Problem
Long story short - we've stumbled across some problems with key creation on certain HSMs with certain FIPS mode firmware versions. A solution would be making the key creation template configurable. The default would stay as is, but members with "problematic" HSMs would be able to configure this parameter.
Additional information:
The security server currently uses the CKM_RSA_PKCS algorithm for signing (when using an HSM), but the new FIPS standard does not allow that. Instead, CKM_RSA_PKCS_PSS could be used for newer FIPS firmware.
Acceptance criteria
PKCS#11 key creation template is configurable with the default staying as is
Affected components:
- signer, signer-console, proxy, central server, configuration client, configuration proxy
Affected documentation:
- UG-SYSPAR, UG-CP, DM-CS, PR-MSERV
Estimated delivery:
-
External reference:
- https://jira.ria.ee/browse/XTE-332
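As an added illustration of what a configurable PKCS#11 key creation template looks like (this is example code written for this ticket, not X-Road code, and the default templates, the `public.CKA_NAME=value` override syntax and the function names are all constructed assumptions, not the security server's actual template or configuration keys): the default RSA key-pair generation template stays fixed, an operator-supplied override string is validated against known CKA_* names and merged on top of a copy, and the signing mechanism is chosen between CKM_RSA_PKCS and CKM_RSA_PKCS_PSS, the latter needing CK_RSA_PKCS_PSS_PARAMS (hash, MGF, salt length). The constant values are those of the PKCS#11 specification; nothing here talks to an HSM.

```python
# Added example, not project code: configurable PKCS#11 RSA key-pair templates
# with an unchanged default, plus signing-mechanism selection. Runs offline.
import copy

# PKCS#11 attribute types (values from the PKCS#11 specification)
ATTRIBUTE_TYPES = {
    "CKA_CLASS": 0x0000, "CKA_TOKEN": 0x0001, "CKA_PRIVATE": 0x0002,
    "CKA_LABEL": 0x0003, "CKA_KEY_TYPE": 0x0100, "CKA_SENSITIVE": 0x0103,
    "CKA_ENCRYPT": 0x0104, "CKA_DECRYPT": 0x0105, "CKA_WRAP": 0x0106,
    "CKA_UNWRAP": 0x0107, "CKA_SIGN": 0x0108, "CKA_VERIFY": 0x010A,
    "CKA_MODULUS_BITS": 0x0121, "CKA_PUBLIC_EXPONENT": 0x0122,
    "CKA_EXTRACTABLE": 0x0162,
}
CKA = ATTRIBUTE_TYPES  # short alias used below
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKK_RSA = 0x0002, 0x0003, 0x0000

# Mechanisms (PKCS#11 values)
CKM_RSA_PKCS_KEY_PAIR_GEN = 0x0000
CKM_RSA_PKCS = 0x0001
CKM_RSA_PKCS_PSS = 0x000D
CKM_SHA256 = 0x0250
CKG_MGF1_SHA256 = 0x0002

# Constructed defaults for the example; not the security server's real template.
DEFAULT_PUBLIC_TEMPLATE = {
    CKA["CKA_CLASS"]: CKO_PUBLIC_KEY, CKA["CKA_KEY_TYPE"]: CKK_RSA,
    CKA["CKA_TOKEN"]: True, CKA["CKA_MODULUS_BITS"]: 2048,
    CKA["CKA_PUBLIC_EXPONENT"]: b"\x01\x00\x01",
    CKA["CKA_VERIFY"]: True, CKA["CKA_ENCRYPT"]: True, CKA["CKA_WRAP"]: True,
}
DEFAULT_PRIVATE_TEMPLATE = {
    CKA["CKA_CLASS"]: CKO_PRIVATE_KEY, CKA["CKA_KEY_TYPE"]: CKK_RSA,
    CKA["CKA_TOKEN"]: True, CKA["CKA_PRIVATE"]: True,
    CKA["CKA_SENSITIVE"]: True, CKA["CKA_EXTRACTABLE"]: False,
    CKA["CKA_SIGN"]: True, CKA["CKA_DECRYPT"]: True, CKA["CKA_UNWRAP"]: True,
}


def parse_override_value(raw):
    """true/false -> bool, 0x.. -> bytes (big-endian), otherwise int."""
    s = raw.strip()
    if s.lower() in ("true", "false"):
        return s.lower() == "true"
    if s.lower().startswith("0x"):
        return bytes.fromhex(s[2:])
    return int(s)


def parse_template_overrides(spec):
    """Parse the hypothetical syntax 'public.CKA_X=v,private.CKA_Y=v'.

    Returns {'public': {attr_type: value}, 'private': {...}}; unknown
    attribute names or malformed items raise ValueError so a typo in the
    configuration cannot silently produce a weaker key."""
    result = {"public": {}, "private": {}}
    if not spec or not spec.strip():
        return result
    for item in spec.split(","):
        target, _, assignment = item.strip().partition(".")
        name, sep, raw = assignment.partition("=")
        if target not in result or not sep or name not in ATTRIBUTE_TYPES:
            raise ValueError(f"invalid key template override: {item!r}")
        result[target][ATTRIBUTE_TYPES[name]] = parse_override_value(raw)
    return result


def build_key_gen_templates(override_spec=""):
    """Return (public_template, private_template) for C_GenerateKeyPair.

    The defaults are deep-copied so the module-level default never changes."""
    public = copy.deepcopy(DEFAULT_PUBLIC_TEMPLATE)
    private = copy.deepcopy(DEFAULT_PRIVATE_TEMPLATE)
    overrides = parse_template_overrides(override_spec)
    public.update(overrides["public"])
    private.update(overrides["private"])
    return public, private


def select_sign_mechanism(name="CKM_RSA_PKCS"):
    """Return (mechanism, params). CKM_RSA_PKCS needs no parameters;
    CKM_RSA_PKCS_PSS needs CK_RSA_PKCS_PSS_PARAMS naming the hash the caller
    applied to the data, the MGF, and the salt length (here SHA-256, 32 bytes)."""
    if name == "CKM_RSA_PKCS":
        return CKM_RSA_PKCS, None
    if name == "CKM_RSA_PKCS_PSS":
        return CKM_RSA_PKCS_PSS, {"hashAlg": CKM_SHA256,
                                  "mgf": CKG_MGF1_SHA256, "sLen": 32}
    raise ValueError(f"unsupported signing mechanism: {name!r}")


if __name__ == "__main__":
    pub, priv = build_key_gen_templates(
        "public.CKA_MODULUS_BITS=3072,private.CKA_DECRYPT=false")
    print(pub, priv, select_sign_mechanism("CKM_RSA_PKCS_PSS"))
```

With an empty override string the templates are byte-for-byte the defaults, which is the "default stays as is" requirement; an override only ever adds or replaces individual attributes on a copy, and rejecting unknown attribute names keeps a mistyped configuration from being ignored.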