p11tool: support vendor specific RSA keygen mechanisms
Description of the feature:
Some RSA modules use vendor numbered mechanisms, such as AWS CloudHSM(SafeNet Luna) in FIPS mode.
Would it be possible in gnutls_pkcs11_privkey_generate3()
to
accept a force-mechanism-by-hex option somehow?
AWS CloudHSM in FIPS mode does not accept the normal mechs but the following
#define CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN (CKM_VENDOR_DEFINED + 0x142)
#define CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN (CKM_VENDOR_DEFINED + 0x143)
[0x80000142] UNKNOWN
[0x80000143] UNKNOWN
In pkcs11_int.h
its not obvious how to tell pk_to-mech()
to offer
alternate mechanisms. :-(
Applications that this feature may be relevant to:
p11tool
Is this feature implemented in other libraries (and which)
[UPDATE] OpenSC master will allow specifying mechanism by hex, instead of only from a list of hardcoded strings, e.g., pkcs11-tool -m 0x80000142 ...
. This been backported to Fedora 28.
Not quite: pkcs11-tool in OpenSC/OpenSC tries RSA mechanisms from a list of two. If I hack this list to add 0x80000142 0x80000143 then it works.
Original:
## won't work with CloudHSM in FIPS-mode
CK_MECHANISM_TYPE mtypes[] = {CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_X9_31_KEY_PAIR_GEN}
Hacked:
## now pkcs11-tool will work
mtypes[] = {CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_VENDOR_DEFINED+0x142, CKM_VENDOR_DEFINED+0x143}
Edited by Nikos Mavrogiannopoulos