Comments (6)
jariq
commented on June 7, 2024
Can you please provide the exception you are getting?
It is not unusual that certain algorithms (especially those that are not FIPS approved or were not covered by the certification process) are disabled when HSM is operating in FIPS mode. I am not sure whether this is the case with your SafeNet HSM but I believe you should find such information in user manual provided with HSM.
from pkcs11interop.
henriquemotaesteves
commented on June 7, 2024
@jariq you're right. SafeNet disables all algorithms that are not approved by FIPS when the HSM is operating in FIPS mode.
from pkcs11interop.
UbaldoMolinari
commented on June 7, 2024
Hi.. here the exception
Net.Pkcs11Interop.Common.Pkcs11Exception: Method C_DeriveKey returned
CKR_MECHANISM_INVALID
at Net.Pkcs11Interop.HighLevelAPI4.Session.DeriveKey(Mechanism mechanism,
ObjectHandle baseKeyHandle, List`1 attributes)
at Net.Pkcs11Interop.HighLevelAPI.Session.DeriveKey(Mechanism mechanism,
ObjectHandle baseKeyHandle, List`1 attributes)
at hsmNameSpace.HSM.derive3DESECBKey(String key2Derive, String maskData,
String derivedKeyName) in
c:\Sviluppo\Engineering\Components\HSM\src\HSM.cs:line 226
at
hsmNameSpace.DynamicAuthentication.getExternalAuthenticationWithDerivation(String
keyChipSoc) in
c:\Sviluppo\Engineering\Components\HSM\src\DynamicAuthentication.cs:line 273
at hsmNameSpace.MainClass.Main(String[] args) in
c:\Sviluppo\Engineering\Components\HSM\src\Main.cs:line 65
2014-06-18 3:20 GMT+02:00 Henrique Esteves [email protected]:
@jariq https://github.com/jariq you're right. SafeNet disables all
algorithms that are not approved by the FIPS when HSM is operating in FIPS
mode.—
Reply to this email directly or view it on GitHub
#12 (comment).
from pkcs11interop.
jariq
commented on June 7, 2024
Page "About HSM NOT in FIPS140-2 approved mode" in SafeNet's documentation clearly states that Non-FIPS algorithms are disabled in FIPS mode and the error you are getting - CKR_MECHANISM_INVALID - indicates the same thing.
So you can either use one of the FIPS approved algorithms (which CKM_DES_ECB_ENCRYPT_DATA clearly is not) or you can disable FIPS mode of your HSM.
BTW you can also try to call Net.Pkcs11Interop.HighLevelAPI.Slot.GetMechanismList() method to get the exact list of the algorithms supported by your HSM - I guess that returned list will be shorter in FIPS mode.
from pkcs11interop.
UbaldoMolinari
commented on June 7, 2024
Thank you. I agree. Performing Slot.GetMechanismList() the allowed
mechanism are the following:
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_SHA1_RSA_PKCS
CKM_RSA_PKCS_OAEP
CKM_RSA_X9_31_KEY_PAIR_GEN
CKM_DSA_KEY_PAIR_GEN
CKM_DSA
CKM_DSA_SHA1
CKM_DH_PKCS_KEY_PAIR_GEN
CKM_DH_PKCS_DERIVE
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
CKM_SHA224_RSA_PKCS
CKM_DES2_KEY_GEN
CKM_DES3_KEY_GEN
CKM_DES3_ECB
CKM_DES3_CBC
CKM_DES3_MAC
CKM_DES3_MAC_GENERAL
CKM_DES3_CBC_PAD
CKM_SHA_1
CKM_SHA_1_HMAC
CKM_SHA_1_HMAC_GENERAL
CKM_SHA256
CKM_SHA256_HMAC
CKM_SHA256_HMAC_GENERAL
CKM_SHA224
CKM_SHA224_HMAC
CKM_SHA224_HMAC_GENERAL
CKM_SHA384
CKM_SHA384_HMAC
CKM_SHA384_HMAC_GENERAL
CKM_SHA512
CKM_SHA512_HMAC
CKM_SHA512_HMAC_GENERAL
CKM_GENERIC_SECRET_KEY_GEN
CKM_CONCATENATE_BASE_AND_KEY
CKM_CONCATENATE_BASE_AND_DATA
CKM_CONCATENATE_DATA_AND_BASE
CKM_XOR_BASE_AND_DATA
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_KEY_WRAP_SET_OAEP
CKM_ECDSA_KEY_PAIR_GEN
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_AES_KEY_GEN
CKM_AES_ECB
CKM_AES_CBC
CKM_AES_CBC_PAD
CKM_BLOWFISH_KEY_GEN
CKM_BLOWFISH_CBC
CKM_DSA_PARAMETER_GEN
CKM_DH_PKCS_PARAMETER_GEN
this means that I'm not able to derive a 3Des key?
