<html><body><div style="color:#000; background-color:#fff; font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:10px"><div id="yui_3_16_0_1_1418051957143_12166">Hi Rickard</div><div id="yui_3_16_0_1_1418051957143_12165"><br></div><div id="yui_3_16_0_1_1418051957143_12164" dir="ltr">Thank you for your interest. I been following SOFTHSM-107 and I see a push in here (https://github.com/opendnssec/SoftHSMv2/pull/100), I did merge the changes with softhsm-2.0.0b1 and recompile. If I ask for the module info from java, I get this:</div><div id="yui_3_16_0_1_1418051957143_15201" dir="ltr"><br></div><div id="yui_3_16_0_1_1418051957143_14555" dir="ltr">Mechanism Name: CKM_AES_CBC_PAD<br style="" class=""> Minimum Key-Size: 16<br style="" class=""> Maximum Key-Size: 32<br style="" class=""> Hardware: false<br style="" class=""> Encrypt: true<br style="" class=""> Decrypt: true<br style="" class=""> Digest: false<br style="" class=""> Sign: false<br style="" class=""> Sign Recover: false<br style="" class=""> Verify: false<br style="" class=""> Verify Recover: false<br style="" class=""> Generate: false<br style="" class=""> Generate Key-Pair: false<br style="" class=""> Wrap: false<br style="" class=""> Unwrap: false<br style="" class=""> Derive: false<br style="" class=""> EC F(p): false<br style="" class=""> EC F(2^m): false<br style="" class=""> EC Parameters: false<br style="" class=""> EC Named Curve: false<br style="" class=""> EC Uncompress: false<br style="" class=""> EC Compress: false<br style="" class=""> Extension: false<br style="" class=""><br></div><div id="yui_3_16_0_1_1418051957143_14529" dir="ltr">So, I think padding is now supported, but in my application now I have this exception:</div><div id="yui_3_16_0_1_1418051957143_13861" dir="ltr"><br></div><div id="yui_3_16_0_1_1418051957143_13862" dir="ltr">Caused by: javax.crypto.ShortBufferException<br style="" class=""> at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:561)<br style="" class=""> at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:464)<br style="" class=""> at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:452)<br style="" class=""> ... 49 more<br style="" class="">Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_BUFFER_TOO_SMALL<br style="" class=""> at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)<br style="" class=""> at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:517)<br style="" class=""> ... 51 more<br style="" class=""><br></div><div dir="ltr" id="yui_3_16_0_1_1418051957143_11824"><span id="yui_3_16_0_1_1418051957143_18044">As you say in the ticket, I don't really know about crypto, I'm just trying to make things work. Please let me know if I can / should do anything else.</span></div><div id="yui_3_16_0_1_1418051957143_18045" dir="ltr"><br><span></span></div> <div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: Courier New, courier, monaco, monospace, sans-serif; font-size: 10px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font face="Arial" size="2"> El Domingo, 7 de diciembre, 2014 3:08:33, Rickard Bellgrim <rickard@opendnssec.org> escribió:<br> </font> </div> <br><br> <div class="y_msg_container"><div id="yiv6419858624"><div><div class="yiv6419858624yqt9831444465" id="yiv6419858624yqtfd48936"><div dir="ltr">On Fri, Dec 5, 2014 at 8:09 AM, Roland van Rijswijk - Deij <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:Roland.vanRijswijk@surfnet.nl" target="_blank" href="mailto:Roland.vanRijswijk@surfnet.nl">Roland.vanRijswijk@surfnet.nl</a>></span> wrote:<br clear="none"><div class="yiv6419858624gmail_extra"><div class="yiv6419858624gmail_quote"><blockquote class="yiv6419858624gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex;">Hi Roko,<br clear="none">
<span class="yiv6419858624"><br clear="none">
roko wrote:<br clear="none">
> I'm getting this error:<br clear="none">
</span>> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DATA_LEN_RANGE<br clear="none">
<span class="yiv6419858624">><br clear="none">
> Is this maybe a known limitation for softhsm2 ? there is some workaround<br clear="none">
> ? Thx for your help.<br clear="none">
<br clear="none">
</span>I've had a quick look at the code, and this seems to be a bug;<br clear="none">
C_EncryptUpdate always checks if the input block adheres to the cipher's<br clear="none">
required block size. It should only do this if the cipher is used in ECB<br clear="none">
mode. I have created SOFTHSM-107<br clear="none">
(<a rel="nofollow" shape="rect" target="_blank" href="https://issues.opendnssec.org/browse/SOFTHSM-107">https://issues.opendnssec.org/browse/SOFTHSM-107</a>) in our issue tracking<br clear="none">
system for this bug, it will be addressed in the next version of SoftHSM<br clear="none">
v2.<br clear="none"></blockquote><div><br clear="none"></div><div>We currently only support ECB and CBC. They require full block when not padding. Could add support for CKM_DES_CBC_PAD, CKM_DES3_CBC_PAD, and CKM_AES_CBC_PAD.</div><div><br clear="none"></div><div>You are trying to use CKM_AES_CBC_PAD (AES/CBC/PKCS5Padding) which is currently not supported. The error indicate that the Java implementation is trying to use CKM_AES_CBC and not CKM_AES_CBC_PAD, which would have returned CKR_MECHANISM_INVALID.</div><div><br clear="none"></div><div>// Rickard</div></div></div></div></div></div></div><br><br></div> </div> </div> </div> </div></body></html>