Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pkcs11-tool: allow specifying vendor mechanism in hex like -m mechtype-0x8000xxxx #1301

Closed
aalba6675 opened this issue Mar 27, 2018 · 1 comment · Fixed by #1302
Closed

pkcs11-tool: allow specifying vendor mechanism in hex like -m mechtype-0x8000xxxx #1301

aalba6675 opened this issue Mar 27, 2018 · 1 comment · Fixed by #1302

Comments

@aalba6675
Copy link
Contributor

Problem Description

When specifying mechansim by -m we don't convert strings starting with mechtype-0x... back to hex, only a list of internal hardcoded strings.

This to allow specifying vendor mechanisms such as RSA keypairgen for AWS CloudHSM in FIPS-mode which requires 0x80000142 0x80000143 etc and won't accept the defaults

Proposed Resolution

If -m sees a string like like mechtype-0x80000142 then it will return the mechanism 0x80000142UL.

Steps to reproduce

  1. AWS CloudHSM in FIPS mode:
pkcs11-tool --module /usr/lib/libCryptoki2_64.so --slot 2 --keypairgen --key-type RSA:2048 -d 67:89 -a rsa-6789 -y privkey --pin MYPIN

Logs

Expected:

error: Generate RSA mechanism not supported             
Aborting.

Desired behaviour

$ pkcs11-tool --module /usr/lib/libCryptoki2_64.so --slot 2 --keypairgen --key-type RSA:2048 -d 67:89 -a rsa-6789 -y privkey --pin $PASS0 -m mechtype-0x80000142                      
Key pair generated:                                              
Private Key Object; RSA                                                                                   
  label:      rsa-6789                                                                                    
  ID:         060789                                   
  Usage:      decrypt, sign, unwrap                                                                       
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID  (0x12)                                                                                                    
                                                         
Public Key Object; RSA 2048 bits
  label:      rsa-6789                                   
  ID:         060789                                          
  Usage:      encrypt, verify, wrap
@aalba6675 aalba6675 mentioned this issue Mar 27, 2018
Merged
6 tasks
@dengert
Copy link
Member

dengert commented Mar 28, 2018

You should add comment for pkcs11-tool --help. Do you really need the "mechtype-" if it starts 0x that should be good enough.

@frankmorgner frankmorgner mentioned this issue Apr 20, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

pkcs11-tool: let -m accept hexadecimal strings, e.g., 0x80001234 aalba6675/OpenSC
2 participants
@dengert @aalba6675