, is this issue resolved?
Was anyone able to switch the wrapping mechanism of OpenStack Barbican from CKM_AES_CBC_PAD to CKM_AES_KWP?
Could we implement CKM_AES_CBC_PAD for wrapping in order to support SoftHSM in OpenStack Barbican? Here is the Barbican-related code: https://github.com/openstack/barbican/blob/5dea5cec130b59ecfb8d46435cd7eb3212894b4c/barbican/plugin/crypto/pkcs11.py#L496
Or is there some solution that could work around this?