Thales Luna HSM Firmware above v7.4.0 doesn't support CKM_AES_CBC_PAD

Bug #2036506 reported by Rajiv Mucheli
This bug affects 1 person
Affects: Barbican
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

After discussing with Thales Engineering, Thales Luna HSM Firmware above v7.4.0 doesn't support the CKM_AES_CBC_PAD wrapping mechanism. Unless we fix this in Barbican, we cannot upgrade to the latest Thales HSM firmware version.

Can I set up a call with Thales Engineering to discuss this further?

I also found that SoftHSM also doesn't support the CKM_AES_CBC_PAD wrapping mechanism; more details are provided here:

https://github.com/opendnssec/SoftHSMv2/issues/405
https://github.com/opendnssec/SoftHSMv2/issues/229

Please let me know if we need to test on my Thales Luna A790 network device or if further information is required.

Regards,
Rajiv

Rajiv Mucheli (rajiv.mucheli) wrote:

FYI: https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/pkcs11.py#L142

My production is running on the OpenStack Barbican Zed release; I am planning to upgrade to Bobcat once the release is available.
