From pspacek at redhat.com Wed Feb 11 12:24:55 2015 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 11 Feb 2015 13:24:55 +0100 Subject: [Softhsm-develop] SOFTHSM-112: PKCS#11 constants conflict for AES and BLOWFISH Message-ID: <54DB4A17.3080903@redhat.com> Hello, SoftHSM's pkcs11.h has conflicting values for BLOWFISH and AES_KEY_WRAP algorithms: 823 #define CKM_AES_KEY_WRAP (0x1090) 824 #define CKM_BLOWFISH_KEY_GEN (0x1090) 825 #define CKM_AES_KEY_WRAP_PAD (0x1091) 826 #define CKM_BLOWFISH_CBC (0x1091) This is apparently a heritage from PKCS#11 2.30. Current PKCS#11 v2.40 solved this problem by re-numbering AES_KEY_WRAP algorithms: http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.pdf #define CKM_BLOWFISH_KEY_GEN 0x00001090 #define CKM_BLOWFISH_CBC 0x00001091 #define CKM_AES_KEY_WRAP 0x00002109 #define CKM_AES_KEY_WRAP_PAD 0x0000210A Would it be possible to migrate SoftHSM v2 to PKCS#11 v2.40 and thus solve the conflict by the same renumbering? I have opened https://issues.opendnssec.org/browse/SOFTHSM-112 to track this so we do not forget ... Feel free to rename the issue in JIRA, I have accidentally send it before filling proper summary/title. Thank you for your time! -- Petr Spacek @ Red Hat From jerry.lundstrom at iis.se Wed Feb 11 13:31:44 2015 From: jerry.lundstrom at iis.se (=?utf-8?B?SmVycnkgTHVuZHN0csO2bQ==?=) Date: Wed, 11 Feb 2015 14:31:44 +0100 Subject: [Softhsm-develop] SOFTHSM-112: PKCS#11 constants conflict for AES and BLOWFISH In-Reply-To: <54DB4A17.3080903@redhat.com> References: <54DB4A17.3080903@redhat.com> Message-ID: <1423661504.20742.4.camel@mine> Hi Petr, On ons, 2015-02-11 at 13:24 +0100, Petr Spacek wrote: > Current PKCS#11 v2.40 solved this problem by re-numbering AES_KEY_WRAP algorithms: > http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.pdf > > #define CKM_BLOWFISH_KEY_GEN 0x00001090 > #define CKM_BLOWFISH_CBC 0x00001091 > #define CKM_AES_KEY_WRAP 0x00002109 > #define CKM_AES_KEY_WRAP_PAD 0x0000210A Interesting, will consider changing this for my Crypt::PKCS11 [1] project also. Have you found any pkcs11.h/pkcs11t.h/pkcs11f.h files for v2.40 ? Btw, the latest specification is cos01 according to the "curr"-page [2]. /Jerry [1] https://github.com/dotse/p5-Crypt-PKCS11 [2] http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html -- Jerry Lundstr?m - Software Engineer .SE - The Internet Infrastructure Foundation http://www.iis.se/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: This is a digitally signed message part URL: From pspacek at redhat.com Wed Feb 11 14:00:03 2015 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 11 Feb 2015 15:00:03 +0100 Subject: [Softhsm-develop] SOFTHSM-112: PKCS#11 constants conflict for AES and BLOWFISH In-Reply-To: <1423661504.20742.4.camel@mine> References: <54DB4A17.3080903@redhat.com> <1423661504.20742.4.camel@mine> Message-ID: <54DB6063.1030808@redhat.com> On 11.2.2015 14:31, Jerry Lundstr?m wrote: > > Have you found any pkcs11.h/pkcs11t.h/pkcs11f.h files for v2.40 ? No, I did not see any but it seems pretty straightforward to copy&paste appendixes together: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/cos01/pkcs11-base-v2.40-cos01.html#_Toc408227815 http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408227215 http://docs.oasis-open.org/pkcs11/pkcs11-hist/v2.40/cos01/pkcs11-hist-v2.40-cos01.html#_Toc408228286 My main question is now: Will you accept patches with update to PKCS#11 v2.40? I can certainly write them. -- Petr Spacek @ Red Hat From jerry.lundstrom at iis.se Wed Feb 11 14:08:08 2015 From: jerry.lundstrom at iis.se (=?utf-8?B?SmVycnkgTHVuZHN0csO2bQ==?=) Date: Wed, 11 Feb 2015 15:08:08 +0100 Subject: [Softhsm-develop] SOFTHSM-112: PKCS#11 constants conflict for AES and BLOWFISH In-Reply-To: <54DB6063.1030808@redhat.com> References: <54DB4A17.3080903@redhat.com> <1423661504.20742.4.camel@mine> <54DB6063.1030808@redhat.com> Message-ID: <1423663688.20742.12.camel@mine> Hi Petr, On ons, 2015-02-11 at 15:00 +0100, Petr Spacek wrote: > My main question is now: Will you accept patches with update to PKCS#11 v2.40? > I can certainly write them. For my Crypt::PKCS11 project, sure! :) Sorry but I can't answer for SoftHSM since I am no longer a part of the development team. You'll have to wait for someone else to answer. Cheers, Jerry -- Jerry Lundstr?m - Software Engineer .SE - The