Support for YubiHSM 2 as PKCS11 backend

Bug #2042949 reported by Michel Nederlof
Affects: Barbican
Status: In Progress
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

We're in the process of using the YubiHSM 2 [1] as a backend store for barbican.

It almost works, but it would need some small additions on the barbican code side to get it to work properly. We're working on that :)

Some caveats upfront:
- Minimal firmware version required: v2.3.1
  (otherwise the encrypt/decrypt methods are not available on the device [3])

Developers information can be found on yubico website [2]

[1] https://www.yubico.com/nl/product/yubihsm-2/
[2] https://developers.yubico.com/YubiHSM2/
[3] https://developers.yubico.com/YubiHSM2/Concepts/Capability.html

Tags: yubihsm
OpenStack Infra (hudson-openstack) wrote: Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/barbican/+/900107

Changed in barbican:
status: New → In Progress
Josselin Mouette (jmouette) wrote:

Thanks a lot for the patch. We are using YubiHSM as well and your work helped us immensely.

It was not entirely enough, though, which is why I’m proposing a small supplemental change.

Rajiv Mucheli (rajiv.mucheli) wrote:

Hi,

Does this patch use the wrap/unwrap key mechanism CKM_AES_CBC_PAD? Or does it change?

Regards,
Rajiv

Josselin Mouette (jmouette) wrote:

Hi, it uses the proprietary VENDOR_YUBICO_CKM_AES_CCM_WRAP mechanism.
