CKR_KEY_HANDLE_INVALID when trying to sign RSA on SDK 5

0

On a server that talks to CloudHSM via SDK 3, Ubuntu 18, there is no problem with signing RSA, giiven a key handle.

But on another server, when trying to do the same with SDK 5, Amazon Linux 2023, the error is: CKR_KEY_HANDLE_INVALID

The integration is exactly the same on both servers ( pkcs11js ).

Is there anything obvious that I'm missing?

feita há 6 meses193 visualizações
1 Resposta
0
Resposta aceita

Hello,

The issue you are facing is captured in the guidelines provided the in the CloudHSM documentation for "Migrating from Client SDK 3 to Client SDK 5". See these guidelines at link [1].

In Client SDK5, key handles for the same key change with each session. In other words, the key handle is not static as is the case in Client SDK3.

To successfully use key handles in Client SDK 5, you must obtain key handles each time you run an application. If you have existing applications that expect to use the same key handles across different runs, you must modify your code to obtain the key handle each time you run the application. This change is in compliance with the PKCS #11 2.40 specification [2].

Alternatively, you can assign unique key labels to your keys in the cluster and then consume these keys by their label when using client SDK 5.

References:

[1] https://docs.aws.amazon.com/cloudhsm/latest/userguide/migrate-sdk.html [2] https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959689

AWS
ENGENHEIRO DE SUPORTE
respondido há 6 meses
  • Thank you very much, Teneng T, we will have to change our integration.

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas