[Opendnssec-user] PKCS11Exception: CKR_DATA_LEN_RANGE using softhsm2
roko98 at yahoo.com
Mon Dec 8 17:01:54 UTC 2014
Thank you for your interest. I been following SOFTHSM-107 and I see a push in here (https://github.com/opendnssec/SoftHSMv2/pull/100), I did merge the changes with softhsm-2.0.0b1 and recompile. If I ask for the module info from java, I get this:
Mechanism Name: CKM_AES_CBC_PAD
Minimum Key-Size: 16
Maximum Key-Size: 32
Sign Recover: false
Verify Recover: false
Generate Key-Pair: false
EC F(p): false
EC F(2^m): false
EC Parameters: false
EC Named Curve: false
EC Uncompress: false
EC Compress: false
So, I think padding is now supported, but in my application now I have this exception:
Caused by: javax.crypto.ShortBufferException
... 49 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_BUFFER_TOO_SMALL
at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
... 51 more
As you say in the ticket, I don't really know about crypto, I'm just trying to make things work. Please let me know if I can / should do anything else.
El Domingo, 7 de diciembre, 2014 3:08:33, Rickard Bellgrim <rickard at opendnssec.org> escribió:
On Fri, Dec 5, 2014 at 8:09 AM, Roland van Rijswijk - Deij <Roland.vanRijswijk at surfnet.nl> wrote:
> I'm getting this error:
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DATA_LEN_RANGE
> Is this maybe a known limitation for softhsm2 ? there is some workaround
> ? Thx for your help.
I've had a quick look at the code, and this seems to be a bug;
C_EncryptUpdate always checks if the input block adheres to the cipher's
required block size. It should only do this if the cipher is used in ECB
mode. I have created SOFTHSM-107
(https://issues.opendnssec.org/browse/SOFTHSM-107) in our issue tracking
system for this bug, it will be addressed in the next version of SoftHSM
We currently only support ECB and CBC. They require full block when not padding. Could add support for CKM_DES_CBC_PAD, CKM_DES3_CBC_PAD, and CKM_AES_CBC_PAD.
You are trying to use CKM_AES_CBC_PAD (AES/CBC/PKCS5Padding) which is currently not supported. The error indicate that the Java implementation is trying to use CKM_AES_CBC and not CKM_AES_CBC_PAD, which would have returned CKR_MECHANISM_INVALID.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Opendnssec-user