Internet Infrastructure Foundation http://www.iis.se/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: This is a digitally signed message part URL: From jakob at kirei.se Wed Feb 11 14:11:41 2015 From: jakob at kirei.se (Jakob Schlyter) Date: Wed, 11 Feb 2015 15:11:41 +0100 Subject: [Softhsm-develop] SOFTHSM-112: PKCS#11 constants conflict for AES and BLOWFISH In-Reply-To: <54DB6063.1030808@redhat.com> References: <54DB4A17.3080903@redhat.com> <1423661504.20742.4.camel@mine> <54DB6063.1030808@redhat.com> Message-ID: <91262E78-C985-4A9A-B5DE-B6F7E7C57548@kirei.se> On 11 feb 2015, at 15:00, Petr Spacek wrote: > My main question is now: Will you accept patches with update to PKCS#11 v2.40? Sure. Why not? Are there any downsides? jakob From pspacek at redhat.com Wed Feb 11 14:36:54 2015 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 11 Feb 2015 15:36:54 +0100 Subject: [Softhsm-develop] SOFTHSM-112: PKCS#11 constants conflict for AES and BLOWFISH In-Reply-To: <91262E78-C985-4A9A-B5DE-B6F7E7C57548@kirei.se> References: <54DB4A17.3080903@redhat.com> <1423661504.20742.4.camel@mine> <54DB6063.1030808@redhat.com> <91262E78-C985-4A9A-B5DE-B6F7E7C57548@kirei.se> Message-ID: <54DB6906.70905@redhat.com> On 11.2.2015 15:11, Jakob Schlyter wrote: > On 11 feb 2015, at 15:00, Petr Spacek wrote: > >> My main question is now: Will you accept patches with update to PKCS#11 v2.40? > > Sure. Why not? Are there any downsides? The downside is that constants for AES_KEY_WRAP* were changed so it will cause failures in applications which were not recompiled with new pkcs11.h and use old CKM_ constant. AFAIK OpenDNSSEC does not use AES at all and in FreeIPA we will manage the change. I have no idea if somebody else is using the AES_KEY_WRAP* thing or not. -- Petr Spacek @ Red Hat From jakob at kirei.se Wed Feb 11 14:38:20 2015 From: jakob at kirei.se (Jakob Schlyter) Date: Wed, 11 Feb 2015 15:38:20 +0100 Subject: [Softhsm-develop] SOFTHSM-112: PKCS#11 constants conflict for AES and BLOWFISH In-Reply-To: <54DB6906.70905@redhat.com> References: <54DB4A17.3080903@redhat.com> <1423661504.20742.4.camel@mine> <54DB6063.1030808@redhat.com> <91262E78-C985-4A9A-B5DE-B6F7E7C57548@kirei.se> <54DB6906.70905@redhat.com> Message-ID: <5CFD365E-9B74-4CE8-A5C3-FEF61EC9D760@kirei.se> On 11 feb 2015, at 15:36, Petr Spacek wrote: > > On 11.2.2015 15:11, Jakob Schlyter wrote: >> On 11 feb 2015, at 15:00, Petr Spacek wrote: >> >>> My main question is now: Will you accept patches with update to PKCS#11 v2.40? >> >> Sure. Why not? Are there any downsides? > > The downside is that constants for AES_KEY_WRAP* were changed so it will cause > failures in applications which were not recompiled with new pkcs11.h and use > old CKM_ constant. > > AFAIK OpenDNSSEC does not use AES at all and in FreeIPA we will manage the > change. I have no idea if somebody else is using the AES_KEY_WRAP* thing or not. I suggest we go for 2.40 with SoftHSMv2 as a start; Rickard what say you? jakob From rickard at opendnssec.org Sun Feb 15 07:53:44 2015 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Sun, 15 Feb 2015 08:53:44 +0100 Subject: [Softhsm-develop] SOFTHSM-112: PKCS#11 constants conflict for AES and BLOWFISH In-Reply-To: <5CFD365E-9B74-4CE8-A5C3-FEF61EC9D760@kirei.se> References: <54DB4A17.3080903@redhat.com> <1423661504.20742.4.camel@mine> <54DB6063.1030808@redhat.com> <91262E78-C985-4A9A-B5DE-B6F7E7C57548@kirei.se> <54DB6906.70905@redhat.com> <5CFD365E-9B74-4CE8-A5C3-FEF61EC9D760@kirei.se> Message-ID: On Wed, Feb 11, 2015 at 3:38 PM, Jakob Schlyter wrote: > On 11 feb 2015, at 15:36, Petr Spacek wrote: > > The downside is that constants for AES_KEY_WRAP* were changed so it will > cause > > failures in applications which were not recompiled with new pkcs11.h and > use > > old CKM_ constant. > > > > AFAIK OpenDNSSEC does not use AES at all and in FreeIPA we will manage > the > > change. I have no idea if somebody else is using the AES_KEY_WRAP* thing > or not. > > I suggest we go for 2.40 with SoftHSMv2 as a start; Rickard what say you? > We have already incorporated some changes from 2.30/2.40 into SoftHSMv2. The full migration is part of https://issues.opendnssec.org/browse/SOFTHSM-6 For now, we could just update these values so that they match 2.40. // Rickard -------------- next part -------------- An HTML attachment was scrubbed... URL: