CKR_KEY_HANDLE_INVALID when trying to sign RSA on SDK 5

Question

On a server that talks to CloudHSM via SDK 3, Ubuntu 18, there is no problem with signing RSA, giiven a key handle.

But on another server, when trying to do the same with SDK 5, Amazon Linux 2023, the error is:
CKR_KEY_HANDLE_INVALID

The integration is exactly the same on both servers ( pkcs11js ).

Is there anything obvious that I'm missing?

Accepted Answer

Hello,

The issue you are facing is captured in the guidelines provided the in the CloudHSM documentation for "Migrating from Client SDK 3 to Client SDK 5". See these guidelines at link [1].

In Client SDK5, key handles for the same key change with each session. In other words, the key handle is not static as is the case in Client SDK3.

To successfully use key handles in Client SDK 5, you must obtain key handles each time you run an application. If you have existing applications that expect to use the same key handles across different runs, you must modify your code to obtain the key handle each time you run the application. This change is in compliance with the PKCS #11 2.40 specification [2].

Alternatively, you can assign unique key labels to your keys in the cluster and then consume these keys by their label when using client SDK 5.

References:

[1] https://docs.aws.amazon.com/cloudhsm/latest/userguide/migrate-sdk.html
[2] https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959689

CKR_KEY_HANDLE_INVALID when trying to sign RSA on SDK 5

Contenido relevante