2014-06-18 23:32 GMT+02:00 Jaroslav Imrich [email protected]:
Page "About HSM NOT in FIPS140-2 approved mode"
http://amazon-aws-hsmaas-safenet-docs.s3-website-us-east-1.amazonaws.com/007-011136-002_lunasa_5-1_webhelp_rev-a/startpage_CSH.htm#concepts/about_hsm_not_in_fips140-2_approved_mode.htm
in SafeNet's documentation clearly states that Non-FIPS algorithms are
disabled in FIPS mode and the error you are getting - CKR_MECHANISM_INVALID
- indicates the same thing.
So you can either use one of the FIPS approved algorithms
http://crypto.stackexchange.com/questions/3859/fips-140-2-compliant-algorithms
(which CKM_DES_ECB_ENCRYPT_DATA clearly is not) or you can disable FIPS
mode of your HSM.BTW you can also try to call
Net.Pkcs11Interop.HighLevelAPI.Slot.GetMechanismList() method to get the
exact list of the algorithms supported by your HSM - I guess that returned
list will be shorter in FIPS mode.—
Reply to this email directly or view it on GitHub
#12 (comment).
from pkcs11interop.
jariq
commented on June 7, 2024
Take a look at "Table 34, Mechanisms vs. Functions" in PKCS#11 specification where you will find which mechanisms from your list can be used for key derivation. Then read more detailed description of each mechanism (i.e. CTRL+F for "CKM_CONCATENATE_BASE_AND_DATA" in the specification) and decide if it is suitable for your use case.
from pkcs11interop.
Related Issues (20)
- Private key is not in certificate
- Method C_OpenSession returned CKR_CRYPTOKI_NOT_INITIALIZED
- Pkcs11Interop is not supported on this platform HOT 25
- Missing attribute CKA_NAME_HASH_ALGORITHM
- problem in Pkcs11Interop with new dll from epass 2003
- CKR_OPERATION_NOT_INITIALIZED in multithreaded application
- Missing param represents object handle
- Method C_Login returned CKR_SESSION_HANDLE_INVALID
- Incorrect CK_VERSION string value
- Get Key Value From HSM
- Not able to use C_Sign with yubikey PIV slot with CKA_ALWAYS_AUTHENTICATE HOT 5
- Linux : NativeULong as System.UInt32 causes error while accessing CK_GCM_PARAMS structure from PKCS11 standards HOT 2
- mac os compile problem MAUI .net core 7.0 how to fix ?
- SafeNet Data Objects HOT 7
- ComputeDigest/CreateDigestInfo - with newest Pkcs11Interop - how to ?
- C_Sign returned CKR_OPERATION_NOT_INITIALIZED in multithreaded application
- C_Encrypt with AES mechanism always returns with CKR_GENERAL_ERROR HOT 1
- C_FindObjects does return with nothing while running application in docker
- C_FindObjects does return with nothing while running application in docker HOT 3
- session.Decrypt returning garbage characters appended in PKCS#11 Multipart Decryption with Pkcs11Interop v 4.x.x
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pkcs11interop.