Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid CK_GCM_PARAMS structure for PKCS11 2.40 #108

Open
tstiemerling opened this issue Apr 11, 2024 · 1 comment
Open

Invalid CK_GCM_PARAMS structure for PKCS11 2.40 #108

tstiemerling opened this issue Apr 11, 2024 · 1 comment

Comments

@tstiemerling
Copy link

tstiemerling commented Apr 11, 2024
edited
Loading

Assuming pkcs11j is meant to be PKCS11 2.40 compliant (which the comments seem to imply), the structure for the CK_GCM_PARAMS is incorrect. In PKCS11 2.40 it is defined as:

typedef struct CK_GCM_PARAMS {
CK_BYTE_PTR pIv;
CK_ULONG ulIvLen;
CK_BYTE_PTR pAAD;
CK_ULONG ulAADLen;
CK_ULONG ulTagBits;
} CK_GCM_PARAMS;

whereas the current code uses the structure from PKCS11 3.0 and above (added ulIvBits field):

typedef struct CK_GCM_PARAMS {
CK_BYTE_PTR pIv;
CK_ULONG ulIvLen;
CK_ULONG ulIvBits;
CK_BYTE_PTR pAAD;
CK_ULONG ulAADLen;
CK_ULONG ulTagBits;
} CK_GCM_PARAMS;

Consequently we are getting CKR_MECHANISM_PARAM_INVALID when testing against SafeNet ProtectServer 3 HSM.
@tstiemerling
Copy link
Author

Ok, noticed that pkcs11j defines both CK_AES_GCM_PARAMS and CK_AES_GCM_240_PARAMS, but both give the same error with the HSM so will need to investigate further.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tstiemerling