yubihsm-shell icon indicating copy to clipboard operation
yubihsm-shell copied to clipboard

Published 20 hours ago verified publisher icon Yubico

decryption using pkcs11-tool not working

Open embetrix opened this issue 9 months ago • 4 comments

using pkcs11-tool encryption is working while decryption is not :

export PKCS11_MODULE_PATH=/usr/local/lib/pkcs11/yubihsm_pkcs11.so
export YUBIHSM_PKCS11_CONF=./yubihsm_pkcs11.conf
export 
export PIN="0001password"
export TOKEN_NAME="MyToken"

start-stop-daemon --start --background --exec /usr/local/bin/yubihsm-connector -- -d

yubihsm-shell -a reset --password password

sleep 2

pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH  --login --keygen --key-type aes:32 --label "AES32" --usage-decrypt --sensitive --private 
                                                                                                                    
dd if=/dev/urandom of=DATA.bin bs=1k count=1 > /dev/null 2>&1
export IV_VECTOR="AE120000000000000000000000000000"
pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH  --login --encrypt --label AES32  -m AES-CBC --iv "${IV_VECTOR}" --input-file DATA.bin --output-file DATA.enc  
pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH  --login --decrypt --label AES32  -m AES-CBC --iv "${IV_VECTOR}" --input-file DATA.enc --output-file DATA.bin.dec

Logs:

+ export IV_VECTOR=AE120000000000000000000000000000
+ pkcs11-tool --pin 0001password --module /usr/local/lib/pkcs11/yubihsm_pkcs11.so --login --encrypt --label AES32 -m AES-CBC --iv AE120000000000000000000000000000 --input-file DATA.bin --output-file DATA.enc
Using slot 0 with a present token (0x0)
Using encrypt algorithm AES-CBC
+ pkcs11-tool --pin 0001password --module /usr/local/lib/pkcs11/yubihsm_pkcs11.so --login --decrypt --label AES32 -m AES-CBC --iv AE120000000000000000000000000000 --input-file DATA.enc --output-file DATA.bin.dec
Using slot 0 with a present token (0x0)
Using decrypt algorithm AES-CBC
error: PKCS11 function C_DecryptInit failed: rv = CKR_KEY_TYPE_INCONSISTENT (0x63)
Aborting.

embetrix avatar Mar 07 '25 11:03 embetrix

Can you try adding the ID of the AES key in the decryption command? Find the ID by running the pkcs11-tool --list-objects command

aveenismail avatar Mar 10 '25 15:03 aveenismail

using both --label and --id in decryption or just --id does solve the issue:

pkcs11-tool --pin 0001password --module /usr/local/lib/pkcs11/yubihsm_pkcs11.so --login --decrypt --label AES32 -m AES-CBC --iv AE120000000000000000000000000000 --input-file DATA.enc --output-file DATA.bin.dec --id 1234
Using slot 0 with a present token (0x0)
Using decrypt algorithm AES-CBC

this is definitely a bug in the yubihsm_pkcs11.so since this workaround is not required for the encryption

embetrix avatar Mar 10 '25 15:03 embetrix

Good to know that the it works. I'll be looking into why there's a discrepancy

aveenismail avatar Mar 10 '25 15:03 aveenismail

I just tested this and it works for me. Could there possibly be another key on the device with the same label that isn't an AES key ?

qpernil avatar Jun 05 '25 09:06 qpernil